NFTables.Expr.Protocols (NFTables v0.8.2)
Specialized protocol matching for SCTP, DCCP, and GRE.
Provides convenient functions for matching less common protocols that are not part of the standard TCP/UDP/ICMP set. Essential for telephony, streaming, tunneling, and advanced networking scenarios.
Import
import NFTables.Expr.Protocols
Supported Protocols
- SCTP (Stream Control Transmission Protocol) - Reliable, message-oriented transport
- DCCP (Datagram Congestion Control Protocol) - Congestion-controlled unreliable datagrams
- GRE (Generic Routing Encapsulation) - Tunneling protocol
Examples
# SCTP port matching (use generic dport/sport from Port module)
sctp() |> dport(9899) |> accept()
# DCCP with ports
dccp() |> sport(5000) |> dport(6000) |> counter()
# GRE tunnel matching
gre() |> gre_version(0) |> accept()
gre() |> gre_key(12345) |> set_mark(1)
For more information, see the nftables protocol matching wiki.
Summary
Functions
Match DCCP protocol.
Match GRE protocol.
Match GRE flags.
Match GRE key.
Match GRE version.
Match SCTP protocol.
Functions
@spec dccp(NFTables.Expr.t()) :: NFTables.Expr.t()
Match DCCP protocol.
DCCP is a transport protocol that provides congestion control for unreliable datagrams. Useful for real-time applications that can tolerate packet loss but need congestion control (e.g., streaming media, online gaming).
Examples
# Match any DCCP traffic
dccp()
|> counter()
# DCCP with logging
dccp()
|> log("DCCP packet: ")
|> accept()
Protocol Number
DCCP uses IP protocol number 33.
@spec gre(NFTables.Expr.t()) :: NFTables.Expr.t()
Match GRE protocol.
GRE is a tunneling protocol used to encapsulate packets inside IP packets. Common uses include VPNs, PPTP, and network virtualization (e.g., NVGRE).
Examples
# Match any GRE traffic
gre()
|> counter()
# GRE tunnel from specific source
gre()
|> source_ip("10.0.0.1")
|> accept()
Protocol Number
GRE uses IP protocol number 47.
@spec gre_flags(NFTables.Expr.t(), non_neg_integer()) :: NFTables.Expr.t()
Match GRE flags.
GRE flags control optional features:
- Checksum present
- Routing present
- Key present
- Sequence number present
- Strict source route
Examples
# Match GRE packets with key flag set
gre_flags(0x2000) # Key bit
|> accept()
Flags Bitmask
- 0x8000: Checksum present
- 0x4000: Routing present
- 0x2000: Key present
- 0x1000: Sequence number present
- 0x0800: Strict source route
@spec gre_key(NFTables.Expr.t(), non_neg_integer()) :: NFTables.Expr.t()
Match GRE key.
The GRE key field is used to identify traffic flows within GRE tunnels. Commonly used for:
- Multi-tenant isolation
- Traffic classification
- GRE over IPsec
Examples
# Match specific GRE tunnel key
gre_key(12345)
|> accept()
# Route based on GRE key
gre_key(100)
|> set_mark(1)
|> accept()
Notes
The key field must be present in the GRE header (flags bit set). Not all GRE packets include a key field.
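The note above, as an added example that is not part of the NFTables library or its documentation: a stand-alone Elixir decoder that applies the gre_flags bitmask to the first 16-bit word of a GRE header and reads the key only when the Key bit is set. The module name GreHeader and the sample packets are constructed for illustration; the field layout assumed is the one in RFC 1701.

```elixir
# Added example, not NFTables code. GreHeader is a hypothetical helper module.
defmodule GreHeader do
  import Bitwise

  # Flag bits in the first 16-bit word, as listed under "Flags Bitmask".
  @flags [checksum: 0x8000, routing: 0x4000, key: 0x2000, sequence: 0x1000, strict_route: 0x0800]

  # Decode flags, version and (if present) the key from a raw GRE header.
  def parse(<<word::16, proto::16, rest::binary>>) do
    flags = for {name, bit} <- @flags, (word &&& bit) != 0, do: name
    version = word &&& 0x0007

    # Checksum and offset (4 bytes together) precede the key when C or R is set,
    # so the key is not always at the same byte offset.
    skip = if :checksum in flags or :routing in flags, do: 4, else: 0

    key =
      case {:key in flags, rest} do
        {true, <<_::binary-size(skip), k::32, _::binary>>} -> {:ok, k}
        {true, _} -> {:error, :truncated}
        {false, _} -> :absent
      end

    %{flags: flags, version: version, protocol: proto, key: key}
  end

  def parse(_), do: {:error, :truncated}
end

# Constructed sample headers (not captured traffic):
plain = <<0x0000::16, 0x0800::16>>                                    # no key field at all
keyed = <<0x2000::16, 0x0800::16, 12345::32>>                         # Key bit set, key 12345
csum_keyed = <<0xA000::16, 0x0800::16, 0xBEEF::16, 0::16, 12345::32>> # checksum + key
short = <<0x2000::16, 0x0800::16, 0x30::8>>                           # Key bit set, header cut off

for pkt <- [plain, keyed, csum_keyed, short] do
  IO.inspect(GreHeader.parse(pkt))
end
```

Only the second and third headers carry a key field for a key match such as gre_key(12345) to compare against; the first has none, so traffic without a key needs its own rule.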
@spec gre_version(NFTables.Expr.t(), non_neg_integer()) :: NFTables.Expr.t()
Match GRE version.
GRE has two versions:
- Version 0: Standard GRE (RFC 2784)
- Version 1: Enhanced GRE used by PPTP (RFC 2637)
Examples
# Match standard GRE (version 0)
gre_version(0)
|> accept()
# Match PPTP GRE (version 1)
gre_version(1)
|> log("PPTP tunnel: ")
|> accept()
@spec sctp(NFTables.Expr.t()) :: NFTables.Expr.t()
Match SCTP protocol.
SCTP is a reliable, message-oriented transport protocol that combines features of TCP and UDP. Common uses include telephony signaling (SS7), WebRTC data channels, and high-availability clustering.
Examples
# Match any SCTP traffic
sctp()
|> accept()
# Combine with other matchers
sctp()
|> source_ip("192.168.1.0/24")
|> counter()
Protocol Number
SCTP uses IP protocol number 132.