Documentation and a build fix

Documentation and a build fix

[Jan Engelhardt]

The following changes since commit eec83c7ce4351359cae797840d63cf4ef2809c95:

  bump version to 1.4.17 (2012-12-25 13:38:36 +0100)

are available in the git repository at:

  git://git.inai.de/iptables master

for you to fetch changes up to 070e9ad8fe6380be3fe19924cd50619e540382d0:

  build: resolve link failure for ip6t_NETMAP (2012-12-26 00:00:11 +0100)

----------------------------------------------------------------
Jan Engelhardt (13):
      doc: add package version to all manpages
      doc: fixup omissions in ip6tables-restore.8
      doc: document iptables-restore's -t option
      doc: document iptables-restore's -v option
      doc: document iptables-restore's -M option
      doc: document iptables-restore's -h option
      doc: name the supported log levels for ipt_LOG
      src: remove faulty deprecated marker in libipt_LOG source
      iptables: fix order of internal commands list
      iptables: implement --line-numbers for iptables -S
      doc: mention -m in the manpage
      doc: document the -4 and -6 options
      build: resolve link failure for ip6t_NETMAP

 extensions/GNUmakefile.in                          |    3 +-
 extensions/libip6t_LOG.c                           |    2 +-
 extensions/libip6t_LOG.man                         |    5 ++-
 extensions/libipt_LOG.c                            |    2 +-
 extensions/libipt_LOG.man                          |    5 ++-
 include/ip6tables.h                                |    3 +-
 include/iptables.h                                 |    3 +-
 iptables/.gitignore                                |    5 ++-
 iptables/Makefile.am                               |   34 +++++++++++++++----
 ...{ip6tables-restore.8 => ip6tables-restore.8.in} |   22 ++++++++++--
 iptables/{ip6tables-save.8 => ip6tables-save.8.in} |    2 +-
 iptables/ip6tables-save.c                          |    2 +-
 iptables/ip6tables.8.in                            |   18 +++++++++-
 iptables/ip6tables.c                               |   35 +++++++++++---------
 iptables/{iptables-apply.8 => iptables-apply.8.in} |    2 +-
 iptables/iptables-extensions.8.in                  |    2 +-
 .../{iptables-restore.8 => iptables-restore.8.in}  |   20 +++++++++--
 iptables/{iptables-save.8 => iptables-save.8.in}   |    2 +-
 iptables/iptables-save.c                           |    2 +-
 iptables/{iptables-xml.1 => iptables-xml.1.in}     |    2 +-
 iptables/iptables.8.in                             |   18 +++++++++-
 iptables/iptables.c                                |   35 +++++++++++---------
 22 files changed, 161 insertions(+), 63 deletions(-)
 rename iptables/{ip6tables-restore.8 => ip6tables-restore.8.in} (72%)
 rename iptables/{ip6tables-save.8 => ip6tables-save.8.in} (96%)
 rename iptables/{iptables-apply.8 => iptables-apply.8.in} (95%)
 rename iptables/{iptables-restore.8 => iptables-restore.8.in} (71%)
 rename iptables/{iptables-save.8 => iptables-save.8.in} (96%)
 rename iptables/{iptables-xml.1 => iptables-xml.1.in} (97%)

[PATCH 01/13] doc: add package version to all manpages

[Jan Engelhardt]

Some manpages already had this - expand it to all of them. This is
useful to determine how old random renditions of these manpages on the
Internet actually are.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 iptables/.gitignore               |    5 +--
 iptables/Makefile.am              |   34 ++++++++++++---
 iptables/ip6tables-restore.8      |   52 ----------------------
 iptables/ip6tables-restore.8.in   |   52 ++++++++++++++++++++++
 iptables/ip6tables-save.8         |   53 ----------------------
 iptables/ip6tables-save.8.in      |   53 ++++++++++++++++++++++
 iptables/ip6tables.8.in           |    2 +-
 iptables/iptables-apply.8         |   44 -------------------
 iptables/iptables-apply.8.in      |   44 +++++++++++++++++++
 iptables/iptables-extensions.8.in |    2 +-
 iptables/iptables-restore.8       |   50 ---------------------
 iptables/iptables-restore.8.in    |   50 +++++++++++++++++++++
 iptables/iptables-save.8          |   51 ----------------------
 iptables/iptables-save.8.in       |   51 ++++++++++++++++++++++
 iptables/iptables-xml.1           |   87 -------------------------------------
 iptables/iptables-xml.1.in        |   87 +++++++++++++++++++++++++++++++++++++
 iptables/iptables.8.in            |    2 +-
 17 files changed, 370 insertions(+), 349 deletions(-)
 delete mode 100644 iptables/ip6tables-restore.8
 create mode 100644 iptables/ip6tables-restore.8.in
 delete mode 100644 iptables/ip6tables-save.8
 create mode 100644 iptables/ip6tables-save.8.in
 delete mode 100644 iptables/iptables-apply.8
 create mode 100644 iptables/iptables-apply.8.in
 delete mode 100644 iptables/iptables-restore.8
 create mode 100644 iptables/iptables-restore.8.in
 delete mode 100644 iptables/iptables-save.8
 create mode 100644 iptables/iptables-save.8.in
 delete mode 100644 iptables/iptables-xml.1
 create mode 100644 iptables/iptables-xml.1.in

diff --git a/iptables/.gitignore b/iptables/.gitignore
index 4fc63aa..1141d87 100644
--- a/iptables/.gitignore
+++ b/iptables/.gitignore
@@ -1,11 +1,10 @@
+/*.1
+/*.8
 /ip6tables
-/ip6tables.8
 /ip6tables-save
 /ip6tables-restore
 /ip6tables-static
 /iptables
-/iptables.8
-/iptables-extensions.8
 /iptables-save
 /iptables-restore
 /iptables-static
diff --git a/iptables/Makefile.am b/iptables/Makefile.am
index 61e78db..0f4c1f6 100644
--- a/iptables/Makefile.am
+++ b/iptables/Makefile.am
@@ -27,8 +27,8 @@ xtables_multi_LDADD   += ../libxtables/libxtables.la -lm
 sbin_PROGRAMS    = xtables-multi
 man_MANS         = iptables.8 iptables-restore.8 iptables-save.8 \
                    iptables-xml.1 ip6tables.8 ip6tables-restore.8 \
-                   ip6tables-save.8 iptables-extensions.8
-CLEANFILES       = iptables.8 ip6tables.8
+                   ip6tables-save.8 iptables-extensions.8 iptables-apply.8
+CLEANFILES       = ${man_MANS}
 
 vx_bin_links   = iptables-xml
 if ENABLE_IPV4
@@ -38,14 +38,36 @@ if ENABLE_IPV6
 v6_sbin_links  = ip6tables ip6tables-restore ip6tables-save
 endif
 
-iptables.8: ${srcdir}/iptables.8.in
-	${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' $< >$@;
+fill_in_date = ${AM_V_GEN} sed -e \
+               's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' \
+               $< >$@;
+
+iptables-xml.1: ${srcdir}/iptables-xml.1.in
+	${fill_in_date}
+
+ip6tables-restore.8: ${srcdir}/ip6tables-restore.8.in
+	${fill_in_date}
+
+ip6tables-save.8: ${srcdir}/ip6tables-save.8.in
+	${fill_in_date}
 
 ip6tables.8: ${srcdir}/ip6tables.8.in
-	${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' $< >$@;
+	${fill_in_date}
+
+iptables-apply.8: ${srcdir}/iptables-apply.8.in
+	${fill_in_date}
+
+iptables-restore.8: ${srcdir}/iptables-restore.8.in
+	${fill_in_date}
+
+iptables-save.8: ${srcdir}/iptables-save.8.in
+	${fill_in_date}
+
+iptables.8: ${srcdir}/iptables.8.in
+	${fill_in_date}
 
