Module `netfilter`

Low-level Lua interface to the Linux Kernel Netfilter framework.

This header file defines constants used by the C implementation and exposed to Lua.

Tables

action	Table of Netfilter hook verdicts (actions).
arp_hooks	Table of Netfilter hooks in the ARP family.
bridge_hooks	Table of Netfilter hooks in the BRIDGE family.
bridge_priority	Table of Netfilter hook priorities in the BRIDGE family.
family	Table of Netfilter protocol families.
inet_hooks	Table of Netfilter hooks in the INET (IPv4/IPv6) family.
ip_priority	Table of Netfilter hook priorities in the IP family.
netdev_hooks	Table of Netfilter hooks in the NETDEV family.

Class netfilter_hook

netfilter_hook:register (opts)

Registers a Netfilter hook.

Tables

action

Table of Netfilter hook verdicts (actions). These determine the fate of a packet processed by a hook.

Fields:

DROP integer Drop the packet silently.
ACCEPT integer Let the packet pass.
STOLEN integer Packet is consumed by the hook; processing stops.
QUEUE integer Queue the packet to a userspace program.
REPEAT integer Re-inject the packet into the current hook (use with caution).
STOP integer Terminate rule traversal in the current chain (iptables specific).
CONTINUE integer Alias for ACCEPT, primarily for Xtables.
RETURN integer Return from the current chain to the calling chain (iptables specific).

arp_hooks

Table of Netfilter hooks in the ARP family.

Fields:

IN integer For incoming ARP packets.
OUT integer For outgoing ARP packets.
FORWARD integer For forwarded ARP packets (e.g., by an ARP proxy).

bridge_hooks

Table of Netfilter hooks in the BRIDGE family. These define points for processing layer 2 (Ethernet) bridge traffic.

Fields:

PRE_ROUTING integer For packets entering the bridge, before any bridge processing (e.g., ebtables broute chain).
LOCAL_IN integer For bridged packets destined for the bridge interface itself (if IP processing is enabled on the bridge).
FORWARD integer For packets being forwarded by the bridge between its ports (e.g., ebtables filter chain).
LOCAL_OUT integer For packets originating from the bridge interface itself.
POST_ROUTING integer For packets leaving the bridge, after all bridge processing (e.g., ebtables nat chain).

bridge_priority

Table of Netfilter hook priorities in the BRIDGE family. Hooks with lower priority numbers are called earlier.

Fields:

FIRST integer Highest priority for bridge hooks.
NAT_DST_BRIDGED integer Priority for Destination NAT on bridged-only packets (ebtables dnat chain).
FILTER_BRIDGED integer Priority for filtering bridged-only packets (ebtables filter chain in FORWARD).
BRNF integer Priority for bridge netfilter specific operations (interaction between bridge and IP stack).
NAT_DST_OTHER integer Priority for Destination NAT on packets routed through the bridge (iptables PREROUTING on bridge interface).
FILTER_OTHER integer Priority for filtering packets routed through the bridge (iptables FORWARD or INPUT on bridge interface).
NAT_SRC integer Priority for Source NAT on bridged or routed packets (ebtables snat or iptables POSTROUTING).
LAST integer Lowest priority for bridge hooks.

family

Table of Netfilter protocol families.

Fields:

UNSPEC integer Unspecified protocol family.
UNSPEC integer Unspecified protocol family.
INET integer Internetwork protocol family (covering IPv4/IPv6).
IPV4 integer Internet Protocol version 4.
IPV6 integer Internet Protocol version 6.
ARP integer Address Resolution Protocol.
NETDEV integer Network device hooks (ingress/egress).
BRIDGE integer Ethernet bridging hooks.

inet_hooks

Table of Netfilter hooks in the INET (IPv4/IPv6) family. These define points in the network stack where packet processing can occur.

Fields:

PRE_ROUTING integer After packet reception, before routing decision.
LOCAL_IN integer For packets destined to the local machine, after routing.
FORWARD integer For packets to be forwarded to another interface, after routing.
LOCAL_OUT integer For packets generated locally, before sending to an interface.
POST_ROUTING integer Before packets are sent out, after routing and just before handing to hardware.

ip_priority

Table of Netfilter hook priorities in the IP family. Hooks with lower priority numbers are called earlier within the same hook point.

Fields:

FIRST integer Highest priority, hook runs first.
RAW_BEFORE_DEFRAG integer Priority for raw table processing, before packet defragmentation.
CONNTRACK_DEFRAG integer Priority for connection tracking related to defragmentation.
RAW integer Priority for raw table processing.
SELINUX_FIRST integer Early priority for SELinux hooks.
CONNTRACK integer Priority for main connection tracking.
MANGLE integer Priority for mangle table processing (packet alteration).
NAT_DST integer Priority for Destination NAT (nat table, PREROUTING/OUTPUT).
FILTER integer Priority for filter table processing (packet filtering).
SECURITY integer Priority for security modules like SELinux.
NAT_SRC integer Priority for Source NAT (nat table, POSTROUTING/INPUT).
SELINUX_LAST integer Late priority for SELinux hooks.
CONNTRACK_HELPER integer Priority for connection tracking helper modules.
LAST integer Lowest priority, hook runs last.

netdev_hooks

Table of Netfilter hooks in the NETDEV family. These hooks operate at the network device driver level.

Fields:

INGRESS integer For packets as they are received by a network device, very early in the stack.
EGRESS integer For packets just before they are transmitted by a network device, very late in the stack (Kernel 5.16+).

Class netfilter_hook

Represents a registered Netfilter hook. This is a userdata object returned by netfilter.register(). It encapsulates the kernel struct nf_hook_ops and associated Lunatik runtime information necessary to invoke the Lua callback when a packet matches the hook criteria.

netfilter_hook:register (opts)

Registers a Netfilter hook. The hook function will be called for packets matching the specified criteria.

Parameters:

opts table
A table containing the options for the Netfilter hook. It should have the following fields:
- hook (function): The Lua function to be called for each packet. It receives a luadata object representing the packet buffer (skb) and should return an integer verdict (e.g., netfilter.action.ACCEPT).
- pf (integer): The protocol family (e.g., netfilter.family.INET).
- hooknum (integer): The hook number within the protocol family (e.g., netfilter.inet_hooks.LOCAL_OUT).
- priority (integer): The hook priority (e.g., netfilter.ip_priority.FILTER).
- mark (integer, optional): Packet mark to match. If set, the hook is only called for packets with this mark.

Returns:

userdata

Lunatik

Contents

Modules

Topics

Module `netfilter`

Tables

Class netfilter_hook

Tables

Fields:

Fields:

Fields:

Fields:

Fields:

Fields:

Fields:

Fields:

Class netfilter_hook

Parameters:

Returns:

Lunatik

Contents

Modules

Topics

Module netfilter

Tables

Class netfilter_hook

Tables

Fields:

Fields:

Fields:

Fields:

Fields:

Fields:

Fields:

Fields:

Class netfilter_hook

Parameters:

Returns:

Module `netfilter`