From 594968b4fd4a68e57868b316c904ec676c6618c3 Mon Sep 17 00:00:00 2001 From: Florian Westphal Date: Sat, 24 Feb 2018 14:43:16 +0100 Subject: doc: document raw protocol expression Signed-off-by: Florian Westphal --- doc/nft.xml | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) (limited to 'doc/nft.xml') diff --git a/doc/nft.xml b/doc/nft.xml index 6748265c..bddc527f 100644 --- a/doc/nft.xml +++ b/doc/nft.xml @@ -3757,6 +3757,65 @@ inet filter output rt ip6 nexthop fd00::1 + + Raw payload expression + + + @ + base,offset,length + + + + The raw payload expression instructs to load lengthbits starting at offsetbits. + Bit 0 refers the the very first bit -- in the C programming language, this corresponds to the topmost bit, i.e. 0x80 in case of an octet. + They are useful to match headers that do not have a human-readable template expression yet. + Note that nft will not add dependencies for Raw payload expressions. + If you e.g. want to match protocol fields of a transport header with protocol number 5, you need to manually + exclude packets that have a different transport header, for instance my using meta l4proto 5 before + the raw expression. + + + Supported payload protocol bases + + + + + + Base + Description + + + + + ll + Link layer, for example the ethernet header + + + nh + Network header, for example IPv4 or IPv6 + + + th + Transport Header, for example TCP + + + +
+ + + Matching destination port of both UDP and TCP + +inet filter input meta l4proto {tcp, udp} @th,16,16 { dns, http } + + + + Rewrite arp packet target hardware address if target protocol address matches a given address + +input meta iifname enp2s0 arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566 accept + + + +
Extension header expressions -- cgit v1.2.3
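Review bot: two typos in the added description paragraph should be fixed before this lands: "Bit 0 refers the the very first bit" should read "refers to the very first bit", and "for instance my using meta l4proto 5" should read "by using meta l4proto 5". In the same paragraph, "load lengthbits starting at offsetbits" renders with the unit fused to the placeholders; a space between the length and offset placeholders and "bits" is needed for the rendered text to be readable. Minor style point: "Raw payload expressions" is capitalised mid-sentence while the section title and the surrounding text use lowercase "raw payload expression". The examples are consistent with the paragraph's own guidance: the TCP/UDP destination-port example places meta l4proto {tcp, udp} before @th,16,16, which is exactly the manual dependency the text says nft will not add for raw expressions, and the ARP example likewise qualifies the raw matches with arp ptype/htype/hlen/plen before the @nh loads and the @nh,144,48 set.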