summaryrefslogtreecommitdiffstats
path: root/doc
Commit message (Collapse)AuthorAgeFilesLines
* doc: nft.8: describe inet ingress hookPablo Neira Ayuso12 days1-4/+17
| | | | | | Available since Linux kernel >= 5.10. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: migrate man page examples with `meter` directive to setsDevin Bayer2020-10-012-15/+26
| | | | | | | this updates the two examples in the man page that use the obsolete `meter` to use sets. I also fixed a bit of formatting for the conntrack expressions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: added documentation on "socket wildcard"Balazs Scheidler2020-08-291-3/+8
| | | | | Signed-off-by: Balazs Scheidler <bazsi77@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: rearrange help output to group related options togetherArturo Borrero Gonzalez2020-07-291-38/+56
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It has been reported that nft options are a bit chaotic. With a growing list of options for the nft CLI, we can do better when presenting them to the user who requests help. This patch introduces a textual output grouping for options, in 4 groups: * Options (general) -- common Unix utility options * Options (operative) -- the options that modify the operative behaviour of nft * Options (translation) -- output text modifiers for data translation * Options (parsing) -- output text modifiers for parsing and other operations There is no behavior change in this patch, is mostly a cosmetic change in the hope that users will find the nft tool a bit less confusing to use. After this patch, the help output is: === 8< === % nft --help Usage: nft [ options ] [ cmds... ] Options (general): -h, help Show this help -v, version Show version information -V Show extended version information Options (ruleset input handling): -f, file <filename> Read input from <filename> -i, interactive Read input from interactive CLI -I, includepath <directory> Add <directory> to the paths searched for include files. Defaul[..] -c, check Check commands validity without actually applying the changes. Options (ruleset list formatting): -a, handle Output rule handle. -s, stateless Omit stateful information of ruleset. -t, terse Omit contents of sets. -S, service Translate ports to service names as described in /etc/services. -N, reversedns Translate IP addresses to names. -u, guid Print UID/GID as defined in /etc/passwd and /etc/group. -n, numeric Print fully numerical output. -y, numeric-priority Print chain priority numerically. -p, numeric-protocol Print layer 4 protocols numerically. -T, numeric-time Print time values numerically. Options (command output format): -e, echo Echo what has been added, inserted or replaced. -j, json Format output in JSON -d, debug <level [,level...]> Specify debugging level (scanner, parser, eval, netlink, mnl, p[..] === 8< === While at it, refresh the man page to better reflex this new grouping, and add some missing options. Joint work with Pablo. Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: revisit meta/rt primary expressions and ct statementFlorian Westphal2020-06-252-4/+12
| | | | | | | Clarify meta/rt ipsec examples and document that 'ct helper set' needs to be used *after* conntrack lookup. Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: Document notrack statementPhil Sutter2020-06-221-0/+14
| | | | | | | | Merely a stub, but better to mention it explicitly instead of having it appear in synproxy examples and letting users guess as to what it does. Signed-off-by: Phil Sutter <phil@nwl.cc> Reviewed-by: Florian Westphal <fw@strlen.de>
* datatype: add frag-needed (ipv4) to reject optionsMichael Braun2020-05-281-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | This enables to send icmp frag-needed messages using reject target. I have a bridge with connects an gretap tunnel with some ethernet lan. On the gretap device I use ignore-df to avoid packets being lost without icmp reject to the sender of the bridged packet. Still I want to avoid packet fragmentation with the gretap packets. So I though about adding an nftables rule like this: nft insert rule bridge filter FORWARD \ ip protocol tcp \ ip length > 1400 \ ip frag-off & 0x4000 != 0 \ reject with icmp type frag-needed This would reject all tcp packets with ip dont-fragment bit set that are bigger than some threshold (here 1400 bytes). The sender would then receive ICMP unreachable - fragmentation needed and reduce its packet size (as defined with PMTU). [ pablo: update tests/py ] Signed-off-by: Michael Braun <michael-dev@fami-braun.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: fix tentative generation of nft.8 after disabled docLaura Garcia Liebana2020-05-181-1/+1
