1# SPDX-License-Identifier: ((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause) 2--- 3name: nftables 4protocol: netlink-raw 5protonum: 12 6 7doc: >- 8 Netfilter nftables configuration over netlink. 9 10definitions: 11 - 12 name: nfgenmsg 13 type: struct 14 members: 15 - 16 name: nfgen-family 17 type: u8 18 - 19 name: version 20 type: u8 21 - 22 name: res-id 23 byte-order: big-endian 24 type: u16 25 - 26 name: meta-keys 27 type: enum 28 entries: 29 - len 30 - protocol 31 - priority 32 - mark 33 - iif 34 - oif 35 - iifname 36 - oifname 37 - iftype 38 - oiftype 39 - skuid 40 - skgid 41 - nftrace 42 - rtclassid 43 - secmark 44 - nfproto 45 - l4-proto 46 - bri-iifname 47 - bri-oifname 48 - pkttype 49 - cpu 50 - iifgroup 51 - oifgroup 52 - cgroup 53 - prandom 54 - secpath 55 - iifkind 56 - oifkind 57 - bri-iifpvid 58 - bri-iifvproto 59 - time-ns 60 - time-day 61 - time-hour 62 - sdif 63 - sdifname 64 - bri-broute 65 - 66 name: bitwise-ops 67 type: enum 68 entries: 69 - 70 name: mask-xor # aka bool (old name) 71 doc: >- 72 mask-and-xor operation used to implement NOT, AND, OR and XOR boolean 73 operations 74 - 75 name: lshift 76 - 77 name: rshift 78 - 79 name: and 80 - 81 name: or 82 - 83 name: xor 84 - 85 name: cmp-ops 86 type: enum 87 entries: 88 - eq 89 - neq 90 - lt 91 - lte 92 - gt 93 - gte 94 - 95 name: object-type 96 type: enum 97 entries: 98 - unspec 99 - counter 100 - quota 101 - ct-helper 102 - limit 103 - connlimit 104 - tunnel 105 - ct-timeout 106 - secmark 107 - ct-expect 108 - synproxy 109 - 110 name: nat-range-flags 111 type: flags 112 entries: 113 - map-ips 114 - proto-specified 115 - proto-random 116 - persistent 117 - proto-random-fully 118 - proto-offset 119 - netmap 120 - 121 name: table-flags 122 type: flags 123 entries: 124 - dormant 125 - owner 126 - persist 127 - 128 name: chain-flags 129 type: flags 130 entries: 131 - base 132 - hw-offload 133 - binding 134 - 135 name: set-flags 136 type: flags 137 entries: 138 - anonymous 139 - constant 140 - 
interval 141 - map 142 - timeout 143 - eval 144 - object 145 - concat 146 - expr 147 - 148 name: set-elem-flags 149 type: flags 150 entries: 151 - interval-end 152 - catchall 153 - 154 name: lookup-flags 155 type: flags 156 entries: 157 - invert 158 - 159 name: ct-keys 160 type: enum 161 entries: 162 - state 163 - direction 164 - status 165 - mark 166 - secmark 167 - expiration 168 - helper 169 - l3protocol 170 - src 171 - dst 172 - protocol 173 - proto-src 174 - proto-dst 175 - labels 176 - pkts 177 - bytes 178 - avgpkt 179 - zone 180 - eventmask 181 - src-ip 182 - dst-ip 183 - src-ip6 184 - dst-ip6 185 - ct-id 186 - 187 name: ct-direction 188 type: enum 189 entries: 190 - original 191 - reply 192 - 193 name: quota-flags 194 type: flags 195 entries: 196 - invert 197 - depleted 198 - 199 name: verdict-code 200 type: enum 201 entries: 202 - name: continue 203 value: 0xffffffff 204 - name: break 205 value: 0xfffffffe 206 - name: jump 207 value: 0xfffffffd 208 - name: goto 209 value: 0xfffffffc 210 - name: return 211 value: 0xfffffffb 212 - name: drop 213 value: 0 214 - name: accept 215 value: 1 216 - name: stolen 217 value: 2 218 - name: queue 219 value: 3 220 - name: repeat 221 value: 4 222 - 223 name: fib-result 224 type: enum 225 entries: 226 - oif 227 - oifname 228 - addrtype 229 - 230 name: fib-flags 231 type: flags 232 entries: 233 - saddr 234 - daddr 235 - mark 236 - iif 237 - oif 238 - present 239 - 240 name: reject-types 241 type: enum 242 entries: 243 - icmp-unreach 244 - tcp-rst 245 - icmpx-unreach 246 - 247 name: reject-inet-code 248 doc: These codes are mapped to real ICMP and ICMPv6 codes. 
249 type: enum 250 entries: 251 - icmpx-no-route 252 - icmpx-port-unreach 253 - icmpx-host-unreach 254 - icmpx-admin-prohibited 255 - 256 name: payload-base 257 type: enum 258 entries: 259 - link-layer-header 260 - network-header 261 - transport-header 262 - inner-header 263 - tun-header 264 - 265 name: range-ops 266 doc: Range operator 267 type: enum 268 entries: 269 - eq 270 - neq 271 - 272 name: registers 273 doc: | 274 nf_tables registers. 275 nf_tables used to have five registers: a verdict register and four data 276 registers of size 16. The data registers have been changed to 16 registers 277 of size 4. For compatibility reasons, the NFT_REG_[1-4] registers still 278 map to areas of size 16, the 4 byte registers are addressed using 279 NFT_REG32_00 - NFT_REG32_15. 280 type: enum 281 entries: 282 - 283 name: reg-verdict 284 - 285 name: reg-1 286 - 287 name: reg-2 288 - 289 name: reg-3 290 - 291 name: reg-4 292 - 293 name: reg32-00 294 value: 8 295 - 296 name: reg32-01 297 - 298 name: reg32-02 299 - 300 name: reg32-03 301 - 302 name: reg32-04 303 - 304 name: reg32-05 305 - 306 name: reg32-06 307 - 308 name: reg32-07 309 - 310 name: reg32-08 311 - 312 name: reg32-09 313 - 314 name: reg32-10 315 - 316 name: reg32-11 317 - 318 name: reg32-12 319 - 320 name: reg32-13 321 - 322 name: reg32-14 323 - 324 name: reg32-15 325 - 326 name: numgen-types 327 type: enum 328 entries: 329 - incremental 330 - random 331 - 332 name: log-level 333 doc: nf_tables log levels 334 type: enum 335 entries: 336 - 337 name: emerg 338 doc: system is unusable 339 - 340 name: alert 341 doc: action must be taken immediately 342 - 343 name: crit 344 doc: critical conditions 345 - 346 name: err 347 doc: error conditions 348 - 349 name: warning 350 doc: warning conditions 351 - 352 name: notice 353 doc: normal but significant condition 354 - 355 name: info 356 doc: informational 357 - 358 name: debug 359 doc: debug-level messages 360 - 361 name: audit 362 doc: enabling audit logging 363 - 364 
name: log-flags 365 doc: nf_tables log flags 366 header: linux/netfilter/nf_log.h 367 type: flags 368 entries: 369 - 370 name: tcpseq 371 doc: Log TCP sequence numbers 372 - 373 name: tcpopt 374 doc: Log TCP options 375 - 376 name: ipopt 377 doc: Log IP options 378 - 379 name: uid 380 doc: Log UID owning local socket 381 - 382 name: nflog 383 doc: Unsupported, don't reuse 384 - 385 name: macdecode 386 doc: Decode MAC header 387 388attribute-sets: 389 - 390 name: log-attrs 391 doc: log expression netlink attributes 392 attributes: 393 # Mentioned in nft_log_init() 394 - 395 name: group 396 doc: netlink group to send messages to 397 type: u16 398 byte-order: big-endian 399 - 400 name: prefix 401 doc: prefix to prepend to log messages 402 type: string 403 - 404 name: snaplen 405 doc: length of payload to include in netlink message 406 type: u32 407 byte-order: big-endian 408 - 409 name: qthreshold 410 doc: queue threshold 411 type: u16 412 byte-order: big-endian 413 - 414 name: level 415 doc: log level 416 type: u32 417 enum: log-level 418 byte-order: big-endian 419 - 420 name: flags 421 doc: logging flags 422 type: u32 423 enum: log-flags 424 byte-order: big-endian 425 - 426 name: numgen-attrs 427 doc: nf_tables number generator expression netlink attributes 428 attributes: 429 - 430 name: dreg 431 doc: destination register 432 type: u32 433 enum: registers 434 - 435 name: modulus 436 doc: maximum counter value 437 type: u32 438 byte-order: big-endian 439 - 440 name: type 441 doc: operation type 442 type: u32 443 byte-order: big-endian 444 enum: numgen-types 445 - 446 name: offset 447 doc: offset to be added to the counter 448 type: u32 449 byte-order: big-endian 450 - 451 name: range-attrs 452 attributes: 453 # Mentioned in net/netfilter/nft_range.c 454 - 455 name: sreg 456 doc: source register of data to compare 457 type: u32 458 byte-order: big-endian 459 enum: registers 460 - 461 name: op 462 doc: cmp operation 463 type: u32 464 byte-order: big-endian 465 enum: 
range-ops 466 checks: 467 max: 255 468 - 469 name: from-data 470 doc: data range from 471 type: nest 472 nested-attributes: data-attrs 473 - 474 name: to-data 475 doc: data range to 476 type: nest 477 nested-attributes: data-attrs 478 - 479 name: batch-attrs 480 attributes: 481 - 482 name: genid 483 doc: generation ID for this changeset 484 type: u32 485 byte-order: big-endian 486 - 487 name: table-attrs 488 attributes: 489 - 490 name: name 491 type: string 492 doc: name of the table 493 - 494 name: flags 495 type: u32 496 byte-order: big-endian 497 doc: bitmask of flags 498 enum: table-flags 499 enum-as-flags: true 500 - 501 name: use 502 type: u32 503 byte-order: big-endian 504 doc: number of chains in this table 505 - 506 name: handle 507 type: u64 508 byte-order: big-endian 509 doc: numeric handle of the table 510 - 511 name: pad 512 type: pad 513 - 514 name: userdata 515 type: binary 516 doc: user data 517 - 518 name: owner 519 type: u32 520 byte-order: big-endian 521 doc: owner of this table through netlink portID 522 - 523 name: chain-attrs 524 attributes: 525 - 526 name: table 527 type: string 528 doc: name of the table containing the chain 529 - 530 name: handle 531 type: u64 532 byte-order: big-endian 533 doc: numeric handle of the chain 534 - 535 name: name 536 type: string 537 doc: name of the chain 538 - 539 name: hook 540 type: nest 541 nested-attributes: nft-hook-attrs 542 doc: hook specification for basechains 543 - 544 name: policy 545 type: u32 546 byte-order: big-endian 547 doc: numeric policy of the chain 548 - 549 name: use 550 type: u32 551 byte-order: big-endian 552 doc: number of references to this chain 553 - 554 name: type 555 type: string 556 doc: type name of the chain 557 - 558 name: counters 559 type: nest 560 nested-attributes: nft-counter-attrs 561 doc: counter specification of the chain 562 - 563 name: flags 564 type: u32 565 byte-order: big-endian 566 doc: chain flags 567 enum: chain-flags 568 enum-as-flags: true 569 - 570 name: id 
571 type: u32 572 byte-order: big-endian 573 doc: uniquely identifies a chain in a transaction 574 - 575 name: userdata 576 type: binary 577 doc: user data 578 - 579 name: counter-attrs 580 attributes: 581 - 582 name: bytes 583 type: u64 584 byte-order: big-endian 585 - 586 name: packets 587 type: u64 588 byte-order: big-endian 589 - 590 name: pad 591 type: pad 592 - 593 name: nft-hook-attrs 594 attributes: 595 - 596 name: num 597 type: u32 598 byte-order: big-endian 599 - 600 name: priority 601 type: s32 602 byte-order: big-endian 603 - 604 name: dev 605 type: string 606 doc: net device name 607 - 608 name: devs 609 type: nest 610 nested-attributes: hook-dev-attrs 611 doc: list of net devices 612 - 613 name: hook-dev-attrs 614 attributes: 615 - 616 name: name 617 type: string 618 multi-attr: true 619 - 620 name: nft-counter-attrs 621 attributes: 622 - 623 name: bytes 624 type: u64 625 byte-order: big-endian 626 - 627 name: packets 628 type: u64 629 byte-order: big-endian 630 - 631 name: rule-attrs 632 attributes: 633 - 634 name: table 635 type: string 636 doc: name of the table containing the rule 637 - 638 name: chain 639 type: string 640 doc: name of the chain containing the rule 641 - 642 name: handle 643 type: u64 644 byte-order: big-endian 645 doc: numeric handle of the rule 646 - 647 name: expressions 648 type: nest 649 nested-attributes: expr-list-attrs 650 doc: list of expressions 651 - 652 name: compat 653 type: nest 654 nested-attributes: rule-compat-attrs 655 doc: compatibility specifications of the rule 656 - 657 name: position 658 type: u64 659 byte-order: big-endian 660 doc: numeric handle of the previous rule 661 - 662 name: userdata 663 type: binary 664 doc: user data 665 - 666 name: id 667 type: u32 668 doc: uniquely identifies a rule in a transaction 669 - 670 name: position-id 671 type: u32 672 doc: transaction unique identifier of the previous rule 673 - 674 name: chain-id 675 type: u32 676 doc: add the rule to chain by ID, alternative to chain 
name 677 - 678 name: expr-list-attrs 679 attributes: 680 - 681 name: elem 682 type: nest 683 nested-attributes: expr-attrs 684 multi-attr: true 685 - 686 name: expr-attrs 687 attributes: 688 - 689 name: name 690 type: string 691 doc: name of the expression type 692 - 693 name: data 694 type: sub-message 695 sub-message: expr-ops 696 selector: name 697 doc: type specific data 698 - 699 # Mentioned in nft_parse_compat() in net/netfilter/nft_compat.c 700 name: rule-compat-attrs 701 attributes: 702 - 703 name: proto 704 type: u32 705 byte-order: big-endian 706 doc: numeric value of the handled protocol 707 - 708 name: flags 709 type: u32 710 byte-order: big-endian 711 doc: bitmask of flags 712 - 713 name: set-attrs 714 attributes: 715 - 716 name: table 717 type: string 718 doc: table name 719 - 720 name: name 721 type: string 722 doc: set name 723 - 724 name: flags 725 type: u32 726 enum: set-flags 727 byte-order: big-endian 728 doc: bitmask of enum nft_set_flags 729 - 730 name: key-type 731 type: u32 732 byte-order: big-endian 733 doc: key data type, informational purpose only 734 - 735 name: key-len 736 type: u32 737 byte-order: big-endian 738 doc: key data length 739 - 740 name: data-type 741 type: u32 742 byte-order: big-endian 743 doc: mapping data type 744 - 745 name: data-len 746 type: u32 747 byte-order: big-endian 748 doc: mapping data length 749 - 750 name: policy 751 type: u32 752 byte-order: big-endian 753 doc: selection policy 754 - 755 name: desc 756 type: nest 757 nested-attributes: set-desc-attrs 758 doc: set description 759 - 760 name: id 761 type: u32 762 doc: uniquely identifies a set in a transaction 763 - 764 name: timeout 765 type: u64 766 doc: default timeout value 767 - 768 name: gc-interval 769 type: u32 770 doc: garbage collection interval 771 - 772 name: userdata 773 type: binary 774 doc: user data 775 - 776 name: pad 777 type: pad 778 - 779 name: obj-type 780 type: u32 781 byte-order: big-endian 782 doc: stateful object type 783 - 784 name: 
handle 785 type: u64 786 byte-order: big-endian 787 doc: set handle 788 - 789 name: expr 790 type: nest 791 nested-attributes: expr-attrs 792 doc: set expression 793 multi-attr: true 794 - 795 name: expressions 796 type: nest 797 nested-attributes: set-list-attrs 798 doc: list of expressions 799 - 800 name: type 801 type: string 802 doc: set backend type 803 - 804 name: count 805 type: u32 806 byte-order: big-endian 807 doc: number of set elements 808 - 809 name: set-desc-attrs 810 attributes: 811 - 812 name: size 813 type: u32 814 byte-order: big-endian 815 doc: number of elements in set 816 - 817 name: concat 818 type: nest 819 nested-attributes: set-desc-concat-attrs 820 doc: description of field concatenation 821 multi-attr: true 822 - 823 name: set-desc-concat-attrs 824 attributes: 825 - 826 name: elem 827 type: nest 828 nested-attributes: set-field-attrs 829 - 830 name: set-field-attrs 831 attributes: 832 - 833 name: len 834 type: u32 835 byte-order: big-endian 836 - 837 name: set-list-attrs 838 attributes: 839 - 840 name: elem 841 type: nest 842 nested-attributes: expr-attrs 843 multi-attr: true 844 - 845 name: setelem-attrs 846 attributes: 847 - 848 name: key 849 type: nest 850 nested-attributes: data-attrs 851 doc: key value 852 - 853 name: data 854 type: nest 855 nested-attributes: data-attrs 856 doc: data value of mapping 857 - 858 name: flags 859 type: binary 860 doc: bitmask of nft_set_elem_flags 861 - 862 name: timeout 863 type: u64 864 doc: timeout value 865 - 866 name: expiration 867 type: u64 868 doc: expiration time 869 - 870 name: userdata 871 type: binary 872 doc: user data 873 - 874 name: expr 875 type: nest 876 nested-attributes: expr-attrs 877 doc: expression 878 - 879 name: objref 880 type: string 881 doc: stateful object reference 882 - 883 name: key-end 884 type: nest 885 nested-attributes: data-attrs 886 doc: closing key value 887 - 888 name: expressions 889 type: nest 890 nested-attributes: expr-list-attrs 891 doc: list of expressions 
892 - 893 name: setelem-list-elem-attrs 894 attributes: 895 - 896 name: elem 897 type: nest 898 nested-attributes: setelem-attrs 899 multi-attr: true 900 - 901 name: setelem-list-attrs 902 attributes: 903 - 904 name: table 905 type: string 906 - 907 name: set 908 type: string 909 - 910 name: elements 911 type: nest 912 nested-attributes: setelem-list-elem-attrs 913 - 914 name: set-id 915 type: u32 916 - 917 name: gen-attrs 918 attributes: 919 - 920 name: id 921 type: u32 922 byte-order: big-endian 923 doc: ruleset generation id 924 - 925 name: proc-pid 926 type: u32 927 byte-order: big-endian 928 - 929 name: proc-name 930 type: string 931 - 932 name: obj-attrs 933 attributes: 934 - 935 name: table 936 type: string 937 doc: name of the table containing the object 938 - 939 name: name 940 type: string 941 doc: name of this object 942 - 943 name: type 944 type: u32 945 enum: object-type 946 byte-order: big-endian 947 doc: stateful object type 948 - 949 name: data 950 type: sub-message 951 sub-message: obj-data 952 selector: type 953 doc: stateful object data 954 - 955 name: use 956 type: u32 957 byte-order: big-endian 958 doc: number of references to this object 959 - 960 name: handle 961 type: u64 962 byte-order: big-endian 963 doc: object handle 964 - 965 name: pad 966 type: pad 967 - 968 name: userdata 969 type: binary 970 doc: user data 971 - 972 name: quota-attrs 973 attributes: 974 - 975 name: bytes 976 type: u64 977 byte-order: big-endian 978 - 979 name: flags 980 type: u32 981 byte-order: big-endian 982 enum: quota-flags 983 - 984 name: pad 985 type: pad 986 - 987 name: consumed 988 type: u64 989 byte-order: big-endian 990 - 991 name: flowtable-attrs 992 attributes: 993 - 994 name: table 995 type: string 996 - 997 name: name 998 type: string 999 - 1000 name: hook 1001 type: nest 1002 nested-attributes: flowtable-hook-attrs 1003 - 1004 name: use 1005 type: u32 1006 byte-order: big-endian 1007 - 1008 name: handle 1009 type: u64 1010 byte-order: 
big-endian 1011 - 1012 name: pad 1013 type: pad 1014 - 1015 name: flags 1016 type: u32 1017 byte-order: big-endian 1018 - 1019 name: flowtable-hook-attrs 1020 attributes: 1021 - 1022 name: num 1023 type: u32 1024 byte-order: big-endian 1025 - 1026 name: priority 1027 type: u32 1028 byte-order: big-endian 1029 - 1030 name: devs 1031 type: nest 1032 nested-attributes: hook-dev-attrs 1033 - 1034 name: expr-bitwise-attrs 1035 doc: | 1036 The bitwise expression supports boolean and shift operations. It 1037 implements the boolean operations by performing the following 1038 operation:: 1039 1040 dreg = (sreg & mask) ^ xor 1041 1042 with these mask and xor values: 1043 1044 op mask xor 1045 ---- ---- --- 1046 NOT: 1 1 1047 OR: ~x x 1048 XOR: 1 x 1049 AND: x 0 1050 1051 attributes: 1052 - 1053 name: sreg 1054 type: u32 1055 byte-order: big-endian 1056 - 1057 name: dreg 1058 type: u32 1059 byte-order: big-endian 1060 - 1061 name: len 1062 type: u32 1063 byte-order: big-endian 1064 - 1065 name: mask 1066 type: nest 1067 nested-attributes: data-attrs 1068 - 1069 name: xor 1070 type: nest 1071 nested-attributes: data-attrs 1072 - 1073 name: op 1074 type: u32 1075 byte-order: big-endian 1076 enum: bitwise-ops 1077 checks: 1078 max: 255 1079 - 1080 name: data 1081 type: nest 1082 nested-attributes: data-attrs 1083 - 1084 name: expr-cmp-attrs 1085 attributes: 1086 - 1087 name: sreg 1088 type: u32 1089 byte-order: big-endian 1090 - 1091 name: op 1092 type: u32 1093 byte-order: big-endian 1094 enum: cmp-ops 1095 - 1096 name: data 1097 type: nest 1098 nested-attributes: data-attrs 1099 - 1100 name: data-attrs 1101 attributes: 1102 - 1103 name: value 1104 type: binary 1105 # sub-type: u8 1106 - 1107 name: verdict 1108 type: nest 1109 nested-attributes: verdict-attrs 1110 - 1111 name: verdict-attrs 1112 attributes: 1113 - 1114 name: code 1115 doc: nf_tables verdict 1116 type: u32 1117 byte-order: big-endian 1118 enum: verdict-code 1119 - 1120 name: chain 1121 doc: jump target chain 
name 1122 type: string 1123 - 1124 name: chain-id 1125 doc: jump target chain ID 1126 type: u32 1127 byte-order: big-endian 1128 - 1129 name: expr-counter-attrs 1130 attributes: 1131 - 1132 name: bytes 1133 type: u64 1134 byte-order: big-endian 1135 doc: Number of bytes 1136 - 1137 name: packets 1138 type: u64 1139 byte-order: big-endian 1140 doc: Number of packets 1141 - 1142 name: pad 1143 type: pad 1144 - 1145 name: expr-fib-attrs 1146 attributes: 1147 - 1148 name: dreg 1149 type: u32 1150 byte-order: big-endian 1151 - 1152 name: result 1153 type: u32 1154 byte-order: big-endian 1155 enum: fib-result 1156 - 1157 name: flags 1158 type: u32 1159 byte-order: big-endian 1160 enum: fib-flags 1161 - 1162 name: expr-ct-attrs 1163 attributes: 1164 - 1165 name: dreg 1166 type: u32 1167 byte-order: big-endian 1168 - 1169 name: key 1170 type: u32 1171 byte-order: big-endian 1172 enum: ct-keys 1173 - 1174 name: direction 1175 type: u8 1176 enum: ct-direction 1177 - 1178 name: sreg 1179 type: u32 1180 byte-order: big-endian 1181 - 1182 name: expr-flow-offload-attrs 1183 attributes: 1184 - 1185 name: name 1186 type: string 1187 doc: Flow offload table name 1188 - 1189 name: expr-immediate-attrs 1190 attributes: 1191 - 1192 name: dreg 1193 type: u32 1194 byte-order: big-endian 1195 - 1196 name: data 1197 type: nest 1198 nested-attributes: data-attrs 1199 - 1200 name: expr-lookup-attrs 1201 attributes: 1202 - 1203 name: set 1204 type: string 1205 doc: Name of set to use 1206 - 1207 name: set-id 1208 type: u32 1209 byte-order: big-endian 1210 doc: ID of set to use 1211 - 1212 name: sreg 1213 type: u32 1214 byte-order: big-endian 1215 - 1216 name: dreg 1217 type: u32 1218 byte-order: big-endian 1219 - 1220 name: flags 1221 type: u32 1222 byte-order: big-endian 1223 enum: lookup-flags 1224 - 1225 name: expr-masq-attrs 1226 attributes: 1227 - 1228 name: flags 1229 type: u32 1230 byte-order: big-endian 1231 enum: nat-range-flags 1232 enum-as-flags: true 1233 - 1234 name: 
reg-proto-min 1235 type: u32 1236 byte-order: big-endian 1237 enum: registers 1238 - 1239 name: reg-proto-max 1240 type: u32 1241 byte-order: big-endian 1242 enum: registers 1243 - 1244 name: expr-meta-attrs 1245 attributes: 1246 - 1247 name: dreg 1248 type: u32 1249 byte-order: big-endian 1250 - 1251 name: key 1252 type: u32 1253 byte-order: big-endian 1254 enum: meta-keys 1255 - 1256 name: sreg 1257 type: u32 1258 byte-order: big-endian 1259 - 1260 name: expr-nat-attrs 1261 attributes: 1262 - 1263 name: type 1264 type: u32 1265 byte-order: big-endian 1266 - 1267 name: family 1268 type: u32 1269 byte-order: big-endian 1270 - 1271 name: reg-addr-min 1272 type: u32 1273 byte-order: big-endian 1274 - 1275 name: reg-addr-max 1276 type: u32 1277 byte-order: big-endian 1278 - 1279 name: reg-proto-min 1280 type: u32 1281 byte-order: big-endian 1282 - 1283 name: reg-proto-max 1284 type: u32 1285 byte-order: big-endian 1286 - 1287 name: flags 1288 type: u32 1289 byte-order: big-endian 1290 enum: nat-range-flags 1291 enum-as-flags: true 1292 - 1293 name: expr-payload-attrs 1294 doc: nf_tables payload expression netlink attributes 1295 attributes: 1296 - 1297 name: dreg 1298 doc: destination register to load data into 1299 type: u32 1300 byte-order: big-endian 1301 enum: registers 1302 - 1303 name: base 1304 doc: payload base 1305 type: u32 1306 enum: payload-base 1307 byte-order: big-endian 1308 - 1309 name: offset 1310 doc: payload offset relative to base 1311 type: u32 1312 byte-order: big-endian 1313 - 1314 name: len 1315 doc: payload length 1316 type: u32 1317 byte-order: big-endian 1318 - 1319 name: sreg 1320 doc: source register to load data from 1321 type: u32 1322 byte-order: big-endian 1323 enum: registers 1324 - 1325 name: csum-type 1326 doc: checksum type 1327 type: u32 1328 byte-order: big-endian 1329 - 1330 name: csum-offset 1331 doc: checksum offset relative to base 1332 type: u32 1333 byte-order: big-endian 1334 - 1335 name: csum-flags 1336 doc: checksum 
flags 1337 type: u32 1338 byte-order: big-endian 1339 - 1340 name: expr-reject-attrs 1341 attributes: 1342 - 1343 name: type 1344 type: u32 1345 byte-order: big-endian 1346 enum: reject-types 1347 - 1348 name: icmp-code 1349 type: u8 1350 - 1351 name: expr-target-attrs 1352 attributes: 1353 - 1354 name: name 1355 type: string 1356 - 1357 name: rev 1358 type: u32 1359 byte-order: big-endian 1360 - 1361 name: info 1362 type: binary 1363 - 1364 name: expr-tproxy-attrs 1365 attributes: 1366 - 1367 name: family 1368 type: u32 1369 byte-order: big-endian 1370 - 1371 name: reg-addr 1372 type: u32 1373 byte-order: big-endian 1374 - 1375 name: reg-port 1376 type: u32 1377 byte-order: big-endian 1378 - 1379 name: expr-objref-attrs 1380 attributes: 1381 - 1382 name: imm-type 1383 type: u32 1384 byte-order: big-endian 1385 - 1386 name: imm-name 1387 type: string 1388 doc: object name 1389 - 1390 name: set-sreg 1391 type: u32 1392 byte-order: big-endian 1393 - 1394 name: set-name 1395 type: string 1396 doc: name of object map 1397 - 1398 name: set-id 1399 type: u32 1400 byte-order: big-endian 1401 doc: id of object map 1402 - 1403 name: compat-target-attrs 1404 header: linux/netfilter/nf_tables_compat.h 1405 attributes: 1406 - 1407 name: name 1408 type: string 1409 checks: 1410 max-len: 32 1411 - 1412 name: rev 1413 type: u32 1414 byte-order: big-endian 1415 checks: 1416 max: 255 1417 - 1418 name: info 1419 type: binary 1420 - 1421 name: compat-match-attrs 1422 header: linux/netfilter/nf_tables_compat.h 1423 attributes: 1424 - 1425 name: name 1426 type: string 1427 checks: 1428 max-len: 32 1429 - 1430 name: rev 1431 type: u32 1432 byte-order: big-endian 1433 checks: 1434 max: 255 1435 - 1436 name: info 1437 type: binary 1438 - 1439 name: compat-attrs 1440 header: linux/netfilter/nf_tables_compat.h 1441 attributes: 1442 - 1443 name: name 1444 type: string 1445 checks: 1446 max-len: 32 1447 - 1448 name: rev 1449 type: u32 1450 byte-order: big-endian 1451 checks: 1452 max: 255 
1453 - 1454 name: type 1455 type: u32 1456 byte-order: big-endian 1457 1458sub-messages: 1459 - 1460 name: expr-ops 1461 formats: 1462 - 1463 value: bitwise 1464 attribute-set: expr-bitwise-attrs 1465 - 1466 value: cmp 1467 attribute-set: expr-cmp-attrs 1468 - 1469 value: counter 1470 attribute-set: expr-counter-attrs 1471 - 1472 value: ct 1473 attribute-set: expr-ct-attrs 1474 - 1475 value: fib 1476 attribute-set: expr-fib-attrs 1477 - 1478 value: flow_offload 1479 attribute-set: expr-flow-offload-attrs 1480 - 1481 value: immediate 1482 attribute-set: expr-immediate-attrs 1483 - 1484 value: log 1485 attribute-set: log-attrs 1486 - 1487 value: lookup 1488 attribute-set: expr-lookup-attrs 1489 - 1490 value: match 1491 attribute-set: compat-match-attrs 1492 - 1493 value: meta 1494 attribute-set: expr-meta-attrs 1495 - 1496 value: nat 1497 attribute-set: expr-nat-attrs 1498 - 1499 value: numgen 1500 attribute-set: numgen-attrs 1501 - 1502 value: objref 1503 attribute-set: expr-objref-attrs 1504 - 1505 value: payload 1506 attribute-set: expr-payload-attrs 1507 - 1508 value: quota 1509 attribute-set: quota-attrs 1510 - 1511 value: range 1512 attribute-set: range-attrs 1513 - 1514 value: reject 1515 attribute-set: expr-reject-attrs 1516 - 1517 value: target 1518 attribute-set: expr-target-attrs 1519 - 1520 value: tproxy 1521 attribute-set: expr-tproxy-attrs 1522 # There are more sub-messages to go: 1523 # grep -A10 nft_expr_type 1524 # and look for .name\s*=\s*"..." 
1525 - 1526 name: obj-data 1527 formats: 1528 - 1529 value: counter 1530 attribute-set: counter-attrs 1531 - 1532 value: quota 1533 attribute-set: quota-attrs 1534 1535operations: 1536 enum-model: directional 1537 list: 1538 - 1539 name: batch-begin 1540 doc: Start a batch of operations 1541 attribute-set: batch-attrs 1542 fixed-header: nfgenmsg 1543 do: 1544 request: 1545 value: 0x10 1546 attributes: 1547 - genid 1548 reply: 1549 value: 0x10 1550 attributes: 1551 - genid 1552 - 1553 name: batch-end 1554 doc: Finish a batch of operations 1555 attribute-set: batch-attrs 1556 fixed-header: nfgenmsg 1557 do: 1558 request: 1559 value: 0x11 1560 attributes: 1561 - genid 1562 - 1563 name: newtable 1564 doc: Create a new table. 1565 attribute-set: table-attrs 1566 fixed-header: nfgenmsg 1567 do: 1568 request: 1569 value: 0xa00 1570 attributes: 1571 # Mentioned in nf_tables_newtable() 1572 - name 1573 - flags 1574 - userdata 1575 - 1576 name: gettable 1577 doc: Get / dump tables. 1578 attribute-set: table-attrs 1579 fixed-header: nfgenmsg 1580 do: 1581 request: 1582 value: 0xa01 1583 attributes: 1584 # Mentioned in nf_tables_gettable() 1585 - name 1586 reply: 1587 value: 0xa00 1588 attributes: &get-table 1589 # Mentioned in nf_tables_fill_table_info() 1590 - name 1591 - use 1592 - handle 1593 - flags 1594 - owner 1595 - userdata 1596 dump: 1597 reply: 1598 attributes: *get-table 1599 - 1600 name: deltable 1601 doc: Delete an existing table. 1602 attribute-set: table-attrs 1603 fixed-header: nfgenmsg 1604 do: 1605 request: 1606 value: 0xa02 1607 attributes: &del-table 1608 # Mentioned in nf_tables_deltable() 1609 - name 1610 - handle 1611 - 1612 name: destroytable 1613 doc: | 1614 Delete an existing table with destroy semantics (ignoring ENOENT 1615 errors). 1616 attribute-set: table-attrs 1617 fixed-header: nfgenmsg 1618 do: 1619 request: 1620 value: 0xa1a 1621 attributes: *del-table 1622 - 1623 name: newchain 1624 doc: Create a new chain. 
