From 5f7aa332ff4d8cdf91a43c04688dfd74e048b1e5 Mon Sep 17 00:00:00 2001
From: Florian Westphal
Date: Tue, 14 Mar 2017 17:22:03 +0100
Subject: doc: ct helper objects and helper set support
Signed-off-by: Florian Westphal
Acked-by: Pablo Neira Ayuso
---
doc/nft.xml | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 76 insertions(+)
(limited to 'doc')
diff --git a/doc/nft.xml b/doc/nft.xml
index 506a1cc7..b3e3d9e7 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -949,6 +949,77 @@ filter input iif $int_ifs accept + + Ct + + + ct + helper + type + type + protocol + protocol + l3proto + family + + + + Ct helper is used to define connection tracking helpers that can then be used in combination with the "ct helper set" statement. + type and protocol are mandatory, l3proto is derived from the table family by default, i.e. in the inet table the kernel will + try to load both the ipv4 and ipv6 helper backends, if they are supported by the kernel. + + + conntrack helper specifications + + + + + + + Keyword + Description + Type + + + + + type + name of helper type + quoted string (e.g. "ftp") + + + protocol + layer 4 protocol of the helper + string (e.g. tcp) + + + l3proto + layer 3 protocol of the helper + address family (e.g. ip) + + + +
+ + defining and assigning ftp helper + + Unlike iptables, helper assignment needs to be performed after the conntrack lookup has completed, for example + with the default 0 hook priority. + + +table inet myhelpers { + ct helper ftp-standard { + type "ftp" protocol tcp + } + chain prerouting { + type filter hook prerouting priority 0; + tcp dport 21 ct helper set "ftp-standard" + } +} + + +
+ + Counter
@@ -3375,6 +3446,11 @@ ip6 filter output log flags all + + helper + name of ct helper object to assign to the connection + quoted string + mark Connection tracking mark -- cgit v1.2.3