man nftables Japanese translation

Japanese translation of the manual displayed by man nftables.

name

nft-Nftables framework management tool for packet filtering and classification

Overview

nft [ -nNscae ] [ -I directory ] [ -f filename | -i | cmd ...]
nft -h
nft -v

Description

nft is a command line tool used by the Linux kernel of the nftables framework to set, manage, and inspect packet filtering and classification rules. The Linux kernel subsystem is known as nf_tables, where nf stands for Netfilter.

option

Run nft --help to see a complete summary of the options.

Input file format

Vocabulary rules

The input is parsed line by line. If the last character on a line (immediately before the newline character) is an unquoted backslash (\), the next line is treated as a continuation. Multiple commands on the same line can be separated using a semicolon (; ).

The hash sign ( #) starts the comment. All subsequent characters on the same line are ignored.

Identifiers begin with an alphabetic character (az, AZ), with zero or more alphanumeric characters (az, AZ, 0-9), a slash (/), a backslash (\), and an underscore ( It is followed by the characters _) and dots ( .). Identifiers that use different characters or conflict with keywords must be enclosed in double quotes ( ").

Read file

You can use the include statement to read other files. The directory to search for include files can be specified using the -I / --includepath option. To override this behavior, either prefix the path with ./ to force the files in the current working directory (that is, relative paths) to be included, or use the / absolute path. Specifies the location of the file to be represented.

If -I / --includepath is not specified, nft will use the default directory specified at compile time. This default directory can be obtained with the -h / --help option.

The include statement supports the usual shell wildcard symbols (*, ? , []). If the include statement uses wildcard symbols, no error will occur even if there is no match for the include statement. This allows you to specify a potentially empty include directory, such as `ʻinclude / etc / firewall / rules / * . Wildcard matches are read alphabetically. Files that start with a dot ( .``) do not match in the include statement.

Variable symbol

Variable expression definition

$variable

Variable symbols can be defined using the define statement. Variable references are expressions and can be used to initialize other variables. The scope of the definition is the current block and all the blocks contained within it.

Variable usage example


define int_if1 = eth0
define int_if2 = eth1
define int_ifs = { $int_if1, $int_if2 }

filter input iif $int_ifs accept

Address family

The address family determines the type of packet processed. For each address family, the kernel contains hooks that represent specific stages of the packet processing process. These hooks call nftables if the hook's rules exist.

All identifiers include an address family because all nftables objects reside in an address family-specific namespace. If you specify an identifier without an address family, the ip family is used by default.

IPV4 / IPV6 / INET address family

The IPv4 / IPv6 / Inet address family handles IPv4, IPv6, or both types of packets. They contain five hooks at different packet processing stages of the network stack.

IPv4 / IPv6 / Inet Address Family Hook

hook Description
prerouting All packets entering the system are processed by the prerouting hook. It is called before the routing process and is used for early filtering or modification of packet attributes that affect routing.
input Packets delivered to the local system are processed by the input hook.
forward Packets forwarded to another host are processed by the forward hook.
output Packets sent by the local process are processed by the output hook.
postrouting All packets leaving the system are processed by the postrouting hook.

ARP address family

The ARP address family handles ARP packets sent and received by the system. It is typically used to mangle ARP packets for clustering.

ARP address family hook

hook Description
input Packets delivered to the local system are processed by the input hook.
output Packets sent by the local system are processed by the output hook.

Bridge address family

The bridge address family handles Ethernet packets that pass through the bridge device.

The list of supported hooks is the same as the IPv4 / IPv6 / Inet address family above.

NETDEV address family

The Netdev address family handles packets from ingress.

Netdev address family hook

hook Description
ingress All packets entering the system are processed by this hook. Called before the Layer 3 protocol handler, it can be used for early filtering and policing.

Rule set

{list | flush} ruleset [family]
export [ruleset] format

The ruleset keyword is used to identify the entire set of tables, chains, etc. currently located in the kernel. The following ruleset commands exist.

It is possible to limit the list and flush only specific address families. See Address Family (#Address Family) above for a list of valid family names.

Note that, contrary to expectations, the output produced by export cannot be parsed by nft -f. Instead, the output of the list command serves that purpose.

table

{add | create} table [family] table [ { flags flags } ]
{delete | list | flush} table [family] table
delete table [family] handle handle

Tables are containers for chains, sets, and stateful objects. They are identified by address family and name. The address family must be one of ip, ip6, inet, arp, bridge, netdev. The inet address family is a dummy family used to create hybrid IPv4 / IPv6 tables. You can use the meta-expression nfproto keyword to test the family (IPv4 or IPv6) context in which packets are being processed. If no address family is specified, ip is used by default. The only difference between add and create is that create returns an error, while add does not return an error if the specified table already exists.

Table flag

flag Description
dormant The table is not evaluated(Base chain is not registered)

Example of adding, modifying, or deleting a table


#Launch nft in interactive mode
nft --interactive

#Create a new table.
create table inet mytable

#Add new base chain:Get input packet
add chain inet mytable myin { type filter hook input priority 0; }

#Add a single counter to the chain
add rule inet mytable myin counter

#Temporarily disable the table(Rules are not evaluated)
add table inet mytable { flags dormant; }

#Reactivate the table:
add table inet mytable

chain

{add | create} chain [family] table chain [ { type type hook hook [device device] priority priority ; [policy policy ;] } ]
{delete | list | flush} chain [family] table chain
delete chain [family] table handle handle
rename chain [family] table chain newname

A chain is a container for rules. There are two types of chains, base chains and regular chains. The base chain is the entry point for packets from the networking stack. Regular chains can be used as jump targets and are used for better rule formation.

For base chains, the type, hook, and priority parameters are required.

Supported chain types

type family hook Description
filter all all Standard chain type that can be used without hesitation.
nat ip, ip6 prerouting, input, output, postrouting This type of chain performs network address translation based on the conntrack entry. Only the first packet of the connection actually goes through this chain. The rule is usually a conntrack entry created(For example, NAT statement)Define the details of.
route ip, ip6 output If a packet goes through this type of chain and is about to accept it, a new route search will be performed if the relevant part of the IP header has changed. This implements a policy routing selector, for example in nftables.

Apart from the special case above (for example, the nat type does not support forward hooks, or the route type only supports output hooks), there are two more quirks to note.

The priority parameter accepts a signed integer value that specifies the order in which chains with the same hook value are traversed. The order is ascending. That is, low priority values take precedence over high values.

