netfilter-devel.vger.kernel.org archive mirror
* [PATCH 0/3] Minor documentation improvements
@ 2021-03-07  9:51 Simon Ruderich
From: Simon Ruderich @ 2021-03-07  9:51 UTC (permalink / raw)
  To: simon, netfilter-devel

Hello,

while reading the nft man page I noticed a few minor things which
should be improved by the following patches.

Regards
Simon

Simon Ruderich (3):
  doc: add * to include example to actually include files
  doc: remove duplicate tables in synproxy example
  doc: move drop rule on a separate line in the blackhole example

 doc/nft.txt        |  2 +-
 doc/statements.txt | 20 +++-----------------
 2 files changed, 4 insertions(+), 18 deletions(-)

-- 
2.30.1



* [PATCH 1/3] doc: add * to include example to actually include files
From: Simon Ruderich @ 2021-03-07  9:51 UTC (permalink / raw)
  To: simon, netfilter-devel

"/etc/firewall/rules/" causes no error but also doesn't include any
files contained in the directory.

Signed-off-by: Simon Ruderich <simon@ruderich.org>
---
 doc/nft.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/nft.txt b/doc/nft.txt
index 32261e26..e4f32179 100644
--- a/doc/nft.txt
+++ b/doc/nft.txt
@@ -153,7 +153,7 @@ directory via the *-h*/*--help* option. +
 Include statements support the usual shell wildcard symbols (*,?,[]). Having no
 matches for an include statement is not an error, if wildcard symbols are used
 in the include statement. This allows having potentially empty include
-directories for statements like **include "/etc/firewall/rules/"**. The wildcard
+directories for statements like **include "/etc/firewall/rules/*"**. The wildcard
 matches are loaded in alphabetical order. Files beginning with dot (.) are not
 matched by include statements.
 
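Review bot: the corrected example now puts a bare `*` inside asciidoc's `**...**` strong markup (`**include "/etc/firewall/rules/*"**`), so please check the rendered man page to make sure the lone asterisk does not terminate or break the bold span; if it does, escaping it (or switching the example to a literal/monospace span) keeps the `*` visible, which is the whole point of the fix. The change itself is right: without the trailing `*` the statement names a directory, not a glob, and as the surrounding text explains only wildcard matches make an empty result a non-error.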
-- 
2.30.1



* [PATCH 2/3] doc: remove duplicate tables in synproxy example
From: Simon Ruderich @ 2021-03-07  9:51 UTC (permalink / raw)
  To: simon, netfilter-devel

The "outcome ruleset" is the same as the two tables in the example.
Don't duplicate this information which just wastes space in the
documentation and can confuse the reader (it took me a while to realize
the tables are the same).

In addition, use the same table name for both tables to make it clear
that they can be the same. They will be merged in the resulting ruleset.

Signed-off-by: Simon Ruderich <simon@ruderich.org>
---
 doc/statements.txt | 17 +----------------
 1 file changed, 1 insertion(+), 16 deletions(-)

diff --git a/doc/statements.txt b/doc/statements.txt
index aac7c7d6..7bb538a9 100644
--- a/doc/statements.txt
+++ b/doc/statements.txt
@@ -567,28 +567,13 @@ drop incorrect cookies. Flags combinations not expected during  3WHS will not
 match and continue (e.g. SYN+FIN, SYN+ACK). Finally, drop invalid packets, this
 will be out-of-flow packets that were not matched by SYNPROXY.
 
-    table ip foo {
+    table ip x {
             chain z {
                     type filter hook input priority filter; policy accept;
                     ct state { invalid, untracked } synproxy mss 1460 wscale 9 timestamp sack-perm
                     ct state invalid drop
             }
     }
-
-The outcome ruleset of the steps above should be similar to the one below.
-
-	table ip x {
-		chain y {
-			type filter hook prerouting priority raw; policy accept;
-	                tcp flags syn notrack
-		}
-
-		chain z {
-			type filter hook input priority filter; policy accept;
-	                ct state { invalid, untracked } synproxy mss 1460 wscale 9 timestamp sack-perm
-		        ct state invalid drop
-	        }
-	}
 ---------------------------------------
 
 FLOW STATEMENT
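Review bot: after this hunk the document no longer says anywhere that the two snippets are merged into one table; that point now lives only in the commit message, so suggest adding a sentence before the closing `---------------------------------------` line such as "Both snippets declare `table ip x`; nft merges them into a single table with chains y and z when loaded." Also note that the deleted consolidated view was the only place in this hunk showing the `chain y` prerouting rule (`tcp flags syn notrack`), so please confirm the earlier snippet outside this hunk still carries it, otherwise the example loses the notrack step that the synproxy rule depends on. Renaming `foo` to `x` is a good consistency fix.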
-- 
2.30.1



* [PATCH 3/3] doc: move drop rule on a separate line in blackhole example
From: Simon Ruderich @ 2021-03-07  9:51 UTC (permalink / raw)
  To: simon, netfilter-devel

At first I overlooked the "drop". Putting it on a separate line makes it
more visible and also details the separate steps of this rule.

Signed-off-by: Simon Ruderich <simon@ruderich.org>
---
 doc/statements.txt | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/doc/statements.txt b/doc/statements.txt
index 7bb538a9..0973e5ef 100644
--- a/doc/statements.txt
+++ b/doc/statements.txt
@@ -712,7 +712,8 @@ nft add rule ip filter input ip saddr @blackhole counter drop
 # requests occurred per second and ip address.
 nft add rule ip filter input tcp flags syn tcp dport ssh \
     add @flood { ip saddr limit rate over 10/second } \
-    add @blackhole { ip saddr } drop
+    add @blackhole { ip saddr } \
+    drop
 
 # inspect state of the sets.
 nft list set ip filter flood
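Review bot: the split is fine for shell (the trailing `\` continues the command), but the first rule shown in the hunk header, `ip saddr @blackhole counter drop`, still keeps `drop` inline, so the two examples now use different layouts; that is acceptable for the long rule, which is the hard-to-read one, but a one-line comment above it saying that the set updates and the `drop` only apply when the rate limit in `@flood` is exceeded would make the "separate steps" the commit message mentions explicit to the reader.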
-- 
2.30.1



* Re: [PATCH 0/3] Minor documentation improvements
From: Pablo Neira Ayuso @ 2021-03-09  1:43 UTC (permalink / raw)
  To: Simon Ruderich; +Cc: netfilter-devel

On Sun, Mar 07, 2021 at 10:51:33AM +0100, Simon Ruderich wrote:
> Hello,
> 
> while reading the nft man page I noticed a few minor things which
> should be improved by the following patches.

Applied, thanks.
