summaryrefslogtreecommitdiffstats
path: root/doc
Commit message (Collapse)AuthorAgeFilesLines
* doc: nft.8 document use of -f option to start nft scriptsDuncan Roe2017-11-201-0/+3
| | | | | | | | | The man page didn't document nft scripts at all before, so putting that with the -f option seemed as good a place as any. It does work to start scripts is also updated. Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au> Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: nft.8 simplify initial SYNOPSIS lineDuncan Roe2017-10-241-52/+14
| | | | | | | | | In the style of tcpdump.8: where options have short and long forms, only show short form in synopsis but mention long form in description. Re-order option descriptions to match order in synopsis (move -N to just after -n). Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: nft.8 change "Native Address Translation" to "Network Address Translation"Duncan Roe2017-10-171-1/+1
| | | | | | | | | | A Google search for "Native Address Translation" found 1 entry (http://encyclopedia2.thefreedictionary.com/Native+address+translation) which redirects to .../Network+address+translation. All other matches are to entries about "Network Address Translation". Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: nft.8 Document rule replaceDuncan Roe2017-10-091-0/+17
| | | | | | | Insert synopsis and description between those for add|insert and delete Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: nft.8 add chain synopsisDuncan Roe2017-10-061-2/+2
| | | | | | | | | | | | | | | | | The man page says this: > {add | create} chain [family] table chain [ { {type} {hook} [device] {priority} } [policy] ] But I suggest it should say this: > {add | create} chain [family] table chain [ { {type} {hook} [device] {priority ;} [policy ;] } ] i.e. the policy tuple should be inside the braces along with type, hook, device & priority. Also the device & priority tuples each need to be followed by a semicolon. Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: update man pageFlorian Westphal2017-09-291-5/+18
| | | | | | | you can now use "rt ip|ip6 nexthop" and "ct original|reply ip|ip6 saddr|daddr" to tell nft if you want to match ipv4 or ipv6. Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: nft: Fix and enhance synopsis sectionPhil Sutter2017-08-281-24/+50
| | | | | | | | | | | | | | | | | | | This patch addresses shortcomings in the main synopsis section illustrating possible invocations of nft command: - Fix font styles to correctly put options into bold font and meta characters (brackets, pipes) into normal font. - Add missing options to synopsis line. - Use curly braces where either one of the alternatives is required. - Remove choice="opt" attribute since that is the default anyway. - Note that --includepath option is allowed to be given multiple times. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: convert expr_rt byteorder when evaluating statment argFlorian Westphal2017-08-281-2/+2
| | | | | | | | | | | | | | expr_rt might write data in host byte order, so make sure to convert if needed. This makes 'tcp option maxseg size rt mtu' actually work, right now such rules are no-ops because nft_exthdr never increases the mss. While at it, extend the example to not bother testing non-syn packets. Reported-by: Matteo Croce <technoboy85@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rt: add path mtu supportFlorian Westphal2017-08-221-0/+7
| | | | | | | | | | Only use case is to allow similar behaviour to iptables TCPMSS --clamp-mss-to-pmtu, by combining this with exthdr statement: tcp option maxseg size set rt mtu Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add tcp options set supportFlorian Westphal2017-08-221-0/+16
| | | | | | | | | | | | This adds support for tcp mss mangling: nft add rule filter input tcp option maxseg size 1200 Its also possible to change other tcp option fields, but maxseg is one of the more useful ones to change. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* man: use https for wiki linkDaniel Kahn Gillmor2017-08-141-1/+1
| | | | | | | | | | https works for the wiki, and users should prefer it by default, whether they are logging in (to protect their credentials) or whether they're reading data (to protect the integrity of the content). Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* man: Fix typo.Varsha Rao2017-08-141-1/+1
| | | | | | | The word 'occur' is misspelled as 'ocurr'. This patch fixes it. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft.8: Complete short description of arp familyPhil Sutter2017-08-141-1/+1
| | | | | | | Although not very informational, still better than ending mid-sentence. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft.8: Describe base chain detailsPhil Sutter2017-08-141-9/+85
| | | | | | | | | | | This mostly covers base chain types, but also tries to clarify meaning of priority values, chain policy and the ominous device parameter. Command synopsis is adjusted as well to point out which parts of a base chain definition are optional and which are not. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft.8: Add note about supported hooks for bridge familyPhil Sutter2017-08-141-0/+3