 iptables-extensions.8: ${srcdir}/iptables-extensions.8.in ../extensions/matches.man ../extensions/targets.man
-	${AM_VERBOSE_GEN} sed -e \
+	${AM_V_GEN} sed -e \
 		's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' \
 		-e '/@MATCH@/ r ../extensions/matches.man' \
 		-e '/@TARGET@/ r ../extensions/targets.man' $< >$@;
diff --git a/iptables/ip6tables-restore.8 b/iptables/ip6tables-restore.8
deleted file mode 100644
index 59a3b2e..0000000
--- a/iptables/ip6tables-restore.8
+++ /dev/null
@@ -1,52 +0,0 @@
-.TH IP6TABLES-RESTORE 8 "Jan 30, 2002" "" ""
-.\"
-.\" Man page written by Harald Welte <laforge@gnumonks.org>
-.\" It is based on the iptables man page.
-.\"
-.\"	This program is free software; you can redistribute it and/or modify
-.\"	it under the terms of the GNU General Public License as published by
-.\"	the Free Software Foundation; either version 2 of the License, or
-.\"	(at your option) any later version.
-.\"
-.\"	This program is distributed in the hope that it will be useful,
-.\"	but WITHOUT ANY WARRANTY; without even the implied warranty of
-.\"	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-.\"	GNU General Public License for more details.
-.\"
-.\"	You should have received a copy of the GNU General Public License
-.\"	along with this program; if not, write to the Free Software
-.\"	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-.\"
-.\"
-.SH NAME
-ip6tables-restore \(em Restore IPv6 Tables
-.SH SYNOPSIS
-\fBip6tables\-restore\fP [\fB\-c\fP] [\fB\-n\fP]
-.SH DESCRIPTION
-.PP
-.B ip6tables-restore
-is used to restore IPv6 Tables from data specified on STDIN. Use 
-I/O redirection provided by your shell to read from a file
-.TP
-\fB\-c\fR, \fB\-\-counters\fR
-restore the values of all packet and byte counters
-.TP
-\fB\-n\fR, \fB\-\-noflush\fR 
-don't flush the previous contents of the table. If not specified, 
-.TP
-\fB\-T\fP, \fB\-\-table\fP \fIname\fP
-Restore only the named table even if the input stream contains other ones.
-.B ip6tables-restore
-flushes (deletes) all previous contents of the respective IPv6 Table.
-.SH BUGS
-None known as of iptables-1.2.1 release
-.SH AUTHORS
-Harald Welte <laforge@gnumonks.org>
-.br
-Andras Kis-Szabo <kisza@sch.bme.hu>
-.SH SEE ALSO
-\fBip6tables\-save\fP(8), \fBip6tables\fP(8)
-.PP
-The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
-which details NAT, and the netfilter-hacking-HOWTO which details the
-internals.
diff --git a/iptables/ip6tables-restore.8.in b/iptables/ip6tables-restore.8.in
new file mode 100644
index 0000000..a9859ae
--- /dev/null
+++ b/iptables/ip6tables-restore.8.in
@@ -0,0 +1,52 @@
+.TH ip6tables-restore 8 "@PACKAGE_AND_VERSION@" "" "@PACKAGE_AND_VERSION@"
+.\"
+.\" Man page written by Harald Welte <laforge@gnumonks.org>
+.\" It is based on the iptables man page.
+.\"
+.\"	This program is free software; you can redistribute it and/or modify
+.\"	it under the terms of the GNU General Public License as published by
+.\"	the Free Software Foundation; either version 2 of the License, or
+.\"	(at your option) any later version.
+.\"
+.\"	This program is distributed in the hope that it will be useful,
+.\"	but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\"	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+.\"	GNU General Public License for more details.
+.\"
+.\"	You should have received a copy of the GNU General Public License
+.\"	along with this program; if not, write to the Free Software
+.\"	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+ip6tables-restore \(em Restore IPv6 Tables
+.SH SYNOPSIS
+\fBip6tables\-restore\fP [\fB\-c\fP] [\fB\-n\fP]
+.SH DESCRIPTION
+.PP
+.B ip6tables-restore
+is used to restore IPv6 Tables from data specified on STDIN. Use 
+I/O redirection provided by your shell to read from a file
+.TP
+\fB\-c\fR, \fB\-\-counters\fR
+restore the values of all packet and byte counters
+.TP
+\fB\-n\fR, \fB\-\-noflush\fR 
+don't flush the previous contents of the table. If not specified, 
+.TP
+\fB\-T\fP, \fB\-\-table\fP \fIname\fP
+Restore only the named table even if the input stream contains other ones.
+.B ip6tables-restore
+flushes (deletes) all previous contents of the respective IPv6 Table.
+.SH BUGS
+None known as of iptables-1.2.1 release
+.SH AUTHORS
+Harald Welte <laforge@gnumonks.org>
+.br
+Andras Kis-Szabo <kisza@sch.bme.hu>
+.SH SEE ALSO
+\fBip6tables\-save\fP(8), \fBip6tables\fP(8)
+.PP
+The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
+which details NAT, and the netfilter-hacking-HOWTO which details the
+internals.
diff --git a/iptables/ip6tables-save.8 b/iptables/ip6tables-save.8
deleted file mode 100644
index 457be82..0000000
--- a/iptables/ip6tables-save.8
+++ /dev/null
@@ -1,53 +0,0 @@
-.TH IP6TABLES-SAVE 8 "Jan 30, 2002" "" ""
-.\"
-.\" Man page written by Harald Welte <laforge@gnumonks.org>
-.\" It is based on the iptables man page.
-.\"
-.\"	This program is free software; you can redistribute it and/or modify
-.\"	it under the terms of the GNU General Public License as published by
-.\"	the Free Software Foundation; either version 2 of the License, or
-.\"	(at your option) any later version.
-.\"
-.\"	This program is distributed in the hope that it will be useful,
-.\"	but WITHOUT ANY WARRANTY; without even the implied warranty of
-.\"	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-.\"	GNU General Public License for more details.
-.\"
-.\"	You should have received a copy of the GNU General Public License
-.\"	along with this program; if not, write to the Free Software
-.\"	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-.\"
-.\"
-.SH NAME
-ip6tables-save \(em dump iptables rules to stdout
-.SH SYNOPSIS
-\fBip6tables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
-[\fB\-t\fP \fItable\fP
-.SH DESCRIPTION
-.PP
-.B ip6tables-save
-is used to dump the contents of an IPv6 Table in easily parseable format
-to STDOUT. Use I/O-redirection provided by your shell to write to a file.
-.TP
-\fB\-M\fP \fImodprobe_program\fP
-Specify the path to the modprobe program. By default, iptables-save will
-inspect /proc/sys/kernel/modprobe to determine the executable's path.
-.TP
-\fB\-c\fR, \fB\-\-counters\fR
-include the current values of all packet and byte counters in the output
-.TP
-\fB\-t\fR, \fB\-\-table\fR \fItablename\fP
-restrict output to only one table. If not specified, output includes all
-available tables.
-.SH BUGS
-None known as of iptables-1.2.1 release
-.SH AUTHORS
-Harald Welte <laforge@gnumonks.org>
-.br
-Andras Kis-Szabo <kisza@sch.bme.hu>
-.SH SEE ALSO
-\fBip6tables\-restore\fP(8), \fBip6tables\fP(8)
-.PP
-The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
-which details NAT, and the netfilter-hacking-HOWTO which details the
-internals.
diff --git a/iptables/ip6tables-save.8.in b/iptables/ip6tables-save.8.in
new file mode 100644
index 0000000..f4cd3e0
--- /dev/null
+++ b/iptables/ip6tables-save.8.in
@@ -0,0 +1,53 @@
+.TH ip6tables-save 8 "@PACKAGE_AND_VERSION@" "" "@PACKAGE_AND_VERSION@"
+.\"
+.\" Man page written by Harald Welte <laforge@gnumonks.org>
+.\" It is based on the iptables man page.
+.\"
+.\"	This program is free software; you can redistribute it and/or modify
+.\"	it under the terms of the GNU General Public License as published by
+.\"	the Free Software Foundation; either version 2 of the License, or
+.\"	(at your option) any later version.
+.\"
+.\"	This program is distributed in the hope that it will be useful,
+.\"	but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\"	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+.\"	GNU General Public License for more details.
+.\"
+.\"	You should have received a copy of the GNU General Public License
+.\"	along with this program; if not, write to the Free Software
+.\"	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+ip6tables-save \(em dump iptables rules to stdout
+.SH SYNOPSIS
+\fBip6tables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
+[\fB\-t\fP \fItable\fP
+.SH DESCRIPTION
+.PP
+.B ip6tables-save
+is used to dump the contents of an IPv6 Table in easily parseable format
+to STDOUT. Use I/O-redirection provided by your shell to write to a file.
+.TP
+\fB\-M\fP \fImodprobe_program\fP
+Specify the path to the modprobe program. By default, iptables-save will
+inspect /proc/sys/kernel/modprobe to determine the executable's path.
+.TP
+\fB\-c\fR, \fB\-\-counters\fR
+include the current values of all packet and byte counters in the output
+.TP
+\fB\-t\fR, \fB\-\-table\fR \fItablename\fP
+restrict output to only one table. If not specified, output includes all
+available tables.
+.SH BUGS
+None known as of iptables-1.2.1 release
+.SH AUTHORS
+Harald Welte <laforge@gnumonks.org>
+.br
+Andras Kis-Szabo <kisza@sch.bme.hu>
+.SH SEE ALSO
+\fBip6tables\-restore\fP(8), \fBip6tables\fP(8)
+.PP
+The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
+which details NAT, and the netfilter-hacking-HOWTO which details the
+internals.
diff --git a/iptables/ip6tables.8.in b/iptables/ip6tables.8.in
index 078bcac..fd0e61b 100644
--- a/iptables/ip6tables.8.in
+++ b/iptables/ip6tables.8.in
@@ -1,4 +1,4 @@
-.TH IP6TABLES 8 "" "@PACKAGE_AND_VERSION@" "@PACKAGE_AND_VERSION@"
+.TH ip6tables 8 "@PACKAGE_AND_VERSION@" "" "@PACKAGE_AND_VERSION@"
 .\"
 .\" Man page written by Andras Kis-Szabo <kisza@sch.bme.hu>
 .\" It is based on iptables man page.
diff --git a/iptables/iptables-apply.8 b/iptables/iptables-apply.8
deleted file mode 100644
index 66eaf57..0000000
--- a/iptables/iptables-apply.8
+++ /dev/null
@@ -1,44 +0,0 @@
-.\"     Title: iptables-apply
-.\"    Author: Martin F. Krafft
-.\"      Date: Jun 04, 2006
-.\"
-.TH iptables\-apply 8 2006-06-04
-.\" disable hyphenation
-.nh
-.SH NAME
-iptables-apply \- a safer way to update iptables remotely
-.SH SYNOPSIS
-\fBiptables\-apply\fP [\-\fBhV\fP] [\fB-t\fP \fItimeout\fP] \fIruleset\-file\fP
-.SH "DESCRIPTION"
-.PP
-iptables\-apply will try to apply a new ruleset (as output by
-iptables\-save/read by iptables\-restore) to iptables, then prompt the
-user whether the changes are okay. If the new ruleset cut the existing
-connection, the user will not be able to answer affirmatively. In this
-case, the script rolls back to the previous ruleset after the timeout
-expired. The timeout can be set with \fB\-t\fP.
-.PP
-When called as \fBip6tables\-apply\fP, the script will use
-ip6tables\-save/\-restore instead.
-.SH OPTIONS
-.TP
-\fB\-t\fP \fIseconds\fR, \fB\-\-timeout\fP \fIseconds\fR
-Sets the timeout after which the script will roll back to the previous
-ruleset.
-.TP
-\fB\-h\fP, \fB\-\-help\fP
-Display usage information.
-.TP
-\fB\-V\fP, \fB\-\-version\fP
-Display version information.
-.SH "SEE ALSO"
-.PP
-\fBiptables-restore\fP(8), \fBiptables-save\fP(8), \fBiptables\fR(8).
-.SH LEGALESE
-.PP
-iptables\-apply is copyright by Martin F. Krafft.
-.PP
-This manual page was written by Martin F. Krafft <madduck@madduck.net>
-.PP
-Permission is granted to copy, distribute and/or modify this document
-under the terms of the Artistic License 2.0.
diff --git a/iptables/iptables-apply.8.in b/iptables/iptables-apply.8.in
new file mode 100644
index 0000000..4fe14c8
--- /dev/null
+++ b/iptables/iptables-apply.8.in
@@ -0,0 +1,44 @@
+.\"     Title: iptables-apply
+.\"    Author: Martin F. Krafft
+.\"      Date: Jun 04, 2006
+.\"
+.TH iptables\-apply 8 "@PACKAGE_AND_VERSION@" "" "@PACKAGE_AND_VERSION@"
+.\" disable hyphenation
+.nh
+.SH NAME
+iptables-apply \- a safer way to update iptables remotely
+.SH SYNOPSIS
+\fBiptables\-apply\fP [\-\fBhV\fP] [\fB-t\fP \fItimeout\fP] \fIruleset\-file\fP
+.SH "DESCRIPTION"
+.PP
+iptables\-apply will try to apply a new ruleset (as output by
+iptables\-save/read by iptables\-restore) to iptables, then prompt the
+user whether the changes are okay. If the new ruleset cut the existing
+connection, the user will not be able to answer affirmatively. In this
+case, the script rolls back to the previous ruleset after the timeout
+expired. The timeout can be set with \fB\-t\fP.
+.PP
+When called as \fBip6tables\-apply\fP, the script will use
+ip6tables\-save/\-restore instead.
+.SH OPTIONS
+.TP
+\fB\-t\fP \fIseconds\fR, \fB\-\-timeout\fP \fIseconds\fR
+Sets the timeout after which the script will roll back to the previous
+ruleset.
+.TP
+\fB\-h\fP, \fB\-\-help\fP
+Display usage information.
+.TP
+\fB\-V\fP, \fB\-\-version\fP
+Display version information.
+.SH "SEE ALSO"
+.PP
+\fBiptables-restore\fP(8), \fBiptables-save\fP(8), \fBiptables\fR(8).
+.SH LEGALESE
+.PP
+iptables\-apply is copyright by Martin F. Krafft.
+.PP
+This manual page was written by Martin F. Krafft <madduck@madduck.net>
+.PP
+Permission is granted to copy, distribute and/or modify this document
+under the terms of the Artistic License 2.0.
diff --git a/iptables/iptables-extensions.8.in b/iptables/iptables-extensions.8.in
index 9ec3fb0..bbc3e86 100644
--- a/iptables/iptables-extensions.8.in
+++ b/iptables/iptables-extensions.8.in
@@ -1,4 +1,4 @@
-.TH iptables-extensions 8 "" "@PACKAGE_AND_VERSION@" "@PACKAGE_AND_VERSION@"
+.TH iptables-extensions 8 "@PACKAGE_AND_VERSION@" "" "@PACKAGE_AND_VERSION@"
 .SH NAME
 iptables-extensions \(em list of extensions in the standard iptables distribution
 .SH SYNOPSIS
diff --git a/iptables/iptables-restore.8 b/iptables/iptables-restore.8
deleted file mode 100644
index 0dd20cb..0000000
--- a/iptables/iptables-restore.8
+++ /dev/null
@@ -1,50 +0,0 @@
-.TH IPTABLES-RESTORE 8 "Jan 04, 2001" "" ""
-.\"
-.\" Man page written by Harald Welte <laforge@gnumonks.org>
-.\" It is based on the iptables man page.
-.\"
-.\"	This program is free software; you can redistribute it and/or modify
-.\"	it under the terms of the GNU General Public License as published by
-.\"	the Free Software Foundation; either version 2 of the License, or
-.\"	(at your option) any later version.
-.\"
-.\"	This program is distributed in the hope that it will be useful,
-.\"	but WITHOUT ANY WARRANTY; without even the implied warranty of
-.\"	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-.\"	GNU General Public License for more details.
-.\"
-.\"	You should have received a copy of the GNU General Public License
-.\"	along with this program; if not, write to the Free Software
