Diffstat (limited to 'doc')
-rw-r--r--  doc/nft.xml  94
1 files changed, 85 insertions, 9 deletions
diff --git a/doc/nft.xml b/doc/nft.xml
index c9eb48cf..0e795e3c 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -626,20 +626,26 @@ filter input iif $int_ifs accept
<title>Chains</title>
<para>
<cmdsynopsis>
- <arg choice="req">add</arg>
+ <group choice="req">
+ <arg>add</arg>
+ <arg>create</arg>
+ </group>
<command>chain</command>
<arg choice="opt"><replaceable>family</replaceable></arg>
- <arg choice="req"><replaceable>table</replaceable></arg>
- <arg choice="req"><replaceable>chain</replaceable></arg>
- <arg choice="req"><replaceable>hook</replaceable></arg>
- <arg choice="req"><replaceable>priority</replaceable></arg>
- <arg choice="req"><replaceable>policy</replaceable></arg>
- <arg choice="req"><replaceable>device</replaceable></arg>
+ <arg choice="plain"><replaceable>table</replaceable></arg>
+ <arg choice="plain"><replaceable>chain</replaceable></arg>
+ <arg choice="opt">
+ <arg choice="req">
+ <arg choice="req"><replaceable>type</replaceable></arg>
+ <arg choice="req"><replaceable>hook</replaceable></arg>
+ <arg choice="opt"><replaceable>device</replaceable></arg>
+ <arg choice="req"><replaceable>priority</replaceable></arg>
+ </arg>
+ <arg choice="opt"><replaceable>policy</replaceable></arg>
+ </arg>
</cmdsynopsis>
<cmdsynopsis>
<group choice="req">
- <arg>add</arg>
- <arg>create</arg>
<arg>delete</arg>
<arg>list</arg>
<arg>flush</arg>
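Review bot: `create` is added as an alternative verb next to `add` (lines `+ <arg>add</arg>` / `+ <arg>create</arg>`), but nothing in this hunk tells the reader how the two differ, so the rendered synopsis shows two verbs with no stated distinction; a short sentence in the chain description explaining when to use `create` instead of `add` would close that gap. The nesting itself looks right: placing the `type`/`hook`/`device`/`priority` group and the optional `policy` inside one outer `<arg choice="opt">` makes `policy` available only together with the base-chain specification, which agrees with the text added later in this patch.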
@@ -720,6 +726,76 @@ filter input iif $int_ifs accept
</listitem>
</varlistentry>
</variablelist>
+
+ <para>
+ For base chains, <command>type</command>, <command>hook</command> and <command>priority</command> parameters are mandatory.
+ </para>
+ <para>
+ <table frame="all">
+ <title>Supported chain types</title>
+ <tgroup cols="4" align="left" colsep="1" rowsep="1">
+ <colspec colname="c1"/>
+ <colspec colname="c2"/>
+ <colspec colname="c3"/>
+ <colspec colname="c4"/>
+ <thead>
+ <row>
+ <entry>Type</entry>
+ <entry>Families</entry>
+ <entry>Hooks</entry>
+ <entry>Description</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>filter</entry>
+ <entry>all</entry>
+ <entry>all</entry>
+ <entry>Standard chain type to use in doubt.</entry>
+ </row>
+ <row>
+ <entry>nat</entry>
+ <entry>ip, ip6</entry>
+ <entry>prerouting, input, output, postrouting</entry>
+ <entry>Chains of this type perform Native Address Translation based on conntrack entries. Only the first packet of a connection actually traverses this chain - its rules usually define details of the created conntrack entry (NAT statements for instance).</entry>
+ </row>
+ <row>
+ <entry>route</entry>
+ <entry>ip, ip6</entry>
+ <entry>output</entry>
+ <entry>If a packet has traversed a chain of this
+ type and is about to be accepted, a new route
+ lookup is performed if relevant parts of the IP
+ header have changed. This allows to e.g.
+ implement policy routing selectors in
+ nftables.</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ </para>
+ <para>
+ Apart from the special cases illustrated above (e.g. <literal>nat</literal> type not supporting <literal>forward</literal> hook or <literal>route</literal> type only supporting <literal>output</literal> hook), there are two further quirks worth noticing:
+ <itemizedlist>
+ <listitem>
+ <literal>netdev</literal> family supports merely a single
+ combination, namely <literal>filter</literal> type and
+ <literal>ingress</literal> hook. Base chains in this family also require the <literal>device</literal> parameter to be present since they exist per incoming interface only.
+ </listitem>
+ <listitem>
+ <literal>arp</literal> family supports only
+ <literal>input</literal> and <literal>output</literal>
+ hooks, both in chains of type
+ <literal>filter</literal>.
+ </listitem>
+ </itemizedlist>
+ </para>
+ <para>
+ The <literal>priority</literal> parameter accepts a signed integer value which specifies the order in which chains with same <literal>hook</literal> value are traversed. The ordering is ascending, i.e. lower priority values have precedence over higher ones.
+ </para>
+ <para>
+ Base chains also allow to set the chain's <literal>policy</literal>, i.e. what happens to packets not explicitly accepted or refused in contained rules. Supported policy values are <literal>accept</literal> (which is the default) or <literal>drop</literal>.
+ </para>
</refsect1>
<refsect1>
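Review bot: the `nat` row's description says "Native Address Translation"; it should read "Network Address Translation". Two structural points in the same hunk: the two `<listitem>` elements carry bare text, whereas DocBook expects block content such as `<para>` inside a `<listitem>`, so each item's text should be wrapped in `<para>` to keep the document valid; and the `<table>` is placed inside a `<para>` that holds nothing else (`+ <para>` followed by `+ <table frame="all">`), so dropping that wrapper and letting the table stand on its own would be cleaner. Wording nits: "Standard chain type to use in doubt." reads better as "Standard chain type to use when in doubt."; "This allows to e.g. implement policy routing selectors" should be "This allows one to implement e.g. policy routing selectors"; and "Base chains also allow to set the chain's policy" should be "Base chains also allow setting the chain's policy".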