Family nftables netlink specification

Summary

Netfilter nftables configuration over netlink.
Operations

batch-begin
  Start a batch of operations
  - attribute-set
  - fixed-header
  - do
    - request
      - attributes: [ genid ]
    - reply
      - attributes: [ genid ]

batch-end
  Finish a batch of operations
  - attribute-set
  - fixed-header
  - do
    - request
      - attributes: [ genid ]

newtable
  Create a new table.
  - attribute-set
  - fixed-header
  - do
    - request
      - attributes: [ name ]

gettable
  Get / dump tables.
  - attribute-set
  - fixed-header
  - do
    - request
      - attributes: [ name ]
    - reply
      - attributes: [ name ]

deltable
  Delete an existing table.
  - attribute-set
  - fixed-header
  - do
    - request
      - attributes: [ name ]

destroytable
  Delete an existing table with destroy semantics (ignoring ENOENT errors).
  - attribute-set
  - fixed-header
  - do
    - request
      - attributes: [ name ]

newchain
  Create a new chain.
  - attribute-set
  - fixed-header
  - do
    - request
      - attributes: [ name ]

getchain
  Get / dump chains.
  - attribute-set
  - fixed-header
  - do
    - request
      - attributes: [ name ]
    - reply
      - attributes: [ name ]

delchain
  Delete an existing chain.
  - attribute-set
  - fixed-header
  - do
    - request
      - attributes: [ name ]

destroychain
  Delete an existing chain with destroy semantics (ignoring ENOENT errors).
  - attribute-set
  - fixed-header
  - do
    - request
      - attributes: [ name ]

newrule
  Create a new rule.
  - attribute-set
  - fixed-header
  - do
    - request
      - attributes: [ name ]

getrule
  Get / dump rules.
  - attribute-set
  - fixed-header
  - do
    - request
      - attributes: [ name ]
    - reply
      - attributes: [ name ]

getrule-reset
  Get / dump rules and reset stateful expressions.
  - attribute-set
  - fixed-header
  - do
    - request
      - attributes: [ name ]
    - reply
      - attributes: [ name ]

delrule
  Delete an existing rule.
  - attribute-set
  - fixed-header
  - do
    - request
      - attributes: [ name ]

destroyrule
  Delete an existing rule with destroy semantics (ignoring ENOENT errors).
  - attribute-set
  - fixed-header
  - do
    - request
      - attributes: [ name ]

newset
  Create a new set.

getset
  Get / dump sets.

delset
  Delete an existing set.

destroyset
  Delete an existing set with destroy semantics (ignoring ENOENT errors).

newsetelem
  Create a new set element.
  - attribute-set
  - fixed-header
  - do
    - request
      - attributes: [ name ]

getsetelem
  Get / dump set elements.
  - attribute-set
  - fixed-header
  - do
    - request
      - attributes: [ name ]
    - reply
      - attributes: [ name ]

getsetelem-reset
  Get / dump set elements and reset stateful expressions.
  - attribute-set
  - fixed-header
  - do
    - request
      - attributes: [ name ]
    - reply
      - attributes: [ name ]

delsetelem
  Delete an existing set element.
  - attribute-set
  - fixed-header
  - do
    - request
      - attributes: [ name ]

destroysetelem
  Delete an existing set element with destroy semantics.
  - attribute-set
  - fixed-header
  - do
    - request
      - attributes: [ name ]

getgen
  Get / dump rule-set generation.

newobj
  Create a new stateful object.

getobj
  Get / dump stateful objects.

delobj
  Delete an existing stateful object.

destroyobj
  Delete an existing stateful object with destroy semantics.

newflowtable
  Create a new flow table.
  - attribute-set
  - fixed-header
  - do
    - request
      - attributes: [ name ]

getflowtable
  Get / dump flow tables.
  - attribute-set
  - fixed-header
  - do
    - request
      - attributes: [ name ]
    - reply
      - attributes: [ name ]

delflowtable
  Delete an existing flow table.
  - attribute-set
  - fixed-header
  - do
    - request
      - attributes: [ name ]

destroyflowtable
  Delete an existing flow table with destroy semantics.
  - attribute-set
  - fixed-header
  - do
    - request
      - attributes: [ name ]
Multicast groups

