Google Git
Sign in
zircon-guest/third_party/linux/refs/heads/master/./Documentation/netlink/specs/nftables.yaml
blob: 21edf3d25f34bcff1a7ad993177125aee14a792a [file] [edit]
# SPDX-License-Identifier: ((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause)
---
name: nftables
protocol: netlink-raw
protonum: 12
doc: >-
Netfilter nftables configuration over netlink.
definitions:
-
name: nfgenmsg
type: struct
members:
-
name: nfgen-family
type: u8
-
name: version
type: u8
-
name: res-id
byte-order: big-endian
type: u16
-
name: meta-keys
type: enum
entries:
- len
- protocol
- priority
- mark
- iif
- oif
- iifname
- oifname
- iftype
- oiftype
- skuid
- skgid
- nftrace
- rtclassid
- secmark
- nfproto
- l4-proto
- bri-iifname
- bri-oifname
- pkttype
- cpu
- iifgroup
- oifgroup
- cgroup
- prandom
- secpath
- iifkind
- oifkind
- bri-iifpvid
- bri-iifvproto
- time-ns
- time-day
- time-hour
- sdif
- sdifname
- bri-broute
-
name: bitwise-ops
type: enum
entries:
-
name: mask-xor # aka bool (old name)
doc: >-
mask-and-xor operation used to implement NOT, AND, OR and XOR boolean
operations
-
name: lshift
-
name: rshift
-
name: and
-
name: or
-
name: xor
-
name: cmp-ops
type: enum
entries:
- eq
- neq
- lt
- lte
- gt
- gte
-
name: object-type
type: enum
entries:
- unspec
- counter
- quota
- ct-helper
- limit
- connlimit
- tunnel
- ct-timeout
- secmark
- ct-expect
- synproxy
-
name: nat-range-flags
type: flags
entries:
- map-ips
- proto-specified
- proto-random
- persistent
- proto-random-fully
- proto-offset
- netmap
-
name: table-flags
type: flags
entries:
- dormant
- owner
- persist
-
name: chain-flags
type: flags
entries:
- base
- hw-offload
- binding
-
name: set-flags
type: flags
entries:
- anonymous
- constant
- interval
- map
- timeout
- eval
- object
- concat
- expr
-
name: set-elem-flags
type: flags
entries:
- interval-end
- catchall
-
name: lookup-flags
type: flags
entries:
- invert
-
name: ct-keys
type: enum
entries:
- state
- direction
- status
- mark
- secmark
- expiration
- helper
- l3protocol
- src
- dst
- protocol
- proto-src
- proto-dst
- labels
- pkts
- bytes
- avgpkt
- zone
- eventmask
- src-ip
- dst-ip
- src-ip6
- dst-ip6
- ct-id
-
name: ct-direction
type: enum
entries:
- original
- reply
-
name: quota-flags
type: flags
entries:
- invert
- depleted
-
name: verdict-code
type: enum
entries:
- name: continue
value: 0xffffffff
- name: break
value: 0xfffffffe
- name: jump
value: 0xfffffffd
- name: goto
value: 0xfffffffc
- name: return
value: 0xfffffffb
- name: drop
value: 0
- name: accept
value: 1
- name: stolen
value: 2
- name: queue
value: 3
- name: repeat
value: 4
-
name: fib-result
type: enum
entries:
- oif
- oifname
- addrtype
-
name: fib-flags
type: flags
entries:
- saddr
- daddr
- mark
- iif
- oif
- present
-
name: reject-types
type: enum
entries:
- icmp-unreach
- tcp-rst
- icmpx-unreach
-
name: reject-inet-code
doc: These codes are mapped to real ICMP and ICMPv6 codes.
type: enum
entries:
- icmpx-no-route
- icmpx-port-unreach
- icmpx-host-unreach
- icmpx-admin-prohibited
-
name: payload-base
type: enum
entries:
- link-layer-header
- network-header
- transport-header
- inner-header
- tun-header
-
name: range-ops
doc: Range operator
type: enum
entries:
- eq
- neq
-
name: registers
doc: |
nf_tables registers.
nf_tables used to have five registers: a verdict register and four data
registers of size 16. The data registers have been changed to 16 registers
of size 4. For compatibility reasons, the NFT_REG_[1-4] registers still
map to areas of size 16, the 4 byte registers are addressed using
NFT_REG32_00 - NFT_REG32_15.
