The netlink layer sits in between the mnl and the rule layers, remove
it. We can remove alloc_nftnl_chain() and consolidate infrastructure in
the src/mnl.c file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The netlink layer sits in between the mnl and the rule layers, remove
it. We can remove alloc_nftnl_table() and consolidate infrastructure in
the src/mnl.c file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Fri, 24 Aug 2018 11:26:57 +0000 (13:26 +0200)]
parser_bison: Fix for ECN keyword in LHS of relational
Of all possible TCP flags, 'ecn' is special since it is recognized by
lex as a keyword (there is a a field in IPv4 and IPv6 headers with the
same name). Therefore it is listed in keyword_expr, but that was
sufficient for RHS only. The following statement reproduces the issue:
| tcp flags & (syn | ecn) == (syn | ecn)
The solution is to limit binop expressions to accept an RHS expression
on RHS ("real" LHS expressions don't make much sense there anyway),
which then allows keyword_expr to occur there. In order to maintain the
recursive behaviour if braces are present, allow primary_rhs_expr to
consist of a basic_rhs_expr enclosed in braces. This in turn requires
for braced RHS part in relational_expr to be dropped, otherwise bison
complains about shift/reduce conflict.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This function overrides the left pointer. Instead update this function
to return the range that we found to enclose the left element. Note that
we may not find a closing right element - therefore, it is a standalone
element - in that case this function returns NULL.
Reported-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
segtree: bogus range via get set element on existing elements
table ip x {
set y {
type inet_service
flags interval
elements = { 10, 20-30, 40, 50-60 }
}
}
# nft get element x y { 20-40 }
table ip x {
set y {
type inet_service
flags interval
elements = { 20-40 }
}
}
20 and 40 exist in the tree, but they are part of different ranges.
This patch adds a new get_set_decompose() function to validate that the
left and the right side of the range.
Reported-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Tue, 25 Sep 2018 12:24:16 +0000 (14:24 +0200)]
tests: shell: Improve performance of 0021prio_0
This test called nft binary 391 times and took about 38s to complete on
my testing VM. Improve this by writing all commands into a temporary
file for processing in a single nft call. Reduces run-time to about 4s.
Interestingly, piping the sub-process's output directly into 'nft -f -'
leads to spurious errors (parser complaining about perfectly fine
syntax). It seems like handling large input this way is not possible.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
Phil Sutter [Tue, 25 Sep 2018 12:24:15 +0000 (14:24 +0200)]
tests: shell: Improve gen_chains() in 0021prio_0
Enhance the function to accept an optional fourth parameter specifying
the device name, then use it for netdev family. Also remove dubled empty
lines and instead put together what belongs together.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
Phil Sutter [Tue, 25 Sep 2018 12:24:14 +0000 (14:24 +0200)]
tests: shell: Drop one-time use variables in 0021prio_0
There is really no point in declaring a variable which is used just
once. Also mark function local variables as such to make sure they don't
overwrite global ones.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
Phil Sutter [Tue, 25 Sep 2018 12:24:12 +0000 (14:24 +0200)]
parser_bison: Fix for chain prio name 'out'
Since 'out' is defined as a keyword in scanner.l, using it as a chain
priority name without quotes is not possible. Fix this by introducing
'extended_prio_name' in bison which may be either a string (as before)
or OUT, which is then converted into a string.
Fixes: c8a0e8c90e2d1 ("src: Set/print standard chain prios with textual names") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
evaluate: throw distinct error if map exists but contains no objects
nft would throw misleading error in case map exists but doesn't contain
expected objects.
nft add rule filter in ct helper set tcp dport map @foo
Error: Expression is not a map
add rule filter in ct helper set tcp dport map @foo
^^^^
nft list table filter
table ip filter {
map foo {
type inet_service : ifname
}
...
clarify this.
Reported-by: Christian Göttsche <cgzones@googlemail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
Phil Sutter [Fri, 14 Sep 2018 09:00:23 +0000 (11:00 +0200)]
doc: Review man page building in Makefile.am
Previously, changes to any of the included adoc snippets in nft.txt were
not detected and hence the man page not updated (unless 'make clean' was
called). It seems like the '.txt.8' target only considers foo.txt when
trying to generate foo.8, so get rid of that and introduce a dedicated
target for nft.8.
