author: Patrick McHardy <kaber@trash.net>, 2014-03-26 12:28:59 +0000
committer: Patrick McHardy <kaber@trash.net>, 2014-04-14 08:22:48 +0200
commit: 0eb9a25120e41ad4b0d7a2bda9effd4b4e2b64d5 (patch)
tree: 657e6f900765511e7bd236bb1b03166abfbff727
parent: b65f854278c7412b9dd2f6b335ad1f7e32d83d34 (diff)
doc: documentation update
Signed-off-by: Patrick McHardy
-rw-r--r-- doc/nftables.xml | 2470
1 files changed, 1833 insertions, 637 deletions
diff --git a/doc/nftables.xml b/doc/nftables.xml index 055d4a65..af4f2ca6 100644 --- a/doc/nftables.xml +++ b/doc/nftables.xml @@ -1,8 +1,11 @@ <?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" - "/usr/share/xml/docbook/schema/dtd/4.5/docbookx.dtd"> +"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"> +<!-- +vi:ts=4 sw=4 +--> -<refentry> +<refentry xmlns:xi="http://www.w3.org/2001/XInclude"> <refentryinfo> <author> <firstname>Patrick</firstname> @@ -10,18 +13,18 @@ <email>kaber@trash.net</email> </author> <copyright> - <year>2008</year> + <year>2008-2014</year> <holder>Patrick McHardy</holder> </copyright> </refentryinfo> <refmeta> - <refentrytitle>nftables</refentrytitle> + <refentrytitle>nft</refentrytitle> <manvolnum>8</manvolnum> </refmeta> <refnamediv> - <refname>nftables</refname> + <refname>nft</refname> <refpurpose> Administration tool for packet filtering and classification </refpurpose> @@ -29,7 +32,7 @@ <refsynopsisdiv> <cmdsynopsis> - <command>nftables</command> + <command>nft</command> <arg choice="opt"> <option>-n/--numeric</option> </arg> @@ -51,7 +54,7 @@ </group> </cmdsynopsis> <cmdsynopsis> - <command>nftables</command> + <command>nft</command> <arg choice="opt"> <option>-h/--help</option> </arg> @@ -64,7 +67,7 @@ <refsect1> <title>Description</title> <para> - nftables is used to set up, maintain and inspect packet + nft is used to set up, maintain and inspect packet filtering and classification rules in the Linux kernel. </para> </refsect1> @@ -72,7 +75,7 @@ <refsect1> <title>Options</title> <para> - For a full summary of options, run <command>nftables --help</command>. + For a full summary of options, run <command>nft --help</command>. </para> <variablelist> 
@@ -96,9 +99,19 @@ <term><option>-n/--numeric</option></term> <listitem> <para> - Numeric output: IP addresses and other information + Numeric output: Addresses and other information that might need network traffic to resolve to symbolic names - are shown numerically. + are shown numerically. When used twice, internet services + and UIDs/GIDs are also shown numerically. When used thrice, + protocol numbers are also shown numerically. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>-a/--handle</option></term> + <listitem> + <para> + Show rule handles in output. </para> </listitem> </varlistentry> 
@@ -131,19 +144,226 @@ <refsect1> <title>Input file format</title> + <refsect2> + <title>Lexical conventions</title> + <para> + Input is parsed line-wise. When the last character of a line just before + the newline character is a non-quoted backslash (<literal>\</literal>), + the next line is treated as a continuation. Multiple commands on the + same line can be separated using a semicolon (<literal>;</literal>). + </para> + <para> + A hash sign (<literal>#</literal>) begins a comment. All following characters + on the same line are ignored. + </para> + <para> + Identifiers begin with an alphabetic character (<literal>a-z,A-Z</literal>), + followed zero or more alphanumeric characters (<literal>a-z,A-Z,0-9</literal>) + and the characters slash (<literal>/</literal>), backslash (<literal>\</literal>), + underscore (<literal>_</literal>) and dot (<literal>.</literal>). Identifiers + using different characters or clashing with a keyword need to be enclosed in + double quotes (<literal>"</literal>). + </para> + <para> + </para> + </refsect2> + <refsect2> + <title>Include files</title> + <para> + <cmdsynopsis> + <command>include</command> "<replaceable>filename</replaceable>" + </cmdsynopsis> + </para> + <para> + Other files can be included by using the <command>include</command> statement. + The directories to be searched for include files can be specified using + the <option>-I/--includepath</option> option. + </para> + </refsect2> + <refsect2> + <title>Symbolic variables</title> + <para> + <cmdsynopsis> + <command>define</command> <varname><replaceable>variable</replaceable></varname> = <replaceable>expr</replaceable> + </cmdsynopsis> + <cmdsynopsis> + <command>$<varname><replaceable>variable</replaceable></varname></command> + </cmdsynopsis> + </para> + <para> + Symbolic variables can be defined using the <command>define</command> statement. + Variable references are expressions and can be used initialize other variables. 
+ The scope of a definition is the current block and all blocks contained within. + + <example> + <title>Using symbolic variables</title> + <programlisting> + define int_if1 = eth0 + define int_if2 = eth1 + define int_ifs = { $int_if1, $int_if2 } + + filter input iif $int_ifs accept + </programlisting> + </example> + </para> + </refsect2> + </refsect1> + + <refsect1> + <title>Address families</title> <para> - Input is parsed line-wise. When the last character of a line just before - the newline character is a non-quoted backslash (<literal>\</literal>), - the newline is treated as a line continuation. + Address families determine the type of packets which are processed. For each address + family the kernel contains so called hooks at specific stages of the packet processing + paths, which invoke nftables if rules for these hooks exist. </para> <para> - A <literal>#</literal> begins a comment. All following characters on - the same line are ignored. + <variablelist> + <varlistentry> + <term><option>ip</option></term> + <listitem> + <para> + IPv4 address family. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>ip6</option></term> + <listitem> + <para> + IPv6 address family. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>inet</option></term> + <listitem> + <para> + Internet (IPv4/IPv6) address family. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>arp</option></term> + <listitem> + <para> + ARP address family, handling packets vi + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>bridge</option></term> + <listitem> + <para> + Bridge address family, handling packets which traverse a bridge device. + </para> + </listitem> + </varlistentry> + </variablelist> </para> <para> - Other files can be included by using - <command>include "<replaceable>filename</replaceable>"</command>. 
+ All nftables objects exist in address family specific namespaces, therefore + all identifiers include an address family. If an identifier is specified without + an address family, the <literal>ip</literal> family is used by default. </para> + + <refsect2> + <title>IPv4/IPv6/Inet address families</title> + <para> + The IPv4/IPv6/Inet address families handle IPv4, IPv6 or both types of packets. They + contain five hooks at different packet processing stages in the network stack. + </para> + <para> + <table frame="all"> + <title>IPv4/IPv6/Inet address family hooks</title> + <tgroup cols='2' align='left' colsep='1' rowsep='1'> + <colspec colname='c1' colwidth="1*"/> + <colspec colname='c2' colwidth="5*"/> + <thead> + <row> + <entry>Hook</entry> + <entry>Description</entry> + </row> + </thead> + <tbody> + <row> + <entry>prerouting</entry> + <entry> + All packets entering the system are processed by the prerouting hook. It is invoked + before the routing process and is used for early filtering or changing packet + attributes that affect routing. + </entry> + </row> + <row> + <entry>input</entry> + <entry> + Packets delivered to the local system are processed by the input hook. + </entry> + </row> + <row> + <entry>forward</entry> + <entry> + Packets forwarded to a different host are processed by the forward hook. + </entry> + </row> + <row> + <entry>output</entry> + <entry> + Packets sent by local processes are processed by the output hook. + </entry> + </row> + <row> + <entry>postrouting</entry> + <entry> + All packets leaving the system are processed by the postrouting hook. + </entry> + </row> + </tbody> + </tgroup> + </table> + </para> + </refsect2> + <refsect2> + <title>ARP address family</title> + <para> + The ARP address family handles ARP packets received and sent by the system. It is commonly used + to mangle ARP packets for clustering. 
+ </para> + <para> + <table frame="all"> + <title>ARP address family hooks</title> + <tgroup cols='2' align='left' colsep='1' rowsep='1' pgwide="1"> + <colspec colname='c1' colwidth="1*"/> + <colspec colname='c2' colwidth="5*"/> + <thead> + <row> + <entry>Hook</entry> + <entry>Description</entry> + </row> + </thead> + <tbody> + <row> + <entry>input</entry> + <entry> + Packets delivered to the local system are processed by the input hook. + </entry> + </row> + <row> + <entry>output</entry> + <entry> + Packets send by the local system are processed by the output hook. + </entry> + </row> + </tbody> + </tgroup> + </table> + </para> + </refsect2> + <refsect2> + <title>Bridge address family</title> + <para> + The bridge address family handles ethernet packets traversing bridge devices. + </para> + </refsect2> </refsect1> <refsect1> @@ -163,17 +383,21 @@ </para> <para> - Tables are containers for chains. They are identified by their family - and their name. The family must be one of + Tables are containers for chains and sets. They are identified by their address family + and their name. The address family must be one of <simplelist type="inline"> <member><literal>ip</literal></member> <member><literal>ip6</literal></member> + <member><literal>inet</literal></member> <member><literal>arp</literal></member> <member><literal>bridge</literal></member> </simplelist>. - When no family is specified, <literal>ip</literal> is used by default. + The <literal>inet</literal> address family is a dummy family which is used to create + hybrid IPv4/IPv6 tables. + + When no address family is specified, <literal>ip</literal> is used by default. </para> <variablelist> @@ -227,6 +451,7 @@ <cmdsynopsis> <group choice="req"> <arg>add</arg> + <arg>create</arg> <arg>delete</arg> <arg>list</arg> <arg>flush</arg> 
@@ -236,11 +461,19 @@ <arg choice="req"><replaceable>table</replaceable></arg> <arg choice="req"><replaceable>chain</replaceable></arg> </cmdsynopsis> + <cmdsynopsis> + <arg choice="req">rename</arg> + <command>chain</command> + <arg choice="opt"><replaceable>family</replaceable></arg> + <arg choice="req"><replaceable>table</replaceable></arg> + <arg choice="req"><replaceable>chain</replaceable></arg> + <arg choice="req"><replaceable>newname</replaceable></arg> + </cmdsynopsis> </para> <para> Chains are containers for rules. They exist in two kinds, - basechains and regular chains. A basecase is an entry point for + base chains and regular chains. A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization. </para> @@ -257,10 +490,28 @@ </listitem> </varlistentry> <varlistentry> + <term><option>create</option></term> + <listitem> + <para> + Simlar to the <command>add</command> command, but returns an error if the + chain already exists. + </para> + </listitem> + </varlistentry> + <varlistentry> <term><option>delete</option></term> <listitem> <para> - Delete the specified chain. + Delete the specified chain. The chain must not contain any rules or be + used as jump target. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>flush</option></term> + <listitem> + <para> + Rename the specified chain. </para> </listitem> </varlistentry> 
@@ -287,645 +538,1590 @@ <title>Rules</title> <para> <cmdsynopsis> - <group choice="req"> - <arg>add</arg> - <arg>delete</arg> + <group> + <arg choice="opt">add</arg> + <arg choice="req">insert</arg> </group> <command>rule</command> <arg choice="opt"><replaceable>family</replaceable></arg> <arg choice="req"><replaceable>table</replaceable></arg> <arg choice="req"><replaceable>chain</replaceable></arg> - <arg choice="opt">handle <replaceable>handle</replaceable></arg> + <arg choice="opt">position <replaceable>position</replaceable></arg> <arg choice="req" rep="repeat"><replaceable>statement</replaceable></arg> </cmdsynopsis> + <cmdsynopsis> + <arg choice="req">delete</arg> + <command>rule</command> + <arg choice="opt"><replaceable>family</replaceable></arg> + <arg choice="req"><replaceable>table</replaceable></arg> + <arg choice="req"><replaceable>chain</replaceable></arg> + <arg choice="req">handle <replaceable>handle</replaceable></arg> + </cmdsynopsis> </para> <para> Rules are constructed from two kinds of components according to a set - of rules: expressions and statements. The lowest order expression is a - primary expression, representing either a constant or a single datum - from a packets payload, meta data or a stateful module. Primary expressions - can be used as arguments to relational expressions (equality, - set membership, ...) to construct match expressions. + of grammatical rules: expressions and statements. </para> + + <variablelist> + <varlistentry> + <term><option>add</option></term> + <listitem> + <para> + Add a new rule described by the list of statements. The rule is appended to the + given chain unless a position is specified, in which case the rule is appended to + the rule given by the position. 
+ </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>insert</option></term> + <listitem> + <para> + Similar to the <command>add</command> command, but the rule is prepended to the + beginning of the chain or before the rule at the given position. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>delete</option></term> + <listitem> + <para> + Delete the specified rule. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1> + <title>Expressions</title> + <para> + Expressions represent values, either constants like network addresses, port numbers etc. or data + gathered from the packet during ruleset evaluation. Expressions can be combined using binary, + logical, relational and other types of expressions to form complex or relational (match) expressions. + They are also used as arguments to certain types of operations, like NAT, packet marking etc. + </para> + <para> + Each expression has a data type, which determines the size, parsing and representation of + symbolic values and type compatibility with other expressions. + </para> + + <refsect2> + <title>describe command</title> + <para> + <cmdsynopsis> + <command>describe</command> + <arg choice="req"><replaceable>expression</replaceable></arg> + </cmdsynopsis> + </para> + <para> + The <command>describe</command> command shows information about the type of an expression and + its data type. 
+ </para> + <example> + <title>The <command>describe</command> command</title> + <programlisting> + $ nft describe tcp flags + payload expression, datatype tcp_flag (TCP flag) (basetype bitmask, integer), 8 bits + + pre-defined symbolic constants: + fin 0x01 + syn 0x02 + rst 0x04 + psh 0x08 + ack 0x10 + urg 0x20 + ecn 0x40 + cwr 0x80 + </programlisting> + </example> + </refsect2> + </refsect1> + + <refsect1> + <title>Data types</title> + <para> + Data types determine the size, parsing and representation of symbolic values and type compatibility + of expressions. A number of global data types exist, in addition some expression types define further + data types specific to the expression type. Most data types have a fixed size, some however may have + a dynamic size, f.i. the string type. + </para> + <para> + Types may be derived from lower order types, f.i. the IPv4 address type is derived from the integer + type, meaning an IPv4 address can also be specified as an integer value. + </para> + <para> + In certain contexts (set and map definitions) it is necessary to explicitly specify a data type. + Each type has a name which is used for this. + </para> + + <refsect2> + <title>Integer type</title> + <para> + <table frame="all"> + <tgroup cols='4' align='left' colsep='1' rowsep='1'> + <colspec colname='c1'/> + <colspec colname='c2'/> + <colspec colname='c3'/> + <colspec colname='c4'/> + <thead> + <row> + <entry>Name</entry> + <entry>Keyword</entry> + <entry>Size</entry> + <entry>Base type</entry> + </row> + </thead> + <tbody> + <row> + <entry>Integer</entry> + <entry>integer</entry> + <entry>variable</entry> + <entry>-</entry> + </row> + </tbody> + </tgroup> + </table> + </para> + <para> + The integer type is used for numeric values. It may be specified as decimal, hexadecimal + or octal number. The integer type doesn't have a fixed size, its size is determined by the + expression for which it is used. 
+ </para> + </refsect2> + + <refsect2> + <title>Bitmask type</title> + <para> + <table frame="all"> + <tgroup cols='4' align='left' colsep='1' rowsep='1'> + <colspec colname='c1'/> + <colspec colname='c2'/> + <colspec colname='c3'/> + <colspec colname='c4'/> + <thead> + <row> + <entry>Name</entry> + <entry>Keyword</entry> + <entry>Size</entry> + <entry>Base type</entry> + </row> + </thead> + <tbody> + <row> + <entry>Bitmask</entry> + <entry>bitmask</entry> + <entry>variable</entry> + <entry>integer</entry> + </row> + </tbody> + </tgroup> + </table> + </para> + <para> + The bitmask type (<command>bitmask</command>) is used for bitmasks. + </para> + </refsect2> + + <refsect2> + <title>String type</title> + <para> + <table frame="all"> + <tgroup cols='4' align='left' colsep='1' rowsep='1'> + <colspec colname='c1'/> + <colspec colname='c2'/> + <colspec colname='c3'/> + <colspec colname='c4'/> + <thead> + <row> + <entry>Name</entry> + <entry>Keyword</entry> + <entry>Size</entry> + <entry>Base type</entry> + </row> + </thead> + <tbody> + <row> + <entry>String</entry> + <entry>string</entry> + <entry>variable</entry> + <entry>-</entry> + </row> + </tbody> + </tgroup> + </table> + </para> + <para> + The string type is used to for character strings. A string begins with an alphabetic character + (a-zA-Z) followed by zero or more alphanumeric characters or the characters <literal>/</literal>, + <literal>-</literal>, <literal>_</literal> and <literal>.</literal>. In addition anything enclosed + in double quotes (<literal>"</literal>) is recognized as a string. 
+ </para> + <example> + <title>String specification</title> + <programlisting> + # Interface name + filter input iifname eth0 + + # Weird interface name + filter input iifname "(eth0)" + </programlisting> + </example> + </refsect2> + + <refsect2> + <title>Link layer address type</title> + <para> + <table frame="all"> + <tgroup cols='4' align='left' colsep='1' rowsep='1'> + <colspec colname='c1'/> + <colspec colname='c2'/> + <colspec colname='c3'/> + <colspec colname='c4'/> + <thead> + <row> + <entry>Name</entry> + <entry>Keyword</entry> + <entry>Size</entry> + <entry>Base type</entry> + </row> + </thead> + <tbody> + <row> + <entry>Link layer address</entry> + <entry>lladdr</entry> + <entry>variable</entry> + <entry>integer</entry> + </row> + </tbody> + </tgroup> + </table> + </para> + <para> + The link layer address type is used for link layer addresses. Link layer addresses are specified + as a variable amount of groups of two hexadecimal digits separated using colons (<literal>:</literal>). + </para> + <example> + <title>Link layer address specification</title> + <programlisting> + # Ethernet destination MAC address + filter input ether daddr 20:c9:d0:43:12:d9 + </programlisting> + </example> + </refsect2> + + <refsect2> + <title>IPv4 address type</title> + <para> + <table frame="all"> + <tgroup cols='4' align='left' colsep='1' rowsep='1'> + <colspec colname='c1'/> + <colspec colname='c2'/> + <colspec colname='c3'/> + <colspec colname='c4'/> + <thead> + <row> + <entry>Name</entry> + <entry>Keyword</entry> + <entry>Size</entry> + <entry>Base type</entry> + </row> + </thead> + <tbody> + <row> + <entry>IPv4 address</entry> + <entry>ipv4_addr</entry> + <entry>32 bit</entry> + <entry>integer</entry> + </row> + </tbody> + </tgroup> + </table> + </para> + <para> + The IPv4 address type is used for IPv4 addresses. Addresses are specified in either dotted decimal, + dotted hexadecimal, dotted octal, decimal, hexadecimal, octal notation or as a host name. 
A host name + will be resolved using the standard system resolver. + </para> + <example> + <title>IPv4 address specification</title> + <programlisting> + # dotted decimal notation + filter output ip daddr 127.0.0.1 + + # host name + filter output ip daddr localhost + </programlisting> + </example> + </refsect2> + + <refsect2> + <title>IPv6 address type</title> + <para> + <table frame="all"> + <tgroup cols='4' align='left' colsep='1' rowsep='1'> + <colspec colname='c1'/> + <colspec colname='c2'/> + <colspec colname='c3'/> + <colspec colname='c4'/> + <thead> + <row> + <entry>Name</entry> + <entry>Keyword</entry> + <entry>Size</entry> + <entry>Base type</entry> + </row> + </thead> + <tbody> + <row> + <entry>IPv6 address</entry> + <entry>ipv6_addr</entry> + <entry>128 bit</entry> + <entry>integer</entry> + </row> + </tbody> + </tgroup> + </table> + </para> + <para> + The IPv6 address type is used for IPv6 addresses. FIXME + </para> + <example> + <title>IPv6 address specification</title> + <programlisting> + # abbreviated loopback address + filter output ip6 daddr ::1 + </programlisting> + </example> + </refsect2> </refsect1> <refsect1> <title>Primary expressions</title> + <para> + The lowest order expression is a primary expression, representing either a constant or a single + datum from a packet's payload, meta data or a stateful module. 
+ </para> <refsect2> <title>Meta expressions</title> <para> + <cmdsynopsis> + <command>meta</command> + <group choice="req"> + <arg>length</arg> + <arg>nfproto</arg> + <arg>l4proto</arg> + <arg>protocol</arg> + <arg>priority</arg> + </group> + </cmdsynopsis> + <cmdsynopsis> + <arg choice="opt">meta</arg> + <group choice="req"> + <arg>mark</arg> + <arg>iif</arg> + <arg>iifname</arg> + <arg>iiftype</arg> + <arg>oif</arg> + <arg>oifname</arg> + <arg>oiftype</arg> + <arg>skuid</arg> + <arg>skgid</arg> + <arg>nftrace</arg> + <arg>rtclassid</arg> + </group> + </cmdsynopsis> + </para> + <para> A meta expression refers to meta data associated with a packet. </para> - <table frame="all"> - <title>Meta expressions</title> - <tgroup cols='3' align='left' colsep='1' rowsep='1'> - <colspec colname='c1'/> - <colspec colname='c2'/> - <colspec colname='c3'/> - <thead> - <row> - <entry>Keyword</entry> - <entry>Description</entry> - <entry>Type</entry> - </row> - </thead> - <tbody> - <row> - <entry>length</entry> - <entry>Length of the packet in bytes</entry> - <entry>Numeric (32 bit)</entry> - </row> - <row> - <entry>protocol</entry> - <entry>Ethertype protocol value</entry> - <entry>ethertype</entry> - </row> - <row> - <entry>priority</entry> - <entry>TC packet priority</entry> - <entry>Numeric (32 bit)</entry> - </row> - <row> - <entry>mark</entry> - <entry>Packet mark</entry> - <entry>packetmark</entry> - </row> - <row> - <entry>iif</entry> - <entry>Input interface index</entry> - <entry>ifindex</entry> - </row> - <row> - <entry>iifname</entry> - <entry>Input interface name</entry> - <entry>ifname</entry> - </row> - <row> - <entry>iiftype</entry> - <entry>Input interface hardware type</entry> - <entry>hwtype</entry> - </row> - <row> - <entry>oif</entry> - <entry>Output interface index</entry> - <entry>ifindex</entry> - </row> - <row> - <entry>oifname</entry> - <entry>Output interface name</entry> - <entry>ifname</entry> - </row> - <row> - <entry>oiftype</entry> - <entry>Output 
interface hardware type</entry> - <entry>hwtype</entry> - </row> - <row> - <entry>skuid</entry> - <entry>UID associated with originating socket</entry> - <entry>uid</entry> - </row> - <row> - <entry>skgid</entry> - <entry>GID associated with originating socket</entry> - <entry>gid</entry> - </row> - <row> - <entry>rtclassid</entry> - <entry>Routing realm</entry> - <entry>realm</entry> - </row> - </tbody> - </tgroup> - </table> - <table frame="all"> - <title>Meta expression specific types</title> - <tgroup cols='2' align='left' colsep='1' rowsep='1'> - <colspec colname='c1'/> - <colspec colname='c2'/> - <thead> - <row> - <entry>Type</entry> - <entry>Description</entry> - </row> - </thead> - <tbody> - <row> - <entry>ifindex</entry> - <entry> - Interface index (32 bit number). Can be specified numerically - or as name of an existing interface. - </entry> - </row> - <row> - <entry>ifname</entry> - <entry> - Interface name (16 byte string). Does not have to exist. - </entry> - </row> - <row> - <entry>uid</entry> - <entry> - User ID (32 bit number). Can be specified numerically or as - user name. - </entry> - </row> - <row> - <entry>gid</entry> - <entry> - Group ID (32 bit number). Can be specified numerically or as - group name. - </entry> - </row> - <row> - <entry>realm</entry> - <entry> - Routing Realm (32 bit number). Can be specified numerically - or as symbolic name defined in /etc/iproute2/rt_realms. 
- </entry> - </row> - </tbody> - </tgroup> - </table> - </refsect2> - - <refsect2> - <title>Payload expressions</title> - <table frame="all"> - <title>Ethernet header expression</title> - <tgroup cols='2' align='left' colsep='1' rowsep='1'> - <colspec colname='c1'/> - <colspec colname='c2'/> - <thead> - <row> - <entry>Keyword</entry> - <entry>Description</entry> - </row> - </thead> - <tbody> - <row> - <entry>daddr</entry> - <entry>Destination address</entry> - </row> - <row> - <entry>saddr</entry> - <entry>Source address</entry> - </row> - <row> - <entry>type</entry> - <entry>EtherType</entry> - </row> - </tbody> - </tgroup> - </table> - - <table frame="all"> - <title>VLAN header expression</title> - <tgroup cols='2' align='left' colsep='1' rowsep='1'> - <colspec colname='c1'/> - <colspec colname='c2'/> - <thead> - <row> - <entry>Keyword</entry> - <entry>Description</entry> - </row> - </thead> - <tbody> - <row> - <entry>id</entry> - <entry>VLAN ID (VID)</entry> - </row> - <row> - <entry>cfi</entry> - <entry>Canonical Format Indicator</entry> - </row> - <row> - <entry>pcp</entry> - <entry>Priority code point</entry> - </row> - <row> - <entry>type</entry> - <entry>EtherType</entry> - </row> - </tbody> - </tgroup> - </table> - - <table frame="all"> - <title>ARP header expression</title> - <tgroup cols='2' align='left' colsep='1' rowsep='1'> - <colspec colname='c1'/> - <colspec colname='c2'/> - <thead> - <row> - <entry>Keyword</entry> - <entry>Description</entry> - </row> - </thead> - <tbody> - <row> - <entry>htype</entry> - <entry>ARP hardware type</entry> - </row> - <row> - <entry>ptype</entry> - <entry>EtherType</entry> - </row> - <row> - <entry>hlen</entry> - <entry>Hardware address len</entry> - </row> - <row> - <entry>plen</entry> - <entry>Protocol address len</entry> - </row> - <row> - <entry>op</entry> - <entry>Operation</entry> - </row> - </tbody> - </tgroup> - </table> - - <table frame="all"> - <title>IPv4 header expression</title> - <tgroup cols='2' 
align='left' colsep='1' rowsep='1'> - <colspec colname='c1'/> - <colspec colname='c2'/> - <thead> - <row> - <entry>Keyword</entry> - <entry>Description</entry> - </row> - </thead> - <tbody> - <row> - <entry>version</entry> - <entry>IP header version (4)</entry> - </row> - <row> - <entry>hdrlength</entry> - <entry>IP header length including options</entry> - </row> - <row> - <entry>tos</entry> - <entry>Type Of Service</entry> - </row> - <row> - <entry>length</entry> - <entry>Total packet length</entry> - </row> - <row> - <entry>id</entry> - <entry>IP ID</entry> - </row> - <row> - <entry>frag-off</entry> - <entry>Fragment offset</entry> - </row> - <row> - <entry>ttl</entry> - <entry>Time to live</entry> - </row> - <row> - <entry>protocol</entry> - <entry>Upper layer protocol</entry> - </row> - <row> - <entry>checksum</entry> - <entry>IP header checksum</entry> - </row> - <row> - <entry>saddr</entry> - <entry>Source address</entry> - </row> - <row> - <entry>daddr</entry> - <entry>Destination address</entry> - </row> - </tbody> - </tgroup> - </table> - - <table frame="all"> - <title>IPv6 header expression</title> - <tgroup cols='2' align='left' colsep='1' rowsep='1'> - <colspec colname='c1'/> - <colspec colname='c2'/> - <thead> - <row> - <entry>Keyword</entry> - <entry>Description</entry> - </row> - </thead> - <tbody> - <row> - <entry>version</entry> - <entry>IP header version (6)</entry> - </row> - <row> - <entry>priority</entry> - <entry></entry> - </row> - <row> - <entry>flowlabel</entry> - <entry></entry> - </row> - <row> - <entry>length</entry> - <entry></entry> - </row> - <row> - <entry>nexthdr</entry> - <entry>Nexthdr protocol</entry> - </row> - <row> - <entry>hoplimit</entry> - <entry></entry> - </row> - <row> - <entry>saddr</entry> - <entry>Source address</entry> - </row> - <row> - <entry>daddr</entry> - <entry>Destination address</entry> - </row> - </tbody> - </tgroup> - </table> - - <table frame="all"> - <title>SCTP header expression</title> - <tgroup 
cols='2' align='left' colsep='1' rowsep='1'> - <colspec colname='c1'/> - <colspec colname='c2'/> - <thead> - <row> - <entry>Keyword</entry> - <entry>Description</entry> - </row> - </thead> - <tbody> - <row> - <entry>sport</entry> - <entry>Source port</entry> - </row> - <row> - <entry>dport</entry> - <entry>Destination port</entry> - </row> - <row> - <entry>vtag</entry> - <entry>Verfication Tag</entry> - </row> - <row> - <entry>checksum</entry> - <entry>Checksum</entry> - </row> - </tbody> - </tgroup> - </table> - - <table frame="all"> - <title>DCCP header expression</title> - <tgroup cols='2' align='left' colsep='1' rowsep='1'> - <colspec colname='c1'/> - <colspec colname='c2'/> - <thead> - <row> - <entry>Keyword</entry> - <entry>Description</entry> - </row> - </thead> - <tbody> - <row> - <entry>sport</entry> - <entry>Source port</entry> - </row> - <row> - <entry>dport</entry> - <entry>Destination port</entry> - </row> - </tbody> - </tgroup> - </table> - - <table frame="all"> - <title>TCP header expression</title> - <tgroup cols='2' align='left' colsep='1' rowsep='1'> - <colspec colname='c1'/> - <colspec colname='c2'/> - <thead> - <row> - <entry>Keyword</entry> - <entry>Description</entry> - </row> - </thead> - <tbody> - <row> - <entry>sport</entry> - <entry>Source port</entry> - </row> - <row> - <entry>dport</entry> - <entry>Destination port</entry> - </row> - <row> - <entry>sequence</entry> - <entry>Sequence number</entry> - </row> - <row> - <entry>ackseq</entry> - <entry>Acknowledgement number</entry> - </row> - <row> - <entry>doff</entry> - <entry>Data offset</entry> - </row> - <row> - <entry>reserved</entry> - <entry>Reserved area</entry> - </row> - <row> - <entry>flags</entry> - <entry>TCP flags</entry> - </row> - <row> - <entry>window</entry> - <entry>Window</entry> - </row> - <row> - <entry>checksum</entry> - <entry>Checksum</entry> - </row> - <row> - <entry>urgptr</entry> - <entry>Urgent pointer</entry> - </row> - </tbody> - </tgroup> - </table> - - <table 
frame="all"> - <title>UDP header expression</title> - <tgroup cols='2' align='left' colsep='1' rowsep='1'> - <colspec colname='c1'/> - <colspec colname='c2'/> - <thead> - <row> - <entry>Keyword</entry> - <entry>Description</entry> - </row> - </thead> - <tbody> - <row> - <entry>sport</entry> - <entry>Source port</entry> - </row> - <row> - <entry>dport</entry> - <entry>Destination port</entry> - </row> - <row> - <entry>length</entry> - <entry>Total packet length</entry> - </row> - <row> - <entry>checksum</entry> - <entry>Checksum</entry> - </row> - </tbody> - </tgroup> - </table> - - <table frame="all"> - <title>UDP-Lite header expression</title> - <tgroup cols='2' align='left' colsep='1' rowsep='1'> - <colspec colname='c1'/> - <colspec colname='c2'/> - <thead> - <row> - <entry>Keyword</entry> - <entry>Description</entry> - </row> - </thead> - <tbody> - <row> - <entry>sport</entry> - <entry>Source port</entry> - </row> - <row> - <entry>dport</entry> - <entry>Destination port</entry> - </row> - <row> - <entry>cscov</entry> - <entry>Checksum coverage</entry> - </row> - <row> - <entry>checksum</entry> - <entry>Checksum</entry> - </row> - </tbody> - </tgroup> - </table> - - - <table frame="all"> - <title>AH header expression</title> - <tgroup cols='2' align='left' colsep='1' rowsep='1'> - <colspec colname='c1'/> - <colspec colname='c2'/> - <thead> - <row> - <entry>Keyword</entry> - <entry>Description</entry> - </row> - </thead> - <tbody> - <row> - <entry>nexthdr</entry> - <entry>Next header protocol</entry> - </row> - <row> - <entry>hdrlength</entry> - <entry>AH Header length</entry> - </row> - <row> - <entry>reserved</entry> - <entry>Reserved area</entry> - </row> - <row> - <entry>spi</entry> - <entry>Security Parameter Index</entry> - </row> - <row> - <entry>sequence</entry> - <entry>Sequence number</entry> - </row> - </tbody> - </tgroup> - </table> - - <table frame="all"> - <title>ESP header expression</title> - <tgroup cols='2' align='left' colsep='1' rowsep='1'> - 
<colspec colname='c1'/> - <colspec colname='c2'/> - <thead> - <row> - <entry>Keyword</entry> - <entry>Description</entry> - </row> - </thead> - <tbody> - <row> - <entry>spi</entry> - <entry>Security Parameter Index</entry> - </row> - <row> - <entry>sequence</entry> - <entry>Sequence number</entry> - </row> - </tbody> - </tgroup> - </table> - - <table frame="all"> - <title>IPComp header expression</title> - <tgroup cols='2' align='left' colsep='1' rowsep='1'> - <colspec colname='c1'/> - <colspec colname='c2'/> - <thead> - <row> - <entry>Keyword</entry> - <entry>Description</entry> - </row> - </thead> - <tbody> - <row> - <entry>nexthdr</entry> - <entry>Next header protocol</entry> - </row> - <row> - <entry>flags</entry> - <entry>Flags</entry> - </row> - <row> - <entry>cfi</entry> - <entry>Compression Parameter Index</entry> - </row> - </tbody> - </tgroup> - </table> + <para> + There are two types of meta expressions: unqualified and qualified meta expressions. + Qualified meta expressions require the <command>meta</command> keyword before the + meta key, unqualified meta expressions can be specified by using the meta key directly + or as qualified meta expressions. 
+ </para> + <para> + <table frame="all"> + <title>Meta expression types</title> + <tgroup cols='3' align='left' colsep='1' rowsep='1'> + <colspec colname='c1'/> + <colspec colname='c2'/> + <colspec colname='c3'/> + <thead> + <row> + <entry>Keyword</entry> + <entry>Description</entry> + <entry>Type</entry> + </row> + </thead> + <tbody> + <row> + <entry>length</entry> + <entry>Length of the packet in bytes</entry> + <entry>integer (32 bit)</entry> + </row> + <row> + <entry>protocol</entry> + <entry>Ethertype protocol value</entry> + <entry>ether_type</entry> + </row> + <row> + <entry>priority</entry> + <entry>TC packet priority</entry> + <entry>integer (32 bit)</entry> + </row> + <row> + <entry>mark</entry> + <entry>Packet mark</entry> + <entry>packetmark</entry> + </row> + <row> + <entry>iif</entry> + <entry>Input interface index</entry> + <entry>iface_index</entry> + </row> + <row> + <entry>iifname</entry> + <entry>Input interface name</entry> + <entry>string</entry> + </row> + <row> + <entry>iiftype</entry> + <entry>Input interface type</entry> + <entry>iface_type</entry> + </row> + <row> + <entry>oif</entry> + <entry>Output interface index</entry> + <entry>iface_index</entry> + </row> + <row> + <entry>oifname</entry> + <entry>Output interface name</entry> + <entry>string</entry> + </row> + <row> + <entry>oiftype</entry> + <entry>Output interface hardware type</entry> + <entry>iface_type</entry> + </row> + <row> + <entry>skuid</entry> + <entry>UID associated with originating socket</entry> + <entry>uid</entry> + </row> + <row> + <entry>skgid</entry> + <entry>GID associated with originating socket</entry> + <entry>gid</entry> + </row> + <row> + <entry>rtclassid</entry> + <entry>Routing realm</entry> + <entry>realm</entry> + </row> + </tbody> + </tgroup> + </table> + </para> + <para> + <table frame="all"> + <title>Meta expression specific types</title> + <tgroup cols='2' align='left' colsep='1' rowsep='1'> + <colspec colname='c1'/> + <colspec colname='c2'/> + 
<thead> + <row> + <entry>Type</entry> + <entry>Description</entry> + </row> + </thead> + <tbody> + <row> + <entry>iface_index</entry> + <entry> + Interface index (32 bit number). Can be specified numerically + or as name of an existing interface. + </entry> + </row> + <row> + <entry>ifname</entry> + <entry> + Interface name (16 byte string). Does not have to exist. + </entry> + </row> + <row> + <entry>iface_type</entry> + <entry> + Interface type (16 bit number). + </entry> + </row> + <row> + <entry>uid</entry> + <entry> + User ID (32 bit number). Can be specified numerically or as + user name. + </entry> + </row> + <row> + <entry>gid</entry> + <entry> + Group ID (32 bit number). Can be specified numerically or as + group name. + </entry> + </row> + <row> + <entry>realm</entry> + <entry> + Routing Realm (32 bit number). Can be specified numerically + or as symbolic name defined in /etc/iproute2/rt_realms. + </entry> + </row> + </tbody> + </tgroup> + </table> + </para> + <para> + <example> + <title>Using meta expressions</title> + <programlisting> + # qualified meta expression + filter output meta oif eth0 + + # unqualified meta expression + filter output oif eth0 + </programlisting> + </example> + </para> + </refsect2> + </refsect1> + + <refsect1> + <title>Payload expressions</title> + <para> + Payload expressions refer to data from the packet's payload. 
+ </para> + + <refsect2> + <title>Ethernet header expression</title> + <para> + <cmdsynopsis> + <command>ether</command> + <arg opt="req"><replaceable>ethernet header field</replaceable></arg> + </cmdsynopsis> + </para> + <para> + <table frame="all"> + <title>Ethernet header expression types</title> + <tgroup cols='3' align='left' colsep='1' rowsep='1'> + <colspec colname='c1'/> + <colspec colname='c2'/> + <colspec colname='c3'/> + <thead> + <row> + <entry>Keyword</entry> + <entry>Description</entry> + <entry>Type</entry> + </row> + </thead> + <tbody> + <row> + <entry>daddr</entry> + <entry>Destination MAC address</entry> + <entry>ether_addr</entry> + </row> + <row> + <entry>saddr</entry> + <entry>Source MAC address</entry> + <entry>ether_addr</entry> + </row> + <row> + <entry>type</entry> + <entry>EtherType</entry> + <entry>ether_type</entry> + </row> + </tbody> + </tgroup> + </table> + </para> + </refsect2> + + <refsect2> + <title>VLAN header expression</title> + <para> + <cmdsynopsis> + <command>vlan</command> + <arg opt="req"><replaceable>VLAN header field</replaceable></arg> + </cmdsynopsis> + </para> + <para> + <table frame="all"> + <title>VLAN header expression</title> + <tgroup cols='3' align='left' colsep='1' rowsep='1'> + <colspec colname='c1'/> + <colspec colname='c2'/> + <colspec colname='c2'/> + <thead> + <row> + <entry>Keyword</entry> + <entry>Description</entry> + <entry>Type</entry> + </row> + </thead> + <tbody> + <row> + <entry>id</entry> + <entry>VLAN ID (VID)</entry> + <entry>integer (12 bit)</entry> + </row> + <row> + <entry>cfi</entry> + <entry>Canonical Format Indicator</entry> + <entry>flag</entry> + </row> + <row> + <entry>pcp</entry> + <entry>Priority code point</entry> + <entry>integer (3 bit)</entry> + </row> + <row> + <entry>type</entry> + <entry>EtherType</entry> + <entry>ethertype</entry> + </row> + </tbody> + </tgroup> + </table> + </para> + </refsect2> + + <refsect2> + <title>ARP header expression</title> + <para> + <cmdsynopsis> + 
<command>arp</command> + <arg opt="req"><replaceable>ARP header field</replaceable></arg> + </cmdsynopsis> + </para> + <para> + <table frame="all"> + <title>ARP header expression</title> + <tgroup cols='3' align='left' colsep='1' rowsep='1'> + <colspec colname='c1'/> + <colspec colname='c2'/> + <colspec colname='c3'/> + <thead> + <row> + <entry>Keyword</entry> + <entry>Description</entry> + <entry>Type</entry> + </row> + </thead> + <tbody> + <row> + <entry>htype</entry> + <entry>ARP hardware type</entry> + <entry>FIXME</entry> + </row> + <row> + <entry>ptype</entry> + <entry>EtherType</entry> + <entry>ethertype</entry> + </row> + <row> + <entry>hlen</entry> + <entry>Hardware address len</entry> + <entry>integer (8 bit)</entry> + </row> + <row> + <entry>plen</entry> + <entry>Protocol address len</entry> + <entry>integer (8 bit)</entry> + </row> + <row> + <entry>op</entry> + <entry>Operation</entry> + <entry>FIXME</entry> + </row> + </tbody> + </tgroup> + </table> + </para> + </refsect2> + + <refsect2> + <title>IPv4 header expression</title> + <para> + <cmdsynopsis> + <command>ip</command> + <arg opt="req"><replaceable>IPv4 header field</replaceable></arg> + </cmdsynopsis> + </para> + <para> + <table frame="all"> + <title>IPv4 header expression</title> + <tgroup cols='3' align='left' colsep='1' rowsep='1'> + <colspec colname='c1'/> + <colspec colname='c2'/> + <colspec colname='c3'/> + <thead> + <row> + <entry>Keyword</entry> + <entry>Description</entry> + <entry>Type</entry> + </row> + </thead> + <tbody> + <row> + <entry>version</entry> + <entry>IP header version (4)</entry> + <entry>integer (4 bit)</entry> + </row> + <row> + <entry>hdrlength</entry> + <entry>IP header length including options</entry> + <entry>integer (4 bit) FIXME scaling</entry> + </row> + <row> + <entry>tos</entry> + <entry>Type Of Service</entry> + <entry>FIXME</entry> + </row> + <row> + <entry>length</entry> + <entry>Total packet length</entry> + <entry>integer (16 bit)</entry> + </row> + <row> 
+ <entry>id</entry> + <entry>IP ID</entry> + <entry>integer (16 bit)</entry> + </row> + <row> + <entry>frag-off</entry> + <entry>Fragment offset</entry> + <entry>integer (16 bit)</entry> + </row> + <row> + <entry>ttl</entry> + <entry>Time to live</entry> + <entry>integer (8 bit)</entry> + </row> + <row> + <entry>protocol</entry> + <entry>Upper layer protocol</entry> + <entry>inet_proto</entry> + </row> + <row> + <entry>checksum</entry> + <entry>IP header checksum</entry> + <entry>integer (16 bit)</entry> + </row> + <row> + <entry>saddr</entry> + <entry>Source address</entry> + <entry>ipv4_addr</entry> + </row> + <row> + <entry>daddr</entry> + <entry>Destination address</entry> + <entry>ipv4_addr</entry> + </row> + </tbody> + </tgroup> + </table> + </para> + </refsect2> + + <refsect2> + <title>IPv6 header expression</title> + <para> + <cmdsynopsis> + <command>ip6</command> + <arg opt="req"><replaceable>IPv6 header field</replaceable></arg> + </cmdsynopsis> + </para> + <para> + <table frame="all"> + <title>IPv6 header expression</title> + <tgroup cols='3' align='left' colsep='1' rowsep='1'> + <colspec colname='c1'/> + <colspec colname='c2'/> + <colspec colname='c3'/> + <thead> + <row> + <entry>Keyword</entry> + <entry>Description</entry> + <entry>Type</entry> + </row> + </thead> + <tbody> + <row> + <entry>version</entry> + <entry>IP header version (6)</entry> + <entry>integer (4 bit)</entry> + </row> + <row> + <entry>priority</entry> + <entry></entry> + <entry></entry> + </row> + <row> + <entry>flowlabel</entry> + <entry>Flow label</entry> + <entry></entry> + </row> + <row> + <entry>length</entry> + <entry>Payload length</entry> + <entry>integer (16 bit)</entry> + </row> + <row> + <entry>nexthdr</entry> + <entry>Nexthdr protocol</entry> + <entry>inet_proto</entry> + </row> + <row> + <entry>hoplimit</entry> + <entry>Hop limit</entry> + <entry>integer (8 bit)</entry> + </row> + <row> + <entry>saddr</entry> + <entry>Source address</entry> + <entry>ipv6_addr</entry> + 
</row> + <row> + <entry>daddr</entry> + <entry>Destination address</entry> + <entry>ipv6_addr</entry> + </row> + </tbody> + </tgroup> + </table> + </para> + </refsect2> + + <refsect2> + <title>TCP header expression</title> + <para> + <cmdsynopsis> + <command>tcp</command> + <arg opt="req"><replaceable>TCP header field</replaceable></arg> + </cmdsynopsis> + </para> + <para> + <table frame="all"> + <title>TCP header expression</title> + <tgroup cols='3' align='left' colsep='1' rowsep='1'> + <colspec colname='c1'/> + <colspec colname='c2'/> + <colspec colname='c3'/> + <thead> + <row> + <entry>Keyword</entry> + <entry>Description</entry> + <entry>Type</entry> + </row> + </thead> + <tbody> + <row> + <entry>sport</entry> + <entry>Source port</entry> + <entry>inet_service</entry> + </row> + <row> + <entry>dport</entry> + <entry>Destination port</entry> + <entry>inet_service</entry> + </row> + <row> + <entry>sequence</entry> + <entry>Sequence number</entry> + <entry>integer (32 bit)</entry> + </row> + <row> + <entry>ackseq</entry> + <entry>Acknowledgement number</entry> + <entry>integer (32 bit)</entry> + </row> + <row> + <entry>doff</entry> + <entry>Data offset</entry> + <entry>integer (4 bit) FIXME scaling</entry> + </row> + <row> + <entry>reserved</entry> + <entry>Reserved area</entry> + <entry>FIXME</entry> + </row> + <row> + <entry>flags</entry> + <entry>TCP flags</entry> + <entry>tcp_flags</entry> + </row> + <row> + <entry>window</entry> + <entry>Window</entry> + <entry>integer (16 bit)</entry> + </row> + <row> + <entry>checksum</entry> + <entry>Checksum</entry> + <entry>integer (16 bit)</entry> + </row> + <row> + <entry>urgptr</entry> + <entry>Urgent pointer</entry> + <entry>integer (16 bit)</entry> + </row> + </tbody> + </tgroup> + </table> + </para> + </refsect2> + + <refsect2> + <title>UDP header expression</title> + <para> + <cmdsynopsis> + <command>udp</command> + <arg opt="req"><replaceable>UDP header field</replaceable></arg> + </cmdsynopsis> + </para> + 
<para> + <table frame="all"> + <title>UDP header expression</title> + <tgroup cols='3' align='left' colsep='1' rowsep='1'> + <colspec colname='c1'/> + <colspec colname='c2'/> + <colspec colname='c3'/> + <thead> + <row> + <entry>Keyword</entry> + <entry>Description</entry> + <entry>Type</entry> + </row> + </thead> + <tbody> + <row> + <entry>sport</entry> + <entry>Source port</entry> + <entry>inet_service</entry> + </row> + <row> + <entry>dport</entry> + <entry>Destination port</entry> + <entry>inet_service</entry> + </row> + <row> + <entry>length</entry> + <entry>Total packet length</entry> + <entry>integer (16 bit)</entry> + </row> + <row> + <entry>checksum</entry> + <entry>Checksum</entry> + <entry>integer (16 bit)</entry> + </row> + </tbody> + </tgroup> + </table> + </para> + </refsect2> + + <refsect2> + <title>UDP-Lite header expression</title> + <para> + <cmdsynopsis> + <command>udplite</command> + <arg opt="req"><replaceable>UDP-Lite header field</replaceable></arg> + </cmdsynopsis> + </para> + <para> + <table frame="all"> + <title>UDP-Lite header expression</title> + <tgroup cols='3' align='left' colsep='1' rowsep='1'> + <colspec colname='c1'/> + <colspec colname='c2'/> + <colspec colname='c3'/> + <thead> + <row> + <entry>Keyword</entry> + <entry>Description</entry> + <entry>Type</entry> + </row> + </thead> + <tbody> + <row> + <entry>sport</entry> + <entry>Source port</entry> + <entry>inet_service</entry> + </row> + <row> + <entry>dport</entry> + <entry>Destination port</entry> + <entry>inet_service</entry> + </row> + <row> + <entry>cscov</entry> + <entry>Checksum coverage</entry> + <entry>integer (16 bit)</entry> + </row> + <row> + <entry>checksum</entry> + <entry>Checksum</entry> + <entry>integer (16 bit)</entry> + </row> + </tbody> + </tgroup> + </table> + </para> + </refsect2> + + + <refsect2> + <title>SCTP header expression</title> + <para> + <cmdsynopsis> + <command>sctp</command> + <arg opt="req"><replaceable>SCTP header field</replaceable></arg> + 
</cmdsynopsis> + </para> + <para> + <table frame="all"> + <title>SCTP header expression</title> + <tgroup cols='3' align='left' colsep='1' rowsep='1'> + <colspec colname='c1'/> + <colspec colname='c2'/> + <colspec colname='c3'/> + <thead> + <row> + <entry>Keyword</entry> + <entry>Description</entry> + <entry>Type</entry> + </row> + </thead> + <tbody> + <row> + <entry>sport</entry> + <entry>Source port</entry> + <entry>inet_service</entry> + </row> + <row> + <entry>dport</entry> + <entry>Destination port</entry> + <entry>inet_service</entry> + </row> + <row> + <entry>vtag</entry> + <entry>Verfication Tag</entry> + <entry>integer (32 bit)</entry> + </row> + <row> + <entry>checksum</entry> + <entry>Checksum</entry> + <entry>integer (32 bit)</entry> + </row> + </tbody> + </tgroup> + </table> + </para> + </refsect2> + + <refsect2> + <title>DCCP header expression</title> + <para> + <cmdsynopsis> + <command>dccp</command> + <arg opt="req"><replaceable>DCCP header field</replaceable></arg> + </cmdsynopsis> + </para> + <para> + <table frame="all"> + <title>DCCP header expression</title> + <tgroup cols='3' align='left' colsep='1' rowsep='1'> + <colspec colname='c1'/> + <colspec colname='c2'/> + <colspec colname='c3'/> + <thead> + <row> + <entry>Keyword</entry> + <entry>Description</entry> + <entry>Type</entry> + </row> + </thead> + <tbody> + <row> + <entry>sport</entry> + <entry>Source port</entry> + <entry>inet_service</entry> + </row> + <row> + <entry>dport</entry> + <entry>Destination port</entry> + <entry>inet_service</entry> + </row> + </tbody> + </tgroup> + </table> + </para> + </refsect2> + + <refsect2> + <title>Authentication header expression</title> + <para> + <cmdsynopsis> + <command>ah</command> + <arg opt="req"><replaceable>AH header field</replaceable></arg> + </cmdsynopsis> + </para> + <para> + <table frame="all"> + <title>AH header expression</title> + <tgroup cols='3' align='left' colsep='1' rowsep='1'> + <colspec colname='c1'/> + <colspec colname='c2'/> + 
<colspec colname='c3'/> + <thead> + <row> + <entry>Keyword</entry> + <entry>Description</entry> + <entry>Type</entry> + </row> + </thead> + <tbody> + <row> + <entry>nexthdr</entry> + <entry>Next header protocol</entry> + <entry>inet_service</entry> + </row> + <row> + <entry>hdrlength</entry> + <entry>AH Header length</entry> + <entry>integer (8 bit)</entry> + </row> + <row> + <entry>reserved</entry> + <entry>Reserved area</entry> + <entry>FIXME</entry> + </row> + <row> + <entry>spi</entry> + <entry>Security Parameter Index</entry> + <entry>integer (32 bit)</entry> + </row> + <row> + <entry>sequence</entry> + <entry>Sequence number</entry> + <entry>integer (32 bit)</entry> + </row> + </tbody> + </tgroup> + </table> + </para> + </refsect2> + + <refsect2> + <title> Encrypted security payload header expression</title> + <para> + <cmdsynopsis> + <command>esp</command> + <arg opt="req"><replaceable>ESP header field</replaceable></arg> + </cmdsynopsis> + </para> + <para> + <table frame="all"> + <title>ESP header expression</title> + <tgroup cols='3' align='left' colsep='1' rowsep='1'> + <colspec colname='c1'/> + <colspec colname='c2'/> + <colspec colname='c3'/> + <thead> + <row> + <entry>Keyword</entry> + <entry>Description</entry> + <entry>Type</entry> + </row> + </thead> + <tbody> + <row> + <entry>spi</entry> + <entry>Security Parameter Index</entry> + <entry>integer (32 bit)</entry> + </row> + <row> + <entry>sequence</entry> + <entry>Sequence number</entry> + <entry>integer (32 bit)</entry> + </row> + </tbody> + </tgroup> + </table> + </para> + </refsect2> + + <refsect2> + <title>IPcomp header expression</title> + <para> + <cmdsynopsis> + <command>ipcomp</command> + <arg opt="req"><replaceable>IPComp header field</replaceable></arg> + </cmdsynopsis> + </para> + <para> + <table frame="all"> + <title>IPComp header expression</title> + <tgroup cols='3' align='left' colsep='1' rowsep='1'> + <colspec colname='c1'/> + <colspec colname='c2'/> + <colspec colname='c3'/> + 
<thead> + <row> + <entry>Keyword</entry> + <entry>Description</entry> + <entry>Type</entry> + </row> + </thead> + <tbody> + <row> + <entry>nexthdr</entry> + <entry>Next header protocol</entry> + <entry>inet_service</entry> + </row> + <row> + <entry>flags</entry> + <entry>Flags</entry> + <entry>FIXME</entry> + </row> + <row> + <entry>cfi</entry> + <entry>Compression Parameter Index</entry> + <entry>FIXME</entry> + </row> + </tbody> + </tgroup> + </table> + </para> + </refsect2> + </refsect1> + + <refsect1> + <title>bla</title> + <refsect2> + <title>IPv6 extension header expressions</title> + <para> + IPv6 extension header expressions refer to data from an IPv6 packet's extension headers. + </para> + </refsect2> + + <refsect2> + <title>Conntrack expressions</title> + <para> + Conntrack expressions refer to meta data of the connection tracking entry associated with a packet. + </para> + <para> + <cmdsynopsis> + <command>ct</command> + <group choice="req"> + <arg>state</arg> + <arg>direction</arg> + <arg>status</arg> + <arg>mark</arg> + <arg>expiration</arg> + <arg>helper</arg> + <arg>l3proto</arg> + <arg>saddr</arg> + <arg>daddr</arg> + <arg>protocol</arg> + <arg>proto-src</arg> + <arg>proto-dst</arg> + </group> + </cmdsynopsis> + </para> + <para> + <table frame="all"> + <title>Conntrack expressions</title> + <tgroup cols='3' align='left' colsep='1' rowsep='1'> + <colspec colname='c1'/> + <colspec colname='c2'/> + <colspec colname='c3'/> + <thead> + <row> + <entry>Keyword</entry> + <entry>Description</entry> + <entry>Type</entry> + </row> + </thead> + <tbody> + <row> + <entry>state</entry> + <entry>State of the connection</entry> + <entry>ct_state</entry> + </row> + <row> + <entry>direction</entry> + <entry>Direction of the packet relative to the connection</entry> + <entry>ct_dir</entry> + </row> + <row> + <entry>status</entry> + <entry>Status of the connection</entry> + <entry>ct_status</entry> + </row> + <row> + <entry>mark</entry> + <entry>Connection mark</entry> 
+ <entry>packetmark</entry> + </row> + <row> + <entry>expiration</entry> + <entry>Connection expiration time</entry> + <entry>time</entry> + </row> + <row> + <entry>helper</entry> + <entry>Helper associated with the connection</entry> + <entry>string</entry> + </row> + <row> + <entry>l3proto</entry> + <entry>Layer 3 protocol of the connection</entry> + <entry>nf_proto FIXME</entry> + </row> + <row> + <entry>saddr</entry> + <entry>Source address of the connection for the given direction</entry> + <entry>ipv4_addr/ipv6_addr</entry> + </row> + <row> + <entry>daddr</entry> + <entry>Destination address of the connection for the given direction</entry> + <entry>ipv4_addr/ipv6_addr</entry> + </row> + <row> + <entry>protocol</entry> + <entry>Layer 4 protocol of the connection for the given direction</entry> + <entry>inet_proto</entry> + </row> + <row> + <entry>proto-src</entry> + <entry>Layer 4 protocol source for the given direction</entry> + <entry>FIXME</entry> + </row> + <row> + <entry>proto-dst</entry> + <entry>Layer 4 protocol destination for the given direction</entry> + <entry>FIXME</entry> + </row> + </tbody> + </tgroup> + </table> + </para> </refsect2> </refsect1> <refsect1> + <title>Statements</title> + <para> + Statements represent actions to be performed. They can alter control flow (return, jump + to a different chain, accept or drop the packet) or can perform actions, such as logging, + rejecting a packet, etc. + </para> + <para> + Statements exist in two kinds. Terminal statements unconditionally terminate evaluation + of the current rule, non-terminal statements either only conditionally or never terminate + evaluation of the current rule, in other words, they are passive from the ruleset evaluation + perspective. There can be an arbitrary amount of non-terminal statements in a rule, but + only a single terminal statement as the final statement. 
+ </para> + + <refsect2> + <title>Verdict statement</title> + <para> + The verdict statement alters control flow in the ruleset and issues + policy decisions for packets. + </para> + <para> + <cmdsynopsis> + <group choice="req"> + <arg>accept</arg> + <arg>drop</arg> + <arg>queue</arg> + <arg>continue</arg> + <arg>return</arg> + </group> + </cmdsynopsis> + <cmdsynopsis> + <group choice="req"> + <arg>jump</arg> + <arg>goto</arg> + </group> + <arg choice="req"><replaceable>chain</replaceable></arg> + </cmdsynopsis> + </para> + <para> + <variablelist> + <varlistentry> + <term><option>accept</option></term> + <listitem> + <para> + Terminate ruleset evaluation and accept the packet. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>drop</option></term> + <listitem> + <para> + Terminate ruleset evaluation and drop the packet. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>queue</option></term> + <listitem> + <para> + Terminate ruleset evaluation and queue the packet to userspace. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>continue</option></term> + <listitem> + <para> + Continue ruleset evaluation with the next rule. FIXME + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>return</option></term> + <listitem> + <para> + Return from the current chain and continue evaluation at the + next rule in the last chain. If issued in a base chain, it is + equivalent to <command>accept</command>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>jump <replaceable>chain</replaceable></option></term> + <listitem> + <para> + Continue evaluation at the first rule in <replaceable>chain</replaceable>. + The current position in the ruleset is pushed to a call stack and evaluation + will continue there when the new chain is entirely evaluated of a + <command>return</command> verdict is issued. 
+ </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>goto <replaceable>chain</replaceable></option></term> + <listitem> + <para> + Similar to <command>jump</command>, but the current position is not pushed + to the call stack, meaning that after the new chain evaluation will continue + at the last chain instead of the one containing the goto statement. + </para> + </listitem> + </varlistentry> + </variablelist> + </para> + <para> + <example> + <title>Verdict statements</title> + <programlisting> + # process packets from eth0 and the internal network in from_lan + # chain, drop all packets from eth0 with different source addresses. + filter input iif eth0 ip saddr 192.168.0.0/24 jump from_lan + filter input iif eth0 drop + </programlisting> + </example> + </para> + </refsect2> + <refsect2> + <title>Log statement</title> + <para> + </para> + </refsect2> + <refsect2> + <title>Reject statement</title> + <para> + </para> + </refsect2> + <refsect2> + <title>Counter statement</title> + <para> + </para> + </refsect2> + <refsect2> + <title>Meta statement</title> + <para> + </para> + </refsect2> + <refsect2> + <title>Limit statement</title> + <para> + </para> + </refsect2> + <refsect2> + <title>NAT statement</title> + <para> + </para> + </refsect2> + <refsect2> + <title>Queue statement</title> + <para> + </para> + </refsect2> + </refsect1> + + <refsect1> + <title>Error reporting</title> + <para> + When an error is detected, nft shows the line(s) containing the error, the position + of the erroneous parts in the input stream and marks up the erroneous parts using + carrets (<literal>^</literal>). If the error results from the combination of two + expressions or statements, the part imposing the constraints which are violated is + marked using tildes (<literal>~</literal>). + </para> + <para> + For errors returned by the kernel, nft can't detect which parts of the input caused + the error and the entire command is marked. 
+ </para> + <example> + <title>Error caused by single incorrect expression</title> + <programlisting> + <cmdline>:1:19-22: Error: Interface does not exist + filter output oif eth0 + ^^^ + </programlisting> + </example> + <example> + <title>Error caused by invalid combination of two expressions</title> + <programlisting> + <cmdline>:1:28-36: Error: Right hand side of relational expression (==) must be constant + filter output tcp dport == tcp dport + ~~ ^^^^^^^^^ + </programlisting> + </example> + + <example> + <title>Error returned by the kernel</title> + <programlisting> + <cmdline>:0:0-23: Error: Could not process rule: Operation not permitted + filter output oif wlan0 + ^^^^^^^^^^^^^^^^^^^^^^^ + </programlisting> + </example> + </refsect1> + + <refsect1> <title>Exit status</title> <para> - On success, nftables exits with a status of 0. Unspecified + On success, nft exits with a status of 0. Unspecified errors cause it to exit with a status of 1, memory allocation errors with a status of 2. </para> @@ -955,7 +2151,7 @@ <refsect1> <title>Copyright</title> <para> - Copyright © 2008 Patrick McHardy <email>kaber@trash.net</email> + Copyright © 2008-2014 Patrick McHardy <email>kaber@trash.net</email> </para> <para> This program is free software; you can redistribute it and/or modify |
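Review bot: `<arg opt="req">` in every payload expression synopsis (ether, vlan, arp, ip, ip6, tcp, udp, udplite, sctp, dccp, ah, esp, ipcomp) uses an attribute the DocBook `arg` element does not have; the attribute is `choice`, as the verdict statement synopsis in this same patch already uses with `<arg choice="req"><replaceable>chain</replaceable></arg>`. Change these to `<arg choice="req">` so the file validates against the docbookx.dtd the new DOCTYPE points at.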
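Review bot: the VLAN header expression table declares `<colspec colname='c2'/>` twice and never declares `c3`, although `tgroup cols='3'`; every other three-column table in the patch uses c1/c2/c3, and duplicate column names are rejected by DocBook processors. The `type` row in that table (and `ptype` in the ARP table) gives its type as `ethertype`, while the Ethernet header table calls the same type `ether_type`; pick one spelling.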
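Review bot: `nexthdr` in the AH and IPComp tables is typed `inet_service`, the port type used for `sport`/`dport`; a next-header field carries an IP protocol number, which the IPv4 `protocol` and IPv6 `nexthdr` rows in this same patch type as `inet_proto`. Change both rows to `inet_proto`. In the same region, `<title> Encrypted security payload header expression</title>` has a leading space, and the section title `IPcomp header expression` disagrees with its own table title `IPComp header expression`.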
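Review bot: several placeholders ship in the new text: the refsect1 wrapping the IPv6 extension header and conntrack expressions is titled `bla`; the IPv6 `priority` row has empty description and type cells and `flowlabel` has no type; `FIXME` remains in the ARP (`htype`, `op`), IPv4 (`tos`, `hdrlength` scaling), TCP (`doff` scaling, `reserved`), AH and IPComp (`reserved`, `flags`, `cfi`) and conntrack (`l3proto`, `proto-src`, `proto-dst`) tables and in the `continue` verdict description; and the Log, Reject, Counter, Meta, Limit, NAT and Queue statement sections contain only an empty `<para>`. If this is intended to land as a partial update, say so in the commit message; otherwise give the refsect1 a real title (for example `Other expressions`) and either fill in or drop the empty rows and sections, since an empty `<para>` renders as a heading with nothing under it.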
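Review bot: typos carried into or introduced by the new text: `Verfication Tag` in the SCTP table (also present in the removed table, so this is the moment to fix it to `Verification Tag`); `Hardware address len` / `Protocol address len` in the ARP table should read `length`; `carrets` in the Error reporting section should be `carets`; and in the `jump` description `when the new chain is entirely evaluated of a return verdict is issued` should read `or a`.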
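Review bot: the `Meta expression specific types` table defines `ifname` but no keyword uses it; `iifname` and `oifname` in the table above are typed `string`. Either type those two keywords `ifname` or drop the row. The last clause of the introductory paragraph is circular (`unqualified meta expressions can be specified by using the meta key directly or as qualified meta expressions`); say instead that unqualified keys may be written with or without the `meta` prefix, which is what the example that follows shows.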
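Review bot: the three Error reporting examples put a literal `<cmdline>` inside `<programlisting>`; programlisting content is parsed as XML, so this opens an undefined and unclosed `cmdline` element and the document is no longer well-formed. Escape it as `&lt;cmdline&gt;` in all three. In the first example the message reports columns 19-22 (`eth0`, four characters) but only three carets `^^^` are drawn; the second example's `~~` and nine carets do line up with columns 25-26 and 28-36 of `filter output tcp dport == tcp dport`, so bring the first into line with it.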
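Review bot: the comment on the verdict example (`drop all packets from eth0 with different source addresses`) holds only if `from_lan` ends every path with a terminal verdict; by the `return` semantics given two paragraphs earlier, a packet that returns from `from_lan` continues at the next rule in the calling chain, which is `filter input iif eth0 drop`, so it is dropped even though its source address matched. Either state that assumption in the comment or make `from_lan` `goto` rather than `jump` so the fall-through is explicit.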