From: Florian Westphal
Date: Tue, 14 Mar 2017 19:12:17 +0000 (+0100)
Subject: doc: ct zone set support
X-Git-Tag: v0.8~203
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=97933e171acf870fd4e2296a87d8118e0f844aaf;p=thirdparty%2Fnftables.git
doc: ct zone set support
Signed-off-by: Florian Westphal
---
diff --git a/doc/nft.xml b/doc/nft.xml
index de86d2a18..8ea280417 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -3347,6 +3347,7 @@ ip6 filter output log flags all
mark label
+ zone set value
@@ -3354,10 +3355,14 @@ ip6 filter output log flags all
The ct statement sets meta data associated with a connection.
+ The zone id has to be assigned before a conntrack lookup takes place,
+ i.e. this has to be done in prerouting and possibly output (if locally
+ generated packets need to be placed in a distinct zone), with a hook
+ priority of -300.
- Meta statement types
+ Conntrack statement types
@@ -3380,6 +3385,12 @@ ip6 filter output log flags all
Connection tracking label label
+
+ zone
+ conntrack zone
+ integer (16 bit)
+
+
@@ -3391,6 +3402,21 @@ ip6 filter output log flags all
ct set mark meta mark
+
+ set zone mapped via interface
+
+table inet raw {
+ chain prerouting {
+ type filter hook prerouting priority -300;
+ ct zone set iif map { "eth1" : 1, "veth1" : 2 }
+ }
+ chain output {
+ type filter hook output priority -300;
+ ct zone set oif map { "eth1" : 1, "veth1" : 2 }
+ }
+}
+
+