- mgmt
Definitions

nfgenmsg
  - type: struct
  - members
    - nfgen-family (u8)
    - version (u8)
    - res-id (u16)

meta-keys
  - type: enum
  - entries: [ len, protocol, priority, mark, iif, oif, iifname, oifname, iftype, oiftype, skuid, skgid, nftrace, rtclassid, secmark, nfproto, l4-proto, bri-iifname, bri-oifname, pkttype, cpu, iifgroup, oifgroup, cgroup, prandom, secpath, iifkind, oifkind, bri-iifpvid, bri-iifvproto, time-ns, time-day, time-hour, sdif, sdifname, bri-broute ]

cmp-ops
  - type: enum
  - entries: [ eq, neq, lt, lte, gt, gte ]

object-type
  - type: enum
  - entries: [ unspec, counter, quota, ct-helper, limit, connlimit, tunnel, ct-timeout, secmark, ct-expect, synproxy ]

nat-range-flags
  - type: flags
  - entries: [ map-ips, proto-specified, proto-random, persistent, proto-random-fully, proto-offset, netmap ]

table-flags
  - type: flags
  - entries: [ dormant, owner, persist ]

chain-flags
  - type: flags
  - entries: [ base, hw-offload, binding ]

set-flags
  - type: flags
  - entries: [ anonymous, constant, interval, map, timeout, eval, object, concat, expr ]
Attribute sets

empty-attrs
  name (string)

batch-attrs
  genid (u32)
    - byte-order: big-endian

table-attrs
  name (string)
    - doc: name of the table
  flags (u32)
    - byte-order: big-endian
    - doc: bitmask of flags
    - enum
    - enum-as-flags: True
  use (u32)
    - byte-order: big-endian
    - doc: number of chains in this table
  handle (u64)
    - byte-order: big-endian
    - doc: numeric handle of the table
  userdata (binary)
    - doc: user data

chain-attrs
  table (string)
    - doc: name of the table containing the chain
  handle (u64)
    - byte-order: big-endian
    - doc: numeric handle of the chain
  name (string)
    - doc: name of the chain
  hook (nest)
    - nested-attributes
    - doc: hook specification for basechains
  policy (u32)
    - byte-order: big-endian
    - doc: numeric policy of the chain
  use (u32)
    - byte-order: big-endian
    - doc: number of references to this chain
  type (string)
    - doc: type name of the chain
  counters (nest)
    - nested-attributes
    - doc: counter specification of the chain
  flags (u32)
    - byte-order: big-endian
    - doc: chain flags
    - enum
    - enum-as-flags: True
  id (u32)
    - byte-order: big-endian
    - doc: uniquely identifies a chain in a transaction
  userdata (binary)
    - doc: user data

counter-attrs
  bytes (u64)
    - byte-order: big-endian
  packets (u64)
    - byte-order: big-endian
  pad (pad)

nft-hook-attrs
  num (u32)
    - byte-order: big-endian
  priority (s32)
    - byte-order: big-endian
  dev (string)
    - doc: net device name
  devs (nest)
    - nested-attributes
    - doc: list of net devices

hook-dev-attrs
  name (string)
    - multi-attr: True

nft-counter-attrs
  bytes (u64)
  packets (u64)

rule-attrs
  table (string)
    - doc: name of the table containing the rule
  chain (string)
    - doc: name of the chain containing the rule
  handle (u64)
    - byte-order: big-endian
    - doc: numeric handle of the rule
  expressions (nest)
    - nested-attributes
    - doc: list of expressions
  compat (nest)
    - nested-attributes
    - doc: compatibility specifications of the rule
  position (u64)
    - byte-order: big-endian
    - doc: numeric handle of the previous rule
  userdata (binary)
    - doc: user data
  id (u32)
    - doc: uniquely identifies a rule in a transaction
  position-id (u32)
    - doc: transaction unique identifier of the previous rule
  chain-id (u32)
    - doc: add the rule to chain by ID, alternative to chain name

expr-list-attrs
  elem (nest)
    - nested-attributes
    - multi-attr: True

expr-attrs
  name (string)
    - doc: name of the expression type
  data (sub-message)
    - sub-message
    - selector: name
    - doc: type specific data

rule-compat-attrs
  proto (binary)
    - doc: numeric value of the handled protocol
  flags (binary)
    - doc: bitmask of flags

set-attrs
  table (string)
    - doc: table name
  name (string)
    - doc: set name
  flags (u32)
    - enum
    - byte-order: big-endian
    - doc: bitmask of enum nft_set_flags
  key-type (u32)
    - byte-order: big-endian
    - doc: key data type, informational purpose only
  key-len (u32)
    - byte-order: big-endian
    - doc: key data length
  data-type (u32)
    - byte-order: big-endian
    - doc: mapping data type
  data-len (u32)
    - byte-order: big-endian
    - doc: mapping data length
  policy (u32)
    - byte-order: big-endian
    - doc: selection policy
  desc (nest)
    - nested-attributes
    - doc: set description
  id (u32)
    - doc: uniquely identifies a set in a transaction
  timeout (u64)
    - doc: default timeout value
  gc-interval (u32)
    - doc: garbage collection interval
  userdata (binary)
    - doc: user data
  pad (pad)
  obj-type (u32)
    - byte-order: big-endian
    - doc: stateful object type
  handle (u64)
    - byte-order: big-endian
    - doc: set handle
  expr (nest)
    - nested-attributes
    - doc: set expression
    - multi-attr: True
  expressions (nest)
    - nested-attributes
    - doc: list of expressions

