.. SPDX-License-Identifier: GPL-2.0
.. NOTE: This document was auto-generated.
=========================================
Family ``nftables`` netlink specification
=========================================
.. contents:: :depth: 3
-------
Summary
-------
Netfilter nftables configuration over netlink.
----------
Operations
----------
.. _nftables-operation-batch-begin:
batch-begin
===========
Start a batch of operations
:attribute-set: :ref:`nftables-attribute-set-batch-attrs`
:fixed-header: :ref:`nftables-definition-nfgenmsg`
:do:
**request**
:attributes: [``genid``]
**reply**
:attributes: [``genid``]
.. _nftables-operation-batch-end:
batch-end
=========
Finish a batch of operations
:attribute-set: :ref:`nftables-attribute-set-batch-attrs`
:fixed-header: :ref:`nftables-definition-nfgenmsg`
:do:
**request**
:attributes: [``genid``]
.. _nftables-operation-newtable:
newtable
========
Create a new table.
:attribute-set: :ref:`nftables-attribute-set-table-attrs`
:fixed-header: :ref:`nftables-definition-nfgenmsg`
:do:
**request**
:attributes: [``name``]
.. _nftables-operation-gettable:
gettable
========
Get / dump tables.
:attribute-set: :ref:`nftables-attribute-set-table-attrs`
:fixed-header: :ref:`nftables-definition-nfgenmsg`
:do:
**request**
:attributes: [``name``]
**reply**
:attributes: [``name``]
.. _nftables-operation-deltable:
deltable
========
Delete an existing table.
:attribute-set: :ref:`nftables-attribute-set-table-attrs`
:fixed-header: :ref:`nftables-definition-nfgenmsg`
:do:
**request**
:attributes: [``name``]
.. _nftables-operation-destroytable:
destroytable
============
Delete an existing table with destroy semantics (ignoring ENOENT errors).
:attribute-set: :ref:`nftables-attribute-set-table-attrs`
:fixed-header: :ref:`nftables-definition-nfgenmsg`
:do:
**request**
:attributes: [``name``]
.. _nftables-operation-newchain:
newchain
========
Create a new chain.
:attribute-set: :ref:`nftables-attribute-set-chain-attrs`
:fixed-header: :ref:`nftables-definition-nfgenmsg`
:do:
**request**
:attributes: [``name``]
.. _nftables-operation-getchain:
getchain
========
Get / dump chains.
:attribute-set: :ref:`nftables-attribute-set-chain-attrs`
:fixed-header: :ref:`nftables-definition-nfgenmsg`
:do:
**request**
:attributes: [``name``]
**reply**
:attributes: [``name``]
.. _nftables-operation-delchain:
delchain
========
Delete an existing chain.
:attribute-set: :ref:`nftables-attribute-set-chain-attrs`
:fixed-header: :ref:`nftables-definition-nfgenmsg`
:do:
**request**
:attributes: [``name``]
.. _nftables-operation-destroychain:
destroychain
============
Delete an existing chain with destroy semantics (ignoring ENOENT errors).
:attribute-set: :ref:`nftables-attribute-set-chain-attrs`
:fixed-header: :ref:`nftables-definition-nfgenmsg`
:do:
**request**
:attributes: [``name``]
.. _nftables-operation-newrule:
newrule
=======
Create a new rule.
:attribute-set: :ref:`nftables-attribute-set-rule-attrs`
:fixed-header: :ref:`nftables-definition-nfgenmsg`
:do:
**request**
:attributes: [``name``]
.. _nftables-operation-getrule:
getrule
=======
Get / dump rules.
:attribute-set: :ref:`nftables-attribute-set-rule-attrs`
:fixed-header: :ref:`nftables-definition-nfgenmsg`
:do:
**request**
:attributes: [``name``]
**reply**
:attributes: [``name``]
.. _nftables-operation-getrule-reset:
getrule-reset
=============
Get / dump rules and reset stateful expressions.
:attribute-set: :ref:`nftables-attribute-set-rule-attrs`
:fixed-header: :ref:`nftables-definition-nfgenmsg`
:do:
**request**
:attributes: [``name``]
**reply**
:attributes: [``name``]
.. _nftables-operation-delrule:
delrule
=======
Delete an existing rule.
:attribute-set: :ref:`nftables-attribute-set-rule-attrs`
:fixed-header: :ref:`nftables-definition-nfgenmsg`
:do:
**request**
:attributes: [``name``]
.. _nftables-operation-destroyrule:
destroyrule
===========
Delete an existing rule with destroy semantics (ignoring ENOENT errors).
:attribute-set: :ref:`nftables-attribute-set-rule-attrs`
:fixed-header: :ref:`nftables-definition-nfgenmsg`
:do:
**request**
:attributes: [``name``]
.. _nftables-operation-newset:
newset
======
Create a new set.
