summaryrefslogtreecommitdiffstats
path: root/doc
Commit message (Collapse)AuthorAgeFilesLines
* Implement 'reset rule' and 'reset rules' commandsPhil Sutter11 days2-2/+6
| | | | | | | | Reset rule counters and quotas in kernel, i.e. without having to reload them. Requires respective kernel patch to support NFT_MSG_GETRULE_RESET message type. Signed-off-by: Phil Sutter <phil@nwl.cc>
* doc: add gretap matching expressionPablo Neira Ayuso2023-01-021-0/+20
| | | | | | | | Document new gretap matching expression. This includes support for matching the encapsulated ethernet frame layer 2, 3 and 4 headers within the gre header. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: add geneve matching expressionPablo Neira Ayuso2023-01-021-0/+33
| | | | | Document new geneve matching expression. This includes support for matching the encapsulated ethernet frame layer 2, 3 and 4 headers.
* doc: add gre matching expressionPablo Neira Ayuso2023-01-021-0/+30
| | | | | | | Document new vxlan matching expression. This includes support for matching the encapsulated ethernet frame layer 3 and 4 headers. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: add vxlan matching expressionPablo Neira Ayuso2023-01-021-0/+71
| | | | | | | Document new vxlan matching expression. This includes support for matching the encapsulated ethernet frame layer 2, 3 and 4 headers. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: add/update can be used with maps tooFlorian Westphal2022-12-131-0/+4
| | | | | | | The man page implies that add/update are only supported with sets, but this can be used with maps as well. Signed-off-by: Florian Westphal <fw@strlen.de>
* xt: Rewrite unsupported compat expression dumpingPhil Sutter2022-12-132-3/+32
| | | | | | | | | Choose a format which provides more information and is easily parseable. Then teach parsers about it and make it explicitly reject the ruleset giving a meaningful explanation. Also update the man pages with some more details. Signed-off-by: Phil Sutter <phil@nwl.cc>
* doc: statements: fwd supports for sending packets via neighbouring layerPablo Neira Ayuso2022-12-071-0/+17
| | | | | | | Document ability to forward packets through neighbour layer added in 30d45266bf38 ("expr: extend fwd statement to support address and family"). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: payload-expression.txt: Mention that 'ih' existsHarald Welte2022-12-061-0/+2
| | | | | | | | | | | Back in commit b67abc51ba6f ("src: raw payload match and mangle on inner header / payload data") a new payload expression 'ih' was added, but the documentation wasn't updated accordingly. Let's at least mention in the man page that it exists at all. Signed-off-by: Harald Welte <laforge@gnumonks.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: no reset support for limitPablo Neira Ayuso2022-11-091-1/+1
| | | | | | | Remove reset command, this not supported for ratelimit. Fixes: eff2d606d20d ("doc: document a few reset commands supported by the parser") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: document a few reset commands supported by the parserPablo Neira Ayuso2022-11-091-2/+10
| | | | | | | | | | | | | The following are missing in the manpage: *reset counters* ['family'] *reset quotas* ['family'] *reset counters* ['family'] *table* 'table' *reset quotas* ['family'] *table* 'table' While at it, expand type to the supported stateful objects. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: mention vlan matching in ip/ip6/inet familiesFlorian Westphal2022-09-281-0/+8
| | | | | | | It only works if vlan_reorder is turned off to disable the vlan tag removal. Signed-off-by: Florian Westphal <fw@strlen.de>
* doc, src: make some spelling and grammatical improvementsJeremy Sowden2022-09-225-14/+14
| | | | | | | | | | | | | Fix a couple of spelling mistakes: 'expresion' -> 'expression' and correct some non-native usages: 'allows to' -> 'allows one to' Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: add nft_ctx_add_var() and nft_ctx_clear_vars() docsFernando Fernandez Mancera2022-09-161-0/+11
| | | | | | | | Add missing documentation for nft_ctx_add_var() and nft_ctx_clear_vars() functions. Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow burst 0 for byte ratelimit and use it as defaultPablo Neira Ayuso2022-08-311-2/+7
