NFTables.Expr.IP (NFTables v0.8.2)
IP address matching and IP-layer field functions for Expr.
Provides functions to match source and destination IP addresses for both IPv4 and IPv6, as well as IP-layer fields like TTL (Time To Live) and hop limit. These are fundamental matching functions used in most firewall rules to identify traffic based on IP addresses and IP header fields.
Import
import NFTables.Expr.IP
Examples
# IP address matching
source_ip("192.168.1.0/24") |> accept()
dest_ip("10.0.0.1") |> drop()
# TTL/hop limit matching
ttl(:eq, 64) |> accept()
hoplimit(:gt, 1) |> accept()
For more information, see the nftables payload expressions wiki.
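The following is an added example, not code from the NFTables library or its documentation. It composes the matchers documented on this page into a small rule list, relying only on the documented dual-arity chaining; the module name, the sample networks and the assumption that accept/1 and drop/1 are importable from another NFTables.Expr module are all constructed for the example.

```elixir
# Added example (not from the NFTables library). Assumes, as the examples on
# this page do, that IP matchers and the accept/1 and drop/1 verdicts chain
# into one expression, and that the verdicts live in another NFTables.Expr
# module that is imported here (assumption).
defmodule ExampleRules do # hypothetical module name
  import NFTables.Expr.IP

  @lan "192.168.1.0/24"  # constructed sample LAN prefix
  @dns <<10, 0, 0, 53>>  # constructed resolver address, binary form of 10.0.0.53

  # Allow the LAN to reach the internal resolver. Each matcher narrows the
  # same expression, so this is a single rule matching saddr AND daddr.
  def lan_to_dns, do: source_ip(@lan) |> dest_ip(@dns) |> accept()

  # Drop IPv6 packets arriving with an implausibly low hop limit, one of the
  # anti-spoofing use cases listed under hoplimit/3.
  def low_hoplimit_drop, do: hoplimit(:lt, 10) |> drop()

  # Drop IPv4 packets whose TTL has already reached 1 (traceroute probes).
  def ttl_expired_drop, do: ttl(:eq, 1) |> drop()

  # Build one drop rule per blocked source prefix from a plain list.
  def block_sources(cidrs) when is_list(cidrs) do
    Enum.map(cidrs, fn cidr -> source_ip(cidr) |> drop() end)
  end

  # Rule list in evaluation order: the specific accept first, then the drops.
  # 203.0.113.0/24 is a documentation prefix used here as a constructed sample.
  def rules(blocked \\ ["203.0.113.0/24"]) do
    [lan_to_dns(), low_hoplimit_drop(), ttl_expired_drop() | block_sources(blocked)]
  end
end
```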
Summary
Functions
Match destination IP address. Convenience alias for dest_ip/2.
Match destination IP address.
Match IPv6 hop limit.
Match source IP address. Convenience alias for source_ip/2.
Match source IP address.
Match IP TTL (time to live).
Functions
@spec dest(NFTables.Expr.t(), String.t() | binary()) :: NFTables.Expr.t()
Match destination IP address. Convenience alias for dest_ip/2.
Supports dual-arity: can start a new expression or continue an existing one.
Example
# Start new expression
dest("10.0.0.1")
# Continue existing expression
builder |> dest("10.0.0.1")
@spec dest_ip(NFTables.Expr.t(), String.t() | binary()) :: NFTables.Expr.t()
Match destination IP address.
Accepts either a string IP ("192.168.1.100") or binary form (<<192, 168, 1, 100>>). Supports dual-arity: can start a new expression or continue an existing one.
Examples
# Start new expression
dest_ip("192.168.1.100") |> accept()
# Continue existing expression
builder |> dest_ip("192.168.1.100")
# IPv6
dest_ip("2001:db8::1")
@spec hoplimit(NFTables.Expr.t(), atom(), non_neg_integer()) :: NFTables.Expr.t()
Match IPv6 hop limit.
IPv6 equivalent of TTL (Time To Live).
Supports dual-arity: can start a new expression or continue an existing one.
Example
# Start a new expression
hoplimit(:eq, 1)
# Continue an existing expression and chain
builder |> hoplimit(:eq, 1) |> drop()
# Block low hop limit (potential spoofing)
builder |> hoplimit(:lt, 10) |> drop()
Use Cases
- IPv6 traceroute blocking
- Anti-spoofing (low hop limits)
- TTL normalization checks
@spec source(NFTables.Expr.t(), String.t() | binary()) :: NFTables.Expr.t()
Match source IP address. Convenience alias for source_ip/2.
Supports dual-arity: can start a new expression or continue an existing one.
Example
# Start new expression
source("192.168.1.100")
# Continue existing expression
builder |> source("192.168.1.100")
@spec source_ip(NFTables.Expr.t(), String.t() | binary()) :: NFTables.Expr.t()
Match source IP address.
Accepts either a string IP ("192.168.1.100") or binary form (<<192, 168, 1, 100>>). Supports dual-arity: can start a new expression or continue an existing one.
Examples
# Start new expression
source_ip("192.168.1.100") |> accept()
# Continue existing expression
builder |> source_ip("192.168.1.100")
# IPv6
source_ip("2001:db8::1")
@spec ttl(NFTables.Expr.t(), atom(), non_neg_integer()) :: NFTables.Expr.t()
Match IP TTL (time to live).
Supports dual-arity: can start a new expression or continue an existing one.
Example
# Start a new expression
ttl(:eq, 64)
# Continue an existing expression and chain
builder |> ttl(:eq, 1) |> drop()
# Match packets with TTL > 64
builder |> ttl(:gt, 64)