diff options
| author | Florian Westphal <fw@strlen.de> | 2017-09-29 13:55:54 +0200 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2017-09-29 13:55:54 +0200 |
| commit | 54a0c5dc0f4db879ad2f44fc77bcd2568719be42 (patch) | |
| tree | 5d5e17e0fca1c3cdd9fd582f17273705f8d6555f /doc/nft.xml | |
| parent | 28180991740e6942adfb12650ff2472d73e89387 (diff) | |
| parent | 26589362c1a3a7c3f0fdb5e70e831bcb4077b0d1 (diff) | |
Merge branch 'ct_rt_syntax_06'
inet family (and others, e.g. bridge) lack context to figure out the
layer 3 address type.
examples:
ct original saddr $addr
rt nexthop $addr
We can't use $addr, because it might be a set reference, e.g.
ct original saddr @whitelist
currently implemented workaround is to use 'meta nfproto' to provide the
l3 context, e.g.
meta nfproto ip rt nexthop 10.2.3.4
i.e. users need to fill dependency manually.
Pablo suggested to instead specify ip saddr, ip6 saddr:
ct original ip saddr $address
and then let nft handle the dependency injection, these changes do this.
Old syntax is preserved.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'doc/nft.xml')
| -rw-r--r-- | doc/nft.xml | 23 |
1 files changed, 18 insertions, 5 deletions
diff --git a/doc/nft.xml b/doc/nft.xml index 9d97a782..c0f42ddc 100644 --- a/doc/nft.xml +++ b/doc/nft.xml @@ -608,7 +608,6 @@ filter input iif $int_ifs accept hybrid IPv4/IPv6 tables. The <literal>meta</literal> expression <literal>nfproto</literal> keyword can be used to test which family (ipv4 or ipv6) context the packet is being processed in. - When no address family is specified, <literal>ip</literal> is used by default. </para> @@ -2905,8 +2904,8 @@ filter output rt classid 10 # IP family dependent rt expressions ip filter output rt nexthop 192.168.0.1 ip6 filter output rt nexthop fd00::1 -inet filter meta nfproto ipv4 output rt nexthop 192.168.0.1 -inet filter meta nfproto ipv6 output rt nexthop fd00::1 +inet filter output rt ip nexthop 192.168.0.1 +inet filter output rt ip6 nexthop fd00::1 </programlisting> </example> </para> @@ -4025,8 +4024,6 @@ ip6 filter input frag more-fragments 1 counter <group choice="req"> <arg>l3proto</arg> <arg>protocol</arg> - <arg>saddr</arg> - <arg>daddr</arg> <arg>proto-src</arg> <arg>proto-dst</arg> <arg>bytes</arg> @@ -4035,6 +4032,22 @@ ip6 filter input frag more-fragments 1 counter <arg>zone</arg> </group> </cmdsynopsis> + <cmdsynopsis> + <command>ct</command> + <group choice="req"> + <arg>original</arg> + <arg>reply</arg> + </group> + <group choice="req"> + <arg>ip</arg> + <arg>ip6</arg> + </group> + <group choice="req"> + <arg>saddr</arg> + <arg>daddr</arg> + </group> + </cmdsynopsis> + </para> <para> <table frame="all"> |