NAME
    nft - Administration tool of the nftables framework for packet filtering and classification

DESCRIPTION
    nft is the command line tool used to set up, maintain and inspect packet filtering and classification rules in the Linux kernel, in the nftables framework. The Linux kernel subsystem is known as nf_tables, and 'nf' stands for Netfilter.

OPTIONS
    For a full summary of options, run nft --help.

    -s, --stateless
        Omit stateful information of rules and stateful objects.

    -N, --reversedns
        Translate IP addresses to names via reverse DNS lookup. This may slow down your listing since it generates network traffic.

    -S, --service
        Translate ports to service names as defined by /etc/services.

    -u, --guid
        Translate numeric UID/GID to names as defined by /etc/passwd and /etc/group.

    -c, --check
        Check command validity without actually applying the changes.

    -j, --json
        Format output in JSON. See libnftables-json(5) for a schema description.

    -e, --echo
        When inserting items into the ruleset using

    -I, --includepath directory
        Add directory to the list of directories to be searched for included files. This option may be specified multiple times.

    -i, --interactive
        Read input from an interactive readline CLI. You can use quit to exit, or use the EOF marker, normally this is CTRL-D.

    -T, --numeric-time
        Show time, day and hour values in numeric format.

INPUT FILE FORMATS

  LEXICAL CONVENTIONS
    When the last character of a line, just before the newline character, is a non-quoted backslash (\), the next line is treated as a continuation. Multiple commands on the same line can be separated using a semicolon (;).

    A hash sign (#) begins a comment. All following characters on the same line are ignored.

    Identifiers begin with an alphabetic character (a-z, A-Z), followed by zero or more alphanumeric characters (a-z, A-Z, 0-9) and the characters slash (/), backslash (\), underscore (_) and dot (.). Identifiers using different characters or clashing with a keyword need to be enclosed in double quotes (").

  INCLUDE FILES
    Other files can be included by using the include statement. The directories to be searched for include files can be specified using the -I/--includepath option. You can override this behaviour either by prepending './' to your path to force inclusion of files located in the current working directory (i.e. a relative path) or '/' for a file location expressed as an absolute path. If -I/--includepath is not specified, then nft relies on the default directory that is specified at compile time. You can retrieve this default directory via the -h/--help option.

    Include statements support the usual shell wildcard symbols (*, ?, []). Having no matches for an include statement is not an error if wildcard symbols are used in the include statement. This allows having potentially empty include directories for statements like include "/etc/firewall/rules/*". The wildcard matches are loaded in alphabetical order. Files beginning with a dot (.) are not matched by include statements.

  SYMBOLIC VARIABLES
    Symbolic variables can be defined using the define statement. Variable references are expressions and can be used to initialize other variables. The scope of a definition is the current block and all blocks contained within.

ADDRESS FAMILIES
    Address families determine the type of packets which are processed. For each address family, the kernel contains so called hooks at specific stages of the packet processing paths, which invoke nftables if rules for these hooks exist.

    ip      IPv4 address family.
    ip6     IPv6 address family.
    inet    Internet (IPv4/IPv6) address family.
    arp     ARP address family, handling IPv4 ARP packets.
    bridge  Bridge address family, handling packets which traverse a bridge device.
    netdev  Netdev address family, handling packets from ingress.

    All nftables objects exist in address family specific namespaces, therefore all identifiers include an address family. If an identifier is specified without an address family, the ip family is used by default.

  IPV4/IPV6/INET ADDRESS FAMILIES
    The IPv4/IPv6/Inet address families handle IPv4, IPv6 or both types of packets. They contain five hooks at different packet processing stages in the network stack.

    Table 1. IPv4/IPv6/Inet address family hooks

    Hook         Description
    prerouting   All packets entering the system are processed by the prerouting hook. It is invoked before the routing process and is used for early filtering or changing packet attributes that affect routing.
    input        Packets delivered to the local system are processed by the input hook.
    forward      Packets forwarded to a different host are processed by the forward hook.
    output       Packets sent by local processes are processed by the output hook.
    postrouting  All packets leaving the system are processed by the postrouting hook.

  ARP ADDRESS FAMILY
    The ARP address family handles ARP packets received and sent by the system. It is commonly used to mangle ARP packets for clustering. Packets sent by the local system are processed by the output hook.

  BRIDGE ADDRESS FAMILY
    The bridge address family handles Ethernet packets traversing bridge devices.
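A main ruleset file, as an added example that is not from the nft man page or the nftables project, putting the lexical conventions, wildcard includes and variable scoping above to work in one file. The interface name, the addresses and ports, and the /etc/firewall/rules.d/ include directory are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example, not from the nft man page or the nftables project: a main
# ruleset file that exercises the lexical rules, include handling and
# variable scoping. The interface name, addresses, ports and the include
# directory are assumptions chosen for illustration.

flush ruleset; add table inet filter    # two commands on one line, split by ';'

# Top-level definitions are visible in every block that follows, including
# the files pulled in by the include statement below.
define wan_if = "eth0"
define mgmt_ports = { 22, 443 }
define admin_v4 = { 192.0.2.0/24, 198.51.100.0/24 }
# A variable reference is an expression, so it can initialise another variable.
define trusted_v4 = $admin_v4

# Wildcard include: no match is not an error, so an empty rules.d/ loads
# cleanly. Matches are applied in alphabetical order (10-*.nft before
# 20-*.nft) and dotfiles such as .99-draft.nft are skipped. A path without a
# leading "./" or "/" would instead be searched in the -I/--includepath
# directories (or the compiled-in default shown by nft --help).
include "/etc/firewall/rules.d/*.nft"

table inet filter {
    # Scoped to this table block and the chains inside it; another table in
    # this file could not reference $local_ports.
    define local_ports = { 80, 443 }

    # A name containing a character outside a-z A-Z 0-9 / \ _ . (here a
    # hyphen) must be quoted, as must a name that collides with a keyword.
    set "mgmt-hosts" {
        type ipv4_addr
        flags interval
        elements = $trusted_v4
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Management access only from the trusted set and only on the WAN
        # interface; the rule continues on the next line after the trailing,
        # unquoted backslash.
        iifname $wan_if tcp dport $mgmt_ports \
            ip saddr @"mgmt-hosts" accept

        tcp dport $local_ports accept
        counter drop    # everything else, counted for troubleshooting
    }
}
```

Validate before applying with the check option from the option list, nft -c -f /etc/nftables.conf, which parses the file (including every matched include) without touching the kernel ruleset; then load it with nft -f. Because a wildcard include pulls in whatever matches, the include directory must be writable only by root: any file dropped there becomes part of the ruleset, and, since matches load alphabetically, a later file can silently override policy set by an earlier one.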
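A second added example, not from the nft man page or the nftables project, with one chain per hook across the inet, arp and netdev families, to show at which point of the packet path each chain sees traffic. The device names, addresses, the cluster virtual IP and its MAC are assumptions chosen for illustration, and the ARP mangling rule assumes a clustering setup where this host advertises a shared MAC.

```nft
#!/usr/sbin/nft -f
# Added example, not from the nft man page or the nftables project: one chain
# per hook across the inet, arp and netdev families. Device names, addresses
# and the cluster MAC are assumptions chosen for illustration.

flush ruleset

# inet chains see both IPv4 and IPv6 and expose the five hooks of Table 1.
# The family is part of every identifier: "table filter" on its own means
# "table ip filter", a different, IPv4-only table.
table inet hooks {
    chain pre {
        # Before the routing decision: early drops and marks that influence
        # routing belong here; the kernel has not yet decided whether the
        # packet is local or forwarded.
        type filter hook prerouting priority -150; policy accept;
        iifname != "lo" ip saddr 127.0.0.0/8 counter drop   # spoofed loopback source
    }
    chain in {
        # Only packets addressed to this host (a local socket) reach input.
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        tcp dport 22 accept
    }
    chain fwd {
        # Only packets routed on to another host; traffic to or from local
        # processes never traverses forward.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "lan0" oifname "eth0" accept
    }
    chain out {
        # Packets generated by local processes.
        type filter hook output priority 0; policy accept;
        oifname "eth0" udp dport 53 counter   # observe outbound DNS from this host
    }
    chain post {
        # The last hook for everything leaving the box, forwarded or local,
        # and the usual place for source NAT (inet-family NAT; older kernels
        # need separate ip and ip6 nat tables).
        type nat hook postrouting priority 100; policy accept;
        oifname "eth0" masquerade
    }
}

# arp lives in its own namespace: an inet table cannot match ARP frames.
table arp cluster {
    chain out {
        # ARP sent by this host. Rewrite the sender MAC in replies for the
        # cluster's virtual IP so peers learn the shared address; the IP and
        # MAC are assumed values for an assumed clustering setup.
        type filter hook output priority 0; policy accept;
        arp operation reply arp saddr ip 192.0.2.10 \
            arp saddr ether set 00:00:5e:00:01:01
    }
}

# netdev attaches to one device at ingress, before any ip/ip6/inet hook
# runs, which makes it the cheapest place to drop junk arriving on the WAN.
table netdev early {
    chain ingress_eth0 {
        type filter hook ingress device "eth0" priority -500; policy accept;
        ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } counter drop
    }
}
```

After nft -f, nft list ruleset shows the three tables side by side with their families; nft -s list ruleset omits the counter values, which is the form to keep under version control. Listing with nft list table hooks would fail, because without a family the name resolves to ip hooks, which this file never creates.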