While doing so, apply a few other minor changes:
* Although nft.8 target has to list all included adoc snippets as a
dependency, it is sufficient to call a2x with the main one (i.e.,
nft.txt) only.
* Keep common a2x parameters in a variable.
* Use ${A2X} everywhere and hide all calls behind ${AM_V_GEN}, not just
the one for nft.8.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Fri, 14 Sep 2018 09:00:14 +0000 (11:00 +0200)]
nft.8: Update meta pkt_type value description
Commit 8a7f6de536408 ("meta: fix pkttype name and add 'other' symbol")
deprecated pkt_type value 'unicast' (for it being misleading) and
introduced 'host' and 'other' but it did not update documentation
accordingly. Fix this by replacing 'unicast' with 'host' in
documentation and adding 'other'.
While being at it, make sure these literal values are recognized as
such: Put them in all lower-case (as required by the parser) and in bold
font (to stand out a bit more).
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Tue, 11 Sep 2018 20:14:25 +0000 (22:14 +0200)]
json: Make inet_service_type_json() respect literal level
This brings inet_service_type_json() on par with
inet_service_type_print(). Despite datatype_print()'s ability to use the
'print' callback, a dedicated 'json' callback is required to make port
numbers appear as numbers in JSON output instead of strings. Therefore
go with a bit of code duplication here.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
Phil Sutter [Tue, 11 Sep 2018 20:14:24 +0000 (22:14 +0200)]
json: Fix datatype_json() for literal level
If a datatype doesn't provide a 'json' callback, datatype_json() uses
fmemopen() to grab the output from 'print' callback. When doing so,
reuse the existing output context instead of creating a dedicated one to
make sure all output-related settings are exactly as expected.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
Phil Sutter [Wed, 29 Aug 2018 14:33:38 +0000 (16:33 +0200)]
tests/py: Check differing rule output for sanity
If an added rule's listing differs from the input (either expected or
not), reinsert that output and check payload again to make sure the
asymmetry doesn't lead to (internal) changes in ruleset.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
yields:
Error: can not use variable sized data types (integer) in concat expressions
icmpv6 type . icmpv6 code @in_icmpv6_types
~~~~~~~~~~~~~~^^^^^^^^^^^
Change 'code' type to the icmp/icmpv6 code type.
Needs minor change to test suite as nft will now display
human-readable names instead of numeric codes.
Phil Sutter [Wed, 29 Aug 2018 14:33:39 +0000 (16:33 +0200)]
tests/py: Make nft-test.py a little more robust
When adding a new test, missing payload file causes nft-test.py to choke
due to accessing undeclared variables. Fix this by making sure relevant
variables are declared outside of try-catch blocks.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Harsha Sharma [Mon, 13 Aug 2018 23:06:56 +0000 (01:06 +0200)]
src: add ct timeout support
This patch adds support for adding, listing and deleting ct timeout
objects which can be assigned via rule to assign connection tracking
timeout policies via objref infrastructure.
Note: Original patch has been rework to use fixed size array for
timeouts and to validate timeout policy from the evaluation phase, once
we have access to the layer 4 protocol number. --pablo
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Wed, 29 Aug 2018 14:25:09 +0000 (16:25 +0200)]
parser_json: Fix crash in error reporting
When trying to add a chain to a non-existing table, error reporting
tries to dereference indesc pointer of the table's location. Hence make
sure the latter is initialized correctly.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Wed, 29 Aug 2018 14:23:28 +0000 (16:23 +0200)]
JSON: Add metainfo object to all output
Right now this object merely contains the nftables version and release
name as well as a JSON schema version, but it could be extended
arbitrarily. In the future, this will also allow for non-compatible
schema changes should the need for this arise.
Adjust the parser to accept metainfo objects and make it verify
json_schema_version to be less than or equal to the one hard-coded in
the library.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Wed, 29 Aug 2018 14:23:23 +0000 (16:23 +0200)]
JSON: Review verdict statement and expression
Change jump and goto verdicts to become extensible by dedicating an
object for the target parameter.
While being at it, drop break and queue verdict expressions since they
don't seem to exist, no idea where I got those from in the first place.
For queue, there is a dedicated expression at least.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Wed, 29 Aug 2018 14:23:22 +0000 (16:23 +0200)]
JSON: Make meta statement/expression extensible
Lessons learned from fwd statement: We must not assume a given
statement/expression may not receive further properties in the future.
