author: Duncan Roe <firstname.lastname@example.org> 2018-08-06 11:14:48 +1000
committer: Pablo Neira Ayuso <email@example.com> 2018-08-06 13:09:35 +0200
doc: Changes following detailed comparison with last XML version
These were found by a combination of tkdiff and side-by-side man pages.

Most changes preserve or (occasionally) fix highlighting, casing or plurality.
No major omissions were found.

- data-types.txt: (Nothing special)
- nft.txt:
-- changed "`nft' stands for Netfilter" back to "`nf' stands for Netfilter"
-- removed mysterious plus sign
- payload-expression.txt:
-- XML had MTU as 16-bit so changed back from 32. Is that correct?
- primary-expression.txt: (Nothing special)
- statements.txt: (Nothing special)

This patch does not address any of the following observations:

1. Title has changed from nft to NFT
2. There is no attempt at justification.
3. There is no attempt at hyphenation.
4. Long lines of code now wrap instead of indenting nicely.
   See e.g. "tcp option" line under EXTENSION HEADER EXPRESSIONS
5. Tables have a lot of empty lines in them.
6. Occasionally there is severe wrapping, e.g. under CHAINS see
   add/create/delete/&c. which wrap at about cc40.

Signed-off-by: Duncan Roe <firstname.lastname@example.org>
Signed-off-by: Pablo Neira Ayuso <email@example.com>
Diffstat (limited to 'doc/nft.txt')
1 files changed, 10 insertions, 11 deletions
diff --git a/doc/nft.txt b/doc/nft.txt
index 0f824a52..20ae54be 100644
@@ -17,7 +17,7 @@ DESCRIPTION
nft is the command line tool used to set up, maintain and inspect packet
filtering and classification rules in the Linux kernel, in the nftables
-framework. The Linux kernel subsystem is known as nf_tables, and `nft' stands
+framework. The Linux kernel subsystem is known as nf_tables, and `nf' stands
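Review bot: The `+` line keeps the `nf' backtick/apostrophe quoting, which is the only place in this patch that quotes a keyword that way; the rest of the file marks keywords with asciidoc *bold* (compare *export*, *list*, *flush* in the later hunks) or 'italic' for parameters. If the aim is a consistent man page rather than a literal copy of the old XML, 'nf' or *nf* would fit the file's own conventions. The substitution of `nf' for `nft' itself matches the commit message's stated intent, since the sentence is explaining the name of the nf_tables kernel subsystem, not the nft tool.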
@@ -145,12 +145,12 @@ address family the kernel contains so called hooks at specific stages of the
packet processing paths, which invoke nftables if rules for these hooks exist.
-ip:: IPv4 address family.
-ip6:: IPv6 address family.
-inet:: Internet (IPv4/IPv6) address family.
-arp:: ARP address family, handling IPv4 ARP packets.
-bridge:: Bridge address family, handling packets which traverse a bridge device.
-netdev:: Netdev address family, handling packets from ingress.
+*ip*:: IPv4 address family.
+*ip6*:: IPv6 address family.
+*inet*:: Internet (IPv4/IPv6) address family.
+*arp*:: ARP address family, handling IPv4 ARP packets.
+*bridge*:: Bridge address family, handling packets which traverse a bridge device.
+*netdev*:: Netdev address family, handling packets from ingress.
All nftables objects exist in address family specific namespaces, therefore all
identifiers include an address family. If an identifier is specified without an
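Review bot: Bolding the family names is consistent with the keyword style used for *export*, *list* and *flush* further down. Since a later hunk cross-references this section as <<ADDRESS_FAMILIES>>, confirm that the section heading above this list still carries its anchor after the conversion; otherwise that reference renders as a dangling link and the reader is told to look for a section they cannot find.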
@@ -232,7 +232,7 @@ no packet filtering will happen anymore, so the kernel accepts any valid packet
*export*:: Print the ruleset in machine readable format. The mandatory 'format'
-parameter may be either *xml* or *json*.
+parameter may be either xml or json.
It is possible to limit *list* and *flush* to a specific address family only.
For a list of valid family names, see <<ADDRESS_FAMILIES>> above.
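Review bot: Dropping the bold on xml and json in the `+` line leaves the only two accepted values of the 'format' parameter unmarked, while elsewhere in this patch keyword values such as *ip* and *inet* are bold. The commit message says the change restores the XML original, but if the goal is a consistent man page, *xml* and *json* would read better alongside the bold *export* keyword in the same item. Minor; the meaning is unchanged either way.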
@@ -360,7 +360,7 @@ RULES
replace *rule* ['family'] 'table' 'chain' handle 'handle' 'statement'...
delete *rule* ['family'] 'table' 'chain' handle 'handle'
-Rules are added to chain in the given table. If the family is not specified, the
+Rules are added to chains in the given table. If the family is not specified, the
ip family is used. Rules are constructed from two kinds of components according
to a set of grammatical rules: expressions and statements.
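Review bot: "chains" is the right plural here, given that the synopsis lines above list several rule commands each taking a 'chain'. One follow-up in the same sentence: "the ip family is used" describes the default that silently applies when no family is given, so marking it *ip* (as the ADDRESS FAMILIES list now does) would make that default stand out to readers who expect a rule to cover both IPv4 and IPv6 unless they name the inet family explicitly.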
@@ -571,7 +571,6 @@ numbers etc. or data gathered from the packet during ruleset evaluation.
Expressions can be combined using binary, logical, relational and other types of
expressions to form complex or relational (match) expressions. They are also
used as arguments to certain types of operations, like NAT, packet marking etc.
Each expression has a data type, which determines the size, parsing and
representation of symbolic values and type compatibility with other expressions.
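Review bot: The header @@ -571,7 +571,6 @@ records one deleted line, but no `-` line survives in the rendered hunk, so the removal cannot be reviewed from this page; the commit message's "removed mysterious plus sign" for nft.txt is presumably this deletion. Please confirm that the dropped line was the stray plus sign only and not part of the expression-type text, whose visible context lines read continuously across the deletion point.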
@@ -717,7 +716,7 @@ filter output tcp dport == tcp dport
<cmdline>:0:0-23: Error: Could not process rule: Operation not permitted
filter output oif wlan0
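Review bot: Only context lines survive for this hunk (@@ -717,7 +716,7 @@): neither the `-` nor the `+` line is visible, so the one-line change cannot be checked here. The surrounding example shows the rule "filter output tcp dport == tcp dport" being rejected with "Operation not permitted"; if the changed line belongs to this example, make sure the quoted diagnostic still matches what nft actually prints, since readers copy these error strings into searches and bug reports.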