Diffstat (limited to 'doc/primary-expression.txt')
1 files changed, 15 insertions, 7 deletions
diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index 48a7609d..e87e8cc2 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -123,7 +123,7 @@ integer (32 bit)
pseudo-random number|
integer (32 bit)
+true if packet was ipsec encrypted |
boolean (1 bit)
Input interface kind |
@@ -162,7 +162,7 @@ Device group (32 bit number). Can be specified numerically or as symbolic name d
Packet type: *host* (addressed to local host), *broadcast* (to all),
*multicast* (to group), *other* (addressed to another host).
-Interface kind (16 byte string). Does not have to exist.
+Interface kind (16 byte string). See TYPES in ip-link(8) for a list.
Either an integer or a date in ISO format. For example: "2019-06-06 17:00".
Hour and seconds are optional and can be omitted if desired. If omitted,
@@ -183,18 +183,19 @@ For example, 17:00 and 17:00:00 would be equivalent.
# qualified meta expression
filter output meta oif eth0
+filter forward meta iifkind { "tun", "veth" }
# unqualified meta expression
filter output oif eth0
-# packet was subject to ipsec processing
+# incoming packet was subject to ipsec processing
raw prerouting meta ipsec exists accept
-*socket* {*transparent* | *mark*}
+*socket* {*transparent* | *mark* | *wildcard*}
Socket expression can be used to search for an existing open TCP/UDP socket and
its attributes that can be associated with a packet. It looks for an established
@@ -208,15 +209,20 @@ or non-zero bound listening socket (possibly with a non-local address).
Value of the IP_TRANSPARENT socket option in the found socket. It can be 0 or 1.|
boolean (1 bit)
|mark| Value of the socket mark (SOL_SOCKET, SO_MARK). | mark
+Indicates whether the socket is wildcard-bound (e.g. or ::0). |
+boolean (1 bit)
.Using socket expression
-# Mark packets that correspond to a transparent socket
+# Mark packets that correspond to a transparent socket. "socket wildcard 0"
+# means that zero-bound listener sockets are NOT matched (which is usually
+# exactly what you want).
table inet x {
chain y {
type filter hook prerouting priority -150; policy accept;
- socket transparent 1 mark set 0x00000001 accept
+ socket transparent 1 socket wildcard 0 mark set 0x00000001 accept
@@ -362,13 +368,15 @@ Routing Realm (32 bit number). Can be specified numerically or as symbolic name
# IP family independent rt expression
filter output rt classid 10
-filter output rt ipsec missing
# IP family dependent rt expressions
ip filter output rt nexthop
ip6 filter output rt nexthop fd00::1
inet filter output rt ip nexthop
inet filter output rt ip6 nexthop fd00::1
+# outgoing packet will be encapsulated/encrypted by ipsec
+filter output rt ipsec exists