Setting packet metainformation: Difference between revisions

From nftables wiki
(Added secmark section, showing how to set packet secmark from conntrack secmark.)
(Added pkttype section. Moved intro description of keywords to the appropriate sections.)
Latest revision as of 18:33, 16 April 2021

You can set some metainformation in a packet. Please note that you require a Linux kernel >= 3.14 to use these features.

packet mark

The following example shows how to set the packet mark:

% nft add rule route output mark set 123


packet mark and conntrack mark

You can save/restore conntrack mark like in iptables.

In this example, the nf_tables engine sets the packet mark to 1. In the last rule, that mark is stored in the conntrack entry associated with the flow:

% nft add rule filter forward meta mark set 1
% nft add rule filter forward ct mark set mark

In this example, the conntrack mark is restored into the packet mark:

% nft add rule filter forward meta mark set ct mark
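A constructed ruleset, added here and not part of the wiki page, that combines the save and restore steps above into one chain so that a flow is classified only on its first packet (the table and chain names and the mark values are assumptions); it is loaded with nft -f:

```nft
# Constructed example (not from the nftables wiki): classify a flow once on
# its first packet, store the result in the conntrack entry, and restore it
# on every later packet so the classification rules are not re-evaluated.
# Table and chain names and mark values are assumptions.
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # restore the saved conntrack mark into the packet mark
        meta mark set ct mark

        # flows already classified carry a non-zero mark: skip the rest
        meta mark != 0 accept

        # classification for new flows (mark 1 = DNS, mark 2 = HTTP)
        udp dport 53 meta mark set 1
        tcp dport 80 meta mark set 2

        # save the packet mark into the conntrack entry of this flow
        meta mark != 0 ct mark set meta mark
    }
}
```

On the first packet of a DNS flow the restore yields 0, the flow is marked 1 and the mark is saved; every following packet of that flow gets mark 1 back from conntrack and leaves the chain at the accept rule.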


packet secmark

meta secmark set ct secmark


packet priority

You can set the priority of a packet.

This example shows a similar operation to what "-j CLASSIFY" does in iptables:

% nft add table mangle
% nft add chain mangle postrouting {type route hook output priority -150\; }
% nft add rule mangle postrouting tcp sport 80 meta priority set 1


Warning: There is a bug in the priority syntax that will be fixed in later versions of nftables.


pkttype

You can set the packet type:

meta pkttype set {pkt_type}


nftrace

Setting the nftrace debugging bit in a packet will report the journey through the nf_tables stack:

% nft add rule filter forward udp dport 53 meta nftrace set 1


combination of options

Given the flexible design of nftables, remember that you can perform several actions on a packet in one rule:

% nft add rule filter forward ip saddr 192.168.1.1 meta nftrace set 1 meta priority set 2 meta mark set 123