1
Index: b/iptables/extensions/libip6t_HL.man
2
===================================================================
3
--- a/iptables/extensions/libip6t_HL.man 2007-01-23 07:50:00.000000000 -0500
4
+++ b/iptables/extensions/libip6t_HL.man 2008-02-18 09:57:13.607710823 -0500
7
.B Don't ever set or increment the value on packets that leave your local network!
9
-.BI "--hl-set " "value"
10
+.BI "\-\-hl-set " "value"
11
Set the Hop Limit to `value'.
13
-.BI "--hl-dec " "value"
14
+.BI "\-\-hl-dec " "value"
15
Decrement the Hop Limit `value' times.
17
-.BI "--hl-inc " "value"
18
+.BI "\-\-hl-inc " "value"
19
Increment the Hop Limit `value' times.
20
Index: b/iptables/extensions/libip6t_LOG.man
21
===================================================================
22
--- a/iptables/extensions/libip6t_LOG.man 2007-01-23 07:50:00.000000000 -0500
23
+++ b/iptables/extensions/libip6t_LOG.man 2008-02-18 09:57:13.607710823 -0500
25
separate rules with the same matching criteria, first using target LOG
26
then DROP (or REJECT).
28
-.BI "--log-level " "level"
29
+.BI "\-\-log-level " "level"
30
Level of logging (numeric or see \fIsyslog.conf\fP(5)).
32
-.BI "--log-prefix " "prefix"
33
+.BI "\-\-log-prefix " "prefix"
34
Prefix log messages with the specified prefix; up to 29 letters long,
35
and useful for distinguishing messages in the logs.
37
-.B --log-tcp-sequence
38
+.B \-\-log-tcp-sequence
39
Log TCP sequence numbers. This is a security risk if the log is
43
+.B \-\-log-tcp-options
44
Log options from the TCP packet header.
47
+.B \-\-log-ip-options
48
Log options from the IPv6 packet header.
52
Log the userid of the process which generated the packet.
53
Index: b/iptables/extensions/libip6t_MARK.man
54
===================================================================
55
--- a/iptables/extensions/libip6t_MARK.man 2007-01-23 07:50:00.000000000 -0500
56
+++ b/iptables/extensions/libip6t_MARK.man 2008-02-18 09:57:13.607710823 -0500
61
-.BI "--set-mark " "mark"
62
+.BI "\-\-set-mark " "mark"
63
Index: b/iptables/extensions/libip6t_REJECT.man
64
===================================================================
65
--- a/iptables/extensions/libip6t_REJECT.man 2007-01-23 07:50:00.000000000 -0500
66
+++ b/iptables/extensions/libip6t_REJECT.man 2008-02-18 09:57:13.607710823 -0500
68
chains. The following option controls the nature of the error packet
71
-.BI "--reject-with " "type"
72
+.BI "\-\-reject-with " "type"
76
Index: b/iptables/extensions/libip6t_TCPMSS.man
77
===================================================================
78
--- a/iptables/extensions/libip6t_TCPMSS.man 2007-01-23 07:50:00.000000000 -0500
79
+++ b/iptables/extensions/libip6t_TCPMSS.man 2008-02-18 09:57:13.619709852 -0500
81
the maximum size for that connection (usually limiting it to your
82
outgoing interface's MTU minus 60). Of course, it can only be used
86
It is only valid in the
90
Workaround: activate this option and add a rule to your firewall
93
- ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \\
94
- -j TCPMSS --clamp-mss-to-pmtu
95
+ ip6tables \-t mangle \-A FORWARD \-p tcp \-\-tcp-flags SYN,RST SYN \\
96
+ \-j TCPMSS \-\-clamp-mss-to-pmtu
99
-.BI "--set-mss " "value"
100
+.BI "\-\-set-mss " "value"
101
Explicitly set MSS option to specified value.
103
-.B "--clamp-mss-to-pmtu"
104
-Automatically clamp MSS value to (path_MTU - 60).
105
+.B "\-\-clamp-mss-to-pmtu"
106
+Automatically clamp MSS value to (path_MTU \- 60).
108
These options are mutually exclusive.
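Review bot: In the example rule and in the option heading of this file, only the leading dashes are escaped; the hyphens inside \-\-tcp-flags and \-\-clamp-mss-to-pmtu are still plain "-", which groff can typeset as a typographic hyphen on UTF-8 output, so a rule copied from the rendered page may still be rejected. Either escape the inner hyphens as well (\-\-clamp\-mss\-to\-pmtu) or state explicitly that only option-leading dashes are in scope for this change.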
110
Index: b/iptables/extensions/libip6t_ah.man
111
===================================================================
112
--- a/iptables/extensions/libip6t_ah.man 2007-01-23 07:50:00.000000000 -0500
113
+++ b/iptables/extensions/libip6t_ah.man 2008-02-18 09:57:13.619709852 -0500
115
This module matches the parameters in Authentication header of IPsec packets.
117
-.BR "--ahspi " "[!] \fIspi\fP[:\fIspi\fP]"
118
+.BR "\-\-ahspi " "[!] \fIspi\fP[:\fIspi\fP]"
121
-.BR "--ahlen " "[!] \fIlength"
122
+.BR "\-\-ahlen " "[!] \fIlength"
123
Total length of this header in octets.
127
Matches if the reserved field is filled with zero.
128
Index: b/iptables/extensions/libip6t_condition.man
129
===================================================================
130
--- a/iptables/extensions/libip6t_condition.man 2007-01-23 07:50:00.000000000 -0500
131
+++ b/iptables/extensions/libip6t_condition.man 2008-02-18 09:57:13.619709852 -0500
133
This matches if a specific /proc filename is '0' or '1'.
135
-.BR "--condition " "[!] \fIfilename"
136
+.BR "\-\-condition " "[!] \fIfilename"
137
Match on boolean value stored in /proc/net/ip6t_condition/filename file
138
Index: b/iptables/extensions/libip6t_connlimit.man
139
===================================================================
140
--- a/iptables/extensions/libip6t_connlimit.man 2007-08-06 04:51:05.000000000 -0400
141
+++ b/iptables/extensions/libip6t_connlimit.man 2008-02-18 09:57:13.619709852 -0500
143
Allows you to restrict the number of parallel connections to a server per
144
client IP address (or client address block).
146
-[\fB!\fR] \fB--connlimit-above \fIn\fR
147
+[\fB!\fR] \fB\-\-connlimit-above \fIn\fR
148
Match if the number of existing connections is (not) above \fIn\fR.
150
-\fB--connlimit-mask\fR \fIprefix_length\fR
151
+\fB\-\-connlimit-mask\fR \fIprefix_length\fR
152
Group hosts using the prefix length. For IPv4, this must be a number between
153
(including) 0 and 32. For IPv6, between 0 and 128.
157
# allow 2 telnet connections per client host
158
-ip6tables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
159
+ip6tables \-A INPUT \-p tcp \-\-syn \-\-dport 23 \-m connlimit \-\-connlimit-above 2 \-j REJECT
161
# you can also match the other way around:
162
-ip6tables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
163
+ip6tables \-A INPUT \-p tcp \-\-syn \-\-dport 23 \-m connlimit ! \-\-connlimit-above 2 \-j ACCEPT
165
# limit the number of parallel HTTP requests to 16 per class C sized \
166
network (24 bit netmask)
167
-ip6tables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16
168
---connlimit-mask 24 -j REJECT
169
+ip6tables \-p tcp \-\-syn \-\-dport 80 \-m connlimit \-\-connlimit-above 16
170
+-\-connlimit-mask 24 \-j REJECT
172
# limit the number of parallel HTTP requests to 16 for the link local network \
174
-ip6tables -p tcp --syn --dport 80 -s fe80::/64 -m connlimit --connlimit-above
175
-16 --connlimit-mask 64 -j REJECT
176
+ip6tables \-p tcp \-\-syn \-\-dport 80 \-s fe80::/64 \-m connlimit \-\-connlimit-above
177
+16 \-\-connlimit-mask 64 \-j REJECT
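Review bot: The continuation line "-\-connlimit-mask 24 \-j REJECT" escapes only its second dash, while every other option in this file, including "\-\-connlimit-mask 64" in the link-local example, is written with both escaped; make it \-\-connlimit-mask. While these two HTTP examples are being touched, note that each command is split across two lines with no trailing backslash and carries no "\-A chain", so neither can be pasted as shown; joining the lines and adding the chain would make them usable.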
178
Index: b/iptables/extensions/libip6t_dst.man
179
===================================================================
180
--- a/iptables/extensions/libip6t_dst.man 2007-01-23 07:50:00.000000000 -0500
181
+++ b/iptables/extensions/libip6t_dst.man 2008-02-18 09:57:13.623710190 -0500
183
This module matches the parameters in Destination Options header
185
-.BR "--dst-len " "[!] \fIlength"
186
+.BR "\-\-dst-len " "[!] \fIlength"
187
Total length of this header in octets.
189
-.BR "--dst-opts " "\fItype\fP[:\fIlength\fP][,\fItype\fP[:\fIlength\fP]...]"
190
+.BR "\-\-dst-opts " "\fItype\fP[:\fIlength\fP][,\fItype\fP[:\fIlength\fP]...]"
191
numeric type of option and the length of the option data in octets.
192
Index: b/iptables/extensions/libip6t_frag.man
193
===================================================================
194
--- a/iptables/extensions/libip6t_frag.man 2008-02-18 09:57:13.599710947 -0500
195
+++ b/iptables/extensions/libip6t_frag.man 2008-02-18 09:57:13.623710190 -0500
197
This module matches the parameters in Fragment header.
199
-.BR "--fragid " "[!] \fIid\fP[:\fIid\fP]"
200
+.BR "\-\-fragid " "[!] \fIid\fP[:\fIid\fP]"
201
Matches the given Identification or range of it.
203
-.BR "--fraglen " "[!] \fIlength\fP"
204
+.BR "\-\-fraglen " "[!] \fIlength\fP"
205
This option cannot be used with kernel version 2.6.10 or later. The length of
206
Fragment header is static and this option doesn't make sense.
210
Matches if the reserved fields are filled with zero.
213
+.BR "\-\-fragfirst "
214
Matches on the first fragment.
217
+.BR "[\-\-fragmore]"
218
Matches if there are more fragments.
221
+.BR "[\-\-fraglast]"
222
Matches if this is the last fragment.
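Review bot: The added lines for fragmore and fraglast keep square brackets inside the bold text ([\-\-fragmore], [\-\-fraglast]), while the fragfirst line has none and carries a trailing space inside the quotes. Since all three lines are rewritten here anyway, use one form for them (bare \-\-fragfirst, \-\-fragmore, \-\-fraglast) so the brackets are not read as part of the option name.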
223
Index: b/iptables/extensions/libip6t_hbh.man
224
===================================================================
225
--- a/iptables/extensions/libip6t_hbh.man 2007-01-23 07:50:00.000000000 -0500
226
+++ b/iptables/extensions/libip6t_hbh.man 2008-02-18 09:57:13.623710190 -0500
228
This module matches the parameters in Hop-by-Hop Options header
230
-.BR "--hbh-len " "[!] \fIlength\fP"
231
+.BR "\-\-hbh-len " "[!] \fIlength\fP"
232
Total length of this header in octets.
234
-.BR "--hbh-opts " "\fItype\fP[:\fIlength\fP][,\fItype\fP[:\fIlength\fP]...]"
235
+.BR "\-\-hbh-opts " "\fItype\fP[:\fIlength\fP][,\fItype\fP[:\fIlength\fP]...]"
236
numeric type of option and the length of the option data in octets.
237
Index: b/iptables/extensions/libip6t_hl.man
238
===================================================================
239
--- a/iptables/extensions/libip6t_hl.man 2007-01-23 07:50:00.000000000 -0500
240
+++ b/iptables/extensions/libip6t_hl.man 2008-02-18 09:57:13.623710190 -0500
242
This module matches the Hop Limit field in the IPv6 header.
244
-.BR "--hl-eq " "[!] \fIvalue\fP"
245
+.BR "\-\-hl-eq " "[!] \fIvalue\fP"
246
Matches if Hop Limit equals \fIvalue\fP.
248
-.BI "--hl-lt " "value"
249
+.BI "\-\-hl-lt " "value"
250
Matches if Hop Limit is less than \fIvalue\fP.
252
-.BI "--hl-gt " "value"
253
+.BI "\-\-hl-gt " "value"
254
Matches if Hop Limit is greater than \fIvalue\fP.
255
Index: b/iptables/extensions/libip6t_icmp6.man
256
===================================================================
257
--- a/iptables/extensions/libip6t_icmp6.man 2007-03-21 20:04:36.000000000 -0400
258
+++ b/iptables/extensions/libip6t_icmp6.man 2008-02-18 09:57:13.623710190 -0500
260
-This extension can be used if `--protocol ipv6-icmp' or `--protocol icmpv6' is
261
+This extension can be used if `-\-protocol ipv6-icmp' or `-\-protocol icmpv6' is
262
specified. It provides the following option:
264
-.BR "--icmpv6-type " "[!] \fItype\fP[/\fIcode\fP]|\fItypename\fP"
265
+.BR "\-\-icmpv6-type " "[!] \fItype\fP[/\fIcode\fP]|\fItypename\fP"
266
This allows specification of the ICMPv6 type, which can be a numeric
271
or one of the ICMPv6 type names shown by the command
273
- ip6tables -p ipv6-icmp -h
274
+ ip6tables \-p ipv6-icmp \-h
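Review bot: In the opening sentence the options are written `-\-protocol ipv6-icmp' and `-\-protocol icmpv6', with only the second dash escaped, whereas the option heading in the same file uses \-\-icmpv6-type. The first dash is still a plain hyphen, so the rendered text can differ from what ip6tables accepts; use \-\-protocol here, and in the identical sentence in libip6t_mh.man.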
276
Index: b/iptables/extensions/libip6t_ipv6header.man
277
===================================================================
278
--- a/iptables/extensions/libip6t_ipv6header.man 2007-01-23 07:50:00.000000000 -0500
279
+++ b/iptables/extensions/libip6t_ipv6header.man 2008-02-18 09:57:13.623710190 -0500
281
This module matches IPv6 extension headers and/or upper layer header.
283
-.BR "--header " "[!] \fIheader\fP[,\fIheader\fP...]"
284
+.BR "\-\-header " "[!] \fIheader\fP[,\fIheader\fP...]"
285
Matches the packet which EXACTLY includes all specified headers. The headers
286
encapsulated with ESP header are out of scope.
289
which matches any upper layer protocol header. A protocol name from /etc/protocols and numeric value also allowed. The number 255 is equivalent to
294
Matches if the packet includes all specified headers with
298
Index: b/iptables/extensions/libip6t_length.man
299
===================================================================
300
--- a/iptables/extensions/libip6t_length.man 2007-01-23 07:50:00.000000000 -0500
301
+++ b/iptables/extensions/libip6t_length.man 2008-02-18 09:57:13.623710190 -0500
303
This module matches the length of the IPv6 payload in octets, or range of it.
304
IPv6 header itself isn't counted.
306
-.BR "--length " "[!] \fIlength\fP[:\fIlength\fP]"
307
+.BR "\-\-length " "[!] \fIlength\fP[:\fIlength\fP]"
308
Index: b/iptables/extensions/libip6t_mh.man
309
===================================================================
310
--- a/iptables/extensions/libip6t_mh.man 2007-03-21 20:04:36.000000000 -0400
311
+++ b/iptables/extensions/libip6t_mh.man 2008-02-18 09:57:13.623710190 -0500
313
-This extension is loaded if `--protocol ipv6-mh' or `--protocol mh' is
314
+This extension is loaded if `-\-protocol ipv6-mh' or `-\-protocol mh' is
315
specified. It provides the following option:
317
-.BR "--mh-type " "[!] \fItype\fP[:\fItype\fP]"
318
+.BR "\-\-mh-type " "[!] \fItype\fP[:\fItype\fP]"
319
This allows specification of the Mobility Header(MH) type, which can be
323
or one of the MH type names shown by the command
325
- ip6tables -p ipv6-mh -h
326
+ ip6tables \-p ipv6-mh \-h
328
Index: b/iptables/extensions/libip6t_multiport.man
329
===================================================================
330
--- a/iptables/extensions/libip6t_multiport.man 2007-01-23 07:50:00.000000000 -0500
331
+++ b/iptables/extensions/libip6t_multiport.man 2008-02-18 09:57:13.623710190 -0500
333
This module matches a set of source or destination ports. Up to 15
334
ports can be specified. It can only be used in conjunction
342
-.BR "--source-ports " "\fI[!] port\fP[,\fIport\fP[,\fIport\fP...]]"
343
+.BR "\-\-source-ports " "\fI[!] port\fP[,\fIport\fP[,\fIport\fP...]]"
344
Match if the source port is one of the given ports. The flag
347
is a convenient alias for this option.
349
-.BR "--destination-ports " "\fI[!] port\fP[,\fIport\fP[,\fIport\fP...]]"
350
+.BR "\-\-destination-ports " "\fI[!] port\fP[,\fIport\fP[,\fIport\fP...]]"
351
Match if the destination port is one of the given ports. The flag
354
is a convenient alias for this option.
356
-.BR "--ports " "\fI[!] port\fP[,\fIport\fP[,\fIport\fP...]]"
357
+.BR "\-\-ports " "\fI[!] port\fP[,\fIport\fP[,\fIport\fP...]]"
358
Match if the both the source and destination ports are equal to each
359
other and to one of the given ports.
360
Index: b/iptables/extensions/libip6t_owner.man
361
===================================================================
362
--- a/iptables/extensions/libip6t_owner.man 2007-01-23 07:50:00.000000000 -0500
363
+++ b/iptables/extensions/libip6t_owner.man 2008-02-18 09:57:13.623710190 -0500
365
chain, and even this some packets (such as ICMPv6 ping responses) may
366
have no owner, and hence never match. This is regarded as experimental.
368
-.BI "--uid-owner " "userid"
369
+.BI "\-\-uid-owner " "userid"
370
Matches if the packet was created by a process with the given
373
-.BI "--gid-owner " "groupid"
374
+.BI "\-\-gid-owner " "groupid"
375
Matches if the packet was created by a process with the given
378
-.BI "--pid-owner " "processid"
379
+.BI "\-\-pid-owner " "processid"
380
Matches if the packet was created by a process with the given
383
-.BI "--sid-owner " "sessionid"
384
+.BI "\-\-sid-owner " "sessionid"
385
Matches if the packet was created by a process in the given session
388
Index: b/iptables/extensions/libip6t_policy.man
389
===================================================================
390
--- a/iptables/extensions/libip6t_policy.man 2007-01-23 07:50:00.000000000 -0500
391
+++ b/iptables/extensions/libip6t_policy.man 2008-02-18 09:57:13.623710190 -0500
393
This modules matches the policy used by IPsec for handling a packet.
395
-.BI "--dir " "in|out"
396
+.BI "\-\-dir " "in|out"
397
Used to select whether to match the policy used for decapsulation or the
398
policy that will be used for encapsulation.
401
.B POSTROUTING, OUTPUT and FORWARD
404
-.BI "--pol " "none|ipsec"
405
+.BI "\-\-pol " "none|ipsec"
406
Matches if the packet is subject to IPsec processing.
410
Selects whether to match the exact policy or match if any rule of
411
the policy matches the given policy.
414
+.BI "\-\-reqid " "id"
415
Matches the reqid of the policy rule. The reqid can be specified with
422
+.BI "\-\-spi " "spi"
423
Matches the SPI of the SA.
425
-.BI "--proto " "ah|esp|ipcomp"
426
+.BI "\-\-proto " "ah|esp|ipcomp"
427
Matches the encapsulation protocol.
429
-.BI "--mode " "tunnel|transport"
430
+.BI "\-\-mode " "tunnel|transport"
431
Matches the encapsulation mode.
433
-.BI "--tunnel-src " "addr[/mask]"
434
+.BI "\-\-tunnel-src " "addr[/mask]"
435
Matches the source end-point address of a tunnel mode SA.
436
-Only valid with --mode tunnel.
437
+Only valid with \-\-mode tunnel.
439
-.BI "--tunnel-dst " "addr[/mask]"
440
+.BI "\-\-tunnel-dst " "addr[/mask]"
441
Matches the destination end-point address of a tunnel mode SA.
442
-Only valid with --mode tunnel.
443
+Only valid with \-\-mode tunnel.
447
Start the next element in the policy specification. Can only be used with
450
Index: b/iptables/extensions/libip6t_rt.man
451
===================================================================
452
--- a/iptables/extensions/libip6t_rt.man 2007-01-23 07:50:00.000000000 -0500
453
+++ b/iptables/extensions/libip6t_rt.man 2008-02-18 09:57:13.623710190 -0500
455
Match on IPv6 routing header
457
-.BR "--rt-type" " [!] \fItype\fP"
458
+.BR "\-\-rt-type" " [!] \fItype\fP"
459
Match the type (numeric).
461
-.BR "--rt-segsleft" " [!] \fInum\fP[:\fInum\fP]"
462
+.BR "\-\-rt-segsleft" " [!] \fInum\fP[:\fInum\fP]"
463
Match the `segments left' field (range).
465
-.BR "--rt-len" " [!] \fIlength\fP"
466
+.BR "\-\-rt-len" " [!] \fIlength\fP"
467
Match the length of this header.
471
Match the reserved field, too (type=0)
473
-.BR "--rt-0-addrs" " \fIADDR\fP[,\fIADDR\fP...]"
474
+.BR "\-\-rt-0-addrs" " \fIADDR\fP[,\fIADDR\fP...]"
475
Match type=0 addresses (list).
477
-.BR "--rt-0-not-strict"
478
+.BR "\-\-rt-0-not-strict"
479
List of type=0 addresses is not a strict list.
480
Index: b/iptables/extensions/libip6t_tcp.man
481
===================================================================
482
--- a/iptables/extensions/libip6t_tcp.man 2007-08-06 04:51:05.000000000 -0400
483
+++ b/iptables/extensions/libip6t_tcp.man 2008-02-18 09:57:13.643709762 -0500
485
-These extensions can be used if `--protocol tcp' is specified. It
486
+These extensions can be used if `-\-protocol tcp' is specified. It
487
provides the following options:
489
-.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
490
+.BR "\-\-source-port " "[!] \fIport\fP[:\fIport\fP]"
491
Source port or port range specification. This can either be a service
492
name or a port number. An inclusive range can also be specified,
496
If the second port greater then the first they will be swapped.
500
is a convenient alias for this option.
502
-.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
503
+.BR "\-\-destination-port " "[!] \fIport\fP[:\fIport\fP]"
504
Destination port or port range specification. The flag
507
is a convenient alias for this option.
509
-.BR "--tcp-flags " "[!] \fImask\fP \fIcomp\fP"
510
+.BR "\-\-tcp-flags " "[!] \fImask\fP \fIcomp\fP"
511
Match when the TCP flags are as specified. The first argument is the
512
flags which we should examine, written as a comma-separated list, and
513
the second argument is a comma-separated list of flags which must be
515
.BR "SYN ACK FIN RST URG PSH ALL NONE" .
518
- ip6tables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
519
+ ip6tables \-A FORWARD \-p tcp \-\-tcp-flags SYN,ACK,FIN,RST SYN
521
will only match packets with the SYN flag set, and the ACK, FIN and
526
Only match TCP packets with the SYN bit set and the ACK,RST and FIN bits
527
cleared. Such packets are used to request TCP connection initiation;
528
for example, blocking such packets coming in an interface will prevent
529
incoming TCP connections, but outgoing TCP connections will be
531
-It is equivalent to \fB--tcp-flags SYN,RST,ACK,FIN SYN\fP.
532
-If the "!" flag precedes the "--syn", the sense of the
533
+It is equivalent to \fB\-\-tcp-flags SYN,RST,ACK,FIN SYN\fP.
534
+If the "!" flag precedes the "\-\-syn", the sense of the
537
-.BR "--tcp-option " "[!] \fInumber\fP"
538
+.BR "\-\-tcp-option " "[!] \fInumber\fP"
539
Match if TCP option set.
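Review bot: The intro sentence uses `-\-protocol tcp' while the paragraph on the SYN match in the same file uses \fB\-\-tcp-flags SYN,RST,ACK,FIN SYN\fP and "\-\-syn"; use the fully escaped form in both places. The context line "If the second port greater then the first they will be swapped." has a grammar slip ("greater then") that could be fixed in the same pass.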
540
Index: b/iptables/extensions/libipt_CLUSTERIP.man
541
===================================================================
542
--- a/iptables/extensions/libipt_CLUSTERIP.man 2007-01-23 07:50:00.000000000 -0500
543
+++ b/iptables/extensions/libipt_CLUSTERIP.man 2008-02-18 09:57:13.643709762 -0500
545
them. Connections are statically distributed between the nodes in this
550
Create a new ClusterIP. You always have to set this on the first rule
551
for a given ClusterIP.
553
-.BI "--hashmode " "mode"
554
+.BI "\-\-hashmode " "mode"
555
Specify the hashing mode. Has to be one of
556
.B sourceip, sourceip-sourceport, sourceip-sourceport-destport
558
-.BI "--clustermac " "mac"
559
+.BI "\-\-clustermac " "mac"
560
Specify the ClusterIP MAC address. Has to be a link-layer multicast address
562
-.BI "--total-nodes " "num"
563
+.BI "\-\-total-nodes " "num"
564
Number of total nodes within this cluster.
566
-.BI "--local-node " "num"
567
+.BI "\-\-local-node " "num"
568
Local node number within this cluster.
570
-.BI "--hash-init " "rnd"
571
+.BI "\-\-hash-init " "rnd"
572
Specify the random seed used for hash initialization.
573
Index: b/iptables/extensions/libipt_DNAT.man
574
===================================================================
575
--- a/iptables/extensions/libipt_DNAT.man 2007-06-24 19:26:35.000000000 -0400
576
+++ b/iptables/extensions/libipt_DNAT.man 2008-02-18 09:57:13.643709762 -0500
578
also be mangled), and rules should cease being examined. It takes one
581
-.BR "--to-destination " "[\fIipaddr\fP][-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
582
+.BR "\-\-to-destination " "[\fIipaddr\fP][\-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
583
which can specify a single new destination IP address, an inclusive
584
range of IP addresses, and optionally, a port range (which is only
585
valid if the rule also specifies
591
If no port range is specified, then the destination port will never be
592
modified. If no IP address is specified then only the destination port
595
-In Kernels up to 2.6.10 you can add several --to-destination options. For
596
+In Kernels up to 2.6.10 you can add several \-\-to-destination options. For
597
those kernels, if you specify more than one destination address, either via an
598
-address range or multiple --to-destination options, a simple round-robin (one
599
+address range or multiple \-\-to-destination options, a simple round-robin (one
600
after another in cycle) load balancing takes place between these addresses.
601
Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges
609
is used then port mapping will be randomized (kernel >= 2.6.22).
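Review bot: On the \-\-to-destination line the address-range separator is escaped ([\-\fIipaddr\fP]) but the port-range separator in [:\fIport\fP-\fIport\fP] is left as a plain hyphen. Both are literal characters the user types, so escape the second one too. The \-\-to-source line in libipt_SNAT.man has the same split.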
612
Index: b/iptables/extensions/libipt_ECN.man
613
===================================================================
614
--- a/iptables/extensions/libipt_ECN.man 2007-01-23 07:50:00.000000000 -0500
615
+++ b/iptables/extensions/libipt_ECN.man 2008-02-18 09:57:13.643709762 -0500
617
This target allows to selectively work around known ECN blackholes.
618
It can only be used in the mangle table.
620
-.BI "--ecn-tcp-remove"
621
+.BI "\-\-ecn-tcp-remove"
622
Remove all ECN bits from the TCP header. Of course, it can only be used
626
Index: b/iptables/extensions/libipt_LOG.man
627
===================================================================
628
--- a/iptables/extensions/libipt_LOG.man 2007-01-23 07:50:00.000000000 -0500
629
+++ b/iptables/extensions/libipt_LOG.man 2008-02-18 09:57:13.643709762 -0500
631
separate rules with the same matching criteria, first using target LOG
632
then DROP (or REJECT).
634
-.BI "--log-level " "level"
635
+.BI "\-\-log-level " "level"
636
Level of logging (numeric or see \fIsyslog.conf\fP(5)).
638
-.BI "--log-prefix " "prefix"
639
+.BI "\-\-log-prefix " "prefix"
640
Prefix log messages with the specified prefix; up to 29 letters long,
641
and useful for distinguishing messages in the logs.
643
-.B --log-tcp-sequence
644
+.B \-\-log-tcp-sequence
645
Log TCP sequence numbers. This is a security risk if the log is
648
-.B --log-tcp-options
649
+.B \-\-log-tcp-options
650
Log options from the TCP packet header.
653
+.B \-\-log-ip-options
654
Log options from the IP packet header.
658
Log the userid of the process which generated the packet.
659
Index: b/iptables/extensions/libipt_MARK.man
660
===================================================================
661
--- a/iptables/extensions/libipt_MARK.man 2007-01-23 07:50:00.000000000 -0500
662
+++ b/iptables/extensions/libipt_MARK.man 2008-02-18 09:57:13.643709762 -0500
665
table. It can for example be used in conjunction with iproute2.
667
-.BI "--set-mark " "value"
668
+.BI "\-\-set-mark " "value"
671
-.BI "--and-mark " "value"
672
+.BI "\-\-and-mark " "value"
673
Binary AND the nfmark with value
675
-.BI "--or-mark " "value"
676
+.BI "\-\-or-mark " "value"
677
Binary OR the nfmark with value
678
Index: b/iptables/extensions/libipt_MASQUERADE.man
679
===================================================================
680
--- a/iptables/extensions/libipt_MASQUERADE.man 2007-06-24 19:26:35.000000000 -0400
681
+++ b/iptables/extensions/libipt_MASQUERADE.man 2008-02-18 09:57:13.643709762 -0500
683
next dialup is unlikely to have the same interface address (and hence
684
any established connections are lost anyway). It takes one option:
686
-.BR "--to-ports " "\fIport\fP[-\fIport\fP]"
687
+.BR "\-\-to-ports " "\fIport\fP[\-\fIport\fP]"
688
This specifies a range of source ports to use, overriding the default
690
source port-selection heuristics (see above). This is only valid
691
if the rule also specifies
700
Randomize source port mapping
704
is used then port mapping will be randomized (kernel >= 2.6.21).
707
Index: b/iptables/extensions/libipt_NETMAP.man
708
===================================================================
709
--- a/iptables/extensions/libipt_NETMAP.man 2007-01-23 07:50:00.000000000 -0500
710
+++ b/iptables/extensions/libipt_NETMAP.man 2008-02-18 09:57:13.643709762 -0500
715
-.BI "--to " "address[/mask]"
716
+.BI "\-\-to " "address[/mask]"
717
Network address to map to. The resulting address will be constructed in the
718
following way: All 'one' bits in the mask are filled in from the new `address'.
719
All bits that are zero in the mask are filled in from the original address.
720
Index: b/iptables/extensions/libipt_REDIRECT.man
721
===================================================================
722
--- a/iptables/extensions/libipt_REDIRECT.man 2007-06-24 19:26:35.000000000 -0400
723
+++ b/iptables/extensions/libipt_REDIRECT.man 2008-02-18 09:57:13.643709762 -0500
725
(locally-generated packets are mapped to the 127.0.0.1 address). It
728
-.BR "--to-ports " "\fIport\fP[-\fIport\fP]"
729
+.BR "\-\-to-ports " "\fIport\fP[\-\fIport\fP]"
730
This specifies a destination port or range of ports to use: without
731
this, the destination port is never altered. This is only valid
732
if the rule also specifies
744
is used then port mapping will be randomized (kernel >= 2.6.22).
747
Index: b/iptables/extensions/libipt_REJECT.man
748
===================================================================
749
--- a/iptables/extensions/libipt_REJECT.man 2007-01-23 07:50:00.000000000 -0500
750
+++ b/iptables/extensions/libipt_REJECT.man 2008-02-18 09:57:13.643709762 -0500
752
chains. The following option controls the nature of the error packet
755
-.BI "--reject-with " "type"
756
+.BI "\-\-reject-with " "type"
757
The type given can be
759
.B " icmp-net-unreachable"
760
Index: b/iptables/extensions/libipt_SAME.man
761
===================================================================
762
--- a/iptables/extensions/libipt_SAME.man 2008-02-18 09:57:13.599710947 -0500
763
+++ b/iptables/extensions/libipt_SAME.man 2008-02-18 09:57:13.643709762 -0500
765
Similar to SNAT/DNAT depending on chain: it takes a range of addresses
766
-(`--to 1.2.3.4-1.2.3.7') and gives a client the same
767
+(`-\-to 1.2.3.4-1.2.3.7') and gives a client the same
768
source-/destination-address for each connection.
770
-.BI "--to " "<ipaddr>-<ipaddr>"
771
+.BI "\-\-to " "<ipaddr>-<ipaddr>"
772
Addresses to map source to. May be specified more than once for
777
Don't use the destination-ip in the calculations when selecting the
782
Port mapping will be forcibly randomized to avoid attacks based on
783
port prediction (kernel >= 2.6.21).
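Review bot: The range separators in `-\-to 1.2.3.4-1.2.3.7' and in "<ipaddr>-<ipaddr>" are left as plain hyphens, and the inline option has only its second dash escaped. Both are literal input, so write \-\-to and escape the range hyphen the way the \-\-to-ports lines in libipt_MASQUERADE.man and libipt_REDIRECT.man do.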
784
Index: b/iptables/extensions/libipt_SET.man
785
===================================================================
786
--- a/iptables/extensions/libipt_SET.man 2007-01-23 07:50:00.000000000 -0500
787
+++ b/iptables/extensions/libipt_SET.man 2008-02-18 09:57:13.643709762 -0500
789
This modules adds and/or deletes entries from IP sets which can be defined
792
-.BR "--add-set " "setname flag[,flag...]"
793
+.BR "\-\-add-set " "setname flag[,flag...]"
794
add the address(es)/port(s) of the packet to the sets
796
-.BR "--del-set " "setname flag[,flag...]"
797
+.BR "\-\-del-set " "setname flag[,flag...]"
798
delete the address(es)/port(s) of the packet from the sets,
801
Index: b/iptables/extensions/libipt_SNAT.man
802
===================================================================
803
--- a/iptables/extensions/libipt_SNAT.man 2007-06-24 19:26:35.000000000 -0400
804
+++ b/iptables/extensions/libipt_SNAT.man 2008-02-18 09:57:13.643709762 -0500
806
mangled), and rules should cease being examined. It takes one type
809
-.BR "--to-source " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
810
+.BR "\-\-to-source " "\fIipaddr\fP[\-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
811
which can specify a single new source IP address, an inclusive range
812
of IP addresses, and optionally, a port range (which is only valid if
813
the rule also specifies
819
If no port range is specified, then source ports below 512 will be
820
mapped to other ports below 512: those between 512 and 1023 inclusive
821
will be mapped to ports below 1024, and other ports will be mapped to
822
1024 or above. Where possible, no port alteration will
824
-In Kernels up to 2.6.10, you can add several --to-source options. For those
825
+In Kernels up to 2.6.10, you can add several \-\-to-source options. For those
826
kernels, if you specify more than one source address, either via an address
827
-range or multiple --to-source options, a simple round-robin (one after another
828
+range or multiple \-\-to-source options, a simple round-robin (one after another
829
in cycle) takes place between these addresses.
830
Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges
838
is used then port mapping will be randomized (kernel >= 2.6.21).
841
Index: b/iptables/extensions/libipt_TARPIT.man
842
===================================================================
843
--- a/iptables/extensions/libipt_TARPIT.man 2008-02-18 09:57:13.543710946 -0500
844
+++ b/iptables/extensions/libipt_TARPIT.man 2008-02-18 09:57:13.643709762 -0500
847
To tarpit connections to TCP port 80 destined for the current machine:
849
-iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT
850
+iptables \-A INPUT \-p tcp \-m tcp \-\-dport 80 \-j TARPIT
852
To significantly slow down Code Red/Nimda-style scans of unused address
853
space, forward unused ip addresses to a Linux box not acting as a router
854
(e.g. "ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP
855
forwarding on the Linux box, and add:
857
-iptables -A FORWARD -p tcp -j TARPIT
858
+iptables \-A FORWARD \-p tcp \-j TARPIT
860
-iptables -A FORWARD -j DROP
861
+iptables \-A FORWARD \-j DROP
864
If you use the conntrack module while you are using TARPIT, you should
866
resources for each TARPITted connection. To TARPIT incoming
867
connections to the standard IRC port while using conntrack, you could:
869
-iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK
870
+iptables \-t raw \-A PREROUTING \-p tcp \-\-dport 6667 \-j NOTRACK
872
-iptables -A INPUT -p tcp --dport 6667 -j TARPIT
873
+iptables \-A INPUT \-p tcp \-\-dport 6667 \-j TARPIT
874
Index: b/iptables/extensions/libipt_TCPMSS.man
875
===================================================================
876
--- a/iptables/extensions/libipt_TCPMSS.man 2007-01-23 07:50:00.000000000 -0500
877
+++ b/iptables/extensions/libipt_TCPMSS.man 2008-02-18 09:57:13.643709762 -0500
879
the maximum size for that connection (usually limiting it to your
880
outgoing interface's MTU minus 40). Of course, it can only be used
884
It is only valid in the
888
Workaround: activate this option and add a rule to your firewall
891
- iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \\
892
- -j TCPMSS --clamp-mss-to-pmtu
893
+ iptables \-t mangle \-A FORWARD \-p tcp \-\-tcp-flags SYN,RST SYN \\
894
+ \-j TCPMSS \-\-clamp-mss-to-pmtu
897
-.BI "--set-mss " "value"
898
+.BI "\-\-set-mss " "value"
899
Explicitly set MSS option to specified value.
901
-.B "--clamp-mss-to-pmtu"
902
-Automatically clamp MSS value to (path_MTU - 40).
903
+.B "\-\-clamp-mss-to-pmtu"
904
+Automatically clamp MSS value to (path_MTU \- 40).
906
These options are mutually exclusive.
907
Index: b/iptables/extensions/libipt_TOS.man
908
===================================================================
909
--- a/iptables/extensions/libipt_TOS.man 2007-01-23 07:50:00.000000000 -0500
910
+++ b/iptables/extensions/libipt_TOS.man 2008-02-18 09:57:13.643709762 -0500
915
-.BI "--set-tos " "tos"
916
+.BI "\-\-set-tos " "tos"
917
You can use a numeric TOS values, or use
920
+ iptables \-j TOS \-h
922
to see the list of valid TOS names.
923
Index: b/iptables/extensions/libipt_TTL.man
924
===================================================================
925
--- a/iptables/extensions/libipt_TTL.man 2007-01-23 07:50:00.000000000 -0500
926
+++ b/iptables/extensions/libipt_TTL.man 2008-02-18 09:57:13.643709762 -0500
931
-.BI "--ttl-set " "value"
932
+.BI "\-\-ttl-set " "value"
933
Set the TTL value to `value'.
935
-.BI "--ttl-dec " "value"
936
+.BI "\-\-ttl-dec " "value"
937
Decrement the TTL value `value' times.
939
-.BI "--ttl-inc " "value"
940
+.BI "\-\-ttl-inc " "value"
941
Increment the TTL value `value' times.
942
Index: b/iptables/extensions/libipt_ULOG.man
943
===================================================================
944
--- a/iptables/extensions/libipt_ULOG.man 2007-01-23 07:50:00.000000000 -0500
945
+++ b/iptables/extensions/libipt_ULOG.man 2008-02-18 09:57:13.647710538 -0500
947
Like LOG, this is a "non-terminating target", i.e. rule traversal
948
continues at the next rule.
950
-.BI "--ulog-nlgroup " "nlgroup"
951
+.BI "\-\-ulog-nlgroup " "nlgroup"
952
This specifies the netlink group (1-32) to which the packet is sent.
955
-.BI "--ulog-prefix " "prefix"
956
+.BI "\-\-ulog-prefix " "prefix"
957
Prefix log messages with the specified prefix; up to 32 characters
958
long, and useful for distinguishing messages in the logs.
960
-.BI "--ulog-cprange " "size"
961
+.BI "\-\-ulog-cprange " "size"
962
Number of bytes to be copied to userspace. A value of 0 always copies
963
the entire packet, regardless of its size. Default is 0.
965
-.BI "--ulog-qthreshold " "size"
966
+.BI "\-\-ulog-qthreshold " "size"
967
Number of packet to queue inside kernel. Setting this value to, e.g. 10
968
accumulates ten packets inside the kernel and transmits them as one
969
netlink multipart message to userspace. Default is 1 (for backwards
970
Index: b/iptables/extensions/libipt_addrtype.man
971
===================================================================
972
--- a/iptables/extensions/libipt_addrtype.man 2007-01-23 07:50:00.000000000 -0500
973
+++ b/iptables/extensions/libipt_addrtype.man 2008-02-18 09:57:13.647710538 -0500
978
-.BI "--src-type " "type"
979
+.BI "\-\-src-type " "type"
980
Matches if the source address is of given type
982
-.BI "--dst-type " "type"
983
+.BI "\-\-dst-type " "type"
984
Matches if the destination address is of given type
985
Index: b/iptables/extensions/libipt_ah.man
986
===================================================================
987
--- a/iptables/extensions/libipt_ah.man 2007-01-23 07:50:00.000000000 -0500
988
+++ b/iptables/extensions/libipt_ah.man 2008-02-18 09:57:13.647710538 -0500
990
This module matches the SPIs in Authentication header of IPsec packets.
992
-.BR "--ahspi " "[!] \fIspi\fP[:\fIspi\fP]"
993
+.BR "\-\-ahspi " "[!] \fIspi\fP[:\fIspi\fP]"
994
Index: b/iptables/extensions/libipt_condition.man
995
===================================================================
996
--- a/iptables/extensions/libipt_condition.man 2007-01-23 07:50:00.000000000 -0500
997
+++ b/iptables/extensions/libipt_condition.man 2008-02-18 09:57:13.647710538 -0500
999
This matches if a specific /proc filename is '0' or '1'.
1001
-.BI "--condition " "[!] \fIfilename\fP"
1002
+.BI "\-\-condition " "[!] \fIfilename\fP"
1003
Match on boolean value stored in /proc/net/ipt_condition/filename file
1004
Index: b/iptables/extensions/libipt_connlimit.man
1005
===================================================================
1006
--- a/iptables/extensions/libipt_connlimit.man 2007-08-06 04:51:05.000000000 -0400
1007
+++ b/iptables/extensions/libipt_connlimit.man 2008-02-18 09:57:13.647710538 -0500
1009
Allows you to restrict the number of parallel connections to a server per
1010
client IP address (or client address block).
1012
-[\fB!\fR] \fB--connlimit-above \fIn\fR
1013
+[\fB!\fR] \fB\-\-connlimit-above \fIn\fR
1014
Match if the number of existing connections is (not) above \fIn\fR.
1016
-\fB--connlimit-mask\fR \fIprefix_length\fR
1017
+\fB\-\-connlimit-mask\fR \fIprefix_length\fR
1018
Group hosts using the prefix length. For IPv4, this must be a number between
1019
(including) 0 and 32. For IPv6, between 0 and 128.
1023
# allow 2 telnet connections per client host
1024
-iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
1025
+iptables \-A INPUT \-p tcp \-\-syn \-\-dport 23 \-m connlimit \-\-connlimit-above 2 \-j REJECT
1027
# you can also match the other way around:
1028
-iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
1029
+iptables \-A INPUT \-p tcp \-\-syn \-\-dport 23 \-m connlimit ! \-\-connlimit-above 2 \-j ACCEPT
1031
# limit the number of parallel HTTP requests to 16 per class C sized \
1032
network (24 bit netmask)
1033
-iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16
1034
---connlimit-mask 24 -j REJECT
1035
+iptables \-p tcp \-\-syn \-\-dport 80 \-m connlimit \-\-connlimit-above 16
1036
+-\-connlimit-mask 24 \-j REJECT
1038
# limit the number of parallel HTTP requests to 16 for the link local network \
1040
-ip6tables -p tcp --syn --dport 80 -s fe80::/64 -m connlimit --connlimit-above
1041
-16 --connlimit-mask 64 -j REJECT
1042
+ip6tables \-p tcp \-\-syn \-\-dport 80 \-s fe80::/64 \-m connlimit \-\-connlimit-above
1043
+16 \-\-connlimit-mask 64 \-j REJECT
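Review bot: the wrapped HTTP example escapes its continuation line as "+-\-connlimit-mask 24 \-j REJECT", leaving the first dash a plain hyphen while every other option in this file gets "\-\-". Suggest "\-\-connlimit-mask" so the two dashes render alike. The two wrapped examples are also not usable as written: neither "iptables \-p tcp ..." nor "ip6tables \-p tcp ..." names a command and chain (such as "\-A INPUT"), and the command lines break without the trailing backslash that the comment lines above them use.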
1044
Index: b/iptables/extensions/libipt_conntrack.man
1045
===================================================================
1046
--- a/iptables/extensions/libipt_conntrack.man 2007-01-23 07:50:00.000000000 -0500
1047
+++ b/iptables/extensions/libipt_conntrack.man 2008-02-18 09:57:13.659709819 -0500
1049
(this module is present only if iptables was compiled under a kernel
1050
supporting this feature)
1052
-.BI "--ctstate " "state"
1053
+.BI "\-\-ctstate " "state"
1054
Where state is a comma separated list of the connection states to
1055
match. Possible states are
1058
A virtual state, matching if the original destination differs from the
1061
-.BI "--ctproto " "proto"
1062
+.BI "\-\-ctproto " "proto"
1063
Protocol to match (by number or name)
1065
-.BI "--ctorigsrc " "[!] \fIaddress\fP[/\fImask\fP]"
1066
+.BI "\-\-ctorigsrc " "[!] \fIaddress\fP[/\fImask\fP]"
1067
Match against original source address
1069
-.BI "--ctorigdst " "[!] \fIaddress\fP[/\fImask\fP]"
1070
+.BI "\-\-ctorigdst " "[!] \fIaddress\fP[/\fImask\fP]"
1071
Match against original destination address
1073
-.BI "--ctreplsrc " "[!] \fIaddress\fP[/\fImask\fP]"
1074
+.BI "\-\-ctreplsrc " "[!] \fIaddress\fP[/\fImask\fP]"
1075
Match against reply source address
1077
-.BI "--ctrepldst " "[!] \fIaddress\fB[/\fImask\fP]"
1078
+.BI "\-\-ctrepldst " "[!] \fIaddress\fB[/\fImask\fP]"
1079
Match against reply destination address
1081
-.BI "--ctstatus " "[\fINONE|EXPECTED|SEEN_REPLY|ASSURED\fP][,...]"
1082
+.BI "\-\-ctstatus " "[\fINONE|EXPECTED|SEEN_REPLY|ASSURED\fP][,...]"
1083
Match against internal conntrack states
1085
-.BI "--ctexpire " "\fItime\fP[\fI:time\fP]"
1086
+.BI "\-\-ctexpire " "\fItime\fP[\fI:time\fP]"
1087
Match remaining lifetime in seconds against given value
1088
or range of values (inclusive)
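Review bot: the \-\-ctrepldst line carries over a font typo from the old text, "\fIaddress\fB[/\fImask\fP]", where the three sibling options (\-\-ctorigsrc, \-\-ctorigdst, \-\-ctreplsrc) use "\fIaddress\fP[/\fImask\fP]". With \fB the "[/" is set in bold instead of returning to the previous font. Since the line is rewritten here anyway, change \fB to \fP.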
1089
Index: b/iptables/extensions/libipt_ecn.man
1090
===================================================================
1091
--- a/iptables/extensions/libipt_ecn.man 2007-01-23 07:50:00.000000000 -0500
1092
+++ b/iptables/extensions/libipt_ecn.man 2008-02-18 09:57:13.659709819 -0500
1094
This allows you to match the ECN bits of the IPv4 and TCP header. ECN is the Explicit Congestion Notification mechanism as specified in RFC3168
1096
-.BI "--ecn-tcp-cwr"
1097
+.BI "\-\-ecn-tcp-cwr"
1098
This matches if the TCP ECN CWR (Congestion Window Received) bit is set.
1100
-.BI "--ecn-tcp-ece"
1101
+.BI "\-\-ecn-tcp-ece"
1102
This matches if the TCP ECN ECE (ECN Echo) bit is set.
1104
-.BI "--ecn-ip-ect " "num"
1105
+.BI "\-\-ecn-ip-ect " "num"
1106
This matches a particular IPv4 ECT (ECN-Capable Transport). You have to specify
1107
a number between `0' and `3'.
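Review bot: the context line under \-\-ecn-tcp-cwr expands CWR as "Congestion Window Received", but RFC 3168, which this page cites, names the flag Congestion Window Reduced. The patch touches the line directly above it, so the expansion can be corrected in the same pass.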
1108
Index: b/iptables/extensions/libipt_icmp.man
1109
===================================================================
1110
--- a/iptables/extensions/libipt_icmp.man 2007-03-21 20:04:36.000000000 -0400
1111
+++ b/iptables/extensions/libipt_icmp.man 2008-02-18 09:57:13.659709819 -0500
1113
-This extension can be used if `--protocol icmp' is specified. It
1114
+This extension can be used if `-\-protocol icmp' is specified. It
1115
provides the following option:
1117
-.BR "--icmp-type " "[!] \fItypename\fP"
1118
+.BR "\-\-icmp-type " "[!] \fItypename\fP"
1119
This allows specification of the ICMP type, which can be a numeric
1120
ICMP type, or one of the ICMP type names shown by the command
1122
- iptables -p icmp -h
1123
+ iptables \-p icmp \-h
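Review bot: the intro sentence is changed to "`-\-protocol icmp'", which escapes only the second dash, while the option line below uses "\-\-icmp-type". Suggest "`\-\-protocol icmp'" so the long option is written the same way throughout the file.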
1125
Index: b/iptables/extensions/libipt_iprange.man
1126
===================================================================
1127
--- a/iptables/extensions/libipt_iprange.man 2007-01-23 07:50:00.000000000 -0500
1128
+++ b/iptables/extensions/libipt_iprange.man 2008-02-18 09:57:13.659709819 -0500
1130
This matches on a given arbitrary range of IPv4 addresses
1132
-.BI "[!]" "--src-range " "ip-ip"
1133
+.BI "[!]" "\-\-src-range " "ip-ip"
1134
Match source IP in the specified range.
1136
-.BI "[!]" "--dst-range " "ip-ip"
1137
+.BI "[!]" "\-\-dst-range " "ip-ip"
1138
Match destination IP in the specified range.
1139
Index: b/iptables/extensions/libipt_ipv4options.man
1140
===================================================================
1141
--- a/iptables/extensions/libipt_ipv4options.man 2008-02-18 09:57:13.559711088 -0500
1142
+++ b/iptables/extensions/libipt_ipv4options.man 2008-02-18 09:57:13.659709819 -0500
1144
Match on IPv4 header options like source routing, record route,
1145
timestamp and router-alert.
1149
To match packets with the flag strict source routing.
1153
To match packets with the flag loose source routing.
1157
To match packets with no flag for source routing.
1159
-.B "\fR[\fB!\fR]\fB --rr"
1160
+.B "\fR[\fB!\fR]\fB \-\-rr"
1161
To match packets with the RR flag.
1163
-.B "\fR[\fB!\fR]\fB --ts"
1164
+.B "\fR[\fB!\fR]\fB \-\-ts"
1165
To match packets with the TS flag.
1167
-.B "\fR[\fB!\fR]\fB --ra"
1168
+.B "\fR[\fB!\fR]\fB \-\-ra"
1169
To match packets with the router-alert option.
1171
-.B "\fR[\fB!\fR]\fB --any-opt"
1172
+.B "\fR[\fB!\fR]\fB \-\-any-opt"
1173
To match a packet with at least one IP option, or no IP option
1174
at all if ! is chosen.
1178
-$ iptables -A input -m ipv4options --rr -j DROP
1179
+$ iptables \-A input \-m ipv4options \-\-rr \-j DROP
1180
will drop packets with the record-route flag.
1182
-$ iptables -A input -m ipv4options --ts -j DROP
1183
+$ iptables \-A input \-m ipv4options \-\-ts \-j DROP
1184
will drop packets with the timestamp flag.
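Review bot: both example commands keep the lowercase chain name in "\-A input". iptables chain names are case-sensitive and the built-in chain is INPUT, so the examples fail as written unless a user-defined chain called input exists. Suggest "\-A INPUT" in both lines while they are being touched.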
1185
Index: b/iptables/extensions/libipt_length.man
1186
===================================================================
1187
--- a/iptables/extensions/libipt_length.man 2007-01-23 07:50:00.000000000 -0500
1188
+++ b/iptables/extensions/libipt_length.man 2008-02-18 09:57:13.659709819 -0500
1190
This module matches the length of a packet against a specific value
1193
-.BR "--length " "[!] \fIlength\fP[:\fIlength\fP]"
1194
+.BR "\-\-length " "[!] \fIlength\fP[:\fIlength\fP]"
1195
Index: b/iptables/extensions/libipt_multiport.man
1196
===================================================================
1197
--- a/iptables/extensions/libipt_multiport.man 2007-01-23 07:50:00.000000000 -0500
1198
+++ b/iptables/extensions/libipt_multiport.man 2008-02-18 09:57:13.659709819 -0500
1200
This module matches a set of source or destination ports. Up to 15
1201
ports can be specified. A port range (port:port) counts as two
1202
ports. It can only be used in conjunction with
1209
-.BR "--source-ports " "\fI[!] port\fP[,\fIport\fP[,\fIport:port\fP...]]"
1210
+.BR "\-\-source-ports " "\fI[!] port\fP[,\fIport\fP[,\fIport:port\fP...]]"
1211
Match if the source port is one of the given ports. The flag
1214
is a convenient alias for this option.
1216
-.BR "--destination-ports " "\fI[!] port\fP[,\fIport\fP[,\fIport:port\fP...]]"
1217
+.BR "\-\-destination-ports " "\fI[!] port\fP[,\fIport\fP[,\fIport:port\fP...]]"
1218
Match if the destination port is one of the given ports. The flag
1221
is a convenient alias for this option.
1223
-.BR "--ports " "\fI[!] port\fP[,\fIport\fP[,\fIport:port\fP...]]"
1224
+.BR "\-\-ports " "\fI[!] port\fP[,\fIport\fP[,\fIport:port\fP...]]"
1225
Match if either the source or destination ports are equal to one of
1227
Index: b/iptables/extensions/libipt_owner.man
1228
===================================================================
1229
--- a/iptables/extensions/libipt_owner.man 2007-01-23 07:50:00.000000000 -0500
1230
+++ b/iptables/extensions/libipt_owner.man 2008-02-18 09:57:13.659709819 -0500
1232
chain, and even this some packets (such as ICMP ping responses) may
1233
have no owner, and hence never match.
1235
-.BI "--uid-owner " "userid"
1236
+.BI "\-\-uid-owner " "userid"
1237
Matches if the packet was created by a process with the given
1240
-.BI "--gid-owner " "groupid"
1241
+.BI "\-\-gid-owner " "groupid"
1242
Matches if the packet was created by a process with the given
1245
-.BI "--pid-owner " "processid"
1246
+.BI "\-\-pid-owner " "processid"
1247
Matches if the packet was created by a process with the given
1250
-.BI "--sid-owner " "sessionid"
1251
+.BI "\-\-sid-owner " "sessionid"
1252
Matches if the packet was created by a process in the given session
1255
-.BI "--cmd-owner " "name"
1256
+.BI "\-\-cmd-owner " "name"
1257
Matches if the packet was created by a process with the given command name.
1258
(this option is present only if iptables was compiled under a kernel
1259
supporting this feature)
1260
Index: b/iptables/extensions/libipt_policy.man
1261
===================================================================
1262
--- a/iptables/extensions/libipt_policy.man 2007-01-23 07:50:00.000000000 -0500
1263
+++ b/iptables/extensions/libipt_policy.man 2008-02-18 09:57:13.659709819 -0500
1265
This modules matches the policy used by IPsec for handling a packet.
1267
-.BI "--dir " "in|out"
1268
+.BI "\-\-dir " "in|out"
1269
Used to select whether to match the policy used for decapsulation or the
1270
policy that will be used for encapsulation.
1273
.B POSTROUTING, OUTPUT and FORWARD
1276
-.BI "--pol " "none|ipsec"
1277
+.BI "\-\-pol " "none|ipsec"
1278
Matches if the packet is subject to IPsec processing.
1282
Selects whether to match the exact policy or match if any rule of
1283
the policy matches the given policy.
1285
-.BI "--reqid " "id"
1286
+.BI "\-\-reqid " "id"
1287
Matches the reqid of the policy rule. The reqid can be specified with
1294
+.BI "\-\-spi " "spi"
1295
Matches the SPI of the SA.
1297
-.BI "--proto " "ah|esp|ipcomp"
1298
+.BI "\-\-proto " "ah|esp|ipcomp"
1299
Matches the encapsulation protocol.
1301
-.BI "--mode " "tunnel|transport"
1302
+.BI "\-\-mode " "tunnel|transport"
1303
Matches the encapsulation mode.
1305
-.BI "--tunnel-src " "addr[/mask]"
1306
+.BI "\-\-tunnel-src " "addr[/mask]"
1307
Matches the source end-point address of a tunnel mode SA.
1308
-Only valid with --mode tunnel.
1309
+Only valid with \-\-mode tunnel.
1311
-.BI "--tunnel-dst " "addr[/mask]"
1312
+.BI "\-\-tunnel-dst " "addr[/mask]"
1313
Matches the destination end-point address of a tunnel mode SA.
1314
-Only valid with --mode tunnel.
1315
+Only valid with \-\-mode tunnel.
1319
Start the next element in the policy specification. Can only be used with
1322
Index: b/iptables/extensions/libipt_realm.man
1323
===================================================================
1324
--- a/iptables/extensions/libipt_realm.man 2007-01-23 07:50:00.000000000 -0500
1325
+++ b/iptables/extensions/libipt_realm.man 2008-02-18 09:57:13.659709819 -0500
1327
This matches the routing realm. Routing realms are used in complex routing
1328
setups involving dynamic routing protocols like BGP.
1330
-.BI "--realm " "[!] " "value[/mask]"
1331
+.BI "\-\-realm " "[!] " "value[/mask]"
1332
Matches a given realm number (and optionally mask). If not a number, value
1333
can be a named realm from /etc/iproute2/rt_realms (mask can not be used in
1335
Index: b/iptables/extensions/libipt_recent.man
1336
===================================================================
1337
--- a/iptables/extensions/libipt_recent.man 2008-02-18 09:57:13.583710616 -0500
1338
+++ b/iptables/extensions/libipt_recent.man 2008-02-18 09:57:13.659709819 -0500
1340
to connect to port 139 on your firewall and then DROP all future
1341
packets from them without considering them.
1343
-.BI "--name " "name"
1344
+.BI "\-\-name " "name"
1345
Specify the list to use for the commands. If no name is given then 'DEFAULT'
1348
-[\fB!\fR] \fB--set\fR
1349
+[\fB!\fR] \fB\-\-set\fR
1350
This will add the source address of the packet to the list. If the
1351
source address is already in the list, this will update the existing
1352
entry. This will always return success (or failure if `!' is passed
1355
-[\fB!\fR] \fB--rcheck\fR
1356
+[\fB!\fR] \fB\-\-rcheck\fR
1357
Check if the source address of the packet is currently in
1360
-[\fB!\fR] \fB--update\fR
1361
-Like \fB--rcheck\fR, except it will update the "last seen" timestamp if it
1362
+[\fB!\fR] \fB\-\-update\fR
1363
+Like \fB\-\-rcheck\fR, except it will update the "last seen" timestamp if it
1366
-[\fB!\fR] \fB--remove\fR
1367
+[\fB!\fR] \fB\-\-remove\fR
1368
Check if the source address of the packet is currently in the list and
1369
if so that address will be removed from the list and the rule will
1370
return true. If the address is not found, false is returned.
1372
-[\fB!\fR] \fB--seconds \fIseconds\fR
1373
-This option must be used in conjunction with one of \fB--rcheck\fR or
1374
-\fB--update\fR. When used, this will narrow the match to only happen
1375
+[\fB!\fR] \fB\-\-seconds \fIseconds\fR
1376
+This option must be used in conjunction with one of \fB\-\-rcheck\fR or
1377
+\fB\-\-update\fR. When used, this will narrow the match to only happen
1378
when the address is in the list and was seen within the last given
1381
-[\fB!\fR] \fB--hitcount \fIhits\fR
1382
-This option must be used in conjunction with one of \fB--rcheck\fR or
1383
-\fB--update\fR. When used, this will narrow the match to only happen
1384
+[\fB!\fR] \fB\-\-hitcount \fIhits\fR
1385
+This option must be used in conjunction with one of \fB\-\-rcheck\fR or
1386
+\fB\-\-update\fR. When used, this will narrow the match to only happen
1387
when the address is in the list and packets had been received greater
1388
than or equal to the given value. This option may be used along with
1389
-\fB--seconds\fR to create an even narrower match requiring a certain
1390
+\fB\-\-seconds\fR to create an even narrower match requiring a certain
1391
number of hits within a specific time frame.
1394
-This option must be used in conjunction with one of \fB--rcheck\fR or
1395
-\fB--update\fR. When used, this will narrow the match to only happen
1397
+This option must be used in conjunction with one of \fB\-\-rcheck\fR or
1398
+\fB\-\-update\fR. When used, this will narrow the match to only happen
1399
when the address is in the list and the TTL of the current packet
1400
-matches that of the packet which hit the \fB--set\fR rule. This may be
1401
+matches that of the packet which hit the \fB\-\-set\fR rule. This may be
1402
useful if you have problems with people faking their source address in
1403
order to DoS you via this module by disallowing others access to your
1404
site by sending bogus packets to you.
1406
-\fB--name \fIname\fR
1407
+\fB\-\-name \fIname\fR
1408
Name of the recent list to be used. DEFAULT used if none given.
1412
Match/Save the source address of each packet in the recent list table (default).
1416
Match/Save the destination address of each packet in the recent list table.
1420
-# iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP
1421
+# iptables \-A FORWARD \-m recent \-\-name badguy \-\-rcheck \-\-seconds 60 \-j DROP
1423
-# iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP
1424
+# iptables \-A FORWARD \-p tcp \-i eth0 \-\-dport 139 \-m recent \-\-name badguy \-\-set \-j DROP
1426
Official website (http://snowman.net/projects/ipt_recent/) also has
1427
some examples of usage.
1429
echo xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
1430
to Add to the DEFAULT list
1432
-echo -xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
1433
+echo \-xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
1434
to Remove from the DEFAULT list
1436
echo clear > /proc/net/ipt_recent/DEFAULT
1437
Index: b/iptables/extensions/libipt_set.man
1438
===================================================================
1439
--- a/iptables/extensions/libipt_set.man 2007-01-23 07:50:00.000000000 -0500
1440
+++ b/iptables/extensions/libipt_set.man 2008-02-18 09:57:13.663710413 -0500
1442
This modules macthes IP sets which can be defined by ipset(8).
1444
-.BR "--set " "setname flag[,flag...]"
1445
+.BR "\-\-set " "setname flag[,flag...]"
1450
and there can be no more than six of them. Hence the command
1452
- iptables -A FORWARD -m set --set test src,dst
1453
+ iptables \-A FORWARD \-m set \-\-set test src,dst
1455
will match packets, for which (depending on the type of the set) the source
1456
address or port number of the packet can be found in the specified set. If
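Review bot: the first context line of this file reads "This modules macthes IP sets". As this is a documentation cleanup, fix it to "This module matches IP sets" in the same change. The dash escaping in the option and example lines is consistent.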
1457
Index: b/iptables/extensions/libipt_tcp.man
1458
===================================================================
1459
--- a/iptables/extensions/libipt_tcp.man 2007-03-21 20:04:36.000000000 -0400
1460
+++ b/iptables/extensions/libipt_tcp.man 2008-02-18 09:57:13.663710413 -0500
1462
-These extensions can be used if `--protocol tcp' is specified. It
1463
+These extensions can be used if `-\-protocol tcp' is specified. It
1464
provides the following options:
1466
-.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
1467
+.BR "\-\-source-port " "[!] \fIport\fP[:\fIport\fP]"
1468
Source port or port range specification. This can either be a service
1469
name or a port number. An inclusive range can also be specified,
1473
If the second port greater then the first they will be swapped.
1477
is a convenient alias for this option.
1479
-.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
1480
+.BR "\-\-destination-port " "[!] \fIport\fP[:\fIport\fP]"
1481
Destination port or port range specification. The flag
1484
is a convenient alias for this option.
1486
-.BR "--tcp-flags " "[!] \fImask\fP \fIcomp\fP"
1487
+.BR "\-\-tcp-flags " "[!] \fImask\fP \fIcomp\fP"
1488
Match when the TCP flags are as specified. The first argument is the
1489
flags which we should examine, written as a comma-separated list, and
1490
the second argument is a comma-separated list of flags which must be
1492
.BR "SYN ACK FIN RST URG PSH ALL NONE" .
1495
- iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
1496
+ iptables \-A FORWARD \-p tcp \-\-tcp-flags SYN,ACK,FIN,RST SYN
1498
will only match packets with the SYN flag set, and the ACK, FIN and
1503
Only match TCP packets with the SYN bit set and the ACK,RST and FIN bits
1504
cleared. Such packets are used to request TCP connection initiation;
1505
for example, blocking such packets coming in an interface will prevent
1506
incoming TCP connections, but outgoing TCP connections will be
1508
-It is equivalent to \fB--tcp-flags SYN,RST,ACK,FIN SYN\fP.
1509
-If the "!" flag precedes the "--syn", the sense of the
1510
+It is equivalent to \fB\-\-tcp-flags SYN,RST,ACK,FIN SYN\fP.
1511
+If the "!" flag precedes the "\-\-syn", the sense of the
1514
-.BR "--tcp-option " "[!] \fInumber\fP"
1515
+.BR "\-\-tcp-option " "[!] \fInumber\fP"
1516
Match if TCP option set.
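Review bot: the unchanged sentence "If the second port greater then the first they will be swapped." is missing its verb and uses "then" for "than"; it should read "is greater than". The intro line has the same half-escaped form as in libipt_icmp.man, "`-\-protocol tcp'", and should be "`\-\-protocol tcp'" to match "\-\-tcp-flags" and "\-\-syn" further down.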
1517
Index: b/iptables/extensions/libipt_tos.man
1518
===================================================================
1519
--- a/iptables/extensions/libipt_tos.man 2007-01-23 07:50:00.000000000 -0500
1520
+++ b/iptables/extensions/libipt_tos.man 2008-02-18 09:57:13.663710413 -0500
1522
This module matches the 8 bits of Type of Service field in the IP
1523
header (ie. including the precedence bits).
1526
+.BI "\-\-tos " "tos"
1527
The argument is either a standard name, (use
1529
- iptables -m tos -h
1530
+ iptables \-m tos \-h
1532
to see the list), or a numeric value to match.
1533
Index: b/iptables/extensions/libipt_ttl.man
1534
===================================================================
1535
--- a/iptables/extensions/libipt_ttl.man 2007-01-23 07:50:00.000000000 -0500
1536
+++ b/iptables/extensions/libipt_ttl.man 2008-02-18 09:57:13.663710413 -0500
1538
This module matches the time to live field in the IP header.
1540
-.BI "--ttl-eq " "ttl"
1541
+.BI "\-\-ttl-eq " "ttl"
1542
Matches the given TTL value.
1544
-.BI "--ttl-gt " "ttl"
1545
+.BI "\-\-ttl-gt " "ttl"
1546
Matches if TTL is greater than the given TTL value.
1548
-.BI "--ttl-lt " "ttl"
1549
+.BI "\-\-ttl-lt " "ttl"
1550
Matches if TTL is less than the given TTL value.
1551
Index: b/iptables/extensions/libxt_CLASSIFY.man
1552
===================================================================
1553
--- a/iptables/extensions/libxt_CLASSIFY.man 2007-12-22 07:44:18.000000000 -0500
1554
+++ b/iptables/extensions/libxt_CLASSIFY.man 2008-02-18 09:57:13.663710413 -0500
1556
This module allows you to set the skb->priority value (and thus classify the packet into a specific CBQ class).
1558
-.BI "--set-class " "MAJOR:MINOR"
1559
+.BI "\-\-set-class " "MAJOR:MINOR"
1560
Set the major and minor class value.
1561
Index: b/iptables/extensions/libxt_CONNMARK.man
1562
===================================================================
1563
--- a/iptables/extensions/libxt_CONNMARK.man 2007-12-22 07:44:18.000000000 -0500
1564
+++ b/iptables/extensions/libxt_CONNMARK.man 2008-02-18 09:57:13.663710413 -0500
1566
This module sets the netfilter mark value associated with a connection
1568
-.B --set-mark mark[/mask]
1569
+.B \-\-set-mark mark[/mask]
1570
Set connection mark. If a mask is specified then only those bits set in the
1573
-.B --save-mark [--mask mask]
1574
+.B \-\-save-mark [\-\-mask mask]
1575
Copy the netfilter packet mark value to the connection mark. If a mask
1576
is specified then only those bits are copied.
1578
-.B --restore-mark [--mask mask]
1579
+.B \-\-restore-mark [\-\-mask mask]
1580
Copy the connection mark value to the packet. If a mask is specified
1581
then only those bits are copied. This is only valid in the
1583
Index: b/iptables/extensions/libxt_CONNSECMARK.man
1584
===================================================================
1585
--- a/iptables/extensions/libxt_CONNSECMARK.man 2007-12-22 07:44:18.000000000 -0500
1586
+++ b/iptables/extensions/libxt_CONNSECMARK.man 2008-02-18 09:57:13.663710413 -0500
1593
If the packet has a security marking, copy it to the connection
1594
if the connection is not marked.
1598
If the packet does not have a security marking, and the connection
1599
does, copy the security marking from the connection to the packet.
1601
Index: b/iptables/extensions/libxt_DSCP.man
1602
===================================================================
1603
--- a/iptables/extensions/libxt_DSCP.man 2007-12-22 07:44:18.000000000 -0500
1604
+++ b/iptables/extensions/libxt_DSCP.man 2008-02-18 09:57:13.663710413 -0500
1606
header of the IPv4 packet. As this manipulates a packet, it can only
1607
be used in the mangle table.
1609
-.BI "--set-dscp " "value"
1610
+.BI "\-\-set-dscp " "value"
1611
Set the DSCP field to a numerical value (can be decimal or hex)
1613
-.BI "--set-dscp-class " "class"
1614
+.BI "\-\-set-dscp-class " "class"
1615
Set the DSCP field to a DiffServ class.
1616
Index: b/iptables/extensions/libxt_NFLOG.man
1617
===================================================================
1618
--- a/iptables/extensions/libxt_NFLOG.man 2007-12-22 07:44:18.000000000 -0500
1619
+++ b/iptables/extensions/libxt_NFLOG.man 2008-02-18 09:57:13.663710413 -0500
1621
may subscribe to the group to receive the packets. Like LOG, this is a
1622
non-terminating target, i.e. rule traversal continues at the next rule.
1624
-.BI "--nflog-group " "nlgroup"
1625
-The netlink group (1 - 2^32-1) to which packets are (only applicable for
1626
+.BI "\-\-nflog-group " "nlgroup"
1627
+The netlink group (1 \- 2^32-1) to which packets are (only applicable for
1628
nfnetlink_log). The default value is 0.
1630
-.BI "--nflog-prefix " "prefix"
1631
+.BI "\-\-nflog-prefix " "prefix"
1632
A prefix string to include in the log message, up to 64 characters
1633
long, useful for distinguishing messages in the logs.
1635
-.BI "--nflog-range " "size"
1636
+.BI "\-\-nflog-range " "size"
1637
The number of bytes to be copied to userspace (only applicable for
1638
nfnetlink_log). nfnetlink_log instances may specify their own
1639
range, this option overrides it.
1641
-.BI "--nflog-threshold " "size"
1642
+.BI "\-\-nflog-threshold " "size"
1643
Number of packets to queue inside the kernel before sending them
1644
to userspace (only applicable for nfnetlink_log). Higher values
1645
result in less overhead per packet, but increase delay until the
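Review bot: in the \-\-nflog-group description only the range dash is escaped. "(1 \- 2^32-1)" leaves the minus in "2^32-1" as a plain hyphen, unlike "(path_MTU \- 40)" in libipt_TCPMSS.man; suggest "2^32\-1". Separately, the stated range starts at 1 while the next line gives the default as 0, and the sentence "to which packets are (only applicable ..." has no participle after "are". Both predate this patch but sit on lines it rewrites.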
1646
Index: b/iptables/extensions/libxt_NFQUEUE.man
1647
===================================================================
1648
--- a/iptables/extensions/libxt_NFQUEUE.man 2008-02-18 09:57:13.599710947 -0500
1649
+++ b/iptables/extensions/libxt_NFQUEUE.man 2008-02-18 09:57:13.663710413 -0500
1651
you to put a packet into any specific queue, identified by its 16-bit queue
1654
-.BR "--queue-num " "\fIvalue"
1655
+.BR "\-\-queue-num " "\fIvalue"
1656
This specifies the QUEUE number to use. Valid queue numbers are 0 to 65535. The default value is 0.
1658
It can only be used with Kernel versions 2.6.14 or later, since it requires
1659
Index: b/iptables/extensions/libxt_SECMARK.man
1660
===================================================================
1661
--- a/iptables/extensions/libxt_SECMARK.man 2007-12-22 07:44:18.000000000 -0500
1662
+++ b/iptables/extensions/libxt_SECMARK.man 2008-02-18 09:57:13.663710413 -0500
1667
-.BI "--selctx " "security_context"
1668
+.BI "\-\-selctx " "security_context"
1669
Index: b/iptables/extensions/libxt_comment.man
1670
===================================================================
1671
--- a/iptables/extensions/libxt_comment.man 2007-12-22 07:44:18.000000000 -0500
1672
+++ b/iptables/extensions/libxt_comment.man 2008-02-18 09:57:13.663710413 -0500
1674
Allows you to add comments (up to 256 characters) to any rule.
1676
-.BI "--comment " "comment"
1677
+.BI "\-\-comment " "comment"
1680
-iptables -A INPUT -s 192.168.0.0/16 -m comment --comment "A privatized IP block"
1681
+iptables \-A INPUT \-s 192.168.0.0/16 \-m comment \-\-comment "A privatized IP block"
1682
Index: b/iptables/extensions/libxt_connbytes.man
1683
===================================================================
1684
--- a/iptables/extensions/libxt_connbytes.man 2008-02-18 09:57:13.599710947 -0500
1685
+++ b/iptables/extensions/libxt_connbytes.man 2008-02-18 09:57:13.663710413 -0500
1687
The transferred bytes per connection can also be viewed through
1688
/proc/net/ip_conntrack and accessed via ctnetlink
1690
-[\fB!\fR]\fB --connbytes \fIfrom\fB:\fR[\fIto\fR]
1691
+[\fB!\fR]\fB \-\-connbytes \fIfrom\fB:\fR[\fIto\fR]
1692
match packets from a connection whose packets/bytes/average packet
1693
size is more than FROM and less than TO bytes/packets. if TO is
1694
omitted only FROM check is done. "!" is used to match packets not
1695
falling in the range.
1697
-\fB--connbytes-dir\fR [\fBoriginal\fR|\fBreply\fR|\fBboth\fR]
1698
+\fB\-\-connbytes-dir\fR [\fBoriginal\fR|\fBreply\fR|\fBboth\fR]
1699
which packets to consider
1701
-\fB--connbytes-mode\fR [\fBpackets\fR|\fBbytes\fR|\fBavgpkt\fR]
1702
+\fB\-\-connbytes-mode\fR [\fBpackets\fR|\fBbytes\fR|\fBavgpkt\fR]
1703
whether to check the amount of packets, number of bytes transferred or
1704
the average size (in bytes) of all packets received so far. Note that
1705
when "both" is used together with "avgpkt", and data is going (mainly)
1707
be about half of the actual data packets.
1710
-iptables .. -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes ...
1711
+iptables .. \-m connbytes \-\-connbytes 10000:100000 \-\-connbytes-dir both \-\-connbytes-mode bytes ...
1712
Index: b/iptables/extensions/libxt_connmark.man
1713
===================================================================
1714
--- a/iptables/extensions/libxt_connmark.man 2007-12-22 07:44:18.000000000 -0500
1715
+++ b/iptables/extensions/libxt_connmark.man 2008-02-18 09:57:13.663710413 -0500
1720
-.BI "--mark " "value[/mask]"
1721
+.BI "\-\-mark " "value[/mask]"
1722
Matches packets in connections with the given mark value (if a mask is
1723
specified, this is logically ANDed with the mark before the
1725
Index: b/iptables/extensions/libxt_dccp.man
1726
===================================================================
1727
--- a/iptables/extensions/libxt_dccp.man 2007-12-22 07:44:18.000000000 -0500
1728
+++ b/iptables/extensions/libxt_dccp.man 2008-02-18 09:57:13.663710413 -0500
1731
-\fB--source-port\fR,\fB--sport \fR[\fB!\fR] \fIport\fR[\fB:\fIport\fR]
1732
+\fB\-\-source-port\fR,\fB\-\-sport \fR[\fB!\fR] \fIport\fR[\fB:\fIport\fR]
1734
-\fB--destination-port\fR,\fB--dport \fR[\fB!\fR] \fIport\fR[\fB:\fIport\fR]
1735
+\fB\-\-destination-port\fR,\fB\-\-dport \fR[\fB!\fR] \fIport\fR[\fB:\fIport\fR]
1737
-\fB--dccp-types\fR [\fB!\fR] \fImask\fP
1738
+\fB\-\-dccp-types\fR [\fB!\fR] \fImask\fP
1739
Match when the DCCP packet type is one of 'mask'. 'mask' is a comma-separated
1740
list of packet types. Packet types are:
1741
.BR "REQUEST RESPONSE DATA ACK DATAACK CLOSEREQ CLOSE RESET SYNC SYNCACK INVALID" .
1743
-\fB--dccp-option\fR [\fB!\fR\] \fInumber\fP
1744
+\fB\-\-dccp-option\fR [\fB!\fR\] \fInumber\fP
1745
Match if DCP option set.
1746
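Review bot: The \-\-dccp-option line is re-emitted as "[\fB!\fR\]", which still carries a stray backslash before the closing bracket; the \-\-dccp-types line just above it uses "[\fB!\fR]". Suggest dropping the extra backslash in the same pass. The description under it also reads "DCP option" where "DCCP option" is presumably meant.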
Index: b/iptables/extensions/libxt_dscp.man
1747
===================================================================
1748
--- a/iptables/extensions/libxt_dscp.man 2008-02-18 09:57:13.599710947 -0500
1749
+++ b/iptables/extensions/libxt_dscp.man 2008-02-18 09:57:13.663710413 -0500
1751
This module matches the 6 bit DSCP field within the TOS field in the
1752
IP header. DSCP has superseded TOS within the IETF.
1754
-.BI "--dscp " "value"
1755
+.BI "\-\-dscp " "value"
1756
Match against a numeric (decimal or hex) value [0-63].
1758
-.BI "--dscp-class " "\fIDiffServ Class\fP"
1759
+.BI "\-\-dscp-class " "\fIDiffServ Class\fP"
1760
Match the DiffServ class. This value may be any of the
1761
BE, EF, AFxx or CSx classes. It will then be converted
1762
into its according numeric value.
1763
Index: b/iptables/extensions/libxt_esp.man
1764
===================================================================
1765
--- a/iptables/extensions/libxt_esp.man 2007-12-22 07:44:18.000000000 -0500
1766
+++ b/iptables/extensions/libxt_esp.man 2008-02-18 09:57:13.663710413 -0500
1768
This module matches the SPIs in ESP header of IPsec packets.
1770
-.BR "--espspi " "[!] \fIspi\fP[:\fIspi\fP]"
1771
+.BR "\-\-espspi " "[!] \fIspi\fP[:\fIspi\fP]"
1772
Index: b/iptables/extensions/libxt_hashlimit.man
1773
===================================================================
1774
--- a/iptables/extensions/libxt_hashlimit.man 2008-02-18 09:57:13.599710947 -0500
1775
+++ b/iptables/extensions/libxt_hashlimit.man 2008-02-18 09:57:13.663710413 -0500
1778
with a single iptables rule.
1780
-.BI "--hashlimit " "rate"
1781
+.BI "\-\-hashlimit " "rate"
1782
A rate just like the limit match
1784
-.BI "--hashlimit-burst " "num"
1785
+.BI "\-\-hashlimit-burst " "num"
1786
Burst value, just like limit match
1788
-.BI "--hashlimit-mode " "dstip,srcip,dstport,srcport"
1789
+.BI "\-\-hashlimit-mode " "dstip,srcip,dstport,srcport"
1790
A comma-separated list of objects to take into consideration
1792
-.BI "--hashlimit-name " "foo"
1793
+.BI "\-\-hashlimit-name " "foo"
1794
The name for the /proc/net/ipt_hashlimit/foo entry
1796
-.BI "--hashlimit-htable-size " "num"
1797
+.BI "\-\-hashlimit-htable-size " "num"
1798
The number of buckets of the hash table
1800
-.BI "--hashlimit-htable-max " "num"
1801
+.BI "\-\-hashlimit-htable-max " "num"
1802
Maximum entries in the hash
1804
-.BI "--hashlimit-htable-expire " "num"
1805
+.BI "\-\-hashlimit-htable-expire " "num"
1806
After how many milliseconds do hash entries expire
1808
-.BI "--hashlimit-htable-gcinterval " "num"
1809
+.BI "\-\-hashlimit-htable-gcinterval " "num"
1810
How many milliseconds between garbage collection intervals
1811
Index: b/iptables/extensions/libxt_helper.man
1812
===================================================================
1813
--- a/iptables/extensions/libxt_helper.man 2007-12-22 07:44:18.000000000 -0500
1814
+++ b/iptables/extensions/libxt_helper.man 2008-02-18 09:57:13.663710413 -0500
1816
This module matches packets related to a specific conntrack-helper.
1818
-.BI "--helper " "string"
1819
+.BI "\-\-helper " "string"
1820
Matches packets related to the specified conntrack-helper.
1823
string can be "ftp" for packets related to a ftp-session on default port.
1824
-For other ports append -portnr to the value, ie. "ftp-2121".
1825
+For other ports append \-portnr to the value, ie. "ftp-2121".
1827
Same rules apply for other conntrack-helpers.
1829
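Review bot: The changed line in libxt_helper.man escapes the hyphen in "\-portnr" but leaves the example value "ftp-2121" on the same line with a bare "-". That string is what a user types after \-\-helper, so it should be typeset as an ASCII minus as well; suggest "ftp\-2121".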
Index: b/iptables/extensions/libxt_limit.man
1830
===================================================================
1831
--- a/iptables/extensions/libxt_limit.man 2007-12-22 07:44:18.000000000 -0500
1832
+++ b/iptables/extensions/libxt_limit.man 2008-02-18 09:57:13.663710413 -0500
1835
target to give limited logging, for example.
1837
-.BI "--limit " "rate"
1838
+.BI "\-\-limit " "rate"
1839
Maximum average matching rate: specified as a number, with an optional
1840
`/second', `/minute', `/hour', or `/day' suffix; the default is
1843
-.BI "--limit-burst " "number"
1844
+.BI "\-\-limit-burst " "number"
1845
Maximum initial number of packets to match: this number gets
1846
recharged by one every time the limit specified above is not reached,
1847
up to this number; the default is 5.
1848
Index: b/iptables/extensions/libxt_mac.man
1849
===================================================================
1850
--- a/iptables/extensions/libxt_mac.man 2007-12-22 07:44:18.000000000 -0500
1851
+++ b/iptables/extensions/libxt_mac.man 2008-02-18 09:57:13.663710413 -0500
1854
-.BR "--mac-source " "[!] \fIaddress\fP"
1855
+.BR "\-\-mac-source " "[!] \fIaddress\fP"
1856
Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX.
1857
Note that this only makes sense for packets coming from an Ethernet device
1859
Index: b/iptables/extensions/libxt_mark.man
1860
===================================================================
1861
--- a/iptables/extensions/libxt_mark.man 2007-12-22 07:44:18.000000000 -0500
1862
+++ b/iptables/extensions/libxt_mark.man 2008-02-18 09:57:13.663710413 -0500
1867
-.BR "--mark " "\fIvalue\fP[/\fImask\fP]"
1868
+.BR "\-\-mark " "\fIvalue\fP[/\fImask\fP]"
1869
Matches packets with the given unsigned mark value (if a \fImask\fP is
1870
specified, this is logically ANDed with the \fImask\fP before the
1872
Index: b/iptables/extensions/libxt_physdev.man
1873
===================================================================
1874
--- a/iptables/extensions/libxt_physdev.man 2008-02-18 09:57:13.591711253 -0500
1875
+++ b/iptables/extensions/libxt_physdev.man 2008-02-18 09:57:13.663710413 -0500
1877
a transparent bridging IP firewall and is only useful for kernel versions
1878
above version 2.5.44.
1880
-.BR --physdev-in " [!] \fIname\fP"
1881
+.BR \-\-physdev-in " [!] \fIname\fP"
1882
Name of a bridge port via which a packet is received (only for
1883
packets entering the
1886
interface which begins with this name will match. If the packet didn't arrive
1887
through a bridge device, this packet won't match this option, unless \&'!' is used.
1889
-.BR --physdev-out " [!] \fIname\fP"
1890
+.BR \-\-physdev-out " [!] \fIname\fP"
1891
Name of a bridge port via which a packet is going to be sent (for packets
1895
the output device will be, then the packet won't match this option, unless
1898
-.RB "[!] " --physdev-is-in
1899
+.RB "[!] " \-\-physdev-is-in
1900
Matches if the packet has entered through a bridge interface.
1902
-.RB "[!] " --physdev-is-out
1903
+.RB "[!] " \-\-physdev-is-out
1904
Matches if the packet will leave through a bridge interface.
1906
-.RB "[!] " --physdev-is-bridged
1907
+.RB "[!] " \-\-physdev-is-bridged
1908
Matches if the packet is being bridged and therefore is not being routed.
1909
This is only useful in the FORWARD and POSTROUTING chains.
1910
Index: b/iptables/extensions/libxt_pkttype.man
1911
===================================================================
1912
--- a/iptables/extensions/libxt_pkttype.man 2007-12-22 07:44:18.000000000 -0500
1913
+++ b/iptables/extensions/libxt_pkttype.man 2008-02-18 09:57:13.663710413 -0500
1915
This module matches the link-layer packet type.
1917
-.BI "--pkt-type " "[\fIunicast\fP|\fIbroadcast\fP|\fImulticast\fP]"
1918
+.BI "\-\-pkt-type " "[\fIunicast\fP|\fIbroadcast\fP|\fImulticast\fP]"
1919
Index: b/iptables/extensions/libxt_quota.man
1920
===================================================================
1921
--- a/iptables/extensions/libxt_quota.man 2007-12-22 07:44:18.000000000 -0500
1922
+++ b/iptables/extensions/libxt_quota.man 2008-02-18 09:57:13.667710664 -0500
1924
Implements network quotas by decrementing a byte counter with each
1927
-.BI "--quota " "bytes"
1928
+.BI "\-\-quota " "bytes"
1931
Index: b/iptables/extensions/libxt_sctp.man
1932
===================================================================
1933
--- a/iptables/extensions/libxt_sctp.man 2007-12-22 07:44:18.000000000 -0500
1934
+++ b/iptables/extensions/libxt_sctp.man 2008-02-18 09:57:13.667710664 -0500
1937
-\fB--source-port\fR,\fB--sport \fR[\fB!\fR] \fIport\fR[\fB:\fIport\fR]
1938
+\fB\-\-source-port\fR,\fB\-\-sport \fR[\fB!\fR] \fIport\fR[\fB:\fIport\fR]
1940
-\fB--destination-port\fR,\fB--dport \fR[\fB!\fR] \fIport\fR[\fB:\fIport\fR]
1941
+\fB\-\-destination-port\fR,\fB\-\-dport \fR[\fB!\fR] \fIport\fR[\fB:\fIport\fR]
1943
-\fB--chunk-types\fR [\fB!\fR] \fBall\fR|\fBany\fR|\fBonly \fIchunktype\fR[\fB:\fIflags\fR] [...]
1944
+\fB\-\-chunk-types\fR [\fB!\fR] \fBall\fR|\fBany\fR|\fBonly \fIchunktype\fR[\fB:\fIflags\fR] [...]
1945
The flag letter in upper case indicates that the flag is to match if set,
1946
in the lower case indicates to match if unset.
1952
-iptables -A INPUT -p sctp --dport 80 -j DROP
1953
+iptables \-A INPUT \-p sctp \-\-dport 80 \-j DROP
1955
-iptables -A INPUT -p sctp --chunk-types any DATA,INIT -j DROP
1956
+iptables \-A INPUT \-p sctp \-\-chunk-types any DATA,INIT \-j DROP
1958
-iptables -A INPUT -p sctp --chunk-types any DATA:Be -j ACCEPT
1959
+iptables \-A INPUT \-p sctp \-\-chunk-types any DATA:Be \-j ACCEPT
1960
Index: b/iptables/extensions/libxt_state.man
1961
===================================================================
1962
--- a/iptables/extensions/libxt_state.man 2007-12-22 07:44:18.000000000 -0500
1963
+++ b/iptables/extensions/libxt_state.man 2008-02-18 09:57:13.667710664 -0500
1965
This module, when combined with connection tracking, allows access to
1966
the connection tracking state for this packet.
1968
-.BI "--state " "state"
1969
+.BI "\-\-state " "state"
1970
Where state is a comma separated list of the connection states to
1971
match. Possible states are
1973
Index: b/iptables/extensions/libxt_statistic.man
1974
===================================================================
1975
--- a/iptables/extensions/libxt_statistic.man 2007-12-22 07:44:18.000000000 -0500
1976
+++ b/iptables/extensions/libxt_statistic.man 2008-02-18 09:57:13.667710664 -0500
1978
This module matches packets based on some statistic condition.
1979
It supports two distinct modes settable with the
1986
-.BI "--mode " "mode"
1987
+.BI "\-\-mode " "mode"
1988
Set the matching mode of the matching rule, supported modes are
1993
-.BI "--probability " "p"
1994
+.BI "\-\-probability " "p"
1995
Set the probability from 0 to 1 for a packet to be randomly
1996
matched. It works only with the
2001
+.BI "\-\-every " "n"
2002
Match one packet every nth packet. It works only with the
2009
-.BI "--packet " "p"
2010
+.BI "\-\-packet " "p"
2011
Set the initial counter value (0 <= p <= n-1, default 0) for the
2014
Index: b/iptables/extensions/libxt_string.man
2015
===================================================================
2016
--- a/iptables/extensions/libxt_string.man 2007-12-22 07:44:18.000000000 -0500
2017
+++ b/iptables/extensions/libxt_string.man 2008-02-18 09:57:13.667710664 -0500
2019
This modules matches a given string by using some pattern matching strategy. It requires a linux kernel >= 2.6.14.
2021
-.BI "--algo " "bm|kmp"
2022
+.BI "\-\-algo " "bm|kmp"
2023
Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris)
2025
-.BI "--from " "offset"
2026
+.BI "\-\-from " "offset"
2027
Set the offset from which it starts looking for any matching. If not passed, default is 0.
2029
-.BI "--to " "offset"
2030
+.BI "\-\-to " "offset"
2031
Set the offset from which it starts looking for any matching. If not passed, default is the packet size.
2033
-.BI "--string " "pattern"
2034
+.BI "\-\-string " "pattern"
2035
Matches the given pattern.
2036
-.BI "--hex-string " "pattern"
2037
+.BI "\-\-hex-string " "pattern"
2038
Matches the given pattern in hex notation.
2039
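Review bot: The description under \-\-to is word for word the \-\-from text ("Set the offset from which it starts looking for any matching"), while its default is given as the packet size, so it reads as the end of the search range rather than the start. Since every option line in this file is being rewritten, suggest correcting that sentence in the same pass. "Knuth-Pratt-Morris" on the \-\-algo line is also normally written Knuth-Morris-Pratt.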
Index: b/iptables/extensions/libxt_tcpmss.man
2040
===================================================================
2041
--- a/iptables/extensions/libxt_tcpmss.man 2007-12-22 07:44:18.000000000 -0500
2042
+++ b/iptables/extensions/libxt_tcpmss.man 2008-02-18 09:57:13.667710664 -0500
2044
This matches the TCP MSS (maximum segment size) field of the TCP header. You can only use this on TCP SYN or SYN/ACK packets, since the MSS is only negotiated during the TCP handshake at connection startup time.
2046
-.BI "[!] "--mss " value[:value]"
2047
+.BI "[!] "\-\-mss " value[:value]"
2048
Match a given TCP MSS value or range.
2049
Index: b/iptables/extensions/libxt_time.man
2050
===================================================================
2051
--- a/iptables/extensions/libxt_time.man 2007-12-22 07:44:18.000000000 -0500
2052
+++ b/iptables/extensions/libxt_time.man 2008-02-18 10:02:03.859710286 -0500
2054
This matches if the packet arrival time/date is within a given range. All
2055
options are optional, but are ANDed when specified.
2057
-\fB--datestart\fR \fIYYYY\fR[\fB-\fR\fIMM\fR[\fB-\fR\fIDD\fR[\fBT\fR\fIhh\fR[\fB:\fR\fImm\fR[\fB:\fR\fIss\fR]]]]]
2058
+\fB\-\-datestart\fR \fIYYYY\fR[\fB\-\fR\fIMM\fR[\fB\-\fR\fIDD\fR[\fBT\fR\fIhh\fR[\fB:\fR\fImm\fR[\fB:\fR\fIss\fR]]]]]
2060
-\fB--datestop\fR \fIYYYY\fR[\fB-\fR\fIMM\fR[\fB-\fR\fIDD\fR[\fBT\fR\fIhh\fR[\fB:\fR\fImm\fR[\fB:\fR\fIss\fR]]]]]
2061
+\fB\-\-datestop\fR \fIYYYY\fR[\fB\-\fR\fIMM\fR[\fB\-\fR\fIDD\fR[\fBT\fR\fIhh\fR[\fB:\fR\fImm\fR[\fB:\fR\fIss\fR]]]]]
2063
Only match during the given time, which must be in ISO 8601 "T" notation.
2064
-The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07.
2065
+The possible time range is 1970\-01\-01T00:00:00 to 2038\-01\-19T04:17:07.
2067
-If --datestart or --datestop are not specified, it will default to 1970-01-01
2068
+If \-\-datestart or \-\-datestop are not specified, it will default to 1970-01-01
2069
and 2038-01-19, respectively.
2071
-\fB--timestart\fR \fIhh\fR\fB:\fR\fImm\fR[\fB:\fR\fIss\fR]
2072
+\fB\-\-timestart\fR \fIhh\fR\fB:\fR\fImm\fR[\fB:\fR\fIss\fR]
2074
-\fB--timestop\fR \fIhh\fR\fB:\fR\fImm\fR[\fB:\fR\fIss\fR]
2075
+\fB\-\-timestop\fR \fIhh\fR\fB:\fR\fImm\fR[\fB:\fR\fIss\fR]
2077
Only match during the given daytime. The possible time range is 00:00:00 to
2078
23:59:59. Leading zeroes are allowed (e.g. "06:03") and correctly interpreted
2081
-[\fB!\fR] \fB--monthday\fR \fIday\fR[\fB,\fR\fIday\fR...]
2082
+[\fB!\fR] \fB\-\-monthday\fR \fIday\fR[\fB,\fR\fIday\fR...]
2084
Only match on the given days of the month. Possible values are \fB1\fR
2085
to \fB31\fR. Note that specifying \fB31\fR will of course not match
2086
-on months which do not have a 31st day; the same goes for 28- or 29-day
2087
+on months which do not have a 31st day; the same goes for 28\- or 29\-day
2090
-[\fB!\fR] \fB--weekdays\fR \fIday\fR[\fB,\fR\fIday\fR...]
2091
+[\fB!\fR] \fB\-\-weekdays\fR \fIday\fR[\fB,\fR\fIday\fR...]
2093
Only match on the given weekdays. Possible values are \fBMon\fR, \fBTue\fR,
2094
\fBWed\fR, \fBThu\fR, \fBFri\fR, \fBSat\fR, \fBSun\fR, or values from \fB1\fR
2095
to \fB7\fR, respectively. You may also use two-character variants (\fBMo\fR,
2101
-Interpret the times given for \fB--datestart\fR, \fB--datestop\fR,
2102
-\fB--timestart\fR and \fB--timestop\fR to be UTC.
2103
+Interpret the times given for \fB\-\-datestart\fR, \fB\-\-datestop\fR,
2104
+\fB\-\-timestart\fR and \fB\-\-timestop\fR to be UTC.
2109
-Interpret the times given for \fB--datestart\fR, \fB--datestop\fR,
2110
-\fB--timestart\fR and \fB--timestop\fR to be local kernel time. (Default)
2111
+Interpret the times given for \fB\-\-datestart\fR, \fB\-\-datestop\fR,
2112
+\fB\-\-timestart\fR and \fB\-\-timestop\fR to be local kernel time. (Default)
2114
EXAMPLES. To match on weekends, use:
2116
--m time --weekdays Sa,Su
2117
+\-m time \-\-weekdays Sa,Su
2119
Or, to match (once) on a national holiday block:
2121
--m time --datestart 2007-12-24 --datestop 2007-12-27
2122
+\-m time \-\-datestart 2007\-12\-24 \-\-datestop 2007\-12\-27
2124
Since the stop time is actually inclusive, you would need the following stop
2125
time to not match the first second of the new day:
2127
--m time --datestart 2007-01-01T17:00 --datestop 2007-01-01T23:59:59
2128
+\-m time \-\-datestart 2007\-01\-01T17:00 \-\-datestop 2007\-01\-01T23:59:59
2132
--m time --timestart 12:30 --timestop 13:30
2133
+\-m time \-\-timestart 12:30 \-\-timestop 13:30
2135
The fourth Friday in the month:
2137
--m time --weekdays Fr --monthdays 22,23,24,25,26,27,28
2138
+\-m time \-\-weekdays Fr \-\-monthdays 22,23,24,25,26,27,28
2140
(Note that this exploits a certain mathematical property. It is not possible to
2141
say "fourth Thursday OR fourth Friday" in one rule. It is possible with
2142
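Review bot: Date escaping is inconsistent within libxt_time.man: "1970\-01\-01T00:00:00 to 2038\-01\-19T04:17:07" is escaped, but the next changed line still ends in "1970-01-01" and the context line after it keeps "2038-01-19". These are values a user types, so they should all get the same treatment. Two smaller points: "28\- or 29\-day" is ordinary prose hyphenation and does not need a minus sign, and the last example uses "\-\-monthdays" while the option is documented above as "\-\-monthday"; one of the two spellings should be checked against the option table and corrected.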
Index: b/iptables/extensions/libxt_u32.man
2143
===================================================================
2144
--- a/iptables/extensions/libxt_u32.man 2007-12-22 07:44:18.000000000 -0500
2145
+++ b/iptables/extensions/libxt_u32.man 2008-02-18 09:57:13.667710664 -0500
2147
specified values. The specification of what to extract is general enough to
2148
find data at given offsets from tcp headers or payloads.
2150
-[\fB!\fR]\fB --u32 \fItests\fR
2151
+[\fB!\fR]\fB \-\-u32 \fItests\fR
2152
The argument amounts to a program in a small language described below.
2154
tests := location "=" value | tests "&&" location "=" value
2157
The IP header contains a total length field in bytes 2-3.
2159
---u32 "\fB0 & 0xFFFF = 0x100:0xFFFF\fR"
2160
+-\-u32 "\fB0 & 0xFFFF = 0x100:0xFFFF\fR"
2166
First test that it is an ICMP packet, true iff byte 9 (protocol) = 1
2168
---u32 "\fB6 & 0xFF = 1 &&\fR ...
2169
+-\-u32 "\fB6 & 0xFF = 1 &&\fR ...
2171
read bytes 6-9, use \fB&\fR to throw away bytes 6-8 and compare the result to
2172
1. Next test that it is not a fragment. (If so, it might be part of such a
2175
First we test that the packet is a tcp packet (similar to ICMP).
2177
---u32 "\fB6 & 0xFF = 6 &&\fR ...
2178
+-\-u32 "\fB6 & 0xFF = 6 &&\fR ...
2180
Next, test that it is not a fragment (same as above).
2182
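Review bot: The three example lines in libxt_u32.man come out as "-\-u32", with only the second hyphen escaped, whereas the option heading in the same file is "\-\-u32". The leading bare "-" will still be typeset as a hyphen, so copy and paste from the rendered page can still fail; these should read "\-\-u32" as well.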
Index: b/iptables/extensions/libxt_udp.man
2183
===================================================================
2184
--- a/iptables/extensions/libxt_udp.man 2007-12-22 07:44:18.000000000 -0500
2185
+++ b/iptables/extensions/libxt_udp.man 2008-02-18 09:57:13.667710664 -0500
2187
-These extensions can be used if `--protocol udp' is specified. It
2188
+These extensions can be used if `-\-protocol udp' is specified. It
2189
provides the following options:
2191
-.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
2192
+.BR "\-\-source-port " "[!] \fIport\fP[:\fIport\fP]"
2193
Source port or port range specification.
2194
See the description of the
2197
option of the TCP extension for details.
2199
-.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
2200
+.BR "\-\-destination-port " "[!] \fIport\fP[:\fIport\fP]"
2201
Destination port or port range specification.
2202
See the description of the
2203
-.B --destination-port
2204
+.B \-\-destination-port
2205
option of the TCP extension for details.
2206
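Review bot: In the first changed line of libxt_udp.man, `-\-protocol udp' escapes only the second hyphen, while every other option in this file becomes "\-\-...". Suggest `\-\-protocol udp' so the first dash is not left as a typographic hyphen.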
Index: b/iptables/ip6tables-restore.8
2207
===================================================================
2208
--- a/iptables/ip6tables-restore.8 2007-01-23 07:50:01.000000000 -0500
2209
+++ b/iptables/ip6tables-restore.8 2008-02-18 09:57:13.667710664 -0500
2212
ip6tables-restore \- Restore IPv6 Tables
2214
-.BR "ip6tables-restore " "[-c] [-n]"
2215
+.BR "ip6tables-restore " "[\-c] [\-n]"
2219
Index: b/iptables/ip6tables-save.8
2220
===================================================================
2221
--- a/iptables/ip6tables-save.8 2007-01-23 07:50:01.000000000 -0500
2222
+++ b/iptables/ip6tables-save.8 2008-02-18 09:57:13.667710664 -0500
2225
ip6tables-save \- Save IPv6 Tables
2227
-.BR "ip6tables-save " "[-c] [-t table]"
2228
+.BR "ip6tables-save " "[\-c] [\-t table]"
2232
Index: b/iptables/ip6tables.8.in
2233
===================================================================
2234
--- a/iptables/ip6tables.8.in 2008-02-18 09:57:13.599710947 -0500
2235
+++ b/iptables/ip6tables.8.in 2008-02-18 09:57:13.667710664 -0500
2238
ip6tables \- IPv6 packet filter administration
2240
-.BR "ip6tables [-t table] -[AD] " "chain rule-specification [options]"
2241
+.BR "ip6tables [\-t table] \-[AD] " "chain rule-specification [options]"
2243
-.BR "ip6tables [-t table] -I " "chain [rulenum] rule-specification [options]"
2244
+.BR "ip6tables [\-t table] \-I " "chain [rulenum] rule-specification [options]"
2246
-.BR "ip6tables [-t table] -R " "chain rulenum rule-specification [options]"
2247
+.BR "ip6tables [\-t table] \-R " "chain rulenum rule-specification [options]"
2249
-.BR "ip6tables [-t table] -D " "chain rulenum [options]"
2250
+.BR "ip6tables [\-t table] \-D " "chain rulenum [options]"
2252
-.BR "ip6tables [-t table] -[LFZ] " "[chain] [options]"
2253
+.BR "ip6tables [\-t table] \-[LFZ] " "[chain] [options]"
2255
-.BR "ip6tables [-t table] -N " "chain"
2256
+.BR "ip6tables [\-t table] \-N " "chain"
2258
-.BR "ip6tables [-t table] -X " "[chain]"
2259
+.BR "ip6tables [\-t table] \-X " "[chain]"
2261
-.BR "ip6tables [-t table] -P " "chain target [options]"
2262
+.BR "ip6tables [\-t table] \-P " "chain target [options]"
2264
-.BR "ip6tables [-t table] -E " "old-chain-name new-chain-name"
2265
+.BR "ip6tables [\-t table] \-E " "old-chain-name new-chain-name"
2268
is used to set up, maintain, and inspect the tables of IPv6 packet
2270
at any time depends on the kernel configuration options and which
2271
modules are present), as nat table has not been implemented yet.
2273
-.BI "-t, --table " "table"
2274
+.BI "\-t, \-\-table " "table"
2275
This option specifies the packet matching table which the command
2276
should operate on. If the kernel is configured with automatic module
2277
loading, an attempt will be made to load the appropriate module for
2282
-This is the default table (if no -t option is passed). It contains
2283
+This is the default table (if no \-t option is passed). It contains
2286
(for packets coming into the box itself),
2287
@@ -154,89 +154,89 @@
2289
can differentiate it from all other options.
2291
-.BI "-A, --append " "chain rule-specification"
2292
+.BI "\-A, \-\-append " "chain rule-specification"
2293
Append one or more rules to the end of the selected chain.
2294
When the source and/or destination names resolve to more than one
2295
address, a rule will be added for each possible address combination.
2297
-.BI "-D, --delete " "chain rule-specification"
2298
+.BI "\-D, \-\-delete " "chain rule-specification"
2301
-.BI "-D, --delete " "chain rulenum"
2302
+.BI "\-D, \-\-delete " "chain rulenum"
2303
Delete one or more rules from the selected chain. There are two
2304
versions of this command: the rule can be specified as a number in the
2305
chain (starting at 1 for the first rule) or a rule to match.
2308
+.B "\-I, \-\-insert"
2309
Insert one or more rules in the selected chain as the given rule
2310
number. So, if the rule number is 1, the rule or rules are inserted
2311
at the head of the chain. This is also the default if no rule number
2314
-.BI "-R, --replace " "chain rulenum rule-specification"
2315
+.BI "\-R, \-\-replace " "chain rulenum rule-specification"
2316
Replace a rule in the selected chain. If the source and/or
2317
destination names resolve to multiple addresses, the command will
2318
fail. Rules are numbered starting at 1.
2320
-.BR "-L, --list " "[\fIchain\fP]"
2321
+.BR "\-L, \-\-list " "[\fIchain\fP]"
2322
List all rules in the selected chain. If no chain is selected, all
2323
chains are listed. As every other iptables command, it applies to the
2324
specified table (filter is the default), so mangle rules get listed by
2326
- ip6tables -t mangle -n -L
2327
+ ip6tables \-t mangle \-n \-L
2329
Please note that it is often used with the
2332
option, in order to avoid long reverse DNS lookups.
2333
It is legal to specify the
2336
(zero) option as well, in which case the chain(s) will be atomically
2337
listed and zeroed. The exact output is affected by the other
2338
arguments given. The exact rules are suppressed until you use
2344
-.BR "-F, --flush " "[\fIchain\fP]"
2345
+.BR "\-F, \-\-flush " "[\fIchain\fP]"
2346
Flush the selected chain (all the chains in the table if none is given).
2347
This is equivalent to deleting all the rules one by one.
2349
-.BR "-Z, --zero " "[\fIchain\fP]"
2350
+.BR "\-Z, \-\-zero " "[\fIchain\fP]"
2351
Zero the packet and byte counters in all chains. It is legal to
2355
(list) option as well, to see the counters immediately before they are
2356
cleared. (See above.)
2358
-.BI "-N, --new-chain " "chain"
2359
+.BI "\-N, \-\-new-chain " "chain"
2360
Create a new user-defined chain by the given name. There must be no
2361
target of that name already.
2363
-.BR "-X, --delete-chain " "[\fIchain\fP]"
2364
+.BR "\-X, \-\-delete-chain " "[\fIchain\fP]"
2365
Delete the optional user-defined chain specified. There must be no references
2366
to the chain. If there are, you must delete or replace the referring
2367
rules before the chain can be deleted. If no argument is given, it
2368
will attempt to delete every non-builtin chain in the table.
2370
-.BI "-P, --policy " "chain target"
2371
+.BI "\-P, \-\-policy " "chain target"
2372
Set the policy for the chain to the given target. See the section
2374
for the legal targets. Only built-in (non-user-defined) chains can have
2375
policies, and neither built-in nor user-defined chains can be policy
2378
-.BI "-E, --rename-chain " "old-chain new-chain"
2379
+.BI "\-E, \-\-rename-chain " "old-chain new-chain"
2380
Rename the user specified chain to the user supplied name. This is
2381
cosmetic, and has no effect on the structure of the table.
2386
Give a (currently very brief) description of the command syntax.
2388
The following parameters make up a rule specification (as used in the
2389
add, delete, insert, replace and append commands).
2391
-.BR "-p, --protocol " "[!] \fIprotocol\fP"
2392
+.BR "\-p, \-\-protocol " "[!] \fIprotocol\fP"
2393
The protocol of the rule or of the packet to check.
2394
The specified protocol can be one of
2397
will match with all protocols and is taken as default when this
2400
-.BR "-s, --source " "[!] \fIaddress\fP[/\fImask\fP]"
2401
+.BR "\-s, \-\-source " "[!] \fIaddress\fP[/\fImask\fP]"
2402
Source specification.
2404
can be either a hostname (please note that specifying
2405
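Review bot: .B "\-I, \-\-insert" in this hunk has no argument list, although its description refers to "the given rule number" and the synopsis at the top of the file gives "\-I" with "chain [rulenum] rule-specification". The neighbouring \-A, \-D and \-R entries all use .BI with their arguments; suggest giving \-I the same form while the line is being touched.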
@@ -278,18 +278,18 @@
2406
.IR ffff:ffff:ffff:ffff:0000:0000:0000:0000 .
2407
A "!" argument before the address specification inverts the sense of
2408
the address. The flag
2411
is an alias for this option.
2413
-.BR "-d, --destination " "[!] \fIaddress\fP[/\fImask\fP]"
2414
+.BR "\-d, \-\-destination " "[!] \fIaddress\fP[/\fImask\fP]"
2415
Destination specification.
2416
See the description of the
2419
(source) flag for a detailed description of the syntax. The flag
2422
is an alias for this option.
2424
-.BI "-j, --jump " "target"
2425
+.BI "\-j, \-\-jump " "target"
2426
This specifies the target of the rule; i.e., what to do if the packet
2427
matches it. The target can be a user-defined chain (other than the
2428
one this rule is in), one of the special builtin targets which decide
2430
effect on the packet's fate, but the counters on the rule will be
2433
-.BR "-i, --in-interface " "[!] \fIname\fP"
2434
+.BR "\-i, \-\-in-interface " "[!] \fIname\fP"
2435
Name of an interface via which a packet is going to be received (only for
2436
packets entering the
2439
interface which begins with this name will match. If this option is
2440
omitted, any interface name will match.
2442
-.BR "-o, --out-interface " "[!] \fIname\fP"
2443
+.BR "\-o, \-\-out-interface " "[!] \fIname\fP"
2444
Name of an interface via which a packet is going to be sent (for packets
2447
@@ -325,15 +325,15 @@
2449
.\" Currently not supported (header-based)
2451
-.\" .B "[!] " "-f, --fragment"
2452
+.\" .B "[!] " "\-f, \-\-fragment"
2453
.\" This means that the rule only refers to second and further fragments
2454
.\" of fragmented packets. Since there is no way to tell the source or
2455
.\" destination ports of such a packet (or ICMP type), such a packet will
2456
.\" not match any rules which specify them. When the "!" argument
2457
-.\" precedes the "-f" flag, the rule will only match head fragments, or
2458
+.\" precedes the "\-f" flag, the rule will only match head fragments, or
2459
.\" unfragmented packets.
2461
-.B "-c, --set-counters " "PKTS BYTES"
2462
+.B "\-c, \-\-set-counters " "PKTS BYTES"
2463
This enables the administrator to initialize the packet and byte
2464
counters of a rule (during
2466
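Review bot: .B "\-c, \-\-set-counters " "PKTS BYTES" passes two arguments to .B, so the placeholder is set in bold like the option itself. The other option-plus-argument entries in this file (\-t, \-A, \-j) use .BI; suggest switching this line to .BI while it is being edited.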
@@ -343,57 +343,57 @@
2468
The following additional options can be specified:
2471
+.B "\-v, \-\-verbose"
2472
Verbose output. This option makes the list command show the interface
2473
name, the rule options (if any), and the TOS masks. The packet and
byte counters are also listed, with the suffix 'K', 'M' or 'G' for
1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see
flag to change this).
For appending, insertion, deletion and replacement, this causes
detailed information on the rule or rules to be printed.
+.B "\-n, \-\-numeric"
IP addresses and port numbers will be printed in numeric format.
By default, the program will try to display them as host names,
network names, or services (whenever applicable).
+.B "\-x, \-\-exact"
Display the exact value of the packet and byte counters,
instead of only the rounded number in K's (multiples of 1000)
M's (multiples of 1000K) or G's (multiples of 1000M). This option is
only relevant for the
-.B "--line-numbers"
+.B "\-\-line-numbers"
When listing rules, add line numbers to the beginning of each rule,
corresponding to that rule's position in the chain.
-.B "--modprobe=command"
+.B "\-\-modprobe=command"
When adding or inserting rules into a chain, use
to load any necessary modules (targets, match extensions, etc).
.SH MATCH EXTENSIONS
ip6tables can use extended packet matching modules. These are loaded
in two ways: implicitly, when
is specified, or with the
options, followed by the matching module name; after these, various
extra command line options become available, depending on the specific
module. You can specify multiple extended match modules in one line,
options after the module has been specified to receive help specific
would pass through all three.
The other main difference is that
refers to the input interface;
refers to the output interface, and both are available for packets
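Review bot: `.B "\-\-modprobe=command"` in this hunk sets the placeholder `command` in bold together with the option name, so the rendered page does not distinguish the literal part from the value the administrator supplies. This predates the patch, but as the line is rewritten here it could become `.BI "\-\-modprobe=" "command"`.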
@@ -443,11 +443,11 @@
.\" confusion over the combination of IP masquerading and packet filtering
.\" seen previously. So the following options are handled differently:
There are several other changes in ip6tables.
Index: b/iptables/iptables-restore.8
===================================================================
--- a/iptables/iptables-restore.8 2007-01-23 07:50:01.000000000 -0500
+++ b/iptables/iptables-restore.8 2008-02-18 09:57:13.667710664 -0500
iptables-restore \- Restore IP Tables
-.BR "iptables-restore " "[-c] [-n]"
+.BR "iptables-restore " "[\-c] [\-n]"
Index: b/iptables/iptables-save.8
===================================================================
--- a/iptables/iptables-save.8 2007-01-23 07:50:01.000000000 -0500
+++ b/iptables/iptables-save.8 2008-02-18 09:57:13.667710664 -0500
iptables-save \- Save IP Tables
-.BR "iptables-save " "[-c] [-t table]"
+.BR "iptables-save " "[\-c] [\-t table]"
Index: b/iptables/iptables-xml.8
===================================================================
--- a/iptables/iptables-xml.8 2007-08-06 04:51:06.000000000 -0400
+++ b/iptables/iptables-xml.8 2008-02-18 09:57:13.671710519 -0500
iptables-xml \- Convert iptables-save format to XML
-.BR "iptables-xml " "[-c] [-v]"
+.BR "iptables-xml " "[\-c] [\-v]"
iptables-xml does a mechanistic conversion to a very expressive xml
-format; the only semantic considerations are for -g and -j targets in
+format; the only semantic considerations are for \-g and \-j targets in
order to discriminate between <call> <goto> and <nane-of-target> as it
helps xml processing scripts if they can tell the difference between a
target like SNAT and another chain.
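Review bot: the context line right after the changed one still reads `<nane-of-target>`, which looks like a typo for `<name-of-target>`; this hunk already rewrites the neighbouring line of the same sentence, so the fix could ride along or go in a follow-up. The escaping of `\-g` and `\-j` itself looks right.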
Index: b/iptables/iptables.8.in
===================================================================
--- a/iptables/iptables.8.in 2008-02-18 09:57:13.599710947 -0500
+++ b/iptables/iptables.8.in 2008-02-18 09:57:13.671710519 -0500
iptables \- administration tool for IPv4 packet filtering and NAT
-.BR "iptables [-t table] -[AD] " "chain rule-specification [options]"
+.BR "iptables [\-t table] \-[AD] " "chain rule-specification [options]"
-.BR "iptables [-t table] -I " "chain [rulenum] rule-specification [options]"
+.BR "iptables [\-t table] \-I " "chain [rulenum] rule-specification [options]"
-.BR "iptables [-t table] -R " "chain rulenum rule-specification [options]"
+.BR "iptables [\-t table] \-R " "chain rulenum rule-specification [options]"
-.BR "iptables [-t table] -D " "chain rulenum [options]"
+.BR "iptables [\-t table] \-D " "chain rulenum [options]"
-.BR "iptables [-t table] -[LFZ] " "[chain] [options]"
+.BR "iptables [\-t table] \-[LFZ] " "[chain] [options]"
-.BR "iptables [-t table] -N " "chain"
+.BR "iptables [\-t table] \-N " "chain"
-.BR "iptables [-t table] -X " "[chain]"
+.BR "iptables [\-t table] \-X " "[chain]"
-.BR "iptables [-t table] -P " "chain target [options]"
+.BR "iptables [\-t table] \-P " "chain target [options]"
-.BR "iptables [-t table] -E " "old-chain-name new-chain-name"
+.BR "iptables [\-t table] \-E " "old-chain-name new-chain-name"
is used to set up, maintain, and inspect the tables of IP packet
at any time depends on the kernel configuration options and which
modules are present).
-.BI "-t, --table " "table"
+.BI "\-t, \-\-table " "table"
This option specifies the packet matching table which the command
should operate on. If the kernel is configured with automatic module
loading, an attempt will be made to load the appropriate module for
-This is the default table (if no -t option is passed). It contains
+This is the default table (if no \-t option is passed). It contains
(for packets destined to local sockets),
@@ -162,90 +162,90 @@
can differentiate it from all other options.
-.BI "-A, --append " "chain rule-specification"
+.BI "\-A, \-\-append " "chain rule-specification"
Append one or more rules to the end of the selected chain.
When the source and/or destination names resolve to more than one
address, a rule will be added for each possible address combination.
-.BI "-D, --delete " "chain rule-specification"
+.BI "\-D, \-\-delete " "chain rule-specification"
-.BI "-D, --delete " "chain rulenum"
+.BI "\-D, \-\-delete " "chain rulenum"
Delete one or more rules from the selected chain. There are two
versions of this command: the rule can be specified as a number in the
chain (starting at 1 for the first rule) or a rule to match.
-.BR "-I, --insert " "\fIchain\fP [\fIrulenum\fP] \fIrule-specification\fP"
+.BR "\-I, \-\-insert " "\fIchain\fP [\fIrulenum\fP] \fIrule-specification\fP"
Insert one or more rules in the selected chain as the given rule
number. So, if the rule number is 1, the rule or rules are inserted
at the head of the chain. This is also the default if no rule number
-.BI "-R, --replace " "chain rulenum rule-specification"
+.BI "\-R, \-\-replace " "chain rulenum rule-specification"
Replace a rule in the selected chain. If the source and/or
destination names resolve to multiple addresses, the command will
fail. Rules are numbered starting at 1.
-.BR "-L, --list " "[\fIchain\fP]"
+.BR "\-L, \-\-list " "[\fIchain\fP]"
List all rules in the selected chain. If no chain is selected, all
chains are listed. Like every other iptables command, it applies to the
specified table (filter is the default), so NAT rules get listed by
- iptables -t nat -n -L
+ iptables \-t nat \-n \-L
Please note that it is often used with the
option, in order to avoid long reverse DNS lookups.
It is legal to specify the
(zero) option as well, in which case the chain(s) will be atomically
listed and zeroed. The exact output is affected by the other
arguments given. The exact rules are suppressed until you use
-.BR "-F, --flush " "[\fIchain\fP]"
+.BR "\-F, \-\-flush " "[\fIchain\fP]"
Flush the selected chain (all the chains in the table if none is given).
This is equivalent to deleting all the rules one by one.
-.BR "-Z, --zero " "[\fIchain\fP]"
+.BR "\-Z, \-\-zero " "[\fIchain\fP]"
Zero the packet and byte counters in all chains. It is legal to
(list) option as well, to see the counters immediately before they are
cleared. (See above.)
-.BI "-N, --new-chain " "chain"
+.BI "\-N, \-\-new-chain " "chain"
Create a new user-defined chain by the given name. There must be no
target of that name already.
-.BR "-X, --delete-chain " "[\fIchain\fP]"
+.BR "\-X, \-\-delete-chain " "[\fIchain\fP]"
Delete the optional user-defined chain specified. There must be no references
to the chain. If there are, you must delete or replace the referring rules
before the chain can be deleted. The chain must be empty, i.e. not contain
any rules. If no argument is given, it will attempt to delete every
non-builtin chain in the table.
-.BI "-P, --policy " "chain target"
+.BI "\-P, \-\-policy " "chain target"
Set the policy for the chain to the given target. See the section
for the legal targets. Only built-in (non-user-defined) chains can have
policies, and neither built-in nor user-defined chains can be policy
-.BI "-E, --rename-chain " "old-chain new-chain"
+.BI "\-E, \-\-rename-chain " "old-chain new-chain"
Rename the user specified chain to the user supplied name. This is
cosmetic, and has no effect on the structure of the table.
Give a (currently very brief) description of the command syntax.
The following parameters make up a rule specification (as used in the
add, delete, insert, replace and append commands).
-.BR "-p, --protocol " "[!] \fIprotocol\fP"
+.BR "\-p, \-\-protocol " "[!] \fIprotocol\fP"
The protocol of the rule or of the packet to check.
The specified protocol can be one of
will match with all protocols and is taken as default when this
-.BR "-s, --source " "[!] \fIaddress\fP[/\fImask\fP]"
+.BR "\-s, \-\-source " "[!] \fIaddress\fP[/\fImask\fP]"
Source specification.
can be either a network name, a hostname (please note that specifying
@@ -279,18 +279,18 @@
A "!" argument before the address specification inverts the sense of
the address. The flag
is an alias for this option.
-.BR "-d, --destination " "[!] \fIaddress\fP[/\fImask\fP]"
+.BR "\-d, \-\-destination " "[!] \fIaddress\fP[/\fImask\fP]"
Destination specification.
See the description of the
(source) flag for a detailed description of the syntax. The flag
is an alias for this option.
-.BI "-j, --jump " "target"
+.BI "\-j, \-\-jump " "target"
This specifies the target of the rule; i.e., what to do if the packet
matches it. The target can be a user-defined chain (other than the
one this rule is in), one of the special builtin targets which decide
@@ -298,18 +298,18 @@
option is omitted in a rule (and
is not used), then matching the rule will have no
effect on the packet's fate, but the counters on the rule will be
-.BI "-g, --goto " "chain"
+.BI "\-g, \-\-goto " "chain"
This specifies that the processing should continue in a user
-specified chain. Unlike the --jump option return will not continue
+specified chain. Unlike the \-\-jump option return will not continue
processing in this chain but instead in the chain that called us via
-.BR "-i, --in-interface " "[!] \fIname\fP"
+.BR "\-i, \-\-in-interface " "[!] \fIname\fP"
Name of an interface via which a packet was received (only for
packets entering the
interface which begins with this name will match. If this option is
omitted, any interface name will match.
-.BR "-o, --out-interface " "[!] \fIname\fP"
+.BR "\-o, \-\-out-interface " "[!] \fIname\fP"
Name of an interface via which a packet is going to be sent (for packets
@@ -333,15 +333,15 @@
interface which begins with this name will match. If this option is
omitted, any interface name will match.
-.B "[!] " "-f, --fragment"
+.B "[!] " "\-f, \-\-fragment"
This means that the rule only refers to second and further fragments
of fragmented packets. Since there is no way to tell the source or
destination ports of such a packet (or ICMP type), such a packet will
not match any rules which specify them. When the "!" argument
-precedes the "-f" flag, the rule will only match head fragments, or
+precedes the "\-f" flag, the rule will only match head fragments, or
unfragmented packets.
-.BI "-c, --set-counters " "PKTS BYTES"
+.BI "\-c, \-\-set-counters " "PKTS BYTES"
This enables the administrator to initialize the packet and byte
counters of a rule (during
@@ -351,57 +351,57 @@
The following additional options can be specified:
+.B "\-v, \-\-verbose"
Verbose output. This option makes the list command show the interface
name, the rule options (if any), and the TOS masks. The packet and
byte counters are also listed, with the suffix 'K', 'M' or 'G' for
1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see
flag to change this).
For appending, insertion, deletion and replacement, this causes
detailed information on the rule or rules to be printed.
+.B "\-n, \-\-numeric"
IP addresses and port numbers will be printed in numeric format.
By default, the program will try to display them as host names,
network names, or services (whenever applicable).
+.B "\-x, \-\-exact"
Display the exact value of the packet and byte counters,
instead of only the rounded number in K's (multiples of 1000)
M's (multiples of 1000K) or G's (multiples of 1000M). This option is
only relevant for the
-.B "--line-numbers"
+.B "\-\-line-numbers"
When listing rules, add line numbers to the beginning of each rule,
corresponding to that rule's position in the chain.
-.B "--modprobe=command"
+.B "\-\-modprobe=command"
When adding or inserting rules into a chain, use
to load any necessary modules (targets, match extensions, etc).
.SH MATCH EXTENSIONS
iptables can use extended packet matching modules. These are loaded
in two ways: implicitly, when
is specified, or with the
options, followed by the matching module name; after these, various
extra command line options become available, depending on the specific
module. You can specify multiple extended match modules in one line,
options after the module has been specified to receive help specific
would pass through all three.
The other main difference is that
refers to the input interface;
refers to the output interface, and both are available for packets
confusion over the combination of IP masquerading and packet filtering
seen previously. So the following options are handled differently:
There are several other changes in iptables.
Index: b/iptables/libipq/ipq_create_handle.3
===================================================================
--- a/iptables/libipq/ipq_create_handle.3 2007-01-23 07:49:50.000000000 -0500
+++ b/iptables/libipq/ipq_create_handle.3 2008-02-18 09:57:13.671710519 -0500
-ipq_create_handle, ipq_destroy_handle - create and destroy libipq handles.
+ipq_create_handle, ipq_destroy_handle \- create and destroy libipq handles.
.B #include <linux/netfilter.h>
.B ipq_destroy_handle
-On failure, -1 is returned.
+On failure, \-1 is returned.
On failure, a descriptive error message will be available
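Review bot: the NAME line `ipq_create_handle, ipq_destroy_handle \- create and destroy libipq handles.` keeps its trailing period, while the NAME lines of the other libipq pages in this patch (ipq_errstr.3, ipq_read.3, ipq_set_mode.3) have none; since NAME lines feed the whatis database, dropping the period here would keep the entries consistent. The `\-1` in the return-value sentence is a correct use of the escape, as it is a minus sign.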
Index: b/iptables/libipq/ipq_errstr.3
===================================================================
--- a/iptables/libipq/ipq_errstr.3 2007-01-23 07:49:50.000000000 -0500
+++ b/iptables/libipq/ipq_errstr.3 2008-02-18 09:57:13.671710519 -0500
-ipq_errstr, ipq_perror - libipq error handling routines
+ipq_errstr, ipq_perror \- libipq error handling routines
.B #include <linux/netfilter.h>
Index: b/iptables/libipq/ipq_message_type.3
===================================================================
--- a/iptables/libipq/ipq_message_type.3 2007-01-23 07:49:50.000000000 -0500
+++ b/iptables/libipq/ipq_message_type.3 2008-02-18 09:57:13.671710519 -0500
-ipq_message_type, ipq_get_packet, ipq_getmsgerr - query queue messages
+ipq_message_type, ipq_get_packet, ipq_getmsgerr \- query queue messages
.B #include <linux/netfilter.h>
Index: b/iptables/libipq/ipq_read.3
===================================================================
--- a/iptables/libipq/ipq_read.3 2007-01-23 07:49:50.000000000 -0500
+++ b/iptables/libipq/ipq_read.3 2008-02-18 09:57:13.671710519 -0500
-ipq_read - read queue messages from ip_queue and read into supplied buffer
+ipq_read \- read queue messages from ip_queue and read into supplied buffer
.B #include <linux/netfilter.h>
functions to access the queue message in the buffer.
-On failure, -1 is returned.
+On failure, \-1 is returned.
On success, a non-zero positive value is returned when no timeout
Index: b/iptables/libipq/ipq_set_mode.3
===================================================================
--- a/iptables/libipq/ipq_set_mode.3 2007-01-23 07:49:50.000000000 -0500
+++ b/iptables/libipq/ipq_set_mode.3 2008-02-18 09:57:13.671710519 -0500
-ipq_set_mode - set the ip_queue queuing mode
+ipq_set_mode \- set the ip_queue queuing mode
.B #include <linux/netfilter.h>
the ip_queue module does not know that a userspace application is ready to
communicate until it receives a message such as this.
-On failure, -1 is returned.
+On failure, \-1 is returned.
On success, a non-zero positive value is returned.
Index: b/iptables/libipq/ipq_set_verdict.3
===================================================================
--- a/iptables/libipq/ipq_set_verdict.3 2007-01-23 07:49:50.000000000 -0500
+++ b/iptables/libipq/ipq_set_verdict.3 2008-02-18 09:57:31.627710501 -0500
-ipq_set_verdict - issue verdict and optionally modified packet to kernel
+ipq_set_verdict \- issue verdict and optionally modified packet to kernel
.B #include <linux/netfilter.h>
The application is responsible for recalculating any packet checksums
when modifying packets.
-On failure, -1 is returned.
+On failure, \-1 is returned.
On success, a non-zero positive value is returned.
Index: b/iptables/extensions/libipt_IPV4OPTSSTRIP.man
===================================================================
--- a/iptables/extensions/libipt_IPV4OPTSSTRIP.man 2008-02-18 09:57:13.551710298 -0500
+++ b/iptables/extensions/libipt_IPV4OPTSSTRIP.man 2008-02-18 09:57:13.671710519 -0500
The target doesn't take any option, and therefore is extremly easy to use :
-# iptables -t mangle -A PREROUTING -j IPV4OPTSSTRIP
+# iptables \-t mangle \-A PREROUTING \-j IPV4OPTSSTRIP
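Review bot: both the `---` and `+++` timestamps for libipt_IPV4OPTSSTRIP.man are from 2008-02-18, unlike the 2007 originals of most other files touched here, which suggests the file is created by an earlier patch in the series; that ordering dependency should be stated in the patch header so this hunk does not fail to apply if the series is reordered. The context line also carries "extremly" (for "extremely") and a stray space before the colon, which would be better fixed in the patch that adds the file.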
Index: b/iptables/libipq/libipq.3
===================================================================
--- a/iptables/libipq/libipq.3 2007-01-23 07:49:50.000000000 -0500
+++ b/iptables/libipq/libipq.3 2008-02-18 09:57:13.671710519 -0500
- # iptables -A OUTPUT -p icmp -j QUEUE
+ # iptables \-A OUTPUT \-p icmp \-j QUEUE
will cause any locally generated ICMP packets (e.g. ping output) to
be sent to the ip_queue module, which will then attempt to deliver the