-.\"	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-.\"
-.\"
-.SH NAME
-iptables-restore \(em Restore IP Tables
-.SH SYNOPSIS
-\fBiptables\-restore\fP [\fB\-c\fP] [\fB\-n\fP] [\fB\-T\fP \fIname\fP]
-.SH DESCRIPTION
-.PP
-.B iptables-restore
-is used to restore IP Tables from data specified on STDIN. Use 
-I/O redirection provided by your shell to read from a file
-.TP
-\fB\-c\fR, \fB\-\-counters\fR
-restore the values of all packet and byte counters
-.TP
-\fB\-n\fR, \fB\-\-noflush\fR 
-don't flush the previous contents of the table. If not specified, 
-.B iptables-restore
-flushes (deletes) all previous contents of the respective IP Table.
-.TP
-\fB\-T\fP, \fB\-\-table\fP \fIname\fP
-Restore only the named table even if the input stream contains other ones.
-.SH BUGS
-None known as of iptables-1.2.1 release
-.SH AUTHOR
-Harald Welte <laforge@gnumonks.org>
-.SH SEE ALSO
-\fBiptables\-save\fP(8), \fBiptables\fP(8)
-.PP
-The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
-which details NAT, and the netfilter-hacking-HOWTO which details the
-internals.
diff --git a/iptables/iptables-restore.8.in b/iptables/iptables-restore.8.in
new file mode 100644
index 0000000..37faae0
--- /dev/null
+++ b/iptables/iptables-restore.8.in
@@ -0,0 +1,50 @@
+.TH iptables-restore 8 "@PACKAGE_AND_VERSION@" "" "@PACKAGE_AND_VERSION@"
+.\"
+.\" Man page written by Harald Welte <laforge@gnumonks.org>
+.\" It is based on the iptables man page.
+.\"
+.\"	This program is free software; you can redistribute it and/or modify
+.\"	it under the terms of the GNU General Public License as published by
+.\"	the Free Software Foundation; either version 2 of the License, or
+.\"	(at your option) any later version.
+.\"
+.\"	This program is distributed in the hope that it will be useful,
+.\"	but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\"	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+.\"	GNU General Public License for more details.
+.\"
+.\"	You should have received a copy of the GNU General Public License
+.\"	along with this program; if not, write to the Free Software
+.\"	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+iptables-restore \(em Restore IP Tables
+.SH SYNOPSIS
+\fBiptables\-restore\fP [\fB\-c\fP] [\fB\-n\fP] [\fB\-T\fP \fIname\fP]
+.SH DESCRIPTION
+.PP
+.B iptables-restore
+is used to restore IP Tables from data specified on STDIN. Use 
+I/O redirection provided by your shell to read from a file
+.TP
+\fB\-c\fR, \fB\-\-counters\fR
+restore the values of all packet and byte counters
+.TP
+\fB\-n\fR, \fB\-\-noflush\fR 
+don't flush the previous contents of the table. If not specified, 
+.B iptables-restore
+flushes (deletes) all previous contents of the respective IP Table.
+.TP
+\fB\-T\fP, \fB\-\-table\fP \fIname\fP
+Restore only the named table even if the input stream contains other ones.
+.SH BUGS
+None known as of iptables-1.2.1 release
+.SH AUTHOR
+Harald Welte <laforge@gnumonks.org>
+.SH SEE ALSO
+\fBiptables\-save\fP(8), \fBiptables\fP(8)
+.PP
+The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
+which details NAT, and the netfilter-hacking-HOWTO which details the
+internals.
diff --git a/iptables/iptables-save.8 b/iptables/iptables-save.8
deleted file mode 100644
index c2e0a94..0000000
--- a/iptables/iptables-save.8
+++ /dev/null
@@ -1,51 +0,0 @@
-.TH IPTABLES-SAVE 8 "Jan 04, 2001" "" ""
-.\"
-.\" Man page written by Harald Welte <laforge@gnumonks.org>
-.\" It is based on the iptables man page.
-.\"
-.\"	This program is free software; you can redistribute it and/or modify
-.\"	it under the terms of the GNU General Public License as published by
-.\"	the Free Software Foundation; either version 2 of the License, or
-.\"	(at your option) any later version.
-.\"
-.\"	This program is distributed in the hope that it will be useful,
-.\"	but WITHOUT ANY WARRANTY; without even the implied warranty of
-.\"	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-.\"	GNU General Public License for more details.
-.\"
-.\"	You should have received a copy of the GNU General Public License
-.\"	along with this program; if not, write to the Free Software
-.\"	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-.\"
-.\"
-.SH NAME
-iptables-save \(em dump iptables rules to stdout
-.SH SYNOPSIS
-\fBiptables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
-[\fB\-t\fP \fItable\fP]
-.SH DESCRIPTION
-.PP
-.B iptables-save
-is used to dump the contents of an IP Table in easily parseable format
-to STDOUT. Use I/O-redirection provided by your shell to write to a file.
-.TP
-\fB\-M\fP \fImodprobe_program\fP
-Specify the path to the modprobe program. By default, iptables-save will
-inspect /proc/sys/kernel/modprobe to determine the executable's path.
-.TP
-\fB\-c\fR, \fB\-\-counters\fR
-include the current values of all packet and byte counters in the output
-.TP
-\fB\-t\fR, \fB\-\-table\fR \fItablename\fP
-restrict output to only one table. If not specified, output includes all
-available tables.
-.SH BUGS
-None known as of iptables-1.2.1 release
-.SH AUTHOR
-Harald Welte <laforge@gnumonks.org>
-.SH SEE ALSO
-\fBiptables\-restore\fP(8), \fBiptables\fP(8)
-.PP
-The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
-which details NAT, and the netfilter-hacking-HOWTO which details the
-internals.
diff --git a/iptables/iptables-save.8.in b/iptables/iptables-save.8.in
new file mode 100644
index 0000000..3d79185
--- /dev/null
+++ b/iptables/iptables-save.8.in
@@ -0,0 +1,51 @@
+.TH iptables-save 8 "@PACKAGE_AND_VERSION@" "" "@PACKAGE_AND_VERSION@"
+.\"
+.\" Man page written by Harald Welte <laforge@gnumonks.org>
+.\" It is based on the iptables man page.
+.\"
+.\"	This program is free software; you can redistribute it and/or modify
+.\"	it under the terms of the GNU General Public License as published by
+.\"	the Free Software Foundation; either version 2 of the License, or
+.\"	(at your option) any later version.
+.\"
+.\"	This program is distributed in the hope that it will be useful,
+.\"	but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\"	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+.\"	GNU General Public License for more details.
+.\"
+.\"	You should have received a copy of the GNU General Public License
+.\"	along with this program; if not, write to the Free Software
+.\"	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+iptables-save \(em dump iptables rules to stdout
+.SH SYNOPSIS
+\fBiptables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
+[\fB\-t\fP \fItable\fP]
+.SH DESCRIPTION
+.PP
+.B iptables-save
+is used to dump the contents of an IP Table in easily parseable format
+to STDOUT. Use I/O-redirection provided by your shell to write to a file.
+.TP
+\fB\-M\fP \fImodprobe_program\fP
+Specify the path to the modprobe program. By default, iptables-save will
+inspect /proc/sys/kernel/modprobe to determine the executable's path.
+.TP
+\fB\-c\fR, \fB\-\-counters\fR
+include the current values of all packet and byte counters in the output
+.TP
+\fB\-t\fR, \fB\-\-table\fR \fItablename\fP
+restrict output to only one table. If not specified, output includes all
+available tables.
+.SH BUGS
+None known as of iptables-1.2.1 release
+.SH AUTHOR
+Harald Welte <laforge@gnumonks.org>
+.SH SEE ALSO
+\fBiptables\-restore\fP(8), \fBiptables\fP(8)
+.PP
+The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
+which details NAT, and the netfilter-hacking-HOWTO which details the
+internals.
diff --git a/iptables/iptables-xml.1 b/iptables/iptables-xml.1
deleted file mode 100644
index 048c2cb..0000000
--- a/iptables/iptables-xml.1
+++ /dev/null
@@ -1,87 +0,0 @@
-.TH IPTABLES-XML 8 "Jul 16, 2007" "" ""
-.\"
-.\" Man page written by Sam Liddicott <azez@ufomechanic.net>
-.\" It is based on the iptables-save man page.
-.\"
-.\"	This program is free software; you can redistribute it and/or modify
-.\"	it under the terms of the GNU General Public License as published by
-.\"	the Free Software Foundation; either version 2 of the License, or
-.\"	(at your option) any later version.
-.\"
-.\"	This program is distributed in the hope that it will be useful,
-.\"	but WITHOUT ANY WARRANTY; without even the implied warranty of
-.\"	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-.\"	GNU General Public License for more details.
-.\"
-.\"	You should have received a copy of the GNU General Public License
-.\"	along with this program; if not, write to the Free Software
-.\"	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-.\"
-.\"
-.SH NAME
-iptables-xml \(em Convert iptables-save format to XML
-.SH SYNOPSIS
-\fBiptables\-xml\fP [\fB\-c\fP] [\fB\-v\fP]
-.SH DESCRIPTION
-.PP
-.B iptables-xml
-is used to convert the output of iptables-save into an easily manipulatable
-XML format to STDOUT.  Use I/O-redirection provided by your shell to write to 
-a file.
-.TP
-\fB\-c\fR, \fB\-\-combine\fR
-combine consecutive rules with the same matches but different targets. iptables
-does not currently support more than one target per match, so this simulates 
-that by collecting the targets from consecutive iptables rules into one action
-tag, but only when the rule matches are identical. Terminating actions like
-RETURN, DROP, ACCEPT and QUEUE are not combined with subsequent targets.
-.TP
-\fB\-v\fR, \fB\-\-verbose\fR
-Output xml comments containing the iptables line from which the XML is derived
-
-.PP
-iptables-xml does a mechanistic conversion to a very expressive xml
-format; the only semantic considerations are for \-g and \-j targets in
-order to discriminate between <call> <goto> and <nane-of-target> as it
-helps xml processing scripts if they can tell the difference between a
-target like SNAT and another chain.
-
-Some sample output is:
-
-<iptables-rules>
-  <table name="mangle">
-    <chain name="PREROUTING" policy="ACCEPT" packet-count="63436"
-byte-count="7137573">
-      <rule>
-       <conditions>
-        <match>
-          <p>tcp</p>
-        </match>
-        <tcp>
-          <sport>8443</sport>
-        </tcp>
-       </conditions>
-       <actions>
-        <call>
-          <check_ip/>
-        </call>
-        <ACCEPT/>
-       </actions>
-      </rule>
-    </chain>
-  </table>
-</iptables-rules>
-
-.PP
-Conversion from XML to iptables-save format may be done using the 
-iptables.xslt script and xsltproc, or a custom program using
-libxsltproc or similar; in this fashion:
-
-xsltproc iptables.xslt my-iptables.xml | iptables-restore
-
-.SH BUGS
-None known as of iptables-1.3.7 release
-.SH AUTHOR
-Sam Liddicott <azez@ufomechanic.net>
-.SH SEE ALSO
-\fBiptables\-save\fP(8), \fBiptables\-restore\fP(8), \fBiptables\fP(8)
diff --git a/iptables/iptables-xml.1.in b/iptables/iptables-xml.1.in
new file mode 100644
index 0000000..6b440ff
--- /dev/null
+++ b/iptables/iptables-xml.1.in
@@ -0,0 +1,87 @@
+.TH iptables-xml 8 "@PACKAGE_AND_VERSION@" "" "@PACKAGE_AND_VERSION@"
+.\"
+.\" Man page written by Sam Liddicott <azez@ufomechanic.net>
+.\" It is based on the iptables-save man page.
+.\"
+.\"	This program is free software; you can redistribute it and/or modify
+.\"	it under the terms of the GNU General Public License as published by
+.\"	the Free Software Foundation; either version 2 of the License, or
+.\"	(at your option) any later version.
+.\"
+.\"	This program is distributed in the hope that it will be useful,
+.\"	but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\"	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+.\"	GNU General Public License for more details.
+.\"
+.\"	You should have received a copy of the GNU General Public License
+.\"	along with this program; if not, write to the Free Software
+.\"	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+iptables-xml \(em Convert iptables-save format to XML
+.SH SYNOPSIS
+\fBiptables\-xml\fP [\fB\-c\fP] [\fB\-v\fP]
+.SH DESCRIPTION
+.PP
+.B iptables-xml
+is used to convert the output of iptables-save into an easily manipulatable
+XML format to STDOUT.  Use I/O-redirection provided by your shell to write to 
+a file.
+.TP
+\fB\-c\fR, \fB\-\-combine\fR
+combine consecutive rules with the same matches but different targets. iptables
+does not currently support more than one target per match, so this simulates 
+that by collecting the targets from consecutive iptables rules into one action
+tag, but only when the rule matches are identical. Terminating actions like
+RETURN, DROP, ACCEPT and QUEUE are not combined with subsequent targets.
+.TP
+\fB\-v\fR, \fB\-\-verbose\fR
+Output xml comments containing the iptables line from which the XML is derived
+
+.PP
+iptables-xml does a mechanistic conversion to a very expressive xml
+format; the only semantic considerations are for \-g and \-j targets in
+order to discriminate between <call> <goto> and <nane-of-target> as it
+helps xml processing scripts if they can tell the difference between a
+target like SNAT and another chain.
+
+Some sample output is:
+
+<iptables-rules>
+  <table name="mangle">
+    <chain name="PREROUTING" policy="ACCEPT" packet-count="63436"
+byte-count="7137573">
+      <rule>
+       <conditions>
+        <match>
+          <p>tcp</p>
+        </match>
+        <tcp>
+          <sport>8443</sport>
+        </tcp>
+       </conditions>
+       <actions>
+        <call>
+          <check_ip/>
+        </call>
+        <ACCEPT/>
+       </actions>
+      </rule>
+    </chain>
+  </table>
+</iptables-rules>
+
+.PP
+Conversion from XML to iptables-save format may be done using the 
+iptables.xslt script and xsltproc, or a custom program using
+libxsltproc or similar; in this fashion:
+
+xsltproc iptables.xslt my-iptables.xml | iptables-restore
+
+.SH BUGS
+None known as of iptables-1.3.7 release
+.SH AUTHOR
+Sam Liddicott <azez@ufomechanic.net>
+.SH SEE ALSO
+\fBiptables\-save\fP(8), \fBiptables\-restore\fP(8), \fBiptables\fP(8)
diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in
index d6b409d..748d00f 100644
--- a/iptables/iptables.8.in
+++ b/iptables/iptables.8.in
@@ -1,4 +1,4 @@
-.TH IPTABLES 8 "" "@PACKAGE_AND_VERSION@" "@PACKAGE_AND_VERSION@"
+.TH iptables 8 "@PACKAGE_AND_VERSION@" "" "@PACKAGE_AND_VERSION@"
 .\"
 .\" Man page written by Herve Eychenne <rv@wallfire.org> (May 1999)
 .\" It is based on ipchains page.
-- 
1.7.10.4

