Family nftables netlink specification¶
Summary¶
Netfilter nftables configuration over netlink.
Operations¶
batch-begin¶
Start a batch of operations
- attribute-set:
- fixed-header:
- do:
- request
- attributes:
[
genid]
- reply
- attributes:
[
genid]
batch-end¶
Finish a batch of operations
- attribute-set:
- fixed-header:
- do:
- request
- attributes:
[
genid]
newtable¶
Create a new table.
- attribute-set:
- fixed-header:
- do:
- request
- attributes:
[
name]
gettable¶
Get / dump tables.
- attribute-set:
- fixed-header:
- do:
- request
- attributes:
[
name]
- reply
- attributes:
[
name]
deltable¶
Delete an existing table.
- attribute-set:
- fixed-header:
- do:
- request
- attributes:
[
name]
destroytable¶
Delete an existing table with destroy semantics (ignoring ENOENT errors).
- attribute-set:
- fixed-header:
- do:
- request
- attributes:
[
name]
newchain¶
Create a new chain.
- attribute-set:
- fixed-header:
- do:
- request
- attributes:
[
name]
getchain¶
Get / dump chains.
- attribute-set:
- fixed-header:
- do:
- request
- attributes:
[
name]
- reply
- attributes:
[
name]
delchain¶
Delete an existing chain.
- attribute-set:
- fixed-header:
- do:
- request
- attributes:
[
name]
destroychain¶
Delete an existing chain with destroy semantics (ignoring ENOENT errors).
- attribute-set:
- fixed-header:
- do:
- request
- attributes:
[
name]
newrule¶
Create a new rule.
- attribute-set:
- fixed-header:
- do:
- request
- attributes:
[
name]
getrule¶
Get / dump rules.
- attribute-set:
- fixed-header:
- do:
- request
- attributes:
[
name]
- reply
- attributes:
[
name]
getrule-reset¶
Get / dump rules and reset stateful expressions.
- attribute-set:
- fixed-header:
- do:
- request
- attributes:
[
name]
- reply
- attributes:
[
name]
delrule¶
Delete an existing rule.
- attribute-set:
- fixed-header:
- do:
- request
- attributes:
[
name]
destroyrule¶
Delete an existing rule with destroy semantics (ignoring ENOENT errors).
- attribute-set:
- fixed-header:
- do:
- request
- attributes:
[
name]
newset¶
Create a new set.
getset¶
Get / dump sets.
delset¶
Delete an existing set.
destroyset¶
Delete an existing set with destroy semantics (ignoring ENOENT errors).
newsetelem¶
Create a new set element.
- attribute-set:
- fixed-header:
- do:
- request
- attributes:
[
name]
getsetelem¶
Get / dump set elements.
- attribute-set:
- fixed-header:
- do:
- request
- attributes:
[
name]
- reply
- attributes:
[
name]
getsetelem-reset¶
Get / dump set elements and reset stateful expressions.
- attribute-set:
- fixed-header:
- do:
- request
- attributes:
[
name]
- reply
- attributes:
[
name]
delsetelem¶
Delete an existing set element.
- attribute-set:
- fixed-header:
- do:
- request
- attributes:
[
name]
destroysetelem¶
Delete an existing set element with destroy semantics.
- attribute-set:
- fixed-header:
- do:
- request
- attributes:
[
name]
getgen¶
Get / dump rule-set generation.
newobj¶
Create a new stateful object.
getobj¶
Get / dump stateful objects.
delobj¶
Delete an existing stateful object.
destroyobj¶
Delete an existing stateful object with destroy semantics.
newflowtable¶
Create a new flow table.
- attribute-set:
- fixed-header:
- do:
- request
- attributes:
[
name]
getflowtable¶
Get / dump flow tables.
- attribute-set:
- fixed-header:
- do:
- request
- attributes:
[
name]
- reply
- attributes:
[
name]
delflowtable¶
Delete an existing flow table.
- attribute-set:
- fixed-header:
- do:
- request
- attributes:
[
name]
destroyflowtable¶
Delete an existing flow table with destroy semantics.