The base chain also allows you to set chain policies. The policy sets what happens to packets that are not explicitly accepted or rejected by the predefined rules. The supported policy values are `ʻaccept(default) or drop``.

rule

[add | insert] rule [family] table chain [ {handle | position} handle | index index] statement...
replace rule [family] table chain handle handle statement...
delete rule [family] table chain handle handle

The rule is added to the chain of the specified table. If no family is specified, the ip family will be used. A rule consists of two types of components according to a set of grammatical rules. Expressions and statements.

The add and insert commands support arbitrary position specifiers. This is either the handle or index (starting from zero) of an existing rule. Internally, the location of the rule is always identified by the handle, and the conversion from the index is done in user space. If simultaneous ruleset changes occur after conversion, this has two potential implications. If a rule is inserted or deleted before the referenced rule, the valid rule index may change. If the referenced rule is deleted, the command will be rejected by the kernel, as if an invalid handle was specified.

Example of adding a rule to the input chain of iptables


# 'ip filter'Is expected
nft add rule filter output ip daddr 192.168.0.0/24 accept
#Same command, a little more detail
nft add rule ip filter output ip daddr 192.168.0.0/24 accept

Example of deleting a rule from the inet table


nft -a list ruleset

table inet filter {
  chain input {
    type filter hook input priority 0; policy accept;
    ct state established,related accept # handle 4
    ip saddr 10.1.1.1 tcp dport ssh accept # handle 5
    ...

#Delete the rule of handle 5.
nft delete rule inet filter input handle 5

set

nftables provides two types of set concepts. Anonymous sets are sets that do not have a specific name. The members of the set are enclosed in curly braces and the elements are separated by commas when creating rules that use the set. When the rule is deleted, so is the set. You cannot update them. That is, once an anonymous set is declared, it cannot be updated unless the rules that use the anonymous set are deleted or modified.

An example of accepting a specific subnet and port using an anonymous set


nft add rule filter input ip saddr { 10.0.0.0/8, 192.168.0.0/16 } tcp dport { 22, 443 } accept

A named set is the first set that must be defined before it can be referenced in a rule. Unlike anonymous sets, elements can be added or removed from named sets at any time. The set is referenced by the rule by prefixing the set name with @.

An example of accepting an address and port using a named set


nft add rule filter input ip saddr @allowed_hosts tcp dport @allowed_ports accept

The sets ʻallowed_hosts`` and ʻallowed_ports`` must be created first.

The next section details the nft set syntax.

add set [family] table set { type type ; [flags flags ;] [timeout timeout ;] [gc-interval gc-interval ;] [elements = { element[,...] } ;] [size size ;] [policy policy ;] [auto-merge auto-merge ;] }
{delete | list | flush} set [family] table set
delete set [family] table handle handle
{add | delete} element [family] table set { element[,...] }

A set is an element container of a user-defined data type that is uniquely identified by a user-defined name and attached to a table.

Set specifications

keyword Description type
type Set element data type String: ipv4_addr, ipv6_addr, ether_addr, inet_proto, inet_service, mark
flags Set the flag String: constant, interval, timeout
timeout The amount of time an element stays in the set. Set is packet path(Rule set)Required if added from. String:Unit after decimal number(d, h, m, s)Is added.
gc-interval Garbage collection interval. Only available when timeout or flag timeout is active String:Unit after decimal number(d, h, m, s)Is added.
elements Elements included in the set Set the data type.
size Maximum number of elements in the set. Set is packet path(Rule set)Required if added from. Unsigned integer(64-bit)
policy Set the policy. String: performance [default], memory
auto-merge adjacent/Automatic merging of duplicate set elements(interval set only)

map

add map [family] table map { type type [flags flags ;] [elements = { element[,...] };] [size size ;] [policy policy ;] }
{delete | list | flush} map [family] table map
{add | delete} element [family] table map { elements = { element[,...] } ; }

Maps store data based on a specific key used as input, are uniquely identified by a user-defined name, and are attached to a table.

Map specifications

keyword Description type
type Map element data type key_name:valueSpecify in the format of. Types that can be used as values: ipv4_addr, ipv6_addr, ether_addr, inet_proto, inet_service, mark, counter, quota。 couterWhenquotaCannot be used as a key name.
flags Map flag String: constant, interval
elements Elements included in the map Map data type
size Maximum number of elements in the map Unsigned integer(64-bit)
policy Map policy String: performance [default], memory

Flow table

{add | create} flowtable [family] table flowtable { hook hook priority priority ; devices = { device[,...] } ; }
{delete | list} flowtable [family] table flowtable

Flow tables can be used to speed up packet forwarding in software. Flow table entries are represented by tuples consisting of ingress interfaces, source and destination addresses, source and destination ports; and Layer 3/4 protocols. Each entry caches the destination interface and gateway address, updates the destination link layer address, and forwards the packet. The ttl and hoplimit fields are also reduced. The flow table therefore provides an alternative path that allows the packet to bypass the traditional forwarding path. The flow table is on the ingress hook in front of the prerouting hook. Flows from the forward chain You can use the offload expression to select the flow to offload. Flow tables are identified by address family and name. The address family must be ip, ip6, or inet. The inet address family is a dummy family used to create hybrid IPv4 / IPv6 tables. If no address family is specified, ip is used by default.

Stateful object

{add | delete | list | reset} type [family] table object
delete type [family] table handle handle

Stateful objects are attached to the table and identified by a unique name. They group stateful information from the rule and the keyword type name is used to refer to them in the rule. Example: counter name.

CT

ct helper helper { type type protocol protocol ; [l3proto family ;] }

The ct helper is used to define a connection tracking helper that can be used in combination with the ct helper set statement. type and protocol are required. l3proto is derived from the table family by default. That is, if the kernel supports it, the kernel will try to load both IPv4 and IPv6 helper backends in the inet table.

conntrack helper spec

keyword Description type
type Helper type name Quotated string(Example: "ftp")
protocol Helper Layer 4 Protocol String(Example: tcp)
l3proto Helper Layer 3 Protocol Address family(Example: ip)

FTP helper definition and assignment

Unlike iptables, helper assignments should be done, for example, with the default 0 hook priority after the conntrack search is complete.

table inet myhelpers {
  ct helper ftp-standard {
    type "ftp" protocol tcp
  }
  chain prerouting {
    type filter hook prerouting priority 0;
    tcp dport 21 ct helper set "ftp-standard"
  }
}

counter

counter [packets bytes]

Counter specifications

keyword Description type
packets Initial number of packets Unsigned integer(64-bit)
bytes Initial number of bytes Unsigned integer(64-bit)

quota

quota [over | until] [used]

Quota specifications

keyword Description type
quota Quota limit. Used as the quota name. Unsigned integer(64-bit)And strings(bytes, kbytes, mbytes)Specify the two arguments of.overWhenuntilIs before these arguments
used Initial value of used quota Unsigned integer(64-bit)And strings(bytes, kbytes, mbytes)Specify the two arguments of.

formula

The expression represents the value of either a constant such as a network address or port number, or the data collected from the packet during rule set evaluation. You can combine formulas with binary, logical, relational, and other types of formulas to form complex or relational (matching) formulas. They are also used as arguments for certain types of operations, such as NAT and packet marking.