1625 attribute-set: chain-attrs 1626 fixed-header: nfgenmsg 1627 do: 1628 request: 1629 value: 0xa03 1630 attributes: 1631 # Mentioned in nf_tables_newchain() 1632 - table 1633 - handle 1634 - policy 1635 - flags 1636 # Mentioned in nf_tables_updchain() 1637 - hook 1638 - name 1639 - counters 1640 # Mentioned in nf_tables_addchain() 1641 - userdata 1642 # Mentioned in nft_chain_parse_hook() 1643 - type 1644 - 1645 name: getchain 1646 doc: Get / dump chains. 1647 attribute-set: chain-attrs 1648 fixed-header: nfgenmsg 1649 do: 1650 request: 1651 value: 0xa04 1652 attributes: 1653 # Mentioned in nf_tables_getchain() 1654 - table 1655 - name 1656 reply: 1657 value: 0xa03 1658 attributes: &get-chain 1659 # Mentioned in nf_tables_fill_chain_info() 1660 - table 1661 - name 1662 - handle 1663 - hook 1664 - policy 1665 - type 1666 - flags 1667 - counters 1668 - id 1669 - use 1670 - userdata 1671 dump: 1672 reply: 1673 attributes: *get-chain 1674 - 1675 name: delchain 1676 doc: Delete an existing chain. 1677 attribute-set: chain-attrs 1678 fixed-header: nfgenmsg 1679 do: 1680 request: 1681 value: 0xa05 1682 attributes: &del-chain 1683 # Mentioned in nf_tables_delchain() 1684 - table 1685 - handle 1686 - name 1687 - hook 1688 - 1689 name: destroychain 1690 doc: | 1691 Delete an existing chain with destroy semantics (ignoring ENOENT 1692 errors). 1693 attribute-set: chain-attrs 1694 fixed-header: nfgenmsg 1695 do: 1696 request: 1697 value: 0xa1b 1698 attributes: *del-chain 1699 - 1700 name: newrule 1701 doc: Create a new rule. 1702 attribute-set: rule-attrs 1703 fixed-header: nfgenmsg 1704 do: 1705 request: 1706 value: 0xa06 1707 attributes: 1708 # Mentioned in nf_tables_newrule() 1709 - table 1710 - chain 1711 - chain-id 1712 - handle 1713 - position 1714 - position-id 1715 - expressions 1716 - userdata 1717 - compat 1718 - 1719 name: getrule 1720 doc: Get / dump rules. 
1721 attribute-set: rule-attrs 1722 fixed-header: nfgenmsg 1723 do: 1724 request: 1725 value: 0xa07 1726 attributes: &get-rule-request 1727 # Mentioned in nf_tables_getrule_single() 1728 - table 1729 - chain 1730 - handle 1731 reply: 1732 value: 0xa06 1733 attributes: &get-rule 1734 # Mentioned in nf_tables_fill_rule_info() 1735 - table 1736 - chain 1737 - handle 1738 - position 1739 - expressions 1740 - userdata 1741 dump: 1742 request: 1743 attributes: 1744 # Mentioned in nf_tables_dump_rules_start() 1745 - table 1746 - chain 1747 reply: 1748 attributes: *get-rule 1749 1750 - 1751 name: getrule-reset 1752 doc: Get / dump rules and reset stateful expressions. 1753 attribute-set: rule-attrs 1754 fixed-header: nfgenmsg 1755 do: 1756 request: 1757 value: 0xa19 1758 attributes: *get-rule-request 1759 reply: 1760 value: 0xa06 1761 attributes: *get-rule 1762 dump: 1763 request: 1764 attributes: *get-rule-request 1765 reply: 1766 attributes: *get-rule 1767 - 1768 name: delrule 1769 doc: Delete an existing rule. 1770 attribute-set: rule-attrs 1771 fixed-header: nfgenmsg 1772 do: 1773 request: 1774 value: 0xa08 1775 attributes: &del-rule 1776 - table 1777 - chain 1778 - handle 1779 - id 1780 - 1781 name: destroyrule 1782 doc: | 1783 Delete an existing rule with destroy semantics (ignoring ENOENT errors). 1784 attribute-set: rule-attrs 1785 fixed-header: nfgenmsg 1786 do: 1787 request: 1788 value: 0xa1c 1789 attributes: *del-rule 1790 - 1791 name: newset 1792 doc: Create a new set. 1793 attribute-set: set-attrs 1794 fixed-header: nfgenmsg 1795 do: 1796 request: 1797 value: 0xa09 1798 attributes: 1799 # Mentioned in nf_tables_newset() 1800 - table 1801 - name 1802 - key-len 1803 - id 1804 - key-type 1805 - flags 1806 - data-type 1807 - data-len 1808 - obj-type 1809 - timeout 1810 - gc-interval 1811 - policy 1812 - desc 1813 - userdata 1814 - 1815 name: getset 1816 doc: Get / dump sets. 
