Hi,
I hope a developer (Florian?) can weigh in on the following terminology
question:
The Linux kernel has, in include/uapi/linux/netfilter/nf_tables.h:
#define NFT_OBJECT_UNSPEC 0
#define NFT_OBJECT_COUNTER 1
#define NFT_OBJECT_QUOTA 2
#define NFT_OBJECT_CT_HELPER 3
#define NFT_OBJECT_LIMIT 4
#define NFT_OBJECT_CONNLIMIT 5
#define NFT_OBJECT_TUNNEL 6
#define NFT_OBJECT_CT_TIMEOUT 7
#define NFT_OBJECT_SECMARK 8
#define NFT_OBJECT_CT_EXPECT 9
#define NFT_OBJECT_SYNPROXY 10
#define __NFT_OBJECT_MAX 11
#define NFT_OBJECT_MAX (__NFT_OBJECT_MAX - 1)
The nft man page calls only 5 of these "stateful objects":
ct helper
ct timeout
ct expectation
counter
quota
The wiki currently calls only 2 of these "stateful objects":
counter
quota
I'm fairly sure these are the only two that allow "nft reset".
So my question is: which of the 10 objects currently in nf_tables.h are
properly called "stateful objects"? I mean, they're all named objects,
they all carry state information, they follow much (but not all) of the
same syntax...
I'm guessing that all are "stateful objects" and the presence of "reset"
is just a special feature of 2 of them. But I'll wait on editing the wiki
until getting confirmation / clarification.
Thanks,
Frank
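As an added illustration (not part of Frank's message or the kernel header), a constructed nftables ruleset that declares several of the named objects listed above with the shared `type name { ... }` declaration syntax and references them from rules by name; the object names and values are made up, and the reset commands in the trailing comments are the two the post says apply (counter and quota).

```nft
# Constructed example: named objects declared in a table and referenced
# from rules with "<type> name <object>". Names and values are invented.
table inet filter {
	# NFT_OBJECT_COUNTER: packets/bytes that hit the rule
	counter http_hits { }

	# NFT_OBJECT_QUOTA: matches once the byte budget is exceeded
	quota http_quota { over 1 gbytes }

	# NFT_OBJECT_LIMIT: token-bucket rate limit shared by the rules that name it
	limit ssh_rate { rate 10/minute burst 5 packets }

	# NFT_OBJECT_CT_HELPER: conntrack helper bound to matching flows
	ct helper ftp_std { type "ftp" protocol tcp; }

	chain input {
		type filter hook input priority filter; policy accept;

		tcp dport 80 counter name "http_hits"
		tcp dport 80 quota name "http_quota" drop
		tcp dport 22 ct state new limit name "ssh_rate" accept
		tcp dport 21 ct helper set "ftp_std"
	}
}

# Inspect all named objects of one type in the table:
#   nft list counters
#   nft list quotas
#
# Reset, as described in the post, applies to counter and quota objects:
#   nft reset counter inet filter http_hits
#   nft reset quota inet filter http_quota
```

Load with `nft -f <file>`; the `list` commands show the per-object state the post refers to, and `reset` returns the current values before zeroing them.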