:attribute-set: :ref:`nftables-attribute-set-set-attrs`
:fixed-header: :ref:`nftables-definition-nfgenmsg`
:do:
**request**
:attributes: [``name``]
.. _nftables-operation-getset:
getset
======
Get / dump sets.
:attribute-set: :ref:`nftables-attribute-set-set-attrs`
:fixed-header: :ref:`nftables-definition-nfgenmsg`
:do:
**request**
:attributes: [``name``]
**reply**
:attributes: [``name``]
.. _nftables-operation-delset:
delset
======
Delete an existing set.
:attribute-set: :ref:`nftables-attribute-set-set-attrs`
:fixed-header: :ref:`nftables-definition-nfgenmsg`
:do:
**request**
:attributes: [``name``]
.. _nftables-operation-destroyset:
destroyset
==========
Delete an existing set with destroy semantics (ignoring ENOENT errors).
:attribute-set: :ref:`nftables-attribute-set-set-attrs`
:fixed-header: :ref:`nftables-definition-nfgenmsg`
:do:
**request**
:attributes: [``name``]
.. _nftables-operation-newsetelem:
newsetelem
==========
Create a new set element.
:attribute-set: :ref:`nftables-attribute-set-setelem-list-attrs`
:fixed-header: :ref:`nftables-definition-nfgenmsg`
:do:
**request**
:attributes: [``name``]
.. _nftables-operation-getsetelem:
getsetelem
==========
Get / dump set elements.
:attribute-set: :ref:`nftables-attribute-set-setelem-list-attrs`
:fixed-header: :ref:`nftables-definition-nfgenmsg`
:do:
**request**
:attributes: [``name``]
**reply**
:attributes: [``name``]
.. _nftables-operation-getsetelem-reset:
getsetelem-reset
================
Get / dump set elements and reset stateful expressions.
:attribute-set: :ref:`nftables-attribute-set-setelem-list-attrs`
:fixed-header: :ref:`nftables-definition-nfgenmsg`
:do:
**request**
:attributes: [``name``]
**reply**
:attributes: [``name``]
.. _nftables-operation-delsetelem:
delsetelem
==========
Delete an existing set element.
:attribute-set: :ref:`nftables-attribute-set-setelem-list-attrs`
:fixed-header: :ref:`nftables-definition-nfgenmsg`
:do:
**request**
:attributes: [``name``]
.. _nftables-operation-destroysetelem:
destroysetelem
==============
Delete an existing set element with destroy semantics.
:attribute-set: :ref:`nftables-attribute-set-setelem-list-attrs`
:fixed-header: :ref:`nftables-definition-nfgenmsg`
:do:
**request**
:attributes: [``name``]
.. _nftables-operation-getgen:
getgen
======
Get / dump rule-set generation.
:attribute-set: :ref:`nftables-attribute-set-gen-attrs`
:fixed-header: :ref:`nftables-definition-nfgenmsg`
:do:
**request**
:attributes: [``name``]
**reply**
:attributes: [``name``]
.. _nftables-operation-newobj:
newobj
======
Create a new stateful object.
:attribute-set: :ref:`nftables-attribute-set-obj-attrs`
:fixed-header: :ref:`nftables-definition-nfgenmsg`
:do:
**request**
:attributes: [``name``]
.. _nftables-operation-getobj:
getobj
======
Get / dump stateful objects.
:attribute-set: :ref:`nftables-attribute-set-obj-attrs`
:fixed-header: :ref:`nftables-definition-nfgenmsg`
:do:
**request**
:attributes: [``name``]
**reply**
:attributes: [``name``]
.. _nftables-operation-delobj:
delobj
======
Delete an existing stateful object.
:attribute-set: :ref:`nftables-attribute-set-obj-attrs`
:fixed-header: :ref:`nftables-definition-nfgenmsg`
:do:
**request**
:attributes: [``name``]
.. _nftables-operation-destroyobj:
destroyobj
==========
Delete an existing stateful object with destroy semantics.
:attribute-set: :ref:`nftables-attribute-set-obj-attrs`
:fixed-header: :ref:`nftables-definition-nfgenmsg`
:do:
**request**
:attributes: [``name``]
.. _nftables-operation-newflowtable:
newflowtable
============
Create a new flow table.
:attribute-set: :ref:`nftables-attribute-set-flowtable-attrs`
:fixed-header: :ref:`nftables-definition-nfgenmsg`
:do:
**request**
:attributes: [``name``]
.. _nftables-operation-getflowtable:
getflowtable
============
Get / dump flow tables.
:attribute-set: :ref:`nftables-attribute-set-flowtable-attrs`
:fixed-header: :ref:`nftables-definition-nfgenmsg`
:do:
**request**
:attributes: [``name``]
**reply**
:attributes: [``name``]
.. _nftables-operation-delflowtable:
delflowtable
============
Delete an existing flow table.
:attribute-set: :ref:`nftables-attribute-set-flowtable-attrs`
:fixed-header: :ref:`nftables-definition-nfgenmsg`
:do:
**request**
:attributes: [``name``]
.. _nftables-operation-destroyflowtable:
destroyflowtable
================
Delete an existing flow table with destroy semantics.