Each expression has a data type, which determines the size, parsing, representation, and type compatibility of symbolic values with other expressions.

DESCRIBE command

describe expression

The describe command displays information about the type of expression and its data type.

$ nft describe tcp flags
payload expression, datatype tcp_flag (TCP flag) (basetype bitmask, integer), 8 bits

predefined symbolic constants:
fin                           0x01
syn                           0x02
rst                           0x04
psh                           0x08
ack                           0x10
urg                           0x20
ecn                           0x40
cwr                           0x80

Data type

The data type determines the size, parsing, representation, and expression type compatibility of symbolic values. There are several global data types, and some expression types define additional data types that are specific to that expression type. Most data types are fixed size, but some are dynamic size. (Example: string type)

Types can be derived from lower-order types. The IPv4 address type is derived from the integer type. That is, you can also specify the IPv4 address as an integer value.

In certain contexts (set and map definitions), you need to explicitly specify the data type. Each type has a name used for this.

Integer type

name keyword size Base type
Integer integer variable -

The integer type is used for numbers. You can specify it in decimal, hexadecimal, or octal. The integer type is not a fixed size, its size is determined by the expression used.

Bit mask type

name keyword size Base type
Bitmask bitmask variable integer

The bitmask type (bitmask) is used for the bitmask.

String type

name keyword size Base type
String string variable -

The string type is used for strings. The string begins with an alphabetic character (a-zA-Z), followed by zero or more alphanumeric characters or characters and symbols (/, -, _, .. ) Follows. In addition, anything enclosed in double quotes (") is recognized as a string.

String type specification

#Interface name
filter input iifname eth0

#Strange interface name
filter input iifname "(eth0)"

Link layer address type

name keyword size Base type
Link layer address lladdr variable integer

The link layer address type is used for the link layer address. Link-layer addresses are specified as a two-digit hexadecimal variable number group separated by colons (:).

Link layer addressing


#Ethernet destination MAC address
filter input ether daddr 20:c9:d0:43:12:d9

IPV4 address type

name keyword size Base type
IPv4 address ipv4_addr 32 bit integer

The IPv4 address type is used for IPv4 addresses. The address is specified as a dotted decimal number, a dotted hexadecimal number, a dotted decimal number, a decimal number, a hexadecimal number, an octal number, or a host name. Hostnames are resolved using a standard system resolver.

IPv4 address specification


#Dot decimal notation
filter output ip daddr 127.0.0.1

#hostname
filter output ip daddr localhost

IPV6 address type

name keyword size Base type
IPv6 address ipv6_addr 128 bits integer

The IPv6 address type is used for IPv6 addresses. The address is specified as a host name or as a colon-separated hexadecimal halfword. The address may be enclosed in square brackets ([]) to distinguish it from the port number.

Specifying an IPv6 address


#Omitted loopback address
filter output ip6 daddr ::1

#Specifying an IPv6 address using square brackets
# []None port number(22)Is parsed as part of the ipv6 address.
ip6 nat prerouting tcp dport 2222 dnat to [1ce::d0]:22

Boolean type

name keyword size Base type
Boolean boolean 1 bit integer

Boolean types are syntax helper types in user space. This is the right-hand side of the (usually implicit) relation and is used to change the expression on the left-hand side to a Boolean check (usually `ʻexists``).

The following keywords are automatically resolved to a Boolean type with the specified value.

keyword value
exists 1
missing 0

Boolean specifications

The following formula supports Boolean comparisons.

formula motion
fib Check for the existence of the route.
exthdr Check for the existence of IPv6 extension headers.
tcp option Check for the existence of TCP option headers.
#Match if route exists
filter input fib daddr . iif oif exists

#Matches only unfragmented packets of IPv6 traffic
filter input exthdr frag missing

#Match if TCP timestamp option is present
filter input tcp option timestamp exists

ICMP type

name keyword size Base type
ICMP Type icmp_type 8-bit integer

ICMP type types are used to easily specify the type field in the ICMP header.

You can use the following keywords when specifying the ICMP type:

keyword value
echo-reply 0
destination-unreachable 3
source-quench 4
redirect 5
echo-request 8
router-advertisement 9
router-solicitation 10
time-exceeded 11
parameter-problem 12
timestamp-request 13
timestamp-reply 14
info-request 15
info-reply 16
address-mask-request 17
address-mask-reply 18

ICMP type specification


#Match ping packet
filter output icmp type { echo-request, echo-reply }

ICMP code type

name keyword size Base type
ICMP Code icmp_code 8-bit integer

The ICMP code type is used to easily specify the code fields in the ICMP header.

You can use the following keywords when specifying the ICMP code:

keyword value
net-unreachable 0
host-unreachable 1
prot-unreachable 2
port-unreachable 3
net-prohibited 9
host-prohibited 10
admin-prohibited 13

ICMPV6 type

name keyword size Base type
ICMPv6 Type icmpv6_type 8-bit integer

The ICMPv6 type type is used to easily specify the type field in the ICMPv6 header.

You can use the following keywords when specifying the ICMPv6 type:

keyword value
destination-unreachable 1
packet-too-big 2
time-exceeded 3
parameter-problem 4
echo-request 128
echo-reply 129
mld-listener-query 130
mld-listener-report 131
mld-listener-done 132
mld-listener-reduction 132
nd-router-solicit 133
nd-router-advert 134
nd-neighbor-solicit 135
nd-neighbor-advert 136
nd-redirect 137
router-renumbering 138
ind-neighbor-solicit 141
ind-neighbor-advert 142
mld2-listener-report 143

ICMPv6 type specification


#Match ICMPv6 ping packets
filter output icmpv6 type { echo-request, echo-reply }

ICMPV6 code type

name keyword size Base type
ICMPv6 Code icmpv6_code 8-bit integer

The ICMPv6 code type is used to easily specify the code fields in the ICMPv6 header.

