-rw-r--r--Makefile9
-rw-r--r--extensions/Makefile75
-rw-r--r--extensions/libip6t_HL.man17
-rw-r--r--extensions/libip6t_LOG.man28
-rw-r--r--extensions/libip6t_MARK.man6
-rw-r--r--extensions/libip6t_REJECT.man34
-rw-r--r--extensions/libip6t_ROUTE.man12
-rw-r--r--extensions/libip6t_TRACE.man3
-rw-r--r--extensions/libip6t_ah.man3
-rw-r--r--extensions/libip6t_condition.man4
-rw-r--r--extensions/libip6t_dst.man7
-rw-r--r--extensions/libip6t_esp.man3
-rw-r--r--extensions/libip6t_eui64.man1
-rw-r--r--extensions/libip6t_frag.man19
-rw-r--r--extensions/libip6t_fuzzy.man7
-rw-r--r--extensions/libip6t_hbh.man7
-rw-r--r--extensions/libip6t_hl.man10
-rw-r--r--extensions/libip6t_icmpv6.man9
-rw-r--r--extensions/libip6t_ipv6header.man10
-rw-r--r--extensions/libip6t_length.man4
-rw-r--r--extensions/libip6t_limit.man15
-rw-r--r--extensions/libip6t_mac.man10
-rw-r--r--extensions/libip6t_mark.man9
-rw-r--r--extensions/libip6t_multiport.man19
-rw-r--r--extensions/libip6t_nth.man14
-rw-r--r--extensions/libip6t_owner.man21
-rw-r--r--extensions/libip6t_random.man4
-rw-r--r--extensions/libip6t_rt.man19
-rw-r--r--extensions/libip6t_tcp.man45
-rw-r--r--extensions/libip6t_udp.man14
-rw-r--r--extensions/libipt_BALANCE.man4
-rw-r--r--extensions/libipt_CLASSIFY.man4
-rw-r--r--extensions/libipt_CLUSTERIP.man24
-rw-r--r--extensions/libipt_CONNMARK.man13
-rw-r--r--extensions/libipt_DNAT.man27
-rw-r--r--extensions/libipt_DSCP.man9
-rw-r--r--extensions/libipt_ECN.man7
-rw-r--r--extensions/libipt_LOG.man28
-rw-r--r--extensions/libipt_MARK.man6
-rw-r--r--extensions/libipt_MASQUERADE.man22
-rw-r--r--extensions/libipt_MIRROR.man12
-rw-r--r--extensions/libipt_NETMAP.man9
-rw-r--r--extensions/libipt_NOTRACK.man5
-rw-r--r--extensions/libipt_REDIRECT.man18
-rw-r--r--extensions/libipt_REJECT.man34
-rw-r--r--extensions/libipt_ROUTE.man15
-rw-r--r--extensions/libipt_SNAT.man26
-rw-r--r--extensions/libipt_TCPMSS.man38
-rw-r--r--extensions/libipt_TOS.man11
-rw-r--r--extensions/libipt_TRACE.man3
-rw-r--r--extensions/libipt_TTL.man19
-rw-r--r--extensions/libipt_ULOG.man27
-rw-r--r--extensions/libipt_addrtype.man37
-rw-r--r--extensions/libipt_ah.man3
-rw-r--r--extensions/libipt_condition.man4
-rw-r--r--extensions/libipt_conntrack.man49
-rw-r--r--extensions/libipt_dscp.man10
-rw-r--r--extensions/libipt_dstlimit.man35
-rw-r--r--extensions/libipt_ecn.man11
-rw-r--r--extensions/libipt_esp.man3
-rw-r--r--extensions/libipt_fuzzy.man7
-rw-r--r--extensions/libipt_helper.man11
-rw-r--r--extensions/libipt_icmp.man9
-rw-r--r--extensions/libipt_iprange.man7
-rw-r--r--extensions/libipt_length.man4
-rw-r--r--extensions/libipt_limit.man15
-rw-r--r--extensions/libipt_mac.man10
-rw-r--r--extensions/libipt_mark.man9
-rw-r--r--extensions/libipt_mport.man19
-rw-r--r--extensions/libipt_multiport.man19
-rw-r--r--extensions/libipt_nth.man14
-rw-r--r--extensions/libipt_owner.man26
-rw-r--r--extensions/libipt_physdev.man42
-rw-r--r--extensions/libipt_pkttype.man3
-rw-r--r--extensions/libipt_random.man4
-rw-r--r--extensions/libipt_realm.man5
-rw-r--r--extensions/libipt_state.man21
-rw-r--r--extensions/libipt_tcp.man49
-rw-r--r--extensions/libipt_tcpmss.man4
-rw-r--r--extensions/libipt_time.man10
-rw-r--r--extensions/libipt_tos.man9
-rw-r--r--extensions/libipt_ttl.man10
-rw-r--r--extensions/libipt_udp.man14
-rw-r--r--extensions/libipt_unclean.man2
-rw-r--r--ip6tables.8.in (renamed from ip6tables.8)364
-rw-r--r--iptables.81072
-rw-r--r--iptables.8.in464
87 files changed, 1738 insertions, 1436 deletions
diff --git a/Makefile b/Makefile
index 50c85511..c9c6f343 100644
--- a/Makefile
+++ b/Makefile
@@ -53,7 +53,7 @@ LDFLAGS = -static
LDLIBS =
endif
-EXTRAS+=iptables iptables.o
+EXTRAS+=iptables iptables.o iptables.8
EXTRA_INSTALLS+=$(DESTDIR)$(BINDIR)/iptables $(DESTDIR)$(MANDIR)/man8/iptables.8
# No longer experimental.
@@ -61,7 +61,7 @@ EXTRAS+=iptables-save iptables-restore
EXTRA_INSTALLS+=$(DESTDIR)$(BINDIR)/iptables-save $(DESTDIR)$(BINDIR)/iptables-restore $(DESTDIR)$(MANDIR)/man8/iptables-restore.8 $(DESTDIR)$(MANDIR)/man8/iptables-save.8
ifeq ($(DO_IPV6), 1)
-EXTRAS+=ip6tables ip6tables.o
+EXTRAS+=ip6tables ip6tables.o ip6tables.8
EXTRA_INSTALLS+=$(DESTDIR)$(BINDIR)/ip6tables $(DESTDIR)$(MANDIR)/man8/ip6tables.8
EXTRAS_EXP+=ip6tables-save ip6tables-restore
EXTRA_INSTALLS_EXP+=$(DESTDIR)$(BINDIR)/ip6tables-save $(DESTDIR)$(BINDIR)/ip6tables-restore # $(DESTDIR)$(MANDIR)/man8/iptables-restore.8 $(DESTDIR)$(MANDIR)/man8/iptables-save.8 $(DESTDIR)$(MANDIR)/man8/ip6tables-save.8 $(DESTDIR)$(MANDIR)/man8/ip6tables-restore.8
@@ -147,6 +147,11 @@ EXTRA_DEPENDS+=iptables-standalone.d iptables.d
iptables-standalone.d iptables.d: %.d: %.c
@-$(CC) -M -MG $(CFLAGS) $< | sed -e 's@^.*\.o:@$*.d $*.o:@' > $@
+iptables.8: iptables.8.in extensions/libipt_matches.man extensions/libipt_targets.man
+ sed -e '/@MATCH@/ r extensions/libipt_matches.man' -e '/@TARGET@/ r extensions/libipt_targets.man' iptables.8.in >iptables.8
+
+ip6tables.8: ip6tables.8.in extensions/libip6t_matches.man extensions/libip6t_targets.man
+ sed -e '/@MATCH@/ r extensions/libip6t_matches.man' -e '/@TARGET@/ r extensions/libiptt_targets.man' ip6tables.8.in >ip6tables.8
# Development Targets
.PHONY: install-devel-man3
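Review bot: The ip6tables.8 recipe reads its target section from `extensions/libiptt_targets.man`, a path that exists nowhere (the prerequisite list on the line above names `libip6t_targets.man`), and GNU sed's `r` command treats an unreadable file as empty without any diagnostic, so the IPv6 page is produced with no target section while make reports success. Change it to `-e '/@TARGET@/ r extensions/libip6t_targets.man'`. Both recipes also redirect straight into the final filename instead of `$@`, so a failing or interrupted sed leaves a truncated page that is newer than its prerequisites and will not be rebuilt; writing to `$@.tmp` followed by `mv -f $@.tmp $@`, or declaring `.DELETE_ON_ERROR:`, closes that gap.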
diff --git a/extensions/Makefile b/extensions/Makefile
index db9d6041..2a45ea02 100644
--- a/extensions/Makefile
+++ b/extensions/Makefile
@@ -12,6 +12,29 @@ PF6_EXT_SLIB:=eui64 hl icmpv6 length limit mac mark multiport owner standard tcp
PF_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T)))
PF6_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test6),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T)))
+PF_EXT_ALL_SLIB:=$(patsubst extensions/libipt_%.c, %, $(wildcard extensions/libipt_*.c))
+PF6_EXT_ALL_SLIB:=$(patsubst extensions/libip6t_%.c, %, $(wildcard extensions/libipt_*.c))
+
+PF_EXT_MAN_ALL_MATCHES:=$(foreach T,$(PF_EXT_ALL_SLIB),$(shell test -f extensions/libipt_$(T).man && grep -q register_match extensions/libipt_$(T).c && echo $(T)))
+PF_EXT_MAN_ALL_TARGETS:=$(foreach T,$(PF_EXT_ALL_SLIB),$(shell test -f extensions/libipt_$(T).man && grep -q register_target extensions/libipt_$(T).c && echo $(T)))
+PF6_EXT_MAN_ALL_MATCHES:=$(foreach T,$(PF6_EXT_ALL_SLIB),$(shell test -f extensions/libip6t_$(T).man && grep -q register_match6 extensions/libip6t_$(T).c && echo $(T)))
+PF6_EXT_MAN_ALL_TARGETS:=$(foreach T,$(PF6_EXT_ALL_SLIB),$(shell test -f extensions/libip6t_$(T).man && grep -q register_target6 extensions/libip6t_$(T).c && echo $(T)))
+
+PF_EXT_MAN_MATCHES:=$(filter $(PF_EXT_ALL_SLIB), $(PF_EXT_MAN_ALL_MATCHES))
+PF_EXT_MAN_TARGETS:=$(filter $(PF_EXT_ALL_SLIB), $(PF_EXT_MAN_ALL_TARGETS))
+PF_EXT_MAN_EXTRA_MATCHES:=$(filter-out $(PF_EXT_MAN_MATCHES), $(PF_EXT_MAN_ALL_MATCHES))
+PF_EXT_MAN_EXTRA_TARGETS:=$(filter-out $(PF_EXT_MAN_TARGETS), $(PF_EXT_MAN_ALL_TARGETS))
+PF6_EXT_MAN_MATCHES:=$(filter $(PF6_EXT_ALL_SLIB), $(PF6_EXT_MAN_ALL_MATCHES))
+PF6_EXT_MAN_TARGETS:=$(filter $(PF6_EXT_ALL_SLIB), $(PF6_EXT_MAN_ALL_TARGETS))
+PF6_EXT_MAN_EXTRA_MATCHES:=$(filter-out $(PF6_EXT_MAN_MATCHES), $(PF6_EXT_MAN_ALL_MATCHES))
+PF6_EXT_MAN_EXTRA_TARGETS:=$(filter-out $(PF6_EXT_MAN_TARGETS), $(PF6_EXT_MAN_ALL_TARGETS))
+
+
+allman:
+ @echo ALL_SLIB: $(PF_EXT_ALL_SLIB)
+ @echo ALL_MATCH: $(PF_EXT_MAN_ALL_MATCHES)
+ @echo ALL_TARGET: $(PF_EXT_MAN_ALL_TARGETS)
+
PF_EXT_SLIB+=$(PF_EXT_SLIB_OPTS)
PF6_EXT_SLIB+=$(PF6_EXT_SLIB_OPTS)
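Review bot: `PF6_EXT_ALL_SLIB` globs `extensions/libipt_*.c` (the IPv4 sources) while its `patsubst` pattern expects `libip6t_%.c`, so no stem is ever extracted; every word stays a full IPv4 path, the `test -f extensions/libip6t_$(T).man` probes below can never succeed, and all `PF6_EXT_MAN_*` lists come out empty, leaving the IPv6 man page without extension sections. The glob should read `$(wildcard extensions/libip6t_*.c)`. Separately, `PF_EXT_MAN_MATCHES:=$(filter $(PF_EXT_ALL_SLIB), ...)` filters a list that was itself derived from `PF_EXT_ALL_SLIB`, so it is a no-op and the `*_EXTRA_*` lists (and the "not supported, see Patch-O-Matic" headings that depend on them) are always empty; the filter presumably meant `$(PF_EXT_SLIB)`, which would then have to be evaluated after the `+=$(PF_EXT_SLIB_OPTS)` lines at the end of this hunk. `allman` names a command rather than a file and should be added to `.PHONY`.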
@@ -79,6 +102,58 @@ extensions/lib%.o: extensions/lib%.c
endif
+EXTRAS += extensions/libipt_targets.man
+extensions/libipt_targets.man: $(patsubst %,extensions/libipt_%.man,$(PF_EXT_MAN_ALL_TARGETS))
+ @for ext in $(PF_EXT_MAN_TARGETS); do \
+ echo ".SS $$ext" ;\
+ cat extensions/libipt_$$ext.man ;\
+ done >extensions/libipt_targets.man
+ @if [ -n "$(PF_EXT_MAN_EXTRA_TARGETS)" ]; then \
+ for ext in $(PF_EXT_MAN_EXTRA_TARGETS); do \
+ echo ".SS $$ext (not supported, see Patch-O-Matic)" ;\
+ cat extensions/libipt_$$ext.man ;\
+ done ;\
+ fi >>extensions/libipt_targets.man
+
+EXTRAS += extensions/libipt_matches.man
+extensions/libipt_matches.man: $(patsubst %,extensions/libipt_%.man,$(PF_EXT_MAN_ALL_MATCHES))
+ @for ext in $(PF_EXT_MAN_MATCHES); do \
+ echo ".SS $$ext" ;\
+ cat extensions/libipt_$$ext.man ;\
+ done >extensions/libipt_matches.man
+ @if [ -n "$(PF_EXT_MAN_EXTRA_MATCHES)" ]; then \
+ for ext in $(PF_EXT_MAN_EXTRA_MATCHES); do \
+ echo ".SS $$ext (not supported, see Patch-O-Matic)" ;\
+ cat extensions/libipt_$$ext.man ;\
+ done ;\
+ fi >>extensions/libipt_matches.man
+
+EXTRAS += extensions/libip6t_targets.man
+extensions/libip6t_targets.man: $(patsubst %, extensions/libip6t_%.man, $(PF6_EXT_MAN_ALL_TARGETS))
+ @for ext in $(PF6_EXT_MAN_TARGETS); do \
+ echo ".SS $$ext" ;\
+ cat extensions/libip6t_$$ext.man ;\
+ done >extensions/libip6t_targets.man
+ @if [ -n "$(PF6_EXT_MAN_EXTRA_TARGETS)" ]; then \
+ for ext in $(PF6_EXT_MAN_EXTRA_TARGETS); do \
+ echo ".SS $$ext (not supported, see Patch-O-Matic)" ;\
+ cat extensions/libip6t_$$ext.man ;\
+ done ;\
+ fi >>extensions/libip6t_targets.man
+
+EXTRAS += extensions/libip6t_matches.man
+extensions/libip6t_matches.man: $(patsubst %, extensions/libip6t_%.man, $(PF6_EXT_MAN_ALL_MATCHES))
+ @for ext in $(PF6_EXT_MAN_MATCHES); do \
+ echo ".SS $$ext" ;\
+ cat extensions/libip6t_$$ext.man ;\
+ done >extensions/libip6t_matches.man
+ @if [ -n "$(PF6_EXT_MAN_EXTRA_MATCHES)" ]; then \
+ for ext in $(PF6_EXT_MAN_EXTRA_MATCHES); do \
+ echo ".SS $$ext (not supported, see Patch-O-Matic)" ;\
+ cat extensions/libip6t_$$ext.man ;\
+ done ;\
+ fi >>extensions/libip6t_matches.man
+
$(DESTDIR)$(LIBDIR)/iptables/libipt_%.so: extensions/libipt_%.so
@[ -d $(DESTDIR)$(LIBDIR)/iptables ] || mkdir -p $(DESTDIR)$(LIBDIR)/iptables
cp $< $@
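Review bot: In all four generation rules the loop body chains with `;` and the recipe is prefixed with `@`, so a `cat` that fails on an unreadable `.man` file neither aborts the build nor shows which file was being read (the for-loop's exit status is that of its last command), and the partially written `libipt_targets.man` is then newer than its prerequisites and treated as up to date on the next run. Use `cat extensions/libipt_$$ext.man || exit 1 ;\` inside each loop and redirect to the target rather than a repeated literal (`done >$@` and `fi >>$@`), which also keeps each recipe honest about the file it produces. The four rules differ only in the `libipt_`/`libip6t_` prefix and the matches/targets list, so a single `define` plus `$(eval $(call ...))` template would remove the triplication. The `EXTRAS +=` lines add these generated files to a list whose consumer is outside this hunk, so I cannot tell from here whether they are cleaned or accidentally installed.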
diff --git a/extensions/libip6t_HL.man b/extensions/libip6t_HL.man
new file mode 100644
index 00000000..6b8291d9
--- /dev/null
+++ b/extensions/libip6t_HL.man
@@ -0,0 +1,17 @@
+This is used to modify the IPv6 HOPLIMIT header field. The HOPLIMIT field is
+similar to what is known as TTL value in IPv4. Setting or incrementing the
+HOPLIMIT field can potentially be very dangerous, so it should be avoided at
+any cost.
+.TP
+.B Don't ever set or increment the value on packets that leave your local network!
+.B mangle
+table.
+.TP
+.BI "--hl-set " "value"
+Set the HOPLIMIT value to `value'.
+.TP
+.BI "--hl-dec " "value"
+Decrement the HOPLIMIT value `value' times.
+.TP
+.BI "--hl-inc " "value"
+Increment the HOPLIMIT value `value' times.
diff --git a/extensions/libip6t_LOG.man b/extensions/libip6t_LOG.man
new file mode 100644
index 00000000..9eb5a6ab
--- /dev/null
+++ b/extensions/libip6t_LOG.man
@@ -0,0 +1,28 @@
+Turn on kernel logging of matching packets. When this option is set
+for a rule, the Linux kernel will print some information on all
+matching packets (like most IPv6 IPv6-header fields) via the kernel log
+(where it can be read with
+.I dmesg
+or
+.IR syslogd (8)).
+This is a "non-terminating target", i.e. rule traversal continues at
+the next rule. So if you want to LOG the packets you refuse, use two
+separate rules with the same matching criteria, first using target LOG
+then DROP (or REJECT).
+.TP
+.BI "--log-level " "level"
+Level of logging (numeric or see \fIsyslog.conf\fP(5)).
+.TP
+.BI "--log-prefix " "prefix"
+Prefix log messages with the specified prefix; up to 29 letters long,
+and useful for distinguishing messages in the logs.
+.TP
+.B --log-tcp-sequence
+Log TCP sequence numbers. This is a security risk if the log is
+readable by users.
+.TP
+.B --log-tcp-options
+Log options from the TCP packet header.
+.TP
+.B --log-ip-options
+Log options from the IPv6 packet header.
diff --git a/extensions/libip6t_MARK.man b/extensions/libip6t_MARK.man
new file mode 100644
index 00000000..1f3260c5
--- /dev/null
+++ b/extensions/libip6t_MARK.man
@@ -0,0 +1,6 @@
+This is used to set the netfilter mark value associated with the
+packet. It is only valid in the
+.B mangle
+table.
+.TP
+.BI "--set-mark " "mark"
diff --git a/extensions/libip6t_REJECT.man b/extensions/libip6t_REJECT.man
new file mode 100644
index 00000000..75930f1e
--- /dev/null
+++ b/extensions/libip6t_REJECT.man
@@ -0,0 +1,34 @@
+This is used to send back an error packet in response to the matched
+packet: otherwise it is equivalent to
+.B DROP
+so it is a terminating TARGET, ending rule traversal.
+This target is only valid in the
+.BR INPUT ,
+.B FORWARD
+and
+.B OUTPUT
+chains, and user-defined chains which are only called from those
+chains. The following option controls the nature of the error packet
+returned:
+.TP
+.BI "--reject-with " "type"
+The type given can be
+.nf
+.B " icmp6-no-route"
+.B " no-route"
+.B " icmp6-adm-prohibited"
+.B " adm-prohibited"
+.B " icmp6-addr-unreachable"
+.B " addr-unreach"
+.B " icmp6-port-unreachable"
+.B " port-unreach"
+.fi
+which return the appropriate IPv6-ICMP error message (\fBport-unreach\fP is
+the default). Finally, the option
+.B tcp-reset
+can be used on rules which only match the TCP protocol: this causes a
+TCP RST packet to be sent back. This is mainly useful for blocking
+.I ident
+(113/tcp) probes which frequently occur when sending mail to broken mail
+hosts (which won't accept your mail otherwise).
+
diff --git a/extensions/libip6t_ROUTE.man b/extensions/libip6t_ROUTE.man
new file mode 100644
index 00000000..145d748d
--- /dev/null
+++ b/extensions/libip6t_ROUTE.man
@@ -0,0 +1,12 @@
+This is used to explicitly override the core network stack's routing decision.
+.B mangle
+table.
+.TP
+.BI "--oif " "ifname"
+Route the packet through `ifname' network interface
+.TP
+.BI "--gw " "IPv6_address"
+Route the packet via this gateway
+.TP
+.BI "--continue "
+Behave like a non-terminating target and continue traversing the rules
diff --git a/extensions/libip6t_TRACE.man b/extensions/libip6t_TRACE.man
new file mode 100644
index 00000000..549ab33b
--- /dev/null
+++ b/extensions/libip6t_TRACE.man
@@ -0,0 +1,3 @@
+This target has no options. It just turns on
+.B packet tracing
+for all packets that match this rule.
diff --git a/extensions/libip6t_ah.man b/extensions/libip6t_ah.man
new file mode 100644
index 00000000..97de1e19
--- /dev/null
+++ b/extensions/libip6t_ah.man
@@ -0,0 +1,3 @@
+This module matches the SPIs in AH header of IPSec packets.
+.TP
+.BR "--ahspi " "[!] \fIspi\fP[:\fIspi\fP]"
diff --git a/extensions/libip6t_condition.man b/extensions/libip6t_condition.man
new file mode 100644
index 00000000..30c478cd
--- /dev/null
+++ b/extensions/libip6t_condition.man
@@ -0,0 +1,4 @@
+This matches if a specific /proc filename is '0' or '1'.
+.TP
+.BI "--condition " "[!] filename"
+Match on boolean value stored in /proc/net/ip6t_condition/filename file
diff --git a/extensions/libip6t_dst.man b/extensions/libip6t_dst.man
new file mode 100644
index 00000000..168a10fb
--- /dev/null
+++ b/extensions/libip6t_dst.man
@@ -0,0 +1,7 @@
+This module matches the IPv6 destination header options
+.TP
+.BI "--dst-len" "[!]" "length"
+Total length of this header
+.TP
+.BI "--dst-opts " "TYPE[:LEN],[,TYPE[:LEN]...]"
+Options and it's length (List).
diff --git a/extensions/libip6t_esp.man b/extensions/libip6t_esp.man
new file mode 100644
index 00000000..7b84368d
--- /dev/null
+++ b/extensions/libip6t_esp.man
@@ -0,0 +1,3 @@
+This module matches the SPIs in ESP header of IPSec packets.
+.TP
+.BR "--espspi " "[!] \fIspi\fP[:\fIspi\fP]"
diff --git a/extensions/libip6t_eui64.man b/extensions/libip6t_eui64.man
new file mode 100644
index 00000000..24fc56c6
--- /dev/null
+++ b/extensions/libip6t_eui64.man
@@ -0,0 +1 @@
+This module matches the EUI64 part of a stateless autoconfigured IPv6 address. It compares the source MAC address with the lower 64 bits of the IPv6 address.
diff --git a/extensions/libip6t_frag.man b/extensions/libip6t_frag.man
new file mode 100644
index 00000000..fff3db3b
--- /dev/null
+++ b/extensions/libip6t_frag.man
@@ -0,0 +1,19 @@
+This module matches the time IPv6 fragmentathion header
+.TP
+.BI "--fragid " "[!]" "id[:id]"
+Matches the given fragmentation ID (range).
+.TP
+.BI "--fraglen " "[!]" "length"
+Matches the total length of this header.
+.TP
+.BI "--fragres "
+Matches the reserved field, too.
+.TP
+.BI "--fragfirst "
+Matches on the first fragment.
+.TP
+.BI "[--fragmore]"
+Matches if there are more fragments.
+.TP
+.BI "[--fraglast]"
+Matches if this is the last fragement.
diff --git a/extensions/libip6t_fuzzy.man b/extensions/libip6t_fuzzy.man
new file mode 100644
index 00000000..270c8d62
--- /dev/null
+++ b/extensions/libip6t_fuzzy.man
@@ -0,0 +1,7 @@
+This module matches a rate limit based on a fuzzy logic controller [FLC]
+.TP
+.BI "--lower-limit "number"
+Specifies the lower limit (in packets per second).
+.TP
+.BI "--upper-limit " "number"
+Specifies the upper limit (in packets per second).
diff --git a/extensions/libip6t_hbh.man b/extensions/libip6t_hbh.man
new file mode 100644
index 00000000..8376f915
--- /dev/null
+++ b/extensions/libip6t_hbh.man
@@ -0,0 +1,7 @@
+This module matches the IPv6 hop-by-hop header options
+.TP
+.BI "--hbh-len" "[!]" "length"
+Total length of this header
+.TP
+.BI "--hbh-opts " "TYPE[:LEN],[,TYPE[:LEN]...]"
+Options and it's length (List).
diff --git a/extensions/libip6t_hl.man b/extensions/libip6t_hl.man
new file mode 100644
index 00000000..9fcb730d
--- /dev/null
+++ b/extensions/libip6t_hl.man
@@ -0,0 +1,10 @@
+This module matches the HOPLIMIT field in the IPv6 header.
+.TP
+.BI "--hl-eq " "value"
+Matches if HOPLIMIT equals the given value.
+.TP
+.BI "--hl-lt " "ttl"
+Matches if HOPLIMIT is less than the given value.
+.TP
+.BI "--hl-gt " "ttl"
+Matches if HOPLIMIT is greater than the given value.
diff --git a/extensions/libip6t_icmpv6.man b/extensions/libip6t_icmpv6.man
new file mode 100644
index 00000000..27029544
--- /dev/null
+++ b/extensions/libip6t_icmpv6.man
@@ -0,0 +1,9 @@
+This extension is loaded if `--protocol ipv6-icmp' or `--protocol icmpv6' is
+specified. It provides the following option:
+.TP
+.BR "--icmpv6-type " "[!] \fItypename\fP"
+This allows specification of the ICMP type, which can be a numeric
+IPv6-ICMP type, or one of the IPv6-ICMP type names shown by the command
+.nf
+ ip6tables -p ipv6-icmp -h
+.fi
diff --git a/extensions/libip6t_ipv6header.man b/extensions/libip6t_ipv6header.man
new file mode 100644
index 00000000..bec3e184
--- /dev/null
+++ b/extensions/libip6t_ipv6header.man
@@ -0,0 +1,10 @@
+This module matches on IPv6 option headers
+.TP
+.BI "--header " "[!]" "headers"
+Matches the given type of headers.
+Names: hop,dst,route,frag,auth,esp,none,proto
+Long Names: hop-by-hop,ipv6-opts,ipv6-route,ipv6-frag,ah,esp,ipv6-nonxt,protocol
+Numbers: 0,60,43,44,51,50,59
+.TP
+.BI "--soft"
+The header CONTAINS the specified extensions.
diff --git a/extensions/libip6t_length.man b/extensions/libip6t_length.man
new file mode 100644
index 00000000..72a6b5dc
--- /dev/null
+++ b/extensions/libip6t_length.man
@@ -0,0 +1,4 @@
+This module matches the length of a packet against a specific value
+or range of values.
+.TP
+.BR "--length " "\fIlength\fP[:\fIlength\fP]"
diff --git a/extensions/libip6t_limit.man b/extensions/libip6t_limit.man
new file mode 100644
index 00000000..84b63d4e
--- /dev/null
+++ b/extensions/libip6t_limit.man
@@ -0,0 +1,15 @@
+This module matches at a limited rate using a token bucket filter.
+A rule using this extension will match until this limit is reached
+(unless the `!' flag is used). It can be used in combination with the
+.B LOG
+target to give limited logging, for example.
+.TP
+.BI "--limit " "rate"
+Maximum average matching rate: specified as a number, with an optional
+`/second', `/minute', `/hour', or `/day' suffix; the default is
+3/hour.
+.TP
+.BI "--limit-burst " "number"
+Maximum initial number of packets to match: this number gets
+recharged by one every time the limit specified above is not reached,
+up to this number; the default is 5.
diff --git a/extensions/libip6t_mac.man b/extensions/libip6t_mac.man
new file mode 100644
index 00000000..5321ca1c
--- /dev/null
+++ b/extensions/libip6t_mac.man
@@ -0,0 +1,10 @@
+.TP
+.BR "--mac-source " "[!] \fIaddress\fP"
+Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX.
+Note that this only makes sense for packets coming from an Ethernet device
+and entering the
+.BR PREROUTING ,
+.B FORWARD
+or
+.B INPUT
+chains.
diff --git a/extensions/libip6t_mark.man b/extensions/libip6t_mark.man
new file mode 100644
index 00000000..05f8e1ec
--- /dev/null
+++ b/extensions/libip6t_mark.man
@@ -0,0 +1,9 @@
+This module matches the netfilter mark field associated with a packet
+(which can be set using the
+.B MARK
+target below).
+.TP
+.BR "--mark " "\fIvalue\fP[/\fImask\fP]"
+Matches packets with the given unsigned mark value (if a mask is
+specified, this is logically ANDed with the mask before the
+comparison).
diff --git a/extensions/libip6t_multiport.man b/extensions/libip6t_multiport.man
new file mode 100644
index 00000000..cead84e7
--- /dev/null
+++ b/extensions/libip6t_multiport.man
@@ -0,0 +1,19 @@
+This module matches a set of source or destination ports. Up to 15
+ports can be specified. It can only be used in conjunction with
+.B "-p tcp"
+or
+.BR "-p udp" .
+.TP
+.BR "--source-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
+Match if the source port is one of the given ports. The flag
+.B --sports
+is a convenient alias for this option.
+.TP
+.BR "--destination-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
+Match if the destination port is one of the given ports. The flag
+.B --dports
+is a convenient alias for this option.
+.TP
+.BR "--ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
+Match if the both the source and destination ports are equal to each
+other and to one of the given ports.
diff --git a/extensions/libip6t_nth.man b/extensions/libip6t_nth.man
new file mode 100644
index 00000000..d215fd55
--- /dev/null
+++ b/extensions/libip6t_nth.man
@@ -0,0 +1,14 @@
+This module matches every `n'th packet
+.TP
+.BI "--every " "value"
+Match every `value' packet
+.TP
+.BI "[" "--counter " "num" "]"
+Use internal counter number `num'. Default is `0'.
+.TP
+.BI "[" "--start " "num" "]"
+Initialize the counter at the number `num' insetad of `0'. Most between `0'
+and `value'-1.
+.TP
+.BI "[" "--packet " "num" "]"
+Match on `num' packet. Most be between `0' and `value'-1.
diff --git a/extensions/libip6t_owner.man b/extensions/libip6t_owner.man
new file mode 100644
index 00000000..8a31ca40
--- /dev/null
+++ b/extensions/libip6t_owner.man
@@ -0,0 +1,21 @@
+This module attempts to match various characteristics of the packet
+creator, for locally-generated packets. It is only valid in the
+.B OUTPUT
+chain, and even this some packets (such as ICMP ping responses) may
+have no owner, and hence never match. This is regarded as experimental.
+.TP
+.BI "--uid-owner " "userid"
+Matches if the packet was created by a process with the given
+effective user id.
+.TP
+.BI "--gid-owner " "groupid"
+Matches if the packet was created by a process with the given
+effective group id.
+.TP
+.BI "--pid-owner " "processid"
+Matches if the packet was created by a process with the given
+process id.
+.TP
+.BI "--sid-owner " "sessionid"
+Matches if the packet was created by a process in the given session
+group.
diff --git a/extensions/libip6t_random.man b/extensions/libip6t_random.man
new file mode 100644
index 00000000..f808a779
--- /dev/null
+++ b/extensions/libip6t_random.man
@@ -0,0 +1,4 @@
+This module randomly matches a certain percentage of all packets.
+.TP
+.BI "--average " "percent"
+Matches the given percentage. If omitted, a probability of 50% is set.
diff --git a/extensions/libip6t_rt.man b/extensions/libip6t_rt.man
new file mode 100644
index 00000000..4347ecd1
--- /dev/null
+++ b/extensions/libip6t_rt.man
@@ -0,0 +1,19 @@
+Match on IPv6 routing header
+.TP
+.BI "--rt-type " "[!]" "type"
+Match the type (numeric).
+.TP
+.BI "--rt-segsleft" "[!]" "num[:num]"
+Match the `segments left' field (range).
+.TP
+.BI "--rt-len" "[!]" "length"
+Match the length of this header
+.TP
+.BI "--rt-0-res"
+Match the reserved field, too (type=0)
+.TP
+.BI "--rt-0-addrs ADDR[,ADDR...]
+Match type=0 addresses (list).
+.TP
+.BI "--rt-0-not-strict"
+List of type=0 addresses is not a strict list.
diff --git a/extensions/libip6t_tcp.man b/extensions/libip6t_tcp.man
new file mode 100644
index 00000000..75d172e1
--- /dev/null
+++ b/extensions/libip6t_tcp.man
@@ -0,0 +1,45 @@
+These extensions are loaded if `--protocol tcp' is specified. It
+provides the following options:
+.TP
+.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
+Source port or port range specification. This can either be a service
+name or a port number. An inclusive range can also be specified,
+using the format
+.IR port : port .
+If the first port is omitted, "0" is assumed; if the last is omitted,
+"65535" is assumed.
+If the second port greater then the first they will be swapped.
+The flag
+.B --sport
+is a convenient alias for this option.
+.TP
+.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
+Destination port or port range specification. The flag
+.B --dport
+is a convenient alias for this option.
+.TP
+.BR "--tcp-flags " "[!] \fImask\fP \fIcomp\fP"
+Match when the TCP flags are as specified. The first argument is the
+flags which we should examine, written as a comma-separated list, and
+the second argument is a comma-separated list of flags which must be
+set. Flags are:
+.BR "SYN ACK FIN RST URG PSH ALL NONE" .
+Hence the command
+.nf
+ ip6tables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
+.fi
+will only match packets with the SYN flag set, and the ACK, FIN and
+RST flags unset.
+.TP
+.B "[!] --syn"
+Only match TCP packets with the SYN bit set and the ACK and RST bits
+cleared. Such packets are used to request TCP connection initiation;
+for example, blocking such packets coming in an interface will prevent
+incoming TCP connections, but outgoing TCP connections will be
+unaffected.
+It is equivalent to \fB--tcp-flags SYN,RST,ACK SYN\fP.
+If the "!" flag precedes the "--syn", the sense of the
+option is inverted.
+.TP
+.BR "--tcp-option " "[!] \fInumber\fP"
+Match if TCP option set.
diff --git a/extensions/libip6t_udp.man b/extensions/libip6t_udp.man
new file mode 100644
index 00000000..04084797
--- /dev/null
+++ b/extensions/libip6t_udp.man
@@ -0,0 +1,14 @@
+These extensions are loaded if `--protocol udp' is specified. It
+provides the following options:
+.TP
+.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
+Source port or port range specification.
+See the description of the
+.B --source-port
+option of the TCP extension for details.
+.TP
+.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
+Destination port or port range specification.
+See the description of the
+.B --destination-port
+option of the TCP extension for details.
diff --git a/extensions/libipt_BALANCE.man b/extensions/libipt_BALANCE.man
new file mode 100644
index 00000000..0eb09d07
--- /dev/null
+++ b/extensions/libipt_BALANCE.man
@@ -0,0 +1,4 @@
+This allows you to DNAT connections in a round-robin way over a given range of destination addresses.
+.TP
+.BI "--to-destination " "ipaddr-ipaddr"
+Address range to round-robin over.
diff --git a/extensions/libipt_CLASSIFY.man b/extensions/libipt_CLASSIFY.man
new file mode 100644
index 00000000..393c329e
--- /dev/null
+++ b/extensions/libipt_CLASSIFY.man
@@ -0,0 +1,4 @@
+This module allows you to set the skb->priority value (and thus classify the packet into a specific CBQ class).
+.TP
+.BI "--set-class " "MAJOR:MINOR"
+Set the major and minor class value.
diff --git a/extensions/libipt_CLUSTERIP.man b/extensions/libipt_CLUSTERIP.man
new file mode 100644
index 00000000..8e766f37
--- /dev/null
+++ b/extensions/libipt_CLUSTERIP.man
@@ -0,0 +1,24 @@
+This module allows you to configure a simple cluster of nodes that share
+a certain IP and MAC address without an explicit load balancer in front of
+them. Connections are statically distributed between the nodes in this
+cluster.
+.TP
+.BI "--new "
+Create a new ClusterIP. You always have to set this on the first rule
+for a given ClusterIP.
+.TP
+.BI "--hashmode " "mode"
+Specify the hashing mode. Has to be one of
+.B sourceip, sourceip-sourceport, sourceip-sourceport-destport
+.TP
+.BI "--clustermac " "mac"
+Specify the ClusterIP MAC address. Has to be a link-layer multicast address
+.TP
+.BI "--total-nodes " "num"
+Number of total nodes within this cluster.
+.TP
+.BI "--local-node " "num"
+Local node number within this cluster.
+.TP
+.BI "--hash-init " "rnd"
+Specify the random seed used for hash initialization.
diff --git a/extensions/libipt_CONNMARK.man b/extensions/libipt_CONNMARK.man
new file mode 100644
index 00000000..64a0222d
--- /dev/null
+++ b/extensions/libipt_CONNMARK.man
@@ -0,0 +1,13 @@
+This target allows you to mark that connection with an arbitrary walue. This
+value can later be matched via the
+.B connmark
+match.
+.TP
+.BI "--set-mark " "mark"
+Set the conntrack mark,
+.TP
+.BI "--save-mark"
+Save the packet nfmark on the connection mark.
+.TP
+.BI "--restore-mark"
+Restore the saved nfmark value from the connection mark.
diff --git a/extensions/libipt_DNAT.man b/extensions/libipt_DNAT.man
new file mode 100644
index 00000000..7579e14e
--- /dev/null
+++ b/extensions/libipt_DNAT.man
@@ -0,0 +1,27 @@
+This target is only valid in the
+.B nat
+table, in the
+.B PREROUTING
+and
+.B OUTPUT
+chains, and user-defined chains which are only called from those
+chains. It specifies that the destination address of the packet
+should be modified (and all future packets in this connection will
+also be mangled), and rules should cease being examined. It takes one
+type of option:
+.TP
+.BR "--to-destination " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
+which can specify a single new destination IP address, an inclusive
+range of IP addresses, and optionally, a port range (which is only
+valid if the rule also specifies
+.B "-p tcp"
+or
+.BR "-p udp" ).
+If no port range is specified, then the destination port will never be
+modified.
+.RS
+.PP
+You can add several --to-destination options. If you specify more
+than one destination address, either via an address range or multiple
+--to-destination options, a simple round-robin (one after another in
+cycle) load balancing takes place between these adresses.
diff --git a/extensions/libipt_DSCP.man b/extensions/libipt_DSCP.man
new file mode 100644
index 00000000..e8e5cf5b
--- /dev/null
+++ b/extensions/libipt_DSCP.man
@@ -0,0 +1,9 @@
+This target allows to alter the value of the DSCP bits within the TOS
+header of the IPv4 packet. As this manipulates a packet, it can only
+be used in the mangle table.
+.TP
+.BI "--set-dscp " "value"
+Set the DSCP field to a numerical value (can be decimal or hex)
+.TP
+.BI "--set-dscp-class " "class"
+Set the DSCP field to a DiffServ class.
diff --git a/extensions/libipt_ECN.man b/extensions/libipt_ECN.man
new file mode 100644
index 00000000..3668490b
--- /dev/null
+++ b/extensions/libipt_ECN.man
@@ -0,0 +1,7 @@
+This target allows to selectively work around known ECN blackholes.
+It can only be used in the mangle table.
+.TP
+.BI "--ecn-tcp-remove"
+Remove all ECN bits from the TCP header. Of course, it can only be used
+in conjunction with
+.BR "-p tcp" .
diff --git a/extensions/libipt_LOG.man b/extensions/libipt_LOG.man
new file mode 100644
index 00000000..c604c76c
--- /dev/null
+++ b/extensions/libipt_LOG.man
@@ -0,0 +1,28 @@
+Turn on kernel logging of matching packets. When this option is set
+for a rule, the Linux kernel will print some information on all
+matching packets (like most IP header fields) via the kernel log
+(where it can be read with
+.I dmesg
+or
+.IR syslogd (8)).
+This is a "non-terminating target", i.e. rule traversal continues at
+the next rule. So if you want to LOG the packets you refuse, use two
+separate rules with the same matching criteria, first using target LOG
+then DROP (or REJECT).
+.TP
+.BI "--log-level " "level"
+Level of logging (numeric or see \fIsyslog.conf\fP(5)).
+.TP
+.BI "--log-prefix " "prefix"
+Prefix log messages with the specified prefix; up to 29 letters long,
+and useful for distinguishing messages in the logs.
+.TP
+.B --log-tcp-sequence
+Log TCP sequence numbers. This is a security risk if the log is
+readable by users.
+.TP
+.B --log-tcp-options
+Log options from the TCP packet header.
+.TP
+.B --log-ip-options
+Log options from the IP packet header.
diff --git a/extensions/libipt_MARK.man b/extensions/libipt_MARK.man
new file mode 100644
index 00000000..1c47e97a
--- /dev/null
+++ b/extensions/libipt_MARK.man
@@ -0,0 +1,6 @@
+This is used to set the netfilter mark value associated with the
+packet. It is only valid in the
+.B mangle
+table. It can for example be used in conjunction with iproute2.
+.TP
+.BI "--set-mark " "mark"
diff --git a/extensions/libipt_MASQUERADE.man b/extensions/libipt_MASQUERADE.man
new file mode 100644
index 00000000..e82063cc
--- /dev/null
+++ b/extensions/libipt_MASQUERADE.man
@@ -0,0 +1,22 @@
+This target is only valid in the
+.B nat
+table, in the
+.B POSTROUTING
+chain. It should only be used with dynamically assigned IP (dialup)
+connections: if you have a static IP address, you should use the SNAT
+target. Masquerading is equivalent to specifying a mapping to the IP
+address of the interface the packet is going out, but also has the
+effect that connections are
+.I forgotten
+when the interface goes down. This is the correct behavior when the
+next dialup is unlikely to have the same interface address (and hence
+any established connections are lost anyway). It takes one option:
+.TP
+.BR "--to-ports " "\fIport\fP[-\fIport\fP]"
+This specifies a range of source ports to use, overriding the default
+.B SNAT
+source port-selection heuristics (see above). This is only valid
+if the rule also specifies
+.B "-p tcp"
+or
+.BR "-p udp" .
diff --git a/extensions/libipt_MIRROR.man b/extensions/libipt_MIRROR.man
new file mode 100644
index 00000000..7b720bcb
--- /dev/null
+++ b/extensions/libipt_MIRROR.man
@@ -0,0 +1,12 @@
+This is an experimental demonstration target which inverts the source
+and destination fields in the IP header and retransmits the packet.
+It is only valid in the
+.BR INPUT ,
+.B FORWARD
+and
+.B PREROUTING
+chains, and user-defined chains which are only called from those
+chains. Note that the outgoing packets are
+.B NOT
+seen by any packet filtering chains, connection tracking or NAT, to
+avoid loops and other problems.
diff --git a/extensions/libipt_NETMAP.man b/extensions/libipt_NETMAP.man
new file mode 100644
index 00000000..d49a025d
--- /dev/null
+++ b/extensions/libipt_NETMAP.man
@@ -0,0 +1,9 @@
+This target allows you to statically map a whole network of addresses onto
+another network of addresses. It can only be used from rules in the
+.B nat
+table.
+.TP
+.BI "--to " "address[/mask]"
+Network address to map to. The resulting address will be constructed in the
+following way: All 'one' bits in the mask are filled in from the new `address'.
+All bits that are zero in the mask are filled in from the original address.
diff --git a/extensions/libipt_NOTRACK.man b/extensions/libipt_NOTRACK.man
new file mode 100644
index 00000000..30e830ad
--- /dev/null
+++ b/extensions/libipt_NOTRACK.man
@@ -0,0 +1,5 @@
+This target disables connection tracking for all packets matching that rule.
+.TP
+It can only be used in the
+.B raw
+table.
diff --git a/extensions/libipt_REDIRECT.man b/extensions/libipt_REDIRECT.man
new file mode 100644
index 00000000..19fa917c
--- /dev/null
+++ b/extensions/libipt_REDIRECT.man
@@ -0,0 +1,18 @@
+This target is only valid in the
+.B nat
+table, in the
+.B PREROUTING
+and
+.B OUTPUT
+chains, and user-defined chains which are only called from those
+chains. It alters the destination IP address to send the packet to
+the machine itself (locally-generated packets are mapped to the
+127.0.0.1 address). It takes one option:
+.TP
+.BR "--to-ports " "\fIport\fP[-\fIport\fP]"
+This specifies a destination port or range of ports to use: without
+this, the destination port is never altered. This is only valid
+if the rule also specifies
+.B "-p tcp"
+or
+.BR "-p udp" .
diff --git a/extensions/libipt_REJECT.man b/extensions/libipt_REJECT.man
new file mode 100644
index 00000000..174bf7b3
--- /dev/null
+++ b/extensions/libipt_REJECT.man
@@ -0,0 +1,34 @@
+This is used to send back an error packet in response to the matched
+packet: otherwise it is equivalent to
+.B DROP
+so it is a terminating TARGET, ending rule traversal.
+This target is only valid in the
+.BR INPUT ,
+.B FORWARD
+and
+.B OUTPUT
+chains, and user-defined chains which are only called from those
+chains. The following option controls the nature of the error packet
+returned:
+.TP
+.BI "--reject-with " "type"
+The type given can be
+.nf
+.B " icmp-net-unreachable"
+.B " icmp-host-unreachable"
+.B " icmp-port-unreachable"
+.B " icmp-proto-unreachable"
+.B " icmp-net-prohibited"
+.B " icmp-host-prohibited or"
+.B " icmp-admin-prohibited (*)"
+.fi
+which return the appropriate ICMP error message (\fBport-unreachable\fP is
+the default). The option
+.B tcp-reset
+can be used on rules which only match the TCP protocol: this causes a
+TCP RST packet to be sent back. This is mainly useful for blocking
+.I ident
+(113/tcp) probes which frequently occur when sending mail to broken mail
+hosts (which won't accept your mail otherwise).
+.TP
+(*) Using icmp-admin-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT
diff --git a/extensions/libipt_ROUTE.man b/extensions/libipt_ROUTE.man
new file mode 100644
index 00000000..dae1cb5f
--- /dev/null
+++ b/extensions/libipt_ROUTE.man
@@ -0,0 +1,15 @@
+This is used to explicitly override the core network stack's routing decision.
+.B mangle
+table.
+.TP
+.BI "--oif " "ifname"
+Route the packet through `ifname' network interface
+.TP
+.BI "--iif " "ifname"
+Change the packet's incoming interface to `ifname'
+.TP
+.BI "--gw " "IP_address"
+Route the packet via this gateway
+.TP
+.BI "--continue "
+Behave like a non-terminating target and continue traversing the rules. Not valid in combination with `--iif'
diff --git a/extensions/libipt_SNAT.man b/extensions/libipt_SNAT.man
new file mode 100644
index 00000000..4cc03970
--- /dev/null
+++ b/extensions/libipt_SNAT.man
@@ -0,0 +1,26 @@
+This target is only valid in the
+.B nat
+table, in the
+.B POSTROUTING
+chain. It specifies that the source address of the packet should be
+modified (and all future packets in this connection will also be
+mangled), and rules should cease being examined. It takes one type
+of option:
+.TP
+.BR "--to-source " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
+which can specify a single new source IP address, an inclusive range
+of IP addresses, and optionally, a port range (which is only valid if
+the rule also specifies
+.B "-p tcp"
+or
+.BR "-p udp" ).
+If no port range is specified, then source ports below 512 will be
+mapped to other ports below 512: those between 512 and 1023 inclusive
+will be mapped to ports below 1024, and other ports will be mapped to
+1024 or above. Where possible, no port alteration will occur.
+.RS
+.PP
+You can add several --to-source options. If you specify more
+than one source address, either via an address range or multiple
+--to-source options, a simple round-robin (one after another in
+cycle) takes place between these adresses.
diff --git a/extensions/libipt_TCPMSS.man b/extensions/libipt_TCPMSS.man
new file mode 100644
index 00000000..da1bce2d
--- /dev/null
+++ b/extensions/libipt_TCPMSS.man
@@ -0,0 +1,38 @@
+This target allows to alter the MSS value of TCP SYN packets, to control
+the maximum size for that connection (usually limiting it to your
+outgoing interface's MTU minus 40). Of course, it can only be used
+in conjunction with
+.BR "-p tcp" .
+.br
+This target is used to overcome criminally braindead ISPs or servers
+which block ICMP Fragmentation Needed packets. The symptoms of this
+problem are that everything works fine from your Linux
+firewall/router, but machines behind it can never exchange large
+packets:
+.PD 0
+.RS 0.1i
+.TP 0.3i
+1)
+Web browsers connect, then hang with no data received.
+.TP
+2)
+Small mail works fine, but large emails hang.
+.TP
+3)
+ssh works fine, but scp hangs after initial handshaking.
+.RE
+.PD
+Workaround: activate this option and add a rule to your firewall
+configuration like:
+.nf
+ iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \\
+ -j TCPMSS --clamp-mss-to-pmtu
+.fi
+.TP
+.BI "--set-mss " "value"
+Explicitly set MSS option to specified value.
+.TP
+.B "--clamp-mss-to-pmtu"
+Automatically clamp MSS value to (path_MTU - 40).
+.TP
+These options are mutually exclusive.
diff --git a/extensions/libipt_TOS.man b/extensions/libipt_TOS.man
new file mode 100644
index 00000000..c31b068d
--- /dev/null
+++ b/extensions/libipt_TOS.man
@@ -0,0 +1,11 @@
+This is used to set the 8-bit Type of Service field in the IP header.
+It is only valid in the
+.B mangle
+table.
+.TP
+.BI "--set-tos " "tos"
+You can use a numeric TOS values, or use
+.nf
+ iptables -j TOS -h
+.fi
+to see the list of valid TOS names.
diff --git a/extensions/libipt_TRACE.man b/extensions/libipt_TRACE.man
new file mode 100644
index 00000000..549ab33b
--- /dev/null
+++ b/extensions/libipt_TRACE.man
@@ -0,0 +1,3 @@
+This target has no options. It just turns on
+.B packet tracing
+for all packets that match this rule.
diff --git a/extensions/libipt_TTL.man b/extensions/libipt_TTL.man
new file mode 100644
index 00000000..97c46c43
--- /dev/null
+++ b/extensions/libipt_TTL.man
@@ -0,0 +1,19 @@
+This is used to modify the IPv4 TTL header field. The TTL field determines
+how many hops (routers) a packet can traverse until it's time to live is
+exceeded.
+.TP
+Setting or incrementing the TTL field can potentially be very dangerous,
+so it should be avoided at any cost.
+.TP
+.B Don't ever set or increment the value on packets that leave your local network!
+.B mangle
+table.
+.TP
+.BI "--ttl-set " "value"
+Set the TTL value to `value'.
+.TP
+.BI "--ttl-dec " "value"
+Decrement the TTL value `value' times.
+.TP
+.BI "--ttl-inc " "value"
+Increment the TTL value `value' times.
diff --git a/extensions/libipt_ULOG.man b/extensions/libipt_ULOG.man
new file mode 100644
index 00000000..51aa619f
--- /dev/null
+++ b/extensions/libipt_ULOG.man
@@ -0,0 +1,27 @@
+This target provides userspace logging of matching packets. When this
+target is set for a rule, the Linux kernel will multicast this packet
+through a
+.IR netlink
+socket. One or more userspace processes may then subscribe to various
+multicast groups and receive the packets.
+Like LOG, this is a "non-terminating target", i.e. rule traversal
+continues at the next rule.
+.TP
+.BI "--ulog-nlgroup " "nlgroup"
+This specifies the netlink group (1-32) to which the packet is sent.
+Default value is 1.
+.TP
+.BI "--ulog-prefix " "prefix"
+Prefix log messages with the specified prefix; up to 32 characters
+long, and useful for distinguishing messages in the logs.
+.TP
+.BI "--ulog-cprange " "size"
+Number of bytes to be copied to userspace. A value of 0 always copies
+the entire packet, regardless of its size. Default is 0.
+.TP
+.BI "--ulog-qthreshold " "size"
+Number of packet to queue inside kernel. Setting this value to, e.g. 10
+accumulates ten packets inside the kernel and transmits them as one
+netlink multipart message to userspace. Default is 1 (for backwards
+compatibility).
+.br
diff --git a/extensions/libipt_addrtype.man b/extensions/libipt_addrtype.man
new file mode 100644
index 00000000..2c3bbab0
--- /dev/null
+++ b/extensions/libipt_addrtype.man
@@ -0,0 +1,37 @@
+This module matches packets based on their
+.B address type.
+Address types are used within the kernel networking stack and categorize
+addresses into various groups. The exact definition of that group depends on the specific layer three protocol.
+.TP
+The following address types are possible:
+.TP
+.BI "UNSPEC"
+an unspecified address (i.e. 0.0.0.0)
+.BI "UNICAST"
+an unicast address
+.BI "LOCAL"
+a local address
+.BI "BROADCAST"
+a broadcast address
+.BI "ANYCAST"
+an anycast packet
+.BI "MULTICAST"
+a multicast address
+.BI "BLACKHOLE"
+a blackhole address
+.BI "UNREACHABLE"
+an unreachable address
+.BI "PROHIBIT"
+a prohibited address
+.BI "THROW"
+FIXME
+.BI "NAT"
+FIXME
+.BI "XRESOLVE"
+FIXME
+.TP
+.BI "--src-type " "type"
+Matches if the source address is of given type
+.TP
+.BI "--dst-type " "type"
+Matches if the destination address is of given type
diff --git a/extensions/libipt_ah.man b/extensions/libipt_ah.man
new file mode 100644
index 00000000..97de1e19
--- /dev/null
+++ b/extensions/libipt_ah.man
@@ -0,0 +1,3 @@
+This module matches the SPIs in AH header of IPSec packets.
+.TP
+.BR "--ahspi " "[!] \fIspi\fP[:\fIspi\fP]"
diff --git a/extensions/libipt_condition.man b/extensions/libipt_condition.man
new file mode 100644
index 00000000..0fc51ffe
--- /dev/null
+++ b/extensions/libipt_condition.man
@@ -0,0 +1,4 @@
+This matches if a specific /proc filename is '0' or '1'.
+.TP
+.BI "--condition " "[!] filename"
+Match on boolean value stored in /proc/net/ipt_condition/filename file
diff --git a/extensions/libipt_conntrack.man b/extensions/libipt_conntrack.man
new file mode 100644
index 00000000..b732b28e
--- /dev/null
+++ b/extensions/libipt_conntrack.man
@@ -0,0 +1,49 @@
+This module, when combined with connection tracking, allows access to
+more connection tracking information than the "state" match.
+(this module is present only if iptables was compiled under a kernel
+supporting this feature)
+.TP
+.BI "--ctstate " "state"
+Where state is a comma separated list of the connection states to
+match. Possible states are
+.B INVALID
+meaning that the packet is associated with no known connection,
+.B ESTABLISHED
+meaning that the packet is associated with a connection which has seen
+packets in both directions,
+.B NEW
+meaning that the packet has started a new connection, or otherwise
+associated with a connection which has not seen packets in both
+directions, and
+.B RELATED
+meaning that the packet is starting a new connection, but is
+associated with an existing connection, such as an FTP data transfer,
+or an ICMP error.
+.B SNAT
+A virtual state, matching if the original source address differs from
+the reply destination.
+.B DNAT
+A virtual state, matching if the original destination differs from the
+reply source.
+.TP
+.BI "--ctproto " "proto"
+Protocol to match (by number or name)
+.TP
+.BI "--ctorigsrc " "[!] \fIaddress\fP[/\fImask\fP]"
+Match against original source address
+.TP
+.BI "--ctorigdst " "[!] \fIaddress\fP[/\fImask\fP]"
+Match against original destination address
+.TP
+.BI "--ctreplsrc " "[!] \fIaddress\fP[/\fImask\fP]"
+Match against reply source address
+.TP
+.BI "--ctrepldst " "[!] \fIaddress\fB[/\fImask\fP]"
+Match against reply destination address
+.TP
+.BI "--ctstatus " "[\fINONE|EXPECTED|SEEN_REPLY|ASSURED\fP][,...]"
+Match against internal conntrack states
+.TP
+.BI "--ctexpire " "\fItime\fP[\fI:time\fP]"
+Match remaining lifetime in seconds against given value
+or range of values (inclusive)
diff --git a/extensions/libipt_dscp.man b/extensions/libipt_dscp.man
new file mode 100644
index 00000000..4a842101
--- /dev/null
+++ b/extensions/libipt_dscp.man
@@ -0,0 +1,10 @@
+This module matches the 6 bit DSCP field within the TOS field in the
+IP header. DSCP has superseded TOS within the IETF.
+.TP
+.BI "--dscp " "value"
+Match against a numeric (decimal or hex) value [0-32].
+.TP
+.BI "--dscp-class " "\fIDiffServ Class\fP"
+Match the DiffServ class. This value may be any of the
+BE, EF, AFxx or CSx classes. It will then be converted
+into it's according numeric value.
diff --git a/extensions/libipt_dstlimit.man b/extensions/libipt_dstlimit.man
new file mode 100644
index 00000000..e4a4a5ab
--- /dev/null
+++ b/extensions/libipt_dstlimit.man
@@ -0,0 +1,35 @@
+This module allows you to limit the packet per second (pps) rate on a per
+destination IP or per destination port base. As opposed to the `limit' match,
+every destination ip / destination port has it's own limit.
+.TP
+.BI "--dstlimit " "avg"
+Maximum average match rate (packets per second unless followed by /sec /minute /hour /day postfixes).
+.TP
+.BI "--dstlimit-mode " "mode"
+The limiting hashmode. Is the specified limit per
+.B dstip, dstip-dstport
+tuple,
+.B srcip-dstip
+tuple, or per
+.B srcipdstip-dstport
+tuple.
+.TP
+.BI "--dstlimit-name " "name"
+Name for /proc/net/ipt_dstlimit/* file entry
+.TP
+.BI "[" "--dstlimit-burst " "burst" "]"
+Number of packets to match in a burst. Default: 5
+.TP
+.BI "[" "--dstlimit-htable-size " "size" "]"
+Number of buckets in the hashtable
+.TP
+.BI "[" "--dstlimit-htable-max " "max" "]"
+Maximum number of entries in the hashtable
+.TP
+.BI "[" "--dstlimit-htable-gcinterval " "interval" "]"
+Interval between garbage collection runs of the hashtable (in miliseconds).
+Default is 1000 (1 second).
+.TP
+.BI "[" "--dstlimit-htable-expire " "time"
+After which time are idle entries expired from hashtable (in miliseconds)?
+Default is 10000 (10 seconds).
diff --git a/extensions/libipt_ecn.man b/extensions/libipt_ecn.man
new file mode 100644
index 00000000..8ecfef59
--- /dev/null
+++ b/extensions/libipt_ecn.man
@@ -0,0 +1,11 @@
+This allows you to match the ECN bits of the IPv4 and TCP header. ECN is the Explicit Congestion Notification mechanism as specified in RFC3168
+.TP
+.BI "--ecn-tcp-cwr"
+This matches if the TCP ECN CWR (Congestion Window Received) bit is set.
+.TP
+.BI "--ecn-tcp-ece"
+This matches if the TCP ECN ECE (ECN Echo) bit is set.
+.TP
+.BI "--ecn-ip-ect " "num"
+This matches a particular IPv4 ECT (ECN-Capable Transport). You have to specify
+a number between `0' and `3'.
diff --git a/extensions/libipt_esp.man b/extensions/libipt_esp.man
new file mode 100644
index 00000000..7b84368d
--- /dev/null
+++ b/extensions/libipt_esp.man
@@ -0,0 +1,3 @@
+This module matches the SPIs in ESP header of IPSec packets.
+.TP
+.BR "--espspi " "[!] \fIspi\fP[:\fIspi\fP]"
diff --git a/extensions/libipt_fuzzy.man b/extensions/libipt_fuzzy.man
new file mode 100644
index 00000000..270c8d62
--- /dev/null
+++ b/extensions/libipt_fuzzy.man
@@ -0,0 +1,7 @@
+This module matches a rate limit based on a fuzzy logic controller [FLC]
+.TP
+.BI "--lower-limit "number"
+Specifies the lower limit (in packets per second).
+.TP
+.BI "--upper-limit " "number"
+Specifies the upper limit (in packets per second).
diff --git a/extensions/libipt_helper.man b/extensions/libipt_helper.man
new file mode 100644
index 00000000..c3221ad8
--- /dev/null
+++ b/extensions/libipt_helper.man
@@ -0,0 +1,11 @@
+This module matches packets related to a specific conntrack-helper.
+.TP
+.BI "--helper " "string"
+Matches packets related to the specified conntrack-helper.
+.RS
+.PP
+string can be "ftp" for packets related to a ftp-session on default port.
+For other ports append -portnr to the value, ie. "ftp-2121".
+.PP
+Same rules apply for other conntrack-helpers.
+.RE
diff --git a/extensions/libipt_icmp.man b/extensions/libipt_icmp.man
new file mode 100644
index 00000000..5b91514d
--- /dev/null
+++ b/extensions/libipt_icmp.man
@@ -0,0 +1,9 @@
+This extension is loaded if `--protocol icmp' is specified. It
+provides the following option:
+.TP
+.BR "--icmp-type " "[!] \fItypename\fP"
+This allows specification of the ICMP type, which can be a numeric
+ICMP type, or one of the ICMP type names shown by the command
+.nf
+ iptables -p icmp -h
+.fi
diff --git a/extensions/libipt_iprange.man b/extensions/libipt_iprange.man
new file mode 100644
index 00000000..57e1cff1
--- /dev/null
+++ b/extensions/libipt_iprange.man
@@ -0,0 +1,7 @@
+This matches on a given arbitrary range of IPv4 addresses
+.TP
+.BI "[!]" "--src-range " "ip-ip"
+Match source IP in the specified range.
+.TP
+.BI "[!]" "--dst-range " "ip-ip"
+Match destination IP in the specified range.
diff --git a/extensions/libipt_length.man b/extensions/libipt_length.man
new file mode 100644
index 00000000..72a6b5dc
--- /dev/null
+++ b/extensions/libipt_length.man
@@ -0,0 +1,4 @@
+This module matches the length of a packet against a specific value
+or range of values.
+.TP
+.BR "--length " "\fIlength\fP[:\fIlength\fP]"
diff --git a/extensions/libipt_limit.man b/extensions/libipt_limit.man
new file mode 100644
index 00000000..84b63d4e
--- /dev/null
+++ b/extensions/libipt_limit.man
@@ -0,0 +1,15 @@
+This module matches at a limited rate using a token bucket filter.
+A rule using this extension will match until this limit is reached
+(unless the `!' flag is used). It can be used in combination with the
+.B LOG
+target to give limited logging, for example.
+.TP
+.BI "--limit " "rate"
+Maximum average matching rate: specified as a number, with an optional
+`/second', `/minute', `/hour', or `/day' suffix; the default is
+3/hour.
+.TP
+.BI "--limit-burst " "number"
+Maximum initial number of packets to match: this number gets
+recharged by one every time the limit specified above is not reached,
+up to this number; the default is 5.
diff --git a/extensions/libipt_mac.man b/extensions/libipt_mac.man
new file mode 100644
index 00000000..5321ca1c
--- /dev/null
+++ b/extensions/libipt_mac.man
@@ -0,0 +1,10 @@
+.TP
+.BR "--mac-source " "[!] \fIaddress\fP"
+Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX.
+Note that this only makes sense for packets coming from an Ethernet device
+and entering the
+.BR PREROUTING ,
+.B FORWARD
+or
+.B INPUT
+chains.
diff --git a/extensions/libipt_mark.man b/extensions/libipt_mark.man
new file mode 100644
index 00000000..05f8e1ec
--- /dev/null
+++ b/extensions/libipt_mark.man
@@ -0,0 +1,9 @@
+This module matches the netfilter mark field associated with a packet
+(which can be set using the
+.B MARK
+target below).
+.TP
+.BR "--mark " "\fIvalue\fP[/\fImask\fP]"
+Matches packets with the given unsigned mark value (if a mask is
+specified, this is logically ANDed with the mask before the
+comparison).
diff --git a/extensions/libipt_mport.man b/extensions/libipt_mport.man
new file mode 100644
index 00000000..cead84e7
--- /dev/null
+++ b/extensions/libipt_mport.man
@@ -0,0 +1,19 @@
+This module matches a set of source or destination ports. Up to 15
+ports can be specified. It can only be used in conjunction with
+.B "-p tcp"
+or
+.BR "-p udp" .
+.TP
+.BR "--source-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
+Match if the source port is one of the given ports. The flag
+.B --sports
+is a convenient alias for this option.
+.TP
+.BR "--destination-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
+Match if the destination port is one of the given ports. The flag
+.B --dports
+is a convenient alias for this option.
+.TP
+.BR "--ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
+Match if the both the source and destination ports are equal to each
+other and to one of the given ports.
diff --git a/extensions/libipt_multiport.man b/extensions/libipt_multiport.man
new file mode 100644
index 00000000..cead84e7
--- /dev/null
+++ b/extensions/libipt_multiport.man
@@ -0,0 +1,19 @@
+This module matches a set of source or destination ports. Up to 15
+ports can be specified. It can only be used in conjunction with
+.B "-p tcp"
+or
+.BR "-p udp" .
+.TP
+.BR "--source-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
+Match if the source port is one of the given ports. The flag
+.B --sports
+is a convenient alias for this option.
+.TP
+.BR "--destination-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
+Match if the destination port is one of the given ports. The flag
+.B --dports
+is a convenient alias for this option.
+.TP
+.BR "--ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
+Match if the both the source and destination ports are equal to each
+other and to one of the given ports.
diff --git a/extensions/libipt_nth.man b/extensions/libipt_nth.man
new file mode 100644
index 00000000..d215fd55
--- /dev/null
+++ b/extensions/libipt_nth.man
@@ -0,0 +1,14 @@
+This module matches every `n'th packet
+.TP
+.BI "--every " "value"
+Match every `value' packet
+.TP
+.BI "[" "--counter " "num" "]"
+Use internal counter number `num'. Default is `0'.
+.TP
+.BI "[" "--start " "num" "]"
+Initialize the counter at the number `num' insetad of `0'. Most between `0'
+and `value'-1.
+.TP
+.BI "[" "--packet " "num" "]"
+Match on `num' packet. Most be between `0' and `value'-1.
diff --git a/extensions/libipt_owner.man b/extensions/libipt_owner.man
new file mode 100644
index 00000000..1394aca6
--- /dev/null
+++ b/extensions/libipt_owner.man
@@ -0,0 +1,26 @@
+This module attempts to match various characteristics of the packet
+creator, for locally-generated packets. It is only valid in the
+.B OUTPUT
+chain, and even this some packets (such as ICMP ping responses) may
+have no owner, and hence never match.
+.TP
+.BI "--uid-owner " "userid"
+Matches if the packet was created by a process with the given
+effective user id.
+.TP
+.BI "--gid-owner " "groupid"
+Matches if the packet was created by a process with the given
+effective group id.
+.TP
+.BI "--pid-owner " "processid"
+Matches if the packet was created by a process with the given
+process id.
+.TP
+.BI "--sid-owner " "sessionid"
+Matches if the packet was created by a process in the given session
+group.
+.TP
+.BI "--cmd-owner " "name"
+Matches if the packet was created by a process with the given command name.
+(this option is present only if iptables was compiled under a kernel
+supporting this feature)
diff --git a/extensions/libipt_physdev.man b/extensions/libipt_physdev.man
new file mode 100644
index 00000000..846ec7c1
--- /dev/null
+++ b/extensions/libipt_physdev.man
@@ -0,0 +1,42 @@
+This module matches on the bridge port input and output devices enslaved
+to a bridge device. This module is a part of the infrastructure that enables
+a transparent bridging IP firewall and is only useful for kernel versions
+above version 2.5.44.
+.TP
+.B --physdev-in name
+Name of a bridge port via which a packet is received (only for
+packets entering the
+.BR INPUT ,
+.B FORWARD
+and
+.B PREROUTING
+chains). If the interface name ends in a "+", then any
+interface which begins with this name will match. If the packet didn't arrive
+through a bridge device, this packet won't match this option, unless '!' is used.
+.TP
+.B --physdev-out name
+Name of a bridge port via which a packet is going to be sent (for packets
+entering the
+.BR FORWARD ,
+.B OUTPUT
+and
+.B POSTROUTING
+chains). If the interface name ends in a "+", then any
+interface which begins with this name will match. Note that in the
+.BR nat " and " mangle
+.B OUTPUT
+chains one cannot match on the bridge output port, however one can in the
+.B "filter OUTPUT"
+chain. If the packet won't leave by a bridge device or it is yet unknown what
+the output device will be, then the packet won't match this option, unless
+'!' is used.
+.TP
+.B --physdev-is-in
+Matches if the packet has entered through a bridge interface.
+.TP
+.B --physdev-is-out
+Matches if the packet will leave through a bridge interface.
+.TP
+.B --physdev-is-bridged
+Matches if the packet is being bridged and therefore is not being routed.
+This is only useful in the FORWARD and POSTROUTING chains.
diff --git a/extensions/libipt_pkttype.man b/extensions/libipt_pkttype.man
new file mode 100644
index 00000000..b52810b7
--- /dev/null
+++ b/extensions/libipt_pkttype.man
@@ -0,0 +1,3 @@
+This module matches the link-layer packet type.
+.TP
+.BI "--pkt-type " "[\fIunicast\fP|\fIbroadcast\fP|\fImulticast\fP]"
diff --git a/extensions/libipt_random.man b/extensions/libipt_random.man
new file mode 100644
index 00000000..f808a779
--- /dev/null
+++ b/extensions/libipt_random.man
@@ -0,0 +1,4 @@
+This module randomly matches a certain percentage of all packets.
+.TP
+.BI "--average " "percent"
+Matches the given percentage. If omitted, a probability of 50% is set.
diff --git a/extensions/libipt_realm.man b/extensions/libipt_realm.man
new file mode 100644
index 00000000..55e67fcf
--- /dev/null
+++ b/extensions/libipt_realm.man
@@ -0,0 +1,5 @@
+This matches the routing realm. Routing realms are used in complex routing
+setups involving dynamic routing protocols like BGP.
+.TP
+.BI "--realm " "[!]" "value[/mask]"
+Matches a given realm number (and optionally mask).
diff --git a/extensions/libipt_state.man b/extensions/libipt_state.man
new file mode 100644
index 00000000..71078680
--- /dev/null
+++ b/extensions/libipt_state.man
@@ -0,0 +1,21 @@
+This module, when combined with connection tracking, allows access to
+the connection tracking state for this packet.
+.TP
+.BI "--state " "state"
+Where state is a comma separated list of the connection states to
+match. Possible states are
+.B INVALID
+meaning that the packet could not be identified for some reason which
+includes running out of memory and ICMP errors which don't correspond to any
+known connection,
+.B ESTABLISHED
+meaning that the packet is associated with a connection which has seen
+packets in both directions,
+.B NEW
+meaning that the packet has started a new connection, or otherwise
+associated with a connection which has not seen packets in both
+directions, and
+.B RELATED
+meaning that the packet is starting a new connection, but is
+associated with an existing connection, such as an FTP data transfer,
+or an ICMP error.
diff --git a/extensions/libipt_tcp.man b/extensions/libipt_tcp.man
new file mode 100644
index 00000000..48a068fa
--- /dev/null
+++ b/extensions/libipt_tcp.man
@@ -0,0 +1,49 @@
+These extensions are loaded if `--protocol tcp' is specified. It
+provides the following options:
+.TP
+.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
+Source port or port range specification. This can either be a service
+name or a port number. An inclusive range can also be specified,
+using the format
+.IR port : port .
+If the first port is omitted, "0" is assumed; if the last is omitted,
+"65535" is assumed.
+If the second port greater then the first they will be swapped.
+The flag
+.B --sport
+is a convenient alias for this option.
+.TP
+.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
+Destination port or port range specification. The flag
+.B --dport
+is a convenient alias for this option.
+.TP
+.BR "--tcp-flags " "[!] \fImask\fP \fIcomp\fP"
+Match when the TCP flags are as specified. The first argument is the
+flags which we should examine, written as a comma-separated list, and
+the second argument is a comma-separated list of flags which must be
+set. Flags are:
+.BR "SYN ACK FIN RST URG PSH ALL NONE" .
+Hence the command
+.nf
+ iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
+.fi
+will only match packets with the SYN flag set, and the ACK, FIN and
+RST flags unset.
+.TP
+.B "[!] --syn"
+Only match TCP packets with the SYN bit set and the ACK and RST bits
+cleared. Such packets are used to request TCP connection initiation;
+for example, blocking such packets coming in an interface will prevent
+incoming TCP connections, but outgoing TCP connections will be
+unaffected.
+It is equivalent to \fB--tcp-flags SYN,RST,ACK SYN\fP.
+If the "!" flag precedes the "--syn", the sense of the
+option is inverted.
+.TP
+.BR "--tcp-option " "[!] \fInumber\fP"
+Match if TCP option set.
+.TP
+.BR "--mss " "\fIvalue\fP[:\fIvalue\fP]"
+Match TCP SYN or SYN/ACK packets with the specified MSS value (or range),
+which control the maximum packet size for that connection.
diff --git a/extensions/libipt_tcpmss.man b/extensions/libipt_tcpmss.man
new file mode 100644
index 00000000..5115d6b9
--- /dev/null
+++ b/extensions/libipt_tcpmss.man
@@ -0,0 +1,4 @@
+This matches the TCP MSS (maximum segment size) field of the TCP header. You can only use this on TCP SYN or SYN/ACK packets, since the MSS is only negotiated during the TCP handshake at connection startup time.
+.TP
+.BI "[!] "--mss " "value[:value]"
+Match a given TCP MSS value or range.
diff --git a/extensions/libipt_time.man b/extensions/libipt_time.man
new file mode 100644
index 00000000..0871ecfa
--- /dev/null
+++ b/extensions/libipt_time.man
@@ -0,0 +1,10 @@
+This matches if the current time is within a given range.
+.TP
+.BI "--timestart " "value"
+Match only if it is after `value' (Format: HH:MM).
+.TP
+.BI "--timestop " "value"
+Match only if it is before `value' (Format: HH:MM).
+.TP
+.BI "--days " "listofdays"
+Match only if today is one of the given days. (Format: Mon,Tue,Wed,Thu,Fri)
diff --git a/extensions/libipt_tos.man b/extensions/libipt_tos.man
new file mode 100644
index 00000000..c612b299
--- /dev/null
+++ b/extensions/libipt_tos.man
@@ -0,0 +1,9 @@
+This module matches the 8 bits of Type of Service field in the IP
+header (ie. including the precedence bits).
+.TP
+.BI "--tos " "tos"
+The argument is either a standard name, (use
+.br
+ iptables -m tos -h
+.br
+to see the list), or a numeric value to match.
diff --git a/extensions/libipt_ttl.man b/extensions/libipt_ttl.man
new file mode 100644
index 00000000..f043c79a
--- /dev/null
+++ b/extensions/libipt_ttl.man
@@ -0,0 +1,10 @@
+This module matches the time to live field in the IP header.
+.TP
+.BI "--ttl-eq " "ttl"
+Matches the given TTL value.
+.TP
+.BI "--ttl-gt " "ttl"
+Matches if TTL is greater than the given TTL value.
+.TP
+.BI "--ttl-lt " "ttl"
+Matches if TTL is less than the given TTL value.
diff --git a/extensions/libipt_udp.man b/extensions/libipt_udp.man
new file mode 100644
index 00000000..04084797
--- /dev/null
+++ b/extensions/libipt_udp.man
@@ -0,0 +1,14 @@
+These extensions are loaded if `--protocol udp' is specified. It
+provides the following options:
+.TP
+.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
+Source port or port range specification.
+See the description of the
+.B --source-port
+option of the TCP extension for details.
+.TP
+.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
+Destination port or port range specification.
+See the description of the
+.B --destination-port
+option of the TCP extension for details.
diff --git a/extensions/libipt_unclean.man b/extensions/libipt_unclean.man
new file mode 100644
index 00000000..3fecd554
--- /dev/null
+++ b/extensions/libipt_unclean.man
@@ -0,0 +1,2 @@
+This module takes no options, but attempts to match packets which seem
+malformed or unusual. This is regarded as experimental.
diff --git a/ip6tables.8 b/ip6tables.8.in
index 53a310cd..6d3f56cd 100644
--- a/ip6tables.8
+++ b/ip6tables.8.in
@@ -372,371 +372,11 @@ The following are included in the base package, and most of these can
be preceded by a
.B !
to invert the sense of the match.
-.SS tcp
-These extensions are loaded if `--protocol tcp' is specified. It
-provides the following options:
-.TP
-.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
-Source port or port range specification. This can either be a service
-name or a port number. An inclusive range can also be specified,
-using the format
-.IR port : port .
-If the first port is omitted, "0" is assumed; if the last is omitted,
-"65535" is assumed.
-If the second port greater then the first they will be swapped.
-The flag
-.B --sport
-is a convenient alias for this option.
-.TP
-.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
-Destination port or port range specification. The flag
-.B --dport
-is a convenient alias for this option.
-.TP
-.BR "--tcp-flags " "[!] \fImask\fP \fIcomp\fP"
-Match when the TCP flags are as specified. The first argument is the
-flags which we should examine, written as a comma-separated list, and
-the second argument is a comma-separated list of flags which must be
-set. Flags are:
-.BR "SYN ACK FIN RST URG PSH ALL NONE" .
-Hence the command
-.nf
- ip6tables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
-.fi
-will only match packets with the SYN flag set, and the ACK, FIN and
-RST flags unset.
-.TP
-.B "[!] --syn"
-Only match TCP packets with the SYN bit set and the ACK and RST bits
-cleared. Such packets are used to request TCP connection initiation;
-for example, blocking such packets coming in an interface will prevent
-incoming TCP connections, but outgoing TCP connections will be
-unaffected.
-It is equivalent to \fB--tcp-flags SYN,RST,ACK SYN\fP.
-If the "!" flag precedes the "--syn", the sense of the
-option is inverted.
-.TP
-.BR "--tcp-option " "[!] \fInumber\fP"
-Match if TCP option set.
-.SS udp
-These extensions are loaded if `--protocol udp' is specified. It
-provides the following options:
-.TP
-.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
-Source port or port range specification.
-See the description of the
-.B --source-port
-option of the TCP extension for details.
-.TP
-.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
-Destination port or port range specification.
-See the description of the
-.B --destination-port
-option of the TCP extension for details.
-.SS ipv6-icmp
-This extension is loaded if `--protocol ipv6-icmp' or `--protocol icmpv6' is
-specified. It provides the following option:
-.TP
-.BR "--icmpv6-type " "[!] \fItypename\fP"
-This allows specification of the ICMP type, which can be a numeric
-IPv6-ICMP type, or one of the IPv6-ICMP type names shown by the command
-.nf
- ip6tables -p ipv6-icmp -h
-.fi
-.SS mac
-.TP
-.BR "--mac-source " "[!] \fIaddress\fP"
-Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX.
-Note that this only makes sense for packets coming from an Ethernet device
-and entering the
-.BR PREROUTING ,
-.B FORWARD
-or
-.B INPUT
-chains.
-.SS limit
-This module matches at a limited rate using a token bucket filter.
-A rule using this extension will match until this limit is reached
-(unless the `!' flag is used). It can be used in combination with the
-.B LOG
-target to give limited logging, for example.
-.TP
-.BI "--limit " "rate"
-Maximum average matching rate: specified as a number, with an optional
-`/second', `/minute', `/hour', or `/day' suffix; the default is
-3/hour.
-.TP
-.BI "--limit-burst " "number"
-Maximum initial number of packets to match: this number gets
-recharged by one every time the limit specified above is not reached,
-up to this number; the default is 5.
-.SS multiport
-This module matches a set of source or destination ports. Up to 15
-ports can be specified. It can only be used in conjunction with
-.B "-p tcp"
-or
-.BR "-p udp" .
-.TP
-.BR "--source-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
-Match if the source port is one of the given ports. The flag
-.B --sports
-is a convenient alias for this option.
-.TP
-.BR "--destination-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
-Match if the destination port is one of the given ports. The flag
-.B --dports
-is a convenient alias for this option.
-.TP
-.BR "--ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
-Match if the both the source and destination ports are equal to each
-other and to one of the given ports.
-.SS mark
-This module matches the netfilter mark field associated with a packet
-(which can be set using the
-.B MARK
-target below).
-.TP
-.BR "--mark " "\fIvalue\fP[/\fImask\fP]"
-Matches packets with the given unsigned mark value (if a mask is
-specified, this is logically ANDed with the mask before the
-comparison).
-.SS owner
-This module attempts to match various characteristics of the packet
-creator, for locally-generated packets. It is only valid in the
-.B OUTPUT
-chain, and even this some packets (such as ICMP ping responses) may
-have no owner, and hence never match. This is regarded as experimental.
-.TP
-.BI "--uid-owner " "userid"
-Matches if the packet was created by a process with the given
-effective user id.
-.TP
-.BI "--gid-owner " "groupid"
-Matches if the packet was created by a process with the given
-effective group id.
-.TP
-.BI "--pid-owner " "processid"
-Matches if the packet was created by a process with the given
-process id.
-.TP
-.BI "--sid-owner " "sessionid"
-Matches if the packet was created by a process in the given session
-group.
-.\" .SS state
-.\" This module, when combined with connection tracking, allows access to
-.\" the connection tracking state for this packet.
-.\" .TP
-.\" .BI "--state " "state"
-.\" Where state is a comma separated list of the connection states to
-.\" match. Possible states are
-.\" .B INVALID
-.\" meaning that the packet is associated with no known connection,
-.\" .B ESTABLISHED
-.\" meaning that the packet is associated with a connection which has seen
-.\" packets in both directions,
-.\" .B NEW
-.\" meaning that the packet has started a new connection, or otherwise
-.\" associated with a connection which has not seen packets in both
-.\" directions, and
-.\" .B RELATED
-.\" meaning that the packet is starting a new connection, but is
-.\" associated with an existing connection, such as an FTP data transfer,
-.\" or an ICMP error.
-.\" .SS unclean
-.\" This module takes no options, but attempts to match packets which seem
-.\" malformed or unusual. This is regarded as experimental.
-.\" .SS tos
-.\" This module matches the 8 bits of Type of Service field in the IP
-.\" header (ie. including the precedence bits).
-.\" .TP
-.\" .BI "--tos " "tos"
-.\" The argument is either a standard name, (use
-.\" .br
-.\" iptables -m tos -h
-.\" .br
-.\" to see the list), or a numeric value to match.
+.\" @MATCH@
.SH TARGET EXTENSIONS
ip6tables can use extended target modules: the following are included
in the standard distribution.
-.SS LOG
-Turn on kernel logging of matching packets. When this option is set
-for a rule, the Linux kernel will print some information on all
-matching packets (like most IPv6 IPv6-header fields) via the kernel log
-(where it can be read with
-.I dmesg
-or
-.IR syslogd (8)).
-This is a "non-terminating target", i.e. rule traversal continues at
-the next rule. So if you want to LOG the packets you refuse, use two
-separate rules with the same matching criteria, first using target LOG
-then DROP (or REJECT).
-.TP
-.BI "--log-level " "level"
-Level of logging (numeric or see \fIsyslog.conf\fP(5)).
-.TP
-.BI "--log-prefix " "prefix"
-Prefix log messages with the specified prefix; up to 29 letters long,
-and useful for distinguishing messages in the logs.
-.TP
-.B --log-tcp-sequence
-Log TCP sequence numbers. This is a security risk if the log is
-readable by users.
-.TP
-.B --log-tcp-options
-Log options from the TCP packet header.
-.TP
-.B --log-ip-options
-Log options from the IPv6 packet header.
-.SS MARK
-This is used to set the netfilter mark value associated with the
-packet. It is only valid in the
-.B mangle
-table.
-.TP
-.BI "--set-mark " "mark"
-.SS REJECT
-This is used to send back an error packet in response to the matched
-packet: otherwise it is equivalent to
-.B DROP
-so it is a terminating TARGET, ending rule traversal.
-This target is only valid in the
-.BR INPUT ,
-.B FORWARD
-and
-.B OUTPUT
-chains, and user-defined chains which are only called from those
-chains. The following option controls the nature of the error packet
-returned:
-.TP
-.BI "--reject-with " "type"
-The type given can be
-.nf
-.B " icmp6-no-route"
-.B " no-route"
-.B " icmp6-adm-prohibited"
-.B " adm-prohibited"
-.B " icmp6-addr-unreachable"
-.B " addr-unreach"
-.B " icmp6-port-unreachable"
-.B " port-unreach"
-.fi
-which return the appropriate IPv6-ICMP error message (\fBport-unreach\fP is
-the default). Finally, the option
-.B tcp-reset
-can be used on rules which only match the TCP protocol: this causes a
-TCP RST packet to be sent back. This is mainly useful for blocking
-.I ident
-(113/tcp) probes which frequently occur when sending mail to broken mail
-hosts (which won't accept your mail otherwise).
-.\" .SS TOS
-.\" This is used to set the 8-bit Type of Service field in the IP header.
-.\" It is only valid in the
-.\" .B mangle
-.\" table.
-.\" .TP
-.\" .BI "--set-tos " "tos"
-.\" You can use a numeric TOS values, or use
-.\" .br
-.\" iptables -j TOS -h
-.\" .br
-.\" to see the list of valid TOS names.
-.\" .SS MIRROR
-.\" This is an experimental demonstration target which inverts the source
-.\" and destination fields in the IP header and retransmits the packet.
-.\" It is only valid in the
-.\" .BR INPUT ,
-.\" .B FORWARD
-.\" and
-.\" .B PREROUTING
-.\" chains, and user-defined chains which are only called from those
-.\" chains. Note that the outgoing packets are
-.\" .B NOT
-.\" seen by any packet filtering chains, connection tracking or NAT, to
-.\" avoid loops and other problems.
-.\" .SS SNAT
-.\" This target is only valid in the
-.\" .B nat
-.\" table, in the
-.\" .B POSTROUTING
-.\" chain. It specifies that the source address of the packet should be
-.\" modified (and all future packets in this connection will also be
-.\" mangled), and rules should cease being examined. It takes one option:
-.\" .TP
-.\" .BR "--to-source " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
-.\" which can specify a single new source IP address, an inclusive range
-.\" of IP addresses, and optionally, a port range (which is only valid if
-.\" the rule also specifies
-.\" .B "-p tcp"
-.\" or
-.\" .BR "-p udp" ).
-.\" If no port range is specified, then source ports below 512 will be
-.\" mapped to other ports below 512: those between 512 and 1023 inclusive
-.\" will be mapped to ports below 1024, and other ports will be mapped to
-.\" 1024 or above. Where possible, no port alteration will occur.
-.\" .SS DNAT
-.\" This target is only valid in the
-.\" .B nat
-.\" table, in the
-.\" .B PREROUTING
-.\" and
-.\" .B OUTPUT
-.\" chains, and user-defined chains which are only called from those
-.\" chains. It specifies that the destination address of the packet
-.\" should be modified (and all future packets in this connection will
-.\" also be mangled), and rules should cease being examined. It takes one
-.\" option:
-.\" .TP
-.\" .BR "--to-destination " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
-.\" which can specify a single new destination IP address, an inclusive
-.\" range of IP addresses, and optionally, a port range (which is only
-.\" valid if the rule also specifies
-.\" .B "-p tcp"
-.\" or
-.\" .BR "-p udp" ).
-.\" If no port range is specified, then the destination port will never be
-.\" modified.
-.\" .SS MASQUERADE
-.\" This target is only valid in the
-.\" .B nat
-.\" table, in the
-.\" .B POSTROUTING
-.\" chain. It should only be used with dynamically assigned IP (dialup)
-.\" connections: if you have a static IP address, you should use the SNAT
-.\" target. Masquerading is equivalent to specifying a mapping to the IP
-.\" address of the interface the packet is going out, but also has the
-.\" effect that connections are
-.\" .I forgotten
-.\" when the interface goes down. This is the correct behavior when the
-.\" next dialup is unlikely to have the same interface address (and hence
-.\" any established connections are lost anyway). It takes one option:
-.\" .TP
-.\" .BR "--to-ports " "\fIport\fP[-\fIport\fP]"
-.\" This specifies a range of source ports to use, overriding the default
-.\" .B SNAT
-.\" source port-selection heuristics (see above). This is only valid
-.\" if the rule also specifies
-.\" .B "-p tcp"
-.\" or
-.\" .BR "-p udp" .
-.\" .SS REDIRECT
-.\" This target is only valid in the
-.\" .B nat
-.\" table, in the
-.\" .B PREROUTING
-.\" and
-.\" .B OUTPUT
-.\" chains, and user-defined chains which are only called from those
-.\" chains. It alters the destination IP address to send the packet to
-.\" the machine itself (locally-generated packets are mapped to the
-.\" 127.0.0.1 address). It takes one option:
-.\" .TP
-.\" .BR "--to-ports " "\fIport\fP[-\fIport\fP]"
-.\" This specifies a destination port or range of ports to use: without
-.\" this, the destination port is never altered. This is only valid
-.\" if the rule also specifies
-.\" .B "-p tcp"
-.\" or
-.\" .BR "-p udp" .
+.\" @TARGET@
.SH DIAGNOSTICS
Various error messages are printed to standard error. The exit code
is 0 for correct functioning. Errors which appear to be caused by
diff --git a/iptables.8 b/iptables.8
deleted file mode 100644
index b79f1ece..00000000
--- a/iptables.8
+++ /dev/null
@@ -1,1072 +0,0 @@
-.TH IPTABLES 8 "Mar 09, 2002" "" ""
-.\"
-.\" Man page written by Herve Eychenne <rv@wallfire.org> (May 1999)
-.\" It is based on ipchains page.
-.\" TODO: add a word for protocol helpers (FTP, IRC, SNMP-ALG)
-.\"
-.\" ipchains page by Paul ``Rusty'' Russell March 1997
-.\" Based on the original ipfwadm man page by Jos Vos <jos@xos.nl>
-.\"
-.\" This program is free software; you can redistribute it and/or modify
-.\" it under the terms of the GNU General Public License as published by
-.\" the Free Software Foundation; either version 2 of the License, or
-.\" (at your option) any later version.
-.\"
-.\" This program is distributed in the hope that it will be useful,
-.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
-.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-.\" GNU General Public License for more details.
-.\"
-.\" You should have received a copy of the GNU General Public License
-.\" along with this program; if not, write to the Free Software
-.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-.\"
-.\"
-.SH NAME
-iptables \- administration tool for IPv4 packet filtering and NAT
-.SH SYNOPSIS
-.BR "iptables [-t table] -[AD] " "chain rule-specification [options]"
-.br
-.BR "iptables [-t table] -I " "chain [rulenum] rule-specification [options]"
-.br
-.BR "iptables [-t table] -R " "chain rulenum rule-specification [options]"
-.br
-.BR "iptables [-t table] -D " "chain rulenum [options]"
-.br
-.BR "iptables [-t table] -[LFZ] " "[chain] [options]"
-.br
-.BR "iptables [-t table] -N " "chain"
-.br
-.BR "iptables [-t table] -X " "[chain]"
-.br
-.BR "iptables [-t table] -P " "chain target [options]"
-.br
-.BR "iptables [-t table] -E " "old-chain-name new-chain-name"
-.SH DESCRIPTION
-.B Iptables
-is used to set up, maintain, and inspect the tables of IP packet
-filter rules in the Linux kernel. Several different tables
-may be defined. Each table contains a number of built-in
-chains and may also contain user-defined chains.
-
-Each chain is a list of rules which can match a set of packets. Each
-rule specifies what to do with a packet that matches. This is called
-a `target', which may be a jump to a user-defined chain in the same
-table.
-
-.SH TARGETS
-A firewall rule specifies criteria for a packet, and a target. If the
-packet does not match, the next rule in the chain is the examined; if
-it does match, then the next rule is specified by the value of the
-target, which can be the name of a user-defined chain or one of the
-special values
-.IR ACCEPT ,
-.IR DROP ,
-.IR QUEUE ,
-or
-.IR RETURN .
-.PP
-.I ACCEPT
-means to let the packet through.
-.I DROP
-means to drop the packet on the floor.
-.I QUEUE
-means to pass the packet to userspace (if supported by the kernel).
-.I RETURN
-means stop traversing this chain and resume at the next rule in the
-previous (calling) chain. If the end of a built-in chain is reached
-or a rule in a built-in chain with target
-.I RETURN
-is matched, the target specified by the chain policy determines the
-fate of the packet.
-.SH TABLES
-There are currently three independent tables (which tables are present
-at any time depends on the kernel configuration options and which
-modules are present).
-.TP
-.BI "-t, --table " "table"
-This option specifies the packet matching table which the command
-should operate on. If the kernel is configured with automatic module
-loading, an attempt will be made to load the appropriate module for
-that table if it is not already there.
-
-The tables are as follows:
-.RS
-.TP .4i
-.BR "filter" :
-This is the default table (if no -t option is passed). It contains
-the built-in chains
-.B INPUT
-(for packets coming into the box itself),
-.B FORWARD
-(for packets being routed through the box), and
-.B OUTPUT
-(for locally-generated packets).
-.TP
-.BR "nat" :
-This table is consulted when a packet that creates a new
-connection is encountered. It consists of three built-ins:
-.B PREROUTING
-(for altering packets as soon as they come in),
-.B OUTPUT
-(for altering locally-generated packets before routing), and
-.B POSTROUTING
-(for altering packets as they are about to go out).
-.TP
-.BR "mangle" :
-This table is used for specialized packet alteration. Until kernel
-2.4.17 it had two built-in chains:
-.B PREROUTING
-(for altering incoming packets before routing) and
-.B OUTPUT
-(for altering locally-generated packets before routing).
-Since kernel 2.4.18, three other built-in chains are also supported:
-.B INPUT
-(for packets coming into the box itself),
-.B FORWARD
-(for altering packets being routed through the box), and
-.B POSTROUTING
-(for altering packets as they are about to go out).
-.RE
-.SH OPTIONS
-The options that are recognized by
-.B iptables
-can be divided into several different groups.
-.SS COMMANDS
-These options specify the specific action to perform. Only one of them
-can be specified on the command line unless otherwise specified
-below. For all the long versions of the command and option names, you
-need to use only enough letters to ensure that
-.B iptables
-can differentiate it from all other options.
-.TP
-.BI "-A, --append " "chain rule-specification"
-Append one or more rules to the end of the selected chain.
-When the source and/or destination names resolve to more than one
-address, a rule will be added for each possible address combination.
-.TP
-.BI "-D, --delete " "chain rule-specification"
-.ns
-.TP
-.BI "-D, --delete " "chain rulenum"
-Delete one or more rules from the selected chain. There are two
-versions of this command: the rule can be specified as a number in the
-chain (starting at 1 for the first rule) or a rule to match.
-.TP
-.BR "-I, --insert " "\fIchain\fP [\fIrulenum\fP] \fIrule-specification\fP"
-Insert one or more rules in the selected chain as the given rule
-number. So, if the rule number is 1, the rule or rules are inserted
-at the head of the chain. This is also the default if no rule number
-is specified.
-.TP
-.BI "-R, --replace " "chain rulenum rule-specification"
-Replace a rule in the selected chain. If the source and/or
-destination names resolve to multiple addresses, the command will
-fail. Rules are numbered starting at 1.
-.TP
-.BR "-L, --list " "[\fIchain\fP]"
-List all rules in the selected chain. If no chain is selected, all
-chains are listed. As every other iptables command, it applies to the
-specified table (filter is the default), so NAT rules get listed by
-.nf
- iptables -t nat -n -L
-.fi
-Please note that it is often used with the
-.B -n
-option, in order to avoid long reverse DNS lookups.
-It is legal to specify the
-.B -Z
-(zero) option as well, in which case the chain(s) will be atomically
-listed and zeroed. The exact output is affected by the other
-arguments given. The exact rules are suppressed until you use
-.nf
- iptables -L -v
-.fi
-.TP
-.BR "-F, --flush " "[\fIchain\fP]"
-Flush the selected chain (all the chains in the table if none is given).
-This is equivalent to deleting all the rules one by one.
-.TP
-.BR "-Z, --zero " "[\fIchain\fP]"
-Zero the packet and byte counters in all chains. It is legal to
-specify the
-.B "-L, --list"
-(list) option as well, to see the counters immediately before they are
-cleared. (See above.)
-.TP
-.BI "-N, --new-chain " "chain"
-Create a new user-defined chain by the given name. There must be no
-target of that name already.
-.TP
-.BR "-X, --delete-chain " "[\fIchain\fP]"
-Delete the optional user-defined chain specified. There must be no references
-to the chain. If there are, you must delete or replace the referring
-rules before the chain can be deleted. If no argument is given, it
-will attempt to delete every non-builtin chain in the table.
-.TP
-.BI "-P, --policy " "chain target"
-Set the policy for the chain to the given target. See the section
-.B TARGETS
-for the legal targets. Only built-in (non-user-defined) chains can have
-policies, and neither built-in nor user-defined chains can be policy
-targets.
-.TP
-.BI "-E, --rename-chain " "old-chain new-chain"
-Rename the user specified chain to the user supplied name. This is
-cosmetic, and has no effect on the structure of the table.
-.TP
-.B -h
-Help.
-Give a (currently very brief) description of the command syntax.
-.SS PARAMETERS
-The following parameters make up a rule specification (as used in the
-add, delete, insert, replace and append commands).
-.TP
-.BR "-p, --protocol " "[!] \fIprotocol\fP"
-The protocol of the rule or of the packet to check.
-The specified protocol can be one of
-.IR tcp ,
-.IR udp ,
-.IR icmp ,
-or
-.IR all ,
-or it can be a numeric value, representing one of these protocols or a
-different one. A protocol name from /etc/protocols is also allowed.
-A "!" argument before the protocol inverts the
-test. The number zero is equivalent to
-.IR all .
-Protocol
-.I all
-will match with all protocols and is taken as default when this
-option is omitted.
-.TP
-.BR "-s, --source " "[!] \fIaddress\fP[/\fImask\fP]"
-Source specification.
-.I Address
-can be either a network name, a hostname (please note that specifying
-any name to be resolved with a remote query such as DNS is a really bad idea),
-a network IP address (with /mask), or a plain IP address.
-The
-.I mask
-can be either a network mask or a plain number,
-specifying the number of 1's at the left side of the network mask.
-Thus, a mask of
-.I 24
-is equivalent to
-.IR 255.255.255.0 .
-A "!" argument before the address specification inverts the sense of
-the address. The flag
-.B --src
-is an alias for this option.
-.TP
-.BR "-d, --destination " "[!] \fIaddress\fP[/\fImask\fP]"
-Destination specification.
-See the description of the
-.B -s
-(source) flag for a detailed description of the syntax. The flag
-.B --dst
-is an alias for this option.
-.TP
-.BI "-j, --jump " "target"
-This specifies the target of the rule; i.e., what to do if the packet
-matches it. The target can be a user-defined chain (other than the
-one this rule is in), one of the special builtin targets which decide
-the fate of the packet immediately, or an extension (see
-.B EXTENSIONS
-below). If this
-option is omitted in a rule, then matching the rule will have no
-effect on the packet's fate, but the counters on the rule will be
-incremented.
-.TP
-.BR "-i, --in-interface " "[!] \fIname\fP"
-Name of an interface via which a packet is going to be received (only for
-packets entering the
-.BR INPUT ,
-.B FORWARD
-and
-.B PREROUTING
-chains). When the "!" argument is used before the interface name, the
-sense is inverted. If the interface name ends in a "+", then any
-interface which begins with this name will match. If this option is
-omitted, any interface name will match.
-.TP
-.BR "-o, --out-interface " "[!] \fIname\fP"
-Name of an interface via which a packet is going to be sent (for packets
-entering the
-.BR FORWARD ,
-.B OUTPUT
-and
-.B POSTROUTING
-chains). When the "!" argument is used before the interface name, the
-sense is inverted. If the interface name ends in a "+", then any
-interface which begins with this name will match. If this option is
-omitted, any interface name will match.
-.TP
-.B "[!] " "-f, --fragment"
-This means that the rule only refers to second and further fragments
-of fragmented packets. Since there is no way to tell the source or
-destination ports of such a packet (or ICMP type), such a packet will
-not match any rules which specify them. When the "!" argument
-precedes the "-f" flag, the rule will only match head fragments, or
-unfragmented packets.
-.TP
-.BI "-c, --set-counters " "PKTS BYTES"
-This enables the administrator to initialize the packet and byte
-counters of a rule (during
-.B INSERT,
-.B APPEND,
-.B REPLACE
-operations).
-.SS "OTHER OPTIONS"
-The following additional options can be specified:
-.TP
-.B "-v, --verbose"
-Verbose output. This option makes the list command show the interface
-name, the rule options (if any), and the TOS masks. The packet and
-byte counters are also listed, with the suffix 'K', 'M' or 'G' for
-1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see
-the
-.B -x
-flag to change this).
-For appending, insertion, deletion and replacement, this causes
-detailed information on the rule or rules to be printed.
-.TP
-.B "-n, --numeric"
-Numeric output.
-IP addresses and port numbers will be printed in numeric format.
-By default, the program will try to display them as host names,
-network names, or services (whenever applicable).
-.TP
-.B "-x, --exact"
-Expand numbers.
-Display the exact value of the packet and byte counters,
-instead of only the rounded number in K's (multiples of 1000)
-M's (multiples of 1000K) or G's (multiples of 1000M). This option is
-only relevant for the
-.B -L
-command.
-.TP
-.B "--line-numbers"
-When listing rules, add line numbers to the beginning of each rule,
-corresponding to that rule's position in the chain.
-.TP
-.B "--modprobe=command"
-When adding or inserting rules into a chain, use
-.B command
-to load any necessary modules (targets, match extensions, etc).
-.SH MATCH EXTENSIONS
-iptables can use extended packet matching modules. These are loaded
-in two ways: implicitly, when
-.B -p
-or
-.B --protocol
-is specified, or with the
-.B -m
-or
-.B --match
-options, followed by the matching module name; after these, various
-extra command line options become available, depending on the specific
-module. You can specify multiple extended match modules in one line,
-and you can use the
-.B -h
-or
-.B --help
-options after the module has been specified to receive help specific
-to that module.
-
-The following are included in the base package, and most of these can
-be preceded by a
-.B !
-to invert the sense of the match.
-.SS ah
-This module matches the SPIs in AH header of IPSec packets.
-.TP
-.BR "--ahspi " "[!] \fIspi\fP[:\fIspi\fP]"
-.SS conntrack
-This module, when combined with connection tracking, allows access to
-more connection tracking information than the "state" match.
-(this module is present only if iptables was compiled under a kernel
-supporting this feature)
-.TP
-.BI "--ctstate " "state"
-Where state is a comma separated list of the connection states to
-match. Possible states are
-.B INVALID
-meaning that the packet is associated with no known connection,
-.B ESTABLISHED
-meaning that the packet is associated with a connection which has seen
-packets in both directions,
-.B NEW
-meaning that the packet has started a new connection, or otherwise
-associated with a connection which has not seen packets in both
-directions, and
-.B RELATED
-meaning that the packet is starting a new connection, but is
-associated with an existing connection, such as an FTP data transfer,
-or an ICMP error.
-.B SNAT
-A virtual state, matching if the original source address differs from
-the reply destination.
-.B DNAT
-A virtual state, matching if the original destination differs from the
-reply source.
-.TP
-.BI "--ctproto " "proto"
-Protocol to match (by number or name)
-.TP
-.BI "--ctorigsrc " "[!] \fIaddress\fP[/\fImask\fP]"
-Match against original source address
-.TP
-.BI "--ctorigdst " "[!] \fIaddress\fP[/\fImask\fP]"
-Match against original destination address
-.TP
-.BI "--ctreplsrc " "[!] \fIaddress\fP[/\fImask\fP]"
-Match against reply source address
-.TP
-.BI "--ctrepldst " "[!] \fIaddress\fB[/\fImask\fP]"
-Match against reply destination address
-.TP
-.BI "--ctstatus " "[\fINONE|EXPECTED|SEEN_REPLY|ASSURED\fP][,...]"
-Match against internal conntrack states
-.TP
-.BI "--ctexpire " "\fItime\fP[\fI:time\fP]"
-Match remaining lifetime in seconds against given value
-or range of values (inclusive)
-.SS dscp
-This module matches the 6 bit DSCP field within the TOS field in the
-IP header. DSCP has superseded TOS within the IETF.
-.TP
-.BI "--dscp " "value"
-Match against a numeric (decimal or hex) value [0-32].
-.TP
-.BI "--dscp-class " "\fIDiffServ Class\fP"
-Match the DiffServ class. This value may be any of the
-BE, EF, AFxx or CSx classes. It will then be converted
-into it's according numeric value.
-.SS esp
-This module matches the SPIs in ESP header of IPSec packets.
-.TP
-.BR "--espspi " "[!] \fIspi\fP[:\fIspi\fP]"
-.SS helper
-This module matches packets related to a specific conntrack-helper.
-.TP
-.BI "--helper " "string"
-Matches packets related to the specified conntrack-helper.
-.RS
-.PP
-string can be "ftp" for packets related to a ftp-session on default port.
-For other ports append -portnr to the value, ie. "ftp-2121".
-.PP
-Same rules apply for other conntrack-helpers.
-.RE
-.SS icmp
-This extension is loaded if `--protocol icmp' is specified. It
-provides the following option:
-.TP
-.BR "--icmp-type " "[!] \fItypename\fP"
-This allows specification of the ICMP type, which can be a numeric
-ICMP type, or one of the ICMP type names shown by the command
-.nf
- iptables -p icmp -h
-.fi
-.SS length
-This module matches the length of a packet against a specific value
-or range of values.
-.TP
-.BR "--length " "\fIlength\fP[:\fIlength\fP]"
-.SS limit
-This module matches at a limited rate using a token bucket filter.
-A rule using this extension will match until this limit is reached
-(unless the `!' flag is used). It can be used in combination with the
-.B LOG
-target to give limited logging, for example.
-.TP
-.BI "--limit " "rate"
-Maximum average matching rate: specified as a number, with an optional
-`/second', `/minute', `/hour', or `/day' suffix; the default is
-3/hour.
-.TP
-.BI "--limit-burst " "number"
-Maximum initial number of packets to match: this number gets
-recharged by one every time the limit specified above is not reached,
-up to this number; the default is 5.
-.SS mac
-.TP
-.BR "--mac-source " "[!] \fIaddress\fP"
-Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX.
-Note that this only makes sense for packets coming from an Ethernet device
-and entering the
-.BR PREROUTING ,
-.B FORWARD
-or
-.B INPUT
-chains.
-.SS mark
-This module matches the netfilter mark field associated with a packet
-(which can be set using the
-.B MARK
-target below).
-.TP
-.BR "--mark " "\fIvalue\fP[/\fImask\fP]"
-Matches packets with the given unsigned mark value (if a mask is
-specified, this is logically ANDed with the mask before the
-comparison).
-.SS multiport
-This module matches a set of source or destination ports. Up to 15
-ports can be specified. It can only be used in conjunction with
-.B "-p tcp"
-or
-.BR "-p udp" .
-.TP
-.BR "--source-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
-Match if the source port is one of the given ports. The flag
-.B --sports
-is a convenient alias for this option.
-.TP
-.BR "--destination-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
-Match if the destination port is one of the given ports. The flag
-.B --dports
-is a convenient alias for this option.
-.TP
-.BR "--ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
-Match if the both the source and destination ports are equal to each
-other and to one of the given ports.
-.SS owner
-This module attempts to match various characteristics of the packet
-creator, for locally-generated packets. It is only valid in the
-.B OUTPUT
-chain, and even this some packets (such as ICMP ping responses) may
-have no owner, and hence never match.
-.TP
-.BI "--uid-owner " "userid"
-Matches if the packet was created by a process with the given
-effective user id.
-.TP
-.BI "--gid-owner " "groupid"
-Matches if the packet was created by a process with the given
-effective group id.
-.TP
-.BI "--pid-owner " "processid"
-Matches if the packet was created by a process with the given
-process id.
-.TP
-.BI "--sid-owner " "sessionid"
-Matches if the packet was created by a process in the given session
-group.
-.TP
-.BI "--cmd-owner " "name"
-Matches if the packet was created by a process with the given command name.
-(this option is present only if iptables was compiled under a kernel
-supporting this feature)
-.SS physdev
-This module matches on the bridge port input and output devices enslaved
-to a bridge device. This module is a part of the infrastructure that enables
-a transparent bridging IP firewall and is only useful for kernel versions
-above version 2.5.44.
-.TP
-.B --physdev-in name
-Name of a bridge port via which a packet is received (only for
-packets entering the
-.BR INPUT ,
-.B FORWARD
-and
-.B PREROUTING
-chains). If the interface name ends in a "+", then any
-interface which begins with this name will match. If the packet didn't arrive
-through a bridge device, this packet won't match this option, unless '!' is used.
-.TP
-.B --physdev-out name
-Name of a bridge port via which a packet is going to be sent (for packets
-entering the
-.BR FORWARD ,
-.B OUTPUT
-and
-.B POSTROUTING
-chains). If the interface name ends in a "+", then any
-interface which begins with this name will match. Note that in the
-.BR nat " and " mangle
-.B OUTPUT
-chains one cannot match on the bridge output port, however one can in the
-.B "filter OUTPUT"
-chain. If the packet won't leave by a bridge device or it is yet unknown what
-the output device will be, then the packet won't match this option, unless
-'!' is used.
-.TP
-.B --physdev-is-in
-Matches if the packet has entered through a bridge interface.
-.TP
-.B --physdev-is-out
-Matches if the packet will leave through a bridge interface.
-.TP
-.B --physdev-is-bridged
-Matches if the packet is being bridged and therefore is not being routed.
-This is only useful in the FORWARD and POSTROUTING chains.
-.SS pkttype
-This module matches the link-layer packet type.
-.TP
-.BI "--pkt-type " "[\fIunicast\fP|\fIbroadcast\fP|\fImulticast\fP]"
-.SS state
-This module, when combined with connection tracking, allows access to
-the connection tracking state for this packet.
-.TP
-.BI "--state " "state"
-Where state is a comma separated list of the connection states to
-match. Possible states are
-.B INVALID
-meaning that the packet could not be identified for some reason which
-includes running out of memory and ICMP errors which don't correspond to any
-known connection,
-.B ESTABLISHED
-meaning that the packet is associated with a connection which has seen
-packets in both directions,
-.B NEW
-meaning that the packet has started a new connection, or otherwise
-associated with a connection which has not seen packets in both
-directions, and
-.B RELATED
-meaning that the packet is starting a new connection, but is
-associated with an existing connection, such as an FTP data transfer,
-or an ICMP error.
-.SS tcp
-These extensions are loaded if `--protocol tcp' is specified. It
-provides the following options:
-.TP
-.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
-Source port or port range specification. This can either be a service
-name or a port number. An inclusive range can also be specified,
-using the format
-.IR port : port .
-If the first port is omitted, "0" is assumed; if the last is omitted,
-"65535" is assumed.
-If the second port greater then the first they will be swapped.
-The flag
-.B --sport
-is a convenient alias for this option.
-.TP
-.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
-Destination port or port range specification. The flag
-.B --dport
-is a convenient alias for this option.
-.TP
-.BR "--tcp-flags " "[!] \fImask\fP \fIcomp\fP"
-Match when the TCP flags are as specified. The first argument is the
-flags which we should examine, written as a comma-separated list, and
-the second argument is a comma-separated list of flags which must be
-set. Flags are:
-.BR "SYN ACK FIN RST URG PSH ALL NONE" .
-Hence the command
-.nf
- iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
-.fi
-will only match packets with the SYN flag set, and the ACK, FIN and
-RST flags unset.
-.TP
-.B "[!] --syn"
-Only match TCP packets with the SYN bit set and the ACK and RST bits
-cleared. Such packets are used to request TCP connection initiation;
-for example, blocking such packets coming in an interface will prevent
-incoming TCP connections, but outgoing TCP connections will be
-unaffected.
-It is equivalent to \fB--tcp-flags SYN,RST,ACK SYN\fP.
-If the "!" flag precedes the "--syn", the sense of the
-option is inverted.
-.TP
-.BR "--tcp-option " "[!] \fInumber\fP"
-Match if TCP option set.
-.TP
-.BR "--mss " "\fIvalue\fP[:\fIvalue\fP]"
-Match TCP SYN or SYN/ACK packets with the specified MSS value (or range),
-which control the maximum packet size for that connection.
-.SS tos
-This module matches the 8 bits of Type of Service field in the IP
-header (ie. including the precedence bits).
-.TP
-.BI "--tos " "tos"
-The argument is either a standard name, (use
-.br
- iptables -m tos -h
-.br
-to see the list), or a numeric value to match.
-.SS ttl
-This module matches the time to live field in the IP header.
-.TP
-.BI "--ttl " "ttl"
-Matches the given TTL value.
-.SS udp
-These extensions are loaded if `--protocol udp' is specified. It
-provides the following options:
-.TP
-.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
-Source port or port range specification.
-See the description of the
-.B --source-port
-option of the TCP extension for details.
-.TP
-.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
-Destination port or port range specification.
-See the description of the
-.B --destination-port
-option of the TCP extension for details.
-.SS unclean
-This module takes no options, but attempts to match packets which seem
-malformed or unusual. This is regarded as experimental.
-.SH TARGET EXTENSIONS
-iptables can use extended target modules: the following are included
-in the standard distribution.
-.SS DNAT
-This target is only valid in the
-.B nat
-table, in the
-.B PREROUTING
-and
-.B OUTPUT
-chains, and user-defined chains which are only called from those
-chains. It specifies that the destination address of the packet
-should be modified (and all future packets in this connection will
-also be mangled), and rules should cease being examined. It takes one
-type of option:
-.TP
-.BR "--to-destination " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
-which can specify a single new destination IP address, an inclusive
-range of IP addresses, and optionally, a port range (which is only
-valid if the rule also specifies
-.B "-p tcp"
-or
-.BR "-p udp" ).
-If no port range is specified, then the destination port will never be
-modified.
-.RS
-.PP
-You can add several --to-destination options. If you specify more
-than one destination address, either via an address range or multiple
---to-destination options, a simple round-robin (one after another in
-cycle) load balancing takes place between these adresses.
-.SS DSCP
-This target allows to alter the value of the DSCP bits within the TOS
-header of the IPv4 packet. As this manipulates a packet, it can only
-be used in the mangle table.
-.TP
-.BI "--set-dscp " "value"
-Set the DSCP field to a numerical value (can be decimal or hex)
-.TP
-.BI "--set-dscp-class " "class"
-Set the DSCP field to a DiffServ class.
-.SS ECN
-This target allows to selectively work around known ECN blackholes.
-It can only be used in the mangle table.
-.TP
-.BI "--ecn-tcp-remove"
-Remove all ECN bits from the TCP header. Of course, it can only be used
-in conjunction with
-.BR "-p tcp" .
-.SS LOG
-Turn on kernel logging of matching packets. When this option is set
-for a rule, the Linux kernel will print some information on all
-matching packets (like most IP header fields) via the kernel log
-(where it can be read with
-.I dmesg
-or
-.IR syslogd (8)).
-This is a "non-terminating target", i.e. rule traversal continues at
-the next rule. So if you want to LOG the packets you refuse, use two
-separate rules with the same matching criteria, first using target LOG
-then DROP (or REJECT).
-.TP
-.BI "--log-level " "level"
-Level of logging (numeric or see \fIsyslog.conf\fP(5)).
-.TP
-.BI "--log-prefix " "prefix"
-Prefix log messages with the specified prefix; up to 29 letters long,
-and useful for distinguishing messages in the logs.
-.TP
-.B --log-tcp-sequence
-Log TCP sequence numbers. This is a security risk if the log is
-readable by users.
-.TP
-.B --log-tcp-options
-Log options from the TCP packet header.
-.TP
-.B --log-ip-options
-Log options from the IP packet header.
-.SS MARK
-This is used to set the netfilter mark value associated with the
-packet. It is only valid in the
-.B mangle
-table. It can for example be used in conjunction with iproute2.
-.TP
-.BI "--set-mark " "mark"
-.SS MASQUERADE
-This target is only valid in the
-.B nat
-table, in the
-.B POSTROUTING
-chain. It should only be used with dynamically assigned IP (dialup)
-connections: if you have a static IP address, you should use the SNAT
-target. Masquerading is equivalent to specifying a mapping to the IP
-address of the interface the packet is going out, but also has the
-effect that connections are
-.I forgotten
-when the interface goes down. This is the correct behavior when the
-next dialup is unlikely to have the same interface address (and hence
-any established connections are lost anyway). It takes one option:
-.TP
-.BR "--to-ports " "\fIport\fP[-\fIport\fP]"
-This specifies a range of source ports to use, overriding the default
-.B SNAT
-source port-selection heuristics (see above). This is only valid
-if the rule also specifies
-.B "-p tcp"
-or
-.BR "-p udp" .
-.SS MIRROR
-This is an experimental demonstration target which inverts the source
-and destination fields in the IP header and retransmits the packet.
-It is only valid in the
-.BR INPUT ,
-.B FORWARD
-and
-.B PREROUTING
-chains, and user-defined chains which are only called from those
-chains. Note that the outgoing packets are
-.B NOT
-seen by any packet filtering chains, connection tracking or NAT, to
-avoid loops and other problems.
-.SS REDIRECT
-This target is only valid in the
-.B nat
-table, in the
-.B PREROUTING
-and
-.B OUTPUT
-chains, and user-defined chains which are only called from those
-chains. It alters the destination IP address to send the packet to
-the machine itself (locally-generated packets are mapped to the
-127.0.0.1 address). It takes one option:
-.TP
-.BR "--to-ports " "\fIport\fP[-\fIport\fP]"
-This specifies a destination port or range of ports to use: without
-this, the destination port is never altered. This is only valid
-if the rule also specifies
-.B "-p tcp"
-or
-.BR "-p udp" .
-.SS REJECT
-This is used to send back an error packet in response to the matched
-packet: otherwise it is equivalent to
-.B DROP
-so it is a terminating TARGET, ending rule traversal.
-This target is only valid in the
-.BR INPUT ,
-.B FORWARD
-and
-.B OUTPUT
-chains, and user-defined chains which are only called from those
-chains. The following option controls the nature of the error packet
-returned:
-.TP
-.BI "--reject-with " "type"
-The type given can be
-.nf
-.B " icmp-net-unreachable"
-.B " icmp-host-unreachable"
-.B " icmp-port-unreachable"
-.B " icmp-proto-unreachable"
-.B " icmp-net-prohibited"
-.B " icmp-host-prohibited or"
-.B " icmp-admin-prohibited (*)"
-.fi
-which return the appropriate ICMP error message (\fBport-unreachable\fP is
-the default). The option
-.B tcp-reset
-can be used on rules which only match the TCP protocol: this causes a
-TCP RST packet to be sent back. This is mainly useful for blocking
-.I ident
-(113/tcp) probes which frequently occur when sending mail to broken mail
-hosts (which won't accept your mail otherwise).
-.TP
-(*) Using icmp-admin-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT
-.SS SNAT
-This target is only valid in the
-.B nat
-table, in the
-.B POSTROUTING
-chain. It specifies that the source address of the packet should be
-modified (and all future packets in this connection will also be
-mangled), and rules should cease being examined. It takes one type
-of option:
-.TP
-.BR "--to-source " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
-which can specify a single new source IP address, an inclusive range
-of IP addresses, and optionally, a port range (which is only valid if
-the rule also specifies
-.B "-p tcp"
-or
-.BR "-p udp" ).
-If no port range is specified, then source ports below 512 will be
-mapped to other ports below 512: those between 512 and 1023 inclusive
-will be mapped to ports below 1024, and other ports will be mapped to
-1024 or above. Where possible, no port alteration will occur.
-.RS
-.PP
-You can add several --to-source options. If you specify more
-than one source address, either via an address range or multiple
---to-source options, a simple round-robin (one after another in
-cycle) takes place between these adresses.
-.SS TCPMSS
-This target allows to alter the MSS value of TCP SYN packets, to control
-the maximum size for that connection (usually limiting it to your
-outgoing interface's MTU minus 40). Of course, it can only be used
-in conjunction with
-.BR "-p tcp" .
-.br
-This target is used to overcome criminally braindead ISPs or servers
-which block ICMP Fragmentation Needed packets. The symptoms of this
-problem are that everything works fine from your Linux
-firewall/router, but machines behind it can never exchange large
-packets:
-.PD 0
-.RS 0.1i
-.TP 0.3i
-1)
-Web browsers connect, then hang with no data received.
-.TP
-2)
-Small mail works fine, but large emails hang.
-.TP
-3)
-ssh works fine, but scp hangs after initial handshaking.
-.RE
-.PD
-Workaround: activate this option and add a rule to your firewall
-configuration like:
-.nf
- iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \\
- -j TCPMSS --clamp-mss-to-pmtu
-.fi
-.TP
-.BI "--set-mss " "value"
-Explicitly set MSS option to specified value.
-.TP
-.B "--clamp-mss-to-pmtu"
-Automatically clamp MSS value to (path_MTU - 40).
-.TP
-These options are mutually exclusive.
-.SS TOS
-This is used to set the 8-bit Type of Service field in the IP header.
-It is only valid in the
-.B mangle
-table.
-.TP
-.BI "--set-tos " "tos"
-You can use a numeric TOS values, or use
-.nf
- iptables -j TOS -h
-.fi
-to see the list of valid TOS names.
-.SS ULOG
-This target provides userspace logging of matching packets. When this
-target is set for a rule, the Linux kernel will multicast this packet
-through a
-.IR netlink
-socket. One or more userspace processes may then subscribe to various
-multicast groups and receive the packets.
-Like LOG, this is a "non-terminating target", i.e. rule traversal
-continues at the next rule.
-.TP
-.BI "--ulog-nlgroup " "nlgroup"
-This specifies the netlink group (1-32) to which the packet is sent.
-Default value is 1.
-.TP
-.BI "--ulog-prefix " "prefix"
-Prefix log messages with the specified prefix; up to 32 characters
-long, and useful for distinguishing messages in the logs.
-.TP
-.BI "--ulog-cprange " "size"
-Number of bytes to be copied to userspace. A value of 0 always copies
-the entire packet, regardless of its size. Default is 0.
-.TP
-.BI "--ulog-qthreshold " "size"
-Number of packet to queue inside kernel. Setting this value to, e.g. 10
-accumulates ten packets inside the kernel and transmits them as one
-netlink multipart message to userspace. Default is 1 (for backwards
-compatibility).
-.br
-.SH DIAGNOSTICS
-Various error messages are printed to standard error. The exit code
-is 0 for correct functioning. Errors which appear to be caused by
-invalid or abused command line parameters cause an exit code of 2, and
-other errors cause an exit code of 1.
-.SH BUGS
-Bugs? What's this? ;-)
-Well... the counters are not reliable on sparc64.
-.SH COMPATIBILITY WITH IPCHAINS
-This
-.B iptables
-is very similar to ipchains by Rusty Russell. The main difference is
-that the chains
-.B INPUT
-and
-.B OUTPUT
-are only traversed for packets coming into the local host and
-originating from the local host respectively. Hence every packet only
-passes through one of the three chains (except loopback traffic, which
-involves both INPUT and OUTPUT chains); previously a forwarded packet
-would pass through all three.
-.PP
-The other main difference is that
-.B -i
-refers to the input interface;
-.B -o
-refers to the output interface, and both are available for packets
-entering the
-.B FORWARD
-chain.
-.PP The various forms of NAT have been separated out;
-.B iptables
-is a pure packet filter when using the default `filter' table, with
-optional extension modules. This should simplify much of the previous
-confusion over the combination of IP masquerading and packet filtering
-seen previously. So the following options are handled differently:
-.nf
- -j MASQ
- -M -S
- -M -L
-.fi
-There are several other changes in iptables.
-.SH SEE ALSO
-.BR iptables-save (8),
-.BR iptables-restore (8),
-.BR ip6tables (8),
-.BR ip6tables-save (8),
-.BR ip6tables-restore (8).
-.P
-The packet-filtering-HOWTO details iptables usage for
-packet filtering, the NAT-HOWTO details NAT,
-the netfilter-extensions-HOWTO details the extensions that are
-not in the standard distribution,
-and the netfilter-hacking-HOWTO details the netfilter internals.
-.br
-See
-.BR "http://www.netfilter.org/" .
-.SH AUTHORS
-Rusty Russell wrote iptables, in early consultation with Michael
-Neuling.
-.PP
-Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet
-selection framework in iptables, then wrote the mangle table, the owner match,
-the mark stuff, and ran around doing cool stuff everywhere.
-.PP
-James Morris wrote the TOS target, and tos match.
-.PP
-Jozsef Kadlecsik wrote the REJECT target.
-.PP
-Harald Welte wrote the ULOG target, TTL, DSCP, ECN matches and targets.
-.PP
-The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Jozsef Kadlecsik,
-James Morris, Harald Welte and Rusty Russell.
-.PP
-Man page written by Herve Eychenne <rv@wallfire.org>.
-.\" .. and did I mention that we are incredibly cool people?
-.\" .. sexy, too ..
-.\" .. witty, charming, powerful ..
-.\" .. and most of all, modest ..
diff --git a/iptables.8.in b/iptables.8.in
new file mode 100644
index 00000000..3f36fd80
--- /dev/null
+++ b/iptables.8.in
@@ -0,0 +1,464 @@
+.TH IPTABLES 8 "Mar 09, 2002" "" ""
+.\"
+.\" Man page written by Herve Eychenne <rv@wallfire.org> (May 1999)
+.\" It is based on ipchains page.
+.\" TODO: add a word for protocol helpers (FTP, IRC, SNMP-ALG)
+.\"
+.\" ipchains page by Paul ``Rusty'' Russell March 1997
+.\" Based on the original ipfwadm man page by Jos Vos <jos@xos.nl>
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+iptables \- administration tool for IPv4 packet filtering and NAT
+.SH SYNOPSIS
+.BR "iptables [-t table] -[AD] " "chain rule-specification [options]"
+.br
+.BR "iptables [-t table] -I " "chain [rulenum] rule-specification [options]"
+.br
+.BR "iptables [-t table] -R " "chain rulenum rule-specification [options]"
+.br
+.BR "iptables [-t table] -D " "chain rulenum [options]"
+.br
+.BR "iptables [-t table] -[LFZ] " "[chain] [options]"
+.br
+.BR "iptables [-t table] -N " "chain"
+.br
+.BR "iptables [-t table] -X " "[chain]"
+.br
+.BR "iptables [-t table] -P " "chain target [options]"
+.br
+.BR "iptables [-t table] -E " "old-chain-name new-chain-name"
+.SH DESCRIPTION
+.B Iptables
+is used to set up, maintain, and inspect the tables of IP packet
+filter rules in the Linux kernel. Several different tables
+may be defined. Each table contains a number of built-in
+chains and may also contain user-defined chains.
+
+Each chain is a list of rules which can match a set of packets. Each
+rule specifies what to do with a packet that matches. This is called
+a `target', which may be a jump to a user-defined chain in the same
+table.
+
+.SH TARGETS
+A firewall rule specifies criteria for a packet, and a target. If the
+packet does not match, the next rule in the chain is the examined; if
+it does match, then the next rule is specified by the value of the
+target, which can be the name of a user-defined chain or one of the
+special values
+.IR ACCEPT ,
+.IR DROP ,
+.IR QUEUE ,
+or
+.IR RETURN .
+.PP
+.I ACCEPT
+means to let the packet through.
+.I DROP
+means to drop the packet on the floor.
+.I QUEUE
+means to pass the packet to userspace (if supported by the kernel).
+.I RETURN
+means stop traversing this chain and resume at the next rule in the
+previous (calling) chain. If the end of a built-in chain is reached
+or a rule in a built-in chain with target
+.I RETURN
+is matched, the target specified by the chain policy determines the
+fate of the packet.
+.SH TABLES
+There are currently three independent tables (which tables are present
+at any time depends on the kernel configuration options and which
+modules are present).
+.TP
+.BI "-t, --table " "table"
+This option specifies the packet matching table which the command
+should operate on. If the kernel is configured with automatic module
+loading, an attempt will be made to load the appropriate module for
+that table if it is not already there.
+
+The tables are as follows:
+.RS
+.TP .4i
+.BR "filter" :
+This is the default table (if no -t option is passed). It contains
+the built-in chains
+.B INPUT
+(for packets coming into the box itself),
+.B FORWARD
+(for packets being routed through the box), and
+.B OUTPUT
+(for locally-generated packets).
+.TP
+.BR "nat" :
+This table is consulted when a packet that creates a new
+connection is encountered. It consists of three built-ins:
+.B PREROUTING
+(for altering packets as soon as they come in),
+.B OUTPUT
+(for altering locally-generated packets before routing), and
+.B POSTROUTING
+(for altering packets as they are about to go out).
+.TP
+.BR "mangle" :
+This table is used for specialized packet alteration. Until kernel
+2.4.17 it had two built-in chains:
+.B PREROUTING
+(for altering incoming packets before routing) and
+.B OUTPUT
+(for altering locally-generated packets before routing).
+Since kernel 2.4.18, three other built-in chains are also supported:
+.B INPUT
+(for packets coming into the box itself),
+.B FORWARD
+(for altering packets being routed through the box), and
+.B POSTROUTING
+(for altering packets as they are about to go out).
+.RE
+.SH OPTIONS
+The options that are recognized by
+.B iptables
+can be divided into several different groups.
+.SS COMMANDS
+These options specify the specific action to perform. Only one of them
+can be specified on the command line unless otherwise specified
+below. For all the long versions of the command and option names, you
+need to use only enough letters to ensure that
+.B iptables
+can differentiate it from all other options.
+.TP
+.BI "-A, --append " "chain rule-specification"
+Append one or more rules to the end of the selected chain.
+When the source and/or destination names resolve to more than one
+address, a rule will be added for each possible address combination.
+.TP
+.BI "-D, --delete " "chain rule-specification"
+.ns
+.TP
+.BI "-D, --delete " "chain rulenum"
+Delete one or more rules from the selected chain. There are two
+versions of this command: the rule can be specified as a number in the
+chain (starting at 1 for the first rule) or a rule to match.
+.TP
+.BR "-I, --insert " "\fIchain\fP [\fIrulenum\fP] \fIrule-specification\fP"
+Insert one or more rules in the selected chain as the given rule
+number. So, if the rule number is 1, the rule or rules are inserted
+at the head of the chain. This is also the default if no rule number
+is specified.
+.TP
+.BI "-R, --replace " "chain rulenum rule-specification"
+Replace a rule in the selected chain. If the source and/or
+destination names resolve to multiple addresses, the command will
+fail. Rules are numbered starting at 1.
+.TP
+.BR "-L, --list " "[\fIchain\fP]"
+List all rules in the selected chain. If no chain is selected, all
+chains are listed. As every other iptables command, it applies to the
+specified table (filter is the default), so NAT rules get listed by
+.nf
+ iptables -t nat -n -L
+.fi
+Please note that it is often used with the
+.B -n
+option, in order to avoid long reverse DNS lookups.
+It is legal to specify the
+.B -Z
+(zero) option as well, in which case the chain(s) will be atomically
+listed and zeroed. The exact output is affected by the other
+arguments given. The exact rules are suppressed until you use
+.nf
+ iptables -L -v
+.fi
+.TP
+.BR "-F, --flush " "[\fIchain\fP]"
+Flush the selected chain (all the chains in the table if none is given).
+This is equivalent to deleting all the rules one by one.
+.TP
+.BR "-Z, --zero " "[\fIchain\fP]"
+Zero the packet and byte counters in all chains. It is legal to
+specify the
+.B "-L, --list"
+(list) option as well, to see the counters immediately before they are
+cleared. (See above.)
+.TP
+.BI "-N, --new-chain " "chain"
+Create a new user-defined chain by the given name. There must be no
+target of that name already.
+.TP
+.BR "-X, --delete-chain " "[\fIchain\fP]"
+Delete the optional user-defined chain specified. There must be no references
+to the chain. If there are, you must delete or replace the referring
+rules before the chain can be deleted. If no argument is given, it
+will attempt to delete every non-builtin chain in the table.
+.TP
+.BI "-P, --policy " "chain target"
+Set the policy for the chain to the given target. See the section
+.B TARGETS
+for the legal targets. Only built-in (non-user-defined) chains can have
+policies, and neither built-in nor user-defined chains can be policy
+targets.
+.TP
+.BI "-E, --rename-chain " "old-chain new-chain"
+Rename the user specified chain to the user supplied name. This is
+cosmetic, and has no effect on the structure of the table.
+.TP
+.B -h
+Help.
+Give a (currently very brief) description of the command syntax.
+.SS PARAMETERS
+The following parameters make up a rule specification (as used in the
+add, delete, insert, replace and append commands).
+.TP
+.BR "-p, --protocol " "[!] \fIprotocol\fP"
+The protocol of the rule or of the packet to check.
+The specified protocol can be one of
+.IR tcp ,
+.IR udp ,
+.IR icmp ,
+or
+.IR all ,
+or it can be a numeric value, representing one of these protocols or a
+different one. A protocol name from /etc/protocols is also allowed.
+A "!" argument before the protocol inverts the
+test. The number zero is equivalent to
+.IR all .
+Protocol
+.I all
+will match with all protocols and is taken as default when this
+option is omitted.
+.TP
+.BR "-s, --source " "[!] \fIaddress\fP[/\fImask\fP]"
+Source specification.
+.I Address
+can be either a network name, a hostname (please note that specifying
+any name to be resolved with a remote query such as DNS is a really bad idea),
+a network IP address (with /mask), or a plain IP address.
+The
+.I mask
+can be either a network mask or a plain number,
+specifying the number of 1's at the left side of the network mask.
+Thus, a mask of
+.I 24
+is equivalent to
+.IR 255.255.255.0 .
+A "!" argument before the address specification inverts the sense of
+the address. The flag
+.B --src
+is an alias for this option.
+.TP
+.BR "-d, --destination " "[!] \fIaddress\fP[/\fImask\fP]"
+Destination specification.
+See the description of the
+.B -s
+(source) flag for a detailed description of the syntax. The flag
+.B --dst
+is an alias for this option.
+.TP
+.BI "-j, --jump " "target"
+This specifies the target of the rule; i.e., what to do if the packet
+matches it. The target can be a user-defined chain (other than the
+one this rule is in), one of the special builtin targets which decide
+the fate of the packet immediately, or an extension (see
+.B EXTENSIONS
+below). If this
+option is omitted in a rule, then matching the rule will have no
+effect on the packet's fate, but the counters on the rule will be
+incremented.
+.TP
+.BR "-i, --in-interface " "[!] \fIname\fP"
+Name of an interface via which a packet is going to be received (only for
+packets entering the
+.BR INPUT ,
+.B FORWARD
+and
+.B PREROUTING
+chains). When the "!" argument is used before the interface name, the
+sense is inverted. If the interface name ends in a "+", then any
+interface which begins with this name will match. If this option is
+omitted, any interface name will match.
+.TP
+.BR "-o, --out-interface " "[!] \fIname\fP"
+Name of an interface via which a packet is going to be sent (for packets
+entering the
+.BR FORWARD ,
+.B OUTPUT
+and
+.B POSTROUTING
+chains). When the "!" argument is used before the interface name, the
+sense is inverted. If the interface name ends in a "+", then any
+interface which begins with this name will match. If this option is
+omitted, any interface name will match.
+.TP
+.B "[!] " "-f, --fragment"
+This means that the rule only refers to second and further fragments
+of fragmented packets. Since there is no way to tell the source or
+destination ports of such a packet (or ICMP type), such a packet will
+not match any rules which specify them. When the "!" argument
+precedes the "-f" flag, the rule will only match head fragments, or
+unfragmented packets.
+.TP
+.BI "-c, --set-counters " "PKTS BYTES"
+This enables the administrator to initialize the packet and byte
+counters of a rule (during
+.B INSERT,
+.B APPEND,
+.B REPLACE
+operations).
+.SS "OTHER OPTIONS"
+The following additional options can be specified:
+.TP
+.B "-v, --verbose"
+Verbose output. This option makes the list command show the interface
+name, the rule options (if any), and the TOS masks. The packet and
+byte counters are also listed, with the suffix 'K', 'M' or 'G' for
+1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see
+the
+.B -x
+flag to change this).
+For appending, insertion, deletion and replacement, this causes
+detailed information on the rule or rules to be printed.
+.TP
+.B "-n, --numeric"
+Numeric output.
+IP addresses and port numbers will be printed in numeric format.
+By default, the program will try to display them as host names,
+network names, or services (whenever applicable).
+.TP
+.B "-x, --exact"
+Expand numbers.
+Display the exact value of the packet and byte counters,
+instead of only the rounded number in K's (multiples of 1000)
+M's (multiples of 1000K) or G's (multiples of 1000M). This option is
+only relevant for the
+.B -L
+command.
+.TP
+.B "--line-numbers"
+When listing rules, add line numbers to the beginning of each rule,
+corresponding to that rule's position in the chain.
+.TP
+.B "--modprobe=command"
+When adding or inserting rules into a chain, use
+.B command
+to load any necessary modules (targets, match extensions, etc).
+.SH MATCH EXTENSIONS
+iptables can use extended packet matching modules. These are loaded
+in two ways: implicitly, when
+.B -p
+or
+.B --protocol
+is specified, or with the
+.B -m
+or
+.B --match
+options, followed by the matching module name; after these, various
+extra command line options become available, depending on the specific
+module. You can specify multiple extended match modules in one line,
+and you can use the
+.B -h
+or
+.B --help
+options after the module has been specified to receive help specific
+to that module.
+
+The following are included in the base package, and most of these can
+be preceded by a
+.B !
+to invert the sense of the match.
+.\" @MATCH@
+.SH TARGET EXTENSIONS
+iptables can use extended target modules: the following are included
+in the standard distribution.
+.\" @TARGET@
+.SH DIAGNOSTICS
+Various error messages are printed to standard error. The exit code
+is 0 for correct functioning. Errors which appear to be caused by
+invalid or abused command line parameters cause an exit code of 2, and
+other errors cause an exit code of 1.
+.SH BUGS
+Bugs? What's this? ;-)
+Well... the counters are not reliable on sparc64.
+.SH COMPATIBILITY WITH IPCHAINS
+This
+.B iptables
+is very similar to ipchains by Rusty Russell. The main difference is
+that the chains
+.B INPUT
+and
+.B OUTPUT
+are only traversed for packets coming into the local host and
+originating from the local host respectively. Hence every packet only
+passes through one of the three chains (except loopback traffic, which
+involves both INPUT and OUTPUT chains); previously a forwarded packet
+would pass through all three.
+.PP
+The other main difference is that
+.B -i
+refers to the input interface;
+.B -o
+refers to the output interface, and both are available for packets
+entering the
+.B FORWARD
+chain.
+.PP The various forms of NAT have been separated out;
+.B iptables
+is a pure packet filter when using the default `filter' table, with
+optional extension modules. This should simplify much of the previous
+confusion over the combination of IP masquerading and packet filtering
+seen previously. So the following options are handled differently:
+.nf
+ -j MASQ
+ -M -S
+ -M -L
+.fi
+There are several other changes in iptables.
+.SH SEE ALSO
+.BR iptables-save (8),
+.BR iptables-restore (8),
+.BR ip6tables (8),
+.BR ip6tables-save (8),
+.BR ip6tables-restore (8).
+.P
+The packet-filtering-HOWTO details iptables usage for
+packet filtering, the NAT-HOWTO details NAT,
+the netfilter-extensions-HOWTO details the extensions that are
+not in the standard distribution,
+and the netfilter-hacking-HOWTO details the netfilter internals.
+.br
+See
+.BR "http://www.netfilter.org/" .
+.SH AUTHORS
+Rusty Russell wrote iptables, in early consultation with Michael
+Neuling.
+.PP
+Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet
+selection framework in iptables, then wrote the mangle table, the owner match,
+the mark stuff, and ran around doing cool stuff everywhere.
+.PP
+James Morris wrote the TOS target, and tos match.
+.PP
+Jozsef Kadlecsik wrote the REJECT target.
+.PP
+Harald Welte wrote the ULOG target, TTL, DSCP, ECN matches and targets.
+.PP
+The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Jozsef Kadlecsik,
+James Morris, Harald Welte and Rusty Russell.
+.PP
+Man page written by Herve Eychenne <rv@wallfire.org>.
+.\" .. and did I mention that we are incredibly cool people?
+.\" .. sexy, too ..
+.\" .. witty, charming, powerful ..
+.\" .. and most of all, modest ..