Family nftables netlink specification
Summary
Netfilter nftables configuration over netlink.
Operations
batch-begin
Start a batch of operations.
- attribute-set:
- fixed-header:
- do:
  - request
    - attributes: [genid]
  - reply
    - attributes: [genid]
batch-end
Finish a batch of operations.
- attribute-set:
- fixed-header:
- do:
  - request
    - attributes: [genid]
newtable
Create a new table.
- attribute-set:
- fixed-header:
- do:
  - request
    - attributes: [name]
gettable
Get / dump tables.
- attribute-set:
- fixed-header:
- do:
  - request
    - attributes: [name]
  - reply
    - attributes: [name]
deltable
Delete an existing table.
- attribute-set:
- fixed-header:
- do:
  - request
    - attributes: [name]
destroytable
Delete an existing table with destroy semantics (ENOENT errors are ignored).
- attribute-set:
- fixed-header:
- do:
  - request
    - attributes: [name]
newchain
Create a new chain.
- attribute-set:
- fixed-header:
- do:
  - request
    - attributes: [name]
getchain
Get / dump chains.
- attribute-set:
- fixed-header:
- do:
  - request
    - attributes: [name]
  - reply
    - attributes: [name]
delchain
Delete an existing chain.
- attribute-set:
- fixed-header:
- do:
  - request
    - attributes: [name]
destroychain
Delete an existing chain with destroy semantics (ENOENT errors are ignored).
- attribute-set:
- fixed-header:
- do:
  - request
    - attributes: [name]
newrule
Create a new rule.
- attribute-set:
- fixed-header:
- do:
  - request
    - attributes: [name]
getrule
Get / dump rules.
- attribute-set:
- fixed-header:
- do:
  - request
    - attributes: [name]
  - reply
    - attributes: [name]
getrule-reset
Get / dump rules and reset their stateful expressions.
- attribute-set:
- fixed-header:
- do:
  - request
    - attributes: [name]
  - reply
    - attributes: [name]
delrule
Delete an existing rule.
- attribute-set:
- fixed-header:
- do:
  - request
    - attributes: [name]
destroyrule
Delete an existing rule with destroy semantics (ENOENT errors are ignored).
- attribute-set:
- fixed-header:
- do:
  - request
    - attributes: [name]
newset
Create a new set.
getset
Get / dump sets.
delset
Delete an existing set.
destroyset
Delete an existing set with destroy semantics (ENOENT errors are ignored).
newsetelem
Create a new set element.
- attribute-set:
- fixed-header:
- do:
  - request
    - attributes: [name]
getsetelem
Get / dump set elements.
- attribute-set:
- fixed-header:
- do:
  - request
    - attributes: [name]
  - reply
    - attributes: [name]
getsetelem-reset
Get / dump set elements and reset their stateful expressions.
- attribute-set:
- fixed-header:
- do:
  - request
    - attributes: [name]
  - reply
    - attributes: [name]
delsetelem
Delete an existing set element.
- attribute-set:
- fixed-header:
- do:
  - request
    - attributes: [name]
destroysetelem
Delete an existing set element with destroy semantics.
- attribute-set:
- fixed-header:
- do:
  - request
    - attributes: [name]
getgen
Get / dump the ruleset generation.
newobj
Create a new stateful object.
getobj
Get / dump stateful objects.
delobj
Delete an existing stateful object.
destroyobj
Delete an existing stateful object with destroy semantics.
newflowtable
Create a new flow table.
- attribute-set:
- fixed-header:
- do:
  - request
    - attributes: [name]
getflowtable
Get / dump flow tables.
- attribute-set:
- fixed-header:
- do:
  - request
    - attributes: [name]
  - reply
    - attributes: [name]
delflowtable
Delete an existing flow table.
- attribute-set:
- fixed-header:
- do:
  - request
    - attributes: [name]
destroyflowtable
Delete an existing flow table with destroy semantics.
- attribute-set:
- fixed-header:
- do:
  - request
    - attributes: [name]
Multicast groups
mgmt
Definitions
nfgenmsg
- type: struct
- members:
  - nfgen-family (u8)
  - version (u8)
  - res-id (u16)
meta-keys
- type: enum
- entries: len, protocol, priority, mark, iif, oif, iifname, oifname, iftype, oiftype, skuid, skgid, nftrace, rtclassid, secmark, nfproto, l4-proto, bri-iifname, bri-oifname, pkttype, cpu, iifgroup, oifgroup, cgroup, prandom, secpath, iifkind, oifkind, bri-iifpvid, bri-iifvproto, time-ns, time-day, time-hour, sdif, sdifname, bri-broute
bitwise-ops
- type: enum
- entries: bool, lshift, rshift
cmp-ops
- type: enum
- entries: eq, neq, lt, lte, gt, gte
object-type
- type: enum
- entries: unspec, counter, quota, ct-helper, limit, connlimit, tunnel, ct-timeout, secmark, ct-expect, synproxy
nat-range-flags
- type: flags
- entries: map-ips, proto-specified, proto-random, persistent, proto-random-fully, proto-offset, netmap
table-flags
- type: flags
- entries: dormant, owner, persist
chain-flags
- type: flags
- entries: base, hw-offload, binding
set-flags
- type: flags
- entries: anonymous, constant, interval, map, timeout, eval, object, concat, expr
lookup-flags
- type: flags
- entries: invert
ct-keys
- type: enum
- entries: state, direction, status, mark, secmark, expiration, helper, l3protocol, src, dst, protocol, proto-src, proto-dst, labels, pkts, bytes, avgpkt, zone, eventmask, src-ip, dst-ip, src-ip6, dst-ip6, ct-id
ct-direction
- type: enum
- entries: original, reply
quota-flags
- type: flags
- entries: invert, depleted
verdict-code
- type: enum
- entries: continue, break, jump, goto, return, drop, accept, stolen, queue, repeat
fib-result
- type: enum
- entries: oif, oifname, addrtype
fib-flags
- type: flags
- entries: saddr, daddr, mark, iif, oif, present
reject-types
- type: enum
- entries: icmp-unreach, tcp-rst, icmpx-unreach
Attribute sets
empty-attrs
name (string)
batch-attrs
genid (u32)
- byte-order: big-endian
table-attrs
name (string)
- doc: name of the table
flags (u32)
- byte-order: big-endian
- doc: bitmask of flags
- enum:
- enum-as-flags: True
use (u32)
- byte-order: big-endian
- doc: number of chains in this table
handle (u64)
- byte-order: big-endian
- doc: numeric handle of the table
userdata (binary)
- doc: user data
chain-attrs
table (string)
- doc: name of the table containing the chain
handle (u64)
- byte-order: big-endian
- doc: numeric handle of the chain
name (string)
- doc: name of the chain
hook (nest)
- nested-attributes:
- doc: hook specification for base chains
policy (u32)
- byte-order: big-endian
- doc: numeric policy of the chain
use (u32)
- byte-order: big-endian
- doc: number of references to this chain
type (string)
- doc: type name of the chain
counters (nest)
- nested-attributes:
- doc: counter specification of the chain
flags (u32)
- byte-order: big-endian
- doc: chain flags
- enum:
- enum-as-flags: True
id (u32)
- byte-order: big-endian
- doc: uniquely identifies a chain within a transaction
userdata (binary)
- doc: user data
counter-attrs
bytes (u64)
- byte-order: big-endian
packets (u64)
- byte-order: big-endian
pad (pad)
nft-hook-attrs
num (u32)
- byte-order: big-endian
priority (s32)
- byte-order: big-endian
dev (string)
- doc: net device name
devs (nest)
- nested-attributes:
- doc: list of net devices
hook-dev-attrs
name (string)
- multi-attr: True
nft-counter-attrs
bytes (u64)
packets (u64)
rule-attrs
table (string)
- doc: name of the table containing the rule
chain (string)
- doc: name of the chain containing the rule
handle (u64)
- byte-order: big-endian
- doc: numeric handle of the rule
expressions (nest)
- nested-attributes:
- doc: list of expressions
compat (nest)
- nested-attributes:
- doc: compatibility specification of the rule
position (u64)
- byte-order: big-endian
- doc: numeric handle of the previous rule
userdata (binary)
- doc: user data
id (u32)
- doc: uniquely identifies a rule within a transaction
position-id (u32)
- doc: transaction-unique identifier of the previous rule
chain-id (u32)
- doc: add the rule to the chain identified by this ID, as an alternative to the chain name
expr-list-attrs
elem (nest)
- nested-attributes:
- multi-attr: True
expr-attrs
name (string)
- doc: name of the expression type
data (sub-message)
- sub-message:
- selector: name
- doc: type-specific data
rule-compat-attrs
proto (binary)
- doc: numeric value of the handled protocol
flags (binary)
- doc: bitmask of flags
set-attrs
table (string)
- doc: table name
name (string)
- doc: set name
flags (u32)
- enum:
- byte-order: big-endian
- doc: bitmask of enum nft_set_flags
key-type (u32)
- byte-order: big-endian
- doc: key data type, informational purpose only
key-len (u32)
- byte-order: big-endian
- doc: key data length
data-type (u32)
- byte-order: big-endian
- doc: mapping data type
data-len (u32)
- byte-order: big-endian
- doc: mapping data length
policy (u32)
- byte-order: big-endian
- doc: selection policy
desc (nest)
- nested-attributes:
- doc: set description
id (u32)
- doc: uniquely identifies a set within a transaction
timeout (u64)
- doc: default timeout value
gc-interval (u32)
- doc: garbage collection interval
userdata (binary)
- doc: user data
pad (pad)
obj-type (u32)
- byte-order: big-endian
- doc: stateful object type
handle (u64)
- byte-order: big-endian
- doc: set handle
expr (nest)
- nested-attributes:
- doc: set expression
- multi-attr: True
expressions (nest)
- nested-attributes:
- doc: list of expressions
set-desc-attrs
size (u32)
- byte-order: big-endian
- doc: number of elements in the set
concat (nest)
- nested-attributes:
- doc: description of the field concatenation
- multi-attr: True
set-desc-concat-attrs
elem (nest)
- nested-attributes:
set-field-attrs
len (u32)
- byte-order: big-endian
set-list-attrs
elem (nest)
- nested-attributes:
- multi-attr: True
setelem-attrs
key (nest)
- nested-attributes:
- doc: key value
data (nest)
- nested-attributes:
- doc: data value of the mapping
flags (binary)
- doc: bitmask of nft_set_elem_flags
timeout (u64)
- doc: timeout value
expiration (u64)
- doc: expiration time
userdata (binary)
- doc: user data
expr (nest)
- nested-attributes:
- doc: expression
objref (string)
- doc: stateful object reference
key-end (nest)
- nested-attributes:
- doc: closing key value (upper bound of an interval element)
expressions (nest)
- nested-attributes:
- doc: list of expressions
setelem-list-elem-attrs
elem (nest)
- nested-attributes:
- multi-attr: True
setelem-list-attrs
table (string)
set (string)
elements (nest)
- nested-attributes:
set-id (u32)
gen-attrs
id (u32)
- byte-order: big-endian
- doc: ruleset generation ID
proc-pid (u32)
- byte-order: big-endian
proc-name (string)
obj-attrs
table (string)
- doc: name of the table containing the object
name (string)
- doc: name of this object
type (u32)
- enum:
- byte-order: big-endian
- doc: stateful object type
data (sub-message)
- sub-message:
- selector: type
- doc: stateful object data
use (u32)
- byte-order: big-endian
- doc: number of references to this object
handle (u64)
- byte-order: big-endian
- doc: object handle
pad (pad)
userdata (binary)
- doc: user data
quota-attrs
bytes (u64)
- byte-order: big-endian
flags (u32)
- byte-order: big-endian
- enum:
pad (pad)
consumed (u64)
- byte-order: big-endian
flowtable-attrs
table (string)
name (string)
hook (nest)
- nested-attributes:
use (u32)
- byte-order: big-endian
handle (u64)
- byte-order: big-endian
pad (pad)
flags (u32)
- byte-order: big-endian
flowtable-hook-attrs
num (u32)
- byte-order: big-endian
priority (u32)
- byte-order: big-endian
devs (nest)
- nested-attributes:
expr-bitwise-attrs
sreg (u32)
- byte-order: big-endian
dreg (u32)
- byte-order: big-endian
len (u32)
- byte-order: big-endian
mask (nest)
- nested-attributes:
xor (nest)
- nested-attributes:
op (u32)
- byte-order: big-endian
- enum:
data (nest)
- nested-attributes:
expr-cmp-attrs
sreg (u32)
- byte-order: big-endian
op (u32)
- byte-order: big-endian
- enum:
data (nest)
- nested-attributes:
data-attrs
value (binary)
verdict (nest)
- nested-attributes:
verdict-attrs
code (u32)
- byte-order: big-endian
- enum:
chain (string)
chain-id (u32)
expr-counter-attrs
bytes (u64)
- doc: number of bytes
packets (u64)
- doc: number of packets
pad (pad)
expr-fib-attrs
dreg (u32)
- byte-order: big-endian
result (u32)
- byte-order: big-endian
- enum:
flags (u32)
- byte-order: big-endian
- enum:
expr-ct-attrs
dreg (u32)
- byte-order: big-endian
key (u32)
- byte-order: big-endian
- enum:
direction (u8)
- enum:
sreg (u32)
- byte-order: big-endian
expr-flow-offload-attrs
name (string)
- doc: flow offload table name
expr-immediate-attrs
dreg (u32)
- byte-order: big-endian
data (nest)
- nested-attributes:
expr-lookup-attrs
set (string)
- doc: name of the set to use
set-id (u32)
- byte-order: big-endian
- doc: ID of the set to use
sreg (u32)
- byte-order: big-endian
dreg (u32)
- byte-order: big-endian
flags (u32)
- byte-order: big-endian
- enum:
expr-meta-attrs
dreg (u32)
- byte-order: big-endian
key (u32)
- byte-order: big-endian
- enum:
sreg (u32)
- byte-order: big-endian
expr-nat-attrs
type (u32)
- byte-order: big-endian
family (u32)
- byte-order: big-endian
reg-addr-min (u32)
- byte-order: big-endian
reg-addr-max (u32)
- byte-order: big-endian
reg-proto-min (u32)
- byte-order: big-endian
reg-proto-max (u32)
- byte-order: big-endian
flags (u32)
- byte-order: big-endian
- enum:
- enum-as-flags: True
expr-payload-attrs
dreg (u32)
- byte-order: big-endian
base (u32)
- byte-order: big-endian
offset (u32)
- byte-order: big-endian
len (u32)
- byte-order: big-endian
sreg (u32)
- byte-order: big-endian
csum-type (u32)
- byte-order: big-endian
csum-offset (u32)
- byte-order: big-endian
csum-flags (u32)
- byte-order: big-endian
expr-reject-attrs
type (u32)
- byte-order: big-endian
- enum:
icmp-code (u8)
expr-target-attrs
name (string)
rev (u32)
- byte-order: big-endian
info (binary)
expr-tproxy-attrs
family (u32)
- byte-order: big-endian
reg-addr (u32)
- byte-order: big-endian
reg-port (u32)
- byte-order: big-endian
expr-objref-attrs
imm-type (u32)
- byte-order: big-endian
imm-name (string)
- doc: object name
set-sreg (u32)
- byte-order: big-endian
set-name (string)
- doc: name of the object map
set-id (u32)
- byte-order: big-endian
- doc: ID of the object map
Sub-messages
expr-ops
- bitwise
  - attribute-set:
- cmp
  - attribute-set:
- counter
  - attribute-set:
- ct
  - attribute-set:
- fib
  - attribute-set:
- flow_offload
  - attribute-set:
- immediate
  - attribute-set:
- lookup
  - attribute-set:
- meta
  - attribute-set:
- nat
  - attribute-set:
- objref
  - attribute-set:
- payload
  - attribute-set:
- quota
  - attribute-set:
- reject
  - attribute-set:
- target
  - attribute-set:
- tproxy
  - attribute-set:
obj-data
- counter
  - attribute-set:
- quota
  - attribute-set:
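Worked example, added here and not part of the kernel documentation, libnftnl or nft: a Python encoder and decoder for the wire format this page specifies. It serves the Operations section (a batch-begin / newtable / newchain / newrule / batch-end transaction, with the batch-begin genid attribute) and the attribute-set and sub-message sections (nfgenmsg fixed header, nested attributes, big-endian u32 attributes, NUL-terminated strings, and the expr-ops sub-message selected by the expression name). The numeric values are assumptions, since the page lists names only: the nlmsg/nfnetlink/nf_tables constants come from the uapi headers linux/netlink.h, linux/netfilter/nfnetlink.h and linux/netfilter/nf_tables.h, and each attribute number is the attribute's 1-based position in the attribute set as listed above. Nothing is sent to a kernel; doing so would take an AF_NETLINK socket of protocol NETLINK_NETFILTER and CAP_NET_ADMIN.

```python
import struct

# Assumed numeric values from the uapi headers (the page gives names, not values).
NLM_F_REQUEST, NLM_F_ACK, NLM_F_CREATE, NLM_F_APPEND = 0x1, 0x4, 0x400, 0x800
NLA_F_NESTED, NLA_TYPE_MASK = 0x8000, 0x3FFF
NFNETLINK_V0, NFNL_SUBSYS_NFTABLES, NFNL_BATCH_GENID = 0, 10, 1
NFNL_MSG_BATCH_BEGIN, NFNL_MSG_BATCH_END = 0x10, 0x11
NFT_MSG_NEWTABLE, NFT_MSG_NEWCHAIN, NFT_MSG_NEWRULE = 0, 3, 6
NFPROTO_IPV4, NF_INET_LOCAL_IN, NF_DROP, NF_ACCEPT, NFT_REG_VERDICT = 2, 1, 0, 1, 0
# Attribute numbers: 1-based position of the attribute in the page's attribute-set listing.
NFTA_TABLE_NAME = 1
NFTA_CHAIN_TABLE, NFTA_CHAIN_NAME, NFTA_CHAIN_HOOK, NFTA_CHAIN_POLICY, NFTA_CHAIN_TYPE = 1, 3, 4, 5, 7
NFTA_HOOK_HOOKNUM, NFTA_HOOK_PRIORITY = 1, 2
NFTA_RULE_TABLE, NFTA_RULE_CHAIN, NFTA_RULE_EXPRESSIONS = 1, 2, 4
NFTA_LIST_ELEM, NFTA_EXPR_NAME, NFTA_EXPR_DATA = 1, 1, 2
NFTA_IMMEDIATE_DREG, NFTA_IMMEDIATE_DATA, NFTA_DATA_VERDICT, NFTA_VERDICT_CODE = 1, 2, 2, 1

def nla(atype, payload):
    """One attribute: host-order u16 length (header included, padding excluded),
    u16 type, payload, then padding to a 4-byte boundary."""
    return struct.pack("=HH", 4 + len(payload), atype) + payload + b"\0" * (-len(payload) % 4)

def nla_str(atype, s):            # strings are NUL-terminated on the wire
    return nla(atype, s.encode() + b"\0")

def nla_be32(atype, value):       # the page marks these u32 attributes byte-order: big-endian
    return nla(atype, struct.pack("!I", value))

def nla_nest(atype, *children):   # nest attributes carry NLA_F_NESTED in the type field
    return nla(atype | NLA_F_NESTED, b"".join(children))

def nfmsg(msg_type, flags, family, res_id, attrs, seq):
    """nlmsghdr (host order) + nfgenmsg fixed header (nfgen-family u8, version u8,
    res-id u16 big-endian) + attributes."""
    body = struct.pack("=BB", family, NFNETLINK_V0) + struct.pack("!H", res_id) + attrs
    return struct.pack("=IHHII", 16 + len(body), msg_type, flags, seq, 0) + body

def nft_msg(op, family, attrs, seq, flags=NLM_F_REQUEST | NLM_F_ACK | NLM_F_CREATE):
    """nftables operation: the nfnetlink subsystem id sits in the high byte of nlmsg_type."""
    return nfmsg((NFNL_SUBSYS_NFTABLES << 8) | op, flags, family, 0, attrs, seq)

def build_batch(table="filter", chain="input", genid=0):
    """batch-begin, newtable, newchain (base chain on the local-in hook, policy accept),
    newrule (one immediate expression loading verdict drop), batch-end.  Both batch
    markers carry NFNL_SUBSYS_NFTABLES in nfgenmsg.res-id; a non-zero genid is sent as
    the batch-begin genid attribute."""
    begin = nla_be32(NFNL_BATCH_GENID, genid) if genid else b""
    hook = nla_nest(NFTA_CHAIN_HOOK, nla_be32(NFTA_HOOK_HOOKNUM, NF_INET_LOCAL_IN),
                    nla_be32(NFTA_HOOK_PRIORITY, 0))
    verdict = nla_nest(NFTA_DATA_VERDICT, nla_be32(NFTA_VERDICT_CODE, NF_DROP))
    expr = nla_nest(NFTA_LIST_ELEM, nla_str(NFTA_EXPR_NAME, "immediate"),
                    nla_nest(NFTA_EXPR_DATA, nla_be32(NFTA_IMMEDIATE_DREG, NFT_REG_VERDICT),
                             nla_nest(NFTA_IMMEDIATE_DATA, verdict)))
    return b"".join([
        nfmsg(NFNL_MSG_BATCH_BEGIN, NLM_F_REQUEST, 0, NFNL_SUBSYS_NFTABLES, begin, 1),
        nft_msg(NFT_MSG_NEWTABLE, NFPROTO_IPV4, nla_str(NFTA_TABLE_NAME, table), 2),
        nft_msg(NFT_MSG_NEWCHAIN, NFPROTO_IPV4,
                nla_str(NFTA_CHAIN_TABLE, table) + nla_str(NFTA_CHAIN_NAME, chain) + hook
                + nla_be32(NFTA_CHAIN_POLICY, NF_ACCEPT) + nla_str(NFTA_CHAIN_TYPE, "filter"), 3),
        nft_msg(NFT_MSG_NEWRULE, NFPROTO_IPV4,
                nla_str(NFTA_RULE_TABLE, table) + nla_str(NFTA_RULE_CHAIN, chain)
                + nla_nest(NFTA_RULE_EXPRESSIONS, expr), 4,
                NLM_F_REQUEST | NLM_F_ACK | NLM_F_CREATE | NLM_F_APPEND),
        nfmsg(NFNL_MSG_BATCH_END, NLM_F_REQUEST, 0, NFNL_SUBSYS_NFTABLES, b"", 5),
    ])

def parse_attrs(buf):
    """Decode a run of attributes into [(type, payload)], keeping repeats (multi-attr).
    Nested payloads stay raw; recurse with the attribute set the page names for them.
    Every length is checked against the buffer so a hostile nla_len cannot read past it."""
    out, off = [], 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated attribute header at %d" % off)
        length, atype = struct.unpack_from("=HH", buf, off)
        if length < 4 or off + length > len(buf):
            raise ValueError("attribute length %d overruns buffer" % length)
        out.append((atype & NLA_TYPE_MASK, buf[off + 4:off + length]))
        off += (length + 3) & ~3
    return out

def get(attrs, atype):
    """All payloads carried by one attribute type."""
    return [p for t, p in attrs if t == atype]

def parse_batch(buf):
    """Split a batch into (nlmsg_type, nfgen-family, res-id, attrs) per message."""
    msgs, off = [], 0
    while off < len(buf):
        if off + 20 > len(buf):
            raise ValueError("truncated message at %d" % off)
        length, mtype, _flags, _seq, _pid = struct.unpack_from("=IHHII", buf, off)
        if length < 20 or off + length > len(buf):
            raise ValueError("nlmsg_len %d overruns buffer" % length)
        family, _version = struct.unpack_from("=BB", buf, off + 16)
        (res_id,) = struct.unpack_from("!H", buf, off + 18)
        msgs.append((mtype, family, res_id, parse_attrs(buf[off + 20:off + length])))
        off += (length + 3) & ~3
    return msgs

def rule_verdict(rule_attrs):
    """expressions -> elem -> name (the expr-ops sub-message selector) -> immediate data
    -> verdict code: the verdict loaded by the rule's first immediate expression."""
    for elem in get(parse_attrs(get(rule_attrs, NFTA_RULE_EXPRESSIONS)[0]), NFTA_LIST_ELEM):
        expr = parse_attrs(elem)
        if get(expr, NFTA_EXPR_NAME)[0].rstrip(b"\0") != b"immediate":
            continue
        imm = parse_attrs(get(expr, NFTA_EXPR_DATA)[0])
        data = parse_attrs(get(imm, NFTA_IMMEDIATE_DATA)[0])
        verdict = parse_attrs(get(data, NFTA_DATA_VERDICT)[0])
        return struct.unpack("!I", get(verdict, NFTA_VERDICT_CODE)[0])[0]
    raise ValueError("rule has no immediate expression")

def rejects(parser, data):
    """True when parser refuses data with ValueError (exercises the length checks)."""
    try:
        parser(data)
    except ValueError:
        return True
    return False
```

The decoder is the half a practitioner reuses: the same parse_batch/parse_attrs pair decodes the dumps that gettable, getchain or getrule return, and the length checks are what keeps a malformed or truncated nla_len from turning into an out-of-bounds read, which is the same validation the kernel applies to attributes it receives from userspace.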