- attribute-set:
- fixed-header:
- do:
- request
- attributes:
[
name]
Multicast groups¶
mgmt
Definitions¶
nfgenmsg¶
- type:
struct
- members:
- nfgen-family (
u8): - version (
u8): - res-id (
u16):
- nfgen-family (
meta-keys¶
- type:
enum
- entries:
lenprotocolprioritymarkiifoifiifnameoifnameiftypeoiftypeskuidskgidnftracertclassidsecmarknfprotol4-protobri-iifnamebri-oifnamepkttypecpuiifgroupoifgroupcgroupprandomsecpathiifkindoifkindbri-iifpvidbri-iifvprototime-nstime-daytime-hoursdifsdifnamebri-broute
bitwise-ops¶
- type:
enum
- entries:
boollshiftrshift
cmp-ops¶
- type:
enum
- entries:
eqneqltltegtgte
object-type¶
- type:
enum
- entries:
unspeccounterquotact-helperlimitconnlimittunnelct-timeoutsecmarkct-expectsynproxy
nat-range-flags¶
- type:
flags
- entries:
map-ipsproto-specifiedproto-randompersistentproto-random-fullyproto-offsetnetmap
table-flags¶
- type:
flags
- entries:
dormantownerpersist
chain-flags¶
- type:
flags
- entries:
basehw-offloadbinding
set-flags¶
- type:
flags
- entries:
anonymousconstantintervalmaptimeoutevalobjectconcatexpr
lookup-flags¶
- type:
flags
- entries:
invert
ct-keys¶
- type:
enum
- entries:
statedirectionstatusmarksecmarkexpirationhelperl3protocolsrcdstprotocolproto-srcproto-dstlabelspktsbytesavgpktzoneeventmasksrc-ipdst-ipsrc-ip6dst-ip6ct-id
ct-direction¶
- type:
enum
- entries:
originalreply
quota-flags¶
- type:
flags
- entries:
invertdepleted
verdict-code¶
- type:
enum
- entries:
- continue:
- break:
- jump:
- goto:
- return:
- drop:
- accept:
- stolen:
- queue:
- repeat:
fib-result¶
- type:
enum
- entries:
oifoifnameaddrtype
fib-flags¶
- type:
flags
- entries:
saddrdaddrmarkiifoifpresent
reject-types¶
- type:
enum
- entries:
icmp-unreachtcp-rsticmpx-unreach
Attribute sets¶
empty-attrs¶
name (string)¶
batch-attrs¶
genid (u32)¶
- byte-order:
big-endian
table-attrs¶
name (string)¶
- doc:
name of the table
flags (u32)¶
- byte-order:
big-endian
- doc:
bitmask of flags
- enum:
- enum-as-flags:
True
use (u32)¶
- byte-order:
big-endian
- doc:
number of chains in this table
handle (u64)¶
- byte-order:
big-endian
- doc:
numeric handle of the table
userdata (binary)¶
- doc:
user data
chain-attrs¶
table (string)¶
- doc:
name of the table containing the chain
handle (u64)¶
- byte-order:
big-endian
- doc:
numeric handle of the chain
name (string)¶
- doc:
name of the chain
hook (nest)¶
- nested-attributes:
- doc:
hook specification for basechains
policy (u32)¶
- byte-order:
big-endian
- doc:
numeric policy of the chain
use (u32)¶
- byte-order:
big-endian
- doc:
number of references to this chain
type (string)¶
- doc:
type name of the chain
counters (nest)¶
- nested-attributes:
- doc:
counter specification of the chain
flags (u32)¶
- byte-order:
big-endian
- doc:
chain flags
- enum:
- enum-as-flags:
True
id (u32)¶
- byte-order:
big-endian
- doc:
uniquely identifies a chain in a transaction
userdata (binary)¶
- doc:
user data
counter-attrs¶
bytes (u64)¶
- byte-order:
big-endian
packets (u64)¶
- byte-order:
big-endian
pad (pad)¶
nft-hook-attrs¶
num (u32)¶
- byte-order:
big-endian
priority (s32)¶
- byte-order:
big-endian
dev (string)¶
- doc:
net device name
devs (nest)¶
- nested-attributes:
- doc:
list of net devices
hook-dev-attrs¶
name (string)¶
- multi-attr:
True
nft-counter-attrs¶
bytes (u64)¶
packets (u64)¶
rule-attrs¶
table (string)¶
- doc:
name of the table containing the rule
chain (string)¶
- doc:
name of the chain containing the rule
handle (u64)¶
- byte-order:
big-endian
- doc:
numeric handle of the rule
expressions (nest)¶
- nested-attributes:
- doc:
list of expressions
compat (nest)¶
