author Florian Westphal <> 2018-02-27 12:48:16 +0100
committer Florian Westphal <> 2018-02-27 12:48:16 +0100
commit 48b99f03b5e43eac2bf93251f8fa1c9ceb516abb
tree a2123257cb1d86a90457fb2d6b03f3846e3d63ec /doc
parent 5a5cdd5d42f0aa8fc78ac1ff81a423fc40072fea
doc: mention meta l4proto and ipv6 nexthdr issue wrt. extension headers
Signed-off-by: Florian Westphal <>
Diffstat (limited to 'doc')
1 files changed, 25 insertions, 1 deletions
diff --git a/doc/nft.xml b/doc/nft.xml
index bddc527f..2b88727c 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -2523,6 +2523,9 @@ filter output icmpv6 type { echo-request, echo-reply }
Qualified meta expressions require the <command>meta</command> keyword before the
meta key, unqualified meta expressions can be specified by using the meta key directly
or as qualified meta expressions.
+ Meta l4proto is useful to match a particular transport protocol that is part of either
+ an IPv4 or IPv6 packet. It will also skip any IPv6 extension headers present in an IPv6 packet.
<table frame="all">
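Review bot: The added sentence writes "Meta l4proto" as plain text with a capital M, while the ip6 hunk later in this patch marks the same expression up as <command>meta l4proto</command>; wrap it in <command> here as well so the keyword renders consistently. Because the value of this sentence is the contrast with matching on the IPv6 next header field, a short pointer to the <command>ip6 nexthdr</command> caution would help readers who reach the meta section first.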
@@ -2550,6 +2553,11 @@ filter output icmpv6 type { echo-request, echo-reply }
<entry>integer (32 bit)</entry>
+ <entry>l4proto</entry>
+ <entry>layer 4 protocol, skips ipv6 extension headers</entry>
+ <entry>integer (8 bit)</entry>
+ </row>
+ <row>
<entry>Ethertype protocol value</entry>
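Review bot: The description in the new row spells the protocol "ipv6" in lower case, while the paragraph added in the first hunk uses "IPv6"; use one spelling throughout. The row could also say "transport protocol", the wording the paragraph uses, so that the table entry and the prose describe l4proto in the same terms.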
@@ -3227,6 +3235,15 @@ inet filter output rt ip6 nexthop fd00::1
+ This expression refers to the ipv6 header fields.
+ Caution when using <command>ip6 nexthdr</command>, the value only refers to
+ the next header, i.e. <command>ip6 nexthdr tcp</command> will only match if the ipv6 packet does not
+ contain any extension headers. Packets that are fragmented or e.g. contain a routing extension headers
+ will not be matched.
+ Please use <command>meta l4proto</command> if you wish to match the real transport header and
+ ignore any additional extension headers instead.
+ </para>
+ <para>
<table frame="all">
<title>IPv6 header expression</title>
<tgroup cols='3' align='left' colsep='1' rowsep='1'>
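Review bot: Two wording problems in the added caution: "Caution when using <command>ip6 nexthdr</command>, the value only refers to the next header" is a run-on, and "contain a routing extension headers" mixes singular and plural. Suggest "Caution: <command>ip6 nexthdr</command> only refers to the next header field" and "contain a routing extension header". It would also help to state the consequence for rulesets directly: a rule keyed on <command>ip6 nexthdr tcp</command> does not apply to TCP packets that carry extension headers or are fragmented, which matters most when the rule is meant to restrict traffic.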
@@ -3290,8 +3307,15 @@ inet filter output rt ip6 nexthop fd00::1
+ <para>
+ <example>
+ <title>matching if first extension header indicates a fragment</title>
+ <programlisting>
+ip6 nexthdr ipv6-frag counter
+ </programlisting>
+ </example>
+ </para>
<title>ICMPv6 header expression</title>
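Review bot: The only example added, <command>ip6 nexthdr ipv6-frag counter</command>, shows the case where matching the first next header value is intended, but nothing demonstrates the alternative the caution recommends. Consider a second example that uses <command>meta l4proto</command> so the two behaviours can be compared. In the visible context the new para sits directly before the "ICMPv6 header expression" title, so please check that it ends up inside the IPv6 header section rather than at the start of the ICMPv6 one.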