[PATCH 02/13] doc: fixup omissions in ip6tables-restore.8

[Jan Engelhardt]

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 iptables/ip6tables-restore.8.in |    6 ++++--
 iptables/iptables-restore.8.in  |    2 +-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/iptables/ip6tables-restore.8.in b/iptables/ip6tables-restore.8.in
index a9859ae..e9018d0 100644
--- a/iptables/ip6tables-restore.8.in
+++ b/iptables/ip6tables-restore.8.in
@@ -21,7 +21,7 @@
 .SH NAME
 ip6tables-restore \(em Restore IPv6 Tables
 .SH SYNOPSIS
-\fBip6tables\-restore\fP [\fB\-c\fP] [\fB\-n\fP]
+\fBip6tables\-restore\fP [\fB\-c\fP] [\fB\-n\fP] [\fB\-T\fP \fIname\fP]
 .SH DESCRIPTION
 .PP
 .B ip6tables-restore
@@ -32,7 +32,9 @@ I/O redirection provided by your shell to read from a file
 restore the values of all packet and byte counters
 .TP
 \fB\-n\fR, \fB\-\-noflush\fR 
-don't flush the previous contents of the table. If not specified, 
+don't flush the previous contents of the table. If not specified,
+\fBip6tables-restore\fP flushes (deletes) all previous contents of the
+respective table.
 .TP
 \fB\-T\fP, \fB\-\-table\fP \fIname\fP
 Restore only the named table even if the input stream contains other ones.
diff --git a/iptables/iptables-restore.8.in b/iptables/iptables-restore.8.in
index 37faae0..75de847 100644
--- a/iptables/iptables-restore.8.in
+++ b/iptables/iptables-restore.8.in
@@ -34,7 +34,7 @@ restore the values of all packet and byte counters
 \fB\-n\fR, \fB\-\-noflush\fR 
 don't flush the previous contents of the table. If not specified, 
 .B iptables-restore
-flushes (deletes) all previous contents of the respective IP Table.
+flushes (deletes) all previous contents of the respective table.
 .TP
 \fB\-T\fP, \fB\-\-table\fP \fIname\fP
 Restore only the named table even if the input stream contains other ones.
-- 
1.7.10.4

[PATCH 03/13] doc: document iptables-restore's -t option

[Jan Engelhardt]

References: http://bugs.debian.org/644221
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 iptables/ip6tables-restore.8.in |    5 ++++-
 iptables/iptables-restore.8.in  |    5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/iptables/ip6tables-restore.8.in b/iptables/ip6tables-restore.8.in
index e9018d0..e1c9abf 100644
--- a/iptables/ip6tables-restore.8.in
+++ b/iptables/ip6tables-restore.8.in
@@ -21,7 +21,7 @@
 .SH NAME
 ip6tables-restore \(em Restore IPv6 Tables
 .SH SYNOPSIS
-\fBip6tables\-restore\fP [\fB\-c\fP] [\fB\-n\fP] [\fB\-T\fP \fIname\fP]
+\fBip6tables\-restore\fP [\fB\-cnt\fP] [\fB\-T\fP \fIname\fP]
 .SH DESCRIPTION
 .PP
 .B ip6tables-restore
@@ -36,6 +36,9 @@ don't flush the previous contents of the table. If not specified,
 \fBip6tables-restore\fP flushes (deletes) all previous contents of the
 respective table.
 .TP
+\fB\-t\fP, \fB\-\-test\fP
+Only parse and construct the ruleset, but do not commit it.
+.TP
 \fB\-T\fP, \fB\-\-table\fP \fIname\fP
 Restore only the named table even if the input stream contains other ones.
 .B ip6tables-restore
diff --git a/iptables/iptables-restore.8.in b/iptables/iptables-restore.8.in
index 75de847..f98488e 100644
--- a/iptables/iptables-restore.8.in
+++ b/iptables/iptables-restore.8.in
@@ -21,7 +21,7 @@
 .SH NAME
 iptables-restore \(em Restore IP Tables
 .SH SYNOPSIS
-\fBiptables\-restore\fP [\fB\-c\fP] [\fB\-n\fP] [\fB\-T\fP \fIname\fP]
+\fBiptables\-restore\fP [\fB\-cnt\fP] [\fB\-T\fP \fIname\fP]
 .SH DESCRIPTION
 .PP
 .B iptables-restore
@@ -36,6 +36,9 @@ don't flush the previous contents of the table. If not specified,
 .B iptables-restore
 flushes (deletes) all previous contents of the respective table.
 .TP
+\fB\-t\fP, \fB\-\-test\fP
+Only parse and construct the ruleset, but do not commit it.
+.TP
 \fB\-T\fP, \fB\-\-table\fP \fIname\fP
 Restore only the named table even if the input stream contains other ones.
 .SH BUGS
-- 
1.7.10.4

