Signed-off-by: Máté Eckl <ecklm94@xxxxxxxxx> --- doc/payload-expression.txt | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/doc/payload-expression.txt b/doc/payload-expression.txt index d454c95..3f47b4e 100644 --- a/doc/payload-expression.txt +++ b/doc/payload-expression.txt @@ -146,7 +146,12 @@ IPV6 HEADER EXPRESSION [verse] ip6 ['IPv6' 'header' 'field'] -This expression refers to the ipv6 header fields. Caution when using ip6 nexthdr, the value only refers to the next header, i.e. ip6 nexthdr tcp will only match if the ipv6 packet does not contain any extension headers. Packets that are fragmented or e.g. contain a routing extension headers will not be matched. Please use meta l4proto if you wish to match the real transport header and ignore any additional extension headers instead. +This expression refers to the ipv6 header fields. Caution when using ip6 +nexthdr, the value only refers to the next header, i.e. ip6 nexthdr tcp will +only match if the ipv6 packet does not contain any extension headers. Packets +that are fragmented or e.g. contain a routing extension headers will not be +matched. Please use meta l4proto if you wish to match the real transport header +and ignore any additional extension headers instead. .IPv6 header expression [options="header"] 
@@ -410,7 +415,14 @@ RAW PAYLOAD EXPRESSION [verse] *@* [base,offset,length] -The raw payload expression instructs to load lengthbits starting at offsetbits. Bit 0 refers to the very first bit -- in the C programming language, this corresponds to the topmost bit, i.e. 0x80 in case of an octet. They are useful to match headers that do not have a human-readable template expression yet. Note that nft will not add dependencies for Raw payload expressions. If you e.g. want to match protocol fields of a transport header with protocol number 5, you need to manually exclude packets that have a different transport header, for instance my using meta l4proto 5 before the raw expression. +The raw payload expression instructs to load lengthbits starting at offsetbits. +Bit 0 refers to the very first bit -- in the C programming language, this +corresponds to the topmost bit, i.e. 0x80 in case of an octet. They are useful +to match headers that do not have a human-readable template expression yet. Note +that nft will not add dependencies for Raw payload expressions. If you e.g. want +to match protocol fields of a transport header with protocol number 5, you need +to manually exclude packets that have a different transport header, for instance +my using meta l4proto 5 before the raw expression. .Support payload protocol bases [options="header"] 
@@ -524,7 +536,13 @@ CONNTRACK EXPRESSIONS ~~~~~~~~~~~~~~~~~~~~~ Conntrack expressions refer to meta data of the connection tracking entry associated with a packet. + -There are three types of conntrack expressions. Some conntrack expressions require the flow direction before the conntrack key, others must be used directly because they are direction agnostic. The *packets*, *bytes* and *avgpkt* keywords can be used with or without a direction. If the direction is omitted, the sum of the original and the reply direction is returned. The same is true for the *zone*, if a direction is given, the zone is only matched if the zone id is tied to the given direction. + +There are three types of conntrack expressions. Some conntrack expressions +require the flow direction before the conntrack key, others must be used +directly because they are direction agnostic. The *packets*, *bytes* and +*avgpkt* keywords can be used with or without a direction. If the direction is +omitted, the sum of the original and the reply direction is returned. The same +is true for the *zone*, if a direction is given, the zone is only matched if the +zone id is tied to the given direction. + [verse] *ct* {state | direction | status | mark | expiration | helper | label | l3proto | protocol | bytes | packets | avgpkt | zone} -- ecklm
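Review bot: the fourth added line of the IPV6 HEADER EXPRESSION hunk still reads "contain a routing extension headers", which pairs a singular article with a plural noun; since the paragraph is being re-wrapped anyway, change it to "contain a routing extension header" here or in a follow-up. The added text also writes "ipv6" in lower case where the synopsis line of the same section uses 'IPv6'. This is the paragraph that warns that ip6 nexthdr tcp will not match packets carrying extension headers and points to meta l4proto instead, so rule authors depend on it reading cleanly.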
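Review bot: the last added line of the RAW PAYLOAD EXPRESSION hunk keeps the typo "my using meta l4proto 5"; it should read "by using meta l4proto 5". The first added line also carries over "lengthbits starting at offsetbits", which reads as two run-together words next to the [base,offset,length] synopsis; "length bits starting at offset bits" would match it. Both sit in the passage telling the user that nft adds no dependencies for raw payload expressions and that other transport headers must be excluded by hand, so the wording there should be unambiguous.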
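Review bot: in the CONNTRACK EXPRESSIONS hunk, the sentence that starts at the end of the fifth added line, "The same is true for the *zone*, if a direction is given, ...", is a comma splice, and "The same" directly follows the statement about returning the sum of both directions, so it is unclear what is being said about the zone. Suggest splitting it, for example: "The *zone* keyword can also be used with or without a direction. If a direction is given, the zone is only matched if the zone id is tied to the given direction." The paragraph also opens with "three types" while only the direction-required and direction-agnostic cases are named before the optional-direction keywords are listed; labelling the third type explicitly would make the count easy to follow.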