From 7c371119412595ad2d063b91fdea616dcacb4eed Mon Sep 17 00:00:00 2001
From: Andrea Claudi <aclaudi@redhat.com>
Date: Tue, 9 Jun 2020 15:45:56 +0200
Subject: [PATCH] man: tc-ct.8: Add manual page for ct tc action
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1844637
Upstream Status: iproute2.git commit 924c43778a845
commit 924c43778a8453e2cd0fd1440b9224bed9c87c0d
Author: Paul Blakey <paulb@mellanox.com>
Date: Thu May 14 17:10:20 2020 +0300
man: tc-ct.8: Add manual page for ct tc action
Signed-off-by: Paul Blakey <paulb@mellanox.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
man/man8/tc-ct.8 | 107 +++++++++++++++++++++++++++++++++++++++++++
man/man8/tc-flower.8 | 6 +++
2 files changed, 113 insertions(+)
create mode 100644 man/man8/tc-ct.8
diff --git a/man/man8/tc-ct.8 b/man/man8/tc-ct.8
new file mode 100644
index 0000000000000..45d29320f1d01
--- /dev/null
+++ b/man/man8/tc-ct.8
@@ -0,0 +1,107 @@
+.TH "ct action in tc" 8 "14 May 2020" "iproute2" "Linux"
+.SH NAME
+ct \- tc connection tracking action
+.SH SYNOPSIS
+.in +8
+.ti -8
+.BR "tc ... action ct commit [ force ] [ zone "
+.IR ZONE
+.BR "] [ mark "
+.IR MASKED_MARK
+.BR "] [ label "
+.IR MASKED_LABEL
+.BR "] [ nat "
+.IR NAT_SPEC
+.BR "]"
+
+.ti -8
+.BR "tc ... action ct [ nat ] [ zone "
+.IR ZONE
+.BR "]"
+
+.ti -8
+.BR "tc ... action ct clear"
+
+.SH DESCRIPTION
+The ct action is a tc action for sending packets and interacting with the netfilter conntrack module.
+
+It can (as shown in the synopsis, in order):
+
+Send the packet to conntrack, and commit the connection, while configuring
+a 32bit mark, 128bit label, and src/dst nat.
+
+Send the packet to conntrack, which will mark the packet with the connection's state and
+configured metadata (mark/label), and execute previous configured nat.
+
+Clear the packet's of previous connection tracking state.
+
+.SH OPTIONS
+.TP
+.BI zone " ZONE"
+Specify a conntrack zone number on which to send the packet to conntrack.
+.TP
+.BI mark " MASKED_MARK"
+Specify a masked 32bit mark to set for the connection (only valid with commit).
+.TP
+.BI label " MASKED_LABEL"
+Specify a masked 128bit label to set for the connection (only valid with commit).
+.TP
+.BI nat " NAT_SPEC"
+.BI Where " NAT_SPEC " ":= {src|dst} addr" " addr1" "[-" "addr2" "] [port " "port1" "[-" "port2" "]]"
+
+Specify src/dst and range of nat to configure for the connection (only valid with commit).
+.RS
+.TP
+src/dst - configure src or dst nat
+.TP
+.BI "" "addr1" "/" "addr2" " - IPv4/IPv6 addresses"
+.TP
+.BI "" "port1" "/" "port2" " - Port numbers"
+.RE
+.TP
+.BI nat
+Restore any previous configured nat.
+.TP
+.BI clear
+Remove any conntrack state and metadata (mark/label) from the packet (must only option specified).
+.TP
+.BI force
+Forces conntrack direction for a previously commited connections, so that current direction will become the original direction (only valid with commit).
+
+.SH EXAMPLES
+Example showing natted firewall in conntrack zone 2, and conntrack mark usage:
+.EX
+
+#Add ingress qdisc on eth0 and eth1 interfaces
+.nf
+$ tc qdisc add dev eth0 handle ingress
+$ tc qdisc add dev eth1 handle ingress
+
+#Setup filters on eth0, allowing opening new connections in zone 2, and doing src nat + mark for each new connection
+$ tc filter add dev eth0 ingress prio 1 chain 0 proto ip flower ip_proto tcp ct_state -trk \\
+action ct zone 2 pipe action goto chain 2
+$ tc filter add dev eth0 ingress prio 1 chain 2 proto ip flower ct_state +trk+new \\
+action ct zone 2 commit mark 0xbb nat src addr 5.5.5.7 pipe action mirred egress redirect dev eth1
+$ tc filter add dev eth0 ingress prio 1 chain 2 proto ip flower ct_zone 2 ct_mark 0xbb ct_state +trk+est \\
+action ct nat pipe action mirred egress redirect dev eth1
+
+#Setup filters on eth1, allowing only established connections of zone 2 through, and reverse nat (dst nat in this case)
+$ tc filter add dev eth1 ingress prio 1 chain 0 proto ip flower ip_proto tcp ct_state -trk \\
+action ct zone 2 pipe action goto chain 1
+$ tc filter add dev eth1 ingress prio 1 chain 1 proto ip flower ct_zone 2 ct_mark 0xbb ct_state +trk+est \\
+action ct nat pipe action mirred egress redirect dev eth0
+.fi
+
+.EE
+
+.RE
+.SH SEE ALSO
+.BR tc (8),
+.BR tc-flower (8)
+.BR tc-mirred (8)
+.SH AUTHORS
+Paul Blakey <paulb@mellanox.com>
+
+Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+
+Yossi Kuperman <yossiku@mellanox.com>
diff --git a/man/man8/tc-flower.8 b/man/man8/tc-flower.8
index 0f95f303f23b7..02a7256f36ebb 100644
--- a/man/man8/tc-flower.8
+++ b/man/man8/tc-flower.8
@@ -1,5 +1,11 @@
.TH "Flower filter in tc" 8 "22 Oct 2015" "iproute2" "Linux"
+ "Usage: ct clear\n"
+ " ct commit [force] [zone ZONE] [mark MASKED_MARK] [label MASKED_LABEL] [nat NAT_SPEC] [OFFLOAD_POLICY]\n"
+ " ct [nat] [zone ZONE] [OFFLOAD_POLICY]\n"
+ "Where: ZONE is the conntrack zone table number\n"
+ " NAT_SPEC is {src|dst} addr addr1[-addr2] [port port1[-port2]]\n"
+ " OFFLOAD_POLICY is [policy_pkts PACKETS] [policy_timeout TIMEOUT]\n"
.SH NAME
flower \- flow based traffic control filter
.SH SYNOPSIS
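Review bot: The six added lines in this hunk are C string literals (`"Usage: ct clear\n"` through `"OFFLOAD_POLICY is [policy_pkts PACKETS] [policy_timeout TIMEOUT]\n"`) spliced into the troff source between `.TH` and `.SH NAME`, so man will treat them as body text rather than markup and print the quotes and usage text at the top of tc-flower(8); this looks like a usage-string block from the tc ct action source pasted into the wrong file during the backport, not the upstream tc-flower.8 change. The diffstat and `@@ -1,5 +1,11 @@` confirm only these six lines changed in this file, so the hunk should be replaced with whatever upstream commit 924c43778a8453e2cd0fd1440b9224bed9c87c0d actually did to tc-flower.8 (presumably a cross-reference to the new page, e.g. `.BR tc-ct (8)` in SEE ALSO, but that should be verified against upstream rather than guessed). Note also that this text documents `[OFFLOAD_POLICY]`, `policy_pkts` and `policy_timeout`, none of which appear in the SYNOPSIS or OPTIONS of the tc-ct.8 page added by the first hunk, so even if the insertion were intentional the two manual pages would disagree on the action's accepted options.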
--
2.26.2