diff options
Diffstat (limited to 'doc/primary-expression.txt')
-rw-r--r-- | doc/primary-expression.txt | 56 |
1 files changed, 43 insertions, 13 deletions
diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt index a9c39cbb..782494bd 100644 --- a/doc/primary-expression.txt +++ b/doc/primary-expression.txt @@ -168,15 +168,18 @@ Either an integer or a date in ISO format. For example: "2019-06-06 17:00". Hour and seconds are optional and can be omitted if desired. If omitted, midnight will be assumed. The following three would be equivalent: "2019-06-06", "2019-06-06 00:00" -and "2019-06-06 00:00:00". +and "2019-06-06 00:00:00". Use a range expression such as +"2019-06-06 10:00"-"2019-06-10 14:00" for matching a time range. When an integer is given, it is assumed to be a UNIX timestamp. |day| Either a day of week ("Monday", "Tuesday", etc.), or an integer between 0 and 6. Strings are matched case-insensitively, and a full match is not expected (e.g. "Mon" would match "Monday"). -When an integer is given, 0 is Sunday and 6 is Saturday. +When an integer is given, 0 is Sunday and 6 is Saturday. Use a range expression +such as "Monday"-"Wednesday" for matching a week day range. |hour| A string representing an hour in 24-hour format. Seconds can optionally be specified. -For example, 17:00 and 17:00:00 would be equivalent. +For example, 17:00 and 17:00:00 would be equivalent. Use a range expression such +as "17:00"-"19:00" for matching a time range. |============================= .Using meta expressions @@ -190,16 +193,23 @@ filter output oif eth0 # incoming packet was subject to ipsec processing raw prerouting meta ipsec exists accept + +# match incoming packet from 03:00 to 14:00 local time +raw prerouting meta hour "03:00"-"14:00" counter accept ----------------------- SOCKET EXPRESSION ~~~~~~~~~~~~~~~~~ [verse] -*socket* {*transparent* | *mark*} +*socket* {*transparent* | *mark* | *wildcard*} +*socket* *cgroupv2* *level* 'NUM' Socket expression can be used to search for an existing open TCP/UDP socket and its attributes that can be associated with a packet. It looks for an established -or non-zero bound listening socket (possibly with a non-local address). +or non-zero bound listening socket (possibly with a non-local address). You can +also use it to match on the socket cgroupv2 at a given ancestor level, e.g. if +the socket belongs to cgroupv2 'a/b', ancestor level 1 checks for a matching on +cgroup 'a' and ancestor level 2 checks for a matching on cgroup 'b'. .Available socket attributes [options="header"] @@ -209,22 +219,30 @@ or non-zero bound listening socket (possibly with a non-local address). Value of the IP_TRANSPARENT socket option in the found socket. It can be 0 or 1.| boolean (1 bit) |mark| Value of the socket mark (SOL_SOCKET, SO_MARK). | mark +|wildcard| +Indicates whether the socket is wildcard-bound (e.g. 0.0.0.0 or ::0). | +boolean (1 bit) +|cgroupv2| +cgroup version 2 for this socket (path from /sys/fs/cgroup)| +cgroupv2 |================== .Using socket expression ------------------------ -# Mark packets that correspond to a transparent socket +# Mark packets that correspond to a transparent socket. "socket wildcard 0" +# means that zero-bound listener sockets are NOT matched (which is usually +# exactly what you want). table inet x { chain y { - type filter hook prerouting priority -150; policy accept; - socket transparent 1 mark set 0x00000001 accept + type filter hook prerouting priority mangle; policy accept; + socket transparent 1 socket wildcard 0 mark set 0x00000001 accept } } # Trace packets that corresponds to a socket with a mark value of 15 table inet x { chain y { - type filter hook prerouting priority -150; policy accept; + type filter hook prerouting priority mangle; policy accept; socket mark 0x0000000f nftrace set 1 } } @@ -232,10 +250,18 @@ table inet x { # Set packet mark to socket mark table inet x { chain y { - type filter hook prerouting priority -150; policy accept; + type filter hook prerouting priority mangle; policy accept; tcp dport 8080 mark set socket mark } } + +# Count packets for cgroupv2 "user.slice" at level 1 +table inet x { + chain y { + type filter hook input priority filter; policy accept; + socket cgroupv2 level 1 "user.slice" counter + } +} ---------------------- OSF EXPRESSION @@ -275,7 +301,7 @@ If no TTL attribute is passed, make a true IP header and fingerprint TTL true co # Accept packets that match the "Linux" OS genre signature without comparing TTL. table inet x { chain y { - type filter hook input priority 0; policy accept; + type filter hook input priority filter; policy accept; osf ttl skip name "Linux" } } @@ -408,6 +434,10 @@ Destination address of the tunnel| ipv4_addr/ipv6_addr |================================= +*Note:* When using xfrm_interface, this expression is not useable in output +hook as the plain packet does not traverse it with IPsec info attached - use a +chain in postrouting hook instead. + NUMGEN EXPRESSION ~~~~~~~~~~~~~~~~~ @@ -418,7 +448,7 @@ Create a number generator. The *inc* or *random* keywords control its operation mode: In *inc* mode, the last returned value is simply incremented. In *random* mode, a new random number is returned. The value after *mod* keyword specifies an upper boundary (read: modulus) which is not reached by -returned numbers. The optional *offset* allows to increment the returned value +returned numbers. The optional *offset* allows one to increment the returned value by a fixed offset. A typical use-case for *numgen* is load-balancing: @@ -448,7 +478,7 @@ header to apply the hashing, concatenations are possible as well. The value after *mod* keyword specifies an upper boundary (read: modulus) which is not reached by returned numbers. The optional *seed* is used to specify an init value used as seed in the hashing function. The optional *offset* -allows to increment the returned value by a fixed offset. +allows one to increment the returned value by a fixed offset. A typical use-case for *jhash* and *symhash* is load-balancing: |