diff options
| author | Florian Westphal <fw@strlen.de> | 2017-12-01 13:40:21 +0100 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2018-01-16 15:57:22 +0100 |
| commit | 49f6e9a846c6c8325b95debe04d5ebc3c01246fb (patch) | |
| tree | 4de70952424cf45846cc67287967fca823edc0c9 /doc | |
| parent | 1dbd13c97e300dcaf6581bc7b0b0f23cc74c6645 (diff) | |
meta: add secpath support
This can be used to check if a packet has a secpath attached to it, i.e.
was subject to ipsec processing. Example:
add rule inet raw prerouting meta secpath exists accept
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/nft.xml | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/doc/nft.xml b/doc/nft.xml index cbb3b802..e515b110 100644 --- a/doc/nft.xml +++ b/doc/nft.xml @@ -2504,6 +2504,7 @@ filter output icmpv6 type { echo-request, echo-reply } <arg>oifgroup</arg> <arg>cgroup</arg> <arg>random</arg> + <arg>secpath</arg> </group> </cmdsynopsis> </para> @@ -2641,6 +2642,12 @@ filter output icmpv6 type { echo-request, echo-reply } <entry>pseudo-random number</entry> <entry>integer (32 bits)</entry> </row> + <row> + <entry>secpath</entry> + <entry>boolean</entry> + <entry>boolean (1 bit)</entry> + </row> + </tbody> </tgroup> </table> @@ -2725,6 +2732,9 @@ filter output meta oif eth0 # unqualified meta expression filter output oif eth0 + +# packed was subject to ipsec processing +raw prerouting meta secpath exists accept </programlisting> </example> </para> |