Family nftables netlink specification

Summary

Netfilter nftables configuration over netlink.

Operations

batch-begin

Start a batch of operations

attribute-set:

batch-attrs

fixed-header:

nfgenmsg

do:

request

attributes:

[genid]

reply

attributes:

[genid]

batch-end

Finish a batch of operations

attribute-set:

batch-attrs

fixed-header:

nfgenmsg

do:

request

attributes:

[genid]

newtable

Create a new table.

attribute-set:

table-attrs

fixed-header:

nfgenmsg

do:

request

attributes:

[name]

gettable

Get / dump tables.

attribute-set:

table-attrs

fixed-header:

nfgenmsg

do:

request

attributes:

[name]

reply

attributes:

[name]

deltable

Delete an existing table.

attribute-set:

table-attrs

fixed-header:

nfgenmsg

do:

request

attributes:

[name]

destroytable

Delete an existing table with destroy semantics (ignoring ENOENT errors).

attribute-set:

table-attrs

fixed-header:

nfgenmsg

do:

request

attributes:

[name]

newchain

Create a new chain.

attribute-set:

chain-attrs

fixed-header:

nfgenmsg

do:

request

attributes:

[name]

getchain

Get / dump chains.

attribute-set:

chain-attrs

fixed-header:

nfgenmsg

do:

request

attributes:

[name]

reply

attributes:

[name]

delchain

Delete an existing chain.

attribute-set:

chain-attrs

fixed-header:

nfgenmsg

do:

request

attributes:

[name]

destroychain

Delete an existing chain with destroy semantics (ignoring ENOENT errors).

attribute-set:

chain-attrs

fixed-header:

nfgenmsg

do:

request

attributes:

[name]

newrule

Create a new rule.

attribute-set:

rule-attrs

fixed-header:

nfgenmsg

do:

request

attributes:

[name]

getrule

Get / dump rules.

attribute-set:

rule-attrs

fixed-header:

nfgenmsg

do:

request

attributes:

[name]

reply

attributes:

[name]

getrule-reset

Get / dump rules and reset stateful expressions.

attribute-set:

rule-attrs

fixed-header:

nfgenmsg

do:

request

attributes:

[name]

reply

attributes:

[name]

delrule

Delete an existing rule.

attribute-set:

rule-attrs

fixed-header:

nfgenmsg

do:

request

attributes:

[name]

destroyrule

Delete an existing rule with destroy semantics (ignoring ENOENT errors).

attribute-set:

rule-attrs

fixed-header:

nfgenmsg

do:

request

attributes:

[name]

newset

Create a new set.

attribute-set:

set-attrs

fixed-header:

nfgenmsg

do:

request

attributes:

[name]

getset

Get / dump sets.

attribute-set:

set-attrs

fixed-header:

nfgenmsg

do:

request

attributes:

[name]

reply

attributes:

[name]

delset

Delete an existing set.

attribute-set:

set-attrs

fixed-header:

nfgenmsg

do:

request

attributes:

[name]

destroyset

Delete an existing set with destroy semantics (ignoring ENOENT errors).

attribute-set:

set-attrs

fixed-header:

nfgenmsg

do:

request

attributes:

[name]

newsetelem

Create a new set element.

attribute-set:

setelem-list-attrs

fixed-header:

nfgenmsg

do:

request

attributes:

[name]

getsetelem

Get / dump set elements.

attribute-set:

setelem-list-attrs

fixed-header:

nfgenmsg

do:

request

attributes:

[name]

reply

attributes:

[name]

getsetelem-reset

Get / dump set elements and reset stateful expressions.

attribute-set:

setelem-list-attrs

fixed-header:

nfgenmsg

do:

request

attributes:

[name]

reply

attributes:

[name]

delsetelem

Delete an existing set element.

attribute-set:

setelem-list-attrs

fixed-header:

nfgenmsg

do:

request

attributes:

