authorPhil Sutter <phil@nwl.cc>2017-08-10 19:29:17 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2017-08-14 11:32:20 +0200
commit3b5b389ae7cf34ff5b94ca3b7c96953715e56ba6 (patch)
tree4704b060a12bcccd03995b80f045dbe72d8c386f
parent8969206a63db5710a4889e6fe56523830c84633f (diff)
nft.8: Review reject statement description
- Describe the 'type' argument's data types in the DATA TYPES section, then remove the value list from the reject statement description and refer to that section instead. - Fix synopsis: 'with ...' is optional. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--doc/nft.xml317
1 files changed, 256 insertions, 61 deletions
diff --git a/doc/nft.xml b/doc/nft.xml
index 05790ba6..b1ca356e 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -1800,6 +1800,83 @@ filter output icmp type { echo-request, echo-reply }
</example>
</refsect2>
<refsect2>
+ <title>ICMP Code type</title>
+ <para>
+ <table frame="all">
+ <tgroup cols="4" align="left" colsep="1" rowsep="1">
+ <colspec colname="c1"/>
+ <colspec colname="c2"/>
+ <colspec colname="c3"/>
+ <colspec colname="c4"/>
+ <thead>
+ <row>
+ <entry>Name</entry>
+ <entry>Keyword</entry>
+ <entry>Size</entry>
+ <entry>Base type</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>ICMP Code</entry>
+ <entry>icmp_code</entry>
+ <entry>8 bit</entry>
+ <entry>integer</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ </para>
+ <para>
+ The ICMP Code type is used to conveniently specify the ICMP header's code field.
+ </para>
+ <para>
+ The following keywords may be used when specifying the ICMP code:
+ <table frame="all">
+ <tgroup cols="2" align="left" colsep="1" rowsep="1">
+ <colspec colname="c1"/>
+ <colspec colname="c2"/>
+ <thead>
+ <row>
+ <entry>Keyword</entry>
+ <entry>Value</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>net-unreachable</entry>
+ <entry>0</entry>
+ </row>
+ <row>
+ <entry>host-unreachable</entry>
+ <entry>1</entry>
+ </row>
+ <row>
+ <entry>prot-unreachable</entry>
+ <entry>2</entry>
+ </row>
+ <row>
+ <entry>port-unreachable</entry>
+ <entry>3</entry>
+ </row>
+ <row>
+ <entry>net-prohibited</entry>
+ <entry>9</entry>
+ </row>
+ <row>
+ <entry>host-prohibited</entry>
+ <entry>10</entry>
+ </row>
+ <row>
+ <entry>admin-prohibited</entry>
+ <entry>13</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ </para>
+ </refsect2>
+ <refsect2>
<title>ICMPv6 Type type</title>
<para>
<table frame="all">
@@ -1932,6 +2009,146 @@ filter output icmpv6 type { echo-request, echo-reply }
</example>
</refsect2>
<refsect2>
+ <title>ICMPv6 Code type</title>
+ <para>
+ <table frame="all">
+ <tgroup cols="4" align="left" colsep="1" rowsep="1">
+ <colspec colname="c1"/>
+ <colspec colname="c2"/>
+ <colspec colname="c3"/>
+ <colspec colname="c4"/>
+ <thead>
+ <row>
+ <entry>Name</entry>
+ <entry>Keyword</entry>
+ <entry>Size</entry>
+ <entry>Base type</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>ICMPv6 Code</entry>
+ <entry>icmpv6_code</entry>
+ <entry>8 bit</entry>
+ <entry>integer</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ </para>
+ <para>
+ The ICMPv6 Code type is used to conveniently specify the ICMPv6 header's code field.
+ </para>
+ <para>
+ The following keywords may be used when specifying the ICMPv6 code:
+ <table frame="all">
+ <tgroup cols="2" align="left" colsep="1" rowsep="1">
+ <colspec colname="c1"/>
+ <colspec colname="c2"/>
+ <thead>
+ <row>
+ <entry>Keyword</entry>
+ <entry>Value</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>no-route</entry>
+ <entry>0</entry>
+ </row>
+ <row>
+ <entry>admin-prohibited</entry>
+ <entry>1</entry>
+ </row>
+ <row>
+ <entry>addr-unreachable</entry>
+ <entry>3</entry>
+ </row>
+ <row>
+ <entry>port-unreachable</entry>
+ <entry>4</entry>
+ </row>
+ <row>
+ <entry>policy-fail</entry>
+ <entry>5</entry>
+ </row>
+ <row>
+ <entry>reject-route</entry>
+ <entry>6</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ </para>
+ </refsect2>
+ <refsect2>
+ <title>ICMPvX Code type</title>
+ <para>
+ <table frame="all">
+ <tgroup cols="4" align="left" colsep="1" rowsep="1">
+ <colspec colname="c1"/>
+ <colspec colname="c2"/>
+ <colspec colname="c3"/>
+ <colspec colname="c4"/>
+ <thead>
+ <row>
+ <entry>Name</entry>
+ <entry>Keyword</entry>
+ <entry>Size</entry>
+ <entry>Base type</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>ICMPvX Code</entry>
+ <entry>icmpx_code</entry>
+ <entry>8 bit</entry>
+ <entry>integer</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ </para>
+ <para>
+ The ICMPvX Code type abstraction is a set of values which
+ overlap between ICMP and ICMPv6 Code types to be used from the
+ inet family.