| | | | | | | | | It is the only address family which lacks a table describing supported hooks. Since that would be identical to the one for ip/ip6/inet families, just point there. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft.8: Review reject statement descriptionPhil Sutter2017-08-141-61/+256
| | | | | | | | | | - Describe 'type' argument datatypes in DATA TYPES section, then remove value list from reject statement description and refer to that section instead. - Fix synopsis: 'with ...' is optional. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft.8: Describe conntrack typesPhil Sutter2017-08-141-0/+230
| | | | | Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft.8: Document operations on rulesetPhil Sutter2017-08-141-15/+72
| | | | | | | | | | | | | People new to nftables and yet unaware of 'list ruleset' and 'flush ruleset' commands have a hard time. Therefore put description of those prominently at the top, even before explaining operations on tables and chains. Since 'export ruleset' is closely related, document it here as well and remove it's sparse description from ADDITIONAL COMMANDS section. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Implement --echo optionPhil Sutter2017-08-141-0/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When used with add, insert or replace commands, nft tool will print event notifications just like 'nft monitor' does for the same commands. Apart from seeing what a given command will turn out in the rule set, this allows to reliably retrieve a new rule's assigned handle (if used together with --handle option). Here are some examples of how it works: | # nft --echo --handle add table ip t | add table ip t | | # nft --echo --handle add chain ip t c \ | '{ type filter hook forward priority 0; }' | add chain ip t c { type filter hook forward priority 0; policy accept; } | | # nft --echo --handle add rule ip t c tcp dport '{22, 80}' accept | add rule ip t c tcp dport { ssh, http } accept # handle 2 | | # nft --echo --handle add set ip t ipset '{ type ipv4_addr; \ | elements = { 192.168.0.1, 192.168.0.2 }; }' | add set ip t ipset { type ipv4_addr; } | add element ip t ipset { 192.168.0.1 } | add element ip t ipset { 192.168.0.2 } Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* man: Document nft monitor ruleset.Varsha Rao2017-07-311-1/+7
| | | | | | | Add documentation for nft monitor ruleset command. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* man: add include statement documentation.Ismo Puustinen2017-06-281-2/+7
| | | | | | | Add to man page information about using the wildcard include statements. Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add --check option flagPablo M. Bermudo Garay2017-06-261-0/+11
| | | | | | | | | Sometimes it can be useful to test if a command is valid without applying any change to the rule-set. This commit adds a new option flag (-c | --check) that performs a dry run execution of the commands. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: reject meta nfproto outside of inet familyFlorian Westphal2017-06-181-1/+8
| | | | | | | | | | | | | | | meta nfproto loads the hook family type of the current rule context in the kernel, i.e. it will be NFPROTO_IPV6 for ip6 family, NFPROTO_BRIDGE for bridge and so on. The only case where this is useful is the inet pseudo family, where this is useful to determine the real hook family (NFPROTO_IPV4 or NFPROTO_IPV6). In all other families 'meta nfproto' is either always true or false. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rename ct eventmask to eventFlorian Westphal2017-06-071-3/+3
| | | | | | | | ct status isn't named 'statusmask' either. Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: display default directory for file inclusion in -h/--helpPablo Neira Ayuso2017-06-071-0/+5
| | | | | | | | | | | If no explicit relative or absolute path is enforced by the user, nft relies on either -I/--includepath or the default include directory that is set at compile time. Given most of our users will rely on packaged versions of nft, provide a way to display the location of this default includepath directory. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: nft: describe -I override behaviour when path starts by ./ and /Pablo Neira Ayuso2017-06-071-1/+4
| | | | | | | You can override -I by starting your path either using ./ for relative paths and / for absolute paths. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* man: add include directory documentation.Ismo Puustinen2017-06-071-0/+4
| | | | | | | Short include directory introduction is added to the man page. Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: Fix typo in manpageBertrand Bonnefoy-Claudet2017-05-291-1/+1
| | | | | | | s/Simlar/Similar Signed-off-by: Bertrand Bonnefoy-Claudet <bertrandbc@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft.8: Enhance NAT documentationPhil Sutter2017-05-041-1/+57
| | | | | | | | | | This adds documentation about masquerade and redirect statements, points out that for any NAT statement both prerouting and postrouting chains are required and adds a bunch of examples to the section's end. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Arturo Borrero Gonzalez <arturo@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: add conntrack event mask supportFlorian Westphal2017-04-241-0/+15
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: revisit fib examplesPablo Neira Ayuso2017-04-071-4/+4
| | | | | | There are several typos there that may confuse users, fix them. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: Document add / delete element operations of sets and mapsElise Lennion2017-03-201-0/+58
| | | | | | | | | The add / delete operations weren't documented yet. They fit better in the sets and maps blocks since these operations are used to directly modify their content. Signed-off-by: Elise Lennion <elise.lennion@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: Allow flushing mapsElise Lennion2017-03-201-0/+9
| | | | | | | | | | | | | | This patch enables the command flush on maps, which removes all entries in it: $ nft flush map filter map1 Command above flushes map 'map1' in table 'filter'. The documentation was updated accordingly. Signed-off-by: Elise Lennion <elise.lennion@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: Describe ICMP(v6) expression and typesPhil Sutter2017-03-201-0/+380
| | | | | | | | | This adds a description of the icmp and icmpv6 expressions (to match various ICMP header fields) as well as the icmp and icmpv6 type types (yay) which are used for ICMP(v6) type field. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: ct helper objects and helper set supportFlorian Westphal2017-03-161-0/+76
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: fix ct mark set exampleFlorian Westphal2017-03-151-1/+1
| | | | | Fixes: 0d7fdb10b10c7a6c ("doc: payload and conntrack statement") Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: ct zone set supportFlorian Westphal2017-03-151-1/+27
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: Document boolean type and applicationsPhil Sutter2017-03-131-0/+134
| | | | | Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: revisit tcp options supportPablo Neira Ayuso2017-02-281-11/+28
| | | | | | | | | | | | | | | | | | | Rework syntax, add tokens so we can extend the grammar more easily. This has triggered several syntax changes with regards to the original patch, specifically: tcp option sack0 left 1 There is no space between sack and the block number anymore, no more offset field, now they are a single field. Just like we do with rt, rt0 and rt2. This simplifies our grammar and that is good since it makes our life easier when extending it later on to accomodate new features. I have also renamed sack_permitted to sack-permitted. I couldn't find any option using underscore so far, so let's keep it consistent with what we have. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add conntrack zone supportFlorian Westphal2017-02-281-1/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This enables zone get/set support. As the zone can be optionally tied to a direction as well we need a new token for this (unless we turn reply/original into tokens in which case we could handle zone via STRING). There was some discussion on how zone set support should be handled, especially 'zone set 1'. There are several issues to consider: 1. its not possible to change a zone 'later on', any given conntrack flow has exactly one zone for its entire lifetime. 2. to create conntracks in a given zone, the zone therefore has to be assigned *before* the packet gets picked up by conntrack (so that lookup finds the correct existing flow or the flow is created with the desired zone id). In iptables, this is enforced because zones are assigned with CT target and this is restricted to the 'raw' table in iptables, which runs after defragmentation but before connection tracking. 3. Thus, in nftables the 'ct zone set' rule needs to hook before conntrack too, e.g. via table raw { chain pre { type filter hook prerouting priority -300; iif eth3 ct zone set 23 } chain out { type filter hook output priority -300; oif eth3 ct zone set 23 } } ... but this is not enforced. There were two alternatives to better document this. One was to use an explicit 'template' keyword: nft ... template zone set 23 ... but 'connection tracking templates' are a kernel detail that users should not and need not know about. The other one was to use the meta keyword instead since we're (from a practical point of view) assigning the zone to the packet, not the conntrack: nft ... meta zone set 23 However, next patch also supports 'directional' zones, and nft ... meta original zone 23 makes no sense because 'direction' refers to a direction as understood by the connection tracker. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: Document mapsElise Lennion2017-02-161-1/+104