You can use the following keywords when specifying the ICMPv6 code:

keyword value
no-route 0
admin-prohibited 1
addr-unreachable 3
port-unreachable 4
policy-fail 5
reject-route 6

ICMPVX code type

name keyword size Base type
ICMPvX Code icmpx_code 8-bit integer

The ICMPvX code type abstraction is a set of duplicate values between the ICMP and ICMPv6 code types used by the inet family.

You can use the following keywords when specifying the ICMPvX code:

keyword value
no-route 0
port-unreachable 1
host-unreachable 2
admin-prohibited 3

Conntrack type

This is an overview of the types used in ct expressions and statements.

name keyword size Base type
conntrack state ct_state 4 bytes bitmask
conntrack direction ct_dir 8-bit integer
conntrack status ct_status 4 bytes bitmask
conntrack event bits ct_event 4 bytes bitmask
conntrack label ct_label 128 bits bitmask

You can use keywords for convenience for each of the above types.

conntrack state(ct_state)

keyword value
invalid 1
established 2
related 4
new 8
untracked 64

conntrack direction(ct_dir)

keyword value
original 0
reply 1

conntrack status(ct_status)

keyword value
expected 1
seen-reply 2
assured 4
confirmed 8
snat 16
dnat 32
dying 512

conntrack event bits(ct_event)

keyword value
new 1
related 2
destroy 4
reply 8
assured 16
protoinfo 32
helper 64
mark 128
seqadj 256
secmark 512
label 1024

The keywords that can be specified for conntrack label type (ct_label) are read from /etc/connlabel.conf at run time.

Linear expression

The lowest-level expression is a linear expression that represents a packet's payload, metadata, or constant or single data from a stateful module.

Meta expression

meta {length | nfproto | l4proto | protocol | priority}
[meta] {mark | iif | iifname | iiftype | oif | oifname | oiftype | skuid | skgid | nftrace | rtclassid | ibrname | obrname | pkttype | cpu | iifgroup | oifgroup | cgroup | random | secpath}

A meta expression is the metadata associated with a packet.

There are two types of meta-expressions: unqualified meta-expressions and qualified meta-expressions. Qualified meta expressions require the meta keyword before the meta key. Unqualified meta-expressions allow you to specify the meta key directly or as a qualified meta-expression. The meta l4proto helps to match specific transport protocols that are part of an IPv4 or IPv6 packet. It also skips IPv6 extension headers present in IPv6 packets.

Meta expression type

keyword Description type
length Packet length(Part-Time Job) integer(32-bit)
nfproto The actual hook protocol family. Only useful for inet tables integer(32-bit)
l4proto Layer 4 protocol. Skip ipv6 extension header integer(8-bit)
protocol EtherType protocol value ether_type
priority TC packet priority tc_handle
mark Packet mark mark
iif Input interface index iface_index
iifname Input interface name ifname
iiftype Input interface type iface_type
oif Output interface index iface_index
oifname Output interface name ifname
oiftype Output interface hardware type iface_type
skuid UID associated with the original socket uid
skgid GID associated with the original socket gid
rtclassid Routing realm realm
ibrname Input bridge interface name ifname
obrname Output bridge interface name ifname
pkttype Packet type pkt_type
cpu CPU number to process the packet integer(32-bit)
iifgroup Receiving device group devgroup
oifgroup Sending device group devgroup
cgroup Control group ID integer(32-bit)
random Pseudo-random number integer(32 bit)
secpath Boolean value boolean(1 bit)

Meta expression specific type

type Description
iface_index Interface index(32-bit number).. It can be a number or the name of an existing interface.
ifname Interface name(16 byte string).. Not required.
iface_type Interface type(16-bit number)。
uid USER ID(32-bit number).. It can be specified as a number or user name.
gid Group ID(32-bit number).. Can be specified as a number or group name.
realm Routing realm(32-bit number).. Numerical value, or/etc/iproute2/rt_realmsIt can be specified as a symbol name defined in.
devgroup_type Device group(32-bit number).. Numerical value or/etc/iproute2/groupIt can be specified as a symbol name defined in.
pkt_type Packet type:Unicast(To localhost),broadcast(To everyone), Multicast(To the group)。

Example of using meta expression


#Qualified meta expression
filter output meta oif eth0

#Unqualified meta expression
filter output oif eth0

#Packs that were the target of ipsec processing
raw prerouting meta secpath exists accept

FIB (Forwarding Information Base) formula

fib {saddr | daddr | {mark | iif | oif}} {oif | oifname | type}

The fib expression queries fib (forwarding information base) to get information such as the egress interface index used by a particular address. The input is a tuple of elements used as input to the fib search function.

fib expression-specific type

keyword Description type
oif Output interface index integer(32 bit)
oifname Output interface name string
type Address type fib_addrtype

FIB expression usage example


#Drop packets without reverse path
filter prerouting fib saddr . iif oif missing drop

#Drop packets to addresses that are not configured on the interface
filter prerouting fib daddr . iif type != { local, broadcast, multicast } drop

#specific'blackhole'Perform a search on the table( 0xdead,Requires proper ip rules)
filter prerouting meta mark set 0xdead fib daddr . mark type vmap { blackhole : drop, prohibit : jump prohibited, unreachable : drop }

Routing formula

rt {classid | nexthop}

A routing expression refers to the routing data associated with a packet.

Routing expression type

keyword Description type
classid Routing realm realm
nexthop Routing next hop ipv4_addr / ipv6_addr
mtu Root TCP maximum segment size integer(16 bit)

Routing expression specific type

type Description
realm Routing realm(32-bit number).. Numerically or/etc/iproute2/rt_realmsIt can be specified as a symbol name defined in.

Routing expression usage example


#IP family independent rt expression
filter output rt classid 10

#IP family dependent rt expression
ip filter output rt nexthop 192.168.0.1
ip6 filter output rt nexthop fd00::1
inet filter output rt ip nexthop 192.168.0.1
inet filter output rt ip6 nexthop fd00::1

Payload expression

The payload expression refers to the data from the packet's payload.