+ </para>
+ <para>
+ The following keywords may be used when specifying the ICMPvX code:
+ <table frame="all">
+ <tgroup cols="2" align="left" colsep="1" rowsep="1">
+ <colspec colname="c1"/>
+ <colspec colname="c2"/>
+ <thead>
+ <row>
+ <entry>Keyword</entry>
+ <entry>Value</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>no-route</entry>
+ <entry>0</entry>
+ </row>
+ <row>
+ <entry>port-unreachable</entry>
+ <entry>1</entry>
+ </row>
+ <row>
+ <entry>host-unreachable</entry>
+ <entry>2</entry>
+ </row>
+ <row>
+ <entry>admin-prohibited</entry>
+ <entry>3</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ </para>
+ </refsect2>
+ <refsect2>
<title>Conntrack types</title>
<para>
This is an overview of types used in <command>ct</command>
@@ -4093,95 +4310,73 @@ ip6 filter output log flags all
<para>
<cmdsynopsis>
<command>reject</command>
- <arg choice="none">with</arg>
- <group choice="req">
- <arg>icmp</arg>
- <arg>icmp6</arg>
- <arg>icmpx</arg>
- </group>
- <arg choice="none">type</arg>
- <group choice="req">
- <arg>icmp_type</arg>
- <arg>icmp6_type</arg>
- <arg>icmpx_type</arg>
- </group>
+ <arg choice="opt">
+ <arg choice="none">with</arg>
+ <group choice="req">
+ <arg>icmp</arg>
+ <arg>icmp6</arg>
+ <arg>icmpx</arg>
+ </group>
+ <arg choice="none">type</arg>
+ <group choice="req">
+ <arg>icmp_type</arg>
+ <arg>icmp6_type</arg>
+ <arg>icmpx_type</arg>
+ </group>
+ </arg>
</cmdsynopsis>
<cmdsynopsis>
<command>reject</command>
- <arg choice="none">with</arg>
- <arg choice="req">tcp</arg>
- <arg choice="req">reset</arg>
+ <arg choice="opt">
+ <arg choice="none">with</arg>
+ <arg choice="req">tcp</arg>
+ <arg choice="req">reset</arg>
+ </arg>
</cmdsynopsis>
</para>
<para>
A reject statement is used to send back an error packet in response to the matched packet otherwise it is equivalent to drop so it is a terminating statement, ending rule traversal. This statement is only valid in the input, forward and output chains, and user-defined chains which are only called from those chains.
+ </para>
+ <para>
+ The different ICMP reject variants are meant for use in different table families:
<table frame="all">
- <title>reject statement type (ip)</title>
- <tgroup cols='3' align='left' colsep='1' rowsep='1'>
- <colspec colname='c1'/>
- <colspec colname='c2'/>
- <colspec colname='c3'/>
- <thead>
- <row>
- <entry>Value</entry>
- <entry>Description</entry>
- <entry>Type</entry>
- </row>
- </thead>
- <tbody>
- <row>
- <entry>icmp_type</entry>
- <entry>ICMP type response to be sent to the host</entry>
- <entry>net-unreachable, host-unreachable, prot-unreachable, port-unreachable [default], net-prohibited, host-prohibited, admin-prohibited</entry>
- </row>
- </tbody>
- </tgroup>
- </table>
- <table frame="all">
- <title>reject statement type (ip6)</title>
<tgroup cols='3' align='left' colsep='1' rowsep='1'>
<colspec colname='c1'/>
<colspec colname='c2'/>
<colspec colname='c3'/>
<thead>
<row>
- <entry>Value</entry>
- <entry>Description</entry>
+ <entry>Variant</entry>
+ <entry>Family</entry>
<entry>Type</entry>
</row>
</thead>
<tbody>
<row>
- <entry>icmp6_type</entry>
- <entry>ICMPv6 type response to be sent to the host</entry>
- <entry>no-route, admin-prohibited, addr-unreachable, port-unreachable [default], policy-fail, reject-route</entry>
+ <entry>icmp</entry>
+ <entry>ip</entry>
+ <entry>icmp_code</entry>
</row>
- </tbody>
- </tgroup>
- </table>
- <table frame="all">
- <title>reject statement type (inet)</title>
- <tgroup cols='3' align='left' colsep='1' rowsep='1'>
- <colspec colname='c1'/>
- <colspec colname='c2'/>
- <colspec colname='c3'/>
- <thead>
<row>
- <entry>Value</entry>
- <entry>Description</entry>
- <entry>Type</entry>
+ <entry>icmp6</entry>
+ <entry>ip6</entry>
+ <entry>icmpv6_code</entry>
</row>
- </thead>
- <tbody>
<row>
- <entry>icmpx_type</entry>
- <entry>ICMPvXtype abstraction response to be sent to the host, this is a set of types that overlap in IPv4 and IPv6 to be used from the inet family.</entry>
- <entry>port-unreachable [default], admin-prohibited, no-route, host-unreachable</entry>
+ <entry>icmpx</entry>
+ <entry>inet</entry>
+ <entry>icmpx_code</entry>
</row>
</tbody>
</tgroup>
</table>
</para>
+ <para>
+ For a description of the different types and a list of supported
+ keywords refer to <literal>DATA TYPES</literal> section above.
+ The common default reject value is
+ <command>port-unreachable</command>.
+ </para>
</refsect2>
<refsect2>
<title>Counter statement</title>