author | Florian Westphal <fw@strlen.de> | 2018-02-28 15:32:11 +0100 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2018-02-28 17:02:40 +0100 |
commit | f5ce1df94b01911b5d32111a5ca576b812148145 (patch) | |
tree | 6f15f5e41f113f43a086f577b9c779bf1e540db1 | |
parent | a47130611ce32678cf46722188910a4c9f2914f8 (diff) |
doc: add example for rule add/delete
also mention that 'ip' is used when the family gets omitted.
Signed-off-by: Florian Westphal <fw@strlen.de>
-rw-r--r-- | doc/nft.xml | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/doc/nft.xml b/doc/nft.xml index b6b5506c..245f19e4 100644 --- a/doc/nft.xml +++ b/doc/nft.xml @@ -823,6 +823,9 @@ filter input iif $int_ifs accept </cmdsynopsis> </para> <para> + Rules are added to <literal>chain</literal> in the given <literal>table</literal>. + If the <literal>family</literal> is not specified, the <literal>ip</literal> family + is used. Rules are constructed from two kinds of components according to a set of grammatical rules: expressions and statements. </para> @@ -864,6 +867,30 @@ filter input iif $int_ifs accept </listitem> </varlistentry> </variablelist> + + <example> + <title>add a rule to ip table input chain</title> + <programlisting> +nft add rule filter output ip daddr 192.168.0.0/24 accept # 'ip filter' is assumed +# same command, slightly more verbose +nft add rule ip filter output ip daddr 192.168.0.0/24 accept + + </programlisting> + </example> + <example> + <title>delete rule from inet table</title> + <programlisting> +# nft -a list ruleset +table inet filter { + chain input { + type filter hook input priority 0; policy accept; + ct state established,related accept # handle 4 + ip saddr 10.1.1.1 tcp dport ssh accept # handle 5 + ... +# delete the rule with handle 5 +# nft delete rule inet filter input handle 5 + </programlisting> + </example> </refsect1> <refsect1> |
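Review bot: in the first hunk the added sentence "Rules are added to <literal>chain</literal> in the given <literal>table</literal>." is missing an article before chain; "Rules are added to the given <literal>chain</literal> in the given <literal>table</literal>." reads naturally and matches the wording used for table. The second added sentence about the <literal>ip</literal> default is the useful part of this change and is consistent with the "# 'ip filter' is assumed" comment in the example further down, so keep the two in sync if either is reworded.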
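Review bot: in the second hunk the first example's <title> says "add a rule to ip table input chain", but both commands add to the output chain (`nft add rule filter output ip daddr 192.168.0.0/24 accept`); either change the title to "output chain" or change the commands to `input` so the title and the listing agree. The two listings also use `#` inconsistently: in the first it is a comment marker ("# 'ip filter' is assumed"), in the second it is the root shell prompt ("# nft -a list ruleset", "# nft delete rule inet filter input handle 5") as well as a comment marker ("# handle 5", "# delete the rule with handle 5"); pick one convention, for example drop the prompt and keep `#` for comments only. Lastly, the blank line before </programlisting> in the first example renders as trailing whitespace in the output and can be removed.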