authorStuart Shelton <stuart@shelton.me>2015-06-07 10:53:16 +0100
committerStuart Shelton <stuart@shelton.me>2015-06-07 10:53:16 +0100
commit57bd413db808e697a08cb23ae975185f741f6389 (patch)
treefa0cb6174f4e522de1a4af12dcf9b4b8665c002e /net-firewall
parentUpdate sys-apps/kmod-20 (diff)
Add net-firewall/nftables-0.4, net-firewall/nftables-0.4.1.9999, net-firewall/nftables-0.4.2.9999, update net-firewall/nftables-9999
Diffstat (limited to 'net-firewall')
-rw-r--r--net-firewall/nftables/Manifest9
-rw-r--r--net-firewall/nftables/files/nftables-0.4-nftables.81904
-rw-r--r--net-firewall/nftables/files/nftables-0.4.1-nftables.81906
-rw-r--r--net-firewall/nftables/files/nftables-0.4.2-nftables.81931
-rw-r--r--net-firewall/nftables/nftables-0.4.1.9999.ebuild61
-rw-r--r--net-firewall/nftables/nftables-0.4.2.9999.ebuild65
-rw-r--r--net-firewall/nftables/nftables-0.4.ebuild58
-rw-r--r--net-firewall/nftables/nftables-9999.ebuild47
8 files changed, 5967 insertions, 14 deletions
diff --git a/net-firewall/nftables/Manifest b/net-firewall/nftables/Manifest
index e08b529f..8215c5db 100644
--- a/net-firewall/nftables/Manifest
+++ b/net-firewall/nftables/Manifest
@@ -1,8 +1,15 @@
+AUX nftables-0.4-nftables.8 30392 SHA256 772062e1e8b65c6f825a644c199b62d590fad93fd63ded7f52a0c76cda926690 SHA512 13475548e2720f84e0f2cc437260438429ad8fc457a2920d36b7f27a05799d2152c7ed9f9ff7043a852700b074a76aaa230c4ab5e67c13a2e84f7ce0ac473a52 WHIRLPOOL 644d93ac68dec16b29372ea0ee138077510a3c48d2801e372a6b4b6047037039aec21d9960e0da03bedccbafee722016b19201ca9eed73ba075a4c6cc396c09a
+AUX nftables-0.4.1-nftables.8 30461 SHA256 97ba96a0dce959d9d2a5e26f7e7d27a2e3e33d93aeff69fa26a801959ed6abdf SHA512 1c4a193c255ac5f89fe303c2125515b383a41dbb6fcdbb0abc02640b6b7863cf7b6cc679b13656461d57bad27627843669eafdf33cf308175ae9bc812f4116ff WHIRLPOOL 11afa35800ac96d111a5d95efcf1d2b2ae1326a654a692e26e47f15fc84e100e07639748341264e7c2006351badadbc6a79f13de9ee624868b65191c477ce1a1
+AUX nftables-0.4.2-nftables.8 30927 SHA256 0f1b98148486dcd42c9febda555ce395c8937b1ae78f58be36e4656dfaa71104 SHA512 6513bd82fed18391e8eb0cfadb225cd08e4597b4ab3b4b438eac3ed70c1824378cff42d7e0782be38262cac12d716dd68d2e985913ac6d3681fb50b7013f2b61 WHIRLPOOL 242da52c6209d8e537cf812a7568da1538fb36a86898f10df4e65120728a04fd976ea479c6f59cf90969cb958b628d8c25a5aa0b6ea07a25274bf1bb7bc53a57
AUX nftables.8 9645 SHA256 bec3d7dcdc424691269852c9c322bb6ad770b6cfec4939920e32fa67ca8caac2 SHA512 aaf74c4bf0a854f3993b7ed5b9cecd436baa0bfc6b5ff119574d45c2504e5e772fc7cf41e1108b7f9cc013132c0bc0a86c6262cbfa870e639ad40ae93e25e4dc WHIRLPOOL e1c082fc3a56a9a0eb4782dfd9253857668052025d471e5124fc836246bc33b794f6d2293c46e2d5b0d8d1761b454ec8c21eb627ed95e97f07fe47f704dcdae2
AUX nftables.confd 655 SHA256 d5e3077345dfea02849a70aea220396322a10c3808f0303b988119adbc56fdbd SHA512 8370abcdc89fcd9da5dc7d1620be6afb4633b8bcd0a8a120b464cc1a7e1fab6f34956c293da3f6d3cbe1f7a2e03038fd0c94a614137ae5657d29ffdb5f3fa144 WHIRLPOOL e39d13f996e620aa82714cb18e4f57624faa302f2259a44cc065804edf95fe07a314f744d17a76be6941c3771da6b233a19ae5b6b2f63783847121c63339197f
AUX nftables.init 4299 SHA256 293d5a0ef687c69fffdce912a833cf5812272c0baae9f59d603ada8efa5828a6 SHA512 ec43cc630b45ea2726044b30925e04f16fdb48ff2ee1871c112fde5b406f47c75b53ce05db4dfab8558156da96e9bf484ebab1f00f5cda20bbe8597c63b178fe WHIRLPOOL 0209ae515a046e5222f59832a80bf10663acaad28b5ac13771035575fcfda761049544b5428bbffe5aefc096fd6e1ab09fc1c6efbb368d45fd97636731857189
DIST nftables-0.2.tar.bz2 154821 SHA256 2b947f1ed5b66e042fbda7e5bb8353e9697a1c2cec4ea99ccbc822d2e89c505f SHA512 319f3de619634a31ed5903f87623cdf6f9f8f69124cd451d659ecc87121c97a7b9cc352a591d37a24b41c8b0a71c2da77928cdf0858f7f1269c2c1336784cf43 WHIRLPOOL 97c49af74660e5993cbbca81336fa1c7def81ca9e44d39c3405fb060713d472933172e98c59f9ae094cb8e8d5467ab540f69225798eacaf5c64cbb02ae9612e4
DIST nftables-0.3.tar.bz2 160585 SHA256 4d372645442d89675c7148b8a0a112c4825b57edf8bad15ddf9a08c220229c2f SHA512 76e280e6c42ad3c1d70d0b16c2d488ba92ffae1611241a9949f537da143f613ba06d5b2d7fbc40f0b51ac26a4e35cb93954816bab99dc0f485ef5797e1fcf1a0 WHIRLPOOL 019478f5be2204e9d48df47fab0cd6c07650accbc10c0857cea22c407965db71986c3f03e07b205ac80aa1cfaf4550d25896d1f25ec7f2b859fd24d5a2f774e5
+DIST nftables-0.4.tar.bz2 362120 SHA256 f6ca69b75c68915f9f3a3972274ec68354dfbbcfc0b9fc55c813a0525c351d3c SHA512 0932cf987da602285fbf7c7f61328b0d74d687889c2d4a5bd2bd7fe11e8b99433bc5ee53ebbddadf2c90e40acdcb28f6babf07e11feedff815c571c3b782dffc WHIRLPOOL 1604010f260247c2fd98d33ca931eb0be6f38097937983aadfbdf2eb44fd3827212d00e6e6351821ccd8a2696fc696d9e7ec102d447387f930b8fb2afadc22a8
EBUILD nftables-0.2.ebuild 1046 SHA256 1a10625878573fa3d3e25d6af8833bb0ed51caadab60685ead2c7db6642018d9 SHA512 60ebf308e2885ee409a617b08a82e465b9cc514f43d2ba2a56ee3757259174a8c37001d4e9225431509e63b606d7ab7af86a931541f564029d077cb5417694a5 WHIRLPOOL 0acec148bad096a0f74fbdffce7eb3a43bf6da12cffb2bd6bb66202950c5f1e45aa3a254bca88af7078370ee4f70c890246447908137016d93424a0d07ff273a
EBUILD nftables-0.3-r2.ebuild 1294 SHA256 d97720a7c9b5ba4ed52b7fe679289fc712cf90ababd675d96c6fe6f3c5480ee1 SHA512 c9411d14025fc1926c6ded8d2ce3823545c513d54b843ca3f9d3c4f0b05bbd44c2f530996471ef941b07af1b7d99de9e1c5acd596ede4e9dd285130c8ca5f971 WHIRLPOOL 266ff2c135c9cf3c42222ee178e7ea4cf20a5f6f620e4127a6151c92c0888fb3a7cb1d916d28cfe4cc09d12b6ab33c543646c12dd2c9a165cfc8feea464ecac3
-EBUILD nftables-9999.ebuild 784 SHA256 82ab14d4dfcb6c3abbfb3e7af487e68b7107bdd27d161fc2b58ca37b92351acd SHA512 a6ec0ae8fa4860576d37a1c6b7230e00d3c99d65db19bff46521250e4ea604f161e252b195c43c99d482b6ebd8b6270d4c14c567cf4987752efa3d3e9a324719 WHIRLPOOL 2166b120b9fa8d4d8de3889f2d18ab6f813ba1d564e30be57becff0a3edc3f34aa99c22f2fa762451b8993d07b1539e8ead0e8f420230563a2f30e2256f5118e
+EBUILD nftables-0.4.1.9999.ebuild 1324 SHA256 dd76fbec5c6a4419258924f47b02b10f22ab8904ddaf506bb91bbe3f89983f9b SHA512 c1089884b852f4d0dec0fb5d9722a63dc5881f0e2a73397dc8cf798bc72cc901d350b6622fe8d7cdfdb2bd7e9ae69297d488073ca04f94a7729d6c79b907a4ad WHIRLPOOL ac03c64fa8a12aafc8e84c302cb4c30fbd2f98bddbc3e9bbf30c521a636ff9beb16b1280f33985710a271e8f562c70f522755a5c38385b6e98cae09e538737a6
+EBUILD nftables-0.4.2.9999.ebuild 1378 SHA256 55f6cacffae8696df02780f6e6854a2202c66d62fb3e377e7b6f6b8ee56332f6 SHA512 a030739319f3b8bb7d774676f33a2ab4ad4d8871c1aeb4cdc34e481722519ca1c9b35a9dbdea92ac59b26c386c68ee4b9cf74703942ffb7e5b616ace5b580642 WHIRLPOOL d2d36003f3df5aa5ef27f109687d8981ba98fd8991c65ce1088e9060664410c6d330e91e8b8347d2b7c93529e747f021742ecbc1920777431c8dbc19c3edba61
+EBUILD nftables-0.4.ebuild 1348 SHA256 97f39a097e89ed5b4ac6dfab0586888aa2ccc6119f6d87b5c2bde168c1efa81f SHA512 367a659e99a89d3c829743e96a0727fb4fa117a2aa450cce073645780020a1f6d3b520527cd7899e1aecc09c2e88de4a30c91b50c82feeb2a83833fff59d61b8 WHIRLPOOL 576e49f0488de029a9e5bacd40d500c0d16df293d7273dfd958e33a0fe52a7b3af870f725019e8c2c5814639eac8012f5966d1df72baf894df5238b74482ba7f
+EBUILD nftables-9999.ebuild 1298 SHA256 3fbdc894ed3b7a49820f835ae4bfd7c00dcc19a7d09bcaeaf74dea5a7b634c51 SHA512 e5d5fec0c13bc1129d8f1400dd14e9b45a2b64afddad660b44a2fb6bcfab4596235e917bb8ea883727ca8b66c7d1fd3c25ab42ac9f62940bcb72e4119447ec11 WHIRLPOOL 00fca81273cecb2582cf070cb43a64d5f69e01961c52f1a0be7e6321180d478622152c3aa8d97367b6224615a5e82d4e1c04b1028c92a34f2fbcdd87ed8dd63e
diff --git a/net-firewall/nftables/files/nftables-0.4-nftables.8 b/net-firewall/nftables/files/nftables-0.4-nftables.8
new file mode 100644
index 00000000..89ad7293
--- /dev/null
+++ b/net-firewall/nftables/files/nftables-0.4-nftables.8
@@ -0,0 +1,1904 @@
+'\" t -*- coding: us-ascii -*-
+.if \n(.g .ds T< \\FC
+.if \n(.g .ds T> \\F[\n[.fam]]
+.de URL
+\\$2 \(la\\$1\(ra\\$3
+..
+.if \n(.g .mso www.tmac
+.TH nft 8 "4 June 2015" "" ""
+.SH NAME
+nft \- Administration tool for packet filtering and classification
+.SH SYNOPSIS
+'nh
+.fi
+.ad l
+\fBnft\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[
+\fB-n/--numeric\fR
+] [
+\fB-I/--includepath\fR
+\fIdirectory\fR
+] [
+\fB-f/--file\fR
+\fIfilename\fR
+|
+\fB-i/--interactive\fR
+|
+\fIcmd\fR
+\&...]
+'in \n(.iu-\nxu
+.ad b
+'hy
+'nh
+.fi
+.ad l
+\fBnft\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[
+\fB-h/--help\fR
+] [
+\fB-v/--version\fR
+]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.SH DESCRIPTION
+nft is used to set up, maintain and inspect packet
+filtering and classification rules in the Linux kernel.
+.SH OPTIONS
+For a full summary of options, run \fBnft --help\fR.
+.TP
+\*(T<\fB\-h/\-\-help\fR\*(T>
+Show help message and all options.
+.TP
+\*(T<\fB\-v/\-\-version\fR\*(T>
+Show version.
+.TP
+\*(T<\fB\-n/\-\-numeric\fR\*(T>
+Numeric output: Addresses and other information
+that might need network traffic to resolve to symbolic names
+are shown numerically (default behaviour). When used twice,
+internet services are translated. When used twice, internet
+services and UIDs/GIDs are also shown numerically. When used
+three times, protocol numbers are also shown numerically.
+.TP
+\*(T<\fB\-N\fR\*(T>
+Translate IP addresses to DNS names.
+.TP
+\*(T<\fB\-a/\-\-handle\fR\*(T>
+Show rule handles in output.
+.TP
+\*(T<\fB\-I/\-\-includepath \fR\*(T>\fIdirectory\fR
+Add the directory \fIdirectory\fR to the list of directories to by searched for included files.
+.TP
+\*(T<\fB\-f/\-\-file \fR\*(T>\fIfilename\fR
+Read input from \fIfilename\fR.
+.TP
+\*(T<\fB\-i/\-\-interactive\fR\*(T>
+Read input from an interactive readline CLI.
+.SH "INPUT FILE FORMAT"
+.SS "LEXICAL CONVENTIONS"
+Input is parsed line-wise. When the last character of a line just before
+the newline character is a non-quoted backslash (\*(T<\e\*(T>),
+the next line is treated as a continuation. Multiple commands on the
+same line can be separated using a semicolon (\*(T<;\*(T>).
+.PP
+A hash sign (\*(T<#\*(T>) begins a comment. All following characters
+on the same line are ignored.
+.PP
+Identifiers begin with an alphabetic character (\*(T<a\-z,A\-Z\*(T>),
+followed zero or more alphanumeric characters (\*(T<a\-z,A\-Z,0\-9\*(T>)
+and the characters slash (\*(T</\*(T>), backslash (\*(T<\e\*(T>),
+underscore (\*(T<_\*(T>) and dot (\*(T<.\*(T>). Identifiers
+using different characters or clashing with a keyword need to be enclosed in
+double quotes (\*(T<"\*(T>).
+.PP
+.SS "INCLUDE FILES"
+'nh
+.fi
+.ad l
+\fBinclude\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+\fIfilename\fR
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+Other files can be included by using the \fBinclude\fR statement.
+The directories to be searched for include files can be specified using
+the \*(T<\fB\-I/\-\-includepath\fR\*(T> option.
+.SS "SYMBOLIC VARIABLES"
+'nh
+.fi
+.ad l
+\fBdefine\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+variable \fIexpr\fR
+'in \n(.iu-\nxu
+.ad b
+'hy
+'nh
+.fi
+.ad l
+\fB$variable\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+Symbolic variables can be defined using the \fBdefine\fR statement.
+Variable references are expressions and can be used initialize other variables.
+The scope of a definition is the current block and all blocks contained within.
+
+\fBUsing symbolic variables\fR
+.PP
+.nf
+\*(T<
+define int_if1 = eth0
+define int_if2 = eth1
+define int_ifs = { $int_if1, $int_if2 }
+
+filter input iif $int_ifs accept
+ \*(T>
+.fi
+.SH "ADDRESS FAMILIES"
+Address families determine the type of packets which are processed. For each address
+family the kernel contains so called hooks at specific stages of the packet processing
+paths, which invoke nftables if rules for these hooks exist.
+.PP
+.TP
+\*(T<\fBip\fR\*(T>
+IPv4 address family.
+.TP
+\*(T<\fBip6\fR\*(T>
+IPv6 address family.
+.TP
+\*(T<\fBinet\fR\*(T>
+Internet (IPv4/IPv6) address family.
+.TP
+\*(T<\fBarp\fR\*(T>
+ARP address family, handling packets vi
+.TP
+\*(T<\fBbridge\fR\*(T>
+Bridge address family, handling packets which traverse a bridge device.
+.PP
+All nftables objects exist in address family specific namespaces, therefore
+all identifiers include an address family. If an identifier is specified without
+an address family, the \*(T<ip\*(T> family is used by default.
+.SS "IPV4/IPV6/INET ADDRESS FAMILIES"
+The IPv4/IPv6/Inet address families handle IPv4, IPv6 or both types of packets. They
+contain five hooks at different packet processing stages in the network stack.
+.PP
+\fBIPv4/IPv6/Inet address family hooks\fR
+.TS
+allbox ;
+l | l.
+T{
+Hook
+T} T{
+Description
+T}
+.T&
+l | l.
+T{
+prerouting
+T} T{
+All packets entering the system are processed by the prerouting hook. It is invoked
+before the routing process and is used for early filtering or changing packet
+attributes that affect routing.
+T}
+T{
+input
+T} T{
+Packets delivered to the local system are processed by the input hook.
+T}
+T{
+forward
+T} T{
+Packets forwarded to a different host are processed by the forward hook.
+T}
+T{
+output
+T} T{
+Packets sent by local processes are processed by the output hook.
+T}
+T{
+postrouting
+T} T{
+All packets leaving the system are processed by the postrouting hook.
+T}
+.TE
+.SS "ARP ADDRESS FAMILY"
+The ARP address family handles ARP packets received and sent by the system. It is commonly used
+to mangle ARP packets for clustering.
+.PP
+\fBARP address family hooks\fR
+.TS
+allbox ;
+l | l.
+T{
+Hook
+T} T{
+Description
+T}
+.T&
+l | l
+l | l.
+T{
+input
+T} T{
+Packets delivered to the local system are processed by the input hook.
+T}
+T{
+output
+T} T{
+Packets send by the local system are processed by the output hook.
+T}
+.TE
+.SS "BRIDGE ADDRESS FAMILY"
+The bridge address family handles ethernet packets traversing bridge devices.
+.SH TABLES
+'nh
+.fi
+.ad l
+{add | delete | list | flush} \fBtable\fR [\fIfamily\fR] {\fItable\fR}
+.ad b
+'hy
+.PP
+Tables are containers for chains and sets. They are identified by their address family
+and their name. The address family must be one of
+\*(T<ip\*(T>, \*(T<ip6\*(T>, \*(T<inet\*(T>, \*(T<arp\*(T>, \*(T<bridge\*(T>.
+The \*(T<inet\*(T> address family is a dummy family which is used to create
+hybrid IPv4/IPv6 tables.
+When no address family is specified, \*(T<ip\*(T> is used by default.
+.TP
+\*(T<\fBadd\fR\*(T>
+Add a new table for the given family with the given name.
+.TP
+\*(T<\fBdelete\fR\*(T>
+Delete the specified table.
+.TP
+\*(T<\fBlist\fR\*(T>
+List all chains and rules of the specified table.
+.TP
+\*(T<\fBflush\fR\*(T>
+Flush all chains and rules of the specified table.
+.SH CHAINS
+'nh
+.fi
+.ad l
+{add} \fBchain\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR} {\fIhook\fR} {\fIpriority\fR}
+.ad b
+'hy
+'nh
+.fi
+.ad l
+{add | create | delete | list | flush} \fBchain\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR}
+.ad b
+'hy
+'nh
+.fi
+.ad l
+{rename} \fBchain\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR} {\fInewname\fR}
+.ad b
+'hy
+.PP
+Chains are containers for rules. They exist in two kinds,
+base chains and regular chains. A base chain is an entry point for
+packets from the networking stack, a regular chain may be used
+as jump target and is used for better rule organization.
+.TP
+\*(T<\fBadd\fR\*(T>
+Add a new chain in the specified table. When a hook and priority
+value are specified, the chain is created as a base chain and hooked
+up to the networking stack.
+.TP
+\*(T<\fBcreate\fR\*(T>
+Simlar to the \fBadd\fR command, but returns an error if the
+chain already exists.
+.TP
+\*(T<\fBdelete\fR\*(T>
+Delete the specified chain. The chain must not contain any rules or be
+used as jump target.
+.TP
+\*(T<\fBrename\fR\*(T>
+Rename the specified chain.
+.TP
+\*(T<\fBlist\fR\*(T>
+List all rules of the specified chain.
+.TP
+\*(T<\fBflush\fR\*(T>
+Flush all rules of the specified chain.
+.SH RULES
+'nh
+.fi
+.ad l
+[add | insert] \fBrule\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR} [position \fIposition\fR] {\fIstatement\fR}\&...
+.ad b
+'hy
+'nh
+.fi
+.ad l
+{delete} \fBrule\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR} {handle \fIhandle\fR}
+.ad b
+'hy
+.PP
+Rules are constructed from two kinds of components according to a set
+of grammatical rules: expressions and statements.
+.TP
+\*(T<\fBadd\fR\*(T>
+Add a new rule described by the list of statements. The rule is appended to the
+given chain unless a position is specified, in which case the rule is appended to
+the rule given by the position.
+.TP
+\*(T<\fBinsert\fR\*(T>
+Similar to the \fBadd\fR command, but the rule is prepended to the
+beginning of the chain or before the rule at the given position.
+.TP
+\*(T<\fBdelete\fR\*(T>
+Delete the specified rule.
+.SH EXPRESSIONS
+Expressions represent values, either constants like network addresses, port numbers etc. or data
+gathered from the packet during ruleset evaluation. Expressions can be combined using binary,
+logical, relational and other types of expressions to form complex or relational (match) expressions.
+They are also used as arguments to certain types of operations, like NAT, packet marking etc.
+.PP
+Each expression has a data type, which determines the size, parsing and representation of
+symbolic values and type compatibility with other expressions.
+.SS "DESCRIBE COMMAND"
+'nh
+.fi
+.ad l
+\fBdescribe\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+{\fIexpression\fR}
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+The \fBdescribe\fR command shows information about the type of an expression and
+its data type.
+.PP
+\fBThe describe command\fR
+.PP
+.nf
+\*(T<
+$ nft describe tcp flags
+payload expression, datatype tcp_flag (TCP flag) (basetype bitmask, integer), 8 bits
+
+pre\-defined symbolic constants:
+fin 0x01
+syn 0x02
+rst 0x04
+psh 0x08
+ack 0x10
+urg 0x20
+ecn 0x40
+cwr 0x80
+ \*(T>
+.fi
+.SH "DATA TYPES"
+Data types determine the size, parsing and representation of symbolic values and type compatibility
+of expressions. A number of global data types exist, in addition some expression types define further
+data types specific to the expression type. Most data types have a fixed size, some however may have
+a dynamic size, f.i. the string type.
+.PP
+Types may be derived from lower order types, f.i. the IPv4 address type is derived from the integer
+type, meaning an IPv4 address can also be specified as an integer value.
+.PP
+In certain contexts (set and map definitions) it is necessary to explicitly specify a data type.
+Each type has a name which is used for this.
+.SS "INTEGER TYPE"
+.TS
+allbox ;
+l | l | l | l.
+T{
+Name
+T} T{
+Keyword
+T} T{
+Size
+T} T{
+Base type
+T}
+.T&
+l | l | l | l.
+T{
+Integer
+T} T{
+integer
+T} T{
+variable
+T} T{
+-
+T}
+.TE
+.PP
+The integer type is used for numeric values. It may be specified as decimal, hexadecimal
+or octal number. The integer type doesn't have a fixed size, its size is determined by the
+expression for which it is used.
+.SS "BITMASK TYPE"
+.TS
+allbox ;
+l | l | l | l.
+T{
+Name
+T} T{
+Keyword
+T} T{
+Size
+T} T{
+Base type
+T}
+.T&
+l | l | l | l.
+T{
+Bitmask
+T} T{
+bitmask
+T} T{
+variable
+T} T{
+integer
+T}
+.TE
+.PP
+The bitmask type (\fBbitmask\fR) is used for bitmasks.
+.SS "STRING TYPE"
+.TS
+allbox ;
+l | l | l | l.
+T{
+Name
+T} T{
+Keyword
+T} T{
+Size
+T} T{
+Base type
+T}
+.T&
+l | l | l | l.
+T{
+String
+T} T{
+string
+T} T{
+variable
+T} T{
+-
+T}
+.TE
+.PP
+The string type is used to for character strings. A string begins with an alphabetic character
+(a-zA-Z) followed by zero or more alphanumeric characters or the characters \*(T</\*(T>,
+\*(T<\-\*(T>, \*(T<_\*(T> and \*(T<.\*(T>. In addition anything enclosed
+in double quotes (\*(T<"\*(T>) is recognized as a string.
+.PP
+\fBString specification\fR
+.PP
+.nf
+\*(T<
+# Interface name
+filter input iifname eth0
+
+# Weird interface name
+filter input iifname "(eth0)"
+ \*(T>
+.fi
+.SS "LINK LAYER ADDRESS TYPE"
+.TS
+allbox ;
+l | l | l | l.
+T{
+Name
+T} T{
+Keyword
+T} T{
+Size
+T} T{
+Base type
+T}
+.T&
+l | l | l | l.
+T{
+Link layer address
+T} T{
+lladdr
+T} T{
+variable
+T} T{
+integer
+T}
+.TE
+.PP
+The link layer address type is used for link layer addresses. Link layer addresses are specified
+as a variable amount of groups of two hexadecimal digits separated using colons (\*(T<:\*(T>).
+.PP
+\fBLink layer address specification\fR
+.PP
+.nf
+\*(T<
+# Ethernet destination MAC address
+filter input ether daddr 20:c9:d0:43:12:d9
+ \*(T>
+.fi
+.SS "IPV4 ADDRESS TYPE"
+.TS
+allbox ;
+l | l | l | l.
+T{
+Name
+T} T{
+Keyword
+T} T{
+Size
+T} T{
+Base type
+T}
+.T&
+l | l | l | l.
+T{
+IPv4 address
+T} T{
+ipv4_addr
+T} T{
+32 bit
+T} T{
+integer
+T}
+.TE
+.PP
+The IPv4 address type is used for IPv4 addresses. Addresses are specified in either dotted decimal,
+dotted hexadecimal, dotted octal, decimal, hexadecimal, octal notation or as a host name. A host name
+will be resolved using the standard system resolver.
+.PP
+\fBIPv4 address specification\fR
+.PP
+.nf
+\*(T<
+# dotted decimal notation
+filter output ip daddr 127.0.0.1
+
+# host name
+filter output ip daddr localhost
+ \*(T>
+.fi
+.SS "IPV6 ADDRESS TYPE"
+.TS
+allbox ;
+l | l | l | l.
+T{
+Name
+T} T{
+Keyword
+T} T{
+Size
+T} T{
+Base type
+T}
+.T&
+l | l | l | l.
+T{
+IPv6 address
+T} T{
+ipv6_addr
+T} T{
+128 bit
+T} T{
+integer
+T}
+.TE
+.PP
+The IPv6 address type is used for IPv6 addresses. FIXME
+.PP
+\fBIPv6 address specification\fR
+.PP
+.nf
+\*(T<
+# abbreviated loopback address
+filter output ip6 daddr ::1
+ \*(T>
+.fi
+.SH "PRIMARY EXPRESSIONS"
+The lowest order expression is a primary expression, representing either a constant or a single
+datum from a packet's payload, meta data or a stateful module.
+.SS "META EXPRESSIONS"
+'nh
+.fi
+.ad l
+\fBmeta\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+{length | nfproto | l4proto | protocol | priority}
+'in \n(.iu-\nxu
+.ad b
+'hy
+'nh
+.fi
+.ad l
+[meta] {mark | iif | iifname | iiftype | oif | oifname | oiftype | skuid | skgid | nftrace | rtclassid}
+.ad b
+'hy
+.PP
+A meta expression refers to meta data associated with a packet.
+.PP
+There are two types of meta expressions: unqualified and qualified meta expressions.
+Qualified meta expressions require the \fBmeta\fR keyword before the
+meta key, unqualified meta expressions can be specified by using the meta key directly
+or as qualified meta expressions.
+.PP
+\fBMeta expression types\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l.
+T{
+length
+T} T{
+Length of the packet in bytes
+T} T{
+integer (32 bit)
+T}
+T{
+protocol
+T} T{
+Ethertype protocol value
+T} T{
+ether_type
+T}
+T{
+priority
+T} T{
+TC packet priority
+T} T{
+integer (32 bit)
+T}
+T{
+mark
+T} T{
+Packet mark
+T} T{
+packetmark
+T}
+T{
+iif
+T} T{
+Input interface index
+T} T{
+iface_index
+T}
+T{
+iifname
+T} T{
+Input interface name
+T} T{
+string
+T}
+T{
+iiftype
+T} T{
+Input interface type
+T} T{
+iface_type
+T}
+T{
+oif
+T} T{
+Output interface index
+T} T{
+iface_index
+T}
+T{
+oifname
+T} T{
+Output interface name
+T} T{
+string
+T}
+T{
+oiftype
+T} T{
+Output interface hardware type
+T} T{
+iface_type
+T}
+T{
+skuid
+T} T{
+UID associated with originating socket
+T} T{
+uid
+T}
+T{
+skgid
+T} T{
+GID associated with originating socket
+T} T{
+gid
+T}
+T{
+rtclassid
+T} T{
+Routing realm
+T} T{
+realm
+T}
+.TE
+.PP
+\fBMeta expression specific types\fR
+.TS
+allbox ;
+l | l.
+T{
+Type
+T} T{
+Description
+T}
+.T&
+l | l.
+T{
+iface_index
+T} T{
+Interface index (32 bit number). Can be specified numerically
+or as name of an existing interface.
+T}
+T{
+ifname
+T} T{
+Interface name (16 byte string). Does not have to exist.
+T}
+T{
+iface_type
+T} T{
+Interface type (16 bit number).
+T}
+T{
+uid
+T} T{
+User ID (32 bit number). Can be specified numerically or as
+user name.
+T}
+T{
+gid
+T} T{
+Group ID (32 bit number). Can be specified numerically or as
+group name.
+T}
+T{
+realm
+T} T{
+Routing Realm (32 bit number). Can be specified numerically
+or as symbolic name defined in /etc/iproute2/rt_realms.
+T}
+.TE
+.PP
+\fBUsing meta expressions\fR
+.PP
+.nf
+\*(T<
+# qualified meta expression
+filter output meta oif eth0
+
+# unqualified meta expression
+filter output oif eth0
+ \*(T>
+.fi
+.SH "PAYLOAD EXPRESSIONS"
+Payload expressions refer to data from the packet's payload.
+.SS "ETHERNET HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBether\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fIethernet header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBEthernet header expression types\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l
+l | l | l
+l | l | l.
+T{
+daddr
+T} T{
+Destination MAC address
+T} T{
+ether_addr
+T}
+T{
+saddr
+T} T{
+Source MAC address
+T} T{
+ether_addr
+T}
+T{
+type
+T} T{
+EtherType
+T} T{
+ether_type
+T}
+.TE
+.SS "VLAN HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBvlan\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fIVLAN header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBVLAN header expression\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l.
+T{
+id
+T} T{
+VLAN ID (VID)
+T} T{
+integer (12 bit)
+T}
+T{
+cfi
+T} T{
+Canonical Format Indicator
+T} T{
+flag
+T}
+T{
+pcp
+T} T{
+Priority code point
+T} T{
+integer (3 bit)
+T}
+T{
+type
+T} T{
+EtherType
+T} T{
+ethertype
+T}
+.TE
+.SS "ARP HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBarp\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fIARP header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBARP header expression\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l.
+T{
+htype
+T} T{
+ARP hardware type
+T} T{
+FIXME
+T}
+T{
+ptype
+T} T{
+EtherType
+T} T{
+ethertype
+T}
+T{
+hlen
+T} T{
+Hardware address len
+T} T{
+integer (8 bit)
+T}
+T{
+plen
+T} T{
+Protocol address len
+T} T{
+integer (8 bit)
+T}
+T{
+op
+T} T{
+Operation
+T} T{
+FIXME
+T}
+.TE
+.SS "IPV4 HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBip\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fIIPv4 header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBIPv4 header expression\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l.
+T{
+version
+T} T{
+IP header version (4)
+T} T{
+integer (4 bit)
+T}
+T{
+hdrlength
+T} T{
+IP header length including options
+T} T{
+integer (4 bit) FIXME scaling
+T}
+T{
+tos
+T} T{
+Type Of Service
+T} T{
+FIXME
+T}
+T{
+length
+T} T{
+Total packet length
+T} T{
+integer (16 bit)
+T}
+T{
+id
+T} T{
+IP ID
+T} T{
+integer (16 bit)
+T}
+T{
+frag-off
+T} T{
+Fragment offset
+T} T{
+integer (16 bit)
+T}
+T{
+ttl
+T} T{
+Time to live
+T} T{
+integer (8 bit)
+T}
+T{
+protocol
+T} T{
+Upper layer protocol
+T} T{
+inet_proto
+T}
+T{
+checksum
+T} T{
+IP header checksum
+T} T{
+integer (16 bit)
+T}
+T{
+saddr
+T} T{
+Source address
+T} T{
+ipv4_addr
+T}
+T{
+daddr
+T} T{
+Destination address
+T} T{
+ipv4_addr
+T}
+.TE
+.SS "IPV6 HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBip6\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fIIPv6 header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBIPv6 header expression\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l.
+T{
+version
+T} T{
+IP header version (6)
+T} T{
+integer (4 bit)
+T}
+T{
+priority
+T} T{
+T} T{
+T}
+T{
+flowlabel
+T} T{
+Flow label
+T} T{
+T}
+T{
+length
+T} T{
+Payload length
+T} T{
+integer (16 bit)
+T}
+T{
+nexthdr
+T} T{
+Nexthdr protocol
+T} T{
+inet_proto
+T}
+T{
+hoplimit
+T} T{
+Hop limit
+T} T{
+integer (8 bit)
+T}
+T{
+saddr
+T} T{
+Source address
+T} T{
+ipv6_addr
+T}
+T{
+daddr
+T} T{
+Destination address
+T} T{
+ipv6_addr
+T}
+.TE
+.SS "TCP HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBtcp\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fITCP header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBTCP header expression\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l.
+T{
+sport
+T} T{
+Source port
+T} T{
+inet_service
+T}
+T{
+dport
+T} T{
+Destination port
+T} T{
+inet_service
+T}
+T{
+sequence
+T} T{
+Sequence number
+T} T{
+integer (32 bit)
+T}
+T{
+ackseq
+T} T{
+Acknowledgement number
+T} T{
+integer (32 bit)
+T}
+T{
+doff
+T} T{
+Data offset
+T} T{
+integer (4 bit) FIXME scaling
+T}
+T{
+reserved
+T} T{
+Reserved area
+T} T{
+FIXME
+T}
+T{
+flags
+T} T{
+TCP flags
+T} T{
+tcp_flags
+T}
+T{
+window
+T} T{
+Window
+T} T{
+integer (16 bit)
+T}
+T{
+checksum
+T} T{
+Checksum
+T} T{
+integer (16 bit)
+T}
+T{
+urgptr
+T} T{
+Urgent pointer
+T} T{
+integer (16 bit)
+T}
+.TE
+.SS "UDP HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBudp\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fIUDP header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBUDP header expression\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l.
+T{
+sport
+T} T{
+Source port
+T} T{
+inet_service
+T}
+T{
+dport
+T} T{
+Destination port
+T} T{
+inet_service
+T}
+T{
+length
+T} T{
+Total packet length
+T} T{
+integer (16 bit)
+T}
+T{
+checksum
+T} T{
+Checksum
+T} T{
+integer (16 bit)
+T}
+.TE
+.SS "UDP-LITE HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBudplite\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fIUDP-Lite header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBUDP-Lite header expression\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l.
+T{
+sport
+T} T{
+Source port
+T} T{
+inet_service
+T}
+T{
+dport
+T} T{
+Destination port
+T} T{
+inet_service
+T}
+T{
+cscov
+T} T{
+Checksum coverage
+T} T{
+integer (16 bit)
+T}
+T{
+checksum
+T} T{
+Checksum
+T} T{
+integer (16 bit)
+T}
+.TE
+.SS "SCTP HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBsctp\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fISCTP header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBSCTP header expression\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l.
+T{
+sport
+T} T{
+Source port
+T} T{
+inet_service
+T}
+T{
+dport
+T} T{
+Destination port
+T} T{
+inet_service
+T}
+T{
+vtag
+T} T{
+Verfication Tag
+T} T{
+integer (32 bit)
+T}
+T{
+checksum
+T} T{
+Checksum
+T} T{
+integer (32 bit)
+T}
+.TE
+.SS "DCCP HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBdccp\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fIDCCP header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBDCCP header expression\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l
+l | l | l.
+T{
+sport
+T} T{
+Source port
+T} T{
+inet_service
+T}
+T{
+dport
+T} T{
+Destination port
+T} T{
+inet_service
+T}
+.TE
+.SS "AUTHENTICATION HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBah\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fIAH header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBAH header expression\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l.
+T{
+nexthdr
+T} T{
+Next header protocol
+T} T{
+inet_service
+T}
+T{
+hdrlength
+T} T{
+AH Header length
+T} T{
+integer (8 bit)
+T}
+T{
+reserved
+T} T{
+Reserved area
+T} T{
+FIXME
+T}
+T{
+spi
+T} T{
+Security Parameter Index
+T} T{
+integer (32 bit)
+T}
+T{
+sequence
+T} T{
+Sequence number
+T} T{
+integer (32 bit)
+T}
+.TE
+.SS "ENCRYPTED SECURITY PAYLOAD HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBesp\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fIESP header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBESP header expression\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l
+l | l | l.
+T{
+spi
+T} T{
+Security Parameter Index
+T} T{
+integer (32 bit)
+T}
+T{
+sequence
+T} T{
+Sequence number
+T} T{
+integer (32 bit)
+T}
+.TE
+.SS "IPCOMP HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBipcomp\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fIIPComp header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBIPComp header expression\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l
+l | l | l
+l | l | l.
+T{
+nexthdr
+T} T{
+Next header protocol
+T} T{
+inet_service
+T}
+T{
+flags
+T} T{
+Flags
+T} T{
+FIXME
+T}
+T{
+cfi
+T} T{
+Compression Parameter Index
+T} T{
+FIXME
+T}
+.TE
+.SH BLA
+.SS "IPV6 EXTENSION HEADER EXPRESSIONS"
+IPv6 extension header expressions refer to data from an IPv6 packet's extension headers.
+.SS "CONNTRACK EXPRESSIONS"
+Conntrack expressions refer to meta data of the connection tracking entry associated with a packet.
+.PP
+'nh
+.fi
+.ad l
+\fBct\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+{state | direction | status | mark | expiration | helper | l3proto | saddr | daddr | protocol | proto-src | proto-dst}
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBConntrack expressions\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l.
+T{
+state
+T} T{
+State of the connection
+T} T{
+ct_state
+T}
+T{
+direction
+T} T{
+Direction of the packet relative to the connection
+T} T{
+ct_dir
+T}
+T{
+status
+T} T{
+Status of the connection
+T} T{
+ct_status
+T}
+T{
+mark
+T} T{
+Connection mark
+T} T{
+packetmark
+T}
+T{
+expiration
+T} T{
+Connection expiration time
+T} T{
+time
+T}
+T{
+helper
+T} T{
+Helper associated with the connection
+T} T{
+string
+T}
+T{
+l3proto
+T} T{
+Layer 3 protocol of the connection
+T} T{
+nf_proto FIXME
+T}
+T{
+saddr
+T} T{
+Source address of the connection for the given direction
+T} T{
+ipv4_addr/ipv6_addr
+T}
+T{
+daddr
+T} T{
+Destination address of the connection for the given direction
+T} T{
+ipv4_addr/ipv6_addr
+T}
+T{
+protocol
+T} T{
+Layer 4 protocol of the connection for the given direction
+T} T{
+inet_proto
+T}
+T{
+proto-src
+T} T{
+Layer 4 protocol source for the given direction
+T} T{
+FIXME
+T}
+T{
+proto-dst
+T} T{
+Layer 4 protocol destination for the given direction
+T} T{
+FIXME
+T}
+.TE
+.SH STATEMENTS
+Statements represent actions to be performed. They can alter control flow (return, jump
+to a different chain, accept or drop the packet) or can perform actions, such as logging,
+rejecting a packet, etc.
+.PP
+Statements exist in two kinds. Terminal statements unconditionally terminate evaluation
+of the current rule, non-terminal statements either only conditionally or never terminate
+evaluation of the current rule, in other words, they are passive from the ruleset evaluation
+perspective. There can be an arbitrary amount of non-terminal statements in a rule, but
+only a single terminal statement as the final statement.
+.SS "VERDICT STATEMENT"
+The verdict statement alters control flow in the ruleset and issues
+policy decisions for packets.
+.PP
+'nh
+.fi
+.ad l
+{accept | drop | queue | continue | return}
+.ad b
+'hy
+'nh
+.fi
+.ad l
+{jump | goto} {\fIchain\fR}
+.ad b
+'hy
+.PP
+.TP
+\*(T<\fBaccept\fR\*(T>
+Terminate ruleset evaluation and accept the packet.
+.TP
+\*(T<\fBdrop\fR\*(T>
+Terminate ruleset evaluation and drop the packet.
+.TP
+\*(T<\fBqueue\fR\*(T>
+Terminate ruleset evaluation and queue the packet to userspace.
+.TP
+\*(T<\fBcontinue\fR\*(T>
+Continue ruleset evaluation with the next rule. FIXME
+.TP
+\*(T<\fBreturn\fR\*(T>
+Return from the current chain and continue evaluation at the
+next rule in the last chain. If issued in a base chain, it is
+equivalent to \fBaccept\fR.
+.TP
+\*(T<\fBjump \fR\*(T>\fIchain\fR
+Continue evaluation at the first rule in \fIchain\fR.
+The current position in the ruleset is pushed to a call stack and evaluation
+will continue there when the new chain is entirely evaluated of a
+\fBreturn\fR verdict is issued.
+.TP
+\*(T<\fBgoto \fR\*(T>\fIchain\fR
+Similar to \fBjump\fR, but the current position is not pushed
+to the call stack, meaning that after the new chain evaluation will continue
+at the last chain instead of the one containing the goto statement.
+.PP
+\fBVerdict statements\fR
+.PP
+.nf
+\*(T<
+# process packets from eth0 and the internal network in from_lan
+# chain, drop all packets from eth0 with different source addresses.
+
+filter input iif eth0 ip saddr 192.168.0.0/24 jump from_lan
+filter input iif eth0 drop
+ \*(T>
+.fi
+.SS "LOG STATEMENT"
+.SS "REJECT STATEMENT"
+.SS "COUNTER STATEMENT"
+.SS "META STATEMENT"
+.SS "LIMIT STATEMENT"
+.SS "NAT STATEMENT"
+.SS "QUEUE STATEMENT"
+.SH "ADDITIONAL COMMANDS"
+These are some additional commands included in nft.
+.SS EXPORT
+Export your current ruleset in XML or JSON format to stdout.
+.PP
+Examples:
+
+.nf
+\*(T<
+% nft export xml
+[...]
+% nft export json
+[...]
+ \*(T>
+.fi
+.SS MONITOR
+The monitor command allows you to listen to Netlink events produced
+by the nf_tables subsystem, related to creation and deletion of objects.
+When they ocurr, nft will print to stdout the monitored events in either
+XML, JSON or native nft format.
+.PP
+To filter events related to a concrete object, use one of the keywords 'tables', 'chains', 'sets', 'rules', 'elements'.
+.PP
+To filter events related to a concrete action, use keyword 'new' or 'destroy'.
+.PP
+Hit ^C to finish the monitor operation.
+.PP
+\fBListen to all events, report in native nft format\fR
+.PP
+.nf
+\*(T<
+% nft monitor
+ \*(T>
+.fi
+.PP
+\fBListen to added tables, report in XML format\fR
+.PP
+.nf
+\*(T<
+% nft monitor new tables xml
+ \*(T>
+.fi
+.PP
+\fBListen to deleted rules, report in JSON format\fR
+.PP
+.nf
+\*(T<
+% nft monitor destroy rules json
+ \*(T>
+.fi
+.PP
+\fBListen to both new and destroyed chains, in native nft format\fR
+.PP
+.nf
+\*(T<
+% nft monitor chains
+ \*(T>
+.fi
+.SH "ERROR REPORTING"
+When an error is detected, nft shows the line(s) containing the error, the position
+of the erroneous parts in the input stream and marks up the erroneous parts using
+carrets (\*(T<^\*(T>). If the error results from the combination of two
+expressions or statements, the part imposing the constraints which are violated is
+marked using tildes (\*(T<~\*(T>).
+.PP
+For errors returned by the kernel, nft can't detect which parts of the input caused
+the error and the entire command is marked.
+.PP
+\fBError caused by single incorrect expression\fR
+.PP
+.nf
+\*(T<
+<cmdline>:1:19\-22: Error: Interface does not exist
+filter output oif eth0
+ ^^^^
+ \*(T>
+.fi
+.PP
+\fBError caused by invalid combination of two expressions\fR
+.PP
+.nf
+\*(T<
+<cmdline>:1:28\-36: Error: Right hand side of relational expression (==) must be constant
+filter output tcp dport == tcp dport
+ ~~ ^^^^^^^^^
+ \*(T>
+.fi
+.PP
+\fBError returned by the kernel\fR
+.PP
+.nf
+\*(T<
+<cmdline>:0:0\-23: Error: Could not process rule: Operation not permitted
+filter output oif wlan0
+^^^^^^^^^^^^^^^^^^^^^^^
+ \*(T>
+.fi
+.SH "EXIT STATUS"
+On success, nft exits with a status of 0. Unspecified
+errors cause it to exit with a status of 1, memory allocation
+errors with a status of 2, unable to open Netlink socket with 3.
+.SH "SEE ALSO"
+iptables(8), ip6tables(8), arptables(8), ebtables(8), ip(8), tc(8)
+.SH AUTHORS
+nftables was written by Patrick McHardy.
+.SH COPYRIGHT
+Copyright \(co 2008-2014 Patrick McHardy <\*(T<kaber@trash.net\*(T>>
+.PP
+nftables is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 2 as
+published by the Free Software Foundation.
+.PP
+This documentation is licenced under the terms of the Creative
+Commons Attribution-ShareAlike 4.0 license,
+.URL http://creativecommons.org/licenses/by-sa/4.0/ "CC BY-SA 4.0"
+\&.
diff --git a/net-firewall/nftables/files/nftables-0.4.1-nftables.8 b/net-firewall/nftables/files/nftables-0.4.1-nftables.8
new file mode 100644
index 00000000..8e98f6d9
--- /dev/null
+++ b/net-firewall/nftables/files/nftables-0.4.1-nftables.8
@@ -0,0 +1,1906 @@
+'\" t -*- coding: us-ascii -*-
+.if \n(.g .ds T< \\FC
+.if \n(.g .ds T> \\F[\n[.fam]]
+.de URL
+\\$2 \(la\\$1\(ra\\$3
+..
+.if \n(.g .mso www.tmac
+.TH nft 8 "5 June 2015" "" ""
+.SH NAME
+nft \- Administration tool for packet filtering and classification
+.SH SYNOPSIS
+'nh
+.fi
+.ad l
+\fBnft\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[
+\fB-n/--numeric\fR
+] [
+\fB-I/--includepath\fR
+\fIdirectory\fR
+] [
+\fB-f/--file\fR
+\fIfilename\fR
+|
+\fB-i/--interactive\fR
+|
+\fIcmd\fR
+\&...]
+'in \n(.iu-\nxu
+.ad b
+'hy
+'nh
+.fi
+.ad l
+\fBnft\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[
+\fB-h/--help\fR
+] [
+\fB-v/--version\fR
+]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.SH DESCRIPTION
+nft is used to set up, maintain and inspect packet
+filtering and classification rules in the Linux kernel.
+.SH OPTIONS
+For a full summary of options, run \fBnft --help\fR.
+.TP
+\*(T<\fB\-h/\-\-help\fR\*(T>
+Show help message and all options.
+.TP
+\*(T<\fB\-v/\-\-version\fR\*(T>
+Show version.
+.TP
+\*(T<\fB\-n/\-\-numeric\fR\*(T>
+Numeric output: Addresses and other information
+that might need network traffic to resolve to symbolic names
+are shown numerically (default behaviour). When used twice,
+internet services are translated. When used twice, internet
+services and UIDs/GIDs are also shown numerically. When used
+three times, protocol numbers are also shown numerically.
+.TP
+\*(T<\fB\-N\fR\*(T>
+Translate IP addresses to DNS names.
+.TP
+\*(T<\fB\-a/\-\-handle\fR\*(T>
+Show rule handles in output.
+.TP
+\*(T<\fB\-I/\-\-includepath \fR\*(T>\fIdirectory\fR
+Add the directory \fIdirectory\fR to the list of directories to by searched for included files.
+.TP
+\*(T<\fB\-f/\-\-file \fR\*(T>\fIfilename\fR
+Read input from \fIfilename\fR.
+.TP
+\*(T<\fB\-i/\-\-interactive\fR\*(T>
+Read input from an interactive readline CLI.
+.SH "INPUT FILE FORMAT"
+.SS "LEXICAL CONVENTIONS"
+Input is parsed line-wise. When the last character of a line just before
+the newline character is a non-quoted backslash (\*(T<\e\*(T>),
+the next line is treated as a continuation. Multiple commands on the
+same line can be separated using a semicolon (\*(T<;\*(T>).
+.PP
+A hash sign (\*(T<#\*(T>) begins a comment. All following characters
+on the same line are ignored.
+.PP
+Identifiers begin with an alphabetic character (\*(T<a\-z,A\-Z\*(T>),
+followed zero or more alphanumeric characters (\*(T<a\-z,A\-Z,0\-9\*(T>)
+and the characters slash (\*(T</\*(T>), backslash (\*(T<\e\*(T>),
+underscore (\*(T<_\*(T>) and dot (\*(T<.\*(T>). Identifiers
+using different characters or clashing with a keyword need to be enclosed in
+double quotes (\*(T<"\*(T>).
+.PP
+.SS "INCLUDE FILES"
+'nh
+.fi
+.ad l
+\fBinclude\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+\fIfilename\fR
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+Other files can be included by using the \fBinclude\fR statement.
+The directories to be searched for include files can be specified using
+the \*(T<\fB\-I/\-\-includepath\fR\*(T> option.
+.SS "SYMBOLIC VARIABLES"
+'nh
+.fi
+.ad l
+\fBdefine\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+variable \fIexpr\fR
+'in \n(.iu-\nxu
+.ad b
+'hy
+'nh
+.fi
+.ad l
+\fB$variable\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+Symbolic variables can be defined using the \fBdefine\fR statement.
+Variable references are expressions and can be used initialize other variables.
+The scope of a definition is the current block and all blocks contained within.
+
+\fBUsing symbolic variables\fR
+.PP
+.nf
+\*(T<
+define int_if1 = eth0
+define int_if2 = eth1
+define int_ifs = { $int_if1, $int_if2 }
+
+filter input iif $int_ifs accept
+ \*(T>
+.fi
+.SH "ADDRESS FAMILIES"
+Address families determine the type of packets which are processed. For each address
+family the kernel contains so called hooks at specific stages of the packet processing
+paths, which invoke nftables if rules for these hooks exist.
+.PP
+.TP
+\*(T<\fBip\fR\*(T>
+IPv4 address family.
+.TP
+\*(T<\fBip6\fR\*(T>
+IPv6 address family.
+.TP
+\*(T<\fBinet\fR\*(T>
+Internet (IPv4/IPv6) address family.
+.TP
+\*(T<\fBarp\fR\*(T>
+ARP address family, handling packets vi
+.TP
+\*(T<\fBbridge\fR\*(T>
+Bridge address family, handling packets which traverse a bridge device.
+.PP
+All nftables objects exist in address family specific namespaces, therefore
+all identifiers include an address family. If an identifier is specified without
+an address family, the \*(T<ip\*(T> family is used by default.
+.SS "IPV4/IPV6/INET ADDRESS FAMILIES"
+The IPv4/IPv6/Inet address families handle IPv4, IPv6 or both types of packets. They
+contain five hooks at different packet processing stages in the network stack.
+.PP
+\fBIPv4/IPv6/Inet address family hooks\fR
+.TS
+allbox ;
+l | l.
+T{
+Hook
+T} T{
+Description
+T}
+.T&
+l | l.
+T{
+prerouting
+T} T{
+All packets entering the system are processed by the prerouting hook. It is invoked
+before the routing process and is used for early filtering or changing packet
+attributes that affect routing.
+T}
+T{
+input
+T} T{
+Packets delivered to the local system are processed by the input hook.
+T}
+T{
+forward
+T} T{
+Packets forwarded to a different host are processed by the forward hook.
+T}
+T{
+output
+T} T{
+Packets sent by local processes are processed by the output hook.
+T}
+T{
+postrouting
+T} T{
+All packets leaving the system are processed by the postrouting hook.
+T}
+.TE
+.SS "ARP ADDRESS FAMILY"
+The ARP address family handles ARP packets received and sent by the system. It is commonly used
+to mangle ARP packets for clustering.
+.PP
+\fBARP address family hooks\fR
+.TS
+allbox ;
+l | l.
+T{
+Hook
+T} T{
+Description
+T}
+.T&
+l | l
+l | l.
+T{
+input
+T} T{
+Packets delivered to the local system are processed by the input hook.
+T}
+T{
+output
+T} T{
+Packets send by the local system are processed by the output hook.
+T}
+.TE
+.SS "BRIDGE ADDRESS FAMILY"
+The bridge address family handles ethernet packets traversing bridge devices.
+.SH TABLES
+'nh
+.fi
+.ad l
+{add | delete | list | flush} \fBtable\fR [\fIfamily\fR] {\fItable\fR}
+.ad b
+'hy
+.PP
+Tables are containers for chains and sets. They are identified by their address family
+and their name. The address family must be one of
+\*(T<ip\*(T>, \*(T<ip6\*(T>, \*(T<inet\*(T>, \*(T<arp\*(T>, \*(T<bridge\*(T>.
+The \*(T<inet\*(T> address family is a dummy family which is used to create
+hybrid IPv4/IPv6 tables.
+When no address family is specified, \*(T<ip\*(T> is used by default.
+.TP
+\*(T<\fBadd\fR\*(T>
+Add a new table for the given family with the given name.
+.TP
+\*(T<\fBdelete\fR\*(T>
+Delete the specified table.
+.TP
+\*(T<\fBlist\fR\*(T>
+List all chains and rules of the specified table.
+.TP
+\*(T<\fBflush\fR\*(T>
+Flush all chains and rules of the specified table.
+.SH CHAINS
+'nh
+.fi
+.ad l
+{add} \fBchain\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR} {\fIhook\fR} {\fIpriority\fR} {\fIpolicy\fR}
+.ad b
+'hy
+'nh
+.fi
+.ad l
+{add | create | delete | list | flush} \fBchain\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR}
+.ad b
+'hy
+'nh
+.fi
+.ad l
+{rename} \fBchain\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR} {\fInewname\fR}
+.ad b
+'hy
+.PP
+Chains are containers for rules. They exist in two kinds,
+base chains and regular chains. A base chain is an entry point for
+packets from the networking stack, a regular chain may be used
+as jump target and is used for better rule organization.
+.TP
+\*(T<\fBadd\fR\*(T>
+Add a new chain in the specified table. When a hook and priority
+value are specified, the chain is created as a base chain and hooked
+up to the networking stack.
+.TP
+\*(T<\fBcreate\fR\*(T>
+Simlar to the \fBadd\fR command, but returns an error if the
+chain already exists.
+.TP
+\*(T<\fBdelete\fR\*(T>
+Delete the specified chain. The chain must not contain any rules or be
+used as jump target.
+.TP
+\*(T<\fBrename\fR\*(T>
+Rename the specified chain.
+.TP
+\*(T<\fBlist\fR\*(T>
+List all rules of the specified chain.
+.TP
+\*(T<\fBflush\fR\*(T>
+Flush all rules of the specified chain.
+.SH RULES
+'nh
+.fi
+.ad l
+[add | insert] \fBrule\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR} [position \fIposition\fR] {\fIstatement\fR}\&...
+.ad b
+'hy
+'nh
+.fi
+.ad l
+{delete} \fBrule\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR} {handle \fIhandle\fR}
+.ad b
+'hy
+.PP
+Rules are constructed from two kinds of components according to a set
+of grammatical rules: expressions and statements.
+.TP
+\*(T<\fBadd\fR\*(T>
+Add a new rule described by the list of statements. The rule is appended to the
+given chain unless a position is specified, in which case the rule is appended to
+the rule given by the position.
+.TP
+\*(T<\fBinsert\fR\*(T>
+Similar to the \fBadd\fR command, but the rule is prepended to the
+beginning of the chain or before the rule at the given position.
+.TP
+\*(T<\fBdelete\fR\*(T>
+Delete the specified rule.
+.SH EXPRESSIONS
+Expressions represent values, either constants like network addresses, port numbers etc. or data
+gathered from the packet during ruleset evaluation. Expressions can be combined using binary,
+logical, relational and other types of expressions to form complex or relational (match) expressions.
+They are also used as arguments to certain types of operations, like NAT, packet marking etc.
+.PP
+Each expression has a data type, which determines the size, parsing and representation of
+symbolic values and type compatibility with other expressions.
+.SS "DESCRIBE COMMAND"
+'nh
+.fi
+.ad l
+\fBdescribe\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+{\fIexpression\fR}
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+The \fBdescribe\fR command shows information about the type of an expression and
+its data type.
+.PP
+\fBThe describe command\fR
+.PP
+.nf
+\*(T<
+$ nft describe tcp flags
+payload expression, datatype tcp_flag (TCP flag) (basetype bitmask, integer), 8 bits
+
+pre\-defined symbolic constants:
+fin 0x01
+syn 0x02
+rst 0x04
+psh 0x08
+ack 0x10
+urg 0x20
+ecn 0x40
+cwr 0x80
+ \*(T>
+.fi
+.SH "DATA TYPES"
+Data types determine the size, parsing and representation of symbolic values and type compatibility
+of expressions. A number of global data types exist, in addition some expression types define further
+data types specific to the expression type. Most data types have a fixed size, some however may have
+a dynamic size, f.i. the string type.
+.PP
+Types may be derived from lower order types, f.i. the IPv4 address type is derived from the integer
+type, meaning an IPv4 address can also be specified as an integer value.
+.PP
+In certain contexts (set and map definitions) it is necessary to explicitly specify a data type.
+Each type has a name which is used for this.
+.SS "INTEGER TYPE"
+.TS
+allbox ;
+l | l | l | l.
+T{
+Name
+T} T{
+Keyword
+T} T{
+Size
+T} T{
+Base type
+T}
+.T&
+l | l | l | l.
+T{
+Integer
+T} T{
+integer
+T} T{
+variable
+T} T{
+-
+T}
+.TE
+.PP
+The integer type is used for numeric values. It may be specified as decimal, hexadecimal
+or octal number. The integer type doesn't have a fixed size, its size is determined by the
+expression for which it is used.
+.SS "BITMASK TYPE"
+.TS
+allbox ;
+l | l | l | l.
+T{
+Name
+T} T{
+Keyword
+T} T{
+Size
+T} T{
+Base type
+T}
+.T&
+l | l | l | l.
+T{
+Bitmask
+T} T{
+bitmask
+T} T{
+variable
+T} T{
+integer
+T}
+.TE
+.PP
+The bitmask type (\fBbitmask\fR) is used for bitmasks.
+.SS "STRING TYPE"
+.TS
+allbox ;
+l | l | l | l.
+T{
+Name
+T} T{
+Keyword
+T} T{
+Size
+T} T{
+Base type
+T}
+.T&
+l | l | l | l.
+T{
+String
+T} T{
+string
+T} T{
+variable
+T} T{
+-
+T}
+.TE
+.PP
+The string type is used to for character strings. A string begins with an alphabetic character
+(a-zA-Z) followed by zero or more alphanumeric characters or the characters \*(T</\*(T>,
+\*(T<\-\*(T>, \*(T<_\*(T> and \*(T<.\*(T>. In addition anything enclosed
+in double quotes (\*(T<"\*(T>) is recognized as a string.
+.PP
+\fBString specification\fR
+.PP
+.nf
+\*(T<
+# Interface name
+filter input iifname eth0
+
+# Weird interface name
+filter input iifname "(eth0)"
+ \*(T>
+.fi
+.SS "LINK LAYER ADDRESS TYPE"
+.TS
+allbox ;
+l | l | l | l.
+T{
+Name
+T} T{
+Keyword
+T} T{
+Size
+T} T{
+Base type
+T}
+.T&
+l | l | l | l.
+T{
+Link layer address
+T} T{
+lladdr
+T} T{
+variable
+T} T{
+integer
+T}
+.TE
+.PP
+The link layer address type is used for link layer addresses. Link layer addresses are specified
+as a variable amount of groups of two hexadecimal digits separated using colons (\*(T<:\*(T>).
+.PP
+\fBLink layer address specification\fR
+.PP
+.nf
+\*(T<
+# Ethernet destination MAC address
+filter input ether daddr 20:c9:d0:43:12:d9
+ \*(T>
+.fi
+.SS "IPV4 ADDRESS TYPE"
+.TS
+allbox ;
+l | l | l | l.
+T{
+Name
+T} T{
+Keyword
+T} T{
+Size
+T} T{
+Base type
+T}
+.T&
+l | l | l | l.
+T{
+IPv4 address
+T} T{
+ipv4_addr
+T} T{
+32 bit
+T} T{
+integer
+T}
+.TE
+.PP
+The IPv4 address type is used for IPv4 addresses. Addresses are specified in either dotted decimal,
+dotted hexadecimal, dotted octal, decimal, hexadecimal, octal notation or as a host name. A host name
+will be resolved using the standard system resolver.
+.PP
+\fBIPv4 address specification\fR
+.PP
+.nf
+\*(T<
+# dotted decimal notation
+filter output ip daddr 127.0.0.1
+
+# host name
+filter output ip daddr localhost
+ \*(T>
+.fi
+.SS "IPV6 ADDRESS TYPE"
+.TS
+allbox ;
+l | l | l | l.
+T{
+Name
+T} T{
+Keyword
+T} T{
+Size
+T} T{
+Base type
+T}
+.T&
+l | l | l | l.
+T{
+IPv6 address
+T} T{
+ipv6_addr
+T} T{
+128 bit
+T} T{
+integer
+T}
+.TE
+.PP
+The IPv6 address type is used for IPv6 addresses. FIXME
+.PP
+\fBIPv6 address specification\fR
+.PP
+.nf
+\*(T<
+# abbreviated loopback address
+filter output ip6 daddr ::1
+ \*(T>
+.fi
+.SH "PRIMARY EXPRESSIONS"
+The lowest order expression is a primary expression, representing either a constant or a single
+datum from a packet's payload, meta data or a stateful module.
+.SS "META EXPRESSIONS"
+'nh
+.fi
+.ad l
+\fBmeta\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+{length | nfproto | l4proto | protocol | priority}
+'in \n(.iu-\nxu
+.ad b
+'hy
+'nh
+.fi
+.ad l
+[meta] {mark | iif | iifname | iiftype | oif | oifname | oiftype | skuid | skgid | nftrace | rtclassid}
+.ad b
+'hy
+.PP
+A meta expression refers to meta data associated with a packet.
+.PP
+There are two types of meta expressions: unqualified and qualified meta expressions.
+Qualified meta expressions require the \fBmeta\fR keyword before the
+meta key, unqualified meta expressions can be specified by using the meta key directly
+or as qualified meta expressions.
+.PP
+\fBMeta expression types\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l.
+T{
+length
+T} T{
+Length of the packet in bytes
+T} T{
+integer (32 bit)
+T}
+T{
+protocol
+T} T{
+Ethertype protocol value
+T} T{
+ether_type
+T}
+T{
+priority
+T} T{
+TC packet priority
+T} T{
+integer (32 bit)
+T}
+T{
+mark
+T} T{
+Packet mark
+T} T{
+packetmark
+T}
+T{
+iif
+T} T{
+Input interface index
+T} T{
+iface_index
+T}
+T{
+iifname
+T} T{
+Input interface name
+T} T{
+string
+T}
+T{
+iiftype
+T} T{
+Input interface type
+T} T{
+iface_type
+T}
+T{
+oif
+T} T{
+Output interface index
+T} T{
+iface_index
+T}
+T{
+oifname
+T} T{
+Output interface name
+T} T{
+string
+T}
+T{
+oiftype
+T} T{
+Output interface hardware type
+T} T{
+iface_type
+T}
+T{
+skuid
+T} T{
+UID associated with originating socket
+T} T{
+uid
+T}
+T{
+skgid
+T} T{
+GID associated with originating socket
+T} T{
+gid
+T}
+T{
+rtclassid
+T} T{
+Routing realm
+T} T{
+realm
+T}
+.TE
+.PP
+\fBMeta expression specific types\fR
+.TS
+allbox ;
+l | l.
+T{
+Type
+T} T{
+Description
+T}
+.T&
+l | l.
+T{
+iface_index
+T} T{
+Interface index (32 bit number). Can be specified numerically
+or as name of an existing interface.
+T}
+T{
+ifname
+T} T{
+Interface name (16 byte string). Does not have to exist.
+T}
+T{
+iface_type
+T} T{
+Interface type (16 bit number).
+T}
+T{
+uid
+T} T{
+User ID (32 bit number). Can be specified numerically or as
+user name.
+T}
+T{
+gid
+T} T{
+Group ID (32 bit number). Can be specified numerically or as
+group name.
+T}
+T{
+realm
+T} T{
+Routing Realm (32 bit number). Can be specified numerically
+or as symbolic name defined in /etc/iproute2/rt_realms.
+T}
+.TE
+.PP
+\fBUsing meta expressions\fR
+.PP
+.nf
+\*(T<
+# qualified meta expression
+filter output meta oif eth0
+
+# unqualified meta expression
+filter output oif eth0
+ \*(T>
+.fi
+.SH "PAYLOAD EXPRESSIONS"
+Payload expressions refer to data from the packet's payload.
+.SS "ETHERNET HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBether\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fIethernet header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBEthernet header expression types\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l
+l | l | l
+l | l | l.
+T{
+daddr
+T} T{
+Destination MAC address
+T} T{
+ether_addr
+T}
+T{
+saddr
+T} T{
+Source MAC address
+T} T{
+ether_addr
+T}
+T{
+type
+T} T{
+EtherType
+T} T{
+ether_type
+T}
+.TE
+.SS "VLAN HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBvlan\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fIVLAN header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBVLAN header expression\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l.
+T{
+id
+T} T{
+VLAN ID (VID)
+T} T{
+integer (12 bit)
+T}
+T{
+cfi
+T} T{
+Canonical Format Indicator
+T} T{
+flag
+T}
+T{
+pcp
+T} T{
+Priority code point
+T} T{
+integer (3 bit)
+T}
+T{
+type
+T} T{
+EtherType
+T} T{
+ethertype
+T}
+.TE
+.SS "ARP HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBarp\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fIARP header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBARP header expression\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l.
+T{
+htype
+T} T{
+ARP hardware type
+T} T{
+FIXME
+T}
+T{
+ptype
+T} T{
+EtherType
+T} T{
+ethertype
+T}
+T{
+hlen
+T} T{
+Hardware address len
+T} T{
+integer (8 bit)
+T}
+T{
+plen
+T} T{
+Protocol address len
+T} T{
+integer (8 bit)
+T}
+T{
+op
+T} T{
+Operation
+T} T{
+FIXME
+T}
+.TE
+.SS "IPV4 HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBip\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fIIPv4 header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBIPv4 header expression\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l.
+T{
+version
+T} T{
+IP header version (4)
+T} T{
+integer (4 bit)
+T}
+T{
+hdrlength
+T} T{
+IP header length including options
+T} T{
+integer (4 bit) FIXME scaling
+T}
+T{
+tos
+T} T{
+Type Of Service
+T} T{
+FIXME
+T}
+T{
+length
+T} T{
+Total packet length
+T} T{
+integer (16 bit)
+T}
+T{
+id
+T} T{
+IP ID
+T} T{
+integer (16 bit)
+T}
+T{
+frag-off
+T} T{
+Fragment offset
+T} T{
+integer (16 bit)
+T}
+T{
+ttl
+T} T{
+Time to live
+T} T{
+integer (8 bit)
+T}
+T{
+protocol
+T} T{
+Upper layer protocol
+T} T{
+inet_proto
+T}
+T{
+checksum
+T} T{
+IP header checksum
+T} T{
+integer (16 bit)
+T}
+T{
+saddr
+T} T{
+Source address
+T} T{
+ipv4_addr
+T}
+T{
+daddr
+T} T{
+Destination address
+T} T{
+ipv4_addr
+T}
+.TE
+.SS "IPV6 HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBip6\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fIIPv6 header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBIPv6 header expression\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l.
+T{
+version
+T} T{
+IP header version (6)
+T} T{
+integer (4 bit)
+T}
+T{
+priority
+T} T{
+T} T{
+T}
+T{
+flowlabel
+T} T{
+Flow label
+T} T{
+T}
+T{
+length
+T} T{
+Payload length
+T} T{
+integer (16 bit)
+T}
+T{
+nexthdr
+T} T{
+Nexthdr protocol
+T} T{
+inet_proto
+T}
+T{
+hoplimit
+T} T{
+Hop limit
+T} T{
+integer (8 bit)
+T}
+T{
+saddr
+T} T{
+Source address
+T} T{
+ipv6_addr
+T}
+T{
+daddr
+T} T{
+Destination address
+T} T{
+ipv6_addr
+T}
+.TE
+.SS "TCP HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBtcp\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fITCP header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBTCP header expression\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l.
+T{
+sport
+T} T{
+Source port
+T} T{
+inet_service
+T}
+T{
+dport
+T} T{
+Destination port
+T} T{
+inet_service
+T}
+T{
+sequence
+T} T{
+Sequence number
+T} T{
+integer (32 bit)
+T}
+T{
+ackseq
+T} T{
+Acknowledgement number
+T} T{
+integer (32 bit)
+T}
+T{
+doff
+T} T{
+Data offset
+T} T{
+integer (4 bit) FIXME scaling
+T}
+T{
+reserved
+T} T{
+Reserved area
+T} T{
+FIXME
+T}
+T{
+flags
+T} T{
+TCP flags
+T} T{
+tcp_flags
+T}
+T{
+window
+T} T{
+Window
+T} T{
+integer (16 bit)
+T}
+T{
+checksum
+T} T{
+Checksum
+T} T{
+integer (16 bit)
+T}
+T{
+urgptr
+T} T{
+Urgent pointer
+T} T{
+integer (16 bit)
+T}
+.TE
+.SS "UDP HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBudp\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fIUDP header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBUDP header expression\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l.
+T{
+sport
+T} T{
+Source port
+T} T{
+inet_service
+T}
+T{
+dport
+T} T{
+Destination port
+T} T{
+inet_service
+T}
+T{
+length
+T} T{
+Total packet length
+T} T{
+integer (16 bit)
+T}
+T{
+checksum
+T} T{
+Checksum
+T} T{
+integer (16 bit)
+T}
+.TE
+.SS "UDP-LITE HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBudplite\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fIUDP-Lite header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBUDP-Lite header expression\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l.
+T{
+sport
+T} T{
+Source port
+T} T{
+inet_service
+T}
+T{
+dport
+T} T{
+Destination port
+T} T{
+inet_service
+T}
+T{
+cscov
+T} T{
+Checksum coverage
+T} T{
+integer (16 bit)
+T}
+T{
+checksum
+T} T{
+Checksum
+T} T{
+integer (16 bit)
+T}
+.TE
+.SS "SCTP HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBsctp\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fISCTP header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBSCTP header expression\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l.
+T{
+sport
+T} T{
+Source port
+T} T{
+inet_service
+T}
+T{
+dport
+T} T{
+Destination port
+T} T{
+inet_service
+T}
+T{
+vtag
+T} T{
+Verfication Tag
+T} T{
+integer (32 bit)
+T}
+T{
+checksum
+T} T{
+Checksum
+T} T{
+integer (32 bit)
+T}
+.TE
+.SS "DCCP HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBdccp\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fIDCCP header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBDCCP header expression\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l
+l | l | l.
+T{
+sport
+T} T{
+Source port
+T} T{
+inet_service
+T}
+T{
+dport
+T} T{
+Destination port
+T} T{
+inet_service
+T}
+.TE
+.SS "AUTHENTICATION HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBah\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fIAH header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBAH header expression\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l.
+T{
+nexthdr
+T} T{
+Next header protocol
+T} T{
+inet_service
+T}
+T{
+hdrlength
+T} T{
+AH Header length
+T} T{
+integer (8 bit)
+T}
+T{
+reserved
+T} T{
+Reserved area
+T} T{
+FIXME
+T}
+T{
+spi
+T} T{
+Security Parameter Index
+T} T{
+integer (32 bit)
+T}
+T{
+sequence
+T} T{
+Sequence number
+T} T{
+integer (32 bit)
+T}
+.TE
+.SS "ENCRYPTED SECURITY PAYLOAD HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBesp\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fIESP header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBESP header expression\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l
+l | l | l.
+T{
+spi
+T} T{
+Security Parameter Index
+T} T{
+integer (32 bit)
+T}
+T{
+sequence
+T} T{
+Sequence number
+T} T{
+integer (32 bit)
+T}
+.TE
+.SS "IPCOMP HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBipcomp\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fIIPComp header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBIPComp header expression\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l
+l | l | l
+l | l | l.
+T{
+nexthdr
+T} T{
+Next header protocol
+T} T{
+inet_service
+T}
+T{
+flags
+T} T{
+Flags
+T} T{
+FIXME
+T}
+T{
+cfi
+T} T{
+Compression Parameter Index
+T} T{
+FIXME
+T}
+.TE
+.SH BLA
+.SS "IPV6 EXTENSION HEADER EXPRESSIONS"
+IPv6 extension header expressions refer to data from an IPv6 packet's extension headers.
+.SS "CONNTRACK EXPRESSIONS"
+Conntrack expressions refer to meta data of the connection tracking entry associated with a packet.
+.PP
+'nh
+.fi
+.ad l
+\fBct\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+{state | direction | status | mark | expiration | helper | l3proto | saddr | daddr | protocol | proto-src | proto-dst}
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBConntrack expressions\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l.
+T{
+state
+T} T{
+State of the connection
+T} T{
+ct_state
+T}
+T{
+direction
+T} T{
+Direction of the packet relative to the connection
+T} T{
+ct_dir
+T}
+T{
+status
+T} T{
+Status of the connection
+T} T{
+ct_status
+T}
+T{
+mark
+T} T{
+Connection mark
+T} T{
+packetmark
+T}
+T{
+expiration
+T} T{
+Connection expiration time
+T} T{
+time
+T}
+T{
+helper
+T} T{
+Helper associated with the connection
+T} T{
+string
+T}
+T{
+l3proto
+T} T{
+Layer 3 protocol of the connection
+T} T{
+nf_proto FIXME
+T}
+T{
+saddr
+T} T{
+Source address of the connection for the given direction
+T} T{
+ipv4_addr/ipv6_addr
+T}
+T{
+daddr
+T} T{
+Destination address of the connection for the given direction
+T} T{
+ipv4_addr/ipv6_addr
+T}
+T{
+protocol
+T} T{
+Layer 4 protocol of the connection for the given direction
+T} T{
+inet_proto
+T}
+T{
+proto-src
+T} T{
+Layer 4 protocol source for the given direction
+T} T{
+FIXME
+T}
+T{
+proto-dst
+T} T{
+Layer 4 protocol destination for the given direction
+T} T{
+FIXME
+T}
+.TE
+.SH STATEMENTS
+Statements represent actions to be performed. They can alter control flow (return, jump
+to a different chain, accept or drop the packet) or can perform actions, such as logging,
+rejecting a packet, etc.
+.PP
+Statements exist in two kinds. Terminal statements unconditionally terminate evaluation
+of the current rule, non-terminal statements either only conditionally or never terminate
+evaluation of the current rule, in other words, they are passive from the ruleset evaluation
+perspective. There can be an arbitrary amount of non-terminal statements in a rule, but
+only a single terminal statement as the final statement.
+.SS "VERDICT STATEMENT"
+The verdict statement alters control flow in the ruleset and issues
+policy decisions for packets.
+.PP
+'nh
+.fi
+.ad l
+{accept | drop | queue | continue | return}
+.ad b
+'hy
+'nh
+.fi
+.ad l
+{jump | goto} {\fIchain\fR}
+.ad b
+'hy
+.PP
+.TP
+\*(T<\fBaccept\fR\*(T>
+Terminate ruleset evaluation and accept the packet.
+.TP
+\*(T<\fBdrop\fR\*(T>
+Terminate ruleset evaluation and drop the packet.
+.TP
+\*(T<\fBqueue\fR\*(T>
+Terminate ruleset evaluation and queue the packet to userspace.
+.TP
+\*(T<\fBcontinue\fR\*(T>
+Continue ruleset evaluation with the next rule. FIXME
+.TP
+\*(T<\fBreturn\fR\*(T>
+Return from the current chain and continue evaluation at the
+next rule in the last chain. If issued in a base chain, it is
+equivalent to \fBaccept\fR.
+.TP
+\*(T<\fBjump \fR\*(T>\fIchain\fR
+Continue evaluation at the first rule in \fIchain\fR.
+The current position in the ruleset is pushed to a call stack and evaluation
+will continue there when the new chain is entirely evaluated of a
+\fBreturn\fR verdict is issued.
+.TP
+\*(T<\fBgoto \fR\*(T>\fIchain\fR
+Similar to \fBjump\fR, but the current position is not pushed
+to the call stack, meaning that after the new chain evaluation will continue
+at the last chain instead of the one containing the goto statement.
+.PP
+\fBVerdict statements\fR
+.PP
+.nf
+\*(T<
+# process packets from eth0 and the internal network in from_lan
+# chain, drop all packets from eth0 with different source addresses.
+
+filter input iif eth0 ip saddr 192.168.0.0/24 jump from_lan
+filter input iif eth0 drop
+ \*(T>
+.fi
+.SS "LOG STATEMENT"
+.SS "REJECT STATEMENT"
+.SS "COUNTER STATEMENT"
+.SS "META STATEMENT"
+.SS "LIMIT STATEMENT"
+.SS "NAT STATEMENT"
+.SS "QUEUE STATEMENT"
+.SH "ADDITIONAL COMMANDS"
+These are some additional commands included in nft.
+.SS EXPORT
+Export your current ruleset in XML or JSON format to stdout.
+.PP
+Examples:
+
+.nf
+\*(T<
+% nft export xml
+[...]
+% nft export json
+[...]
+ \*(T>
+.fi
+.SS MONITOR
+The monitor command allows you to listen to Netlink events produced
+by the nf_tables subsystem, related to creation and deletion of objects.
+When they ocurr, nft will print to stdout the monitored events in either
+XML, JSON or native nft format.
+.PP
+To filter events related to a concrete object, use one of the keywords 'tables', 'chains', 'sets', 'rules', 'elements'.
+.PP
+To filter events related to a concrete action, use keyword 'new' or 'destroy'.
+.PP
+Hit ^C to finish the monitor operation.
+.PP
+\fBListen to all events, report in native nft format\fR
+.PP
+.nf
+\*(T<
+% nft monitor
+ \*(T>
+.fi
+.PP
+\fBListen to added tables, report in XML format\fR
+.PP
+.nf
+\*(T<
+% nft monitor new tables xml
+ \*(T>
+.fi
+.PP
+\fBListen to deleted rules, report in JSON format\fR
+.PP
+.nf
+\*(T<
+% nft monitor destroy rules json
+ \*(T>
+.fi
+.PP
+\fBListen to both new and destroyed chains, in native nft format\fR
+.PP
+.nf
+\*(T<
+% nft monitor chains
+ \*(T>
+.fi
+.SH "ERROR REPORTING"
+When an error is detected, nft shows the line(s) containing the error, the position
+of the erroneous parts in the input stream and marks up the erroneous parts using
+carrets (\*(T<^\*(T>). If the error results from the combination of two
+expressions or statements, the part imposing the constraints which are violated is
+marked using tildes (\*(T<~\*(T>).
+.PP
+For errors returned by the kernel, nft can't detect which parts of the input caused
+the error and the entire command is marked.
+.PP
+\fBError caused by single incorrect expression\fR
+.PP
+.nf
+\*(T<
+<cmdline>:1:19\-22: Error: Interface does not exist
+filter output oif eth0
+ ^^^^
+ \*(T>
+.fi
+.PP
+\fBError caused by invalid combination of two expressions\fR
+.PP
+.nf
+\*(T<
+<cmdline>:1:28\-36: Error: Right hand side of relational expression (==) must be constant
+filter output tcp dport == tcp dport
+ ~~ ^^^^^^^^^
+ \*(T>
+.fi
+.PP
+\fBError returned by the kernel\fR
+.PP
+.nf
+\*(T<
+<cmdline>:0:0\-23: Error: Could not process rule: Operation not permitted
+filter output oif wlan0
+^^^^^^^^^^^^^^^^^^^^^^^
+ \*(T>
+.fi
+.SH "EXIT STATUS"
+On success, nft exits with a status of 0. Unspecified
+errors cause it to exit with a status of 1, memory allocation
+errors with a status of 2, unable to open Netlink socket with 3.
+.SH "SEE ALSO"
+iptables(8), ip6tables(8), arptables(8), ebtables(8), ip(8), tc(8)
+.PP
+There is an official wiki at: http://wiki.nftables.org
+.SH AUTHORS
+nftables was written by Patrick McHardy.
+.SH COPYRIGHT
+Copyright 2008-2014 Patrick McHardy <\*(T<kaber@trash.net\*(T>>
+.PP
+nftables is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 2 as
+published by the Free Software Foundation.
+.PP
+This documentation is licenced under the terms of the Creative
+Commons Attribution-ShareAlike 4.0 license,
+.URL http://creativecommons.org/licenses/by-sa/4.0/ "CC BY-SA 4.0"
+\&.
diff --git a/net-firewall/nftables/files/nftables-0.4.2-nftables.8 b/net-firewall/nftables/files/nftables-0.4.2-nftables.8
new file mode 100644
index 00000000..54791d31
--- /dev/null
+++ b/net-firewall/nftables/files/nftables-0.4.2-nftables.8
@@ -0,0 +1,1931 @@
+'\" t -*- coding: us-ascii -*-
+.if \n(.g .ds T< \\FC
+.if \n(.g .ds T> \\F[\n[.fam]]
+.de URL
+\\$2 \(la\\$1\(ra\\$3
+..
+.if \n(.g .mso www.tmac
+.TH nft 8 "5 June 2015" "" ""
+.SH NAME
+nft \- Administration tool for packet filtering and classification
+.SH SYNOPSIS
+'nh
+.fi
+.ad l
+\fBnft\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[
+\fB-n/--numeric\fR
+] [
+\fB-I/--includepath\fR
+\fIdirectory\fR
+] [
+\fB-f/--file\fR
+\fIfilename\fR
+|
+\fB-i/--interactive\fR
+|
+\fIcmd\fR
+\&...]
+'in \n(.iu-\nxu
+.ad b
+'hy
+'nh
+.fi
+.ad l
+\fBnft\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[
+\fB-h/--help\fR
+] [
+\fB-v/--version\fR
+]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.SH DESCRIPTION
+nft is used to set up, maintain and inspect packet
+filtering and classification rules in the Linux kernel.
+.SH OPTIONS
+For a full summary of options, run \fBnft --help\fR.
+.TP
+\*(T<\fB\-h/\-\-help\fR\*(T>
+Show help message and all options.
+.TP
+\*(T<\fB\-v/\-\-version\fR\*(T>
+Show version.
+.TP
+\*(T<\fB\-n/\-\-numeric\fR\*(T>
+Numeric output: Addresses and other information
+that might need network traffic to resolve to symbolic names
+are shown numerically (default behaviour). When used twice,
+internet services are translated. When used twice, internet
+services and UIDs/GIDs are also shown numerically. When used
+three times, protocol numbers are also shown numerically.
+.TP
+\*(T<\fB\-N\fR\*(T>
+Translate IP addresses to DNS names.
+.TP
+\*(T<\fB\-a/\-\-handle\fR\*(T>
+Show rule handles in output.
+.TP
+\*(T<\fB\-I/\-\-includepath \fR\*(T>\fIdirectory\fR
+Add the directory \fIdirectory\fR to the list of directories to by searched for included files.
+.TP
+\*(T<\fB\-f/\-\-file \fR\*(T>\fIfilename\fR
+Read input from \fIfilename\fR.
+.TP
+\*(T<\fB\-i/\-\-interactive\fR\*(T>
+Read input from an interactive readline CLI.
+.SH "INPUT FILE FORMAT"
+.SS "LEXICAL CONVENTIONS"
+Input is parsed line-wise. When the last character of a line just before
+the newline character is a non-quoted backslash (\*(T<\e\*(T>),
+the next line is treated as a continuation. Multiple commands on the
+same line can be separated using a semicolon (\*(T<;\*(T>).
+.PP
+A hash sign (\*(T<#\*(T>) begins a comment. All following characters
+on the same line are ignored.
+.PP
+Identifiers begin with an alphabetic character (\*(T<a\-z,A\-Z\*(T>),
+followed zero or more alphanumeric characters (\*(T<a\-z,A\-Z,0\-9\*(T>)
+and the characters slash (\*(T</\*(T>), backslash (\*(T<\e\*(T>),
+underscore (\*(T<_\*(T>) and dot (\*(T<.\*(T>). Identifiers
+using different characters or clashing with a keyword need to be enclosed in
+double quotes (\*(T<"\*(T>).
+.PP
+.SS "INCLUDE FILES"
+'nh
+.fi
+.ad l
+\fBinclude\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+\fIfilename\fR
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+Other files can be included by using the \fBinclude\fR statement.
+The directories to be searched for include files can be specified using
+the \*(T<\fB\-I/\-\-includepath\fR\*(T> option.
+.SS "SYMBOLIC VARIABLES"
+'nh
+.fi
+.ad l
+\fBdefine\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+variable \fIexpr\fR
+'in \n(.iu-\nxu
+.ad b
+'hy
+'nh
+.fi
+.ad l
+\fB$variable\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+Symbolic variables can be defined using the \fBdefine\fR statement.
+Variable references are expressions and can be used initialize other variables.
+The scope of a definition is the current block and all blocks contained within.
+
+\fBUsing symbolic variables\fR
+.PP
+.nf
+\*(T<
+define int_if1 = eth0
+define int_if2 = eth1
+define int_ifs = { $int_if1, $int_if2 }
+
+filter input iif $int_ifs accept
+ \*(T>
+.fi
+.SH "ADDRESS FAMILIES"
+Address families determine the type of packets which are processed. For each address
+family the kernel contains so called hooks at specific stages of the packet processing
+paths, which invoke nftables if rules for these hooks exist.
+.PP
+.TP
+\*(T<\fBip\fR\*(T>
+IPv4 address family.
+.TP
+\*(T<\fBip6\fR\*(T>
+IPv6 address family.
+.TP
+\*(T<\fBinet\fR\*(T>
+Internet (IPv4/IPv6) address family.
+.TP
+\*(T<\fBarp\fR\*(T>
+ARP address family, handling packets vi
+.TP
+\*(T<\fBbridge\fR\*(T>
+Bridge address family, handling packets which traverse a bridge device.
+.TP
+\*(T<\fBnetdev\fR\*(T>
+Netdev address family, handling packets from ingress.
+.PP
+All nftables objects exist in address family specific namespaces, therefore
+all identifiers include an address family. If an identifier is specified without
+an address family, the \*(T<ip\*(T> family is used by default.
+.SS "IPV4/IPV6/INET ADDRESS FAMILIES"
+The IPv4/IPv6/Inet address families handle IPv4, IPv6 or both types of packets. They
+contain five hooks at different packet processing stages in the network stack.
+.PP
+\fBIPv4/IPv6/Inet address family hooks\fR
+.TS
+allbox ;
+l | l.
+T{
+Hook
+T} T{
+Description
+T}
+.T&
+l | l.
+T{
+prerouting
+T} T{
+All packets entering the system are processed by the prerouting hook. It is invoked
+before the routing process and is used for early filtering or changing packet
+attributes that affect routing.
+T}
+T{
+input
+T} T{
+Packets delivered to the local system are processed by the input hook.
+T}
+T{
+forward
+T} T{
+Packets forwarded to a different host are processed by the forward hook.
+T}
+T{
+output
+T} T{
+Packets sent by local processes are processed by the output hook.
+T}
+T{
+postrouting
+T} T{
+All packets leaving the system are processed by the postrouting hook.
+T}
+.TE
+.SS "ARP ADDRESS FAMILY"
+The ARP address family handles ARP packets received and sent by the system. It is commonly used
+to mangle ARP packets for clustering.
+.PP
+\fBARP address family hooks\fR
+.TS
+allbox ;
+l | l.
+T{
+Hook
+T} T{
+Description
+T}
+.T&
+l | l
+l | l.
+T{
+input
+T} T{
+Packets delivered to the local system are processed by the input hook.
+T}
+T{
+output
+T} T{
+Packets send by the local system are processed by the output hook.
+T}
+.TE
+.SS "BRIDGE ADDRESS FAMILY"
+The bridge address family handles ethernet packets traversing bridge devices.
+.SS "NETDEV ADDRESS FAMILY"
+The Netdev address family handles packets from ingress.
+.PP
+\fBNetdev address family hooks\fR
+.TS
+allbox ;
+l | l.
+T{
+Hook
+T} T{
+Description
+T}
+.T&
+l | l.
+T{
+ingress
+T} T{
+All packets entering the system are processed by this hook. It is invoked
+before layer 3 protocol handlers and it can be used for early filtering and
+policing.
+T}
+.TE
+.SH TABLES
+'nh
+.fi
+.ad l
+{add | delete | list | flush} \fBtable\fR [\fIfamily\fR] {\fItable\fR}
+.ad b
+'hy
+.PP
+Tables are containers for chains and sets. They are identified by their address family
+and their name. The address family must be one of
+\*(T<ip\*(T>, \*(T<ip6\*(T>, \*(T<inet\*(T>, \*(T<arp\*(T>, \*(T<bridge\*(T>, \*(T<netdev\*(T>.
+The \*(T<inet\*(T> address family is a dummy family which is used to create
+hybrid IPv4/IPv6 tables.
+When no address family is specified, \*(T<ip\*(T> is used by default.
+.TP
+\*(T<\fBadd\fR\*(T>
+Add a new table for the given family with the given name.
+.TP
+\*(T<\fBdelete\fR\*(T>
+Delete the specified table.
+.TP
+\*(T<\fBlist\fR\*(T>
+List all chains and rules of the specified table.
+.TP
+\*(T<\fBflush\fR\*(T>
+Flush all chains and rules of the specified table.
+.SH CHAINS
+'nh
+.fi
+.ad l
+{add} \fBchain\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR} {\fIhook\fR} {\fIpriority\fR} {\fIpolicy\fR}
+.ad b
+'hy
+'nh
+.fi
+.ad l
+{add | create | delete | list | flush} \fBchain\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR}
+.ad b
+'hy
+'nh
+.fi
+.ad l
+{rename} \fBchain\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR} {\fInewname\fR}
+.ad b
+'hy
+.PP
+Chains are containers for rules. They exist in two kinds,
+base chains and regular chains. A base chain is an entry point for
+packets from the networking stack, a regular chain may be used
+as jump target and is used for better rule organization.
+.TP
+\*(T<\fBadd\fR\*(T>
+Add a new chain in the specified table. When a hook and priority
+value are specified, the chain is created as a base chain and hooked
+up to the networking stack.
+.TP
+\*(T<\fBcreate\fR\*(T>
+Simlar to the \fBadd\fR command, but returns an error if the
+chain already exists.
+.TP
+\*(T<\fBdelete\fR\*(T>
+Delete the specified chain. The chain must not contain any rules or be
+used as jump target.
+.TP
+\*(T<\fBrename\fR\*(T>
+Rename the specified chain.
+.TP
+\*(T<\fBlist\fR\*(T>
+List all rules of the specified chain.
+.TP
+\*(T<\fBflush\fR\*(T>
+Flush all rules of the specified chain.
+.SH RULES
+'nh
+.fi
+.ad l
+[add | insert] \fBrule\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR} [position \fIposition\fR] {\fIstatement\fR}\&...
+.ad b
+'hy
+'nh
+.fi
+.ad l
+{delete} \fBrule\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR} {handle \fIhandle\fR}
+.ad b
+'hy
+.PP
+Rules are constructed from two kinds of components according to a set
+of grammatical rules: expressions and statements.
+.TP
+\*(T<\fBadd\fR\*(T>
+Add a new rule described by the list of statements. The rule is appended to the
+given chain unless a position is specified, in which case the rule is appended to
+the rule given by the position.
+.TP
+\*(T<\fBinsert\fR\*(T>
+Similar to the \fBadd\fR command, but the rule is prepended to the
+beginning of the chain or before the rule at the given position.
+.TP
+\*(T<\fBdelete\fR\*(T>
+Delete the specified rule.
+.SH EXPRESSIONS
+Expressions represent values, either constants like network addresses, port numbers etc. or data
+gathered from the packet during ruleset evaluation. Expressions can be combined using binary,
+logical, relational and other types of expressions to form complex or relational (match) expressions.
+They are also used as arguments to certain types of operations, like NAT, packet marking etc.
+.PP
+Each expression has a data type, which determines the size, parsing and representation of
+symbolic values and type compatibility with other expressions.
+.SS "DESCRIBE COMMAND"
+'nh
+.fi
+.ad l
+\fBdescribe\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+{\fIexpression\fR}
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+The \fBdescribe\fR command shows information about the type of an expression and
+its data type.
+.PP
+\fBThe describe command\fR
+.PP
+.nf
+\*(T<
+$ nft describe tcp flags
+payload expression, datatype tcp_flag (TCP flag) (basetype bitmask, integer), 8 bits
+
+pre\-defined symbolic constants:
+fin 0x01
+syn 0x02
+rst 0x04
+psh 0x08
+ack 0x10
+urg 0x20
+ecn 0x40
+cwr 0x80
+ \*(T>
+.fi
+.SH "DATA TYPES"
+Data types determine the size, parsing and representation of symbolic values and type compatibility
+of expressions. A number of global data types exist, in addition some expression types define further
+data types specific to the expression type. Most data types have a fixed size, some however may have
+a dynamic size, f.i. the string type.
+.PP
+Types may be derived from lower order types, f.i. the IPv4 address type is derived from the integer
+type, meaning an IPv4 address can also be specified as an integer value.
+.PP
+In certain contexts (set and map definitions) it is necessary to explicitly specify a data type.
+Each type has a name which is used for this.
+.SS "INTEGER TYPE"
+.TS
+allbox ;
+l | l | l | l.
+T{
+Name
+T} T{
+Keyword
+T} T{
+Size
+T} T{
+Base type
+T}
+.T&
+l | l | l | l.
+T{
+Integer
+T} T{
+integer
+T} T{
+variable
+T} T{
+-
+T}
+.TE
+.PP
+The integer type is used for numeric values. It may be specified as decimal, hexadecimal
+or octal number. The integer type doesn't have a fixed size, its size is determined by the
+expression for which it is used.
+.SS "BITMASK TYPE"
+.TS
+allbox ;
+l | l | l | l.
+T{
+Name
+T} T{
+Keyword
+T} T{
+Size
+T} T{
+Base type
+T}
+.T&
+l | l | l | l.
+T{
+Bitmask
+T} T{
+bitmask
+T} T{
+variable
+T} T{
+integer
+T}
+.TE
+.PP
+The bitmask type (\fBbitmask\fR) is used for bitmasks.
+.SS "STRING TYPE"
+.TS
+allbox ;
+l | l | l | l.
+T{
+Name
+T} T{
+Keyword
+T} T{
+Size
+T} T{
+Base type
+T}
+.T&
+l | l | l | l.
+T{
+String
+T} T{
+string
+T} T{
+variable
+T} T{
+-
+T}
+.TE
+.PP
+The string type is used to for character strings. A string begins with an alphabetic character
+(a-zA-Z) followed by zero or more alphanumeric characters or the characters \*(T</\*(T>,
+\*(T<\-\*(T>, \*(T<_\*(T> and \*(T<.\*(T>. In addition anything enclosed
+in double quotes (\*(T<"\*(T>) is recognized as a string.
+.PP
+\fBString specification\fR
+.PP
+.nf
+\*(T<
+# Interface name
+filter input iifname eth0
+
+# Weird interface name
+filter input iifname "(eth0)"
+ \*(T>
+.fi
+.SS "LINK LAYER ADDRESS TYPE"
+.TS
+allbox ;
+l | l | l | l.
+T{
+Name
+T} T{
+Keyword
+T} T{
+Size
+T} T{
+Base type
+T}
+.T&
+l | l | l | l.
+T{
+Link layer address
+T} T{
+lladdr
+T} T{
+variable
+T} T{
+integer
+T}
+.TE
+.PP
+The link layer address type is used for link layer addresses. Link layer addresses are specified
+as a variable amount of groups of two hexadecimal digits separated using colons (\*(T<:\*(T>).
+.PP
+\fBLink layer address specification\fR
+.PP
+.nf
+\*(T<
+# Ethernet destination MAC address
+filter input ether daddr 20:c9:d0:43:12:d9
+ \*(T>
+.fi
+.SS "IPV4 ADDRESS TYPE"
+.TS
+allbox ;
+l | l | l | l.
+T{
+Name
+T} T{
+Keyword
+T} T{
+Size
+T} T{
+Base type
+T}
+.T&
+l | l | l | l.
+T{
+IPv4 address
+T} T{
+ipv4_addr
+T} T{
+32 bit
+T} T{
+integer
+T}
+.TE
+.PP
+The IPv4 address type is used for IPv4 addresses. Addresses are specified in either dotted decimal,
+dotted hexadecimal, dotted octal, decimal, hexadecimal, octal notation or as a host name. A host name
+will be resolved using the standard system resolver.
+.PP
+\fBIPv4 address specification\fR
+.PP
+.nf
+\*(T<
+# dotted decimal notation
+filter output ip daddr 127.0.0.1
+
+# host name
+filter output ip daddr localhost
+ \*(T>
+.fi
+.SS "IPV6 ADDRESS TYPE"
+.TS
+allbox ;
+l | l | l | l.
+T{
+Name
+T} T{
+Keyword
+T} T{
+Size
+T} T{
+Base type
+T}
+.T&
+l | l | l | l.
+T{
+IPv6 address
+T} T{
+ipv6_addr
+T} T{
+128 bit
+T} T{
+integer
+T}
+.TE
+.PP
+The IPv6 address type is used for IPv6 addresses. FIXME
+.PP
+\fBIPv6 address specification\fR
+.PP
+.nf
+\*(T<
+# abbreviated loopback address
+filter output ip6 daddr ::1
+ \*(T>
+.fi
+.SH "PRIMARY EXPRESSIONS"
+The lowest order expression is a primary expression, representing either a constant or a single
+datum from a packet's payload, meta data or a stateful module.
+.SS "META EXPRESSIONS"
+'nh
+.fi
+.ad l
+\fBmeta\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+{length | nfproto | l4proto | protocol | priority}
+'in \n(.iu-\nxu
+.ad b
+'hy
+'nh
+.fi
+.ad l
+[meta] {mark | iif | iifname | iiftype | oif | oifname | oiftype | skuid | skgid | nftrace | rtclassid}
+.ad b
+'hy
+.PP
+A meta expression refers to meta data associated with a packet.
+.PP
+There are two types of meta expressions: unqualified and qualified meta expressions.
+Qualified meta expressions require the \fBmeta\fR keyword before the
+meta key, unqualified meta expressions can be specified by using the meta key directly
+or as qualified meta expressions.
+.PP
+\fBMeta expression types\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l.
+T{
+length
+T} T{
+Length of the packet in bytes
+T} T{
+integer (32 bit)
+T}
+T{
+protocol
+T} T{
+Ethertype protocol value
+T} T{
+ether_type
+T}
+T{
+priority
+T} T{
+TC packet priority
+T} T{
+integer (32 bit)
+T}
+T{
+mark
+T} T{
+Packet mark
+T} T{
+packetmark
+T}
+T{
+iif
+T} T{
+Input interface index
+T} T{
+iface_index
+T}
+T{
+iifname
+T} T{
+Input interface name
+T} T{
+string
+T}
+T{
+iiftype
+T} T{
+Input interface type
+T} T{
+iface_type
+T}
+T{
+oif
+T} T{
+Output interface index
+T} T{
+iface_index
+T}
+T{
+oifname
+T} T{
+Output interface name
+T} T{
+string
+T}
+T{
+oiftype
+T} T{
+Output interface hardware type
+T} T{
+iface_type
+T}
+T{
+skuid
+T} T{
+UID associated with originating socket
+T} T{
+uid
+T}
+T{
+skgid
+T} T{
+GID associated with originating socket
+T} T{
+gid
+T}
+T{
+rtclassid
+T} T{
+Routing realm
+T} T{
+realm
+T}
+.TE
+.PP
+\fBMeta expression specific types\fR
+.TS
+allbox ;
+l | l.
+T{
+Type
+T} T{
+Description
+T}
+.T&
+l | l.
+T{
+iface_index
+T} T{
+Interface index (32 bit number). Can be specified numerically
+or as name of an existing interface.
+T}
+T{
+ifname
+T} T{
+Interface name (16 byte string). Does not have to exist.
+T}
+T{
+iface_type
+T} T{
+Interface type (16 bit number).
+T}
+T{
+uid
+T} T{
+User ID (32 bit number). Can be specified numerically or as
+user name.
+T}
+T{
+gid
+T} T{
+Group ID (32 bit number). Can be specified numerically or as
+group name.
+T}
+T{
+realm
+T} T{
+Routing Realm (32 bit number). Can be specified numerically
+or as symbolic name defined in /etc/iproute2/rt_realms.
+T}
+.TE
+.PP
+\fBUsing meta expressions\fR
+.PP
+.nf
+\*(T<
+# qualified meta expression
+filter output meta oif eth0
+
+# unqualified meta expression
+filter output oif eth0
+ \*(T>
+.fi
+.SH "PAYLOAD EXPRESSIONS"
+Payload expressions refer to data from the packet's payload.
+.SS "ETHERNET HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBether\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fIethernet header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBEthernet header expression types\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l
+l | l | l
+l | l | l.
+T{
+daddr
+T} T{
+Destination MAC address
+T} T{
+ether_addr
+T}
+T{
+saddr
+T} T{
+Source MAC address
+T} T{
+ether_addr
+T}
+T{
+type
+T} T{
+EtherType
+T} T{
+ether_type
+T}
+.TE
+.SS "VLAN HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBvlan\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fIVLAN header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBVLAN header expression\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l.
+T{
+id
+T} T{
+VLAN ID (VID)
+T} T{
+integer (12 bit)
+T}
+T{
+cfi
+T} T{
+Canonical Format Indicator
+T} T{
+flag
+T}
+T{
+pcp
+T} T{
+Priority code point
+T} T{
+integer (3 bit)
+T}
+T{
+type
+T} T{
+EtherType
+T} T{
+ethertype
+T}
+.TE
+.SS "ARP HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBarp\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fIARP header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBARP header expression\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l.
+T{
+htype
+T} T{
+ARP hardware type
+T} T{
+FIXME
+T}
+T{
+ptype
+T} T{
+EtherType
+T} T{
+ethertype
+T}
+T{
+hlen
+T} T{
+Hardware address len
+T} T{
+integer (8 bit)
+T}
+T{
+plen
+T} T{
+Protocol address len
+T} T{
+integer (8 bit)
+T}
+T{
+op
+T} T{
+Operation
+T} T{
+FIXME
+T}
+.TE
+.SS "IPV4 HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBip\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fIIPv4 header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBIPv4 header expression\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l.
+T{
+version
+T} T{
+IP header version (4)
+T} T{
+integer (4 bit)
+T}
+T{
+hdrlength
+T} T{
+IP header length including options
+T} T{
+integer (4 bit) FIXME scaling
+T}
+T{
+tos
+T} T{
+Type Of Service
+T} T{
+FIXME
+T}
+T{
+length
+T} T{
+Total packet length
+T} T{
+integer (16 bit)
+T}
+T{
+id
+T} T{
+IP ID
+T} T{
+integer (16 bit)
+T}
+T{
+frag-off
+T} T{
+Fragment offset
+T} T{
+integer (16 bit)
+T}
+T{
+ttl
+T} T{
+Time to live
+T} T{
+integer (8 bit)
+T}
+T{
+protocol
+T} T{
+Upper layer protocol
+T} T{
+inet_proto
+T}
+T{
+checksum
+T} T{
+IP header checksum
+T} T{
+integer (16 bit)
+T}
+T{
+saddr
+T} T{
+Source address
+T} T{
+ipv4_addr
+T}
+T{
+daddr
+T} T{
+Destination address
+T} T{
+ipv4_addr
+T}
+.TE
+.SS "IPV6 HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBip6\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fIIPv6 header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBIPv6 header expression\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l.
+T{
+version
+T} T{
+IP header version (6)
+T} T{
+integer (4 bit)
+T}
+T{
+priority
+T} T{
+T} T{
+T}
+T{
+flowlabel
+T} T{
+Flow label
+T} T{
+T}
+T{
+length
+T} T{
+Payload length
+T} T{
+integer (16 bit)
+T}
+T{
+nexthdr
+T} T{
+Nexthdr protocol
+T} T{
+inet_proto
+T}
+T{
+hoplimit
+T} T{
+Hop limit
+T} T{
+integer (8 bit)
+T}
+T{
+saddr
+T} T{
+Source address
+T} T{
+ipv6_addr
+T}
+T{
+daddr
+T} T{
+Destination address
+T} T{
+ipv6_addr
+T}
+.TE
+.SS "TCP HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBtcp\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fITCP header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBTCP header expression\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l.
+T{
+sport
+T} T{
+Source port
+T} T{
+inet_service
+T}
+T{
+dport
+T} T{
+Destination port
+T} T{
+inet_service
+T}
+T{
+sequence
+T} T{
+Sequence number
+T} T{
+integer (32 bit)
+T}
+T{
+ackseq
+T} T{
+Acknowledgement number
+T} T{
+integer (32 bit)
+T}
+T{
+doff
+T} T{
+Data offset
+T} T{
+integer (4 bit) FIXME scaling
+T}
+T{
+reserved
+T} T{
+Reserved area
+T} T{
+FIXME
+T}
+T{
+flags
+T} T{
+TCP flags
+T} T{
+tcp_flags
+T}
+T{
+window
+T} T{
+Window
+T} T{
+integer (16 bit)
+T}
+T{
+checksum
+T} T{
+Checksum
+T} T{
+integer (16 bit)
+T}
+T{
+urgptr
+T} T{
+Urgent pointer
+T} T{
+integer (16 bit)
+T}
+.TE
+.SS "UDP HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBudp\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fIUDP header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBUDP header expression\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l.
+T{
+sport
+T} T{
+Source port
+T} T{
+inet_service
+T}
+T{
+dport
+T} T{
+Destination port
+T} T{
+inet_service
+T}
+T{
+length
+T} T{
+Total packet length
+T} T{
+integer (16 bit)
+T}
+T{
+checksum
+T} T{
+Checksum
+T} T{
+integer (16 bit)
+T}
+.TE
+.SS "UDP-LITE HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBudplite\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fIUDP-Lite header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBUDP-Lite header expression\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l.
+T{
+sport
+T} T{
+Source port
+T} T{
+inet_service
+T}
+T{
+dport
+T} T{
+Destination port
+T} T{
+inet_service
+T}
+T{
+cscov
+T} T{
+Checksum coverage
+T} T{
+integer (16 bit)
+T}
+T{
+checksum
+T} T{
+Checksum
+T} T{
+integer (16 bit)
+T}
+.TE
+.SS "SCTP HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBsctp\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fISCTP header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBSCTP header expression\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l.
+T{
+sport
+T} T{
+Source port
+T} T{
+inet_service
+T}
+T{
+dport
+T} T{
+Destination port
+T} T{
+inet_service
+T}
+T{
+vtag
+T} T{
+Verfication Tag
+T} T{
+integer (32 bit)
+T}
+T{
+checksum
+T} T{
+Checksum
+T} T{
+integer (32 bit)
+T}
+.TE
+.SS "DCCP HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBdccp\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fIDCCP header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBDCCP header expression\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l
+l | l | l.
+T{
+sport
+T} T{
+Source port
+T} T{
+inet_service
+T}
+T{
+dport
+T} T{
+Destination port
+T} T{
+inet_service
+T}
+.TE
+.SS "AUTHENTICATION HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBah\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fIAH header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBAH header expression\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l.
+T{
+nexthdr
+T} T{
+Next header protocol
+T} T{
+inet_service
+T}
+T{
+hdrlength
+T} T{
+AH Header length
+T} T{
+integer (8 bit)
+T}
+T{
+reserved
+T} T{
+Reserved area
+T} T{
+FIXME
+T}
+T{
+spi
+T} T{
+Security Parameter Index
+T} T{
+integer (32 bit)
+T}
+T{
+sequence
+T} T{
+Sequence number
+T} T{
+integer (32 bit)
+T}
+.TE
+.SS "ENCRYPTED SECURITY PAYLOAD HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBesp\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fIESP header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBESP header expression\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l
+l | l | l.
+T{
+spi
+T} T{
+Security Parameter Index
+T} T{
+integer (32 bit)
+T}
+T{
+sequence
+T} T{
+Sequence number
+T} T{
+integer (32 bit)
+T}
+.TE
+.SS "IPCOMP HEADER EXPRESSION"
+'nh
+.fi
+.ad l
+\fBipcomp\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+[\fIIPComp header field\fR]
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBIPComp header expression\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l
+l | l | l
+l | l | l.
+T{
+nexthdr
+T} T{
+Next header protocol
+T} T{
+inet_service
+T}
+T{
+flags
+T} T{
+Flags
+T} T{
+FIXME
+T}
+T{
+cfi
+T} T{
+Compression Parameter Index
+T} T{
+FIXME
+T}
+.TE
+.SH BLA
+.SS "IPV6 EXTENSION HEADER EXPRESSIONS"
+IPv6 extension header expressions refer to data from an IPv6 packet's extension headers.
+.SS "CONNTRACK EXPRESSIONS"
+Conntrack expressions refer to meta data of the connection tracking entry associated with a packet.
+.PP
+'nh
+.fi
+.ad l
+\fBct\fR \kx
+.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
+'in \n(.iu+\nxu
+{state | direction | status | mark | expiration | helper | l3proto | saddr | daddr | protocol | proto-src | proto-dst}
+'in \n(.iu-\nxu
+.ad b
+'hy
+.PP
+\fBConntrack expressions\fR
+.TS
+allbox ;
+l | l | l.
+T{
+Keyword
+T} T{
+Description
+T} T{
+Type
+T}
+.T&
+l | l | l.
+T{
+state
+T} T{
+State of the connection
+T} T{
+ct_state
+T}
+T{
+direction
+T} T{
+Direction of the packet relative to the connection
+T} T{
+ct_dir
+T}
+T{
+status
+T} T{
+Status of the connection
+T} T{
+ct_status
+T}
+T{
+mark
+T} T{
+Connection mark
+T} T{
+packetmark
+T}
+T{
+expiration
+T} T{
+Connection expiration time
+T} T{
+time
+T}
+T{
+helper
+T} T{
+Helper associated with the connection
+T} T{
+string
+T}
+T{
+l3proto
+T} T{
+Layer 3 protocol of the connection
+T} T{
+nf_proto FIXME
+T}
+T{
+saddr
+T} T{
+Source address of the connection for the given direction
+T} T{
+ipv4_addr/ipv6_addr
+T}
+T{
+daddr
+T} T{
+Destination address of the connection for the given direction
+T} T{
+ipv4_addr/ipv6_addr
+T}
+T{
+protocol
+T} T{
+Layer 4 protocol of the connection for the given direction
+T} T{
+inet_proto
+T}
+T{
+proto-src
+T} T{
+Layer 4 protocol source for the given direction
+T} T{
+FIXME
+T}
+T{
+proto-dst
+T} T{
+Layer 4 protocol destination for the given direction
+T} T{
+FIXME
+T}
+.TE
+.SH STATEMENTS
+Statements represent actions to be performed. They can alter control flow (return, jump
+to a different chain, accept or drop the packet) or can perform actions, such as logging,
+rejecting a packet, etc.
+.PP
+Statements exist in two kinds. Terminal statements unconditionally terminate evaluation
+of the current rule, non-terminal statements either only conditionally or never terminate
+evaluation of the current rule, in other words, they are passive from the ruleset evaluation
+perspective. There can be an arbitrary amount of non-terminal statements in a rule, but
+only a single terminal statement as the final statement.
+.SS "VERDICT STATEMENT"
+The verdict statement alters control flow in the ruleset and issues
+policy decisions for packets.
+.PP
+'nh
+.fi
+.ad l
+{accept | drop | queue | continue | return}
+.ad b
+'hy
+'nh
+.fi
+.ad l
+{jump | goto} {\fIchain\fR}
+.ad b
+'hy
+.PP
+.TP
+\*(T<\fBaccept\fR\*(T>
+Terminate ruleset evaluation and accept the packet.
+.TP
+\*(T<\fBdrop\fR\*(T>
+Terminate ruleset evaluation and drop the packet.
+.TP
+\*(T<\fBqueue\fR\*(T>
+Terminate ruleset evaluation and queue the packet to userspace.
+.TP
+\*(T<\fBcontinue\fR\*(T>
+Continue ruleset evaluation with the next rule. FIXME
+.TP
+\*(T<\fBreturn\fR\*(T>
+Return from the current chain and continue evaluation at the
+next rule in the last chain. If issued in a base chain, it is
+equivalent to \fBaccept\fR.
+.TP
+\*(T<\fBjump \fR\*(T>\fIchain\fR
+Continue evaluation at the first rule in \fIchain\fR.
+The current position in the ruleset is pushed to a call stack and evaluation
+will continue there when the new chain is entirely evaluated of a
+\fBreturn\fR verdict is issued.
+.TP
+\*(T<\fBgoto \fR\*(T>\fIchain\fR
+Similar to \fBjump\fR, but the current position is not pushed
+to the call stack, meaning that after the new chain evaluation will continue
+at the last chain instead of the one containing the goto statement.
+.PP
+\fBVerdict statements\fR
+.PP
+.nf
+\*(T<
+# process packets from eth0 and the internal network in from_lan
+# chain, drop all packets from eth0 with different source addresses.
+
+filter input iif eth0 ip saddr 192.168.0.0/24 jump from_lan
+filter input iif eth0 drop
+ \*(T>
+.fi
+.SS "LOG STATEMENT"
+.SS "REJECT STATEMENT"
+.SS "COUNTER STATEMENT"
+.SS "META STATEMENT"
+.SS "LIMIT STATEMENT"
+.SS "NAT STATEMENT"
+.SS "QUEUE STATEMENT"
+.SH "ADDITIONAL COMMANDS"
+These are some additional commands included in nft.
+.SS EXPORT
+Export your current ruleset in XML or JSON format to stdout.
+.PP
+Examples:
+
+.nf
+\*(T<
+% nft export xml
+[...]
+% nft export json
+[...]
+ \*(T>
+.fi
+.SS MONITOR
+The monitor command allows you to listen to Netlink events produced
+by the nf_tables subsystem, related to creation and deletion of objects.
+When they ocurr, nft will print to stdout the monitored events in either
+XML, JSON or native nft format.
+.PP
+To filter events related to a concrete object, use one of the keywords 'tables', 'chains', 'sets', 'rules', 'elements'.
+.PP
+To filter events related to a concrete action, use keyword 'new' or 'destroy'.
+.PP
+Hit ^C to finish the monitor operation.
+.PP
+\fBListen to all events, report in native nft format\fR
+.PP
+.nf
+\*(T<
+% nft monitor
+ \*(T>
+.fi
+.PP
+\fBListen to added tables, report in XML format\fR
+.PP
+.nf
+\*(T<
+% nft monitor new tables xml
+ \*(T>
+.fi
+.PP
+\fBListen to deleted rules, report in JSON format\fR
+.PP
+.nf
+\*(T<
+% nft monitor destroy rules json
+ \*(T>
+.fi
+.PP
+\fBListen to both new and destroyed chains, in native nft format\fR
+.PP
+.nf
+\*(T<
+% nft monitor chains
+ \*(T>
+.fi
+.SH "ERROR REPORTING"
+When an error is detected, nft shows the line(s) containing the error, the position
+of the erroneous parts in the input stream and marks up the erroneous parts using
+carrets (\*(T<^\*(T>). If the error results from the combination of two
+expressions or statements, the part imposing the constraints which are violated is
+marked using tildes (\*(T<~\*(T>).
+.PP
+For errors returned by the kernel, nft can't detect which parts of the input caused
+the error and the entire command is marked.
+.PP
+\fBError caused by single incorrect expression\fR
+.PP
+.nf
+\*(T<
+<cmdline>:1:19\-22: Error: Interface does not exist
+filter output oif eth0
+ ^^^^
+ \*(T>
+.fi
+.PP
+\fBError caused by invalid combination of two expressions\fR
+.PP
+.nf
+\*(T<
+<cmdline>:1:28\-36: Error: Right hand side of relational expression (==) must be constant
+filter output tcp dport == tcp dport
+ ~~ ^^^^^^^^^
+ \*(T>
+.fi
+.PP
+\fBError returned by the kernel\fR
+.PP
+.nf
+\*(T<
+<cmdline>:0:0\-23: Error: Could not process rule: Operation not permitted
+filter output oif wlan0
+^^^^^^^^^^^^^^^^^^^^^^^
+ \*(T>
+.fi
+.SH "EXIT STATUS"
+On success, nft exits with a status of 0. Unspecified
+errors cause it to exit with a status of 1, memory allocation
+errors with a status of 2, unable to open Netlink socket with 3.
+.SH "SEE ALSO"
+iptables(8), ip6tables(8), arptables(8), ebtables(8), ip(8), tc(8)
+.PP
+There is an official wiki at: http://wiki.nftables.org
+.SH AUTHORS
+nftables was written by Patrick McHardy.
+.SH COPYRIGHT
+Copyright 2008-2014 Patrick McHardy <\*(T<kaber@trash.net\*(T>>
+.PP
+nftables is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 2 as
+published by the Free Software Foundation.
+.PP
+This documentation is licenced under the terms of the Creative
+Commons Attribution-ShareAlike 4.0 license,
+.URL http://creativecommons.org/licenses/by-sa/4.0/ "CC BY-SA 4.0"
+\&.
diff --git a/net-firewall/nftables/nftables-0.4.1.9999.ebuild b/net-firewall/nftables/nftables-0.4.1.9999.ebuild
new file mode 100644
index 00000000..0b9ddfb9
--- /dev/null
+++ b/net-firewall/nftables/nftables-0.4.1.9999.ebuild
@@ -0,0 +1,61 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=5
+
+inherit autotools git-2 linux-info
+
+DESCRIPTION="nftables aims to replace the existing {ip,ip6,arp,eb}tables framework"
+HOMEPAGE="http://netfilter.org/projects/nftables/"
+EGIT_REPO_URI="git://git.netfilter.org/${PN}.git"
+EGIT_MASTER="next-4.1"
+
+LICENSE="GPL-2"
+SLOT="0"
+#KEYWORDS="~amd64 ~arm ~ppc ~ppc64 ~x86"
+KEYWORDS=""
+IUSE="debug +doc pdf +readline"
+
+RDEPEND=">=net-libs/libmnl-1.0.3
+ >=net-libs/libnftnl-1.0.2
+ dev-libs/gmp
+ readline? ( sys-libs/readline )"
+DEPEND="${RDEPEND}
+ doc? ( >=app-text/docbook2X-0.8.8-r4 )
+ pdf? ( app-text/dblatex app-text/docbook-sgml-utils[tetex] )
+ sys-devel/bison
+ sys-devel/flex"
+
+pkg_setup() {
+ if kernel_is ge 3 13; then
+ CONFIG_CHECK="~NF_TABLES"
+ linux-info_pkg_setup
+ else
+ eerror "This package requires kernel version 3.13 or newer to work properly."
+ fi
+}
+
+src_prepare() {
+ epatch_user
+ eautoreconf
+}
+
+src_configure() {
+ econf \
+ --sbindir="${EPREFIX}"/sbin \
+ $(use_enable debug) \
+ $(use_with readline cli)
+}
+
+src_install() {
+ default
+
+ prune_libtool_files --all
+
+ if ! use doc; then
+ newman "${FILESDIR}"/"${PN}"-0.4.1-nftables.8 nft.8
+ fi
+ newconfd "${FILESDIR}"/${PN}.confd ${PN}
+ newinitd "${FILESDIR}"/${PN}.init ${PN}
+ keepdir /var/lib/nftables
+}
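Review bot: `EGIT_REPO_URI="git://git.netfilter.org/${PN}.git"` pulls the source of a root-run firewall tool over the unauthenticated git:// transport, and because this is a live ebuild there is no Manifest digest or pinned commit to catch a tampered checkout — whatever is served at the tip of `next-4.1` is built and installed into /sbin. If upstream's cgit offers an HTTPS clone URL, prefer `EGIT_REPO_URI="https://git.netfilter.org/${PN}"` so the transport is at least server-authenticated; otherwise document the gap with `# NOTE: live branch fetched without integrity verification`. Separately, `pkg_setup` only prints `eerror` when the running kernel is older than 3.13 and then carries on, so the merge succeeds on a host where nft cannot work; if that is deliberate (binary packages, chroots), say so: `# warn only: build hosts/chroots may run an older kernel than the target`.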
diff --git a/net-firewall/nftables/nftables-0.4.2.9999.ebuild b/net-firewall/nftables/nftables-0.4.2.9999.ebuild
new file mode 100644
index 00000000..d529df76
--- /dev/null
+++ b/net-firewall/nftables/nftables-0.4.2.9999.ebuild
@@ -0,0 +1,65 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=5
+
+inherit autotools git-2 linux-info
+
+DESCRIPTION="nftables aims to replace the existing {ip,ip6,arp,eb}tables framework"
+HOMEPAGE="http://netfilter.org/projects/nftables/"
+EGIT_REPO_URI="git://git.netfilter.org/${PN}.git"
+EGIT_MASTER="next-4.2"
+
+LICENSE="GPL-2"
+SLOT="0"
+#KEYWORDS="~amd64 ~arm ~ppc ~ppc64 ~x86"
+KEYWORDS=""
+IUSE="+debug +doc pdf +readline"
+
+RDEPEND=">=net-libs/libmnl-1.0.3
+ >=net-libs/libnftnl-1.0.2
+ dev-libs/gmp
+ readline? ( sys-libs/readline )"
+DEPEND="${RDEPEND}
+ doc? ( >=app-text/docbook2X-0.8.8-r4 )
+ pdf? ( app-text/dblatex app-text/docbook-sgml-utils[tetex] )
+ sys-devel/bison
+ sys-devel/flex"
+
+pkg_setup() {
+ if kernel_is ge 3 13; then
+ CONFIG_CHECK="~NF_TABLES"
+ linux-info_pkg_setup
+ else
+ eerror "This package requires kernel version 3.13 or newer to work properly."
+ fi
+}
+
+src_prepare() {
+ epatch_user
+ eautoreconf
+}
+
+src_configure() {
+ econf \
+ --sbindir="${EPREFIX}"/sbin \
+ $(use_enable debug) \
+ $(use_with readline cli)
+}
+
+src_compile() {
+ emake CFLAGS="${CFLAGS} -DDEBUG"
+}
+
+src_install() {
+ default
+
+ prune_libtool_files --all
+
+ if ! use doc; then
+ newman "${FILESDIR}"/"${PN}"-0.4.2-nftables.8 nft.8
+ fi
+ newconfd "${FILESDIR}"/${PN}.confd ${PN}
+ newinitd "${FILESDIR}"/${PN}.init ${PN}
+ keepdir /var/lib/nftables
+}
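Review bot: `src_compile()` passes `CFLAGS="${CFLAGS} -DDEBUG"` on the emake command line unconditionally, so the debug-only code paths are compiled into the installed `nft` even for `USE=-debug`, and the `$(use_enable debug)` handed to configure just above it no longer controls that define. A make command-line assignment also replaces, rather than appends to, the `CFLAGS` value configure wrote into the Makefile, so any flags configure added there are presumably dropped. Gate the define on the flag and let configure carry it: inherit `flag-o-matic`, add `use debug && append-cppflags -DDEBUG` at the top of `src_configure()`, and remove `src_compile()` entirely. The `+debug` default in `IUSE` is also worth reconsidering for a firewall management binary — debug builds are normally opt-in.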
diff --git a/net-firewall/nftables/nftables-0.4.ebuild b/net-firewall/nftables/nftables-0.4.ebuild
new file mode 100644
index 00000000..46f4c182
--- /dev/null
+++ b/net-firewall/nftables/nftables-0.4.ebuild
@@ -0,0 +1,58 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/nftables/nftables-0.4.ebuild,v 1.3 2014/12/20 14:51:14 mrueg Exp $
+
+EAPI=5
+
+inherit autotools linux-info
+
+DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools"
+HOMEPAGE="http://netfilter.org/projects/nftables/"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~x86"
+IUSE="debug +doc pdf +readline"
+SRC_URI="http://netfilter.org/projects/${PN}/files/${P}.tar.bz2"
+
+RDEPEND="net-libs/libmnl
+ >=net-libs/libnftnl-1.0.2
+ dev-libs/gmp
+ readline? ( sys-libs/readline )"
+DEPEND="${RDEPEND}
+ doc? ( >=app-text/docbook2X-0.8.8-r4 )
+ pdf? ( app-text/dblatex app-text/docbook-sgml-utils[tetex] )
+ sys-devel/bison
+ sys-devel/flex"
+
+pkg_setup() {
+ if kernel_is ge 3 13; then
+ CONFIG_CHECK="~NF_TABLES"
+ linux-info_pkg_setup
+ else
+ eerror "This package requires kernel version 3.13 or newer to work properly."
+ fi
+}
+
+src_prepare() {
+ epatch_user
+ eautoreconf
+}
+
+src_configure() {
+ econf \
+ --sbindir="${EPREFIX}"/sbin \
+ $(use_enable debug) \
+ $(use_with readline cli)
+}
+
+src_install() {
+ default
+
+ if ! use doc; then
+ newman "${FILESDIR}"/"${P}"-nftables.8 nft.8
+ fi
+ newconfd "${FILESDIR}"/${PN}.confd ${PN}
+ newinitd "${FILESDIR}"/${PN}.init ${PN}
+ keepdir /var/lib/nftables
+}
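Review bot: `SRC_URI` fetches the release tarball over plain `http://`, so the download's integrity rests entirely on the DIST digest in the Manifest, and this chunk shows no DIST line for `nftables-0.4.tar.bz2` — confirm the Manifest was regenerated, since without it Portage refuses the fetch and a stale entry fails the digest check. Use `SRC_URI="https://netfilter.org/projects/${PN}/files/${P}.tar.bz2"` if the mirror serves TLS; if upstream publishes a detached signature for the release, this ebuild does not check it either, so a one-line `# integrity: Manifest DIST digest only, upstream signature not verified` comment would make the provenance model explicit. Unlike the live ebuilds in this commit, `src_install()` here omits `prune_libtool_files --all`, so `.la` files may be installed; add it after `default` for consistency.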
diff --git a/net-firewall/nftables/nftables-9999.ebuild b/net-firewall/nftables/nftables-9999.ebuild
index aa563dd2..46236b4f 100644
--- a/net-firewall/nftables/nftables-9999.ebuild
+++ b/net-firewall/nftables/nftables-9999.ebuild
@@ -1,11 +1,12 @@
-# Copyright 1999-2013 Gentoo Foundation
+# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-EAPI=4
-inherit autotools git-2
+EAPI=5
+
+inherit autotools git-2 linux-info
DESCRIPTION="nftables aims to replace the existing {ip,ip6,arp,eb}tables framework"
-HOMEPAGE="http://www.netfilter.org/projects/nftables/"
+HOMEPAGE="http://netfilter.org/projects/nftables/"
EGIT_REPO_URI="git://git.netfilter.org/${PN}.git"
EGIT_MASTER="master"
@@ -13,29 +14,49 @@ LICENSE="GPL-2"
SLOT="0"
#KEYWORDS="~amd64 ~arm ~ppc ~ppc64 ~x86"
KEYWORDS=""
-IUSE="man pdf"
+IUSE="+debug +doc pdf +readline"
-RDEPEND="
+RDEPEND=">=net-libs/libmnl-1.0.3
+ >=net-libs/libnftnl-1.0.2
dev-libs/gmp
- net-libs/libmnl
- net-libs/libnftnl
- sys-libs/readline"
+ readline? ( sys-libs/readline )"
DEPEND="${RDEPEND}
+ doc? ( >=app-text/docbook2X-0.8.8-r4 )
+ pdf? ( app-text/dblatex app-text/docbook-sgml-utils[tetex] )
sys-devel/bison
- sys-devel/flex
- man? ( app-text/docbook2X )
- pdf? ( app-text/docbook-sgml-utils[tetex] )"
+ sys-devel/flex"
+
+pkg_setup() {
+ if kernel_is ge 3 13; then
+ CONFIG_CHECK="~NF_TABLES"
+ linux-info_pkg_setup
+ else
+ eerror "This package requires kernel version 3.13 or newer to work properly."
+ fi
+}
src_prepare() {
+ epatch_user
eautoreconf
}
src_configure() {
- econf --disable-debug
+ econf \
+ --sbindir="${EPREFIX}"/sbin \
+ $(use_enable debug) \
+ $(use_with readline cli)
+}
+
+src_compile() {
+ emake CFLAGS="${CFLAGS} -DDEBUG"
}
src_install() {
default
prune_libtool_files --all
+
+ newconfd "${FILESDIR}"/${PN}.confd ${PN}
+ newinitd "${FILESDIR}"/${PN}.init ${PN}
+ keepdir /var/lib/nftables
}
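Review bot: The new `src_compile()` forces `-DDEBUG` into every build and `IUSE` now defaults `debug` on, so the master-branch `nft` is installed with its debug-only code compiled in regardless of what the user asked for, whereas the replaced `econf --disable-debug` had the safer opt-in default. Passing `CFLAGS=` on the make command line also overrides whatever configure stored in the Makefile instead of appending to it. Prefer `IUSE="debug +doc pdf +readline"` plus `use debug && append-cppflags -DDEBUG` in `src_configure()` (with `flag-o-matic` inherited) and drop `src_compile()`. The added `newconfd`/`newinitd` lines reference `${FILESDIR}/nftables.confd` and `.init`, which are not among the files this commit adds — if they are not already present in `files/`, the install phase dies — and `keepdir /var/lib/nftables` creates a world-readable directory for saved rulesets, so consider `fperms 0700 /var/lib/nftables` if the init script stores the live ruleset there.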