path: root/doc/primary-expression.txt
blob: 12b88bdd2a8a1f6a346734bbbac3cdaedc227b11 (plain)
META EXPRESSIONS
~~~~~~~~~~~~~~~~
[verse]
*meta* {length | nfproto | l4proto | protocol | priority}
[meta] {mark | iif | iifname | iiftype | oif | oifname | oiftype |
skuid | skgid | nftrace | rtclassid | ibrname | obrname | pkttype | cpu
| iifgroup | oifgroup | cgroup | random | secpath}

A meta expression refers to meta data associated with a packet.

There are two types of meta expressions: unqualified and qualified. Qualified
meta expressions require the meta keyword before the meta key; unqualified meta
expressions can be specified either by using the meta key directly or as
qualified meta expressions. Meta l4proto is useful to match a particular
transport protocol that is part of either an IPv4 or IPv6 packet; it also skips
any IPv6 extension headers present in an IPv6 packet.

.Meta expression types
[options="header"]
|==================
|Keyword | Description | Type
|length|
Length of the packet in bytes|
integer (32 bit)
|nfproto|
real hook protocol family, useful only in inet table|
integer (32 bit)
|l4proto|
layer 4 protocol, skips ipv6 extension headers|
integer (8 bit)
|protocol|
EtherType protocol value|
ether_type
|priority|
TC packet priority|
tc_handle
|mark|
Packet mark |
mark
|iif|
Input interface index |
iface_index
|iifname|
Input interface name |
ifname
|iiftype|
Input interface type|
iface_type
|oif|
Output interface index|
iface_index
|oifname|
Output interface name|
ifname
|oiftype|
Output interface hardware type|
iface_type
|skuid|
UID associated with originating socket|
uid
|skgid|
GID associated with originating socket|
gid
|rtclassid|
Routing realm|
realm
|ibrname|
Input bridge interface name|
ifname
|obrname|
Output bridge interface name|
ifname
|pkttype|
packet type|
pkt_type
|cpu|
cpu number processing the packet|
integer (32 bit)
|iifgroup|
incoming device group|
devgroup
|oifgroup|
outgoing device group|
devgroup
|cgroup|
control group id |
integer (32 bit)
|random|
pseudo-random number|
integer (32 bit)
|secpath|
boolean|
boolean (1 bit)
|====================

.Meta expression specific types
[options="header"]
|==================
|Type | Description
|iface_index |
Interface index (32 bit number). Can be specified numerically  or as name of an existing interface.
|ifname|
Interface name (16 byte string). Does not have to exist.
|iface_type|
Interface type (16 bit number).
|uid|
User ID (32 bit number). Can be specified numerically or as user name.
|gid|
Group ID (32 bit number). Can be specified numerically or as group name.
|realm|
Routing Realm (32 bit number). Can be specified numerically or as symbolic name defined in /etc/iproute2/rt_realms.
|devgroup|
Device group (32 bit number). Can be specified numerically or as symbolic name defined in /etc/iproute2/group.
|pkt_type|
Packet type: Unicast (addressed to local host), Broadcast (to all), Multicast (to group).
|=============================

.Using meta expressions
-----------------------
# qualified meta expression
filter output meta oif eth0

# unqualified meta expression
filter output oif eth0

# packet was subject to ipsec processing
raw prerouting meta secpath exists accept
-----------------------
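As an added example (not part of the nftables documentation), a complete ruleset built only from the meta keys in the table above, mixing the qualified and unqualified forms. The interface name eth0 and the UID 1001 are constructed placeholders; load it with `nft -f` or syntax-check it with `nft -c -f`.

```nft
# Added example, not from the nftables documentation.
# "eth0" and uid 1001 are constructed placeholders.
table inet meta_demo {
    chain input {
        type filter hook input priority 0; policy drop;

        # unqualified form: the meta keyword is optional for iifname
        iifname "lo" accept

        # qualified form; pkttype is available before any protocol header is parsed
        meta iifname "eth0" meta pkttype != unicast drop

        # l4proto skips IPv6 extension headers, so a single inet rule covers
        # each family; nfproto selects the real hook family inside an inet table
        meta nfproto ipv4 meta l4proto icmp accept
        meta nfproto ipv6 meta l4proto ipv6-icmp accept

        # enable nftrace on accepted SSH packets (inspect with `nft monitor trace`)
        meta iifname "eth0" tcp dport 22 meta nftrace set 1 accept
    }

    chain output {
        type filter hook output priority 0; policy accept;

        # only the resolver user (constructed uid 1001) may originate DNS queries;
        # skuid is the UID of the socket that produced the packet
        udp dport 53 meta skuid != 1001 drop
        tcp dport 53 meta skuid != 1001 drop
    }
}
```

The skuid rules only make sense in the output hook, since an incoming packet has no originating local socket yet; the nftrace rule is the usual way to debug why a packet does or does not reach a given rule.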

SOCKET EXPRESSION
~~~~~~~~~~~~~~~~~
[verse]
*socket* {transparent | mark}

The socket expression can be used to search for an existing open TCP/UDP socket
and its attributes that can be associated with a packet. It looks for an
established or non-zero bound listening socket (possibly with a non-local
address).

.Available socket attributes
[options="header"]
|==================
|Name |Description| Type
|transparent|
Value of the IP_TRANSPARENT socket option in the found socket. It can be 0 or 1.|
boolean (1 bit)
|mark| Value of the socket mark (SOL_SOCKET, SO_MARK). | mark
|==================

.Using socket expression
------------------------
# Mark packets that correspond to a transparent socket
table inet x {
    chain y {
        type filter hook prerouting priority -150; policy accept;
        socket transparent 1 mark set 0x00000001 accept
    }
}

# Trace packets that correspond to a socket with a mark value of 15
table inet x {
    chain y {
        type filter hook prerouting priority -150; policy accept;
        socket mark 0x0000000f nftrace set 1
    }
}

# Set packet mark to socket mark
table inet x {
    chain y {
        type filter hook prerouting priority -150; policy accept;
        tcp dport 8080 mark set socket mark
    }
}
----------------------

OSF EXPRESSION
~~~~~~~~~~~~~~
[verse]
*osf* {name}

The osf expression does passive operating system fingerprinting. This
expression compares some data (Window Size, MSS, options and their order, DF,
and others) from packets with the SYN bit set.

.Available osf attributes
[options="header"]
|==================
|Name |Description| Type
|name|
Name of the OS signature to match. All signatures can be found at pf.os file.
Use "unknown" for OS signatures that the expression could not detect.|
string
|==================

.Using osf expression
---------------------
# Accept packets that match the "Linux" OS signature.
table inet x {
    chain y {
        type filter hook input priority 0; policy accept;
        osf "Linux"
    }
}
-----------------------

FIB EXPRESSIONS
~~~~~~~~~~~~~~~
[verse]
*fib* {saddr | daddr | {mark | iif | oif}} {oif | oifname | type}

A fib expression queries the fib (forwarding information base) to obtain
information such as the output interface index a particular address would use.
The input is a tuple of elements that is used as input to the fib lookup
functions.

.fib expression specific types
[options="header"]
|==================
|Keyword| Description| Type
|oif|
Output interface index|
integer (32 bit)
|oifname|
Output interface name|
string
|type|
Address type |
fib_addrtype
|=======================

.Using fib expressions
----------------------
# drop packets without a reverse path
filter prerouting fib saddr . iif oif missing drop

# drop packets to an address not configured on the incoming interface
filter prerouting fib daddr . iif type != { local, broadcast, multicast } drop

# perform lookup in a specific 'blackhole' table (0xdead, needs an appropriate ip rule)
filter prerouting meta mark set 0xdead fib daddr . mark type vmap { blackhole : drop, prohibit : jump prohibited, unreachable : drop }
----------------------
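As an added example (not part of the nftables documentation), the one-line fib rules above assembled into a complete anti-spoofing ruleset for a host that does not forward traffic. The interface name eth0 is a constructed placeholder; load it with `nft -f` or syntax-check it with `nft -c -f`.

```nft
# Added example, not from the nftables documentation.
# "eth0" is a constructed placeholder for the untrusted interface.
table inet antispoof {
    chain prerouting {
        # raw priority (-300) so spoofed packets are discarded as early as possible
        type filter hook prerouting priority -300; policy accept;

        # loopback traffic never needs a reverse-path check
        iifname "lo" accept

        # strict reverse path filtering: the fib lookup for (saddr, iif) must
        # return an output interface; "missing" means no route back to the
        # source leaves via the interface the packet arrived on
        fib saddr . iif oif missing drop

        # on a non-forwarding host, anything addressed to something other than a
        # local, broadcast or multicast address of the incoming interface is not ours
        iifname "eth0" fib daddr . iif type != { local, broadcast, multicast } drop
    }
}
```

Because the table family is inet, both rules apply to IPv4 and IPv6; the daddr type check must be removed or restricted on a router, where packets to non-local addresses are expected and forwarded.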

ROUTING EXPRESSIONS
~~~~~~~~~~~~~~~~~~~
[verse]
*rt* {classid | nexthop | mtu}

A routing expression refers to routing data associated with a packet.

.Routing expression types
[options="header"]
|=======================
|Keyword| Description| Type
|classid|
Routing realm|
realm
|nexthop|
Routing nexthop|
ipv4_addr/ipv6_addr
|mtu|
TCP maximum segment size of route |
integer (16 bit)
|=================================

.Routing expression specific types
[options="header"]
|=======================
|Type| Description
|realm|
Routing Realm (32 bit number). Can be specified numerically or as symbolic name defined in /etc/iproute2/rt_realms.
|========================

.Using routing expressions
--------------------------
# IP family independent rt expression
filter output rt classid 10

# IP family dependent rt expressions
ip filter output rt nexthop 192.168.0.1
ip6 filter output rt nexthop fd00::1
inet filter output rt ip nexthop 192.168.0.1
inet filter output rt ip6 nexthop fd00::1
--------------------------