author | Phil Sutter <phil@nwl.cc> | 2017-08-10 19:29:16 +0200 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2017-08-14 11:32:20 +0200 |
commit | 8969206a63db5710a4889e6fe56523830c84633f (patch) | |
tree | 31baf737f937df384a6bb64a0eedc2a96c49b453 /doc/nft.xml | |
parent | e24da35ee3000d5373056ce58677e02cb878f7f7 (diff) |
nft.8: Describe conntrack types
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'doc/nft.xml')
-rw-r--r-- | doc/nft.xml | 230 |
1 files changed, 230 insertions, 0 deletions
diff --git a/doc/nft.xml b/doc/nft.xml
index de8c2cb9..05790ba6 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -1931,6 +1931,232 @@ filter output icmpv6 type { echo-request, echo-reply }
 </programlisting>
 </example>
 </refsect2>
+ <refsect2>
+ <title>Conntrack types</title>
+ <para>
+ This is an overview of types used in <command>ct</command>
+ expression and statement:
+ <table frame="all">
+ <tgroup cols="4" align="left" colsep="1" rowsep="1">
+ <colspec colname="c1"/>
+ <colspec colname="c2"/>
+ <colspec colname="c3"/>
+ <colspec colname="c4"/>
+ <thead>
+ <row>
+ <entry>Name</entry>
+ <entry>Keyword</entry>
+ <entry>Size</entry>
+ <entry>Base type</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>conntrack state</entry>
+ <entry>ct_state</entry>
+ <entry>4 byte</entry>
+ <entry>bitmask</entry>
+ </row>
+ <row>
+ <entry>conntrack direction</entry>
+ <entry>ct_dir</entry>
+ <entry>8 bit</entry>
+ <entry>integer</entry>
+ </row>
+ <row>
+ <entry>conntrack status</entry>
+ <entry>ct_status</entry>
+ <entry>4 byte</entry>
+ <entry>bitmask</entry>
+ </row>
+ <row>
+ <entry>conntrack event bits</entry>
+ <entry>ct_event</entry>
+ <entry>4 byte</entry>
+ <entry>bitmask</entry>
+ </row>
+ <row>
+ <entry>conntrack label</entry>
+ <entry>ct_label</entry>
+ <entry>128 bit</entry>
+ <entry>bitmask</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ </para>
+ <para>
+ For each of the types above, keywords are available for convenience:
+ <table frame="all">
+ <title>conntrack state (ct_state)</title>
+ <tgroup cols="2" align="left" colsep="1" rowsep="1">
+ <colspec colname="c1"/>
+ <colspec colname="c2"/>
+ <thead>
+ <row>
+ <entry>Keyword</entry>
+ <entry>Value</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>invalid</entry>
+ <entry>1</entry>
+ </row>
+ <row>
+ <entry>established</entry>
+ <entry>2</entry>
+ </row>
+ <row>
+ <entry>related</entry>
+ <entry>4</entry>
+ </row>
+ <row>
+ <entry>new</entry>
+ <entry>8</entry>
+ </row>
+ <row>
+ <entry>untracked</entry>
+ <entry>64</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ <table frame="all">
+ <title>conntrack direction (ct_dir)</title>
+ <tgroup cols="2" align="left" colsep="1" rowsep="1">
+ <colspec colname="c1"/>
+ <colspec colname="c2"/>
+ <thead>
+ <row>
+ <entry>Keyword</entry>
+ <entry>Value</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>original</entry>
+ <entry>0</entry>
+ </row>
+ <row>
+ <entry>reply</entry>
+ <entry>1</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ <table frame="all">
+ <title>conntrack status (ct_status)</title>
+ <tgroup cols="2" align="left" colsep="1" rowsep="1">
+ <colspec colname="c1"/>
+ <colspec colname="c2"/>
+ <thead>
+ <row>
+ <entry>Keyword</entry>
+ <entry>Value</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>expected</entry>
+ <entry>1</entry>
+ </row>
+ <row>
+ <entry>seen-reply</entry>
+ <entry>2</entry>
+ </row>
+ <row>
+ <entry>assured</entry>
+ <entry>4</entry>
+ </row>
+ <row>
+ <entry>confirmed</entry>
+ <entry>8</entry>
+ </row>
+ <row>
+ <entry>snat</entry>
+ <entry>16</entry>
+ </row>
+ <row>
+ <entry>dnat</entry>
+ <entry>32</entry>
+ </row>
+ <row>
+ <entry>dying</entry>
+ <entry>512</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ <table frame="all">
+ <title>conntrack event bits (ct_event)</title>
+ <tgroup cols="2" align="left" colsep="1" rowsep="1">
+ <colspec colname="c1"/>
+ <colspec colname="c2"/>
+ <thead>
+ <row>
+ <entry>Keyword</entry>
+ <entry>Value</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>new</entry>
+ <entry>1</entry>
+ </row>
+ <row>
+ <entry>related</entry>
+ <entry>2</entry>
+ </row>
+ <row>
+ <entry>destroy</entry>
+ <entry>4</entry>
+ </row>
+ <row>
+ <entry>reply</entry>
+ <entry>8</entry>
+ </row>
+ <row>
+ <entry>assured</entry>
+ <entry>16</entry>
+ </row>
+ <row>
+ <entry>protoinfo</entry>
+ <entry>32</entry>
+ </row>
+ <row>
+ <entry>helper</entry>
+ <entry>64</entry>
+ </row>
+ <row>
+ <entry>mark</entry>
+ <entry>128</entry>
+ </row>
+ <row>
+ <entry>seqadj</entry>
+ <entry>256</entry>
+ </row>
+ <row>
+ <entry>secmark</entry>
+ <entry>512</entry>
+ </row>
+ <row>
+ <entry>label</entry>
+ <entry>1024</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ <para>
+ Possible keywords for conntrack label type
+ (<command>ct_label</command>) are read at runtime from
+ <literal>/etc/connlabel.conf</literal>.
+ </para>
+ </para>
+ </refsect2>
 </refsect1>
 <refsect1>
@@ -3587,6 +3813,10 @@ ip6 filter input frag more-fragments 1 counter
 </tgroup>
 </table>
 </para>
+ <para>
+ A description of conntrack-specific types listed above can be
+ found sub-section <literal>CONNTRACK TYPES</literal> above.
+ </para>
 </refsect2>
 </refsect1>