author | Florian Westphal <fw@strlen.de> | 2016-09-15 17:28:00 +0200 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2016-10-28 13:17:44 +0200 |
commit | 4a75ed32132d8e2292dd276f3ea7f4edec4f3d06 (patch) | |
tree | 1c095dc262a953ebb816d1770ccbdef1724e3e00 /doc | |
parent | dfd92948a0a88a9f245e71c1cfb63ae670e6e7c1 (diff) |
src: add fib expression
This adds the 'fib' expression which can be used to
obtain the output interface from the route table based on either
source or destination address of a packet.
This can be used to e.g. add reverse path filtering:
# drop if not coming from the same interface packet
# arrived on
# nft add rule x prerouting fib saddr . iif oif eq 0 drop
# accept only if from eth0
# nft add rule x prerouting fib saddr . iif oif eq "eth0" accept
# accept if from any valid interface
# nft add rule x prerouting fib saddr oif accept
Querying of address type is also supported. This can be used
to e.g. only accept packets to addresses configured in the same
interface:
# fib daddr . iif type local
It's also possible to use mark and verdict map, e.g.:
# nft add rule x prerouting meta mark set 0xdead fib daddr . mark type vmap {
blackhole : drop,
prohibit : drop,
unicast : accept
}
Signed-off-by: Florian Westphal <fw@strlen.de>
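The three uses described in the message, combined into one ruleset loadable with `nft -f`, as an added example that is not part of this commit. The table and chain names, the priority values, the policy table number 100 and the RFC 5737 prefixes are assumptions; the mark-based lookup only has an effect once the `ip rule` noted in the comments exists.

```nft
# Added example (not from the commit): ingress anti-spoofing policy built
# from the fib expression. Assumed names: table "filter", chains "rpf" and
# "local_in"; assumed priority -300 so the check runs before conntrack/NAT.
table ip filter {
    chain rpf {
        type filter hook prerouting priority -300; policy accept;

        # Strict reverse path filter: the route back to the source address
        # must leave via the interface the packet arrived on. An oif of 0
        # means the fib found no such route from that interface.
        fib saddr . iif oif eq 0 drop

        # Consult a dedicated policy table selected by packet mark.
        # Assumed setup outside nft (iproute2), constructed for this example:
        #   ip rule add fwmark 0xdead lookup 100
        #   ip route add blackhole 203.0.113.0/24 table 100
        #   ip route add prohibit 198.51.100.0/24 table 100
        meta mark set 0xdead fib daddr . mark type vmap {
            blackhole : drop,
            prohibit : drop,
            unicast : accept
        }
    }

    chain local_in {
        type filter hook input priority 0; policy accept;

        # Only accept locally delivered traffic whose destination address is
        # configured on the arrival interface (or is broadcast/multicast).
        fib daddr . iif type not { local, broadcast, multicast } drop
    }
}
```

The address-type check sits in the input hook rather than prerouting so that forwarded traffic on a router is not dropped by it.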
Diffstat (limited to 'doc')
-rw-r--r-- | doc/nft.xml | 75 |
1 files changed, 75 insertions, 0 deletions
diff --git a/doc/nft.xml b/doc/nft.xml index e6b98ae7..1ff70b07 100644 --- a/doc/nft.xml +++ b/doc/nft.xml 
@@ -1222,7 +1222,82 @@ filter output oif eth0 </example> </para> </refsect2> + <refsect2> + <title>fib expressions</title> + <para> + <cmdsynopsis> + <command>fib</command> + <group choice="req"> + <arg>saddr</arg> + <arg>daddr</arg> + <group choice="opt"> + <arg>mark</arg> + <arg>iif</arg> + <arg>oif</arg> + </group> + </group> + <group choice="req"> + <arg>oif</arg> + <arg>oifname</arg> + <arg>type</arg> + </group> + </cmdsynopsis> + </para> + <para> + A fib expression queries the fib (forwarding information base) + to obtain information such as the output interface index a particular address would use. The input is a tuple of elements that is used as input to the fib lookup + functions. + </para> + <para> + <table frame="all"> + <title>fib expression specific types</title> + <tgroup cols='3' align='left' colsep='1' rowsep='1'> + <colspec colname='c1'/> + <colspec colname='c2'/> + <colspec colname='c3'/> + <thead> + <row> + <entry>Keyword</entry> + <entry>Description</entry> + <entry>Type</entry> + </row> + </thead> + <tbody> + <row> + <entry>oif</entry> + <entry>Output interface index</entry> + <entry>integer (32 bit)</entry> + </row> + <row> + <entry>oifname</entry> + <entry>Output interface name</entry> + <entry>string</entry> + </row> + <row> + <entry>type</entry> + <entry>Address type</entry> + <entry>fib_addrtype</entry> + </row> + </tbody> + </tgroup> + </table> + </para> + <para> + <example> + <title>Using fib expressions</title> + <programlisting> +# drop packets without a reverse path +filter prerouting fib saddr . iif oif eq 0 drop +# drop packets to address not configured on ininterface +filter input fib daddr . iif type not { local, broadcast, multicast } drop + +# perform lookup in a specific 'blackhole' table (0xdead, needs ip appropriate ip rule) +filter prerouting meta mark set 0xdead fib daddr . 
mark type vmap { backhole : drop, prohibit : jump prohibited, unreachable : drop } + </programlisting> + </example> + </para> + </refsect2> <refsect2> <title>Routing expressions</title> <para> |
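Review bot: the vmap in the last programlisting example reads `backhole : drop`, which is not a value used anywhere else on the page; the commit message and the earlier examples use `blackhole`, so this looks like a typo that would leave the documented example failing to match the intended address type. The comments in the same listing also need `ininterface` corrected to `interface` and `needs ip appropriate ip rule` reduced to `needs an appropriate ip rule`. Two smaller points: the type table only names `fib_addrtype` without listing its values, although `local`, `broadcast`, `multicast`, `blackhole`, `prohibit`, `unreachable` and `unicast` are all used in the examples, so a short enumeration in the Type column or below the table would help; and the cmdsynopsis does not show the ` . ` separator, so it reads as if `saddr`, `daddr` and the optional `mark`, `iif`, `oif` were alternatives rather than concatenated elements of the lookup tuple.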