NftStatement¶
Description¶
The NftStatement object specifies the action performed when a packet matches a rule. It can be terminal and non-terminal. In a certain rule several non-terminal statements can be considered but only a single terminal statement.
See the nftables documentation on statements for further information.
This object was introduced in InCore 2.1.
| › Inherits: | Object |
|---|
Properties¶
arguments¶
This property holds the type-specific arguments to the statement.
| › Type: | StringList |
|---|---|
| › Signal: | argumentsChanged() |
| › Attributes: | Writable |
type¶
This property holds the statement type specifying the action to perform when a packet matches a rule.
| › Type: | Type |
|---|---|
| › Default: | NftStatement.None |
| › Signal: | typeChanged() |
| › Attributes: | Writable |
Enumerations¶
Type¶
This enumeration describes all supported statement types, i.e. actions.
| Name | Value | Description |
|---|---|---|
NftStatement.None |
0 |
Do not perform any action, i.e. effectively disable the associated rule. |
NftStatement.Accept |
1 |
Accept the packet and stop the remaining rules evaluation. |
NftStatement.Drop |
2 |
Drop the packet and stop the remain rules evaluation. |
NftStatement.Queue |
3 |
Queue the packet to userspace and stop the remain rules evaluation. See the nftables queue reference for details on possible arguments. |
NftStatement.Continue |
4 |
Continue the ruleset evaluation with the next rule. |
NftStatement.Return |
5 |
Return from the current chain and continue at the next rule of the last chain. In a base chain it is equivalent to NftStatement.Accept. |
NftStatement.Jump |
6 |
Continue with the first rule of a chain named as specified in the arguments property. It will continue at the next rule after a return statement is issued. |
NftStatement.GoTo |
7 |
Similar to NftStatement.Jump but after the new chain the evaluation will continue at the last chain instead of the one containing the goto statement. |
NftStatement.Log |
8 |
Write messages to the system log according to further parameters specified in the arguments property. See the nftables documentation on logging for details. |
NftStatement.Reject |
9 |
Reject packet with optional protocol-specific reject reasons specified in the arguments property. See the nftables documentation on rejecting traffic and the reject reference for details. |
NftStatement.Counter |
10 |
Count packets with optional settings specified in the arguments property. See the nftables documentation on Counters and the counter reference for details. |
NftStatement.Limit |
11 |
Implement rate limiting with settings specified in the arguments property. See the nftables documentation on Rate limit matchings and the limit reference for details. |
NftStatement.DNat |
12 |
Implement destination address translation with settings specified in the arguments property. See the nftables documentation on Source NAT and the Nat reference for details. |
NftStatement.SNat |
13 |
Implement source address translation with settings specified in the arguments property. See the nftables documentation on Destination NAT and the Nat reference for details. |
NftStatement.Masquerade |
14 |
Implement masquerading with settings specified in the arguments property. See the nftables documentation on Masquerading and the Nat reference for details. |
Example¶
See NftFirewall example on how to use NftStatement.