From patchwork Thu Aug 10 17:29:16 2017
X-Patchwork-Submitter: Phil Sutter
X-Patchwork-Id: 800286
X-Patchwork-Delegate: pablo@netfilter.org
From: Phil Sutter
To: Pablo Neira Ayuso
Cc: netfilter-devel@vger.kernel.org
Subject: [nft PATCH 2/6] nft.8: Describe conntrack types
Date: Thu, 10 Aug 2017 19:29:16 +0200
Message-Id: <20170810172920.14893-3-phil@nwl.cc>
In-Reply-To: <20170810172920.14893-1-phil@nwl.cc>
References: <20170810172920.14893-1-phil@nwl.cc>

Signed-off-by: Phil Sutter
---
 doc/nft.xml | 230 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 230 insertions(+)
diff --git a/doc/nft.xml b/doc/nft.xml index 91b9bb378c80a..3ef88a79efd70 100644 --- a/doc/nft.xml +++ b/doc/nft.xml @@ -1921,6 +1921,232 @@ filter output icmpv6 type { echo-request, echo-reply } + + Conntrack types + + This is an overview of types used in ct + expression and statement: + + + + + + + + + Name + Keyword + Size + Base type + + + + + conntrack state + ct_state + 4 byte + bitmask + + + conntrack direction + ct_dir + 8 bit + integer + + + conntrack status + ct_status + 4 byte + bitmask + + + conntrack event bits + ct_event + 4 byte + bitmask + + + conntrack label + ct_label + 128 bit + bitmask + + + +
+
+ + For each of the types above, keywords are available for convenience: + + conntrack state (ct_state) + + + + + + Keyword + Value + + + + + invalid + 1 + + + established + 2 + + + related + 4 + + + new + 8 + + + untracked + 64 + + + +
+ + + conntrack direction (ct_dir) + + + + + + Keyword + Value + + + + + original + 0 + + + reply + 1 + + + +
+ + + conntrack status (ct_status) + + + + + + Keyword + Value + + + + + expected + 1 + + + seen-reply + 2 + + + assured + 4 + + + confirmed + 8 + + + snat + 16 + + + dnat + 32 + + + dying + 512 + + + +
+ + + conntrack event bits (ct_event) + + + + + + Keyword + Value + + + + + new + 1 + + + related + 2 + + + destroy + 4 + + + reply + 8 + + + assured + 16 + + + protoinfo + 32 + + + helper + 64 + + + mark + 128 + + + seqadj + 256 + + + secmark + 512 + + + label + 1024 + + + +
+ + Possible keywords for conntrack label type + (ct_label) are read at runtime from + /etc/connlabel.conf. + +
+
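Review bot: the Size column of the overview table mixes units ("4 byte" for ct_state, ct_status and ct_event next to "8 bit" for ct_dir and "128 bit" for ct_label); pick one unit for all five rows, e.g. "32 bit", "8 bit", "32 bit", "32 bit", "128 bit", so the widths can be compared at a glance. The introductory sentence "This is an overview of types used in ct expression and statement" also needs an article: "types used in the ct expression and statement".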
@@ -3577,6 +3803,10 @@ ip6 filter input frag more-fragments 1 counter + + A description of conntrack-specific types listed above can be + found sub-section CONNTRACK TYPES above. +
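Review bot: the added cross-reference sentence is missing a preposition and says "above" twice: "A description of conntrack-specific types listed above can be found sub-section CONNTRACK TYPES above." Suggest "A description of the conntrack-specific types listed above can be found in the CONNTRACK TYPES section."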