author Phil Sutter <phil@nwl.cc> 2017-03-11 14:31:41 +0100
committer Pablo Neira Ayuso <pablo@netfilter.org> 2017-03-13 12:13:50 +0100
commit 70c0d26675194ba66cb3c3d5c6af5bdbdf8504f1 (patch)
tree 1d17d596a5e577f197f08a39e08ab066227c7827 /doc
parent cd903c123c25b3687140c38f639677bbdbbcab73 (diff)
doc: Document boolean type and applications
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'doc')
-rw-r--r-- doc/nft.xml 134
1 files changed, 134 insertions, 0 deletions
diff --git a/doc/nft.xml b/doc/nft.xml
index 990b9368..de86d2a1 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -1329,6 +1329,110 @@ filter output ip6 daddr ::1
</programlisting>
</example>
</refsect2>
+
+ <refsect2>
+ <title>Boolean type</title>
+ <para>
+ <table frame="all">
+ <tgroup cols='4' align='left' colsep='1' rowsep='1'>
+ <colspec colname='c1'/>
+ <colspec colname='c2'/>
+ <colspec colname='c3'/>
+ <colspec colname='c4'/>
+ <thead>
+ <row>
+ <entry>Name</entry>
+ <entry>Keyword</entry>
+ <entry>Size</entry>
+ <entry>Base type</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>Boolean</entry>
+ <entry>boolean</entry>
+ <entry>1 bit</entry>
+ <entry>integer</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ </para>
+ <para>
+ The boolean type is a syntactical helper type in user space.
+ It's use is in the right-hand side of a (typically implicit)
+ relational expression to change the expression on the left-hand
+ side into a boolean check (usually for existence).
+ </para>
+ <para>
+ The following keywords will automatically resolve into a boolean
+ type with given value:
+ <table frame="all">
+ <tgroup cols='2' align='left' colsep='1' rowsep='1'>
+ <colspec colname='c1'/>
+ <colspec colname='c2'/>
+ <thead>
+ <row>
+ <entry>Keyword</entry>
+ <entry>Value</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>exists</entry>
+ <entry>1</entry>
+ </row>
+ <row>
+ <entry>missing</entry>
+ <entry>0</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ </para>
+ <example>
+ <title>Boolean specification</title>
+ <para>
+ The following expressions support a boolean comparison:
+ <table frame="all">
+ <tgroup cols='2' align='left' colsep='1' rowsep='1'>
+ <colspec colname='c1'/>
+ <colspec colname='c2'/>
+ <thead>
+ <row>
+ <entry>Expression</entry>
+ <entry>Behaviour</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>fib</entry>
+ <entry>Check route existence.</entry>
+ </row>
+ <row>
+ <entry>exthdr</entry>
+ <entry>Check IPv6 extension header existence.</entry>
+ </row>
+ <row>
+ <entry>tcp option</entry>
+ <entry>Check TCP option header existence.</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ </para>
+ <programlisting>
+# match if route exists
+filter input fib iif saddr exists
+
+# match only non-fragmented packets in IPv6 traffic
+filter input exthdr frag missing
+
+# match if TCP timestamp option is present
+filter input tcp option timestamp exists
+ </programlisting>
+ </example>
+ </refsect2>
</refsect1>
<refsect1>
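Review bot: In the first descriptive paragraph of the new "Boolean type" section, "It's use is in the right-hand side" should read "Its use is on the right-hand side". The three added tables also carry no <title>, unlike the existing "IPv6 extension headers" table further down in the file; either give them titles or switch them to informaltable. The table of expressions that support a boolean comparison is reference material rather than an example, so it would sit better outside the <example> element, leaving only the programlisting inside it.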
@@ -2536,6 +2640,36 @@ inet filter meta nfproto ipv6 output rt nexthop fd00::1
<arg choice="none"><replaceable>tcp_option_field</replaceable></arg>
</cmdsynopsis>
<para>
+ The following syntaxes are valid only in a relational expression
+ with boolean type on right-hand side for checking header existence only:
+ </para>
+ <cmdsynopsis>
+ <command>exthdr</command>
+ <group choice="req">
+ <arg>hbh</arg>
+ <arg>frag</arg>
+ <arg>rt</arg>
+ <arg>dst</arg>
+ <arg>mh</arg>
+ </group>
+ </cmdsynopsis>
+ <cmdsynopsis>
+ <command>tcp option</command>
+ <group choice="req">
+ <arg>eol</arg>
+ <arg>noop</arg>
+ <arg>maxseg</arg>
+ <arg>window</arg>
+ <arg>sack-permitted</arg>
+ <arg>sack</arg>
+ <arg>sack0</arg>
+ <arg>sack1</arg>
+ <arg>sack2</arg>
+ <arg>sack3</arg>
+ <arg>timestamp</arg>
+ </group>
+ </cmdsynopsis>
+ <para>
<table frame="all">
<title>IPv6 extension headers</title>
<tgroup cols='2' align='left' colsep='1' rowsep='1'>
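Review bot: The sentence added at the top of this hunk uses "only" twice ("valid only in a relational expression ... for checking header existence only") and drops the articles in "with boolean type on right-hand side". Suggested wording: "The following syntaxes are valid only in a relational expression with a boolean type on the right-hand side, which checks for header existence." The paragraph also never names the exists and missing keywords, so a reference to the new "Boolean type" section would help a reader who lands here first.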