Questo contenuto non è disponibile nella lingua selezionata.
6.5. Using verdict maps in nftables commands
Verdict maps, which are also known as dictionaries, enable
nft
to perform an action based on packet information by mapping match criteria to an action.
6.5.1. Using anonymous maps in nftables
An anonymous map is a
{ match_criteria : action }
statement that you use directly in a rule. The statement can contain multiple comma-separated mappings.
The drawback of an anonymous map is that if you want to change the map, you must replace the rule. For a dynamic solution, use named maps as described in Section 6.5.2, “Using named maps in nftables”.
The example describes how to use an anonymous map to route both TCP and UDP packets of the IPv4 and IPv6 protocol to different chains to count incoming TCP and UDP packets separately.
Procedure 6.15. Using anonymous maps in nftables
- Create the example_table:
# nft add table inet example_table
- Create the
tcp_packets
chain in example_table:# nft add chain inet example_table tcp_packets
- Add a rule to
tcp_packets
that counts the traffic in this chain:# nft add rule inet example_table tcp_packets counter
- Create the
udp_packets
chain in example_table:# nft add chain inet example_table udp_packets
- Add a rule to
udp_packets
that counts the traffic in this chain:# nft add rule inet example_table udp_packets counter
- Create a chain for incoming traffic. For example, to create a chain named
incoming_traffic
in example_table that filters incoming traffic:# nft add chain inet example_table incoming_traffic { type filter hook input priority 0 \; }
- Add a rule with an anonymous map to
incoming_traffic
:# nft add rule inet example_table incoming_traffic ip protocol vmap { tcp : jump tcp_packets, udp : jump udp_packets }
The anonymous map distinguishes the packets and sends them to the different counter chains based on their protocol. - To list the traffic counters, display example_table:
# nft list table inet example_table table inet example_table { chain tcp_packets { counter packets 36379 bytes 2103816 } chain udp_packets { counter packets 10 bytes 1559 } chain incoming_traffic { type filter hook input priority filter; policy accept; ip protocol vmap { tcp : jump tcp_packets, udp : jump udp_packets } } }
The counters in thetcp_packets
andudp_packets
chain display both the number of received packets and bytes.
6.5.2. Using named maps in nftables
The
nftables
framework supports named maps. You can use these maps in multiple rules within a table. Another benefit over anonymous maps is that you can update a named map without replacing the rules that use it.
When you create a named map, you must specify the type of elements:
ipv4_addr
for a map whose match part contains anIPv4
address, such as192.0.2.1
.ipv6_addr
for a map whose match part contains anIPv6
address, such as2001:db8:1::1
.ether_addr
for a map whose match part contains a media access control (MAC
) address, such as52:54:00:6b:66:42
.inet_proto
for a map whose match part contains an Internet protocol type, such astcp
.inet_service
for a map whose match part contains an Internet services name port number, such asssh
or22
.mark
for a map whose match part contains a packet mark. A packet mark can be any positive 32-bit integer value (0
to2147483647
).counter
for a map whose match part contains a counter value. The counter value can be any positive 64-bit integer value.quota
for a map whose match part contains a quota value. The quota value can be any positive 64-bit integer value.
The example describes how to allow or drop incoming packets based on their source IP address. Using a named map, you require only a single rule to configure this scenario while the IP addresses and actions are dynamically stored in the map. The procedure also describes how to add and remove entries from the map.
Procedure 6.16. Using named maps in nftables
- Create a table. For example, to create a table named example_table that processes
IPv4
packets:# nft add table ip example_table
- Create a chain. For example, to create a chain named example_chain in example_table:
# nft add chain ip example_table example_chain { type filter hook input priority 0 \; }
Important
To avoid that the shell interprets the semicolons as the end of the command, you must escape the semicolons with a backslash. - Create an empty map. For example, to create a map for
IPv4
addresses:# nft add map ip example_table example_map { type ipv4_addr : verdict \; }
- Create rules that use the map. For example, the following command adds a rule to example_chain in example_table that applies actions to
IPv4
addresses which are both defined in example_map:# nft add rule example_table example_chain ip saddr vmap @example_map
- Add
IPv4
addresses and corresponding actions to example_map:# nft add element ip example_table example_map { 192.0.2.1 : accept, 192.0.2.2 : drop }
This example defines the mappings ofIPv4
addresses to actions. In combination with the rule created above, the firewall accepts packet from192.0.2.1
and drops packets from192.0.2.2
. - Optionally, enhance the map by adding another IP address and action statement:
# nft add element ip example_table example_map { 192.0.2.3 : accept }
- Optionally, remove an entry from the map:
# nft delete element ip example_table example_map { 192.0.2.1 }
- Optionally, display the rule set:
# nft list ruleset table ip example_table { map example_map { type ipv4_addr : verdict elements = { 192.0.2.2 : drop, 192.0.2.3 : accept } } chain example_chain { type filter hook input priority filter; policy accept; ip saddr vmap @example_map } }
6.5.3. Related information
For further details about verdict maps, see the
Maps
section in the nft(8)
man page.