# SPDX-License-Identifier: ((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause)
---
name: nftables
protocol: netlink-raw
protonum: 12

doc: >-
  Netfilter nftables configuration over netlink.

definitions:
  -
    name: nfgenmsg
    type: struct
    members:
      -
        name: nfgen-family
        type: u8
      -
        name: version
        type: u8
      -
        name: res-id
        byte-order: big-endian
        type: u16
  -
    name: meta-keys
    type: enum
    entries:
      - len
      - protocol
      - priority
      - mark
      - iif
      - oif
      - iifname
      - oifname
      - iftype
      - oiftype
      - skuid
      - skgid
      - nftrace
      - rtclassid
      - secmark
      - nfproto
      - l4-proto
      - bri-iifname
      - bri-oifname
      - pkttype
      - cpu
      - iifgroup
      - oifgroup
      - cgroup
      - prandom
      - secpath
      - iifkind
      - oifkind
      - bri-iifpvid
      - bri-iifvproto
      - time-ns
      - time-day
      - time-hour
      - sdif
      - sdifname
      - bri-broute
  -
    name: bitwise-ops
    type: enum
    entries:
      -
        name: mask-xor  # aka bool (old name)
        doc: >-
          mask-and-xor operation used to implement NOT, AND, OR and XOR
          boolean operations
      -
        name: lshift
      -
        name: rshift
      -
        name: and
      -
        name: or
      -
        name: xor
  -
    name: cmp-ops
    type: enum
    entries:
      - eq
      - neq
      - lt
      - lte
      - gt
      - gte
  -
    name: object-type
    type: enum
    entries:
      - unspec
      - counter
      - quota
      - ct-helper
      - limit
      - connlimit
      - tunnel
      - ct-timeout
      - secmark
      - ct-expect
      - synproxy
  -
    name: nat-range-flags
    type: flags
    entries:
      - map-ips
      - proto-specified
      - proto-random
      - persistent
      - proto-random-fully
      - proto-offset
      - netmap
  -
    name: table-flags
    type: flags
    entries:
      - dormant
      - owner
      - persist
  -
    name: chain-flags
    type: flags
    entries:
      - base
      - hw-offload
      - binding
  -
    name: set-flags
    type: flags
    entries:
      - anonymous
      - constant
      - interval
      - map
      - timeout
      - eval
      - object
      - concat
      - expr
  -
    name: set-elem-flags
    type: flags
    entries:
      - interval-end
      - catchall
  -
    name: lookup-flags
    type: flags
    entries:
      - invert
  -
    name: ct-keys
    type: enum
    entries:
      - state
      - direction
      - status
      - mark
      - secmark
      - expiration
      - helper
      - l3protocol
      - src
      - dst
      - protocol
      - proto-src
      - proto-dst
      - labels
      - pkts
      - bytes
      - avgpkt
      - zone
      - eventmask
      - src-ip
      - dst-ip
      - src-ip6
      - dst-ip6
      - ct-id
  -
    name: ct-direction
    type: enum
    entries:
      - original
      - reply
  -
    name: quota-flags
    type: flags
    entries:
      - invert
      - depleted
  -
    name: verdict-code
    type: enum
    entries:
      -
        name: continue
        value: 0xffffffff
      -
        name: break
        value: 0xfffffffe
      -
        name: jump
        value: 0xfffffffd
      -
        name: goto
        value: 0xfffffffc
      -
        name: return
        value: 0xfffffffb
      -
        name: drop
        value: 0
      -
        name: accept
        value: 1
      -
        name: stolen
        value: 2
      -
        name: queue
        value: 3
      -
        name: repeat
        value: 4
  -
    name: fib-result
    type: enum
    entries:
      - oif
      - oifname
      - addrtype
  -
    name: fib-flags
    type: flags
    entries:
      - saddr
      - daddr
      - mark
      - iif
      - oif
      - present
  -
    name: reject-types
    type: enum
    entries:
      - icmp-unreach
      - tcp-rst
      - icmpx-unreach
  -
    name: reject-inet-code
    doc: These codes are mapped to real ICMP and ICMPv6 codes.
    type: enum
    entries:
      - icmpx-no-route
      - icmpx-port-unreach
      - icmpx-host-unreach
      - icmpx-admin-prohibited
  -
    name: payload-base
    type: enum
    entries:
      - link-layer-header
      - network-header
      - transport-header
      - inner-header
      - tun-header
  -
    name: range-ops
    doc: Range operator
    type: enum
    entries:
      - eq
      - neq
  -
    name: registers
    doc: |
      nf_tables registers.

      nf_tables used to have five registers: a verdict register and four data
      registers of size 16. The data registers have been changed to 16
      registers of size 4. For compatibility reasons, the NFT_REG_[1-4]
      registers still map to areas of size 16, the 4 byte registers are
      addressed using NFT_REG32_00 - NFT_REG32_15.
    type: enum
    entries:
      -
        name: reg-verdict
      -
        name: reg-1
      -
        name: reg-2
      -
        name: reg-3
      -
        name: reg-4
      -
        name: reg32-00
        value: 8
      -
        name: reg32-01
      -
        name: reg32-02
      -
        name: reg32-03
      -
        name: reg32-04
      -
        name: reg32-05
      -
        name: reg32-06
      -
        name: reg32-07
      -
        name: reg32-08
      -
        name: reg32-09
      -
        name: reg32-10
      -
        name: reg32-11
      -
        name: reg32-12
      -
        name: reg32-13
      -
        name: reg32-14
      -
        name: reg32-15
  -
    name: numgen-types
    type: enum
    entries:
      - incremental
      - random
  -
    name: log-level
    doc: nf_tables log levels
    type: enum
    entries:
      -
        name: emerg
        doc: system is unusable
      -
        name: alert
        doc: action must be taken immediately
      -
        name: crit
        doc: critical conditions
      -
        name: err
        doc: error conditions
      -
        name: warning
        doc: warning conditions
      -
        name: notice
        doc: normal but significant condition
      -
        name: info
        doc: informational
      -
        name: debug
        doc: debug-level messages
      -
        name: audit
        doc: enabling audit logging
  -
    name: log-flags
    doc: nf_tables log flags
    header: linux/netfilter/nf_log.h
    type: flags
    entries:
      -
        name: tcpseq
        doc: Log TCP sequence numbers
      -
        name: tcpopt
        doc: Log TCP options
      -
        name: ipopt
        doc: Log IP options
      -
        name: uid
        doc: Log UID owning local socket
      -
        name: nflog
        doc: Unsupported, don't reuse
      -
        name: macdecode
        doc: Decode MAC header

attribute-sets:
  -
    name: log-attrs
    doc: log expression netlink attributes
    attributes:
      # Mentioned in nft_log_init()
      -
        name: group
        doc: netlink group to send messages to
        type: u16
        byte-order: big-endian
      -
        name: prefix
        doc: prefix to prepend to log messages
        type: string
      -
        name: snaplen
        doc: length of payload to include in netlink message
        type: u32
        byte-order: big-endian
      -
        name: qthreshold
        doc: queue threshold
        type: u16
        byte-order: big-endian
      -
        name: level
        doc: log level
        type: u32
        enum: log-level
        byte-order: big-endian
      -
        name: flags
        doc: logging flags
        type: u32
        enum: log-flags
        byte-order: big-endian
  -
    name: numgen-attrs
    doc: nf_tables number generator expression netlink attributes
    attributes:
      -
        name: dreg
        doc: destination register
        type: u32
        enum: registers
      -
        name: modulus
        doc: maximum counter value
        type: u32
        byte-order: big-endian
      -
        name: type
        doc: operation type
        type: u32
        byte-order: big-endian
        enum: numgen-types
      -
        name: offset
        doc: offset to be added to the counter
        type: u32
        byte-order: big-endian
  -
    name: range-attrs
    attributes:
      # Mentioned in net/netfilter/nft_range.c
      -
        name: sreg
        doc: source register of data to compare
        type: u32
        byte-order: big-endian
        enum: registers
      -
        name: op
        doc: cmp operation
        type: u32
        byte-order: big-endian
        enum: range-ops
        checks:
          max: 255
      -
        name: from-data
        doc: data range from
        type: nest
        nested-attributes: data-attrs
      -
        name: to-data
        doc: data range to
        type: nest
        nested-attributes: data-attrs
  -
    name: batch-attrs
    attributes:
      -
        name: genid
        doc: generation ID for this changeset
        type: u32
        byte-order: big-endian
  -
    name: table-attrs
    attributes:
      -
        name: name
        type: string
        doc: name of the table
      -
        name: flags
        type: u32
        byte-order: big-endian
        doc: bitmask of flags
        enum: table-flags
        enum-as-flags: true
      -
        name: use
        type: u32
        byte-order: big-endian
        doc: number of chains in this table
      -
        name: handle
        type: u64
        byte-order: big-endian
        doc: numeric handle of the table
      -
        name: pad
        type: pad
      -
        name: userdata
        type: binary
        doc: user data
      -
        name: owner
        type: u32
        byte-order: big-endian
        doc: owner of this table through netlink portID
  -
    name: chain-attrs
    attributes:
      -
        name: table
        type: string
        doc: name of the table containing the chain
      -
        name: handle
        type: u64
        byte-order: big-endian
        doc: numeric handle of the chain
      -
        name: name
        type: string
        doc: name of the chain
      -
        name: hook
        type: nest
        nested-attributes: nft-hook-attrs
        doc: hook specification for basechains
      -
        name: policy
        type: u32
        byte-order: big-endian
        doc: numeric policy of the chain
      -
        name: use
        type: u32
        byte-order: big-endian
        doc: number of references to this chain
      -
        name: type
        type: string
        doc: type name of the chain
      -
        name: counters
        type: nest
        nested-attributes: nft-counter-attrs
        doc: counter specification of the chain
      -
        name: flags
        type: u32
        byte-order: big-endian
        doc: chain flags
        enum: chain-flags
        enum-as-flags: true
      -
        name: id
        type: u32
        byte-order: big-endian
        doc: uniquely identifies a chain in a transaction
      -
        name: userdata
        type: binary
        doc: user data
  -
    name: counter-attrs
    attributes:
      -
        name: bytes
        type: u64
        byte-order: big-endian
      -
        name: packets
        type: u64
        byte-order: big-endian
      -
        name: pad
        type: pad
  -
    name: nft-hook-attrs
    attributes:
      -
        name: num
        type: u32
        byte-order: big-endian
      -
        name: priority
        type: s32
        byte-order: big-endian
      -
        name: dev
        type: string
        doc: net device name
      -
        name: devs
        type: nest
        nested-attributes: hook-dev-attrs
        doc: list of net devices
  -
    name: hook-dev-attrs
    attributes:
      -
        name: name
        type: string
        multi-attr: true
  -
    name: nft-counter-attrs
    attributes:
      -
        name: bytes
        type: u64
        byte-order: big-endian
      -
        name: packets
        type: u64
        byte-order: big-endian
  -
    name: rule-attrs
    attributes:
      -
        name: table
        type: string
        doc: name of the table containing the rule
      -
        name: chain
        type: string
        doc: name of the chain containing the rule
      -
        name: handle
        type: u64
        byte-order: big-endian
        doc: numeric handle of the rule
      -
        name: expressions
        type: nest
        nested-attributes: expr-list-attrs
        doc: list of expressions
      -
        name: compat
        type: nest
        nested-attributes: rule-compat-attrs
        doc: compatibility specifications of the rule
      -
        name: position
        type: u64
        byte-order: big-endian
        doc: numeric handle of the previous rule
      -
        name: userdata
        type: binary
        doc: user data
      -
        name: id
        type: u32
        doc: uniquely identifies a rule in a transaction
      -
        name: position-id
        type: u32
        doc: transaction unique identifier of the previous rule
      -
        name: chain-id
        type: u32
        doc: add the rule to chain by ID, alternative to chain name
  -
    name: expr-list-attrs
    attributes:
      -
        name: elem
        type: nest
        nested-attributes: expr-attrs
        multi-attr: true
  -
    name: expr-attrs
    attributes:
      -
        name: name
        type: string
        doc: name of the expression type
      -
        name: data
        type: sub-message
        sub-message: expr-ops
        selector: name
        doc: type specific data
  -
    # Mentioned in nft_parse_compat() in net/netfilter/nft_compat.c
    name: rule-compat-attrs
    attributes:
      -
        name: proto
        type: u32
        byte-order: big-endian
        doc: numeric value of the handled protocol
      -
        name: flags
        type: u32
        byte-order: big-endian
        doc: bitmask of flags
  -
    name: set-attrs
    attributes:
      -
        name: table
        type: string
        doc: table name
      -
        name: name
        type: string
        doc: set name
      -
        name: flags
        type: u32
        enum: set-flags
        byte-order: big-endian
        doc: bitmask of enum nft_set_flags
      -
        name: key-type
        type: u32
        byte-order: big-endian
        doc: key data type, informational purpose only
      -
        name: key-len
        type: u32
        byte-order: big-endian
        doc: key data length
      -
        name: data-type
        type: u32
        byte-order: big-endian
        doc: mapping data type
      -
        name: data-len
        type: u32
        byte-order: big-endian
        doc: mapping data length
      -
        name: policy
        type: u32
        byte-order: big-endian
        doc: selection policy
      -
        name: desc
        type: nest
        nested-attributes: set-desc-attrs
        doc: set description
      -
        name: id
        type: u32
        doc: uniquely identifies a set in a transaction
      -
        name: timeout
        type: u64
        doc: default timeout value
      -
        name: gc-interval
        type: u32
        doc: garbage collection interval
      -
        name: userdata
        type: binary
        doc: user data
      -
        name: pad
        type: pad
      -
        name: obj-type
        type: u32
        byte-order: big-endian
        doc: stateful object type
      -
        name: handle
        type: u64
        byte-order: big-endian
        doc: set handle
      -
        name: expr
        type: nest
        nested-attributes: expr-attrs
        doc: set expression
        multi-attr: true
      -
        name: expressions
        type: nest
        nested-attributes: set-list-attrs
        doc: list of expressions
      -
        name: type
        type: string
        doc: set backend type
      -
        name: count
        type: u32
        byte-order: big-endian
        doc: number of set elements
  -
    name: set-desc-attrs
    attributes:
      -
        name: size
        type: u32
        byte-order: big-endian
        doc: number of elements in set
      -
        name: concat
        type: nest
        nested-attributes: set-desc-concat-attrs
        doc: description of field concatenation
        multi-attr: true
  -
    name: set-desc-concat-attrs
    attributes:
      -
        name: elem
        type: nest
        nested-attributes: set-field-attrs
  -
    name: set-field-attrs
    attributes:
      -
        name: len
        type: u32
        byte-order: big-endian
  -
    name: set-list-attrs
    attributes:
      -
        name: elem
        type: nest
        nested-attributes: expr-attrs
        multi-attr: true
  -
    name: setelem-attrs
    attributes:
      -
        name: key
        type: nest
        nested-attributes: data-attrs
        doc: key value
      -
        name: data
        type: nest
        nested-attributes: data-attrs
        doc: data value of mapping
      -
        name: flags
        type: binary
        doc: bitmask of nft_set_elem_flags
      -
        name: timeout
        type: u64
        doc: timeout value
      -
        name: expiration
        type: u64
        doc: expiration time
      -
        name: userdata
        type: binary
        doc: user data
      -
        name: expr
        type: nest
        nested-attributes: expr-attrs
        doc: expression
      -
        name: objref
        type: string
        doc: stateful object reference
      -
        name: key-end
        type: nest
        nested-attributes: data-attrs
        doc: closing key value
      -
        name: expressions
        type: nest
        nested-attributes: expr-list-attrs
        doc: list of expressions
  -
    name: setelem-list-elem-attrs
    attributes:
      -
        name: elem
        type: nest
        nested-attributes: setelem-attrs
        multi-attr: true
  -
    name: setelem-list-attrs
    attributes:
      -
        name: table
        type: string
      -
        name: set
        type: string
      -
        name: elements
        type: nest
        nested-attributes: setelem-list-elem-attrs
      -
        name: set-id
        type: u32
  -
    name: gen-attrs
    attributes:
      -
        name: id
        type: u32
        byte-order: big-endian
        doc: ruleset generation id
      -
        name: proc-pid
        type: u32
        byte-order: big-endian
      -
        name: proc-name
        type: string
  -
    name: obj-attrs
    attributes:
      -
        name: table
        type: string
        doc: name of the table containing the expression
      -
        name: name
        type: string
        doc: name of this expression type
      -
        name: type
        type: u32
        enum: object-type
        byte-order: big-endian
        doc: stateful object type
      -
        name: data
        type: sub-message
        sub-message: obj-data
        selector: type
        doc: stateful object data
      -
        name: use
        type: u32
        byte-order: big-endian
        doc: number of references to this expression
      -
        name: handle
        type: u64
        byte-order: big-endian
        doc: object handle
      -
        name: pad
        type: pad
      -
        name: userdata
        type: binary
        doc: user data
  -
    name: quota-attrs
    attributes:
      -
        name: bytes
        type: u64
        byte-order: big-endian
      -
        name: flags
        type: u32
        byte-order: big-endian
        enum: quota-flags
      -
        name: pad
        type: pad
      -
        name: consumed
        type: u64
        byte-order: big-endian
  -
    name: flowtable-attrs
    attributes:
      -
        name: table
        type: string
      -
        name: name
        type: string
      -
        name: hook
        type: nest
        nested-attributes: flowtable-hook-attrs
      -
        name: use
        type: u32
        byte-order: big-endian
      -
        name: handle
        type: u64
        byte-order: big-endian
      -
        name: pad
        type: pad
      -
        name: flags
        type: u32
        byte-order: big-endian
  -
    name: flowtable-hook-attrs
    attributes:
      -
        name: num
        type: u32
        byte-order: big-endian
      -
        name: priority
        type: u32
        byte-order: big-endian
      -
        name: devs
        type: nest
        nested-attributes: hook-dev-attrs
  -
    name: expr-bitwise-attrs
    doc: |
      The bitwise expression supports boolean and shift operations. It
      implements the boolean operations by performing the following
      operation::

          dreg = (sreg & mask) ^ xor

      with these mask and xor values:

      op    mask   xor
      ----  ----   ---
      NOT:  1      1
      OR:   ~x     x
      XOR:  1      x
      AND:  x      0
    attributes:
      -
        name: sreg
        type: u32
        byte-order: big-endian
      -
        name: dreg
        type: u32
        byte-order: big-endian
      -
        name: len
        type: u32
        byte-order: big-endian
      -
        name: mask
        type: nest
        nested-attributes: data-attrs
      -
        name: xor
        type: nest
        nested-attributes: data-attrs
      -
        name: op
        type: u32
        byte-order: big-endian
        enum: bitwise-ops
        checks:
          max: 255
      -
        name: data
        type: nest
        nested-attributes: data-attrs
  -
    name: expr-cmp-attrs
    attributes:
      -
        name: sreg
        type: u32
        byte-order: big-endian
      -
        name: op
        type: u32
        byte-order: big-endian
        enum: cmp-ops
      -
        name: data
        type: nest
        nested-attributes: data-attrs
  -
    name: data-attrs
    attributes:
      -
        name: value
        type: binary
        # sub-type: u8
      -
        name: verdict
        type: nest
        nested-attributes: verdict-attrs
  -
    name: verdict-attrs
    attributes:
      -
        name: code
        doc: nf_tables verdict
        type: u32
        byte-order: big-endian
        enum: verdict-code
      -
        name: chain
        doc: jump target chain name
        type: string
      -
        name: chain-id
        doc: jump target chain ID
        type: u32
        byte-order: big-endian
  -
    name: expr-counter-attrs
    attributes:
      -
        name: bytes
        type: u64
        byte-order: big-endian
        doc: Number of bytes
      -
        name: packets
        type: u64
        byte-order: big-endian
        doc: Number of packets
      -
        name: pad
        type: pad
  -
    name: expr-fib-attrs
    attributes:
      -
        name: dreg
        type: u32
        byte-order: big-endian
      -
        name: result
        type: u32
        byte-order: big-endian
        enum: fib-result
      -
        name: flags
        type: u32
        byte-order: big-endian
        enum: fib-flags
  -
    name: expr-ct-attrs
    attributes:
      -
        name: dreg
        type: u32
        byte-order: big-endian
      -
        name: key
        type: u32
        byte-order: big-endian
        enum: ct-keys
      -
        name: direction
        type: u8
        enum: ct-direction
      -
        name: sreg
        type: u32
        byte-order: big-endian
  -
    name: expr-flow-offload-attrs
    attributes:
      -
        name: name
        type: string
        doc: Flow offload table name
  -
    name: expr-immediate-attrs
    attributes:
      -
        name: dreg
        type: u32
        byte-order: big-endian
      -
        name: data
        type: nest
        nested-attributes: data-attrs
  -
    name: expr-lookup-attrs
    attributes:
      -
        name: set
        type: string
        doc: Name of set to use
      -
        name: set-id
        type: u32
        byte-order: big-endian
        doc: ID of set to use
      -
        name: sreg
        type: u32
        byte-order: big-endian
      -
        name: dreg
        type: u32
        byte-order: big-endian
      -
        name: flags
        type: u32
        byte-order: big-endian
        enum: lookup-flags
  -
    name: expr-masq-attrs
    attributes:
      -
        name: flags
        type: u32
        byte-order: big-endian
        enum: nat-range-flags
        enum-as-flags: true
      -
        name: reg-proto-min
        type: u32
        byte-order: big-endian
        enum: registers
      -
        name: reg-proto-max
        type: u32
        byte-order: big-endian
        enum: registers
  -
    name: expr-meta-attrs
    attributes:
      -
        name: dreg
        type: u32
        byte-order: big-endian
      -
        name: key
        type: u32
        byte-order: big-endian
        enum: meta-keys
      -
        name: sreg
        type: u32
        byte-order: big-endian
  -
    name: expr-nat-attrs
    attributes:
      -
        name: type
        type: u32
        byte-order: big-endian
      -
        name: family
        type: u32
        byte-order: big-endian
      -
        name: reg-addr-min
        type: u32
        byte-order: big-endian
      -
        name: reg-addr-max
        type: u32
        byte-order: big-endian
      -
        name: reg-proto-min
        type: u32
        byte-order: big-endian
      -
        name: reg-proto-max
        type: u32
        byte-order: big-endian
      -
        name: flags
        type: u32
        byte-order: big-endian
        enum: nat-range-flags
        enum-as-flags: true
  -
    name: expr-payload-attrs
    doc: nf_tables payload expression netlink attributes
    attributes:
      -
        name: dreg
        doc: destination register to load data into
        type: u32
        byte-order: big-endian
        enum: registers
      -
        name: base
        doc: payload base
        type: u32
        enum: payload-base
        byte-order: big-endian
      -
        name: offset
        doc: payload offset relative to base
        type: u32
        byte-order: big-endian
      -
        name: len
        doc: payload length
        type: u32
        byte-order: big-endian
      -
        name: sreg
        doc: source register to load data from
        type: u32
        byte-order: big-endian
        enum: registers
      -
        name: csum-type
        doc: checksum type
        type: u32
        byte-order: big-endian
      -
        name: csum-offset
        doc: checksum offset relative to base
        type: u32
        byte-order: big-endian
      -
        name: csum-flags
        doc: checksum flags
        type: u32
        byte-order: big-endian
  -
    name: expr-reject-attrs
    attributes:
      -
        name: type
        type: u32
        byte-order: big-endian
        enum: reject-types
      -
        name: icmp-code
        type: u8
  -
    name: expr-target-attrs
    attributes:
      -
        name: name
        type: string
      -
        name: rev
        type: u32
        byte-order: big-endian
      -
        name: info
        type: binary
  -
    name: expr-tproxy-attrs
    attributes:
      -
        name: family
        type: u32
        byte-order: big-endian
      -
        name: reg-addr
        type: u32
        byte-order: big-endian
      -
        name: reg-port
        type: u32
        byte-order: big-endian
  -
    name: expr-objref-attrs
    attributes:
      -
        name: imm-type
        type: u32
        byte-order: big-endian
      -
        name: imm-name
        type: string
        doc: object name
      -
        name: set-sreg
        type: u32
        byte-order: big-endian
      -
        name: set-name
        type: string
        doc: name of object map
      -
        name: set-id
        type: u32
        byte-order: big-endian
        doc: id of object map
  -
    name: compat-target-attrs
    header: linux/netfilter/nf_tables_compat.h
    attributes:
      -
        name: name
        type: string
        checks:
          max-len: 32
      -
        name: rev
        type: u32
        byte-order: big-endian
        checks:
          max: 255
      -
        name: info
        type: binary
  -
    name: compat-match-attrs
    header: linux/netfilter/nf_tables_compat.h
    attributes:
      -
        name: name
        type: string
        checks:
          max-len: 32
      -
        name: rev
        type: u32
        byte-order: big-endian
        checks:
          max: 255
      -
        name: info
        type: binary
  -
    name: compat-attrs
    header: linux/netfilter/nf_tables_compat.h
    attributes:
      -
        name: name
        type: string
        checks:
          max-len: 32
      -
        name: rev
        type: u32
        byte-order: big-endian
        checks:
          max: 255
      -
        name: type
        type: u32
        byte-order: big-endian

sub-messages:
  -
    name: expr-ops
    formats:
      -
        value: bitwise
        attribute-set: expr-bitwise-attrs
      -
        value: cmp
        attribute-set: expr-cmp-attrs
      -
        value: counter
        attribute-set: expr-counter-attrs
      -
        value: ct
        attribute-set: expr-ct-attrs
      -
        value: fib
        attribute-set: expr-fib-attrs
      -
        value: flow_offload
        attribute-set: expr-flow-offload-attrs
      -
        value: immediate
        attribute-set: expr-immediate-attrs
      -
        value: log
        attribute-set: log-attrs
      -
        value: lookup
        attribute-set: expr-lookup-attrs
      -
        value: match
        attribute-set: compat-match-attrs
      -
        value: meta
        attribute-set: expr-meta-attrs
      -
        value: nat
        attribute-set: expr-nat-attrs
      -
        value: numgen
        attribute-set: numgen-attrs
      -
        value: objref
        attribute-set: expr-objref-attrs
      -
        value: payload
        attribute-set: expr-payload-attrs
      -
        value: quota
        attribute-set: quota-attrs
      -
        value: range
        attribute-set: range-attrs
      -
        value: reject
        attribute-set: expr-reject-attrs
      -
        value: target
        attribute-set: expr-target-attrs
      -
        value: tproxy
        attribute-set: expr-tproxy-attrs
      # There are more sub-messages to go:
      #   grep -A10 nft_expr_type
      # and look for .name\s*=\s*"..."
  -
    name: obj-data
    formats:
      -
        value: counter
        attribute-set: counter-attrs
      -
        value: quota
        attribute-set: quota-attrs

operations:
  enum-model: directional
  list:
    -
      name: batch-begin
      doc: Start a batch of operations
      attribute-set: batch-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0x10
          attributes:
            - genid
        reply:
          value: 0x10
          attributes:
            - genid
    -
      name: batch-end
      doc: Finish a batch of operations
      attribute-set: batch-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0x11
          attributes:
            - genid
    -
      name: newtable
      doc: Create a new table.
      attribute-set: table-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa00
          attributes:
            # Mentioned in nf_tables_newtable()
            - name
            - flags
            - userdata
    -
      name: gettable
      doc: Get / dump tables.
      attribute-set: table-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa01
          attributes:
            # Mentioned in nf_tables_gettable()
            - name
        reply:
          value: 0xa00
          attributes: &get-table
            # Mentioned in nf_tables_fill_table_info()
            - name
            - use
            - handle
            - flags
            - owner
            - userdata
      dump:
        reply:
          attributes: *get-table
    -
      name: deltable
      doc: Delete an existing table.
      attribute-set: table-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa02
          attributes: &del-table
            # Mentioned in nf_tables_deltable()
            - name
            - handle
    -
      name: destroytable
      doc: |
        Delete an existing table with destroy semantics (ignoring ENOENT
        errors).
      attribute-set: table-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa1a
          attributes: *del-table
    -
      name: newchain
      doc: Create a new chain.
      attribute-set: chain-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa03
          attributes:
            # Mentioned in nf_tables_newchain()
            - table
            - handle
            - policy
            - flags
            # Mentioned in nf_tables_updchain()
            - hook
            - name
            - counters
            # Mentioned in nf_tables_addchain()
            - userdata
            # Mentioned in nft_chain_parse_hook()
            - type
    -
      name: getchain
      doc: Get / dump chains.
      attribute-set: chain-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa04
          attributes:
            # Mentioned in nf_tables_getchain()
            - table
            - name
        reply:
          value: 0xa03
          attributes: &get-chain
            # Mentioned in nf_tables_fill_chain_info()
            - table
            - name
            - handle
            - hook
            - policy
            - type
            - flags
            - counters
            - id
            - use
            - userdata
      dump:
        reply:
          attributes: *get-chain
    -
      name: delchain
      doc: Delete an existing chain.
      attribute-set: chain-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa05
          attributes: &del-chain
            # Mentioned in nf_tables_delchain()
            - table
            - handle
            - name
            - hook
    -
      name: destroychain
      doc: |
        Delete an existing chain with destroy semantics (ignoring ENOENT
        errors).
      attribute-set: chain-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa1b
          attributes: *del-chain
    -
      name: newrule
      doc: Create a new rule.
      attribute-set: rule-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa06
          attributes:
            # Mentioned in nf_tables_newrule()
            - table
            - chain
            - chain-id
            - handle
            - position
            - position-id
            - expressions
            - userdata
            - compat
    -
      name: getrule
      doc: Get / dump rules.
      attribute-set: rule-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa07
          attributes: &get-rule-request
            # Mentioned in nf_tables_getrule_single()
            - table
            - chain
            - handle
        reply:
          value: 0xa06
          attributes: &get-rule
            # Mentioned in nf_tables_fill_rule_info()
            - table
            - chain
            - handle
            - position
            - expressions
            - userdata
      dump:
        request:
          attributes:
            # Mentioned in nf_tables_dump_rules_start()
            - table
            - chain
        reply:
          attributes: *get-rule
    -
      name: getrule-reset
      doc: Get / dump rules and reset stateful expressions.
      attribute-set: rule-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa19
          attributes: *get-rule-request
        reply:
          value: 0xa06
          attributes: *get-rule
      dump:
        request:
          attributes: *get-rule-request
        reply:
          attributes: *get-rule
    -
      name: delrule
      doc: Delete an existing rule.
      attribute-set: rule-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa08
          attributes: &del-rule
            - table
            - chain
            - handle
            - id
    -
      name: destroyrule
      doc: |
        Delete an existing rule with destroy semantics (ignoring ENOENT
        errors).
      attribute-set: rule-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa1c
          attributes: *del-rule
    -
      name: newset
      doc: Create a new set.
      attribute-set: set-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa09
          attributes:
            # Mentioned in nf_tables_newset()
            - table
            - name
            - key-len
            - id
            - key-type
            - flags
            - data-type
            - data-len
            - obj-type
            - timeout
            - gc-interval
            - policy
            - desc
            - userdata
    -
      name: getset
      doc: Get / dump sets.
      attribute-set: set-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa0a
          attributes:
            # Mentioned in nf_tables_getset()
            - table
            - name
        reply:
          value: 0xa09
          attributes: &get-set
            # Mentioned in nf_tables_fill_set()
            - table
            - name
            - handle
            - flags
            - key-len
            - key-type
            - data-type
            - data-len
            - obj-type
            - gc-interval
            - policy
            - userdata
            - desc
            - expr
            - expressions
      dump:
        request:
          attributes:
            # Mentioned in nf_tables_getset()
            - table
        reply:
          attributes: *get-set
    -
      name: delset
      doc: Delete an existing set.
      attribute-set: set-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa0b
          attributes: &del-set
            # Mentioned in nf_tables_delset()
            - table
            - handle
            - name
    -
      name: destroyset
      doc: |
        Delete an existing set with destroy semantics (ignoring ENOENT
        errors).
      attribute-set: set-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa1d
          attributes: *del-set
    -
      name: newsetelem
      doc: Create a new set element.
      attribute-set: setelem-list-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa0c
          attributes:
            # Mentioned in nf_tables_newsetelem()
            - table
            - set
            - set-id
            - elements
    -
      name: getsetelem
      doc: Get / dump set elements.
      attribute-set: setelem-list-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa0d
          attributes:
            # Mentioned in nf_tables_getsetelem()
            - table
            - set
            - elements
        reply:
          value: 0xa0c
          attributes:
            # Mentioned in nf_tables_fill_setelem_info()
            - elements
      dump:
        request:
          attributes: &dump-set-request
            # Mentioned in nft_set_dump_ctx_init()
            - table
            - set
        reply:
          attributes: &dump-set
            # Mentioned in nf_tables_dump_set()
            - table
            - set
            - elements
    -
      name: getsetelem-reset
      doc: Get / dump set elements and reset stateful expressions.
      attribute-set: setelem-list-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa21
          attributes:
            # Mentioned in nf_tables_getsetelem_reset()
            - elements
        reply:
          value: 0xa0c
          attributes:
            # Mentioned in nf_tables_dumpreset_set()
            - table
            - set
            - elements
      dump:
        request:
          attributes: *dump-set-request
        reply:
          attributes: *dump-set
    -
      name: delsetelem
      doc: Delete an existing set element.
      attribute-set: setelem-list-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa0e
          attributes: &del-setelem
            # Mentioned in nf_tables_delsetelem()
            - table
            - set
            - elements
    -
      name: destroysetelem
      doc: Delete an existing set element with destroy semantics.
      attribute-set: setelem-list-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa1e
          attributes: *del-setelem
    -
      name: getgen
      doc: Get / dump rule-set generation.
      attribute-set: gen-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa10
        reply:
          value: 0xa0f
          attributes: &get-gen
            # Mentioned in nf_tables_fill_gen_info()
            - id
            - proc-pid
            - proc-name
      dump:
        reply:
          attributes: *get-gen
    -
      name: newobj
      doc: Create a new stateful object.
      attribute-set: obj-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa12
          attributes:
            # Mentioned in nf_tables_newobj()
            - type
            - name
            - data
            - table
            - userdata
    -
      name: getobj
      doc: Get / dump stateful objects.
      attribute-set: obj-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa13
          attributes:
            # Mentioned in nf_tables_getobj_single()
            - name
            - type
            - table
        reply:
          value: 0xa12
          attributes: &obj-info
            # Mentioned in nf_tables_fill_obj_info()
            - table
            - name
            - type
            - handle
            - use
            - data
            - userdata
      dump:
        request:
          attributes:
            # Mentioned in nf_tables_dump_obj_start()
            - table
            - type
        reply:
          attributes: *obj-info
    -
      name: delobj
      doc: Delete an existing stateful object.
      attribute-set: obj-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa14
          attributes:
            # Mentioned in nf_tables_delobj()
            - table
            - name
            - type
            - handle
    -
      name: destroyobj
      doc: Delete an existing stateful object with destroy semantics.
      attribute-set: obj-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa1f
          attributes:
            # Mentioned in nf_tables_delobj()
            - table
            - name
            - type
            - handle
    -
      name: newflowtable
      doc: Create a new flow table.
      attribute-set: flowtable-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa16
          attributes:
            # Mentioned in nf_tables_newflowtable()
            - table
            - name
            - hook
            - flags
    -
      name: getflowtable
      doc: Get / dump flow tables.
      attribute-set: flowtable-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa17
          attributes:
            # Mentioned in nf_tables_getflowtable()
            - name
            - table
        reply:
          value: 0xa16
          attributes: &flowtable-info
            # Mentioned in nf_tables_fill_flowtable_info()
            - table
            - name
            - handle
            - use
            - flags
            - hook
      dump:
        reply:
          attributes: *flowtable-info
    -
      name: delflowtable
      doc: Delete an existing flow table.
      attribute-set: flowtable-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa18
          attributes: &del-flowtable
            # Mentioned in nf_tables_delflowtable()
            - table
            - name
            - handle
            - hook
    -
      name: destroyflowtable
      doc: Delete an existing flow table with destroy semantics.
      attribute-set: flowtable-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa20
          attributes: *del-flowtable

mcast-groups:
  list:
    -
      name: mgmt
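The `expr-bitwise-attrs` doc above states that nftables implements all four boolean operations through one primitive, `dreg = (sreg & mask) ^ xor`, with the mask/xor pairs in its table. The following is an added example, not part of the kernel's nftables.yaml spec or of nft itself: it models that primitive over a byte-array register of the length the `len` attribute would carry, derives mask and xor from the table for each operation, and checks the result against a direct NOT/OR/XOR/AND. The function names and the register model are this example's own; the shift operations (`lshift`, `rshift`) are not modelled.

```python
"""Added example (not the kernel's nftables spec code): how the nft bitwise
expression's mask-xor operation encodes NOT, OR, XOR and AND.

Register model (this example's own): a register is a big-endian byte string
of `len` bytes; mask, xor and the operand have the same length."""


def mask_xor(sreg: bytes, mask: bytes, xor: bytes) -> bytes:
    """The single primitive the spec describes: dreg = (sreg & mask) ^ xor,
    applied byte by byte across the register."""
    if not len(sreg) == len(mask) == len(xor):
        raise ValueError("sreg, mask and xor must have the same length")
    return bytes((s & m) ^ x for s, m, x in zip(sreg, mask, xor))


def table_mask_xor(op: str, operand: bytes) -> tuple[bytes, bytes]:
    """Mask and xor values from the spec's table for boolean op `op`.
    `operand` is x in the table; it is ignored for NOT (all-ones mask/xor)."""
    n = len(operand)
    ones = (1 << (8 * n)) - 1  # an all-ones register, the table's "1"
    x = int.from_bytes(operand, "big")
    table = {
        "not": (ones, ones),            # NOT:  mask 1,  xor 1
        "or":  ((~x) & ones, x),        # OR:   mask ~x, xor x
        "xor": (ones, x),               # XOR:  mask 1,  xor x
        "and": (x, 0),                  # AND:  mask x,  xor 0
    }
    mask, xor = table[op]
    return mask.to_bytes(n, "big"), xor.to_bytes(n, "big")


def boolean_op(op: str, sreg: bytes, operand: bytes) -> bytes:
    """Evaluate `sreg <op> operand` the way the bitwise expression would:
    look the (mask, xor) pair up in the table, then run the primitive."""
    mask, xor = table_mask_xor(op, operand)
    return mask_xor(sreg, mask, xor)


def reference_op(op: str, sreg: bytes, operand: bytes) -> bytes:
    """Direct integer NOT/OR/XOR/AND, used only to check the encoding."""
    n = len(sreg)
    ones = (1 << (8 * n)) - 1
    s = int.from_bytes(sreg, "big")
    x = int.from_bytes(operand, "big")
    result = {"not": (~s) & ones, "or": s | x, "xor": s ^ x, "and": s & x}[op]
    return result.to_bytes(n, "big")


def check_table(sreg: bytes, operand: bytes) -> bool:
    """True when the table's mask/xor pairs reproduce every boolean op on
    the given register contents."""
    return all(
        boolean_op(op, sreg, operand) == reference_op(op, sreg, operand)
        for op in ("not", "or", "xor", "and")
    )


if __name__ == "__main__":
    # Constructed sample register contents (not from any real ruleset).
    sreg, operand = b"\xf0\x0f\x55\xaa", b"\xaa\x55\xf0\x0f"
    for op in ("not", "or", "xor", "and"):
        mask, xor = table_mask_xor(op, operand)
        print(f"{op:>3}: mask={mask.hex()} xor={xor.hex()} "
              f"dreg={boolean_op(op, sreg, operand).hex()}")
    print("table consistent:", check_table(sreg, operand))
```

The OR row is the one worth pausing on: masking with `~x` clears exactly the bits that the xor with `x` then sets, so bits of `x` that are 1 come out as 1 and the rest pass `sreg` through unchanged, which is `sreg | x`. A reviewer of a netlink rule dump can apply the same table in reverse to recover which boolean operation a `mask`/`xor` pair in a `bitwise` expression actually encodes.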