From: Pablo Neira Ayuso
Subject: Re: [PATCH v2] doc: Complete the documentation of statements
Date: Thu, 12 May 2016 11:44:39 +0200
Message-ID: <20160512094439.GA1694@salvia>
In-Reply-To: <20160512080845.GA25231@shivani>
To: Shivani Bhardwaj
Cc: netfilter-devel@vger.kernel.org

On Thu, May 12, 2016 at 01:38:45PM +0530, Shivani Bhardwaj wrote:
> Add documentation corresponding to LOG STATEMENT, NFLOG STATEMENT, > REJECT STATEMENT, COUNTER STATEMENT, META STATEMENT, LIMIT STATEMENT, > NAT STATEMENT and QUEUE STATEMENT. > > Signed-off-by: Shivani Bhardwaj > --- > Changes in v2: > Add more content to the description. > > doc/nft.xml | 259 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- > 1 file changed, 258 insertions(+), 1 deletion(-) > > diff --git a/doc/nft.xml b/doc/nft.xml > index e4d227c..be3a713 100644 > --- a/doc/nft.xml > +++ b/doc/nft.xml 
> @@ -2185,37 +2185,294 @@ filter input iif eth0 drop > > > Log statement > + > + log > + > + prefix > + level > + > + > + > > + The log statement enables ^^^^^^^^^^ This has accidentally slipped through, right? > logging of matching packets. When this statement is used from a > rule, the Linux kernel will print some information on all matching > packets, such as header fields, via the kernel log (where it can be > read with dmesg(1) or read in the syslog). This is a non-terminating > statement, so the rule evaluation continues after the packet is > logged. > + > + LOG statement > + > + > + > + > + > + > + Keyword > + Description > + Type > + > + > + > + > + level > + Level of logging > + unsigned integer (32 bit), emerg, alert, crit, err, warn [default], notice, info, debug > + > + > + prefix > + Prefix log messages > + string > + > + > + > +
>
>
> > + nflog statement > + > + log > + group > + > + prefix > + queue-threshold > + snaplen > + > + > + > + > + The nflog statement provides logging of matching packets. When this statement is set for a rule, the Linux kernel will pass the packet to the loaded logging backend to log the packet. This is used in combination with nfnetlink_log as logging backend, which will multicast the packet through a netlink socket to the specified multicast group. One or more userspace processes may subscribe to the group to receive the packets. Like log statement, this is a non-terminating statement, i.e. rule traversal continues at the next rule. It is necessary to mention the group [default 0] to consider logging with nflog. We don't have a nflog statement, actually this is integrated into 'log' itself. So if you indicate the group, then it is assumed that you want to use logging through nflog. > + > + NFLOG statement > + > + > + > + > + > + > + Keyword > + Description > + Type > + > + > + > + > + prefix > + Prepend to log messages > + string > + > + > + group > + Netlink group to send messages to > + unsigned integer (32 bit) > + > + > + snaplen > + Length of payload to include in netlink message > + unsigned integer (32 bit) > + > + > + queue-threshold > + Queue threshold value > + unsigned integer (32 bit) > + > + > + > +
> +
> +
> + > Reject statement > > + A reject statement is used to send back an error packet in response to the matched packet otherwise it is equivalent to drop so it is a terminating statement, ending rule traversal. This statement is only valid in the input, forward and output chains, and user-defined chains which are only called from those chains. > + > + REJECT statement (ipv4) ^^^^^^ No need for upper case, in nftables we don't use upper case notation anymore as in iptables targets. > + > + > + > + > + > + > + Keyword > + Description > + Type > + > + > + > + > + with icmp type > + ICMP response to be sent to the host > + unsigned integer (8 bit), net-unreachable, host-unreachable, prot-unreachable, port-unreachable [default], net-prohibited, host-prohibited, admin-prohibited > + > + > + with > + Used on rules which only match the TCP > + tcp reset > + > + > + > +
> + > + REJECT statement (ipv6) > + > + > + > + > + > + > + Keyword > + Description > + Type > + > + > + > + > + with icmpv6 type > + ICMP6 response to be sent to the host > + unsigned integer (8 bit), no-route, admin-prohibited, addr-unreachable, port-unreachable [default], policy-fail, reject-route > + > + > + with > + Used on rules which only match the TCP > + tcp reset > + > + > + > +
>
>
> > Counter statement > > + A counter statement sets the hit count of packets along with the number of bytes. > > > > Meta statement > > + A meta statement sets the value of a meta expression. > + The existing meta fields are: length, > nfproto, l4proto, protocol, priority, mark, iif, iifname, iiftype, > oif, oifname, oiftype, skuid, skgid, nftrace, rtclassid, ibriport, > obriport, pkttype, cpu, iifgroup, oifgroup, cgroup. We actually support a bunch of this, have a look at: net/netfilter/nft_meta.c so you know which ones we support ;) > > > > + > + limit > + > + rate > + burst > + > + > + > Limit statement > > + A limit statement is used to set a specified limit attribute. > + > + Limit statement > + > + > + > + > + > + > + Keyword > + Description > + Type > + > + > + > + > + rate > + Maximum average matching rate > + size (bytes, kbytes, mbytes)/time (second, minute, hour, day, week) > + > + > + burst > + Maximum initial number of packets > + packets, size (bytes, kbytes, mbytes) > + > + > + > +
>
>
> - > + > NAT statement > + > + > + snat > + dnat > + > + flags > + > > + The nat statement is only valid in the nat table. I'd suggest "... is only valid from nat chain types." We don't have a nat table anymore, instead we have a nat chain type. Thanks for following up on this!
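Review bot: in the limit statement table, the `rate` row gives its type only as a byte size per time unit, while the `burst` row lists packets as well; a limit rate is just as commonly a packet count per time unit (for example `rate 10/second`), so the `rate` type column should list both forms, and the one-line description "used to set a specified limit attribute" should say what is limited (the rate at which packets match the rule). Two smaller wording points in the same hunk: the counter statement text "sets the hit count of packets along with the number of bytes" reads as if the statement assigns values, whereas the counter accumulates the number of matching packets and bytes, so "counts the packets and bytes matching the rule" is more accurate; and in both reject tables the `with` row is truncated ("Used on rules which only match the TCP") and puts the keyword argument `tcp reset` in the Type column, so it would be clearer as keyword `with tcp reset`, description "send a TCP RST; only valid for rules matching TCP packets", with no separate type.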