summaryrefslogtreecommitdiffstats
path: root/iptables/ip6tables.8.in
Commit message (Collapse)AuthorAgeFilesLines
* doc: merge ip6table man pages into ipv4 onesFlorian Westphal2013-08-071-463/+0
| | | | | | | | | | | | | a couple of improvements to the iptables man page never made it into ip6tables version. The number of differences between these two files is so small that it seems preferable to alias the ipv6 man pages to their ipv4 counterpart and change iptables man page to specifically document differences (e.g. lack of ip6tables -f, etc). Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ip[6]tables: Add locking to prevent concurrent instancesPhil Oester2013-06-111-0/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There have been numerous complaints and bug reports over the years when admins attempt to run more than one instance of iptables simultaneously. Currently open bug reports which are related: 325: Parallel execution of the iptables is impossible 758: Retry iptables command on transient failure 764: Doing -Z twice in parallel breaks counters 822: iptables shows negative or other bad packet/byte counts As Patrick notes in 325: "Since this has been a problem people keep running into, I'd suggest to simply add some locking to iptables to catch the most common case." I started looking into alternatives to add locking, and of course the most common/obvious solution is to use a pidfile. But this has various downsides, such as if the application is terminated abnormally and the pidfile isn't cleaned up. And this also requires a writable filesystem. Using a UNIX domain socket file (e.g. in /var/run) has similar issues. Starting in 2.2, Linux added support for abstract sockets. These sockets require no filesystem, and automatically disappear once the application terminates. This is the locking solution I chose to implement in ip[6]tables. As an added bonus, since each network namespace has its own socket pool, an ip[6]tables instance running in one namespace will not lock out an ip[6]tables instance running in another namespace. A filesystem approach would have to recognize and handle multiple network namespaces. Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: use autoconf to process .in man pagesAndy Spencer2013-05-291-1/+1
| | | | | | | | | | | | | This fixes a bug in iptables.8 and ip6tables.8 where @PACKAGE_VERSION@ was not processed in the VERSION section. It also simplifies the Makefile by avoiding some sed commands. [ Mangled this patch to rename iptables-extensions.8.in to iptables-extensions.8.tmpl.in to avoid having a file whose name is terminated by .in.in --pablo ] Signed-off-by: Andy Spencer <andy753421@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: iptables provides up to 5 independent tablesPablo Neira Ayuso2013-02-171-1/+1
| | | | | | | | | This closes bugzilla: http://bugzilla.netfilter.org/show_bug.cgi?id=807 Reported-by: Quentin Armitage <quentin@armitage.org.uk> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: document nat table for IPv6Pablo Neira Ayuso2013-01-281-0/+7
| | | | | | Based on the IPv4 description. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: document the -4 and -6 optionsJan Engelhardt2013-01-071-0/+9
| | | | | Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: mention -m in the manpageJan Engelhardt2013-01-071-0/+7
| | | | | Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: mention iptables-apply in the SEE ALSO sectionsJan Engelhardt2012-09-301-0/+1
| | | | | References: http://bugs.debian.org/660748 Signed-off-by: Jan Engelhardt <jengelh@inai.de>
* doc: deduplicate extension descriptions into a new manpageJan Engelhardt2012-09-301-17/+3
| | | | | | | | | | iptables.8 and ip6tables.8 had pretty much the same content, with a few protocol-specific deviations here and there. Not only did that bloat the manpages, but it also made it harder to spot differences. Separate out the extension descriptions into a new manpage, which conveniently features differences next to one another (cf. REJECT). Signed-off-by: Jan Engelhardt <jengelh@inai.de>
* doc: clarification on the meaning of -p 0Jan Engelhardt2011-12-181-4/+12
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: the -m option cannot be invertedJan Engelhardt2011-07-041-3/+0
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: fix version string in ip6tables.8Jan Engelhardt2011-07-041-1/+1
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: mention multiple verbosity flagsJan Engelhardt2011-06-301-1/+2
| | | | | | | | "-vv" can be used to further increase the verbosity level. Document this. References: http://bugs.debian.org/616037 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: move all iptables pieces into a separate directoryJan Engelhardt2011-06-071-0/+440
(Unclutter top-level dir) Signed-off-by: Jan Engelhardt <jengelh@medozas.de>