Therefore make meta value an object with a property "key" instead of
just a string containing the key name.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Wed, 29 Aug 2018 14:23:21 +0000 (16:23 +0200)]
doc: Review libnftables-json.adoc
Drop the bits for TABLE from synopsis section - adding the remaining
objects there as well is tedious and tends to become unreadable. Instead
assume that readers will find the objects' descriptions in their
sections.
Also fix JSON syntax in many objects: The properties are enclosed in an
object, of course.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Wed, 29 Aug 2018 14:23:20 +0000 (16:23 +0200)]
doc: Improve example in libnftables-json(5)
The introductory example was a bit flawed in that the third command
('list ruleset') wouldn't yield expected results due to all three
commands ending in a single transaction and therefore the changes of the
first two commands were not committed yet at the time ruleset was
listed.
Instead demonstrate adding a chain and a rule to the new table.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Fri, 24 Aug 2018 11:35:37 +0000 (13:35 +0200)]
doc: Document implicit dependency creation for icmp/icmpv6
As suggested at NFWS, the implicit nfproto dependencies generated by
icmp/icmpv6 header field matches should be documented along with how to
achieve matching on unusual packets.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Wed, 29 Aug 2018 09:37:40 +0000 (11:37 +0200)]
src: tproxy: relax family restrictions
evaluation step currently prohibits
tproxy ip to 1.2.3.4 in ip family, and
tproxy ip6 to dead::1 in ip6.
This seems an arbitrary limitation, just accept this.
The current restriction would make json output support harder than needed,
as the tproxy expression generated from json path would have to
special-case the table its currently in, rather than just using the
family attribute in the json output.
We obviously still reject the family in case it mismatches
the table family (e.g., can't use ip address in ip6 table).
Phil Sutter [Tue, 28 Aug 2018 20:26:56 +0000 (22:26 +0200)]
json: Fix compile error
Commit 9e45a28ca467f ("src: honor /etc/services") broke compiling with
JSON support enabled: inet_service_type_print() is not suited for
converting inet_service datatype into JSON at all.
In order to avoid having to replicate the port value resolving into
human-readable name in inet_service_type_json(), just return a numeric
value. At least for JSON output, this probably makes most sense either
way since the output is expected to be parsed by scripts which have an
easier time with numers than names anyway.
Fixes: 9e45a28ca467f ("src: honor /etc/services") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ccc5da470e76 ("datatype: Replace getnameinfo() by internal lookup table") f0f99006d34b ("datatype: Replace getaddrinfo() by internal lookup table")
so /etc/services is used to interpret service names, eg.
# nft add rule x y tcp dport \"ssh\"
Then, listing looks like:
# nft list ruleset -l
table x {
chain y {
...
tcp dport "ssh"
}
}
Major changes with regards to the original approach are:
1) Services are displayed in text via `-l' option.
2) Services are user-defined, just like mappings in /etc/iproute2/*
files and connlabel.conf, so they are displayed enclosed in quotes.
Note that original service name code was broken since it parses both udp
and tcp service names but it only displays tcp services names as
literal. This is because NI_DGRAM is missing. This patch makes nft falls
back on udp services if no literal was found in the initial tcp service
name query. Proper way to handle would be to add infrastructure to store
protocol context information in struct output_ctx.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Máté Eckl [Thu, 23 Aug 2018 10:51:07 +0000 (12:51 +0200)]
src: Make invalid chain priority error more specific
So far if invalid priority name was specified the error message referred
to the whole chain/flowtable specification:
nft> add chain ip x h { type filter hook prerouting priority first; }
Error: 'first' is invalid priority in this context.
add chain ip x h { type filter hook prerouting priority first; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
With this patch this reference is made specific to the priority
specification:
nft> add chain ip x h { type filter hook prerouting priority first; }
Error: 'first' is invalid priority in this context.
add chain ip x h { type filter hook prerouting priority first; }
^^^^^^^^^^^^^^
`prio_spec` is also reused to keep naming intuitive. The parser section
formerly named `prio_spec` is renamed to `int_num` as it basically
provides the mathematical set of integer numbers.
