Logo

The Linux Kernel

6.10.0-rc1

Quick search

Contents

  • Development process
  • Submitting patches
  • Code of conduct
  • Maintainer handbook
  • All development-process docs
  • Core API
  • Driver APIs
  • Subsystems
    • Core subsystems
    • Human interfaces
    • Networking interfaces
      • Networking
      • NetLabel
      • InfiniBand
      • ISDN
      • MHI
    • Storage interfaces
    • Other subsystems
  • Locking
  • Licensing rules
  • Writing documentation
  • Development tools
  • Testing guide
  • Hacking guide
  • Tracing
  • Fault injection
  • Livepatching
  • Rust
  • Administration
  • Build system
  • Reporting issues
  • Userspace tools
  • Userspace API
  • Firmware
  • Firmware and Devicetree
  • CPU architectures
  • Unsorted documentation
  • Translations

This Page

  • Show Source

Family nftables netlink specification¶

Contents

  • Family nftables netlink specification

    • Summary

    • Operations

      • batch-begin

      • batch-end

      • newtable

      • gettable

      • deltable

      • destroytable

      • newchain

      • getchain

      • delchain

      • destroychain

      • newrule

      • getrule

      • getrule-reset

      • delrule

      • destroyrule

      • newset

      • getset

      • delset

      • destroyset

      • newsetelem

      • getsetelem

      • getsetelem-reset

      • delsetelem

      • destroysetelem

      • getgen

      • newobj

      • getobj

      • delobj

      • destroyobj

      • newflowtable

      • getflowtable

      • delflowtable

      • destroyflowtable

    • Multicast groups

    • Definitions

      • nfgenmsg

      • meta-keys

      • cmp-ops

      • object-type

      • nat-range-flags

      • table-flags

      • chain-flags

      • set-flags

    • Attribute sets

      • empty-attrs

      • batch-attrs

      • table-attrs

      • chain-attrs

      • counter-attrs

      • nft-hook-attrs

      • hook-dev-attrs

      • nft-counter-attrs

      • rule-attrs

      • expr-list-attrs

      • expr-attrs

      • rule-compat-attrs

      • set-attrs

      • set-desc-attrs

      • set-desc-concat-attrs

      • set-field-attrs

      • set-list-attrs

      • setelem-attrs

      • setelem-list-elem-attrs

      • setelem-list-attrs

      • gen-attrs

      • obj-attrs

      • quota-attrs

      • flowtable-attrs

      • flowtable-hook-attrs

      • expr-cmp-attrs

      • data-attrs

      • verdict-attrs

      • expr-counter-attrs

      • expr-flow-offload-attrs

      • expr-immediate-attrs

      • expr-meta-attrs

      • expr-nat-attrs

      • expr-payload-attrs

      • expr-tproxy-attrs

    • Sub-messages

      • expr-ops

      • obj-data

Summary¶

Netfilter nftables configuration over netlink.

Operations¶

batch-begin¶

Start a batch of operations

attribute-set:

batch-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[genid]

reply
attributes:

[genid]

batch-end¶

Finish a batch of operations

attribute-set:

batch-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[genid]

newtable¶

Create a new table.

attribute-set:

table-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[name]

gettable¶

Get / dump tables.

attribute-set:

table-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[name]

reply
attributes:

[name]

deltable¶

Delete an existing table.

attribute-set:

table-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[name]

destroytable¶

Delete an existing table with destroy semantics (ignoring ENOENT errors).

attribute-set:

table-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[name]

newchain¶

Create a new chain.

attribute-set:

chain-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[name]

getchain¶

Get / dump chains.

attribute-set:

chain-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[name]

reply
attributes:

[name]

delchain¶

Delete an existing chain.

attribute-set:

chain-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[name]

destroychain¶

Delete an existing chain with destroy semantics (ignoring ENOENT errors).

attribute-set:

chain-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[name]

newrule¶

Create a new rule.

attribute-set:

rule-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[name]

getrule¶

Get / dump rules.

attribute-set:

rule-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[name]

reply
attributes:

[name]

getrule-reset¶

Get / dump rules and reset stateful expressions.

attribute-set:

rule-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[name]

reply
attributes:

[name]

delrule¶

Delete an existing rule.

attribute-set:

rule-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[name]

destroyrule¶

Delete an existing rule with destroy semantics (ignoring ENOENT errors).

attribute-set:

rule-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[name]

newset¶

Create a new set.

attribute-set:

set-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[name]

getset¶

Get / dump sets.

attribute-set:

set-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[name]

reply
attributes:

[name]

delset¶

Delete an existing set.

