From 9517bbf5b805df874dcc452dfeb2cc36a7bf1500 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Fri, 28 Sep 2012 09:57:56 +0200 Subject: doc: clean up interpunction in state list for xt_conntrack Signed-off-by: Jan Engelhardt --- extensions/libxt_conntrack.man | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) (limited to 'extensions') diff --git a/extensions/libxt_conntrack.man b/extensions/libxt_conntrack.man index c397f742..c0cd24fe 100644 --- a/extensions/libxt_conntrack.man +++ b/extensions/libxt_conntrack.man @@ -42,22 +42,22 @@ specified at all, matches packets in both directions. States for \fB\-\-ctstate\fP: .TP \fBINVALID\fP -meaning that the packet is associated with no known connection +The packet is associated with no known connection. .TP \fBNEW\fP -meaning that the packet has started a new connection, or otherwise associated -with a connection which has not seen packets in both directions, and +The packet has started a new connection, or otherwise associated +with a connection which has not seen packets in both directions. .TP \fBESTABLISHED\fP -meaning that the packet is associated with a connection which has seen packets -in both directions, +The packet is associated with a connection which has seen packets +in both directions. .TP \fBRELATED\fP -meaning that the packet is starting a new connection, but is associated with an +The packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error. .TP \fBUNTRACKED\fP -meaning that the packet is not tracked at all, which happens if you use +The packet is not tracked at all, which happens if you use the NOTRACK target in raw table. .TP \fBSNAT\fP @@ -74,7 +74,7 @@ Statuses for \fB\-\-ctstatus\fP: None of the below. .TP \fBEXPECTED\fP -This is an expected connection (i.e. a conntrack helper set it up) +This is an expected connection (i.e. a conntrack helper set it up). .TP \fBSEEN_REPLY\fP Conntrack has seen packets in both directions. -- cgit v1.2.3 From 4496801821c01e3934996b40e0012ddcb969a8df Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Fri, 28 Sep 2012 10:43:06 +0200 Subject: doc: deduplicate extension descriptions into a new manpage iptables.8 and ip6tables.8 had pretty much the same content, with a few protocol-specific deviations here and there. Not only did that bloat the manpages, but it also made it harder to spot differences. Separate out the extension descriptions into a new manpage, which conveniently features differences next to one another (cf. REJECT). Signed-off-by: Jan Engelhardt --- extensions/.gitignore | 4 ++-- extensions/GNUmakefile.in | 35 +++++++++++++++-------------------- 2 files changed, 17 insertions(+), 22 deletions(-) (limited to 'extensions') diff --git a/extensions/.gitignore b/extensions/.gitignore index 2e74faf7..b1260f0b 100644 --- a/extensions/.gitignore +++ b/extensions/.gitignore @@ -5,5 +5,5 @@ /GNUmakefile /initext.c /initext?.c -/matches?.man -/targets?.man +/matches.man +/targets.man diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in index 0e7907e9..2e0921e4 100644 --- a/extensions/GNUmakefile.in +++ b/extensions/GNUmakefile.in @@ -56,9 +56,7 @@ pf6_solibs := $(patsubst %,libip6t_%.so,${pf6_build_mod}) # # Building blocks # -targets := libext.a libext4.a libext6.a \ - matches4.man matches6.man \ - targets4.man targets6.man +targets := libext.a libext4.a libext6.a matches.man targets.man targets_install := @ENABLE_STATIC_TRUE@ libext_objs := ${pfx_objs} @ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs} @@ -77,7 +75,7 @@ install: ${targets_install} if test -n "${targets_install}"; then install -pm0755 $^ "${DESTDIR}${xtlibdir}/"; fi; clean: - rm -f *.o *.oo *.so *.a {matches,targets}[46].man initext.c initext4.c initext6.c; + rm -f *.o *.oo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c; distclean: clean rm -f .*.d .*.dd; @@ -202,30 +200,27 @@ man_run = \ ${AM_VERBOSE_GEN} \ for ext in $(sort ${1}); do \ f="${srcdir}/libxt_$$ext.man"; \ - cf="${srcdir}/libxt_$$ext.c"; \ - if [ -f "$$f" ] && grep -Eq "$(3)|NFPROTO_UNSPEC" "$$cf"; then \ + if [ -f "$$f" ]; then \ echo -e "\t+ $$f" >&2; \ echo ".SS $$ext"; \ cat "$$f" || exit $$?; \ - continue; \ fi; \ - f="${srcdir}/lib$(2)t_$$ext.man"; \ + f="${srcdir}/libip6t_$$ext.man"; \ if [ -f "$$f" ]; then \ echo -e "\t+ $$f" >&2; \ - echo ".SS $$ext"; \ + echo ".SS $$ext (IPv6-specific)"; \ + cat "$$f" || exit $$?; \ + fi; \ + f="${srcdir}/libipt_$$ext.man"; \ + if [ -f "$$f" ]; then \ + echo -e "\t+ $$f" >&2; \ + echo ".SS $$ext (IPv4-specific)"; \ cat "$$f" || exit $$?; \ - continue; \ fi; \ done >$@; -matches4.man: .initext.dd .initext4.dd $(wildcard ${srcdir}/lib*.man) - $(call man_run,$(call ex_matches,${pfx_build_mod} ${pf4_build_mod}),ip,NFPROTO_IPV4) - -matches6.man: .initext.dd .initext6.dd $(wildcard ${srcdir}/lib*.man) - $(call man_run,$(call