Signed-off-by: Máté Eckl <ecklm94@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: integrate stateful expressions into sets and maps
The following example shows how to populate a set from the packet path
using the destination IP address, for each entry there is a counter. The
entry expires after the 1 hour timeout if no packets matching this entry
are seen.
table ip x {
set xyz {
type ipv4_addr
size 65535
flags dynamic,timeout
timeout 1h
}
chain y {
type filter hook output priority filter; policy accept;
update @xyz { ip daddr counter } counter
}
}
Similar example, that creates a mapping better IP address and mark,
where the mark is assigned using an incremental sequence generator from
0 to 1 inclusive.
table ip x {
map xyz {
type ipv4_addr : mark
size 65535
flags dynamic,timeout
timeout 1h
}
chain y {
type filter hook input priority filter; policy accept;
update @xyz { ip saddr counter : numgen inc mod 2 }
}
}
Supported stateful statements are: limit, quota, counter and connlimit.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Duncan Roe [Sat, 18 Aug 2018 02:00:59 +0000 (12:00 +1000)]
rule: Fix build failure in rule.c
Commit c8a0e8c90 added #include <linux/netfilter_bridge.h> but that header needs
the definition of IFNAMSIZ from <net/if.h>
Sample build failure:
CC evaluate.lo
In file included from ../include/linux/netfilter_bridge.h:10:0,
from rule.c:32:
/usr/include/linux/if_pppox.h:42:20: error: 'IFNAMSIZ' undeclared here (not in a function)
char dev[IFNAMSIZ]; /* Local device to use */
^
Makefile:687: recipe for target 'rule.lo' failed
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This adds unnecessary complexity to our build infrastructure. People can
just manually generate them in PDF in case they need too. So let's keep
it simple and remove this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Mon, 13 Aug 2018 16:58:57 +0000 (18:58 +0200)]
evaluate: reject: Allow icmpx in inet/bridge families
Commit 3e6ab2b335142 added restraints on reject types for bridge and
inet families but aparently those were too strict: If a rule in e.g.
inet family contained a match which introduced a protocol dependency,
icmpx type rejects were disallowed for no obvious reason.
Allow icmpx type rejects in inet family regardless of protocol
dependency since we either have IPv4 or IPv6 traffic in there and for
both icmpx is fine.
Merge restraints in bridge family with those for TCP reset since it
already does what is needed, namely checking that ether proto is either
IPv4 or IPv6.
Fixes: 3e6ab2b335142 ("evaluate: reject: check in bridge and inet the network context in reject") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Máté Eckl [Fri, 3 Aug 2018 08:55:33 +0000 (10:55 +0200)]
src: Set/print standard chain prios with textual names
This patch adds the possibility to use textual names to set the chain priority
to standard values so that numeric values do not need to be learnt any more for
basic usage.
Basic arithmetic can also be done with them to ease the addition of
relatively higher/lower priority chains.
Addition and substraction is possible.
Values are also printed with their friendly name within the range of
<basicprio> +- 10.
Also numeric printing is supported in case of -nnn option
(numeric == NFT_NUMERIC_ALL)
The supported name-value pairs and where they are valid is based on how
x_tables use these values when registering their base chains. (See
iptables/nft.c in the iptables repository).
Also see the compatibility matrices extracted from the man page:
Standard priority names and hook compatibility for the bridge family
┌───────┬───────┬─────────────┐
│ │ │ │
│Name │ Value │ Hooks │
├───────┼───────┼─────────────┤
│ │ │ │
│dstnat │ -300 │ prerouting │
├───────┼───────┼─────────────┤
│ │ │ │
│filter │ -200 │ all │
├───────┼───────┼─────────────┤
│ │ │ │
│out │ 100 │ output │
├───────┼───────┼─────────────┤
│ │ │ │
│srcnat │ 300 │ postrouting │
└───────┴───────┴─────────────┘
This can be also applied for flowtables wher it works as a netdev family
chain.
