Diffstat (limited to 'iptables/iptables.8.in')
-rw-r--r--  iptables/iptables.8.in  43
1 files changed, 23 insertions, 20 deletions
diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in
index f81c632f..21fb891d 100644
--- a/iptables/iptables.8.in
+++ b/iptables/iptables.8.in
@@ -45,15 +45,15 @@ iptables/ip6tables \(em administration tool for IPv4/IPv6 packet filtering and N
.PP
\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-X\fP [\fIchain\fP]
.PP
-\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-P\fP \fIchain target\fP
+\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-P\fP \fIchain policy\fP
.PP
\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-E\fP \fIold-chain-name new-chain-name\fP
.PP
-rule-specification = [\fImatches...\fP] [\fItarget\fP]
+rule-specification := [matches...] [target]
.PP
-match = \fB\-m\fP \fImatchname\fP [\fIper-match-options\fP]
+match := \fB\-m\fP \fImatchname\fP [per-match-options]
.PP
-target = \fB\-j\fP \fItargetname\fP [\fIper\-target\-options\fP]
+target := \fB\-j\fP \fItargetname\fP [per-target-options]
.SH DESCRIPTION
\fBIptables\fP and \fBip6tables\fP are used to set up, maintain, and inspect the
tables of IPv4 and IPv6 packet
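Review bot: style nit in the three grammar lines of this hunk: the new `rule-specification := [matches...] [target]` drops the italics from `matches...` and `target`, while `matchname` and `targetname` on the following two lines keep their `\fI...\fP`; keep the nonterminals consistently italic (e.g. `[\fImatches...\fP] [\fItarget\fP]`) or consistently roman. The `target` to `policy` rename in the `-P` synopsis is the right word for a chain policy; please make sure the `-P` entry in the options section uses the same term.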
@@ -125,8 +125,8 @@ This table is used mainly for configuring exemptions from connection
tracking in combination with the NOTRACK target. It registers at the netfilter
hooks with higher priority and is thus called before ip_conntrack, or any other
IP tables. It provides the following built-in chains: \fBPREROUTING\fP
-(for packets arriving via any network interface) \fBOUTPUT\fP
-(for packets generated by local processes)
+(for packets arriving via any network interface) and \fBOUTPUT\fP
+(for packets generated by local processes).
.TP
\fBsecurity\fP:
This table is used for Mandatory Access Control (MAC) networking rules, such
@@ -244,13 +244,13 @@ add, delete, insert, replace and append commands).
\fB\-4\fP, \fB\-\-ipv4\fP
This option has no effect in iptables and iptables-restore.
If a rule using the \fB\-4\fP option is inserted with (and only with)
-ip6tables-restore, it will be silently ignored. Any other uses will throw an
+\fBip6tables\-restore\fP, it will be silently ignored. Any other uses will throw an
error. This option allows IPv4 and IPv6 rules in a single rule file
for use with both iptables-restore and ip6tables-restore.
.TP
\fB\-6\fP, \fB\-\-ipv6\fP
If a rule using the \fB\-6\fP option is inserted with (and only with)
-iptables-restore, it will be silently ignored. Any other uses will throw an
+\fBiptables\-restore\fP, it will be silently ignored. Any other uses will throw an
error. This option allows IPv4 and IPv6 rules in a single rule file
for use with both iptables-restore and ip6tables-restore.
This option has no effect in ip6tables and ip6tables-restore.
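Review bot: the bolding of `\fBip6tables\-restore\fP` and `\fBiptables\-restore\fP` is applied only to the first mention in each entry; the remaining lines of both entries (`for use with both iptables-restore and ip6tables-restore.` and `This option has no effect in ip6tables and ip6tables-restore.`) still use plain, unescaped names. Either bold all program names in these two entries or none, and use `\-` for the hyphen in each so they render as an ASCII minus like the option names do.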
@@ -258,9 +258,9 @@ This option has no effect in ip6tables and ip6tables-restore.
[\fB!\fP] \fB\-p\fP, \fB\-\-protocol\fP \fIprotocol\fP
The protocol of the rule or of the packet to check.
The specified protocol can be one of \fBtcp\fP, \fBudp\fP, \fBudplite\fP,
-\fBicmp\fP, \fBicmpv6\fP,\fBesp\fP, \fBah\fP, \fBsctp\fP, \fBmh\fP or the special keyword "\fBall\fP",
+\fBicmp\fP, \fBicmpv6\fP, \fBesp\fP, \fBah\fP, \fBsctp\fP, \fBmh\fP or the special keyword "\fBall\fP",
or it can be a numeric value, representing one of these protocols or a
-different one. A protocol name from /etc/protocols is also allowed.
+different one. A protocol name from \fI/etc/protocols\fP is also allowed.
A "!" argument before the protocol inverts the
test. The number zero is equivalent to \fBall\fP. "\fBall\fP"
will match with all protocols and is taken as default when this
@@ -307,8 +307,8 @@ false, evaluation will stop.
This specifies the target of the rule; i.e., what to do if the packet
matches it. The target can be a user-defined chain (other than the
one this rule is in), one of the special builtin targets which decide
-the fate of the packet immediately, or an extension (see \fBEXTENSIONS\fP
-below). If this
+the fate of the packet immediately, or an extension (see \fBMATCH AND TARGET
+EXTENSIONS\fP below). If this
option is omitted in a rule (and \fB\-g\fP
is not used), then matching the rule will have no
effect on the packet's fate, but the counters on the rule will be
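Review bot: the new cross-reference `\fBMATCH AND TARGET` / `EXTENSIONS\fP below` points at a section heading that is not visible in this diff; please confirm a `.SH` heading with exactly that title exists in the file, since a "see ... below" pointer to a section that is not there is worse than the old generic one. Splitting the bold span across a line break is fine for groff, but keeping the title on one line makes it greppable.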
@@ -316,7 +316,7 @@ incremented.
.TP
\fB\-g\fP, \fB\-\-goto\fP \fIchain\fP
This specifies that the processing should continue in a user
-specified chain. Unlike the \-\-jump option return will not continue
+specified chain. Unlike with the \-\-jump option, \fBRETURN\fP will not continue
processing in this chain but instead in the chain that called us via
\-\-jump.
.TP
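Review bot: in the `\-\-goto` text, `\fBRETURN\fP` is now bold but `\-\-jump` on the same line and on the line after it stays plain; for consistency with how the page sets option names (`\fB\-\-goto\fP` in the same entry) write it as `\fB\-\-jump\fP` in both places.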
@@ -386,7 +386,7 @@ network names, or services (whenever applicable).
\fB\-x\fP, \fB\-\-exact\fP
Expand numbers.
Display the exact value of the packet and byte counters,
-instead of only the rounded number in K's (multiples of 1000)
+instead of only the rounded number in K's (multiples of 1000),
M's (multiples of 1000K) or G's (multiples of 1000M). This option is
only relevant for the \fB\-L\fP command.
.TP
@@ -410,13 +410,16 @@ the default setting.
iptables can use extended packet matching and target modules.
A list of these is available in the \fBiptables\-extensions\fP(8) manpage.
.SH DIAGNOSTICS
-Various error messages are printed to standard error. The exit code
-is 0 for correct functioning. Errors which appear to be caused by
-invalid or abused command line parameters cause an exit code of 2, and
+Various error messages are printed to standard error. The exit code is 0 for
+correct functioning. Errors which appear to be caused by invalid or abused
+command line parameters cause an exit code of 2. Errors which indicate an
+incompatibility between kernel and user space cause an exit code of 3. Errors
+which indicate a resource problem, such as a busy lock, failing memory
+allocation or error messages from kernel cause an exit code of 4. Finally,
other errors cause an exit code of 1.
.SH BUGS
Bugs? What's this? ;-)
-Well, you might want to have a look at http://bugzilla.netfilter.org/
+Well, you might want to have a look at https://bugzilla.netfilter.org/
\fBiptables\fP will exit immediately with an error code of 111 if it finds
that it was called as a setuid-to-root program.
iptables cannot be used safely in this manner because it trusts
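Review bot: the expanded DIAGNOSTICS text is the useful part of this change, because wrapper scripts and test harnesses branch on these exit codes, but "error messages from kernel" needs an article ("from the kernel"), and a four-way classification reads better as a `.TP` list keyed by exit code (0, 1, 2, 3, 4) than as one paragraph. Please also double-check that codes 3 and 4 match what the tool actually returns in those situations, since this paragraph documents a contract callers will rely on.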
@@ -438,7 +441,7 @@ entering the \fBFORWARD\fP chain.
.PP
The various forms of NAT have been separated out; \fBiptables\fP
is a pure packet filter when using the default `filter' table, with
-optional extension modules. This should simplify much of the previous
+optional extension modules. This should avoid much of the
confusion over the combination of IP masquerading and packet filtering
seen previously. So the following options are handled differently:
.nf
@@ -460,7 +463,7 @@ not in the standard distribution,
and the netfilter-hacking-HOWTO details the netfilter internals.
.br
See
-.BR "http://www.netfilter.org/" .
+.BR "https://www.netfilter.org/" .
.SH AUTHORS
Rusty Russell originally wrote iptables, in early consultation with Michael
Neuling.