| | | | | | | | | | | | | | | | | Packet-based limit burst is set to 5, as in iptables. However, byte-based limit burst adds to the rate to calculate the bucket size, and this is also sets this to 5 (... bytes in this case). Update it to use zero byte burst by default instead. This patch also updates manpage to describe how the burst value influences the kernel module's token bucket in each of the two modes. This documentation update is based on original text by Phil Sutter. Adjust tests/py to silence warnings due to mismatching byte burst. Fixes: 285baccfea46 ("src: disallow burst 0 in ratelimits") Acked-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: nft.8: Add missing '-T' in synopsisPhil Sutter2022-08-301-1/+1
| | | | | | | | Originally a typo in fixed commit: It added 't' in lower case, but meanwhile '-t' was added as well. Fixes: f8f32deda31df ("meta: Introduce new conditions 'time', 'day' and 'hour'") Signed-off-by: Phil Sutter <phil@nwl.cc>
* doc: Document limitations of ipsec expression with xfrm_interfacePhil Sutter2022-07-281-0/+4
| | | | | | | | Point at a possible solution to match IPsec info of locally generated traffic routed to an xfrm-type interface. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add tcp option reset supportFlorian Westphal2022-02-281-1/+8
| | | | | | | This allows to replace a tcp option with nops, similar to the TCPOPTSTRIP feature of iptables. Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: add undefine and redefine keywordsPierre Ducroquet2022-02-071-0/+6
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add ruleset optimization infrastructurePablo Neira Ayuso2022-01-151-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds a new -o/--optimize option to enable ruleset optimization. You can combine this option with the dry run mode (--check) to review the proposed ruleset updates without actually loading the ruleset, e.g. # nft -c -o -f ruleset.test Merging: ruleset.nft:16:3-37: ip daddr 192.168.0.1 counter accept ruleset.nft:17:3-37: ip daddr 192.168.0.2 counter accept ruleset.nft:18:3-37: ip daddr 192.168.0.3 counter accept into: ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 } counter packets 0 bytes 0 accept This infrastructure collects the common statements that are used in rules, then it builds a matrix of rules vs. statements. Then, it looks for common statements in consecutive rules which allows to merge rules. This ruleset optimization always performs an implicit dry run to validate that the original ruleset is correct. Then, on a second pass, it performs the ruleset optimization and add the rules into the kernel (unless --check has been specified by the user). From libnftables perspective, there is a new API to enable this feature: uint32_t nft_ctx_get_optimize(struct nft_ctx *ctx); void nft_ctx_set_optimize(struct nft_ctx *ctx, uint32_t flags); This patch adds support for the first optimization: Collapse a linear list of rules matching on a single selector into a set as exposed in the example above. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tcpopt: remove KIND keywordFlorian Westphal2021-12-011-12/+17
| | | | | | | | | | | | | | | | tcp option <foo> kind ... never makes any sense, as "tcp option <foo>" already tells the kernel to look for the foo <kind>. "tcp option sack kind 5" matches if the sack option is present; its a more complicated form of the simpler "tcp option sack exists". "tcp option sack kind 1" (or any other value than 5) will never match. So remove this. Test cases are converted to "exists". Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: update ct timeout section with the state namesFlorian Westphal2021-11-081-0/+11
| | | | | | | | docs are too terse and did not have the list of valid timeout states. While at it, adjust default stream timeout of udp to 120, this is the current kernel default. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: Support netdev egress hookLukas Wunner2021-10-282-10/+30
| | | | | | | | | Add userspace support for the netdev egress hook which is queued up for v5.16-rc1, complete with documentation and tests. Usage is identical to the ingress hook. Signed-off-by: Lukas Wunner <lukas@wunner.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: libnftables-json: make the example valid libnftables JSON inputŠtěpán Němec2021-10-111-2/+3
