Signed-off-by: Phil Sutter <p...@nwl.cc> --- doc/nft.xml | 230 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 230 insertions(+)
diff --git a/doc/nft.xml b/doc/nft.xml
index 91b9bb378c80a..3ef88a79efd70 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -1921,6 +1921,232 @@ filter output icmpv6 type { echo-request, echo-reply }
</programlisting>
</example>
</refsect2>
+ <refsect2>
+ <title>Conntrack types</title>
+ <para>
+ This is an overview of types used in
<command>ct</command>
+ expression and statement:
+ <table frame="all">
+ <tgroup cols="4" align="left"
colsep="1" rowsep="1">
+ <colspec colname="c1"/>
+ <colspec colname="c2"/>
+ <colspec colname="c3"/>
+ <colspec colname="c4"/>
+ <thead>
+ <row>
+
<entry>Name</entry>
+
<entry>Keyword</entry>
+
<entry>Size</entry>
+ <entry>Base
type</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+
<entry>conntrack state</entry>
+
<entry>ct_state</entry>
+ <entry>4
byte</entry>
+
<entry>bitmask</entry>
+ </row>
+ <row>
+
<entry>conntrack direction</entry>
+
<entry>ct_dir</entry>
+ <entry>8
bit</entry>
+
<entry>integer</entry>
+ </row>
+ <row>
+
<entry>conntrack status</entry>
+
<entry>ct_status</entry>
+ <entry>4
byte</entry>
+
<entry>bitmask</entry>
+ </row>
+ <row>
+
<entry>conntrack event bits</entry>
+
<entry>ct_event</entry>
+ <entry>4
byte</entry>
+
<entry>bitmask</entry>
+ </row>
+ <row>
+
<entry>conntrack label</entry>
+
<entry>ct_label</entry>
+ <entry>128
bit</entry>
+
<entry>bitmask</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ </para>
+ <para>
+ For each of the types above, keywords are
available for convenience:
+ <table frame="all">
+ <title>conntrack state
(ct_state)</title>
+ <tgroup cols="2" align="left"
colsep="1" rowsep="1">
+ <colspec colname="c1"/>
+ <colspec colname="c2"/>
+ <thead>
+ <row>
+
<entry>Keyword</entry>
+
<entry>Value</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+
<entry>invalid</entry>
+ <entry>1</entry>
+ </row>
+ <row>
+
<entry>established</entry>
+ <entry>2</entry>
+ </row>
+ <row>
+
<entry>related</entry>
+ <entry>4</entry>
+ </row>
+ <row>
+
<entry>new</entry>
+ <entry>8</entry>
+ </row>
+ <row>
+
<entry>untracked</entry>
+
<entry>64</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ <table frame="all">
+ <title>conntrack direction
(ct_dir)</title>
+ <tgroup cols="2" align="left"
colsep="1" rowsep="1">
+ <colspec colname="c1"/>
+ <colspec colname="c2"/>
+ <thead>
+ <row>
+
<entry>Keyword</entry>
+
<entry>Value</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+
<entry>original</entry>
+ <entry>0</entry>
+ </row>
+ <row>
+
<entry>reply</entry>
+ <entry>1</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ <table frame="all">
+ <title>conntrack status
(ct_status)</title>
+ <tgroup cols="2" align="left"
colsep="1" rowsep="1">
+ <colspec colname="c1"/>
+ <colspec colname="c2"/>
+ <thead>
+ <row>
+
<entry>Keyword</entry>
+
<entry>Value</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+
<entry>expected</entry>
+ <entry>1</entry>
+ </row>
+ <row>
+
<entry>seen-reply</entry>
+ <entry>2</entry>
+ </row>
+ <row>
+
<entry>assured</entry>
+ <entry>4</entry>
+ </row>
+ <row>
+
<entry>confirmed</entry>
+ <entry>8</entry>
+ </row>
+ <row>
+
<entry>snat</entry>
+
<entry>16</entry>
+ </row>
+ <row>
+
<entry>dnat</entry>
+
<entry>32</entry>
+ </row>
+ <row>
+
<entry>dying</entry>
+
<entry>512</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ <table frame="all">
+ <title>conntrack event bits
(ct_event)</title>
+ <tgroup cols="2" align="left"
colsep="1" rowsep="1">
+ <colspec colname="c1"/>
+ <colspec colname="c2"/>
+ <thead>
+ <row>
+
<entry>Keyword</entry>
+
<entry>Value</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+
<entry>new</entry>
+ <entry>1</entry>
+ </row>
+ <row>
+
<entry>related</entry>
+ <entry>2</entry>
+ </row>
+ <row>
+
<entry>destroy</entry>
+ <entry>4</entry>
+ </row>
+ <row>
+
<entry>reply</entry>
+ <entry>8</entry>
+ </row>
+ <row>
+
<entry>assured</entry>
+
<entry>16</entry>
+ </row>
+ <row>
+
<entry>protoinfo</entry>
+
<entry>32</entry>
+ </row>
+ <row>
+
<entry>helper</entry>
+
<entry>64</entry>
+ </row>
+ <row>
+
<entry>mark</entry>
+
<entry>128</entry>
+ </row>
+ <row>
+
<entry>seqadj</entry>
+
<entry>256</entry>
+ </row>
+ <row>
+
<entry>secmark</entry>
+
<entry>512</entry>
+ </row>
+ <row>
+
<entry>label</entry>
+
<entry>1024</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ <para>
+ Possible keywords for conntrack label
type
+ (<command>ct_label</command>) are read
at runtime from
+ <literal>/etc/connlabel.conf</literal>.
+ </para>
+ </para>
+ </refsect2>
</refsect1>
<refsect1>
@@ -3577,6 +3803,10 @@ ip6 filter input frag more-fragments 1 counter
</tgroup>
</table>
</para>
+ <para>
+ A description of conntrack-specific types
listed above can be
+ found sub-section <literal>CONNTRACK
TYPES</literal> above.
+ </para>
</refsect2>
</refsect1>
--
2.13.1
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
