Logo of The Linux Kernel

The Linux Kernel

next-20260306

Quick search

Contents

  • Development process
  • Submitting patches
  • Code of conduct
  • Maintainer handbook
  • All development-process docs
  • Core API
  • Driver APIs
  • Subsystems
    • Core subsystems
    • Human interfaces
    • Networking interfaces
      • Networking
      • NetLabel
      • InfiniBand
      • ISDN
      • MHI
    • Storage interfaces
    • Other subsystems
  • Locking
  • Licensing rules
  • Writing documentation
  • Development tools
  • Testing guide
  • Hacking guide
  • Tracing
  • Fault injection
  • Livepatching
  • Rust
  • Administration
  • Build system
  • Reporting issues
  • Userspace tools
  • Userspace API
  • Firmware
  • Firmware and Devicetree
  • CPU architectures
  • Unsorted documentation
  • Translations

This Page

  • Show Source

Family nftables netlink specification¶

Contents

  • Family nftables netlink specification

    • Summary

    • Operations

      • batch-begin

      • batch-end

      • newtable

      • gettable

      • deltable

      • destroytable

      • newchain

      • getchain

      • delchain

      • destroychain

      • newrule

      • getrule

      • getrule-reset

      • delrule

      • destroyrule

      • newset

      • getset

      • delset

      • destroyset

      • newsetelem

      • getsetelem

      • getsetelem-reset

      • delsetelem

      • destroysetelem

      • getgen

      • newobj

      • getobj

      • delobj

      • destroyobj

      • newflowtable

      • getflowtable

      • delflowtable

      • destroyflowtable

    • Multicast groups

    • Definitions

      • nfgenmsg

      • meta-keys

      • bitwise-ops

      • cmp-ops

      • object-type

      • nat-range-flags

      • table-flags

      • chain-flags

      • set-flags

      • set-elem-flags

      • lookup-flags

      • ct-keys

      • ct-direction

      • quota-flags

      • verdict-code

      • fib-result

      • fib-flags

      • reject-types

      • reject-inet-code

      • payload-base

      • range-ops

      • registers

      • numgen-types

      • log-level

      • log-flags

    • Attribute sets

      • log-attrs

      • numgen-attrs

      • range-attrs

      • batch-attrs

      • table-attrs

      • chain-attrs

      • counter-attrs

      • nft-hook-attrs

      • hook-dev-attrs

      • nft-counter-attrs

      • rule-attrs

      • expr-list-attrs

      • expr-attrs

      • rule-compat-attrs

      • set-attrs

      • set-desc-attrs

      • set-desc-concat-attrs

      • set-field-attrs

      • set-list-attrs

      • setelem-attrs

      • setelem-list-elem-attrs

      • setelem-list-attrs

      • gen-attrs

      • obj-attrs

      • quota-attrs

      • flowtable-attrs

      • flowtable-hook-attrs

      • expr-bitwise-attrs

      • expr-cmp-attrs

      • data-attrs

      • verdict-attrs

      • expr-counter-attrs

      • expr-fib-attrs

      • expr-ct-attrs

      • expr-flow-offload-attrs

      • expr-immediate-attrs

      • expr-lookup-attrs

      • expr-masq-attrs

      • expr-meta-attrs

      • expr-nat-attrs

      • expr-payload-attrs

      • expr-reject-attrs

      • expr-target-attrs

      • expr-tproxy-attrs

      • expr-objref-attrs

      • compat-target-attrs

      • compat-match-attrs

      • compat-attrs

    • Sub-messages

      • expr-ops

      • obj-data

Summary¶

Netfilter nftables configuration over netlink.

Operations¶

batch-begin¶

Start a batch of operations

attribute-set:

batch-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[genid]

reply
attributes:

[genid]

batch-end¶

Finish a batch of operations

attribute-set:

batch-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[genid]

newtable¶

Create a new table.

attribute-set:

table-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[name, flags, userdata]

gettable¶

Get / dump tables.

attribute-set:

table-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[name]

reply
attributes:

[name, use, handle, flags, owner, userdata]

dump:
reply
attributes:

[name, use, handle, flags, owner, userdata]

deltable¶

Delete an existing table.

attribute-set:

table-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[name, handle]

destroytable¶

Delete an existing table with destroy semantics (ignoring ENOENT errors).

