diff options
author | Jan Engelhardt <jengelh@inai.de> | 2023-11-13 11:17:35 +0100 |
---|---|---|
committer | Jan Engelhardt <jengelh@inai.de> | 2023-11-13 11:28:19 +0100 |
commit | 4b0c168a7b50032ba64f75565f73340fc447bfab (patch) | |
tree | a3b5d7b5eba3c2706981f29f03ea77ef1b2cbbf7 /iptables | |
parent | 1e6dda434e54f704dfeff4ae197c1c41b1fd68f1 (diff) |
man: more backslash-encoding of characters
"-" is the dash, "\-" is minus as we know, but groff lists some more
characters: "^" is "modifier circumflex" and "~" is "modifier tilde",
which, too, need to be escaped for our use.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Diffstat (limited to 'iptables')
-rw-r--r-- | iptables/arptables-nft-restore.8 | 2 | ||||
-rw-r--r-- | iptables/arptables-nft.8 | 108 | ||||
-rw-r--r-- | iptables/ebtables-nft.8 | 2 | ||||
-rw-r--r-- | iptables/xtables-nft.8 | 16 | ||||
-rw-r--r-- | iptables/xtables-translate.8 | 32 |
5 files changed, 80 insertions, 80 deletions
diff --git a/iptables/arptables-nft-restore.8 b/iptables/arptables-nft-restore.8 index 0e525fe3..596ca1c9 100644 --- a/iptables/arptables-nft-restore.8 +++ b/iptables/arptables-nft-restore.8 @@ -22,7 +22,7 @@ .SH NAME arptables-restore \(em Restore ARP Tables (nft-based) .SH SYNOPSIS -\fBarptables\-restore +\fBarptables\-restore\fP .SH DESCRIPTION .PP .B arptables-restore diff --git a/iptables/arptables-nft.8 b/iptables/arptables-nft.8 index 444b0015..2bee9f2b 100644 --- a/iptables/arptables-nft.8 +++ b/iptables/arptables-nft.8 @@ -102,11 +102,11 @@ section of this man page. There is only one ARP table in the Linux kernel. The table is .BR filter. -You can drop the '-t filter' argument to the arptables command. -The -t argument must be the +You can drop the '\-t filter' argument to the arptables command. +The \-t argument must be the first argument on the arptables command line, if used. .TP -.B "-t, --table" +.B "\-t, \-\-table" .br .BR filter , is the only table and contains two built-in chains: @@ -123,79 +123,79 @@ are commands, miscellaneous commands, rule-specifications, match-extensions, and watcher-extensions. .SS COMMANDS The arptables command arguments specify the actions to perform on the table -defined with the -t argument. If you do not use the -t argument to name +defined with the \-t argument. If you do not use the \-t argument to name a table, the commands apply to the default filter table. With the exception of the -.B "-Z" +.B "\-Z" command, only one command may be used on the command line at a time. .TP -.B "-A, --append" +.B "\-A, \-\-append" Append a rule to the end of the selected chain. .TP -.B "-D, --delete" +.B "\-D, \-\-delete" Delete the specified rule from the selected chain. There are two ways to use this command. The first is by specifying an interval of rule numbers to delete, syntax: start_nr[:end_nr]. Using negative numbers is allowed, for more -details about using negative numbers, see the -I command. The second usage is by +details about using negative numbers, see the \-I command. The second usage is by specifying the complete rule as it would have been specified when it was added. .TP -.B "-I, --insert" +.B "\-I, \-\-insert" Insert the specified rule into the selected chain at the specified rule number. If the current number of rules equals N, then the specified number can be -between -N and N+1. For a positive number i, it holds that i and i-N-1 specify the +between \-N and N+1. For a positive number i, it holds that i and i\-N\-1 specify the same place in the chain where the rule should be inserted. The number 0 specifies the place past the last rule in the chain and using this number is therefore -equivalent with using the -A command. +equivalent with using the \-A command. .TP -.B "-R, --replace" +.B "\-R, \-\-replace" Replaces the specified rule into the selected chain at the specified rule number. If the current number of rules equals N, then the specified number can be between 1 and N. i specifies the