[PATCH nft 1/2] doc: update meta expression

[PATCH nft 1/2] doc: update meta expression

[Florian Westphal]

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 doc/nft.xml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/doc/nft.xml b/doc/nft.xml
index 9eed883..6297674 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -1001,6 +1001,7 @@ filter output ip6 daddr ::1
 						<arg>iifgroup</arg>
 						<arg>oifgroup</arg>
 						<arg>cgroup</arg>
+						<arg>random</arg>
 					</group>
 				</cmdsynopsis>
 			</para>
@@ -1128,6 +1129,11 @@ filter output ip6 daddr ::1
 								<entry>control group id</entry>
 								<entry>integer (32 bits)</entry>
 							</row>
+							<row>
+								<entry>random</entry>
+								<entry>pseudo-random number</entry>
+								<entry>integer (32 bits)</entry>
+							</row>
 						</tbody>
 					</tgroup>
 				</table>
-- 
2.7.3

[PATCH nft 2/2] doc: payload and conntrack statement

[Florian Westphal]

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 doc/nft.xml | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 81 insertions(+), 1 deletion(-)

diff --git a/doc/nft.xml b/doc/nft.xml
index 6297674..3b215f8 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -2037,7 +2037,7 @@ filter output oif eth0
 							</row>
 							<row>
 								<entry>label</entry>
-								<entry>Connection tracking label</entry>
+								<entry>Connection tracking label bit or symbolic name defined in connlabel.conf in the nftables include path</entry>
 								<entry>ct_label</entry>
 							</row>
 							<row>
@@ -2207,6 +2207,29 @@ filter input iif eth0 drop
 			</para>
 		</refsect2>
 		<refsect2>
+			<title>Payload statement</title>
+			<para>
+				The payload statement alters packet content.
+				It can be used for example to set ip DSCP (differv) header field or ipv6 flow labels.
+			</para>
+			<para>
+				<example>
+					<title>route some packets instead of bridging</title>
+					<programlisting>
+# redirect tcp:http from 192.160.0.0/16 to local machine for routing instead of bridging
+# assumes 00:11:22:33:44:55 is local MAC address.
+bridge input meta iif eth0 ip saddr 192.168.0.0/16 tcp dport 80 meta pkttype set unicast ether daddr set 00:11:22:33:44:55
+					</programlisting>
+				</example>
+				<example>
+					<title>Set IPv4 DSCP header field</title>
+					<programlisting>
+ip forward ip dscp set 42
+					</programlisting>
+				</example>
+			</para>
+		</refsect2>
+		<refsect2>
 			<title>Log statement</title>
 			<para>
 				<cmdsynopsis>
@@ -2390,6 +2413,63 @@ filter input iif eth0 drop
 
 		</refsect2>
 		<refsect2>
+			<title>Conntrack statement</title>
+			<para>
+				The conntrack statement can be used to set the conntrack mark and conntrack labels.
+			</para>
+			<para>
+				<cmdsynopsis>
+					<command>ct</command>
+					<group choice="req">
+						<arg>mark</arg>
+						<arg>label</arg>
+					</group>
+					<arg choice="none">set</arg>
+					<replaceable>value</replaceable>
+				</cmdsynopsis>
+			</para>
+			<para>
+				The ct statement sets meta data associated with a connection.
+			</para>
+			<para>
+				<table frame="all">
+					<title>Meta statement types</title>
+					<tgroup cols='3' align='left' colsep='1' rowsep='1'>
+						<colspec colname='c1'/>
+						<colspec colname='c2'/>
+						<colspec colname='c3'/>
+						<thead>
+							<row>
+								<entry>Keyword</entry>
+								<entry>Description</entry>
+								<entry>Value</entry>
+							</row>
+						</thead>
+						<tbody>
+							<row>
+								<entry>mark</entry>
+								<entry>Connection tracking mark</entry>
+								<entry>mark</entry>
+							</row>
+							<row>
+								<entry>label</entry>
+								<entry>Connection tracking label</entry>
+								<entry>label</entry>
+							</row>
+						</tbody>
+					</tgroup>
+				</table>
+			</para>
+			<para>
+				<example>
+					<title>save packet nfmark in conntrack</title>
+					<programlisting>
+ct set mark meta mark
+					</programlisting>
+				</example>
+			</para>
+		</refsect2>
+		<refsect2>
 			<title>Meta statement</title>
 			<para>
 				A meta statement sets the value of a meta expression.
-- 
2.7.3

