diff options
| author | Phil Sutter <phil@nwl.cc> | 2018-05-09 16:03:42 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-05-09 18:29:21 +0200 |
| commit | 816d8c7659c1d90ce6827baaa939820a3bae2ae0 (patch) | |
| tree | fca73c0fcee84c77dfd27a4067dd3f27aa25e79d /doc/nft.xml | |
| parent | 5a7775a1d699ced8a0c760d4849c4e84bac9268a (diff) | |
Support 'add/insert rule index <IDX>'
Allow to specify an absolute rule position in add/insert commands like
with iptables. The translation to rule handle takes place in userspace,
so no kernel support for this is needed. Possible undesired effects are
pointed out in man page to make users aware that this way of specifying
a rule location might not be ideal.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'doc/nft.xml')
| -rw-r--r-- | doc/nft.xml | 31 |
1 files changed, 24 insertions, 7 deletions
diff --git a/doc/nft.xml b/doc/nft.xml index b80c8c43..ab94bff4 100644 --- a/doc/nft.xml +++ b/doc/nft.xml @@ -875,13 +875,19 @@ add table inet mytable <arg choice="opt"><replaceable>family</replaceable></arg> <replaceable>table</replaceable> <replaceable>chain</replaceable> - <arg choice="opt"> - <group choice="req"> - <arg>handle</arg> - <arg>position</arg> - </group> - <replaceable>handle</replaceable> - </arg> + <group choice="opt"> + <arg> + <group choice="req"> + <arg>handle</arg> + <arg>position</arg> + </group> + <replaceable>handle</replaceable> + </arg> + <arg> + <literal>index</literal> + <replaceable>index</replaceable> + </arg> + </group> <replaceable>statement</replaceable>... </cmdsynopsis> <cmdsynopsis> @@ -909,6 +915,17 @@ add table inet mytable Rules are constructed from two kinds of components according to a set of grammatical rules: expressions and statements. </para> + <para> + The <literal>add</literal> and <literal>insert</literal> commands support an optional + location specifier, which is either a <replaceable>handle</replaceable> of an existing + rule or an absolute <replaceable>index</replaceable> (starting at zero). Internally, + rule locations are always identified by <replaceable>handle</replaceable> and the + translation from <replaceable>index</replaceable> happens in userspace. This has two + potential implications in case a concurrent ruleset change happens after the translation + was done: The effective rule index might change if a rule was inserted or deleted before + the referred one. If the referred rule was deleted, the command is rejected by the + kernel just as if an invalid <replaceable>handle</replaceable> was given. + </para> <variablelist> <varlistentry> |