[name]

destroysetelem

Delete an existing set element with destroy semantics.

attribute-set:

setelem-list-attrs

fixed-header:

nfgenmsg

do:

request

attributes:

[name]

getgen

Get / dump rule-set generation.

attribute-set:

gen-attrs

fixed-header:

nfgenmsg

do:

request

attributes:

[name]

reply

attributes:

[name]

newobj

Create a new stateful object.

attribute-set:

obj-attrs

fixed-header:

nfgenmsg

do:

request

attributes:

[name]

getobj

Get / dump stateful objects.

attribute-set:

obj-attrs

fixed-header:

nfgenmsg

do:

request

attributes:

[name]

reply

attributes:

[name]

delobj

Delete an existing stateful object.

attribute-set:

obj-attrs

fixed-header:

nfgenmsg

do:

request

attributes:

[name]

destroyobj

Delete an existing stateful object with destroy semantics.

attribute-set:

obj-attrs

fixed-header:

nfgenmsg

do:

request

attributes:

[name]

newflowtable

Create a new flow table.

attribute-set:

flowtable-attrs

fixed-header:

nfgenmsg

do:

request

attributes:

[name]

getflowtable

Get / dump flow tables.

attribute-set:

flowtable-attrs

fixed-header:

nfgenmsg

do:

request

attributes:

[name]

reply

attributes:

[name]

delflowtable

Delete an existing flow table.

attribute-set:

flowtable-attrs

fixed-header:

nfgenmsg

do:

request

attributes:

[name]

destroyflowtable

Delete an existing flow table with destroy semantics.

attribute-set:

flowtable-attrs

fixed-header:

nfgenmsg

do:

request

attributes:

[name]

Multicast groups

• mgmt

Definitions

nfgenmsg

type:

struct

members:

nfgen-family (u8):

version (u8):

res-id (u16):

meta-keys

type:

enum

entries:

• len

• protocol

• priority

• mark

• iif

• oif

• iifname

• oifname

• iftype

• oiftype

• skuid

• skgid

• nftrace

• rtclassid

• secmark

• nfproto

• l4-proto

• bri-iifname

• bri-oifname

• pkttype

• cpu

• iifgroup

• oifgroup

• cgroup

• prandom

• secpath

• iifkind

• oifkind

• bri-iifpvid

• bri-iifvproto

• time-ns

• time-day

• time-hour

• sdif

• sdifname

• bri-broute

bitwise-ops

type:

enum

entries:

• bool

• lshift

• rshift

cmp-ops

type:

enum

entries:

• eq

• neq

• lt

• lte

• gt

• gte

object-type

type:

enum

entries:

• unspec

• counter

• quota

• ct-helper

• limit

• connlimit

• tunnel

• ct-timeout

• secmark

• ct-expect

• synproxy

nat-range-flags

type:

flags

entries:

• map-ips

• proto-specified

• proto-random

• persistent

• proto-random-fully

• proto-offset

• netmap

table-flags

type:

flags

entries:

• dormant

• owner

• persist

chain-flags

type:

flags

entries:

• base

• hw-offload

• binding

set-flags

type:

flags

entries:

• anonymous

• constant

• interval

• map

• timeout

• eval

• object

• concat

• expr

lookup-flags

type:

flags

entries:

• invert

ct-keys

type:

enum

entries:

• state

• direction

• status

• mark

• secmark

• expiration

• helper

• l3protocol

• src

• dst

• protocol

• proto-src

• proto-dst

• labels

• pkts

• bytes

• avgpkt

• zone

• eventmask

• src-ip

• dst-ip

• src-ip6

• dst-ip6

• ct-id

ct-direction

type:

enum

entries:

• original

• reply

quota-flags

type:

flags

entries:

• invert

• depleted

verdict-code

type:

enum

entries:

continue:

break:

jump:

goto:

return:

drop:

accept:

stolen:

queue:

repeat:

fib-result

type:

enum

entries:

