summaryrefslogtreecommitdiffstats
path: root/doc/data-types.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/data-types.txt')
-rw-r--r--doc/data-types.txt485
1 files changed, 485 insertions, 0 deletions
diff --git a/doc/data-types.txt b/doc/data-types.txt
new file mode 100644
index 00000000..1d4218eb
--- /dev/null
+++ b/doc/data-types.txt
@@ -0,0 +1,485 @@
+INTEGER TYPE
+~~~~~~~~~~~
+[options="header"]
+|==================
+|Name | Keyword | Size | Base type
+|Integer |
+integer |
+variable |
+-
+|===================
+
+The integer type is used for numeric values. It may be specified as decimal, hexadecimal or octal number. The integer type doesn't have a fixed size, its size is determined by the expression for which it is used.
+
+BITMASK TYPE
+~~~~~~~~~~~~
+[options="header"]
+|==================
+|Name | Keyword | Size | Base type
+|Bitmask |
+bitmask |
+variable |
+integer
+|===================
+
+The bitmask type (bitmask) is used for bitmasks.
+
+STRING TYPE
+~~~~~~~~~~~~
+[options="header"]
+|==================
+|Name | Keyword | Size | Base type
+|String |
+string |
+variable |
+-
+|===================
+
+The string type is used for character strings. A string begins with an alphabetic character (a-zA-Z) followed by zero or more alphanumeric characters or the characters /, -, _ and .. In addition anything enclosed in double quotes (") is recognized as a string.
+
+.String specification
+----------------------
+# Interface name
+filter input iifname eth0
+
+# Weird interface name
+filter input iifname "(eth0)"
+----------------------------
+
+LINK LAYER ADDRESS TYPE
+~~~~~~~~~~~~~~~~~~~~~~~
+[options="header"]
+|==================
+|Name | Keyword | Size | Base type
+|Link layer address |
+lladdr|
+variable |
+integer
+|===================
+
+The link layer address type is used for link layer addresses. Link layer addresses are specified as a variable amount of groups of two hexadecimal digits separated using colons (:).
+
+.Link layer address specification
+----------------------
+# Ethernet destination MAC address
+filter input ether daddr 20:c9:d0:43:12:d9
+----------------------------
+
+IPV4 ADDRESS TYPE
+~~~~~~~~~~~~~~~~~
+[options="header"]
+|==================
+|Name | Keyword | Size | Base type
+|IPV4 address|
+ipv4_addr|
+32 bit|
+integer
+|===================
+
+The IPv4 address type is used for IPv4 addresses. Addresses are specified in either dotted decimal, dotted hexadecimal, dotted octal, decimal, hexadecimal, octal notation or as a host name. A host name will be resolved using the standard system resolver.
+
+.IPv4 address specification
+----------------------
+# dotted decimal notation
+filter output ip daddr 127.0.0.1
+
+# host name
+filter output ip daddr localhost
+----------------------------
+
+IPV6 ADDRESS TYPE
+~~~~~~~~~~~~~~~~~
+[options="header"]
+|==================
+|Name | Keyword | Size | Base type
+|IPv6 address|
+ipv6_addr|
+128 bit|
+integer
+|===================
+
+The IPv6 address type is used for IPv6 addresses. Addresses are specified as a host name or as hexadecimal halfwords separated by colons. Addresses might be enclosed in square brackets ("[]") to differentiate them from port numbers.
+
+.IPv6 address specificationIPv6 address specification with bracket notation
+----------------------
+# abbreviated loopback address
+filter output ip6 daddr ::1
+
+# without [] the port number (22) would be parsed as part of ipv6 address
+ip6 nat prerouting tcp dport 2222 dnat to [1ce::d0]:22
+----------------------------
+
+BOOLEAN TYPE
+~~~~~~~~~~~~
+[options="header"]
+|==================
+|Name | Keyword | Size | Base type
+|Boolean |
+boolean |
+1 bit |
+integer
+|===================
+
+The boolean type is a syntactical helper type in user space. It's use is in the right-hand side of a (typically implicit) relational expression to change the expression on the left-hand side into a boolean check (usually for existence). +
+
+The following keywords will automatically resolve into a boolean type with given value:
+The bitmask type (bitmask) is used for bitmasks.
+
+[options="header"]
+|==================
+|Keyword | Value
+|exits |
+1 |
+missing |
+0
+|===================
+
+[options="header"]
+|======================================
+|Expression | Behaviour
+|fib |
+Check route existence.
+|exthdr|
+Check IPv6 extension header existence.
+|tcp option |
+Check TCP option header existence.
+|===================
+
+.expressions support a boolean comparison:
+[options="header"]
+|======================================
+|Expression | Behaviour
+|fib |
+Check route existence.
+|exthdr|
+Check IPv6 extension header existence.
+|tcp option |
+Check TCP option header existence.
+|===================
+
+.Boolean specification
+----------------------
+# match if route exists
+filter input fib daddr . iif oif exists
+
+# match only non-fragmented packets in IPv6 traffic
+filter input exthdr frag missing
+
+# match if TCP timestamp option is present
+filter input tcp option timestamp exists
+------------------------------------------
+
+ICMP TYPE TYPE
+~~~~~~~~~~~~~~
+[options="header"]
+|==================
+|Name | Keyword | Size | Base type
+|ICMP Type |
+icmp_type |
+8 bit |
+integer
+|===================
+The ICMP Type type is used to conveniently specify the ICMP header's type field.