attribute-set:

table-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[name, handle]

newchain¶

Create a new chain.

attribute-set:

chain-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[table, handle, policy, flags, hook, name, counters, userdata, type]

getchain¶

Get / dump chains.

attribute-set:

chain-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[table, name]

reply
attributes:

[table, name, handle, hook, policy, type, flags, counters, id, use, userdata]

dump:
reply
attributes:

[table, name, handle, hook, policy, type, flags, counters, id, use, userdata]

delchain¶

Delete an existing chain.

attribute-set:

chain-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[table, handle, name, hook]

destroychain¶

Delete an existing chain with destroy semantics (ignoring ENOENT errors).

attribute-set:

chain-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[table, handle, name, hook]

newrule¶

Create a new rule.

attribute-set:

rule-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[table, chain, chain-id, handle, position, position-id, expressions, userdata, compat]

getrule¶

Get / dump rules.

attribute-set:

rule-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[table, chain, handle]

reply
attributes:

[table, chain, handle, position, expressions, userdata]

dump:
request
attributes:

[table, chain]

reply
attributes:

[table, chain, handle, position, expressions, userdata]

getrule-reset¶

Get / dump rules and reset stateful expressions.

attribute-set:

rule-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[table, chain, handle]

reply
attributes:

[table, chain, handle, position, expressions, userdata]

dump:
request
attributes:

[table, chain, handle]

reply
attributes:

[table, chain, handle, position, expressions, userdata]

delrule¶

Delete an existing rule.

attribute-set:

rule-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[table, chain, handle, id]

destroyrule¶

Delete an existing rule with destroy semantics (ignoring ENOENT errors).

attribute-set:

rule-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[table, chain, handle, id]

newset¶

Create a new set.

attribute-set:

set-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[table, name, key-len, id, key-type, flags, data-type, data-len, obj-type, timeout, gc-interval, policy, desc, userdata]

getset¶

Get / dump sets.

attribute-set:

set-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[table, name]

reply
attributes:

[table, name, handle, flags, key-len, key-type, data-type, data-len, obj-type, gc-interval, policy, userdata, desc, expr, expressions]

dump:
request
attributes:

[table]

reply
attributes:

[table, name, handle, flags, key-len, key-type, data-type, data-len, obj-type, gc-interval, policy, userdata, desc, expr, expressions]

delset¶

Delete an existing set.

attribute-set:

set-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[table, handle, name]

destroyset¶

Delete an existing set with destroy semantics (ignoring ENOENT errors).

attribute-set:

set-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[table, handle, name]

newsetelem¶

Create a new set element.

attribute-set:

setelem-list-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[table, set, set-id, elements]

getsetelem¶

Get / dump set elements.

attribute-set:

setelem-list-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[table, set, elements]

reply
attributes:

[elements]

dump:
request
attributes:

[table, set]

reply
attributes:

[table, set, elements]

getsetelem-reset¶

Get / dump set elements and reset stateful expressions.

attribute-set:

setelem-list-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[elements]

reply
attributes:

[table, set, elements]

dump:
request
attributes:

[table, set]

reply
attributes:

[table, set, elements]

delsetelem¶

Delete an existing set element.

attribute-set:

setelem-list-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[table, set, elements]

destroysetelem¶

Delete an existing set element with destroy semantics.

attribute-set:

setelem-list-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[table, set, elements]

getgen¶

Get / dump rule-set generation.

attribute-set:

gen-attrs

fixed-header:

nfgenmsg

do:

request

reply
attributes:

[id, proc-pid, proc-name]

dump:
reply
attributes:

[id, proc-pid, proc-name]

newobj¶

Create a new stateful object.

attribute-set:

obj-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[type, name, data, table, userdata]

getobj¶

Get / dump stateful objects.

attribute-set:

obj-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[name, type, table]

reply
attributes:

[table, name, type, handle, use, data, userdata]

dump:
request
attributes:

[table, type]

reply
attributes:

[table, name, type, handle, use, data, userdata]

delobj¶

Delete an existing stateful object.

attribute-set:

obj-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[table, name, type, handle]

destroyobj¶

Delete an existing stateful object with destroy semantics.

attribute-set:

obj-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[table, name, type, handle]

newflowtable¶

Create a new flow table.

attribute-set:

flowtable-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[table, name, hook, flags]

getflowtable¶

Get / dump flow tables.

