http://wiki.nftables.org/wiki-nftables/index.php?action=history&feed=atom&title=Output_text_modifiersOutput text modifiers - Revision history2026-06-13T02:58:43ZRevision history for this page on the wikiMediaWiki 1.43.6http://wiki.nftables.org/wiki-nftables/index.php?title=Output_text_modifiers&diff=529&oldid=prevArturo: create page2020-07-22T10:36:59Z<p>create page</p>
<p><b>New page</b></p><div>This page contains information on the several '''output text modifiers''' that nftables support when using the command line interface '''nft'''.<br />
<br />
You can generally check all the output modifiers by using '''nft --help''' or reading the manpage '''nft(8)'''.<br />
<br />
<pre><br />
-n, numeric Print fully numerical output.<br />
-s, stateless Omit stateful information of ruleset.<br />
-N, reversedns Translate IP addresses to names.<br />
-S, service Translate ports to service names as described in /etc/services.<br />
-a, handle Output rule handle.<br />
-j, json Format output in JSON<br />
-u, guid Print UID/GID as defined in /etc/passwd and /etc/group.<br />
-y, numeric-priority Print chain priority numerically.<br />
-p, numeric-protocol Print layer 4 protocols numerically.<br />
-T, numeric-time Print time values numerically.<br />
-t, terse Omit contents of sets.<br />
</pre><br />
<br />
The default output prints some information in numeric form and for well-known names it will use a string instead (like icmp types, conntrack status, chain priorities, etc).<br />
Also, state information such as counter values and set elements are printed as well.<br />
<br />
<pre><br />
% nft list ruleset<br />
table inet filter {<br />
set s {<br />
type inet_service<br />
elements = { 80, 443 }<br />
}<br />
<br />
chain input {<br />
type filter hook input priority filter; policy accept;<br />
counter packets 4447 bytes 1619415<br />
iif "lo" counter packets 337 bytes 25076 accept<br />
ct state established,related counter packets 44899 bytes 106405802 accept<br />
ip6 nexthdr ipv6-icmp icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } counter packets 1 bytes 72 accept<br />
tcp dport 22 drop<br />
ip saddr 8.8.8.8 drop<br />
}<br />
}<br />
</pre><br />
<br />
== translation modifiers ==<br />
<br />
Translate various values to text equivalents, or the other way around. We can group here things like ports, DNS names, service names, UID/GID, etc.<br />
<br />
The options can be combined at will. The example below shows service names (instead of the integer number), chain priority value (instead of the well-known string), conntrack/protocol numbers and constants (instead of well-known strings) and shows reverse DNS names (instead of the numeric IP address):<br />
<br />
<pre><br />
% nft -nNSy list ruleset<br />
table inet filter {<br />
set s {<br />
type inet_service<br />
elements = { "http", "https" }<br />
}<br />
<br />
chain input {<br />
type filter hook input priority 0; policy accept;<br />
iif "lo" counter packets 365 bytes 27092 accept<br />
ct state 0x2,0x4 counter packets 48535 bytes 142472901 accept<br />
ip6 nexthdr 58 icmpv6 type { 134, 135, 136 } counter packets 1 bytes 72 accept<br />
ip saddr dns.google counter packets 0 bytes 0<br />
tcp dport "ssh" accept<br />
}<br />
}<br />
</pre><br />
<br />
Note that translating some elements might take additional operation time when generating the output. For example translating IP addresses to names require queries to DNS servers, which can be very slow for large rulesets (and therefore is disabled by default).<br />
<br />
== operations and parsing modifiers ==<br />
<br />
These modifiers add or remove information about the ruleset, generally useful when parsing the output or doing related operations.<br />
<br />
You can display the ruleset without stateful information (for example, without counter values), with handles, and with no set contents:<br />
<br />
<pre><br />
% nft -sta list ruleset<br />
table inet filter { # handle 5<br />
set s { # handle 9<br />
type inet_service<br />
}<br />
<br />
chain input { # handle 1<br />
type filter hook input priority filter; policy accept;<br />
iif "lo" counter accept # handle 3<br />
ct state established,related counter accept # handle 4<br />
ip6 nexthdr ipv6-icmp icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } counter accept # handle 5<br />
ip saddr 8.8.8.8 counter # handle 8<br />
tcp dport 22 accept # handle 10<br />
}<br />
}<br />
</pre><br />
<br />
Special mention to the JSON representation of the ruleset. The JSON will be printed in a single line fashion. Here we format the JSON using perl's json_pp utility:<br />
<br />
<pre><br />
% nft -j list ruleset | json_pp<br />
{<br />
"nftables" : [<br />
{<br />
"metainfo" : {<br />
"json_schema_version" : 1,<br />
"release_name" : "Capital Idea #2",<br />
"version" : "0.9.6"<br />
}<br />
},<br />
{<br />
"table" : {<br />
"family" : "inet",<br />
"handle" : 5,<br />
"name" : "filter"<br />
}<br />
},<br />
{<br />
"set" : {<br />
"elem" : [<br />
80,<br />
443<br />
],<br />
"family" : "inet",<br />
"handle" : 9,<br />
"name" : "s",<br />
"table" : "filter",<br />
"type" : "inet_service"<br />
}<br />
},<br />
{<br />
"chain" : {<br />
"family" : "inet",<br />
"handle" : 1,<br />
"hook" : "input",<br />
"name" : "input",<br />
"policy" : "accept",<br />
"prio" : 0,<br />
"table" : "filter",<br />
"type" : "filter"<br />
}<br />
},<br />
{<br />
"rule" : {<br />
"chain" : "input",<br />
"expr" : [<br />
{<br />
"counter" : {<br />
"bytes" : 37707381,<br />
"packets" : 8062<br />
}<br />
}<br />
],<br />
"family" : "inet",<br />
"handle" : 7,<br />
"table" : "filter"<br />
}<br />
},<br />
[..]<br />
</pre></div>Arturo