Ethernet header expression

ether [Ethernet header field]

Ethernet header expression type

keyword Description type
daddr Destination MAC address ether_addr
saddr Source MAC address ether_addr
type EtherType ether_type

VLAN header expression

vlan [VLAN header field]
keyword Description type
id VLAN ID(VID) integer(12 bit)
cfi Canonical Format Indicator integer(1 bit)
pcp Priority code point integer(3 bits)
type EtherType ether_type

ARP header expression

arp [ARP header field]
keyword Description type
htype ARP hardware type integer(16 bit)
ptype EtherType ether_type
hlen Hardware address length integer(8-bit)
plen Protocol address length integer(8-bit)
operation operation arp_op

IPV4 header expression

ip [IPv4 header field]
keyword Description type
version IP header version(4) integer(4 bits)
hdrlength IP header length including options integer(4 bits)FIXME scaling
dscp Differentiated Services Code Point dscp
ecn Explicit congestion notification(Explicit Congestion Notification) ecn
length Total packet length integer(16 bit)
id IP ID integer(16 bit)
frag-off Fragment offset integer(16 bit)
ttl Survival time(Time to live) integer(8-bit)
protocol Upper layer protocol inet_proto
checksum IP header checksum integer(16 bit)
saddr Source address ipv4_addr
daddr destination address ipv4_addr

ICMP header expression

icmp [ICMP header field]
keyword Description type
type ICMP type field icmp_type
code ICMP code field integer(8-bit)
checksum ICMP checksum field integer(16 bit)
id Echo request/Response ID integer(16 bit)
sequence Echo request/Response sequence number integer(16 bit)
gateway Redirect gateway integer(32-bit)
mtu MTU Path exploration MTU integer(16 bit)

IPV6 header expression

ip6 [IPv6 header field]

This expression references the ipv6 header field. A caveat when using ʻip6 nexthdr``, the value refers only to the next header. That is, ʻip6 nexthdr tcpmatches only if the ipv6 packet does not contain an extension header. It will not be matched if it contains fragmented packets or routing extension headers. Use meta l4proto`` if you want to match the actual transport headers and ignore the additional extension headers instead.

keyword Description type
version IP header version(6) integer(4 bits)
dscp Differentiated Services Code Point dscp
ecn Explicit congestion notification(Explicit Congestion Notification) ecn
flowlabel Flow label integer(20 bits)
length Payload length integer(16 bit)
nexthdr nexthdr protocol inet_proto
hoplimit Hop limit integer(8-bit)
saddr Source address ipv6_addr
daddr destination address ipv6_addr

Match if the first extension header points to a fragment

ip6 nexthdr ipv6-frag counter

ICMPV6 header expression

icmpv6 [ICMPv6 header field]
keyword Description type
type ICMPv6 type field icmpv6_type
code ICMPv6 code field integer(8-bit)
checksum ICMPv6 checksum field integer(16 bit)
parameter-problem Pointer to the problem integer(32-bit)
packet-too-big Oversized MTU integer(32-bit)
id Echo request/Response ID integer(16 bit)
sequence Echo request/Response sequence number integer(16 bit)
max-delay Maximum response delay for MLD queries integer(16 bit)

TCP header expression

tcp [TCP header field]
keyword Description type
sport Source port inet_service
dport Destination port inet_service
sequence Sequence number integer(32-bit)
ackseq Authorization number integer(32-bit)
doff Data offset integer(4 bits)FIXME scaling
reserved Reservation area integer(4 bits)
flags TCP flag tcp_flag
window window integer(16 bit)
checksum Checksum integer(16 bit)
urgptr Emergency pointer integer(16 bit)

UDP header expression

udp [UDP header field]
keyword Description type
sport Source port inet_service
dport Destination port inet_service
length Total packet length integer(16 bit)
checksum Checksum integer(16 bit)

Simple UDP header expression

udplite [UDP-Lite header field]
keyword Description type
sport Source port inet_service
dport Destination port inet_service
checksum Checksum integer(16 bit)

SCTP header expression

sctp [SCTP header field]
keyword Description type
sport Source port inet_service
dport Destination port inet_service
vtag Validation tag integer(32-bit)
checksum Checksum integer(32-bit)

DCCP header expression

dccp [DCCP header field]
keyword Description type
sport Source port inet_service
dport Destination port inet_service

Authentication header expression

ah [AH header field]
keyword Description type
nexthdr The following header protocol inet_proto
hdrlength AH header length integer(8-bit)
reserved Reservation area integer(16 bit)
spi Security parameter index integer(32-bit)
sequence Sequence number integer(32-bit)

Encrypted security payload header expression

esp [ESP header field]
keyword Description type
spi Security parameter index integer(32-bit)
sequence Sequence number integer(32-bit)

IPCOMP header expression

comp [IPComp header field]
keyword Description type
nexthdr The following header protocol inet_proto
flags flag bitmask
cpi Compression parameter index integer(16 bit)

RAW payload expression

@ [base,offset,length]

The Raw payload expression tells you to load lengthbits that start with offsetbits. Bit 0 points to the first bit. In the C programming language, this corresponds to the most significant bit, or 0x80 in the case of octets. These are useful for matching headers that do not yet have a human-readable template expression. Note that nft does not add raw payload expression dependencies. For example, to match the protocol field in the transport header to protocol number 5, you must manually exclude packets with different transport headers. For example, use meta l4proto 5 before the Raw expression.

Supported payload protocol base

base Description
ll Link layer such as ethernet header
nh Network headers such as IPv4 or IPv6
th Transport headers, such as TCP

python


#Destination port that matches both UDP and TCP
inet filter input meta l4proto {tcp, udp} @th,16,16 { dns, http }

#If the target protocol address matches the specified address
#rewrite the target hardware address of the arp packet.
input meta iifname enp2s0 arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566 accept

Extended header expression

Extended header expressions refer to data from variable-sized protocol headers, such as IPv6 extended headers and TCP options.

nftables currently supports matching (searching) for certain ipv6 extension headers or TCP options.

hbh {nexthdr | hdrlength}
frag {nexthdr | frag-off | more-fragments | id}
rt {nexthdr | hdrlength | type | seg-left}
dst {nexthdr | hdrlength}
mh {nexthdr | hdrlength | checksum | type}
srh {flags | tag | sid | seg-left}
tcp option {eol | noop | maxseg | window | sack-permitted | sack | sack0 | sack1 | sack2 | sack3 | timestamp} tcp_option_field

The following syntax is valid only for relational expressions that have a Boolean type on the right side and only check for the existence of headers.

