### libnftables JSON Schema: Command Objects (Example)

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Illustrates how standard nftables CLI commands are translated into JSON format for libnftables. This example shows 'flush ruleset', 'add table', 'add chain', and 'add rule' commands.

```json
{
  "nftables": [
    { "flush": { "ruleset": null } },
    { "add": { "table": { "family": "inet", "name": "mytable" } } },
    { "add": { "chain": { "family": "inet", "table": "mytable", "name": "mychain" } } },
    { "add": { "rule": {
        "family": "inet",
        "table": "mytable",
        "chain": "mychain",
        "expr": [
          { "match": {
              "op": "==",
              "left": { "payload": { "protocol": "tcp", "field": "dport" } },
              "right": 22
          } },
          { "accept": null }
        ]
    } } }
  ]
}
```

--------------------------------

### libnftables JSON Schema: Create Command

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Outlines the JSON structure for the 'create' command in libnftables. Similar to 'add', but returns an error if the element already exists.

```json
{ "create": _ADD_OBJECT_ }
```

--------------------------------

### List RuleSet Elements with JSON

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Lists ruleset elements using JSON. Supports listing various elements like tables, chains, sets, maps, counters, quotas, limits, meters, flowtables, and expectations. Plural forms list all objects of a kind, optionally filtered by family and table.
```json
{ "list": _LIST_OBJECT_ }

_LIST_OBJECT_ := _TABLE_ | _TABLES_ | _CHAIN_ | _CHAINS_ | _SET_ | _SETS_ | _MAP_ | _MAPS_ | _COUNTER_ | _COUNTERS_ | _QUOTA_ | _QUOTAS_ | _CT_HELPER_ | _CT_HELPERS_ | _LIMIT_ | _LIMITS_ | _RULESET_ | _METER_ | _METERS_ | _FLOWTABLE_ | _FLOWTABLES_ | _CT_TIMEOUT_ | _CT_EXPECTATION_
```

--------------------------------

### libnftables JSON Schema: Metainfo Object

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Defines the structure for the metainfo object in libnftables JSON output. This object includes version, release name, and JSON schema version information.

```json
{ "metainfo": { "version": _STRING_, "release_name": _STRING_, "json_schema_version": _NUMBER_ } }
```

--------------------------------

### Ruleset Manipulation Commands

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Commands for adding, deleting, listing, resetting, flushing, and renaming elements within the ruleset.

#### INSERT

```json
{ "insert": _RULE_ }
```

This command is identical to **add** for rules, but instead of appending the rule to the chain by default, it inserts at first position. If a **handle** or **index** property is given, the rule is inserted before the rule identified by those properties.

#### DELETE

```json
{ "delete": _ADD_OBJECT_ }
```

Delete an object from the ruleset. Only the minimal number of properties required to uniquely identify an object is generally needed in _ADD_OBJECT_. For most ruleset elements, this is **family** and **table** plus either **handle** or **name** (except rules, since they don't have a name).

#### LIST

```json
{ "list": _LIST_OBJECT_ }

_LIST_OBJECT_ := _TABLE_ | _TABLES_ | _CHAIN_ | _CHAINS_ | _SET_ | _SETS_ | _MAP_ | _MAPS_ | _COUNTER_ | _COUNTERS_ | _QUOTA_ | _QUOTAS_ | _CT_HELPER_ | _CT_HELPERS_ | _LIMIT_ | _LIMITS_ | _RULESET_ | _METER_ | _METERS_ | _FLOWTABLE_ | _FLOWTABLES_ | _CT_TIMEOUT_ | _CT_EXPECTATION_
```

List ruleset elements. The plural forms are used to list all objects of that kind, optionally filtered by **family** and, for some, also **table**.

#### RESET

```json
{ "reset": _RESET_OBJECT_ }

_RESET_OBJECT_ := _COUNTER_ | _COUNTERS_ | _QUOTA_ | _QUOTAS_ | _RULE_ | _RULES_ | _SET_ | _MAP_ | _ELEMENT_
```

Reset state in suitable objects, i.e. zero their internal counter.

#### FLUSH

```json
{ "flush": _FLUSH_OBJECT_ }

_FLUSH_OBJECT_ := _TABLE_ | _CHAIN_ | _SET_ | _MAP_ | _METER_ | _RULESET_
```

Empty contents in the given object, e.g. remove all chains from the given **table** or remove all elements from the given **set**.

#### RENAME

```json
{ "rename": _CHAIN_ }
```

Rename a chain. The new name is expected in a dedicated property named **newname**.

--------------------------------

### Verdict Actions JSON Format

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Specifies the JSON format for verdict actions such as accept, drop, continue, return, jump, and goto. Jump and goto verdicts require a target chain name.

```json
{ "accept": null }
{ "drop": null }
{ "continue": null }
{ "return": null }
{ "jump": { "target": _STRING_ } }
{ "goto": { "target": _STRING_ } }
```

--------------------------------

### Immediate Values in libnftables

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Represents basic, constant values within libnftables expressions. Supports strings, numbers, and booleans. Special string formats allow for set references (@STRING) and wildcard expressions (*).
```json
_STRING_
_NUMBER_
_BOOLEAN_
```

--------------------------------

### Meter Application with libnftables JSON

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

The 'meter' object applies a statement using a meter. It requires the meter 'name', a 'key' for lookup, and the 'stmt' to execute.

```json
{ "meter": { "name": _STRING_, "key": _EXPRESSION_, "stmt": _STATEMENT_ } }
```

--------------------------------

### Packet Queuing with libnftables JSON

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

The 'queue' object sends packets to userspace. It requires a queue 'num' and optional 'flags' like 'bypass' or 'fanout'.

```json
{ "queue": { "num": _EXPRESSION_, "flags": _FLAGS_ } }
```

--------------------------------

### libnftables JSON Schema: Add Command

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Specifies the JSON structure for the 'add' command in libnftables. This command is used to add various ruleset elements like tables, chains, and rules.

```json
{ "add": _ADD_OBJECT_ }
```

--------------------------------

### Connection Tracking Helper with libnftables JSON

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

The 'ct helper' object enables a specified conntrack helper for a packet. It requires a reference to the CT helper.

```json
{ "ct helper": _EXPRESSION_ }
```

--------------------------------

### Routing Data Reference in libnftables

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Creates a reference to packet routing data. It requires a 'key' (e.g., 'classid', 'nexthop') and optionally a 'family' ('ip' or 'ip6').
```json
{ "rt": { "key": _RT_KEY_, "family": _RT_FAMILY_ } }

_RT_KEY_ := "classid" | "nexthop" | "mtu"
_RT_FAMILY_ := "ip" | "ip6"
```

--------------------------------

### Packet Logging with libnftables JSON

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

The 'log' object captures packet information for logging purposes. It supports options for prefix, group, snaplen, queue threshold, log level, and flags.

```json
{ "log": {
    "prefix": _STRING_,
    "group": _NUMBER_,
    "snaplen": _NUMBER_,
    "queue-threshold": _NUMBER_,
    "level": _LEVEL_,
    "flags": _FLAGS_
} }
```

--------------------------------

### libnftables JSON API: Verdicts

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Verdicts in the libnftables JSON API terminate packet traversal or delegate to other chains. Supported verdicts include accept, drop, continue, return, jump, and goto. 'jump' and 'goto' require a target chain name.

```json
{ "accept": null }
{ "drop": null }
{ "continue": null }
{ "return": null }
{ "jump": { "target": _STRING_ } }
{ "goto": { "target": _STRING_ } }
```

--------------------------------

### Conntrack Helper Object Schema

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Defines a conntrack helper, which assists in tracking network connections. It specifies the family, table, name, handle, type, protocol, and layer 3 protocol. This is crucial for stateful firewalling.

```json
{ "ct helper": {
    "family": _STRING_,
    "table": _STRING_,
    "name": _STRING_,
    "handle": _NUMBER_,
    "type": _STRING_,
    "protocol": _CTH_PROTO_,
    "l3proto": _STRING_
} }

_CTH_PROTO_ := "tcp" | "udp"
```

--------------------------------

### List Expressions in libnftables

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Constructs a list by combining an arbitrary number of other expressions.
This is represented as a JSON array containing the individual expressions.

```json
_ARRAY_
```

--------------------------------

### Insert Rule with JSON

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Inserts a rule into a chain using JSON. Unlike 'add', which appends, 'insert' places the rule at the first position of the chain by default; if a handle or index is given, the rule is inserted before the rule identified by it.

```json
{ "insert": _RULE_ }
```

--------------------------------

### Meta Data Reference in libnftables

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Creates a reference to packet meta-data. The 'key' property specifies which meta-data item to access, such as packet length, protocol, or interface names.

```json
{ "meta": { "key": _META_KEY_ } }

_META_KEY_ := "length" | "protocol" | "priority" | "random" | "mark" | "iif" | "iifname" | "iiftype" | "oif" | "oifname" | "oiftype" | "skuid" | "skgid" | "nftrace" | "rtclassid" | "ibriport" | "obriport" | "ibridgename" | "obridgename" | "pkttype" | "cpu" | "iifgroup" | "oifgroup" | "cgroup" | "nfproto" | "l4proto" | "secpath"
```

--------------------------------

### Connection Tracking Expectation with libnftables JSON

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

The 'ct expectation' object assigns a connection tracking expectation. It requires a reference to the CT expectation.

```json
{ "ct expectation": _EXPRESSION_ }
```

--------------------------------

### Set Manipulation with libnftables JSON

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

The 'set' object allows dynamic addition or update of elements within a set. It requires an 'op' ('add' or 'update'), the 'elem' to manipulate, and the 'set' reference.
```json
{ "set": { "op": _STRING_, "elem": _EXPRESSION_, "set": _STRING_ } }
```

--------------------------------

### Ruleset Element Objects

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Definitions for the JSON objects representing tables, chains, and rules within the ruleset.

#### TABLE

```json
{ "table": {
    "family": _STRING_,
    "name": _STRING_,
    "handle": _NUMBER_,
    "flags": _TABLE_FLAGS_
} }

_TABLE_FLAGS_ := _TABLE_FLAG_ | [ _TABLE_FLAG_LIST_ ]
_TABLE_FLAG_LIST_ := _TABLE_FLAG_ [, _TABLE_FLAG_LIST_ ]
_TABLE_FLAG_ := "dormant" | "owner" | "persist"
```

This object describes a table.

- **family**: The table's family, e.g. **"ip"** or **"ip6"**.
- **name**: The table's name.
- **handle**: The table's handle. In input, it is used only in the **delete** command as an alternative to **name**.
- **flags**: The table's flags.

#### CHAIN

```json
{ "chain": {
    "family": _STRING_,
    "table": _STRING_,
    "name": _STRING_,
    "newname": _STRING_,
    "handle": _NUMBER_,
    "type": _STRING_,
    "hook": _STRING_,
    "prio": _NUMBER_,
    "dev": _STRING_,
    "policy": _STRING_
} }
```

This object describes a chain.

- **family**: The table's family.
- **table**: The table's name.
- **name**: The chain's name.
- **handle**: The chain's handle. In input, it is used only in the **delete** command as an alternative to **name**.
- **newname**: A new name for the chain, only relevant in the **rename** command.

The following properties are required for base chains:

- **type**: The chain's type.
- **hook**: The chain's hook.
- **prio**: The chain's priority.
- **dev**: The chain's bound interface (if in the netdev family).
- **policy**: The chain's policy.

#### RULE

```json
{ "rule": {
    "family": _STRING_,
    "table": _STRING_,
    "chain": _STRING_,
    "expr": [ _STATEMENTS_ ],
    "handle": _NUMBER_,
    "index": _NUMBER_,
    "comment": _STRING_
} }

_STATEMENTS_ := _STATEMENT_ [, _STATEMENTS_ ]
```

This object describes a rule. Basic building blocks of rules are statements. Each rule consists of at least one.

- **family**: The table's family.
- **table**: The table's name.
- **chain**: The chain's name.
- **expr**: An array of statements this rule consists of. In input, it is used in **add**/**insert**/**replace** commands only.
- **handle**: The rule's handle. In **delete**/**replace** commands, it serves as an identifier of the rule to delete/replace. In **add**/**insert** commands, it serves as an identifier of an existing rule to append/prepend the rule to.
- **index**: The rule's position for **add**/**insert** commands. It is used as an alternative to **handle** then.
- **comment**: Optional rule comment.

--------------------------------

### Rule Object Structure

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Defines the JSON structure for a rule object, specifying family, table, chain, handle, index, and an array of statements ('expr'). Includes an optional comment field.

```json
{ "rule": {
    "family": _STRING_,
    "table": _STRING_,
    "chain": _STRING_,
    "expr": [ _STATEMENTS_ ],
    "handle": _NUMBER_,
    "index": _NUMBER_,
    "comment": _STRING_
} }

_STATEMENTS_ := _STATEMENT_ [, _STATEMENTS_ ]
```

--------------------------------

### OSF JSON Format for OS Fingerprinting

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Defines the JSON structure for performing OS fingerprinting. Supports matching the OS name and configuring how the packet's TTL value is compared using the 'loose' or 'skip' options.
```json
{ "osf": { "key": _OSF_KEY_, "ttl": _OSF_TTL_ } }

_OSF_KEY_ := "name"
_OSF_TTL_ := "loose" | "skip"
```

--------------------------------

### libnftables JSON: Set and Map Object Structure

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Defines the JSON structure for representing network sets and maps in libnftables. Includes properties like family, table, name, type, policy, flags, elements, and timeouts. Maps are a specialization of sets for key-value translation.

```json
{ "set": {
    "family": _STRING_,
    "table": _STRING_,
    "name": _STRING_,
    "handle": _NUMBER_,
    "type": _SET_TYPE_,
    "policy": _SET_POLICY_,
    "flags": [ _SET_FLAG_LIST_ ],
    "elem": _SET_ELEMENTS_,
    "timeout": _NUMBER_,
    "gc-interval": _NUMBER_,
    "size": _NUMBER_,
    "auto-merge": _BOOLEAN_
} }

{ "map": {
    "family": _STRING_,
    "table": _STRING_,
    "name": _STRING_,
    "handle": _NUMBER_,
    "type": _SET_TYPE_,
    "map": _STRING_,
    "policy": _SET_POLICY_,
    "flags": [ _SET_FLAG_LIST_ ],
    "elem": _SET_ELEMENTS_,
    "timeout": _NUMBER_,
    "gc-interval": _NUMBER_,
    "size": _NUMBER_,
    "auto-merge": _BOOLEAN_
} }
```

--------------------------------

### Prefix Expression in libnftables

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Constructs an IPv4 or IPv6 prefix. It requires an address part ('addr') and a prefix length ('len').

```json
{ "prefix": { "addr": _EXPRESSION_, "len": _NUMBER_ } }
```

--------------------------------

### Limit Object Schema

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Represents a rate limit configuration. It includes parameters for family, table, name, handle, rate, time period (per), burst capacity, unit (packets or bytes), and an inversion flag. Used for traffic shaping and rate control.
```json
{ "limit": {
    "family": _STRING_,
    "table": _STRING_,
    "name": _STRING_,
    "handle": _NUMBER_,
    "rate": _NUMBER_,
    "per": _STRING_,
    "burst": _NUMBER_,
    "unit": _LIMIT_UNIT_,
    "inv": _BOOLEAN_
} }

_LIMIT_UNIT_ := "packets" | "bytes"
```

--------------------------------

### Map Expression in libnftables

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Maps a key to a corresponding value or target. It requires a 'key' expression and a 'data' expression within a nested object structure.

```json
{ "map": { "key": _EXPRESSION_, "data": _EXPRESSION_ } }
```

--------------------------------

### libnftables JSON Schema: Replace Command

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Defines the JSON structure for the 'replace' command in libnftables, used for modifying existing rules. The 'handle' property is mandatory to identify the rule being replaced.

```json
{ "replace": _RULE_ }
```

--------------------------------

### Binary Operations JSON Format

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Defines the JSON format for binary operations like bitwise OR, XOR, AND, left shift, and right shift. Each operation expects an array with at least two expressions.

```json
{ "|": [ _EXPRESSION_, _EXPRESSIONS_ ] }
{ "^": [ _EXPRESSION_, _EXPRESSIONS_ ] }
{ "&": [ _EXPRESSION_, _EXPRESSIONS_ ] }
{ "<<": [ _EXPRESSION_, _EXPRESSIONS_ ] }
{ ">>": [ _EXPRESSION_, _EXPRESSIONS_ ] }

_EXPRESSIONS_ := _EXPRESSION_ | _EXPRESSION_ "," _EXPRESSIONS_
```

--------------------------------

### libnftables JSON API: Match Expressions

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

The 'match' object compares a left-hand side expression (packet data) with a right-hand side expression (constant value) using a specified operator. If the comparison is true, the rule proceeds; otherwise, it moves to the next rule.
The 'op' parameter is mandatory.

```json
{ "match": { "left": _EXPRESSION_, "right": _EXPRESSION_, "op": _STRING_ } }
```

--------------------------------

### ELEM JSON Format for Explicit Element Object

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Defines the JSON structure for explicitly setting an element object, allowing for optional timeout, expiry, and comment fields. Otherwise, it can be replaced by the value of 'val'.

```json
{ "elem": { "val": _EXPRESSION_, "timeout": _NUMBER_, "expires": _NUMBER_, "comment": _STRING_ } }
```

--------------------------------

### Reset Object State with JSON

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Resets the state of suitable objects, such as zeroing their internal counters, using JSON. Applicable objects include counters, quotas, rules, sets, and maps.

```json
{ "reset": _RESET_OBJECT_ }

_RESET_OBJECT_ := _COUNTER_ | _COUNTERS_ | _QUOTA_ | _QUOTAS_ | _RULE_ | _RULES_ | _SET_ | _MAP_ | _ELEMENT_
```

--------------------------------

### Verdict Mapping with libnftables JSON

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

The 'vmap' object applies a verdict conditionally based on a key. It requires a 'key' for matching and 'data' which contains value/verdict pairs.

```json
{ "vmap": { "key": _EXPRESSION_, "data": _EXPRESSION_ } }
```

--------------------------------

### Chain Object Structure

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Defines the JSON structure for a chain object, including family, table, name, handle, and optional properties like type, hook, prio, dev, and policy. 'newname' is used for renaming.
```json
{ "chain": {
    "family": _STRING_,
    "table": _STRING_,
    "name": _STRING_,
    "newname": _STRING_,
    "handle": _NUMBER_,
    "type": _STRING_,
    "hook": _STRING_,
    "prio": _NUMBER_,
    "dev": _STRING_,
    "policy": _STRING_
} }
```

--------------------------------

### SOCKET JSON Format for Packet Socket Reference

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Specifies the JSON format for constructing a reference to a packet's socket. Currently, only the key 'transparent' is supported.

```json
{ "socket": { "key": _SOCKET_KEY_ } }

_SOCKET_KEY_ := "transparent"
```

--------------------------------

### Connection Tracking Timeout Policy with libnftables JSON

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

The 'ct timeout' object assigns a connection tracking timeout policy. It requires a reference to the CT timeout policy.

```json
{ "ct timeout": _EXPRESSION_ }
```

--------------------------------

### Conntrack Expectation Object Schema

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Represents a conntrack expectation, used for tracking expected connections. It defines family, table, name, handle, layer 3 protocol, protocol, destination port, timeout, and size. Essential for certain stateful connection tracking scenarios.

```json
{ "ct expectation": {
    "family": _STRING_,
    "table": _STRING_,
    "name": _STRING_,
    "handle": _NUMBER_,
    "l3proto": _STRING_,
    "protocol": _CTH_PROTO_,
    "dport": _NUMBER_,
    "timeout": _NUMBER_,
    "size": _NUMBER_
} }

_CTH_PROTO_ := "tcp" | "udp" | "dccp" | "sctp" | "gre" | "icmpv6" | "icmp" | "generic"
```

--------------------------------

### libnftables JSON: Counter Object Structure

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Describes the JSON structure for a named counter in libnftables. It includes the counter's family, table, name, handle, and the current packet and byte counts.
```json
{ "counter": {
    "family": _STRING_,
    "table": _STRING_,
    "name": _STRING_,
    "handle": _NUMBER_,
    "packets": _NUMBER_,
    "bytes": _NUMBER_
} }
```

--------------------------------

### libnftables JSON API: Forward (FWD)

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

The 'fwd' object forwards packets to a different destination, specifying the output interface ('dev'), address family ('family'), and the destination IP address ('addr'). Both 'family' and 'addr' are required if either is present.

```json
{ "fwd": { "dev": _EXPRESSION_, "family": _FWD_FAMILY_, "addr": _EXPRESSION_ } }

_FWD_FAMILY_ := "ip" | "ip6"
```

--------------------------------

### Set Expression in libnftables

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Creates an anonymous set from a single expression or a list of expressions. For mappings, it expects an array of two-element arrays.

```json
{ "set": _SET_ }

_SET_ := _EXPRESSION_ | [ _EXPRESSION_LIST_ ]
```

--------------------------------

### Network Address Translation (NAT) with libnftables JSON

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

This section covers various NAT operations: 'snat' (source NAT), 'dnat' (destination NAT), 'masquerade' (dynamic source NAT), and 'redirect' (port redirection). These require specifying addresses, ports, and optionally families and flags for translation.
```json
{ "snat": { "addr": _EXPRESSION_, "family": _STRING_, "port": _EXPRESSION_, "flags": _FLAGS_ } }
{ "dnat": { "addr": _EXPRESSION_, "family": _STRING_, "port": _EXPRESSION_, "flags": _FLAGS_ } }
{ "masquerade": { "port": _EXPRESSION_, "flags": _FLAGS_ } }
{ "redirect": { "port": _EXPRESSION_, "flags": _FLAGS_ } }
```

--------------------------------

### libnftables JSON API: Limit

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

The 'limit' object defines rate limiting for packets or bytes. It specifies the rate, its unit, the time period ('per'), and optional burst capacity. An 'inv' flag can invert the match condition.

```json
{ "limit": {
    "rate": _NUMBER_,
    "rate_unit": _STRING_,
    "per": _STRING_,
    "burst": _NUMBER_,
    "burst_unit": _STRING_,
    "inv": _BOOLEAN_
} }
{ "limit": _STRING_ }
```

--------------------------------

### libnftables JSON: Element Manipulation Object

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Specifies the JSON structure for manipulating individual elements within a named set in libnftables. It requires family, table, set name, and the element(s) to be added or modified.

```json
{ "element": { "family": _STRING_, "table": _STRING_, "name": _STRING_, "elem": _SET_ELEM_ } }
```

--------------------------------

### Table Object Structure

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Defines the JSON structure for a table object, including its family, name, handle, and optional flags like 'dormant', 'owner', or 'persist'.
```json
{ "table": { "family": _STRING_, "name": _STRING_, "handle": _NUMBER_, "flags": _TABLE_FLAGS_ } }

_TABLE_FLAGS_ := _TABLE_FLAG_ | [ _TABLE_FLAG_LIST_ ]
_TABLE_FLAG_LIST_ := _TABLE_FLAG_ [, _TABLE_FLAG_LIST_ ]
_TABLE_FLAG_ := "dormant" | "owner" | "persist"
```

--------------------------------

### Quota Object Schema

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Represents a named quota for network traffic. It includes details such as family, table, name, handle, byte limits, used bytes, and an inversion flag. This schema is used for defining and managing traffic quotas.

```json
{ "quota": {
    "family": _STRING_,
    "table": _STRING_,
    "name": _STRING_,
    "handle": _NUMBER_,
    "bytes": _NUMBER_,
    "used": _NUMBER_,
    "inv": _BOOLEAN_
} }
```

--------------------------------

### Packet Rejection with libnftables JSON

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

The 'reject' object is used to reject a packet and send an error reply. It requires a 'type' (e.g., 'tcp reset', 'icmpx') and an optional 'expr' for the ICMP code.

```json
{ "reject": { "type": _STRING_, "expr": _EXPRESSION_ } }
```

--------------------------------

### Packet Duplication with libnftables JSON

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

The 'dup' object duplicates a packet to a different destination. It requires an address and optionally an interface for duplication. This is useful for mirroring traffic.

```json
{ "dup": { "addr": _EXPRESSION_, "dev": _EXPRESSION_ } }
```

--------------------------------

### Rename Chain with JSON

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Renames a chain using JSON. The new name is specified in a dedicated property named 'newname'.
```json
{ "rename": _CHAIN_ }
```

--------------------------------

### HASH JSON Formats for Packet Data Hashing

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Defines JSON structures for hashing packet data using either 'jhash' or 'symhash'. Both support modulus and offset. 'jhash' additionally supports an expression and a seed.

```json
{ "jhash": { "mod": _NUMBER_, "offset": _NUMBER_, "expr": _EXPRESSION_, "seed": _NUMBER_ } }
{ "symhash": { "mod": _NUMBER_, "offset": _NUMBER_ } }
```

--------------------------------

### Payload Expression in libnftables (Raw)

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

References a raw part of packet data. It takes a base reference ('ll', 'nh', 'th'), an offset, and a length in bits.

```json
{ "payload": { "base": _BASE_, "offset": _NUMBER_, "len": _NUMBER_ } }

_BASE_ := "ll" | "nh" | "th"
```

--------------------------------

### Xtables Compatibility Fallback with libnftables JSON

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

The 'xt' object represents an xt statement from the xtables compatibility interface. It serves as a fallback when direct translation is not possible, indicating rules managed by 'iptables-nft'.

```json
{ "xt": { "type": _TYPENAME_, "name": _STRING_ } }
```

--------------------------------

### FIB JSON Format for Forwarding Information Base Lookups

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Specifies the JSON structure for performing kernel Forwarding Information Base (FIB) lookups. Supports defining the result type (e.g., 'oif', 'oifname', 'type') and optional flags.
```json
{ "fib": { "result": _FIB_RESULT_, "flags": _FIB_FLAGS_ } }

_FIB_RESULT_ := "oif" | "oifname" | "type"
_FIB_FLAGS_ := _FIB_FLAG_ | [ _FIB_FLAG_LIST_ ]
_FIB_FLAG_LIST_ := _FIB_FLAG_ [ "," _FIB_FLAG_LIST_ ]
_FIB_FLAG_ := "saddr" | "daddr" | "mark" | "iif" | "oif"
```

--------------------------------

### DCCP Option Reference in libnftables

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

References a DCCP option by its type. This expression is used for checking the existence of a DCCP option in a match statement.

```json
{ "dccp option": { "type": _NUMBER_ } }
```

--------------------------------

### libnftables JSON API: Counters

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Counters track packets and bytes. They can be anonymous, living within a rule, or named, referencing a separate counter object. Initial values for 'packets' and 'bytes' can be provided.

```json
{ "counter": { "packets": _NUMBER_, "bytes": _NUMBER_ } }
{ "counter": _STRING_ }
```

--------------------------------

### Connection Tracking Count Limit with libnftables JSON

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

The 'ct count' object limits the number of connections using conntrack. It takes a 'val' for the connection count threshold and an optional 'inv' boolean to invert the match.

```json
{ "ct count": { "val": _NUMBER_, "inv": _BOOLEAN_ } }
```

--------------------------------

### Conntrack Timeout Object Schema

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Defines conntrack timeout policies for network connections. It includes family, table, name, handle, protocol, state, timeout value, and layer 3 protocol. This schema manages how long connection states are maintained.
```json
{ "ct timeout": {
    "family": _STRING_,
    "table": _STRING_,
    "name": _STRING_,
    "handle": _NUMBER_,
    "protocol": _CTH_PROTO_,
    "state": _STRING_,
    "value": _NUMBER_,
    "l3proto": _STRING_
} }

_CTH_PROTO_ := "tcp" | "udp" | "dccp" | "sctp" | "gre" | "icmpv6" | "icmp" | "generic"
```

--------------------------------

### CT JSON Format for Packet Conntrack Data

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Defines the JSON structure for creating a reference to packet conntrack data. Supports specifying key, family (ip or ip6), and direction (original or reply). Some keys may not support direction.

```json
{ "ct": { "key": _STRING_, "family": _CT_FAMILY_, "dir": _CT_DIRECTION_ } }

_CT_FAMILY_ := "ip" | "ip6"
_CT_DIRECTION_ := "original" | "reply"
```

--------------------------------

### Extended Header Field Reference in libnftables

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Creates a reference to a field within an IPv6 extension header. Requires the header name and field name. An offset is used for the 'rt0' protocol.

```json
{ "exthdr": { "name": _STRING_, "field": _STRING_, "offset": _NUMBER_ } }
```

--------------------------------

### libnftables JSON API: Mangle

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

The 'mangle' object modifies packet data or meta-information. It requires 'key' to specify the data to be changed and 'value' to set the new data. The key can refer to packet headers, payload, meta info, or connection tracking data.

```json
{ "mangle": { "key": _EXPRESSION_, "value": _EXPRESSION_ } }
```

--------------------------------

### libnftables JSON: Flowtable Object Structure

Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index

Defines the JSON object for representing a flowtable in libnftables.
Key properties include family, table name, flowtable name, handle, hook point, priority, and associated network interfaces. ```json { "flowtable": { "family": _STRING_, "table": _STRING_, "name": _STRING_, "handle": _NUMBER_, "hook": _STRING_, "prio": _NUMBER_, "dev": _FT_INTERFACE_ } } ``` -------------------------------- ### Flush Object Contents with JSON Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index Empties the contents of specified objects using JSON. This can be used to remove all chains from a table or all elements from a set. ```json { "flush": _FLUSH_OBJECT_ } _FLUSH_OBJECT_ := _TABLE_ | _CHAIN_ | _SET_ | _MAP_ | _METER_ | _RULESET_ ``` -------------------------------- ### Range Expression in libnftables Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index Defines a range of values between a lower and upper boundary. Both boundaries are specified as expressions in an array. ```JSON { "range": [ _EXPRESSION_, _EXPRESSION_ ] } ``` -------------------------------- ### NUMGEN JSON Format for Number Generation Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index Specifies the JSON format for creating a number generator. Supports modes like 'inc' (increment) or 'random', a modulus, and an optional offset which defaults to 0. ```json { "numgen": { "mode": _NG_MODE_, "mod": _NUMBER_, "offset": _NUMBER_ } } _NG_MODE_ := "inc" | "random" ``` -------------------------------- ### libnftables JSON API: Disable Connection Tracking (NOTRACK) Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index The 'notrack' object disables connection tracking for a packet. This is a simple null-valued object. 
```json { "notrack": null } ``` -------------------------------- ### libnftables JSON API: Quota Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index Quota objects enforce limits on data usage, specified in bytes or other units. They can be anonymous or named. The 'inv' flag determines if the match occurs when the quota is exceeded. ```json { "quota": { "val": _NUMBER_, "val_unit": _STRING_, "used": _NUMBER_, "used_unit": _STRING_, "inv": _BOOLEAN_ } } { "quota": _STRING_ } ``` -------------------------------- ### Concatenation Expression in libnftables Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index Combines multiple expressions into a single string or sequence. This is achieved by providing an array of expressions within a 'concat' object. ```JSON { "concat": _CONCAT_ } _CONCAT_ := [ _EXPRESSION_LIST_ ] _EXPRESSION_LIST_ := _EXPRESSION_ [ "," _EXPRESSION_LIST_ ] ``` -------------------------------- ### TCP Option Field Reference in libnftables Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index References a field within a TCP option header. Requires the option name and field name. If the field is omitted, it checks for the option's existence. ```JSON { "tcp option": { "name": _STRING_, "field": _STRING_ }} ``` -------------------------------- ### Payload Expression in libnftables (Named Field) Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index References a specific field within a named packet header. It requires the protocol name and the field name. ```JSON { "payload": { "protocol": _STRING_, "field": _STRING_ }} ``` -------------------------------- ### Delete RuleSet Object with JSON Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index Deletes a ruleset object using JSON. 
Requires minimal properties to uniquely identify the object, such as family and table, along with handle or name for most elements. ```json { "delete": _ADD_OBJECT_ } ``` -------------------------------- ### SCTP Chunk Field Reference in libnftables Source: https://manpages.debian.org/testing/libnftables1/libnftables-json.5.en.html/index References a field within an SCTP chunk. Requires the chunk name and field name. If the field is omitted, it checks for the chunk's existence. ```JSON { "sctp chunk": { "name": _STRING_, "field": _STRING_ }} ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.
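The schema fragments above are easier to use once they are composed into a complete command list. The following is an added example, not code from the libnftables manual or the nftables project: it builds a small ruleset that uses the fib, ct, ct count, counter, quota and payload objects documented above, and it pre-checks the enumerated productions quoted on this page (_FIB_RESULT_, _FIB_FLAG_, _NG_MODE_, _CT_FAMILY_, _CT_DIRECTION_, _CTH_PROTO_) before the document is handed to `nft -j -f -`. The table, chain, counter and interface names are constructed for the example, and the validator only enforces the fields this page documents; it is a pre-flight check, not a full schema validator.

```python
import json

# Enumerations copied from the grammar productions quoted in the schema excerpts above.
FIB_RESULTS = {"oif", "oifname", "type"}
FIB_FLAGS = {"saddr", "daddr", "mark", "iif", "oif"}
NG_MODES = {"inc", "random"}
CT_FAMILIES = {"ip", "ip6"}
CT_DIRECTIONS = {"original", "reply"}
CTH_PROTOS = {"tcp", "udp", "dccp", "sctp", "gre", "icmpv6", "icmp", "generic"}


def _check(cond, msg):
    if not cond:
        raise ValueError(msg)


def validate(node):
    """Walk any JSON node and check the enumerated fields of the documented objects.

    Unknown keys are passed through untouched, so this catches typos in the
    fields above before nft reports a much less specific parse error.
    """
    if isinstance(node, list):
        for item in node:
            validate(item)
        return
    if not isinstance(node, dict):
        return
    for key, val in node.items():
        if key == "notrack":
            _check(val is None, "notrack takes null")
        elif key in ("counter", "quota"):
            # anonymous (object) or named (string reference) form
            _check(isinstance(val, (str, dict)), f"{key} must be a name or an object")
        elif key in ("fib", "numgen", "ct", "ct timeout", "ct count", "mangle"):
            _check(isinstance(val, dict), f"{key} must be an object")
            if key == "fib":
                _check(val.get("result") in FIB_RESULTS, f"bad fib result {val.get('result')!r}")
                flags = val.get("flags")
                flags = [flags] if isinstance(flags, str) else flags
                _check(isinstance(flags, list) and bool(flags)
                       and all(isinstance(f, str) and f in FIB_FLAGS for f in flags),
                       f"bad fib flags {val.get('flags')!r}")
            elif key == "numgen":
                _check(val.get("mode") in NG_MODES, f"bad numgen mode {val.get('mode')!r}")
                _check(isinstance(val.get("mod"), int) and val["mod"] > 0, "numgen mod must be > 0")
            elif key == "ct":
                _check(isinstance(val.get("key"), str), "ct needs a key")
                _check(val.get("family", "ip") in CT_FAMILIES, f"bad ct family {val.get('family')!r}")
                _check(val.get("dir", "original") in CT_DIRECTIONS, f"bad ct dir {val.get('dir')!r}")
            elif key == "ct timeout":
                _check(val.get("protocol") in CTH_PROTOS, f"bad ct timeout protocol {val.get('protocol')!r}")
            elif key == "ct count":
                _check(isinstance(val.get("val"), int) and val["val"] > 0, "ct count val must be > 0")
            elif key == "mangle":
                _check("key" in val and "value" in val, "mangle needs key and value")
        validate(val)


def is_valid(node):
    """Boolean wrapper around validate() for callers that do not want exceptions."""
    try:
        validate(node)
        return True
    except ValueError:
        return False


def match(left, right, op="=="):
    return {"match": {"op": op, "left": left, "right": right}}


def payload(protocol, field):
    return {"payload": {"protocol": protocol, "field": field}}


def add_rule(family, table, chain, expr):
    validate(expr)
    return {"add": {"rule": {"family": family, "table": table, "chain": chain, "expr": expr}}}


def build_ruleset(family="inet", table="filter"):
    """Constructed sample: a reverse-path check, a cap on new SSH connections with
    accepted ones accounted in a named counter, and a byte quota on a guest interface.
    All names (table, chain, counter, 'guest0') are made up for this example."""
    chain = {"family": family, "table": table, "name": "input", "type": "filter",
             "hook": "input", "prio": 0, "policy": "drop"}
    named_counter = {"family": family, "table": table, "name": "ssh_accepted"}
    rules = [
        # drop packets whose source has no route back out of the ingress interface
        [match({"fib": {"result": "oif", "flags": ["saddr", "iif"]}}, False), {"drop": None}],
        # new SSH connections: inverted ct count, i.e. match once more than 10 are tracked
        [match(payload("tcp", "dport"), 22), match({"ct": {"key": "state"}}, "new", op="in"),
         {"ct count": {"val": 10, "inv": True}}, {"drop": None}],
        # remaining SSH traffic is accepted and accounted in the named counter object
        [match(payload("tcp", "dport"), 22), {"counter": "ssh_accepted"}, {"accept": None}],
        # anonymous quota, inverted so the rule matches once 500 MB have been used
        [match({"meta": {"key": "iifname"}}, "guest0"),
         {"quota": {"val": 500, "val_unit": "mbytes", "inv": True}}, {"drop": None}],
    ]
    commands = [{"flush": {"ruleset": None}},
                {"add": {"table": {"family": family, "name": table}}},
                {"add": {"chain": chain}},
                {"add": {"counter": named_counter}}]
    commands += [add_rule(family, table, "input", expr) for expr in rules]
    return {"nftables": commands}


def render(doc):
    """Serialise for `nft -j -f -` (or for a dry run with `nft -c -j -f -`)."""
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    print(render(build_ruleset()))
```

Because `validate()` runs inside `add_rule()`, a misspelled flag such as `"flags": "sadr"` or a `"notrack": {}` is rejected locally with a message naming the field, which is where the mistake is cheapest to find; `nft -c -j -f -` then remains the authoritative check for everything the excerpts on this page do not cover.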