:attribute-set: :ref:`nftables-attribute-set-flowtable-attrs`
:fixed-header: :ref:`nftables-definition-nfgenmsg`
:do:
**request**
:attributes: [``name``]
----------------
Multicast groups
----------------
- mgmt
-----------
Definitions
-----------
.. _nftables-definition-nfgenmsg:
nfgenmsg
========
:type: struct
:members:
:nfgen-family (``u8``):
:version (``u8``):
:res-id (``u16``):
.. _nftables-definition-meta-keys:
meta-keys
=========
:type: enum
:entries:
- ``len``
- ``protocol``
- ``priority``
- ``mark``
- ``iif``
- ``oif``
- ``iifname``
- ``oifname``
- ``iftype``
- ``oiftype``
- ``skuid``
- ``skgid``
- ``nftrace``
- ``rtclassid``
- ``secmark``
- ``nfproto``
- ``l4-proto``
- ``bri-iifname``
- ``bri-oifname``
- ``pkttype``
- ``cpu``
- ``iifgroup``
- ``oifgroup``
- ``cgroup``
- ``prandom``
- ``secpath``
- ``iifkind``
- ``oifkind``
- ``bri-iifpvid``
- ``bri-iifvproto``
- ``time-ns``
- ``time-day``
- ``time-hour``
- ``sdif``
- ``sdifname``
- ``bri-broute``
.. _nftables-definition-bitwise-ops:
bitwise-ops
===========
:type: enum
:entries:
- ``bool``
- ``lshift``
- ``rshift``
.. _nftables-definition-cmp-ops:
cmp-ops
=======
:type: enum
:entries:
- ``eq``
- ``neq``
- ``lt``
- ``lte``
- ``gt``
- ``gte``
.. _nftables-definition-object-type:
object-type
===========
:type: enum
:entries:
- ``unspec``
- ``counter``
- ``quota``
- ``ct-helper``
- ``limit``
- ``connlimit``
- ``tunnel``
- ``ct-timeout``
- ``secmark``
- ``ct-expect``
- ``synproxy``
.. _nftables-definition-nat-range-flags:
nat-range-flags
===============
:type: flags
:entries:
- ``map-ips``
- ``proto-specified``
- ``proto-random``
- ``persistent``
- ``proto-random-fully``
- ``proto-offset``
- ``netmap``
.. _nftables-definition-table-flags:
table-flags
===========
:type: flags
:entries:
- ``dormant``
- ``owner``
- ``persist``
.. _nftables-definition-chain-flags:
chain-flags
===========
:type: flags
:entries:
- ``base``
- ``hw-offload``
- ``binding``
.. _nftables-definition-set-flags:
set-flags
=========
:type: flags
:entries:
- ``anonymous``
- ``constant``
- ``interval``
- ``map``
- ``timeout``
- ``eval``
- ``object``
- ``concat``
- ``expr``
.. _nftables-definition-lookup-flags:
lookup-flags
============
:type: flags
:entries:
- ``invert``
.. _nftables-definition-ct-keys:
ct-keys
=======
:type: enum
:entries:
- ``state``
- ``direction``
- ``status``
- ``mark``
- ``secmark``
- ``expiration``
- ``helper``
- ``l3protocol``
- ``src``
- ``dst``
- ``protocol``
- ``proto-src``
- ``proto-dst``
- ``labels``
- ``pkts``
- ``bytes``
- ``avgpkt``
- ``zone``
- ``eventmask``
- ``src-ip``
- ``dst-ip``
- ``src-ip6``
- ``dst-ip6``
- ``ct-id``
.. _nftables-definition-ct-direction:
ct-direction
============
:type: enum
:entries:
- ``original``
- ``reply``
.. _nftables-definition-quota-flags:
quota-flags
===========
:type: flags
:entries:
- ``invert``
- ``depleted``
.. _nftables-definition-verdict-code:
verdict-code
============
:type: enum
:entries:
:continue:
:break:
:jump:
:goto:
:return:
:drop:
:accept:
:stolen:
:queue:
:repeat:
.. _nftables-definition-fib-result:
fib-result
==========
:type: enum
:entries:
- ``oif``
- ``oifname``
- ``addrtype``
.. _nftables-definition-fib-flags:
fib-flags
=========
:type: flags
:entries:
- ``saddr``
- ``daddr``
- ``mark``
- ``iif``
- ``oif``
- ``present``
.. _nftables-definition-reject-types:
reject-types
============
:type: enum
:entries:
- ``icmp-unreach``
- ``tcp-rst``
- ``icmpx-unreach``
--------------
Attribute sets
--------------
.. _nftables-attribute-set-empty-attrs:
empty-attrs