+
+.Keywords may be used when specifying the ICMP type
+[options="header"]
+|==================
+|Keyword | Value
+|echo-reply |
+0
+|destination-unreachable |
+3
+|source-quench|
+4
+|redirect|
+5
+|echo-request|
+8
+|router-advertisement|
+9
+|router-solicitation|
+10
+|time-exceeded|
+11
+|parameter-problem|
+12
+|timestamp-request|
+13
+|timestamp-reply|
+14
+|info-request|
+15
+|info-reply|
+16
+|address-mask-request|
+17
+|address-mask-reply|
+18
+|===================
+
+.ICMP Type specification
+------------------------
+# match ping packets
+filter output icmp type { echo-request, echo-reply }
+------------------------
+
+ICMP CODE TYPE
+~~~~~~~~~~~~~~
+[options="header"]
+|==================
+|Name | Keyword | Size | Base type
+|ICMP Type |
+icmp_type |
+8 bit |
+integer
+|===================
+
+The ICMP Code type is used to conveniently specify the ICMP header's code field.
+
+.Keywords may be used when specifying the ICMP type
+[options="header"]
+|==================
+|Keyword | Value
+|net-unreachable |
+0
+|host-unreachable |
+1
+|prot-unreachable|
+2
+|port-unreachable|
+3
+|net-prohibited|
+9
+|host-prohibited|
+10
+|admin-prohibited|
+13
+|===================
+
+ICMPV6 TYPE TYPE
+~~~~~~~~~~~~~~~~
+[options="header"]
+|==================
+|Name | Keyword | Size | Base type
+|ICMPv6 Type |
+icmpv6_type |
+8 bit |
+integer
+|===================
+
+The ICMPv6 Type type is used to conveniently specify the ICMPv6 header's type field.
+
+.keywords may be used when specifying the ICMPv6 type:
+[options="header"]
+|==================
+|Keyword | Value
+|destination-unreachable |
+1
+|packet-too-big|
+2
+|time-exceeded|
+3
+|parameter-problem|
+4
+|echo-request|
+128
+|echo-reply|
+129
+|mld-listener-query|
+130
+|mld-listener-report|
+131
+|mld-listener-done |
+132
+|mld-listener-reduction|
+132
+|nd-router-solicit |
+133
+|nd-router-advert|
+134
+|nd-neighbor-solicit|
+135
+|nd-neighbor-advert|
+136
+|nd-redirect|
+137
+|router-renumbering|
+138
+|ind-neighbor-solicit|
+141
+|ind-neighbor-advert|
+142
+|mld2-listener-report|
+143
+|===================
+
+.ICMPv6 Type specification
+--------------------------
+# match ICMPv6 ping packets
+filter output icmpv6 type { echo-request, echo-reply }
+--------------------------
+
+ICMPV6 CODE TYPE
+~~~~~~~~~~~~~~~~
+[options="header"]
+|==================
+|Name | Keyword | Size | Base type
+|ICMPv6 Code |
+icmpv6_type |
+8 bit |
+integer
+|===================
+
+The ICMPv6 Code type is used to conveniently specify the ICMPv6 header's code field.
+
+.keywords may be used when specifying the ICMPv6 code
+[options="header"]
+|==================
+|Keyword |Value
+|no-route|
+0
+|admin-prohibited|
+1
+|addr-unreachable|
+3
+|port-unreachable|
+4
+|policy-fail|
+5
+|reject-route|
+6
+|==================
+
+ICMPVX CODE TYPE
+~~~~~~~~~~~~~~~~
+[options="header"]
+|==================
+|Name | Keyword | Size | Base type
+|ICMPvX Code |
+icmpv6_type |
+8 bit |
+integer
+|===================
+
+The ICMPvX Code type abstraction is a set of values which overlap between ICMP and ICMPv6 Code types to be used from the inet family.
+
+.keywords may be used when specifying the ICMPvX code
+[options="header"]
+|==================
+|Keyword |Value
+|no-route|
+0
+|port-unreachable|
+1
+|host-unreachable|
+2
+|admin-prohibited|
+3
+|=================
+
+CONNTRACK TYPES
+~~~~~~~~~~~~~~~
+
+.overview of types used in ct expression and statement
+[options="header"]
+|==================
+|Name | Keyword |Size |Base type
+|conntrack state|
+ct_state|
+4 byte|
+bitmask
+|conntrack direction|
+ct_dir |
+8 bit|
+integer
+|conntrack status|
+ct_status|
+4 byte|
+bitmask
+|conntrack event bits|
+ct_events |
+4 byte |
+bitmask
+|conntrack label|
+ct_label |
+128 bit|
+bitmask
+|=================
+
+For each of the types above, keywords are available for convenience:
+
+.conntrack state (ct_state)
+[options="header"]
+|==================
+|Keyword| Value
+|invalid|
+1
+|established|
+2
+|related|
+4
+|new|
+8
+|untracked|
+64
+|================
+
+.conntrack direction (ct_dir)
+[options="header"]
+|==================
+|Keyword| Value
+|original|
+0
+|reply|
+1
+|================
+
+.conntrack status (ct_status)
+[options="header"]
+|==================
+|Keyword| Value
+|expected|
+1
+|seen-reply|
+1
+|assured|
+4
+|confirmed|
+8
+|snat|
+16
+|dnat|
+32
+|dying|
+512
+|================
+
+.conntrack event bits (ct_event)
+[options="header"]
+|==================
+|Keyword| Value
+|new|
+1
+|related|
+2
+|destroy|
+4
+|reply|
+8
+|assured|
+16
+|protoinfo|
+32
+|helper|
+64
+|mark|
+128
+|seqadj|
+256
+|secmark|
+512
+|label|
+1024
+|==================
+
+Possible keywords for conntrack label type (ct_label) are read at runtime from /etc/connlabel.conf.