| | | | | | | | | | | - Add missing comma between array elements. - Fix chain 'name' property. - Match 'op' property is mandatory. Fixes: 2e56f533b36a ("doc: Improve example in libnftables-json(5)") Fixes: 90d4ee087171 ("JSON: Make match op mandatory, introduce 'in' operator") Signed-off-by: Štěpán Němec <snemec@redhat.com> Signed-off-by: Phil Sutter <phil@nwl.cc>
* doc: fix synopsis of named counter, quota and ct {helper,timeout,expect}Pablo Neira Ayuso2021-09-162-9/+61
| | | | | | Synopsis is not complete. Add examples for counters and quotas. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: nfnetlink_log allows one single process through unicastPablo Neira Ayuso2021-09-091-5/+5
| | | | | | | nfnetlink_log uses netlink unicast to send logs to one single process in userspace. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: refer to ulogd manpagePablo Neira Ayuso2021-09-061-2/+3
| | | | | | Refer to the ulogd daemon in the log statement section. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: libnflog handles `log group`, not libnfqDuncan Roe2021-09-061-1/+1
| | | | | Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: Missing NFT_CTX_OUTPUT_NUMERIC_SYMBOL in libnftables documentationPablo Neira Ayuso2021-09-061-0/+1
| | | | | | | | Add NFT_CTX_OUTPUT_NUMERIC_SYMBOL to libnftables.adoc to keep it in sync with the nftables/libnftables.h header. Fixes: 685a06447ee4 ("doc: libnftables.adoc misc cleanups") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: queue: consolidate queue statement syntaxPablo Neira Ayuso2021-08-201-2/+2
| | | | | | | | | | | | Print queue statement using the 'queue ... to' syntax to consolidate the syntax around Florian's proposal introduced in 6cf0f2c17bfb ("src: queue: allow use of arbitrary queue expressions"). Retain backward compatibility, 'queue num' syntax is still allowed. Update and add new tests. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: promote 'reject with icmp CODE' syntaxPablo Neira Ayuso2021-07-262-4/+4
| | | | | | | | | | | | | | | | | | | | | | | The kernel already assumes that that ICMP type to reject a packet is destination-unreachable, hence the user specifies the *ICMP code*. Simplify the syntax to: ... reject with icmp port-unreachable this removes the 'type' keyword before the ICMP code to reject the packet with. IIRC, the original intention is to leave room for future extensions that allow to specify both the ICMP type and the ICMP code, this is however not possible with the current inconsistent syntax. Update manpages which also refer to ICMP type. Adjust tests/py to the new syntax. Fixes: 5fdd0b6a0600 ("nft: complete reject support") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add --define key=valuePablo Neira Ayuso2021-07-201-0/+4
| | | | | | | | | | | | | | | | | This patch adds a new option to define variables from the command line. # cat test.nft table netdev x { chain y { type filter hook ingress devices = $dev priority 0; counter accept } } # nft --define dev="{ eth0, eth1 }" -f test.nft You can only combine it with -f/--filename. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: queue: allow use of MAP statement for queue number retrievalFlorian Westphal2021-06-211-2/+4
| | | | | | | | | This allows to chose a queue number at run time using map statements, e.g.: queue flags bypass to ip saddr map { 192.168.7/24 : 0, 192.168.0/24 : 1 } Signed-off-by: Florian Westphal <fw@strlen.de>
* src: queue: allow use of arbitrary queue expressionsFlorian Westphal2021-06-211-0/+4
| | | | | | | | | | | | | | | | | | | | | back in 2016 Liping Zhang added support to kernel and libnftnl to specify a source register containing the queue number to use. This was never added to nft itself, so allow this. On linearization side, check if attached expression is a range. If its not, allocate a new register and set NFTNL_EXPR_QUEUE_SREG_QNUM attribute after generating the lowlevel expressions for the kernel. On delinarization we need to check for presence of NFTNL_EXPR_QUEUE_SREG_QNUM and decode the expression(s) when present. Also need to do postprocessing for STMT_QUEUE so that the protocol context is set correctly, without this only raw payload expressions will be shown (@nh,32,...) instead of 'ip ...'. Next patch adds test cases. Signed-off-by: Florian Westphal <fw@strlen.de>
* parser: new queue flag input formatFlorian Westphal2021-06-211-2/+2
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add vlan deiPablo Neira Ayuso2021-06-111-3/+3