===========
name (``string``)
~~~~~~~~~~~~~~~~~
.. _nftables-attribute-set-batch-attrs:
batch-attrs
===========
genid (``u32``)
~~~~~~~~~~~~~~~
:byte-order: big-endian
.. _nftables-attribute-set-table-attrs:
table-attrs
===========
name (``string``)
~~~~~~~~~~~~~~~~~
:doc: name of the table
flags (``u32``)
~~~~~~~~~~~~~~~
:byte-order: big-endian
:doc: bitmask of flags
:enum: :ref:`nftables-definition-table-flags`
:enum-as-flags: True
use (``u32``)
~~~~~~~~~~~~~
:byte-order: big-endian
:doc: number of chains in this table
handle (``u64``)
~~~~~~~~~~~~~~~~
:byte-order: big-endian
:doc: numeric handle of the table
userdata (``binary``)
~~~~~~~~~~~~~~~~~~~~~
:doc: user data
.. _nftables-attribute-set-chain-attrs:
chain-attrs
===========
table (``string``)
~~~~~~~~~~~~~~~~~~
:doc: name of the table containing the chain
handle (``u64``)
~~~~~~~~~~~~~~~~
:byte-order: big-endian
:doc: numeric handle of the chain
name (``string``)
~~~~~~~~~~~~~~~~~
:doc: name of the chain
hook (``nest``)
~~~~~~~~~~~~~~~
:nested-attributes: :ref:`nftables-attribute-set-nft-hook-attrs`
:doc: hook specification for basechains
policy (``u32``)
~~~~~~~~~~~~~~~~
:byte-order: big-endian
:doc: numeric policy of the chain
use (``u32``)
~~~~~~~~~~~~~
:byte-order: big-endian
:doc: number of references to this chain
type (``string``)
~~~~~~~~~~~~~~~~~
:doc: type name of the chain
counters (``nest``)
~~~~~~~~~~~~~~~~~~~
:nested-attributes: :ref:`nftables-attribute-set-nft-counter-attrs`
:doc: counter specification of the chain
flags (``u32``)
~~~~~~~~~~~~~~~
:byte-order: big-endian
:doc: chain flags
:enum: :ref:`nftables-definition-chain-flags`
:enum-as-flags: True
id (``u32``)
~~~~~~~~~~~~
:byte-order: big-endian
:doc: uniquely identifies a chain in a transaction
userdata (``binary``)
~~~~~~~~~~~~~~~~~~~~~
:doc: user data
.. _nftables-attribute-set-counter-attrs:
counter-attrs
=============
bytes (``u64``)
~~~~~~~~~~~~~~~
:byte-order: big-endian
packets (``u64``)
~~~~~~~~~~~~~~~~~
:byte-order: big-endian
pad (``pad``)
~~~~~~~~~~~~~
.. _nftables-attribute-set-nft-hook-attrs:
nft-hook-attrs
==============
num (``u32``)
~~~~~~~~~~~~~
:byte-order: big-endian
priority (``s32``)
~~~~~~~~~~~~~~~~~~
:byte-order: big-endian
dev (``string``)
~~~~~~~~~~~~~~~~
:doc: net device name
devs (``nest``)
~~~~~~~~~~~~~~~
:nested-attributes: :ref:`nftables-attribute-set-hook-dev-attrs`
:doc: list of net devices
.. _nftables-attribute-set-hook-dev-attrs:
hook-dev-attrs
==============
name (``string``)
~~~~~~~~~~~~~~~~~
:multi-attr: True
.. _nftables-attribute-set-nft-counter-attrs:
nft-counter-attrs
=================
bytes (``u64``)
~~~~~~~~~~~~~~~
packets (``u64``)
~~~~~~~~~~~~~~~~~
.. _nftables-attribute-set-rule-attrs:
rule-attrs
==========
table (``string``)
~~~~~~~~~~~~~~~~~~
:doc: name of the table containing the rule
chain (``string``)
~~~~~~~~~~~~~~~~~~
:doc: name of the chain containing the rule
handle (``u64``)
~~~~~~~~~~~~~~~~
:byte-order: big-endian
:doc: numeric handle of the rule
expressions (``nest``)
~~~~~~~~~~~~~~~~~~~~~~
:nested-attributes: :ref:`nftables-attribute-set-expr-list-attrs`
:doc: list of expressions
compat (``nest``)
~~~~~~~~~~~~~~~~~
:nested-attributes: :ref:`nftables-attribute-set-rule-compat-attrs`
:doc: compatibility specifications of the rule
position (``u64``)
~~~~~~~~~~~~~~~~~~
:byte-order: big-endian
:doc: numeric handle of the previous rule
userdata (``binary``)
~~~~~~~~~~~~~~~~~~~~~
:doc: user data
id (``u32``)
~~~~~~~~~~~~
:doc: uniquely identifies a rule in a transaction
