From 48b99f03b5e43eac2bf93251f8fa1c9ceb516abb Mon Sep 17 00:00:00 2001
From: Florian Westphal
Date: Tue, 27 Feb 2018 12:48:16 +0100
Subject: doc: mention meta l4proto and ipv6 nexthdr issue wrt. extension headers

Signed-off-by: Florian Westphal
---
 doc/nft.xml | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/doc/nft.xml b/doc/nft.xml
index bddc527f..2b88727c 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -2523,6 +2523,9 @@ filter output icmpv6 type { echo-request, echo-reply } Qualified meta expressions require the meta keyword before the meta key, unqualified meta expressions can be specified by using the meta key directly or as qualified meta expressions. + + Meta l4proto is useful to match a particular transport protocol that is part of either + an IPv4 or IPv6 packet. It will also skip any IPv6 extension headers present in an IPv6 packet.
@@ -2549,6 +2552,11 @@ filter output icmpv6 type { echo-request, echo-reply } real hook protocol family, useful only in inet tableinteger (32 bit) + + l4proto + layer 4 protocol, skips ipv6 extension headers + integer (8 bit) + protocol Ethertype protocol value
@@ -3226,6 +3234,15 @@ inet filter output rt ip6 nexthop fd00::1 IPv6 header field + + This expression refers to the ipv6 header fields. + Caution when using ip6 nexthdr, the value only refers to + the next header, i.e. ip6 nexthdr tcp will only match if the ipv6 packet does not + contain any extension headers. Packets that are fragmented or e.g. contain a routing extension headers + will not be matched. + Please use meta l4proto if you wish to match the real transport header and + ignore any additional extension headers instead. +
IPv6 header expression
@@ -3290,8 +3307,15 @@ inet filter output rt ip6 nexthop fd00::1
+ + + matching if first extension header indicates a fragment + +ip6 nexthdr ipv6-frag counter + + + - ICMPv6 header expression -- cgit v1.2.3