type: enum
entries:
-
name: reg-verdict
-
name: reg-1
-
name: reg-2
-
name: reg-3
-
name: reg-4
-
name: reg32-00
value: 8
-
name: reg32-01
-
name: reg32-02
-
name: reg32-03
-
name: reg32-04
-
name: reg32-05
-
name: reg32-06
-
name: reg32-07
-
name: reg32-08
-
name: reg32-09
-
name: reg32-10
-
name: reg32-11
-
name: reg32-12
-
name: reg32-13
-
name: reg32-14
-
name: reg32-15
-
name: numgen-types
type: enum
entries:
- incremental
- random
-
name: log-level
doc: nf_tables log levels
type: enum
entries:
-
name: emerg
doc: system is unusable
-
name: alert
doc: action must be taken immediately
-
name: crit
doc: critical conditions
-
name: err
doc: error conditions
-
name: warning
doc: warning conditions
-
name: notice
doc: normal but significant condition
-
name: info
doc: informational
-
name: debug
doc: debug-level messages
-
name: audit
doc: enabling audit logging
-
name: log-flags
doc: nf_tables log flags
header: linux/netfilter/nf_log.h
type: flags
entries:
-
name: tcpseq
doc: Log TCP sequence numbers
-
name: tcpopt
doc: Log TCP options
-
name: ipopt
doc: Log IP options
-
name: uid
doc: Log UID owning local socket
-
name: nflog
doc: Unsupported, don't reuse
-
name: macdecode
doc: Decode MAC header
attribute-sets:
-
name: log-attrs
doc: log expression netlink attributes
attributes:
# Mentioned in nft_log_init()
-
name: group
doc: netlink group to send messages to
type: u16
byte-order: big-endian
-
name: prefix
doc: prefix to prepend to log messages
type: string
-
name: snaplen
doc: length of payload to include in netlink message
type: u32
byte-order: big-endian
-
name: qthreshold
doc: queue threshold
type: u16
byte-order: big-endian
-
name: level
doc: log level
type: u32
enum: log-level
byte-order: big-endian
-
name: flags
doc: logging flags
type: u32
enum: log-flags
byte-order: big-endian
-
name: numgen-attrs
doc: nf_tables number generator expression netlink attributes
attributes:
-
name: dreg
doc: destination register
type: u32
enum: registers
-
name: modulus
doc: maximum counter value
type: u32
byte-order: big-endian
-
name: type
doc: operation type
type: u32
byte-order: big-endian
enum: numgen-types
-
name: offset
doc: offset to be added to the counter
type: u32
byte-order: big-endian
-
name: range-attrs
attributes:
# Mentioned in net/netfilter/nft_range.c
-
name: sreg
doc: source register of data to compare
type: u32
byte-order: big-endian
enum: registers
-
name: op
doc: cmp operation
type: u32
byte-order: big-endian
enum: range-ops
checks:
max: 255
-
name: from-data
doc: data range from
type: nest
nested-attributes: data-attrs
-
name: to-data
doc: data range to
type: nest
nested-attributes: data-attrs
-
name: batch-attrs
attributes:
-
name: genid
doc: generation ID for this changeset
type: u32
byte-order: big-endian
-
name: table-attrs
attributes:
-
name: name
type: string
doc: name of the table
-
name: flags
type: u32
byte-order: big-endian
doc: bitmask of flags
enum: table-flags
enum-as-flags: true
-
name: use
type: u32
byte-order: big-endian
doc: number of chains in this table
-
name: handle
type: u64
byte-order: big-endian
doc: numeric handle of the table
-
name: pad
type: pad
-
name: userdata
type: binary
doc: user data
-
name: owner
type: u32
byte-order: big-endian
doc: owner of this table through netlink portID
-
name: chain-attrs
attributes:
-
name: table
type: string
doc: name of the table containing the chain
-
name: handle
type: u64
byte-order: big-endian
doc: numeric handle of the chain
-
name: name
type: string
doc: name of the chain
-
name: hook
type: nest
nested-attributes: nft-hook-attrs
doc: hook specification for basechains
-
name: policy
type: u32
byte-order: big-endian
doc: numeric policy of the chain
-
name: use
type: u32
byte-order: big-endian
doc: number of references to this chain
-
name: type
