Setting packet metainformation: Difference between revisions
Jump to navigation
Jump to search
(Created page with "You can set some metainformation in a packet: one of mark, priority or nftrace. Please note that you require a Linux kernel >= 3.14 to use these features. == mark == The fol...") |
(Added pkttype section. Moved intro description of keywords to the appropriate sections.) |
||
| (5 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
You can set some metainformation in a packet | You can set some [[Matching_packet_metainformation |metainformation]] in a packet. Please note that you require a Linux kernel >= 3.14 to use these features. | ||
== packet mark == | |||
== mark == | |||
The following example shows how to set the packet mark: | The following example shows how to set the packet mark: | ||
| Line 10: | Line 8: | ||
</source> | </source> | ||
== mark and conntrack mark == | |||
== packet mark and conntrack mark == | |||
You can save/restore conntrack mark like in iptables. | You can save/restore conntrack mark like in iptables. | ||
| Line 18: | Line 17: | ||
<source lang="bash"> | <source lang="bash"> | ||
% nft add rule filter forward meta mark 1 | % nft add rule filter forward meta mark set 1 | ||
% nft add rule filter forward ct mark set mark | % nft add rule filter forward ct mark set mark | ||
</source> | </source> | ||
| Line 27: | Line 26: | ||
</source> | </source> | ||
== priority == | |||
== packet secmark == | |||
* You can use [[Secmark|secmark objects]] to set [https://selinuxproject.org/page/NB_Networking#SECMARK SECMARK] labels on packets. | |||
* New in [https://marc.info/?l=netfilter&m=157532146917292&w=2 nftables 0.9.3], you can set the packet secmark from its associated [[Setting_packet_connection_tracking_metainformation#ct_secmark_set_-_Set_conntrack_secmark_from_packet_secmark|conntrack secmark]]: | |||
<source> | |||
meta secmark set ct secmark | |||
</source> | |||
== packet priority == | |||
You can set the priority of a packet. | You can set the priority of a packet. | ||
| Line 41: | Line 50: | ||
'''Warning''': There is a bug in the priority syntax that will be fixed in following versions of nftables. | '''Warning''': There is a bug in the priority syntax that will be fixed in following versions of nftables. | ||
Setting nftrace in a packet will report the journey through the nf_tables stack | == ''pkttype'' == | ||
You can set the [[Data_types#Other_types|packet type]]: | |||
<source> | |||
meta pkttype set {pkt_type} | |||
</source> | |||
== ''nftrace'' == | |||
Setting the [[Ruleset_debug/tracing|''nftrace'' debugging bit]] in a packet will report the journey through the nf_tables stack: | |||
<source lang="bash"> | <source lang="bash"> | ||
% nft add rule filter forward udp dport 53 meta nftrace set 1 | % nft add rule filter forward udp dport 53 meta nftrace set 1 | ||
</source> | </source> | ||
== combination of options == | == combination of options == | ||
Latest revision as of 18:33, 16 April 2021
You can set some metainformation in a packet. Please note that you require a Linux kernel >= 3.14 to use these features.
packet mark
The following example shows how to set the packet mark:
% nft add rule route output mark set 123
packet mark and conntrack mark
You can save/restore conntrack mark like in iptables.
In this example, the nf_tables engine set the packet mark to 1. In the last rule, that mark is store in the conntrack entry associated with the flow:
% nft add rule filter forward meta mark set 1
% nft add rule filter forward ct mark set mark
In this example, the conntrack mark is stored in the packet.
% nft add rule filter forward meta mark set ct mark
packet secmark
- You can use secmark objects to set SECMARK labels on packets.
- New in nftables 0.9.3, you can set the packet secmark from its associated conntrack secmark:
meta secmark set ct secmark
packet priority
You can set the priority of a packet.
This example shows a similar operation to what "-j CLASSIFY" does in iptables:
% nft add table mangle
% nft add chain postrouting {type route hook output priority -150\; }
% nft add rule mangle postrouting tcp sport 80 meta priority set 1
Warning: There is a bug in the priority syntax that will be fixed in following versions of nftables.
pkttype
You can set the packet type:
meta pkttype set {pkt_type}
nftrace
Setting the nftrace debugging bit in a packet will report the journey through the nf_tables stack:
% nft add rule filter forward udp dport 53 meta nftrace set 1
combination of options
Given the flexible design of nftables, remember you can perform several actions to a packet in one rule:
% nft add rule filter forward ip saddr 192.168.1.1 meta nftrace set 1 meta priority set 2 meta mark set 123