set-desc-attrs
  size (u32)
    - byte-order: big-endian
    - doc: number of elements in set
  concat (nest)
    - nested-attributes
    - doc: description of field concatenation
    - multi-attr: True

set-desc-concat-attrs
  elem (nest)
    - nested-attributes

set-field-attrs
  len (u32)
    - byte-order: big-endian

set-list-attrs
  elem (nest)
    - nested-attributes
    - multi-attr: True

setelem-attrs
  key (nest)
    - nested-attributes
    - doc: key value
  data (nest)
    - nested-attributes
    - doc: data value of mapping
  flags (binary)
    - doc: bitmask of nft_set_elem_flags
  timeout (u64)
    - doc: timeout value
  expiration (u64)
    - doc: expiration time
  userdata (binary)
    - doc: user data
  expr (nest)
    - nested-attributes
    - doc: expression
  objref (string)
    - doc: stateful object reference
  key-end (nest)
    - nested-attributes
    - doc: closing key value
  expressions (nest)
    - nested-attributes
    - doc: list of expressions

setelem-list-elem-attrs
  elem (nest)
    - nested-attributes
    - multi-attr: True

setelem-list-attrs
  table (string)
  set (string)
  elements (nest)
    - nested-attributes
  set-id (u32)

gen-attrs
  id (u32)
    - byte-order: big-endian
    - doc: ruleset generation id
  proc-pid (u32)
    - byte-order: big-endian
  proc-name (string)

obj-attrs
  table (string)
    - doc: name of the table containing the expression
  name (string)
    - doc: name of this expression type
  type (u32)
    - enum
    - byte-order: big-endian
    - doc: stateful object type
  data (sub-message)
    - sub-message
    - selector: type
    - doc: stateful object data
  use (u32)
    - byte-order: big-endian
    - doc: number of references to this expression
  handle (u64)
    - byte-order: big-endian
    - doc: object handle
  pad (pad)
  userdata (binary)
    - doc: user data

quota-attrs
  bytes (u64)
    - byte-order: big-endian
  flags (u32)
    - byte-order: big-endian
  pad (pad)
  consumed (u64)
    - byte-order: big-endian

flowtable-attrs
  table (string)
  name (string)
  hook (nest)
    - nested-attributes
  use (u32)
    - byte-order: big-endian
  handle (u64)
    - byte-order: big-endian
  pad (pad)
  flags (u32)
    - byte-order: big-endian

flowtable-hook-attrs
  num (u32)
    - byte-order: big-endian
  priority (u32)
    - byte-order: big-endian
  devs (nest)
    - nested-attributes

expr-cmp-attrs
  sreg (u32)
    - byte-order: big-endian
  op (u32)
    - byte-order: big-endian
    - enum
  data (nest)
    - nested-attributes

data-attrs
  value (binary)
  verdict (nest)
    - nested-attributes

verdict-attrs
  code (u32)
    - byte-order: big-endian
  chain (string)
  chain-id (u32)

expr-counter-attrs
  bytes (u64)
    - doc: Number of bytes
  packets (u64)
    - doc: Number of packets
  pad (pad)

expr-flow-offload-attrs
  name (string)
    - doc: Flow offload table name

expr-immediate-attrs
  dreg (u32)
    - byte-order: big-endian
  data (nest)
    - nested-attributes

expr-meta-attrs
  dreg (u32)
    - byte-order: big-endian
  key (u32)
    - byte-order: big-endian
    - enum
  sreg (u32)
    - byte-order: big-endian

expr-nat-attrs
  type (u32)
    - byte-order: big-endian
  family (u32)
    - byte-order: big-endian
  reg-addr-min (u32)
    - byte-order: big-endian
  reg-addr-max (u32)
    - byte-order: big-endian
  reg-proto-min (u32)
    - byte-order: big-endian
  reg-proto-max (u32)
    - byte-order: big-endian
  flags (u32)
    - byte-order: big-endian
    - enum
    - enum-as-flags: True

expr-payload-attrs
  dreg (u32)
    - byte-order: big-endian
  base (u32)
    - byte-order: big-endian
  offset (u32)
    - byte-order: big-endian
  len (u32)
    - byte-order: big-endian
  sreg (u32)
    - byte-order: big-endian
  csum-type (u32)
    - byte-order: big-endian
  csum-offset (u32)
    - byte-order: big-endian
  csum-flags (u32)
    - byte-order: big-endian

expr-tproxy-attrs
  family (u32)
    - byte-order: big-endian
  reg-addr (u32)
    - byte-order: big-endian
  reg-port (u32)
    - byte-order: big-endian
Sub-messages

expr-ops
  - bitwise
  - cmp
    - attribute-set
  - counter
    - attribute-set
  - ct
  - flow_offload
    - attribute-set
  - immediate
    - attribute-set
  - lookup
  - meta
    - attribute-set
  - nat
    - attribute-set
  - payload
    - attribute-set
  - tproxy
    - attribute-set

obj-data
  - counter
    - attribute-set
  - quota
    - attribute-set