[PATCH 04/13] doc: document iptables-restore's -v option

[Jan Engelhardt]

References: http://bugs.debian.org/644221
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 iptables/ip6tables-restore.8.in |    5 ++++-
 iptables/iptables-restore.8.in  |    5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/iptables/ip6tables-restore.8.in b/iptables/ip6tables-restore.8.in
index e1c9abf..6c0009e 100644
--- a/iptables/ip6tables-restore.8.in
+++ b/iptables/ip6tables-restore.8.in
@@ -21,7 +21,7 @@
 .SH NAME
 ip6tables-restore \(em Restore IPv6 Tables
 .SH SYNOPSIS
-\fBip6tables\-restore\fP [\fB\-cnt\fP] [\fB\-T\fP \fIname\fP]
+\fBip6tables\-restore\fP [\fB\-cntv\fP] [\fB\-T\fP \fIname\fP]
 .SH DESCRIPTION
 .PP
 .B ip6tables-restore
@@ -39,6 +39,9 @@ respective table.
 \fB\-t\fP, \fB\-\-test\fP
 Only parse and construct the ruleset, but do not commit it.
 .TP
+\fB\-v\fP, \fB\-\-verbose\fP
+Print additional debug info during ruleset processing.
+.TP
 \fB\-T\fP, \fB\-\-table\fP \fIname\fP
 Restore only the named table even if the input stream contains other ones.
 .B ip6tables-restore
diff --git a/iptables/iptables-restore.8.in b/iptables/iptables-restore.8.in
index f98488e..27440fb 100644
--- a/iptables/iptables-restore.8.in
+++ b/iptables/iptables-restore.8.in
@@ -21,7 +21,7 @@
 .SH NAME
 iptables-restore \(em Restore IP Tables
 .SH SYNOPSIS
-\fBiptables\-restore\fP [\fB\-cnt\fP] [\fB\-T\fP \fIname\fP]
+\fBiptables\-restore\fP [\fB\-cntv\fP] [\fB\-T\fP \fIname\fP]
 .SH DESCRIPTION
 .PP
 .B iptables-restore
@@ -39,6 +39,9 @@ flushes (deletes) all previous contents of the respective table.
 \fB\-t\fP, \fB\-\-test\fP
 Only parse and construct the ruleset, but do not commit it.
 .TP
+\fB\-v\fP, \fB\-\-verbose\fP
+Print additional debug info during ruleset processing.
+.TP
 \fB\-T\fP, \fB\-\-table\fP \fIname\fP
 Restore only the named table even if the input stream contains other ones.
 .SH BUGS
-- 
1.7.10.4

[PATCH 05/13] doc: document iptables-restore's -M option

[Jan Engelhardt]

References: http://bugs.debian.org/644221
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 iptables/ip6tables-restore.8.in |    7 ++++++-
 iptables/iptables-restore.8.in  |    7 ++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/iptables/ip6tables-restore.8.in b/iptables/ip6tables-restore.8.in
index 6c0009e..f3419f4 100644
--- a/iptables/ip6tables-restore.8.in
+++ b/iptables/ip6tables-restore.8.in
@@ -21,7 +21,8 @@
 .SH NAME
 ip6tables-restore \(em Restore IPv6 Tables
 .SH SYNOPSIS
-\fBip6tables\-restore\fP [\fB\-cntv\fP] [\fB\-T\fP \fIname\fP]
+\fBip6tables\-restore\fP [\fB\-cntv\fP] [\fB\-M\fP \fImodprobe\fP]
+[\fB\-T\fP \fIname\fP]
 .SH DESCRIPTION
 .PP
 .B ip6tables-restore
@@ -42,6 +43,10 @@ Only parse and construct the ruleset, but do not commit it.
 \fB\-v\fP, \fB\-\-verbose\fP
 Print additional debug info during ruleset processing.
 .TP
+\fB\-M\fP, \fB\-\-modprobe\fP \fImodprobe_program\fP
+Specify the path to the modprobe program. By default, ip6tables-restore will
+inspect /proc/sys/kernel/modprobe to determine the executable's path.
+.TP
 \fB\-T\fP, \fB\-\-table\fP \fIname\fP
 Restore only the named table even if the input stream contains other ones.
 .B ip6tables-restore
diff --git a/iptables/iptables-restore.8.in b/iptables/iptables-restore.8.in
index 27440fb..c493cf9 100644
--- a/iptables/iptables-restore.8.in
+++ b/iptables/iptables-restore.8.in
@@ -21,7 +21,8 @@
 .SH NAME
 iptables-restore \(em Restore IP Tables
 .SH SYNOPSIS
-\fBiptables\-restore\fP [\fB\-cntv\fP] [\fB\-T\fP \fIname\fP]
+\fBiptables\-restore\fP [\fB\-cntv\fP] [\fB\-M\fP \fImodprobe\fP]
+[\fB\-T\fP \fIname\fP]
 .SH DESCRIPTION
 .PP
 .B iptables-restore
@@ -42,6 +43,10 @@ Only parse and construct the ruleset, but do not commit it.
 \fB\-v\fP, \fB\-\-verbose\fP
 Print additional debug info during ruleset processing.
 .TP
+\fB\-M\fP, \fB\-\-modprobe\fP \fImodprobe_program\fP
+Specify the path to the modprobe program. By default, iptables-restore will
+inspect /proc/sys/kernel/modprobe to determine the executable's path.
+.TP
 \fB\-T\fP, \fB\-\-table\fP \fIname\fP
 Restore only the named table even if the input stream contains other ones.
 .SH BUGS
-- 
1.7.10.4

[PATCH 06/13] doc: document iptables-restore's -h option

[Jan Engelhardt]

References: http://bugs.debian.org/644221
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 iptables/ip6tables-restore.8.in |    5 ++++-
 iptables/iptables-restore.8.in  |    5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/iptables/ip6tables-restore.8.in b/iptables/ip6tables-restore.8.in
index f3419f4..697a226 100644
--- a/iptables/ip6tables-restore.8.in
+++ b/iptables/ip6tables-restore.8.in
@@ -21,7 +21,7 @@
 .SH NAME
 ip6tables-restore \(em Restore IPv6 Tables
 .SH SYNOPSIS
-\fBip6tables\-restore\fP [\fB\-cntv\fP] [\fB\-M\fP \fImodprobe\fP]
+\fBip6tables\-restore\fP [\fB\-chntv\fP] [\fB\-M\fP \fImodprobe\fP]
 [\fB\-T\fP \fIname\fP]
 .SH DESCRIPTION
 .PP
@@ -32,6 +32,9 @@ I/O redirection provided by your shell to read from a file
 \fB\-c\fR, \fB\-\-counters\fR
 restore the values of all packet and byte counters
 .TP
+\fB\-h\fP, \fB\-\-help\fP
+Print a short option summary.
+.TP
 \fB\-n\fR, \fB\-\-noflush\fR 
 don't flush the previous contents of the table. If not specified,
 \fBip6tables-restore\fP flushes (deletes) all previous contents of the
diff --git a/iptables/iptables-restore.8.in b/iptables/iptables-restore.8.in
index c493cf9..197f013 100644
--- a/iptables/iptables-restore.8.in
+++ b/iptables/iptables-restore.8.in
@@ -21,7 +21,7 @@
 .SH NAME
 iptables-restore \(em Restore IP Tables
 .SH SYNOPSIS
-\fBiptables\-restore\fP [\fB\-cntv\fP] [\fB\-M\fP \fImodprobe\fP]
+\fBiptables\-restore\fP [\fB\-chntv\fP] [\fB\-M\fP \fImodprobe\fP]
 [\fB\-T\fP \fIname\fP]
 .SH DESCRIPTION
 .PP
@@ -32,6 +32,9 @@ I/O redirection provided by your shell to read from a file
 \fB\-c\fR, \fB\-\-counters\fR
 restore the values of all packet and byte counters
 .TP
+\fB\-h\fP, \fB\-\-help\fP
+Print a short option summary.
+.TP
 \fB\-n\fR, \fB\-\-noflush\fR 
 don't flush the previous contents of the table. If not specified, 
 .B iptables-restore
-- 
1.7.10.4

[PATCH 07/13] doc: name the supported log levels for ipt_LOG

[Jan Engelhardt]

Leonardo Ferreira da Silva Boiko lets it be known that syslogd.conf may
not exist on certain systems. Referencing that manpage is not a good
idea in any case, I believe, since the strings that are accepted are
defined by iptables and not a syslog implementation.

References: http://bugs.debian.org/567564
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 extensions/libip6t_LOG.man |    5 ++++-
 extensions/libipt_LOG.man  |    5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/extensions/libip6t_LOG.man b/extensions/libip6t_LOG.man
index b7803fe..0a48640 100644
--- a/extensions/libip6t_LOG.man
+++ b/extensions/libip6t_LOG.man
@@ -11,7 +11,10 @@ separate rules with the same matching criteria, first using target LOG
 then DROP (or REJECT).
 .TP
 \fB\-\-log\-level\fP \fIlevel\fP
-Level of logging (numeric or see \fIsyslog.conf\fP(5)).
+Level of logging, which can be (system-specific) numeric or a mnemonic.
+Possible values are (in decreasing order of priority): \fBemerg\fP,
+\fBalert\fP, \fBcrit\fP, \fBerror\fP, \fBwarning\fP, \fBnotice\fP, \fBinfo\fP
+or \fBdebug\fP.
 .TP
 \fB\-\-log\-prefix\fP \fIprefix\fP
 Prefix log messages with the specified prefix; up to 29 letters long,
diff --git a/extensions/libipt_LOG.man b/extensions/libipt_LOG.man
index 47c35e0..f2574f8 100644
--- a/extensions/libipt_LOG.man
+++ b/extensions/libipt_LOG.man
@@ -11,7 +11,10 @@ separate rules with the same matching criteria, first using target LOG
 then DROP (or REJECT).
 .TP
 \fB\-\-log\-level\fP \fIlevel\fP
-Level of logging (numeric or see \fIsyslog.conf\fP(5)).
+Level of logging, which can be (system-specific) numeric or a mnemonic.
+Possible values are (in decreasing order of priority): \fBemerg\fP,
+\fBalert\fP, \fBcrit\fP, \fBerror\fP, \fBwarning\fP, \fBnotice\fP, \fBinfo\fP
+or \fBdebug\fP.
 .TP
 \fB\-\-log\-prefix\fP \fIprefix\fP
 Prefix log messages with the specified prefix; up to 29 letters long,
-- 
1.7.10.4

