Setting packet metainformation

2018-05-04T22:03:05Z

Mate: /* mark and conntrack mark */ fixed mark setting example

You can set some metainformation in a packet: one of mark, priority or nftrace.

Please note that you require a Linux kernel >= 3.14 to use these features.

== mark ==
The following example shows how to set the packet mark:

<source lang="bash">
% nft add rule route output mark set 123
</source>

== mark and conntrack mark ==

You can save/restore conntrack mark like in iptables.

In this example, the nf_tables engine set the packet mark to 1.
In the last rule, that mark is store in the conntrack entry associated with the flow:

<source lang="bash">
% nft add rule filter forward meta mark set 1
% nft add rule filter forward ct mark set mark
</source>

In this example, the conntrack mark is stored in the packet.
<source lang="bash">
% nft add rule filter forward meta mark set ct mark
</source>

== priority ==
You can set the priority of a packet.

This example shows a similar operation to what "-j CLASSIFY" does in iptables:

<source lang="bash">
% nft add table mangle
% nft add chain postrouting {type route hook output priority -150\; }
% nft add rule mangle postrouting tcp sport 80 meta priority set 1
</source>

'''Warning''': There is a bug in the priority syntax that will be fixed in following versions of nftables.

== nftrace ==

Setting nftrace in a packet will report the journey through the nf_tables stack.

<source lang="bash">
% nft add rule filter forward udp dport 53 meta nftrace set 1
</source>

== combination of options ==

Given the flexible design of nftables, remember you can perform several actions to a packet in one rule:

<source lang="bash">
% nft add rule filter forward ip saddr 192.168.1.1 meta nftrace set 1 meta priority set 2 meta mark set 123
</source>

nftables wiki - User contributions [en]

Setting packet metainformation