author | Florian Westphal <fw@strlen.de> | 2017-06-16 21:18:45 +0200 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2017-06-18 23:28:57 +0200 |
commit | fda79e96bcaa5fc927523b582bfc42c8ad22deca (patch) | |
tree | ac5060ff4c428e80a6b7e4bd430315a292e5ceb2 /doc | |
parent | 7e1ff143442c6c9428f2a1cdb7c751216407437c (diff) |
evaluate: reject meta nfproto outside of inet family
meta nfproto loads the hook family type of the current rule context
in the kernel, i.e. it will be NFPROTO_IPV6 for ip6 family,
NFPROTO_BRIDGE for bridge and so on.
The only case where this is useful is the inet pseudo family,
where this is useful to determine the real hook family
(NFPROTO_IPV4 or NFPROTO_IPV6).
In all other families 'meta nfproto' is either always true or false.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
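An added ruleset example, not part of this commit, showing the one context where `meta nfproto` carries information: an `inet` table whose hook sees both IPv4 and IPv6 packets. The table and chain names and the `lan0` interface are assumptions.

```nft
# Constructed example: 'meta nfproto' dispatches on the real hook family
# (NFPROTO_IPV4 or NFPROTO_IPV6) inside the inet pseudo family.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept

        # Meaningful here: the same chain is hooked for both families.
        meta nfproto ipv4 icmp type echo-request limit rate 10/second accept
        meta nfproto ipv6 icmpv6 type { echo-request, nd-neighbor-solicit,
                                        nd-neighbor-advert, nd-router-advert } accept

        # Family-specific policy in one table: SSH for IPv4 LAN clients only.
        meta nfproto ipv4 tcp dport 22 iif "lan0" accept
    }
}

# In a single-family table the match is a constant (always true for the
# table's own family, always false otherwise), so with this commit the
# evaluator rejects it instead of loading a rule that can never vary:
#
#   table ip6 filter {
#       chain input {
#           type filter hook input priority 0;
#           meta nfproto ipv6 accept    # rejected: ip6 table, not inet
#       }
#   }
```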
Diffstat (limited to 'doc')
-rw-r--r-- | doc/nft.xml | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/doc/nft.xml b/doc/nft.xml index d0d37396..e9ccd63c 100644 --- a/doc/nft.xml +++ b/doc/nft.xml @@ -478,7 +478,9 @@ filter input iif $int_ifs accept </simplelist>. The <literal>inet</literal> address family is a dummy family which is used to create - hybrid IPv4/IPv6 tables. + hybrid IPv4/IPv6 tables. The <literal>meta</literal> expression <literal>nfproto</literal> + keyword can be used to test which family (ipv4 or ipv6) context the packet is being processed in. + When no address family is specified, <literal>ip</literal> is used by default. </para> @@ -1907,6 +1909,11 @@ filter output icmpv6 type { echo-request, echo-reply } <entry>integer (32 bit)</entry> </row> <row> + <entry>nfproto</entry> + <entry>real hook protocol family, useful only in inet table</entry> + <entry>integer (32 bit)</entry> + </row> + <row> <entry>protocol</entry> <entry>Ethertype protocol value</entry> <entry>ether_type</entry> |
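Review bot: the new sentence in the first hunk (the `inet` address family paragraph) describes `nfproto` as usable "to test which family (ipv4 or ipv6) context the packet is being processed in" but does not say that this is the only family in which the keyword is accepted, which is the behavioural change this commit introduces in the evaluator. Suggest stating it explicitly, e.g. "The meta expression nfproto keyword tests the real address family (ipv4 or ipv6) of the packet; it is only valid in inet tables, since in any other family its value is constant."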
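Review bot: in the second hunk (the meta expression table), the description "real hook protocol family, useful only in inet table" understates the rule: per the commit title the evaluator now rejects `nfproto` outside the inet family, so "only valid in inet tables" would match the implemented behaviour. The type column gives "integer (32 bit)" while the first hunk documents the keyword as taking the symbolic values ipv4 and ipv6; consider naming those accepted values in the description so the two hunks agree on how the keyword is written in a rule.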