[PATCH 08/13] src: remove faulty deprecated marker in libipt_LOG source

[Jan Engelhardt]

The "err" loglevel is not actually deprecated - it is the only name
available to mean the LOG_ERR level.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 extensions/libip6t_LOG.c |    2 +-
 extensions/libipt_LOG.c  |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/extensions/libip6t_LOG.c b/extensions/libip6t_LOG.c
index 2b1ae28..8dc94e3 100644
--- a/extensions/libip6t_LOG.c
+++ b/extensions/libip6t_LOG.c
@@ -68,7 +68,7 @@ static const struct ip6t_log_names ip6t_log_names[]
     { .name = "crit",    .level = LOG_CRIT },
     { .name = "debug",   .level = LOG_DEBUG },
     { .name = "emerg",   .level = LOG_EMERG },
-    { .name = "error",   .level = LOG_ERR },		/* DEPRECATED */
+    { .name = "error",   .level = LOG_ERR },
     { .name = "info",    .level = LOG_INFO },
     { .name = "notice",  .level = LOG_NOTICE },
     { .name = "panic",   .level = LOG_EMERG },		/* DEPRECATED */
diff --git a/extensions/libipt_LOG.c b/extensions/libipt_LOG.c
index 77f16d1..971f3ca 100644
--- a/extensions/libipt_LOG.c
+++ b/extensions/libipt_LOG.c
@@ -68,7 +68,7 @@ static const struct ipt_log_names ipt_log_names[]
     { .name = "crit",    .level = LOG_CRIT },
     { .name = "debug",   .level = LOG_DEBUG },
     { .name = "emerg",   .level = LOG_EMERG },
-    { .name = "error",   .level = LOG_ERR },		/* DEPRECATED */
+    { .name = "error",   .level = LOG_ERR },
     { .name = "info",    .level = LOG_INFO },
     { .name = "notice",  .level = LOG_NOTICE },
     { .name = "panic",   .level = LOG_EMERG },		/* DEPRECATED */
-- 
1.7.10.4

[PATCH 09/13] iptables: fix order of internal commands list

[Jan Engelhardt]

Specifying -S on the command line would add 4096 (0x1000, 1<<12) to the
cmd flags, but -S was in fact commands_v_options[13]. This led to a
bogus option checking and an error message:

$ iptables -A foo -S
iptables v1.4.14: Cannot use -E with -A

References: http://bugs.debian.org/642173
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 iptables/ip6tables.c |   12 ++++++------
 iptables/iptables.c  |   12 ++++++------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 0e11a9e..7f14dde 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -76,12 +76,12 @@
 #define CMD_LIST		0x0020U
 #define CMD_FLUSH		0x0040U
 #define CMD_ZERO		0x0080U
-#define CMD_NEW_CHAIN		0x0100U
-#define CMD_DELETE_CHAIN	0x0200U
-#define CMD_SET_POLICY		0x0400U
-#define CMD_RENAME_CHAIN	0x0800U
-#define CMD_LIST_RULES		0x1000U
-#define CMD_ZERO_NUM		0x2000U
+#define CMD_ZERO_NUM		0x0100U
+#define CMD_NEW_CHAIN		0x0200U
+#define CMD_DELETE_CHAIN	0x0400U
+#define CMD_SET_POLICY		0x0800U
+#define CMD_RENAME_CHAIN	0x1000U
+#define CMD_LIST_RULES		0x2000U
 #define CMD_CHECK		0x4000U
 #define NUMBER_OF_CMD	16
 static const char cmdflags[] = { 'I', 'D', 'D', 'R', 'A', 'L', 'F', 'Z',
diff --git a/iptables/iptables.c b/iptables/iptables.c
index f765cf9..10a0417 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -72,12 +72,12 @@
 #define CMD_LIST		0x0020U
 #define CMD_FLUSH		0x0040U
 #define CMD_ZERO		0x0080U
-#define CMD_NEW_CHAIN		0x0100U
-#define CMD_DELETE_CHAIN	0x0200U
-#define CMD_SET_POLICY		0x0400U
-#define CMD_RENAME_CHAIN	0x0800U
-#define CMD_LIST_RULES		0x1000U
-#define CMD_ZERO_NUM		0x2000U
+#define CMD_ZERO_NUM		0x0100U
+#define CMD_NEW_CHAIN		0x0200U
+#define CMD_DELETE_CHAIN	0x0400U
+#define CMD_SET_POLICY		0x0800U
+#define CMD_RENAME_CHAIN	0x1000U
+#define CMD_LIST_RULES		0x2000U
 #define CMD_CHECK		0x4000U
 #define NUMBER_OF_CMD	16
 static const char cmdflags[] = { 'I', 'D', 'D', 'R', 'A', 'L', 'F', 'Z',
-- 
1.7.10.4

[PATCH 10/13] iptables: implement --line-numbers for iptables -S

[Jan Engelhardt]

Allow use of --line-numbers for -S, the latter of which is the preferred
output style for rules.

References: http://bugs.debian.org/642173
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 include/ip6tables.h       |    3 ++-
 include/iptables.h        |    3 ++-
 iptables/ip6tables-save.c |    2 +-
 iptables/ip6tables.c      |   23 +++++++++++++----------
 iptables/iptables-save.c  |    2 +-
 iptables/iptables.c       |   23 +++++++++++++----------
 6 files changed, 32 insertions(+), 24 deletions(-)

diff --git a/include/ip6tables.h b/include/ip6tables.h
index 37d2e0a..cb50a3c 100644
--- a/include/ip6tables.h
+++ b/include/ip6tables.h
@@ -13,7 +13,8 @@ extern int do_command6(int argc, char *argv[], char **table,
 extern int for_each_chain6(int (*fn)(const xt_chainlabel, int, struct xtc_handle *), int verbose, int builtinstoo, struct xtc_handle *handle);
 extern int flush_entries6(const xt_chainlabel chain, int verbose, struct xtc_handle *handle);
 extern int delete_chain6(const xt_chainlabel chain, int verbose, struct xtc_handle *handle);
-void print_rule6(const struct ip6t_entry *e, struct xtc_handle *h, const char *chain, int counters);
+extern void print_rule6(const struct ip6t_entry *e, struct xtc_handle *h,
+	const char *chain, int counters, unsigned int rule_num);
 
 extern struct xtables_globals ip6tables_globals;
 
diff --git a/include/iptables.h b/include/iptables.h
index c42613c..51106f0 100644
--- a/include/iptables.h
+++ b/include/iptables.h
@@ -16,7 +16,8 @@ extern int flush_entries4(const xt_chainlabel chain, int verbose,
 extern int for_each_chain4(int (*fn)(const xt_chainlabel, int, struct xtc_handle *),
 		int verbose, int builtinstoo, struct xtc_handle *handle);
 extern void print_rule4(const struct ipt_entry *e,
-		struct xtc_handle *handle, const char *chain, int counters);
+		struct xtc_handle *handle, const char *chain, int counters,
+		unsigned int rule_num);
 
 extern struct xtables_globals iptables_globals;
 
diff --git a/iptables/ip6tables-save.c b/iptables/ip6tables-save.c
index d819b30..a5fd355 100644
--- a/iptables/ip6tables-save.c
+++ b/iptables/ip6tables-save.c
@@ -106,7 +106,7 @@ static int do_output(const char *tablename)
 		/* Dump out rules */
 		e = ip6tc_first_rule(chain, h);
 		while(e) {
-			print_rule6(e, h, chain, show_counters);
+			print_rule6(e, h, chain, show_counters, 0);
 			e = ip6tc_next_rule(e, h);
 		}
 	}
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 7f14dde..ab26ba0 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -163,7 +163,7 @@ static const char commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] =
 /*DEL_CHAIN*/ {'x','x','x','x','x',' ','x','x','x','x','x'},
 /*SET_POLICY*/{'x','x','x','x','x',' ','x','x','x','x',' '},
 /*RENAME*/    {'x','x','x','x','x',' ','x','x','x','x','x'},
-/*LIST_RULES*/{'x','x','x','x','x',' ','x','x','x','x','x'},
+/*LIST_RULES*/{'x','x','x','x','x',' ','x','x','x',' ','x'},
 /*CHECK*/     {'x',' ',' ',' ',' ',' ','x',' ',' ','x','x'},
 };
 
@@ -1079,12 +1079,15 @@ static void print_ip(const char *prefix, const struct in6_addr *ip,
 
 /* We want this to be readable, so only print out neccessary fields.
  * Because that's the kind of world I want to live in.  */
-void print_rule6(const struct ip6t_entry *e,
-		       struct xtc_handle *h, const char *chain, int counters)
+void print_rule6(const struct ip6t_entry *e, struct xtc_handle *h,
+		 const char *chain, int counters, unsigned int rule_num)
 {
 	const struct xt_entry_target *t;
 	const char *target_name;
 
+	if (rule_num > 0)
+		printf("# Rule %u:\n", rule_num);
+
 	/* print counters for iptables-save */
 	if (counters > 0)
 		printf("[%llu:%llu] ", (unsigned long long)e->counters.pcnt, (unsigned long long)e->counters.bcnt);
@@ -1169,15 +1172,12 @@ void print_rule6(const struct ip6t_entry *e,
 }
 
 static int
-list_rules(const xt_chainlabel chain, int rulenum, int counters,
+list_rules(const xt_chainlabel chain, int rulenum, unsigned int options,
 	     struct xtc_handle *handle)
 {
 	const char *this = NULL;
 	int found = 0;
 