- nested-attributes:
- doc:
compatibility specifications of the rule
position (u64)¶
- byte-order:
big-endian
- doc:
numeric handle of the previous rule
userdata (binary)¶
- doc:
user data
id (u32)¶
- doc:
uniquely identifies a rule in a transaction
position-id (u32)¶
- doc:
transaction unique identifier of the previous rule
chain-id (u32)¶
- doc:
add the rule to chain by ID, alternative to chain name
expr-list-attrs¶
elem (nest)¶
- nested-attributes:
- multi-attr:
True
expr-attrs¶
name (string)¶
- doc:
name of the expression type
data (sub-message)¶
- sub-message:
- selector:
name
- doc:
type specific data
rule-compat-attrs¶
proto (binary)¶
- doc:
numeric value of the handled protocol
flags (binary)¶
- doc:
bitmask of flags
set-attrs¶
table (string)¶
- doc:
table name
name (string)¶
- doc:
set name
flags (u32)¶
- enum:
- byte-order:
big-endian
- doc:
bitmask of enum nft_set_flags
key-type (u32)¶
- byte-order:
big-endian
- doc:
key data type, informational purpose only
key-len (u32)¶
- byte-order:
big-endian
- doc:
key data length
data-type (u32)¶
- byte-order:
big-endian
- doc:
mapping data type
data-len (u32)¶
- byte-order:
big-endian
- doc:
mapping data length
policy (u32)¶
- byte-order:
big-endian
- doc:
selection policy
desc (nest)¶
- nested-attributes:
- doc:
set description
id (u32)¶
- doc:
uniquely identifies a set in a transaction
timeout (u64)¶
- doc:
default timeout value
gc-interval (u32)¶
- doc:
garbage collection interval
userdata (binary)¶
- doc:
user data
pad (pad)¶
obj-type (u32)¶
- byte-order:
big-endian
- doc:
stateful object type
handle (u64)¶
- byte-order:
big-endian
- doc:
set handle
expr (nest)¶
- nested-attributes:
- doc:
set expression
- multi-attr:
True
expressions (nest)¶
- nested-attributes:
- doc:
list of expressions
set-desc-attrs¶
size (u32)¶
- byte-order:
big-endian
- doc:
number of elements in set
concat (nest)¶
- nested-attributes:
- doc:
description of field concatenation
- multi-attr:
True
set-desc-concat-attrs¶
elem (nest)¶
- nested-attributes:
set-field-attrs¶
len (u32)¶
- byte-order:
big-endian
set-list-attrs¶
elem (nest)¶
- nested-attributes:
- multi-attr:
True
setelem-attrs¶
key (nest)¶
- nested-attributes:
- doc:
key value
data (nest)¶
- nested-attributes:
- doc:
data value of mapping
flags (binary)¶
- doc:
bitmask of nft_set_elem_flags
timeout (u64)¶
- doc:
timeout value
expiration (u64)¶
- doc:
expiration time
userdata (binary)¶
- doc:
user data
expr (nest)¶
- nested-attributes:
- doc:
expression
objref (string)¶
- doc:
stateful object reference
key-end (nest)¶
- nested-attributes:
- doc:
closing key value
expressions (nest)¶
- nested-attributes:
- doc:
list of expressions
setelem-list-elem-attrs¶
elem (nest)¶
- nested-attributes:
- multi-attr:
True
setelem-list-attrs¶
table (string)¶
set (string)¶
elements (nest)¶
- nested-attributes:
set-id (u32)¶
gen-attrs¶
id (u32)¶
- byte-order:
big-endian
- doc:
ruleset generation id
proc-pid (u32)¶
- byte-order:
big-endian
proc-name (string)¶
obj-attrs¶
table (string)¶
- doc:
name of the table containing the expression
name (string)¶
- doc:
name of this expression type
type (u32)¶
- enum:
- byte-order:
big-endian
- doc:
stateful object type
data (sub-message)¶
- sub-message:
- selector:
type
- doc:
stateful object data
use (u32)¶
- byte-order:
big-endian
- doc:
number of references to this expression
handle (u64)¶
- byte-order:
big-endian
- doc:
object handle
pad (pad)¶
userdata (binary)¶
- doc:
user data
quota-attrs¶
bytes (u64)¶
- byte-order:
big-endian
flags (u32)¶
- byte-order:
big-endian
- enum:
pad (pad)¶
consumed (u64)¶
- byte-order:
big-endian
flowtable-attrs¶
table (string)¶
name (string)¶
hook (nest)¶
- nested-attributes:
use (u32)¶
- byte-order:
big-endian
handle (u64)¶
- byte-order:
big-endian
pad (pad)¶
flags (u32)¶
- byte-order:
big-endian
flowtable-hook-attrs¶
num (u32)¶
- byte-order:
big-endian
priority (u32)¶
- byte-order:
big-endian
devs (nest)¶
- nested-attributes:
expr-bitwise-attrs¶
sreg (u32)¶
- byte-order:
big-endian
dreg (u32)¶
- byte-order:
big-endian
len (u32)¶
- byte-order:
big-endian
mask (nest)¶
- nested-attributes:
xor (nest)¶
- nested-attributes:
op (u32)¶
- byte-order:
big-endian
- enum:
data (nest)¶
- nested-attributes:
expr-cmp-attrs¶
sreg (u32)¶
- byte-order:
big-endian
op (u32)¶
- byte-order:
big-endian
- enum:
data (nest)¶
- nested-attributes:
data-attrs¶
value (binary)¶
verdict (nest)¶
- nested-attributes:
verdict-attrs¶
code (u32)¶
- byte-order:
big-endian
- enum:
chain (string)¶
chain-id (u32)¶
expr-counter-attrs¶
bytes (u64)¶
- doc:
Number of bytes
packets (u64)¶
- doc:
Number of packets
pad (pad)¶
expr-fib-attrs¶
dreg (u32)¶
- byte-order:
big-endian
result (u32)¶
- byte-order:
big-endian
- enum:
flags (u32)¶
- byte-order:
big-endian
- enum:
expr-ct-attrs¶
dreg (u32)¶
- byte-order:
big-endian
key (u32)¶
- byte-order:
big-endian
- enum:
direction (u8)¶
- enum:
sreg (u32)¶
- byte-order:
big-endian
expr-flow-offload-attrs¶
name (string)¶
- doc:
Flow offload table name
expr-immediate-attrs¶
dreg (u32)¶
- byte-order:
big-endian
data (nest)¶
- nested-attributes:
expr-lookup-attrs¶
set (string)¶
- doc:
Name of set to use
set id (u32)¶
- byte-order:
big-endian
- doc:
ID of set to use
sreg (u32)¶
- byte-order:
big-endian
dreg (u32)¶
- byte-order:
big-endian
flags (u32)¶
- byte-order:
big-endian
- enum:
expr-meta-attrs¶
dreg (u32)¶
- byte-order:
big-endian
key (u32)¶
- byte-order:
big-endian
- enum:
sreg (u32)¶
- byte-order:
big-endian
expr-nat-attrs¶
type (u32)¶
- byte-order:
big-endian
family (u32)¶
- byte-order:
big-endian
reg-addr-min (u32)¶
- byte-order:
big-endian
reg-addr-max (u32)¶
- byte-order:
big-endian
reg-proto-min (u32)¶
- byte-order:
big-endian
reg-proto-max (u32)¶
- byte-order:
big-endian
flags (u32)¶
- byte-order:
big-endian
- enum:
- enum-as-flags:
True
expr-payload-attrs¶
dreg (u32)¶
- byte-order:
big-endian
base (u32)¶
- byte-order:
big-endian
offset (u32)¶
- byte-order:
big-endian
len (u32)¶
- byte-order:
big-endian
sreg (u32)¶
- byte-order:
big-endian
csum-type (u32)¶
- byte-order:
big-endian
csum-offset (u32)¶
- byte-order:
big-endian
csum-flags (u32)¶
- byte-order:
big-endian
expr-reject-attrs¶
type (u32)¶
- byte-order:
big-endian
- enum:
icmp-code (u8)¶
expr-target-attrs¶
name (string)¶
rev (u32)¶
- byte-order:
big-endian
info (binary)¶
expr-tproxy-attrs¶
family (u32)¶
- byte-order:
big-endian
reg-addr (u32)¶
- byte-order:
big-endian
reg-port (u32)¶
- byte-order:
big-endian
expr-objref-attrs¶
imm-type (u32)¶
- byte-order:
big-endian
imm-name (string)¶
- doc:
object name
set-sreg (u32)¶
- byte-order:
big-endian
set-name (string)¶
- doc:
name of object map
set-id (u32)¶
- byte-order:
big-endian
- doc:
id of object map
Sub-messages¶
expr-ops¶
- bitwise
- attribute-set:
- cmp
- attribute-set:
- counter
- attribute-set:
- ct
- attribute-set:
- fib
- attribute-set:
- flow_offload
- attribute-set:
- immediate
- attribute-set:
- lookup
- attribute-set:
- meta
- attribute-set:
- nat
- attribute-set:
- objref
- attribute-set:
- payload
- attribute-set:
- quota
- attribute-set:
- reject
- attribute-set:
- target
- attribute-set:
- tproxy
- attribute-set:
obj-data¶
- counter
- attribute-set:
- quota
- attribute-set: