From 0d7fdb10b10c7a6c276cdb467d824db9b032140b Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@strlen.de>
Date: Tue, 26 Jul 2016 22:04:53 +0200
Subject: doc: payload and conntrack statement

Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 doc/nft.xml | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 81 insertions(+), 1 deletion(-)

diff --git a/doc/nft.xml b/doc/nft.xml
index 62976747..3b215f8c 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -2037,7 +2037,7 @@ filter output oif eth0
 							</row>
 							<row>
 								<entry>label</entry>
-								<entry>Connection tracking label</entry>
+								<entry>Connection tracking label bit or symbolic name defined in connlabel.conf in the nftables include path</entry>
 								<entry>ct_label</entry>
 							</row>
 							<row>
@@ -2206,6 +2206,29 @@ filter input iif eth0 drop
 				</example>
 			</para>
 		</refsect2>
+		<refsect2>
+			<title>Payload statement</title>
+			<para>
+				The payload statement alters packet content.
+				It can be used for example to set ip DSCP (differv) header field or ipv6 flow labels.
+			</para>
+			<para>
+				<example>
+					<title>route some packets instead of bridging</title>
+					<programlisting>
+# redirect tcp:http from 192.160.0.0/16 to local machine for routing instead of bridging
+# assumes 00:11:22:33:44:55 is local MAC address.
+bridge input meta iif eth0 ip saddr 192.168.0.0/16 tcp dport 80 meta pkttype set unicast ether daddr set 00:11:22:33:44:55
+					</programlisting>
+				</example>
+				<example>
+					<title>Set IPv4 DSCP header field</title>
+					<programlisting>
+ip forward ip dscp set 42
+					</programlisting>
+				</example>
+			</para>
+		</refsect2>
 		<refsect2>
 			<title>Log statement</title>
 			<para>
@@ -2389,6 +2412,63 @@ filter input iif eth0 drop
 			</para>
 
 		</refsect2>
+		<refsect2>
+			<title>Conntrack statement</title>
+			<para>
+				The conntrack statement can be used to set the conntrack mark and conntrack labels.
+			</para>
+			<para>
+				<cmdsynopsis>
+					<command>ct</command>
+					<group choice="req">
+						<arg>mark</arg>
+						<arg>label</arg>
+					</group>
+					<arg choice="none">set</arg>
+					<replaceable>value</replaceable>
+				</cmdsynopsis>
+			</para>
+			<para>
+				The ct statement sets meta data associated with a connection.
+			</para>
+			<para>
+				<table frame="all">
+					<title>Meta statement types</title>
+					<tgroup cols='3' align='left' colsep='1' rowsep='1'>
+						<colspec colname='c1'/>
+						<colspec colname='c2'/>
+						<colspec colname='c3'/>
+						<thead>
+							<row>
+								<entry>Keyword</entry>
+								<entry>Description</entry>
+								<entry>Value</entry>
+							</row>
+						</thead>
+						<tbody>
+							<row>
+								<entry>mark</entry>
+								<entry>Connection tracking mark</entry>
+								<entry>mark</entry>
+							</row>
+							<row>
+								<entry>label</entry>
+								<entry>Connection tracking label</entry>
+								<entry>label</entry>
+							</row>
+						</tbody>
+					</tgroup>
+				</table>
+			</para>
+			<para>
+				<example>
+					<title>save packet nfmark in conntrack</title>
+					<programlisting>
+ct set mark meta mark
+					</programlisting>
+				</example>
+			</para>
+		</refsect2>
 		<refsect2>
 			<title>Meta statement</title>
 			<para>
-- 
cgit v1.2.3