type: string
doc: type name of the chain
-
name: counters
type: nest
nested-attributes: nft-counter-attrs
doc: counter specification of the chain
-
name: flags
type: u32
byte-order: big-endian
doc: chain flags
enum: chain-flags
enum-as-flags: true
-
name: id
type: u32
byte-order: big-endian
doc: uniquely identifies a chain in a transaction
-
name: userdata
type: binary
doc: user data
-
name: counter-attrs
attributes:
-
name: bytes
type: u64
byte-order: big-endian
-
name: packets
type: u64
byte-order: big-endian
-
name: pad
type: pad
-
name: nft-hook-attrs
attributes:
-
name: num
type: u32
byte-order: big-endian
-
name: priority
type: s32
byte-order: big-endian
-
name: dev
type: string
doc: net device name
-
name: devs
type: nest
nested-attributes: hook-dev-attrs
doc: list of net devices
-
name: hook-dev-attrs
attributes:
-
name: name
type: string
multi-attr: true
-
name: nft-counter-attrs
attributes:
-
name: bytes
type: u64
byte-order: big-endian
-
name: packets
type: u64
byte-order: big-endian
-
name: rule-attrs
attributes:
-
name: table
type: string
doc: name of the table containing the rule
-
name: chain
type: string
doc: name of the chain containing the rule
-
name: handle
type: u64
byte-order: big-endian
doc: numeric handle of the rule
-
name: expressions
type: nest
nested-attributes: expr-list-attrs
doc: list of expressions
-
name: compat
type: nest
nested-attributes: rule-compat-attrs
doc: compatibility specifications of the rule
-
name: position
type: u64
byte-order: big-endian
doc: numeric handle of the previous rule
-
name: userdata
type: binary
doc: user data
-
name: id
type: u32
doc: uniquely identifies a rule in a transaction
-
name: position-id
type: u32
doc: transaction unique identifier of the previous rule
-
name: chain-id
type: u32
doc: add the rule to chain by ID, alternative to chain name
-
name: expr-list-attrs
attributes:
-
name: elem
type: nest
nested-attributes: expr-attrs
multi-attr: true
-
name: expr-attrs
attributes:
-
name: name
type: string
doc: name of the expression type
-
name: data
type: sub-message
sub-message: expr-ops
selector: name
doc: type specific data
-
# Mentioned in nft_parse_compat() in net/netfilter/nft_compat.c
name: rule-compat-attrs
attributes:
-
name: proto
type: u32
byte-order: big-endian
doc: numeric value of the handled protocol
-
name: flags
type: u32
byte-order: big-endian
doc: bitmask of flags
-
name: set-attrs
attributes:
-
name: table
type: string
doc: table name
-
name: name
type: string
doc: set name
-
name: flags
type: u32
enum: set-flags
byte-order: big-endian
doc: bitmask of enum nft_set_flags
-
name: key-type
type: u32
byte-order: big-endian
doc: key data type, informational purpose only
-
name: key-len
type: u32
byte-order: big-endian
doc: key data length
-
name: data-type
type: u32
byte-order: big-endian
doc: mapping data type
-
name: data-len
type: u32
byte-order: big-endian
doc: mapping data length
-
name: policy
type: u32
byte-order: big-endian
doc: selection policy
-
name: desc
type: nest
nested-attributes: set-desc-attrs
doc: set description
-
name: id
type: u32
doc: uniquely identifies a set in a transaction
-
name: timeout
type: u64
doc: default timeout value
-
name: gc-interval
type: u32
doc: garbage collection interval
-
name: userdata
type: binary
doc: user data
-
name: pad
type: pad
-
name: obj-type
type: u32
byte-order: big-endian
doc: stateful object type
-
name: handle
type: u64
byte-order: big-endian
doc: set handle
-
name: expr
type: nest
nested-attributes: expr-attrs
doc: set expression
multi-attr: true
-
name: expressions
type: nest
nested-attributes: set-list-attrs
doc: list of expressions
-
name: type
type: string
doc: set backend type
-
name: count
type: u32
byte-order: big-endian
doc: number of set elements
-
name: set-desc-attrs
attributes:
-
name: size
type: u32
byte-order: big-endian
doc: number of elements in set
-
name: concat
type: nest
nested-attributes: set-desc-concat-attrs
doc: description of field concatenation
multi-attr: true
-
name: set-desc-concat-attrs
attributes:
-
name: elem
type: nest
nested-attributes: set-field-attrs
-
name: set-field-attrs
attributes:
-
name: len
type: u32
byte-order: big-endian
-
name: set-list-attrs
attributes:
-
name: elem
type: nest
nested-attributes: expr-attrs
multi-attr: true
-
name: setelem-attrs
attributes:
-
name: key
type: nest
nested-attributes: data-attrs
doc: key value
-
name: data
type: nest
nested-attributes: data-attrs
doc: data value of mapping
-
name: flags
type: binary
doc: bitmask of nft_set_elem_flags
-
name: timeout
type: u64
doc: timeout value
-
name: expiration
type: u64
doc: expiration time
-
name: userdata
type: binary
doc: user data
-
name: expr
type: nest
nested-attributes: expr-attrs
doc: expression
-
name: objref
type: string
doc: stateful object reference
-
name: key-end
type: nest
nested-attributes: data-attrs
doc: closing key value
-
name: expressions
type: nest
nested-attributes: expr-list-attrs
doc: list of expressions
-
name: setelem-list-elem-attrs
attributes:
-
name: elem
type: nest
nested-attributes: setelem-attrs
multi-attr: true
-
name: setelem-list-attrs
attributes:
-
name: table
type: string
-
name: set
type: string
-
name: elements
type: nest
nested-attributes: setelem-list-elem-attrs
-
name: set-id
type: u32
-
name: gen-attrs
attributes:
-
name: id
type: u32
byte-order: big-endian
doc: ruleset generation id
-
name: proc-pid
type: u32
byte-order: big-endian
-
name: proc-name
type: string
-
name: obj-attrs
attributes:
-
name: table
type: string
doc: name of the table containing the expression
-
name: name
type: string
doc: name of this expression type
-
name: type
type: u32
enum: object-type
byte-order: big-endian
doc: stateful object type
-
name: data
type: sub-message
sub-message: obj-data
selector: type
doc: stateful object data
-
name: use
type: u32
byte-order: big-endian
doc: number of references to this expression
-
name: handle
type: u64
byte-order: big-endian
doc: object handle
-
name: pad
type: pad
-
name: userdata
type: binary
doc: user data
-
name: quota-attrs
attributes:
-
name: bytes
type: u64
byte-order: big-endian
-
name: flags
type: u32
byte-order: big-endian
enum: quota-flags
-
name: pad
type: pad
-
name: consumed
type: u64
byte-order: big-endian
-
name: flowtable-attrs
attributes:
-
name: table
type: string
-
name: name
type: string
-
name: hook
type: nest
nested-attributes: flowtable-hook-attrs
-
name: use
type: u32
byte-order: big-endian
-
name: handle
type: u64
byte-order: big-endian
-
name: pad
type: pad
-
name: flags
type: u32
byte-order: big-endian
-
name: flowtable-hook-attrs
attributes:
-
name: num
type: u32
byte-order: big-endian
-
name: priority
type: u32
byte-order: big-endian
-
name: devs
type: nest
nested-attributes: hook-dev-attrs
-
name: expr-bitwise-attrs
doc: |
The bitwise expression supports boolean and shift operations. It
implements the boolean operations by performing the following
operation::
dreg = (sreg & mask) ^ xor
with these mask and xor values:
op mask xor
---- ---- ---
NOT: 1 1
OR: ~x x
XOR: 1 x
AND: x 0
attributes:
-
name: sreg
type: u32
byte-order: big-endian
-
name: dreg
type: u32
byte-order: big-endian
-
name: len
type: u32
byte-order: big-endian
-
name: mask
type: nest
nested-attributes: data-attrs
-
name: xor
type: nest
nested-attributes: data-attrs
-
name: op
type: u32
byte-order: big-endian
enum: bitwise-ops
checks:
max: 255
-
name: data
type: nest
nested-attributes: data-attrs
-
name: expr-cmp-attrs
attributes:
-
name: sreg
type: u32
byte-order: big-endian
-
name: op
type: u32
byte-order: big-endian
enum: cmp-ops
-
name: data
type: nest
nested-attributes: data-attrs
-
name: data-attrs
attributes:
-
name: value
type: binary
# sub-type: u8
-
name: verdict
type: nest
nested-attributes: verdict-attrs
-
name: verdict-attrs
attributes:
-
name: code
doc: nf_tables verdict
type: u32
byte-order: big-endian
enum: verdict-code
-
name: chain
doc: jump target chain name
type: string
-
name: chain-id
doc: jump target chain ID
type: u32
byte-order: big-endian
-
name: expr-counter-attrs
attributes:
-
name: bytes
type: u64
byte-order: big-endian
doc: Number of bytes
-
name: packets
type: u64
byte-order: big-endian
doc: Number of packets
-
name: pad
type: pad
-
name: expr-fib-attrs
attributes:
-
name: dreg
type: u32
byte-order: big-endian
-
name: result
type: u32
byte-order: big-endian
enum: fib-result
-
name: flags
type: u32
byte-order: big-endian
enum: fib-flags
-
name: expr-ct-attrs
attributes:
-
name: dreg
type: u32
byte-order: big-endian
-
name: key
type: u32
byte-order: big-endian
enum: ct-keys
-
name: direction
type: u8
enum: ct-direction
-
name: sreg
type: u32
byte-order: big-endian
-
name: expr-flow-offload-attrs
attributes:
-
name: name
type: string
doc: Flow offload table name
-
name: expr-immediate-attrs
attributes:
-
name: dreg
type: u32
byte-order: big-endian
-
name: data
type: nest
nested-attributes: data-attrs
-
name: expr-lookup-attrs
attributes:
-
name: set
type: string
doc: Name of set to use
-
name: set-id
type: u32
byte-order: big-endian
doc: ID of set to use
-
name: sreg
type: u32
byte-order: big-endian
-
name: dreg
type: u32
byte-order: big-endian
-
name: flags
type: u32
byte-order: big-endian
enum: lookup-flags
-
name: expr-masq-attrs
attributes:
-
name: flags
type: u32
byte-order: big-endian
enum: nat-range-flags
enum-as-flags: true
-
name: reg-proto-min
type: u32
byte-order: big-endian
enum: registers
-
name: reg-proto-max
type: u32
byte-order: big-endian
enum: registers
-
name: expr-meta-attrs
attributes:
-
name: dreg
type: u32
byte-order: big-endian
-
name: key
type: u32
byte-order: big-endian
enum: meta-keys
-
name: sreg
type: u32
byte-order: big-endian
-
name: expr-nat-attrs
attributes:
-
name: type
type: u32
byte-order: big-endian
-
name: family
type: u32
byte-order: big-endian
-
name: reg-addr-min
type: u32
byte-order: big-endian
-
name: reg-addr-max
type: u32
byte-order: big-endian
-
name: reg-proto-min
type: u32
byte-order: big-endian
-
name: reg-proto-max
type: u32
byte-order: big-endian
-
name: flags
type: u32
byte-order: big-endian
enum: nat-range-flags
enum-as-flags: true
-
name: expr-payload-attrs
doc: nf_tables payload expression netlink attributes
attributes:
-
name: dreg
doc: destination register to load data into
type: u32
byte-order: big-endian
enum: registers
-
name: base
doc: payload base
type: u32
enum: payload-base
byte-order: big-endian
-
name: offset
doc: payload offset relative to base
type: u32
byte-order: big-endian
-
name: len
doc: payload length
type: u32
byte-order: big-endian
-
name: sreg
doc: source register to load data from
type: u32
byte-order: big-endian
enum: registers
-
name: csum-type
doc: checksum type
type: u32
byte-order: big-endian
-
name: csum-offset
doc: checksum offset relative to base
type: u32
byte-order: big-endian
-
name: csum-flags
doc: checksum flags
type: u32
byte-order: big-endian
-
name: expr-reject-attrs
attributes:
-
name: type
type: u32
byte-order: big-endian
enum: reject-types
-
name: icmp-code
type: u8
-
name: expr-target-attrs
attributes:
-
name: name
type: string
-
name: rev
type: u32
byte-order: big-endian
-
name: info
type: binary
-
name: expr-tproxy-attrs
attributes:
-
name: family
type: u32
byte-order: big-endian
-
name: reg-addr
type: u32
byte-order: big-endian
-
name: reg-port
type: u32
byte-order: big-endian
-
name: expr-objref-attrs
attributes:
-
name: imm-type
type: u32
byte-order: big-endian
-
name: imm-name
type: string
doc: object name
-
name: set-sreg
type: u32
byte-order: big-endian
-
name: set-name
type: string
doc: name of object map
-
name: set-id
type: u32
byte-order: big-endian
doc: id of object map
-
name: compat-target-attrs
header: linux/netfilter/nf_tables_compat.h
attributes:
-
name: name
type: string
checks:
max-len: 32
-
name: rev
type: u32
byte-order: big-endian
checks:
max: 255
-
name: info
type: binary
-
name: compat-match-attrs
header: linux/netfilter/nf_tables_compat.h
attributes:
-
name: name
type: string
checks:
max-len: 32
-
name: rev
type: u32
byte-order: big-endian
checks:
max: 255
-
name: info
type: binary
-
name: compat-attrs
header: linux/netfilter/nf_tables_compat.h
attributes:
-
name: name
type: string
checks:
max-len: 32
-
name: rev
type: u32
byte-order: big-endian
checks:
max: 255
-
name: type
type: u32
byte-order: big-endian
sub-messages:
-
name: expr-ops
formats:
-
value: bitwise
attribute-set: expr-bitwise-attrs
-
value: cmp
attribute-set: expr-cmp-attrs
-
value: counter
attribute-set: expr-counter-attrs
-
value: ct
attribute-set: expr-ct-attrs
-
value: fib
attribute-set: expr-fib-attrs
-
value: flow_offload
attribute-set: expr-flow-offload-attrs
-
value: immediate
attribute-set: expr-immediate-attrs
-
value: log
attribute-set: log-attrs
-
value: lookup
attribute-set: expr-lookup-attrs
-
value: match
attribute-set: compat-match-attrs
-
value: meta
attribute-set: expr-meta-attrs
-
value: nat
attribute-set: expr-nat-attrs
-
value: numgen
attribute-set: numgen-attrs
-
value: objref
attribute-set: expr-objref-attrs
-
value: payload
attribute-set: expr-payload-attrs
-
value: quota
attribute-set: quota-attrs
-
value: range
attribute-set: range-attrs
-
value: reject
attribute-set: expr-reject-attrs
-
value: target
attribute-set: expr-target-attrs
-
value: tproxy
attribute-set: expr-tproxy-attrs
# There're more sub-messages to go:
# grep -A10 nft_expr_type
# and look for .name\s*=\s*"..."
-
name: obj-data
formats:
-
value: counter
attribute-set: counter-attrs
-
value: quota
attribute-set: quota-attrs
operations:
enum-model: directional
list:
-
name: batch-begin
doc: Start a batch of operations
attribute-set: batch-attrs
fixed-header: nfgenmsg
do:
request:
value: 0x10
attributes:
- genid
reply:
value: 0x10
attributes:
- genid
-
name: batch-end
doc: Finish a batch of operations
attribute-set: batch-attrs
fixed-header: nfgenmsg
do:
request:
value: 0x11
attributes:
- genid
-
name: newtable
doc: Create a new table.
attribute-set: table-attrs
fixed-header: nfgenmsg
do:
request:
value: 0xa00
attributes:
# Mentioned in nf_tables_newtable()
- name
- flags
- userdata
-
name: gettable
doc: Get / dump tables.
attribute-set: table-attrs
fixed-header: nfgenmsg
do:
request:
value: 0xa01
attributes:
# Mentioned in nf_tables_gettable()
- name
reply:
value: 0xa00
attributes: &get-table
# Mentioned in nf_tables_fill_table_info()
- name
- use
- handle
- flags
- owner
- userdata
dump:
reply:
attributes: *get-table
-
name: deltable
doc: Delete an existing table.
attribute-set: table-attrs
fixed-header: nfgenmsg
do:
request:
value: 0xa02
attributes: &del-table
# Mentioned in nf_tables_deltable()
- name
- handle
-
name: destroytable
doc: |
Delete an existing table with destroy semantics (ignoring ENOENT
errors).
attribute-set: table-attrs
fixed-header: nfgenmsg
do:
request:
value: 0xa1a
attributes: *del-table
-
name: newchain
doc: Create a new chain.
attribute-set: chain-attrs
fixed-header: nfgenmsg
do:
request:
value: 0xa03
attributes:
# Mentioned in nf_tables_newchain()
- table
- handle
- policy
- flags
# Mentioned in nf_tables_updchain()
- hook
- name
- counters
# Mentioned in nf_tables_addchain()
- userdata
# Mentioned in nft_chain_parse_hook()
- type
-
name: getchain
doc: Get / dump chains.
attribute-set: chain-attrs
fixed-header: nfgenmsg
do:
request:
value: 0xa04
attributes:
# Mentioned in nf_tables_getchain()
- table
- name
reply:
value: 0xa03
attributes: &get-chain
# Mentioned in nf_tables_fill_chain_info()
- table
- name
- handle
- hook
- policy
- type
- flags
- counters
- id
- use
- userdata
dump:
reply:
attributes: *get-chain
-
name: delchain
doc: Delete an existing chain.
attribute-set: chain-attrs
fixed-header: nfgenmsg
do:
request:
value: 0xa05
attributes: &del-chain
# Mentioned in nf_tables_delchain()
- table
- handle
- name
- hook
-
name: destroychain
doc: |
Delete an existing chain with destroy semantics (ignoring ENOENT
errors).
attribute-set: chain-attrs
fixed-header: nfgenmsg
do:
request:
value: 0xa1b
attributes: *del-chain
-
name: newrule
doc: Create a new rule.
attribute-set: rule-attrs
fixed-header: nfgenmsg
do:
request:
value: 0xa06
attributes:
# Mentioned in nf_tables_newrule()
- table
- chain
- chain-id
- handle
- position
- position-id
- expressions
- userdata
- compat
-
name: getrule
doc: Get / dump rules.
attribute-set: rule-attrs
fixed-header: nfgenmsg
do:
request:
value: 0xa07
attributes: &get-rule-request
# Mentioned in nf_tables_getrule_single()
- table
- chain
- handle
reply:
value: 0xa06
attributes: &get-rule
# Mentioned in nf_tables_fill_rule_info()
- table
- chain
- handle
- position
- expressions
- userdata
dump:
request:
attributes:
# Mentioned in nf_tables_dump_rules_start()
- table
- chain
reply:
attributes: *get-rule
-
name: getrule-reset
doc: Get / dump rules and reset stateful expressions.
attribute-set: rule-attrs
fixed-header: nfgenmsg
do:
request:
value: 0xa19
attributes: *get-rule-request
reply:
value: 0xa06
attributes: *get-rule
dump:
request:
attributes: *get-rule-request
reply:
attributes: *get-rule
-
name: delrule
doc: Delete an existing rule.
attribute-set: rule-attrs
fixed-header: nfgenmsg
do:
request:
value: 0xa08
attributes: &del-rule
- table
- chain
- handle
- id
-
name: destroyrule
doc: |
Delete an existing rule with destroy semantics (ignoring ENOENT errors).
attribute-set: rule-attrs
fixed-header: nfgenmsg
do:
request:
value: 0xa1c
attributes: *del-rule
-
name: newset
doc: Create a new set.
attribute-set: set-attrs
fixed-header: nfgenmsg
do:
request:
value: 0xa09
attributes:
# Mentioned in nf_tables_newset()
- table
- name
- key-len
- id
- key-type
- flags
- data-type
- data-len
- obj-type
- timeout
- gc-interval
- policy
- desc
- userdata
-
name: getset
doc: Get / dump sets.
attribute-set: set-attrs
fixed-header: nfgenmsg
do:
request:
value: 0xa0a
attributes:
# Mentioned in nf_tables_getset()
- table
- name
reply:
value: 0xa09
attributes: &get-set
# Mentioned in nf_tables_fill_set()
- table
- name
- handle
- flags
- key-len
- key-type
- data-type
- data-len
- obj-type
- gc-interval
- policy
- userdata
- desc
- expr
- expressions
dump:
request:
attributes:
# Mentioned in nf_tables_getset()
- table
reply:
attributes: *get-set
-
name: delset
doc: Delete an existing set.
attribute-set: set-attrs
fixed-header: nfgenmsg
do:
request:
value: 0xa0b
attributes: &del-set
# Mentioned in nf_tables_delset()
- table
- handle
- name
-
name: destroyset
doc: |
Delete an existing set with destroy semantics (ignoring ENOENT errors).
attribute-set: set-attrs
fixed-header: nfgenmsg
do:
request:
value: 0xa1d
attributes: *del-set
-
name: newsetelem
doc: Create a new set element.
attribute-set: setelem-list-attrs
fixed-header: nfgenmsg
do:
request:
value: 0xa0c
attributes:
# Mentioned in nf_tables_newsetelem()
- table
- set
- set-id
- elements
-
name: getsetelem
doc: Get / dump set elements.
