Data types
nft describe
You can use nft describe to get information about a data type, to find out the data type of a particular selector, and to list predefined symbolic constants for that selector. Some examples:
```
% nft describe iif
meta expression, datatype iface_index (network interface index) (basetype integer), 32 bits
% nft describe iifname
meta expression, datatype ifname (network interface name) (basetype string), 16 characters
% nft describe tcp flags
payload expression, datatype tcp_flag (TCP flag) (basetype bitmask, integer), 8 bits
pre-defined symbolic constants (in hexadecimal):
        fin                             0x01
        syn                             0x02
        rst                             0x04
        psh                             0x08
        ack                             0x10
        urg                             0x20
        ecn                             0x40
        cwr                             0x80
```
List of data types
Date and time types
| Data Type | Description | Expressions | Notes |
|---|---|---|---|
| day | Day of week of packet reception (8 bit integer, with pre-defined symbolic constants). | meta day | Sunday = 0, Saturday = 6. Symbolic constants are case insensitive, and unique abbreviations are accepted: Sun = sun = Sunday = 0. |
| hour | Hour of day of packet reception (32 bit integer). Specify as string in 24-hour format, hh:mm[:ss]. | meta hour | Seconds are optional: 17:00 = 17:00:00. |
| time | Relative time of packet reception (64 bit integer). | meta time | Can be specified as a date in ISO format, i.e. "2019-06-06 17:00". Hour and seconds are optional and can be omitted if desired. If omitted, midnight will be assumed. The following three are equivalent: "2019-06-06" = "2019-06-06 00:00" = "2019-06-06 00:00:00". When an integer is specified, it is assumed to be a UNIX timestamp. |
Network interface types
| Data Type | Description | Expressions | Notes |
|---|---|---|---|
| devgroup | Device group (32 bit integer). | meta {iifgroup \| oifgroup} | Can be specified numerically or as symbolic name defined in /etc/iproute2/group. |
| iface_index | Interface index (32 bit integer). | meta {iif \| oif} | Can be specified numerically or as name of an existing interface. Use ifname instead for interfaces whose name and/or index can change (i.e. those that appear / disappear dynamically). |
| iface_type | Interface type (16 bit integer, with pre-defined symbolic constants). | meta {iiftype \| oiftype} | |
| ifkind | Interface kind name (16 byte string). | meta {iifkind \| oifkind} | dev->rtnl_link_ops->kind. The man 8 ip-link TYPES section lists valid ifkinds. It's missing at least one: tun. |
| ifname | Interface name (16 byte string). | meta {iifname \| oifname} | Does not have to exist. Slower than iface_index but good for interfaces that can dynamically appear / disappear. |
Ethernet types
| Data Type | Description | Expressions | Notes |
|---|---|---|---|
| ether_addr | Ethernet address (48 bit integer). | | |
| ether_type | EtherType (16 bit integer, with pre-defined symbolic constants). | meta protocol | ether.h has known types. NOTE that ether.h lists EtherTypes in network order, while nft uses little-endian order on x86. (Check output of nft describe ether_type.) |
ARP types
| Data Type | Description | Expressions | Notes |
|---|---|---|---|
| | ARP HLEN, hardware address length in octets (8 bit integer) | arp hlen «HLEN» | Unnamed 8-bit integer in nftables. For ethernet HLEN = 6. |
| | ARP HTYPE, hardware type (16 bit integer) | arp htype «HTYPE» | Unnamed 16-bit integer in nftables. if_arp.h has known types. |
| | ARP PLEN, internetwork address length in octets (8 bit integer) | arp plen «PLEN» | Unnamed 8-bit integer in nftables. For IPv4 PLEN = 4. |
| arp_op | ARP operation (16 bit integer, with pre-defined symbolic constants). | arp operation «arp_op» | |
IP types
| Data Type | Description | Expressions | Notes |
|---|---|---|---|
| inet_proto | Internet protocol (8 bit integer, with pre-defined symbolic constants). | | in.h has known types. |
| inet_service | Network service port number (16 bit integer). | | |
| ipv4_addr | IPv4 address (32 bit integer). | | |
| ipv6_addr | IPv6 address (128 bit integer). | | |
Conntrack types
| Data Type | Description | Expressions | Notes |
|---|---|---|---|
| ct_dir | Conntrack direction (8 bit integer). | | Symbolic constants: original = 0, reply = 1. |
| ct_event | Conntrack event bits (4 byte bitmask). | | Symbolic constants: new = 1, related = 2, destroy = 4, reply = 8, assured = 16, protoinfo = 32, helper = 64, mark = 128, seqadj = 256, secmark = 512, label = 1024. |
| ct_label | Conntrack label (128 bit bitmask). | | |
| ct_state | Conntrack state (4 byte bitmask). | | Symbolic constants: invalid = 1, established = 2, related = 4, new = 8, untracked = 64. |
| ct_status | Conntrack status (4 byte bitmask). | | Symbolic constants: expected = 1, seen-reply = 2, assured = 4, confirmed = 8, snat = 16, dnat = 32, dying = 512. |
Other types
| Data Type | Description | Expressions | Notes |
|---|---|---|---|
| gid | Group ID (32 bit integer). | meta skgid | Can be specified numerically or as group name. |
| mark | Packet mark (32 bit integer). | | |
| pkt_type | Packet type (8 bit integer, with pre-defined symbolic constants). | meta pkttype | |
| realm | Routing Realm (32 bit integer). | meta rtclassid | Can be specified numerically or as symbolic name defined in /etc/iproute2/rt_realms. Routing realm references: |
| uid | User ID (32 bit integer). | meta skuid | Can be specified numerically or as user name. |
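
As an added illustration (not part of the original page), the ruleset below uses several of the listed types in an input filter: the ct_state and tcp_flag bitmasks, iface_index versus ifname, and the day and hour types. The table name types_demo, the interface name wg0 and the SSH policy are assumptions chosen for the example.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the original page. "types_demo", "wg0" and the
# SSH policy are assumptions made for illustration.

table inet types_demo {
    chain input {
        type filter hook input priority 0; policy drop;

        # ct_state (bitmask): a comma-separated list matches when any of
        # the listed bits is set.
        ct state established,related accept
        ct state invalid drop

        # iface_index: the name is resolved to an index when the ruleset
        # is loaded, so the interface has to exist at that moment.
        # "lo" always does.
        iif "lo" accept

        # tcp_flag (bitmask): mask the bits of interest, then compare.
        # A new TCP connection whose first packet is not a plain SYN is dropped.
        tcp flags & (fin | syn | rst | ack) != syn ct state new drop

        # day: symbolic constants, Sunday = 0 ... Saturday = 6.
        # No new SSH sessions at weekends.
        tcp dport 22 meta day "Saturday" drop
        tcp dport 22 meta day "Sunday" drop

        # ifname: compared as a string for each packet, so wg0 does not
        # have to exist when the ruleset is loaded.
        # hour: 24-hour hh:mm[:ss] strings, used here as a range.
        iifname "wg0" tcp dport 22 meta hour "09:00"-"17:00" accept
    }
}
```

Running nft describe on a selector used here (for example nft describe ct state) shows its data type and symbolic constants, as in the examples at the top of the page.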