exthdr {hbh | frag | rt | dst | mh}
tcp option {eol | noop | maxseg | window | sack-permitted | sack | sack0 | sack1 | sack2 | sack3 | timestamp}

IPv6 extension header

keyword Description
hbh Hop by hop
rt Routing header
Fragment Fragmentation header
dst dst option
mh Mobility header
srh Segment routing header

TCP options

keyword Description TCP option field
eol End of option list kind
noop 1-byte TCP No-op option kind
maxseg TCP maximum segment size kind, length, size
window TCP window scaling kind, length, count
sack-permitted Allowed TCP SACK kind, length
sack TCP selective acknowledgment(TCP Selective Acknowledgement)(Alias for block 0) kind, length, left, right
sack0 TCP selective acknowledgment(block 0) kind, length, left, right
sack1 TCP selective acknowledgment(block 1) kind, length, left, right
sack2 TCP selective acknowledgment(block 2) kind, length, left, right
sack3 TCP selective acknowledgment(block 3) kind, length, left, right
timestamp TCP timestamp kind, length, tsval, tsecr
#Search for TCP options
filter input tcp option sack-permitted kind 1 counter

#IPv6 exthdr search
ip6 filter input frag more-fragments 1 counter

CONNTRACK expression

The conntrack expression references the metadata of the connection tracking entry associated with the packet.

There are three types of conntrack expressions. Some conntrack expressions require the flow direction before the conntrack key, while others are direction-independent and must be used directly. The packets, bytes, and ```avgpkt`` keywords can be used with or without orientation. If you omit the direction, the sum of the original direction and the reply direction is returned. The same applies to zones. If a direction is specified, the zones will match only if the zone ID is associated with the specified direction.

ct {state | direction | status | mark | expiration | helper | label | l3proto | protocol | bytes | packets | avgpkt | zone}
ct {original | reply} {l3proto | protocol | proto-src | proto-dst | bytes | packets | avgpkt | zone}
ct {original | reply} {ip | ip6} {saddr | daddr}
keyword Description type
state Connection status ct_state
direction Packet direction for connection ct_dir
status Connection status ct_status
mark Connection mark mark
expiration Connection expiration date time
helper Helper associated with the connection string
label nftables include pathconnlabel.confConnection tracking label bit or symbolic name defined in ct_label
l3proto Layer 3 protocol for connectivity nf_proto
saddr Source address of the connection in the specified direction ipv4_addr / ipv6_addr
daddr Destination address of the connection in the specified direction ipv4_addr / ipv6_addr
protocol Layer 4 protocol for connections in the specified direction inet_proto
proto-src Layer 4 source protocol in the specified direction integer(16 bit)
proto-dst Layer 4 destination protocol in the specified direction integer(16 bit)
packets The number of packets detected in the specified direction, or the total of the original and the reply integer(64-bit)
bytes Number of detected bytes,packetsSee keyword description integer(64-bit)
avgpkt Average bytes per packet,packetsSee keyword description integer(64-bit)
zone conntrack zone integer(16 bit)

A description of the conntrack-specific types above can be found in the CONNTRACK TYPES subsection above.

statement

The statement represents the action to be taken. You can change the control flow (return, jump to another chain, accept or drop packets), and perform actions such as logging and denying packets.

There are two types of statements. The end statement unconditionally ends the evaluation of the current rule. Non-terminating statements only conditionally terminate or never terminate the evaluation of the current rule. That is, they are passive in terms of ruleset evaluation. The rule can contain any number of non-terminating statements, but only a single terminating statement can be used as the final statement.

Judgment statement

The decision statement modifies the control flow of the ruleset and issues a packet policy decision.

{accept | drop | queue | continue | return}
{jump | goto} chain
#Packets from eth0 and internal network from_Process with lan.
filter input iif eth0 ip saddr 192.168.0.0/24 jump from_lan

#Drop all packets from the chain, eth0 with different source addresses.
filter input iif eth0 drop

Payload statement

The payload statement modifies the contents of the packet. For example, it can be used to set the ip DSCP (differv) header field or the ipv6 flow label.

Route some packets instead of bridging.

# tcp:http 192.160.0.0/Redirect from 16 to your local machine and route instead of bridging
# 00:11:22:33:44:It is assumed that 55 is the local MAC address.
bridge input meta iif eth0 ip saddr 192.168.0.0/16 tcp dport 80 meta pkttype set unicast ether daddr set 00:11:22:33:44:55

#IPv4 DSCP header field settings
ip forward ip dscp set 42

Extended header statement

The extended header statement modifies the packet content of variable-sized headers. This can now be used to change the TCP maximum segment size of a packet, similar to TCPMSS.

#Change tcp mss
tcp flags syn tcp option maxseg size set 1360

#Set the size based on the route information
tcp flags syn tcp option maxseg size set rt mtu

Log statement

log [prefix quoted_string] [level syslog-level] [flags log-flags]
log group nflog_group [prefix quoted_string] [queue-threshold value] [snaplen size]

The log statement enables logging of matching packets. When this statement is used from a rule, the Linux kernel prints information about all matching packets, including header fields, through the kernel log (which can be read by dmesg (1) or syslog). If a group number is specified, the Linux kernel passes the packet to the nfnetlink_log and multicasts the packet through the netlink socket to the specified multicast group. One or more userspace processes may be registered in a group and receive packets. See the libnetfilter_queue documentation for more information. Since this is a non-terminating statement, rule evaluation continues even after the packet is logged.

Log statement options

keyword Description type
prefix Log message prefix Quotated string
level Logging Syslog level string: emerg, alert, crit, err, warn [default], notice, info, debug
group NFLOG group to send a message Unsigned integer(16 bit)
snaplen Length of packet payload to include in netlink messages Unsigned integer(32-bit)
que-threshold Number of packets to queue in the kernel before sending to user space Unsigned integer(32-bit)

Log flag

flag Description
tcp sequence Log the TCP sequence number.
tcp options TCP packet header logging options.
ip options IP /Log options for IPv6 packet headers.
skuid Log the user ID of the process that generated the packet.
ether Decodes the MAC address and protocol.
all Enable all of the above log flags.

