Data types
nft describe
You can use nft describe to get information about a data type, to find out the data type of a particular selector, and to list predefined symbolic constants for that selector. Some examples:
% nft describe iif meta expression, datatype iface_index (network interface index) (basetype integer), 32 bits % nft describe iifname meta expression, datatype ifname (network interface name) (basetype string), 16 characters % nft describe tcp flags payload expression, datatype tcp_flag (TCP flag) (basetype bitmask, integer), 8 bits pre-defined symbolic constants (in hexadecimal): fin 0x01 syn 0x02 rst 0x04 psh 0x08 ack 0x10 urg 0x20 ecn 0x40 cwr 0x80
List of data types
Date and time types
Date and time types | |||
---|---|---|---|
Data Type | Description | Expressions | Notes |
day | Day of week of packet reception (8 bit integer, with pre-defined symbolic constants):
|
meta day | Sunday = 0, Saturday = 6.
Symbolic constants are case insensitive, and unique abbreviations are accepted: Sun = sun = Sunday = 0. |
hour | Hour of day of packet reception (32 bit integer).
Specify as string in 24-hour format, hh:mm[:ss]. |
meta hour | Seconds are optional: 17:00 = 17:00:00. |
time | Relative time of packet reception (64 bit integer). | meta time | Can be specified as a date in ISO format, i.e. "2019-06-06 17:00". Hour and seconds are optional and can be omitted if desired. If omitted, midnight will be assumed. The following three are equivalent: "2019-06-06" = "2019-06-06 00:00" = "2019-06-06 00:00:00".
When an integer is specified, it is assumed to be a UNIX timestamp. |
Network interface types
Network interface types | |||
---|---|---|---|
Data Type | Description | Expressions | Notes |
devgroup | Device group (32 bit integer). | meta {iifgroup | oifgroup} | Can be specified numerically or as symbolic name defined in /etc/iproute2/group. |
iface_index | Interface index (32 bit integer). | meta {iif | oif} | Can be specified numerically or as name of an existing interface.
Use ifname instead for interfaces whose name and/or index can change (i.e. those that appear / disappear dynamically). |
iface_type | Interface type (16 bit integer, with pre-defined symbolic constants):
|
meta {iiftype | oiftype} | |
ifkind | Interface kind name (16 byte string). | meta {iifkind | oifkind} | dev->rtnl_link_ops->kind
The man 8 ip-link TYPES section lists valid ifkinds. It's missing at least one: tun. |
ifname | Interface name (16 byte string). | meta {iifname | oifname} | Does not have to exist.
Slower than iface_index but good for interfaces that can dynamically appear / disappear. |
Ethernet types
Ethernet types | |||
---|---|---|---|
Data Type | Description | Expressions | Notes |
ether_addr | Ethernet address (48 bit integer). |
|
|
ether_type | EtherType (16 bit integer, with pre-defined symbolic constants):
|
meta protocol | ether.h has known types.
NOTE that ether.h lists EtherTypes in network order, while nft uses little-endian order on x86. (Check output of nft describe ether_type.) |
ARP types
ARP types | |||
---|---|---|---|
Data Type | Description | Expressions | Notes |
ARP HLEN, hardware address length in octets (8 bit integer) | arp hlen «HLEN» | Unnamed 8-bit integer in nftables.
For ethernet HLEN = 6. | |
ARP HTYPE, hardware type (16 bit integer) | arp htype «HTYPE» | Unnamed 16-bit integer in nftables.
if_arp.h has known types. | |
ARP PLEN, internetwork address length in octets (8 bit integer) | arp plen «PLEN» | Unnamed 8-bit integer in nftables.
For IPv4 PLEN = 4. | |
arp_op | ARP operation (16 bit integer, with pre-defined symbolic constants):
|
arp operation «arp_op» |
IP types
IP types | |||
---|---|---|---|
Data Type | Description | Expressions | Notes |
inet_proto | Internet protocol (8 bit integer, with pre-defined symbolic constants):
|
|
in.h has known types. |
inet_service | Network service port number (16 bit integer). | ||
ipv4_addr | IPv4 address (32 bit integer). |
|
|
ipv6_addr | IPv6 address (128 bit integer). |
|
Conntrack types
Conntrack types | |||
---|---|---|---|
Data Type | Description | Expressions | Notes |
ct_dir | Conntrack direction (8 bit integer). | Symbolic constants:
original 0 reply 1 | |
ct_event | Conntrack event bits (4 byte bitmask). | Symbolic constants:
new 1 related 2 destroy 4 reply 8 assured 16 protoinfo 32 helper 64 mark 128 seqadj 256 secmark 512 label 1024 | |
ct_label | Conntrack label (128 bit bitmask). | ||
ct_state | Conntrack state (4 byte bitmask). | Symbolic constants:
invalid 1 established 2 related 4 new 8 untracked 64 | |
ct_status | Conntrack status (4 byte bitmask). | Symbolic constants:
expected 1 seen-reply 2 assured 4 confirmed 8 snat 16 dnat 32 dying 512 |
Other types
Other types | |||
---|---|---|---|
Data Type | Description | Expressions | Notes |
gid | Group ID (32 bit integer). | meta skgid | Can be specified numerically or as group name. |
mark | Packet mark (32 bit integer). | ||
pkt_type | Packet type (8 bit integer, with pre-defined symbolic constants):
|
meta pkttype | |
realm | Routing Realm (32 bit integer). | meta rtclassid | Can be specified numerically or as symbolic name defined in /etc/iproute2/rt_realms.
Routing realm references: |
uid | User ID (32 bit integer). | meta skuid | Can be specified numerically or as user name. |