From 156f58692bbe9e509b32670f93582bead785c926 Mon Sep 17 00:00:00 2001 From: Frank Tobin Date: Thu, 21 May 2009 05:09:00 +0200 Subject: libxt_tcp: fix a manpage syntax typo Reference: http://bugzilla.netfilter.org/show_bug.cgi?id=596 Signed-off-by: Jan Engelhardt --- extensions/libxt_tcp.man | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'extensions') diff --git a/extensions/libxt_tcp.man b/extensions/libxt_tcp.man index 8f39cdb8..0a99cdf7 100644 --- a/extensions/libxt_tcp.man +++ b/extensions/libxt_tcp.man @@ -12,7 +12,7 @@ The flag \fB\-\-sport\fP is a convenient alias for this option. .TP -[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB,\fP\fIport\fP] +[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP] Destination port or port range specification. The flag \fB\-\-dport\fP is a convenient alias for this option. -- cgit v1.2.3 From ae737f0070c9aaccb722ba342b12043fb124d9e2 Mon Sep 17 00:00:00 2001 From: Ian Bruce Date: Sat, 6 Jun 2009 06:04:24 +0200 Subject: libxt_tcp: manpage corrections and suggestions From: Ian Bruce The commit corrects some minor errors in the iptables(8) man page, related to port ranges in the "tcp" module. Reference: http://bugs.debian.org/531677 Signed-off-by: Jan Engelhardt --- extensions/libxt_tcp.man | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'extensions') diff --git a/extensions/libxt_tcp.man b/extensions/libxt_tcp.man index 0a99cdf7..7a16118b 100644 --- a/extensions/libxt_tcp.man +++ b/extensions/libxt_tcp.man 
@@ -4,10 +4,10 @@ provides the following options: [\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP] Source port or port range specification. This can either be a service name or a port number. An inclusive range can also be specified, -using the format \fIport\fP\fB:\fP\fIport\fP. +using the format \fIfirst\fP\fB:\fP\fIlast\fP. If the first port is omitted, "0" is assumed; if the last is omitted, "65535" is assumed. -If the second port is greater than the first they will be swapped. +If the first port is greater than the second one they will be swapped. The flag \fB\-\-sport\fP is a convenient alias for this option. -- cgit v1.2.3 From a3726818e07d47136010f09762637a3e597329e3 Mon Sep 17 00:00:00 2001 From: kd6lvw Date: Sun, 7 Jun 2009 14:23:00 +0200 Subject: libxt_connlimit: initialize v6_mask When converting "--connlimit-mask $bits" to a 128-bit v6 mask, the code uses a left shift on v6_mask[n]. This requires v6_mask to be filled with all one-bits beforehand, but this initialization was not done. References: http://bugzilla.netfilter.org/show_bug.cgi?id=597 Signed-off-by: Jan Engelhardt --- extensions/libxt_connlimit.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'extensions')
diff --git a/extensions/libxt_connlimit.c b/extensions/libxt_connlimit.c
index f001a2e4..403e7e6f 100644
--- a/extensions/libxt_connlimit.c
+++ b/extensions/libxt_connlimit.c
@@ -26,7 +26,9 @@ static const struct option connlimit_opts[] = {
 static void connlimit_init(struct xt_entry_match *match)
 {
 struct xt_connlimit_info *info = (void *)match->data;
- info->v4_mask = 0xFFFFFFFFUL;
+
+ /* This will also initialize the v4 mask correctly */
+ memset(info->v6_mask, 0xFF, sizeof(info->v6_mask));
 }

 static void prefix_to_netmask(u_int32_t *mask, unsigned int prefix_len)
-- cgit v1.2.3 From 18c475d7040abc6d3094ee0348904deafe997508 Mon Sep 17 00:00:00 2001 
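Review bot: The added comment in connlimit_init says the memset on v6_mask "will also initialize the v4 mask", but it does not say why that holds; presumably v4_mask overlays the first word of v6_mask through a union in the kernel's xt_connlimit.h header, which is not visible in this hunk, and anyone who later touches that struct layout would not know this line depends on the overlap. I would state the dependency explicitly, e.g. `/* v4_mask shares storage with v6_mask[0] (union in xt_connlimit.h), so filling v6_mask with 0xFF also sets v4_mask to 0xFFFFFFFF, as the removed assignment did */`. It is also worth adding why all-ones matters, since the commit message explains it but the code does not: the prefix-to-mask conversion shifts v6_mask[n] in place, so a mask that starts uninitialized would silently group IPv6 connections by the wrong bits and weaken the limit. The diffstat shows no include being added, so `<string.h>` must already be included for memset to be declared — worth confirming. prefix_to_netmask, whose signature closes the hunk, has its body outside the hunk.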
From: Jan Engelhardt Date: Wed, 10 Jun 2009 20:18:43 +0200 Subject: manpages: markup corrections The manpage of xt_cluster and xt_recent had some unclosed tags. Backslashes in commands are also not wanted because manpages are a freeform, automatically-wrapped text. Signed-off-by: Jan Engelhardt --- extensions/libxt_TCPMSS.man | 5 ++--- extensions/libxt_TPROXY.man | 2 +- extensions/libxt_cluster.man | 38 +++++++++++++++++++------------------- extensions/libxt_connlimit.man | 2 +- extensions/libxt_recent.man | 4 ++-- 5 files changed, 25 insertions(+), 26 deletions(-) (limited to 'extensions') diff --git a/extensions/libxt_TCPMSS.man b/extensions/libxt_TCPMSS.man index 675fc5ed..dbab918d 100644 --- a/extensions/libxt_TCPMSS.man +++ b/extensions/libxt_TCPMSS.man @@ -29,10 +29,9 @@ ssh works fine, but scp hangs after initial handshaking. .PD Workaround: activate this option and add a rule to your firewall configuration like: -.nf - iptables \-t mangle \-A FORWARD \-p tcp \-\-tcp\-flags SYN,RST SYN \\ +.IP + iptables \-t mangle \-A FORWARD \-p tcp \-\-tcp\-flags SYN,RST SYN \-j TCPMSS \-\-clamp\-mss\-to\-pmtu -.fi .TP \fB\-\-set\-mss\fP \fIvalue\fP Explicitly set MSS option to specified value. diff --git a/extensions/libxt_TPROXY.man b/extensions/libxt_TPROXY.man index c087ebf0..0129f845 100644 --- a/extensions/libxt_TPROXY.man +++ b/extensions/libxt_TPROXY.man @@ -13,7 +13,7 @@ rule also specifies \fB\-p tcp\fP or \fB\-p udp\fP. \fB\-\-on\-ip\fP \fIaddress\fP This specifies a destination address to use. By default the address is the IP address of the incoming interface. This is only valid if the rule also -specifies \fB\-p tcp\fP or \fP\-p udp\fP. +specifies \fB\-p tcp\fP or \fB\-p udp\fP. .TP \fB\-\-tproxy\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP] Marks packets with the given value/mask. The fwmark value set here can be used diff --git a/extensions/libxt_cluster.man b/extensions/libxt_cluster.man index 6081be14..62ad71cc 100644 --- a/extensions/libxt_cluster.man 
+++ b/extensions/libxt_cluster.man @@ -4,35 +4,35 @@ need of load-balancers. This match requires that all the nodes see the same packets. Thus, the cluster match decides if this node has to handle a packet given the following options: .TP -\fB\-\-cluster\-total\-nodes \fInum\fP +\fB\-\-cluster\-total\-nodes\fP \fInum\fP Set number of total nodes in cluster. .TP -[\fB!\fP] \fB\-\-cluster\-local\-node \fInum\fP +[\fB!\fP] \fB\-\-cluster\-local\-node\fP \fInum\fP Set the local node number ID. .TP -[\fB!\fP] \fB\-\-cluster\-local\-nodemask \fImask\fP +[\fB!\fP] \fB\-\-cluster\-local\-nodemask\fP \fImask\fP Set the local node number ID mask. You can use this option instead -of \fB\-\-cluster\-local\-node. +of \fB\-\-cluster\-local\-node\fP. .TP -\fB\-\-cluster\-hash\-seed \fIvalue\fP +\fB\-\-cluster\-hash\-seed\fP \fIvalue\fP Set seed value of the Jenkins hash. .PP Example: .IP -iptables \-A PREROUTING \-t mangle \-i eth1 \-m cluster \ -\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1 \ -\-\-cluster\-hash\-seed 0xdeadbeef \ +iptables \-A PREROUTING \-t mangle \-i eth1 \-m cluster +\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1 +\-\-cluster\-hash\-seed 0xdeadbeef \-j MARK \-\-set-mark 0xffff .IP -iptables \-A PREROUTING \-t mangle \-i eth2 \-m cluster \ -\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1 \ -\-\-cluster\-hash\-seed 0xdeadbeef \ +iptables \-A PREROUTING \-t mangle \-i eth2 \-m cluster +\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1 +\-\-cluster\-hash\-seed 0xdeadbeef \-j MARK -\-set\-mark 0xffff .IP -iptables \-A PREROUTING \-t mangle \-i eth1 \ +iptables \-A PREROUTING \-t mangle \-i eth1 \-m mark ! \-\-mark 0xffff \-j DROP .IP -iptables \-A PREROUTING \-t mangle \-i eth2 \ +iptables \-A PREROUTING \-t mangle \-i eth2 \-m mark ! \-\-mark 0xffff \-j DROP .PP And the following commands to make all nodes see the same packets: 
@@ -41,18 +41,18 @@ ip maddr add 01:00:5e:00:01:01 dev eth1 .IP ip maddr add 01:00:5e:00:01:02 dev eth2 .IP -arptables \-A OUTPUT \-o eth1 \-\-h\-length 6 \ +arptables \-A OUTPUT \-o eth1 \-\-h\-length 6 \-j mangle \-\-mangle-mac-s 01:00:5e:00:01:01 .IP -arptables \-A INPUT \-i eth1 \-\-h-length 6 \ -\-\-destination-mac 01:00:5e:00:01:01 \ +arptables \-A INPUT \-i eth1 \-\-h-length 6 +\-\-destination-mac 01:00:5e:00:01:01 \-j mangle \-\-mangle\-mac\-d 00:zz:yy:xx:5a:27 .IP -arptables \-A OUTPUT \-o eth2 \-\-h\-length 6 \ +arptables \-A OUTPUT \-o eth2 \-\-h\-length 6 \-j mangle \-\-mangle\-mac\-s 01:00:5e:00:01:02 .IP -arptables \-A INPUT \-i eth2 \-\-h\-length 6 \ -\-\-destination\-mac 01:00:5e:00:01:02 \ +arptables \-A INPUT \-i eth2 \-\-h\-length 6 +\-\-destination\-mac 01:00:5e:00:01:02 \-j mangle \-\-mangle\-mac\-d 00:zz:yy:xx:5a:27 .PP In the case of TCP connections, pickup facility has to be disabled diff --git a/extensions/libxt_connlimit.man b/extensions/libxt_connlimit.man index eb0832aa..c85d768c 100644 --- a/extensions/libxt_connlimit.man +++ b/extensions/libxt_connlimit.man @@ -21,7 +21,7 @@ network (24 bit netmask) iptables \-p tcp \-\-syn \-\-dport 80 \-m connlimit \-\-connlimit\-above 16 \-\-connlimit\-mask 24 \-j REJECT .TP -# limit the number of parallel HTTP requests to 16 for the link local network \ +# limit the number of parallel HTTP requests to 16 for the link local network (ipv6) ip6tables \-p tcp \-\-syn \-\-dport 80 \-s fe80::/64 \-m connlimit \-\-connlimit\-above 16 \-\-connlimit\-mask 64 \-j REJECT diff --git a/extensions/libxt_recent.man b/extensions/libxt_recent.man index e03d8ece..9d5a64ee 100644 --- a/extensions/libxt_recent.man +++ b/extensions/libxt_recent.man 
@@ -33,12 +33,12 @@ Check if the source address of the packet is currently in the list and if so that address will be removed from the list and the rule will return true. If the address is not found, false is returned. .TP -[\fB!\fR] \fB\-\-seconds \fIseconds\fP +[\fB!\fR] \fB\-\-seconds\fP \fIseconds\fP This option must be used in conjunction with one of \fB\-\-rcheck\fP or \fB\-\-update\fP. When used, this will narrow the match to only happen when the address is in the list and was seen within the last given number of seconds. .TP -[\fB!\fR] \fB\-\-hitcount \fIhits\fP +[\fB!\fR] \fB\-\-hitcount\fP \fIhits\fP This option must be used in conjunction with one of \fB\-\-rcheck\fP or \fB\-\-update\fP. When used, this will narrow the match to only happen when the address is in the list and packets had been received greater than or equal to -- cgit v1.2.3