place in the chain where the rule should be replaced. .TP -.B "-P, --policy" +.B "\-P, \-\-policy" Set the policy for the chain to the given target. The policy can be .BR ACCEPT ", " DROP " or " RETURN . .TP -.B "-F, --flush" +.B "\-F, \-\-flush" Flush the selected chain. If no chain is selected, then every chain will be flushed. Flushing the chain does not change the policy of the chain, however. .TP -.B "-Z, --zero" +.B "\-Z, \-\-zero" Set the counters of the selected chain to zero. If no chain is selected, all the counters are set to zero. The -.B "-Z" +.B "\-Z" command can be used in conjunction with the -.B "-L" +.B "\-L" command. When both the -.B "-Z" +.B "\-Z" and -.B "-L" +.B "\-L" commands are used together in this way, the rule counters are printed on the screen before they are set to zero. .TP -.B "-L, --list" +.B "\-L, \-\-list" List all rules in the selected chain. If no chain is selected, all chains are listed. .TP -.B "-N, --new-chain" +.B "\-N, \-\-new-chain" Create a new user-defined chain with the given name. The number of user-defined chains is unlimited. A user-defined chain name has maximum length of 31 characters. .TP -.B "-X, --delete-chain" +.B "\-X, \-\-delete-chain" Delete the specified user-defined chain. There must be no remaining references to the specified chain, otherwise .B arptables will refuse to delete it. If no chain is specified, all user-defined chains that aren't referenced will be removed. .TP -.B "-E, --rename-chain" +.B "\-E, \-\-rename\-chain" Rename the specified chain to a new name. Besides renaming a user-defined chain, you may rename a standard chain name to a name that suits your taste. For example, if you like PREBRIDGING more than PREROUTING, -then you can use the -E command to rename the PREROUTING chain. If you do +then you can use the \-E command to rename the PREROUTING chain. If you do rename one of the standard .B arptables chain names, please be sure to mention @@ -211,13 +211,13 @@ kernel table. .SS MISCELLANOUS COMMANDS .TP -.B "-V, --version" +.B "\-V, \-\-version" Show the version of the arptables userspace program. .TP -.B "-h, --help" +.B "\-h, \-\-help" Give a brief description of the command syntax. .TP -.BR "-j, --jump " "\fItarget\fP" +.BR "\-j, \-\-jump " "\fItarget\fP" The target of the rule. This is one of the following values: .BR ACCEPT , .BR DROP , @@ -227,7 +227,7 @@ a target extension (see .BR "TARGET EXTENSIONS" ")" or a user-defined chain name. .TP -.BI "-c, --set-counters " "PKTS BYTES" +.BI "\-c, \-\-set-counters " "PKTS BYTES" This enables the administrator to initialize the packet and byte counters of a rule (during .B INSERT, @@ -241,38 +241,38 @@ in the add and delete commands). A "!" option before the specification inverts the test for that specification. Apart from these standard rule specifications there are some other command line arguments of interest. .TP -.BR "-s, --source-ip " "[!] \fIaddress\fP[/\fImask]\fP" +.BR "\-s, \-\-source\-ip " "[!] \fIaddress\fP[/\fImask]\fP" The Source IP specification. .TP -.BR "-d, --destination-ip " "[!] \fIaddress\fP[/\fImask]\fP" +.BR "\-d, \-\-destination\-ip " "[!] \fIaddress\fP[/\fImask]\fP" The Destination IP specification. .TP -.BR "--source-mac " "[!] \fIaddress\fP[/\fImask\fP]" +.BR "\-\-source\-mac " "[!] \fIaddress\fP[/\fImask\fP]" The source mac address. Both mask and address are written as 6 hexadecimal numbers separated by colons. .TP -.BR "--destination-mac " "[!] \fIaddress\fP[/\fImask\fP]" +.BR "\-\-destination\-mac " "[!] \fIaddress\fP[/\fImask\fP]" The destination mac address. Both mask and address are written as 6 hexadecimal numbers separated by colons. .TP -.BR "-i, --in-interface " "[!] \fIname\fP" +.BR "\-i, \-\-in\-interface " "[!] \fIname\fP" The interface via which a frame is received (for the .B INPUT chain). The flag -.B --in-if +.B \-\-in\-if is an alias for this option. .TP -.BR "-o, --out-interface " "[!] \fIname\fP" +.BR "\-o, \-\-out-interface " "[!] \fIname\fP" The interface via which a frame is going to be sent (for the .B OUTPUT chain). The flag -.B --out-if +.B \-\-out\-if is an alias for this option. .TP -.BR "-l, --h-length " "\fIlength\fP[/\fImask\fP]" +.BR "\-l, \-\-h\-length " "\fIlength\fP[/\fImask\fP]" The hardware length (nr of bytes) .TP -.BR "--opcode " "\fIcode\fP[/\fImask\fP] +.BR "\-\-opcode " "\fIcode\fP[/\fImask\fP] The operation code (2 bytes). Available values are: .BR 1 = Request .BR 2 = Reply @@ -284,63 +284,63 @@ The operation code (2 bytes). Available values are: .BR 8 = InARP_Request .BR 9 = ARP_NAK . .TP -.BR "--h-type " "\fItype\fP[/\fImask\fP]" +.BR "\-\-h\-type " "\fItype\fP[/\fImask\fP]" The hardware type (2 bytes, hexadecimal). Available values are: .BR 1 = Ethernet . .TP -.BR "--proto-type " "\fItype\fP[/\fImask\fP]" +.BR "\-\-proto\-type " "\fItype\fP[/\fImask\fP]" The protocol type (2 bytes). Available values are: .BR 0x800 = IPv4 . .SS TARGET-EXTENSIONS .B arptables extensions are precompiled into the userspace tool. So there is no need -to explicitly load them with a -m option like in +to explicitly load them with a \-m option like in .BR iptables . However, these extensions deal with functionality supported by supplemental kernel modules. .SS mangle .TP -.BR "--mangle-ip-s IP address" +.BR "\-\-mangle\-ip\-s IP address" Mangles Source IP Address to given value. .TP -.BR "--mangle-ip-d IP address" +.BR "\-\-mangle\-ip\-d IP address" Mangles Destination IP Address to given value. .TP -.BR "--mangle-mac-s MAC address" +.BR "\-\-mangle\-mac\-s MAC address" Mangles Source MAC Address to given value. .TP -.BR "--mangle-mac-d MAC address" +.BR "\-\-mangle\-mac\-d MAC address" Mangles Destination MAC Address to given value. .TP -.BR "--mangle-target target " +.BR "\-\-mangle\-target target " Target of ARP mangle operation -.BR "" ( DROP ", " CONTINUE " or " ACCEPT " -- default is " ACCEPT ). +.BR "" ( DROP ", " CONTINUE " or " ACCEPT " \(em default is " ACCEPT ). .SS CLASSIFY -This module allows you to set the skb->priority value (and thus +This module allows you to set the skb\->priority value (and thus classify the packet into a specific CBQ class). .TP -.BR "--set-class major:minor" +.BR "\-\-set\-class major:minor" Set the major and minor class value. The values are always interpreted as hexadecimal even if no 0x prefix is given. .SS MARK -This module allows you to set the skb->mark value (and thus classify +This module allows you to set the skb\->mark value (and thus classify the packet by the mark in u32) .TP -.BR "--set-mark mark" +.BR "\-\-set\-mark mark" Set the mark value. The values are always interpreted as hexadecimal even if no 0x prefix is given .TP -.BR "--and-mark mark" +.BR "\-\-and\-mark mark" Binary AND the mark with bits. .TP -.BR "--or-mark mark" +.BR "\-\-or\-mark mark" Binary OR the mark with bits. .SH NOTES @@ -357,6 +357,6 @@ chain in .SH MAILINGLISTS .BR "" "See " http://netfilter.org/mailinglists.html .SH SEE ALSO -.BR xtables-nft "(8), " iptables "(8), " ebtables "(8), " ip (8) +.BR xtables\-nft "(8), " iptables "(8), " ebtables "(8), " ip (8) .PP .BR "" "See " https://wiki.nftables.org diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8 index 9fc845a1..641008cf 100644 --- a/iptables/ebtables-nft.8 +++ b/iptables/ebtables-nft.8 @@ -858,7 +858,7 @@ Log with the default logging options .TP .B --nflog-group "\fInlgroup\fP" .br -The netlink group (1\(en2^32\-1) to which packets are (only applicable for +The netlink group (1\(en2\^32\-1) to which packets are (only applicable for nfnetlink_log). The default value is 1. .TP .B --nflog-prefix "\fIprefix\fP" diff --git a/iptables/xtables-nft.8 b/iptables/xtables-nft.8 index 702bf954..3ced29ca 100644 --- a/iptables/xtables-nft.8 +++ b/iptables/xtables-nft.8 @@ -105,15 +105,15 @@ One basic example is creating the skeleton ruleset in nf_tables from the xtables-nft tools, in a fresh machine: .nf - root@machine:~# iptables\-nft \-L + root@machine:\~# iptables\-nft \-L [...] - root@machine:~# ip6tables\-nft \-L + root@machine:\~# ip6tables\-nft \-L [...] - root@machine:~# arptables\-nft \-L + root@machine:\~# arptables\-nft \-L [...] - root@machine:~# ebtables\-nft \-L + root@machine:\~# ebtables\-nft \-L [...] - root@machine:~# nft list ruleset + root@machine:\~# nft list ruleset table ip filter { chain INPUT { type filter hook input priority 0; policy accept; @@ -175,12 +175,12 @@ To migrate your complete filter ruleset, in the case of \fBiptables(8)\fP, you would use: .nf - root@machine:~# iptables\-legacy\-save > myruleset # reads from x_tables - root@machine:~# iptables\-nft\-restore myruleset # writes to nf_tables + root@machine:\~# iptables\-legacy\-save > myruleset # reads from x_tables + root@machine:\~# iptables\-nft\-restore myruleset # writes to nf_tables .fi or .nf - root@machine:~# iptables\-legacy\-save | iptables-translate-restore | less + root@machine:\~# iptables\-legacy\-save | iptables\-translate\-restore | less .fi to see how rules would look like in the nft diff --git a/iptables/xtables-translate.8 b/iptables/xtables-translate.8 index a048e8c9..ba16c525 100644 --- a/iptables/xtables-translate.8 +++ b/iptables/xtables-translate.8 @@ -38,15 +38,15 @@ ruleset from \fBiptables(8)\fP, \fBip6tables(8)\fP and \fBebtables(8)\fP to The available commands are: .IP \[bu] 2 -iptables-translate +iptables\-translate .IP \[bu] -iptables-restore-translate +iptables\-restore\-translate .IP \[bu] 2 -ip6tables-translate +ip6tables\-translate .IP \[bu] -ip6tables-restore-translate +ip6tables\-restore\-translate .IP \[bu] 2 -ebtables-translate +ebtables\-translate .SH USAGE They take as input the original @@ -69,38 +69,38 @@ Basic operation examples. Single command translation: .nf -root@machine:~# iptables-translate -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT +root@machine:\~# iptables\-translate \-A INPUT \-p tcp \-\-dport 22 \-m conntrack \-\-ctstate NEW \-j ACCEPT nft add rule ip filter INPUT tcp dport 22 ct state new counter accept -root@machine:~# ip6tables-translate -A FORWARD -i eth0 -o eth3 -p udp -m multiport --dports 111,222 -j ACCEPT +root@machine:\~# ip6tables\-translate \-A FORWARD \-i eth0 \-o eth3 \-p udp \-m multiport \-\-dports 111,222 \-j ACCEPT nft add rule ip6 filter FORWARD iifname eth0 oifname eth3 meta l4proto udp udp dport { 111,222} counter accept .fi Whole ruleset translation: .nf -root@machine:~# iptables-save > save.txt -root@machine:~# cat save.txt -# Generated by iptables-save v1.6.0 on Sat Dec 24 14:26:40 2016 +root@machine:\~# iptables\-save > save.txt +root@machine:\~# cat save.txt +# Generated by iptables\-save v1.6.0 on Sat Dec 24 14:26:40 2016 *filter :INPUT ACCEPT [5166:1752111] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [5058:628693] --A FORWARD -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT +\-A FORWARD \-p tcp \-m tcp \-\-dport 22 \-m conntrack \-\-ctstate NEW \-j ACCEPT COMMIT # Completed on Sat Dec 24 14:26:40 2016 -root@machine:~# iptables-restore-translate -f save.txt -# Translated by iptables-restore-translate v1.6.0 on Sat Dec 24 14:26:59 2016 +root@machine:\~# iptables\-restore\-translate \-f save.txt +# Translated by iptables\-restore\-translate v1.6.0 on Sat Dec 24 14:26:59 2016 add table ip filter add chain ip filter INPUT { type filter hook input priority 0; } add chain ip filter FORWARD { type filter hook forward priority 0; } add chain ip filter OUTPUT { type filter hook output priority 0; } add rule ip filter FORWARD tcp dport 22 ct state new counter accept -root@machine:~# iptables-restore-translate -f save.txt > ruleset.nft -root@machine:~# nft -f ruleset.nft -root@machine:~# nft list ruleset +root@machine:\~# iptables\-restore\-translate \-f save.txt > ruleset.nft +root@machine:\~# nft \-f ruleset.nft +root@machine:\~# nft list ruleset table ip filter { chain INPUT { type filter hook input priority 0; policy accept; |