| | | | | | | | | | the CFI bit has been repurposed as DEI "Drop Eligible Indicator" since 802.1Q-2011. The vlan cfi field is still retained for compatibility. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1516 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: add LISTING sectionFlorian Westphal2021-06-091-0/+11
| | | | | | | mention various 'nft list' options, such as secmarks, flow tables, and so on. Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: nft: ct id does not allow for original|replyPablo Neira Ayuso2021-06-041-2/+2
| | | | | | This is a singleton ct key, move it to where it belongs to. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* statement: connlimit: remove extra whitespace in print functionPablo Neira Ayuso2021-06-041-1/+1
| | | | | | | | | | | | | | | Instead of: ct count 2 accept ^^ simply print: ct count 2 accept While at it, add incomplete reference 'ct count' to manpage. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: tiny spelling fix in stateful object section s/an/aFlorian Westphal2021-05-251-1/+1
| | | | | | | | Quoting Duncan Roe: Tiny nit: suggest "by a unique" instead of "by an unique". "a" reads better to this native en-GB speaker at least. Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: nft.8: Extend monitor description by tracePhil Sutter2021-05-191-3/+22
| | | | | | Briefly describe 'nft monitor trace' command functionality. Signed-off-by: Phil Sutter <phil@nwl.cc>
* doc: document cgroupv2Pablo Neira Ayuso2021-05-191-1/+16
| | | | | | This patch adds documentation for cgroupsv2 support. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: Implement SCTP Chunk matchingPhil Sutter2021-05-192-0/+66
| | | | | | | | Extend exthdr expression to support scanning through SCTP packet chunks and matching on fixed fields' values. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
* doc: Reduce size of NAT statement synopsisPhil Sutter2021-05-111-15/+10
| | | | | | | | | Introduce non-terminals representing address and port which may represent ranges as well. Combined with dropping the distinction between PR_FLAGS and PRF_FLAGS, all the lines for each nat statement type can be combined. Signed-off-by: Phil Sutter <phil@nwl.cc>
* doc: no need to define a set in ct statePablo Neira Ayuso2021-03-241-1/+1
| | | | | | ct state are flags, no need to define a set for this. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: use symbolic names for chain prioritiesSimon Ruderich2021-03-244-16/+16
| | | | | | | | | | | | | This replaces the numbers with the matching symbolic names with one exception: The NAT example used "priority 0" for the prerouting priority. This is replaced by "dstnat" which has priority -100 which is the new recommended priority. Also use spaces instead of tabs for consistency in lines which require updates. Signed-off-by: Simon Ruderich <simon@ruderich.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: move drop rule on a separate line in blackhole exampleSimon Ruderich2021-03-091-1/+2
| | | | | | | | At first I overlooked the "drop". Putting it on a separate line makes it more visible and also details the separate steps of this rule. Signed-off-by: Simon Ruderich <simon@ruderich.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: remove duplicate tables in synproxy exampleSimon Ruderich2021-03-091-16/+1
| | | | | | | | | | | | | The "outcome ruleset" is the same as the two tables in the example. Don't duplicate this information which just wastes space in the documentation and can confuse the reader (it took me a while to realize the tables are the same). In addition, use the same table name for both tables to make it clear that they can be the same. They will be merged in the resulting ruleset. Signed-off-by: Simon Ruderich <simon@ruderich.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: add * to include example to actually include filesSimon Ruderich2021-03-091-1/+1
| | | | | | | | "/etc/firewall/rules/" causes no error but also doesn't include any files contained in the directory. Signed-off-by: Simon Ruderich <simon@ruderich.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: nft: fix some typos and formatting issuesŠtěpán Němec2021-02-221-11/+11
| | | | | | | | Trying to escape asciidoc (9.1.0) * with \ preserves the backslash in the formatted man page. Bare * works as expected. Signed-off-by: Štěpán Němec <snemec@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>