From fda79e96bcaa5fc927523b582bfc42c8ad22deca Mon Sep 17 00:00:00 2001 From: Florian Westphal Date: Fri, 16 Jun 2017 21:18:45 +0200 Subject: evaluate: reject meta nfproto outside of inet family meta nfproto loads the hook family type of the current rule context in the kernel, i.e. it will be NFPROTO_IPV6 for ip6 family, NFPROTO_BRIDGE for bridge and so on. The only case where this is useful is the inet pseudo family, where this is useful to determine the real hook family (NFPROTO_IPV4 or NFPROTO_IPV6). In all other families 'meta nfproto' is either always true or false. Signed-off-by: Florian Westphal Acked-by: Pablo Neira Ayuso --- doc/nft.xml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'doc/nft.xml') diff --git a/doc/nft.xml b/doc/nft.xml index d0d37396..e9ccd63c 100644 --- a/doc/nft.xml +++ b/doc/nft.xml @@ -478,7 +478,9 @@ filter input iif $int_ifs accept . The inet address family is a dummy family which is used to create - hybrid IPv4/IPv6 tables. + hybrid IPv4/IPv6 tables. The meta expression nfproto + keyword can be used to test which family (ipv4 or ipv6) context the packet is being processed in. + When no address family is specified, ip is used by default. @@ -1906,6 +1908,11 @@ filter output icmpv6 type { echo-request, echo-reply } Length of the packet in bytes integer (32 bit) + + nfproto + real hook protocol family, useful only in inet table + integer (32 bit) + protocol Ethertype protocol value -- cgit v1.2.3
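Review bot: the sentence added in the first doc/nft.xml hunk (the inet family paragraph near line 478) documents only half of this change: it says `meta nfproto` can be used in an inet table to tell ipv4 from ipv6, but it does not mention that, per the commit subject, evaluation now rejects `meta nfproto` in every other family because the hook family is fixed by the table there. Suggest adding a sentence such as "In all other families the hook family is already known, so meta nfproto is rejected." The phrase "which family (ipv4 or ipv6) context the packet is being processed in" also reads awkwardly; "which address family (ipv4 or ipv6) the packet is being processed in" is clearer.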
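Review bot: the row added to the meta expression table in the second hunk (near line 1906) describes nfproto as "real hook protocol family, useful only in inet table", which understates the behaviour the commit message describes: outside inet the keyword is not merely less useful, it is rejected at evaluation time. Suggest "real hook protocol family; only valid in the inet family" so the table row and the new inet paragraph agree. The cgit view is limited to doc/nft.xml, so the evaluate change named in the subject is not visible on this page and cannot be checked here.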
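As an added example (not part of this commit or of the nftables documentation), the following constructed ruleset shows the one case the commit message describes as meaningful: an inet table, where the hook family is not determined by the table, so `meta nfproto` selects IPv4 or IPv6 packets. The commented-out ip table at the end shows the case that the evaluation step rejects after this change.

```nft
# Constructed example ruleset: dual-stack filtering in a single inet table.
# The table family is "inet", so a packet may have arrived through either the
# NFPROTO_IPV4 or the NFPROTO_IPV6 hook; meta nfproto exposes which one.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iif "lo" accept

        # Count and accept IPv4 ICMP echo requests, rate limited.
        meta nfproto ipv4 icmp type echo-request limit rate 5/second counter accept

        # IPv6: allow neighbour discovery, which a dual-stack host needs.
        meta nfproto ipv6 icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } accept

        # Everything else that arrived via the IPv6 hook is counted and dropped,
        # giving an IPv4-only policy without a second table.
        meta nfproto ipv6 counter drop
    }
}

# In a single-family table the hook family is fixed (always NFPROTO_IPV4 here),
# so "meta nfproto ipv4" would be unconditionally true. With this change nft
# rejects the rule at evaluation time instead of loading a no-op match:
#
# table ip filter {
#     chain input {
#         type filter hook input priority 0;
#         meta nfproto ipv4 accept   # rejected: nfproto outside inet family
#     }
# }
```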