Re: [PATCH nft 1/2] doc: update meta expression

[Pablo Neira Ayuso]

On Fri, Sep 09, 2016 at 12:16:55AM +0200, Florian Westphal wrote:
> Signed-off-by: Florian Westphal <fw@strlen.de>

Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>

Thanks Florian!

Re: [PATCH nft 2/2] doc: payload and conntrack statement

[Pablo Neira Ayuso]

On Fri, Sep 09, 2016 at 12:16:56AM +0200, Florian Westphal wrote:
> Signed-off-by: Florian Westphal <fw@strlen.de>

Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>

BTW, related to payload mangling, Laura sent me this report:

When adding this rule:

  # nft add rule netdev filter ingress \
        ip daddr 192.168.0.92 tcp dport 80 \
        ether daddr set 00:03:2d:2b:74:ec fwd to enp3s0

The listing shows:

  # nft list ruleset
  table netdev filter {
      chain ingress {
         type filter hook ingress device enp0s25 priority 0; policy accept;
         ip daddr 192.168.0.92 tcp dport http ether daddr set ec:74:2b:2d:03:00 fwd to "enp3s0"
                                                              ^^^^^^^^^^^^^^^^^

Note that the MAC address is reversed, probably something wrong in the
delinearize path. In case you have some spare cycle, I didn't look at
this yet.

Another issue she also reported another problem with integers from
sets when using jhash and numgen, actually it's again the lack of
specific endianess of integer_type that is causing the problem so it
is not specific of the new expression.

 # nft --debug=netlink add rule x y meta mark set meta cpu map { 0 : 1, 1 : 2 }
 __map%d x b
 __map%d x 0
        element 00000000  : 00000001 0 [end]    element 01000000  : 00000002 0 [end]
                                                        ^^^^^^^^

note this is also in the wrong byteorder. This one, I'm working on it.

Re: [PATCH nft 2/2] doc: payload and conntrack statement

[Florian Westphal]

Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Fri, Sep 09, 2016 at 12:16:56AM +0200, Florian Westphal wrote:
> > Signed-off-by: Florian Westphal <fw@strlen.de>
> 
> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
> 
> BTW, related to payload mangling, Laura sent me this report:
> 
> When adding this rule:
> 
>   # nft add rule netdev filter ingress \
>         ip daddr 192.168.0.92 tcp dport 80 \
>         ether daddr set 00:03:2d:2b:74:ec fwd to enp3s0
> 
> The listing shows:
> 
>   # nft list ruleset
>   table netdev filter {
>       chain ingress {
>          type filter hook ingress device enp0s25 priority 0; policy accept;
>          ip daddr 192.168.0.92 tcp dport http ether daddr set ec:74:2b:2d:03:00 fwd to "enp3s0"
>                                                               ^^^^^^^^^^^^^^^^^
> 
> Note that the MAC address is reversed, probably something wrong in the
> delinearize path. In case you have some spare cycle, I didn't look at
> this yet.

Too late for now, but it looks like the postprocessing
for payload statements does not set byteorder of the immediate value
(its 0/undefined).

For ip addresses this doesn't matter as 0 is treated like BIG_ENDIAN.
But ether_addr is set as HOST_ENDIAN.

The normal payload expression path contains conversion calls for this
case:

if (tmp->byteorder == BYTEORDER_HOST_ENDIAN)
           mpz_switch_byteorder(tmp->value, tmp->len / BITS_PER_BYTE);

Will check more later today.