Date:   Thu, 14 May 2020 15:22:03 +0100
From:   Edward Cree <ecree@...arflare.com>
To:     Paul Blakey <paulb@...lanox.com>, <netdev@...r.kernel.org>,
        <dsahern@...il.com>, <davem@...emloft.net>,
        Jiri Pirko <jiri@...lanox.com>
CC:     <ozsh@...lanox.com>, <roid@...lanox.com>
Subject: Re: [PATCH iproute2/net-next] man: tc-ct.8: Add manual page for ct tc action

On 14/05/2020 15:10, Paul Blakey wrote:
> Signed-off-by: Paul Blakey <paulb@...lanox.com>
> ---
>  man/man8/tc-ct.8     | 107 +++++++++++++++++++++++++++++++++++++++++++++++++++
>  man/man8/tc-flower.8 |   6 +++
>  2 files changed, 113 insertions(+)
>  create mode 100644 man/man8/tc-ct.8
Glad to see this; better tc documentation generally is sorely needed.
See comments inline below.

> diff --git a/man/man8/tc-ct.8 b/man/man8/tc-ct.8
> new file mode 100644
> index 0000000..45d2932
> --- /dev/null
> +++ b/man/man8/tc-ct.8
> @@ -0,0 +1,107 @@
> +.TH "ct action in tc" 8 "14 May 2020" "iproute2" "Linux"
> +.SH NAME
> +ct \- tc connection tracking action
> +.SH SYNOPSIS
> +.in +8
> +.ti -8
> +.BR "tc ... action ct commit [ force ] [ zone "
> +.IR ZONE
> +.BR "] [ mark "
> +.IR MASKED_MARK
> +.BR "] [ label "
> +.IR MASKED_LABEL
> +.BR "] [ nat "
> +.IR NAT_SPEC
> +.BR "]"
> +
> +.ti -8
> +.BR "tc ... action ct [ nat ] [ zone "
> +.IR ZONE
> +.BR "]"
> +
> +.ti -8
> +.BR "tc ... action ct clear"
> +
> +.SH DESCRIPTION
> +The ct action is a tc action for sending packets and interacting with the netfilter conntrack module.
> +
> +It can (as shown in the synopsis, in order):
> +
> +Send the packet to conntrack, and commit the connection, while configuring
> +a 32bit mark, 128bit label, and src/dst nat.
> +
> +Send the packet to conntrack, which will mark the packet with the connection's state and
> +configured metadata (mark/label), and execute previous configured nat.
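Review bot: the `[ force ]` flag in the commit form of the SYNOPSIS (`.BR "tc ... action ct commit [ force ] [ zone "`) has no entry in the OPTIONS section as quoted, so a reader cannot tell what `force` changes about the commit; add a `.TP` / `.BI force` entry next to `zone`, `mark`, `label` and `nat` saying what it does. Minor wording point in the first DESCRIPTION sentence: "a tc action for sending packets and interacting with the netfilter conntrack module" is missing the "to" that "sending packets" needs; "for sending packets to, and interacting with, the netfilter conntrack module" reads cleanly.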
"... and optionally execute..." perhaps?
Since it'll only do this if the 'nat' option was passed.

> +
> +Clear the packet's of previous connection tracking state.
> +
> +.SH OPTIONS
> +.TP
> +.BI zone " ZONE"
> +Specify a conntrack zone number on which to send the packet to conntrack.
> +.TP
> +.BI mark " MASKED_MARK"
> +Specify a masked 32bit mark to set for the connection (only valid with commit).
> +.TP
> +.BI label " MASKED_LABEL"
> +Specify a masked 128bit label to set for the connection (only valid with commit).
> +.TP
> +.BI nat " NAT_SPEC"
> +.BI Where " NAT_SPEC " ":= {src|dst} addr" " addr1" "[-" "addr2" "] [port " "port1" "[-" "port2" "]]"
> +
> +Specify src/dst and range of nat to configure for the connection (only valid with commit).
> +.RS
> +.TP
> +src/dst - configure src or dst nat
> +.TP
> +.BI  "" "addr1" "/" "addr2" " - IPv4/IPv6 addresses"
> +.TP
> +.BI  "" "port1" "/" "port2" " - Port numbers"
> +.RE
> +.TP
> +.BI nat
> +Restore any previous configured nat.
> +.TP
> +.BI clear
> +Remove any conntrack state and metadata (mark/label) from the packet (must only option 
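Review bot: "Clear the packet's of previous connection tracking state." in the third DESCRIPTION paragraph is garbled; "Clear the packet of any previous connection tracking state." says what the clear form does. Two markup nits in OPTIONS: `.BI nat` and `.BI clear` carry no italic argument, so `.B nat` and `.B clear` are the right macros, and the `.TP` entry `src/dst - configure src or dst nat` under NAT_SPEC is a bare tag line while the `addr1`/`addr2` and `port1`/`port2` entries below it use `.BI`; mark `src`/`dst` the same way so the three sub-entries render consistently.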
"... must be only option...".

- Ed