ex_matches,${pfx_build_mod} ${pf6_build_mod}),ip6,NFPROTO_IPV6) - -targets4.man: .initext.dd .initext4.dd $(wildcard ${srcdir}/lib*.man) - $(call man_run,$(call ex_targets,${pfx_build_mod} ${pf4_build_mod}),ip,NFPROTO_IPV4) +matches.man: .initext.dd .initext4.dd .initext6.dd $(wildcard ${srcdir}/lib*.man) + $(call man_run,$(call ex_matches,${pfx_build_mod} ${pf4_build_mod} ${pf6_build_mod})) -targets6.man: .initext.dd .initext6.dd $(wildcard ${srcdir}/lib*.man) - $(call man_run,$(call ex_targets,${pfx_build_mod} ${pf6_build_mod}),ip6,NFPROTO_IPV6) +targets.man: .initext.dd .initext4.dd .initext6.dd $(wildcard ${srcdir}/lib*.man) + $(call man_run,$(call ex_targets,${pfx_build_mod} ${pf4_build_mod} ${pf6_build_mod})) -- cgit v1.2.3 From faeaf11536f605ebb733d4d5f5ec2ca074d3f247 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Fri, 28 Sep 2012 10:52:32 +0200 Subject: doc: trim "state" manpage and reference conntrack instead The module is practically obsolete, so just pinpoint to the replacement in short order. Signed-off-by: Jan Engelhardt --- extensions/libxt_HMARK.man | 2 +- extensions/libxt_state.man | 28 ++++++---------------------- 2 files changed, 7 insertions(+), 23 deletions(-) (limited to 'extensions') diff --git a/extensions/libxt_HMARK.man b/extensions/libxt_HMARK.man index 0b418842..e7b5426d 100644 --- a/extensions/libxt_HMARK.man +++ b/extensions/libxt_HMARK.man @@ -52,7 +52,7 @@ A 32 bit random custom value to feed hash calculation. .PP \fIExamples:\fP .PP -iptables \-t mangle \-A PREROUTING \-m state \-\-state NEW +iptables \-t mangle \-A PREROUTING \-m conntrack \-\-ctstate NEW \-j HMARK \-\-hmark-tuple ct,src,dst,proto \-\-hmark-offset 10000 \-\-hmark\-mod 10 \-\-hmark\-rnd 0xfeedcafe .PP diff --git a/extensions/libxt_state.man b/extensions/libxt_state.man index 37d095bc..bd60468f 100644 --- a/extensions/libxt_state.man +++ b/extensions/libxt_state.man @@ -1,24 +1,8 @@ -This module, when combined with connection tracking, allows access to -the connection tracking state for this packet. +The "state" module is an obsolete version of "conntrack". +"state" allows access to the connection tracking state for this packet. .TP [\fB!\fP] \fB\-\-state\fP \fIstate\fP -Where state is a comma separated list of the connection states to -match. Possible states are -.B INVALID -meaning that the packet could not be identified for some reason which -includes running out of memory and ICMP errors which don't correspond to any -known connection, -.B ESTABLISHED -meaning that the packet is associated with a connection which has seen -packets in both directions, -.B NEW -meaning that the packet has started a new connection, or otherwise -associated with a connection which has not seen packets in both -directions, and -.B RELATED -meaning that the packet is starting a new connection, but is -associated with an existing connection, such as an FTP data transfer, -or an ICMP error. -.B UNTRACKED -meaning that the packet is not tracked at all, which happens if you use -the NOTRACK target in raw table. +Where state is a comma separated list of the connection states to match. Only a +subset of the states unterstood by "conntrack" are recognized: \fBINVALID\fP, +\fBESTABLISHED\fP, \fBNEW\fP, \fBRELATED\fP or \fBUNTRACKED\fP. For their +description, see the "conntrack" heading in this manpage. -- cgit v1.2.3 From d97d546ba4540a28b14fcbf75176df345caee954 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Fri, 28 Sep 2012 10:54:47 +0200 Subject: doc: have NOTRACK manpage point to CT instead The module is obsolete, so point to CT --notrack instead. Signed-off-by: Jan Engelhardt --- extensions/libxt_NOTRACK.man | 6 ++---- extensions/libxt_conntrack.man | 4 ++-- 2 files changed, 4 insertions(+), 6 deletions(-) (limited to 'extensions') diff --git a/extensions/libxt_NOTRACK.man b/extensions/libxt_NOTRACK.man index c2cdf5a6..633b965e 100644 --- a/extensions/libxt_NOTRACK.man +++ b/extensions/libxt_NOTRACK.man @@ -1,5 +1,3 @@ This target disables connection tracking for all packets matching that rule. -.PP -It can only be used in the -.B raw -table. +It is obsoleted by \-j CT \-\-notrack. Like CT, NOTRACK can only be used in +the \fBraw\fP table. diff --git a/extensions/libxt_conntrack.man b/extensions/libxt_conntrack.man index c0cd24fe..15fd1ddf 100644 --- a/extensions/libxt_conntrack.man +++ b/extensions/libxt_conntrack.man @@ -57,8 +57,8 @@ The packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error. .TP \fBUNTRACKED\fP -The packet is not tracked at all, which happens if you use -the NOTRACK target in raw table. +The packet is not tracked at all, which happens if you explicitly untrack it +by using \-j CT \-\-notrack in the raw table. .TP \fBSNAT\fP A virtual state, matching if the original source address differs from the reply -- cgit v1.2.3