author: Phil Sutter <phil@nwl.cc> 2017-08-10 19:29:16 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2017-08-14 11:32:20 +0200
commit: 8969206a63db5710a4889e6fe56523830c84633f (patch)
tree: 31baf737f937df384a6bb64a0eedc2a96c49b453 /doc
parent: e24da35ee3000d5373056ce58677e02cb878f7f7 (diff)
nft.8: Describe conntrack types
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'doc')
-rw-r--r-- doc/nft.xml 230
1 files changed, 230 insertions, 0 deletions
diff --git a/doc/nft.xml b/doc/nft.xml
index de8c2cb9..05790ba6 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -1931,6 +1931,232 @@ filter output icmpv6 type { echo-request, echo-reply }
</programlisting>
</example>
</refsect2>
+ <refsect2>
+ <title>Conntrack types</title>
+ <para>
+ This is an overview of types used in <command>ct</command>
+ expression and statement:
+ <table frame="all">
+ <tgroup cols="4" align="left" colsep="1" rowsep="1">
+ <colspec colname="c1"/>
+ <colspec colname="c2"/>
+ <colspec colname="c3"/>
+ <colspec colname="c4"/>
+ <thead>
+ <row>
+ <entry>Name</entry>
+ <entry>Keyword</entry>
+ <entry>Size</entry>
+ <entry>Base type</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>conntrack state</entry>
+ <entry>ct_state</entry>
+ <entry>4 byte</entry>
+ <entry>bitmask</entry>
+ </row>
+ <row>
+ <entry>conntrack direction</entry>
+ <entry>ct_dir</entry>
+ <entry>8 bit</entry>
+ <entry>integer</entry>
+ </row>
+ <row>
+ <entry>conntrack status</entry>
+ <entry>ct_status</entry>
+ <entry>4 byte</entry>
+ <entry>bitmask</entry>
+ </row>
+ <row>
+ <entry>conntrack event bits</entry>
+ <entry>ct_event</entry>
+ <entry>4 byte</entry>
+ <entry>bitmask</entry>
+ </row>
+ <row>
+ <entry>conntrack label</entry>
+ <entry>ct_label</entry>
+ <entry>128 bit</entry>
+ <entry>bitmask</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ </para>
+ <para>
+ For each of the types above, keywords are available for convenience:
+ <table frame="all">
+ <title>conntrack state (ct_state)</title>
+ <tgroup cols="2" align="left" colsep="1" rowsep="1">
+ <colspec colname="c1"/>
+ <colspec colname="c2"/>
+ <thead>
+ <row>
+ <entry>Keyword</entry>
+ <entry>Value</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>invalid</entry>
+ <entry>1</entry>
+ </row>
+ <row>
+ <entry>established</entry>
+ <entry>2</entry>
+ </row>
+ <row>
+ <entry>related</entry>
+ <entry>4</entry>
+ </row>
+ <row>
+ <entry>new</entry>
+ <entry>8</entry>
+ </row>
+ <row>
+ <entry>untracked</entry>
+ <entry>64</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ <table frame="all">
+ <title>conntrack direction (ct_dir)</title>
+ <tgroup cols="2" align="left" colsep="1" rowsep="1">
+ <colspec colname="c1"/>
+ <colspec colname="c2"/>
+ <thead>
+ <row>
+ <entry>Keyword</entry>
+ <entry>Value</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>original</entry>
+ <entry>0</entry>
+ </row>
+ <row>
+ <entry>reply</entry>
+ <entry>1</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ <table frame="all">
+ <title>conntrack status (ct_status)</title>
+ <tgroup cols="2" align="left" colsep="1" rowsep="1">
+ <colspec colname="c1"/>
+ <colspec colname="c2"/>
+ <thead>
+ <row>
+ <entry>Keyword</entry>
+ <entry>Value</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>expected</entry>
+ <entry>1</entry>
+ </row>
+ <row>
+ <entry>seen-reply</entry>
+ <entry>2</entry>
+ </row>
+ <row>
+ <entry>assured</entry>
+ <entry>4</entry>
+ </row>
+ <row>
+ <entry>confirmed</entry>
+ <entry>8</entry>
+ </row>
+ <row>
+ <entry>snat</entry>
+ <entry>16</entry>
+ </row>
+ <row>
+ <entry>dnat</entry>
+ <entry>32</entry>
+ </row>
+ <row>
+ <entry>dying</entry>
+ <entry>512</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ <table frame="all">
+ <title>conntrack event bits (ct_event)</title>
+ <tgroup cols="2" align="left" colsep="1" rowsep="1">
+ <colspec colname="c1"/>
+ <colspec colname="c2"/>
+ <thead>
+ <row>
+ <entry>Keyword</entry>
+ <entry>Value</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>new</entry>
+ <entry>1</entry>
+ </row>
+ <row>
+ <entry>related</entry>
+ <entry>2</entry>
+ </row>
+ <row>
+ <entry>destroy</entry>
+ <entry>4</entry>
+ </row>
+ <row>
+ <entry>reply</entry>
+ <entry>8</entry>
+ </row>
+ <row>
+ <entry>assured</entry>
+ <entry>16</entry>
+ </row>
+ <row>
+ <entry>protoinfo</entry>
+ <entry>32</entry>
+ </row>
+ <row>
+ <entry>helper</entry>
+ <entry>64</entry>
+ </row>
+ <row>
+ <entry>mark</entry>
+ <entry>128</entry>
+ </row>
+ <row>
+ <entry>seqadj</entry>
+ <entry>256</entry>
+ </row>
+ <row>
+ <entry>secmark</entry>
+ <entry>512</entry>
+ </row>
+ <row>
+ <entry>label</entry>
+ <entry>1024</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ <para>
+ Possible keywords for conntrack label type
+ (<command>ct_label</command>) are read at runtime from
+ <literal>/etc/connlabel.conf</literal>.
+ </para>
+ </para>
+ </refsect2>
</refsect1>
<refsect1>
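Review bot: the ct_label paragraph at the end of the hunk is a `<para>` nested inside the `<para>` opened at "For each of the types above, keywords are available for convenience:", which is why the hunk closes with `</para>` `</para>`; close the outer paragraph right after the ct_event table and let the ct_label note stand as its own paragraph. Two smaller points: the overview table is the only one of the five without a `<title>`, and its Size column mixes units ("4 byte", "8 bit", "128 bit"); a single unit, e.g. "32 bit" / "8 bit" / "128 bit", reads better next to the bitmask base type. The jumps in the value columns (ct_state goes 8 to 64, ct_status goes 32 to 512) look like typos at first glance, so a one-line remark that the gaps are intentional would save readers a question. Wording: "used in <command>ct</command> expression and statement" wants an article, "used in the <command>ct</command> expression and statement".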
@@ -3587,6 +3813,10 @@ ip6 filter input frag more-fragments 1 counter
</tgroup>
</table>
</para>
+ <para>
+ A description of conntrack-specific types listed above can be
+ found sub-section <literal>CONNTRACK TYPES</literal> above.
+ </para>
</refsect2>
</refsect1>
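Review bot: "can be found sub-section" is missing "in the", and "listed above ... above" repeats itself; suggest "A description of the conntrack-specific types listed above can be found in the <literal>CONNTRACK TYPES</literal> sub-section." Also note the cross-reference spells the section as CONNTRACK TYPES while the refsect2 added in the first hunk is titled "Conntrack types"; if the rendered man page does not uppercase refsect2 titles, the two will not match, so it is worth checking the generated output.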