attribute-set: setelem-list-attrs
fixed-header: nfgenmsg
do:
request:
value: 0xa0d
attributes:
# Mentioned in nf_tables_getsetelem()
- table
- set
- elements
reply:
value: 0xa0c
attributes:
# Mentioned in nf_tables_fill_setelem_info()
- elements
dump:
request:
attributes: &dump-set-request
# Mentioned in nft_set_dump_ctx_init()
- table
- set
reply:
attributes: &dump-set
# Mentioned in nf_tables_dump_set()
- table
- set
- elements
-
name: getsetelem-reset
doc: Get / dump set elements and reset stateful expressions.
attribute-set: setelem-list-attrs
fixed-header: nfgenmsg
do:
request:
value: 0xa21
attributes:
# Mentioned in nf_tables_getsetelem_reset()
- elements
reply:
value: 0xa0c
attributes:
# Mentioned in nf_tables_dumpreset_set()
- table
- set
- elements
dump:
request:
attributes: *dump-set-request
reply:
attributes: *dump-set
-
name: delsetelem
doc: Delete an existing set element.
attribute-set: setelem-list-attrs
fixed-header: nfgenmsg
do:
request:
value: 0xa0e
attributes: &del-setelem
# Mentioned in nf_tables_delsetelem()
- table
- set
- elements
-
name: destroysetelem
doc: Delete an existing set element with destroy semantics.
attribute-set: setelem-list-attrs
fixed-header: nfgenmsg
do:
request:
value: 0xa1e
attributes: *del-setelem
-
name: getgen
doc: Get / dump rule-set generation.
attribute-set: gen-attrs
fixed-header: nfgenmsg
do:
request:
value: 0xa10
reply:
value: 0xa0f
attributes: &get-gen
# Mentioned in nf_tables_fill_gen_info()
- id
- proc-pid
- proc-name
dump:
reply:
attributes: *get-gen
-
name: newobj
doc: Create a new stateful object.
attribute-set: obj-attrs
fixed-header: nfgenmsg
do:
request:
value: 0xa12
attributes:
# Mentioned in nf_tables_newobj()
- type
- name
- data
- table
- userdata
-
name: getobj
doc: Get / dump stateful objects.
attribute-set: obj-attrs
fixed-header: nfgenmsg
do:
request:
value: 0xa13
attributes:
# Mentioned in nf_tables_getobj_single()
- name
- type
- table
reply:
value: 0xa12
attributes: &obj-info
# Mentioned in nf_tables_fill_obj_info()
- table
- name
- type
- handle
- use
- data
- userdata
dump:
request:
attributes:
# Mentioned in nf_tables_dump_obj_start()
- table
- type
reply:
attributes: *obj-info
-
name: delobj
doc: Delete an existing stateful object.
attribute-set: obj-attrs
fixed-header: nfgenmsg
do:
request:
value: 0xa14
attributes:
# Mentioned in nf_tables_delobj()
- table
- name
- type
- handle
-
name: destroyobj
doc: Delete an existing stateful object with destroy semantics.
attribute-set: obj-attrs
fixed-header: nfgenmsg
do:
request:
value: 0xa1f
attributes:
# Mentioned in nf_tables_delobj()
- table
- name
- type
- handle
-
name: newflowtable
doc: Create a new flow table.
attribute-set: flowtable-attrs
fixed-header: nfgenmsg
do:
request:
value: 0xa16
attributes:
# Mentioned in nf_tables_newflowtable()
- table
- name
- hook
- flags
-
name: getflowtable
doc: Get / dump flow tables.
attribute-set: flowtable-attrs
fixed-header: nfgenmsg
do:
request:
value: 0xa17
attributes:
# Mentioned in nf_tables_getflowtable()
- name
- table
reply:
value: 0xa16
attributes: &flowtable-info
# Mentioned in nf_tables_fill_flowtable_info()
- table
- name
- handle
- use
- flags
- hook
dump:
reply:
attributes: *flowtable-info
-
name: delflowtable
doc: Delete an existing flow table.
attribute-set: flowtable-attrs
fixed-header: nfgenmsg
do:
request:
value: 0xa18
attributes: &del-flowtable
# Mentioned in nf_tables_delflowtable()
- table
- name
- handle
- hook
-
name: destroyflowtable
doc: Delete an existing flow table with destroy semantics.
attribute-set: flowtable-attrs
fixed-header: nfgenmsg
do:
request:
value: 0xa20
attributes: *del-flowtable
mcast-groups:
list:
-
name: mgmt