path: root/doc/nft.xml
Diffstat (limited to 'doc/nft.xml')
-rw-r--r--doc/nft.xml460
1 files changed, 457 insertions, 3 deletions
diff --git a/doc/nft.xml b/doc/nft.xml
index e6e8583f..9eed8834 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -2203,36 +2203,490 @@ filter input iif eth0 drop
<refsect2>
<title>Log statement</title>
<para>
+ <cmdsynopsis>
+ <command>log</command>
+ <arg choice="opt">prefix
+ <replaceable>quoted_string</replaceable></arg>
+ <arg choice="opt">level
+ <replaceable>syslog-level</replaceable></arg>
+ </cmdsynopsis>
+ <cmdsynopsis>
+ <command>log</command>
+ <arg choice="none">group
+ <replaceable>nflog_group</replaceable></arg>
+ <arg choice="opt">prefix
+ <replaceable>quoted_string</replaceable></arg>
+ <arg choice="opt">queue-threshold
+ <replaceable>value</replaceable></arg>
+ <arg choice="opt">snaplen
+ <replaceable>size</replaceable></arg>
+ </cmdsynopsis>
</para>
- </refsect2>
+ <para>
+ The log statement enables logging of matching packets. When this statement is used from a rule, the Linux kernel will print some information on all matching packets, such as header fields, via the kernel log (where it can be read with dmesg(1) or read in the syslog). If the group number is specified, the Linux kernel will pass the packet to nfnetlink_log which will multicast the packet through a netlink socket to the specified multicast group. One or more userspace processes may subscribe to the group to receive the packets, see libnetfilter_queue documentation for details. This is a non-terminating statement, so the rule evaluation continues after the packet is logged.
+ </para>
+ <para>
+ <table frame="all">
+ <title>log statement options</title>
+ <tgroup cols='3' align='left' colsep='1' rowsep='1'>
+ <colspec colname='c1'/>
+ <colspec colname='c2'/>
+ <colspec colname='c3'/>
+ <thead>
+ <row>
+ <entry>Keyword</entry>
+ <entry>Description</entry>
+ <entry>Type</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>prefix</entry>
+ <entry>Log message prefix</entry>
+ <entry>quoted string</entry>
+ </row>
+ <row>
+ <entry>syslog-level</entry>
+ <entry>Syslog level of logging</entry>
+ <entry>string: emerg, alert, crit, err, warn [default], notice, info, debug</entry>
+ </row>
+ <row>
+ <entry>group</entry>
+ <entry>NFLOG group to send messages to</entry>
+ <entry>unsigned integer (16 bit)</entry>
+ </row>
+ <row>
+ <entry>snaplen</entry>
+ <entry>Length of packet payload to include in netlink message</entry>
+ <entry>unsigned integer (32 bit)</entry>
+ </row>
+ <row>
+ <entry>queue-threshold</entry>
+ <entry>Number of packets to queue inside the kernel before sending them to userspace</entry>
+ <entry>unsigned integer (32 bit)</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ </para>
+ </refsect2>
<refsect2>
<title>Reject statement</title>
<para>
+ <cmdsynopsis>
+ <command>reject</command>
+ <arg choice="none">with</arg>
+ <group choice="req">
+ <arg>icmp</arg>
+ <arg>icmp6</arg>
+ <arg>icmpx</arg>
+ </group>
+ <arg choice="none">type</arg>
+ <group choice="req">
+ <arg>icmp_type</arg>
+ <arg>icmp6_type</arg>
+ <arg>icmpx_type</arg>
+ </group>
+ </cmdsynopsis>
+ <cmdsynopsis>
+ <command>reject</command>
+ <arg choice="none">with</arg>
+ <arg choice="req">tcp</arg>
+ <arg choice="req">reset</arg>
+ </cmdsynopsis>
+ </para>
+ <para>
+ A reject statement is used to send back an error packet in response to the matched packet otherwise it is equivalent to drop so it is a terminating statement, ending rule traversal. This statement is only valid in the input, forward and output chains, and user-defined chains which are only called from those chains.
+ <table frame="all">
+ <title>reject statement type (ip)</title>
+ <tgroup cols='3' align='left' colsep='1' rowsep='1'>
+ <colspec colname='c1'/>
+ <colspec colname='c2'/>
+ <colspec colname='c3'/>
+ <thead>
+ <row>
+ <entry>Value</entry>
+ <entry>Description</entry>
+ <entry>Type</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>icmp_type</entry>
+ <entry>ICMP type response to be sent to the host</entry>
+ <entry>net-unreachable, host-unreachable, prot-unreachable, port-unreachable [default], net-prohibited, host-prohibited, admin-prohibited</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ <table frame="all">
+ <title>reject statement type (ip6)</title>
+ <tgroup cols='3' align='left' colsep='1' rowsep='1'>
+ <colspec colname='c1'/>
+ <colspec colname='c2'/>
+ <colspec colname='c3'/>
+ <thead>
+ <row>
+ <entry>Value</entry>
+ <entry>Description</entry>
+ <entry>Type</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>icmp6_type</entry>
+ <entry>ICMPv6 type response to be sent to the host</entry>
+ <entry>no-route, admin-prohibited, addr-unreachable, port-unreachable [default], policy-fail, reject-route</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ <table frame="all">
+ <title>reject statement type (inet)</title>
+ <tgroup cols='3' align='left' colsep='1' rowsep='1'>
+ <colspec colname='c1'/>
+ <colspec colname='c2'/>
+ <colspec colname='c3'/>
+ <thead>
+ <row>
+ <entry>Value</entry>
+ <entry>Description</entry>
+ <entry>Type</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>icmpx_type</entry>
+ <entry>ICMPvXtype abstraction response to be sent to the host, this is a set of types that overlap in IPv4 and IPv6 to be used from the inet family.</entry>
+ <entry>port-unreachable [default], admin-prohibited, no-route, host-unreachable</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
</para>
</refsect2>
<refsect2>
<title>Counter statement</title>
<para>
+ A counter statement sets the hit count of packets along with the number of bytes.
</para>
+ <para>
+ <cmdsynopsis>
+ <command>counter</command>
+ <arg choice="req">packets
+ <replaceable>number</replaceable>
+ </arg>
+ <arg choice="req">bytes
+ <replaceable>number</replaceable>
+ </arg>
+ </cmdsynopsis>
+ </para>
+
</refsect2>
<refsect2>
<title>Meta statement</title>
<para>
+ A meta statement sets the value of a meta expression.
+ The existing meta fields are: priority, mark, pkttype, nftrace.
+ </para>
+ <para>
+ <cmdsynopsis>
+ <command>meta</command>
+ <group choice="req">
+ <arg>mark</arg>
+ <arg>priority</arg>
+ <arg>pkttype</arg>
+ <arg>nftrace</arg>
+ </group>
+ <arg choice="none">set</arg>
+ <replaceable>value</replaceable>
+ </cmdsynopsis>
+ </para>
+ <para>
+ A meta statement sets meta data associated with a packet.
+ </para>
+ <para>
+ <table frame="all">
+ <title>Meta statement types</title>
+ <tgroup cols='3' align='left' colsep='1' rowsep='1'>
+ <colspec colname='c1'/>
+ <colspec colname='c2'/>
+ <colspec colname='c3'/>
+ <thead>
+ <row>
+ <entry>Keyword</entry>
+ <entry>Description</entry>
+ <entry>Value</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>priority</entry>
+ <entry>TC packet priority</entry>
+ <entry>tc_handle</entry>
+ </row>
+ <row>
+ <entry>mark</entry>
+ <entry>Packet mark</entry>
+ <entry>mark</entry>
+ </row>
+ <row>
+ <entry>pkttype</entry>
+ <entry>packet type</entry>
+ <entry>pkt_type</entry>
+ </row>
+ <row>
+ <entry>nftrace</entry>
+ <entry>ruleset packet tracing on/off. Use <command>monitor trace</command> command to watch traces</entry>
+ <entry>0, 1</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
</para>
+
+
</refsect2>
<refsect2>
<title>Limit statement</title>
<para>
+ <cmdsynopsis>
+ <command>limit</command>
+ <arg choice="none">rate</arg>
+ <arg choice="opt">over</arg>
+ <replaceable>packet_number</replaceable>
+ <arg choice="none">/</arg>
+ <group choice="req">
+ <arg>second</arg>
+ <arg>minute</arg>
+ <arg>hour</arg>
+ <arg>day</arg>
+ </group>
+ <arg>burst <replaceable>packet_number</replaceable> packets</arg>
+ </cmdsynopsis>
+ <cmdsynopsis>
+ <command>limit</command>
+ <arg choice="none">rate</arg>
+ <arg choice="opt">over</arg>
+ <replaceable>byte_number</replaceable>
+ <group choice="req">
+ <arg>bytes</arg>
+ <arg>kbytes</arg>
+ <arg>mbytes</arg>
+ </group>
+ <arg choice="none">/</arg>
+ <group choice="req">
+ <arg>second</arg>
+ <arg>minute</arg>
+ <arg>hour</arg>
+ <arg>day</arg>
+ <arg>week</arg>
+ </group>
+ <arg>burst <replaceable>byte_number</replaceable> bytes</arg>
+ </cmdsynopsis>
+ </para>
+ <para>
+ A limit statement matches at a limited rate using a token bucket filter. A rule using this statement will match until this limit is reached. It can be used in combination with the log statement to give limited logging. The <command>over</command> keyword, that is optional, makes it match over the specified rate.
</para>
+ <table frame="all">
+ <title>limit statement values</title>
+ <tgroup cols='3' align='left' colsep='1' rowsep='1'>
+ <colspec colname='c1'/>
+ <colspec colname='c2'/>
+ <colspec colname='c3'/>
+ <thead>
+ <row>
+ <entry>Value</entry>
+ <entry>Description</entry>
+ <entry>Type</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>packet_number</entry>
+ <entry>Number of packets</entry>
+ <entry>unsigned integer (32 bit)</entry>
+ </row>
+ <row>
+ <entry>byte_number</entry>
+ <entry>Number of bytes</entry>
+ <entry>unsigned integer (32 bit)</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
</refsect2>
- <refsect2>
- <title>NAT statement</title>
+ <refsect2>
+ <title>NAT statements</title>
<para>
+ <cmdsynopsis>
+ <command>snat</command>
+ <arg choice="none">to
+ <replaceable>address</replaceable>
+ <arg choice="opt">:port</arg></arg>
+ <arg choice="opt">persistent, random, fully-random</arg>
+ </cmdsynopsis>
+ <cmdsynopsis>
+ <command>snat</command>
+ <arg choice="none">to
+ <replaceable>address</replaceable> - <replaceable>address</replaceable>
+ <arg choice="opt">:<replaceable>port</replaceable> - <replaceable>port</replaceable></arg></arg>
+ <arg choice="opt">persistent, random, fully-random</arg>
+ </cmdsynopsis>
+ <cmdsynopsis>
+ <command>dnat</command>
+ <arg choice="none">to
+ <replaceable>address</replaceable>
+ <arg choice="opt">:<replaceable>port</replaceable></arg></arg>
+ <arg choice="opt">persistent, random, fully-random</arg>
+ </cmdsynopsis>
+ <cmdsynopsis>
+ <command>dnat</command>
+ <arg choice="none">to
+ <replaceable>address</replaceable>
+ <arg choice="opt">:<replaceable>port</replaceable> - <replaceable>port</replaceable></arg></arg>
+ <arg choice="opt">persistent, random, fully-random</arg>
+ </cmdsynopsis>
+ </para>
+ <para>
+ The nat statements are only valid from nat chain types.
+ </para>
+ <para>
+ The <command>snat</command> statement is only valid in the postrouting and input hooks, it specifies that the source address of the packet should be modified. The <command>dnat</command> statement is only valid in the prerouting and output chains, it specifies that the destination address of the packet should be modified. You can use non-base chains which are called from base chains of nat chain type too. All future packets in this connection will also be mangled, and rules should cease being examined.
+ </para>
+ <para>
+ <table frame="all">
+ <title>NAT statement values</title>
+ <tgroup cols='3' align='left' colsep='1' rowsep='1'>
+ <colspec colname='c1'/>
+ <colspec colname='c2'/>
+ <colspec colname='c3'/>
+ <thead>
+ <row>
+ <entry>Expression</entry>
+ <entry>Description</entry>
+ <entry>Type</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>address</entry>
+ <entry>Specifies that the source/destination address of the packet should be modified. You may specify a mapping to relate a list of tuples composed of arbitrary expression key with address value.</entry>
+ <entry>ipv4_addr, ipv6_addr, eg. abcd::1234, or you can use a mapping, eg. meta mark map { 10 : 192.168.1.2, 20 : 192.168.1.3 }</entry>
+ </row>
+ <row>
+ <entry>port</entry>
+ <entry>Specifies that the source/destination address of the packet should be modified.</entry>
+ <entry>port number (16 bits)</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ <table frame="all">
+ <title>NAT statement flags</title>
+ <tgroup cols='2' align='left' colsep='1' rowsep='1'>
+ <colspec colname='c1'/>
+ <colspec colname='c2'/>
+ <thead>
+ <row>
+ <entry>Flag</entry>
+ <entry>Description</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>persistent</entry>
+ <entry>Gives a client the same source-/destination-address for each connection.</entry>
+ </row>
+ <row>
+ <entry>random</entry>
+ <entry>If used then port mapping will be randomized using a random seeded MD5 hash mix using source and destination address and destination port.</entry>
+ </row>
+ <row>
+ <entry>fully-random</entry>
+ <entry>If used then port mapping is generated based on a 32-bit pseudo-random algorithm.</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
</para>
</refsect2>
<refsect2>
<title>Queue statement</title>
<para>
+ This statement passes the packet to userspace using the nfnetlink_queue handler. The packet is put into the queue identified by its 16-bit queue number. Userspace can inspect and modify the packet if desired. Userspace must then drop or reinject the packet into the kernel. See libnetfilter_queue documentation for details.
+ </para>
+ <para>
+ <cmdsynopsis>
+ <command>queue</command>
+ <arg choice="opt">num
+ <replaceable>queue_number</replaceable></arg>
+ <arg choice="opt">bypass</arg>
+ </cmdsynopsis>
+ <cmdsynopsis>
+ <command>queue</command>
+ <arg choice="opt">num
+ <replaceable>queue_number_from</replaceable> - <replaceable>queue_number_to</replaceable></arg>
+ <arg choice="opt">bypass,fanout</arg>
+ </cmdsynopsis>
+ </para>
+ <para>
+ <table frame="all">
+ <title>queue statement values</title>
+ <tgroup cols='3' align='left' colsep='1' rowsep='1'>
+ <colspec colname='c1'/>
+ <colspec colname='c2'/>
+ <colspec colname='c3'/>
+ <thead>
+ <row>
+ <entry>Value</entry>
+ <entry>Description</entry>
+ <entry>Type</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>queue_number</entry>
+ <entry>Sets queue number, default is 0.</entry>
+ <entry>unsigned integer (16 bit)</entry>
+ </row>
+ <row>
+ <entry>queue_number_from</entry>
+ <entry>Sets initial queue in the range, if fanout is used.</entry>
+ <entry>unsigned integer (16 bit)</entry>
+ </row>
+ <row>
+ <entry>queue_number_to</entry>
+ <entry>Sets closing queue in the range, if fanout is used.</entry>
+ <entry>unsigned integer (16 bit)</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ <table frame="all">
+ <title>queue statement flags</title>
+ <tgroup cols='2' align='left' colsep='1' rowsep='1'>
+ <colspec colname='c1'/>
+ <colspec colname='c2'/>
+ <thead>
+ <row>
+ <entry>Flag</entry>
+ <entry>Description</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>bypass</entry>
+ <entry>Let packets go through if userspace application cannot back off. Before using this flag, read libnetfilter_queue documentation for performance tuning recomendations.</entry>
+ </row>
+ <row>
+ <entry>fanout</entry>
+ <entry>Distribute packets between several queues.</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
</para>
</refsect2>
</refsect1>
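Review bot: the new log statement paragraph sends readers to the libnetfilter_queue documentation for receiving packets from an nflog group, but the nfnetlink_log multicast groups are consumed via libnetfilter_log; suggest "see libnetfilter_log documentation for details" there and keep the libnetfilter_queue reference for the queue statement only. Two smaller fixes in the same hunk: the "port" row of the "NAT statement values" table repeats the address row's text ("Specifies that the source/destination address of the packet should be modified.") where it should describe the port, and the bypass flag description misspells "recomendations" (also "ICMPvXtype" in the inet reject table is missing a space).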