From mboxrd@z Thu Jan 1 00:00:00 1970
From: Shivani Bhardwaj
Subject: [PATCH v2] doc: Complete the documentation of statements
Date: Thu, 12 May 2016 13:38:45 +0530
Message-ID: <20160512080845.GA25231@shivani>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
To: netfilter-devel@vger.kernel.org
Return-path:
Received: from mail-pf0-f195.google.com ([209.85.192.195]:35551 "EHLO mail-pf0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751552AbcELIJN (ORCPT ); Thu, 12 May 2016 04:09:13 -0400
Received: by mail-pf0-f195.google.com with SMTP id r187so6803331pfr.2 for ; Thu, 12 May 2016 01:09:12 -0700 (PDT)
Received: from shivani ([124.124.47.116]) by smtp.gmail.com with ESMTPSA id a64sm17628145pfa.6.2016.05.12.01.09.10 for (version=TLS1_2 cipher=AES128-SHA bits=128/128); Thu, 12 May 2016 01:09:11 -0700 (PDT)
Content-Disposition: inline
Sender: netfilter-devel-owner@vger.kernel.org
List-ID:

Add documentation corresponding to LOG STATEMENT, NFLOG STATEMENT, REJECT STATEMENT, COUNTER STATEMENT, META STATEMENT, LIMIT STATEMENT, NAT STATEMENT and QUEUE STATEMENT.

Signed-off-by: Shivani Bhardwaj
---
Changes in v2: Add more content to the description.

 doc/nft.xml | 259 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 258 insertions(+), 1 deletion(-)

diff --git a/doc/nft.xml b/doc/nft.xml
index e4d227c..be3a713 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -2185,37 +2185,294 @@ filter input iif eth0 drop Log statement + + log + + prefix + level + + + + The log statement enables logging of matching packets. When this statement is used from a rule, the Linux kernel will print some information on all matching packets, such as header fields, via the kernel log (where it can be read with dmesg(1) or read in the syslog). This is a non-terminating statement, so the rule evaluation continues after the packet is logged. + + LOG statement + + + + + + + Keyword + Description + Type + + + + + level + Level of logging + unsigned integer (32 bit), emerg, alert, crit, err, warn [default], notice, info, debug + + + prefix + Prefix log messages + string + + + +
+ nflog statement + + log + group + + prefix + queue-threshold + snaplen + + + + + The nflog statement provides logging of matching packets. When this statement is set for a rule, the Linux kernel will pass the packet to the loaded logging backend to log the packet. This is used in combination with nfnetlink_log as logging backend, which will multicast the packet through a netlink socket to the specified multicast group. One or more userspace processes may subscribe to the group to receive the packets. Like log statement, this is a non-terminating statement, i.e. rule traversal continues at the next rule. It is necessary to mention the group [default 0] to consider logging with nflog. + + NFLOG statement + + + + + + + Keyword + Description + Type + + + + + prefix + Prepend to log messages + string + + + group + Netlink group to send messages to + unsigned integer (32 bit) + + + snaplen + Length of payload to include in netlink message + unsigned integer (32 bit) + + + queue-threshold + Queue threshold value + unsigned integer (32 bit) + + + +
+
+
+ Reject statement + A reject statement is used to send back an error packet in response to the matched packet otherwise it is equivalent to drop so it is a terminating statement, ending rule traversal. This statement is only valid in the input, forward and output chains, and user-defined chains which are only called from those chains. + + REJECT statement (ipv4) + + + + + + + Keyword + Description + Type + + + + + with icmp type + ICMP response to be sent to the host + unsigned integer (8 bit), net-unreachable, host-unreachable, prot-unreachable, port-unreachable [default], net-prohibited, host-prohibited, admin-prohibited + + + with + Used on rules which only match the TCP + tcp reset + + + +
+ + REJECT statement (ipv6) + + + + + + + Keyword + Description + Type + + + + + with icmpv6 type + ICMP6 response to be sent to the host + unsigned integer (8 bit), no-route, admin-prohibited, addr-unreachable, port-unreachable [default], policy-fail, reject-route + + + with + Used on rules which only match the TCP + tcp reset + + + +
Counter statement + A counter statement sets the hit count of packets along with the number of bytes. Meta statement + A meta statement sets the value of a meta expression. + The existing meta fields are: length, nfproto, l4proto, protocol, priority, mark, iif, iifname, iiftype, oif, oifname, oiftype, skuid, skgid, nftrace, rtclassid, ibriport, obriport, pkttype, cpu, iifgroup, oifgroup, cgroup. + + limit + + rate + burst + + + Limit statement + A limit statement is used to set a specified limit attribute. + + Limit statement + + + + + + + Keyword + Description + Type + + + + + rate + Maximum average matching rate + size (bytes, kbytes, mbytes)/time (second, minute, hour, day, week) + + + burst + Maximum initial number of packets + packets, size (bytes, kbytes, mbytes) + + + +
- + NAT statement + + + snat + dnat + + flags + + The nat statement is only valid in the nat table. It specifies that the source/destination address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. + + + + NAT statement + + + + + + + Keyword + Description + Type + + + + + snat + Specifies that the source address of the packet should be modified + ipv4 address/ipv6 address + + + dnat + Specifies that the destination address of the packet should be modified + ipv4 address/ipv6 address + + + flags + Flags + random, fully-random, persistent + + + +
Queue statement + + Queue statement + + + + + + + Keyword + Description + Type + + + + + num + Sets queue number + unsigned integer (16 bit) + + + flags + Flags + bypass, fanout + + + total + Sets total load-balanced queues + unsigned integer (16 bit) + + + +
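Review bot: the Queue statement section at the end of the hunk is a bare table with no synopsis and no description paragraph, unlike every other statement added here, and the one-line descriptions for counter, meta and limit are imprecise. A counter statement does not "set" a hit count; it counts the packets and bytes matched by the rule, and the sentence should say so. The meta paragraph says the statement "sets the value of a meta expression" and then lists every meta field, including ones that only describe the packet or the system (length, iif, iifname, skuid, cpu); a statement's documentation should list only the fields that can actually be written (mark, priority, pkttype, nftrace), the rest are match selectors. "A limit statement is used to set a specified limit attribute" says nothing about what the statement does; the table's own columns already give the wording: matches are limited to the given rate, with burst being the number of packets allowed initially above it. Two layout points in the same hunk: the limit synopsis (limit rate burst) is emitted before the "Limit statement" title, whereas log, nflog and nat put the synopsis after the title, and in both reject tables the second row has keyword "with" with its value shifted into the Type column ("tcp reset") and a truncated description ("Used on rules which only match the TCP"); "with tcp reset" / "Used on rules which only match the TCP protocol" would be consistent with the "with icmp type" row above it. Finally, "only valid in the nat table" should read "only valid in chains of type nat", since the chain type, not the table name, is what the kernel checks.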
-- 1.9.1