NFTables.Expr.Metadata (NFTables v0.8.2)
Packet metadata matching functions for firewall rules.
This module provides functions to match various packet metadata attributes such as packet marks, DSCP values, fragmentation status, packet types, priority levels, and packet length. These are useful for QoS, policy routing, and advanced traffic classification.
Common Use Cases
- Policy routing based on packet marks
- QoS and traffic prioritization
- Filtering fragmented packets
- Blocking broadcast/multicast traffic
- Filtering based on packet size
Import
import NFTables.Expr.Metadata
For more information, see the nftables meta expressions wiki.
Summary
Functions
dscp/2 - Match DSCP (Differentiated Services Code Point).
fragmented/2 - Match fragmented packets.
length/3 - Match packet length.
mark/2 - Match packet mark (SO_MARK).
pkttype/2 - Match packet type (unicast, broadcast, multicast).
priority/3 - Match packet priority (SO_PRIORITY).
Functions
@spec dscp(NFTables.Expr.t(), non_neg_integer()) :: NFTables.Expr.t()
Match DSCP (Differentiated Services Code Point).
DSCP is used for QoS classification in IPv4 and IPv6 networks. The value is the 6-bit code point (0-63) carried in the IP header's traffic-class field; for example, EF is 46 and AF11 is 10.
Example
# Match expedited forwarding (EF)
dscp(46) |> accept()
# Match assured forwarding class 1 (AF11)
dscp(10) |> accept()
@spec fragmented(NFTables.Expr.t(), boolean()) :: NFTables.Expr.t()
Match fragmented packets.
Matches packets based on their fragmentation status. Useful for security policies that drop fragmented packets or handle them specially. Two caveats apply when writing such rules: only the first fragment of a datagram carries the transport header, so a fragment rule must come before any port-based match that is expected to see later fragments; and on hosts where connection tracking is loaded, IPv4 fragments are reassembled before the filter hooks run, so a filter-chain rule may never observe individual fragments there. Dropping all fragments can also break legitimate traffic that relies on large datagrams (for example large UDP responses), so log before drop while validating the policy.
Example
# Match and drop fragmented packets
fragmented(true) |> drop()
# Match non-fragmented packets
fragmented(false) |> accept()
# Security: Drop all fragments (common security policy)
fragmented(true) |> log("Fragment detected") |> drop()
@spec length(NFTables.Expr.t(), atom(), non_neg_integer()) :: NFTables.Expr.t()
Match packet length.
Supports dual-arity: can start a new expression or continue an existing one.
Example
# Start a new expression
length(:gt, 1000)
# Continue an existing expression
builder |> length(:gt, 1000)
# Match packets exactly 64 bytes
builder |> length(:eq, 64)
@spec mark(NFTables.Expr.t(), non_neg_integer()) :: NFTables.Expr.t()
Match packet mark (SO_MARK).
Useful for policy routing and traffic control. The mark is the 32-bit firewall mark (fwmark) attached to the packet; it is set by other firewall rules or by applications via SO_MARK, and can be consulted by the routing policy database (for example `ip rule ... fwmark`) for advanced routing decisions.
Example
# Match packets with mark 100 (e.g. traffic marked earlier for a policy-routing table)
mark(100) |> accept()
@spec pkttype(NFTables.Expr.t(), atom()) :: NFTables.Expr.t()
Match packet type (unicast, broadcast, multicast).
Packet Types
- :unicast - Unicast packet (point-to-point)
- :broadcast - Broadcast packet (all hosts)
- :multicast - Multicast packet (group communication)
- :other - Other packet types
Example
# Drop broadcast packets
pkttype(:broadcast) |> drop()
# Rate limit multicast
pkttype(:multicast) |> rate_limit(100, :second) |> accept()
# Allow only unicast
pkttype(:unicast) |> accept()
@spec priority(NFTables.Expr.t(), atom(), non_neg_integer()) :: NFTables.Expr.t()
Match packet priority (SO_PRIORITY).
Packet priority is used for QoS and traffic shaping. Higher values denote higher priority; 0 is the lowest.
Operators
- :eq - Equal to
- :ne - Not equal to
- :lt - Less than
- :gt - Greater than
- :le - Less than or equal to
- :ge - Greater than or equal to
Example
# Match high priority traffic
priority(:gt, 5) |> accept()
# Match specific priority
priority(:eq, 7) |> log("PRIO-7")
# QoS: Lower priority for bulk traffic
priority(:lt, 2) |> set_dscp(10)