From fac10ea799fe9b6158d74f66d6ad46536d38a545 Mon Sep 17 00:00:00 2001
From: Patrick McHardy
Date: Wed, 18 Mar 2009 04:55:00 +0100
Subject: Initial commit
---
 doc/.gitignore | 2 +
 doc/Makefile.in | 14 +
 doc/nftables.xml | 966 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 982 insertions(+)
 create mode 100644 doc/.gitignore
 create mode 100644 doc/Makefile.in
 create mode 100644 doc/nftables.xml
(limited to 'doc')
diff --git a/doc/.gitignore b/doc/.gitignore
new file mode 100644
index 00000000..fc24d499
--- /dev/null
+++ b/doc/.gitignore
@@ -0,0 +1,2 @@
+nftables.8
+nftables.pdf
diff --git a/doc/Makefile.in b/doc/Makefile.in
new file mode 100644
index 00000000..497e17ab
--- /dev/null
+++ b/doc/Makefile.in
@@ -0,0 +1,14 @@
+mandocs-@CONFIG_MAN@ += doc/nftables.8
+pdfdocs-@CONFIG_PDF@ += doc/nftables.pdf
+
+all: $(mandocs-y) $(pdfdocs-y)
+clean:
+	@echo -e " CLEAN\t\tdoc"
+	$(RM) $(mandocs-y) $(pdfdocs-y)
+
+install:
+	@echo -e " INSTALL\tdoc"
+	$(MKDIR_P) $(DESTDIR)/${mandir}/man8
+	$(INSTALL) -m 755 -o root -g root $(mandocs-y) $(DESTDIR)/${mandir}/man8/
+	$(MKDIR_P) $(DESTDIR)/${pdfdir}
+	$(INSTALL) -m 755 -o root -g root $(pdfdocs-y) $(DESTDIR)/${pdfdir}/
diff --git a/doc/nftables.xml b/doc/nftables.xml
new file mode 100644
index 00000000..ec6de38a
--- /dev/null
+++ b/doc/nftables.xml
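Review bot: The two `$(INSTALL)` lines in the `install` recipe of doc/Makefile.in install the man page and PDF with `-m 755 -o root -g root`, which marks plain data files executable and forces a chown that only succeeds when the install runs as root, so a staged `DESTDIR` install by an unprivileged packager fails outright. Documentation should go in read-only and without forced ownership: `$(INSTALL) -m 644 $(mandocs-y) $(DESTDIR)/${mandir}/man8/` and likewise `$(INSTALL) -m 644 $(pdfdocs-y) $(DESTDIR)/${pdfdir}/`. If the `@CONFIG_MAN@`/`@CONFIG_PDF@` substitution can leave `$(mandocs-y)` or `$(pdfdocs-y)` empty (I am inferring a y/n knob from the `-y` suffix), those same lines then run `install` with only a destination operand and error out, so each should be guarded, e.g. `$(if $(mandocs-y),$(INSTALL) -m 644 $(mandocs-y) $(DESTDIR)/${mandir}/man8/)`. Separately, `all`, `clean` and `install` are not declared `.PHONY`, and `echo -e` is not portable to a POSIX `sh` such as dash, where it prints the literal `-e`.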
@@ -0,0 +1,966 @@ + + + + + + + Patrick + McHardy + kaber@trash.net + + + 2008 + Patrick McHardy + + + + + nftables + 8 + + + + nftables + + Administration tool for packet filtering and classification + + + + + + nftables + + + + + + directory + + + + + filename + + + + + + cmd + + + + + nftables + + + + + + + + + + + Description + + nftables is used to set up, maintain and inspect packet + filtering and classification rules in the Linux kernel. + + + + + Options + + For a full summary of options, run nftables --help. + + + + + + + + Show help message and all options. + + + + + + + + Show version. + + + + + + + + Numeric output: IP addresses and other information + that might need network traffic to resolve to symbolic names + are shown numerically. + + + + + + + + Add the directory directory to the list of directories to by searched for included files. + + + + + + + + Read input from filename. + + + + + + + + Read input from an interactive readline CLI. + + + + + + + + Input file format + + Input is parsed line-wise. When the last character of a line just before + the newline character is a non-quoted backslash (\), + the newline is treated as a line continuation. + + + A # begins a comment. All following characters on + the same line are ignored. + + + Other files can be included by using + include "filename". + + + + + Tables + + + table + + add + delete + list + flush + + family + table + + + + + Tables are containers for chains. They are identified by their family + and their name. The family must be one of + + + ip + ip6 + arp + bridge + . + + When no family is specified, ip is used by default. + + + + + + + + Add a new table for the given family with the given name. + + + + + + + + Delete the specified table. + + + + + + + + List all chains and rules of the specified table. + + + + + + + + Flush all chains and rules of the specified table. 
+ + + + + + + + Chains + + + chain + add + family + table + chain + hook + priority + + + chain + + add + delete + list + flush + + family + table + chain + + + + + Chains are containers for rules. They exist in two kinds, + basechains and regular chains. A basecase is an entry point for + packets from the networking stack, a regular chain may be used + as jump target and is used for better rule organization. + + + + + + + + Add a new chain in the specified table. When a hook and priority + value are specified, the chain is created as a base chain and hooked + up to the networking stack. + + + + + + + + Delete the specified chain. + + + + + + + + List all rules of the specified chain. + + + + + + + + Flush all rules of the specified chain. + + + + + + + + Rules + + + rule + + add + delete + + family + table + chain + handle handle + statement + + + + Rules are constructed from two kinds of components according to a set + of rules: expressions and statements. The lowest order expression is a + primary expression, representing either a constant or a single datum + from a packets payload, meta data or a stateful module. Primary expressions + can be used as arguments to relational expressions (equality, + set membership, ...) to construct match expressions. + + + + + Primary expressions + + Meta expressions + + A meta expression refers to meta data associated with a packet. 
+ + + Meta expressions + + + + + + + Keyword + Description + Type + + + + + length + Length of the packet in bytes + Numeric (32 bit) + + + protocol + Ethertype protocol value + ethertype + + + priority + TC packet priority + Numeric (32 bit) + + + mark + Packet mark + packetmark + + + iif + Input interface index + ifindex + + + iifname + Input interface name + ifname + + + iiftype + Input interface hardware type + hwtype + + + oif + Output interface index + ifindex + + + oifname + Output interface name + ifname + + + oiftype + Output interface hardware type + hwtype + + + skuid + UID associated with originating socket + uid + + + skgid + GID associated with originating socket + gid + + + rtclassid + Routing realm + realm + + + +
+ + Meta expression specific types + + + + + + Type + Description + + + + + ifindex + + Interface index (32 bit number). Can be specified numerically + or as name of an existing interface. + + + + ifname + + Interface name (16 byte string). Does not have to exist. + + + + uid + + User ID (32 bit number). Can be specified numerically or as + user name. + + + + gid + + Group ID (32 bit number). Can be specified numerically or as + group name. + + + + realm + + Routing Realm (32 bit number). Can be specified numerically + or as symbolic name defined in /etc/iproute2/rt_realms. + + + + +
+
+ + + Payload expressions + + Ethernet header expression + + + + + + Keyword + Description + + + + + daddr + Destination address + + + saddr + Source address + + + type + EtherType + + + +
+ + + VLAN header expression + + + + + + Keyword + Description + + + + + id + VLAN ID (VID) + + + cfi + Canonical Format Indicator + + + pcp + Priority code point + + + type + EtherType + + + +
+ + + ARP header expression + + + + + + Keyword + Description + + + + + htype + ARP hardware type + + + ptype + EtherType + + + hlen + Hardware address len + + + plen + Protocol address len + + + op + Operation + + + +
+ + + IPv4 header expression + + + + + + Keyword + Description + + + + + version + IP header version (4) + + + hdrlength + IP header length including options + + + tos + Type Of Service + + + length + Total packet length + + + id + IP ID + + + frag-off + Fragment offset + + + ttl + Time to live + + + protocol + Upper layer protocol + + + checksum + IP header checksum + + + saddr + Source address + + + daddr + Destination address + + + +
+ + + IPv6 header expression + + + + + + Keyword + Description + + + + + version + IP header version (6) + + + priority + + + + flowlabel + + + + length + + + + nexthdr + Nexthdr protocol + + + hoplimit + + + + saddr + Source address + + + daddr + Destination address + + + +
+ + + SCTP header expression + + + + + + Keyword + Description + + + + + sport + Source port + + + dport + Destination port + + + vtag + Verfication Tag + + + checksum + Checksum + + + +
+ + + DCCP header expression + + + + + + Keyword + Description + + + + + sport + Source port + + + dport + Destination port + + + +
+ + + TCP header expression + + + + + + Keyword + Description + + + + + sport + Source port + + + dport + Destination port + + + sequence + Sequence number + + + ackseq + Acknowledgement number + + + doff + Data offset + + + reserved + Reserved area + + + flags + TCP flags + + + window + Window + + + checksum + Checksum + + + urgptr + Urgent pointer + + + +
+ + + UDP header expression + + + + + + Keyword + Description + + + + + sport + Source port + + + dport + Destination port + + + length + Total packet length + + + checksum + Checksum + + + +
+ + + UDP-Lite header expression + + + + + + Keyword + Description + + + + + sport + Source port + + + dport + Destination port + + + cscov + Checksum coverage + + + checksum + Checksum + + + +
+ + + + AH header expression + + + + + + Keyword + Description + + + + + nexthdr + Next header protocol + + + hdrlength + AH Header length + + + reserved + Reserved area + + + spi + Security Parameter Index + + + sequence + Sequence number + + + +
+ + + ESP header expression + + + + + + Keyword + Description + + + + + spi + Security Parameter Index + + + sequence + Sequence number + + + +
+ + + IPComp header expression + + + + + + Keyword + Description + + + + + nexthdr + Next header protocol + + + flags + Flags + + + cfi + Compression Parameter Index + + + +
+
+
+ + + Exit status + + On success, nftables exits with a status of 0. Unspecified + errors cause it to exit with a status of 1, memory allocation + errors with a status of 2. + + + + + See Also + + + iptables(8) + ip6tables(8) + arptables(8) + ebtables(8) + ip(8) + tc(8) + + + + + + Authors + + nftables was written by Patrick McHardy. + + + + + Copyright + + Copyright © 2008 Patrick McHardy kaber@trash.net + + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License version 2 as + published by the Free Software Foundation. + + +
-- cgit v1.2.3