* Documentation fixes to iptables
@ 2012-10-10 12:26 Jan Engelhardt
  2012-10-10 12:26 ` [PATCH 1/9] doc: rename .8.in files to .8in Jan Engelhardt
                   ` (9 more replies)
  0 siblings, 10 replies; 14+ messages in thread
From: Jan Engelhardt @ 2012-10-10 12:26 UTC
  To: pablo; +Cc: netfilter-devel



I would say this is material that can go into nf/stable as well.

===
The following changes since commit 9921f2b9a241750e4730fc7d486687c6a32779f4:

  build: resolve compile abort in libxt_limit on RHEL5 (2012-10-10 13:28:29 +0200)

are available in the git repository at:

  git://git.inai.de/iptables master

for you to fetch changes up to 60f59034fca30c4b2b5177600e81c6e7f07651a6:

  src: remove faulty deprecated marker in libipt_LOG source (2012-10-10 14:25:25 +0200)

----------------------------------------------------------------
Jan Engelhardt (9):
      doc: rename .8.in files to .8in
      doc: add package version to all manpages
      doc: fixup omissions in ip6tables-restore.8
      doc: document iptables-restore's -t option
      doc: document iptables-restore's -v option
      doc: document iptables-restore's -M option
      doc: document iptables-restore's -h option
      doc: name the supported log levels for ipt_LOG
      src: remove faulty deprecated marker in libipt_LOG source

 extensions/libip6t_LOG.c                                   |    2 +-
 extensions/libip6t_LOG.man                                 |    5 ++++-
 extensions/libipt_LOG.c                                    |    2 +-
 extensions/libipt_LOG.man                                  |    5 ++++-
 iptables/.gitignore                                        |    4 +---
 iptables/Makefile.am                                       |    9 +++------
 iptables/{ip6tables-restore.8 => ip6tables-restore.8in}    |   22 +++++++++++++++++++---
 iptables/{ip6tables-save.8 => ip6tables-save.8in}          |    2 +-
 iptables/{ip6tables.8.in => ip6tables.8in}                 |    2 +-
 iptables/{iptables-apply.8 => iptables-apply.8in}          |    2 +-
 .../{iptables-extensions.8.in => iptables-extensions.8in}  |    2 +-
 iptables/{iptables-restore.8 => iptables-restore.8in}      |   20 +++++++++++++++++---
 iptables/{iptables-save.8 => iptables-save.8in}            |    2 +-
 iptables/{iptables.8.in => iptables.8in}                   |    2 +-
 14 files changed, 56 insertions(+), 25 deletions(-)
 rename iptables/{ip6tables-restore.8 => ip6tables-restore.8in} (72%)
 rename iptables/{ip6tables-save.8 => ip6tables-save.8in} (96%)
 rename iptables/{ip6tables.8.in => ip6tables.8in} (99%)
 rename iptables/{iptables-apply.8 => iptables-apply.8in} (95%)
 rename iptables/{iptables-extensions.8.in => iptables-extensions.8in} (94%)
 rename iptables/{iptables-restore.8 => iptables-restore.8in} (71%)
 rename iptables/{iptables-save.8 => iptables-save.8in} (96%)
 rename iptables/{iptables.8.in => iptables.8in} (99%)


* [PATCH 1/9] doc: rename .8.in files to .8in
  2012-10-10 12:26 Documentation fixes to iptables Jan Engelhardt
@ 2012-10-10 12:26 ` Jan Engelhardt
  2012-10-10 16:20   ` Pablo Neira Ayuso
  2012-10-10 12:26 ` [PATCH 2/9] doc: add package version to all manpages Jan Engelhardt
                   ` (8 subsequent siblings)
  9 siblings, 1 reply; 14+ messages in thread
From: Jan Engelhardt @ 2012-10-10 12:26 UTC
  To: pablo; +Cc: netfilter-devel

This allows us to use a suffix rule for all of the manpages at once,
especially useful in light of the next patch.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 iptables/Makefile.am              |    7 +-
 iptables/ip6tables.8.in           |  433 ------------------------------------
 iptables/ip6tables.8in            |  433 ++++++++++++++++++++++++++++++++++++
 iptables/iptables-extensions.8.in |   27 ---
 iptables/iptables-extensions.8in  |   27 +++
 iptables/iptables.8.in            |  438 -------------------------------------
 iptables/iptables.8in             |  438 +++++++++++++++++++++++++++++++++++++
 7 files changed, 900 insertions(+), 903 deletions(-)
 delete mode 100644 iptables/ip6tables.8.in
 create mode 100644 iptables/ip6tables.8in
 delete mode 100644 iptables/iptables-extensions.8.in
 create mode 100644 iptables/iptables-extensions.8in
 delete mode 100644 iptables/iptables.8.in
 create mode 100644 iptables/iptables.8in

diff --git a/iptables/Makefile.am b/iptables/Makefile.am
index 61e78db..65776a3 100644
--- a/iptables/Makefile.am
+++ b/iptables/Makefile.am
@@ -38,13 +38,10 @@ if ENABLE_IPV6
 v6_sbin_links  = ip6tables ip6tables-restore ip6tables-save
 endif
 
-iptables.8: ${srcdir}/iptables.8.in
+.8in.8:
 	${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' $< >$@;
 
-ip6tables.8: ${srcdir}/ip6tables.8.in
-	${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' $< >$@;
-
-iptables-extensions.8: ${srcdir}/iptables-extensions.8.in ../extensions/matches.man ../extensions/targets.man
+iptables-extensions.8: ${srcdir}/iptables-extensions.8in ../extensions/matches.man ../extensions/targets.man
 	${AM_VERBOSE_GEN} sed -e \
 		's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' \
 		-e '/@MATCH@/ r ../extensions/matches.man' \
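Review bot: The recipe under the new `.8in.8:` suffix rule redirects sed straight into the target (`$< >$@`), so if sed fails, an empty or partial .8 file is left behind with a fresh timestamp and the next make run treats it as up to date. Now that this one rule generates the manpages, consider writing to a temporary file and renaming it on success, e.g. `sed ... $< >$@.tmp && mv $@.tmp $@`. A short comment would also help to say that iptables-extensions.8 keeps its explicit rule on purpose, because it needs the extra `r` expressions for matches.man and targets.man, and that make uses this explicit rule in place of the suffix rule.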
diff --git a/iptables/ip6tables.8.in b/iptables/ip6tables.8.in
deleted file mode 100644
index 078bcac..0000000
--- a/iptables/ip6tables.8.in
+++ /dev/null
@@ -1,433 +0,0 @@
-.TH IP6TABLES 8 "" "@PACKAGE_AND_VERSION@" "@PACKAGE_AND_VERSION@"
-.\"
-.\" Man page written by Andras Kis-Szabo <kisza@sch.bme.hu>
-.\" It is based on iptables man page.
-.\"
-.\" iptables page by Herve Eychenne <rv@wallfire.org>
-.\" It is based on ipchains man page.
-.\"
-.\" ipchains page by Paul ``Rusty'' Russell March 1997
-.\" Based on the original ipfwadm man page by Jos Vos <jos@xos.nl>
-.\"
-.\"	This program is free software; you can redistribute it and/or modify
-.\"	it under the terms of the GNU General Public License as published by
-.\"	the Free Software Foundation; either version 2 of the License, or
-.\"	(at your option) any later version.
-.\"
-.\"	This program is distributed in the hope that it will be useful,
-.\"	but WITHOUT ANY WARRANTY; without even the implied warranty of
-.\"	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-.\"	GNU General Public License for more details.
-.\"
-.\"	You should have received a copy of the GNU General Public License
-.\"	along with this program; if not, write to the Free Software
-.\"	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-.\"
-.\"
-.SH NAME
-ip6tables \(em IPv6 packet filter administration
-.SH SYNOPSIS
-\fBip6tables\fP [\fB\-t\fP \fItable\fP] {\fB\-A\fP|\fB\-C\fP|\fB\-D\fP}
-\fIchain rule-specification\fP [\fIoptions...\fP]
-.PP
-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-I\fP \fIchain\fP [\fIrulenum\fP]
-\fIrule-specification\fP [\fIoptions...\fP]
-.PP
-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-R\fP \fIchain rulenum
-rule-specification\fP [\fIoptions...\fP]
-.PP
-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-D\fP \fIchain rulenum\fP
-[\fIoptions...\fP]
-.PP
-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-S\fP [\fIchain\fP [\fIrulenum\fP]]
-.PP
-\fBip6tables\fP [\fB\-t\fP \fItable\fP] {\fB\-F\fP|\fB\-L\fP|\fB\-Z\fP}
-[\fIchain\fP [\fIrulenum\fP]] [\fIoptions...\fP]
-.PP
-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-N\fP \fIchain\fP
-.PP
-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-X\fP [\fIchain\fP]
-.PP
-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-P\fP \fIchain target\fP
-[\fIoptions...\fP]
-.PP
-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-E\fP \fIold-chain-name new-chain-name\fP
-.SH DESCRIPTION
-\fBIp6tables\fP is used to set up, maintain, and inspect the
-tables of IPv6 packet
-filter rules in the Linux kernel.  Several different tables
-may be defined.  Each table contains a number of built-in
-chains and may also contain user-defined chains.
-.PP
-Each chain is a list of rules which can match a set of packets.  Each
-rule specifies what to do with a packet that matches.  This is called
-a `target', which may be a jump to a user-defined chain in the same
-table.
-.SH TARGETS
-A firewall rule specifies criteria for a packet and a target.  If the
-packet does not match, the next rule in the chain is the examined; if
-it does match, then the next rule is specified by the value of the
-target, which can be the name of a user-defined chain or one of the
-special values \fBACCEPT\fP, \fBDROP\fP, \fBQUEUE\fP or \fBRETURN\fP.
-.PP
-\fBACCEPT\fP means to let the packet through.
-\fBDROP\fP means to drop the packet on the floor.
-\fBQUEUE\fP means to pass the packet to userspace.
-(How the packet can be received
-by a userspace process differs by the particular queue handler.  2.4.x
-and 2.6.x kernels up to 2.6.13 include the \fBip_queue\fP
-queue handler.  Kernels 2.6.14 and later additionally include the
-\fBnfnetlink_queue\fP queue handler.  Packets with a target of QUEUE will be
-sent to queue number '0' in this case. Please also see the \fBNFQUEUE\fP
-target as described later in this man page.)
-\fBRETURN\fP means stop traversing this chain and resume at the next
-rule in the
-previous (calling) chain.  If the end of a built-in chain is reached
-or a rule in a built-in chain with target \fBRETURN\fP
-is matched, the target specified by the chain policy determines the
-fate of the packet.
-.SH TABLES
-There are currently three independent tables (which tables are present
-at any time depends on the kernel configuration options and which
-modules are present).
-.TP
-\fB\-t\fP, \fB\-\-table\fP \fItable\fP
-This option specifies the packet matching table which the command
-should operate on.  If the kernel is configured with automatic module
-loading, an attempt will be made to load the appropriate module for
-that table if it is not already there.
-
-The tables are as follows:
-.RS
-.TP .4i
-\fBfilter\fP:
-This is the default table (if no \-t option is passed). It contains
-the built-in chains \fBINPUT\fP (for packets destined to local sockets),
-\fBFORWARD\fP (for packets being routed through the box), and
-\fBOUTPUT\fP (for locally-generated packets).
-.TP
-\fBmangle\fP:
-This table is used for specialized packet alteration.  Until kernel
-2.4.17 it had two built-in chains: \fBPREROUTING\fP
-(for altering incoming packets before routing) and \fBOUTPUT\fP
-(for altering locally-generated packets before routing).
-Since kernel 2.4.18, three other built-in chains are also supported:
-\fBINPUT\fP (for packets coming into the box itself), \fBFORWARD\fP
-(for altering packets being routed through the box), and \fBPOSTROUTING\fP
-(for altering packets as they are about to go out).
-.TP
-\fBraw\fP:
-This table is used mainly for configuring exemptions from connection
-tracking in combination with the NOTRACK target.  It registers at the netfilter
-hooks with higher priority and is thus called before ip_conntrack, or any other
-IP tables.  It provides the following built-in chains: \fBPREROUTING\fP
-(for packets arriving via any network interface) \fBOUTPUT\fP
-(for packets generated by local processes)
-.TP
-\fBsecurity\fP:
-This table is used for Mandatory Access Control (MAC) networking rules, such
-as those enabled by the \fBSECMARK\fP and \fBCONNSECMARK\fP targets.
-Mandatory Access Control is implemented by Linux Security Modules such as
-SELinux.  The security table is called after the filter table, allowing any
-Discretionary Access Control (DAC) rules in the filter table to take effect
-before MAC rules.  This table provides the following built-in chains:
-\fBINPUT\fP (for packets coming into the box itself),
-\fBOUTPUT\fP (for altering locally-generated packets before routing), and
-\fBFORWARD\fP (for altering packets being routed through the box).
-.RE
-.SH OPTIONS
-The options that are recognized by
-\fBip6tables\fP can be divided into several different groups.
-.SS COMMANDS
-These options specify the specific action to perform.  Only one of them
-can be specified on the command line unless otherwise specified
-below.  For all the long versions of the command and option names, you
-need to use only enough letters to ensure that
-\fBip6tables\fP can differentiate it from all other options.
-.TP
-\fB\-A\fP, \fB\-\-append\fP \fIchain rule-specification\fP
-Append one or more rules to the end of the selected chain.
-When the source and/or destination names resolve to more than one
-address, a rule will be added for each possible address combination.
-.TP
-\fB\-C\fP, \fB\-\-check\fP \fIchain rule-specification\fP
-Check whether a rule matching the specification does exist in the
-selected chain. This command uses the same logic as \fB\-D\fP to
-find a matching entry, but does not alter the existing iptables
-configuration and uses its exit code to indicate success or failure.
-.TP
-\fB\-D\fP, \fB\-\-delete\fP \fIchain rule-specification\fP
-.ns
-.TP
-\fB\-D\fP, \fB\-\-delete\fP \fIchain rulenum\fP
-Delete one or more rules from the selected chain.  There are two
-versions of this command: the rule can be specified as a number in the
-chain (starting at 1 for the first rule) or a rule to match.
-.TP
-\fB\-I\fP, \fB\-\-insert\fP \fIchain\fP [\fIrulenum\fP] \fIrule-specification\fP
-Insert one or more rules in the selected chain as the given rule
-number.  So, if the rule number is 1, the rule or rules are inserted
-at the head of the chain.  This is also the default if no rule number
-is specified.
-.TP
-\fB\-R\fP, \fB\-\-replace\fP \fIchain rulenum rule-specification\fP
-Replace a rule in the selected chain.  If the source and/or
-destination names resolve to multiple addresses, the command will
-fail.  Rules are numbered starting at 1.
-.TP
-\fB\-L\fP, \fB\-\-list\fP [\fIchain\fP]
-List all rules in the selected chain.  If no chain is selected, all
-chains are listed. Like every other ip6tables command, it applies to the
-specified table (filter is the default).
-.IP ""
-Please note that it is often used with the \fB\-n\fP
-option, in order to avoid long reverse DNS lookups.
-It is legal to specify the \fB\-Z\fP
-(zero) option as well, in which case the chain(s) will be atomically
-listed and zeroed.  The exact output is affected by the other
-arguments given. The exact rules are suppressed until you use
-.nf
- ip6tables \-L \-v
-.fi
-.TP
-\fB\-S\fP, \fB\-\-list\-rules\fP [\fIchain\fP]
-Print all rules in the selected chain.  If no chain is selected, all
-chains are printed like ip6tables-save. Like every other ip6tables command,
-it applies to the specified table (filter is the default).
-.TP
-\fB\-F\fP, \fB\-\-flush\fP [\fIchain\fP]
-Flush the selected chain (all the chains in the table if none is given).
-This is equivalent to deleting all the rules one by one.
-.TP
-\fB\-Z\fP, \fB\-\-zero\fP [\fIchain\fP [\fIrulenum\fP]]
-Zero the packet and byte counters in all chains, or only the given chain,
-or only the given rule in a chain. It is legal to
-specify the
-\fB\-L\fP, \fB\-\-list\fP
-(list) option as well, to see the counters immediately before they are
-cleared. (See above.)
-.TP
-\fB\-N\fP, \fB\-\-new\-chain\fP \fIchain\fP
-Create a new user-defined chain by the given name.  There must be no
-target of that name already.
-.TP
-\fB\-X\fP, \fB\-\-delete\-chain\fP [\fIchain\fP]
-Delete the optional user-defined chain specified.  There must be no references
-to the chain.  If there are, you must delete or replace the referring rules
-before the chain can be deleted.  The chain must be empty, i.e. not contain
-any rules.  If no argument is given, it will attempt to delete every
-non-builtin chain in the table.
-.TP
-\fB\-P\fP, \fB\-\-policy\fP \fIchain target\fP
-Set the policy for the chain to the given target.  See the section \fBTARGETS\fP
-for the legal targets.  Only built-in (non-user-defined) chains can have
-policies, and neither built-in nor user-defined chains can be policy
-targets.
-.TP
-\fB\-E\fP, \fB\-\-rename\-chain\fP \fIold\-chain new\-chain\fP
-Rename the user specified chain to the user supplied name.  This is
-cosmetic, and has no effect on the structure of the table.
-.TP
-\fB\-A\fP, \fB\-\-append\fP \fIchain rule-specification\fP
-Append one or more rules to the end of the selected chain.
-When the source and/or destination names resolve to more than one
-address, a rule will be added for each possible address combination.
-.TP
-\fB\-h\fP
-Help.
-Give a (currently very brief) description of the command syntax.
-.SS PARAMETERS
-The following parameters make up a rule specification (as used in the
-add, delete, insert, replace and append commands).
-.TP
-[\fB!\fP] \fB\-p\fP, \fB\-\-protocol\fP \fIprotocol\fP
-The protocol of the rule or of the packet to check.
-The specified protocol can be one of \fBtcp\fP, \fBudp\fP, \fBudplite\fP,
-\fBicmpv6\fP, \fBesp\fP, \fBmh\fP or the special keyword "\fBall\fP",
-or it can be a numeric value, representing one of these protocols or a
-different one. A protocol name from /etc/protocols is also allowed.
-But IPv6 extension headers except \fBesp\fP are not allowed.
-\fBesp\fP and \fBipv6\-nonext\fP
-can be used with Kernel version 2.6.11 or later.
-A "!" argument before the protocol inverts the
-test.  The number zero is equivalent to \fBall\fP, which means that you cannot
-test the protocol field for the value 0 directly. To match on a HBH header,
-even if it were the last, you cannot use \fB\-p 0\fP, but always need
-\fB\-m hbh\fP.
-"\fBall\fP"
-will match with all protocols and is taken as default when this
-option is omitted.
-.TP
-[\fB!\fP] \fB\-s\fP, \fB\-\-source\fP \fIaddress\fP[\fB/\fP\fImask\fP]
-Source specification.
-\fIAddress\fP can be either be a hostname,
-a network IP address (with \fB/\fP\fImask\fP), or a plain IP address.
-Names will be resolved once only, before the rule is submitted to the kernel.
-Please note that specifying any name to be resolved with a remote query such as
-DNS is a really bad idea.
-(Resolving network names is not supported at this time.)
-The \fImask\fP is a plain number,
-specifying the number of 1's at the left side of the network mask.
-A "!" argument before the address specification inverts the sense of
-the address. The flag \fB\-\-src\fP
-is an alias for this option.
-Multiple addresses can be specified, but this will \fBexpand to multiple
-rules\fP (when adding with \-A), or will cause multiple rules to be
-deleted (with \-D).
-.TP
-[\fB!\fP] \fB\-d\fP, \fB\-\-destination\fP \fIaddress\fP[\fB/\fP\fImask\fP]
-Destination specification. 
-See the description of the \fB\-s\fP
-(source) flag for a detailed description of the syntax.  The flag
-\fB\-\-dst\fP is an alias for this option.
-.TP
-\fB\-j\fP, \fB\-\-jump\fP \fItarget\fP
-This specifies the target of the rule; i.e., what to do if the packet
-matches it.  The target can be a user-defined chain (other than the
-one this rule is in), one of the special builtin targets which decide
-the fate of the packet immediately, or an extension (see \fBEXTENSIONS\fP
-below).  If this
-option is omitted in a rule (and \fB\-g\fP
-is not used), then matching the rule will have no
-effect on the packet's fate, but the counters on the rule will be
-incremented.
-.TP
-\fB\-g\fP, \fB\-\-goto\fP \fIchain\fP
-This specifies that the processing should continue in a user
-specified chain. Unlike the \-\-jump option return will not continue
-processing in this chain but instead in the chain that called us via
-\-\-jump.
-.TP
-[\fB!\fP] \fB\-i\fP, \fB\-\-in\-interface\fP \fIname\fP
-Name of an interface via which a packet was received (only for
-packets entering the \fBINPUT\fP, \fBFORWARD\fP and \fBPREROUTING\fP
-chains).  When the "!" argument is used before the interface name, the
-sense is inverted.  If the interface name ends in a "+", then any
-interface which begins with this name will match.  If this option is
-omitted, any interface name will match.
-.TP
-[\fB!\fP] \fB\-o\fP, \fB\-\-out\-interface\fP \fIname\fP
-Name of an interface via which a packet is going to be sent (for packets
-entering the \fBFORWARD\fP, \fBOUTPUT\fP and \fBPOSTROUTING\fP
-chains).  When the "!" argument is used before the interface name, the
-sense is inverted.  If the interface name ends in a "+", then any
-interface which begins with this name will match.  If this option is
-omitted, any interface name will match.
-.\" Currently not supported (header-based)
-.\" .TP
-.\" [\fB!\fP] \fB\-f\fP, \fB\-\-fragment\fP
-.\" This means that the rule only refers to second and further fragments
-.\" of fragmented packets.  Since there is no way to tell the source or
-.\" destination ports of such a packet (or ICMP type), such a packet will
-.\" not match any rules which specify them.  When the "!" argument
-.\" precedes the "\-f" flag, the rule will only match head fragments, or
-.\" unfragmented packets.
-.TP
-\fB\-c\fP, \fB\-\-set\-counters\fP \fIpackets bytes\fP
-This enables the administrator to initialize the packet and byte
-counters of a rule (during \fBINSERT\fP, \fBAPPEND\fP, \fBREPLACE\fP
-operations).
-.SS "OTHER OPTIONS"
-The following additional options can be specified:
-.TP
-\fB\-v\fP, \fB\-\-verbose\fP
-Verbose output.  This option makes the list command show the interface
-name, the rule options (if any), and the TOS masks.  The packet and
-byte counters are also listed, with the suffix 'K', 'M' or 'G' for
-1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see
-the \fB\-x\fP flag to change this).
-For appending, insertion, deletion and replacement, this causes
-detailed information on the rule or rules to be printed. \fB\-v\fP may be
-specified multiple times to possibly emit more detailed debug statements.
-.TP
-\fB\-n\fP, \fB\-\-numeric\fP
-Numeric output.
-IP addresses and port numbers will be printed in numeric format.
-By default, the program will try to display them as host names,
-network names, or services (whenever applicable).
-.TP
-\fB\-x\fP, \fB\-\-exact\fP
-Expand numbers.
-Display the exact value of the packet and byte counters,
-instead of only the rounded number in K's (multiples of 1000)
-M's (multiples of 1000K) or G's (multiples of 1000M).  This option is
-only relevant for the \fB\-L\fP command.
-.TP
-\fB\-\-line\-numbers\fP
-When listing rules, add line numbers to the beginning of each rule,
-corresponding to that rule's position in the chain.
-.TP
-\fB\-\-modprobe=\fP\fIcommand\fP
-When adding or inserting rules into a chain, use \fIcommand\fP
-to load any necessary modules (targets, match extensions, etc).
-.SH MATCH EXTENSIONS
-.PP
-iptables can use extended packet matching and target modules.
-A list of these is available in the \fBiptables\-extensions\fP(8) manpage.
-.SH DIAGNOSTICS
-Various error messages are printed to standard error.  The exit code
-is 0 for correct functioning.  Errors which appear to be caused by
-invalid or abused command line parameters cause an exit code of 2, and
-other errors cause an exit code of 1.
-.SH BUGS
-Bugs?  What's this? ;-)
-Well... the counters are not reliable on sparc64.
-.SH COMPATIBILITY WITH IPCHAINS
-This \fBip6tables\fP
-is very similar to ipchains by Rusty Russell.  The main difference is
-that the chains \fBINPUT\fP and \fBOUTPUT\fP
-are only traversed for packets coming into the local host and
-originating from the local host respectively.  Hence every packet only
-passes through one of the three chains (except loopback traffic, which
-involves both INPUT and OUTPUT chains); previously a forwarded packet
-would pass through all three.
-.PP
-The other main difference is that \fB\-i\fP refers to the input interface;
-\fB\-o\fP refers to the output interface, and both are available for packets
-entering the \fBFORWARD\fP chain.
-There are several other changes in ip6tables.
-.SH SEE ALSO
-\fBip6tables\-save\fP(8),
-\fBip6tables\-restore\fP(8),
-\fBiptables\fP(8),
-\fBiptables\-apply\fP(8),
-\fBiptables\-extensions\fP(8),
-\fBiptables\-save\fP(8),
-\fBiptables\-restore\fP(8),
-\fBlibipq\fP(3).
-.PP
-The packet-filtering-HOWTO details iptables usage for
-packet filtering,
-the netfilter-extensions-HOWTO details the extensions that are
-not in the standard distribution,
-and the netfilter-hacking-HOWTO details the netfilter internals.
-.br
-See
-.BR "http://www.netfilter.org/" .
-.SH AUTHORS
-Rusty Russell wrote iptables, in early consultation with Michael
-Neuling.
-.PP
-Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet
-selection framework in iptables, then wrote the mangle table, the owner match,
-the mark stuff, and ran around doing cool stuff everywhere.
-.PP
-James Morris wrote the TOS target, and tos match.
-.PP
-Jozsef Kadlecsik wrote the REJECT target.
-.PP
-Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, as well as TTL match+target and libipulog.
-.PP
-The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Yasuyuki Kozakai,
-Jozsef Kadlecsik, Patrick McHardy, James Morris, Pablo Neira Ayuso,
-Harald Welte and Rusty Russell.
-.PP
-ip6tables man page created by Andras Kis-Szabo, based on
-iptables man page written by Herve Eychenne <rv@wallfire.org>.
-.\" .. and did I mention that we are incredibly cool people?
-.\" .. sexy, too ..
-.\" .. witty, charming, powerful ..
-.\" .. and most of all, modest ..
-.SH VERSION
-.PP
-This manual page applies to ip6tables @PACKAGE_VERSION@.
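Review bot: The `.SH VERSION` section at the end of this file uses `@PACKAGE_VERSION@`, but the sed expression visible in the Makefile.am hunk only replaces `@PACKAGE_AND_VERSION@`, so unless something else substitutes it, the generated page will show the placeholder literally. The text is carried over unchanged into ip6tables.8in, so the rule should gain a matching expression such as `-e 's/@PACKAGE_VERSION@/${PACKAGE_VERSION}/g'`. Separately, the deleted and the created file share blob 078bcac, so this is a pure rename; sending the patch with rename detection (`git format-patch -M`) would reduce it to the Makefile.am change plus rename headers and make it much easier to review.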
diff --git a/iptables/ip6tables.8in b/iptables/ip6tables.8in
new file mode 100644
index 0000000..078bcac
--- /dev/null
+++ b/iptables/ip6tables.8in
@@ -0,0 +1,433 @@
+.TH IP6TABLES 8 "" "@PACKAGE_AND_VERSION@" "@PACKAGE_AND_VERSION@"
+.\"
+.\" Man page written by Andras Kis-Szabo <kisza@sch.bme.hu>
+.\" It is based on iptables man page.
+.\"
+.\" iptables page by Herve Eychenne <rv@wallfire.org>
+.\" It is based on ipchains man page.
+.\"
+.\" ipchains page by Paul ``Rusty'' Russell March 1997
+.\" Based on the original ipfwadm man page by Jos Vos <jos@xos.nl>
+.\"
+.\"	This program is free software; you can redistribute it and/or modify
+.\"	it under the terms of the GNU General Public License as published by
+.\"	the Free Software Foundation; either version 2 of the License, or
+.\"	(at your option) any later version.
+.\"
+.\"	This program is distributed in the hope that it will be useful,
+.\"	but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\"	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+.\"	GNU General Public License for more details.
+.\"
+.\"	You should have received a copy of the GNU General Public License
+.\"	along with this program; if not, write to the Free Software
+.\"	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+ip6tables \(em IPv6 packet filter administration
+.SH SYNOPSIS
+\fBip6tables\fP [\fB\-t\fP \fItable\fP] {\fB\-A\fP|\fB\-C\fP|\fB\-D\fP}
+\fIchain rule-specification\fP [\fIoptions...\fP]
+.PP
+\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-I\fP \fIchain\fP [\fIrulenum\fP]
+\fIrule-specification\fP [\fIoptions...\fP]
+.PP
+\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-R\fP \fIchain rulenum
+rule-specification\fP [\fIoptions...\fP]
+.PP
+\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-D\fP \fIchain rulenum\fP
+[\fIoptions...\fP]
+.PP
+\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-S\fP [\fIchain\fP [\fIrulenum\fP]]
+.PP
+\fBip6tables\fP [\fB\-t\fP \fItable\fP] {\fB\-F\fP|\fB\-L\fP|\fB\-Z\fP}
+[\fIchain\fP [\fIrulenum\fP]] [\fIoptions...\fP]
+.PP
+\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-N\fP \fIchain\fP
+.PP
+\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-X\fP [\fIchain\fP]
+.PP
+\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-P\fP \fIchain target\fP
+[\fIoptions...\fP]
+.PP
+\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-E\fP \fIold-chain-name new-chain-name\fP
+.SH DESCRIPTION
+\fBIp6tables\fP is used to set up, maintain, and inspect the
+tables of IPv6 packet
+filter rules in the Linux kernel.  Several different tables
+may be defined.  Each table contains a number of built-in
+chains and may also contain user-defined chains.
+.PP
+Each chain is a list of rules which can match a set of packets.  Each
+rule specifies what to do with a packet that matches.  This is called
+a `target', which may be a jump to a user-defined chain in the same
+table.
+.SH TARGETS
+A firewall rule specifies criteria for a packet and a target.  If the
+packet does not match, the next rule in the chain is the examined; if
+it does match, then the next rule is specified by the value of the
+target, which can be the name of a user-defined chain or one of the
+special values \fBACCEPT\fP, \fBDROP\fP, \fBQUEUE\fP or \fBRETURN\fP.
+.PP
+\fBACCEPT\fP means to let the packet through.
+\fBDROP\fP means to drop the packet on the floor.
+\fBQUEUE\fP means to pass the packet to userspace.
+(How the packet can be received
+by a userspace process differs by the particular queue handler.  2.4.x
+and 2.6.x kernels up to 2.6.13 include the \fBip_queue\fP
+queue handler.  Kernels 2.6.14 and later additionally include the
+\fBnfnetlink_queue\fP queue handler.  Packets with a target of QUEUE will be
+sent to queue number '0' in this case. Please also see the \fBNFQUEUE\fP
+target as described later in this man page.)
+\fBRETURN\fP means stop traversing this chain and resume at the next
+rule in the
+previous (calling) chain.  If the end of a built-in chain is reached
+or a rule in a built-in chain with target \fBRETURN\fP
+is matched, the target specified by the chain policy determines the
+fate of the packet.
+.SH TABLES
+There are currently three independent tables (which tables are present
+at any time depends on the kernel configuration options and which
+modules are present).
+.TP
+\fB\-t\fP, \fB\-\-table\fP \fItable\fP
+This option specifies the packet matching table which the command
+should operate on.  If the kernel is configured with automatic module
+loading, an attempt will be made to load the appropriate module for
+that table if it is not already there.
+
+The tables are as follows:
+.RS
+.TP .4i
+\fBfilter\fP:
+This is the default table (if no \-t option is passed). It contains
+the built-in chains \fBINPUT\fP (for packets destined to local sockets),
+\fBFORWARD\fP (for packets being routed through the box), and
+\fBOUTPUT\fP (for locally-generated packets).
+.TP
+\fBmangle\fP:
+This table is used for specialized packet alteration.  Until kernel
+2.4.17 it had two built-in chains: \fBPREROUTING\fP
+(for altering incoming packets before routing) and \fBOUTPUT\fP
+(for altering locally-generated packets before routing).
+Since kernel 2.4.18, three other built-in chains are also supported:
+\fBINPUT\fP (for packets coming into the box itself), \fBFORWARD\fP
+(for altering packets being routed through the box), and \fBPOSTROUTING\fP
+(for altering packets as they are about to go out).
+.TP
+\fBraw\fP:
+This table is used mainly for configuring exemptions from connection
+tracking in combination with the NOTRACK target.  It registers at the netfilter
+hooks with higher priority and is thus called before ip_conntrack, or any other
+IP tables.  It provides the following built-in chains: \fBPREROUTING\fP
+(for packets arriving via any network interface) \fBOUTPUT\fP
+(for packets generated by local processes)
+.TP
+\fBsecurity\fP:
+This table is used for Mandatory Access Control (MAC) networking rules, such
+as those enabled by the \fBSECMARK\fP and \fBCONNSECMARK\fP targets.
+Mandatory Access Control is implemented by Linux Security Modules such as
+SELinux.  The security table is called after the filter table, allowing any
+Discretionary Access Control (DAC) rules in the filter table to take effect
+before MAC rules.  This table provides the following built-in chains:
+\fBINPUT\fP (for packets coming into the box itself),
+\fBOUTPUT\fP (for altering locally-generated packets before routing), and
+\fBFORWARD\fP (for altering packets being routed through the box).
+.RE
+.SH OPTIONS
+The options that are recognized by
+\fBip6tables\fP can be divided into several different groups.
+.SS COMMANDS
+These options specify the specific action to perform.  Only one of them
+can be specified on the command line unless otherwise specified
+below.  For all the long versions of the command and option names, you
+need to use only enough letters to ensure that
+\fBip6tables\fP can differentiate it from all other options.
+.TP
+\fB\-A\fP, \fB\-\-append\fP \fIchain rule-specification\fP
+Append one or more rules to the end of the selected chain.
+When the source and/or destination names resolve to more than one
+address, a rule will be added for each possible address combination.
+.TP
+\fB\-C\fP, \fB\-\-check\fP \fIchain rule-specification\fP
+Check whether a rule matching the specification does exist in the
+selected chain. This command uses the same logic as \fB\-D\fP to
+find a matching entry, but does not alter the existing iptables
+configuration and uses its exit code to indicate success or failure.
+.TP
+\fB\-D\fP, \fB\-\-delete\fP \fIchain rule-specification\fP
+.ns
+.TP
+\fB\-D\fP, \fB\-\-delete\fP \fIchain rulenum\fP
+Delete one or more rules from the selected chain.  There are two
+versions of this command: the rule can be specified as a number in the
+chain (starting at 1 for the first rule) or a rule to match.
+.TP
+\fB\-I\fP, \fB\-\-insert\fP \fIchain\fP [\fIrulenum\fP] \fIrule-specification\fP
+Insert one or more rules in the selected chain as the given rule
+number.  So, if the rule number is 1, the rule or rules are inserted
+at the head of the chain.  This is also the default if no rule number
+is specified.
+.TP
+\fB\-R\fP, \fB\-\-replace\fP \fIchain rulenum rule-specification\fP
+Replace a rule in the selected chain.  If the source and/or
+destination names resolve to multiple addresses, the command will
+fail.  Rules are numbered starting at 1.
+.TP
+\fB\-L\fP, \fB\-\-list\fP [\fIchain\fP]
+List all rules in the selected chain.  If no chain is selected, all
+chains are listed. Like every other ip6tables command, it applies to the
+specified table (filter is the default).
+.IP ""
+Please note that it is often used with the \fB\-n\fP
+option, in order to avoid long reverse DNS lookups.
+It is legal to specify the \fB\-Z\fP
+(zero) option as well, in which case the chain(s) will be atomically
+listed and zeroed.  The exact output is affected by the other
+arguments given. The exact rules are suppressed until you use
+.nf
+ ip6tables \-L \-v
+.fi
+.TP
+\fB\-S\fP, \fB\-\-list\-rules\fP [\fIchain\fP]
+Print all rules in the selected chain.  If no chain is selected, all
+chains are printed like ip6tables-save. Like every other ip6tables command,
+it applies to the specified table (filter is the default).
+.TP
+\fB\-F\fP, \fB\-\-flush\fP [\fIchain\fP]
+Flush the selected chain (all the chains in the table if none is given).
+This is equivalent to deleting all the rules one by one.
+.TP
+\fB\-Z\fP, \fB\-\-zero\fP [\fIchain\fP [\fIrulenum\fP]]
+Zero the packet and byte counters in all chains, or only the given chain,
+or only the given rule in a chain. It is legal to
+specify the
+\fB\-L\fP, \fB\-\-list\fP
+(list) option as well, to see the counters immediately before they are
+cleared. (See above.)
+.TP
+\fB\-N\fP, \fB\-\-new\-chain\fP \fIchain\fP
+Create a new user-defined chain by the given name.  There must be no
+target of that name already.
+.TP
+\fB\-X\fP, \fB\-\-delete\-chain\fP [\fIchain\fP]
+Delete the optional user-defined chain specified.  There must be no references
+to the chain.  If there are, you must delete or replace the referring rules
+before the chain can be deleted.  The chain must be empty, i.e. not contain
+any rules.  If no argument is given, it will attempt to delete every
+non-builtin chain in the table.
+.TP
+\fB\-P\fP, \fB\-\-policy\fP \fIchain target\fP
+Set the policy for the chain to the given target.  See the section \fBTARGETS\fP
+for the legal targets.  Only built-in (non-user-defined) chains can have
+policies, and neither built-in nor user-defined chains can be policy
+targets.
+.TP
+\fB\-E\fP, \fB\-\-rename\-chain\fP \fIold\-chain new\-chain\fP
+Rename the user specified chain to the user supplied name.  This is
+cosmetic, and has no effect on the structure of the table.
+.TP
+\fB\-A\fP, \fB\-\-append\fP \fIchain rule-specification\fP
+Append one or more rules to the end of the selected chain.
+When the source and/or destination names resolve to more than one
+address, a rule will be added for each possible address combination.
+.TP
+\fB\-h\fP
+Help.
+Give a (currently very brief) description of the command syntax.
+.SS PARAMETERS
+The following parameters make up a rule specification (as used in the
+add, delete, insert, replace and append commands).
+.TP
+[\fB!\fP] \fB\-p\fP, \fB\-\-protocol\fP \fIprotocol\fP
+The protocol of the rule or of the packet to check.
+The specified protocol can be one of \fBtcp\fP, \fBudp\fP, \fBudplite\fP,
+\fBicmpv6\fP, \fBesp\fP, \fBmh\fP or the special keyword "\fBall\fP",
+or it can be a numeric value, representing one of these protocols or a
+different one. A protocol name from /etc/protocols is also allowed.
+But IPv6 extension headers except \fBesp\fP are not allowed.
+\fBesp\fP and \fBipv6\-nonext\fP
+can be used with Kernel version 2.6.11 or later.
+A "!" argument before the protocol inverts the
+test.  The number zero is equivalent to \fBall\fP, which means that you cannot
+test the protocol field for the value 0 directly. To match on a HBH header,
+even if it were the last, you cannot use \fB\-p 0\fP, but always need
+\fB\-m hbh\fP.
+"\fBall\fP"
+will match with all protocols and is taken as default when this
+option is omitted.
+.TP
+[\fB!\fP] \fB\-s\fP, \fB\-\-source\fP \fIaddress\fP[\fB/\fP\fImask\fP]
+Source specification.
+\fIAddress\fP can be either be a hostname,
+a network IP address (with \fB/\fP\fImask\fP), or a plain IP address.
+Names will be resolved once only, before the rule is submitted to the kernel.
+Please note that specifying any name to be resolved with a remote query such as
+DNS is a really bad idea.
+(Resolving network names is not supported at this time.)
+The \fImask\fP is a plain number,
+specifying the number of 1's at the left side of the network mask.
+A "!" argument before the address specification inverts the sense of
+the address. The flag \fB\-\-src\fP
+is an alias for this option.
+Multiple addresses can be specified, but this will \fBexpand to multiple
+rules\fP (when adding with \-A), or will cause multiple rules to be
+deleted (with \-D).
+.TP
+[\fB!\fP] \fB\-d\fP, \fB\-\-destination\fP \fIaddress\fP[\fB/\fP\fImask\fP]
+Destination specification. 
+See the description of the \fB\-s\fP
+(source) flag for a detailed description of the syntax.  The flag
+\fB\-\-dst\fP is an alias for this option.
+.TP
+\fB\-j\fP, \fB\-\-jump\fP \fItarget\fP
+This specifies the target of the rule; i.e., what to do if the packet
+matches it.  The target can be a user-defined chain (other than the
+one this rule is in), one of the special builtin targets which decide
+the fate of the packet immediately, or an extension (see \fBEXTENSIONS\fP
+below).  If this
+option is omitted in a rule (and \fB\-g\fP
+is not used), then matching the rule will have no
+effect on the packet's fate, but the counters on the rule will be
+incremented.
+.TP
+\fB\-g\fP, \fB\-\-goto\fP \fIchain\fP
+This specifies that the processing should continue in a user
+specified chain. Unlike the \-\-jump option return will not continue
+processing in this chain but instead in the chain that called us via
+\-\-jump.
+.TP
+[\fB!\fP] \fB\-i\fP, \fB\-\-in\-interface\fP \fIname\fP
+Name of an interface via which a packet was received (only for
+packets entering the \fBINPUT\fP, \fBFORWARD\fP and \fBPREROUTING\fP
+chains).  When the "!" argument is used before the interface name, the
+sense is inverted.  If the interface name ends in a "+", then any
+interface which begins with this name will match.  If this option is
+omitted, any interface name will match.
+.TP
+[\fB!\fP] \fB\-o\fP, \fB\-\-out\-interface\fP \fIname\fP
+Name of an interface via which a packet is going to be sent (for packets
+entering the \fBFORWARD\fP, \fBOUTPUT\fP and \fBPOSTROUTING\fP
+chains).  When the "!" argument is used before the interface name, the
+sense is inverted.  If the interface name ends in a "+", then any
+interface which begins with this name will match.  If this option is
+omitted, any interface name will match.
+.\" Currently not supported (header-based)
+.\" .TP
+.\" [\fB!\fP] \fB\-f\fP, \fB\-\-fragment\fP
+.\" This means that the rule only refers to second and further fragments
+.\" of fragmented packets.  Since there is no way to tell the source or
+.\" destination ports of such a packet (or ICMP type), such a packet will
+.\" not match any rules which specify them.  When the "!" argument
+.\" precedes the "\-f" flag, the rule will only match head fragments, or
+.\" unfragmented packets.
+.TP
+\fB\-c\fP, \fB\-\-set\-counters\fP \fIpackets bytes\fP
+This enables the administrator to initialize the packet and byte
+counters of a rule (during \fBINSERT\fP, \fBAPPEND\fP, \fBREPLACE\fP
+operations).
+.SS "OTHER OPTIONS"
+The following additional options can be specified:
+.TP
+\fB\-v\fP, \fB\-\-verbose\fP
+Verbose output.  This option makes the list command show the interface
+name, the rule options (if any), and the TOS masks.  The packet and
+byte counters are also listed, with the suffix 'K', 'M' or 'G' for
+1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see
+the \fB\-x\fP flag to change this).
+For appending, insertion, deletion and replacement, this causes
+detailed information on the rule or rules to be printed. \fB\-v\fP may be
+specified multiple times to possibly emit more detailed debug statements.
+.TP
+\fB\-n\fP, \fB\-\-numeric\fP
+Numeric output.
+IP addresses and port numbers will be printed in numeric format.
+By default, the program will try to display them as host names,
+network names, or services (whenever applicable).
+.TP
+\fB\-x\fP, \fB\-\-exact\fP
+Expand numbers.
+Display the exact value of the packet and byte counters,
+instead of only the rounded number in K's (multiples of 1000)
+M's (multiples of 1000K) or G's (multiples of 1000M).  This option is
+only relevant for the \fB\-L\fP command.
+.TP
+\fB\-\-line\-numbers\fP
+When listing rules, add line numbers to the beginning of each rule,
+corresponding to that rule's position in the chain.
+.TP
+\fB\-\-modprobe=\fP\fIcommand\fP
+When adding or inserting rules into a chain, use \fIcommand\fP
+to load any necessary modules (targets, match extensions, etc).
+.SH MATCH EXTENSIONS
+.PP
+iptables can use extended packet matching and target modules.
+A list of these is available in the \fBiptables\-extensions\fP(8) manpage.
+.SH DIAGNOSTICS
+Various error messages are printed to standard error.  The exit code
+is 0 for correct functioning.  Errors which appear to be caused by
+invalid or abused command line parameters cause an exit code of 2, and
+other errors cause an exit code of 1.
+.SH BUGS
+Bugs?  What's this? ;-)
+Well... the counters are not reliable on sparc64.
+.SH COMPATIBILITY WITH IPCHAINS
+This \fBip6tables\fP
+is very similar to ipchains by Rusty Russell.  The main difference is
+that the chains \fBINPUT\fP and \fBOUTPUT\fP
+are only traversed for packets coming into the local host and
+originating from the local host respectively.  Hence every packet only
+passes through one of the three chains (except loopback traffic, which
+involves both INPUT and OUTPUT chains); previously a forwarded packet
+would pass through all three.
+.PP
+The other main difference is that \fB\-i\fP refers to the input interface;
+\fB\-o\fP refers to the output interface, and both are available for packets
+entering the \fBFORWARD\fP chain.
+There are several other changes in ip6tables.
+.SH SEE ALSO
+\fBip6tables\-save\fP(8),
+\fBip6tables\-restore\fP(8),
+\fBiptables\fP(8),
+\fBiptables\-apply\fP(8),
+\fBiptables\-extensions\fP(8),
+\fBiptables\-save\fP(8),
+\fBiptables\-restore\fP(8),
+\fBlibipq\fP(3).
+.PP
+The packet-filtering-HOWTO details iptables usage for
+packet filtering,
+the netfilter-extensions-HOWTO details the extensions that are
+not in the standard distribution,
+and the netfilter-hacking-HOWTO details the netfilter internals.
+.br
+See
+.BR "http://www.netfilter.org/" .
+.SH AUTHORS
+Rusty Russell wrote iptables, in early consultation with Michael
+Neuling.
+.PP
+Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet
+selection framework in iptables, then wrote the mangle table, the owner match,
+the mark stuff, and ran around doing cool stuff everywhere.
+.PP
+James Morris wrote the TOS target, and tos match.
+.PP
+Jozsef Kadlecsik wrote the REJECT target.
+.PP
+Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, as well as TTL match+target and libipulog.
+.PP
+The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Yasuyuki Kozakai,
+Jozsef Kadlecsik, Patrick McHardy, James Morris, Pablo Neira Ayuso,
+Harald Welte and Rusty Russell.
+.PP
+ip6tables man page created by Andras Kis-Szabo, based on
+iptables man page written by Herve Eychenne <rv@wallfire.org>.
+.\" .. and did I mention that we are incredibly cool people?
+.\" .. sexy, too ..
+.\" .. witty, charming, powerful ..
+.\" .. and most of all, modest ..
+.SH VERSION
+.PP
+This manual page applies to ip6tables @PACKAGE_VERSION@.
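Review bot: the `\-A`, `\-\-append` entry is present twice in the COMMANDS section of this file, once at the head of the command list and again, word for word, between `\-E`, `\-\-rename\-chain` and `\-h`; the second copy should be dropped so the rendered page does not list the command twice. Two smaller points in the same file: the `\-s` text reads "can be either be a hostname" (doubled "be"), and the `\-j` text refers the reader to "\fBEXTENSIONS\fP below" while the section in this file is headed MATCH EXTENSIONS. If this patch is meant to stay a pure rename, these belong in a follow-up patch.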
diff --git a/iptables/iptables-extensions.8.in b/iptables/iptables-extensions.8.in
deleted file mode 100644
index e02c81f..0000000
--- a/iptables/iptables-extensions.8.in
+++ /dev/null
@@ -1,27 +0,0 @@
-.TH iptables-extensions 8 "" "@PACKAGE_AND_VERSION@" "@PACKAGE_AND_VERSION@"
-.SH NAME
-iptables-extensions \(em list of extensions in the standard iptables distribution
-.SH SYNOPSIS
-\fBip6tables\fP [\fB\-m\fP \fIname\fP [\fImodule-options\fP...]]
-[\fB\-j\fP \fItarget-name\fP [\fItarget-options\fP...]
-.PP
-\fBiptables\fP [\fB\-m\fP \fIname\fP [\fImodule-options\fP...]]
-[\fB\-j\fP \fItarget-name\fP [\fItarget-options\fP...]
-.SH MATCH EXTENSIONS
-iptables can use extended packet matching modules
-with the \fB\-m\fP or \fB\-\-match\fP
-options, followed by the matching module name; after these, various
-extra command line options become available, depending on the specific
-module.  You can specify multiple extended match modules in one line,
-and you can use the \fB\-h\fP or \fB\-\-help\fP
-options after the module has been specified to receive help specific
-to that module.
-.PP
-If the \fB\-p\fP or \fB\-\-protocol\fP was specified and if and only if an
-unknown option is encountered, iptables will try load a match module of the
-same name as the protocol, to try making the option available.
-.\" @MATCH@
-.SH TARGET EXTENSIONS
-iptables can use extended target modules: the following are included
-in the standard distribution.
-.\" @TARGET@
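Review bot: the blob id on the `index e02c81f..0000000` line is the same one the new iptables/iptables-extensions.8in is created with (`index 0000000..e02c81f`), so this is a content-identical rename that is being sent as a full delete plus a full add. Generating the patch with rename detection (`git format-patch -M`) would reduce the pair to a rename header and let a reviewer confirm at a glance that no manpage text changed.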
diff --git a/iptables/iptables-extensions.8in b/iptables/iptables-extensions.8in
new file mode 100644
index 0000000..e02c81f
--- /dev/null
+++ b/iptables/iptables-extensions.8in
@@ -0,0 +1,27 @@
+.TH iptables-extensions 8 "" "@PACKAGE_AND_VERSION@" "@PACKAGE_AND_VERSION@"
+.SH NAME
+iptables-extensions \(em list of extensions in the standard iptables distribution
+.SH SYNOPSIS
+\fBip6tables\fP [\fB\-m\fP \fIname\fP [\fImodule-options\fP...]]
+[\fB\-j\fP \fItarget-name\fP [\fItarget-options\fP...]
+.PP
+\fBiptables\fP [\fB\-m\fP \fIname\fP [\fImodule-options\fP...]]
+[\fB\-j\fP \fItarget-name\fP [\fItarget-options\fP...]
+.SH MATCH EXTENSIONS
+iptables can use extended packet matching modules
+with the \fB\-m\fP or \fB\-\-match\fP
+options, followed by the matching module name; after these, various
+extra command line options become available, depending on the specific
+module.  You can specify multiple extended match modules in one line,
+and you can use the \fB\-h\fP or \fB\-\-help\fP
+options after the module has been specified to receive help specific
+to that module.
+.PP
+If the \fB\-p\fP or \fB\-\-protocol\fP was specified and if and only if an
+unknown option is encountered, iptables will try load a match module of the
+same name as the protocol, to try making the option available.
+.\" @MATCH@
+.SH TARGET EXTENSIONS
+iptables can use extended target modules: the following are included
+in the standard distribution.
+.\" @TARGET@
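Review bot: both SYNOPSIS lines for the target form, `[\fB\-j\fP \fItarget-name\fP [\fItarget-options\fP...]`, open two brackets and close only one, unlike the `\-m` lines just above them, which end in `...]]`. The missing `]` is carried over unchanged from the old file, so it is fine to leave it out of a rename patch, but it should be fixed in a follow-up together with "iptables will try load a match module" in the MATCH EXTENSIONS text, which is missing a "to".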
diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in
deleted file mode 100644
index d6b409d..0000000
--- a/iptables/iptables.8.in
+++ /dev/null
@@ -1,438 +0,0 @@
-.TH IPTABLES 8 "" "@PACKAGE_AND_VERSION@" "@PACKAGE_AND_VERSION@"
-.\"
-.\" Man page written by Herve Eychenne <rv@wallfire.org> (May 1999)
-.\" It is based on ipchains page.
-.\" TODO: add a word for protocol helpers (FTP, IRC, SNMP-ALG)
-.\"
-.\" ipchains page by Paul ``Rusty'' Russell March 1997
-.\" Based on the original ipfwadm man page by Jos Vos <jos@xos.nl>
-.\"
-.\"	This program is free software; you can redistribute it and/or modify
-.\"	it under the terms of the GNU General Public License as published by
-.\"	the Free Software Foundation; either version 2 of the License, or
-.\"	(at your option) any later version.
-.\"
-.\"	This program is distributed in the hope that it will be useful,
-.\"	but WITHOUT ANY WARRANTY; without even the implied warranty of
-.\"	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-.\"	GNU General Public License for more details.
-.\"
-.\"	You should have received a copy of the GNU General Public License
-.\"	along with this program; if not, write to the Free Software
-.\"	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-.\"
-.\"
-.SH NAME
-iptables \(em administration tool for IPv4 packet filtering and NAT
-.SH SYNOPSIS
-\fBiptables\fP [\fB\-t\fP \fItable\fP] {\fB\-A\fP|\fB\-C\fP|\fB\-D\fP}
-\fIchain\fP \fIrule-specification\fP
-.PP
-\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-I\fP \fIchain\fP [\fIrulenum\fP] \fIrule-specification\fP
-.PP
-\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-R\fP \fIchain rulenum rule-specification\fP
-.PP
-\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-D\fP \fIchain rulenum\fP
-.PP
-\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-S\fP [\fIchain\fP [\fIrulenum\fP]]
-.PP
-\fBiptables\fP [\fB\-t\fP \fItable\fP] {\fB\-F\fP|\fB\-L\fP|\fB\-Z\fP} [\fIchain\fP [\fIrulenum\fP]] [\fIoptions...\fP]
-.PP
-\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-N\fP \fIchain\fP
-.PP
-\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-X\fP [\fIchain\fP]
-.PP
-\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-P\fP \fIchain target\fP
-.PP
-\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-E\fP \fIold-chain-name new-chain-name\fP
-.PP
-rule-specification = [\fImatches...\fP] [\fItarget\fP]
-.PP
-match = \fB\-m\fP \fImatchname\fP [\fIper-match-options\fP]
-.PP
-target = \fB\-j\fP \fItargetname\fP [\fIper\-target\-options\fP]
-.SH DESCRIPTION
-\fBIptables\fP is used to set up, maintain, and inspect the
-tables of IPv4 packet
-filter rules in the Linux kernel.  Several different tables
-may be defined.  Each table contains a number of built-in
-chains and may also contain user-defined chains.
-.PP
-Each chain is a list of rules which can match a set of packets.  Each
-rule specifies what to do with a packet that matches.  This is called
-a `target', which may be a jump to a user-defined chain in the same
-table.
-.SH TARGETS
-A firewall rule specifies criteria for a packet and a target.  If the
-packet does not match, the next rule in the chain is the examined; if
-it does match, then the next rule is specified by the value of the
-target, which can be the name of a user-defined chain or one of the
-special values \fBACCEPT\fP, \fBDROP\fP, \fBQUEUE\fP or \fBRETURN\fP.
-.PP
-\fBACCEPT\fP means to let the packet through.
-\fBDROP\fP means to drop the packet on the floor.
-\fBQUEUE\fP means to pass the packet to userspace.
-(How the packet can be received
-by a userspace process differs by the particular queue handler.  2.4.x
-and 2.6.x kernels up to 2.6.13 include the \fBip_queue\fP
-queue handler.  Kernels 2.6.14 and later additionally include the
-\fBnfnetlink_queue\fP queue handler.  Packets with a target of QUEUE will be
-sent to queue number '0' in this case. Please also see the \fBNFQUEUE\fP
-target as described later in this man page.)
-\fBRETURN\fP means stop traversing this chain and resume at the next
-rule in the
-previous (calling) chain.  If the end of a built-in chain is reached
-or a rule in a built-in chain with target \fBRETURN\fP
-is matched, the target specified by the chain policy determines the
-fate of the packet.
-.SH TABLES
-There are currently three independent tables (which tables are present
-at any time depends on the kernel configuration options and which
-modules are present).
-.TP
-\fB\-t\fP, \fB\-\-table\fP \fItable\fP
-This option specifies the packet matching table which the command
-should operate on.  If the kernel is configured with automatic module
-loading, an attempt will be made to load the appropriate module for
-that table if it is not already there.
-
-The tables are as follows:
-.RS
-.TP .4i
-\fBfilter\fP:
-This is the default table (if no \-t option is passed). It contains
-the built-in chains \fBINPUT\fP (for packets destined to local sockets),
-\fBFORWARD\fP (for packets being routed through the box), and
-\fBOUTPUT\fP (for locally-generated packets).
-.TP
-\fBnat\fP:
-This table is consulted when a packet that creates a new
-connection is encountered.  It consists of three built-ins: \fBPREROUTING\fP
-(for altering packets as soon as they come in), \fBOUTPUT\fP
-(for altering locally-generated packets before routing), and \fBPOSTROUTING\fP
-(for altering packets as they are about to go out).
-.TP
-\fBmangle\fP:
-This table is used for specialized packet alteration.  Until kernel
-2.4.17 it had two built-in chains: \fBPREROUTING\fP
-(for altering incoming packets before routing) and \fBOUTPUT\fP
-(for altering locally-generated packets before routing).
-Since kernel 2.4.18, three other built-in chains are also supported:
-\fBINPUT\fP (for packets coming into the box itself), \fBFORWARD\fP
-(for altering packets being routed through the box), and \fBPOSTROUTING\fP
-(for altering packets as they are about to go out).
-.TP
-\fBraw\fP:
-This table is used mainly for configuring exemptions from connection
-tracking in combination with the NOTRACK target.  It registers at the netfilter
-hooks with higher priority and is thus called before ip_conntrack, or any other
-IP tables.  It provides the following built-in chains: \fBPREROUTING\fP
-(for packets arriving via any network interface) \fBOUTPUT\fP
-(for packets generated by local processes)
-.TP
-\fBsecurity\fP:
-This table is used for Mandatory Access Control (MAC) networking rules, such
-as those enabled by the \fBSECMARK\fP and \fBCONNSECMARK\fP targets.
-Mandatory Access Control is implemented by Linux Security Modules such as
-SELinux.  The security table is called after the filter table, allowing any
-Discretionary Access Control (DAC) rules in the filter table to take effect
-before MAC rules.  This table provides the following built-in chains:
-\fBINPUT\fP (for packets coming into the box itself),
-\fBOUTPUT\fP (for altering locally-generated packets before routing), and
-\fBFORWARD\fP (for altering packets being routed through the box).
-.RE
-.SH OPTIONS
-The options that are recognized by
-\fBiptables\fP can be divided into several different groups.
-.SS COMMANDS
-These options specify the desired action to perform. Only one of them
-can be specified on the command line unless otherwise stated
-below. For long versions of the command and option names, you
-need to use only enough letters to ensure that
-\fBiptables\fP can differentiate it from all other options.
-.TP
-\fB\-A\fP, \fB\-\-append\fP \fIchain rule-specification\fP
-Append one or more rules to the end of the selected chain.
-When the source and/or destination names resolve to more than one
-address, a rule will be added for each possible address combination.
-.TP
-\fB\-C\fP, \fB\-\-check\fP \fIchain rule-specification\fP
-Check whether a rule matching the specification does exist in the
-selected chain. This command uses the same logic as \fB\-D\fP to
-find a matching entry, but does not alter the existing iptables
-configuration and uses its exit code to indicate success or failure.
-.TP
-\fB\-D\fP, \fB\-\-delete\fP \fIchain rule-specification\fP
-.ns
-.TP
-\fB\-D\fP, \fB\-\-delete\fP \fIchain rulenum\fP
-Delete one or more rules from the selected chain.  There are two
-versions of this command: the rule can be specified as a number in the
-chain (starting at 1 for the first rule) or a rule to match.
-.TP
-\fB\-I\fP, \fB\-\-insert\fP \fIchain\fP [\fIrulenum\fP] \fIrule-specification\fP
-Insert one or more rules in the selected chain as the given rule
-number.  So, if the rule number is 1, the rule or rules are inserted
-at the head of the chain.  This is also the default if no rule number
-is specified.
-.TP
-\fB\-R\fP, \fB\-\-replace\fP \fIchain rulenum rule-specification\fP
-Replace a rule in the selected chain.  If the source and/or
-destination names resolve to multiple addresses, the command will
-fail.  Rules are numbered starting at 1.
-.TP
-\fB\-L\fP, \fB\-\-list\fP [\fIchain\fP]
-List all rules in the selected chain.  If no chain is selected, all
-chains are listed. Like every other iptables command, it applies to the
-specified table (filter is the default), so NAT rules get listed by
-.nf
- iptables \-t nat \-n \-L
-.fi
-Please note that it is often used with the \fB\-n\fP
-option, in order to avoid long reverse DNS lookups.
-It is legal to specify the \fB\-Z\fP
-(zero) option as well, in which case the chain(s) will be atomically
-listed and zeroed.  The exact output is affected by the other
-arguments given. The exact rules are suppressed until you use
-.nf
- iptables \-L \-v
-.fi
-.TP
-\fB\-S\fP, \fB\-\-list\-rules\fP [\fIchain\fP]
-Print all rules in the selected chain.  If no chain is selected, all
-chains are printed like iptables-save. Like every other iptables command,
-it applies to the specified table (filter is the default).
-.TP
-\fB\-F\fP, \fB\-\-flush\fP [\fIchain\fP]
-Flush the selected chain (all the chains in the table if none is given).
-This is equivalent to deleting all the rules one by one.
-.TP
-\fB\-Z\fP, \fB\-\-zero\fP [\fIchain\fP [\fIrulenum\fP]]
-Zero the packet and byte counters in all chains, or only the given chain,
-or only the given rule in a chain. It is legal to
-specify the
-\fB\-L\fP, \fB\-\-list\fP
-(list) option as well, to see the counters immediately before they are
-cleared. (See above.)
-.TP
-\fB\-N\fP, \fB\-\-new\-chain\fP \fIchain\fP
-Create a new user-defined chain by the given name.  There must be no
-target of that name already.
-.TP
-\fB\-X\fP, \fB\-\-delete\-chain\fP [\fIchain\fP]
-Delete the optional user-defined chain specified.  There must be no references
-to the chain.  If there are, you must delete or replace the referring rules
-before the chain can be deleted.  The chain must be empty, i.e. not contain
-any rules.  If no argument is given, it will attempt to delete every
-non-builtin chain in the table.
-.TP
-\fB\-P\fP, \fB\-\-policy\fP \fIchain target\fP
-Set the policy for the chain to the given target.  See the section \fBTARGETS\fP
-for the legal targets.  Only built-in (non-user-defined) chains can have
-policies, and neither built-in nor user-defined chains can be policy
-targets.
-.TP
-\fB\-E\fP, \fB\-\-rename\-chain\fP \fIold\-chain new\-chain\fP
-Rename the user specified chain to the user supplied name.  This is
-cosmetic, and has no effect on the structure of the table.
-.TP
-\fB\-h\fP
-Help.
-Give a (currently very brief) description of the command syntax.
-.SS PARAMETERS
-The following parameters make up a rule specification (as used in the
-add, delete, insert, replace and append commands).
-.TP
-[\fB!\fP] \fB\-p\fP, \fB\-\-protocol\fP \fIprotocol\fP
-The protocol of the rule or of the packet to check.
-The specified protocol can be one of \fBtcp\fP, \fBudp\fP, \fBudplite\fP,
-\fBicmp\fP, \fBesp\fP, \fBah\fP, \fBsctp\fP or the special keyword "\fBall\fP",
-or it can be a numeric value, representing one of these protocols or a
-different one.  A protocol name from /etc/protocols is also allowed.
-A "!" argument before the protocol inverts the
-test.  The number zero is equivalent to \fBall\fP. "\fBall\fP"
-will match with all protocols and is taken as default when this
-option is omitted.
-.TP
-[\fB!\fP] \fB\-s\fP, \fB\-\-source\fP \fIaddress\fP[\fB/\fP\fImask\fP][\fB,\fP\fI...\fP]
-Source specification. \fIAddress\fP
-can be either a network name, a hostname, a network IP address (with
-\fB/\fP\fImask\fP), or a plain IP address. Hostnames will
-be resolved once only, before the rule is submitted to the kernel.
-Please note that specifying any name to be resolved with a remote query such as
-DNS is a really bad idea.
-The \fImask\fP
-can be either a network mask or a plain number,
-specifying the number of 1's at the left side of the network mask.
-Thus, a mask of \fI24\fP is equivalent to \fI255.255.255.0\fP.
-A "!" argument before the address specification inverts the sense of
-the address. The flag \fB\-\-src\fP is an alias for this option.
-Multiple addresses can be specified, but this will \fBexpand to multiple
-rules\fP (when adding with \-A), or will cause multiple rules to be
-deleted (with \-D).
-.TP
-[\fB!\fP] \fB\-d\fP, \fB\-\-destination\fP \fIaddress\fP[\fB/\fP\fImask\fP][\fB,\fP\fI...\fP]
-Destination specification. 
-See the description of the \fB\-s\fP
-(source) flag for a detailed description of the syntax.  The flag
-\fB\-\-dst\fP is an alias for this option.
-.TP
-\fB\-j\fP, \fB\-\-jump\fP \fItarget\fP
-This specifies the target of the rule; i.e., what to do if the packet
-matches it.  The target can be a user-defined chain (other than the
-one this rule is in), one of the special builtin targets which decide
-the fate of the packet immediately, or an extension (see \fBEXTENSIONS\fP
-below).  If this
-option is omitted in a rule (and \fB\-g\fP
-is not used), then matching the rule will have no
-effect on the packet's fate, but the counters on the rule will be
-incremented.
-.TP
-\fB\-g\fP, \fB\-\-goto\fP \fIchain\fP
-This specifies that the processing should continue in a user
-specified chain. Unlike the \-\-jump option return will not continue
-processing in this chain but instead in the chain that called us via
-\-\-jump.
-.TP
-[\fB!\fP] \fB\-i\fP, \fB\-\-in\-interface\fP \fIname\fP
-Name of an interface via which a packet was received (only for
-packets entering the \fBINPUT\fP, \fBFORWARD\fP and \fBPREROUTING\fP
-chains).  When the "!" argument is used before the interface name, the
-sense is inverted.  If the interface name ends in a "+", then any
-interface which begins with this name will match.  If this option is
-omitted, any interface name will match.
-.TP
-[\fB!\fP] \fB\-o\fP, \fB\-\-out\-interface\fP \fIname\fP
-Name of an interface via which a packet is going to be sent (for packets
-entering the \fBFORWARD\fP, \fBOUTPUT\fP and \fBPOSTROUTING\fP
-chains).  When the "!" argument is used before the interface name, the
-sense is inverted.  If the interface name ends in a "+", then any
-interface which begins with this name will match.  If this option is
-omitted, any interface name will match.
-.TP
-[\fB!\fP] \fB\-f\fP, \fB\-\-fragment\fP
-This means that the rule only refers to second and further fragments
-of fragmented packets.  Since there is no way to tell the source or
-destination ports of such a packet (or ICMP type), such a packet will
-not match any rules which specify them.  When the "!" argument
-precedes the "\-f" flag, the rule will only match head fragments, or
-unfragmented packets.
-.TP
-\fB\-c\fP, \fB\-\-set\-counters\fP \fIpackets bytes\fP
-This enables the administrator to initialize the packet and byte
-counters of a rule (during \fBINSERT\fP, \fBAPPEND\fP, \fBREPLACE\fP
-operations).
-.SS "OTHER OPTIONS"
-The following additional options can be specified:
-.TP
-\fB\-v\fP, \fB\-\-verbose\fP
-Verbose output.  This option makes the list command show the interface
-name, the rule options (if any), and the TOS masks.  The packet and
-byte counters are also listed, with the suffix 'K', 'M' or 'G' for
-1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see
-the \fB\-x\fP flag to change this).
-For appending, insertion, deletion and replacement, this causes
-detailed information on the rule or rules to be printed. \fB\-v\fP may be
-specified multiple times to possibly emit more detailed debug statements.
-.TP
-\fB\-n\fP, \fB\-\-numeric\fP
-Numeric output.
-IP addresses and port numbers will be printed in numeric format.
-By default, the program will try to display them as host names,
-network names, or services (whenever applicable).
-.TP
-\fB\-x\fP, \fB\-\-exact\fP
-Expand numbers.
-Display the exact value of the packet and byte counters,
-instead of only the rounded number in K's (multiples of 1000)
-M's (multiples of 1000K) or G's (multiples of 1000M).  This option is
-only relevant for the \fB\-L\fP command.
-.TP
-\fB\-\-line\-numbers\fP
-When listing rules, add line numbers to the beginning of each rule,
-corresponding to that rule's position in the chain.
-.TP
-\fB\-\-modprobe=\fP\fIcommand\fP
-When adding or inserting rules into a chain, use \fIcommand\fP
-to load any necessary modules (targets, match extensions, etc).
-.SH MATCH AND TARGET EXTENSIONS
-.PP
-iptables can use extended packet matching and target modules.
-A list of these is available in the \fBiptables\-extensions\fP(8) manpage.
-.SH DIAGNOSTICS
-Various error messages are printed to standard error.  The exit code
-is 0 for correct functioning.  Errors which appear to be caused by
-invalid or abused command line parameters cause an exit code of 2, and
-other errors cause an exit code of 1.
-.SH BUGS
-Bugs?  What's this? ;-)
-Well, you might want to have a look at http://bugzilla.netfilter.org/
-.SH COMPATIBILITY WITH IPCHAINS
-This \fBiptables\fP
-is very similar to ipchains by Rusty Russell.  The main difference is
-that the chains \fBINPUT\fP and \fBOUTPUT\fP
-are only traversed for packets coming into the local host and
-originating from the local host respectively.  Hence every packet only
-passes through one of the three chains (except loopback traffic, which
-involves both INPUT and OUTPUT chains); previously a forwarded packet
-would pass through all three.
-.PP
-The other main difference is that \fB\-i\fP refers to the input interface;
-\fB\-o\fP refers to the output interface, and both are available for packets
-entering the \fBFORWARD\fP chain.
-.PP
-The various forms of NAT have been separated out; \fBiptables\fP
-is a pure packet filter when using the default `filter' table, with
-optional extension modules.  This should simplify much of the previous
-confusion over the combination of IP masquerading and packet filtering
-seen previously.  So the following options are handled differently:
-.nf
- \-j MASQ
- \-M \-S
- \-M \-L
-.fi
-There are several other changes in iptables.
-.SH SEE ALSO
-\fBiptables\-apply\fP(8),
-\fBiptables\-save\fP(8),
-\fBiptables\-restore\fP(8),
-\fBiptables\-extensions\fP(8),
-\fBip6tables\fP(8),
-\fBip6tables\-save\fP(8),
-\fBip6tables\-restore\fP(8),
-\fBlibipq\fP(3).
-.PP
-The packet-filtering-HOWTO details iptables usage for
-packet filtering, the NAT-HOWTO details NAT,
-the netfilter-extensions-HOWTO details the extensions that are
-not in the standard distribution,
-and the netfilter-hacking-HOWTO details the netfilter internals.
-.br
-See
-.BR "http://www.netfilter.org/" .
-.SH AUTHORS
-Rusty Russell originally wrote iptables, in early consultation with Michael
-Neuling.
-.PP
-Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet
-selection framework in iptables, then wrote the mangle table, the owner match,
-the mark stuff, and ran around doing cool stuff everywhere.
-.PP
-James Morris wrote the TOS target, and tos match.
-.PP
-Jozsef Kadlecsik wrote the REJECT target.
-.PP
-Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, as well as the TTL, DSCP, ECN matches and targets.
-.PP
-The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Yasuyuki Kozakai,
-Jozsef Kadlecsik, Patrick McHardy, James Morris, Pablo Neira Ayuso,
-Harald Welte and Rusty Russell.
-.PP
-Man page originally written by Herve Eychenne <rv@wallfire.org>.
-.\" .. and did I mention that we are incredibly cool people?
-.\" .. sexy, too ..
-.\" .. witty, charming, powerful ..
-.\" .. and most of all, modest ..
-.SH VERSION
-.PP
-This manual page applies to iptables @PACKAGE_VERSION@.
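Review bot: Rename detection is missing from this patch: the old file is deleted in full here and the text comes back as "new file mode 100644" in the next diff, and the removed lines visible here (from the \-j description through the VERSION section) match the added ones line for line. Generating the patch with git format-patch -M would collapse the pair into a rename header, so that any real content change between the two copies stands out instead of being buried in several hundred lines of identical roff.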
diff --git a/iptables/iptables.8in b/iptables/iptables.8in
new file mode 100644
index 0000000..d6b409d
--- /dev/null
+++ b/iptables/iptables.8in
@@ -0,0 +1,438 @@
+.TH IPTABLES 8 "" "@PACKAGE_AND_VERSION@" "@PACKAGE_AND_VERSION@"
+.\"
+.\" Man page written by Herve Eychenne <rv@wallfire.org> (May 1999)
+.\" It is based on ipchains page.
+.\" TODO: add a word for protocol helpers (FTP, IRC, SNMP-ALG)
+.\"
+.\" ipchains page by Paul ``Rusty'' Russell March 1997
+.\" Based on the original ipfwadm man page by Jos Vos <jos@xos.nl>
+.\"
+.\"	This program is free software; you can redistribute it and/or modify
+.\"	it under the terms of the GNU General Public License as published by
+.\"	the Free Software Foundation; either version 2 of the License, or
+.\"	(at your option) any later version.
+.\"
+.\"	This program is distributed in the hope that it will be useful,
+.\"	but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\"	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+.\"	GNU General Public License for more details.
+.\"
+.\"	You should have received a copy of the GNU General Public License
+.\"	along with this program; if not, write to the Free Software
+.\"	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+iptables \(em administration tool for IPv4 packet filtering and NAT
+.SH SYNOPSIS
+\fBiptables\fP [\fB\-t\fP \fItable\fP] {\fB\-A\fP|\fB\-C\fP|\fB\-D\fP}
+\fIchain\fP \fIrule-specification\fP
+.PP
+\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-I\fP \fIchain\fP [\fIrulenum\fP] \fIrule-specification\fP
+.PP
+\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-R\fP \fIchain rulenum rule-specification\fP
+.PP
+\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-D\fP \fIchain rulenum\fP
+.PP
+\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-S\fP [\fIchain\fP [\fIrulenum\fP]]
+.PP
+\fBiptables\fP [\fB\-t\fP \fItable\fP] {\fB\-F\fP|\fB\-L\fP|\fB\-Z\fP} [\fIchain\fP [\fIrulenum\fP]] [\fIoptions...\fP]
+.PP
+\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-N\fP \fIchain\fP
+.PP
+\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-X\fP [\fIchain\fP]
+.PP
+\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-P\fP \fIchain target\fP
+.PP
+\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-E\fP \fIold-chain-name new-chain-name\fP
+.PP
+rule-specification = [\fImatches...\fP] [\fItarget\fP]
+.PP
+match = \fB\-m\fP \fImatchname\fP [\fIper-match-options\fP]
+.PP
+target = \fB\-j\fP \fItargetname\fP [\fIper\-target\-options\fP]
+.SH DESCRIPTION
+\fBIptables\fP is used to set up, maintain, and inspect the
+tables of IPv4 packet
+filter rules in the Linux kernel.  Several different tables
+may be defined.  Each table contains a number of built-in
+chains and may also contain user-defined chains.
+.PP
+Each chain is a list of rules which can match a set of packets.  Each
+rule specifies what to do with a packet that matches.  This is called
+a `target', which may be a jump to a user-defined chain in the same
+table.
+.SH TARGETS
+A firewall rule specifies criteria for a packet and a target.  If the
+packet does not match, the next rule in the chain is the examined; if
+it does match, then the next rule is specified by the value of the
+target, which can be the name of a user-defined chain or one of the
+special values \fBACCEPT\fP, \fBDROP\fP, \fBQUEUE\fP or \fBRETURN\fP.
+.PP
+\fBACCEPT\fP means to let the packet through.
+\fBDROP\fP means to drop the packet on the floor.
+\fBQUEUE\fP means to pass the packet to userspace.
+(How the packet can be received
+by a userspace process differs by the particular queue handler.  2.4.x
+and 2.6.x kernels up to 2.6.13 include the \fBip_queue\fP
+queue handler.  Kernels 2.6.14 and later additionally include the
+\fBnfnetlink_queue\fP queue handler.  Packets with a target of QUEUE will be
+sent to queue number '0' in this case. Please also see the \fBNFQUEUE\fP
+target as described later in this man page.)
+\fBRETURN\fP means stop traversing this chain and resume at the next
+rule in the
+previous (calling) chain.  If the end of a built-in chain is reached
+or a rule in a built-in chain with target \fBRETURN\fP
+is matched, the target specified by the chain policy determines the
+fate of the packet.
+.SH TABLES
+There are currently three independent tables (which tables are present
+at any time depends on the kernel configuration options and which
+modules are present).
+.TP
+\fB\-t\fP, \fB\-\-table\fP \fItable\fP
+This option specifies the packet matching table which the command
+should operate on.  If the kernel is configured with automatic module
+loading, an attempt will be made to load the appropriate module for
+that table if it is not already there.
+
+The tables are as follows:
+.RS
+.TP .4i
+\fBfilter\fP:
+This is the default table (if no \-t option is passed). It contains
+the built-in chains \fBINPUT\fP (for packets destined to local sockets),
+\fBFORWARD\fP (for packets being routed through the box), and
+\fBOUTPUT\fP (for locally-generated packets).
+.TP
+\fBnat\fP:
+This table is consulted when a packet that creates a new
+connection is encountered.  It consists of three built-ins: \fBPREROUTING\fP
+(for altering packets as soon as they come in), \fBOUTPUT\fP
+(for altering locally-generated packets before routing), and \fBPOSTROUTING\fP
+(for altering packets as they are about to go out).
+.TP
+\fBmangle\fP:
+This table is used for specialized packet alteration.  Until kernel
+2.4.17 it had two built-in chains: \fBPREROUTING\fP
+(for altering incoming packets before routing) and \fBOUTPUT\fP
+(for altering locally-generated packets before routing).
+Since kernel 2.4.18, three other built-in chains are also supported:
+\fBINPUT\fP (for packets coming into the box itself), \fBFORWARD\fP
+(for altering packets being routed through the box), and \fBPOSTROUTING\fP
+(for altering packets as they are about to go out).
+.TP
+\fBraw\fP:
+This table is used mainly for configuring exemptions from connection
+tracking in combination with the NOTRACK target.  It registers at the netfilter
+hooks with higher priority and is thus called before ip_conntrack, or any other
+IP tables.  It provides the following built-in chains: \fBPREROUTING\fP
+(for packets arriving via any network interface) \fBOUTPUT\fP
+(for packets generated by local processes)
+.TP
+\fBsecurity\fP:
+This table is used for Mandatory Access Control (MAC) networking rules, such
+as those enabled by the \fBSECMARK\fP and \fBCONNSECMARK\fP targets.
+Mandatory Access Control is implemented by Linux Security Modules such as
+SELinux.  The security table is called after the filter table, allowing any
+Discretionary Access Control (DAC) rules in the filter table to take effect
+before MAC rules.  This table provides the following built-in chains:
+\fBINPUT\fP (for packets coming into the box itself),
+\fBOUTPUT\fP (for altering locally-generated packets before routing), and
+\fBFORWARD\fP (for altering packets being routed through the box).
+.RE
+.SH OPTIONS
+The options that are recognized by
+\fBiptables\fP can be divided into several different groups.
+.SS COMMANDS
+These options specify the desired action to perform. Only one of them
+can be specified on the command line unless otherwise stated
+below. For long versions of the command and option names, you
+need to use only enough letters to ensure that
+\fBiptables\fP can differentiate it from all other options.
+.TP
+\fB\-A\fP, \fB\-\-append\fP \fIchain rule-specification\fP
+Append one or more rules to the end of the selected chain.
+When the source and/or destination names resolve to more than one
+address, a rule will be added for each possible address combination.
+.TP
+\fB\-C\fP, \fB\-\-check\fP \fIchain rule-specification\fP
+Check whether a rule matching the specification does exist in the
+selected chain. This command uses the same logic as \fB\-D\fP to
+find a matching entry, but does not alter the existing iptables
+configuration and uses its exit code to indicate success or failure.
+.TP
+\fB\-D\fP, \fB\-\-delete\fP \fIchain rule-specification\fP
+.ns
+.TP
+\fB\-D\fP, \fB\-\-delete\fP \fIchain rulenum\fP
+Delete one or more rules from the selected chain.  There are two
+versions of this command: the rule can be specified as a number in the
+chain (starting at 1 for the first rule) or a rule to match.
+.TP
+\fB\-I\fP, \fB\-\-insert\fP \fIchain\fP [\fIrulenum\fP] \fIrule-specification\fP
+Insert one or more rules in the selected chain as the given rule
+number.  So, if the rule number is 1, the rule or rules are inserted
+at the head of the chain.  This is also the default if no rule number
+is specified.
+.TP
+\fB\-R\fP, \fB\-\-replace\fP \fIchain rulenum rule-specification\fP
+Replace a rule in the selected chain.  If the source and/or
+destination names resolve to multiple addresses, the command will
+fail.  Rules are numbered starting at 1.
+.TP
+\fB\-L\fP, \fB\-\-list\fP [\fIchain\fP]
+List all rules in the selected chain.  If no chain is selected, all
+chains are listed. Like every other iptables command, it applies to the
+specified table (filter is the default), so NAT rules get listed by
+.nf
+ iptables \-t nat \-n \-L
+.fi
+Please note that it is often used with the \fB\-n\fP
+option, in order to avoid long reverse DNS lookups.
+It is legal to specify the \fB\-Z\fP
+(zero) option as well, in which case the chain(s) will be atomically
+listed and zeroed.  The exact output is affected by the other
+arguments given. The exact rules are suppressed until you use
+.nf
+ iptables \-L \-v
+.fi
+.TP
+\fB\-S\fP, \fB\-\-list\-rules\fP [\fIchain\fP]
+Print all rules in the selected chain.  If no chain is selected, all
+chains are printed like iptables-save. Like every other iptables command,
+it applies to the specified table (filter is the default).
+.TP
+\fB\-F\fP, \fB\-\-flush\fP [\fIchain\fP]
+Flush the selected chain (all the chains in the table if none is given).
+This is equivalent to deleting all the rules one by one.
+.TP
+\fB\-Z\fP, \fB\-\-zero\fP [\fIchain\fP [\fIrulenum\fP]]
+Zero the packet and byte counters in all chains, or only the given chain,
+or only the given rule in a chain. It is legal to
+specify the
+\fB\-L\fP, \fB\-\-list\fP
+(list) option as well, to see the counters immediately before they are
+cleared. (See above.)
+.TP
+\fB\-N\fP, \fB\-\-new\-chain\fP \fIchain\fP
+Create a new user-defined chain by the given name.  There must be no
+target of that name already.
+.TP
+\fB\-X\fP, \fB\-\-delete\-chain\fP [\fIchain\fP]
+Delete the optional user-defined chain specified.  There must be no references
+to the chain.  If there are, you must delete or replace the referring rules
+before the chain can be deleted.  The chain must be empty, i.e. not contain
+any rules.  If no argument is given, it will attempt to delete every
+non-builtin chain in the table.
+.TP
+\fB\-P\fP, \fB\-\-policy\fP \fIchain target\fP
+Set the policy for the chain to the given target.  See the section \fBTARGETS\fP
+for the legal targets.  Only built-in (non-user-defined) chains can have
+policies, and neither built-in nor user-defined chains can be policy
+targets.
+.TP
+\fB\-E\fP, \fB\-\-rename\-chain\fP \fIold\-chain new\-chain\fP
+Rename the user specified chain to the user supplied name.  This is
+cosmetic, and has no effect on the structure of the table.
+.TP
+\fB\-h\fP
+Help.
+Give a (currently very brief) description of the command syntax.
+.SS PARAMETERS
+The following parameters make up a rule specification (as used in the
+add, delete, insert, replace and append commands).
+.TP
+[\fB!\fP] \fB\-p\fP, \fB\-\-protocol\fP \fIprotocol\fP
+The protocol of the rule or of the packet to check.
+The specified protocol can be one of \fBtcp\fP, \fBudp\fP, \fBudplite\fP,
+\fBicmp\fP, \fBesp\fP, \fBah\fP, \fBsctp\fP or the special keyword "\fBall\fP",
+or it can be a numeric value, representing one of these protocols or a
+different one.  A protocol name from /etc/protocols is also allowed.
+A "!" argument before the protocol inverts the
+test.  The number zero is equivalent to \fBall\fP. "\fBall\fP"
+will match with all protocols and is taken as default when this
+option is omitted.
+.TP
+[\fB!\fP] \fB\-s\fP, \fB\-\-source\fP \fIaddress\fP[\fB/\fP\fImask\fP][\fB,\fP\fI...\fP]
+Source specification. \fIAddress\fP
+can be either a network name, a hostname, a network IP address (with
+\fB/\fP\fImask\fP), or a plain IP address. Hostnames will
+be resolved once only, before the rule is submitted to the kernel.
+Please note that specifying any name to be resolved with a remote query such as
+DNS is a really bad idea.
+The \fImask\fP
+can be either a network mask or a plain number,
+specifying the number of 1's at the left side of the network mask.
+Thus, a mask of \fI24\fP is equivalent to \fI255.255.255.0\fP.
+A "!" argument before the address specification inverts the sense of
+the address. The flag \fB\-\-src\fP is an alias for this option.
+Multiple addresses can be specified, but this will \fBexpand to multiple
+rules\fP (when adding with \-A), or will cause multiple rules to be
+deleted (with \-D).
+.TP
+[\fB!\fP] \fB\-d\fP, \fB\-\-destination\fP \fIaddress\fP[\fB/\fP\fImask\fP][\fB,\fP\fI...\fP]
+Destination specification. 
+See the description of the \fB\-s\fP
+(source) flag for a detailed description of the syntax.  The flag
+\fB\-\-dst\fP is an alias for this option.
+.TP
+\fB\-j\fP, \fB\-\-jump\fP \fItarget\fP
+This specifies the target of the rule; i.e., what to do if the packet
+matches it.  The target can be a user-defined chain (other than the
+one this rule is in), one of the special builtin targets which decide
+the fate of the packet immediately, or an extension (see \fBEXTENSIONS\fP
+below).  If this
+option is omitted in a rule (and \fB\-g\fP
+is not used), then matching the rule will have no
+effect on the packet's fate, but the counters on the rule will be
+incremented.
+.TP
+\fB\-g\fP, \fB\-\-goto\fP \fIchain\fP
+This specifies that the processing should continue in a user
+specified chain. Unlike the \-\-jump option return will not continue
+processing in this chain but instead in the chain that called us via
+\-\-jump.
+.TP
+[\fB!\fP] \fB\-i\fP, \fB\-\-in\-interface\fP \fIname\fP
+Name of an interface via which a packet was received (only for
+packets entering the \fBINPUT\fP, \fBFORWARD\fP and \fBPREROUTING\fP
+chains).  When the "!" argument is used before the interface name, the
+sense is inverted.  If the interface name ends in a "+", then any
+interface which begins with this name will match.  If this option is
+omitted, any interface name will match.
+.TP
+[\fB!\fP] \fB\-o\fP, \fB\-\-out\-interface\fP \fIname\fP
+Name of an interface via which a packet is going to be sent (for packets
+entering the \fBFORWARD\fP, \fBOUTPUT\fP and \fBPOSTROUTING\fP
+chains).  When the "!" argument is used before the interface name, the
+sense is inverted.  If the interface name ends in a "+", then any
+interface which begins with this name will match.  If this option is
+omitted, any interface name will match.
+.TP
+[\fB!\fP] \fB\-f\fP, \fB\-\-fragment\fP
+This means that the rule only refers to second and further fragments
+of fragmented packets.  Since there is no way to tell the source or
+destination ports of such a packet (or ICMP type), such a packet will
+not match any rules which specify them.  When the "!" argument
+precedes the "\-f" flag, the rule will only match head fragments, or
+unfragmented packets.
+.TP
+\fB\-c\fP, \fB\-\-set\-counters\fP \fIpackets bytes\fP
+This enables the administrator to initialize the packet and byte
+counters of a rule (during \fBINSERT\fP, \fBAPPEND\fP, \fBREPLACE\fP
+operations).
+.SS "OTHER OPTIONS"
+The following additional options can be specified:
+.TP
+\fB\-v\fP, \fB\-\-verbose\fP
+Verbose output.  This option makes the list command show the interface
+name, the rule options (if any), and the TOS masks.  The packet and
+byte counters are also listed, with the suffix 'K', 'M' or 'G' for
+1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see
+the \fB\-x\fP flag to change this).
+For appending, insertion, deletion and replacement, this causes
+detailed information on the rule or rules to be printed. \fB\-v\fP may be
+specified multiple times to possibly emit more detailed debug statements.
+.TP
+\fB\-n\fP, \fB\-\-numeric\fP
+Numeric output.
+IP addresses and port numbers will be printed in numeric format.
+By default, the program will try to display them as host names,
+network names, or services (whenever applicable).
+.TP
+\fB\-x\fP, \fB\-\-exact\fP
+Expand numbers.
+Display the exact value of the packet and byte counters,
+instead of only the rounded number in K's (multiples of 1000)
+M's (multiples of 1000K) or G's (multiples of 1000M).  This option is
+only relevant for the \fB\-L\fP command.
+.TP
+\fB\-\-line\-numbers\fP
+When listing rules, add line numbers to the beginning of each rule,
+corresponding to that rule's position in the chain.
+.TP
+\fB\-\-modprobe=\fP\fIcommand\fP
+When adding or inserting rules into a chain, use \fIcommand\fP
+to load any necessary modules (targets, match extensions, etc).
+.SH MATCH AND TARGET EXTENSIONS
+.PP
+iptables can use extended packet matching and target modules.
+A list of these is available in the \fBiptables\-extensions\fP(8) manpage.
+.SH DIAGNOSTICS
+Various error messages are printed to standard error.  The exit code
+is 0 for correct functioning.  Errors which appear to be caused by
+invalid or abused command line parameters cause an exit code of 2, and
+other errors cause an exit code of 1.
+.SH BUGS
+Bugs?  What's this? ;-)
+Well, you might want to have a look at http://bugzilla.netfilter.org/
+.SH COMPATIBILITY WITH IPCHAINS
+This \fBiptables\fP
+is very similar to ipchains by Rusty Russell.  The main difference is
+that the chains \fBINPUT\fP and \fBOUTPUT\fP
+are only traversed for packets coming into the local host and
+originating from the local host respectively.  Hence every packet only
+passes through one of the three chains (except loopback traffic, which
+involves both INPUT and OUTPUT chains); previously a forwarded packet
+would pass through all three.
+.PP
+The other main difference is that \fB\-i\fP refers to the input interface;
+\fB\-o\fP refers to the output interface, and both are available for packets
+entering the \fBFORWARD\fP chain.
+.PP
+The various forms of NAT have been separated out; \fBiptables\fP
+is a pure packet filter when using the default `filter' table, with
+optional extension modules.  This should simplify much of the previous
+confusion over the combination of IP masquerading and packet filtering
+seen previously.  So the following options are handled differently:
+.nf
+ \-j MASQ
+ \-M \-S
+ \-M \-L
+.fi
+There are several other changes in iptables.
+.SH SEE ALSO
+\fBiptables\-apply\fP(8),
+\fBiptables\-save\fP(8),
+\fBiptables\-restore\fP(8),
+\fBiptables\-extensions\fP(8),
+\fBip6tables\fP(8),
+\fBip6tables\-save\fP(8),
+\fBip6tables\-restore\fP(8),
+\fBlibipq\fP(3).
+.PP
+The packet-filtering-HOWTO details iptables usage for
+packet filtering, the NAT-HOWTO details NAT,
+the netfilter-extensions-HOWTO details the extensions that are
+not in the standard distribution,
+and the netfilter-hacking-HOWTO details the netfilter internals.
+.br
+See
+.BR "http://www.netfilter.org/" .
+.SH AUTHORS
+Rusty Russell originally wrote iptables, in early consultation with Michael
+Neuling.
+.PP
+Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet
+selection framework in iptables, then wrote the mangle table, the owner match,
+the mark stuff, and ran around doing cool stuff everywhere.
+.PP
+James Morris wrote the TOS target, and tos match.
+.PP
+Jozsef Kadlecsik wrote the REJECT target.
+.PP
+Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, as well as the TTL, DSCP, ECN matches and targets.
+.PP
+The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Yasuyuki Kozakai,
+Jozsef Kadlecsik, Patrick McHardy, James Morris, Pablo Neira Ayuso,
+Harald Welte and Rusty Russell.
+.PP
+Man page originally written by Herve Eychenne <rv@wallfire.org>.
+.\" .. and did I mention that we are incredibly cool people?
+.\" .. sexy, too ..
+.\" .. witty, charming, powerful ..
+.\" .. and most of all, modest ..
+.SH VERSION
+.PP
+This manual page applies to iptables @PACKAGE_VERSION@.
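Review bot: The TABLES section says "There are currently three independent tables" but the list under \-t goes on to describe five: filter, nat, mangle, raw and security. As this patch is a rename the wording is presumably inherited rather than new, but it wants a follow-up, along with "the next rule in the chain is the examined" in TARGETS, the missing "and" and full stop in the raw entry's chain list, and the two pointers that no longer resolve inside this page ("see EXTENSIONS below" under \-j, and the NFQUEUE target "as described later in this man page"), since the page now sends readers to iptables-extensions(8) for extensions.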
-- 
1.7.10.4



* [PATCH 2/9] doc: add package version to all manpages
  2012-10-10 12:26 Documentation fixes to iptables Jan Engelhardt
  2012-10-10 12:26 ` [PATCH 1/9] doc: rename .8.in files to .8in Jan Engelhardt
@ 2012-10-10 12:26 ` Jan Engelhardt
  2012-10-10 12:26 ` [PATCH 3/9] doc: fixup omissions in ip6tables-restore.8 Jan Engelhardt
                   ` (7 subsequent siblings)
  9 siblings, 0 replies; 14+ messages in thread
From: Jan Engelhardt @ 2012-10-10 12:26 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel

Some manpages already had this - expand it to all of them. This is
useful to determine how old random renditions of these manpages on the
Internet actually are.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 iptables/.gitignore              |    4 +--
 iptables/Makefile.am             |    2 +-
 iptables/ip6tables-restore.8     |   52 -------------------------------------
 iptables/ip6tables-restore.8in   |   52 +++++++++++++++++++++++++++++++++++++
 iptables/ip6tables-save.8        |   53 --------------------------------------
 iptables/ip6tables-save.8in      |   53 ++++++++++++++++++++++++++++++++++++++
 iptables/ip6tables.8in           |    2 +-
 iptables/iptables-apply.8        |   44 -------------------------------
 iptables/iptables-apply.8in      |   44 +++++++++++++++++++++++++++++++
 iptables/iptables-extensions.8in |    2 +-
 iptables/iptables-restore.8      |   50 -----------------------------------
 iptables/iptables-restore.8in    |   50 +++++++++++++++++++++++++++++++++++
 iptables/iptables-save.8         |   51 ------------------------------------
 iptables/iptables-save.8in       |   51 ++++++++++++++++++++++++++++++++++++
 iptables/iptables.8in            |    2 +-
 15 files changed, 255 insertions(+), 257 deletions(-)
 delete mode 100644 iptables/ip6tables-restore.8
 create mode 100644 iptables/ip6tables-restore.8in
 delete mode 100644 iptables/ip6tables-save.8
 create mode 100644 iptables/ip6tables-save.8in
 delete mode 100644 iptables/iptables-apply.8
 create mode 100644 iptables/iptables-apply.8in
 delete mode 100644 iptables/iptables-restore.8
 create mode 100644 iptables/iptables-restore.8in
 delete mode 100644 iptables/iptables-save.8
 create mode 100644 iptables/iptables-save.8in

diff --git a/iptables/.gitignore b/iptables/.gitignore
index 4fc63aa..8d7e987 100644
--- a/iptables/.gitignore
+++ b/iptables/.gitignore
@@ -1,11 +1,9 @@
+/*.8
 /ip6tables
-/ip6tables.8
 /ip6tables-save
 /ip6tables-restore
 /ip6tables-static
 /iptables
-/iptables.8
-/iptables-extensions.8
 /iptables-save
 /iptables-restore
 /iptables-static
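Review bot: The new "/*.8" pattern assumes every section-8 page in iptables/ is a build product. That holds for the files this patch converts to .8in, but a hand-written .8 file added to the directory later would be ignored silently and need git add -f. A sentence in the commit message saying that all .8 pages are now generated from .8in would make the intent clear, since the message only talks about adding the version.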
diff --git a/iptables/Makefile.am b/iptables/Makefile.am
index 65776a3..ecd6115 100644
--- a/iptables/Makefile.am
+++ b/iptables/Makefile.am
@@ -27,7 +27,7 @@ xtables_multi_LDADD   += ../libxtables/libxtables.la -lm
 sbin_PROGRAMS    = xtables-multi
 man_MANS         = iptables.8 iptables-restore.8 iptables-save.8 \
                    iptables-xml.1 ip6tables.8 ip6tables-restore.8 \
-                   ip6tables-save.8 iptables-extensions.8
+                   ip6tables-save.8 iptables-extensions.8 iptables-apply.8
 CLEANFILES       = iptables.8 ip6tables.8
 
 vx_bin_links   = iptables-xml
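Review bot: The unchanged CLEANFILES line in this hunk still names only iptables.8 and ip6tables.8, while the diffstat shows iptables-restore.8, iptables-save.8, ip6tables-restore.8, ip6tables-save.8 and iptables-apply.8 being deleted and recreated as .8in, i.e. they become generated files. Unless they are cleaned somewhere outside this hunk, make clean will leave them behind and make distcheck is likely to complain; adding the generated pages to CLEANFILES would cover it. Adding iptables-apply.8 to man_MANS also starts installing that page, which the commit message does not mention.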
diff --git a/iptables/ip6tables-restore.8 b/iptables/ip6tables-restore.8
deleted file mode 100644
index 59a3b2e..0000000
--- a/iptables/ip6tables-restore.8
+++ /dev/null
@@ -1,52 +0,0 @@
-.TH IP6TABLES-RESTORE 8 "Jan 30, 2002" "" ""
-.\"
-.\" Man page written by Harald Welte <laforge@gnumonks.org>
-.\" It is based on the iptables man page.
-.\"
-.\"	This program is free software; you can redistribute it and/or modify
-.\"	it under the terms of the GNU General Public License as published by
-.\"	the Free Software Foundation; either version 2 of the License, or
-.\"	(at your option) any later version.
-.\"
-.\"	This program is distributed in the hope that it will be useful,
-.\"	but WITHOUT ANY WARRANTY; without even the implied warranty of
-.\"	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-.\"	GNU General Public License for more details.
-.\"
-.\"	You should have received a copy of the GNU General Public License
-.\"	along with this program; if not, write to the Free Software
-.\"	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-.\"
-.\"
-.SH NAME
-ip6tables-restore \(em Restore IPv6 Tables
-.SH SYNOPSIS
-\fBip6tables\-restore\fP [\fB\-c\fP] [\fB\-n\fP]
-.SH DESCRIPTION
-.PP
-.B ip6tables-restore
-is used to restore IPv6 Tables from data specified on STDIN. Use 
-I/O redirection provided by your shell to read from a file
-.TP
-\fB\-c\fR, \fB\-\-counters\fR
-restore the values of all packet and byte counters
-.TP
-\fB\-n\fR, \fB\-\-noflush\fR 
-don't flush the previous contents of the table. If not specified, 
-.TP
-\fB\-T\fP, \fB\-\-table\fP \fIname\fP
-Restore only the named table even if the input stream contains other ones.
-.B ip6tables-restore
-flushes (deletes) all previous contents of the respective IPv6 Table.
-.SH BUGS
-None known as of iptables-1.2.1 release
-.SH AUTHORS
-Harald Welte <laforge@gnumonks.org>
-.br
-Andras Kis-Szabo <kisza@sch.bme.hu>
-.SH SEE ALSO
-\fBip6tables\-save\fP(8), \fBip6tables\fP(8)
-.PP
-The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
-which details NAT, and the netfilter-hacking-HOWTO which details the
-internals.
diff --git a/iptables/ip6tables-restore.8in b/iptables/ip6tables-restore.8in
new file mode 100644
index 0000000..a9859ae
--- /dev/null
+++ b/iptables/ip6tables-restore.8in
@@ -0,0 +1,52 @@
+.TH ip6tables-restore 8 "@PACKAGE_AND_VERSION@" "" "@PACKAGE_AND_VERSION@"
+.\"
+.\" Man page written by Harald Welte <laforge@gnumonks.org>
+.\" It is based on the iptables man page.
+.\"
+.\"	This program is free software; you can redistribute it and/or modify
+.\"	it under the terms of the GNU General Public License as published by
+.\"	the Free Software Foundation; either version 2 of the License, or
+.\"	(at your option) any later version.
+.\"
+.\"	This program is distributed in the hope that it will be useful,
+.\"	but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\"	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+.\"	GNU General Public License for more details.
+.\"
+.\"	You should have received a copy of the GNU General Public License
+.\"	along with this program; if not, write to the Free Software
+.\"	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+ip6tables-restore \(em Restore IPv6 Tables
+.SH SYNOPSIS
+\fBip6tables\-restore\fP [\fB\-c\fP] [\fB\-n\fP]
+.SH DESCRIPTION
+.PP
+.B ip6tables-restore
+is used to restore IPv6 Tables from data specified on STDIN. Use 
+I/O redirection provided by your shell to read from a file
+.TP
+\fB\-c\fR, \fB\-\-counters\fR
+restore the values of all packet and byte counters
+.TP
+\fB\-n\fR, \fB\-\-noflush\fR 
+don't flush the previous contents of the table. If not specified, 
+.TP
+\fB\-T\fP, \fB\-\-table\fP \fIname\fP
+Restore only the named table even if the input stream contains other ones.
+.B ip6tables-restore
+flushes (deletes) all previous contents of the respective IPv6 Table.
+.SH BUGS
+None known as of iptables-1.2.1 release
+.SH AUTHORS
+Harald Welte <laforge@gnumonks.org>
+.br
+Andras Kis-Szabo <kisza@sch.bme.hu>
+.SH SEE ALSO
+\fBip6tables\-save\fP(8), \fBip6tables\fP(8)
+.PP
+The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
+which details NAT, and the netfilter-hacking-HOWTO which details the
+internals.
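Review bot: The \-n entry in the new ip6tables-restore.8in stops mid-sentence at "If not specified," and the rest of that sentence (".B ip6tables-restore" / "flushes (deletes) all previous contents of the respective IPv6 Table.") sits under the \-T entry, while SYNOPSIS lists only [\-c] [\-n] even though \-T is described below. This is carried over unchanged from the deleted ip6tables-restore.8. Either fix it while the file is being recreated, or say in the commit message that the content is moved verbatim and corrected in a later patch. The BUGS line "None known as of iptables-1.2.1 release" also reads oddly under a header that now carries the current package version.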
diff --git a/iptables/ip6tables-save.8 b/iptables/ip6tables-save.8
deleted file mode 100644
index 457be82..0000000
--- a/iptables/ip6tables-save.8
+++ /dev/null
@@ -1,53 +0,0 @@
-.TH IP6TABLES-SAVE 8 "Jan 30, 2002" "" ""
-.\"
-.\" Man page written by Harald Welte <laforge@gnumonks.org>
-.\" It is based on the iptables man page.
-.\"
-.\"	This program is free software; you can redistribute it and/or modify
-.\"	it under the terms of the GNU General Public License as published by
-.\"	the Free Software Foundation; either version 2 of the License, or
-.\"	(at your option) any later version.
-.\"
-.\"	This program is distributed in the hope that it will be useful,
-.\"	but WITHOUT ANY WARRANTY; without even the implied warranty of
-.\"	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-.\"	GNU General Public License for more details.
-.\"
-.\"	You should have received a copy of the GNU General Public License
-.\"	along with this program; if not, write to the Free Software
-.\"	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-.\"
-.\"
-.SH NAME
-ip6tables-save \(em dump iptables rules to stdout
-.SH SYNOPSIS
-\fBip6tables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
-[\fB\-t\fP \fItable\fP
-.SH DESCRIPTION
-.PP
-.B ip6tables-save
-is used to dump the contents of an IPv6 Table in easily parseable format
-to STDOUT. Use I/O-redirection provided by your shell to write to a file.
-.TP
-\fB\-M\fP \fImodprobe_program\fP
-Specify the path to the modprobe program. By default, iptables-save will
-inspect /proc/sys/kernel/modprobe to determine the executable's path.
-.TP
-\fB\-c\fR, \fB\-\-counters\fR
-include the current values of all packet and byte counters in the output
-.TP
-\fB\-t\fR, \fB\-\-table\fR \fItablename\fP
-restrict output to only one table. If not specified, output includes all
-available tables.
-.SH BUGS
-None known as of iptables-1.2.1 release
-.SH AUTHORS
-Harald Welte <laforge@gnumonks.org>
-.br
-Andras Kis-Szabo <kisza@sch.bme.hu>
-.SH SEE ALSO
-\fBip6tables\-restore\fP(8), \fBip6tables\fP(8)
-.PP
-The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
-which details NAT, and the netfilter-hacking-HOWTO which details the
-internals.
diff --git a/iptables/ip6tables-save.8in b/iptables/ip6tables-save.8in
new file mode 100644
index 0000000..f4cd3e0
--- /dev/null
+++ b/iptables/ip6tables-save.8in
@@ -0,0 +1,53 @@
+.TH ip6tables-save 8 "@PACKAGE_AND_VERSION@" "" "@PACKAGE_AND_VERSION@"
+.\"
+.\" Man page written by Harald Welte <laforge@gnumonks.org>
+.\" It is based on the iptables man page.
+.\"
+.\"	This program is free software; you can redistribute it and/or modify
+.\"	it under the terms of the GNU General Public License as published by
+.\"	the Free Software Foundation; either version 2 of the License, or
+.\"	(at your option) any later version.
+.\"
+.\"	This program is distributed in the hope that it will be useful,
+.\"	but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\"	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+.\"	GNU General Public License for more details.
+.\"
+.\"	You should have received a copy of the GNU General Public License
+.\"	along with this program; if not, write to the Free Software
+.\"	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+ip6tables-save \(em dump iptables rules to stdout
+.SH SYNOPSIS
+\fBip6tables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
+[\fB\-t\fP \fItable\fP
+.SH DESCRIPTION
+.PP
+.B ip6tables-save
+is used to dump the contents of an IPv6 Table in easily parseable format
+to STDOUT. Use I/O-redirection provided by your shell to write to a file.
+.TP
+\fB\-M\fP \fImodprobe_program\fP
+Specify the path to the modprobe program. By default, iptables-save will
+inspect /proc/sys/kernel/modprobe to determine the executable's path.
+.TP
+\fB\-c\fR, \fB\-\-counters\fR
+include the current values of all packet and byte counters in the output
+.TP
+\fB\-t\fR, \fB\-\-table\fR \fItablename\fP
+restrict output to only one table. If not specified, output includes all
+available tables.
+.SH BUGS
+None known as of iptables-1.2.1 release
+.SH AUTHORS
+Harald Welte <laforge@gnumonks.org>
+.br
+Andras Kis-Szabo <kisza@sch.bme.hu>
+.SH SEE ALSO
+\fBip6tables\-restore\fP(8), \fBip6tables\fP(8)
+.PP
+The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
+which details NAT, and the netfilter-hacking-HOWTO which details the
+internals.
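Review bot: The SYNOPSIS of the new ip6tables-save.8in ends with "[\fB\-t\fP \fItable\fP" and never closes the bracket; iptables-save.8in in this same patch has the closing "]". Since the file is recreated here, add the missing "]". The \-M entry also says "iptables-save will inspect /proc/sys/kernel/modprobe" on the ip6tables-save page, and the synopsis placeholder (\fImodprobe\fP) differs from the one in the option entry (\fImodprobe_program\fP).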
diff --git a/iptables/ip6tables.8in b/iptables/ip6tables.8in
index 078bcac..fd0e61b 100644
--- a/iptables/ip6tables.8in
+++ b/iptables/ip6tables.8in
@@ -1,4 +1,4 @@
-.TH IP6TABLES 8 "" "@PACKAGE_AND_VERSION@" "@PACKAGE_AND_VERSION@"
+.TH ip6tables 8 "@PACKAGE_AND_VERSION@" "" "@PACKAGE_AND_VERSION@"
 .\"
 .\" Man page written by Andras Kis-Szabo <kisza@sch.bme.hu>
 .\" It is based on iptables man page.
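Review bot: The new .TH line moves @PACKAGE_AND_VERSION@ from the fourth argument to the third and leaves the fourth empty; per man(7) the third .TH argument is the date and the fourth is the source, so the version now occupies the date slot. If that placement is intended, please state the reason in the commit message. The same line also changes the title from IP6TABLES to ip6tables, which is a separate change from adding a version and deserves a mention too.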
diff --git a/iptables/iptables-apply.8 b/iptables/iptables-apply.8
deleted file mode 100644
index 66eaf57..0000000
--- a/iptables/iptables-apply.8
+++ /dev/null
@@ -1,44 +0,0 @@
-.\"     Title: iptables-apply
-.\"    Author: Martin F. Krafft
-.\"      Date: Jun 04, 2006
-.\"
-.TH iptables\-apply 8 2006-06-04
-.\" disable hyphenation
-.nh
-.SH NAME
-iptables-apply \- a safer way to update iptables remotely
-.SH SYNOPSIS
-\fBiptables\-apply\fP [\-\fBhV\fP] [\fB-t\fP \fItimeout\fP] \fIruleset\-file\fP
-.SH "DESCRIPTION"
-.PP
-iptables\-apply will try to apply a new ruleset (as output by
-iptables\-save/read by iptables\-restore) to iptables, then prompt the
-user whether the changes are okay. If the new ruleset cut the existing
-connection, the user will not be able to answer affirmatively. In this
-case, the script rolls back to the previous ruleset after the timeout
-expired. The timeout can be set with \fB\-t\fP.
-.PP
-When called as \fBip6tables\-apply\fP, the script will use
-ip6tables\-save/\-restore instead.
-.SH OPTIONS
-.TP
-\fB\-t\fP \fIseconds\fR, \fB\-\-timeout\fP \fIseconds\fR
-Sets the timeout after which the script will roll back to the previous
-ruleset.
-.TP
-\fB\-h\fP, \fB\-\-help\fP
-Display usage information.
-.TP
-\fB\-V\fP, \fB\-\-version\fP
-Display version information.
-.SH "SEE ALSO"
-.PP
-\fBiptables-restore\fP(8), \fBiptables-save\fP(8), \fBiptables\fR(8).
-.SH LEGALESE
-.PP
-iptables\-apply is copyright by Martin F. Krafft.
-.PP
-This manual page was written by Martin F. Krafft <madduck@madduck.net>
-.PP
-Permission is granted to copy, distribute and/or modify this document
-under the terms of the Artistic License 2.0.
diff --git a/iptables/iptables-apply.8in b/iptables/iptables-apply.8in
new file mode 100644
index 0000000..4fe14c8
--- /dev/null
+++ b/iptables/iptables-apply.8in
@@ -0,0 +1,44 @@
+.\"     Title: iptables-apply
+.\"    Author: Martin F. Krafft
+.\"      Date: Jun 04, 2006
+.\"
+.TH iptables\-apply 8 "@PACKAGE_AND_VERSION@" "" "@PACKAGE_AND_VERSION@"
+.\" disable hyphenation
+.nh
+.SH NAME
+iptables-apply \- a safer way to update iptables remotely
+.SH SYNOPSIS
+\fBiptables\-apply\fP [\-\fBhV\fP] [\fB-t\fP \fItimeout\fP] \fIruleset\-file\fP
+.SH "DESCRIPTION"
+.PP
+iptables\-apply will try to apply a new ruleset (as output by
+iptables\-save/read by iptables\-restore) to iptables, then prompt the
+user whether the changes are okay. If the new ruleset cut the existing
+connection, the user will not be able to answer affirmatively. In this
+case, the script rolls back to the previous ruleset after the timeout
+expired. The timeout can be set with \fB\-t\fP.
+.PP
+When called as \fBip6tables\-apply\fP, the script will use
+ip6tables\-save/\-restore instead.
+.SH OPTIONS
+.TP
+\fB\-t\fP \fIseconds\fR, \fB\-\-timeout\fP \fIseconds\fR
+Sets the timeout after which the script will roll back to the previous
+ruleset.
+.TP
+\fB\-h\fP, \fB\-\-help\fP
+Display usage information.
+.TP
+\fB\-V\fP, \fB\-\-version\fP
+Display version information.
+.SH "SEE ALSO"
+.PP
+\fBiptables-restore\fP(8), \fBiptables-save\fP(8), \fBiptables\fR(8).
+.SH LEGALESE
+.PP
+iptables\-apply is copyright by Martin F. Krafft.
+.PP
+This manual page was written by Martin F. Krafft <madduck@madduck.net>
+.PP
+Permission is granted to copy, distribute and/or modify this document
+under the terms of the Artistic License 2.0.
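Review bot: In iptables-apply.8in the SYNOPSIS uses a bare hyphen in "[\fB-t\fP" and SEE ALSO uses "\fBiptables-restore\fP(8), \fBiptables-save\fP(8)", while the rest of the page escapes option and command hyphens as "\-". As the file is being recreated, it would be a good moment to make these consistent. The header comment still says "Date: Jun 04, 2006" although the .TH date is replaced by the version string; consider dropping or updating that comment.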
diff --git a/iptables/iptables-extensions.8in b/iptables/iptables-extensions.8in
index e02c81f..293a21d 100644
--- a/iptables/iptables-extensions.8in
+++ b/iptables/iptables-extensions.8in
@@ -1,4 +1,4 @@
-.TH iptables-extensions 8 "" "@PACKAGE_AND_VERSION@" "@PACKAGE_AND_VERSION@"
+.TH iptables-extensions 8 "@PACKAGE_AND_VERSION@" "" "@PACKAGE_AND_VERSION@"
 .SH NAME
 iptables-extensions \(em list of extensions in the standard iptables distribution
 .SH SYNOPSIS
diff --git a/iptables/iptables-restore.8 b/iptables/iptables-restore.8
deleted file mode 100644
index 0dd20cb..0000000
--- a/iptables/iptables-restore.8
+++ /dev/null
@@ -1,50 +0,0 @@
-.TH IPTABLES-RESTORE 8 "Jan 04, 2001" "" ""
-.\"
-.\" Man page written by Harald Welte <laforge@gnumonks.org>
-.\" It is based on the iptables man page.
-.\"
-.\"	This program is free software; you can redistribute it and/or modify
-.\"	it under the terms of the GNU General Public License as published by
-.\"	the Free Software Foundation; either version 2 of the License, or
-.\"	(at your option) any later version.
-.\"
-.\"	This program is distributed in the hope that it will be useful,
-.\"	but WITHOUT ANY WARRANTY; without even the implied warranty of
-.\"	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-.\"	GNU General Public License for more details.
-.\"
-.\"	You should have received a copy of the GNU General Public License
-.\"	along with this program; if not, write to the Free Software
-.\"	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-.\"
-.\"
-.SH NAME
-iptables-restore \(em Restore IP Tables
-.SH SYNOPSIS
-\fBiptables\-restore\fP [\fB\-c\fP] [\fB\-n\fP] [\fB\-T\fP \fIname\fP]
-.SH DESCRIPTION
-.PP
-.B iptables-restore
-is used to restore IP Tables from data specified on STDIN. Use 
-I/O redirection provided by your shell to read from a file
-.TP
-\fB\-c\fR, \fB\-\-counters\fR
-restore the values of all packet and byte counters
-.TP
-\fB\-n\fR, \fB\-\-noflush\fR 
-don't flush the previous contents of the table. If not specified, 
-.B iptables-restore
-flushes (deletes) all previous contents of the respective IP Table.
-.TP
-\fB\-T\fP, \fB\-\-table\fP \fIname\fP
-Restore only the named table even if the input stream contains other ones.
-.SH BUGS
-None known as of iptables-1.2.1 release
-.SH AUTHOR
-Harald Welte <laforge@gnumonks.org>
-.SH SEE ALSO
-\fBiptables\-save\fP(8), \fBiptables\fP(8)
-.PP
-The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
-which details NAT, and the netfilter-hacking-HOWTO which details the
-internals.
diff --git a/iptables/iptables-restore.8in b/iptables/iptables-restore.8in
new file mode 100644
index 0000000..37faae0
--- /dev/null
+++ b/iptables/iptables-restore.8in
@@ -0,0 +1,50 @@
+.TH iptables-restore 8 "@PACKAGE_AND_VERSION@" "" "@PACKAGE_AND_VERSION@"
+.\"
+.\" Man page written by Harald Welte <laforge@gnumonks.org>
+.\" It is based on the iptables man page.
+.\"
+.\"	This program is free software; you can redistribute it and/or modify
+.\"	it under the terms of the GNU General Public License as published by
+.\"	the Free Software Foundation; either version 2 of the License, or
+.\"	(at your option) any later version.
+.\"
+.\"	This program is distributed in the hope that it will be useful,
+.\"	but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\"	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+.\"	GNU General Public License for more details.
+.\"
+.\"	You should have received a copy of the GNU General Public License
+.\"	along with this program; if not, write to the Free Software
+.\"	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+iptables-restore \(em Restore IP Tables
+.SH SYNOPSIS
+\fBiptables\-restore\fP [\fB\-c\fP] [\fB\-n\fP] [\fB\-T\fP \fIname\fP]
+.SH DESCRIPTION
+.PP
+.B iptables-restore
+is used to restore IP Tables from data specified on STDIN. Use 
+I/O redirection provided by your shell to read from a file
+.TP
+\fB\-c\fR, \fB\-\-counters\fR
+restore the values of all packet and byte counters
+.TP
+\fB\-n\fR, \fB\-\-noflush\fR 
+don't flush the previous contents of the table. If not specified, 
+.B iptables-restore
+flushes (deletes) all previous contents of the respective IP Table.
+.TP
+\fB\-T\fP, \fB\-\-table\fP \fIname\fP
+Restore only the named table even if the input stream contains other ones.
+.SH BUGS
+None known as of iptables-1.2.1 release
+.SH AUTHOR
+Harald Welte <laforge@gnumonks.org>
+.SH SEE ALSO
+\fBiptables\-save\fP(8), \fBiptables\fP(8)
+.PP
+The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
+which details NAT, and the netfilter-hacking-HOWTO which details the
+internals.
diff --git a/iptables/iptables-save.8 b/iptables/iptables-save.8
deleted file mode 100644
index c2e0a94..0000000
--- a/iptables/iptables-save.8
+++ /dev/null
@@ -1,51 +0,0 @@
-.TH IPTABLES-SAVE 8 "Jan 04, 2001" "" ""
-.\"
-.\" Man page written by Harald Welte <laforge@gnumonks.org>
-.\" It is based on the iptables man page.
-.\"
-.\"	This program is free software; you can redistribute it and/or modify
-.\"	it under the terms of the GNU General Public License as published by
-.\"	the Free Software Foundation; either version 2 of the License, or
-.\"	(at your option) any later version.
-.\"
-.\"	This program is distributed in the hope that it will be useful,
-.\"	but WITHOUT ANY WARRANTY; without even the implied warranty of
-.\"	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-.\"	GNU General Public License for more details.
-.\"
-.\"	You should have received a copy of the GNU General Public License
-.\"	along with this program; if not, write to the Free Software
-.\"	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-.\"
-.\"
-.SH NAME
-iptables-save \(em dump iptables rules to stdout
-.SH SYNOPSIS
-\fBiptables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
-[\fB\-t\fP \fItable\fP]
-.SH DESCRIPTION
-.PP
-.B iptables-save
-is used to dump the contents of an IP Table in easily parseable format
-to STDOUT. Use I/O-redirection provided by your shell to write to a file.
-.TP
-\fB\-M\fP \fImodprobe_program\fP
-Specify the path to the modprobe program. By default, iptables-save will
-inspect /proc/sys/kernel/modprobe to determine the executable's path.
-.TP
-\fB\-c\fR, \fB\-\-counters\fR
-include the current values of all packet and byte counters in the output
-.TP
-\fB\-t\fR, \fB\-\-table\fR \fItablename\fP
-restrict output to only one table. If not specified, output includes all
-available tables.
-.SH BUGS
-None known as of iptables-1.2.1 release
-.SH AUTHOR
-Harald Welte <laforge@gnumonks.org>
-.SH SEE ALSO
-\fBiptables\-restore\fP(8), \fBiptables\fP(8)
-.PP
-The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
-which details NAT, and the netfilter-hacking-HOWTO which details the
-internals.
diff --git a/iptables/iptables-save.8in b/iptables/iptables-save.8in
new file mode 100644
index 0000000..3d79185
--- /dev/null
+++ b/iptables/iptables-save.8in
@@ -0,0 +1,51 @@
+.TH iptables-save 8 "@PACKAGE_AND_VERSION@" "" "@PACKAGE_AND_VERSION@"
+.\"
+.\" Man page written by Harald Welte <laforge@gnumonks.org>
+.\" It is based on the iptables man page.
+.\"
+.\"	This program is free software; you can redistribute it and/or modify
+.\"	it under the terms of the GNU General Public License as published by
+.\"	the Free Software Foundation; either version 2 of the License, or
+.\"	(at your option) any later version.
+.\"
+.\"	This program is distributed in the hope that it will be useful,
+.\"	but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\"	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+.\"	GNU General Public License for more details.
+.\"
+.\"	You should have received a copy of the GNU General Public License
+.\"	along with this program; if not, write to the Free Software
+.\"	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+iptables-save \(em dump iptables rules to stdout
+.SH SYNOPSIS
+\fBiptables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
+[\fB\-t\fP \fItable\fP]
+.SH DESCRIPTION
+.PP
+.B iptables-save
+is used to dump the contents of an IP Table in easily parseable format
+to STDOUT. Use I/O-redirection provided by your shell to write to a file.
+.TP
+\fB\-M\fP \fImodprobe_program\fP
+Specify the path to the modprobe program. By default, iptables-save will
+inspect /proc/sys/kernel/modprobe to determine the executable's path.
+.TP
+\fB\-c\fR, \fB\-\-counters\fR
+include the current values of all packet and byte counters in the output
+.TP
+\fB\-t\fR, \fB\-\-table\fR \fItablename\fP
+restrict output to only one table. If not specified, output includes all
+available tables.
+.SH BUGS
+None known as of iptables-1.2.1 release
+.SH AUTHOR
+Harald Welte <laforge@gnumonks.org>
+.SH SEE ALSO
+\fBiptables\-restore\fP(8), \fBiptables\fP(8)
+.PP
+The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
+which details NAT, and the netfilter-hacking-HOWTO which details the
+internals.
diff --git a/iptables/iptables.8in b/iptables/iptables.8in
index d6b409d..748d00f 100644
--- a/iptables/iptables.8in
+++ b/iptables/iptables.8in
@@ -1,4 +1,4 @@
-.TH IPTABLES 8 "" "@PACKAGE_AND_VERSION@" "@PACKAGE_AND_VERSION@"
+.TH iptables 8 "@PACKAGE_AND_VERSION@" "" "@PACKAGE_AND_VERSION@"
 .\"
 .\" Man page written by Herve Eychenne <rv@wallfire.org> (May 1999)
 .\" It is based on ipchains page.
-- 
1.7.10.4



* [PATCH 3/9] doc: fixup omissions in ip6tables-restore.8
  2012-10-10 12:26 Documentation fixes to iptables Jan Engelhardt
  2012-10-10 12:26 ` [PATCH 1/9] doc: rename .8.in files to .8in Jan Engelhardt
  2012-10-10 12:26 ` [PATCH 2/9] doc: add package version to all manpages Jan Engelhardt
@ 2012-10-10 12:26 ` Jan Engelhardt
  2012-10-10 16:21   ` Pablo Neira Ayuso
  2012-10-10 12:26 ` [PATCH 4/9] doc: document iptables-restore's -t option Jan Engelhardt
                   ` (6 subsequent siblings)
  9 siblings, 1 reply; 14+ messages in thread
From: Jan Engelhardt @ 2012-10-10 12:26 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 iptables/ip6tables-restore.8in |    6 ++++--
 iptables/iptables-restore.8in  |    2 +-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/iptables/ip6tables-restore.8in b/iptables/ip6tables-restore.8in
index a9859ae..e9018d0 100644
--- a/iptables/ip6tables-restore.8in
+++ b/iptables/ip6tables-restore.8in
@@ -21,7 +21,7 @@
 .SH NAME
 ip6tables-restore \(em Restore IPv6 Tables
 .SH SYNOPSIS
-\fBip6tables\-restore\fP [\fB\-c\fP] [\fB\-n\fP]
+\fBip6tables\-restore\fP [\fB\-c\fP] [\fB\-n\fP] [\fB\-T\fP \fIname\fP]
 .SH DESCRIPTION
 .PP
 .B ip6tables-restore
@@ -32,7 +32,9 @@ I/O redirection provided by your shell to read from a file
 restore the values of all packet and byte counters
 .TP
 \fB\-n\fR, \fB\-\-noflush\fR 
-don't flush the previous contents of the table. If not specified, 
+don't flush the previous contents of the table. If not specified,
+\fBip6tables-restore\fP flushes (deletes) all previous contents of the
+respective table.
 .TP
 \fB\-T\fP, \fB\-\-table\fP \fIname\fP
 Restore only the named table even if the input stream contains other ones.
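Review bot: The completed sentence is added under \-n, but nothing in this hunk removes the old tail that the renamed file still carries under \-T (".B ip6tables-restore" followed by "flushes (deletes) all previous contents of the respective IPv6 Table."); the context lines of the 4/9 hunk for this file still show ".B ip6tables-restore" directly after the \-T description. Extend the hunk to delete those two lines, otherwise the \-T entry ends up stating that the table is flushed.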
diff --git a/iptables/iptables-restore.8in b/iptables/iptables-restore.8in
index 37faae0..75de847 100644
--- a/iptables/iptables-restore.8in
+++ b/iptables/iptables-restore.8in
@@ -34,7 +34,7 @@ restore the values of all packet and byte counters
 \fB\-n\fR, \fB\-\-noflush\fR 
 don't flush the previous contents of the table. If not specified, 
 .B iptables-restore
-flushes (deletes) all previous contents of the respective IP Table.
+flushes (deletes) all previous contents of the respective table.
 .TP
 \fB\-T\fP, \fB\-\-table\fP \fIname\fP
 Restore only the named table even if the input stream contains other ones.
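Review bot: The subject names only ip6tables-restore.8, yet this hunk rewords iptables-restore.8in ("IP Table" to "table") and the commit message has no body explaining it. Please mention the wording change in the message or split it out. The context line "don't flush the previous contents of the table. If not specified, " keeps its trailing space here, while the ip6tables-restore.8in hunk in this patch strips it; the two files could be brought in line.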
-- 
1.7.10.4



* [PATCH 4/9] doc: document iptables-restore's -t option
  2012-10-10 12:26 Documentation fixes to iptables Jan Engelhardt
                   ` (2 preceding siblings ...)
  2012-10-10 12:26 ` [PATCH 3/9] doc: fixup omissions in ip6tables-restore.8 Jan Engelhardt
@ 2012-10-10 12:26 ` Jan Engelhardt
  2012-10-10 12:26 ` [PATCH 5/9] doc: document iptables-restore's -v option Jan Engelhardt
                   ` (5 subsequent siblings)
  9 siblings, 0 replies; 14+ messages in thread
From: Jan Engelhardt @ 2012-10-10 12:26 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel

References: http://bugs.debian.org/644221
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 iptables/ip6tables-restore.8in |    5 ++++-
 iptables/iptables-restore.8in  |    5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/iptables/ip6tables-restore.8in b/iptables/ip6tables-restore.8in
index e9018d0..e1c9abf 100644
--- a/iptables/ip6tables-restore.8in
+++ b/iptables/ip6tables-restore.8in
@@ -21,7 +21,7 @@
 .SH NAME
 ip6tables-restore \(em Restore IPv6 Tables
 .SH SYNOPSIS
-\fBip6tables\-restore\fP [\fB\-c\fP] [\fB\-n\fP] [\fB\-T\fP \fIname\fP]
+\fBip6tables\-restore\fP [\fB\-cnt\fP] [\fB\-T\fP \fIname\fP]
 .SH DESCRIPTION
 .PP
 .B ip6tables-restore
@@ -36,6 +36,9 @@ don't flush the previous contents of the table. If not specified,
 \fBip6tables-restore\fP flushes (deletes) all previous contents of the
 respective table.
 .TP
+\fB\-t\fP, \fB\-\-test\fP
+Only parse and construct the ruleset, but do not commit it.
+.TP
 \fB\-T\fP, \fB\-\-table\fP \fIname\fP
 Restore only the named table even if the input stream contains other ones.
 .B ip6tables-restore
diff --git a/iptables/iptables-restore.8in b/iptables/iptables-restore.8in
index 75de847..f98488e 100644
--- a/iptables/iptables-restore.8in
+++ b/iptables/iptables-restore.8in
@@ -21,7 +21,7 @@
 .SH NAME
 iptables-restore \(em Restore IP Tables
 .SH SYNOPSIS
-\fBiptables\-restore\fP [\fB\-c\fP] [\fB\-n\fP] [\fB\-T\fP \fIname\fP]
+\fBiptables\-restore\fP [\fB\-cnt\fP] [\fB\-T\fP \fIname\fP]
 .SH DESCRIPTION
 .PP
 .B iptables-restore
@@ -36,6 +36,9 @@ don't flush the previous contents of the table. If not specified,
 .B iptables-restore
 flushes (deletes) all previous contents of the respective table.
 .TP
+\fB\-t\fP, \fB\-\-test\fP
+Only parse and construct the ruleset, but do not commit it.
+.TP
 \fB\-T\fP, \fB\-\-table\fP \fIname\fP
 Restore only the named table even if the input stream contains other ones.
 .SH BUGS
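Review bot: The new \-t entry ("Only parse and construct the ruleset, but do not commit it.") does not say how the result is reported, that is, what the user sees or which exit status is returned when the input parses cleanly or fails. Someone using \-\-test to validate a rules file before loading it needs exactly that, so a sentence on the success and failure behaviour would make the entry usable. The same applies to the identical text added to ip6tables-restore.8in.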
-- 
1.7.10.4



* [PATCH 5/9] doc: document iptables-restore's -v option
  2012-10-10 12:26 Documentation fixes to iptables Jan Engelhardt
                   ` (3 preceding siblings ...)
  2012-10-10 12:26 ` [PATCH 4/9] doc: document iptables-restore's -t option Jan Engelhardt
@ 2012-10-10 12:26 ` Jan Engelhardt
  2012-10-10 12:26 ` [PATCH 6/9] doc: document iptables-restore's -M option Jan Engelhardt
                   ` (4 subsequent siblings)
  9 siblings, 0 replies; 14+ messages in thread
From: Jan Engelhardt @ 2012-10-10 12:26 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel

References: http://bugs.debian.org/644221
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 iptables/ip6tables-restore.8in |    5 ++++-
 iptables/iptables-restore.8in  |    5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/iptables/ip6tables-restore.8in b/iptables/ip6tables-restore.8in
index e1c9abf..6c0009e 100644
--- a/iptables/ip6tables-restore.8in
+++ b/iptables/ip6tables-restore.8in
@@ -21,7 +21,7 @@
 .SH NAME
 ip6tables-restore \(em Restore IPv6 Tables
 .SH SYNOPSIS
-\fBip6tables\-restore\fP [\fB\-cnt\fP] [\fB\-T\fP \fIname\fP]
+\fBip6tables\-restore\fP [\fB\-cntv\fP] [\fB\-T\fP \fIname\fP]
 .SH DESCRIPTION
 .PP
 .B ip6tables-restore
@@ -39,6 +39,9 @@ respective table.
 \fB\-t\fP, \fB\-\-test\fP
 Only parse and construct the ruleset, but do not commit it.
 .TP
+\fB\-v\fP, \fB\-\-verbose\fP
+Print additional debug info during ruleset processing.
+.TP
 \fB\-T\fP, \fB\-\-table\fP \fIname\fP
 Restore only the named table even if the input stream contains other ones.
 .B ip6tables-restore
diff --git a/iptables/iptables-restore.8in b/iptables/iptables-restore.8in
index f98488e..27440fb 100644
--- a/iptables/iptables-restore.8in
+++ b/iptables/iptables-restore.8in
@@ -21,7 +21,7 @@
 .SH NAME
 iptables-restore \(em Restore IP Tables
 .SH SYNOPSIS
-\fBiptables\-restore\fP [\fB\-cnt\fP] [\fB\-T\fP \fIname\fP]
+\fBiptables\-restore\fP [\fB\-cntv\fP] [\fB\-T\fP \fIname\fP]
 .SH DESCRIPTION
 .PP
 .B iptables-restore
@@ -39,6 +39,9 @@ flushes (deletes) all previous contents of the respective table.
 \fB\-t\fP, \fB\-\-test\fP
 Only parse and construct the ruleset, but do not commit it.
 .TP
+\fB\-v\fP, \fB\-\-verbose\fP
+Print additional debug info during ruleset processing.
+.TP
 \fB\-T\fP, \fB\-\-table\fP \fIname\fP
 Restore only the named table even if the input stream contains other ones.
 .SH BUGS
-- 
1.7.10.4



* [PATCH 6/9] doc: document iptables-restore's -M option
  2012-10-10 12:26 Documentation fixes to iptables Jan Engelhardt
                   ` (4 preceding siblings ...)
  2012-10-10 12:26 ` [PATCH 5/9] doc: document iptables-restore's -v option Jan Engelhardt
@ 2012-10-10 12:26 ` Jan Engelhardt
  2012-10-10 12:26 ` [PATCH 7/9] doc: document iptables-restore's -h option Jan Engelhardt
                   ` (3 subsequent siblings)
  9 siblings, 0 replies; 14+ messages in thread
From: Jan Engelhardt @ 2012-10-10 12:26 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel

References: http://bugs.debian.org/644221
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 iptables/ip6tables-restore.8in |    7 ++++++-
 iptables/iptables-restore.8in  |    7 ++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/iptables/ip6tables-restore.8in b/iptables/ip6tables-restore.8in
index 6c0009e..f3419f4 100644
--- a/iptables/ip6tables-restore.8in
+++ b/iptables/ip6tables-restore.8in
@@ -21,7 +21,8 @@
 .SH NAME
 ip6tables-restore \(em Restore IPv6 Tables
 .SH SYNOPSIS
-\fBip6tables\-restore\fP [\fB\-cntv\fP] [\fB\-T\fP \fIname\fP]
+\fBip6tables\-restore\fP [\fB\-cntv\fP] [\fB\-M\fP \fImodprobe\fP]
+[\fB\-T\fP \fIname\fP]
 .SH DESCRIPTION
 .PP
 .B ip6tables-restore
@@ -42,6 +43,10 @@ Only parse and construct the ruleset, but do not commit it.
 \fB\-v\fP, \fB\-\-verbose\fP
 Print additional debug info during ruleset processing.
 .TP
+\fB\-M\fP, \fB\-\-modprobe\fP \fImodprobe_program\fP
+Specify the path to the modprobe program. By default, ip6tables-restore will
+inspect /proc/sys/kernel/modprobe to determine the executable's path.
+.TP
 \fB\-T\fP, \fB\-\-table\fP \fIname\fP
 Restore only the named table even if the input stream contains other ones.
 .B ip6tables-restore
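Review bot: The new \-M entry names its argument \fImodprobe_program\fP while the SYNOPSIS line added in the same patch writes "[\fB\-M\fP \fImodprobe\fP]"; use one placeholder in both places. The entry also explains where the default path comes from (/proc/sys/kernel/modprobe) but not what the program is run for or when, and since this is an executable path handed to a tool that is normally run as root, one sentence on its purpose would help administrators decide whether they need to set it.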
diff --git a/iptables/iptables-restore.8in b/iptables/iptables-restore.8in
index 27440fb..c493cf9 100644
--- a/iptables/iptables-restore.8in
+++ b/iptables/iptables-restore.8in
@@ -21,7 +21,8 @@
 .SH NAME
 iptables-restore \(em Restore IP Tables
 .SH SYNOPSIS
-\fBiptables\-restore\fP [\fB\-cntv\fP] [\fB\-T\fP \fIname\fP]
+\fBiptables\-restore\fP [\fB\-cntv\fP] [\fB\-M\fP \fImodprobe\fP]
+[\fB\-T\fP \fIname\fP]
 .SH DESCRIPTION
 .PP
 .B iptables-restore
@@ -42,6 +43,10 @@ Only parse and construct the ruleset, but do not commit it.
 \fB\-v\fP, \fB\-\-verbose\fP
 Print additional debug info during ruleset processing.
 .TP
+\fB\-M\fP, \fB\-\-modprobe\fP \fImodprobe_program\fP
+Specify the path to the modprobe program. By default, iptables-restore will
+inspect /proc/sys/kernel/modprobe to determine the executable's path.
+.TP
 \fB\-T\fP, \fB\-\-table\fP \fIname\fP
 Restore only the named table even if the input stream contains other ones.
 .SH BUGS
-- 
1.7.10.4



* [PATCH 7/9] doc: document iptables-restore's -h option
  2012-10-10 12:26 Documentation fixes to iptables Jan Engelhardt
                   ` (5 preceding siblings ...)
  2012-10-10 12:26 ` [PATCH 6/9] doc: document iptables-restore's -M option Jan Engelhardt
@ 2012-10-10 12:26 ` Jan Engelhardt
  2012-10-10 12:26 ` [PATCH 8/9] doc: name the supported log levels for ipt_LOG Jan Engelhardt
                   ` (2 subsequent siblings)
  9 siblings, 0 replies; 14+ messages in thread
From: Jan Engelhardt @ 2012-10-10 12:26 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel

References: http://bugs.debian.org/644221
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 iptables/ip6tables-restore.8in |    5 ++++-
 iptables/iptables-restore.8in  |    5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/iptables/ip6tables-restore.8in b/iptables/ip6tables-restore.8in
index f3419f4..697a226 100644
--- a/iptables/ip6tables-restore.8in
+++ b/iptables/ip6tables-restore.8in
@@ -21,7 +21,7 @@
 .SH NAME
 ip6tables-restore \(em Restore IPv6 Tables
 .SH SYNOPSIS
-\fBip6tables\-restore\fP [\fB\-cntv\fP] [\fB\-M\fP \fImodprobe\fP]
+\fBip6tables\-restore\fP [\fB\-chntv\fP] [\fB\-M\fP \fImodprobe\fP]
 [\fB\-T\fP \fIname\fP]
 .SH DESCRIPTION
 .PP
@@ -32,6 +32,9 @@ I/O redirection provided by your shell to read from a file
 \fB\-c\fR, \fB\-\-counters\fR
 restore the values of all packet and byte counters
 .TP
+\fB\-h\fP, \fB\-\-help\fP
+Print a short option summary.
+.TP
 \fB\-n\fR, \fB\-\-noflush\fR 
 don't flush the previous contents of the table. If not specified,
 \fBip6tables-restore\fP flushes (deletes) all previous contents of the
diff --git a/iptables/iptables-restore.8in b/iptables/iptables-restore.8in
index c493cf9..197f013 100644
--- a/iptables/iptables-restore.8in
+++ b/iptables/iptables-restore.8in
@@ -21,7 +21,7 @@
 .SH NAME
 iptables-restore \(em Restore IP Tables
 .SH SYNOPSIS
-\fBiptables\-restore\fP [\fB\-cntv\fP] [\fB\-M\fP \fImodprobe\fP]
+\fBiptables\-restore\fP [\fB\-chntv\fP] [\fB\-M\fP \fImodprobe\fP]
 [\fB\-T\fP \fIname\fP]
 .SH DESCRIPTION
 .PP
@@ -32,6 +32,9 @@ I/O redirection provided by your shell to read from a file
 \fB\-c\fR, \fB\-\-counters\fR
 restore the values of all packet and byte counters
 .TP
+\fB\-h\fP, \fB\-\-help\fP
+Print a short option summary.
+.TP
 \fB\-n\fR, \fB\-\-noflush\fR 
 don't flush the previous contents of the table. If not specified, 
 .B iptables-restore
-- 
1.7.10.4



* [PATCH 8/9] doc: name the supported log levels for ipt_LOG
  2012-10-10 12:26 Documentation fixes to iptables Jan Engelhardt
                   ` (6 preceding siblings ...)
  2012-10-10 12:26 ` [PATCH 7/9] doc: document iptables-restore's -h option Jan Engelhardt
@ 2012-10-10 12:26 ` Jan Engelhardt
  2012-10-10 12:26 ` [PATCH 9/9] src: remove faulty deprecated marker in libipt_LOG source Jan Engelhardt
  2012-10-10 12:38 ` Documentation fixes to iptables Pablo Neira Ayuso
  9 siblings, 0 replies; 14+ messages in thread
From: Jan Engelhardt @ 2012-10-10 12:26 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel

Leonardo Ferreira da Silva Boiko lets it be known that syslogd.conf may
not exist on certain systems. Referencing that manpage is not a good
idea in any case, I believe, since the strings that are accepted are
defined by iptables and not a syslog implementation.

References: http://bugs.debian.org/567564
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 extensions/libip6t_LOG.man |    5 ++++-
 extensions/libipt_LOG.man  |    5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/extensions/libip6t_LOG.man b/extensions/libip6t_LOG.man
index b7803fe..0a48640 100644
--- a/extensions/libip6t_LOG.man
+++ b/extensions/libip6t_LOG.man
@@ -11,7 +11,10 @@ separate rules with the same matching criteria, first using target LOG
 then DROP (or REJECT).
 .TP
 \fB\-\-log\-level\fP \fIlevel\fP
-Level of logging (numeric or see \fIsyslog.conf\fP(5)).
+Level of logging, which can be (system-specific) numeric or a mnemonic.
+Possible values are (in decreasing order of priority): \fBemerg\fP,
+\fBalert\fP, \fBcrit\fP, \fBerror\fP, \fBwarning\fP, \fBnotice\fP, \fBinfo\fP
+or \fBdebug\fP.
 .TP
 \fB\-\-log\-prefix\fP \fIprefix\fP
 Prefix log messages with the specified prefix; up to 29 letters long,
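
Review bot: "(system-specific) numeric" in the new \-\-log\-level text does not tell the reader which numbers are valid or what they map to. Since the mnemonics are already listed in priority order, say where the numeric values come from, or give the number next to each name, so a rule written with a number can be read back without guessing.
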
diff --git a/extensions/libipt_LOG.man b/extensions/libipt_LOG.man
index 47c35e0..f2574f8 100644
--- a/extensions/libipt_LOG.man
+++ b/extensions/libipt_LOG.man
@@ -11,7 +11,10 @@ separate rules with the same matching criteria, first using target LOG
 then DROP (or REJECT).
 .TP
 \fB\-\-log\-level\fP \fIlevel\fP
-Level of logging (numeric or see \fIsyslog.conf\fP(5)).
+Level of logging, which can be (system-specific) numeric or a mnemonic.
+Possible values are (in decreasing order of priority): \fBemerg\fP,
+\fBalert\fP, \fBcrit\fP, \fBerror\fP, \fBwarning\fP, \fBnotice\fP, \fBinfo\fP
+or \fBdebug\fP.
 .TP
 \fB\-\-log\-prefix\fP \fIprefix\fP
 Prefix log messages with the specified prefix; up to 29 letters long,
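
Review bot: the mnemonic list added for \-\-log\-level leaves out "panic", which the ipt_log_names table shown in the context lines of 9/9 still accepts as a deprecated name for LOG_EMERG. Rule sets that use it will keep loading, but a reader will not find the name here. Mention it as a deprecated alias of emerg, in libip6t_LOG.man as well.
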
-- 
1.7.10.4



* [PATCH 9/9] src: remove faulty deprecated marker in libipt_LOG source
  2012-10-10 12:26 Documentation fixes to iptables Jan Engelhardt
                   ` (7 preceding siblings ...)
  2012-10-10 12:26 ` [PATCH 8/9] doc: name the supported log levels for ipt_LOG Jan Engelhardt
@ 2012-10-10 12:26 ` Jan Engelhardt
  2012-10-10 12:38 ` Documentation fixes to iptables Pablo Neira Ayuso
  9 siblings, 0 replies; 14+ messages in thread
From: Jan Engelhardt @ 2012-10-10 12:26 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel

The "err" loglevel is not actually deprecated - it is the only name
available to mean the LOG_ERR level.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 extensions/libip6t_LOG.c |    2 +-
 extensions/libipt_LOG.c  |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/extensions/libip6t_LOG.c b/extensions/libip6t_LOG.c
index 2b1ae28..8dc94e3 100644
--- a/extensions/libip6t_LOG.c
+++ b/extensions/libip6t_LOG.c
@@ -68,7 +68,7 @@ static const struct ip6t_log_names ip6t_log_names[]
     { .name = "crit",    .level = LOG_CRIT },
     { .name = "debug",   .level = LOG_DEBUG },
     { .name = "emerg",   .level = LOG_EMERG },
-    { .name = "error",   .level = LOG_ERR },		/* DEPRECATED */
+    { .name = "error",   .level = LOG_ERR },
     { .name = "info",    .level = LOG_INFO },
     { .name = "notice",  .level = LOG_NOTICE },
     { .name = "panic",   .level = LOG_EMERG },		/* DEPRECATED */
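
Review bot: the commit message speaks of the "err" loglevel, but the entry whose marker is removed here is .name = "error", and the visible context goes from "emerg" straight to "error" with no "err" entry between them. Reword the message to say "error" so that it matches the table and the mnemonic list added to the man pages in 8/9. The same applies to the libipt_LOG.c hunk.
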
diff --git a/extensions/libipt_LOG.c b/extensions/libipt_LOG.c
index 77f16d1..971f3ca 100644
--- a/extensions/libipt_LOG.c
+++ b/extensions/libipt_LOG.c
@@ -68,7 +68,7 @@ static const struct ipt_log_names ipt_log_names[]
     { .name = "crit",    .level = LOG_CRIT },
     { .name = "debug",   .level = LOG_DEBUG },
     { .name = "emerg",   .level = LOG_EMERG },
-    { .name = "error",   .level = LOG_ERR },		/* DEPRECATED */
+    { .name = "error",   .level = LOG_ERR },
     { .name = "info",    .level = LOG_INFO },
     { .name = "notice",  .level = LOG_NOTICE },
     { .name = "panic",   .level = LOG_EMERG },		/* DEPRECATED */
-- 
1.7.10.4



* Re: Documentation fixes to iptables
  2012-10-10 12:26 Documentation fixes to iptables Jan Engelhardt
                   ` (8 preceding siblings ...)
  2012-10-10 12:26 ` [PATCH 9/9] src: remove faulty deprecated marker in libipt_LOG source Jan Engelhardt
@ 2012-10-10 12:38 ` Pablo Neira Ayuso
  2012-10-10 13:04   ` Jan Engelhardt
  9 siblings, 1 reply; 14+ messages in thread
From: Pablo Neira Ayuso @ 2012-10-10 12:38 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

On Wed, Oct 10, 2012 at 02:26:23PM +0200, Jan Engelhardt wrote:
> 
> 
> I would say this is material that can go into nf/stable as well.

Oh no, we're discussing again the same thing... No please, only fixes
go into -stable.

These are enhancements, even if they are mostly doc updates.

Please, hold on a bit with updates (1 week?) until all the dust we got
settles down. Thanks.

> ===
> The following changes since commit 9921f2b9a241750e4730fc7d486687c6a32779f4:
> 
>   build: resolve compile abort in libxt_limit on RHEL5 (2012-10-10 13:28:29 +0200)
> 
> are available in the git repository at:
> 
>   git://git.inai.de/iptables master
> 
> for you to fetch changes up to 60f59034fca30c4b2b5177600e81c6e7f07651a6:
> 
>   src: remove faulty deprecated marker in libipt_LOG source (2012-10-10 14:25:25 +0200)
> 
> ----------------------------------------------------------------
> Jan Engelhardt (9):
>       doc: rename .8.in files to .8in
>       doc: add package version to all manpages
>       doc: fixup omissions in ip6tables-restore.8
>       doc: document iptables-restore's -t option
>       doc: document iptables-restore's -v option
>       doc: document iptables-restore's -M option
>       doc: document iptables-restore's -h option
>       doc: name the supported log levels for ipt_LOG
>       src: remove faulty deprecated marker in libipt_LOG source
> 
>  extensions/libip6t_LOG.c                                   |    2 +-
>  extensions/libip6t_LOG.man                                 |    5 ++++-
>  extensions/libipt_LOG.c                                    |    2 +-
>  extensions/libipt_LOG.man                                  |    5 ++++-
>  iptables/.gitignore                                        |    4 +---
>  iptables/Makefile.am                                       |    9 +++------
>  iptables/{ip6tables-restore.8 => ip6tables-restore.8in}    |   22 +++++++++++++++++++---
>  iptables/{ip6tables-save.8 => ip6tables-save.8in}          |    2 +-
>  iptables/{ip6tables.8.in => ip6tables.8in}                 |    2 +-
>  iptables/{iptables-apply.8 => iptables-apply.8in}          |    2 +-
>  .../{iptables-extensions.8.in => iptables-extensions.8in}  |    2 +-
>  iptables/{iptables-restore.8 => iptables-restore.8in}      |   20 +++++++++++++++++---
>  iptables/{iptables-save.8 => iptables-save.8in}            |    2 +-
>  iptables/{iptables.8.in => iptables.8in}                   |    2 +-
>  14 files changed, 56 insertions(+), 25 deletions(-)
>  rename iptables/{ip6tables-restore.8 => ip6tables-restore.8in} (72%)
>  rename iptables/{ip6tables-save.8 => ip6tables-save.8in} (96%)
>  rename iptables/{ip6tables.8.in => ip6tables.8in} (99%)
>  rename iptables/{iptables-apply.8 => iptables-apply.8in} (95%)
>  rename iptables/{iptables-extensions.8.in => iptables-extensions.8in} (94%)
>  rename iptables/{iptables-restore.8 => iptables-restore.8in} (71%)
>  rename iptables/{iptables-save.8 => iptables-save.8in} (96%)
>  rename iptables/{iptables.8.in => iptables.8in} (99%)


* Re: Documentation fixes to iptables
  2012-10-10 12:38 ` Documentation fixes to iptables Pablo Neira Ayuso
@ 2012-10-10 13:04   ` Jan Engelhardt
  0 siblings, 0 replies; 14+ messages in thread
From: Jan Engelhardt @ 2012-10-10 13:04 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

On Wednesday 2012-10-10 14:38, Pablo Neira Ayuso wrote:

>On Wed, Oct 10, 2012 at 02:26:23PM +0200, Jan Engelhardt wrote:
>> 
>> 
>> I would say this is material that can go into nf/stable as well.
>
>No please, only fixes go into -stable.

Well, strange that you do not consider these fixes, but oh well.


* Re: [PATCH 1/9] doc: rename .8.in files to .8in
  2012-10-10 12:26 ` [PATCH 1/9] doc: rename .8.in files to .8in Jan Engelhardt
@ 2012-10-10 16:20   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 14+ messages in thread
From: Pablo Neira Ayuso @ 2012-10-10 16:20 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

On Wed, Oct 10, 2012 at 02:26:24PM +0200, Jan Engelhardt wrote:
> This allows us to use a suffix rule for all of the manpages at once,
> especially useful in light of the next patch.
> 
> Signed-off-by: Jan Engelhardt <jengelh@inai.de>
> ---
>  iptables/Makefile.am              |    7 +-
>  iptables/ip6tables.8.in           |  433 ------------------------------------
>  iptables/ip6tables.8in            |  433 ++++++++++++++++++++++++++++++++++++
>  iptables/iptables-extensions.8.in |   27 ---
>  iptables/iptables-extensions.8in  |   27 +++
>  iptables/iptables.8.in            |  438 -------------------------------------
>  iptables/iptables.8in             |  438 +++++++++++++++++++++++++++++++++++++
>  7 files changed, 900 insertions(+), 903 deletions(-)
>  delete mode 100644 iptables/ip6tables.8.in
>  create mode 100644 iptables/ip6tables.8in
>  delete mode 100644 iptables/iptables-extensions.8.in
>  create mode 100644 iptables/iptables-extensions.8in
>  delete mode 100644 iptables/iptables.8.in
>  create mode 100644 iptables/iptables.8in
> 
> diff --git a/iptables/Makefile.am b/iptables/Makefile.am
> index 61e78db..65776a3 100644
> --- a/iptables/Makefile.am
> +++ b/iptables/Makefile.am
> @@ -38,13 +38,10 @@ if ENABLE_IPV6
>  v6_sbin_links  = ip6tables ip6tables-restore ip6tables-save
>  endif
>  
> -iptables.8: ${srcdir}/iptables.8.in
> +.8in.8:
>  	${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' $< >$@;
>  
> -ip6tables.8: ${srcdir}/ip6tables.8.in
> -	${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' $< >$@;
> -
> -iptables-extensions.8: ${srcdir}/iptables-extensions.8.in ../extensions/matches.man ../extensions/targets.man
> +iptables-extensions.8: ${srcdir}/iptables-extensions.8in ../extensions/matches.man ../extensions/targets.man
>  	${AM_VERBOSE_GEN} sed -e \
>  		's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' \
>  		-e '/@MATCH@/ r ../extensions/matches.man' \
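
Review bot: the new .8in.8: suffix rule no longer names ${srcdir}/ in a prerequisite, as the two removed rules did, so locating the source file in an out-of-tree build now depends on make's VPATH search. Please confirm the manpages still generate from a separate build directory (make distcheck), and add a one-line comment above the rule saying that it produces every manpage from its .8in source.
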
> diff --git a/iptables/ip6tables.8.in b/iptables/ip6tables.8.in
> deleted file mode 100644
> index 078bcac..0000000
> --- a/iptables/ip6tables.8.in
> +++ /dev/null
> @@ -1,433 +0,0 @@
> -.TH IP6TABLES 8 "" "@PACKAGE_AND_VERSION@" "@PACKAGE_AND_VERSION@"
> -.\"
> -.\" Man page written by Andras Kis-Szabo <kisza@sch.bme.hu>
> -.\" It is based on iptables man page.
> -.\"
> -.\" iptables page by Herve Eychenne <rv@wallfire.org>
> -.\" It is based on ipchains man page.
> -.\"
> -.\" ipchains page by Paul ``Rusty'' Russell March 1997
> -.\" Based on the original ipfwadm man page by Jos Vos <jos@xos.nl>
> -.\"
> -.\"	This program is free software; you can redistribute it and/or modify
> -.\"	it under the terms of the GNU General Public License as published by
> -.\"	the Free Software Foundation; either version 2 of the License, or
> -.\"	(at your option) any later version.
> -.\"
> -.\"	This program is distributed in the hope that it will be useful,
> -.\"	but WITHOUT ANY WARRANTY; without even the implied warranty of
> -.\"	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> -.\"	GNU General Public License for more details.
> -.\"
> -.\"	You should have received a copy of the GNU General Public License
> -.\"	along with this program; if not, write to the Free Software
> -.\"	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
> -.\"
> -.\"
> -.SH NAME
> -ip6tables \(em IPv6 packet filter administration
> -.SH SYNOPSIS
> -\fBip6tables\fP [\fB\-t\fP \fItable\fP] {\fB\-A\fP|\fB\-C\fP|\fB\-D\fP}
> -\fIchain rule-specification\fP [\fIoptions...\fP]
> -.PP
> -\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-I\fP \fIchain\fP [\fIrulenum\fP]
> -\fIrule-specification\fP [\fIoptions...\fP]
> -.PP
> -\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-R\fP \fIchain rulenum
> -rule-specification\fP [\fIoptions...\fP]
> -.PP
> -\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-D\fP \fIchain rulenum\fP
> -[\fIoptions...\fP]
> -.PP
> -\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-S\fP [\fIchain\fP [\fIrulenum\fP]]
> -.PP
> -\fBip6tables\fP [\fB\-t\fP \fItable\fP] {\fB\-F\fP|\fB\-L\fP|\fB\-Z\fP}
> -[\fIchain\fP [\fIrulenum\fP]] [\fIoptions...\fP]
> -.PP
> -\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-N\fP \fIchain\fP
> -.PP
> -\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-X\fP [\fIchain\fP]
> -.PP
> -\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-P\fP \fIchain target\fP
> -[\fIoptions...\fP]
> -.PP
> -\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-E\fP \fIold-chain-name new-chain-name\fP
> -.SH DESCRIPTION
> -\fBIp6tables\fP is used to set up, maintain, and inspect the
> -tables of IPv6 packet
> -filter rules in the Linux kernel.  Several different tables
> -may be defined.  Each table contains a number of built-in
> -chains and may also contain user-defined chains.
> -.PP
> -Each chain is a list of rules which can match a set of packets.  Each
> -rule specifies what to do with a packet that matches.  This is called
> -a `target', which may be a jump to a user-defined chain in the same
> -table.
> -.SH TARGETS
> -A firewall rule specifies criteria for a packet and a target.  If the
> -packet does not match, the next rule in the chain is the examined; if
> -it does match, then the next rule is specified by the value of the
> -target, which can be the name of a user-defined chain or one of the
> -special values \fBACCEPT\fP, \fBDROP\fP, \fBQUEUE\fP or \fBRETURN\fP.
> -.PP
> -\fBACCEPT\fP means to let the packet through.
> -\fBDROP\fP means to drop the packet on the floor.
> -\fBQUEUE\fP means to pass the packet to userspace.
> -(How the packet can be received
> -by a userspace process differs by the particular queue handler.  2.4.x
> -and 2.6.x kernels up to 2.6.13 include the \fBip_queue\fP
> -queue handler.  Kernels 2.6.14 and later additionally include the
> -\fBnfnetlink_queue\fP queue handler.  Packets with a target of QUEUE will be
> -sent to queue number '0' in this case. Please also see the \fBNFQUEUE\fP
> -target as described later in this man page.)
> -\fBRETURN\fP means stop traversing this chain and resume at the next
> -rule in the
> -previous (calling) chain.  If the end of a built-in chain is reached
> -or a rule in a built-in chain with target \fBRETURN\fP
> -is matched, the target specified by the chain policy determines the
> -fate of the packet.
> -.SH TABLES
> -There are currently three independent tables (which tables are present
> -at any time depends on the kernel configuration options and which
> -modules are present).
> -.TP
> -\fB\-t\fP, \fB\-\-table\fP \fItable\fP
> -This option specifies the packet matching table which the command
> -should operate on.  If the kernel is configured with automatic module
> -loading, an attempt will be made to load the appropriate module for
> -that table if it is not already there.
> -
> -The tables are as follows:
> -.RS
> -.TP .4i
> -\fBfilter\fP:
> -This is the default table (if no \-t option is passed). It contains
> -the built-in chains \fBINPUT\fP (for packets destined to local sockets),
> -\fBFORWARD\fP (for packets being routed through the box), and
> -\fBOUTPUT\fP (for locally-generated packets).
> -.TP
> -\fBmangle\fP:
> -This table is used for specialized packet alteration.  Until kernel
> -2.4.17 it had two built-in chains: \fBPREROUTING\fP
> -(for altering incoming packets before routing) and \fBOUTPUT\fP
> -(for altering locally-generated packets before routing).
> -Since kernel 2.4.18, three other built-in chains are also supported:
> -\fBINPUT\fP (for packets coming into the box itself), \fBFORWARD\fP
> -(for altering packets being routed through the box), and \fBPOSTROUTING\fP
> -(for altering packets as they are about to go out).
> -.TP
> -\fBraw\fP:
> -This table is used mainly for configuring exemptions from connection
> -tracking in combination with the NOTRACK target.  It registers at the netfilter
> -hooks with higher priority and is thus called before ip_conntrack, or any other
> -IP tables.  It provides the following built-in chains: \fBPREROUTING\fP
> -(for packets arriving via any network interface) \fBOUTPUT\fP
> -(for packets generated by local processes)
> -.TP
> -\fBsecurity\fP:
> -This table is used for Mandatory Access Control (MAC) networking rules, such
> -as those enabled by the \fBSECMARK\fP and \fBCONNSECMARK\fP targets.
> -Mandatory Access Control is implemented by Linux Security Modules such as
> -SELinux.  The security table is called after the filter table, allowing any
> -Discretionary Access Control (DAC) rules in the filter table to take effect
> -before MAC rules.  This table provides the following built-in chains:
> -\fBINPUT\fP (for packets coming into the box itself),
> -\fBOUTPUT\fP (for altering locally-generated packets before routing), and
> -\fBFORWARD\fP (for altering packets being routed through the box).
> -.RE
> -.SH OPTIONS
> -The options that are recognized by
> -\fBip6tables\fP can be divided into several different groups.
> -.SS COMMANDS
> -These options specify the specific action to perform.  Only one of them
> -can be specified on the command line unless otherwise specified
> -below.  For all the long versions of the command and option names, you
> -need to use only enough letters to ensure that
> -\fBip6tables\fP can differentiate it from all other options.
> -.TP
> -\fB\-A\fP, \fB\-\-append\fP \fIchain rule-specification\fP
> -Append one or more rules to the end of the selected chain.
> -When the source and/or destination names resolve to more than one
> -address, a rule will be added for each possible address combination.
> -.TP
> -\fB\-C\fP, \fB\-\-check\fP \fIchain rule-specification\fP
> -Check whether a rule matching the specification does exist in the
> -selected chain. This command uses the same logic as \fB\-D\fP to
> -find a matching entry, but does not alter the existing iptables
> -configuration and uses its exit code to indicate success or failure.
> -.TP
> -\fB\-D\fP, \fB\-\-delete\fP \fIchain rule-specification\fP
> -.ns
> -.TP
> -\fB\-D\fP, \fB\-\-delete\fP \fIchain rulenum\fP
> -Delete one or more rules from the selected chain.  There are two
> -versions of this command: the rule can be specified as a number in the
> -chain (starting at 1 for the first rule) or a rule to match.
> -.TP
> -\fB\-I\fP, \fB\-\-insert\fP \fIchain\fP [\fIrulenum\fP] \fIrule-specification\fP
> -Insert one or more rules in the selected chain as the given rule
> -number.  So, if the rule number is 1, the rule or rules are inserted
> -at the head of the chain.  This is also the default if no rule number
> -is specified.
> -.TP
> -\fB\-R\fP, \fB\-\-replace\fP \fIchain rulenum rule-specification\fP
> -Replace a rule in the selected chain.  If the source and/or
> -destination names resolve to multiple addresses, the command will
> -fail.  Rules are numbered starting at 1.
> -.TP
> -\fB\-L\fP, \fB\-\-list\fP [\fIchain\fP]
> -List all rules in the selected chain.  If no chain is selected, all
> -chains are listed. Like every other ip6tables command, it applies to the
> -specified table (filter is the default).
> -.IP ""
> -Please note that it is often used with the \fB\-n\fP
> -option, in order to avoid long reverse DNS lookups.
> -It is legal to specify the \fB\-Z\fP
> -(zero) option as well, in which case the chain(s) will be atomically
> -listed and zeroed.  The exact output is affected by the other
> -arguments given. The exact rules are suppressed until you use
> -.nf
> - ip6tables \-L \-v
> -.fi
> -.TP
> -\fB\-S\fP, \fB\-\-list\-rules\fP [\fIchain\fP]
> -Print all rules in the selected chain.  If no chain is selected, all
> -chains are printed like ip6tables-save. Like every other ip6tables command,
> -it applies to the specified table (filter is the default).
> -.TP
> -\fB\-F\fP, \fB\-\-flush\fP [\fIchain\fP]
> -Flush the selected chain (all the chains in the table if none is given).
> -This is equivalent to deleting all the rules one by one.
> -.TP
> -\fB\-Z\fP, \fB\-\-zero\fP [\fIchain\fP [\fIrulenum\fP]]
> -Zero the packet and byte counters in all chains, or only the given chain,
> -or only the given rule in a chain. It is legal to
> -specify the
> -\fB\-L\fP, \fB\-\-list\fP
> -(list) option as well, to see the counters immediately before they are
> -cleared. (See above.)
> -.TP
> -\fB\-N\fP, \fB\-\-new\-chain\fP \fIchain\fP
> -Create a new user-defined chain by the given name.  There must be no
> -target of that name already.
> -.TP
> -\fB\-X\fP, \fB\-\-delete\-chain\fP [\fIchain\fP]
> -Delete the optional user-defined chain specified.  There must be no references
> -to the chain.  If there are, you must delete or replace the referring rules
> -before the chain can be deleted.  The chain must be empty, i.e. not contain
> -any rules.  If no argument is given, it will attempt to delete every
> -non-builtin chain in the table.
> -.TP
> -\fB\-P\fP, \fB\-\-policy\fP \fIchain target\fP
> -Set the policy for the chain to the given target.  See the section \fBTARGETS\fP
> -for the legal targets.  Only built-in (non-user-defined) chains can have
> -policies, and neither built-in nor user-defined chains can be policy
> -targets.
> -.TP
> -\fB\-E\fP, \fB\-\-rename\-chain\fP \fIold\-chain new\-chain\fP
> -Rename the user specified chain to the user supplied name.  This is
> -cosmetic, and has no effect on the structure of the table.
> -.TP
> -\fB\-A\fP, \fB\-\-append\fP \fIchain rule-specification\fP
> -Append one or more rules to the end of the selected chain.
> -When the source and/or destination names resolve to more than one
> -address, a rule will be added for each possible address combination.
> -.TP
> -\fB\-h\fP
> -Help.
> -Give a (currently very brief) description of the command syntax.
> -.SS PARAMETERS
> -The following parameters make up a rule specification (as used in the
> -add, delete, insert, replace and append commands).
> -.TP
> -[\fB!\fP] \fB\-p\fP, \fB\-\-protocol\fP \fIprotocol\fP
> -The protocol of the rule or of the packet to check.
> -The specified protocol can be one of \fBtcp\fP, \fBudp\fP, \fBudplite\fP,
> -\fBicmpv6\fP, \fBesp\fP, \fBmh\fP or the special keyword "\fBall\fP",
> -or it can be a numeric value, representing one of these protocols or a
> -different one. A protocol name from /etc/protocols is also allowed.
> -But IPv6 extension headers except \fBesp\fP are not allowed.
> -\fBesp\fP and \fBipv6\-nonext\fP
> -can be used with Kernel version 2.6.11 or later.
> -A "!" argument before the protocol inverts the
> -test.  The number zero is equivalent to \fBall\fP, which means that you cannot
> -test the protocol field for the value 0 directly. To match on a HBH header,
> -even if it were the last, you cannot use \fB\-p 0\fP, but always need
> -\fB\-m hbh\fP.
> -"\fBall\fP"
> -will match with all protocols and is taken as default when this
> -option is omitted.
> -.TP
> -[\fB!\fP] \fB\-s\fP, \fB\-\-source\fP \fIaddress\fP[\fB/\fP\fImask\fP]
> -Source specification.
> -\fIAddress\fP can be either be a hostname,
> -a network IP address (with \fB/\fP\fImask\fP), or a plain IP address.
> -Names will be resolved once only, before the rule is submitted to the kernel.
> -Please note that specifying any name to be resolved with a remote query such as
> -DNS is a really bad idea.
> -(Resolving network names is not supported at this time.)
> -The \fImask\fP is a plain number,
> -specifying the number of 1's at the left side of the network mask.
> -A "!" argument before the address specification inverts the sense of
> -the address. The flag \fB\-\-src\fP
> -is an alias for this option.
> -Multiple addresses can be specified, but this will \fBexpand to multiple
> -rules\fP (when adding with \-A), or will cause multiple rules to be
> -deleted (with \-D).
> -.TP
> -[\fB!\fP] \fB\-d\fP, \fB\-\-destination\fP \fIaddress\fP[\fB/\fP\fImask\fP]
> -Destination specification. 
> -See the description of the \fB\-s\fP
> -(source) flag for a detailed description of the syntax.  The flag
> -\fB\-\-dst\fP is an alias for this option.
> -.TP
> -\fB\-j\fP, \fB\-\-jump\fP \fItarget\fP
> -This specifies the target of the rule; i.e., what to do if the packet
> -matches it.  The target can be a user-defined chain (other than the
> -one this rule is in), one of the special builtin targets which decide
> -the fate of the packet immediately, or an extension (see \fBEXTENSIONS\fP
> -below).  If this
> -option is omitted in a rule (and \fB\-g\fP
> -is not used), then matching the rule will have no
> -effect on the packet's fate, but the counters on the rule will be
> -incremented.
> -.TP
> -\fB\-g\fP, \fB\-\-goto\fP \fIchain\fP
> -This specifies that the processing should continue in a user
> -specified chain. Unlike the \-\-jump option return will not continue
> -processing in this chain but instead in the chain that called us via
> -\-\-jump.
> -.TP
> -[\fB!\fP] \fB\-i\fP, \fB\-\-in\-interface\fP \fIname\fP
> -Name of an interface via which a packet was received (only for
> -packets entering the \fBINPUT\fP, \fBFORWARD\fP and \fBPREROUTING\fP
> -chains).  When the "!" argument is used before the interface name, the
> -sense is inverted.  If the interface name ends in a "+", then any
> -interface which begins with this name will match.  If this option is
> -omitted, any interface name will match.
> -.TP
> -[\fB!\fP] \fB\-o\fP, \fB\-\-out\-interface\fP \fIname\fP
> -Name of an interface via which a packet is going to be sent (for packets
> -entering the \fBFORWARD\fP, \fBOUTPUT\fP and \fBPOSTROUTING\fP
> -chains).  When the "!" argument is used before the interface name, the
> -sense is inverted.  If the interface name ends in a "+", then any
> -interface which begins with this name will match.  If this option is
> -omitted, any interface name will match.
> -.\" Currently not supported (header-based)
> -.\" .TP
> -.\" [\fB!\fP] \fB\-f\fP, \fB\-\-fragment\fP
> -.\" This means that the rule only refers to second and further fragments
> -.\" of fragmented packets.  Since there is no way to tell the source or
> -.\" destination ports of such a packet (or ICMP type), such a packet will
> -.\" not match any rules which specify them.  When the "!" argument
> -.\" precedes the "\-f" flag, the rule will only match head fragments, or
> -.\" unfragmented packets.
> -.TP
> -\fB\-c\fP, \fB\-\-set\-counters\fP \fIpackets bytes\fP
> -This enables the administrator to initialize the packet and byte
> -counters of a rule (during \fBINSERT\fP, \fBAPPEND\fP, \fBREPLACE\fP
> -operations).
> -.SS "OTHER OPTIONS"
> -The following additional options can be specified:
> -.TP
> -\fB\-v\fP, \fB\-\-verbose\fP
> -Verbose output.  This option makes the list command show the interface
> -name, the rule options (if any), and the TOS masks.  The packet and
> -byte counters are also listed, with the suffix 'K', 'M' or 'G' for
> -1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see
> -the \fB\-x\fP flag to change this).
> -For appending, insertion, deletion and replacement, this causes
> -detailed information on the rule or rules to be printed. \fB\-v\fP may be
> -specified multiple times to possibly emit more detailed debug statements.
> -.TP
> -\fB\-n\fP, \fB\-\-numeric\fP
> -Numeric output.
> -IP addresses and port numbers will be printed in numeric format.
> -By default, the program will try to display them as host names,
> -network names, or services (whenever applicable).
> -.TP
> -\fB\-x\fP, \fB\-\-exact\fP
> -Expand numbers.
> -Display the exact value of the packet and byte counters,
> -instead of only the rounded number in K's (multiples of 1000)
> -M's (multiples of 1000K) or G's (multiples of 1000M).  This option is
> -only relevant for the \fB\-L\fP command.
> -.TP
> -\fB\-\-line\-numbers\fP
> -When listing rules, add line numbers to the beginning of each rule,
> -corresponding to that rule's position in the chain.
> -.TP
> -\fB\-\-modprobe=\fP\fIcommand\fP
> -When adding or inserting rules into a chain, use \fIcommand\fP
> -to load any necessary modules (targets, match extensions, etc).
> -.SH MATCH EXTENSIONS
> -.PP
> -iptables can use extended packet matching and target modules.
> -A list of these is available in the \fBiptables\-extensions\fP(8) manpage.
> -.SH DIAGNOSTICS
> -Various error messages are printed to standard error.  The exit code
> -is 0 for correct functioning.  Errors which appear to be caused by
> -invalid or abused command line parameters cause an exit code of 2, and
> -other errors cause an exit code of 1.
> -.SH BUGS
> -Bugs?  What's this? ;-)
> -Well... the counters are not reliable on sparc64.
> -.SH COMPATIBILITY WITH IPCHAINS
> -This \fBip6tables\fP
> -is very similar to ipchains by Rusty Russell.  The main difference is
> -that the chains \fBINPUT\fP and \fBOUTPUT\fP
> -are only traversed for packets coming into the local host and
> -originating from the local host respectively.  Hence every packet only
> -passes through one of the three chains (except loopback traffic, which
> -involves both INPUT and OUTPUT chains); previously a forwarded packet
> -would pass through all three.
> -.PP
> -The other main difference is that \fB\-i\fP refers to the input interface;
> -\fB\-o\fP refers to the output interface, and both are available for packets
> -entering the \fBFORWARD\fP chain.
> -There are several other changes in ip6tables.
> -.SH SEE ALSO
> -\fBip6tables\-save\fP(8),
> -\fBip6tables\-restore\fP(8),
> -\fBiptables\fP(8),
> -\fBiptables\-apply\fP(8),
> -\fBiptables\-extensions\fP(8),
> -\fBiptables\-save\fP(8),
> -\fBiptables\-restore\fP(8),
> -\fBlibipq\fP(3).
> -.PP
> -The packet-filtering-HOWTO details iptables usage for
> -packet filtering,
> -the netfilter-extensions-HOWTO details the extensions that are
> -not in the standard distribution,
> -and the netfilter-hacking-HOWTO details the netfilter internals.
> -.br
> -See
> -.BR "http://www.netfilter.org/" .
> -.SH AUTHORS
> -Rusty Russell wrote iptables, in early consultation with Michael
> -Neuling.
> -.PP
> -Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet
> -selection framework in iptables, then wrote the mangle table, the owner match,
> -the mark stuff, and ran around doing cool stuff everywhere.
> -.PP
> -James Morris wrote the TOS target, and tos match.
> -.PP
> -Jozsef Kadlecsik wrote the REJECT target.
> -.PP
> -Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, as well as TTL match+target and libipulog.
> -.PP
> -The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Yasuyuki Kozakai,
> -Jozsef Kadlecsik, Patrick McHardy, James Morris, Pablo Neira Ayuso,
> -Harald Welte and Rusty Russell.
> -.PP
> -ip6tables man page created by Andras Kis-Szabo, based on
> -iptables man page written by Herve Eychenne <rv@wallfire.org>.
> -.\" .. and did I mention that we are incredibly cool people?
> -.\" .. sexy, too ..
> -.\" .. witty, charming, powerful ..
> -.\" .. and most of all, modest ..
> -.SH VERSION
> -.PP
> -This manual page applies to ip6tables @PACKAGE_VERSION@.
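
Review bot: this is a rename, yet it is sent as a 433-line "deleted file" hunk plus an equally large create, which hides whether any content changed along the way. Regenerate the patch with rename detection (git format-patch -M), as the cover letter's diffstat already shows it, so the rename appears as one. Separately, the text being moved lists \-A, \-\-append twice under COMMANDS and says "three independent tables" before describing four; both could be fixed in a follow-up in this series.
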
> diff --git a/iptables/ip6tables.8in b/iptables/ip6tables.8in

NACK this patch.

No reason to change this file to .8in instead of .8.in


* Re: [PATCH 3/9] doc: fixup omissions in ip6tables-restore.8
  2012-10-10 12:26 ` [PATCH 3/9] doc: fixup omissions in ip6tables-restore.8 Jan Engelhardt
@ 2012-10-10 16:21   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 14+ messages in thread
From: Pablo Neira Ayuso @ 2012-10-10 16:21 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

On Wed, Oct 10, 2012 at 02:26:26PM +0200, Jan Engelhardt wrote:
> Signed-off-by: Jan Engelhardt <jengelh@inai.de>
> ---
>  iptables/ip6tables-restore.8in |    6 ++++--
>  iptables/iptables-restore.8in  |    2 +-

Same thing. I don't like this change to save just a couple of Makefile
lines.

NACK.
