4. CLI Tool
The nbroker-cli CLI tool opens a ZMQ connection to the nbroker daemon and uses it to control the daemon. Running nbroker-cli gives you a prompt where you can issue commands in text format, with autocompletion.
$ nbroker-cli
tcp://127.0.0.1:5555>
The supported commands are listed below; for an up-to-date list, run the nbroker-cli help command:
- default port PORT pass|drop
- set port PORT match FILTER pass|drop|steer-to [PORT]
- delete port PORT filtering|steering match FILTER
- delete port PORT filtering|steering rule ID
- clear port PORT filtering|steering
- rules port PORT filtering|steering
- gc idle-for SECONDS
- help
- quit
In general, a command consists of an action (e.g. “set”) followed by parameters. Each parameter consists of an identifier (e.g. “match”) and a value (e.g. “shost 10.0.0.1”). Parameters can appear in any order; some are mandatory, others are optional.
Command examples:
- “default port ens9 pass” - set a pass all default
- “default port ens9 drop” - set a drop all default
- “default port 4 drop” - same as above, but using port index
- “set port ens9 match shost 10.0.0.1 drop” - set a rule to drop source host 10.0.0.1 traffic
- “set port ens9 match dport 80 steer-to enp1s0f1” - set a steering rule for traffic matching destination port 80
- “set port ens9 rule 1 match dport 80 steer-to enp1s0f1” - same as above, but with an explicit rule id; this may override an existing rule with that id
- “delete port ens9 filtering match shost 10.0.0.1” - delete a previously set filtering rule
- “delete port ens9 steering match dport 80” - delete a previously set steering rule
- “delete port ens9 steering rule 1” - delete a steering rule by using its id
- “clear port ens9 filtering” - delete all the filtering rules
- “rules port 1 filtering” - list all the active filtering rules
- “gc idle-for 60” - delete rules that were set more than 60 seconds ago
Syntax supported by the “match” option:
- “smac 11:22:33:44:55:66” - a source MAC
- “dmac 11:22:33:44:55:66” - a destination MAC
- “shost 10.0.0.1” - a single source host
- “dhost 10.0.0.1” - a single destination host
- “shost 10.0.0.0/24” - a group of source hosts specified by the network CIDR
- “shost 10.0.0.0 netmask 255.255.255.0” - same as above, explicit netmask
- “shost 2001:db8::2:1” - IPv6 addresses are supported
- “sport 80” - source port 80
- “dport 443” - destination port 443
- “sport portrang 1-1023” - any source port in the range 1-1023, where the device supports port ranges
- “vlan 1”
- “proto tcp” - L3 protocol by name
- “proto 6” - protocol by number
Multiple values can be specified in the match value to compose a logical AND filter.
Example:
- “set port ens9 match sport 80 dport 1234 drop” - set a rule to drop source port 80 and destination port 1234
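As an added illustration of the command grammar and match syntax described above (this is example code, not part of nbroker-cli or the nBroker project), the following Python parser tokenizes one command line, accepts parameters in any order, combines match keys into a single AND filter, validates the values locally and rejects commands whose mandatory parameters are missing. The field names of the returned dict and the assumption that “steer-to” is always followed by its target port are mine.

```python
import ipaddress
ACTIONS = {"default", "set", "delete", "clear", "rules", "gc", "help", "quit"}
MATCH_KEYS = {"smac", "dmac", "shost", "dhost", "sport", "dport", "vlan", "proto"}
# Mandatory parameters per action, as listed on this page (everything else is optional)
REQUIRED = {"default": {"port", "verdict"}, "set": {"port", "match", "verdict"}, "gc": {"idle-for"},
            "delete": {"port", "kind"}, "clear": {"port", "kind"}, "rules": {"port", "kind"}}

def _check_value(key, val):
    """Reject malformed match values locally instead of relying on the daemon's error code."""
    if key in ("shost", "dhost"):
        ipaddress.ip_network(val, strict=False)          # host, CIDR, "addr/netmask" or IPv6
    elif key in ("sport", "dport"):
        lo, _, hi = val.partition("-")                    # "80" or a range such as "1-1023"
        if not all(0 <= int(p) <= 65535 for p in (lo, hi or lo)):
            raise ValueError(f"{key} out of range: {val}")
    elif key in ("smac", "dmac") and len(bytes.fromhex(val.replace(":", ""))) != 6:
        raise ValueError(f"bad MAC: {val}")

def parse_command(line):
    """Parse one nbroker-cli line into a dict; parameters may appear in any order."""
    tok = line.split()
    if not tok or tok[0] not in ACTIONS:
        raise ValueError(f"unknown action in {line!r}")
    cmd, i = {"action": tok[0], "match": {}}, 1
    while i < len(tok):
        t = tok[i]
        if t == "match":                                  # "match k v [k v ...]", ANDed together
            i += 1
            while i + 1 < len(tok) and tok[i] in MATCH_KEYS:
                key, val = tok[i], tok[i + 1]
                if val == "portrang" and i + 2 < len(tok):        # "sport portrang 1-1023"
                    val, i = tok[i + 2], i + 1
                if i + 3 < len(tok) and tok[i + 2] == "netmask":  # "shost A netmask M"
                    val, i = f"{val}/{tok[i + 3]}", i + 2
                _check_value(key, val)
                cmd["match"][key], i = val, i + 2
        elif t in ("pass", "drop"):
            cmd["verdict"], i = t, i + 1
        elif t == "steer-to" and i + 1 < len(tok):        # assumption: the target port follows
            cmd["verdict"], cmd["steer_port"], i = t, tok[i + 1], i + 2
        elif t in ("filtering", "steering"):
            cmd["kind"], i = t, i + 1
        elif t in ("port", "rule", "idle-for") and i + 1 < len(tok):
            cmd[t], i = tok[i + 1], i + 2
        else:
            raise ValueError(f"unexpected token {t!r}")
    missing = REQUIRED.get(cmd["action"], set()) - {k for k, v in cmd.items() if v}
    if missing or (cmd["action"] == "delete" and not (cmd["match"] or "rule" in cmd)):
        raise ValueError(f"incomplete {cmd['action']} command: {line!r}")
    return cmd
```

Validating a line before sending it over ZMQ gives the operator a precise error instead of a bare status code from the daemon.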
When issuing a command, the output consists of a status code followed by an explanatory message. A few examples:
- 0 OK
- 4 Invalid device port
- 8 Error while setting the command on the device