Example:
nft> add table ip x
nft> add chain ip x y { type filter hook prerouting priority raw; }
nft> add chain ip x z { type filter hook prerouting priority mangle + 1; }
nft> add chain ip x w { type filter hook prerouting priority dstnat - 5; }
nft> add chain ip x r { type filter hook prerouting priority filter + 10; }
nft> add chain ip x t { type filter hook prerouting priority security; }
nft> add chain ip x q { type filter hook postrouting priority srcnat + 11; }
nft> add chain ip x h { type filter hook prerouting priority 15; }
nft>
nft> add flowtable ip x y { hook ingress priority filter + 5 ; devices = {enp0s31f6}; }
nft>
nft> add table arp x
nft> add chain arp x y { type filter hook input priority filter + 5; }
nft>
nft> add table bridge x
nft> add chain bridge x y { type filter hook input priority filter + 9; }
nft> add chain bridge x z { type filter hook prerouting priority dstnat; }
nft> add chain bridge x q { type filter hook postrouting priority srcnat; }
nft> add chain bridge x k { type filter hook output priority out; }
nft>
nft> list ruleset
table ip x {
flowtable y {
hook ingress priority filter + 5
devices = { enp0s31f6 }
}
chain y {
type filter hook prerouting priority raw; policy accept;
}
chain z {
type filter hook prerouting priority mangle + 1; policy accept;
}
chain w {
type filter hook prerouting priority dstnat - 5; policy accept;
}
chain r {
type filter hook prerouting priority filter + 10; policy accept;
}
chain t {
type filter hook prerouting priority security; policy accept;
}
chain k {
type filter hook output priority out; policy accept;
}
}
nft> # Everything should fail after this
nft> add chain ip x h { type filter hook prerouting priority first; }
Error: 'first' is invalid priority in this context.
add chain ip x h { type filter hook prerouting priority first; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
nft> add chain ip x q { type filter hook prerouting priority srcnat + 11; }
Error: 'srcnat' is invalid priority in this context.
add chain ip x q { type filter hook prerouting priority srcnat + 11; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
nft> add chain arp x y { type filter hook input priority raw; }
Error: 'raw' is invalid priority in this context.
add chain arp x y { type filter hook input priority raw; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
nft> add flowtable ip x y { hook ingress priority magle; devices = {enp0s31f6}; }
Error: 'magle' is invalid priority.
add flowtable ip x y { hook ingress priority magle; devices = {enp0s31f6}; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
nft> add chain bridge x r { type filter hook postrouting priority dstnat; }
Error: 'dstnat' is invalid priority in this context.
add chain bridge x r { type filter hook postrouting priority dstnat; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
nft> add chain bridge x t { type filter hook prerouting priority srcnat; }
Error: 'srcnat' is invalid priority in this context.
add chain bridge x t { type filter hook prerouting priority srcnat; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Signed-off-by: Máté Eckl <ecklm94@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Duncan Roe [Tue, 7 Aug 2018 03:54:01 +0000 (13:54 +1000)]
doc: user niggles
- data-types.txt: "user space" -> userspace to match usage in statements.txt &
data-types.txt
- nft.txt: "an user-defined" sounds odd to a native English speaker (trust me)
so change to "a user-defined"
These patches are applied on top of Máté's previous 2, but apply fine
without them (2 occurrences of "offset -5 lines").
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Duncan Roe [Mon, 6 Aug 2018 01:14:48 +0000 (11:14 +1000)]
doc: Changes following detailed comparison with last XML version
These were found by a combination of tkdiff and side-by-side man pages
Most changes preserve or (occasionally) fix highlighting, casing or plurality.
No major omissions were found.
- data-types.txt: (Nothing special)
- nft.txt:
-- changed "`nft' stands for Netfilter" back to "`nf' stands for Netfilter"
-- removed mysterious plus sign
- payload-expression.txt:
-- XML had MTU as 16-bit so changed back from 32. Is that correct?
- primary-expression.txt: (Nothing special)
- statements.txt: (Nothing special)
This patch does not address any of the following observations:
1. Title has changed from nft to NFT
2. There is no attempt at justification.
3. There is no attempt at hyphenation.
4. Long lines of code now wrap instead of indenting nicely.
See e.g. "tcp option" line under EXTENSION HEADER EXPRESSIONS
5. Tables have a lot of empty lines in them.
6. Occasionally there is severe wrapping,
e.g. under CHAINS see add/create/delete/&c. which wrap at about cc40.
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Duncan Roe [Sat, 4 Aug 2018 08:54:04 +0000 (18:54 +1000)]
doc: Miscellaneous spelling fixes
These were found by ispell -p ./ispell_nft *.txt in nftables/doc.
- ispell.nft: Added some new words
- nft.txt: (nothing special)
- payload-expression.txt: lengthbits and offsetbits were run together
before the conversion to .txt, but the conversion lost the underlining
- primary-expression.txt: ispell suggested rtclassid instead of rtlclassid,
which agres with previous usage
- stateful-objects.txt: (nothing special)
- statements.txt: nonbase chains changed back to non-base chains as it used to
be
projects / thirdparty / nftables.git / log