-	if (counters)
-	    counters = -1;		/* iptables -c format */
-
 	/* Dump out chain names first,
 	 * thereby preventing dependency conflicts */
 	if (!rulenum) for (this = ip6tc_first_chain(handle);
@@ -1189,7 +1189,7 @@ list_rules(const xt_chainlabel chain, int rulenum, int counters,
 		if (ip6tc_builtin(this, handle)) {
 			struct xt_counters count;
 			printf("-P %s %s", this, ip6tc_get_policy(this, &count, handle));
-			if (counters)
+			if (options & OPT_VERBOSE)
 			    printf(" -c %llu %llu", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt);
 			printf("\n");
 		} else {
@@ -1211,7 +1211,10 @@ list_rules(const xt_chainlabel chain, int rulenum, int counters,
 		while(e) {
 			num++;
 			if (!rulenum || num == rulenum)
-			    print_rule6(e, handle, this, counters);
+				print_rule6(e, handle, this,
+					    (options & OPT_VERBOSE) ? -1 : 0,
+					    (options & OPT_LINENUMBERS) ?
+						num : 0);
 			e = ip6tc_next_rule(e, handle);
 		}
 		found = 1;
@@ -1935,7 +1938,7 @@ int do_command6(int argc, char *argv[], char **table, struct xtc_handle **handle
 	case CMD_LIST_RULES|CMD_ZERO_NUM:
 		ret = list_rules(chain,
 				   rulenum,
-				   cs.options&OPT_VERBOSE,
+				   cs.options,
 				   *handle);
 		if (ret && (command & CMD_ZERO))
 			ret = zero_entries(chain,
diff --git a/iptables/iptables-save.c b/iptables/iptables-save.c
index e599fce..41b520f 100644
--- a/iptables/iptables-save.c
+++ b/iptables/iptables-save.c
@@ -104,7 +104,7 @@ static int do_output(const char *tablename)
 		/* Dump out rules */
 		e = iptc_first_rule(chain, h);
 		while(e) {
-			print_rule4(e, h, chain, show_counters);
+			print_rule4(e, h, chain, show_counters, 0);
 			e = iptc_next_rule(e, h);
 		}
 	}
diff --git a/iptables/iptables.c b/iptables/iptables.c
index 10a0417..d530289 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -162,7 +162,7 @@ static const char commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] =
 /*DEL_CHAIN*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'},
 /*SET_POLICY*/{'x','x','x','x','x',' ','x','x','x','x',' ','x'},
 /*RENAME*/    {'x','x','x','x','x',' ','x','x','x','x','x','x'},
-/*LIST_RULES*/{'x','x','x','x','x',' ','x','x','x','x','x','x'},
+/*LIST_RULES*/{'x','x','x','x','x',' ','x','x','x',' ','x','x'},
 /*CHECK*/     {'x',' ',' ',' ',' ',' ','x',' ',' ','x','x',' '},
 };
 
@@ -1096,12 +1096,15 @@ static void print_ip(const char *prefix, uint32_t ip,
 
 /* We want this to be readable, so only print out neccessary fields.
  * Because that's the kind of world I want to live in.  */
-void print_rule4(const struct ipt_entry *e,
-		struct xtc_handle *h, const char *chain, int counters)
+void print_rule4(const struct ipt_entry *e, struct xtc_handle *h,
+		 const char *chain, int counters, unsigned int rule_num)
 {
 	const struct xt_entry_target *t;
 	const char *target_name;
 
+	if (rule_num > 0)
+		printf("# Rule %u:\n", rule_num);
+
 	/* print counters for iptables-save */
 	if (counters > 0)
 		printf("[%llu:%llu] ", (unsigned long long)e->counters.pcnt, (unsigned long long)e->counters.bcnt);
@@ -1177,15 +1180,12 @@ void print_rule4(const struct ipt_entry *e,
 }
 
 static int
-list_rules(const xt_chainlabel chain, int rulenum, int counters,
+list_rules(const xt_chainlabel chain, int rulenum, unsigned int options,
 	     struct xtc_handle *handle)
 {
 	const char *this = NULL;
 	int found = 0;
 
-	if (counters)
-	    counters = -1;		/* iptables -c format */
-
 	/* Dump out chain names first,
 	 * thereby preventing dependency conflicts */
 	if (!rulenum) for (this = iptc_first_chain(handle);
@@ -1197,7 +1197,7 @@ list_rules(const xt_chainlabel chain, int rulenum, int counters,
 		if (iptc_builtin(this, handle)) {
 			struct xt_counters count;
 			printf("-P %s %s", this, iptc_get_policy(this, &count, handle));
-			if (counters)
+			if (options & OPT_VERBOSE)
 			    printf(" -c %llu %llu", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt);
 			printf("\n");
 		} else {
@@ -1219,7 +1219,10 @@ list_rules(const xt_chainlabel chain, int rulenum, int counters,
 		while(e) {
 			num++;
 			if (!rulenum || num == rulenum)
-			    print_rule4(e, handle, this, counters);
+				print_rule4(e, handle, this,
+					    (options & OPT_VERBOSE) ? -1 : 0,
+					    (options & OPT_LINENUMBERS) ?
+						num : 0);
 			e = iptc_next_rule(e, handle);
 		}
 		found = 1;
@@ -1951,7 +1954,7 @@ int do_command4(int argc, char *argv[], char **table, struct xtc_handle **handle
 	case CMD_LIST_RULES|CMD_ZERO_NUM:
 		ret = list_rules(chain,
 				   rulenum,
-				   cs.options&OPT_VERBOSE,
+				   cs.options,
 				   *handle);
 		if (ret && (command & CMD_ZERO))
 			ret = zero_entries(chain,
-- 
1.7.10.4

[PATCH 11/13] doc: mention -m in the manpage

[Jan Engelhardt]

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 iptables/ip6tables.8.in |    7 +++++++
 iptables/iptables.8.in  |    7 +++++++
 2 files changed, 14 insertions(+)

diff --git a/iptables/ip6tables.8.in b/iptables/ip6tables.8.in
index fd0e61b..dfeebe6 100644
--- a/iptables/ip6tables.8.in
+++ b/iptables/ip6tables.8.in
@@ -281,6 +281,13 @@ See the description of the \fB\-s\fP
 (source) flag for a detailed description of the syntax.  The flag
 \fB\-\-dst\fP is an alias for this option.
 .TP
+\fB\-m\fP, \fB\-\-match\fP \fImatch\fP
+Specifies a match to use, that is, an extension module that tests for a
+specific property. The set of matches make up the condition under which a
+target is invoked. Matches are evaluated first to last as specified on the
+command line and work in short-circuit fashion, i.e. if one extension yields
+false, evaluation will stop.
+.TP
 \fB\-j\fP, \fB\-\-jump\fP \fItarget\fP
 This specifies the target of the rule; i.e., what to do if the packet
 matches it.  The target can be a user-defined chain (other than the
diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in
index 748d00f..9276cf9 100644
--- a/iptables/iptables.8.in
+++ b/iptables/iptables.8.in
@@ -277,6 +277,13 @@ See the description of the \fB\-s\fP
 (source) flag for a detailed description of the syntax.  The flag
 \fB\-\-dst\fP is an alias for this option.
 .TP
+\fB\-m\fP, \fB\-\-match\fP \fImatch\fP
+Specifies a match to use, that is, an extension module that tests for a
+specific property. The set of matches make up the condition under which a
+target is invoked. Matches are evaluated first to last as specified on the
+command line and work in short-circuit fashion, i.e. if one extension yields
+false, evaluation will stop.
+.TP
 \fB\-j\fP, \fB\-\-jump\fP \fItarget\fP
 This specifies the target of the rule; i.e., what to do if the packet
 matches it.  The target can be a user-defined chain (other than the
-- 
1.7.10.4

[PATCH 12/13] doc: document the -4 and -6 options

[Jan Engelhardt]

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 iptables/ip6tables.8.in |    9 +++++++++
 iptables/iptables.8.in  |    9 +++++++++
 2 files changed, 18 insertions(+)

diff --git a/iptables/ip6tables.8.in b/iptables/ip6tables.8.in
index dfeebe6..c274e91 100644
--- a/iptables/ip6tables.8.in
+++ b/iptables/ip6tables.8.in
@@ -240,6 +240,15 @@ Give a (currently very brief) description of the command syntax.
 The following parameters make up a rule specification (as used in the
 add, delete, insert, replace and append commands).
 .TP
+\fB\-4\fP, \fB\-\-ipv4\fP
+If a rule using the \fB\-4\fP option is inserted with (and only with)
+ip6tables-restore, it will be silently ignored. Any other uses will throw an
+error. This option allows to put both IPv4 and IPv6 rules in a single rule file
+for use with both iptables-restore and ip6tables-restore.
+.TP
+\fB\-6\fP, \fB\-\-ipv6\fP
+This option has no effect in ip6tables and ip6tables-restore.
+.TP
 [\fB!\fP] \fB\-p\fP, \fB\-\-protocol\fP \fIprotocol\fP
 The protocol of the rule or of the packet to check.
 The specified protocol can be one of \fBtcp\fP, \fBudp\fP, \fBudplite\fP,
diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in
index 9276cf9..22a8478 100644
--- a/iptables/iptables.8.in
+++ b/iptables/iptables.8.in
@@ -243,6 +243,15 @@ Give a (currently very brief) description of the command syntax.
 The following parameters make up a rule specification (as used in the
 add, delete, insert, replace and append commands).
 .TP
+\fB\-4\fP, \fB\-\-ipv4\fP
+This option has no effect in iptables and iptables-restore.
+.TP
+\fB\-6\fP, \fB\-\-ipv6\fP
+If a rule using the \fB\-6\fP option is inserted with (and only with)
+iptables-restore, it will be silently ignored. Any other uses will throw an
+error. This option allows to put both IPv4 and IPv6 rules in a single rule file
+for use with both iptables-restore and ip6tables-restore.
+.TP
 [\fB!\fP] \fB\-p\fP, \fB\-\-protocol\fP \fIprotocol\fP
 The protocol of the rule or of the packet to check.
 The specified protocol can be one of \fBtcp\fP, \fBudp\fP, \fBudplite\fP,
-- 
1.7.10.4

[PATCH 13/13] build: resolve link failure for ip6t_NETMAP

[Jan Engelhardt]

Link stage of libip6t_NETMAP failed since recently.

  CCLD     libip6t_NETMAP.so
/usr/lib64/gcc/x86_64-suse-linux/4.7/../../../../x86_64-suse-linux/bin/ld:
cannot find -lip6tc

libip6t_NETMAP.c uses the "ipv6_prefix_length" function from
libip6tc.so; "-lip6tc" is used in the Makefile, but, the directory to
it is not specified.

Why does the link succeed for some people? Because
/usr/lib(64)/libip6tc.so satisfies -lip6tc, but not all environments,
especially those without iptables development files, have that file,
hence this link error can happen.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 extensions/GNUmakefile.in |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index e71e3ff..68e0b9b 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -101,7 +101,8 @@ libxt_state.so: libxt_conntrack.so
 	ln -fs $< $@
 
 # Need the LIBADDs in iptables/Makefile.am too for libxtables_la_LIBADD
-ip6t_NETMAP_LIBADD  = -lip6tc
+ip6t_NETMAP_LIBADD  = -L${top_builddir}/libiptc/.libs \
+                      -L${top_builddir}/libiptc -lip6tc
 xt_RATEEST_LIBADD   = -lm
 xt_statistic_LIBADD = -lm
 
-- 
1.7.10.4

Re: [PATCH 12/13] doc: document the -4 and -6 options

[Maciej Żenczykowski]

Should have done this myself.  Thanks.

