This replaces the numbers with the matching symbolic names with one exception: The NAT example used "priority 0" for the prerouting priority. This is replaced by "dstnat" which has priority -100 which is the new recommended priority. Also use spaces instead of tabs for consistency in lines which require updates.
Signed-off-by: Simon Ruderich <simon@xxxxxxxxxxxx>
---
Hello,
this is mostly similar to my RFC patch with a slightly updated commit message and additional whitespace changes. Now that my confusion is mostly lifted this change looks fine to me.
Regards
Simon
 doc/nft.txt | 4 ++--
 doc/primary-expression.txt | 8 ++++----
 doc/statements.txt | 18 +++++++++---------
 3 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/doc/nft.txt b/doc/nft.txt
index e4f32179..55747036 100644
--- a/doc/nft.txt
+++ b/doc/nft.txt
@@ -319,7 +319,7 @@ nft --interactive
 create table inet mytable
 
 # add a new base chain: get input packets
-add chain inet mytable myin { type filter hook input priority 0; }
+add chain inet mytable myin { type filter hook input priority filter; }
 
 # add a single counter to the chain
 add rule inet mytable myin counter
@@ -487,7 +487,7 @@ nft add rule ip filter output ip daddr 192.168.0.0/24 accept
 # nft -a list ruleset
 table inet filter {
 chain input {
- type filter hook input priority 0; policy accept;
+ type filter hook input priority filter; policy accept;
 ct state established,related accept # handle 4
 ip saddr 10.1.1.1 tcp dport ssh accept # handle 5
 ...
diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index e87e8cc2..c24e2636 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -221,7 +221,7 @@ boolean (1 bit)
 # exactly what you want).
 table inet x {
 chain y {
- type filter hook prerouting priority -150; policy accept;
+ type filter hook prerouting priority mangle; policy accept;
 socket transparent 1 socket wildcard 0 mark set 0x00000001 accept
 }
 }
@@ -229,7 +229,7 @@ table inet x {
 # Trace packets that corresponds to a socket with a mark value of 15
 table inet x {
 chain y {
- type filter hook prerouting priority -150; policy accept;
+ type filter hook prerouting priority mangle; policy accept;
 socket mark 0x0000000f nftrace set 1
 }
 }
@@ -237,7 +237,7 @@ table inet x {
 # Set packet mark to socket mark
 table inet x {
 chain y {
- type filter hook prerouting priority -150; policy accept;
+ type filter hook prerouting priority mangle; policy accept;
 tcp dport 8080 mark set socket mark
 }
 }
@@ -280,7 +280,7 @@ If no TTL attribute is passed, make a true IP header and fingerprint TTL true co
 # Accept packets that match the "Linux" OS genre signature without comparing TTL.
 table inet x {
 chain y {
- type filter hook input priority 0; policy accept;
+ type filter hook input priority filter; policy accept;
 osf ttl skip name "Linux"
 }
 }
diff --git a/doc/statements.txt b/doc/statements.txt
index 0973e5ef..c1fd5e55 100644
--- a/doc/statements.txt
+++ b/doc/statements.txt
@@ -216,7 +216,7 @@ The conntrack statement can be used to set the conntrack mark and conntrack labe
 The ct statement sets meta data associated with a connection. The zone id has to be assigned before a conntrack lookup takes place, i.e. this has to be done in prerouting and possibly output (if locally generated packets need to be
-placed in a distinct zone), with a hook priority of -300.
+placed in a distinct zone), with a hook priority of *raw* (-300).
 Unlike iptables, where the helper assignment happens in the raw table, the helper needs to be assigned after a conntrack entry has been
@@ -253,11 +253,11 @@ ct mark set meta mark
 ------------------------------
 table inet raw {
 chain prerouting {
- type filter hook prerouting priority -300;
+ type filter hook prerouting priority raw;
 ct zone set iif map { "eth1" : 1, "veth1" : 2 }
 }
 chain output {
- type filter hook output priority -300;
+ type filter hook output priority raw;
 ct zone set oif map { "eth1" : 1, "veth1" : 2 }
 }
 }
@@ -278,7 +278,7 @@ packets.
 Note that for this statement to be effective, it has to be applied to packets before a conntrack lookup happens. Therefore, it needs to sit in a chain with
-either prerouting or output hook and a hook priority of -300 or less.
+either prerouting or output hook and a hook priority of -300 (*raw*) or less.
 See SYNPROXY STATEMENT for an example usage.
@@ -420,8 +420,8 @@ If used then port mapping is generated based on a 32-bit pseudo-random algorithm
 ---------------------
 # create a suitable table/chain setup for all further examples
 add table nat
-add chain nat prerouting { type nat hook prerouting priority 0; }
-add chain nat postrouting { type nat hook postrouting priority 100; }
+add chain nat prerouting { type nat hook prerouting priority dstnat; }
+add chain nat postrouting { type nat hook postrouting priority srcnat; }
 
 # translate source addresses of all packets leaving via eth0 to address 1.2.3.4
 add rule nat postrouting oif eth0 snat to 1.2.3.4
@@ -482,21 +482,21 @@ this case the rule will match for both families.
 -------------------------------------
 table ip x {
 chain y {
- type filter hook prerouting priority -150; policy accept;
+ type filter hook prerouting priority mangle; policy accept;
 tcp dport ntp tproxy to 1.1.1.1
 udp dport ssh tproxy to :2222
 }
 }
 table ip6 x {
 chain y {
- type filter hook prerouting priority -150; policy accept;
+ type filter hook prerouting priority mangle; policy accept;
 tcp dport ntp tproxy to [dead::beef]
 udp dport ssh tproxy to :2222
 }
 }
 table inet x {
 chain y {
- type filter hook prerouting priority -150; policy accept;
+ type filter hook prerouting priority mangle; policy accept;
 tcp dport 321 tproxy to :ssh
 tcp dport 99 tproxy ip to 1.1.1.1:999
 udp dport 155 tproxy ip6 to [dead::beef]:smux
-- 
2.30.1