• oif

• oifname

• addrtype

fib-flags

type:

flags

entries:

• saddr

• daddr

• mark

• iif

• oif

• present

reject-types

type:

enum

entries:

• icmp-unreach

• tcp-rst

• icmpx-unreach

Attribute sets

empty-attrs

name (string)

batch-attrs

genid (u32)

byte-order:

big-endian

table-attrs

name (string)

doc:

name of the table

flags (u32)

byte-order:

big-endian

doc:

bitmask of flags

enum:

table-flags

enum-as-flags:

True

use (u32)

byte-order:

big-endian

doc:

number of chains in this table

handle (u64)

byte-order:

big-endian

doc:

numeric handle of the table

userdata (binary)

doc:

user data

chain-attrs

table (string)

doc:

name of the table containing the chain

handle (u64)

byte-order:

big-endian

doc:

numeric handle of the chain

name (string)

doc:

name of the chain

hook (nest)

nested-attributes:

nft-hook-attrs

doc:

hook specification for basechains

policy (u32)

byte-order:

big-endian

doc:

numeric policy of the chain

use (u32)

byte-order:

big-endian

doc:

number of references to this chain

type (string)

doc:

type name of the chain

counters (nest)

nested-attributes:

nft-counter-attrs

doc:

counter specification of the chain

flags (u32)

byte-order:

big-endian

doc:

chain flags

enum:

chain-flags

enum-as-flags:

True

id (u32)

byte-order:

big-endian

doc:

uniquely identifies a chain in a transaction

userdata (binary)

doc:

user data

counter-attrs

bytes (u64)

byte-order:

big-endian

packets (u64)

byte-order:

big-endian

pad (pad)

nft-hook-attrs

num (u32)

byte-order:

big-endian

priority (s32)

byte-order:

big-endian

dev (string)

doc:

net device name

devs (nest)

nested-attributes:

hook-dev-attrs

doc:

list of net devices

hook-dev-attrs

name (string)

multi-attr:

True

nft-counter-attrs

bytes (u64)

packets (u64)

rule-attrs

table (string)

doc:

name of the table containing the rule

chain (string)

doc:

name of the chain containing the rule

handle (u64)

byte-order:

big-endian

doc:

numeric handle of the rule

expressions (nest)

nested-attributes:

expr-list-attrs

doc:

list of expressions

compat (nest)

nested-attributes:

rule-compat-attrs

doc:

compatibility specifications of the rule

position (u64)

byte-order:

big-endian

doc:

numeric handle of the previous rule

userdata (binary)

doc:

user data

id (u32)

doc:

uniquely identifies a rule in a transaction

position-id (u32)

doc:

transaction unique identifier of the previous rule

chain-id (u32)

doc:

add the rule to chain by ID, alternative to chain name

expr-list-attrs

elem (nest)

nested-attributes:

expr-attrs

multi-attr:

True

expr-attrs

name (string)

doc:

name of the expression type

data (sub-message)

sub-message:

expr-ops

selector:

name

doc:

type specific data

rule-compat-attrs

proto (binary)

doc:

numeric value of the handled protocol

flags (binary)

doc:

bitmask of flags

set-attrs

table (string)

doc:

table name

name (string)

doc:

set name

flags (u32)

enum:

set-flags

byte-order:

big-endian

doc:

bitmask of enum nft_set_flags

key-type (u32)

byte-order:

big-endian

doc:

key data type, informational purpose only

key-len (u32)

byte-order:

big-endian

doc:

key data length

data-type (u32)

byte-order:

big-endian

doc:

mapping data type

data-len (u32)

byte-order:

big-endian

doc:

mapping data length

policy (u32)

byte-order:

big-endian

doc:

selection policy

desc (nest)

nested-attributes:

set-desc-attrs

doc:

set description

id (u32)

doc:

uniquely identifies a set in a transaction

timeout (u64)

doc:

default timeout value

gc-interval (u32)

doc:

garbage collection interval

userdata (binary)

doc:

user data

pad (pad)

obj-type (u32)

byte-order:

big-endian

doc:

stateful object type

handle (u64)

byte-order:

big-endian

doc:

set handle

expr (nest)

nested-attributes:

expr-attrs

doc:

set expression

multi-attr:

True

expressions (nest)

nested-attributes:

set-list-attrs

doc:

list of expressions

set-desc-attrs

size (u32)

byte-order:

big-endian

doc:

number of elements in set

concat (nest)

nested-attributes:

set-desc-concat-attrs

doc:

description of field concatenation

multi-attr:

True

set-desc-concat-attrs

elem (nest)

nested-attributes:

set-field-attrs

set-field-attrs

len (u32)

byte-order:

big-endian

set-list-attrs

elem (nest)

nested-attributes:

expr-attrs

multi-attr:

True

setelem-attrs

key (nest)

nested-attributes:

data-attrs

doc:

key value

data (nest)

nested-attributes:

data-attrs

doc:

data value of mapping

flags (binary)

doc:

bitmask of nft_set_elem_flags

timeout (u64)

doc:

timeout value

expiration (u64)

doc:

expiration time

userdata (binary)

doc:

user data

expr (nest)

nested-attributes:

expr-attrs

doc:

expression

objref (string)

doc:

stateful object reference

key-end (nest)

nested-attributes:

data-attrs

doc:

closing key value

expressions (nest)

nested-attributes:

expr-list-attrs

doc:

list of expressions

setelem-list-elem-attrs

elem (nest)

nested-attributes:

setelem-attrs

multi-attr:

True

setelem-list-attrs

table (string)

set (string)

elements (nest)

nested-attributes:

setelem-list-elem-attrs

set-id (u32)

gen-attrs

id (u32)

byte-order:

big-endian

doc:

ruleset generation id

proc-pid (u32)

byte-order:

big-endian

proc-name (string)

obj-attrs

table (string)

doc:

name of the table containing the expression

name (string)

doc:

name of this expression type

type (u32)

enum:

object-type

byte-order:

big-endian

doc:

stateful object type

data (sub-message)

sub-message:

obj-data

selector:

type

doc:

stateful object data

use (u32)

byte-order:

big-endian

doc:

number of references to this expression

handle (u64)

byte-order:

big-endian

doc:

object handle

pad (pad)

userdata (binary)

doc:

user data

quota-attrs

bytes (u64)

byte-order:

big-endian

flags (u32)

byte-order:

big-endian

enum:

quota-flags

pad (pad)

consumed (u64)

byte-order:

big-endian

flowtable-attrs

table (string)

name (string)

hook (nest)

nested-attributes:

flowtable-hook-attrs

use (u32)

byte-order:

big-endian

handle (u64)

byte-order:

big-endian

pad (pad)

flags (u32)

byte-order:

big-endian

flowtable-hook-attrs

num (u32)

byte-order:

big-endian

priority (u32)

byte-order:

big-endian

devs (nest)

nested-attributes:

hook-dev-attrs

expr-bitwise-attrs

sreg (u32)

byte-order:

big-endian

dreg (u32)

byte-order:

big-endian

len (u32)

byte-order:

big-endian

mask (nest)

nested-attributes:

data-attrs

xor (nest)

nested-attributes:

data-attrs

op (u32)

byte-order:

big-endian

enum:

bitwise-ops

data (nest)

nested-attributes:

data-attrs

expr-cmp-attrs

sreg (u32)

byte-order:

big-endian

op (u32)

byte-order:

big-endian

enum:

cmp-ops

data (nest)

nested-attributes:

data-attrs

data-attrs

value (binary)

verdict (nest)

nested-attributes:

verdict-attrs

verdict-attrs

code (u32)

byte-order:

big-endian

enum:

verdict-code

chain (string)

chain-id (u32)

expr-counter-attrs

bytes (u64)

doc:

Number of bytes

packets (u64)

doc:

Number of packets

pad (pad)

expr-fib-attrs

dreg (u32)

byte-order:

big-endian

result (u32)

byte-order:

big-endian

enum:

fib-result

flags (u32)

byte-order:

big-endian

enum:

fib-flags

expr-ct-attrs

dreg (u32)

byte-order:

big-endian

key (u32)

byte-order:

big-endian

enum:

ct-keys

direction (u8)

enum:

ct-direction

sreg (u32)

byte-order:

big-endian

expr-flow-offload-attrs

name (string)

doc:

Flow offload table name

expr-immediate-attrs

dreg (u32)

byte-order:

big-endian

data (nest)

nested-attributes:

data-attrs

expr-lookup-attrs

set (string)

doc:

Name of set to use

set id (u32)

byte-order:

big-endian

doc:

ID of set to use

sreg (u32)

byte-order:

big-endian

dreg (u32)

byte-order:

big-endian

flags (u32)

byte-order:

big-endian

enum:

lookup-flags

expr-meta-attrs

dreg (u32)

byte-order:

big-endian

key (u32)

byte-order:

big-endian

enum:

meta-keys

sreg (u32)

byte-order:

big-endian

expr-nat-attrs

type (u32)

byte-order:

big-endian

family (u32)

byte-order:

big-endian

reg-addr-min (u32)

byte-order:

big-endian

reg-addr-max (u32)

byte-order:

big-endian

reg-proto-min (u32)

byte-order:

big-endian

reg-proto-max (u32)

byte-order:

big-endian

flags (u32)

byte-order:

big-endian

enum:

nat-range-flags

enum-as-flags:

True

expr-payload-attrs

dreg (u32)

byte-order:

big-endian

base (u32)

byte-order:

big-endian

offset (u32)

byte-order:

big-endian

len (u32)

byte-order:

big-endian

sreg (u32)

byte-order:

big-endian

csum-type (u32)

byte-order:

big-endian

csum-offset (u32)

byte-order:

big-endian

csum-flags (u32)

byte-order:

big-endian

expr-reject-attrs

type (u32)

byte-order:

big-endian

enum:

reject-types

icmp-code (u8)

expr-target-attrs

name (string)

rev (u32)

byte-order:

big-endian

info (binary)

expr-tproxy-attrs

family (u32)

byte-order:

big-endian

reg-addr (u32)

byte-order:

big-endian

reg-port (u32)

byte-order:

big-endian

expr-objref-attrs

imm-type (u32)

byte-order:

big-endian

imm-name (string)

doc:

object name

set-sreg (u32)

byte-order:

big-endian

set-name (string)

doc:

name of object map

set-id (u32)

byte-order:

big-endian

doc:

id of object map

Sub-messages

expr-ops

• bitwise

  attribute-set:

  expr-bitwise-attrs

• cmp

  attribute-set:

  expr-cmp-attrs

• counter

  attribute-set:

  expr-counter-attrs

• ct

  attribute-set:

  expr-ct-attrs

• fib

  attribute-set:

  expr-fib-attrs

• flow_offload

  attribute-set:

  expr-flow-offload-attrs

• immediate

  attribute-set:

  expr-immediate-attrs

• lookup

  attribute-set:

  expr-lookup-attrs

• meta

  attribute-set:

  expr-meta-attrs

• nat

  attribute-set:

  expr-nat-attrs

• objref

  attribute-set:

  expr-objref-attrs

• payload

  attribute-set:

  expr-payload-attrs

• quota

  attribute-set:

  quota-attrs

• reject

  attribute-set:

  expr-reject-attrs

• target

  attribute-set:

  expr-target-attrs

• tproxy

  attribute-set:

  expr-tproxy-attrs

obj-data

• counter

  attribute-set:

  counter-attrs

• quota

  attribute-set:

  quota-attrs