On Wed, Dec 26, 2012 at 12:11 AM, Jan Engelhardt <jengelh@inai.de> wrote:
> Signed-off-by: Jan Engelhardt <jengelh@inai.de>
> ---
>  iptables/ip6tables.8.in |    9 +++++++++
>  iptables/iptables.8.in  |    9 +++++++++
>  2 files changed, 18 insertions(+)
>
> diff --git a/iptables/ip6tables.8.in b/iptables/ip6tables.8.in
> index dfeebe6..c274e91 100644
> --- a/iptables/ip6tables.8.in
> +++ b/iptables/ip6tables.8.in
> @@ -240,6 +240,15 @@ Give a (currently very brief) description of the command syntax.
>  The following parameters make up a rule specification (as used in the
>  add, delete, insert, replace and append commands).
>  .TP
> +\fB\-4\fP, \fB\-\-ipv4\fP
> +If a rule using the \fB\-4\fP option is inserted with (and only with)
> +ip6tables-restore, it will be silently ignored. Any other uses will throw an
> +error. This option allows to put both IPv4 and IPv6 rules in a single rule file
> +for use with both iptables-restore and ip6tables-restore.
> +.TP
> +\fB\-6\fP, \fB\-\-ipv6\fP
> +This option has no effect in ip6tables and ip6tables-restore.
> +.TP
>  [\fB!\fP] \fB\-p\fP, \fB\-\-protocol\fP \fIprotocol\fP
>  The protocol of the rule or of the packet to check.
>  The specified protocol can be one of \fBtcp\fP, \fBudp\fP, \fBudplite\fP,
> diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in
> index 9276cf9..22a8478 100644
> --- a/iptables/iptables.8.in
> +++ b/iptables/iptables.8.in
> @@ -243,6 +243,15 @@ Give a (currently very brief) description of the command syntax.
>  The following parameters make up a rule specification (as used in the
>  add, delete, insert, replace and append commands).
>  .TP
> +\fB\-4\fP, \fB\-\-ipv4\fP
> +This option has no effect in iptables and iptables-restore.
> +.TP
> +\fB\-6\fP, \fB\-\-ipv6\fP
> +If a rule using the \fB\-6\fP option is inserted with (and only with)
> +iptables-restore, it will be silently ignored. Any other uses will throw an
> +error. This option allows to put both IPv4 and IPv6 rules in a single rule file
> +for use with both iptables-restore and ip6tables-restore.
> +.TP
>  [\fB!\fP] \fB\-p\fP, \fB\-\-protocol\fP \fIprotocol\fP
>  The protocol of the rule or of the packet to check.
>  The specified protocol can be one of \fBtcp\fP, \fBudp\fP, \fBudplite\fP,
> --
> 1.7.10.4
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 09/13] iptables: fix order of internal commands list

[Pablo Neira Ayuso]

On Wed, Dec 26, 2012 at 12:11:25AM +0100, Jan Engelhardt wrote:
> Specifying -S on the command line would add 4096 (0x1000, 1<<12) to the
> cmd flags, but -S was in fact commands_v_options[13]. This led to a
> bogus option checking and an error message:
> 
> $ iptables -A foo -S
> iptables v1.4.14: Cannot use -E with -A

# iptables -A foo -S
iptables v1.4.17: Cannot use -S with -A

Are you hitting an old bug?

Re: [PATCH 01/13] doc: add package version to all manpages

[Pablo Neira Ayuso]

On Wed, Dec 26, 2012 at 12:11:17AM +0100, Jan Engelhardt wrote:
> diff --git a/iptables/Makefile.am b/iptables/Makefile.am
> index 61e78db..0f4c1f6 100644
> --- a/iptables/Makefile.am
> +++ b/iptables/Makefile.am
> @@ -27,8 +27,8 @@ xtables_multi_LDADD   += ../libxtables/libxtables.la -lm
>  sbin_PROGRAMS    = xtables-multi
>  man_MANS         = iptables.8 iptables-restore.8 iptables-save.8 \
>                     iptables-xml.1 ip6tables.8 ip6tables-restore.8 \
> -                   ip6tables-save.8 iptables-extensions.8
> -CLEANFILES       = iptables.8 ip6tables.8
> +                   ip6tables-save.8 iptables-extensions.8 iptables-apply.8
> +CLEANFILES       = ${man_MANS}
>  
>  vx_bin_links   = iptables-xml
>  if ENABLE_IPV4
> @@ -38,14 +38,36 @@ if ENABLE_IPV6
>  v6_sbin_links  = ip6tables ip6tables-restore ip6tables-save
>  endif
>  
> -iptables.8: ${srcdir}/iptables.8.in
> -	${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' $< >$@;
> +fill_in_date = ${AM_V_GEN} sed -e \
> +               's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' \
> +               $< >$@;
> +
> +iptables-xml.1: ${srcdir}/iptables-xml.1.in
> +	${fill_in_date}
> +
> +ip6tables-restore.8: ${srcdir}/ip6tables-restore.8.in
> +	${fill_in_date}
> +
> +ip6tables-save.8: ${srcdir}/ip6tables-save.8.in
> +	${fill_in_date}
>  
>  ip6tables.8: ${srcdir}/ip6tables.8.in
> -	${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' $< >$@;
> +	${fill_in_date}
> +
> +iptables-apply.8: ${srcdir}/iptables-apply.8.in
> +	${fill_in_date}
> +
> +iptables-restore.8: ${srcdir}/iptables-restore.8.in
> +	${fill_in_date}
> +
> +iptables-save.8: ${srcdir}/iptables-save.8.in
> +	${fill_in_date}
> +
> +iptables.8: ${srcdir}/iptables.8.in
> +	${fill_in_date}

This belongs more naturally to the ./configure stage, including
setting the date via AC_SUBST. You should be able to make it with
little changes in configure.ac.

For iptables-extensions.8 it will be a special case, it still requires
part of the magic in the makefile to build the page.

Re: [PATCH 01/13] doc: add package version to all manpages

[Pablo Neira Ayuso]

[-- Attachment #1: Type: text/plain, Size: 708 bytes --]

On Wed, Dec 26, 2012 at 03:33:00PM +0100, Pablo Neira Ayuso wrote:
[...]
> > +iptables-apply.8: ${srcdir}/iptables-apply.8.in
> > +	${fill_in_date}
> > +
> > +iptables-restore.8: ${srcdir}/iptables-restore.8.in
> > +	${fill_in_date}
> > +
> > +iptables-save.8: ${srcdir}/iptables-save.8.in
> > +	${fill_in_date}
> > +
> > +iptables.8: ${srcdir}/iptables.8.in
> > +	${fill_in_date}
> 
> This belongs more naturally to the ./configure stage, including
> setting the date via AC_SUBST. You should be able to make it with
> little changes in configure.ac.
> 
> For iptables-extensions.8 it will be a special case, it still requires
> part of the magic in the makefile to build the page.

See patch for instance.

[-- Attachment #2: 0004-build-add-iptables-manpage-version-during-at-.-confi.patch --]
[-- Type: text/x-diff, Size: 2625 bytes --]

>From 8899a031b9498349aa113146d2eeb3dbccdcc868 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 12 Nov 2012 08:06:14 +0100
Subject: [PATCH] build: add iptables manpage version during at ./configure stage

For both iptables and ip6tables, instead of at make stage.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 configure.ac            |    3 ++-
 iptables/Makefile.am    |    6 ------
 iptables/ip6tables.8.in |    2 +-
 iptables/iptables.8.in  |    2 +-
 4 files changed, 4 insertions(+), 9 deletions(-)

diff --git a/configure.ac b/configure.ac
index e644308..3e27e02 100644
--- a/configure.ac
+++ b/configure.ac
@@ -127,5 +127,6 @@ AC_CONFIG_FILES([Makefile extensions/GNUmakefile include/Makefile
 	libiptc/Makefile libiptc/libiptc.pc
 	libiptc/libip4tc.pc libiptc/libip6tc.pc
 	libxtables/Makefile utils/Makefile
-	include/xtables-version.h include/iptables/internal.h])
+	include/xtables-version.h include/iptables/internal.h
+	iptables/iptables.8 iptables/ip6tables.8])
 AC_OUTPUT
diff --git a/iptables/Makefile.am b/iptables/Makefile.am
index 61e78db..a476171 100644
--- a/iptables/Makefile.am
+++ b/iptables/Makefile.am
@@ -38,12 +38,6 @@ if ENABLE_IPV6
 v6_sbin_links  = ip6tables ip6tables-restore ip6tables-save
 endif
 
-iptables.8: ${srcdir}/iptables.8.in
-	${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' $< >$@;
-
-ip6tables.8: ${srcdir}/ip6tables.8.in
-	${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' $< >$@;
-
 iptables-extensions.8: ${srcdir}/iptables-extensions.8.in ../extensions/matches.man ../extensions/targets.man
 	${AM_VERBOSE_GEN} sed -e \
 		's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' \
diff --git a/iptables/ip6tables.8.in b/iptables/ip6tables.8.in
index 078bcac..328a0e3 100644
--- a/iptables/ip6tables.8.in
+++ b/iptables/ip6tables.8.in
@@ -1,4 +1,4 @@
-.TH IP6TABLES 8 "" "@PACKAGE_AND_VERSION@" "@PACKAGE_AND_VERSION@"
+.TH IP6TABLES 8 "" "@PACKAGE_NAME@ @PACKAGE_VERSION@" "@PACKAGE_NAME@ @PACKAGE_VERSION@"
 .\"
 .\" Man page written by Andras Kis-Szabo <kisza@sch.bme.hu>
 .\" It is based on iptables man page.
diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in
index d6b409d..596c329 100644
--- a/iptables/iptables.8.in
+++ b/iptables/iptables.8.in
@@ -1,4 +1,4 @@
-.TH IPTABLES 8 "" "@PACKAGE_AND_VERSION@" "@PACKAGE_AND_VERSION@"
+.TH IPTABLES 8 "" "@PACKAGE_NAME@ @PACKAGE_VERSION@" "@PACKAGE_NAME@ @PACKAGE_VERSION@"
 .\"
 .\" Man page written by Herve Eychenne <rv@wallfire.org> (May 1999)
 .\" It is based on ipchains page.
-- 
1.7.10.4

Re: Documentation and a build fix

[Pablo Neira Ayuso]

On Wed, Dec 26, 2012 at 12:11:16AM +0100, Jan Engelhardt wrote:
[...]
>       doc: fixup omissions in ip6tables-restore.8
>       doc: document iptables-restore's -t option
>       doc: document iptables-restore's -v option
>       doc: document iptables-restore's -M option
>       doc: document iptables-restore's -h option
>       doc: name the supported log levels for ipt_LOG
>       doc: mention -m in the manpage
>       doc: document the -4 and -6 options

Applied these 8 documentation cleanups to master.