| | | | | | | | | | | | | | | | | | | Despite doc generation is disabled, the makefile is trying to build it. $ ./configure --disable-man-doc $ make Making all in doc make[2]: Entering directory '/workdir/build-pkg/workdir/doc' make[2]: *** No rule to make target 'nft.8', needed by 'all-am'. Stop. make[2]: Leaving directory '/workdir/build-pkg/workdir/doc' make[1]: *** [Makefile:479: all-recursive] Error 1 make[1]: Leaving directory '/workdir/build-pkg/workdir' make: *** [Makefile:388: all] Error 2 Fixes: 4f2813a313ae0 ("build: Include generated man pages in dist tarball") Reported-by: Adan Marin Jacquot <adan.marin@zevenet.com> Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: Add support for the 'id' keyBrett Mastbergen2020-05-011-1/+4
| | | | | | | | | The 'id' key allows for matching on the id of the conntrack entry. v2: Remove ct_id_type Signed-off-by: Brett Mastbergen <brett.mastbergen@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: Include generated man pages in dist tarballMatt Turner2020-04-191-9/+8
| | | | | | | | | | | | | | | | | | Most projects ship pre-generated man pages in the distribution tarball so that builders don't need the documentation tools installed, similar to how bison-generated sources are included. To do this, we conditionalize the presence check of a2x on whether nft.8 already exists in the source directory, as it would exist if included in the distribution tarball. Secondly, we move the 'if BUILD_MAN' conditional to around the man page generation rules. This ensures that the man pages are unconditionally installed. Also only add the man pages to CLEANFILES if their generation is enabled. Signed-off-by: Matt Turner <mattst88@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: add hashing expressions descriptionLaura Garcia Liebana2020-04-011-0/+29
| | | | | | | | The hashing expressions jhash and symhash are missing in the nft manual. Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: nft.8: Mention wildcard interface matchingPhil Sutter2020-02-101-0/+7
| | | | | | | Special meaning of asterisk in interface names wasn't described anywhere. Signed-off-by: Phil Sutter <phil@nwl.cc>
* doc: nft.8: Describe element commands in their own sectionPhil Sutter2020-02-071-3/+37
| | | | | | | This unifies the redundant information in sets and maps sections and also covers 'get' command. Signed-off-by: Phil Sutter <phil@nwl.cc>
* meta: add slave device matchingFlorian Westphal2020-01-031-0/+6
| | | | | | | | Adds "meta sdif" and "meta sdifname". Both only work in input/forward hook of ipv4/ipv6/inet family. Cc: Martin Willi <martin@strongswan.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: Fix typo in IGMP sectionBenjamin Poirier2019-12-301-1/+1
| | | | | Signed-off-by: Benjamin Poirier <benjamin.poirier@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: mention 'typeof' as alternative to 'type' keywordFlorian Westphal2019-12-171-3/+9
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: Remove repeated paragraph and fix typonl67202019-12-091-7/+1
| | | | | | | [ Florian: Expand "ininterface" to "incoming interface" ] Signed-off-by: nl6720 <nl6720@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: Clarify conditions under which a reject verdict is permissibleDuncan Roe2019-12-061-2/+3
| | | | | | | | | A phrase like "input chain" is a throwback to xtables documentation. In nft, chains are containers for rules. They do have a type, but what's important here is which hook each uses. Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au> Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: fix inconsistency in set statement documentation.Jeremy Sowden2019-12-021-4/+9
| | | | | | | | | | | | | | The description of the set statement asserts that the set must have been created with the "dynamic" flag. However, this is not the case, and it is contradicted by the following example in which the "dynamic" flag does not appear. In fact, one or both of the "dynamic" or the "timeout" flags need to be used, depending on what the set statement contains. Amend the description to explain this more accurately. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft.8: Fix nat family spec positionPhil Sutter2019-11-271-2/+2
| | | | | | | | | | In inet family nat statements, ip/ip6 keyword must come before 'to' keyword, not after. Fixes: fbe27464dee45 ("src: add nat support for the inet family") Cc: Florian Westphal <fw@strlen.de> Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft.8: Describe numgen expressionPhil Sutter2019-11-271-0/+26
| | | | | Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: Drop incorrect requirement for nft configsPhil Sutter2019-11-061-2/+1
| | | | | | The shebang is not needed in files to be used with --file parameter. Signed-off-by: Phil Sutter <phil@nwl.cc>
* src: flowtable: add support for delete command by handleEric Jallot2019-11-062-0/+4
| | | | | | | Also, display handle when listing with '-a'. Signed-off-by: Eric Jallot <ejallot@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: fix missing family in plural forms list command.Eric Jallot2019-10-311-6/+7
| | | | | | Fixes: 067ac215e93f ("doc: update nft list plural form parameters") Signed-off-by: Eric Jallot <ejallot@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: flowtable: add support for named flowtable listingEric Jallot2019-10-311-4/+4
| | | | | | | | | | | | | | | | | | | | This patch allows you to dump a named flowtable. # nft list flowtable inet t f table inet t { flowtable f { hook ingress priority filter + 10 devices = { eth0, eth1 } } } Also: libnftables-json.adoc: fix missing quotes. Fixes: db0697ce7f60 ("src: support for flowtable listing") Fixes: 872f373dc50f ("doc: Add JSON schema documentation") Signed-off-by: Eric Jallot <ejallot@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: add missing output flag documentation.Jeremy Sowden2019-10-231-0/+6
| | | | | | | | The documentation for NFT_CTX_OUTPUT_FLAG_NUMERIC_TIME and NFT_CTX_OUTPUT_FLAG_NUMERIC_ALL is incomplete. Add the missing bits. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add --terse to suppress output of set elements.Jeremy Sowden2019-10-222-9/+16
| | | | | | | | | | | | Listing an entire ruleset or a table with `nft list` prints the elements of all set definitions within the ruleset or table. Seeing the full set contents is not often necessary especially when requesting to see someone's ruleset for help and support purposes. Add a new option '-t, --terse' options to suppress the output of set contents. Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1374 Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: use `-T` as the short option for `--numeric-time`.Jeremy Sowden2019-10-221-1/+1
| | | | | | | | | A new `--terse` option will be introduced in a later patch. Change the short option used for `--numeric-time` from `-t` to `-T` in order to leave `-t` free. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expression: extend 'nft describe' to allow listing data typesFlorian Westphal2019-10-142-1/+16
| | | | | | | | | | | | | | | | | nft describe ct_status before: symbol expression, datatype invalid (invalid), 0 bits after: datatype ct_status (conntrack status) (basetype bitmask, integer), 32 bits pre-defined symbolic constants (in hexadecimal): expected 0x00000001 seen-reply 0x00000002 [..] Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: Introduce new conditions 'time', 'day' and 'hour'Ander Juaristi2019-09-062-3/+30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | These keywords introduce new checks for a timestamp, an absolute date (which is converted to a timestamp), an hour in the day (which is converted to the number of seconds since midnight) and a day of week. When converting an ISO date (eg. 2019-06-06 17:00) to a timestamp, we need to substract it the GMT difference in seconds, that is, the value of the 'tm_gmtoff' field in the tm structure. This is because the kernel doesn't know about time zones. And hence the kernel manages different timestamps than those that are advertised in userspace when running, for instance, date +%s. The same conversion needs to be done when converting hours (e.g 17:00) to seconds since midnight as well. The result needs to be computed modulo 86400 in case GMT offset (difference in seconds from UTC) is negative. We also introduce a new command line option (-t, --seconds) to show the actual timestamps when printing the values, rather than the ISO dates, or the hour. Some usage examples: time < "2019-06-06 17:00" drop; time < "2019-06-06 17:20:20" drop; time < 12341234 drop; day "Saturday" drop; day 6 drop; hour >= 17:00 drop; hour >= "17:00:01" drop; hour >= 63000 drop; We need to convert an ISO date to a timestamp without taking into account the time zone offset, since comparison will be done in kernel space and there is no time zone information there. Overwriting TZ is portable, but will cause problems when parsing a ruleset that has 'time' and 'hour' rules. Parsing an 'hour' type must not do time zone conversion, but that will be automatically done if TZ has been overwritten to UTC. Hence, we use timegm() to parse the 'time' type, even though it's not portable. Overwriting TZ seems to be a much worse solution. Finally, be aware that timestamps are converted to nanoseconds when transferring to the kernel (as comparison is done with nanosecond precision), and back to seconds when retrieving them for printing. We swap left and right values in a range to properly handle cross-day hour ranges (e.g. 23:15-03:22). Signed-off-by: Ander Juaristi <a@juaristi.eus> Reviewed-by: Florian Westphal <fw@strlen.de>