position-id (``u32``)
~~~~~~~~~~~~~~~~~~~~~
:doc: transaction unique identifier of the previous rule
chain-id (``u32``)
~~~~~~~~~~~~~~~~~~
:doc: add the rule to chain by ID, alternative to chain name
.. _nftables-attribute-set-expr-list-attrs:
expr-list-attrs
===============
elem (``nest``)
~~~~~~~~~~~~~~~
:nested-attributes: :ref:`nftables-attribute-set-expr-attrs`
:multi-attr: True
.. _nftables-attribute-set-expr-attrs:
expr-attrs
==========
name (``string``)
~~~~~~~~~~~~~~~~~
:doc: name of the expression type
data (``sub-message``)
~~~~~~~~~~~~~~~~~~~~~~
:sub-message: :ref:`nftables-sub-message-expr-ops`
:selector: name
:doc: type specific data
.. _nftables-attribute-set-rule-compat-attrs:
rule-compat-attrs
=================
proto (``binary``)
~~~~~~~~~~~~~~~~~~
:doc: numeric value of the handled protocol
flags (``binary``)
~~~~~~~~~~~~~~~~~~
:doc: bitmask of flags
.. _nftables-attribute-set-set-attrs:
set-attrs
=========
table (``string``)
~~~~~~~~~~~~~~~~~~
:doc: table name
name (``string``)
~~~~~~~~~~~~~~~~~
:doc: set name
flags (``u32``)
~~~~~~~~~~~~~~~
:enum: :ref:`nftables-definition-set-flags`
:byte-order: big-endian
:doc: bitmask of enum nft_set_flags
key-type (``u32``)
~~~~~~~~~~~~~~~~~~
:byte-order: big-endian
:doc: key data type, informational purpose only
key-len (``u32``)
~~~~~~~~~~~~~~~~~
:byte-order: big-endian
:doc: key data length
data-type (``u32``)
~~~~~~~~~~~~~~~~~~~
:byte-order: big-endian
:doc: mapping data type
data-len (``u32``)
~~~~~~~~~~~~~~~~~~
:byte-order: big-endian
:doc: mapping data length
policy (``u32``)
~~~~~~~~~~~~~~~~
:byte-order: big-endian
:doc: selection policy
desc (``nest``)
~~~~~~~~~~~~~~~
:nested-attributes: :ref:`nftables-attribute-set-set-desc-attrs`
:doc: set description
id (``u32``)
~~~~~~~~~~~~
:doc: uniquely identifies a set in a transaction
timeout (``u64``)
~~~~~~~~~~~~~~~~~
:doc: default timeout value
gc-interval (``u32``)
~~~~~~~~~~~~~~~~~~~~~
:doc: garbage collection interval
userdata (``binary``)
~~~~~~~~~~~~~~~~~~~~~
:doc: user data
pad (``pad``)
~~~~~~~~~~~~~
obj-type (``u32``)
~~~~~~~~~~~~~~~~~~
:byte-order: big-endian
:doc: stateful object type
handle (``u64``)
~~~~~~~~~~~~~~~~
:byte-order: big-endian
:doc: set handle
expr (``nest``)
~~~~~~~~~~~~~~~
:nested-attributes: :ref:`nftables-attribute-set-expr-attrs`
:doc: set expression
:multi-attr: True
expressions (``nest``)
~~~~~~~~~~~~~~~~~~~~~~
:nested-attributes: :ref:`nftables-attribute-set-set-list-attrs`
:doc: list of expressions
.. _nftables-attribute-set-set-desc-attrs:
set-desc-attrs
==============
size (``u32``)
~~~~~~~~~~~~~~
:byte-order: big-endian
:doc: number of elements in set
concat (``nest``)
~~~~~~~~~~~~~~~~~
:nested-attributes: :ref:`nftables-attribute-set-set-desc-concat-attrs`
:doc: description of field concatenation
:multi-attr: True
.. _nftables-attribute-set-set-desc-concat-attrs:
set-desc-concat-attrs
=====================
elem (``nest``)
~~~~~~~~~~~~~~~
:nested-attributes: :ref:`nftables-attribute-set-set-field-attrs`
.. _nftables-attribute-set-set-field-attrs:
set-field-attrs
===============
len (``u32``)
~~~~~~~~~~~~~
:byte-order: big-endian
.. _nftables-attribute-set-set-list-attrs:
set-list-attrs
==============
elem (``nest``)
~~~~~~~~~~~~~~~
:nested-attributes: :ref:`nftables-attribute-set-expr-attrs`
:multi-attr: True
.. _nftables-attribute-set-setelem-attrs:
setelem-attrs
=============
key (``nest``)
~~~~~~~~~~~~~~
:nested-attributes: :ref:`nftables-attribute-set-data-attrs`
:doc: key value
data (``nest``)