attribute-set:

flowtable-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[name, table]

reply
attributes:

[table, name, handle, use, flags, hook]

dump:
reply
attributes:

[table, name, handle, use, flags, hook]

delflowtable¶

Delete an existing flow table.

attribute-set:

flowtable-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[table, name, handle, hook]

destroyflowtable¶

Delete an existing flow table with destroy semantics.

attribute-set:

flowtable-attrs

fixed-header:

nfgenmsg

do:
request
attributes:

[table, name, handle, hook]

Multicast groups¶

  • mgmt

Definitions¶

nfgenmsg¶

type:

struct

members:
nfgen-family (u8):

version (u8):

res-id (u16):

meta-keys¶

type:

enum

entries:

  • len

  • protocol

  • priority

  • mark

  • iif

  • oif

  • iifname

  • oifname

  • iftype

  • oiftype

  • skuid

  • skgid

  • nftrace

  • rtclassid

  • secmark

  • nfproto

  • l4-proto

  • bri-iifname

  • bri-oifname

  • pkttype

  • cpu

  • iifgroup

  • oifgroup

  • cgroup

  • prandom

  • secpath

  • iifkind

  • oifkind

  • bri-iifpvid

  • bri-iifvproto

  • time-ns

  • time-day

  • time-hour

  • sdif

  • sdifname

  • bri-broute

bitwise-ops¶

type:

enum

entries:
mask-xor:

mask-and-xor operation used to implement NOT, AND, OR and XOR boolean operations

lshift:

rshift:

and:

or:

xor:

cmp-ops¶

type:

enum

entries:

  • eq

  • neq

  • lt

  • lte

  • gt

  • gte

object-type¶

type:

enum

entries:

  • unspec

  • counter

  • quota

  • ct-helper

  • limit

  • connlimit

  • tunnel

  • ct-timeout

  • secmark

  • ct-expect

  • synproxy

nat-range-flags¶

type:

flags

entries:

  • map-ips

  • proto-specified

  • proto-random

  • persistent

  • proto-random-fully

  • proto-offset

  • netmap

table-flags¶

type:

flags

entries:

  • dormant

  • owner

  • persist

chain-flags¶

type:

flags

entries:

  • base

  • hw-offload

  • binding

set-flags¶

type:

flags

entries:

  • anonymous

  • constant

  • interval

  • map

  • timeout

  • eval

  • object

  • concat

  • expr

set-elem-flags¶

type:

flags

entries:

  • interval-end

  • catchall

lookup-flags¶

type:

flags

entries:

  • invert

ct-keys¶

type:

enum

entries:

  • state

  • direction

  • status

  • mark

  • secmark

  • expiration

  • helper

  • l3protocol

  • src

  • dst

  • protocol

  • proto-src

  • proto-dst

  • labels

  • pkts

  • bytes

  • avgpkt

  • zone

  • eventmask

  • src-ip

  • dst-ip

  • src-ip6

  • dst-ip6

  • ct-id

ct-direction¶

type:

enum

entries:

  • original

  • reply

quota-flags¶

type:

flags

entries:

  • invert

  • depleted

verdict-code¶

type:

enum

entries:
continue:

break:

jump:

goto:

return:

drop:

accept:

stolen:

queue:

repeat:

fib-result¶

type:

enum

entries:

  • oif

  • oifname

  • addrtype

fib-flags¶

type:

flags

entries:

  • saddr

  • daddr

  • mark

  • iif

  • oif

  • present

reject-types¶

type:

enum

entries:

  • icmp-unreach

  • tcp-rst

  • icmpx-unreach

reject-inet-code¶

doc:

These codes are mapped to real ICMP and ICMPv6 codes.

type:

enum

entries:

  • icmpx-no-route

  • icmpx-port-unreach

  • icmpx-host-unreach

  • icmpx-admin-prohibited

payload-base¶

type:

enum

entries:

  • link-layer-header

  • network-header

  • transport-header

  • inner-header

  • tun-header

range-ops¶

doc:

Range operator

type:

enum

entries:

  • eq

  • neq

registers¶

doc:

nf_tables registers. nf_tables used to have five registers: a verdict register and four data registers of size 16. The data registers have been changed to 16 registers of size 4. For compatibility reasons, the NFT_REG_[1-4] registers still map to areas of size 16, the 4 byte registers are addressed using NFT_REG32_00 - NFT_REG32_15.

