Signed-off-by: Florian Westphal <fw@xxxxxxxxx> --- doc/nft.xml | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) diff --git a/doc/nft.xml b/doc/nft.xml index 6748265c8ae8..bddc527f19a7 100644 --- a/doc/nft.xml +++ b/doc/nft.xml 
@@ -3757,6 +3757,65 @@ inet filter output rt ip6 nexthop fd00::1 </table> </para> </refsect2> + <refsect2> + <title>Raw payload expression</title> + <para> + <cmdsynopsis> + <command>@</command> + <arg opt="req"><replaceable>base,offset,length</replaceable></arg> + </cmdsynopsis> + </para> + + The raw payload expression instructs to load <replaceable>length</replaceable>bits starting at <replaceable>offset</replaceable>bits. + Bit 0 refers the the very first bit -- in the C programming language, this corresponds to the topmost bit, i.e. 0x80 in case of an octet. + They are useful to match headers that do not have a human-readable template expression yet. + Note that nft will not add dependencies for Raw payload expressions. + If you e.g. want to match protocol fields of a transport header with protocol number 5, you need to manually + exclude packets that have a different transport header, for instance my using <literal>meta l4proto 5</literal> before + the raw expression. + + <table frame="all"> + <title>Supported payload protocol bases</title> + <tgroup cols="2" align="left" colsep="1" rowsep="1"> + <colspec colname="c1"/> + <colspec colname="c2"/> + <thead> + <row> + <entry>Base</entry> + <entry>Description</entry> + </row> + </thead> + <tbody> + <row> + <entry>ll</entry> + <entry>Link layer, for example the ethernet header</entry> + </row> + <row> + <entry>nh</entry> + <entry>Network header, for example IPv4 or IPv6</entry> + </row> + <row> + <entry>th</entry> + <entry>Transport Header, for example TCP</entry> + </row> + </tbody> + </tgroup> + </table> + <para> + <example> + <title>Matching destination port of both UDP and TCP</title> + <programlisting> +inet filter input meta l4proto {tcp, udp} @th,16,16 { dns, http } + </programlisting> + </example> + <example> + <title>Rewrite arp packet target hardware address if target protocol address matches a given address</title> + <programlisting> +input meta iifname enp2s0 arp ptype 0x0800 arp htype 1 arp hlen 6 arp 
plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566 accept + </programlisting> + </example> + </para> + </refsect2> <refsect2> <title>Extension header expressions</title> -- 2.16.1 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
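Review bot: the descriptive text that follows the cmdsynopsis para (from "The raw payload expression instructs to load" through the "meta l4proto 5" sentence) and the "Supported payload protocol bases" table are placed directly inside the new refsect2 instead of inside a para; refsect2 does not allow bare text, and the existing sections keep their tables inside a para (see the `</table> </para> </refsect2>` that closes the preceding rt section), so wrap that text and the table in `<para>...</para>` for consistency. In the synopsis, `<arg opt="req">` should be `<arg choice="req">`: DocBook's arg element has a choice attribute, not opt. Wording in the same block: "load <replaceable>length</replaceable>bits" and "<replaceable>offset</replaceable>bits" need a space before "bits"; "Bit 0 refers the the very first bit" should read "refers to the very first bit"; "They are useful" should be "It is useful" since the subject is the singular expression; "for instance my using" should be "for instance by using"; and "instructs to load" reads better as "loads". The second example lacks the family and table prefix that the first example carries ("inet filter input ..."), so "input meta iifname enp2s0 arp ptype ..." cannot be pasted into nft as written; it should name the arp table and chain it belongs to. The offsets themselves check out against the header layouts: @th,16,16 is the destination port for both TCP and UDP, and in the ARP header @nh,192,32 is the target protocol address and @nh,144,48 the target hardware address, which matches the example titles.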