| | | | | | | | This patch adds the missing documentation for maps. Also, updates sets policy to match maps. Signed-off-by: Elise Lennion <elise.lennion@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add TCP option matchingManuel Messner2017-02-121-5/+173
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch enables nft to match against TCP options. Currently these TCP options are supported: * End of Option List (eol) * No-Operation (noop) * Maximum Segment Size (maxseg) * Window Scale (window) * SACK Permitted (sack_permitted) * SACK (sack) * Timestamps (timestamp) Syntax: tcp options $option_name [$offset] $field_name Example: # count all incoming packets with a specific maximum segment size `x` # nft add rule filter input tcp option maxseg size x counter # count all incoming packets with a SACK TCP option where the third # (counted from zero) left field is greater `x`. # nft add rule filter input tcp option sack 2 left \> x counter If the offset (the `2` in the example above) is zero, it can optionally be omitted. For all non-SACK TCP options it is always zero, thus can be left out. Option names and field names are parsed from templates, similar to meta and ct options rather than via keywords to prevent adding more keywords than necessary. Signed-off-by: Manuel Messner <mm@skelett.io> Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: Document setsElise Lennion2017-02-121-0/+124
| | | | | | | This patch adds the missing documentation for sets. Signed-off-by: Elise Lennion <elise.lennion@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: Document stateful objectsElise Lennion2017-02-121-1/+135
| | | | | | | | This patch adds documentation for stateful objects and updates tables description to mention them. Signed-off-by: Elise Lennion <elise.lennion@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: Include stateless optionElise Lennion2017-01-181-0/+11
| | | | | Signed-off-by: Elise Lennion <elise.lennion@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: add average bytes per packet counter supportLiping Zhang2017-01-161-3/+10
| | | | | | | | | | | | | | | | | Similar to connbytes extension in iptables, now you can use it to match average bytes per packet a connection has transferred so far. For example, match avgpkt in "BOTH" diretion: # nft add rule x y ct avgpkt \> 100 Match avgpkt in reply direction: # nft add rule x y ct reply avgpkt \< 900 Or match avgpkt in original direction: # nft add rule x y ct original avgpkt \> 200 Signed-off-by: Liping Zhang <zlpnobody@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add log flags syntax supportLiping Zhang2016-11-241-0/+56
| | | | | | | | | | | | | | | | | | | | | Now NF_LOG_XXX is exposed to the userspace, we can set it explicitly. Like iptables LOG target, we can log TCP sequence numbers, TCP options, IP options, UID owning local socket and decode MAC header. Note the log flags are mutually exclusive with group. Some examples are listed below: # nft add rule t c log flags tcp sequence,options # nft add rule t c log flags ip options # nft add rule t c log flags skuid # nft add rule t c log flags ether # nft add rule t c log flags all # nft add rule t c log flags all group 1 <cmdline>:1:14-16: Error: flags and group are mutually exclusive add rule t c log flags all group 1 ^^^ Signed-off-by: Liping Zhang <zlpnobody@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: fix synopsis for ct expressionAnders K. Pedersen2016-10-311-10/+15
| | | | | | | | | | | | | | | | | | | The nft man page command synopsis for the ct expression is currently: ct {state | direction | status | mark | expiration | helper | label | bytes | packets} {original | reply | {l3proto | protocol | saddr | daddr | proto-src | proto-dst | bytes | packets}} which is not correct for the arguments that should be prefixed with "original" or "reply". Change this to ct {state | direction | status | mark | expiration | helper | label | l3proto | protocol | bytes | packets} ct {original | reply} {l3proto | protocol | saddr | daddr | proto-src | proto-dst | bytes | packets} Signed-off-by: Anders K. Pedersen <akp@cohaesio.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Correct description of -n/--numeric optionJon Jensen2016-10-291-7/+5
| | | | | | | | | | | | "When used twice" was used twice in the manpage. :) And as Florian Westphal pointed out, it was also incorrect for the -nn case. Update the manpage and built-in help in main.c to match actual behavior. Signed-off-by: Jon Jensen <jon@endpoint.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* Replace tests/files/expr-rt with Python based tests, and replace ether typeAnders K. Pedersen2016-10-291-3/+3
| | | | | | | with meta nfproto, which generates a bit fewer instructions. Signed-off-by: Anders K. Pedersen <akp@cohaesio.com> Signed-off-by: Florian Westphal <fw@strlen.de>