From 8c226fabc63f21c00ea07b7d484053f797ce994c Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Tue, 9 Mar 2021 11:53:30 +0100 Subject: doc: use symbolic names for chain priorities This replaces the numbers with the matching symbolic names with one exception: The NAT example used "priority 0" for the prerouting priority. This is replaced by "dstnat" which has priority -100 which is the new recommended priority. Also use spaces instead of tabs for consistency in lines which require updates. Signed-off-by: Simon Ruderich Signed-off-by: Pablo Neira Ayuso --- doc/nft.txt | 4 ++-- doc/primary-expression.txt | 8 ++++---- doc/stateful-objects.txt | 2 +- doc/statements.txt | 18 +++++++++--------- 4 files changed, 16 insertions(+), 16 deletions(-) diff --git a/doc/nft.txt b/doc/nft.txt index e4f32179..55747036 100644 --- a/doc/nft.txt +++ b/doc/nft.txt @@ -319,7 +319,7 @@ nft --interactive create table inet mytable # add a new base chain: get input packets -add chain inet mytable myin { type filter hook input priority 0; } +add chain inet mytable myin { type filter hook input priority filter; } # add a single counter to the chain add rule inet mytable myin counter @@ -487,7 +487,7 @@ nft add rule ip filter output ip daddr 192.168.0.0/24 accept # nft -a list ruleset table inet filter { chain input { - type filter hook input priority 0; policy accept; + type filter hook input priority filter; policy accept; ct state established,related accept # handle 4 ip saddr 10.1.1.1 tcp dport ssh accept # handle 5 ... diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt index e87e8cc2..c24e2636 100644 --- a/doc/primary-expression.txt +++ b/doc/primary-expression.txt @@ -221,7 +221,7 @@ boolean (1 bit) # exactly what you want). table inet x { chain y { - type filter hook prerouting priority -150; policy accept; + type filter hook prerouting priority mangle; policy accept; socket transparent 1 socket wildcard 0 mark set 0x00000001 accept } } @@ -229,7 +229,7 @@ table inet x { # Trace packets that corresponds to a socket with a mark value of 15 table inet x { chain y { - type filter hook prerouting priority -150; policy accept; + type filter hook prerouting priority mangle; policy accept; socket mark 0x0000000f nftrace set 1 } } @@ -237,7 +237,7 @@ table inet x { # Set packet mark to socket mark table inet x { chain y { - type filter hook prerouting priority -150; policy accept; + type filter hook prerouting priority mangle; policy accept; tcp dport 8080 mark set socket mark } } @@ -280,7 +280,7 @@ If no TTL attribute is passed, make a true IP header and fingerprint TTL true co # Accept packets that match the "Linux" OS genre signature without comparing TTL. table inet x { chain y { - type filter hook input priority 0; policy accept; + type filter hook input priority filter; policy accept; osf ttl skip name "Linux" } } diff --git a/doc/stateful-objects.txt b/doc/stateful-objects.txt index 32a3a5c8..c7488b28 100644 --- a/doc/stateful-objects.txt +++ b/doc/stateful-objects.txt @@ -34,7 +34,7 @@ table inet myhelpers { type "ftp" protocol tcp } chain prerouting { - type filter hook prerouting priority 0; + type filter hook prerouting priority filter; tcp dport 21 ct helper set "ftp-standard" } } diff --git a/doc/statements.txt b/doc/statements.txt index 0973e5ef..c1fd5e55 100644 --- a/doc/statements.txt +++ b/doc/statements.txt @@ -216,7 +216,7 @@ The conntrack statement can be used to set the conntrack mark and conntrack labe The ct statement sets meta data associated with a connection. The zone id has to be assigned before a conntrack lookup takes place, i.e. this has to be done in prerouting and possibly output (if locally generated packets need to be -placed in a distinct zone), with a hook priority of -300. +placed in a distinct zone), with a hook priority of *raw* (-300). Unlike iptables, where the helper assignment happens in the raw table, the helper needs to be assigned after a conntrack entry has been @@ -253,11 +253,11 @@ ct mark set meta mark ------------------------------ table inet raw { chain prerouting { - type filter hook prerouting priority -300; + type filter hook prerouting priority raw; ct zone set iif map { "eth1" : 1, "veth1" : 2 } } chain output { - type filter hook output priority -300; + type filter hook output priority raw; ct zone set oif map { "eth1" : 1, "veth1" : 2 } } } @@ -278,7 +278,7 @@ packets. Note that for this statement to be effective, it has to be applied to packets before a conntrack lookup happens. Therefore, it needs to sit in a chain with -either prerouting or output hook and a hook priority of -300 or less. +either prerouting or output hook and a hook priority of -300 (*raw*) or less. See SYNPROXY STATEMENT for an example usage. @@ -420,8 +420,8 @@ If used then port mapping is generated based on a 32-bit pseudo-random algorithm --------------------- # create a suitable table/chain setup for all further examples add table nat -add chain nat prerouting { type nat hook prerouting priority 0; } -add chain nat postrouting { type nat hook postrouting priority 100; } +add chain nat prerouting { type nat hook prerouting priority dstnat; } +add chain nat postrouting { type nat hook postrouting priority srcnat; } # translate source addresses of all packets leaving via eth0 to address 1.2.3.4 add rule nat postrouting oif eth0 snat to 1.2.3.4 @@ -482,21 +482,21 @@ this case the rule will match for both families. ------------------------------------- table ip x { chain y { - type filter hook prerouting priority -150; policy accept; + type filter hook prerouting priority mangle; policy accept; tcp dport ntp tproxy to 1.1.1.1 udp dport ssh tproxy to :2222 } } table ip6 x { chain y { - type filter hook prerouting priority -150; policy accept; + type filter hook prerouting priority mangle; policy accept; tcp dport ntp tproxy to [dead::beef] udp dport ssh tproxy to :2222 } } table inet x { chain y { - type filter hook prerouting priority -150; policy accept; + type filter hook prerouting priority mangle; policy accept; tcp dport 321 tproxy to :ssh tcp dport 99 tproxy ip to 1.1.1.1:999 udp dport 155 tproxy ip6 to [dead::beef]:smux -- cgit v1.2.3