type:

enum

entries:
reg-verdict:

reg-1:

reg-2:

reg-3:

reg-4:

reg32-00:

reg32-01:

reg32-02:

reg32-03:

reg32-04:

reg32-05:

reg32-06:

reg32-07:

reg32-08:

reg32-09:

reg32-10:

reg32-11:

reg32-12:

reg32-13:

reg32-14:

reg32-15:

numgen-types¶

type:

enum

entries:

  • incremental

  • random

log-level¶

doc:

nf_tables log levels

type:

enum

entries:
emerg:

system is unusable

alert:

action must be taken immediately

crit:

critical conditions

err:

error conditions

warning:

warning conditions

notice:

normal but significant condition

info:

informational

debug:

debug-level messages

audit:

enabling audit logging

log-flags¶

doc:

nf_tables log flags

header:

linux/netfilter/nf_log.h

type:

flags

entries:
tcpseq:

Log TCP sequence numbers

tcpopt:

Log TCP options

ipopt:

Log IP options

uid:

Log UID owning local socket

nflog:

Unsupported, don’t reuse

macdecode:

Decode MAC header

Attribute sets¶

log-attrs¶

log expression netlink attributes

group (u16)¶

doc:

netlink group to send messages to

byte-order:

big-endian

prefix (string)¶

doc:

prefix to prepend to log messages

snaplen (u32)¶

doc:

length of payload to include in netlink message

byte-order:

big-endian

qthreshold (u16)¶

doc:

queue threshold

byte-order:

big-endian

level (u32)¶

doc:

log level

enum:

log-level

byte-order:

big-endian

flags (u32)¶

doc:

logging flags

enum:

log-flags

byte-order:

big-endian

numgen-attrs¶

nf_tables number generator expression netlink attributes

dreg (u32)¶

doc:

destination register

enum:

registers

modulus (u32)¶

doc:

maximum counter value

byte-order:

big-endian

type (u32)¶

doc:

operation type

byte-order:

big-endian

enum:

numgen-types

offset (u32)¶

doc:

offset to be added to the counter

byte-order:

big-endian

range-attrs¶

sreg (u32)¶

doc:

source register of data to compare

byte-order:

big-endian

enum:

registers

op (u32)¶

doc:

cmp operation

byte-order:

big-endian

enum:

range-ops

from-data (nest)¶

doc:

data range from

nested-attributes:

data-attrs

to-data (nest)¶

doc:

data range to

nested-attributes:

data-attrs

batch-attrs¶

genid (u32)¶

doc:

generation ID for this changeset

byte-order:

big-endian

table-attrs¶

name (string)¶

doc:

name of the table

flags (u32)¶

byte-order:

big-endian

doc:

bitmask of flags

enum:

table-flags

enum-as-flags:

True

use (u32)¶

byte-order:

big-endian

doc:

number of chains in this table

handle (u64)¶

byte-order:

big-endian

doc:

numeric handle of the table

pad (pad)¶

userdata (binary)¶

doc:

user data

owner (u32)¶

byte-order:

big-endian

doc:

owner of this table through netlink portID

chain-attrs¶

table (string)¶

doc:

name of the table containing the chain

handle (u64)¶

byte-order:

big-endian

doc:

numeric handle of the chain

name (string)¶

doc:

name of the chain

hook (nest)¶

nested-attributes:

nft-hook-attrs

doc:

hook specification for basechains

policy (u32)¶

byte-order:

big-endian

doc:

numeric policy of the chain

use (u32)¶

byte-order:

big-endian

doc:

number of references to this chain

type (string)¶

doc:

type name of the chain

counters (nest)¶

nested-attributes:

nft-counter-attrs

doc:

counter specification of the chain

flags (u32)¶

byte-order:

big-endian

doc:

chain flags

enum:

chain-flags

enum-as-flags:

True

id (u32)¶

byte-order:

big-endian

doc:

uniquely identifies a chain in a transaction

userdata (binary)¶

doc:

user data

counter-attrs¶

bytes (u64)¶

byte-order:

big-endian

packets (u64)¶

byte-order:

big-endian

pad (pad)¶

nft-hook-attrs¶

num (u32)¶

byte-order:

big-endian

priority (s32)¶

byte-order:

big-endian

dev (string)¶

doc:

net device name

devs (nest)¶

nested-attributes:

hook-dev-attrs

doc:

list of net devices

hook-dev-attrs¶

name (string)¶

multi-attr:

True

nft-counter-attrs¶

bytes (u64)¶

byte-order:

big-endian

packets (u64)¶

byte-order:

big-endian

rule-attrs¶

table (string)¶

doc:

name of the table containing the rule

chain (string)¶

doc:

name of the chain containing the rule

handle (u64)¶

byte-order:

big-endian

doc:

numeric handle of the rule

expressions (nest)¶

nested-attributes:

expr-list-attrs

doc:

list of expressions

compat (nest)¶

nested-attributes:

rule-compat-attrs

doc:

compatibility specifications of the rule

position (u64)¶

byte-order:

big-endian

doc:

numeric handle of the previous rule

userdata (binary)¶

doc:

user data

id (u32)¶

doc:

uniquely identifies a rule in a transaction

position-id (u32)¶

doc:

transaction unique identifier of the previous rule

chain-id (u32)¶

doc:

add the rule to chain by ID, alternative to chain name

expr-list-attrs¶

elem (nest)¶

nested-attributes:

expr-attrs

multi-attr:

True

expr-attrs¶

name (string)¶

doc:

name of the expression type

data (sub-message)¶

sub-message:

expr-ops

selector:

name

doc:

type specific data

rule-compat-attrs¶

proto (u32)¶

byte-order:

big-endian

doc:

numeric value of the handled protocol

flags (u32)¶

byte-order:

big-endian

doc:

bitmask of flags

set-attrs¶

table (string)¶

doc:

table name

name (string)¶

doc:

set name

flags (u32)¶

enum:

set-flags

byte-order:

big-endian

doc:

bitmask of enum nft_set_flags

key-type (u32)¶

byte-order:

big-endian

doc:

key data type, informational purpose only

key-len (u32)¶

byte-order:

big-endian

doc:

key data length

data-type (u32)¶

byte-order:

big-endian

doc:

mapping data type

data-len (u32)¶

byte-order:

big-endian

doc:

mapping data length

policy (u32)¶

byte-order:

big-endian

doc:

selection policy

desc (nest)¶

nested-attributes:

set-desc-attrs

doc:

set description

id (u32)¶

doc:

uniquely identifies a set in a transaction

timeout (u64)¶

doc:

default timeout value

gc-interval (u32)¶

doc:

garbage collection interval

userdata (binary)¶

doc:

user data

pad (pad)¶

obj-type (u32)¶

byte-order:

big-endian

doc:

stateful object type

handle (u64)¶

byte-order:

big-endian

doc:

set handle

expr (nest)¶

nested-attributes:

expr-attrs

doc:

set expression

multi-attr:

True

expressions (nest)¶

nested-attributes:

set-list-attrs

doc:

list of expressions

type (string)¶

doc:

set backend type

count (u32)¶

byte-order:

big-endian

doc:

number of set elements

set-desc-attrs¶

size (u32)¶

byte-order:

big-endian

doc:

number of elements in set

concat (nest)¶

nested-attributes:

set-desc-concat-attrs

doc:

description of field concatenation

multi-attr:

True

set-desc-concat-attrs¶

elem (nest)¶

nested-attributes:

set-field-attrs

set-field-attrs¶

len (u32)¶

byte-order:

big-endian

set-list-attrs¶

elem (nest)¶

nested-attributes:

expr-attrs

multi-attr:

True

setelem-attrs¶

key (nest)¶

nested-attributes:

data-attrs

doc:

key value

data (nest)¶

nested-attributes:

data-attrs

doc:

data value of mapping

flags (binary)¶

doc:

bitmask of nft_set_elem_flags

timeout (u64)¶

doc:

timeout value

expiration (u64)¶

doc:

expiration time

userdata (binary)¶

doc:

user data

expr (nest)¶

nested-attributes:

expr-attrs

doc:

expression

objref (string)¶

doc:

stateful object reference

key-end (nest)¶

nested-attributes:

data-attrs

doc:

closing key value

expressions (nest)¶

nested-attributes:

expr-list-attrs

doc:

list of expressions

setelem-list-elem-attrs¶

elem (nest)¶

nested-attributes:

setelem-attrs

multi-attr:

True

setelem-list-attrs¶

table (string)¶

set (string)¶

elements (nest)¶

nested-attributes:

setelem-list-elem-attrs

set-id (u32)¶

gen-attrs¶

id (u32)¶

byte-order:

big-endian

doc:

ruleset generation id

proc-pid (u32)¶

byte-order:

big-endian

proc-name (string)¶

obj-attrs¶

table (string)¶

doc:

name of the table containing the expression

name (string)¶

doc:

name of this expression type

type (u32)¶

enum:

object-type

byte-order:

big-endian

doc:

stateful object type

data (sub-message)¶

sub-message:

obj-data

selector:

type

doc:

stateful object data

use (u32)¶

byte-order:

big-endian

doc:

number of references to this expression

handle (u64)¶

byte-order:

big-endian

doc:

object handle

pad (pad)¶

userdata (binary)¶

doc:

user data

quota-attrs¶

bytes (u64)¶

byte-order:

big-endian

flags (u32)¶

byte-order:

big-endian

enum:

quota-flags

pad (pad)¶

consumed (u64)¶

byte-order:

big-endian

flowtable-attrs¶

table (string)¶

name (string)¶

hook (nest)¶

nested-attributes:

flowtable-hook-attrs

use (u32)¶

byte-order:

big-endian

handle (u64)¶

byte-order:

big-endian

pad (pad)¶

flags (u32)¶

byte-order:

big-endian

flowtable-hook-attrs¶

num (u32)¶

byte-order:

big-endian

priority (u32)¶

byte-order:

big-endian

devs (nest)¶

nested-attributes:

hook-dev-attrs

expr-bitwise-attrs¶

The bitwise expression supports boolean and shift operations. It implements the boolean operations by performing the following operation:

dreg = (sreg & mask) ^ xor

with these mask and xor values:

op      mask    xor
----    ----    ---
NOT:     1       1
OR:     ~x       x
XOR:     1       x
AND:     x       0

sreg (u32)¶

byte-order:

big-endian

dreg (u32)¶

byte-order:

big-endian

len (u32)¶

byte-order:

big-endian

mask (nest)¶

nested-attributes:

data-attrs

xor (nest)¶

nested-attributes:

data-attrs

op (u32)¶

byte-order:

big-endian

enum:

bitwise-ops

data (nest)¶

nested-attributes:

data-attrs

expr-cmp-attrs¶

sreg (u32)¶

byte-order:

big-endian

op (u32)¶

byte-order:

big-endian

enum:

cmp-ops

data (nest)¶

nested-attributes:

data-attrs

data-attrs¶

value (binary)¶

verdict (nest)¶

nested-attributes:

verdict-attrs

verdict-attrs¶

code (u32)¶

doc:

nf_tables verdict

byte-order:

big-endian

enum:

verdict-code

chain (string)¶

doc:

jump target chain name

chain-id (u32)¶

doc:

jump target chain ID

byte-order:

big-endian

expr-counter-attrs¶

bytes (u64)¶

byte-order:

big-endian

doc:

Number of bytes

packets (u64)¶

byte-order:

big-endian

doc:

Number of packets

pad (pad)¶

expr-fib-attrs¶

dreg (u32)¶

byte-order:

big-endian

result (u32)¶

byte-order:

big-endian

enum:

fib-result

flags (u32)¶

byte-order:

big-endian

enum:

fib-flags

expr-ct-attrs¶

dreg (u32)¶

byte-order:

big-endian

key (u32)¶

byte-order:

big-endian

enum:

ct-keys

direction (u8)¶

enum:

ct-direction

sreg (u32)¶

byte-order:

big-endian

expr-flow-offload-attrs¶

name (string)¶

doc:

Flow offload table name

expr-immediate-attrs¶

dreg (u32)¶

byte-order:

big-endian

data (nest)¶

nested-attributes:

data-attrs

expr-lookup-attrs¶

set (string)¶

doc:

Name of set to use

set-id (u32)¶

byte-order:

big-endian

doc:

ID of set to use

sreg (u32)¶

byte-order:

big-endian

dreg (u32)¶

byte-order:

big-endian

flags (u32)¶

byte-order:

big-endian

enum:

lookup-flags

expr-masq-attrs¶

flags (u32)¶

byte-order:

big-endian

enum:

nat-range-flags

enum-as-flags:

True

reg-proto-min (u32)¶

byte-order:

big-endian

enum:

registers

reg-proto-max (u32)¶

byte-order:

big-endian

enum:

registers

expr-meta-attrs¶

dreg (u32)¶

byte-order:

big-endian

key (u32)¶

byte-order:

big-endian

enum:

meta-keys

sreg (u32)¶

byte-order:

big-endian

expr-nat-attrs¶

type (u32)¶

byte-order:

big-endian

family (u32)¶

byte-order:

big-endian

reg-addr-min (u32)¶

byte-order:

big-endian

reg-addr-max (u32)¶

byte-order:

big-endian

reg-proto-min (u32)¶

byte-order:

big-endian

reg-proto-max (u32)¶

byte-order:

big-endian

flags (u32)¶

byte-order:

big-endian

enum:

nat-range-flags

enum-as-flags:

True

expr-payload-attrs¶

nf_tables payload expression netlink attributes

dreg (u32)¶

doc:

destination register to load data into

byte-order:

big-endian

enum:

registers

base (u32)¶

doc:

payload base

enum:

payload-base

byte-order:

big-endian

offset (u32)¶

doc:

payload offset relative to base

byte-order:

big-endian

len (u32)¶

doc:

payload length

byte-order:

big-endian

sreg (u32)¶

doc:

source register to load data from

byte-order:

big-endian

enum:

registers

csum-type (u32)¶

doc:

checksum type

byte-order:

big-endian

csum-offset (u32)¶

doc:

checksum offset relative to base

byte-order:

big-endian

csum-flags (u32)¶

doc:

checksum flags

byte-order:

big-endian

expr-reject-attrs¶

type (u32)¶

byte-order:

big-endian

enum:

reject-types

icmp-code (u8)¶

expr-target-attrs¶

name (string)¶

rev (u32)¶

byte-order:

big-endian

info (binary)¶

expr-tproxy-attrs¶

family (u32)¶

byte-order:

big-endian

reg-addr (u32)¶

byte-order:

big-endian

reg-port (u32)¶

byte-order:

big-endian

expr-objref-attrs¶

imm-type (u32)¶

byte-order:

big-endian

imm-name (string)¶

doc:

object name

set-sreg (u32)¶

byte-order:

big-endian

set-name (string)¶

doc:

name of object map

set-id (u32)¶

byte-order:

big-endian

doc:

id of object map

compat-target-attrs¶

name (string)¶

rev (u32)¶

byte-order:

big-endian

info (binary)¶

compat-match-attrs¶

name (string)¶

rev (u32)¶

byte-order:

big-endian

info (binary)¶

compat-attrs¶

name (string)¶

rev (u32)¶

byte-order:

big-endian

type (u32)¶

byte-order:

big-endian

Sub-messages¶

expr-ops¶

  • bitwise
    attribute-set:

    expr-bitwise-attrs

  • cmp
    attribute-set:

    expr-cmp-attrs

  • counter
    attribute-set:

    expr-counter-attrs

  • ct
    attribute-set:

    expr-ct-attrs

  • fib
    attribute-set:

    expr-fib-attrs

  • flow_offload
    attribute-set:

    expr-flow-offload-attrs

  • immediate
    attribute-set:

    expr-immediate-attrs

  • log
    attribute-set:

    log-attrs

  • lookup
    attribute-set:

    expr-lookup-attrs

  • match
    attribute-set:

    compat-match-attrs

  • meta
    attribute-set:

    expr-meta-attrs

  • nat
    attribute-set:

    expr-nat-attrs

  • numgen
    attribute-set:

    numgen-attrs

  • objref
    attribute-set:

    expr-objref-attrs

  • payload
    attribute-set:

    expr-payload-attrs

  • quota
    attribute-set:

    quota-attrs

  • range
    attribute-set:

    range-attrs

  • reject
    attribute-set:

    expr-reject-attrs

  • target
    attribute-set:

    expr-target-attrs

  • tproxy
    attribute-set:

    expr-tproxy-attrs

obj-data¶

  • counter
    attribute-set:

    counter-attrs

  • quota
    attribute-set:

    quota-attrs

©The kernel development community. | Powered by Sphinx 7.4.7 & Alabaster 0.7.16 | Page source