I have compiled and collected information about nftables. It is fairly long, so save it and come back to it when you need it.
Tables
family refers to one of the following table types: ip, arp, ip6, bridge, inet, netdev. The default is ip.
nft list tables [<family>]
nft [-n] [-a] list table [<family>] <name>
nft (add | delete | flush) table [<family>] <name>
The -n option prints addresses and other information that is normally shown by name in numeric form. The -a option shows the handle (the numeric identifier) of each rule.
Chains
type
The type of chain to create. Possible types are:
- filter: supported by the arp, bridge, ip, ip6 and inet table families.
- route: marks packets (similar to the mangle function of the output hook; for other hooks use the filter type instead); supported by ip and ip6.
- nat: used to perform Network Address Translation; supported by ip and ip6.
hook
The specific stage of kernel packet processing at which the chain is attached.
Hooks available for the ip, ip6 and inet families: prerouting, input, forward, output, postrouting. Hooks available for the arp family: input, output. Hooks available for the netdev family: ingress, egress.
priority
A number that decides the order in which chains registered at the same Netfilter hook point are run: the lower the value, the earlier the chain runs; the higher the value, the later it runs.
| Priority name | Kernel constant | Value |
|---|---|---|
| conntrack_defrag | NF_IP_PRI_CONNTRACK_DEFRAG | -400 |
| selinux_first | NF_IP_PRI_SELINUX_FIRST | -225 |
| conntrack | NF_IP_PRI_CONNTRACK | -200 |
| nat_dst | NF_IP_PRI_NAT_DST | -100 |
| security | NF_IP_PRI_SECURITY | 50 |
| nat_src | NF_IP_PRI_NAT_SRC | 100 |
| selinux_last | NF_IP_PRI_SELINUX_LAST | 225 |
| conntrack_helper | NF_IP_PRI_CONNTRACK_HELPER | 300 |
policy
The default verdict that controls what happens to packets in a base chain.
Possible values: accept (the default) and drop.
Warning: setting the policy to drop discards every packet that is not accepted by the ruleset.
nft (add | create) chain [<family>] <table> <name> [ { type <type> hook <hook> [device <device>] priority <priority> ; [policy <policy> ;] } ]
nft (delete | list | flush) chain [<family>] <table> <name>
nft rename chain [<family>] <table> <name> <newname>
Rules
handle is an internal number that identifies a particular rule.
nft add rule [<family>] <table> <chain> <matches> <statement>
nft insert rule [<family>] <table> <chain> [position <position>] <matches> <statement>
nft replace rule [<family>] <table> <chain> [handle <handle>] <matches> <statement>
nft delete rule [<family>] <table> <chain> [handle <handle>]
By default an inserted rule is placed at the beginning of the chain. If position handle is given, the new rule is inserted before the existing rule that has that handle.
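As an added example that is not part of the original page, the table, chain, hook, priority and policy syntax above combined into one nft script for a small router, in the declarative file form that `nft -f` accepts (equivalent to issuing the add table / add chain / add rule commands one by one). The interface names eth0 and lan0, the 10.0.0.0/24 LAN and the host 10.0.0.5 are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original page: a small router with an
# uplink "eth0" and a LAN "lan0" (10.0.0.0/24). Interface names, the
# address range and the web server 10.0.0.5 are assumptions.

flush ruleset

table inet filter {
    # Base chain: type filter, input hook, named priority "filter" (0).
    # policy drop discards everything the rules below do not accept.
    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop
        meta iif lo accept

        # ICMP and ICMPv6 are needed for PMTU discovery and neighbour discovery.
        meta l4proto { icmp, ipv6-icmp } accept

        # Management services, reachable from the LAN only.
        iifname "lan0" ip saddr 10.0.0.0/24 tcp dport { ssh, http, https } accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        # LAN clients may open connections towards the uplink.
        iifname "lan0" oifname "eth0" accept
        # Port-forwarded traffic (rewritten by the nat table below) may enter.
        iifname "eth0" oifname "lan0" ct status dnat ip daddr 10.0.0.5 tcp dport 80 accept
    }

    # Outbound traffic from the router itself is allowed but counted.
    chain output {
        type filter hook output priority filter; policy accept;
        counter
    }
}

table ip nat {
    # nat chains use type nat. "dstnat" (-100) runs in prerouting before
    # filter-priority chains, so the forward chain above already sees the
    # translated destination; "srcnat" (100) runs after filter in postrouting.
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "eth0" tcp dport 8080 dnat to 10.0.0.5:80
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" ip saddr 10.0.0.0/24 masquerade
    }
}
```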
Matches
matches are the hooks used to access specific packet information and build filter conditions from it.
Ip
| Field | Description | Examples |
|---|---|---|
| dscp | Differentiated Services Code Point | ip dscp cs1<br>ip dscp != cs1<br>ip dscp 0x38<br>ip dscp != 0x20<br>ip dscp { cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef } |
| length | Total packet length | ip length 232<br>ip length != 233<br>ip length 333-435<br>ip length != 333-453<br>ip length { 333, 553, 673, 838 } |
| id | IP ID field of the IPv4 header | ip id 22<br>ip id != 233<br>ip id 33-45<br>ip id != 33-45<br>ip id { 33, 55, 67, 88 } |
| frag-off | | ip frag-off & 0x1fff != 0 # matches fragments<br>ip frag-off & 0x2000 != 0 # matches the MF flag<br>ip frag-off & 0x4000 != 0 # matches the DF flag |
| ttl | | ip ttl 0<br>ip ttl 233<br>ip ttl 33-55<br>ip ttl != 45-50<br>ip ttl { 43, 53, 45 }<br>ip ttl { 33-55 } |
| protocol | Upper layer protocol | ip protocol tcp<br>ip protocol 6<br>ip protocol != tcp<br>ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp } |
| checksum | IP header checksum | ip checksum 13172<br>ip checksum 22<br>ip checksum != 233<br>ip checksum 33-45<br>ip checksum != 33-45<br>ip checksum { 33, 55, 67, 88 }<br>ip checksum { 33-55 } |
| saddr | | ip saddr 192.168.2.0/24<br>ip saddr != 192.168.2.0/24<br>ip saddr 192.168.3.1<br>ip saddr != 1.1.1.1<br>ip saddr 1.1.1.1<br>ip saddr & 0xff == 1<br>ip saddr & 0.0.0.255 < 0.0.0.127 |
| daddr | Destination address | ip daddr 192.168.0.1<br>ip daddr != 192.168.0.1<br>ip daddr 192.168.0.1-192.168.0.250<br>ip daddr 10.0.0.0-10.255.255.255<br>ip daddr 172.16.0.0-172.31.255.255<br>ip daddr 192.168.3.1-192.168.4.250<br>ip daddr != 192.168.0.1-192.168.0.250<br>ip daddr { 192.168.0.1-192.168.0.250 }<br>ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } |
| version | IP header version | ip version 4 |
| hdrlength | IP header length | ip hdrlength 0 |
Ip6
| Field | Description | Examples |
|---|---|---|
| dscp | Differentiated Services Code Point | ip6 dscp cs1<br>ip6 dscp != cs1<br>ip6 dscp 0x38<br>ip6 dscp != 0x20<br>ip6 dscp { cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef } |
| flowlabel | | ip6 flowlabel 22<br>ip6 flowlabel != 233<br>ip6 flowlabel { 33, 55, 67, 88 }<br>ip6 flowlabel { 33-55 } |
| length | | ip6 length 232<br>ip6 length != 233<br>ip6 length 333-435<br>ip6 length != 333-453<br>ip6 length { 333, 553, 673, 838 } |
| nexthdr | Next header protocol | ip6 nexthdr { esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6 }<br>ip6 nexthdr 22<br>ip6 nexthdr != 33-45 |
| hoplimit | | ip6 hoplimit 22<br>ip6 hoplimit != 233<br>ip6 hoplimit 33-45<br>ip6 hoplimit {33, 55, 67, 88}<br>ip6 hoplimit {33-55} |
| saddr | | ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234<br>ip6 saddr 1234:1234::1234<br>ip6 saddr ::1234:1234:1234:1234:1234:1234:1234<br>ip6 saddr ::/64<br>ip6 saddr != ::1234:1234:1234:1234:1234:1234:1234<br>ip6 saddr 1234::1234:1234:1234:1234:1234:1234<br>ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234/64 |
| daddr | Destination address | ip6 daddr 1234:1234:1234:1234:1234:1234:1234:1234<br>ip6 daddr != 1234:1234::1234<br>ip6 daddr 1234:1234::1234<br>ip6 daddr ::1234:1234:1234:1234:1234:1234:1234<br>ip6 daddr ::/64<br>ip6 daddr 1234::1234:1234:1234:1234:1234:1234<br>ip6 daddr 1234:1234:1234:1234:1234:1234:1234:1234/64 |
Tcp
| Field | Description | Examples |
|---|---|---|
| dport | | tcp dport 22<br>tcp dport != 33-45<br>tcp dport { 33-55 }<br>tcp dport { telnet, http, https }<br>tcp dport vmap { 22 : accept, 23 : drop }<br>tcp dport vmap { 25:accept, 28:drop } |
| sport | | tcp sport 22<br>tcp sport != 33-45<br>tcp sport { 33, 55, 67, 88 }<br>tcp sport { 33-55 }<br>tcp sport vmap { 25:accept, 28:drop }<br>tcp sport 1024 tcp dport 22 |
| sequence | | tcp sequence 22<br>tcp sequence != 33-45<br>tcp sequence { 33, 55, 67, 88 }<br>tcp sequence { 33-55 } |
| ackseq | Acknowledgment number | tcp ackseq 22<br>tcp ackseq != 33-45<br>tcp ackseq { 33, 55, 67, 88 }<br>tcp ackseq { 33-55 } |
| flags | | tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr }<br>tcp flags cwr<br>tcp flags != cwr |
| window | | tcp window 22<br>tcp window != 33-45<br>tcp window { 33, 55, 67, 88 }<br>tcp window { 33-55 } |
| checksum | | tcp checksum 22<br>tcp checksum != 33-45<br>tcp checksum { 33, 55, 67, 88 }<br>tcp checksum { 33-55 } |
| urgptr | | tcp urgptr 22<br>tcp urgptr != 33-45<br>tcp urgptr { 33, 55, 67, 88 } |
| doff | | tcp doff 8 |
Udp
| Field | Description | Examples |
|---|---|---|
| dport | | udp dport 22<br>udp dport != 33-45<br>udp dport { 33-55 }<br>udp dport { telnet, http, https }<br>udp dport vmap { 22 : accept, 23 : drop }<br>udp dport vmap { 25:accept, 28:drop } |
| sport | | udp sport 22<br>udp sport != 33-45<br>udp sport { 33, 55, 67, 88 }<br>udp sport { 33-55 }<br>udp sport vmap { 25:accept, 28:drop }<br>udp sport 1024 udp dport 22 |
| length | Total packet length | udp length 6666<br>udp length != 50-65<br>udp length { 50, 65 }<br>udp length { 35-50 } |
| checksum | | udp checksum 22<br>udp checksum != 33-45<br>udp checksum { 33, 55, 67, 88 }<br>udp checksum { 33-55 } |
Udplite
UDP checksums the whole datagram, so any corruption causes the packet to be dropped. UDP-Lite checksums only the header plus a chosen part of the payload, so errors in the remaining data do not cause a drop; it is designed to tolerate corruption on poor links.
| Field | Description | Examples |
|---|---|---|
| dport | | udplite dport 22<br>udplite dport != 33-45<br>udplite dport { 33-55 }<br>udplite dport { telnet, http, https }<br>udplite dport vmap { 22 : accept, 23 : drop }<br>udplite dport vmap { 25:accept, 28:drop } |
| sport | | udplite sport 22<br>udplite sport != 33-45<br>udplite sport { 33, 55, 67, 88 }<br>udplite sport { 33-55 }<br>udplite sport vmap { 25:accept, 28:drop }<br>udplite sport 1024 udplite dport 22 |
| checksum | | udplite checksum 22<br>udplite checksum != 33-45<br>udplite checksum { 33, 55, 67, 88 }<br>udplite checksum { 33-55 } |
Sctp
Protocol match for SCTP (Stream Control Transmission Protocol) packets; matches ports, checksum, verification tag and chunk types.
| Field | Description | Examples |
|---|---|---|
| dport | | sctp dport 22<br>sctp dport != 33-45<br>sctp dport { 33-55 }<br>sctp dport { telnet, http, https }<br>sctp dport vmap { 22 : accept, 23 : drop }<br>sctp dport vmap { 25:accept, 28:drop } |
| sport | | sctp sport 22<br>sctp sport != 33-45<br>sctp sport { 33, 55, 67, 88 }<br>sctp sport { 33-55 }<br>sctp sport vmap { 25:accept, 28:drop }<br>sctp sport 1024 sctp dport 22 |
| checksum | | sctp checksum 22<br>sctp checksum != 33-45<br>sctp checksum { 33, 55, 67, 88 }<br>sctp checksum { 33-55 } |
| vtag | | sctp vtag 22<br>sctp vtag != 33-45<br>sctp vtag { 33, 55, 67, 88 } |
| chunk | | sctp chunk init<br>sctp chunk init != 33-45<br>sctp chunk init { 33, 55, 67, 88 } |
| chunk | | sctp chunk init flags 0x1<br>sctp chunk init flags != 0x1<br>sctp chunk init flags { 0x1, 0x2 } |
Dccp
Match for DCCP (Datagram Congestion Control Protocol) packets; matches ports and packet type (request/data/ack, etc.).
| Field | Description | Examples |
|---|---|---|
| dport | | dccp dport 22<br>dccp dport != 33-45<br>dccp dport { 33-55 }<br>dccp dport { telnet, http, https }<br>dccp dport vmap { 22 : accept, 23 : drop }<br>dccp dport vmap { 25:accept, 28:drop } |
| sport | | dccp sport 22<br>dccp sport != 33-45<br>dccp sport { 33, 55, 67, 88 }<br>dccp sport { 33-55 }<br>dccp sport vmap { 25:accept, 28:drop }<br>dccp sport 1024 dccp dport 22 |
| type | DCCP packet type | dccp type { request, response, data, ack, dataack, closereq, close, reset, sync, syncack } |
Ah
Match for IPsec AH (Authentication Header, protocol number 51) packets; matches SPI, sequence number, header length and next-header protocol.
| Field | Description | Examples |
|---|---|---|
| nexthdr | Next header protocol (upper layer protocol) | ah nexthdr { esp, ah, comp, udp, udplite, tcp, dccp, sctp }<br>ah nexthdr 22<br>ah nexthdr != 33-45 |
| hdrlength | AH header length | ah hdrlength 11-23<br>ah hdrlength != 11-23<br>ah hdrlength { 11, 23, 44 } |
| reserved | | ah reserved 22<br>ah reserved != 33-45<br>ah reserved { 23, 100 }<br>ah reserved { 33-55 } |
| spi | | ah spi 111<br>ah spi != 111-222<br>ah spi { 111, 122 } |
| sequence | | ah sequence 123<br>ah sequence { 23, 25, 33 }<br>ah sequence != 23-33 |
Esp
Matches IPsec ESP (Encapsulating Security Payload, protocol number 50), which encrypts and encapsulates IPsec packets; matches SPI and sequence number.
| Field | Description | Examples |
|---|---|---|
| spi | | esp spi 111<br>esp spi != 111-222<br>esp spi { 111, 122 } |
| sequence | | esp sequence 123<br>esp sequence { 23, 25, 33 }<br>esp sequence != 23-33 |
Comp
comp: matches the IP Payload Compression Protocol (IPComp), an IP-layer compression protocol used to reduce the size of IPsec traffic.
| Field | Description | Examples |
|---|---|---|
| nexthdr | Next header protocol (upper layer protocol) | comp nexthdr != esp<br>comp nexthdr { esp, ah, comp, udp, udplite, tcp, dccp, sctp } |
| flags | | comp flags 0x0<br>comp flags != 0x33-0x45<br>comp flags { 0x33, 0x55, 0x67, 0x88 } |
| cpi | Compression Parameter Index | comp cpi 22<br>comp cpi != 33-45<br>comp cpi { 33, 55, 67, 88 } |
Icmp
| Field | Description | Examples |
|---|---|---|
| type | ICMP packet type | icmp type { echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation } |
| code | ICMP packet code | icmp code 111<br>icmp code != 33-55<br>icmp code { 2, 4, 54, 33, 56 } |
| checksum | ICMP packet checksum | icmp checksum 12343<br>icmp checksum != 11-343<br>icmp checksum { 1111, 222, 343 } |
| id | ICMP packet ID | icmp id 12343<br>icmp id != 11-343<br>icmp id { 1111, 222, 343 } |
| sequence | ICMP packet sequence | icmp sequence 12343<br>icmp sequence != 11-343<br>icmp sequence { 1111, 222, 343 } |
| mtu | ICMP packet MTU | icmp mtu 12343<br>icmp mtu != 11-343<br>icmp mtu { 1111, 222, 343 } |
| gateway | ICMP packet gateway | icmp gateway 12343<br>icmp gateway != 11-343<br>icmp gateway { 1111, 222, 343 } |
Icmpv6
| Field | Description | Examples |
|---|---|---|
| type | ICMPv6 packet type | icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, parameter-problem, mld2-listener-report } |
| code | ICMPv6 packet code | icmpv6 code 4<br>icmpv6 code 3-66<br>icmpv6 code { 5, 6, 7 } |
| checksum | ICMPv6 packet checksum | icmpv6 checksum 12343<br>icmpv6 checksum != 11-343<br>icmpv6 checksum { 1111, 222, 343 } |
| id | ICMPv6 packet ID | icmpv6 id 12343<br>icmpv6 id != 11-343<br>icmpv6 id { 1111, 222, 343 } |
| sequence | ICMPv6 packet sequence | icmpv6 sequence 12343<br>icmpv6 sequence != 11-343<br>icmpv6 sequence { 1111, 222, 343 } |
| mtu | ICMPv6 packet MTU | icmpv6 mtu 12343<br>icmpv6 mtu != 11-343<br>icmpv6 mtu { 1111, 222, 343 } |
| max-delay | ICMPv6 packet max delay | icmpv6 max-delay 22<br>icmpv6 max-delay != 33-45<br>icmpv6 max-delay { 33, 55, 67, 88 } |
Frag
Matches fragmented IP packets, so that fragments can be specifically allowed or dropped.
| Field | Description | Examples |
|---|---|---|
| nexthdr | Next header protocol | frag nexthdr { icmpv6, udplite, comp, udp, ah, sctp, esp, dccp, tcp }<br>frag nexthdr 22<br>frag nexthdr != 33-45 |
| reserved | | frag reserved 22<br>frag reserved != 33-45<br>frag reserved { 33, 55, 67, 88 } |
| frag-off | | frag frag-off 22<br>frag frag-off != 33-45<br>frag frag-off { 33, 55, 67, 88 } |
| more-fragments | | frag more-fragments 0 |
| id | | frag id 1 |
Hbh
IPv6 hop-by-hop options extension header: an extension header that every node along the path must parse and process.
| Field | Description | Examples |
|---|---|---|
| nexthdr | Next protocol header | hbh nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, icmpv6 }<br>hbh nexthdr 22<br>hbh nexthdr != 33-45 |
| hdrlength | | hbh hdrlength 22<br>hbh hdrlength != 33-45<br>hbh hdrlength { 33, 55, 67, 88 } |
Mh
IPv6 mobility extension header, carrying the control messages used by Mobile IPv6 for roaming and handover.
| Field | Description | Examples |
|---|---|---|
| nexthdr | Next protocol header | mh nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br>mh nexthdr 22<br>mh nexthdr != 33-45 |
| hdrlength | | mh hdrlength 22<br>mh hdrlength != 33-45<br>mh hdrlength { 33, 55, 67, 88 } |
| type | | mh type { binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message }<br>mh type home-agent-switch-message<br>mh type != home-agent-switch-message |
| reserved | | mh reserved 22<br>mh reserved != 33-45<br>mh reserved { 33, 55, 67, 88 } |
| checksum | | mh checksum 22<br>mh checksum != 33-45<br>mh checksum { 33, 55, 67, 88 } |
Rt
IPv6 routing extension header, used to specify intermediate nodes a packet should traverse (a custom forwarding path).
| Field | Description | Examples |
|---|---|---|
| nexthdr | Next protocol header | rt nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br>rt nexthdr 22<br>rt nexthdr != 33-45 |
| hdrlength | | rt hdrlength 22<br>rt hdrlength != 33-45<br>rt hdrlength { 33, 55, 67, 88 } |
| type | | rt type 22<br>rt type != 33-45<br>rt type { 33, 55, 67, 88 } |
| seg-left | | rt seg-left 22<br>rt seg-left != 33-45<br>rt seg-left { 33, 55, 67, 88 } |
Vlan
Matches the layer-2 802.1Q VLAN tag, to identify and filter VLAN-tagged Ethernet frames.
| Field | Description | Examples |
|---|---|---|
| id | | vlan id 4094 |
| cfi | | vlan cfi 0 |
| pcp | | vlan pcp 7 |
Arp
Layer-2 Address Resolution Protocol, the basic LAN protocol that maps between IP and MAC addresses.
| Field | Description | Examples |
|---|---|---|
| ptype | | arp ptype 0x0800 |
| htype | | arp htype 1<br>arp htype != 33-45<br>arp htype { 33, 55, 67, 88 } |
| hlen | | arp hlen 1<br>arp hlen != 33-45<br>arp hlen { 33, 55, 67, 88 } |
| plen | | arp plen 1<br>arp plen != 33-45<br>arp plen { 33, 55, 67, 88 } |
| operation | | arp operation { nak, inreply, inrequest, rreply, rrequest, reply, request } |
Ct
The stateful core of nftables: tracks and matches the state and metadata of the connection a packet belongs to.
| Field | Description | Examples |
|---|---|---|
| state | | ct state { new, established, related, untracked }<br>ct state != related<br>ct state established<br>ct state 8 |
| direction | Direction of the packet relative to the connection | ct direction original<br>ct direction != original<br>ct direction { reply, original } |
| status | | ct status expected<br>ct status != expected<br>ct status { expected, seen-reply, assured, confirmed, snat, dnat, dying } |
| mark [set] | | ct mark 0<br>ct mark != 0<br>ct mark 0x00000f00<br>ct mark != 0x00000f00<br>ct mark or 0x3 == 0x1<br>ct mark or 0x3 != 0x1<br>ct mark and 0x3 == 0x1<br>ct mark and 0x3 != 0x1<br>ct mark xor 0x3 == 0x1<br>ct mark xor 0x3 != 0x1<br>ct mark set 0x11 xor 0x10<br>ct mark set 0x11 or 0x10<br>ct mark set 0x11 and 0x10 |
| expiration | Connection expiration | ct expiration 30<br>ct expiration != 33-45<br>ct expiration 33s<br>ct expiration 1m30s<br>ct expiration { 1m7s, 33s, 55s, 1m28s } |
| helper "" | Helper associated with the connection [original \| reply] | ct helper "ftp" |
| bytes | [original \| reply] | ct original bytes > 100000<br>ct bytes > 100000 |
| packets | [original \| reply] | ct reply packets < 100 |
| ip saddr | [original \| reply] | ct original ip saddr 192.168.0.1<br>ct reply ip saddr 192.168.0.1<br>ct original ip saddr 192.168.1.0/24<br>ct reply ip saddr 192.168.1.0/24 |
| ip daddr | [original \| reply] | ct original ip daddr 192.168.0.1<br>ct reply ip daddr 192.168.0.1<br>ct original ip daddr 192.168.1.0/24<br>ct reply ip daddr 192.168.1.0/24 |
| l3proto | [original \| reply] | ct original l3proto ipv4 |
| protocol | [original \| reply] | ct original protocol 6 |
| proto-dst | [original \| reply] | ct original proto-dst 22 |
| proto-src | | ct reply proto-src 53 |
| count [over] | Requires an existing ssh_flood set, i.e. add set filter ssh_flood { type ipv4_addr; flags dynamic; } | tcp dport 22 add @ssh_flood { ip saddr ct count over 2 } reject |
Meta
Matches packets on metadata rather than payload: interface, length, mark, time and similar attributes.
| Field | Description | Examples |
|---|---|---|
| iifname | Input interface name | meta iifname "eth0"<br>meta iifname != "eth0"<br>meta iifname { "eth0", "lo" }<br>meta iifname "eth*" |
| oifname | Output interface name | meta oifname "eth0"<br>meta oifname != "eth0"<br>meta oifname { "eth0", "lo" }<br>meta oifname "eth*" |
| iif | Input interface index | meta iif eth0 |
| oif | Output interface index | meta oif lo<br>meta oif != lo<br>meta oif { eth0, lo } |
| iiftype | Input interface type | meta iiftype { ether, ppp, ipip, ipip6, loopback, sit, ipgre }<br>meta iiftype != ether<br>meta iiftype ether |
| oiftype | Output interface hardware type | meta oiftype { ether, ppp, ipip, ipip6, loopback, sit, ipgre }<br>meta oiftype != ether<br>meta oiftype ether |
| length | Packet length in bytes | meta length 1000<br>meta length != 1000<br>meta length > 1000<br>meta length 33-45<br>meta length != 33-45<br>meta length { 33, 55, 67, 88 }<br>meta length { 33-55, 67-88 } |
| protocol | Ethertype protocol | meta protocol ip<br>meta protocol != ip<br>meta protocol { ip, arp, ip6, vlan } |
| nfproto | | meta nfproto ipv4<br>meta nfproto != ipv6<br>meta nfproto { ipv4, ipv6 } |
| l4proto | | meta l4proto 22<br>meta l4proto != 233<br>meta l4proto 33-45<br>meta l4proto { 33, 55, 67, 88 }<br>meta l4proto { 33-55 } |
| mark [set] | | meta mark 0x4<br>meta mark 0x00000032<br>meta mark and 0x03 == 0x01<br>meta mark and 0x03 != 0x01<br>meta mark or 0x03 == 0x01<br>meta mark or 0x03 != 0x01<br>meta mark xor 0x03 == 0x01<br>meta mark xor 0x03 != 0x01<br>meta mark set 0xffffffc8 xor 0x16<br>meta mark set 0x16 and 0x16<br>meta mark set 0xffffffe9 or 0x16<br>meta mark set 0xffffffde and 0x16<br>meta mark set 0x10 or 0x10 |
| priority [set] | Traffic control priority | meta priority none<br>meta priority 0x1:0x2<br>meta priority 0x1<br>meta priority set 0x1:0x2 |
| secmark [set] | | meta secmark 0x4<br>meta secmark != 0x4<br>meta secmark 0xffffffde<br>meta secmark 0x00000032<br>meta secmark and 0x03 == 0x01<br>meta secmark and 0x03 != 0x01<br>meta secmark or 0x03 == 0x01<br>meta secmark or 0x03 != 0x01<br>meta secmark xor 0x03 == 0x01<br>meta secmark xor 0x03 != 0x01<br>meta secmark set 0xffffffc8 xor 0x16<br>meta secmark set 0x16 and 0x16<br>meta secmark set 0xffffffe9 or 0x16<br>meta secmark set 0xffffffde and 0x16<br>meta secmark set 0x10 or 0x10 |
| skuid | | meta skuid 3000<br>meta skuid != 3001-3005<br>meta skuid { 2001-2005 }<br>meta skuid { 3001-3005 } |
| skgid | | meta skgid 3000<br>meta skgid 3001-3005<br>meta skgid != 2001-2005<br>meta skgid { 2001-2005 } |
| rtclassid | | meta rtclassid cosmos |
| pkttype | | meta pkttype broadcast<br>meta pkttype != broadcast<br>meta pkttype { broadcast, unicast, multicast } |
| cpu | | meta cpu 1<br>meta cpu != 1<br>meta cpu 1-3<br>meta cpu != 1-2<br>meta cpu { 2,3 }<br>meta cpu { 2-3, 5-7 } |
| iifgroup | Input interface group | meta iifgroup 0<br>meta iifgroup != 0<br>meta iifgroup default<br>meta iifgroup != default<br>meta iifgroup { default }<br>meta iifgroup { 11,33 }<br>meta iifgroup { 11-33 } |
| oifgroup | Output interface group | meta oifgroup 0<br>meta oifgroup != 0<br>meta oifgroup default<br>meta oifgroup != default<br>meta oifgroup { default }<br>meta oifgroup { 11,33 }<br>meta oifgroup { 11-33 } |
| cgroup | | meta cgroup 1048577<br>meta cgroup != 1048577<br>meta cgroup { 1048577, 1048578 }<br>meta cgroup 1048577-1048578<br>meta cgroup != 1048577-1048578<br>meta cgroup { 1048577-1048578 } |
Statements
Statements are the actions performed when a packet matches a rule. A statement can be terminating or non-terminating. A single rule may contain several non-terminating statements but only one terminating statement.
Verdict statements
Verdict statements alter the control flow of the ruleset and make policy decisions for packets. The valid verdict statements are:
- accept: accept the packet and stop evaluating the remaining rules.
- queue: queue the packet to userspace and stop evaluating the remaining rules.
- continue: continue ruleset evaluation with the next rule.
- return: return from the current chain and continue at the next rule of the previous chain. In a base chain it is equivalent to accept.
- jump <chain>: continue evaluation at the first rule of <chain>. When a return statement is issued, evaluation resumes at the next rule of the calling chain.
- goto <chain>: like jump, but when evaluation of the new chain ends it continues in the previous chain, not in the chain that contains the goto statement.
Log
| Statement | Description | Examples |
|---|---|---|
| log | | |
| log level <level> [over] <size> [burst <burst>] | | log<br>log level emerg<br>log level alert<br>log level crit<br>log level err<br>log level warn<br>log level notice<br>log level info<br>log level debug |
| log group <group> [queue-threshold <threshold>] [snaplen <size>] [prefix "<prefix>"] | | log prefix aaaaa-aaaaaa group 2 snaplen 33<br>log group 2 queue-threshold 2<br>log group 2 snaplen 33 |
Reject
The default reject action uses ICMP type port-unreachable. icmpx is supported only in the inet family.
| Statement | Description | Examples |
|---|---|---|
| reject | | |
| reject with <type> type <type> | | reject<br>reject with icmp type host-unreachable<br>reject with icmp type net-unreachable<br>reject with icmp type prot-unreachable<br>reject with icmp type port-unreachable<br>reject with icmp type net-prohibited<br>reject with icmp type host-prohibited<br>reject with icmp type admin-prohibited<br>reject with icmpv6 type no-route<br>reject with icmpv6 type admin-prohibited<br>reject with icmpv6 type addr-unreachable<br>reject with icmpv6 type port-unreachable<br>reject with icmpx type host-unreachable<br>reject with icmpx type no-route<br>reject with icmpx type admin-prohibited<br>reject with icmpx type port-unreachable<br>ip protocol tcp reject with tcp reset |
Counter
| Statement | Description | Examples |
|---|---|---|
| counter packets <packets> bytes <bytes> | | counter<br>counter packets 0 bytes 0 |
Limit
| Statement | Description | Examples |
|---|---|---|
| limit rate [over] <rate> [burst <burst>] | | limit rate 400/minute<br>limit rate 400/hour<br>limit rate over 40/day<br>limit rate over 400/week<br>limit rate over 1023/second burst 10 packets<br>limit rate 1025 kbytes/second<br>limit rate 1023000 mbytes/second<br>limit rate 1025 bytes/second burst 512 bytes<br>limit rate 1025 kbytes/second burst 1023 kbytes<br>limit rate 1025 mbytes/second burst 1025 kbytes<br>limit rate 1025000 mbytes/second burst 1023 mbytes |
Nat
| Statement | Description | Examples |
|---|---|---|
| dnat to <address> | | dnat to 192.168.3.2<br>dnat to ct mark map { 0x00000014 : 1.2.3.4 } |
| snat to <address> | | snat to 192.168.3.2<br>snat to 2001:838:35f:1::-2001:838:35f:2:::100 |
| masquerade [<flags>] [to :<port>] | | masquerade<br>masquerade persistent,fully-random,random<br>masquerade to :1024<br>masquerade to :1024-2048 |
Queue
| Statement | Description | Examples |
|---|---|---|
| queue num <num> | | queue<br>queue num 2<br>queue num 2-3<br>queue num 4-5 fanout bypass<br>queue num 4-5 fanout<br>queue num 4-5 |
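An added example that is not part of the original page, showing how jump, goto and return move control between a base chain and regular chains, together with the log, limit, counter, reject and ct count statements from the tables above. The chain names, the 10.0.0.0/24 range and the rate limit are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original page. Chain names, the LAN range
# 10.0.0.0/24 and the rate limit are assumptions chosen for illustration.

flush ruleset

table inet filter {
    # Dynamic set filled by the "add @ssh_flood" statement below; it needs
    # "flags dynamic" because elements are created from the packet path.
    set ssh_flood {
        type ipv4_addr
        flags dynamic
    }

    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        meta iif lo accept

        # jump: evaluate chain "ssh"; if it ends with return (or without a
        # verdict) evaluation resumes at the rule after this one.
        tcp dport 22 jump ssh

        # goto: evaluate chain "web"; if it ends without a verdict, the
        # base chain policy (drop) applies and the rules below are skipped.
        tcp dport { http, https } goto web

        # Only reached by packets that came back from "ssh" unaccepted.
        # limit is non-terminating, so it only throttles the log statement.
        limit rate 5/minute burst 5 packets log prefix "input drop: " level info
        counter drop
    }

    # Regular chain (no type/hook line): reachable only via jump or goto.
    chain ssh {
        # A source with more than 2 concurrent SSH connections is recorded
        # in the dynamic set and the new attempt is rejected with a RST.
        ct state new add @ssh_flood { ip saddr ct count over 2 } counter reject with tcp reset
        ip saddr 10.0.0.0/24 accept
        # Anything else goes back to "input" (explicit form of the implicit
        # return at the end of a regular chain).
        return
    }

    chain web {
        counter accept
    }
}
```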
Extras
Export the configuration
nft export (xml | json)
Monitor events
Creates a filter on Netlink to monitor events.
nft monitor [new | destroy] [tables | chains | sets | rules | elements] [xml | json]