From 29285956a25ede9aff7d908ee90229af825076ad Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Thu, 8 Sep 2016 23:08:01 +0200
Subject: doc: nft: document log, reject, counter, meta, limit, nat and queue statements

This patch adds the missing documentation for the aforementioned statements.

This is based on original work from Shivani Bhardwaj.

Signed-off-by: Pablo Neira Ayuso
---
 doc/nft.xml | 460 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 457 insertions(+), 3 deletions(-)

diff --git a/doc/nft.xml b/doc/nft.xml
index e6e8583f..9eed8834 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -2203,36 +2203,490 @@ filter input iif eth0 drop Log statement + + log + prefix + quoted_string + level + syslog-level + + + log + group + nflog_group + prefix + quoted_string + queue-threshold + value + snaplen + size + - + + The log statement enables logging of matching packets. When this statement is used from a rule, the Linux kernel will print some information on all matching packets, such as header fields, via the kernel log (where it can be read with dmesg(1) or read in the syslog). If the group number is specified, the Linux kernel will pass the packet to nfnetlink_log which will multicast the packet through a netlink socket to the specified multicast group. One or more userspace processes may subscribe to the group to receive the packets, see libnetfilter_queue documentation for details. This is a non-terminating statement, so the rule evaluation continues after the packet is logged. + + + + log statement options + + + + + + + Keyword + Description + Type + + + + + prefix + Log message prefix + quoted string + + + syslog-level + Syslog level of logging + string: emerg, alert, crit, err, warn [default], notice, info, debug + + + group + NFLOG group to send messages to + unsigned integer (16 bit) + + + snaplen + Length of packet payload to include in netlink message + unsigned integer (32 bit) + + + queue-threshold + Number of packets to queue inside the kernel before sending them to userspace + unsigned integer (32 bit) + + + +
+
+ Reject statement + + reject + with + + icmp + icmp6 + icmpx + + type + + icmp_type + icmp6_type + icmpx_type + + + + reject + with + tcp + reset + + + + A reject statement is used to send back an error packet in response to the matched packet otherwise it is equivalent to drop so it is a terminating statement, ending rule traversal. This statement is only valid in the input, forward and output chains, and user-defined chains which are only called from those chains. + + reject statement type (ip) + + + + + + + Value + Description + Type + + + + + icmp_type + ICMP type response to be sent to the host + net-unreachable, host-unreachable, prot-unreachable, port-unreachable [default], net-prohibited, host-prohibited, admin-prohibited + + + +
+ + reject statement type (ip6) + + + + + + + Value + Description + Type + + + + + icmp6_type + ICMPv6 type response to be sent to the host + no-route, admin-prohibited, addr-unreachable, port-unreachable [default], policy-fail, reject-route + + + +
+ + reject statement type (inet) + + + + + + + Value + Description + Type + + + + + icmpx_type + ICMPvXtype abstraction response to be sent to the host, this is a set of types that overlap in IPv4 and IPv6 to be used from the inet family. + port-unreachable [default], admin-prohibited, no-route, host-unreachable + + + +
Counter statement + A counter statement sets the hit count of packets along with the number of bytes. + + + counter + packets + number + + bytes + number + + + + Meta statement + A meta statement sets the value of a meta expression. + The existing meta fields are: priority, mark, pkttype, nftrace. + + + + meta + + mark + priority + pkttype + nftrace + + set + value + + + + A meta statement sets meta data associated with a packet. + + + + Meta statement types + + + + + + + Keyword + Description + Value + + + + + priority + TC packet priority + tc_handle + + + mark + Packet mark + mark + + + pkttype + packet type + pkt_type + + + nftrace + ruleset packet tracing on/off. Use monitor trace command to watch traces + 0, 1 + + + +
+ +
Limit statement + + limit + rate + over + packet_number + / + + second + minute + hour + day + + burst packet_number packets + + + limit + rate + over + byte_number + + bytes + kbytes + mbytes + + / + + second + minute + hour + day + week + + burst byte_number bytes + + + + A limit statement matches at a limited rate using a token bucket filter. A rule using this statement will match until this limit is reached. It can be used in combination with the log statement to give limited logging. The over keyword, that is optional, makes it match over the specified rate. + + limit statement values + + + + + + + Value + Description + Type + + + + + packet_number + Number of packets + unsigned integer (32 bit) + + + byte_number + Number of bytes + unsigned integer (32 bit) + + + +
- - NAT statement + + NAT statements + + snat + to + address + :port + persistent, random, fully-random + + + snat + to + address - address + :port - port + persistent, random, fully-random + + + dnat + to + address + :port + persistent, random, fully-random + + + dnat + to + address + :port - port + persistent, random, fully-random + + + + The nat statements are only valid from nat chain types. + + + The snat statement is only valid in the postrouting and input hooks, it specifies that the source address of the packet should be modified. The dnat statement is only valid in the prerouting and output chains, it specifies that the destination address of the packet should be modified. You can use non-base chains which are called from base chains of nat chain type too. All future packets in this connection will also be mangled, and rules should cease being examined. + + + + NAT statement values + + + + + + + Expression + Description + Type + + + + + address + Specifies that the source/destination address of the packet should be modified. You may specify a mapping to relate a list of tuples composed of arbitrary expression key with address value. + ipv4_addr, ipv6_addr, eg. abcd::1234, or you can use a mapping, eg. meta mark map { 10 : 192.168.1.2, 20 : 192.168.1.3 } + + + port + Specifies that the source/destination address of the packet should be modified. + port number (16 bits) + + + +
+ + NAT statement flags + + + + + + Flag + Description + + + + + persistent + Gives a client the same source-/destination-address for each connection. + + + random + If used then port mapping will be randomized using a random seeded MD5 hash mix using source and destination address and destination port. + + + fully-random + If used then port mapping is generated based on a 32-bit pseudo-random algorithm. + + + +
+
Queue statement + This statement passes the packet to userspace using the nfnetlink_queue handler. The packet is put into the queue identified by its 16-bit queue number. Userspace can inspect and modify the packet if desired. Userspace must then drop or reinject the packet into the kernel. See libnetfilter_queue documentation for details. + + + + queue + num + queue_number + bypass + + + queue + num + queue_number_from - queue_number_to + bypass,fanout + + + + + queue statement values + + + + + + + Value + Description + Type + + + + + queue_number + Sets queue number, default is 0. + unsigned integer (16 bit) + + + queue_number_from + Sets initial queue in the range, if fanout is used. + unsigned integer (16 bit) + + + queue_number_to + Sets closing queue in the range, if fanout is used. + unsigned integer (16 bit) + + + +
+ + queue statement flags + + + + + + Flag + Description + + + + + bypass + Let packets go through if userspace application cannot back off. Before using this flag, read libnetfilter_queue documentation for performance tuning recomendations. + + + fanout + Distribute packets between several queues. + + + +
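Review bot: the log statement paragraph in this hunk points readers at "libnetfilter_queue documentation" for subscribing to an nflog group, although the same sentence says the kernel hands the packet to nfnetlink_log; the userspace counterpart of nfnetlink_log is libnetfilter_log, while libnetfilter_queue belongs with the nfnetlink_queue handler that the queue statement section further down already references correctly. The NAT statement values table carries a copy-paste slip: the port row repeats the address row's description ("Specifies that the source/destination address of the packet should be modified") where it should say that the source/destination port is modified. In the limit statement synopsis the packet-rate form lists second, minute, hour and day while the byte-rate form also lists week; if both forms accept the same time units, the two lists should match, otherwise the difference deserves a sentence in the description. The log statement synopsis uses the keyword "level" but the options table lists it as "syslog-level"; one spelling should be used in both places. Smaller fixes: "ICMPvXtype" in the inet reject table wants a space ("ICMPvX type"), "recomendations" in the queue flags table should be "recommendations", and the meta statement is introduced twice ("sets the value of a meta expression" before the synopsis and "sets meta data associated with a packet" after it), so one of the two sentences can be dropped.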