~~~~~~~~~~~~~~~
:nested-attributes: :ref:`nftables-attribute-set-data-attrs`
:doc: data value of mapping
flags (``binary``)
~~~~~~~~~~~~~~~~~~
:doc: bitmask of nft_set_elem_flags
timeout (``u64``)
~~~~~~~~~~~~~~~~~
:doc: timeout value
expiration (``u64``)
~~~~~~~~~~~~~~~~~~~~
:doc: expiration time
userdata (``binary``)
~~~~~~~~~~~~~~~~~~~~~
:doc: user data
expr (``nest``)
~~~~~~~~~~~~~~~
:nested-attributes: :ref:`nftables-attribute-set-expr-attrs`
:doc: expression
objref (``string``)
~~~~~~~~~~~~~~~~~~~
:doc: stateful object reference
key-end (``nest``)
~~~~~~~~~~~~~~~~~~
:nested-attributes: :ref:`nftables-attribute-set-data-attrs`
:doc: closing key value
expressions (``nest``)
~~~~~~~~~~~~~~~~~~~~~~
:nested-attributes: :ref:`nftables-attribute-set-expr-list-attrs`
:doc: list of expressions
.. _nftables-attribute-set-setelem-list-elem-attrs:
setelem-list-elem-attrs
=======================
elem (``nest``)
~~~~~~~~~~~~~~~
:nested-attributes: :ref:`nftables-attribute-set-setelem-attrs`
:multi-attr: True
.. _nftables-attribute-set-setelem-list-attrs:
setelem-list-attrs
==================
table (``string``)
~~~~~~~~~~~~~~~~~~
set (``string``)
~~~~~~~~~~~~~~~~
elements (``nest``)
~~~~~~~~~~~~~~~~~~~
:nested-attributes: :ref:`nftables-attribute-set-setelem-list-elem-attrs`
set-id (``u32``)
~~~~~~~~~~~~~~~~
.. _nftables-attribute-set-gen-attrs:
gen-attrs
=========
id (``u32``)
~~~~~~~~~~~~
:byte-order: big-endian
:doc: ruleset generation id
proc-pid (``u32``)
~~~~~~~~~~~~~~~~~~
:byte-order: big-endian
proc-name (``string``)
~~~~~~~~~~~~~~~~~~~~~~
.. _nftables-attribute-set-obj-attrs:
obj-attrs
=========
table (``string``)
~~~~~~~~~~~~~~~~~~
:doc: name of the table containing the expression
name (``string``)
~~~~~~~~~~~~~~~~~
:doc: name of this expression type
type (``u32``)
~~~~~~~~~~~~~~
:enum: :ref:`nftables-definition-object-type`
:byte-order: big-endian
:doc: stateful object type
data (``sub-message``)
~~~~~~~~~~~~~~~~~~~~~~
:sub-message: :ref:`nftables-sub-message-obj-data`
:selector: type
:doc: stateful object data
use (``u32``)
~~~~~~~~~~~~~
:byte-order: big-endian
:doc: number of references to this expression
handle (``u64``)
~~~~~~~~~~~~~~~~
:byte-order: big-endian
:doc: object handle
pad (``pad``)
~~~~~~~~~~~~~
userdata (``binary``)
~~~~~~~~~~~~~~~~~~~~~
:doc: user data
.. _nftables-attribute-set-quota-attrs:
quota-attrs
===========
bytes (``u64``)
~~~~~~~~~~~~~~~
:byte-order: big-endian
flags (``u32``)
~~~~~~~~~~~~~~~
:byte-order: big-endian
:enum: :ref:`nftables-definition-quota-flags`
pad (``pad``)
~~~~~~~~~~~~~
consumed (``u64``)
~~~~~~~~~~~~~~~~~~
:byte-order: big-endian
.. _nftables-attribute-set-flowtable-attrs:
flowtable-attrs
===============
table (``string``)
~~~~~~~~~~~~~~~~~~
name (``string``)
~~~~~~~~~~~~~~~~~
hook (``nest``)
~~~~~~~~~~~~~~~
:nested-attributes: :ref:`nftables-attribute-set-flowtable-hook-attrs`
use (``u32``)
~~~~~~~~~~~~~
:byte-order: big-endian
handle (``u64``)
~~~~~~~~~~~~~~~~
:byte-order: big-endian
pad (``pad``)
~~~~~~~~~~~~~
flags (``u32``)
~~~~~~~~~~~~~~~
:byte-order: big-endian
.. _nftables-attribute-set-flowtable-hook-attrs:
flowtable-hook-attrs
====================
num (``u32``)
~~~~~~~~~~~~~
:byte-order: big-endian
priority (``u32``)
~~~~~~~~~~~~~~~~~~
:byte-order: big-endian
devs (``nest``)
~~~~~~~~~~~~~~~
:nested-attributes: :ref:`nftables-attribute-set-hook-dev-attrs`
.. _nftables-attribute-set-expr-bitwise-attrs:
expr-bitwise-attrs
==================
sreg (``u32``)
~~~~~~~~~~~~~~
:byte-order: big-endian
