Diffstat (limited to 'doc')
-rw-r--r-- doc/data-types.txt 6
-rw-r--r-- doc/libnftables-json.adoc 145
-rw-r--r-- doc/libnftables.adoc 10
-rw-r--r-- doc/nft.txt 30
-rw-r--r-- doc/primary-expression.txt 2
5 files changed, 97 insertions, 96 deletions
diff --git a/doc/data-types.txt b/doc/data-types.txt
index 5c132f86..90e19a8b 100644
--- a/doc/data-types.txt
+++ b/doc/data-types.txt
@@ -9,8 +9,8 @@ variable |
-
|===================
-The integer type is used for numeric values. It may be specified as decimal,
-hexadecimal or octal number. The integer type doesn't have a fixed size, its
+The integer type is used for numeric values. It may be specified as a decimal,
+hexadecimal or octal number. The integer type does not have a fixed size, its
size is determined by the expression for which it is used.
BITMASK TYPE
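Review bot: the rewritten sentence in the integer type paragraph is still a comma splice ("The integer type does not have a fixed size, its size is determined ..."). The maps hunk in doc/nft.txt splits the same construction into two sentences; do the same here, or join the clauses with a semicolon.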
@@ -39,7 +39,7 @@ variable |
The string type is used for character strings. A string begins with an
alphabetic character (a-zA-Z) followed by zero or more alphanumeric characters
-or the characters /, -, _ and .. In addition anything enclosed in double
+or the characters /, -, _ and .. In addition, anything enclosed in double
quotes (") is recognized as a string.
.String specification
diff --git a/doc/libnftables-json.adoc b/doc/libnftables-json.adoc
index c95ab320..dbe5ac33 100644
--- a/doc/libnftables-json.adoc
+++ b/doc/libnftables-json.adoc
@@ -28,14 +28,14 @@ libnftables-json - Supported JSON schema by libnftables
== DESCRIPTION
libnftables supports JSON formatted input and output. This is implemented as an
alternative frontend to the standard CLI syntax parser, therefore basic
-behaviour is identical and for (almost) any operation available in standard
-syntax there should be an equivalent one in JSON.
+behaviour is identical and, for (almost) any operation available in standard
+syntax, there should be an equivalent one in JSON.
JSON input may be provided in a single string as parameter to
*nft_run_cmd_from_buffer()* or in a file identified by the 'filename' parameter
-of *nft_run_cmd_from_filename()* function.
+of the *nft_run_cmd_from_filename()* function.
-JSON output has to be enabled via *nft_ctx_output_set_json()* function, turning
+JSON output has to be enabled via the *nft_ctx_output_set_json()* function, turning
library standard output into JSON format. Error output remains unaffected.
== GLOBAL STRUCTURE
@@ -44,12 +44,12 @@ property named 'nftables'. Its value is an array containing commands (for
input) or ruleset elements (for output).
A command is an object with a single property whose name identifies the command.
-Its value is a ruleset element - basically identical to output elements apart
+Its value is a ruleset element - basically identical to output elements, apart
from certain properties which may be interpreted differently or are required
when output generally omits them.
== METAINFO OBJECT
-In output, the first object in *nftables* array is a special one containing
+In output, the first object in an *nftables* array is a special one containing
library information. Its content is as follows:
[verse]
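Review bot: "the first object in an *nftables* array" in the METAINFO OBJECT paragraph should read "the *nftables* array". The GLOBAL STRUCTURE text describes a single property named 'nftables' whose value is that array, so the indefinite article wrongly suggests there can be several.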
@@ -60,10 +60,10 @@ library information. Its content is as follows:
*}}*
The values of *version* and *release_name* properties are equal to the package
-version and release name as printed by *nft -v*. The value of
+version and release name as printed by *nft -v*. The value of the
*json_schema_version* property is an integer indicating the schema version.
-If supplied in library input, the parser will verify *json_schema_version* value
+If supplied in library input, the parser will verify the *json_schema_version* value
to not exceed the internally hardcoded one (to make sure the given schema is
fully understood). In future, a lower number than the internal one may activate
compatibility mode to parse outdated and incompatible JSON input.
@@ -127,7 +127,7 @@ Add a new ruleset element to the kernel.
[verse]
*{ "replace":* 'RULE' *}*
-Replace a rule. In 'RULE', *handle* property is mandatory and identifies the
+Replace a rule. In 'RULE', the *handle* property is mandatory and identifies the
rule to be replaced.
=== CREATE
@@ -151,7 +151,7 @@ properties.
Delete an object from the ruleset. Only the minimal number of properties
required to uniquely identify an object is generally needed in 'ADD_OBJECT'. For
-most ruleset elements this is *family* and *table* plus either *handle* or
+most ruleset elements, this is *family* and *table* plus either *handle* or
*name* (except rules since they don't have a name).
=== LIST
@@ -213,7 +213,7 @@ This object describes a table.
*name*::
The table's name.
*handle*::
- The table's handle. In input, used only in *delete* command as
+ The table's handle. In input, it is used only in *delete* command as
alternative to *name*.
=== CHAIN
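Review bot: the new table *handle* text still lacks two articles: "it is used only in *delete* command as alternative to *name*". The set hunk later in this file writes "the *delete* command", so suggest "it is used only in the *delete* command as an alternative to *name*" here, and likewise for the identical wording in the chain *handle* entry.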
@@ -240,10 +240,10 @@ This object describes a chain.
*name*::
The chain's name.
*handle*::
- The chain's handle. In input, used only in *delete* command as
+ The chain's handle. In input, it is used only in *delete* command as
alternative to *name*.
*newname*::
- A new name for the chain, only relevant in *rename* command.
+ A new name for the chain, only relevant in the *rename* command.
The following properties are required for base chains:
@@ -254,7 +254,7 @@ The following properties are required for base chains:
*prio*::
The chain's priority.
*dev*::
- The chain's bound interface (if in netdev family).
+ The chain's bound interface (if in the netdev family).
*policy*::
The chain's policy.
@@ -274,8 +274,8 @@ ____
'STATEMENTS' := 'STATEMENT' [*,* 'STATEMENTS' ]
____
-This object describes a rule. Basic building blocks of rules are statements,
-each rule consists of at least a single one.
+This object describes a rule. Basic building blocks of rules are statements.
+Each rule consists of at least one.
*family*::
The table's family.
@@ -284,14 +284,14 @@ each rule consists of at least a single one.
*chain*::
The chain's name.
*expr*::
- An array of statements this rule consists of. In input, used in
+ An array of statements this rule consists of. In input, it is used in
*add*/*insert*/*replace* commands only.
*handle*::
- The rule's handle. In *delete*/*replace* commands, serves as identifier
- of the rule to delete/replace. In *add*/*insert* commands, serves as
- identifier of an existing rule to append/prepend the rule to.
+ The rule's handle. In *delete*/*replace* commands, it serves as an identifier
+ of the rule to delete/replace. In *add*/*insert* commands, it serves as
+ an identifier of an existing rule to append/prepend the rule to.
*index*::
- The rule's position for *add*/*insert* commands. Used as alternative to
+ The rule's position for *add*/*insert* commands. It is used as an alternative to
*handle* then.
*comment*::
Optional rule comment.
@@ -347,7 +347,7 @@ that they translate a unique key to a value.
*name*::
The set's name.
*handle*::
- The set's handle. For input, used in *delete* command only.
+ The set's handle. For input, it is used in the *delete* command only.
*type*::
The set's datatype, see below.
*map*::
@@ -452,7 +452,7 @@ This object represents a named counter.
*name*::
The counter's name.
*handle*::
- The counter's handle. In input, used for *delete* command only.
+ The counter's handle. In input, it is used by the *delete* command only.
*packets*::
Packet counter value.
*bytes*::
@@ -479,13 +479,13 @@ This object represents a named quota.
*name*::
The quota's name.
*handle*::
- The quota's handle. In input, used for *delete* command only.
+ The quota's handle. In input, it is used by the *delete* command only.
*bytes*::
Quota threshold.
*used*::
Quota used so far.
*inv*::
- If true, match if quota exceeded.
+ If true, match if the quota has been exceeded.
=== CT HELPER
[verse]
@@ -512,7 +512,7 @@ This object represents a named conntrack helper.
*name*::
The ct helper's name.
*handle*::
- The ct helper's handle. In input, used for *delete* command only.
+ The ct helper's handle. In input, it is used by the *delete* command only.
*type*::
The ct helper type name, e.g. *"ftp"* or *"tftp"*.
*protocol*::
@@ -547,7 +547,7 @@ This object represents a named limit.
*name*::
The limit's name.
*handle*::
- The limit's handle. In input, used for *delete* command only.
+ The limit's handle. In input, it is used by the *delete* command only.
*rate*::
The limit's rate value.
*per*::
@@ -586,19 +586,20 @@ This object represents a named conntrack timeout policy.
*name*::
The ct timeout object's name.
*handle*::
- The ct timeout object's handle. In input, used for *delete* command only.
+ The ct timeout object's handle. In input, it is used by *delete* command only.
*protocol*::
The ct timeout object's layer 4 protocol.
*state*::
- The connection state name, for which timeout value has to be updated, e.g. *"established"*, *"syn_sent"*, *"close"* or *"close_wait"*.
+ The connection state name, e.g. *"established"*, *"syn_sent"*, *"close"* or
+ *"close_wait"*, for which the timeout value has to be updated.
*value*::
- The updated timeout value for specified connection state.
+ The updated timeout value for the specified connection state.
*l3proto*::
The ct timeout object's layer 3 protocol, e.g. *"ip"* or *"ip6"*.
== STATEMENTS
-Statements are the building blocks for rules. Each rule consists of at least a
-single statement.
+Statements are the building blocks for rules. Each rule consists of at least
+one.
=== VERDICT
[verse]
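Review bot: the ct timeout *handle* line reads "it is used by *delete* command only", dropping the article that the counter, quota, ct helper and limit entries gain in this same patch ("by the *delete* command only"). Add "the" here. The preposition also drifts across the file ("in *delete* command" for tables and chains, "in the *delete* command" for sets, "by the *delete* command" for stateful objects); picking one form would help.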
@@ -622,9 +623,9 @@ delegates to a different one.
"op":* 'STRING'
*}}*
-Match expression on left hand side (typically a packet header or packet meta
-info) with expression on right hand side (typically a constant value). If the
-statement evaluates true, the next statement in this rule is considered. If not,
+This matches the expression on left hand side (typically a packet header or packet meta
+info) with the expression on right hand side (typically a constant value). If the
+statement evaluates to true, the next statement in this rule is considered. If not,
processing continues with the next rule in the same chain.
*left*::
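Review bot: "on left hand side" and "on right hand side" in the rewritten match description still miss the article, while the exthdr and TCP option hunks in this patch write "on the right hand side". Suggest "the expression on the left hand side ... with the expression on the right hand side".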
@@ -650,15 +651,15 @@ processing continues with the next rule in the same chain.
*>=*:: Greater than or equal to
*in*:: Perform a lookup, i.e. test if bits on RHS are contained in LHS value
-Unlike with standard API, the operator is mandatory here. In standard API,
-missing operator may be resolved in two ways depending on the type of expression
-on RHS:
+Unlike with the standard API, the operator is mandatory here. In the standard API,
+a missing operator may be resolved in two ways, depending on the type of expression
+on the RHS:
-- If RHS is a bitmask or a list of bitmasks, the expression resolves into a
- binary operation with not equal operator, like this: '+LHS & RHS != 0+'.
-- In any other case, equal operator is simply inserted.
+- If the RHS is a bitmask or a list of bitmasks, the expression resolves into a
+ binary operation with the inequality operator, like this: '+LHS & RHS != 0+'.
+- In any other case, the equality operator is simply inserted.
-For the non-trivial first case, JSON API supports *in* operator.
+For the non-trivial first case, the JSON API supports the *in* operator.
=== COUNTER
[verse]
@@ -671,7 +672,7 @@ ____
*{ "counter":* 'STRING' *}*
____
-This object represents a byte/packet counter. In Input, no properties are
+This object represents a byte/packet counter. In input, no properties are
required. If given, they act as initial values for the counter.
The first form creates an anonymous counter which lives in the rule it appears
@@ -689,10 +690,10 @@ in. The second form specifies a reference to a named counter object.
"value":* 'EXPRESSION'
*}}*
-Change packet data or meta info.
+This changes the packet data or meta info.
*key*::
- Packet data to be changed, given as *exthdr*, *payload*, *meta*, *ct* or
+ The packet data to be changed, given as an *exthdr*, *payload*, *meta*, *ct* or
*ct helper* expression.
*value*::
Value to change data to.
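Review bot: "This changes the packet data or meta info." switches the mangle description from the imperative to a declarative sentence, but the other statement descriptions touched in this patch stay imperative ("Enable the specified conntrack helper for this packet.", "Limit the number of connections using conntrack."). Keep one mood across statement descriptions; "Change the packet data or meta info." would match the rest. The same applies to "This matches ..." in the match hunk.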
@@ -756,7 +757,7 @@ The second form specifies a reference to a named limit object.
Unit of *burst*, ignored if *rate_unit* is *"packets"*. Defaults to
*"bytes"*.
*inv*::
- If *true*, matches if limit was exceeded. Defaults to *false*.
+ If *true*, matches if the limit was exceeded. Defaults to *false*.
=== FWD
[verse]
@@ -773,13 +774,13 @@ ____
Forward a packet to a different destination.
*dev*::
- Interface to forward packet to.
+ Interface to forward the packet on.
*family*::
Family of *addr*.
*addr*::
IP(v6) address to forward the packet to.
-Both *family* and *addr* are optional, but if given both need to be present.
+Both *family* and *addr* are optional, but if at least one is given, both must be present.
=== NOTRACK
[verse]
@@ -799,7 +800,7 @@ Duplicate a packet to a different destination.
*addr*::
Address to duplicate packet to.
*dev*::
- Interface to duplicate packet to. May be omitted to not specify an
+ Interface to duplicate packet on. May be omitted to not specify an
interface explicitly.
=== NETWORK ADDRESS TRANSLATION
@@ -918,7 +919,7 @@ All properties are optional.
[verse]
*{ "ct helper":* 'EXPRESSION' *}*
-Enable specified conntrack helper for this packet.
+Enable the specified conntrack helper for this packet.
*ct helper*::
CT helper reference.
@@ -931,7 +932,7 @@ Enable specified conntrack helper for this packet.
"stmt":* 'STATEMENT'
*}}*
-Apply given statement using a meter.
+Apply a given statement using a meter.
*name*::
Meter name.
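Review bot: "Apply a given statement using a meter." reads as if any statement were meant; the statement in question is the one supplied in the *stmt* property shown just above, so "Apply the given statement using a meter." is more accurate.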
@@ -981,7 +982,7 @@ Apply a verdict conditionally.
"inv":* 'BOOLEAN'
*}}*
-Limit number of connections using conntrack.
+Limit the number of connections using conntrack.
*val*::
Connection count threshold.
@@ -1003,12 +1004,12 @@ Assign connection tracking timeout policy.
*{ "xt": null }*
This represents an xt statement from xtables compat interface. Sadly, at this
-point it is not possible to provide any further information about its content.
+point, it is not possible to provide any further information about its content.
== EXPRESSIONS
Expressions are the building blocks of (most) statements. In their most basic
-form, they are just immediate values represented as JSON string, integer or
-boolean types.
+form, they are just immediate values represented as a JSON string, integer or
+boolean type.
=== IMMEDIATES
[verse]
@@ -1104,14 +1105,14 @@ ____
Construct a payload expression, i.e. a reference to a certain part of packet
data. The first form creates a raw payload expression to point at a random
number (*len*) of bytes at a certain offset (*offset*) from a given reference
-point (*base*). Following *base* values are accepted:
+point (*base*). The following *base* values are accepted:
*"ll"*::
- Offset is relative to Link Layer header start offset.
+ The offset is relative to Link Layer header start offset.
*"nh"*::
- Offset is relative to Network Layer header start offset.
+ The offset is relative to Network Layer header start offset.
*"th"*::
- Offset is relative to Transport Layer header start offset.
+ The offset is relative to Transport Layer header start offset.
The second form allows to reference a field by name (*field*) in a named packet
header (*protocol*).
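Review bot: the context sentence above the *base* list still says the raw form points at "a random number (*len*) of bytes", although *len* is a property the caller supplies; "an arbitrary number" would be accurate and is worth fixing while this paragraph is being touched. In the three *base* entries, "relative to Link Layer header start offset" also still lacks "the" before the layer name.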
@@ -1127,8 +1128,8 @@ header (*protocol*).
Create a reference to a field (*field*) in an IPv6 extension header (*name*).
*offset* is used only for *rt0* protocol.
-If *field* property is not given, expression is to be used as header
-existence check in a *match* statement with boolean on right hand side.
+If the *field* property is not given, the expression is to be used as a header
+existence check in a *match* statement with a boolean on the right hand side.
=== TCP OPTION
[verse]
@@ -1139,8 +1140,8 @@ existence check in a *match* statement with boolean on right hand side.
Create a reference to a field (*field*) of a TCP option header (*name*).
-If *field* property is not given, expression is to be used as TCP option
-existence check in a *match* statement with boolean on right hand side.
+If the *field* property is not given, the expression is to be used as a TCP option
+existence check in a *match* statement with a boolean on the right hand side.
=== META
[verse]
@@ -1191,7 +1192,7 @@ ____
Create a reference to packet conntrack data.
-Some CT keys don't support a direction. In this case *dir* must not be
+Some CT keys do not support a direction. In this case, *dir* must not be
given.
=== NUMGEN
@@ -1255,7 +1256,7 @@ Perform kernel Forwarding Information Base lookups.
*{ "+<<+": [* 'EXPRESSION'*,* 'EXPRESSION' *] }*
*{ ">>": [* 'EXPRESSION'*,* 'EXPRESSION' *] }*
-All binary operations expect an array of exactly two expressions of which the
+All binary operations expect an array of exactly two expressions, of which the
first element denotes the left hand side and the second one the right hand
side.
@@ -1268,7 +1269,7 @@ side.
*{ "jump": { "target":* 'STRING' *}}*
*{ "goto": { "target":* 'STRING' *}}*
-Same as *verdict* statement, but for use in verdict maps.
+Same as the *verdict* statement, but for use in verdict maps.
*jump* and *goto* verdicts expect a target chain name.
@@ -1281,8 +1282,8 @@ Same as *verdict* statement, but for use in verdict maps.
"comment":* 'STRING'
*}}*
-Explicit set element object, in case *timeout*, *expires* or *comment* are
-desired. Otherwise may be replaced by the value of *val*.
+Explicitly set element object, in case *timeout*, *expires* or *comment* are
+desired. Otherwise, it may be replaced by the value of *val*.
=== SOCKET
[verse]
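Review bot: changing "Explicit set element object" to "Explicitly set element object" alters the meaning. The original names the thing being described (an explicit object for a set element, needed when *timeout*, *expires* or *comment* are desired); the new wording parses as an instruction to set an object. Suggest keeping the adjective, for instance "An explicit set element object, for use in case *timeout*, *expires* or *comment* are desired."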
@@ -1308,14 +1309,14 @@ ____
'OSF_TTL' := *"loose"* | *"skip"*
____
-Perform OS fingerprinting. This expression is typically used in LHS of a *match*
+Perform OS fingerprinting. This expression is typically used in the LHS of a *match*
statement.
*key*::
- What part of the fingerprint info to match against. At this point, only
+ Which part of the fingerprint info to match against. At this point, only
the OS name is supported.
*ttl*::
- Define how packet's TTL value is to be matched. This property is
- optional. If omitted, TTL value has to match exactly. A value of *loose*
+ Define how the packet's TTL value is to be matched. This property is
+ optional. If omitted, the TTL value has to match exactly. A value of *loose*
accepts TTL values less than the fingerprint one. A value of *skip*
omits TTL value comparison entirely.
diff --git a/doc/libnftables.adoc b/doc/libnftables.adoc
index 7f6eef8e..ea9626af 100644
--- a/doc/libnftables.adoc
+++ b/doc/libnftables.adoc
@@ -64,7 +64,7 @@ The *nft_ctx_new*() function allocates and returns a new context object.
The parameter 'flags' is unused at this point and should be set to zero.
For convenience, the macro *NFT_CTX_DEFAULT* is defined to that value.
-The *nft_ctx_free*() function frees the context object pointed to by 'ctx' including any caches or buffers it may hold.
+The *nft_ctx_free*() function frees the context object pointed to by 'ctx', including any caches or buffers it may hold.
=== nft_ctx_get_dry_run() and nft_ctx_set_dry_run()
Dry-run setting controls whether ruleset changes are actually committed on kernel side or not.
@@ -99,12 +99,12 @@ NFT_CTX_OUTPUT_REVERSEDNS::
NFT_CTX_OUTPUT_SERVICE::
Print port numbers as services as described in the /etc/services file.
NFT_CTX_OUTPUT_STATELESS::
- If stateless output has been requested then stateful data is not printed.
+ If stateless output has been requested, then stateful data is not printed.
Stateful data refers to those objects that carry run-time data, e.g. the *counter* statement holds packet and byte counter values, making it stateful.
NFT_CTX_OUTPUT_HANDLE::
Upon insertion into the ruleset, some elements are assigned a unique handle for identification purposes.
For example, when deleting a table or chain, it may be identified either by name or handle.
- Rules on the other hand must be deleted by handle because there is no other way to uniquely identify them.
+ Rules on the other hand must be deleted by handle, because there is no other way to uniquely identify them.
This flag makes ruleset listings include handle values.
NFT_CTX_OUTPUT_JSON::
If enabled at compile-time, libnftables accepts input in JSON format and is able to print output in JSON format as well.
@@ -181,7 +181,7 @@ The functions return zero on success, non-zero otherwise.
This may happen if the internal call to *fopencookie*() failed.
The *nft_ctx_unbuffer_output*() and *nft_ctx_unbuffer_error*() functions disable library standard or error output buffering.
-On failure, the functions return non-zero which may only happen if buffering wasn't enabled at the time the function was called.
+On failure, the functions return non-zero which may only happen if buffering was not enabled at the time the function was called.
The *nft_ctx_get_output_buffer*() and *nft_ctx_get_error_buffer*() functions return a pointer to the buffered output (which may be empty).
@@ -191,7 +191,7 @@ The include path defines where these files are searched for.
Libnftables allows to have a list of those paths which are searched in order.
The default include path list contains a single compile-time defined entry (typically '/etc/').
-The *nft_ctx_add_include_path*() function extends the list of include paths in 'ctx' by the one pointed to in 'path'.
+The *nft_ctx_add_include_path*() function extends the list of include paths in 'ctx' by the one given in 'path'.
The function returns zero on success or non-zero if memory allocation failed.
The *nft_ctx_clear_include_paths*() function removes all include paths, even the built-in default one.
diff --git a/doc/nft.txt b/doc/nft.txt
index 88f5b0d4..45af5bb9 100644
--- a/doc/nft.txt
+++ b/doc/nft.txt
@@ -151,7 +151,7 @@ filter input iif $int_ifs accept
ADDRESS FAMILIES
----------------
Address families determine the type of packets which are processed. For each
-address family the kernel contains so called hooks at specific stages of the
+address family, the kernel contains so called hooks at specific stages of the
packet processing paths, which invoke nftables if rules for these hooks exist.
[horizontal]
@@ -236,7 +236,7 @@ currently in place in kernel. The following *ruleset* commands exist:
[horizontal]
*list*:: Print the ruleset in human-readable format.
-*flush*:: Clear the whole ruleset. Note that unlike iptables, this will remove
+*flush*:: Clear the whole ruleset. Note that, unlike iptables, this will remove
all tables and whatever they contain, effectively leading to an empty ruleset -
no packet filtering will happen anymore, so the kernel accepts any valid packet
it receives.
@@ -349,10 +349,10 @@ Apart from the special cases illustrated above (e.g. *nat* type not supporting
*forward* hook or *route* type only supporting *output* hook), there are two
further quirks worth noticing:
-* netdev family supports merely a single combination, namely *filter* type and
+* The netdev family supports merely a single combination, namely *filter* type and
*ingress* hook. Base chains in this family also require the *device* parameter
to be present since they exist per incoming interface only.
-* arp family supports only *input* and *output* hooks, both in chains of type
+* The arp family supports only the *input* and *output* hooks, both in chains of type
*filter*.
The *priority* parameter accepts a signed integer value or a standard priority
@@ -393,7 +393,7 @@ the others. See the following tables that describe the values and compatibility.
|==================
Basic arithmetic expressions (addition and subtraction) can also be achieved
-with these standard names to ease relative prioritizing, eg. *mangle - 5* stands
+with these standard names to ease relative prioritizing, e.g. *mangle - 5* stands
for *-155*. Values will also be printed like this until the value is not
further than 10 form the standard value.
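Review bot: the context line directly below the changed one still has the typo "further than 10 form the standard value" ("form" for "from"). Since this paragraph is being edited anyway, fix it in the same patch.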
@@ -423,8 +423,8 @@ just as if an invalid 'handle' was given.
A 'comment' is a single word or a double-quoted (") multi-word string which can
be used to make notes regarding the actual rule. *Note:* If you use bash for
-adding rules, you have to escape the quotation marks (eg. \"enable ssh for
-servers\")
+adding rules, you have to escape the quotation marks, e.g. \"enable ssh for
+servers\".
[horizontal]
*add*:: Add a new rule described by the list of statements. The
@@ -539,7 +539,7 @@ add *map* ['family'] 'table' 'map' { type 'type' [flags 'flags' ;] [elements = {
{delete | list | flush} *map* ['family'] 'table' 'map'
{add | delete} *element* ['family'] 'table' 'map' { elements = { 'elements'[,...] } ; }
-Maps store data based on some specific key used as input, they are uniquely identified by a user-defined name and attached to tables.
+Maps store data based on some specific key used as input. They are uniquely identified by a user-defined name and attached to tables.
[horizontal]
*add*:: Add a new map in the specified table.
@@ -584,15 +584,15 @@ protocols. Each entry also caches the destination interface and the gateway
address - to update the destination link-layer address - to forward packets.
The ttl and hoplimit fields are also decremented. Hence, flowtables provides an
alternative path that allow packets to bypass the classic forwarding path.
-Flowtables reside in the ingress hook, that is located before the prerouting
-hook. You can select what flows you want to offload through the flow offload
+Flowtables reside in the ingress hook that is located before the prerouting
+hook. You can select which flows you want to offload through the flow offload
expression from the forward chain. Flowtables are identified by their address
-family and their name. The address family must be one of ip, ip6, inet. The inet
+family and their name. The address family must be one of ip, ip6, or inet. The inet
address family is a dummy family which is used to create hybrid IPv4/IPv6
tables. When no address family is specified, ip is used by default.
The *priority* can be a signed integer or *filter* which stands for 0. Addition
-and subtraction can be used to set relative priority eg. filter + 5 equals to
+and subtraction can be used to set relative priority, e.g. filter + 5 equals to
5.
[horizontal]
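Review bot: two grammar errors remain in this hunk, one in a context line and one in a rewritten line: "flowtables provides an alternative path that allow packets" has mismatched number twice, and the rewritten priority sentence keeps "equals to 5". Suggest "flowtables provide an alternative path that allows packets" and "filter + 5 equals 5".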
@@ -622,7 +622,7 @@ include::stateful-objects.txt[]
EXPRESSIONS
------------
Expressions represent values, either constants like network addresses, port
-numbers etc. or data gathered from the packet during ruleset evaluation.
+numbers, etc., or data gathered from the packet during ruleset evaluation.
Expressions can be combined using binary, logical, relational and other types of
expressions to form complex or relational (match) expressions. They are also
used as arguments to certain types of operations, like NAT, packet marking etc.
@@ -666,7 +666,7 @@ Types may be derived from lower order types, f.i. the IPv4 address type is
derived from the integer type, meaning an IPv4 address can also be specified as
an integer value. +
-In certain contexts (set and map definitions) it is necessary to explicitly
+In certain contexts (set and map definitions), it is necessary to explicitly
specify a data type. Each type has a name which is used for this.
include::data-types.txt[]
@@ -750,7 +750,7 @@ parts using carets (^). If the error results from the combination of two
expressions or statements, the part imposing the constraints which are violated
is marked using tildes (~). +
-For errors returned by the kernel, nft can't detect which parts of the input
+For errors returned by the kernel, nft cannot detect which parts of the input
caused the error and the entire command is marked.
.Error caused by single incorrect expression
diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index 6995d327..a964ce92 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -44,7 +44,7 @@ with the same name is created.
|Keyword | Description | Type
|length|
Length of the packet in bytes|
-integer (32 bit)
+integer (32-bit)
|nfproto|
real hook protocol family, useful only in inet table|
integer (32 bit)
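Review bot: only the *length* row is changed to "integer (32-bit)"; the *nfproto* row below it in the same hunk still reads "integer (32 bit)", so the table is now inconsistent. Either hyphenate every "32 bit" in this table or leave this row alone.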