# SPDX-License-Identifier: ((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause)
---
name: nftables
protocol: netlink-raw
protonum: 12

doc: >-
  Netfilter nftables configuration over netlink.

definitions:
  -
    name: nfgenmsg
    type: struct
    members:
      -
        name: nfgen-family
        type: u8
      -
        name: version
        type: u8
      -
        name: res-id
        byte-order: big-endian
        type: u16
  -
    name: meta-keys
    type: enum
    entries:
      - len
      - protocol
      - priority
      - mark
      - iif
      - oif
      - iifname
      - oifname
      - iftype
      - oiftype
      - skuid
      - skgid
      - nftrace
      - rtclassid
      - secmark
      - nfproto
      - l4-proto
      - bri-iifname
      - bri-oifname
      - pkttype
      - cpu
      - iifgroup
      - oifgroup
      - cgroup
      - prandom
      - secpath
      - iifkind
      - oifkind
      - bri-iifpvid
      - bri-iifvproto
      - time-ns
      - time-day
      - time-hour
      - sdif
      - sdifname
      - bri-broute
  -
    name: bitwise-ops
    type: enum
    entries:
      -
        name: mask-xor  # aka bool (old name)
        doc: >-
          mask-and-xor operation used to implement NOT, AND, OR and XOR boolean
          operations
      -
        name: lshift
      -
        name: rshift
      -
        name: and
      -
        name: or
      -
        name: xor
  -
    name: cmp-ops
    type: enum
    entries:
      - eq
      - neq
      - lt
      - lte
      - gt
      - gte
  -
    name: object-type
    type: enum
    entries:
      - unspec
      - counter
      - quota
      - ct-helper
      - limit
      - connlimit
      - tunnel
      - ct-timeout
      - secmark
      - ct-expect
      - synproxy
  -
    name: nat-range-flags
    type: flags
    entries:
      - map-ips
      - proto-specified
      - proto-random
      - persistent
      - proto-random-fully
      - proto-offset
      - netmap
  -
    name: table-flags
    type: flags
    entries:
      - dormant
      - owner
      - persist
  -
    name: chain-flags
    type: flags
    entries:
      - base
      - hw-offload
      - binding
  -
    name: set-flags
    type: flags
    entries:
      - anonymous
      - constant
      - interval
      - map
      - timeout
      - eval
      - object
      - concat
      - expr
  -
    # NOTE(review): no attribute on this page references this definition.
    # setelem-attrs.flags is declared as `type: binary` with the doc "bitmask
    # of nft_set_elem_flags"; confirm whether it should instead be a u32
    # carrying `enum: set-elem-flags` so that generated code validates and
    # decodes the individual bits rather than passing an opaque blob.
    name: set-elem-flags
    type: flags
    entries:
      - interval-end
      - catchall
  -
    name: lookup-flags
    type: flags
    entries:
      - invert
  -
    name: ct-keys
    type: enum
    entries:
      - state
      - direction
      - status
      - mark
      - secmark
      - expiration
      - helper
      - l3protocol
      - src
      - dst
      - protocol
      - proto-src
      - proto-dst
      - labels
      - pkts
      - bytes
      - avgpkt
      - zone
      - eventmask
      - src-ip
      - dst-ip
      - src-ip6
      - dst-ip6
      - ct-id
  -
    name: ct-direction
    type: enum
    entries:
      - original
      - reply
  -
    name: quota-flags
    type: flags
    entries:
      - invert
      - depleted
  -
    name: verdict-code
    type: enum
    entries:
      - name: continue
        value: 0xffffffff
      - name: break
        value: 0xfffffffe
      - name: jump
        value: 0xfffffffd
      - name: goto
        value: 0xfffffffc
      - name: return
        value: 0xfffffffb
      - name: drop
        value: 0
      - name: accept
        value: 1
      - name: stolen
        value: 2
      - name: queue
        value: 3
      - name: repeat
        value: 4
  -
    name: fib-result
    type: enum
    entries:
      - oif
      - oifname
      - addrtype
  -
    name: fib-flags
    type: flags
    entries:
      - saddr
      - daddr
      - mark
      - iif
      - oif
      - present
  -
    name: reject-types
    type: enum
    entries:
      - icmp-unreach
      - tcp-rst
      - icmpx-unreach
  -
    name: reject-inet-code
    doc: These codes are mapped to real ICMP and ICMPv6 codes.
    type: enum
    entries:
      - icmpx-no-route
      - icmpx-port-unreach
      - icmpx-host-unreach
      - icmpx-admin-prohibited
  -
    name: payload-base
    type: enum
    entries:
      - link-layer-header
      - network-header
      - transport-header
      - inner-header
      - tun-header
  -
    name: range-ops
    doc: Range operator
    type: enum
    entries:
      - eq
      - neq
  -
    name: registers
    doc: |
      nf_tables registers.
      nf_tables used to have five registers: a verdict register and four data
      registers of size 16. The data registers have been changed to 16 registers
      of size 4. For compatibility reasons, the NFT_REG_[1-4] registers still
      map to areas of size 16, the 4 byte registers are addressed using
      NFT_REG32_00 - NFT_REG32_15.
    type: enum
    entries:
      -
        name: reg-verdict
      -
        name: reg-1
      -
        name: reg-2
      -
        name: reg-3
      -
        name: reg-4
      -
        name: reg32-00
        value: 8
      -
        name: reg32-01
      -
        name: reg32-02
      -
        name: reg32-03
      -
        name: reg32-04
      -
        name: reg32-05
      -
        name: reg32-06
      -
        name: reg32-07
      -
        name: reg32-08
      -
        name: reg32-09
      -
        name: reg32-10
      -
        name: reg32-11
      -
        name: reg32-12
      -
        name: reg32-13
      -
        name: reg32-14
      -
        name: reg32-15
  -
    name: numgen-types
    type: enum
    entries:
      - incremental
      - random
  -
    name: log-level
    doc: nf_tables log levels
    type: enum
    entries:
      -
        name: emerg
        doc: system is unusable
      -
        name: alert
        doc: action must be taken immediately
      -
        name: crit
        doc: critical conditions
      -
        name: err
        doc: error conditions
      -
        name: warning
        doc: warning conditions
      -
        name: notice
        doc: normal but significant condition
      -
        name: info
        doc: informational
      -
        name: debug
        doc: debug-level messages
      -
        name: audit
        doc: enabling audit logging
  -
    name: log-flags
    doc: nf_tables log flags
    header: linux/netfilter/nf_log.h
    type: flags
    entries:
      -
        name: tcpseq
        doc: Log TCP sequence numbers
      -
        name: tcpopt
        doc: Log TCP options
      -
        name: ipopt
        doc: Log IP options
      -
        name: uid
        doc: Log UID owning local socket
      -
        name: nflog
        doc: Unsupported, don't reuse
      -
        name: macdecode
        doc: Decode MAC header

attribute-sets:
  -
    name: log-attrs
    doc: log expression netlink attributes
    attributes:
      # Mentioned in nft_log_init()
      -
        name: group
        doc: netlink group to send messages to
        type: u16
        byte-order: big-endian
      -
        name: prefix
        doc: prefix to prepend to log messages
        type: string
      -
        name: snaplen
        doc: length of payload to include in netlink message
        type: u32
        byte-order: big-endian
      -
        name: qthreshold
        doc: queue threshold
        type: u16
        byte-order: big-endian
      -
        name: level
        doc: log level
        type: u32
        enum: log-level
        byte-order: big-endian
      -
        name: flags
        doc: logging flags
        type: u32
        enum: log-flags
        byte-order: big-endian
  -
    name: numgen-attrs
    doc: nf_tables number generator expression netlink attributes
    attributes:
      -
        name: dreg
        doc: destination register
        type: u32
        enum: registers
      -
        name: modulus
        doc: maximum counter value
        type: u32
        byte-order: big-endian
      -
        name: type
        doc: operation type
        type: u32
        byte-order: big-endian
        enum: numgen-types
      -
        name: offset
        doc: offset to be added to the counter
        type: u32
        byte-order: big-endian
  -
    name: range-attrs
    attributes:
      # Mentioned in net/netfilter/nft_range.c
      -
        name: sreg
        doc: source register of data to compare
        type: u32
        byte-order: big-endian
        enum: registers
      -
        name: op
        doc: cmp operation
        type: u32
        byte-order: big-endian
        enum: range-ops
        checks:
          max: 255
      -
        name: from-data
        doc: data range from
        type: nest
        nested-attributes: data-attrs
      -
        name: to-data
        doc: data range to
        type: nest
        nested-attributes: data-attrs
  -
    name: batch-attrs
    attributes:
      -
        name: genid
        doc: generation ID for this changeset
        type: u32
        byte-order: big-endian
  -
    name: table-attrs
    attributes:
      -
        name: name
        type: string
        doc: name of the table
      -
        name: flags
        type: u32
        byte-order: big-endian
        doc: bitmask of flags
        enum: table-flags
        enum-as-flags: true
      -
        name: use
        type: u32
        byte-order: big-endian
        doc: number of chains in this table
      -
        name: handle
        type: u64
        byte-order: big-endian
        doc: numeric handle of the table
      -
        name: pad
        type: pad
      -
        name: userdata
        type: binary
        doc: user data
      -
        name: owner
        type: u32
        byte-order: big-endian
        doc: netlink port ID of the socket that owns this table
  -
    name: chain-attrs
    attributes:
      -
        name: table
        type: string
        doc: name of the table containing the chain
      -
        name: handle
        type: u64
        byte-order: big-endian
        doc: numeric handle of the chain
      -
        name: name
        type: string
        doc: name of the chain
      -
        name: hook
        type: nest
        nested-attributes: nft-hook-attrs
        doc: hook specification for basechains
      -
        name: policy
        type: u32
        byte-order: big-endian
        doc: numeric policy of the chain
      -
        name: use
        type: u32
        byte-order: big-endian
        doc: number of references to this chain
      -
        name: type
        type: string
        doc: type name of the chain
      -
        name: counters
        type: nest
        nested-attributes: nft-counter-attrs
        doc: counter specification of the chain
      -
        name: flags
        type: u32
        byte-order: big-endian
        doc: chain flags
        enum: chain-flags
        enum-as-flags: true
      -
        name: id
        type: u32
        byte-order: big-endian
        doc: uniquely identifies a chain in a transaction
      -
        name: userdata
        type: binary
        doc: user data
  -
    name: counter-attrs
    attributes:
      -
        name: bytes
        type: u64
        byte-order: big-endian
      -
        name: packets
        type: u64
        byte-order: big-endian
      -
        name: pad
        type: pad
  -
    name: nft-hook-attrs
    attributes:
      -
        name: num
        type: u32
        byte-order: big-endian
      -
        name: priority
        type: s32
        byte-order: big-endian
      -
        name: dev
        type: string
        doc: net device name
      -
        name: devs
        type: nest
        nested-attributes: hook-dev-attrs
        doc: list of net devices
  -
    name: hook-dev-attrs
    attributes:
      -
        name: name
        type: string
        multi-attr: true
  -
    name: nft-counter-attrs
    attributes:
      -
        name: bytes
        type: u64
        byte-order: big-endian
      -
        name: packets
        type: u64
        byte-order: big-endian
  -
    name: rule-attrs
    attributes:
      -
        name: table
        type: string
        doc: name of the table containing the rule
      -
        name: chain
        type: string
        doc: name of the chain containing the rule
      -
        name: handle
        type: u64
        byte-order: big-endian
        doc: numeric handle of the rule
      -
        name: expressions
        type: nest
        nested-attributes: expr-list-attrs
        doc: list of expressions
      -
        name: compat
        type: nest
        nested-attributes: rule-compat-attrs
        doc: compatibility specifications of the rule
      -
        name: position
        type: u64
        byte-order: big-endian
        doc: numeric handle of the previous rule
      -
        name: userdata
        type: binary
        doc: user data
      -
        name: id
        type: u32
        doc: uniquely identifies a rule in a transaction
      -
        name: position-id
        type: u32
        doc: transaction unique identifier of the previous rule
      -
        name: chain-id
        type: u32
        doc: add the rule to chain by ID, alternative to chain name
  -
    name: expr-list-attrs
    attributes:
      -
        name: elem
        type: nest
        nested-attributes: expr-attrs
        multi-attr: true
  -
    name: expr-attrs
    attributes:
      -
        name: name
        type: string
        doc: name of the expression type
      -
        name: data
        type: sub-message
        sub-message: expr-ops
        selector: name
        doc: type specific data
  -
    # Mentioned in nft_parse_compat() in net/netfilter/nft_compat.c
    name: rule-compat-attrs
    attributes:
      -
        name: proto
        type: u32
        byte-order: big-endian
        doc: numeric value of the handled protocol
      -
        name: flags
        type: u32
        byte-order: big-endian
        doc: bitmask of flags
  -
    name: set-attrs
    attributes:
      -
        name: table
        type: string
        doc: table name
      -
        name: name
        type: string
        doc: set name
      -
        name: flags
        type: u32
        enum: set-flags
        byte-order: big-endian
        doc: bitmask of enum nft_set_flags
      -
        name: key-type
        type: u32
        byte-order: big-endian
        doc: key data type (informational only)
      -
        name: key-len
        type: u32
        byte-order: big-endian
        doc: key data length
      -
        name: data-type
        type: u32
        byte-order: big-endian
        doc: mapping data type
      -
        name: data-len
        type: u32
        byte-order: big-endian
        doc: mapping data length
      -
        name: policy
        type: u32
        byte-order: big-endian
        doc: selection policy
      -
        name: desc
        type: nest
        nested-attributes: set-desc-attrs
        doc: set description
      -
        name: id
        type: u32
        doc: uniquely identifies a set in a transaction
      -
        name: timeout
        type: u64
        doc: default timeout value
      -
        name: gc-interval
        type: u32
        doc: garbage collection interval
      -
        name: userdata
        type: binary
        doc: user data
      -
        name: pad
        type: pad
      -
        name: obj-type
        type: u32
        byte-order: big-endian
        doc: stateful object type
      -
        name: handle
        type: u64
        byte-order: big-endian
        doc: set handle
      -
        name: expr
        type: nest
        nested-attributes: expr-attrs
        doc: set expression
        multi-attr: true
      -
        name: expressions
        type: nest
        nested-attributes: set-list-attrs
        doc: list of expressions
      -
        name: type
        type: string
        doc: set backend type
      -
        name: count
        type: u32
        byte-order: big-endian
        doc: number of set elements
  -
    name: set-desc-attrs
    attributes:
      -
        name: size
        type: u32
        byte-order: big-endian
        doc: number of elements in set
      -
        name: concat
        type: nest
        nested-attributes: set-desc-concat-attrs
        doc: description of field concatenation
        multi-attr: true
  -
    name: set-desc-concat-attrs
    attributes:
      -
        name: elem
        type: nest
        nested-attributes: set-field-attrs
  -
    name: set-field-attrs
    attributes:
      -
        name: len
        type: u32
        byte-order: big-endian
  -
    name: set-list-attrs
    attributes:
      -
        name: elem
        type: nest
        nested-attributes: expr-attrs
        multi-attr: true
  -
    name: setelem-attrs
    attributes:
      -
        name: key
        type: nest
        nested-attributes: data-attrs
        doc: key value
      -
        name: data
        type: nest
        nested-attributes: data-attrs
        doc: data value of mapping
      -
        name: flags
        type: binary
        doc: bitmask of nft_set_elem_flags
      -
        name: timeout
        type: u64
        doc: timeout value
      -
        name: expiration
        type: u64
        doc: expiration time
      -
        name: userdata
        type: binary
        doc: user data
      -
        name: expr
        type: nest
        nested-attributes: expr-attrs
        doc: expression
      -
        name: objref
        type: string
        doc: stateful object reference
      -
        name: key-end
        type: nest
        nested-attributes: data-attrs
        doc: closing key value
      -
        name: expressions
        type: nest
        nested-attributes: expr-list-attrs
        doc: list of expressions
  -
    name: setelem-list-elem-attrs
    attributes:
      -
        name: elem
        type: nest
        nested-attributes: setelem-attrs
        multi-attr: true
  -
    name: setelem-list-attrs
    attributes:
      -
        name: table
        type: string
      -
        name: set
        type: string
      -
        name: elements
        type: nest
        nested-attributes: setelem-list-elem-attrs
      -
        # NOTE(review): no byte-order is given here, while the other set-id
        # attributes on this page (expr-lookup-attrs.set-id,
        # expr-objref-attrs.set-id) and chain-attrs.id are big-endian. The
        # same applies to rule-attrs.id / position-id / chain-id and
        # set-attrs.id. Confirm the intended wire encoding; a mismatch means
        # generated code emits IDs in host order.
        name: set-id
        type: u32
  -
    name: gen-attrs
    attributes:
      -
        name: id
        type: u32
        byte-order: big-endian
        doc: ruleset generation id
      -
        name: proc-pid
        type: u32
        byte-order: big-endian
      -
        name: proc-name
        type: string
  -
    name: obj-attrs
    attributes:
      -
        name: table
        type: string
        doc: name of the table containing the object
      -
        name: name
        type: string
        doc: name of this stateful object
      -
        name: type
        type: u32
        enum: object-type
        byte-order: big-endian
        doc: stateful object type
      -
        name: data
        type: sub-message
        sub-message: obj-data
        selector: type
        doc: stateful object data
      -
        name: use
        type: u32
        byte-order: big-endian
        doc: number of references to this object
      -
        name: handle
        type: u64
        byte-order: big-endian
        doc: object handle
      -
        name: pad
        type: pad
      -
        name: userdata
        type: binary
        doc: user data
  -
    name: quota-attrs
    attributes:
      -
        name: bytes
        type: u64
        byte-order: big-endian
      -
        name: flags
        type: u32
        byte-order: big-endian
        enum: quota-flags
      -
        name: pad
        type: pad
      -
        name: consumed
        type: u64
        byte-order: big-endian
  -
    name: flowtable-attrs
    attributes:
      -
        name: table
        type: string
      -
        name: name
        type: string
      -
        name: hook
        type: nest
        nested-attributes: flowtable-hook-attrs
      -
        name: use
        type: u32
        byte-order: big-endian
      -
        name: handle
        type: u64
        byte-order: big-endian
      -
        name: pad
        type: pad
      -
        name: flags
        type: u32
        byte-order: big-endian
  -
    name: flowtable-hook-attrs
    attributes:
      -
        name: num
        type: u32
        byte-order: big-endian
      -
        # NOTE(review): nft-hook-attrs.priority is declared s32 above, and
        # hook priorities can be negative. Confirm whether u32 is intended
        # here or whether this should match the chain hook declaration.
        name: priority
        type: u32
        byte-order: big-endian
      -
        name: devs
        type: nest
        nested-attributes: hook-dev-attrs
  -
    name: expr-bitwise-attrs
    doc: |
      The bitwise expression supports boolean and shift operations. It
      implements the boolean operations by performing the following
      operation::

          dreg = (sreg & mask) ^ xor

          with these mask and xor values:

          op      mask    xor
          ----    ----    ---
          NOT:     1       1
          OR:     ~x       x
          XOR:     1       x
          AND:     x       0

    attributes:
      -
        name: sreg
        type: u32
        byte-order: big-endian
      -
        name: dreg
        type: u32
        byte-order: big-endian
      -
        name: len
        type: u32
        byte-order: big-endian
      -
        name: mask
        type: nest
        nested-attributes: data-attrs
      -
        name: xor
        type: nest
        nested-attributes: data-attrs
      -
        name: op
        type: u32
        byte-order: big-endian
        enum: bitwise-ops
        checks:
          max: 255
      -
        name: data
        type: nest
        nested-attributes: data-attrs
  -
    name: expr-cmp-attrs
    attributes:
      -
        name: sreg
        type: u32
        byte-order: big-endian
      -
        name: op
        type: u32
        byte-order: big-endian
        enum: cmp-ops
      -
        name: data
        type: nest
        nested-attributes: data-attrs
  -
    name: data-attrs
    attributes:
      -
        name: value
        type: binary
        # sub-type: u8
      -
        name: verdict
        type: nest
        nested-attributes: verdict-attrs
  -
    name: verdict-attrs
    attributes:
      -
        name: code
        doc: nf_tables verdict
        type: u32
        byte-order: big-endian
        enum: verdict-code
      -
        name: chain
        doc: jump target chain name
        type: string
      -
        name: chain-id
        doc: jump target chain ID
        type: u32
        byte-order: big-endian
  -
    name: expr-counter-attrs
    attributes:
      -
        name: bytes
        type: u64
        byte-order: big-endian
        doc: Number of bytes
      -
        name: packets
        type: u64
        byte-order: big-endian
        doc: Number of packets
      -
        name: pad
        type: pad
  -
    name: expr-fib-attrs
    attributes:
      -
        name: dreg
        type: u32
        byte-order: big-endian
      -
        name: result
        type: u32
        byte-order: big-endian
        enum: fib-result
      -
        name: flags
        type: u32
        byte-order: big-endian
        enum: fib-flags
  -
    name: expr-ct-attrs
    attributes:
      -
        name: dreg
        type: u32
        byte-order: big-endian
      -
        name: key
        type: u32
        byte-order: big-endian
        enum: ct-keys
      -
        name: direction
        type: u8
        enum: ct-direction
      -
        name: sreg
        type: u32
        byte-order: big-endian
  -
    name: expr-flow-offload-attrs
    attributes:
      -
        name: name
        type: string
        doc: Flow offload table name
  -
    name: expr-immediate-attrs
    attributes:
      -
        name: dreg
        type: u32
        byte-order: big-endian
      -
        name: data
        type: nest
        nested-attributes: data-attrs
  -
    name: expr-lookup-attrs
    attributes:
      -
        name: set
        type: string
        doc: Name of set to use
      -
        name: set-id
        type: u32
        byte-order: big-endian
        doc: ID of set to use
      -
        name: sreg
        type: u32
        byte-order: big-endian
      -
        name: dreg
        type: u32
        byte-order: big-endian
      -
        name: flags
        type: u32
        byte-order: big-endian
        enum: lookup-flags
  -
    name: expr-masq-attrs
    attributes:
      -
        name: flags
        type: u32
        byte-order: big-endian
        enum: nat-range-flags
        enum-as-flags: true
      -
        name: reg-proto-min
        type: u32
        byte-order: big-endian
        enum: registers
      -
        name: reg-proto-max
        type: u32
        byte-order: big-endian
        enum: registers
  -
    name: expr-meta-attrs
    attributes:
      -
        name: dreg
        type: u32
        byte-order: big-endian
      -
        name: key
        type: u32
        byte-order: big-endian
        enum: meta-keys
      -
        name: sreg
        type: u32
        byte-order: big-endian
  -
    name: expr-nat-attrs
    attributes:
      -
        name: type
        type: u32
        byte-order: big-endian
      -
        name: family
        type: u32
        byte-order: big-endian
      -
        name: reg-addr-min
        type: u32
        byte-order: big-endian
      -
        name: reg-addr-max
        type: u32
        byte-order: big-endian
      -
        name: reg-proto-min
        type: u32
        byte-order: big-endian
      -
        name: reg-proto-max
        type: u32
        byte-order: big-endian
      -
        name: flags
        type: u32
        byte-order: big-endian
        enum: nat-range-flags
        enum-as-flags: true
  -
    name: expr-payload-attrs
    doc: nf_tables payload expression netlink attributes
    attributes:
      -
        name: dreg
        doc: destination register to load data into
        type: u32
        byte-order: big-endian
        enum: registers
      -
        name: base
        doc: payload base
        type: u32
        enum: payload-base
        byte-order: big-endian
      -
        name: offset
        doc: payload offset relative to base
        type: u32
        byte-order: big-endian
      -
        name: len
        doc: payload length
        type: u32
        byte-order: big-endian
      -
        name: sreg
        doc: source register to load data from
        type: u32
        byte-order: big-endian
        enum: registers
      -
        name: csum-type
        doc: checksum type
        type: u32
        byte-order: big-endian
      -
        name: csum-offset
        doc: checksum offset relative to base
        type: u32
        byte-order: big-endian
      -
        name: csum-flags
        doc: checksum flags
        type: u32
        byte-order: big-endian
  -
    name: expr-reject-attrs
    attributes:
      -
        name: type
        type: u32
        byte-order: big-endian
        enum: reject-types
      -
        name: icmp-code
        type: u8
  -
    # NOTE(review): this set has the same layout (name, rev, info) as
    # compat-target-attrs below, but carries none of its checks
    # (name max-len: 32, rev max: 255), so code generated from this set
    # places no bound on the name length or revision number. The `match`
    # entry of expr-ops already points at compat-match-attrs; confirm whether
    # `target` should likewise use compat-target-attrs, or at least inherit
    # the same checks. `info` is an opaque blob interpreted by the target
    # extension, so nothing in this spec can validate its contents.
    name: expr-target-attrs
    attributes:
      -
        name: name
        type: string
      -
        name: rev
        type: u32
        byte-order: big-endian
      -
        name: info
        type: binary
  -
    name: expr-tproxy-attrs
    attributes:
      -
        name: family
        type: u32
        byte-order: big-endian
      -
        name: reg-addr
        type: u32
        byte-order: big-endian
      -
        name: reg-port
        type: u32
        byte-order: big-endian
  -
    name: expr-objref-attrs
    attributes:
      -
        name: imm-type
        type: u32
        byte-order: big-endian
      -
        name: imm-name
        type: string
        doc: object name
      -
        name: set-sreg
        type: u32
        byte-order: big-endian
      -
        name: set-name
        type: string
        doc: name of object map
      -
        name: set-id
        type: u32
        byte-order: big-endian
        doc: id of object map
  -
    name: compat-target-attrs
    header: linux/netfilter/nf_tables_compat.h
    attributes:
      -
        name: name
        type: string
        checks:
          max-len: 32
      -
        name: rev
        type: u32
        byte-order: big-endian
        checks:
          max: 255
      -
        name: info
        type: binary
  -
    name: compat-match-attrs
    header: linux/netfilter/nf_tables_compat.h
    attributes:
      -
        name: name
        type: string
        checks:
          max-len: 32
      -
        name: rev
        type: u32
        byte-order: big-endian
        checks:
          max: 255
      -
        name: info
        type: binary
  -
    name: compat-attrs
    header: linux/netfilter/nf_tables_compat.h
    attributes:
      -
        name: name
        type: string
        checks:
          max-len: 32
      -
        name: rev
        type: u32
        byte-order: big-endian
        checks:
          max: 255
      -
        name: type
        type: u32
        byte-order: big-endian

sub-messages:
  -
    name: expr-ops
    formats:
      -
        value: bitwise
        attribute-set: expr-bitwise-attrs
      -
        value: cmp
        attribute-set: expr-cmp-attrs
      -
        value: counter
        attribute-set: expr-counter-attrs
      -
        value: ct
        attribute-set: expr-ct-attrs
      -
        value: fib
        attribute-set: expr-fib-attrs
      -
        value: flow_offload
        attribute-set: expr-flow-offload-attrs
      -
        value: immediate
        attribute-set: expr-immediate-attrs
      -
        value: log
        attribute-set: log-attrs
      -
        value: lookup
        attribute-set: expr-lookup-attrs
      -
        value: match
        attribute-set: compat-match-attrs
      -
        value: meta
        attribute-set: expr-meta-attrs
      -
        value: nat
        attribute-set: expr-nat-attrs
      -
        value: numgen
        attribute-set: numgen-attrs
      -
        value: objref
        attribute-set: expr-objref-attrs
      -
        value: payload
        attribute-set: expr-payload-attrs
      -
        value: quota
        attribute-set: quota-attrs
      -
        value: range
        attribute-set: range-attrs
      -
        value: reject
        attribute-set: expr-reject-attrs
      -
        value: target
        attribute-set: expr-target-attrs
      -
        value: tproxy
        attribute-set: expr-tproxy-attrs
        # There are more expression sub-messages still to be added; to find them:
        #   grep -A10 nft_expr_type
        # and look for .name\s*=\s*"..."
  -
    name: obj-data
    formats:
      -
        value: counter
        attribute-set: counter-attrs
      -
        value: quota
        attribute-set: quota-attrs

operations:
  enum-model: directional
  list:
    -
      name: batch-begin
      doc: Start a batch of operations
      attribute-set: batch-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0x10
          attributes:
            - genid
        reply:
          value: 0x10
          attributes:
            - genid
    -
      name: batch-end
      doc: Finish a batch of operations
      attribute-set: batch-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0x11
          attributes:
            - genid
    -
      name: newtable
      doc: Create a new table.
      attribute-set: table-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa00
          attributes:
            # Mentioned in nf_tables_newtable()
            - name
            - flags
            - userdata
    -
      name: gettable
      doc: Get / dump tables.
      attribute-set: table-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa01
          attributes:
            # Mentioned in nf_tables_gettable()
            - name
        reply:
          value: 0xa00
          attributes: &get-table
            # Mentioned in nf_tables_fill_table_info()
            - name
            - use
            - handle
            - flags
            - owner
            - userdata
      dump:
        reply:
          attributes: *get-table
    -
      name: deltable
      doc: Delete an existing table.
      attribute-set: table-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa02
          attributes: &del-table
            # Mentioned in nf_tables_deltable()
            - name
            - handle
    -
      name: destroytable
      doc: |
        Delete an existing table with destroy semantics (ignoring ENOENT
        errors).
      attribute-set: table-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa1a
          attributes: *del-table
    -
      name: newchain
      doc: Create a new chain.
      attribute-set: chain-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa03
          attributes:
            # Mentioned in nf_tables_newchain()
            - table
            - handle
            - policy
            - flags
            # Mentioned in nf_tables_updchain()
            - hook
            - name
            - counters
            # Mentioned in nf_tables_addchain()
            - userdata
            # Mentioned in nft_chain_parse_hook()
            - type
    -
      name: getchain
      doc: Get / dump chains.
      attribute-set: chain-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa04
          attributes:
            # Mentioned in nf_tables_getchain()
            - table
            - name
        reply:
          value: 0xa03
          attributes: &get-chain
            # Mentioned in nf_tables_fill_chain_info()
            - table
            - name
            - handle
            - hook
            - policy
            - type
            - flags
            - counters
            - id
            - use
            - userdata
      dump:
        reply:
          attributes: *get-chain
    -
      name: delchain
      doc: Delete an existing chain.
      attribute-set: chain-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa05
          attributes: &del-chain
            # Mentioned in nf_tables_delchain()
            - table
            - handle
            - name
            - hook
    -
      name: destroychain
      doc: |
        Delete an existing chain with destroy semantics (ignoring ENOENT
        errors).
      attribute-set: chain-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa1b
          attributes: *del-chain
    -
      name: newrule
      doc: Create a new rule.
      attribute-set: rule-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa06
          attributes:
            # Mentioned in nf_tables_newrule()
            - table
            - chain
            - chain-id
            - handle
            - position
            - position-id
            - expressions
            - userdata
            - compat
    -
      name: getrule
      doc: Get / dump rules.
      attribute-set: rule-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa07
          attributes: &get-rule-request
            # Mentioned in nf_tables_getrule_single()
            - table
            - chain
            - handle
        reply:
          value: 0xa06
          attributes: &get-rule
            # Mentioned in nf_tables_fill_rule_info()
            - table
            - chain
            - handle
            - position
            - expressions
            - userdata
      dump:
        request:
          attributes:
            # Mentioned in nf_tables_dump_rules_start()
            - table
            - chain
        reply:
          attributes: *get-rule

    -
      name: getrule-reset
      doc: Get / dump rules and reset stateful expressions.
      attribute-set: rule-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa19
          attributes: *get-rule-request
        reply:
          value: 0xa06
          attributes: *get-rule
      dump:
        request:
          attributes: *get-rule-request
        reply:
          attributes: *get-rule
    -
      name: delrule
      doc: Delete an existing rule.
      attribute-set: rule-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa08
          attributes: &del-rule
            - table
            - chain
            - handle
            - id
    -
      name: destroyrule
      doc: |
        Delete an existing rule with destroy semantics (ignoring ENOENT errors).
      attribute-set: rule-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa1c
          attributes: *del-rule
    -
      name: newset
      doc: Create a new set.
      attribute-set: set-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa09
          attributes:
            # Mentioned in nf_tables_newset()
            - table
            - name
            - key-len
            - id
            - key-type
            - flags
            - data-type
            - data-len
            - obj-type
            - timeout
            - gc-interval
            - policy
            - desc
            - userdata
    -
      name: getset
      doc: Get / dump sets.
      attribute-set: set-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa0a
          attributes:
            # Mentioned in nf_tables_getset()
            - table
            - name
        reply:
          value: 0xa09
          attributes: &get-set
            # Mentioned in nf_tables_fill_set()
            - table
            - name
            - handle
            - flags
            - key-len
            - key-type
            - data-type
            - data-len
            - obj-type
            - gc-interval
            - policy
            - userdata
            - desc
            - expr
            - expressions
      dump:
        request:
          attributes:
            # Mentioned in nf_tables_getset()
            - table
        reply:
          attributes: *get-set
    -
      name: delset
      doc: Delete an existing set.
      attribute-set: set-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa0b
          attributes: &del-set
            # Mentioned in nf_tables_delset()
            - table
            - handle
            - name
    -
      name: destroyset
      doc: |
        Delete an existing set with destroy semantics (ignoring ENOENT errors).
      attribute-set: set-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa1d
          attributes: *del-set
    -
      name: newsetelem
      doc: Create a new set element.
      attribute-set: setelem-list-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa0c
          attributes:
            # Mentioned in nf_tables_newsetelem()
            - table
            - set
            - set-id
            - elements
    -
      name: getsetelem
      doc: Get / dump set elements.
      attribute-set: setelem-list-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa0d
          attributes:
            # Mentioned in nf_tables_getsetelem()
            - table
            - set
            - elements
        reply:
          value: 0xa0c
          attributes:
            # Mentioned in nf_tables_fill_setelem_info()
            - elements
      dump:
        request:
          attributes: &dump-set-request
            # Mentioned in nft_set_dump_ctx_init()
            - table
            - set
        reply:
          attributes: &dump-set
            # Mentioned in nf_tables_dump_set()
            - table
            - set
            - elements
    -
      name: getsetelem-reset
      doc: Get / dump set elements and reset stateful expressions.
      attribute-set: setelem-list-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa21
          attributes:
            # Mentioned in nf_tables_getsetelem_reset()
            - elements
        reply:
          value: 0xa0c
          attributes:
            # Mentioned in nf_tables_dumpreset_set()
            - table
            - set
            - elements
      dump:
        request:
          attributes: *dump-set-request
        reply:
          attributes: *dump-set
    -
      name: delsetelem
      doc: Delete an existing set element.
      attribute-set: setelem-list-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa0e
          attributes: &del-setelem
            # Mentioned in nf_tables_delsetelem()
            - table
            - set
            - elements
    -
      name: destroysetelem
      doc: |
        Delete an existing set element with destroy semantics (ignoring ENOENT
        errors).
      attribute-set: setelem-list-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa1e
          attributes: *del-setelem
    -
      name: getgen
      doc: Get / dump rule-set generation.
      attribute-set: gen-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa10
        reply:
          value: 0xa0f
          attributes: &get-gen
            # Mentioned in nf_tables_fill_gen_info()
            - id
            - proc-pid
            - proc-name
      dump:
        reply:
          attributes: *get-gen
    -
      name: newobj
      doc: Create a new stateful object.
      attribute-set: obj-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa12
          attributes:
            # Mentioned in nf_tables_newobj()
            - type
            - name
            - data
            - table
            - userdata
    -
      name: getobj
      doc: Get / dump stateful objects.
      attribute-set: obj-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa13
          attributes:
            # Mentioned in nf_tables_getobj_single()
            - name
            - type
            - table
        reply:
          value: 0xa12
          attributes: &obj-info
            # Mentioned in nf_tables_fill_obj_info()
            - table
            - name
            - type
            - handle
            - use
            - data
            - userdata
      dump:
        request:
          attributes:
            # Mentioned in nf_tables_dump_obj_start()
            - table
            - type
        reply:
          attributes: *obj-info
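    -
      name: delobj
      doc: Delete an existing stateful object.
      attribute-set: obj-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa14
          # Anchored so that destroyobj below shares exactly this list, as the
          # other del*/destroy* pairs in this file do (del-table, del-chain,
          # del-rule, del-set, del-setelem, del-flowtable).
          attributes: &del-obj
            # Mentioned in nf_tables_delobj()
            - table
            - name
            - type
            - handle
    -
      name: destroyobj
      doc: |
        Delete an existing stateful object with destroy semantics (ignoring
        ENOENT errors).
      attribute-set: obj-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa1f
          # Same request attributes as delobj; both are mentioned in
          # nf_tables_delobj().
          attributes: *del-obj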
    -
      name: newflowtable
      doc: Create a new flow table.
      attribute-set: flowtable-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa16
          attributes:
            # Mentioned in nf_tables_newflowtable()
            - table
            - name
            - hook
            - flags
    -
      name: getflowtable
      doc: Get / dump flow tables.
      attribute-set: flowtable-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa17
          attributes:
            # Mentioned in nf_tables_getflowtable()
            - name
            - table
        reply:
          value: 0xa16
          attributes: &flowtable-info
            # Mentioned in nf_tables_fill_flowtable_info()
            - table
            - name
            - handle
            - use
            - flags
            - hook
      dump:
        reply:
          attributes: *flowtable-info
    -
      name: delflowtable
      doc: Delete an existing flow table.
      attribute-set: flowtable-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa18
          attributes: &del-flowtable
            # Mentioned in nf_tables_delflowtable()
            - table
            - name
            - handle
            - hook
    -
      name: destroyflowtable
      doc: |
        Delete an existing flow table with destroy semantics (ignoring ENOENT
        errors).
      attribute-set: flowtable-attrs
      fixed-header: nfgenmsg
      do:
        request:
          value: 0xa20
          attributes: *del-flowtable

mcast-groups:
  list:
    -
      name: mgmt