dreg (``u32``)
~~~~~~~~~~~~~~
:byte-order: big-endian
len (``u32``)
~~~~~~~~~~~~~
:byte-order: big-endian
mask (``nest``)
~~~~~~~~~~~~~~~
:nested-attributes: :ref:`nftables-attribute-set-data-attrs`
xor (``nest``)
~~~~~~~~~~~~~~
:nested-attributes: :ref:`nftables-attribute-set-data-attrs`
op (``u32``)
~~~~~~~~~~~~
:byte-order: big-endian
:enum: :ref:`nftables-definition-bitwise-ops`
data (``nest``)
~~~~~~~~~~~~~~~
:nested-attributes: :ref:`nftables-attribute-set-data-attrs`
.. _nftables-attribute-set-expr-cmp-attrs:
expr-cmp-attrs
==============
sreg (``u32``)
~~~~~~~~~~~~~~
:byte-order: big-endian
op (``u32``)
~~~~~~~~~~~~
:byte-order: big-endian
:enum: :ref:`nftables-definition-cmp-ops`
data (``nest``)
~~~~~~~~~~~~~~~
:nested-attributes: :ref:`nftables-attribute-set-data-attrs`
.. _nftables-attribute-set-data-attrs:
data-attrs
==========
value (``binary``)
~~~~~~~~~~~~~~~~~~
verdict (``nest``)
~~~~~~~~~~~~~~~~~~
:nested-attributes: :ref:`nftables-attribute-set-verdict-attrs`
.. _nftables-attribute-set-verdict-attrs:
verdict-attrs
=============
code (``u32``)
~~~~~~~~~~~~~~
:byte-order: big-endian
:enum: :ref:`nftables-definition-verdict-code`
chain (``string``)
~~~~~~~~~~~~~~~~~~
chain-id (``u32``)
~~~~~~~~~~~~~~~~~~
.. _nftables-attribute-set-expr-counter-attrs:
expr-counter-attrs
==================
bytes (``u64``)
~~~~~~~~~~~~~~~
:doc: Number of bytes
packets (``u64``)
~~~~~~~~~~~~~~~~~
:doc: Number of packets
pad (``pad``)
~~~~~~~~~~~~~
.. _nftables-attribute-set-expr-fib-attrs:
expr-fib-attrs
==============
dreg (``u32``)
~~~~~~~~~~~~~~
:byte-order: big-endian
result (``u32``)
~~~~~~~~~~~~~~~~
:byte-order: big-endian
:enum: :ref:`nftables-definition-fib-result`
flags (``u32``)
~~~~~~~~~~~~~~~
:byte-order: big-endian
:enum: :ref:`nftables-definition-fib-flags`
.. _nftables-attribute-set-expr-ct-attrs:
expr-ct-attrs
=============
dreg (``u32``)
~~~~~~~~~~~~~~
:byte-order: big-endian
key (``u32``)
~~~~~~~~~~~~~
:byte-order: big-endian
:enum: :ref:`nftables-definition-ct-keys`
direction (``u8``)
~~~~~~~~~~~~~~~~~~
:enum: :ref:`nftables-definition-ct-direction`
sreg (``u32``)
~~~~~~~~~~~~~~
:byte-order: big-endian
.. _nftables-attribute-set-expr-flow-offload-attrs:
expr-flow-offload-attrs
=======================
name (``string``)
~~~~~~~~~~~~~~~~~
:doc: Flow offload table name
.. _nftables-attribute-set-expr-immediate-attrs:
expr-immediate-attrs
====================
dreg (``u32``)
~~~~~~~~~~~~~~
:byte-order: big-endian
data (``nest``)
~~~~~~~~~~~~~~~
:nested-attributes: :ref:`nftables-attribute-set-data-attrs`
.. _nftables-attribute-set-expr-lookup-attrs:
expr-lookup-attrs
=================
set (``string``)
~~~~~~~~~~~~~~~~
:doc: Name of set to use
set id (``u32``)
~~~~~~~~~~~~~~~~
:byte-order: big-endian
:doc: ID of set to use
sreg (``u32``)
~~~~~~~~~~~~~~
:byte-order: big-endian
dreg (``u32``)
~~~~~~~~~~~~~~
:byte-order: big-endian
flags (``u32``)
~~~~~~~~~~~~~~~
:byte-order: big-endian
:enum: :ref:`nftables-definition-lookup-flags`
.. _nftables-attribute-set-expr-meta-attrs:
expr-meta-attrs
===============
dreg (``u32``)
~~~~~~~~~~~~~~
:byte-order: big-endian
key (``u32``)
~~~~~~~~~~~~~
:byte-order: big-endian
:enum: :ref:`nftables-definition-meta-keys`
sreg (``u32``)
~~~~~~~~~~~~~~
:byte-order: big-endian
.. _nftables-attribute-set-expr-nat-attrs:
expr-nat-attrs
==============
type (``u32``)
~~~~~~~~~~~~~~
:byte-order: big-endian
family (``u32``)
~~~~~~~~~~~~~~~~
:byte-order: big-endian
reg-addr-min (``u32``)
~~~~~~~~~~~~~~~~~~~~~~
:byte-order: big-endian