      attribute-set: set-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa0a
          attributes:
            # Mentioned in nf_tables_getset()
            - table
            - name
        reply:
          value: 0xa09
          attributes: &get-set
            # Mentioned in nf_tables_fill_set()
            - table
            - name
            - handle
            - flags
            - key-len
            - key-type
            - data-type
            - data-len
            - obj-type
            - gc-interval
            - policy
            - userdata
            - desc
            - expr
            - expressions
      dump:
        request:
          attributes:
            # Mentioned in nf_tables_getset()
            - table
        reply:
          attributes: *get-set
    -
      name: delset
      doc: Delete an existing set.
      attribute-set: set-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa0b
          attributes: &del-set
            # Mentioned in nf_tables_delset()
            - table
            - handle
            - name
    -
      name: destroyset
      doc: |
        Delete an existing set with destroy semantics (ignoring ENOENT errors).
      attribute-set: set-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa1d
          attributes: *del-set
    -
      name: newsetelem
      doc: Create a new set element.
      attribute-set: setelem-list-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa0c
          attributes:
            # Mentioned in nf_tables_newsetelem()
            - table
            - set
            - set-id
            - elements
    -
      name: getsetelem
      doc: Get / dump set elements.
      attribute-set: setelem-list-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa0d
          attributes:
            # Mentioned in nf_tables_getsetelem()
            - table
            - set
            - elements
        reply:
          value: 0xa0c
          attributes:
            # Mentioned in nf_tables_fill_setelem_info()
            - elements
      dump:
        request:
          attributes: &dump-set-request
            # Mentioned in nft_set_dump_ctx_init()
            - table
            - set
        reply:
          attributes: &dump-set
            # Mentioned in nf_tables_dump_set()
            - table
            - set
            - elements
    -
      name: getsetelem-reset
      doc: Get / dump set elements and reset stateful expressions.
      attribute-set: setelem-list-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa21
          attributes:
            # Mentioned in nf_tables_getsetelem_reset()
            - elements
        reply:
          value: 0xa0c
          attributes:
            # Mentioned in nf_tables_dumpreset_set()
            - table
            - set
            - elements
      dump:
        request:
          attributes: *dump-set-request
        reply:
          attributes: *dump-set
    -
      name: delsetelem
      doc: Delete an existing set element.
      attribute-set: setelem-list-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa0e
          attributes: &del-setelem
            # Mentioned in nf_tables_delsetelem()
            - table
            - set
            - elements
    -
      name: destroysetelem
      doc: |
        Delete an existing set element with destroy semantics (ignoring ENOENT
        errors).
      attribute-set: setelem-list-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa1e
          attributes: *del-setelem
    -
      name: getgen
      doc: Get / dump rule-set generation.
      attribute-set: gen-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa10
        reply:
          value: 0xa0f
          attributes: &get-gen
            # Mentioned in nf_tables_fill_gen_info()
            - id
            - proc-pid
            - proc-name
      dump:
        reply:
          attributes: *get-gen
    -
      name: newobj
      doc: Create a new stateful object.
      attribute-set: obj-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa12
          attributes:
            # Mentioned in nf_tables_newobj()
            - type
            - name
            - data
            - table
            - userdata
    -
      name: getobj
      doc: Get / dump stateful objects.
      attribute-set: obj-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa13
          attributes:
            # Mentioned in nf_tables_getobj_single()
            - name
            - type
            - table
        reply:
          value: 0xa12
          attributes: &obj-info
            # Mentioned in nf_tables_fill_obj_info()
            - table
            - name
            - type
            - handle
            - use
            - data
            - userdata
      dump:
        request:
          attributes:
            # Mentioned in nf_tables_dump_obj_start()
            - table
            - type
        reply:
          attributes: *obj-info
    -
      name: delobj
      doc: Delete an existing stateful object.
      attribute-set: obj-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa14
          attributes:
            # Mentioned in nf_tables_delobj()
            - table
            - name
            - type
            - handle
    -
      name: destroyobj
      doc: |
        Delete an existing stateful object with destroy semantics (ignoring
        ENOENT errors).
      attribute-set: obj-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa1f
          attributes:
            # Mentioned in nf_tables_delobj()
            - table
            - name
            - type
            - handle
    -
      name: newflowtable
      doc: Create a new flow table.
      attribute-set: flowtable-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa16
          attributes:
            # Mentioned in nf_tables_newflowtable()
            - table
            - name
            - hook
            - flags
    -
      name: getflowtable
      doc: Get / dump flow tables.
      attribute-set: flowtable-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa17
          attributes:
            # Mentioned in nf_tables_getflowtable()
            - name
            - table
        reply:
          value: 0xa16
          attributes: &flowtable-info
            # Mentioned in nf_tables_fill_flowtable_info()
            - table
            - name
            - handle
            - use
            - flags
            - hook
      dump:
        reply:
          attributes: *flowtable-info
    -
      name: delflowtable
      doc: Delete an existing flow table.
      attribute-set: flowtable-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa18
          attributes: &del-flowtable
            # Mentioned in nf_tables_delflowtable()
            - table
            - name
            - handle
            - hook
    -
      name: destroyflowtable
      doc: |
        Delete an existing flow table with destroy semantics (ignoring ENOENT
        errors).
      attribute-set: flowtable-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa20
          attributes: *del-flowtable

mcast-groups:
  list:
    -
      name: mgmt