-rw-r--r-- doc/data-types.txt 2
-rw-r--r-- doc/nft.txt 21
-rw-r--r-- doc/payload-expression.txt 40
-rw-r--r-- doc/primary-expression.txt 10
-rw-r--r-- doc/statements.txt 8
5 files changed, 40 insertions, 41 deletions
diff --git a/doc/data-types.txt b/doc/data-types.txt
index 8bbdd573..7a02a21a 100644
--- a/doc/data-types.txt
+++ b/doc/data-types.txt
@@ -24,7 +24,7 @@ variable |
integer
|===================
-The bitmask type (bitmask) is used for bitmasks.
+The bitmask type (*bitmask*) is used for bitmasks.
STRING TYPE
~~~~~~~~~~~~
diff --git a/doc/nft.txt b/doc/nft.txt
index 0f824a52..20ae54be 100644
--- a/doc/nft.txt
+++ b/doc/nft.txt
@@ -17,7 +17,7 @@ DESCRIPTION
-----------
nft is the command line tool used to set up, maintain and inspect packet
filtering and classification rules in the Linux kernel, in the nftables
-framework. The Linux kernel subsystem is known as nf_tables, and `nft' stands
+framework. The Linux kernel subsystem is known as nf_tables, and `nf' stands
for Netfilter.
OPTIONS
@@ -145,12 +145,12 @@ address family the kernel contains so called hooks at specific stages of the
packet processing paths, which invoke nftables if rules for these hooks exist.
[horizontal]
-ip:: IPv4 address family.
-ip6:: IPv6 address family.
-inet:: Internet (IPv4/IPv6) address family.
-arp:: ARP address family, handling IPv4 ARP packets.
-bridge:: Bridge address family, handling packets which traverse a bridge device.
-netdev:: Netdev address family, handling packets from ingress.
+*ip*:: IPv4 address family.
+*ip6*:: IPv6 address family.
+*inet*:: Internet (IPv4/IPv6) address family.
+*arp*:: ARP address family, handling IPv4 ARP packets.
+*bridge*:: Bridge address family, handling packets which traverse a bridge device.
+*netdev*:: Netdev address family, handling packets from ingress.
All nftables objects exist in address family specific namespaces, therefore all
identifiers include an address family. If an identifier is specified without an
@@ -232,7 +232,7 @@ no packet filtering will happen anymore, so the kernel accepts any valid packet
it receives.
*export*:: Print the ruleset in machine readable format. The mandatory 'format'
-parameter may be either *xml* or *json*.
+parameter may be either xml or json.
It is possible to limit *list* and *flush* to a specific address family only.
For a list of valid family names, see <<ADDRESS_FAMILIES>> above.
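Review bot: the changed line "parameter may be either xml or json." removes the bold from the two format values, while the rest of this patch adds bold to literal keywords (*ip*, *tcp*, *meta*, *monitor trace*). xml and json are literals typed after *export*, so keeping "*xml*" and "*json*" would match the convention the patch is otherwise establishing; if values are meant to be styled differently from keywords, say so in the commit message.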
@@ -360,7 +360,7 @@ RULES
replace *rule* ['family'] 'table' 'chain' handle 'handle' 'statement'...
delete *rule* ['family'] 'table' 'chain' handle 'handle'
-Rules are added to chain in the given table. If the family is not specified, the
+Rules are added to chains in the given table. If the family is not specified, the
ip family is used. Rules are constructed from two kinds of components according
to a set of grammatical rules: expressions and statements.
@@ -571,7 +571,6 @@ numbers etc. or data gathered from the packet during ruleset evaluation.
Expressions can be combined using binary, logical, relational and other types of
expressions to form complex or relational (match) expressions. They are also
used as arguments to certain types of operations, like NAT, packet marking etc.
-+
Each expression has a data type, which determines the size, parsing and
representation of symbolic values and type compatibility with other expressions.
@@ -717,7 +716,7 @@ filter output tcp dport == tcp dport
-----------------------------
<cmdline>:0:0-23: Error: Could not process rule: Operation not permitted
filter output oif wlan0
- ^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^^^^^^^
---------------------------------
EXIT STATUS
diff --git a/doc/payload-expression.txt b/doc/payload-expression.txt
index 8fc1c917..b67818b6 100644
--- a/doc/payload-expression.txt
+++ b/doc/payload-expression.txt
@@ -70,7 +70,7 @@ arp_op
IPV4 HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~
[verse]
-ip ['IPv4' 'header' 'field']
+*ip* ['IPv4' 'header' 'field']
.IPv4 header expression
[options="header"]
@@ -117,7 +117,7 @@ ipv4_addr
ICMP HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~
[verse]
-icmp ['ICMP' 'header' 'field']
+*icmp* ['ICMP' 'header' 'field']
.ICMP header expression
[options="header"]
@@ -131,7 +131,7 @@ ICMP code field |
integer (8 bit)
|checksum|
ICMP checksum field |
-integer (16 nit)
+integer (16 bit)
|id|
ID of echo request/response |
integer (16 bit)
@@ -143,19 +143,19 @@ gateway of redirects|
integer (32 bit)
|mtu|
MTU of path MTU discovery|
-integer (32 bit)
+integer (16 bit)
|============================
IPV6 HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~
[verse]
-ip6 ['IPv6' 'header' 'field']
+*ip6* ['IPv6' 'header' 'field']
-This expression refers to the ipv6 header fields. Caution when using ip6
-nexthdr, the value only refers to the next header, i.e. ip6 nexthdr tcp will
+This expression refers to the ipv6 header fields. Caution when using *ip6
+nexthdr*, the value only refers to the next header, i.e. *ip6 nexthdr tcp* will
only match if the ipv6 packet does not contain any extension headers. Packets
that are fragmented or e.g. contain a routing extension headers will not be
-matched. Please use meta l4proto if you wish to match the real transport header
+matched. Please use *meta l4proto* if you wish to match the real transport header
and ignore any additional extension headers instead.
.IPv6 header expression
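Review bot: the mtu row changes the documented width from "integer (32 bit)" to "integer (16 bit)", which is a content change rather than the markup cleanup the neighbouring hunks make; it should be mentioned in the commit message and checked against the field definition in the source. In the reworded ip6 paragraph of the same hunk, the bold span opens on one line and closes on the next ("*ip6" / "nexthdr*"), and the context still reads "contain a routing extension headers"; keeping the span on one line and fixing the grammar would make the caution about extension headers read cleanly in the rendered page.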
@@ -192,12 +192,12 @@ ipv6_addr
|=======================
*matching if first extension header indicates a fragment* +
-ip6 nexthdr ipv6-frag counter
+*ip6* nexthdr ipv6-frag counter
ICMPV6 HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~~~
[verse]
-icmpv6 ['ICMPv6' 'header' 'field']
+*icmpv6* ['ICMPv6' 'header' 'field']
.ICMPv6 header expression
[options="header"]
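Review bot: in the example line "*ip6* nexthdr ipv6-frag counter" only the first word is bolded, whereas the paragraph changed in the previous hunk bolds the whole expression ("*ip6 nexthdr tcp*"). An example rule is meant to be copied as a unit, so either leave it unstyled or bold the full expression; splitting one rule across two styles suggests that nexthdr and ipv6-frag are placeholders.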
@@ -232,14 +232,14 @@ integer (16 bit)
TCP HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~
[verse]
-tcp ['TCP' 'header' 'field']
+*tcp* ['TCP' 'header' 'field']
.TCP header expression
[options="header"]
|==================
|Keyword| Description| Type
|sport|
-source port|
+Source port|
inet_service
|dport|
Destination port|
@@ -258,12 +258,12 @@ Reserved area |
integer (4 bit)
|flags|
TCP flags|
-tcp_flags
+tcp_flag
|window|
Window|
integer (16 bit)
|checksum|
-checksum|
+Checksum|
integer (16 bit)
|urgptr|
Urgent pointer|
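Review bot: the flags row changes the type name from "tcp_flags" to "tcp_flag", which alters a documented identifier rather than formatting. Please confirm the new spelling matches the name used for this type in doc/data-types.txt and in the tool's own output, and note the rename in the commit message so it is not read as a typo fix.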
@@ -273,14 +273,14 @@ integer (16 bit)
UDP HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~
[verse]
-udp ['UDP' 'header' 'field']
+*udp* ['UDP' 'header' 'field']
.UDP header expression
[options="header"]
|==================
|Keyword| Description| Type
|sport|
-source port|
+Source port|
inet_service
|dport|
Destination port|
@@ -303,7 +303,7 @@ UDP-LITE HEADER EXPRESSION
|==================
|Keyword| Description| Type
|sport|
-source port|
+Source port|
inet_service
|dport|
Destination port|
@@ -323,7 +323,7 @@ SCTP HEADER EXPRESSION
|==================
|Keyword| Description| Type
|sport|
-source port|
+Source port|
inet_service
|dport|
Destination port|
@@ -346,7 +346,7 @@ DCCP HEADER EXPRESSION
|==================
|Keyword| Description| Type
|sport|
-source port|
+Source port|
inet_service
|dport|
Destination port|
@@ -604,7 +604,7 @@ integer (64 bit)
byte count seen, see description for *packets* keyword |
integer (64 bit)
|avgpkt|
-average bytes per packet, see description for packets keyword |
+average bytes per packet, see description for *packets* keyword |
integer (64 bit)
|zone|
conntrack zone |
diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index 13adfe38..4ca096d8 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -1,7 +1,7 @@
META EXPRESSIONS
~~~~~~~~~~~~~~~~
[verse]
-meta {length | nfproto | l4proto | protocol | priority}
+*meta* {length | nfproto | l4proto | protocol | priority}
[meta] {mark | iif | iifname | iiftype | oif | oifname | oiftype |
skuid | skgid | nftrace | rtclassid | ibrname | obrname | pkttype | cpu
| iifgroup | oifgroup | cgroup | random | secpath}
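Review bot: only the first synopsis line gets the bold keyword ("*meta* {length | nfproto | ..."); the second form, "[meta] {mark | iif | ...", is left as is, so the same keyword is styled two ways within one verse block. If the optional form should stay unbolded because of the brackets, a short comment would help; otherwise write it as "[*meta*]" for consistency.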
@@ -75,7 +75,7 @@ packet type|
pkt_type
|cpu|
cpu number processing the packet|
-integer (32 bits)
+integer (32 bit)
|iifgroup|
incoming device group|
devgroup
@@ -87,7 +87,7 @@ control group id |
integer (32 bit)
|random|
pseudo-random number|
-integer (32 bits)
+integer (32 bit)
|secpath|
boolean|
boolean (1 bit)
@@ -205,7 +205,7 @@ table inet x {
FIB EXPRESSIONS
~~~~~~~~~~~~~~~
[verse]
-fib {saddr | daddr | {mark | iif | oif}} {oif | oifname | type}
+*fib* {saddr | daddr | {mark | iif | oif}} {oif | oifname | type}
A fib expression queries the fib (forwarding information base) to obtain
information such as the output interface index a particular address would use.
@@ -242,7 +242,7 @@ filter prerouting meta mark set 0xdead fib daddr . mark type vmap { blackhole :
ROUTING EXPRESSIONS
~~~~~~~~~~~~~~~~~~~
[verse]
-rt {classid | nexthop}
+*rt* {classid | nexthop}
A routing expression refers to routing data associated with a packet.
diff --git a/doc/statements.txt b/doc/statements.txt
index 8a54a6b3..b8b7a607 100644
--- a/doc/statements.txt
+++ b/doc/statements.txt
@@ -89,7 +89,7 @@ string: emerg, alert, crit, err, warn [default], notice, info, debug
NFLOG group to send messages to|
unsigned integer (16 bit)
|snaplen|
-Length of packet payload to include in netlink messages |
+Length of packet payload to include in netlink message |
unsigned integer (32 bit)
|queue-threshold|
Number of packets to queue inside the kernel before sending them to userspace |
@@ -247,7 +247,7 @@ mark
packet type |
pkt_type
|nftrace |
-ruleset packet tracing on/off. Use monitor trace command to watch traces|
+ruleset packet tracing on/off. Use *monitor trace* command to watch traces|
0, 1
|==========================
@@ -320,7 +320,7 @@ expression key with address value. |
ipv4_addr, ipv6_addr, e.g. abcd::1234, or you can use a mapping, e.g. meta mark map { 10 : 192.168.1.2, 20 : 192.168.1.3 }
|port|
Specifies that the source/destination address of the packet should be modified. |
-port number (16 bits)
+port number (16 bit)
|===============================
.NAT statement flags
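Review bot: the port row touched here keeps the description "Specifies that the source/destination address of the packet should be modified.", which is the wording for an address, not a port. Since this hunk already edits the row's type cell ("port number (16 bit)"), the description should be corrected to refer to the source/destination port in the same change.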
@@ -475,7 +475,7 @@ destination.
|Expression | Description | Type
|address |
Specifies that the copy of the packet should be sent to a new gateway.|
-ipv4_addr, ipv6_addr, e.g. abcd::1234, or you can use a mapping. e.g. ip saddr map { 192.168.1.2 : 10.1.1.1 }
+ipv4_addr, ipv6_addr, e.g. abcd::1234, or you can use a mapping, e.g. ip saddr map { 192.168.1.2 : 10.1.1.1 }
|device |
Specifies that the copy should be transmitted via device. |
string