reg-addr-max (``u32``)
~~~~~~~~~~~~~~~~~~~~~~
:byte-order: big-endian
reg-proto-min (``u32``)
~~~~~~~~~~~~~~~~~~~~~~~
:byte-order: big-endian
reg-proto-max (``u32``)
~~~~~~~~~~~~~~~~~~~~~~~
:byte-order: big-endian
flags (``u32``)
~~~~~~~~~~~~~~~
:byte-order: big-endian
:enum: :ref:`nftables-definition-nat-range-flags`
:enum-as-flags: True
.. _nftables-attribute-set-expr-payload-attrs:
expr-payload-attrs
==================
dreg (``u32``)
~~~~~~~~~~~~~~
:byte-order: big-endian
base (``u32``)
~~~~~~~~~~~~~~
:byte-order: big-endian
offset (``u32``)
~~~~~~~~~~~~~~~~
:byte-order: big-endian
len (``u32``)
~~~~~~~~~~~~~
:byte-order: big-endian
sreg (``u32``)
~~~~~~~~~~~~~~
:byte-order: big-endian
csum-type (``u32``)
~~~~~~~~~~~~~~~~~~~
:byte-order: big-endian
csum-offset (``u32``)
~~~~~~~~~~~~~~~~~~~~~
:byte-order: big-endian
csum-flags (``u32``)
~~~~~~~~~~~~~~~~~~~~
:byte-order: big-endian
.. _nftables-attribute-set-expr-reject-attrs:
expr-reject-attrs
=================
type (``u32``)
~~~~~~~~~~~~~~
:byte-order: big-endian
:enum: :ref:`nftables-definition-reject-types`
icmp-code (``u8``)
~~~~~~~~~~~~~~~~~~
.. _nftables-attribute-set-expr-target-attrs:
expr-target-attrs
=================
name (``string``)
~~~~~~~~~~~~~~~~~
rev (``u32``)
~~~~~~~~~~~~~
:byte-order: big-endian
info (``binary``)
~~~~~~~~~~~~~~~~~
.. _nftables-attribute-set-expr-tproxy-attrs:
expr-tproxy-attrs
=================
family (``u32``)
~~~~~~~~~~~~~~~~
:byte-order: big-endian
reg-addr (``u32``)
~~~~~~~~~~~~~~~~~~
:byte-order: big-endian
reg-port (``u32``)
~~~~~~~~~~~~~~~~~~
:byte-order: big-endian
.. _nftables-attribute-set-expr-objref-attrs:
expr-objref-attrs
=================
imm-type (``u32``)
~~~~~~~~~~~~~~~~~~
:byte-order: big-endian
imm-name (``string``)
~~~~~~~~~~~~~~~~~~~~~
:doc: object name
set-sreg (``u32``)
~~~~~~~~~~~~~~~~~~
:byte-order: big-endian
set-name (``string``)
~~~~~~~~~~~~~~~~~~~~~
:doc: name of object map
set-id (``u32``)
~~~~~~~~~~~~~~~~
:byte-order: big-endian
:doc: id of object map
------------
Sub-messages
------------
.. _nftables-sub-message-expr-ops:
expr-ops
========
- **bitwise**
:attribute-set: :ref:`nftables-attribute-set-expr-bitwise-attrs`
- **cmp**
:attribute-set: :ref:`nftables-attribute-set-expr-cmp-attrs`
- **counter**
:attribute-set: :ref:`nftables-attribute-set-expr-counter-attrs`
- **ct**
:attribute-set: :ref:`nftables-attribute-set-expr-ct-attrs`
- **fib**
:attribute-set: :ref:`nftables-attribute-set-expr-fib-attrs`
- **flow_offload**
:attribute-set: :ref:`nftables-attribute-set-expr-flow-offload-attrs`
- **immediate**
:attribute-set: :ref:`nftables-attribute-set-expr-immediate-attrs`
- **lookup**
:attribute-set: :ref:`nftables-attribute-set-expr-lookup-attrs`
- **meta**
:attribute-set: :ref:`nftables-attribute-set-expr-meta-attrs`
- **nat**
:attribute-set: :ref:`nftables-attribute-set-expr-nat-attrs`
- **objref**
:attribute-set: :ref:`nftables-attribute-set-expr-objref-attrs`
- **payload**
:attribute-set: :ref:`nftables-attribute-set-expr-payload-attrs`
- **quota**
:attribute-set: :ref:`nftables-attribute-set-quota-attrs`
- **reject**
:attribute-set: :ref:`nftables-attribute-set-expr-reject-attrs`
- **target**
:attribute-set: :ref:`nftables-attribute-set-expr-target-attrs`
- **tproxy**
:attribute-set: :ref:`nftables-attribute-set-expr-tproxy-attrs`
.. _nftables-sub-message-obj-data:
obj-data
========
- **counter**
:attribute-set: :ref:`nftables-attribute-set-counter-attrs`
- **quota**
:attribute-set: :ref:`nftables-attribute-set-quota-attrs`