Merge branch 'master' of git://git.inai.de/iptables

Conflicts:
	extensions/GNUmakefile.in

Resolution: trivial, since this was a fuzz 3.

Reason: The line added in v1.4.15-16-g33710a5 was in the vicinity of changes
from v1.4.15-22-g4496801.
diff --git a/extensions/.gitignore b/extensions/.gitignore
index 2e74faf..b1260f0 100644
--- a/extensions/.gitignore
+++ b/extensions/.gitignore
@@ -5,5 +5,5 @@
 /GNUmakefile
 /initext.c
 /initext?.c
-/matches?.man
-/targets?.man
+/matches.man
+/targets.man
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index 1639030..8b38df9 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -56,9 +56,7 @@
 #
 # Building blocks
 #
-targets := libext.a libext4.a libext6.a \
-           matches4.man matches6.man \
-           targets4.man targets6.man
+targets := libext.a libext4.a libext6.a matches.man targets.man
 targets_install :=
 @ENABLE_STATIC_TRUE@ libext_objs := ${pfx_objs}
 @ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs}
@@ -77,7 +75,7 @@
 	if test -n "${targets_install}"; then install -pm0755 $^ "${DESTDIR}${xtlibdir}/"; fi;
 
 clean:
-	rm -f *.o *.oo *.so *.a {matches,targets}[46].man initext.c initext4.c initext6.c;
+	rm -f *.o *.oo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c;
 	rm -f .*.d .*.dd;
 
 distclean: clean
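Review bot: The `{matches,targets}.man` argument in the `clean` recipe depends on shell brace expansion, which POSIX sh does not perform. If recipes run under a shell such as dash, `rm -f` receives the literal word and silently leaves both generated pages behind. With only two names left after this change the braces save nothing, so spell them out: `rm -f *.o *.oo *.so *.a matches.man targets.man initext.c initext4.c initext6.c;`. Whether this makefile sets `SHELL` to bash is not visible in the hunk.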
@@ -202,30 +200,27 @@
 	${AM_VERBOSE_GEN} \
 	for ext in $(sort ${1}); do \
 		f="${srcdir}/libxt_$$ext.man"; \
-		cf="${srcdir}/libxt_$$ext.c"; \
-		if [ -f "$$f" ] && grep -Eq "$(3)|NFPROTO_UNSPEC" "$$cf"; then \
-			echo -e "\t+ $$f" >&2; \
-			echo ".SS $$ext"; \
-			cat "$$f" || exit $$?; \
-			continue; \
-		fi; \
-		f="${srcdir}/lib$(2)t_$$ext.man"; \
 		if [ -f "$$f" ]; then \
 			echo -e "\t+ $$f" >&2; \
 			echo ".SS $$ext"; \
 			cat "$$f" || exit $$?; \
-			continue; \
+		fi; \
+		f="${srcdir}/libip6t_$$ext.man"; \
+		if [ -f "$$f" ]; then \
+			echo -e "\t+ $$f" >&2; \
+			echo ".SS $$ext (IPv6-specific)"; \
+			cat "$$f" || exit $$?; \
+		fi; \
+		f="${srcdir}/libipt_$$ext.man"; \
+		if [ -f "$$f" ]; then \
+			echo -e "\t+ $$f" >&2; \
+			echo ".SS $$ext (IPv4-specific)"; \
+			cat "$$f" || exit $$?; \
 		fi; \
 	done >$@;
 
-matches4.man: .initext.dd .initext4.dd $(wildcard ${srcdir}/lib*.man)
-	$(call man_run,$(call ex_matches,${pfx_build_mod} ${pf4_build_mod}),ip,NFPROTO_IPV4)
+matches.man: .initext.dd .initext4.dd .initext6.dd $(wildcard ${srcdir}/lib*.man)
+	$(call man_run,$(call ex_matches,${pfx_build_mod} ${pf4_build_mod} ${pf6_build_mod}))
 
-matches6.man: .initext.dd .initext6.dd $(wildcard ${srcdir}/lib*.man)
-	$(call man_run,$(call ex_matches,${pfx_build_mod} ${pf6_build_mod}),ip6,NFPROTO_IPV6)
-
-targets4.man: .initext.dd .initext4.dd $(wildcard ${srcdir}/lib*.man)
-	$(call man_run,$(call ex_targets,${pfx_build_mod} ${pf4_build_mod}),ip,NFPROTO_IPV4)
-
-targets6.man: .initext.dd .initext6.dd $(wildcard ${srcdir}/lib*.man)
-	$(call man_run,$(call ex_targets,${pfx_build_mod} ${pf6_build_mod}),ip6,NFPROTO_IPV6)
+targets.man: .initext.dd .initext4.dd .initext6.dd $(wildcard ${srcdir}/lib*.man)
+	$(call man_run,$(call ex_targets,${pfx_build_mod} ${pf4_build_mod} ${pf6_build_mod}))
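Review bot: A failing `cat` in this loop exits with an error but leaves a truncated `$@` behind, because the loop writes straight into the target with `done >$@;`. Unless `.DELETE_ON_ERROR:` is declared elsewhere in the file (not visible here), the next run would treat the partial matches.man or targets.man as up to date and pass it on to whatever consumes these files. Writing to a temporary file and renaming it closes that gap: `done >$@.tmp && mv -f $@.tmp $@;`. The `man_run` definition starts above this hunk.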
diff --git a/extensions/libxt_HMARK.man b/extensions/libxt_HMARK.man
index 0b41884..e7b5426 100644
--- a/extensions/libxt_HMARK.man
+++ b/extensions/libxt_HMARK.man
@@ -52,7 +52,7 @@
 .PP
 \fIExamples:\fP
 .PP
-iptables \-t mangle \-A PREROUTING \-m state \-\-state NEW
+iptables \-t mangle \-A PREROUTING \-m conntrack \-\-ctstate NEW
  \-j HMARK \-\-hmark-tuple ct,src,dst,proto \-\-hmark-offset 10000
 \-\-hmark\-mod 10 \-\-hmark\-rnd 0xfeedcafe
 .PP
diff --git a/extensions/libxt_NOTRACK.man b/extensions/libxt_NOTRACK.man
index c2cdf5a..633b965 100644
--- a/extensions/libxt_NOTRACK.man
+++ b/extensions/libxt_NOTRACK.man
@@ -1,5 +1,3 @@
 This target disables connection tracking for all packets matching that rule.
-.PP
-It can only be used in the
-.B raw
-table.
+It is obsoleted by \-j CT \-\-notrack. Like CT, NOTRACK can only be used in
+the \fBraw\fP table.
diff --git a/extensions/libxt_conntrack.man b/extensions/libxt_conntrack.man
index c397f74..15fd1dd 100644
--- a/extensions/libxt_conntrack.man
+++ b/extensions/libxt_conntrack.man
@@ -42,23 +42,23 @@
 States for \fB\-\-ctstate\fP:
 .TP
 \fBINVALID\fP
-meaning that the packet is associated with no known connection
+The packet is associated with no known connection.
 .TP
 \fBNEW\fP
-meaning that the packet has started a new connection, or otherwise associated
-with a connection which has not seen packets in both directions, and
+The packet has started a new connection, or otherwise associated
+with a connection which has not seen packets in both directions.
 .TP
 \fBESTABLISHED\fP
-meaning that the packet is associated with a connection which has seen packets
-in both directions,
+The packet is associated with a connection which has seen packets
+in both directions.
 .TP
 \fBRELATED\fP
-meaning that the packet is starting a new connection, but is associated with an
+The packet is starting a new connection, but is associated with an
 existing connection, such as an FTP data transfer, or an ICMP error.
 .TP
 \fBUNTRACKED\fP
-meaning that the packet is not tracked at all, which happens if you use
-the NOTRACK target in raw table.
+The packet is not tracked at all, which happens if you explicitly untrack it
+by using \-j CT \-\-notrack in the raw table.
 .TP
 \fBSNAT\fP
 A virtual state, matching if the original source address differs from the reply
@@ -74,7 +74,7 @@
 None of the below.
 .TP
 \fBEXPECTED\fP
-This is an expected connection (i.e. a conntrack helper set it up)
+This is an expected connection (i.e. a conntrack helper set it up).
 .TP
 \fBSEEN_REPLY\fP
 Conntrack has seen packets in both directions.
diff --git a/extensions/libxt_state.man b/extensions/libxt_state.man
index 37d095b..bd60468 100644
--- a/extensions/libxt_state.man
+++ b/extensions/libxt_state.man
@@ -1,24 +1,8 @@
-This module, when combined with connection tracking, allows access to
-the connection tracking state for this packet.
+The "state" module is an obsolete version of "conntrack".
+"state" allows access to the connection tracking state for this packet.
 .TP
 [\fB!\fP] \fB\-\-state\fP \fIstate\fP
-Where state is a comma separated list of the connection states to
-match.  Possible states are
-.B INVALID
-meaning that the packet could not be identified for some reason which
-includes running out of memory and ICMP errors which don't correspond to any
-known connection,
-.B ESTABLISHED
-meaning that the packet is associated with a connection which has seen
-packets in both directions,
-.B NEW
-meaning that the packet has started a new connection, or otherwise
-associated with a connection which has not seen packets in both
-directions, and
-.B RELATED
-meaning that the packet is starting a new connection, but is
-associated with an existing connection, such as an FTP data transfer,
-or an ICMP error.
-.B UNTRACKED
-meaning that the packet is not tracked at all, which happens if you use
-the NOTRACK target in raw table.
+Where state is a comma separated list of the connection states to match. Only a
+subset of the states unterstood by "conntrack" are recognized: \fBINVALID\fP,
+\fBESTABLISHED\fP, \fBNEW\fP, \fBRELATED\fP or \fBUNTRACKED\fP. For their
+description, see the "conntrack" heading in this manpage.
diff --git a/iptables/.gitignore b/iptables/.gitignore
index 5a08937..4fc63aa 100644
--- a/iptables/.gitignore
+++ b/iptables/.gitignore
@@ -5,6 +5,7 @@
 /ip6tables-static
 /iptables
 /iptables.8
+/iptables-extensions.8
 /iptables-save
 /iptables-restore
 /iptables-static
diff --git a/iptables/Makefile.am b/iptables/Makefile.am
index bdd4da1..61e78db 100644
--- a/iptables/Makefile.am
+++ b/iptables/Makefile.am
@@ -27,7 +27,7 @@
 sbin_PROGRAMS    = xtables-multi
 man_MANS         = iptables.8 iptables-restore.8 iptables-save.8 \
                    iptables-xml.1 ip6tables.8 ip6tables-restore.8 \
-                   ip6tables-save.8
+                   ip6tables-save.8 iptables-extensions.8
 CLEANFILES       = iptables.8 ip6tables.8
 
 vx_bin_links   = iptables-xml
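Review bot: `CLEANFILES` on the context line below `man_MANS` still lists only `iptables.8 ip6tables.8`, although iptables-extensions.8 is now a generated page as well (its rule is added in the next hunk of this file). As written, `make clean` would leave the generated file behind, and a stale copy from an older build could end up installed. Extend the list: `CLEANFILES       = iptables.8 ip6tables.8 iptables-extensions.8`.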
@@ -38,11 +38,17 @@
 v6_sbin_links  = ip6tables ip6tables-restore ip6tables-save
 endif
 
-iptables.8: ${srcdir}/iptables.8.in ../extensions/matches4.man ../extensions/targets4.man
-	${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r ../extensions/matches4.man' -e '/@TARGET@/ r ../extensions/targets4.man' $< >$@;
+iptables.8: ${srcdir}/iptables.8.in
+	${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' $< >$@;
 
-ip6tables.8: ${srcdir}/ip6tables.8.in ../extensions/matches6.man ../extensions/targets6.man
-	${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r ../extensions/matches6.man' -e '/@TARGET@/ r ../extensions/targets6.man' $< >$@;
+ip6tables.8: ${srcdir}/ip6tables.8.in
+	${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' $< >$@;
+
+iptables-extensions.8: ${srcdir}/iptables-extensions.8.in ../extensions/matches.man ../extensions/targets.man
+	${AM_VERBOSE_GEN} sed -e \
+		's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' \
+		-e '/@MATCH@/ r ../extensions/matches.man' \
+		-e '/@TARGET@/ r ../extensions/targets.man' $< >$@;
 
 pkgconfig_DATA = xtables.pc
 
diff --git a/iptables/ip6tables.8.in b/iptables/ip6tables.8.in
index 65f3864..078bcac 100644
--- a/iptables/ip6tables.8.in
+++ b/iptables/ip6tables.8.in
@@ -362,23 +362,8 @@
 to load any necessary modules (targets, match extensions, etc).
 .SH MATCH EXTENSIONS
 .PP
-ip6tables can use extended packet matching modules
-with the \fB\-m\fP or \fB\-\-match\fP
-options, followed by the matching module name; after these, various
-extra command line options become available, depending on the specific
-module.  You can specify multiple extended match modules in one line,
-and you can use the \fB\-h\fP or \fB\-\-help\fP
-options after the module has been specified to receive help specific
-to that module.
-.PP
-If the \fB\-p\fP or \fB\-\-protocol\fP was specified and if and only if an
-unknown option is encountered, ip6tables will try load a match module of the
-same name as the protocol, to try making the option available.
-.\" @MATCH@
-.SH TARGET EXTENSIONS
-ip6tables can use extended target modules: the following are included
-in the standard distribution.
-.\" @TARGET@
+iptables can use extended packet matching and target modules.
+A list of these is available in the \fBiptables\-extensions\fP(8) manpage.
 .SH DIAGNOSTICS
 Various error messages are printed to standard error.  The exit code
 is 0 for correct functioning.  Errors which appear to be caused by
@@ -405,6 +390,8 @@
 \fBip6tables\-save\fP(8),
 \fBip6tables\-restore\fP(8),
 \fBiptables\fP(8),
+\fBiptables\-apply\fP(8),
+\fBiptables\-extensions\fP(8),
 \fBiptables\-save\fP(8),
 \fBiptables\-restore\fP(8),
 \fBlibipq\fP(3).
diff --git a/iptables/iptables-apply.8 b/iptables/iptables-apply.8
index 8208fd0..66eaf57 100644
--- a/iptables/iptables-apply.8
+++ b/iptables/iptables-apply.8
@@ -18,7 +18,7 @@
 case, the script rolls back to the previous ruleset after the timeout
 expired. The timeout can be set with \fB\-t\fP.
 .PP
-When called as ip6tables\-apply, the script will use
+When called as \fBip6tables\-apply\fP, the script will use
 ip6tables\-save/\-restore instead.
 .SH OPTIONS
 .TP
diff --git a/iptables/iptables-extensions.8.in b/iptables/iptables-extensions.8.in
new file mode 100644
index 0000000..e02c81f
--- /dev/null
+++ b/iptables/iptables-extensions.8.in
@@ -0,0 +1,27 @@
+.TH iptables-extensions 8 "" "@PACKAGE_AND_VERSION@" "@PACKAGE_AND_VERSION@"
+.SH NAME
+iptables-extensions \(em list of extensions in the standard iptables distribution
+.SH SYNOPSIS
+\fBip6tables\fP [\fB\-m\fP \fIname\fP [\fImodule-options\fP...]]
+[\fB\-j\fP \fItarget-name\fP [\fItarget-options\fP...]
+.PP
+\fBiptables\fP [\fB\-m\fP \fIname\fP [\fImodule-options\fP...]]
+[\fB\-j\fP \fItarget-name\fP [\fItarget-options\fP...]
+.SH MATCH EXTENSIONS
+iptables can use extended packet matching modules
+with the \fB\-m\fP or \fB\-\-match\fP
+options, followed by the matching module name; after these, various
+extra command line options become available, depending on the specific
+module.  You can specify multiple extended match modules in one line,
+and you can use the \fB\-h\fP or \fB\-\-help\fP
+options after the module has been specified to receive help specific
+to that module.
+.PP
+If the \fB\-p\fP or \fB\-\-protocol\fP was specified and if and only if an
+unknown option is encountered, iptables will try load a match module of the
+same name as the protocol, to try making the option available.
+.\" @MATCH@
+.SH TARGET EXTENSIONS
+iptables can use extended target modules: the following are included
+in the standard distribution.
+.\" @TARGET@
diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in
index 59d6e04..d6b409d 100644
--- a/iptables/iptables.8.in
+++ b/iptables/iptables.8.in
@@ -355,25 +355,10 @@
 \fB\-\-modprobe=\fP\fIcommand\fP
 When adding or inserting rules into a chain, use \fIcommand\fP
 to load any necessary modules (targets, match extensions, etc).
-.SH MATCH EXTENSIONS
+.SH MATCH AND TARGET EXTENSIONS
 .PP
-iptables can use extended packet matching modules
-with the \fB\-m\fP or \fB\-\-match\fP
-options, followed by the matching module name; after these, various
-extra command line options become available, depending on the specific
-module.  You can specify multiple extended match modules in one line,
-and you can use the \fB\-h\fP or \fB\-\-help\fP
-options after the module has been specified to receive help specific
-to that module.
-.PP
-If the \fB\-p\fP or \fB\-\-protocol\fP was specified and if and only if an
-unknown option is encountered, iptables will try load a match module of the
-same name as the protocol, to try making the option available.
-.\" @MATCH@
-.SH TARGET EXTENSIONS
-iptables can use extended target modules: the following are included
-in the standard distribution.
-.\" @TARGET@
+iptables can use extended packet matching and target modules.
+A list of these is available in the \fBiptables\-extensions\fP(8) manpage.
 .SH DIAGNOSTICS
 Various error messages are printed to standard error.  The exit code
 is 0 for correct functioning.  Errors which appear to be caused by
@@ -408,8 +393,10 @@
 .fi
 There are several other changes in iptables.
 .SH SEE ALSO
+\fBiptables\-apply\fP(8),
 \fBiptables\-save\fP(8),
 \fBiptables\-restore\fP(8),
+\fBiptables\-extensions\fP(8),
 \fBip6tables\fP(8),
 \fBip6tables\-save\fP(8),
 \fBip6tables\-restore\fP(8),