Log statement usage example


#Log the UID that generated the packet and IP options
ip filter output log flags skuid flags ip options

#Log TCP sequence numbers and TCP options from TCP packets
ip filter output log flags tcp sequence,options

#Enable all supported log flags
ip6 filter output log flags all

Rejection statement

reject [ with {icmp | icmpv6 | icmpx} type {icmp_code | icmpv6_code | icmpx_code} ]
reject [ with tcp reset ]

The reject statement is used to send back an error packet in response to a matched packet. Otherwise it is the same as drop, so it is an end statement that ends rule traversal. This statement is valid only for input chains, forward chains, output chains, and user-defined chains that are called only from these chains.

The various ICMP deny variables are intended for use with different table families.

variable family type
icmp ip icmp_code
icmpv6 ip6 icmpv6_code
icmpx inet icmpx_code

See the Data Types (# Data Types) section above for a description of the types and a list of supported keywords. The default deny value is generally port-unreachable.

Note that in the bridge family, reject statements are only allowed on basechains that hook into input or prerouting.

Counter statement

The counter statement sets the number of packet hits as well as the number of bytes.

counter [ packets number bytes number ]

CONNTRACK statement

You can use the conntrack statement to set the conntrack mark and the conntrack label.

ct {mark | event | label | zone} set value

The ct statement sets the metadata associated with the connection. The zone ID must be assigned before a conntrack search can be performed. That is, this should be done with prerouting and output (if locally generated packets need to be placed in separate zones) and the hook priority is -300.

Conntrack statement type

keyword Description value
event conntrack event bit bitmask, integer(32-bit)
helper The name of the ct helper object you assign to the connection Quotated string
mark Connection tracking mark mark
label Connection tracking label label
zone conntrack zone integer(16 bit)
#Save the packet nfmark to conntrack
ct mark set meta mark

#Set up mapped zones through the interface
table inet raw {
  chain prerouting {
    type filter hook prerouting priority -300;
    ct zone set iif map { "eth1" : 1, "veth1" : 2 }
  }
  chain output {
    type filter hook output priority -300;
    ct zone set oif map { "eth1" : 1, "veth1" : 2 }
  }
}

#Limit events reported by ctnetlink
ct event set new,related,destroy

Meta statement

The meta statement sets the value of the meta expression. The existing metafields are priority, mark, pkttype, nftrace.

meta {mark | priority | pkttype | nftrace} set value

The meta statement sets the metadata associated with the packet.

Meta statement type

keyword Description value
priority TC packet priority tc_handle
mark Packet mark mark
pkttype Packet type pkt_type
nftrace Ruleset packet tracing on/off. To monitor the tracemonitor traceUse the command. 0, 1

Restriction statement

limit rate [over] packet_number / {second | minute | hour | day} [burst packet_number packets]
limit rate [over] byte_number {bytes | kbytes | mbytes} / {second | minute | hour | day | week} [burst byte_number bytes]

The limit statement matches at a limited rate using the token bucket filter. Rules that use this statement will match until this limit is reached. You can use this in combination with a log statement to limit logging. The optional `ʻover`` keyword matches beyond the specified rate.

value Description type
packet_number Number of packets Unsigned integer(32-bit)
byte_number Number of bytes Unsigned integer(32-bit)

NAT statement

snat to address [:port] [persistent, random, fully-random]
snat to address - address [:port - port] [persistent, random, fully-random]
dnat to address [:port] [persistent, random, fully-random]
dnat to address [:port - port] [persistent, random, fully-random]
masquerade to [:port] [persistent, random, fully-random]
masquerade to [:port - port] [persistent, random, fully-random]
redirect to [:port] [persistent, random, fully-random]
redirect to [:port - port] [persistent, random, fully-random]

The nat statement is valid only from the nat chain type.

The snat and masquerade statements indicate that the source address of the packet should be changed. snat is only valid for postrouting and input chains, but masquerade is only valid for postrouting. The dnat and redirect statements are valid only in the prerouting and output chains and indicate that the destination address of the packet should be changed. You can also use non-base chains that are called from nat chain type base chains. All future packets on this connection will be dropped and rule evaluation will be aborted.

The masquerade statement is a special form of snat that always uses the IP address of the destination sending interface. This is especially useful for gateways with dynamic (public) IP addresses.

The redirect statement is a special form of dnat that always translates the destination address to the address of the local host. This is useful if you only want to change the destination port for incoming traffic on different interfaces.

Note that every nat statement must have both prerouting and postrouting basechains. Otherwise, packets on the return route will not be recognized by netfilter and no reverse translation will occur.

NAT statement value

formula Description type
address Packet source/Indicates that the destination address needs to be changed. You can specify a mapping to associate a list of tuples consisting of any expression key with an address value. ipv4_addr, ipv6_addr,For exampleabcd::1234, Or you can use mapping. meta mark map{ 10:192.168.1.2, 20:192.168.1.3 }
port Packet source/Indicates that the destination address needs to be changed. port number(16 bit)

NAT statement flag

flag Description
persistent Same source for each connection/Give the client the destination address.
random When used, the port mapping is randomized using source and destination addresses, and an MD5 hash mix randomly seeded using the destination port.
fully-random When used, port mappings are generated based on a 32-bit pseudo-random algorithm.

Use of NAT statements

#A table suitable for all other examples/Create a chain setting
add table nat
add chain nat prerouting { type nat hook prerouting priority 0; }
add chain nat postrouting { type nat hook postrouting priority 100; }

#Address 1 the source address of all packets sent via eth0.2.3.Convert to 4
add rule nat postrouting oif eth0 snat to 1.2.3.4

#Destination address 192 for all traffic coming in via eth0.168.1.Redirect to 120
add rule nat prerouting iif eth0 dnat to 192.168.1.120

#Translate the source address of all packets sent via eth0 to anything
#Locally generated packets are used as a source to reach the same destination
add rule nat postrouting oif eth0 masquerade

#Redirect incoming TCP traffic on port 22 to port 2222
add rule nat prerouting tcp dport 22 redirect to :2222

Flow offload statement

The flow offload statement allows you to select a flow that speeds up the transfer over the Layer 3 network stack bypass. You must specify the name of the flow table to offload this flow.

flow offload @flowtable

Queue statement

This statement uses the nfnetlink_queue handler to pass the packet to user space. Packets are queued, identified by a 16-bit queue number. Userspace can inspect and modify packets as needed. Userspace then needs to drop or reinject the packet from the kernel. See the libnetfilter_queue documentation for more information.

queue [num queue_number] [bypass]
queue [num queue_number_from - queue_number_to] [bypass,fanout]

Queue statement value

value Description type
queue_number Set the queue number. The default is 0. Unsigned integer(16 bit)
queue_number_from If fanout is used, set the initial queue within the range. Unsigned integer(16 bit)
queue_number_to If fanout is used, set the end queue within the range. Unsigned integer(16 bit)

Queue statement flag

flag Description
bypass Pass packets if the userspace application cannot back off. Before using this flaglibnetfilter_queueRead the documentation at for performance tuning recommendations.
fanout Distribute packets among multiple queues.

