author Florian Westphal <> 2020-06-22 10:24:57 +0200
committer Florian Westphal <> 2020-06-25 20:53:40 +0200
commit fb1486439b6d62cad104b83ecd04ec1a54fc9cae
parent f16fbe76f62dcb9f7395d1837ad2d056463ba55f
doc: revisit meta/rt primary expressions and ct statement
Clarify meta/rt ipsec examples and document that 'ct helper set' needs to be used *after* conntrack lookup.

Signed-off-by: Florian Westphal <>
2 files changed, 12 insertions, 4 deletions
diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index 48a7609d..a9c39cbb 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -123,7 +123,7 @@ integer (32 bit)
pseudo-random number|
integer (32 bit)
+true if packet was ipsec encrypted |
boolean (1 bit)
Input interface kind |
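Review bot: the new description "true if packet was ipsec encrypted" is narrower than what this same patch documents for the example rule ("incoming packet was subject to ipsec processing"); a packet matched by `meta ipsec` in prerouting has already been through ipsec input processing, so "encrypted" is misleading. Suggest wording the table entry to match the example, e.g. "true if incoming packet was subject to ipsec processing", which also makes the incoming/outgoing split against the `rt ipsec` expression explicit.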
@@ -162,7 +162,7 @@ Device group (32 bit number). Can be specified numerically or as symbolic name d
Packet type: *host* (addressed to local host), *broadcast* (to all),
*multicast* (to group), *other* (addressed to another host).
-Interface kind (16 byte string). Does not have to exist.
+Interface kind (16 byte string). See TYPES in ip-link(8) for a list.
Either an integer or a date in ISO format. For example: "2019-06-06 17:00".
Hour and seconds are optional and can be omitted if desired. If omitted,
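Review bot: replacing "Does not have to exist." with the ip-link(8) pointer drops the one statement telling readers that the kind is compared as a plain 16 byte string and need not correspond to any device present on the system; keep both, e.g. "Interface kind (16 byte string). Does not have to exist; see TYPES in ip-link(8) for a list."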
@@ -183,11 +183,12 @@ For example, 17:00 and 17:00:00 would be equivalent.
# qualified meta expression
filter output meta oif eth0
+filter forward meta iifkind { "tun", "veth" }
# unqualified meta expression
filter output oif eth0
-# packet was subject to ipsec processing
+# incoming packet was subject to ipsec processing
raw prerouting meta ipsec exists accept
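Review bot: the new `meta iifkind { "tun", "veth" }` line is the only example in this block without an explanatory comment, while the ipsec rule directly below had its comment reworded in the same hunk; add a one-line comment such as "# match on interface kind, not name" so the string set is not mistaken for a set of interface names. The "incoming" qualifier on the ipsec comment is the right one for a `raw prerouting` rule.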
@@ -362,13 +363,15 @@ Routing Realm (32 bit number). Can be specified numerically or as symbolic name
# IP family independent rt expression
filter output rt classid 10
-filter output rt ipsec missing
# IP family dependent rt expressions
ip filter output rt nexthop
ip6 filter output rt nexthop fd00::1
inet filter output rt ip nexthop
inet filter output rt ip6 nexthop fd00::1
+# outgoing packet will be encapsulated/encrypted by ipsec
+filter output rt ipsec exists
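Review bot: after this hunk `filter output rt ipsec exists` sits below the "# IP family dependent rt expressions" header, although the removed `rt ipsec missing` line lived under "# IP family independent rt expression" and the expression is still family independent; move the two added lines up to follow `filter output rt classid 10` so the grouping stays accurate. Since the example switches from `missing` to `exists`, the comment could also mention that `rt ipsec missing` matches the complementary case.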
diff --git a/doc/statements.txt b/doc/statements.txt
index 607aee13..9155f286 100644
--- a/doc/statements.txt
+++ b/doc/statements.txt
@@ -218,6 +218,11 @@ has to be assigned before a conntrack lookup takes place, i.e. this has to be
done in prerouting and possibly output (if locally generated packets need to be
placed in a distinct zone), with a hook priority of -300.
+Unlike iptables, where the helper assignment happens in the raw table,
+the helper needs to be assigned after a conntrack entry has been
+found, i.e. it will not work when used with hook priorities equal or before
.Conntrack statement types
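Review bot: the added paragraph is incomplete as shown ("... hook priorities equal or before") and never names the statement it describes; the surrounding context only discusses zone assignment, so "the helper" has no antecedent. Suggest opening with the statement name and stating the threshold explicitly, e.g. "Unlike iptables, where helper assignment happens in the raw table, *ct helper set* needs to be used after the conntrack lookup, i.e. it will not work in chains whose hook priority is equal to or lower than the conntrack hook's." The paragraph above uses -300 for zone assignment precisely because that runs before conntrack; the new text should make the opposite requirement for helpers just as concrete.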