Setting packet metainformation: Difference between revisions

From nftables wiki
Jump to navigation Jump to search
m (→‎mark and conntrack mark: fixed mark setting example)
(refresh introductory paragraph)
Line 1: Line 1:
You can set some metainformation in a packet: one of mark, priority or nftrace.
You can set some [[Matching_packet_metainformation |metainformation]] in a packet. Current supported options are:
* mark -- packet mark
* priority -- packet priority
* nftrace -- nftrace debugging bit
* pkttype -- packet type
* secmark -- packet secmark


Please note that you require a Linux kernel >= 3.14 to use these features.
Please note that you require a Linux kernel >= 3.14 to use these features.

Revision as of 10:43, 17 December 2019

You can set some metainformation in a packet. Current supported options are:

  • mark -- packet mark
  • priority -- packet priority
  • nftrace -- nftrace debugging bit
  • pkttype -- packet type
  • secmark -- packet secmark

Please note that you require a Linux kernel >= 3.14 to use these features.

mark

The following example shows how to set the packet mark:

% nft add rule route output mark set 123

mark and conntrack mark

You can save/restore conntrack mark like in iptables.

In this example, the nf_tables engine set the packet mark to 1. In the last rule, that mark is store in the conntrack entry associated with the flow:

% nft add rule filter forward meta mark set 1
% nft add rule filter forward ct mark set mark

In this example, the conntrack mark is stored in the packet.

% nft add rule filter forward meta mark set ct mark

priority

You can set the priority of a packet.

This example shows a similar operation to what "-j CLASSIFY" does in iptables:

% nft add table mangle
% nft add chain postrouting {type route hook output priority -150\; }
% nft add rule mangle postrouting tcp sport 80 meta priority set 1


Warning: There is a bug in the priority syntax that will be fixed in following versions of nftables.

nftrace

Setting nftrace in a packet will report the journey through the nf_tables stack.

% nft add rule filter forward udp dport 53 meta nftrace set 1

combination of options

Given the flexible design of nftables, remember you can perform several actions to a packet in one rule:

% nft add rule filter forward ip saddr 192.168.1.1 meta nftrace set 1 meta priority set 2 meta mark set 123