From 9517bbf5b805df874dcc452dfeb2cc36a7bf1500 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Fri, 28 Sep 2012 09:57:56 +0200
Subject: doc: clean up interpunction in state list for xt_conntrack
Signed-off-by: Jan Engelhardt
---
 extensions/libxt_conntrack.man | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/extensions/libxt_conntrack.man b/extensions/libxt_conntrack.man
index c397f742..c0cd24fe 100644
--- a/extensions/libxt_conntrack.man
+++ b/extensions/libxt_conntrack.man
@@ -42,22 +42,22 @@ specified at all, matches packets in both directions.
 States for \fB\-\-ctstate\fP:
 .TP
 \fBINVALID\fP
-meaning that the packet is associated with no known connection
+The packet is associated with no known connection.
 .TP
 \fBNEW\fP
-meaning that the packet has started a new connection, or otherwise associated
-with a connection which has not seen packets in both directions, and
+The packet has started a new connection, or otherwise associated
+with a connection which has not seen packets in both directions.
 .TP
 \fBESTABLISHED\fP
-meaning that the packet is associated with a connection which has seen packets
-in both directions,
+The packet is associated with a connection which has seen packets
+in both directions.
 .TP
 \fBRELATED\fP
-meaning that the packet is starting a new connection, but is associated with an
+The packet is starting a new connection, but is associated with an
 existing connection, such as an FTP data transfer, or an ICMP error.
 .TP
 \fBUNTRACKED\fP
-meaning that the packet is not tracked at all, which happens if you use
+The packet is not tracked at all, which happens if you use
 the NOTRACK target in raw table.
 .TP
 \fBSNAT\fP
@@ -74,7 +74,7 @@ Statuses for \fB\-\-ctstatus\fP:
 None of the below.
 .TP
 \fBEXPECTED\fP
-This is an expected connection (i.e. a conntrack helper set it up)
+This is an expected connection (i.e. a conntrack helper set it up).
 .TP
 \fBSEEN_REPLY\fP
 Conntrack has seen packets in both directions.
--
cgit v1.2.3
From 4496801821c01e3934996b40e0012ddcb969a8df Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Fri, 28 Sep 2012 10:43:06 +0200
Subject: doc: deduplicate extension descriptions into a new manpage
iptables.8 and ip6tables.8 had pretty much the same content, with a few protocol-specific deviations here and there. Not only did that bloat the manpages, but it also made it harder to spot differences. Separate out the extension descriptions into a new manpage, which conveniently features differences next to one another (cf. REJECT).
Signed-off-by: Jan Engelhardt
---
 extensions/.gitignore | 4 ++--
 extensions/GNUmakefile.in | 35 +++++++++++++++--------------------
 iptables/.gitignore | 1 +
 iptables/Makefile.am | 16 +++++++++++-----
 iptables/ip6tables.8.in | 20 +++----------------
 iptables/iptables-extensions.8.in | 27 +++++++++++++++++++++++++++
 iptables/iptables.8.in | 22 ++++------------------
 7 files changed, 63 insertions(+), 62 deletions(-)
 create mode 100644 iptables/iptables-extensions.8.in
diff --git a/extensions/.gitignore b/extensions/.gitignore
index 2e74faf7..b1260f0b 100644
--- a/extensions/.gitignore
+++ b/extensions/.gitignore
@@ -5,5 +5,5 @@
 /GNUmakefile
 /initext.c
 /initext?.c
-/matches?.man
-/targets?.man
+/matches.man
+/targets.man
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index 0e7907e9..2e0921e4 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -56,9 +56,7 @@ pf6_solibs := $(patsubst %,libip6t_%.so,${pf6_build_mod})
 #
 # Building blocks
 #
-targets := libext.a libext4.a libext6.a \
- matches4.man matches6.man \
- targets4.man targets6.man
+targets := libext.a libext4.a libext6.a matches.man targets.man
 targets_install :=
 @ENABLE_STATIC_TRUE@ libext_objs := ${pfx_objs}
 @ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs}
@@ -77,7 +75,7 @@ install: ${targets_install}
 if test -n "${targets_install}"; then install -pm0755 $^ "${DESTDIR}${xtlibdir}/"; fi;
 clean:
- rm -f *.o *.oo *.so *.a {matches,targets}[46].man initext.c initext4.c initext6.c;
+ rm -f *.o *.oo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c;
 distclean: clean
 rm -f .*.d .*.dd;
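Review bot: The rewritten `clean` recipe still relies on brace expansion in `{matches,targets}.man`, which is a bash feature; under a POSIX `sh` the pattern is passed to `rm` literally and the two generated manpages are left behind. Now that the set has shrunk to exactly two known files, spelling them out removes the dependency on the shell: `rm -f *.o *.oo *.so *.a matches.man targets.man initext.c initext4.c initext6.c;`. Whether `SHELL` is pinned to bash elsewhere in this GNUmakefile.in is not visible in the hunk, so this may be harmless in practice but is fragile.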
@@ -202,30 +200,27 @@ man_run = \
 ${AM_VERBOSE_GEN} \
 for ext in $(sort ${1}); do \
 f="${srcdir}/libxt_$$ext.man"; \
- cf="${srcdir}/libxt_$$ext.c"; \
- if [ -f "$$f" ] && grep -Eq "$(3)|NFPROTO_UNSPEC" "$$cf"; then \
+ if [ -f "$$f" ]; then \
 echo -e "\t+ $$f" >&2; \
 echo ".SS $$ext"; \
 cat "$$f" || exit $$?; \
- continue; \
 fi; \
- f="${srcdir}/lib$(2)t_$$ext.man"; \
+ f="${srcdir}/libip6t_$$ext.man"; \
 if [ -f "$$f" ]; then \
 echo -e "\t+ $$f" >&2; \
- echo ".SS $$ext"; \
+ echo ".SS $$ext (IPv6-specific)"; \
+ cat "$$f" || exit $$?; \
+ fi; \
+ f="${srcdir}/libipt_$$ext.man"; \
+ if [ -f "$$f" ]; then \
+ echo -e "\t+ $$f" >&2; \
+ echo ".SS $$ext (IPv4-specific)"; \
 cat "$$f" || exit $$?; \
- continue; \
 fi; \
 done >$@;
-matches4.man: .initext.dd .initext4.dd $(wildcard ${srcdir}/lib*.man)
- $(call man_run,$(call ex_matches,${pfx_build_mod} ${pf4_build_mod}),ip,NFPROTO_IPV4)
-
-matches6.man: .initext.dd .initext6.dd $(wildcard ${srcdir}/lib*.man)
- $(call man_run,$(call ex_matches,${pfx_build_mod} ${pf6_build_mod}),ip6,NFPROTO_IPV6)
-
-targets4.man: .initext.dd .initext4.dd $(wildcard ${srcdir}/lib*.man)
- $(call man_run,$(call ex_targets,${pfx_build_mod} ${pf4_build_mod}),ip,NFPROTO_IPV4)
+matches.man: .initext.dd .initext4.dd .initext6.dd $(wildcard ${srcdir}/lib*.man)
+ $(call man_run,$(call ex_matches,${pfx_build_mod} ${pf4_build_mod} ${pf6_build_mod}))
-targets6.man: .initext.dd .initext6.dd $(wildcard ${srcdir}/lib*.man)
- $(call man_run,$(call ex_targets,${pfx_build_mod} ${pf6_build_mod}),ip6,NFPROTO_IPV6)
+targets.man: .initext.dd .initext4.dd .initext6.dd $(wildcard ${srcdir}/lib*.man)
+ $(call man_run,$(call ex_targets,${pfx_build_mod} ${pf4_build_mod} ${pf6_build_mod}))
diff --git a/iptables/.gitignore b/iptables/.gitignore
index 5a089376..4fc63aa4 100644
--- a/iptables/.gitignore
+++ b/iptables/.gitignore
@@ -5,6 +5,7 @@
 /ip6tables-static
 /iptables
 /iptables.8
+/iptables-extensions.8
 /iptables-save
 /iptables-restore
 /iptables-static
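Review bot: The loop still streams straight into the target via `done >$@;`, so when one of the `cat "$$f" || exit $$?` branches fails, `matches.man` or `targets.man` is left truncated but with a fresh timestamp, and the next `make` treats it as up to date unless `.DELETE_ON_ERROR:` is declared somewhere outside this hunk. Writing to a temporary name and renaming on success closes that gap: `done >$@.tmp && mv -f $@.tmp $@;`. Note also that with the `grep -Eq "$(3)|NFPROTO_UNSPEC"` filter gone, every `libxt_*.man` is emitted unconditionally and the IPv4/IPv6-specific labelling now depends solely on the `libipt_`/`libip6t_` file naming, which the commit message presents as intended but is worth a comment above the define. The `man_run` definition begins on the `@@` context line, outside the hunk.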
diff --git a/iptables/Makefile.am b/iptables/Makefile.am
index bdd4da11..61e78db9 100644
--- a/iptables/Makefile.am
+++ b/iptables/Makefile.am
@@ -27,7 +27,7 @@ xtables_multi_LDADD += ../libxtables/libxtables.la -lm
 sbin_PROGRAMS = xtables-multi
 man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \
 iptables-xml.1 ip6tables.8 ip6tables-restore.8 \
- ip6tables-save.8
+ ip6tables-save.8 iptables-extensions.8
 CLEANFILES = iptables.8 ip6tables.8
 vx_bin_links = iptables-xml
@@ -38,11 +38,17 @@ if ENABLE_IPV6
 v6_sbin_links = ip6tables ip6tables-restore ip6tables-save
 endif
-iptables.8: ${srcdir}/iptables.8.in ../extensions/matches4.man ../extensions/targets4.man
- ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r ../extensions/matches4.man' -e '/@TARGET@/ r ../extensions/targets4.man' $< >$@;
+iptables.8: ${srcdir}/iptables.8.in
+ ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' $< >$@;
-ip6tables.8: ${srcdir}/ip6tables.8.in ../extensions/matches6.man ../extensions/targets6.man
- ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r ../extensions/matches6.man' -e '/@TARGET@/ r ../extensions/targets6.man' $< >$@;
+ip6tables.8: ${srcdir}/ip6tables.8.in
+ ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' $< >$@;
+
+iptables-extensions.8: ${srcdir}/iptables-extensions.8.in ../extensions/matches.man ../extensions/targets.man
+ ${AM_VERBOSE_GEN} sed -e \
+ 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' \
+ -e '/@MATCH@/ r ../extensions/matches.man' \
+ -e '/@TARGET@/ r ../extensions/targets.man' $< >$@;
 pkgconfig_DATA = xtables.pc
diff --git a/iptables/ip6tables.8.in b/iptables/ip6tables.8.in
index 65f38646..edd092d7 100644
--- a/iptables/ip6tables.8.in
+++ b/iptables/ip6tables.8.in
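Review bot: The new `iptables-extensions.8` rule in the second hunk produces a generated file, but the `CLEANFILES = iptables.8 ip6tables.8` line, visible as unchanged context in the first hunk, is not extended, so `make clean` leaves it behind while the `.gitignore` addition hides it from `git status`. It should read `CLEANFILES = iptables.8 ip6tables.8 iptables-extensions.8`. The new recipe also writes directly with `$< >$@;` like the two it sits beside, so an interrupted or failing sed leaves a truncated manpage with a newer timestamp that later builds accept as current; `$< >$@.tmp && mv -f $@.tmp $@;` would avoid that, unless `.DELETE_ON_ERROR` is already in effect, which is not visible here.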
@@ -362,23 +362,8 @@ When adding or inserting rules into a chain, use \fIcommand\fP to load
 any necessary modules (targets, match extensions, etc).
 .SH MATCH EXTENSIONS
 .PP
-ip6tables can use extended packet matching modules
-with the \fB\-m\fP or \fB\-\-match\fP
-options, followed by the matching module name; after these, various
-extra command line options become available, depending on the specific
-module. You can specify multiple extended match modules in one line,
-and you can use the \fB\-h\fP or \fB\-\-help\fP
-options after the module has been specified to receive help specific
-to that module.
-.PP
-If the \fB\-p\fP or \fB\-\-protocol\fP was specified and if and only if an
-unknown option is encountered, ip6tables will try load a match module of the
-same name as the protocol, to try making the option available.
-.\" @MATCH@
-.SH TARGET EXTENSIONS
-ip6tables can use extended target modules: the following are included
-in the standard distribution.
-.\" @TARGET@
+iptables can use extended packet matching and target modules.
+A list of these is available in the \fBiptables\-extensions\fP(8) manpage.
 .SH DIAGNOSTICS
 Various error messages are printed to standard error. The exit code is 0 for correct functioning. Errors which appear to be caused by
@@ -405,6 +390,7 @@ There are several other changes in ip6tables.
 \fBip6tables\-save\fP(8),
 \fBip6tables\-restore\fP(8),
 \fBiptables\fP(8),
+\fBiptables\-extensions\fP(8),
 \fBiptables\-save\fP(8),
 \fBiptables\-restore\fP(8),
 \fBlibipq\fP(3).
diff --git a/iptables/iptables-extensions.8.in b/iptables/iptables-extensions.8.in
new file mode 100644
index 00000000..e02c81fb
--- /dev/null
+++ b/iptables/iptables-extensions.8.in
@@ -0,0 +1,27 @@
+.TH iptables-extensions 8 "" "@PACKAGE_AND_VERSION@" "@PACKAGE_AND_VERSION@"
+.SH NAME
+iptables-extensions \(em list of extensions in the standard iptables distribution
+.SH SYNOPSIS
+\fBip6tables\fP [\fB\-m\fP \fIname\fP [\fImodule-options\fP...]]
+[\fB\-j\fP \fItarget-name\fP [\fItarget-options\fP...]
+.PP
+\fBiptables\fP [\fB\-m\fP \fIname\fP [\fImodule-options\fP...]]
+[\fB\-j\fP \fItarget-name\fP [\fItarget-options\fP...]
+.SH MATCH EXTENSIONS
+iptables can use extended packet matching modules
+with the \fB\-m\fP or \fB\-\-match\fP
+options, followed by the matching module name; after these, various
+extra command line options become available, depending on the specific
+module. You can specify multiple extended match modules in one line,
+and you can use the \fB\-h\fP or \fB\-\-help\fP
+options after the module has been specified to receive help specific
+to that module.
+.PP
+If the \fB\-p\fP or \fB\-\-protocol\fP was specified and if and only if an
+unknown option is encountered, iptables will try load a match module of the
+same name as the protocol, to try making the option available.
+.\" @MATCH@
+.SH TARGET EXTENSIONS
+iptables can use extended target modules: the following are included
+in the standard distribution.
+.\" @TARGET@
diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in
index 59d6e040..48eb2fa1 100644
--- a/iptables/iptables.8.in
+++ b/iptables/iptables.8.in
@@ -355,25 +355,10 @@ corresponding to that rule's position in the chain.
 \fB\-\-modprobe=\fP\fIcommand\fP
 When adding or inserting rules into a chain, use \fIcommand\fP to load
 any necessary modules (targets, match extensions, etc).
-.SH MATCH EXTENSIONS
+.SH MATCH AND TARGET EXTENSIONS
 .PP
-iptables can use extended packet matching modules
-with the \fB\-m\fP or \fB\-\-match\fP
-options, followed by the matching module name; after these, various
-extra command line options become available, depending on the specific
-module. You can specify multiple extended match modules in one line,
-and you can use the \fB\-h\fP or \fB\-\-help\fP
-options after the module has been specified to receive help specific
-to that module.
-.PP
-If the \fB\-p\fP or \fB\-\-protocol\fP was specified and if and only if an
-unknown option is encountered, iptables will try load a match module of the
-same name as the protocol, to try making the option available.
-.\" @MATCH@
-.SH TARGET EXTENSIONS
-iptables can use extended target modules: the following are included
-in the standard distribution.
-.\" @TARGET@
+iptables can use extended packet matching and target modules.
+A list of these is available in the \fBiptables\-extensions\fP(8) manpage.
 .SH DIAGNOSTICS
 Various error messages are printed to standard error. The exit code is 0 for correct functioning. Errors which appear to be caused by
@@ -410,6 +395,7 @@ There are several other changes in iptables.
 .SH SEE ALSO
 \fBiptables\-save\fP(8),
 \fBiptables\-restore\fP(8),
+\fBiptables\-extensions\fP(8),
 \fBip6tables\fP(8),
 \fBip6tables\-save\fP(8),
 \fBip6tables\-restore\fP(8),
--
cgit v1.2.3
From faeaf11536f605ebb733d4d5f5ec2ca074d3f247 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Fri, 28 Sep 2012 10:52:32 +0200
Subject: doc: trim "state" manpage and reference conntrack instead
The module is practically obsolete, so just pinpoint to the replacement in short order.
Signed-off-by: Jan Engelhardt
---
 extensions/libxt_HMARK.man | 2 +-
 extensions/libxt_state.man | 28 ++++++----------------------
 2 files changed, 7 insertions(+), 23 deletions(-)
diff --git a/extensions/libxt_HMARK.man b/extensions/libxt_HMARK.man
index 0b418842..e7b5426d 100644
--- a/extensions/libxt_HMARK.man
+++ b/extensions/libxt_HMARK.man
@@ -52,7 +52,7 @@ A 32 bit random custom value to feed hash calculation.
 .PP
 \fIExamples:\fP
 .PP
-iptables \-t mangle \-A PREROUTING \-m state \-\-state NEW
+iptables \-t mangle \-A PREROUTING \-m conntrack \-\-ctstate NEW
 \-j HMARK \-\-hmark-tuple ct,src,dst,proto \-\-hmark-offset 10000 \-\-hmark\-mod 10 \-\-hmark\-rnd 0xfeedcafe
 .PP
diff --git a/extensions/libxt_state.man b/extensions/libxt_state.man
index 37d095bc..bd60468f 100644
--- a/extensions/libxt_state.man
+++ b/extensions/libxt_state.man
@@ -1,24 +1,8 @@
-This module, when combined with connection tracking, allows access to
-the connection tracking state for this packet.
+The "state" module is an obsolete version of "conntrack".
+"state" allows access to the connection tracking state for this packet.
 .TP
 [\fB!\fP] \fB\-\-state\fP \fIstate\fP
-Where state is a comma separated list of the connection states to
-match. Possible states are
-.B INVALID
-meaning that the packet could not be identified for some reason which
-includes running out of memory and ICMP errors which don't correspond to any
-known connection,
-.B ESTABLISHED
-meaning that the packet is associated with a connection which has seen
-packets in both directions,
-.B NEW
-meaning that the packet has started a new connection, or otherwise
-associated with a connection which has not seen packets in both
-directions, and
-.B RELATED
-meaning that the packet is starting a new connection, but is
-associated with an existing connection, such as an FTP data transfer,
-or an ICMP error.
-.B UNTRACKED
-meaning that the packet is not tracked at all, which happens if you use
-the NOTRACK target in raw table.
+Where state is a comma separated list of the connection states to match. Only a
+subset of the states unterstood by "conntrack" are recognized: \fBINVALID\fP,
+\fBESTABLISHED\fP, \fBNEW\fP, \fBRELATED\fP or \fBUNTRACKED\fP. For their
+description, see the "conntrack" heading in this manpage.
--
cgit v1.2.3
From d97d546ba4540a28b14fcbf75176df345caee954 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Fri, 28 Sep 2012 10:54:47 +0200
Subject: doc: have NOTRACK manpage point to CT instead
The module is obsolete, so point to CT --notrack instead.
Signed-off-by: Jan Engelhardt
---
 extensions/libxt_NOTRACK.man | 6 ++----
 extensions/libxt_conntrack.man | 4 ++--
 2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/extensions/libxt_NOTRACK.man b/extensions/libxt_NOTRACK.man
index c2cdf5a6..633b965e 100644
--- a/extensions/libxt_NOTRACK.man
+++ b/extensions/libxt_NOTRACK.man
@@ -1,5 +1,3 @@
 This target disables connection tracking for all packets matching that rule.
-.PP
-It can only be used in the
-.B raw
-table.
+It is obsoleted by \-j CT \-\-notrack. Like CT, NOTRACK can only be used in
+the \fBraw\fP table.
diff --git a/extensions/libxt_conntrack.man b/extensions/libxt_conntrack.man
index c0cd24fe..15fd1ddf 100644
--- a/extensions/libxt_conntrack.man
+++ b/extensions/libxt_conntrack.man
@@ -57,8 +57,8 @@ The packet is starting a new connection, but is associated with an
 existing connection, such as an FTP data transfer, or an ICMP error.
 .TP
 \fBUNTRACKED\fP
-The packet is not tracked at all, which happens if you use
-the NOTRACK target in raw table.
+The packet is not tracked at all, which happens if you explicitly untrack it
+by using \-j CT \-\-notrack in the raw table.
 .TP
 \fBSNAT\fP
 A virtual state, matching if the original source address differs from the reply
--
cgit v1.2.3
From 7b5ba43ae48c1310e5a615cf9485c1d42f486467 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Fri, 28 Sep 2012 10:57:45 +0200
Subject: doc: mention iptables-apply in the SEE ALSO sections
References: http://bugs.debian.org/660748
Signed-off-by: Jan Engelhardt
---
 iptables/ip6tables.8.in | 1 +
 iptables/iptables-apply.8 | 2 +-
 iptables/iptables.8.in | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/iptables/ip6tables.8.in b/iptables/ip6tables.8.in
index edd092d7..078bcacd 100644
--- a/iptables/ip6tables.8.in
+++ b/iptables/ip6tables.8.in
@@ -390,6 +390,7 @@ There are several other changes in ip6tables.
 \fBip6tables\-save\fP(8),
 \fBip6tables\-restore\fP(8),
 \fBiptables\fP(8),
+\fBiptables\-apply\fP(8),
 \fBiptables\-extensions\fP(8),
 \fBiptables\-save\fP(8),
 \fBiptables\-restore\fP(8),
diff --git a/iptables/iptables-apply.8 b/iptables/iptables-apply.8
index 8208fd0f..66eaf57a 100644
--- a/iptables/iptables-apply.8
+++ b/iptables/iptables-apply.8
@@ -18,7 +18,7 @@ connection, the user will not be able to answer affirmatively. In this case, the script rolls back to the previous ruleset after the timeout expired. The timeout can be set with \fB\-t\fP.
 .PP
-When called as ip6tables\-apply, the script will use
+When called as \fBip6tables\-apply\fP, the script will use
 ip6tables\-save/\-restore instead.
 .SH OPTIONS
 .TP
diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in
index 48eb2fa1..d6b409d0 100644
--- a/iptables/iptables.8.in
+++ b/iptables/iptables.8.in
@@ -393,6 +393,7 @@ seen previously. So the following options are handled differently:
 .fi
 There are several other changes in iptables.
 .SH SEE ALSO
+\fBiptables\-apply\fP(8),
 \fBiptables\-save\fP(8),
 \fBiptables\-restore\fP(8),
 \fBiptables\-extensions\fP(8),
--
cgit v1.2.3