attribute-set:

set-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[name]

destroyset¶

Delete an existing set with destroy semantics (ignoring ENOENT errors).

attribute-set:

set-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[name]

newsetelem¶

Create a new set element.

attribute-set:

setelem-list-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[name]

getsetelem¶

Get / dump set elements.

attribute-set:

setelem-list-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[name]

reply
attributes:

[name]

getsetelem-reset¶

Get / dump set elements and reset stateful expressions.

attribute-set:

setelem-list-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[name]

reply
attributes:

[name]

delsetelem¶

Delete an existing set element.

attribute-set:

setelem-list-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[name]

destroysetelem¶

Delete an existing set element with destroy semantics.

attribute-set:

setelem-list-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[name]

getgen¶

Get / dump rule-set generation.

attribute-set:

gen-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[name]

reply
attributes:

[name]

newobj¶

Create a new stateful object.

attribute-set:

obj-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[name]

getobj¶

Get / dump stateful objects.

attribute-set:

obj-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[name]

reply
attributes:

[name]

delobj¶

Delete an existing stateful object.

attribute-set:

obj-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[name]

destroyobj¶

Delete an existing stateful object with destroy semantics.

attribute-set:

obj-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[name]

newflowtable¶

Create a new flow table.

attribute-set:

flowtable-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[name]

getflowtable¶

Get / dump flow tables.

attribute-set:

flowtable-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[name]

reply
attributes:

[name]

delflowtable¶

Delete an existing flow table.

attribute-set:

flowtable-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[name]

destroyflowtable¶

Delete an existing flow table with destroy semantics.

attribute-set:

flowtable-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[name]

Multicast groups¶

  • mgmt

Definitions¶

nfgenmsg¶

type:

struct

members:
nfgen-family (u8):

version (u8):

res-id (u16):

meta-keys¶

type:

enum

entries:

  • len

  • protocol

  • priority

  • mark

  • iif

  • oif

  • iifname

  • oifname

  • iftype

  • oiftype

  • skuid

  • skgid

  • nftrace

  • rtclassid

  • secmark

  • nfproto

  • l4-proto

  • bri-iifname

  • bri-oifname

  • pkttype

  • cpu

  • iifgroup

  • oifgroup

  • cgroup

  • prandom

  • secpath

  • iifkind

  • oifkind

  • bri-iifpvid

  • bri-iifvproto

  • time-ns

  • time-day

  • time-hour

  • sdif

  • sdifname

  • bri-broute

cmp-ops¶

type:

enum

entries:

  • eq

  • neq

  • lt

  • lte

  • gt

  • gte

object-type¶

type:

enum

entries:

  • unspec

  • counter

  • quota

  • ct-helper

  • limit

  • connlimit

  • tunnel

  • ct-timeout

  • secmark

  • ct-expect

  • synproxy

nat-range-flags¶

type:

flags

entries:

  • map-ips

  • proto-specified

  • proto-random

  • persistent

  • proto-random-fully

  • proto-offset

  • netmap

table-flags¶

type:

flags

entries:

  • dormant

  • owner

  • persist

chain-flags¶

type:

flags

entries:

  • base

  • hw-offload

  • binding

set-flags¶

type:

flags

entries:

  • anonymous

  • constant

  • interval

  • map

  • timeout

  • eval

  • object

  • concat

  • expr

Attribute sets¶

empty-attrs¶

name (string)¶

batch-attrs¶

genid (u32)¶

byte-order:

big-endian

table-attrs¶

name (string)¶

doc:

name of the table

flags (u32)¶

byte-order:

big-endian

doc:

bitmask of flags

enum:

table-flags

enum-as-flags:

True

use (u32)¶

byte-order:

big-endian

doc:

number of chains in this table

handle (u64)¶

byte-order:

big-endian

doc:

numeric handle of the table

userdata (binary)¶

doc:

user data

chain-attrs¶

table (string)¶

doc:

name of the table containing the chain

handle (u64)¶

byte-order:

big-endian

doc:

numeric handle of the chain

name (string)¶

doc:

name of the chain

hook (nest)¶

nested-attributes:

nft-hook-attrs

doc:

hook specification for basechains

policy (u32)¶

byte-order:

big-endian

doc:

numeric policy of the chain

use (u32)¶

byte-order:

big-endian

doc:

number of references to this chain

type (string)¶

doc:

type name of the chain

counters (nest)¶

nested-attributes:

nft-counter-attrs

doc:

counter specification of the chain

flags (u32)¶

byte-order:

big-endian

doc:

chain flags

enum:

chain-flags

enum-as-flags:

True

id (u32)¶

byte-order:

big-endian

doc:

uniquely identifies a chain in a transaction

userdata (binary)¶

doc:

user data

counter-attrs¶

bytes (u64)¶

byte-order:

big-endian

packets (u64)¶

byte-order:

big-endian

pad (pad)¶

nft-hook-attrs¶

num (u32)¶

byte-order:

big-endian

priority (s32)¶

byte-order:

big-endian

dev (string)¶

doc:

net device name

devs (nest)¶

nested-attributes:

hook-dev-attrs

doc:

list of net devices

hook-dev-attrs¶

name (string)¶

multi-attr:

True

nft-counter-attrs¶

bytes (u64)¶

packets (u64)¶

rule-attrs¶

table (string)¶

doc:

name of the table containing the rule

chain (string)¶

doc:

name of the chain containing the rule

handle (u64)¶

byte-order:

big-endian

doc:

numeric handle of the rule

expressions (nest)¶

nested-attributes:

expr-list-attrs

doc:

list of expressions

compat (nest)¶

nested-attributes:

rule-compat-attrs

doc:

compatibility specifications of the rule

position (u64)¶

byte-order:

big-endian

doc:

numeric handle of the previous rule

userdata (binary)¶

doc:

user data

id (u32)¶

doc:

uniquely identifies a rule in a transaction

position-id (u32)¶

doc:

transaction unique identifier of the previous rule

chain-id (u32)¶

doc:

add the rule to chain by ID, alternative to chain name

expr-list-attrs¶

elem (nest)¶

nested-attributes:

expr-attrs

multi-attr:

True

expr-attrs¶

name (string)¶

doc:

name of the expression type

data (sub-message)¶

sub-message:

expr-ops

selector:

name

doc:

type specific data

rule-compat-attrs¶

proto (binary)¶

doc:

numeric value of the handled protocol

flags (binary)¶

doc:

bitmask of flags

set-attrs¶

table (string)¶

doc:

table name

name (string)¶

doc:

set name

flags (u32)¶

enum:

set-flags

byte-order:

big-endian

doc:

bitmask of enum nft_set_flags

key-type (u32)¶

byte-order:

big-endian

doc:

key data type, informational purpose only

key-len (u32)¶

byte-order:

big-endian

doc:

key data length

data-type (u32)¶

byte-order:

big-endian

doc:

mapping data type

data-len (u32)¶

byte-order:

big-endian

doc:

mapping data length

policy (u32)¶

byte-order:

big-endian

doc:

selection policy

desc (nest)¶

nested-attributes:

set-desc-attrs

doc:

set description

id (u32)¶

doc:

uniquely identifies a set in a transaction

timeout (u64)¶

doc:

default timeout value

gc-interval (u32)¶

doc:

garbage collection interval

userdata (binary)¶

doc:

user data

pad (pad)¶

obj-type (u32)¶

byte-order:

big-endian

doc:

stateful object type

handle (u64)¶

byte-order:

big-endian

doc:

set handle

expr (nest)¶

nested-attributes:

expr-attrs

doc:

set expression

multi-attr:

True

expressions (nest)¶

nested-attributes:

set-list-attrs

doc:

list of expressions

set-desc-attrs¶

size (u32)¶

byte-order:

big-endian

doc:

number of elements in set

concat (nest)¶

nested-attributes:

set-desc-concat-attrs

doc:

description of field concatenation

multi-attr:

True

set-desc-concat-attrs¶

elem (nest)¶

nested-attributes:

set-field-attrs

set-field-attrs¶

len (u32)¶

byte-order:

big-endian

set-list-attrs¶

elem (nest)¶

nested-attributes:

expr-attrs

multi-attr:

True

setelem-attrs¶

key (nest)¶

nested-attributes:

data-attrs

doc:

key value

data (nest)¶

nested-attributes:

data-attrs

doc:

data value of mapping

flags (binary)¶

doc:

bitmask of nft_set_elem_flags

timeout (u64)¶

doc:

timeout value

expiration (u64)¶

doc:

expiration time

userdata (binary)¶

doc:

user data

expr (nest)¶

nested-attributes:

expr-attrs

doc:

expression

objref (string)¶

doc:

stateful object reference

key-end (nest)¶

nested-attributes:

data-attrs

doc:

closing key value

expressions (nest)¶

nested-attributes:

expr-list-attrs

doc:

list of expressions

setelem-list-elem-attrs¶

elem (nest)¶

nested-attributes:

setelem-attrs

multi-attr:

True

setelem-list-attrs¶

table (string)¶

set (string)¶

elements (nest)¶

nested-attributes:

setelem-list-elem-attrs

set-id (u32)¶

gen-attrs¶

id (u32)¶

byte-order:

big-endian

doc:

ruleset generation id

proc-pid (u32)¶

byte-order:

big-endian

proc-name (string)¶

obj-attrs¶

table (string)¶

doc:

name of the table containing the expression

name (string)¶

doc:

name of this expression type

type (u32)¶

enum:

object-type

byte-order:

big-endian

doc:

stateful object type

data (sub-message)¶

sub-message:

obj-data

selector:

type

doc:

stateful object data

use (u32)¶

byte-order:

big-endian

doc:

number of references to this expression

handle (u64)¶

byte-order:

big-endian

doc:

object handle

pad (pad)¶

userdata (binary)¶

doc:

user data

quota-attrs¶

bytes (u64)¶

byte-order:

big-endian

flags (u32)¶

byte-order:

big-endian

pad (pad)¶

consumed (u64)¶

byte-order:

big-endian

flowtable-attrs¶

table (string)¶

name (string)¶

hook (nest)¶

nested-attributes:

flowtable-hook-attrs

use (u32)¶

byte-order:

big-endian

handle (u64)¶

byte-order:

big-endian

pad (pad)¶

flags (u32)¶

byte-order:

big-endian

flowtable-hook-attrs¶

num (u32)¶

byte-order:

big-endian

priority (u32)¶

byte-order:

big-endian

devs (nest)¶

nested-attributes:

hook-dev-attrs

expr-cmp-attrs¶

sreg (u32)¶

byte-order:

big-endian

op (u32)¶

byte-order:

big-endian

enum:

cmp-ops

data (nest)¶

nested-attributes:

data-attrs

data-attrs¶

value (binary)¶

verdict (nest)¶

nested-attributes:

verdict-attrs

verdict-attrs¶

code (u32)¶

byte-order:

big-endian

chain (string)¶

chain-id (u32)¶

expr-counter-attrs¶

bytes (u64)¶

doc:

Number of bytes

packets (u64)¶

doc:

Number of packets

pad (pad)¶

expr-flow-offload-attrs¶

name (string)¶

doc:

Flow offload table name

expr-immediate-attrs¶

dreg (u32)¶

byte-order:

big-endian

data (nest)¶

nested-attributes:

data-attrs

expr-meta-attrs¶

dreg (u32)¶

byte-order:

big-endian

key (u32)¶

byte-order:

big-endian

enum:

meta-keys

sreg (u32)¶

byte-order:

big-endian

expr-nat-attrs¶

type (u32)¶

byte-order:

big-endian

family (u32)¶

byte-order:

big-endian

reg-addr-min (u32)¶

byte-order:

big-endian

reg-addr-max (u32)¶

byte-order:

big-endian

reg-proto-min (u32)¶

byte-order:

big-endian

reg-proto-max (u32)¶

byte-order:

big-endian

flags (u32)¶

byte-order:

big-endian

enum:

nat-range-flags

enum-as-flags:

True

expr-payload-attrs¶

dreg (u32)¶

byte-order:

big-endian

base (u32)¶

byte-order:

big-endian

offset (u32)¶

byte-order:

big-endian

len (u32)¶

byte-order:

big-endian

sreg (u32)¶

byte-order:

big-endian

csum-type (u32)¶

byte-order:

big-endian

csum-offset (u32)¶

byte-order:

big-endian

csum-flags (u32)¶

byte-order:

big-endian

expr-tproxy-attrs¶

family (u32)¶

byte-order:

big-endian

reg-addr (u32)¶

byte-order:

big-endian

reg-port (u32)¶

byte-order:

big-endian

Sub-messages¶

expr-ops¶

  • bitwise

  • cmp
    attribute-set:

    expr-cmp-attrs

  • counter
    attribute-set:

    expr-counter-attrs

  • ct

  • flow_offload
    attribute-set:

    expr-flow-offload-attrs

  • immediate
    attribute-set:

    expr-immediate-attrs

  • lookup

  • meta
    attribute-set:

    expr-meta-attrs

  • nat
    attribute-set:

    expr-nat-attrs

  • payload
    attribute-set:

    expr-payload-attrs

  • tproxy
    attribute-set:

    expr-tproxy-attrs

obj-data¶

  • counter
    attribute-set:

    counter-attrs

  • quota
    attribute-set:

    quota-attrs

©The kernel development community. | Powered by Sphinx 7.3.7 & Alabaster 0.7.16 | Page source