* doc: don't check asciidoc output with xmllintArturo Borrero Gonzalez2019-08-151-1/+1
| | | | | | | | | | We don't need to check asciidoc output with xmllint because the generated XML is generated by a tool, not by a human. Moreover, xmllint can cause problems because it will try to download the DTD and that is problematic in build systems with no network access. Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: fib: explain example in more detailFlorian Westphal2019-07-251-0/+6
| | | | | | | | | As noted by Felix Dreissig, fib documentation is quite terse, so explain the 'saddr . iif' example with a few more words. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1220 Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: fib: explain example in more detailFlorian Westphal2019-07-221-0/+6
| | | | | | | | As noted by Felix Dreissig, fib documentation is quite terse, so explain the 'saddr . iif' example with a few more words. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1220 Signed-off-by: Florian Westphal <fw@strlen.de>
* src: introduce SYNPROXY matchingFernando Fernandez Mancera2019-07-171-0/+87
| | | | | | | | | | | | | | | | | | | | Add support for "synproxy" statement. For example (for TCP port 8888): table ip x { chain y { type filter hook prerouting priority raw; policy accept; tcp dport 8888 tcp flags syn notrack } chain z { type filter hook input priority filter; policy accept; tcp dport 8888 ct state invalid,untracked synproxy mss 1460 wscale 7 timestamp sack-perm ct state invalid drop } } Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add ct expectations supportSt├ęphane Veyret2019-07-162-3/+101
| | | | | | | This modification allow to directly add/list/delete expectations. Signed-off-by: St├ęphane Veyret <sveyret@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* proto: add pseudo th protocol to match d/sport in generic wayFlorian Westphal2019-07-151-0/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Problem: Its not possible to easily match both udp and tcp in a single rule. ... input ip protocol { tcp,udp } dport 53 will not work, as bison expects "tcp dport" or "sctp dport", or any other transport protocol name. Its possible to match the sport and dport via raw payload expressions, e.g.: ... input ip protocol { tcp,udp } @th,16,16 53 but its not very readable. Furthermore, its not possible to use this for set definitions: table inet filter { set myset { type ipv4_addr . inet_proto . inet_service } chain forward { type filter hook forward priority filter; policy accept; ip daddr . ip protocol . @th,0,16 @myset } } # nft -f test test:7:26-35: Error: can not use variable sized data types (integer) in concat expressions During the netfilter workshop Pablo suggested to add an alias to do raw sport/dport matching more readable, and make it use the inet_service type automatically. So, this change makes @th,0,16 work for the set definition case by setting the data type to inet_service. A new "th s|dport" syntax is provided as readable alternative: ip protocol { tcp, udp } th dport 53 As "th" is an alias for the raw expression, no dependency is generated -- its the users responsibility to add a suitable test to select the l4 header types that should be matched. Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: add support for matching IPv4 optionsStephen Suryaputra2019-07-041-2/+27
| | | | | | | | | Add capability to have rules matching IPv4 options. This is developed mainly to support dropping of IP packets with loose and/or strict source route route options. Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* monitor: Accept -j flagPhil Sutter2019-06-131-7/+2
| | | | | | | | | | | | Make 'nft -j monitor' equal to 'nft monitor json' and change documentation to use only the first variant since that is more intuitive and also consistent with other commands. While being at it, drop references to XML from monitor section - it was never supported. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support for arp sender and target ethernet and IPv4 addressesPablo Neira Ayuso2019-05-241-1/+13
