author | Florian Westphal <fw@strlen.de> | 2018-07-06 20:54:20 +0200 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2018-07-07 20:57:43 +0200 |
commit | c226486fe6aea2cdb980fb4f61a95c87e36199d3 (patch) | |
tree | 24147a6baf54bb03b3e858200dcc42d314b577be /doc | |
parent | 6b00b9537e181eaf630ecaf0d4e56905eb29d87c (diff) |
doc: describe dynamic flag and caveats for packet-path updates
This fails:
nft add table ip filter
nft add chain ip filter input '{' type filter hook input priority 0 ';' '}'
nft add set ip filter protocols '{' type inet_proto ';' '}'
nft add rule ip filter input iifname lo set add ip protocol @protocols
^^^^^^^^^^^^^^^^^^^
...as wrong set type gets chosen.
Describe dynamic flag and that sets should have both timeout and
max size set.
Signed-off-by: Florian Westphal <fw@strlen.de>
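The failing sequence above, rewritten as the ruleset the documented rules call for: the set carries the dynamic flag, a timeout and a size, and the same set statement then loads. This is an added example, not part of the commit or the nftables project; the file name and the 1h / 65535 values are arbitrary choices.

```nft
# Constructed ruleset for the sequence in the commit message.
# Apply with `nft -f dynamic-set.nft`; `nft -c -f dynamic-set.nft` only checks it.
table ip filter {
    set protocols {
        type inet_proto
        # 'dynamic' marks the set as updatable from the packet path; without it
        # the rule below is rejected because a non-dynamic set type is chosen.
        flags dynamic,timeout
        # Entries expire, so the set cannot grow indefinitely over time.
        timeout 1h
        # Hard cap on the element count, so a packet flood cannot exhaust memory.
        size 65535
    }

    chain input {
        type filter hook input priority 0; policy accept;
        # Set statement: record the protocol of every packet arriving on lo.
        iifname "lo" set add ip protocol @protocols
    }
}
```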
Diffstat (limited to 'doc')
-rw-r--r-- | doc/nft.xml | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/doc/nft.xml b/doc/nft.xml index 7e477314..190a8eec 100644 --- a/doc/nft.xml +++ b/doc/nft.xml @@ -1075,6 +1075,7 @@ table inet filter { </para> <para> Sets are elements containers of an user-defined data type, they are uniquely identified by an user-defined name and attached to tables. + Their behaviour can be tuned with the <literal>flags</literal> that can be specified at set creation time. </para> <variablelist> @@ -1082,7 +1083,8 @@ table inet filter { <term><option>add</option></term> <listitem> <para> - Add a new set in the specified table. + Add a new set in the specified table. See the <literal>Set specification</literal> table below + for more information about how to specify a sets properties. </para> </listitem> </varlistentry> @@ -1150,7 +1152,7 @@ table inet filter { <row> <entry>flags</entry> <entry>set flags</entry> - <entry>string: constant, interval, timeout</entry> + <entry>string: constant, dynamic, interval, timeout</entry> </row> <row> <entry>timeout</entry> @@ -5523,10 +5525,10 @@ dup to ip daddr map { 192.168.7.1 : "eth0", 192.168.7.2 : "eth1" } <title>Set statement</title> <para> The set statement is used to dynamically add or update elements in a set from the packet path. - The set <literal>setname</literal> must already exist in the given table. - Furthermore, any set that will be dynamically updated from the nftables ruleset must specify - both a maximum set size (to prevent memory exhaustion) and a timeout (so that number of entries in - set will not grow indefinitely). + The set <literal>setname</literal> must already exist in the given table and must have been + created with the <literal>dynamic</literal> flag. + Furthermore, these sets must specify both a maximum set size (to prevent memory exhaustion) and + a timeout (so that number of entries in set will not grow indefinitely). The set statement can be used to e.g. create dynamic blacklists. </para> <para> |
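Review bot: in the first hunk (@@ -1075), the added sentence reads awkwardly ("tuned with the <literal>flags</literal> that can be specified at set creation time"); suggest "Their behaviour can be tuned with the <literal>flags</literal> given at set creation time." so the relative clause does not dangle.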
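Review bot: in the second hunk (@@ -1082), "a sets properties" should be "a set's properties"; also consider naming the section heading it refers to rather than "the <literal>Set specification</literal> table below", since <literal> is used elsewhere in this file for keywords, not for cross-references.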
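Review bot: in the third hunk (@@ -1150), "dynamic" is added to the flags row but nothing in the table says what it does or that the set statement requires it; a reader creating a set from this table will hit the failure shown in the commit message before reaching the Set statement section. Suggest a short note in the entry ("dynamic: required for sets updated from the packet path, see Set statement") or a cross-reference.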
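Review bot: in the last hunk (@@ -5523), "so that number of entries in set will not grow indefinitely" needs articles: "so that the number of entries in the set will not grow indefinitely". The paragraph also states the dynamic flag as a "must" without saying what happens otherwise; since the commit message shows that adding the rule simply fails, one clause such as "adding the rule fails otherwise" would let users recognise the error.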