@@ -122,30 +122,17 @@ integer
The boolean type is a syntactical helper type in user space. It's use is in the right-hand side of a (typically implicit) relational expression to change the expression on the left-hand side into a boolean check (usually for existence). +
-The following keywords will automatically resolve into a boolean type with given value:
-The bitmask type (bitmask) is used for bitmasks.
-
+.The following keywords will automatically resolve into a boolean type with given value
[options="header"]
|==================
|Keyword | Value
-|exits |
+|exists |
1 |
missing |
0
|===================
-[options="header"]
-|======================================
-|Expression | Behaviour
-|fib |
-Check route existence.
-|exthdr|
-Check IPv6 extension header existence.
-|tcp option |
-Check TCP option header existence.
-|===================
-
-.expressions support a boolean comparison:
+.expressions support a boolean comparison
[options="header"]
|======================================
|Expression | Behaviour
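Review bot: The commit message only mentions typo fixes, but the removed lines in this hunk also drop the sentence "The bitmask type (bitmask) is used for bitmasks." and the whole fib / exthdr / tcp option table. If these were stray duplicates from the conversion, say so in the changelog so the deletion is not mistaken for lost content. The unchanged first line of the hunk still reads "It's use", which should be "Its use" and can be fixed in the same pass.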
@@ -228,15 +215,15 @@ ICMP CODE TYPE
[options="header"]
|==================
|Name | Keyword | Size | Base type
-|ICMP Type |
-icmp_type |
+|ICMP Code |
+icmp_code |
8 bit |
integer
|===================
The ICMP Code type is used to conveniently specify the ICMP header's code field.
-.Keywords may be used when specifying the ICMP type
+.Keywords may be used when specifying the ICMP code
[options="header"]
|==================
|Keyword | Value
@@ -325,7 +312,7 @@ ICMPV6 CODE TYPE
|==================
|Name | Keyword | Size | Base type
|ICMPv6 Code |
-icmpv6_type |
+icmpv6_code |
8 bit |
integer
|===================
@@ -356,7 +343,7 @@ ICMPVX CODE TYPE
|==================
|Name | Keyword | Size | Base type
|ICMPvX Code |
-icmpv6_type |
+icmpv6_code |
8 bit |
integer
|===================
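Review bot: In the ICMPvX Code row the keyword becomes icmpv6_code, the same keyword the previous hunk gives to the ICMPv6 Code type, so the two types cannot be told apart by keyword. The old value icmpv6_type was already a copy from the ICMPv6 section. This row should carry the ICMPvX keyword, icmpx_code.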
@@ -397,7 +384,7 @@ ct_status|
4 byte|
bitmask
|conntrack event bits|
-ct_events |
+ct_event |
4 byte |
bitmask
|conntrack label|
@@ -441,7 +428,7 @@ For each of the types above, keywords are available for convenience:
|expected|
1
|seen-reply|
-1
+2
|assured|
4
|confirmed|
@@ -186,7 +186,7 @@ RULESET
-------
[verse]
{list | flush} *ruleset* ['family']
-\{export\} [*ruleset*] {'format'}
+export [*ruleset*] 'format'
The *ruleset* keyword is used to identify the whole set of tables, chains, etc. currently in place in kernel. The following *ruleset* commands exist:
@@ -304,13 +304,10 @@ Rules are added to chain in the given table. If the family is not specified, the
The add and insert commands support an optional location specifier, which is either a 'handle' of an existing rule or an 'index' (starting at zero). Internally, rule locations are always identified by 'handle' and the translation from 'index' happens in userspace. This has two potential implications in case a concurrent ruleset change happens after the translation was done: The effective rule index might change if a rule was inserted or deleted before the referred one. If the referred rule was deleted, the command is rejected by the kernel just as if an invalid 'handle' was given.
-*add*::
-Add a new rule described by the list of statements. The rule is appended to the given chain unless a position is specified, in which case the rule is appended to the rule given by the 'handle'. The alternative name position is deprecated and should not be used anymore.
-
-*insert*:: Similar to the *add* command, but the rule is prepended to the beginning of the chain or before the rule at the given position.
-
+[horizontal]
+*add*:: Add a new rule described by the list of statements. The rule is appended to the given chain unless a position is specified, in which case the rule is appended to the rule given by the 'handle'. The alternative name position is deprecated and should not be used anymore.
+*insert*:: Similar to the *add* command, but the rule is prepended to the beginning of the chain or before the rule with the given 'handle'.
*replace*:: Similar to the add command, but the rule replaces the specified rule.
-
*delete*:: Delete the specified rule.
.*add a rule to ip table input chain*
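Review bot: The reworded *insert* entry, like the *add* entry above it, now names only the 'handle', while the unchanged paragraph at the top of the hunk says the location specifier is either a 'handle' or an 'index'. Word both entries so that 'index' is covered, or refer back to the location specifier. In *add*, "appended to the rule given by the 'handle'" would read better as "appended after the rule", and the *replace* entry still writes "the add command" without the bold markup used in *insert*.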
@@ -41,6 +41,11 @@ EtherType|
ether_type
|==================
+ARP HEADER EXPRESSION
+~~~~~~~~~~~~~~~~~~~~~
+[verse]
+*arp* ['ARP' 'header' 'field']
+
.ARP HEADER EXPRESSION
[options="header"]
|==================
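Review bot: The added section title ARP HEADER EXPRESSION is repeated verbatim by the unchanged table title .ARP HEADER EXPRESSION directly below it, so the rendered page carries the same caption twice. Give the table a descriptive title of its own. In the synopsis, ['ARP' 'header' 'field'] quotes each word separately, which renders as three placeholders instead of one, and the square brackets mark the field as optional; if a field is required, drop the brackets.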
@@ -412,7 +417,7 @@ RAW PAYLOAD EXPRESSION
The raw payload expression instructs to load lengthbits starting at offsetbits. Bit 0 refers to the very first bit -- in the C programming language, this corresponds to the topmost bit, i.e. 0x80 in case of an octet. They are useful to match headers that do not have a human-readable template expression yet. Note that nft will not add dependencies for Raw payload expressions. If you e.g. want to match protocol fields of a transport header with protocol number 5, you need to manually exclude packets that have a different transport header, for instance my using meta l4proto 5 before the raw expression.
-.Support payload protocol bases
+.Supported payload protocol bases
[options="header"]
|==================
|Base| Description
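Review bot: The context paragraph above the retitled table still has "for instance my using meta l4proto 5", which should be "by using"; as this patch is the typo pass for the converted text, fix it here too. In the same paragraph "lengthbits" and "offsetbits" read as single words; if they are the length and offset parameters followed by "bits", they need a space and placeholder markup.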
@@ -585,6 +590,6 @@ average bytes per packet, see description for packets keyword |
integer (64 bit)
|zone|
conntrack zone |
-integer (64 bit)
+integer (16 bit)
|==========================================
A description of conntrack-specific types listed above can be found sub-section CONNTRACK TYPES above.
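Review bot: The unchanged sentence closing this hunk, "can be found sub-section CONNTRACK TYPES above", is missing "in the" before "sub-section" and belongs in this typo pass. The zone width change from 64 bit to 16 bit corrects a stated fact, not a spelling, so it deserves a mention in the commit message.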
@@ -22,7 +22,7 @@ real hook protocol family, useful only in inet table|
integer (32 bit)
|l4proto|
layer 4 protocol, skips ipv6 extension headers|
-integer (32 bit)
+integer (8 bit)
|protocol|
EtherType protocol value|
ether_type
@@ -40,7 +40,7 @@ Input interface name |
ifname
|iiftype|
Input interface type|
-iface_itype
+iface_type
|oif|
Output interface index|
iface_index
@@ -14,7 +14,7 @@ name of helper type |
quoted string (e.g. "ftp")
|protocol |
layer 4 protocol of the helper |
-address family (e.g. ip)
+string (e.g. ip)
|l3proto |
layer 3 protocol of the helper |
address family (e.g. ip)
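Review bot: On the changed protocol row the type is now string, but the example is still ip, which is the address family example of the l3proto row below and not a layer 4 protocol. Use a transport protocol as the example, such as tcp. The name row quotes its example ("ftp"), so quote this one the same way if the value is a string.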
@@ -80,7 +80,7 @@ Number of packets to queue inside the kernel before sending them to userpace |
unsigned integer (32 bit)
|==================================
-.log statement options
+.log-flags
[options="header"]
|==================
| Flag | Description
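Review bot: The new title .log-flags breaks the pattern of the other table titles in this file, such as .limit statement values in the next hunk. ".log statement flags" would keep the naming consistent while still correcting "options" to flags. The context text in this hunk's header also shows "userpace" in the queue table, which should be "userspace".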
@@ -235,7 +235,7 @@ A limit statement matches at a limited rate using a token bucket filter. A rule
.limit statement values
[options="header"]
|==================
-|Value | Description | Type|
+|Value | Description | Type
|packet_number |
Number of packets |
unsigned integer (32 bit)
Correct some typo mistakes done while converting man page source to asciidoc.

Signed-off-by: Arushi Singhal <arushisinghal19971997@gmail.com>
---
 doc/data-types.txt         | 33 ++++++++++-----------------------
 doc/nft.txt                | 11 ++++-------
 doc/payload-expression.txt |  9 +++++++--
 doc/primary-expression.txt |  4 ++--
 doc/stateful-objects.txt   |  2 +-
 doc/statements.txt         |  4 ++--
 6 files changed, 26 insertions(+), 37 deletions(-)