| | | | | | | | | | | | | | | | | | | | | | | | # nft add table arp x # nft add chain arp x y { type filter hook input priority 0\; } # nft add rule arp x y arp saddr ip 192.168.2.1 counter Testing this: # ip neigh flush dev eth0 # ping 8.8.8.8 # nft list ruleset table arp x { chain y { type filter hook input priority filter; policy accept; arp saddr ip 192.168.2.1 counter packets 1 bytes 46 } } You can also specify hardware sender address, eg. # nft add rule arp x y arp saddr ether aa:bb:cc:aa:bb:cc drop counter Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: Support nat in inet familyPhil Sutter2019-05-091-0/+5
| | | | | | | | Add the missing bits to JSON parser, printer, man page and testsuite. Fixes: fbe27464dee45 ("src: add nat support for the inet family") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: Review man page synopsesPhil Sutter2019-05-085-118/+164
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix use of font typefaces: - *bold* for terminals - 'italic' for non-terminals - plain for meta-characters Apart from that: * Variable definitions require an equals sign * 'auto-merge' option in set spec does not take a parameter * List header fields in payload expressions instead of unexplained placeholder * Introduce non-terminals in some places to avoid repetitions or clarify syntax * Fix syntax for ip6 header expresssion example * Reorganize ct expression synopsis into four parts: 1) direction not allowed 2) direction optional 3) direction mandatory 4) direction and family mandatory * Add missing 'version' keyword to osf expression * Clarify verdict statements example topic * Add synopses for payload and exthdr statements * Fix typo: differv -> diffserv * Reorganize reject statement synopsis to point out which code type is required for which type arg * Counter statement requires either one of 'packets' or 'bytes' args or both, none is an invalid variant * Limit statement accepts a unit in burst, too * Improve language in limit statement description a bit Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add nat support for the inet familyFlorian Westphal2019-04-092-4/+22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | consider a simple ip6 nat table: table ip6 nat { chain output { type nat hook output priority 0; policy accept; dnat to dead:2::99 } Now consider same ruleset, but using 'table inet nat': nft now lacks context to determine address family to parse 'to $address'. This adds code to make the following work: table inet nat { [ .. ] # detect af from network protocol context: ip6 daddr dead::2::1 dnat to dead:2::99 # use new dnat ip6 keyword: dnat ip6 to dead:2::99 } On list side, the keyword is only shown in the inet family, else the short version (dnat to ...) is used as the family is redundant when the table already mandates the ip protocol version supported. Address mismatches such as table ip6 { .. dnat ip to 1.2.3.4 are detected/handled during the evaluation phase. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: add osf version option to man pageFernando Fernandez Mancera2019-04-081-0/+2
| | | | | Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: update nft list plural form parametersFernando Fernandez Mancera2019-04-081-0/+6
| | | | | Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: Add minimal description of (v)map statementsPhil Sutter2019-04-031-0/+34
| | | | | | | | Although quite useful, these were missing in man page. Content loosely based on wiki documentation. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: use 'flow add' syntaxPablo Neira Ayuso2019-03-202-5/+5
| | | | | | As discussed during NFWS 2018. Old syntax is stilled allowed. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: update goto/jump help textFlorian Westphal2019-03-011-3/+18
| | | | | | | | pointed out by redsh on #netfilter: uses "of" instead of "or". While at it, explain continue and update return statement. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: add iifkind and oifkind supportwenxu2019-01-281-1/+7
| | | | | | | | | | This can be used to match the kind type of iif or oif interface of the packet. Example: add rule inet raw prerouting meta iifkind "vrf" accept Signed-off-by: wenxu <wenxu@ucloud.cn> Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: fix non-working exampleFlorian Westphal2019-01-251-1/+1
| | | | | | | nft doesn't have the context to translate "dns" or "http" as being service names here. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add igmp supportPablo Neira Ayuso2019-01-091-0/+28
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>