DUP statement

The dup statement is used to duplicate a packet and send the copy to another destination.

dup to device
dup to address device device

Value of Dup statement

formula Description type
address Indicates that a copy of the packet should be sent to the new gateway. ipv4_addr, ipv6_addr. For exampleabcd::1234.. Or you can use mapping.ip saddr map {192.168.1.2:10.1.1.1}
device Indicates that a copy should be sent through the device. string

Example of using the dup statement


#IP address 10 with eth0.2.3.Send to 4 machines
ip filter forward dup to 10.2.3.4 device "eth0"

#Copy raw frame to another interface
netdetv ingress dup to "eth0"
dup to "eth0"

#Map to gateway Combine with dst addr
dup to ip daddr map { 192.168.7.1 : "eth0", 192.168.7.2 : "eth1" }

FWD statement

The fwd statement is used to redirect raw packets to another interface. It can only be used with the ingress hooks of the netdev family. Similar to a dup statement, except that no copy is made.

fwd to device

set statement

The set statement is used to dynamically add or update elements in the set from the packet path. set setname must already exist in the specified table. In addition, sets that are dynamically updated from the nftables ruleset must specify both a maximum set size (to prevent running out of memory) and a timeout (to prevent the number of entries in the set from growing indefinitely). .. The set statement creates, for example, a dynamic blacklist.

{add | update} @setname {expression [timeout timeout] [comment string]}

Simple blacklist example


#family"ip"Table"filter"Declare the set bound to. Timeout and size are required to add elements from the packet path.
nft add set ip filter blackhole "{type ipv4_addr; flags timeout; size 65536;}"

#Whitelist the internal interface.
nft add rule ip filter input meta iifname "internal" accept

#Discard packets from blacklisted IP addresses.
nft add rule ip filter input ip saddr @blackhole counter drop

#If there are more than 10 TCP connection requests per second, blacklist the source IP address.
#The entry times out after 1 minute. After that, if the restricted state continues, the entry may be added again.
nft add rule ip filter input tcp flags syn tcp dport ssh meter flood size 128000 {ip saddr timeout 10s limit rate over 10 / second} add @blackhole {ip saddr timeout 1m} drop

#Check the status of the rate limiting meter.
nft list meter ip filter flood

#Inspect the contents of a black hole:
nft list set ip filter blackhole

#Manually add the two addresses to the set:
nft add element filter blackhole { 10.2.3.4, 10.23.1.42 }

Additional commands

These are some of the additional commands included in nft.

monitor

You can use the monitor command to listen for Netlink events generated by the nf_tables subsystem related to the creation and deletion of objects. When an event occurs, nft prints the monitored event to standard output in either XML, JSON, or native nft format.

To filter events related to concrete objects, use the keywords tables, chains, sets, rules, ```elements, ruleset`` Or use.

Use the keywords new or destroy to filter events related to a specific action.

Press ^ C to end the monitoring operation.

#Listens for all events and outputs a report in native nft format
% nft monitor

#Listen to the added table and output the report in XML format
% nft monitor new tables xml

#Listens for deleted rules and outputs a report in JSON format
% nft monitor destroy rules json

#Waits for both new and destroyed chains in native nft format
% nft monitor chains

#Listens for ruleset events such as tables, chains, rules, sets, counters, quotas in native nft format
% nft monitor ruleset

Error report

When an error is detected, nft indicates the line containing the error, the location of the erroneous part in the input stream, and the caret (^) to mark the erroneous part. I will upload it. If the error is due to a combination of two expressions or statements, the part imposing the violating constraint is marked with a tilde (~).

For errors returned by the kernel nft cannot detect which part of the input is causing the error and the entire command is marked.

Error due to one incorrect expression


<cmdline>:1:19-22: Error: Interface does not exist
filter output oif eth0
                  ^^^^

Error due to invalid combination of two expressions


<cmdline>:1:28-36: Error: Right hand side of relational expression (==) must be constant
filter output tcp dport == tcp dport
                        ~~ ^^^^^^^^^

Error returned by kernel


<cmdline>:0:0-23: Error: Could not process rule: Operation not permitted
filter output oif wlan0
^^^^^^^^^^^^^^^^^^^^^^^

Exit status

If successful, nft exits with status 0. If an unspecified error occurs, it exits with status 1, status 2 is a memory allocation error, and status 3 if the Netlink socket cannot be opened.

Related item

There is an official wiki at https://wiki.nftables.org.

Recommended Posts

man nftables Japanese translation
man systemd Japanese translation
sosreport Japanese translation
streamlit explanation Japanese translation
streamlit tutorial Japanese translation
Dockerfile reference Japanese translation
docker-compose --help Japanese translation
docker help Japanese translation
docker build --help Japanese translation
Japanese translation of sysstat manual
Japanese translation of Linux manual
docker run --help Japanese translation
Biopython Tutorial and Cookbook Japanese translation (4.3)
Docker mysql quick reference Japanese translation
Japanese translation of the e2fsprogs manual
Compose file version 3 reference Japanese translation
Biopython Tutorial and Cookbook Japanese translation (4.1)
Biopython Tutorial and Cookbook Japanese translation (4.5)
Biopython Tutorial and Cookbook Japanese translation (4.8)
Biopython Tutorial and Cookbook Japanese translation (4.7)
Japanese translation of the man-db manual
Appropriate Japanese translation of pytorch tensor_tutorial
Biopython Tutorial and Cookbook Japanese translation (4.9)
Biopython Tutorial and Cookbook Japanese translation (4.6)
Japanese translation of the util-linux manual
Biopython Tutorial and Cookbook Japanese translation (4.2)
Biopython Tutorial and Cookbook Japanese translation (4.4)
Japanese translation of the iproute2 manual
Apache Spark Document Japanese Translation --Quick Start
Japanese translation of the LDP man-pages manual
[Google App Engine] User Objects (Japanese translation)
Getting started: 30 seconds to Keras Japanese translation
Biopython Tutorial and Cookbook Japanese translation (Chapter 1, 2)
Japanese translation: PEP 20 --The Zen of Python