From 97933e171acf870fd4e2296a87d8118e0f844aaf Mon Sep 17 00:00:00 2001
From: Florian Westphal
Date: Tue, 14 Mar 2017 20:12:17 +0100
Subject: doc: ct zone set support
Signed-off-by: Florian Westphal
---
 doc/nft.xml | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)
(limited to 'doc')
diff --git a/doc/nft.xml b/doc/nft.xml
index de86d2a1..8ea28041 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -3347,6 +3347,7 @@ ip6 filter output log flags all
 mark label
+ zone set value
@@ -3354,10 +3355,14 @@ ip6 filter output log flags all
 The ct statement sets meta data associated with a connection.
+ The zone id has to be assigned before a conntrack lookup takes place,
+ i.e. this has to be done in prerouting and possibly output (if locally
+ generated packets need to be placed in a distinct zone), with a hook
+ priority of -300.
- Meta statement types
+ Conntrack statement types
@@ -3380,6 +3385,12 @@ ip6 filter output log flags all
 Connection tracking label label
+
+ zone
+ conntrack zone
+ integer (16 bit)
+
+
@@ -3391,6 +3402,21 @@ ip6 filter output log flags all
 ct set mark meta mark
+
+ set zone mapped via interface
+
+table inet raw {
+ chain prerouting {
+ type filter hook prerouting priority -300;
+ ct zone set iif map { "eth1" : 1, "veth1" : 2 }
+ }
+ chain output {
+ type filter hook output priority -300;
+ ct zone set oif map { "eth1" : 1, "veth1" : 2 }
+ }
+}
+
+