
iptables: Commit


Commit MetaInfo

Revisión0cb2b74ea50ecc91a4a743ddd2ca5f63058dda0d (tree)
Tiempo2013-04-03 13:09:23
AutorAkihiro MOTOKI <amotoki@gmai...>
CommiterAkihiro MOTOKI

Log Message

iptables: Update po files

Cambiar Resumen

Diferencia incremental

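--- a/original/man3/libipq.3
+++ b/original/man3/libipq.3
@@ -46,9 +46,9 @@ and queued for userspace processing via the QUEUE target. For example,
 running the following commands:
 .PP
 # modprobe iptable_filter
-.br
+.br
 # modprobe ip_queue
-.br
+.br
 # iptables \-A OUTPUT \-p icmp \-j QUEUE
 .PP
 will cause any locally generated ICMP packets (e.g. ping output) to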
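--- a/po4a/cmd/iptables-cmd.cfg
+++ b/po4a/cmd/iptables-cmd.cfg
@@ -18,6 +18,9 @@
 [type: man] original/man8/iptables.8 $lang:draft/man8/iptables.8 \
 add_$lang:?po4a/add_$lang/copyright/iptables.8.txt
 
+[type: man] original/man8/iptables-extensions.8 $lang:draft/man8/iptables-extensions.8 \
+ add_$lang:?po4a/add_$lang/copyright/iptables-extensions.8.txt
+
 [type: man] original/man8/iptables-apply.8 $lang:draft/man8/iptables-apply.8 \
 add_$lang:?po4a/add_$lang/copyright/iptables-apply.8.txt
 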
--- a/po4a/cmd/iptables-cmd.pot
+++ b/po4a/cmd/iptables-cmd.pot
@@ -7,7 +7,7 @@
77 msgid ""
88 msgstr ""
99 "Project-Id-Version: PACKAGE VERSION\n"
10-"POT-Creation-Date: 2012-05-10 06:40+0900\n"
10+"POT-Creation-Date: 2013-04-03 12:30+0900\n"
1111 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
1212 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
1313 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -46,7 +46,7 @@ msgstr ""
4646 #. along with this program; if not, write to the Free Software
4747 #. Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
4848 #. type: SH
49-#: original/man8/ip6tables-restore.8:21 original/man8/ip6tables-save.8:21 original/man8/ip6tables.8:27 original/man8/iptables-restore.8:21 original/man8/iptables-save.8:21 original/man8/iptables.8:25 original/man8/iptables-apply.8:8 original/man1/iptables-xml.1:21
49+#: original/man8/ip6tables-restore.8:21 original/man8/ip6tables-save.8:21 original/man8/ip6tables.8:27 original/man8/iptables-restore.8:21 original/man8/iptables-save.8:21 original/man8/iptables.8:25 original/man8/iptables-extensions.8:2 original/man8/iptables-apply.8:8 original/man1/iptables-xml.1:21
5050 #, no-wrap
5151 msgid "NAME"
5252 msgstr ""
@@ -57,59 +57,108 @@ msgid "ip6tables-restore \\(em Restore IPv6 Tables"
5757 msgstr ""
5858
5959 #. type: SH
60-#: original/man8/ip6tables-restore.8:23 original/man8/ip6tables-save.8:23 original/man8/ip6tables.8:29 original/man8/iptables-restore.8:23 original/man8/iptables-save.8:23 original/man8/iptables.8:27 original/man8/iptables-apply.8:10 original/man1/iptables-xml.1:23
60+#: original/man8/ip6tables-restore.8:23 original/man8/ip6tables-save.8:23 original/man8/ip6tables.8:29 original/man8/iptables-restore.8:23 original/man8/iptables-save.8:23 original/man8/iptables.8:27 original/man8/iptables-extensions.8:4 original/man8/iptables-apply.8:10 original/man1/iptables-xml.1:23
6161 #, no-wrap
6262 msgid "SYNOPSIS"
6363 msgstr ""
6464
6565 #. type: Plain text
66-#: original/man8/ip6tables-restore.8:25
67-msgid "B<ip6tables-restore> [B<-c>] [B<-n>]"
66+#: original/man8/ip6tables-restore.8:26
67+msgid "B<ip6tables-restore> [B<-chntv>] [B<-M> I<modprobe>] [B<-T> I<name>]"
6868 msgstr ""
6969
7070 #. type: SH
71-#: original/man8/ip6tables-restore.8:25 original/man8/ip6tables-save.8:26 original/man8/ip6tables.8:55 original/man8/iptables-restore.8:25 original/man8/iptables-save.8:26 original/man8/iptables.8:54 original/man8/iptables-apply.8:12 original/man1/iptables-xml.1:25
71+#: original/man8/ip6tables-restore.8:26 original/man8/ip6tables-save.8:26 original/man8/ip6tables.8:55 original/man8/iptables-restore.8:26 original/man8/iptables-save.8:26 original/man8/iptables.8:54 original/man8/iptables-apply.8:12 original/man1/iptables-xml.1:25
7272 #, no-wrap
7373 msgid "DESCRIPTION"
7474 msgstr ""
7575
7676 #. type: Plain text
77-#: original/man8/ip6tables-restore.8:30
77+#: original/man8/ip6tables-restore.8:31
7878 msgid ""
7979 "B<ip6tables-restore> is used to restore IPv6 Tables from data specified on "
8080 "STDIN. Use I/O redirection provided by your shell to read from a file"
8181 msgstr ""
8282
8383 #. type: TP
84-#: original/man8/ip6tables-restore.8:30 original/man8/ip6tables-save.8:35 original/man8/iptables-restore.8:30 original/man8/iptables-save.8:35
84+#: original/man8/ip6tables-restore.8:31 original/man8/ip6tables-save.8:35 original/man8/iptables-restore.8:31 original/man8/iptables-save.8:35
8585 #, no-wrap
8686 msgid "B<-c>, B<--counters>"
8787 msgstr ""
8888
8989 #. type: Plain text
90-#: original/man8/ip6tables-restore.8:33 original/man8/iptables-restore.8:33
90+#: original/man8/ip6tables-restore.8:34 original/man8/iptables-restore.8:34
9191 msgid "restore the values of all packet and byte counters"
9292 msgstr ""
9393
9494 #. type: TP
95-#: original/man8/ip6tables-restore.8:33 original/man8/iptables-restore.8:33
95+#: original/man8/ip6tables-restore.8:34 original/man8/iptables-restore.8:34 original/man8/iptables-apply.8:28
96+#, no-wrap
97+msgid "B<-h>, B<--help>"
98+msgstr ""
99+
100+#. type: Plain text
101+#: original/man8/ip6tables-restore.8:37 original/man8/iptables-restore.8:37
102+msgid "Print a short option summary."
103+msgstr ""
104+
105+#. type: TP
106+#: original/man8/ip6tables-restore.8:37 original/man8/iptables-restore.8:37
96107 #, no-wrap
97108 msgid "B<-n>, B<--noflush> "
98109 msgstr ""
99110
100111 #. type: Plain text
101-#: original/man8/ip6tables-restore.8:36
102-msgid "don't flush the previous contents of the table. If not specified,"
112+#: original/man8/ip6tables-restore.8:42
113+msgid ""
114+"don't flush the previous contents of the table. If not specified, "
115+"B<ip6tables-restore> flushes (deletes) all previous contents of the "
116+"respective table."
117+msgstr ""
118+
119+#. type: TP
120+#: original/man8/ip6tables-restore.8:42 original/man8/iptables-restore.8:42
121+#, no-wrap
122+msgid "B<-t>, B<--test>"
123+msgstr ""
124+
125+#. type: Plain text
126+#: original/man8/ip6tables-restore.8:45 original/man8/iptables-restore.8:45
127+msgid "Only parse and construct the ruleset, but do not commit it."
128+msgstr ""
129+
130+#. type: TP
131+#: original/man8/ip6tables-restore.8:45 original/man8/ip6tables.8:355 original/man8/iptables-restore.8:45 original/man8/iptables.8:343 original/man1/iptables-xml.1:38
132+#, no-wrap
133+msgid "B<-v>, B<--verbose>"
134+msgstr ""
135+
136+#. type: Plain text
137+#: original/man8/ip6tables-restore.8:48 original/man8/iptables-restore.8:48
138+msgid "Print additional debug info during ruleset processing."
139+msgstr ""
140+
141+#. type: TP
142+#: original/man8/ip6tables-restore.8:48 original/man8/iptables-restore.8:48
143+#, no-wrap
144+msgid "B<-M>, B<--modprobe> I<modprobe_program>"
145+msgstr ""
146+
147+#. type: Plain text
148+#: original/man8/ip6tables-restore.8:52
149+msgid ""
150+"Specify the path to the modprobe program. By default, ip6tables-restore will "
151+"inspect /proc/sys/kernel/modprobe to determine the executable's path."
103152 msgstr ""
104153
105154 #. type: TP
106-#: original/man8/ip6tables-restore.8:36 original/man8/iptables-restore.8:38
155+#: original/man8/ip6tables-restore.8:52 original/man8/iptables-restore.8:52
107156 #, no-wrap
108157 msgid "B<-T>, B<--table> I<name>"
109158 msgstr ""
110159
111160 #. type: Plain text
112-#: original/man8/ip6tables-restore.8:41
161+#: original/man8/ip6tables-restore.8:57
113162 msgid ""
114163 "Restore only the named table even if the input stream contains other ones. "
115164 "B<ip6tables-restore> flushes (deletes) all previous contents of the "
@@ -117,45 +166,45 @@ msgid ""
117166 msgstr ""
118167
119168 #. type: SH
120-#: original/man8/ip6tables-restore.8:41 original/man8/ip6tables-save.8:42 original/man8/ip6tables.8:2447 original/man8/iptables-restore.8:41 original/man8/iptables-save.8:42 original/man8/iptables.8:2606 original/man1/iptables-xml.1:82
169+#: original/man8/ip6tables-restore.8:57 original/man8/ip6tables-save.8:42 original/man8/ip6tables.8:395 original/man8/iptables-restore.8:55 original/man8/iptables-save.8:42 original/man8/iptables.8:383 original/man1/iptables-xml.1:82
121170 #, no-wrap
122171 msgid "BUGS"
123172 msgstr ""
124173
125174 #. type: Plain text
126-#: original/man8/ip6tables-restore.8:43 original/man8/ip6tables-save.8:44 original/man8/iptables-restore.8:43 original/man8/iptables-save.8:44
175+#: original/man8/ip6tables-restore.8:59 original/man8/ip6tables-save.8:44 original/man8/iptables-restore.8:57 original/man8/iptables-save.8:44
127176 msgid "None known as of iptables-1.2.1 release"
128177 msgstr ""
129178
130179 #. type: SH
131-#: original/man8/ip6tables-restore.8:43 original/man8/ip6tables-save.8:44 original/man8/ip6tables.8:2480 original/man8/iptables.8:2650
180+#: original/man8/ip6tables-restore.8:59 original/man8/ip6tables-save.8:44 original/man8/ip6tables.8:430 original/man8/iptables.8:429
132181 #, no-wrap
133182 msgid "AUTHORS"
134183 msgstr ""
135184
136185 #. type: Plain text
137-#: original/man8/ip6tables-restore.8:45 original/man8/ip6tables-save.8:46 original/man8/iptables-restore.8:45 original/man8/iptables-save.8:46
186+#: original/man8/ip6tables-restore.8:61 original/man8/ip6tables-save.8:46 original/man8/iptables-restore.8:59 original/man8/iptables-save.8:46
138187 msgid "Harald Welte E<lt>laforge@gnumonks.orgE<gt>"
139188 msgstr ""
140189
141190 #. type: Plain text
142-#: original/man8/ip6tables-restore.8:47 original/man8/ip6tables-save.8:48
191+#: original/man8/ip6tables-restore.8:63 original/man8/ip6tables-save.8:48
143192 msgid "Andras Kis-Szabo E<lt>kisza@sch.bme.huE<gt>"
144193 msgstr ""
145194
146195 #. type: SH
147-#: original/man8/ip6tables-restore.8:47 original/man8/ip6tables-save.8:48 original/man8/ip6tables.8:2464 original/man8/iptables-restore.8:45 original/man8/iptables-save.8:46 original/man8/iptables.8:2634 original/man8/iptables-apply.8:34 original/man1/iptables-xml.1:86
196+#: original/man8/ip6tables-restore.8:63 original/man8/ip6tables-save.8:48 original/man8/ip6tables.8:412 original/man8/iptables-restore.8:59 original/man8/iptables-save.8:46 original/man8/iptables.8:411 original/man8/iptables-apply.8:34 original/man1/iptables-xml.1:86
148197 #, no-wrap
149198 msgid "SEE ALSO"
150199 msgstr ""
151200
152201 #. type: Plain text
153-#: original/man8/ip6tables-restore.8:49
202+#: original/man8/ip6tables-restore.8:65
154203 msgid "B<ip6tables-save>(8), B<ip6tables>(8)"
155204 msgstr ""
156205
157206 #. type: Plain text
158-#: original/man8/ip6tables-restore.8:52 original/man8/ip6tables-save.8:53 original/man8/iptables-restore.8:50 original/man8/iptables-save.8:51
207+#: original/man8/ip6tables-restore.8:68 original/man8/ip6tables-save.8:53 original/man8/iptables-restore.8:64 original/man8/iptables-save.8:51
159208 msgid ""
160209 "The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO, which "
161210 "details NAT, and the netfilter-hacking-HOWTO which details the internals."
@@ -228,9 +277,9 @@ msgid "IP6TABLES"
228277 msgstr ""
229278
230279 #. type: TH
231-#: original/man8/ip6tables.8:1 original/man8/ip6tables.8:1 original/man8/iptables.8:1 original/man8/iptables.8:1
280+#: original/man8/ip6tables.8:1 original/man8/ip6tables.8:1 original/man8/iptables.8:1 original/man8/iptables.8:1 original/man8/iptables-extensions.8:1 original/man8/iptables-extensions.8:1
232281 #, no-wrap
233-msgid "iptables 1.4.13"
282+msgid "iptables 1.4.18"
234283 msgstr ""
235284
236285 #. type: Plain text
@@ -355,8 +404,8 @@ msgstr ""
355404 #. type: Plain text
356405 #: original/man8/ip6tables.8:93 original/man8/iptables.8:92
357406 msgid ""
358-"There are currently three independent tables (which tables are present at "
359-"any time depends on the kernel configuration options and which modules are "
407+"There are currently five independent tables (which tables are present at any "
408+"time depends on the kernel configuration options and which modules are "
360409 "present)."
361410 msgstr ""
362411
@@ -396,13 +445,29 @@ msgid ""
396445 msgstr ""
397446
398447 #. type: TP
399-#: original/man8/ip6tables.8:108 original/man8/iptables.8:114
448+#: original/man8/ip6tables.8:108 original/man8/iptables.8:107
449+#, no-wrap
450+msgid "B<nat>:"
451+msgstr ""
452+
453+#. type: Plain text
454+#: original/man8/ip6tables.8:115
455+msgid ""
456+"This table is consulted when a packet that creates a new connection is "
457+"encountered. It consists of three built-ins: B<PREROUTING> (for altering "
458+"packets as soon as they come in), B<OUTPUT> (for altering locally-generated "
459+"packets before routing), and B<POSTROUTING> (for altering packets as they "
460+"are about to go out). Available since kernel 3.7."
461+msgstr ""
462+
463+#. type: TP
464+#: original/man8/ip6tables.8:115 original/man8/iptables.8:114
400465 #, no-wrap
401466 msgid "B<mangle>:"
402467 msgstr ""
403468
404469 #. type: Plain text
405-#: original/man8/ip6tables.8:118 original/man8/iptables.8:124
470+#: original/man8/ip6tables.8:125 original/man8/iptables.8:124
406471 msgid ""
407472 "This table is used for specialized packet alteration. Until kernel 2.4.17 "
408473 "it had two built-in chains: B<PREROUTING> (for altering incoming packets "
@@ -414,13 +479,13 @@ msgid ""
414479 msgstr ""
415480
416481 #. type: TP
417-#: original/man8/ip6tables.8:118 original/man8/iptables.8:124
482+#: original/man8/ip6tables.8:125 original/man8/iptables.8:124
418483 #, no-wrap
419484 msgid "B<raw>:"
420485 msgstr ""
421486
422487 #. type: Plain text
423-#: original/man8/ip6tables.8:126 original/man8/iptables.8:132
488+#: original/man8/ip6tables.8:133 original/man8/iptables.8:132
424489 msgid ""
425490 "This table is used mainly for configuring exemptions from connection "
426491 "tracking in combination with the NOTRACK target. It registers at the "
@@ -431,13 +496,13 @@ msgid ""
431496 msgstr ""
432497
433498 #. type: TP
434-#: original/man8/ip6tables.8:126 original/man8/iptables.8:132
499+#: original/man8/ip6tables.8:133 original/man8/iptables.8:132
435500 #, no-wrap
436501 msgid "B<security>:"
437502 msgstr ""
438503
439504 #. type: Plain text
440-#: original/man8/ip6tables.8:137 original/man8/iptables.8:143
505+#: original/man8/ip6tables.8:144 original/man8/iptables.8:143
441506 msgid ""
442507 "This table is used for Mandatory Access Control (MAC) networking rules, such "
443508 "as those enabled by the B<SECMARK> and B<CONNSECMARK> targets. Mandatory "
@@ -451,26 +516,26 @@ msgid ""
451516 msgstr ""
452517
453518 #. type: SH
454-#: original/man8/ip6tables.8:138 original/man8/iptables.8:144 original/man8/iptables-apply.8:23
519+#: original/man8/ip6tables.8:145 original/man8/iptables.8:144 original/man8/iptables-apply.8:23
455520 #, no-wrap
456521 msgid "OPTIONS"
457522 msgstr ""
458523
459524 #. type: Plain text
460-#: original/man8/ip6tables.8:141
525+#: original/man8/ip6tables.8:148
461526 msgid ""
462527 "The options that are recognized by B<ip6tables> can be divided into several "
463528 "different groups."
464529 msgstr ""
465530
466531 #. type: SS
467-#: original/man8/ip6tables.8:141 original/man8/iptables.8:147
532+#: original/man8/ip6tables.8:148 original/man8/iptables.8:147
468533 #, no-wrap
469534 msgid "COMMANDS"
470535 msgstr ""
471536
472537 #. type: Plain text
473-#: original/man8/ip6tables.8:147
538+#: original/man8/ip6tables.8:154
474539 msgid ""
475540 "These options specify the specific action to perform. Only one of them can "
476541 "be specified on the command line unless otherwise specified below. For all "
@@ -480,13 +545,13 @@ msgid ""
480545 msgstr ""
481546
482547 #. type: TP
483-#: original/man8/ip6tables.8:147 original/man8/ip6tables.8:230 original/man8/iptables.8:153
548+#: original/man8/ip6tables.8:154 original/man8/ip6tables.8:237 original/man8/iptables.8:153
484549 #, no-wrap
485550 msgid "B<-A>, B<--append> I<chain rule-specification>"
486551 msgstr ""
487552
488553 #. type: Plain text
489-#: original/man8/ip6tables.8:152 original/man8/ip6tables.8:235 original/man8/iptables.8:158
554+#: original/man8/ip6tables.8:159 original/man8/ip6tables.8:242 original/man8/iptables.8:158
490555 msgid ""
491556 "Append one or more rules to the end of the selected chain. When the source "
492557 "and/or destination names resolve to more than one address, a rule will be "
@@ -494,13 +559,13 @@ msgid ""
494559 msgstr ""
495560
496561 #. type: TP
497-#: original/man8/ip6tables.8:152 original/man8/iptables.8:158
562+#: original/man8/ip6tables.8:159 original/man8/iptables.8:158
498563 #, no-wrap
499564 msgid "B<-C>, B<--check> I<chain rule-specification>"
500565 msgstr ""
501566
502567 #. type: Plain text
503-#: original/man8/ip6tables.8:158 original/man8/iptables.8:164
568+#: original/man8/ip6tables.8:165 original/man8/iptables.8:164
504569 msgid ""
505570 "Check whether a rule matching the specification does exist in the selected "
506571 "chain. This command uses the same logic as B<-D> to find a matching entry, "
@@ -509,19 +574,19 @@ msgid ""
509574 msgstr ""
510575
511576 #. type: TP
512-#: original/man8/ip6tables.8:158 original/man8/iptables.8:164
577+#: original/man8/ip6tables.8:165 original/man8/iptables.8:164
513578 #, no-wrap
514579 msgid "B<-D>, B<--delete> I<chain rule-specification>"
515580 msgstr ""
516581
517582 #. type: TP
518-#: original/man8/ip6tables.8:161 original/man8/iptables.8:167
583+#: original/man8/ip6tables.8:168 original/man8/iptables.8:167
519584 #, no-wrap
520585 msgid "B<-D>, B<--delete> I<chain rulenum>"
521586 msgstr ""
522587
523588 #. type: Plain text
524-#: original/man8/ip6tables.8:166 original/man8/iptables.8:172
589+#: original/man8/ip6tables.8:173 original/man8/iptables.8:172
525590 msgid ""
526591 "Delete one or more rules from the selected chain. There are two versions of "
527592 "this command: the rule can be specified as a number in the chain (starting "
@@ -529,13 +594,13 @@ msgid ""
529594 msgstr ""
530595
531596 #. type: TP
532-#: original/man8/ip6tables.8:166 original/man8/iptables.8:172
597+#: original/man8/ip6tables.8:173 original/man8/iptables.8:172
533598 #, no-wrap
534599 msgid "B<-I>, B<--insert> I<chain> [I<rulenum>] I<rule-specification>"
535600 msgstr ""
536601
537602 #. type: Plain text
538-#: original/man8/ip6tables.8:172 original/man8/iptables.8:178
603+#: original/man8/ip6tables.8:179 original/man8/iptables.8:178
539604 msgid ""
540605 "Insert one or more rules in the selected chain as the given rule number. "
541606 "So, if the rule number is 1, the rule or rules are inserted at the head of "
@@ -543,13 +608,13 @@ msgid ""
543608 msgstr ""
544609
545610 #. type: TP
546-#: original/man8/ip6tables.8:172 original/man8/iptables.8:178
611+#: original/man8/ip6tables.8:179 original/man8/iptables.8:178
547612 #, no-wrap
548613 msgid "B<-R>, B<--replace> I<chain rulenum rule-specification>"
549614 msgstr ""
550615
551616 #. type: Plain text
552-#: original/man8/ip6tables.8:177 original/man8/iptables.8:183
617+#: original/man8/ip6tables.8:184 original/man8/iptables.8:183
553618 msgid ""
554619 "Replace a rule in the selected chain. If the source and/or destination "
555620 "names resolve to multiple addresses, the command will fail. Rules are "
@@ -557,13 +622,13 @@ msgid ""
557622 msgstr ""
558623
559624 #. type: TP
560-#: original/man8/ip6tables.8:177 original/man8/iptables.8:183
625+#: original/man8/ip6tables.8:184 original/man8/iptables.8:183
561626 #, no-wrap
562627 msgid "B<-L>, B<--list> [I<chain>]"
563628 msgstr ""
564629
565630 #. type: Plain text
566-#: original/man8/ip6tables.8:182
631+#: original/man8/ip6tables.8:189
567632 msgid ""
568633 "List all rules in the selected chain. If no chain is selected, all chains "
569634 "are listed. Like every other ip6tables command, it applies to the specified "
@@ -571,7 +636,7 @@ msgid ""
571636 msgstr ""
572637
573638 #. type: Plain text
574-#: original/man8/ip6tables.8:189 original/man8/iptables.8:197
639+#: original/man8/ip6tables.8:196 original/man8/iptables.8:197
575640 msgid ""
576641 "Please note that it is often used with the B<-n> option, in order to avoid "
577642 "long reverse DNS lookups. It is legal to specify the B<-Z> (zero) option as "
@@ -581,19 +646,19 @@ msgid ""
581646 msgstr ""
582647
583648 #. type: Plain text
584-#: original/man8/ip6tables.8:191
649+#: original/man8/ip6tables.8:198
585650 #, no-wrap
586651 msgid " ip6tables -L -v\n"
587652 msgstr ""
588653
589654 #. type: TP
590-#: original/man8/ip6tables.8:192 original/man8/iptables.8:200
655+#: original/man8/ip6tables.8:199 original/man8/iptables.8:200
591656 #, no-wrap
592657 msgid "B<-S>, B<--list-rules> [I<chain>]"
593658 msgstr ""
594659
595660 #. type: Plain text
596-#: original/man8/ip6tables.8:197
661+#: original/man8/ip6tables.8:204
597662 msgid ""
598663 "Print all rules in the selected chain. If no chain is selected, all chains "
599664 "are printed like ip6tables-save. Like every other ip6tables command, it "
@@ -601,26 +666,26 @@ msgid ""
601666 msgstr ""
602667
603668 #. type: TP
604-#: original/man8/ip6tables.8:197 original/man8/iptables.8:205
669+#: original/man8/ip6tables.8:204 original/man8/iptables.8:205
605670 #, no-wrap
606671 msgid "B<-F>, B<--flush> [I<chain>]"
607672 msgstr ""
608673
609674 #. type: Plain text
610-#: original/man8/ip6tables.8:201 original/man8/iptables.8:209
675+#: original/man8/ip6tables.8:208 original/man8/iptables.8:209
611676 msgid ""
612677 "Flush the selected chain (all the chains in the table if none is given). "
613678 "This is equivalent to deleting all the rules one by one."
614679 msgstr ""
615680
616681 #. type: TP
617-#: original/man8/ip6tables.8:201 original/man8/iptables.8:209
682+#: original/man8/ip6tables.8:208 original/man8/iptables.8:209
618683 #, no-wrap
619684 msgid "B<-Z>, B<--zero> [I<chain> [I<rulenum>]]"
620685 msgstr ""
621686
622687 #. type: Plain text
623-#: original/man8/ip6tables.8:209 original/man8/iptables.8:217
688+#: original/man8/ip6tables.8:216 original/man8/iptables.8:217
624689 msgid ""
625690 "Zero the packet and byte counters in all chains, or only the given chain, or "
626691 "only the given rule in a chain. It is legal to specify the B<-L>, B<--list> "
@@ -629,26 +694,26 @@ msgid ""
629694 msgstr ""
630695
631696 #. type: TP
632-#: original/man8/ip6tables.8:209 original/man8/iptables.8:217
697+#: original/man8/ip6tables.8:216 original/man8/iptables.8:217
633698 #, no-wrap
634699 msgid "B<-N>, B<--new-chain> I<chain>"
635700 msgstr ""
636701
637702 #. type: Plain text
638-#: original/man8/ip6tables.8:213 original/man8/iptables.8:221
703+#: original/man8/ip6tables.8:220 original/man8/iptables.8:221
639704 msgid ""
640705 "Create a new user-defined chain by the given name. There must be no target "
641706 "of that name already."
642707 msgstr ""
643708
644709 #. type: TP
645-#: original/man8/ip6tables.8:213 original/man8/iptables.8:221
710+#: original/man8/ip6tables.8:220 original/man8/iptables.8:221
646711 #, no-wrap
647712 msgid "B<-X>, B<--delete-chain> [I<chain>]"
648713 msgstr ""
649714
650715 #. type: Plain text
651-#: original/man8/ip6tables.8:220 original/man8/iptables.8:228
716+#: original/man8/ip6tables.8:227 original/man8/iptables.8:228
652717 msgid ""
653718 "Delete the optional user-defined chain specified. There must be no "
654719 "references to the chain. If there are, you must delete or replace the "
@@ -658,13 +723,13 @@ msgid ""
658723 msgstr ""
659724
660725 #. type: TP
661-#: original/man8/ip6tables.8:220 original/man8/iptables.8:228
726+#: original/man8/ip6tables.8:227 original/man8/iptables.8:228
662727 #, no-wrap
663728 msgid "B<-P>, B<--policy> I<chain target>"
664729 msgstr ""
665730
666731 #. type: Plain text
667-#: original/man8/ip6tables.8:226 original/man8/iptables.8:234
732+#: original/man8/ip6tables.8:233 original/man8/iptables.8:234
668733 msgid ""
669734 "Set the policy for the chain to the given target. See the section "
670735 "B<TARGETS> for the legal targets. Only built-in (non-user-defined) chains "
@@ -673,50 +738,76 @@ msgid ""
673738 msgstr ""
674739
675740 #. type: TP
676-#: original/man8/ip6tables.8:226 original/man8/iptables.8:234
741+#: original/man8/ip6tables.8:233 original/man8/iptables.8:234
677742 #, no-wrap
678743 msgid "B<-E>, B<--rename-chain> I<old-chain new-chain>"
679744 msgstr ""
680745
681746 #. type: Plain text
682-#: original/man8/ip6tables.8:230 original/man8/iptables.8:238
747+#: original/man8/ip6tables.8:237 original/man8/iptables.8:238
683748 msgid ""
684749 "Rename the user specified chain to the user supplied name. This is "
685750 "cosmetic, and has no effect on the structure of the table."
686751 msgstr ""
687752
688753 #. type: TP
689-#: original/man8/ip6tables.8:235 original/man8/iptables.8:238
754+#: original/man8/ip6tables.8:242 original/man8/iptables.8:238
690755 #, no-wrap
691756 msgid "B<-h>"
692757 msgstr ""
693758
694759 #. type: Plain text
695-#: original/man8/ip6tables.8:239 original/man8/iptables.8:242
760+#: original/man8/ip6tables.8:246 original/man8/iptables.8:242
696761 msgid "Help. Give a (currently very brief) description of the command syntax."
697762 msgstr ""
698763
699764 #. type: SS
700-#: original/man8/ip6tables.8:239 original/man8/iptables.8:242
765+#: original/man8/ip6tables.8:246 original/man8/iptables.8:242
701766 #, no-wrap
702767 msgid "PARAMETERS"
703768 msgstr ""
704769
705770 #. type: Plain text
706-#: original/man8/ip6tables.8:242 original/man8/iptables.8:245
771+#: original/man8/ip6tables.8:249 original/man8/iptables.8:245
707772 msgid ""
708773 "The following parameters make up a rule specification (as used in the add, "
709774 "delete, insert, replace and append commands)."
710775 msgstr ""
711776
712777 #. type: TP
713-#: original/man8/ip6tables.8:242 original/man8/iptables.8:245
778+#: original/man8/ip6tables.8:249 original/man8/iptables.8:245
779+#, no-wrap
780+msgid "B<-4>, B<--ipv4>"
781+msgstr ""
782+
783+#. type: Plain text
784+#: original/man8/ip6tables.8:255
785+msgid ""
786+"If a rule using the B<-4> option is inserted with (and only with) "
787+"ip6tables-restore, it will be silently ignored. Any other uses will throw an "
788+"error. This option allows to put both IPv4 and IPv6 rules in a single rule "
789+"file for use with both iptables-restore and ip6tables-restore."
790+msgstr ""
791+
792+#. type: TP
793+#: original/man8/ip6tables.8:255 original/man8/iptables.8:248
794+#, no-wrap
795+msgid "B<-6>, B<--ipv6>"
796+msgstr ""
797+
798+#. type: Plain text
799+#: original/man8/ip6tables.8:258
800+msgid "This option has no effect in ip6tables and ip6tables-restore."
801+msgstr ""
802+
803+#. type: TP
804+#: original/man8/ip6tables.8:258 original/man8/iptables.8:254
714805 #, no-wrap
715806 msgid "[B<!>] B<-p>, B<--protocol> I<protocol>"
716807 msgstr ""
717808
718809 #. type: Plain text
719-#: original/man8/ip6tables.8:260
810+#: original/man8/ip6tables.8:276
720811 msgid ""
721812 "The protocol of the rule or of the packet to check. The specified protocol "
722813 "can be one of B<tcp>, B<udp>, B<udplite>, B<icmpv6>, B<esp>, B<mh> or the "
@@ -733,13 +824,13 @@ msgid ""
733824 msgstr ""
734825
735826 #. type: TP
736-#: original/man8/ip6tables.8:260
827+#: original/man8/ip6tables.8:276
737828 #, no-wrap
738829 msgid "[B<!>] B<-s>, B<--source> I<address>[B</>I<mask>]"
739830 msgstr ""
740831
741832 #. type: Plain text
742-#: original/man8/ip6tables.8:277
833+#: original/man8/ip6tables.8:293
743834 msgid ""
744835 "Source specification. I<Address> can be either be a hostname, a network IP "
745836 "address (with B</>I<mask>), or a plain IP address. Names will be resolved "
@@ -755,13 +846,13 @@ msgid ""
755846 msgstr ""
756847
757848 #. type: TP
758-#: original/man8/ip6tables.8:277
849+#: original/man8/ip6tables.8:293
759850 #, no-wrap
760851 msgid "[B<!>] B<-d>, B<--destination> I<address>[B</>I<mask>]"
761852 msgstr ""
762853
763854 #. type: Plain text
764-#: original/man8/ip6tables.8:283 original/man8/iptables.8:279
855+#: original/man8/ip6tables.8:299 original/man8/iptables.8:288
765856 msgid ""
766857 "Destination specification. See the description of the B<-s> (source) flag "
767858 "for a detailed description of the syntax. The flag B<--dst> is an alias for "
@@ -769,13 +860,29 @@ msgid ""
769860 msgstr ""
770861
771862 #. type: TP
772-#: original/man8/ip6tables.8:283 original/man8/iptables.8:279
863+#: original/man8/ip6tables.8:299 original/man8/iptables.8:288
864+#, no-wrap
865+msgid "B<-m>, B<--match> I<match>"
866+msgstr ""
867+
868+#. type: Plain text
869+#: original/man8/ip6tables.8:306 original/man8/iptables.8:295
870+msgid ""
871+"Specifies a match to use, that is, an extension module that tests for a "
872+"specific property. The set of matches make up the condition under which a "
873+"target is invoked. Matches are evaluated first to last as specified on the "
874+"command line and work in short-circuit fashion, i.e. if one extension yields "
875+"false, evaluation will stop."
876+msgstr ""
877+
878+#. type: TP
879+#: original/man8/ip6tables.8:306 original/man8/iptables.8:295
773880 #, no-wrap
774881 msgid "B<-j>, B<--jump> I<target>"
775882 msgstr ""
776883
777884 #. type: Plain text
778-#: original/man8/ip6tables.8:294 original/man8/iptables.8:290
885+#: original/man8/ip6tables.8:317 original/man8/iptables.8:306
779886 msgid ""
780887 "This specifies the target of the rule; i.e., what to do if the packet "
781888 "matches it. The target can be a user-defined chain (other than the one this "
@@ -787,13 +894,13 @@ msgid ""
787894 msgstr ""
788895
789896 #. type: TP
790-#: original/man8/ip6tables.8:294 original/man8/iptables.8:290
897+#: original/man8/ip6tables.8:317 original/man8/iptables.8:306
791898 #, no-wrap
792899 msgid "B<-g>, B<--goto> I<chain>"
793900 msgstr ""
794901
795902 #. type: Plain text
796-#: original/man8/ip6tables.8:300 original/man8/iptables.8:296
903+#: original/man8/ip6tables.8:323 original/man8/iptables.8:312
797904 msgid ""
798905 "This specifies that the processing should continue in a user specified "
799906 "chain. Unlike the --jump option return will not continue processing in this "
@@ -801,13 +908,13 @@ msgid ""
801908 msgstr ""
802909
803910 #. type: TP
804-#: original/man8/ip6tables.8:300 original/man8/iptables.8:296
911+#: original/man8/ip6tables.8:323 original/man8/iptables.8:312
805912 #, no-wrap
806913 msgid "[B<!>] B<-i>, B<--in-interface> I<name>"
807914 msgstr ""
808915
809916 #. type: Plain text
810-#: original/man8/ip6tables.8:308 original/man8/iptables.8:304
917+#: original/man8/ip6tables.8:331 original/man8/iptables.8:320
811918 msgid ""
812919 "Name of an interface via which a packet was received (only for packets "
813920 "entering the B<INPUT>, B<FORWARD> and B<PREROUTING> chains). When the \"!\" "
@@ -817,13 +924,13 @@ msgid ""
817924 msgstr ""
818925
819926 #. type: TP
820-#: original/man8/ip6tables.8:308 original/man8/iptables.8:304
927+#: original/man8/ip6tables.8:331 original/man8/iptables.8:320
821928 #, no-wrap
822929 msgid "[B<!>] B<-o>, B<--out-interface> I<name>"
823930 msgstr ""
824931
825932 #. type: Plain text
826-#: original/man8/ip6tables.8:325 original/man8/iptables.8:312
933+#: original/man8/ip6tables.8:348 original/man8/iptables.8:328
827934 msgid ""
828935 "Name of an interface via which a packet is going to be sent (for packets "
829936 "entering the B<FORWARD>, B<OUTPUT> and B<POSTROUTING> chains). When the "
@@ -834,37 +941,31 @@ msgid ""
834941 msgstr ""
835942
836943 #. type: TP
837-#: original/man8/ip6tables.8:325 original/man8/iptables.8:320
944+#: original/man8/ip6tables.8:348 original/man8/iptables.8:336
838945 #, no-wrap
839946 msgid "B<-c>, B<--set-counters> I<packets bytes>"
840947 msgstr ""
841948
842949 #. type: Plain text
843-#: original/man8/ip6tables.8:330 original/man8/iptables.8:325
950+#: original/man8/ip6tables.8:353 original/man8/iptables.8:341
844951 msgid ""
845952 "This enables the administrator to initialize the packet and byte counters of "
846953 "a rule (during B<INSERT>, B<APPEND>, B<REPLACE> operations)."
847954 msgstr ""
848955
849956 #. type: SS
850-#: original/man8/ip6tables.8:330 original/man8/iptables.8:325
957+#: original/man8/ip6tables.8:353 original/man8/iptables.8:341
851958 #, no-wrap
852959 msgid "OTHER OPTIONS"
853960 msgstr ""
854961
855962 #. type: Plain text
856-#: original/man8/ip6tables.8:332 original/man8/iptables.8:327
963+#: original/man8/ip6tables.8:355 original/man8/iptables.8:343
857964 msgid "The following additional options can be specified:"
858965 msgstr ""
859966
860-#. type: TP
861-#: original/man8/ip6tables.8:332 original/man8/iptables.8:327 original/man1/iptables-xml.1:38
862-#, no-wrap
863-msgid "B<-v>, B<--verbose>"
864-msgstr ""
865-
866967 #. type: Plain text
867-#: original/man8/ip6tables.8:342 original/man8/iptables.8:337
968+#: original/man8/ip6tables.8:365 original/man8/iptables.8:353
868969 msgid ""
869970 "Verbose output. This option makes the list command show the interface name, "
870971 "the rule options (if any), and the TOS masks. The packet and byte counters "
@@ -876,13 +977,13 @@ msgid ""
876977 msgstr ""
877978
878979 #. type: TP
879-#: original/man8/ip6tables.8:342 original/man8/iptables.8:337
980+#: original/man8/ip6tables.8:365 original/man8/iptables.8:353
880981 #, no-wrap
881982 msgid "B<-n>, B<--numeric>"
882983 msgstr ""
883984
884985 #. type: Plain text
885-#: original/man8/ip6tables.8:348 original/man8/iptables.8:343
986+#: original/man8/ip6tables.8:371 original/man8/iptables.8:359
886987 msgid ""
887988 "Numeric output. IP addresses and port numbers will be printed in numeric "
888989 "format. By default, the program will try to display them as host names, "
@@ -890,13 +991,13 @@ msgid ""
890991 msgstr ""
891992
892993 #. type: TP
893-#: original/man8/ip6tables.8:348 original/man8/iptables.8:343
994+#: original/man8/ip6tables.8:371 original/man8/iptables.8:359
894995 #, no-wrap
895996 msgid "B<-x>, B<--exact>"
896997 msgstr ""
897998
898999 #. type: Plain text
899-#: original/man8/ip6tables.8:355 original/man8/iptables.8:350
1000+#: original/man8/ip6tables.8:378 original/man8/iptables.8:366
9001001 msgid ""
9011002 "Expand numbers. Display the exact value of the packet and byte counters, "
9021003 "instead of only the rounded number in K's (multiples of 1000) M's "
@@ -905,6792 +1006,7354 @@ msgid ""
9051006 msgstr ""
9061007
9071008 #. type: TP
908-#: original/man8/ip6tables.8:355 original/man8/iptables.8:350
1009+#: original/man8/ip6tables.8:378 original/man8/iptables.8:366
9091010 #, no-wrap
9101011 msgid "B<--line-numbers>"
9111012 msgstr ""
9121013
9131014 #. type: Plain text
914-#: original/man8/ip6tables.8:359 original/man8/iptables.8:354
1015+#: original/man8/ip6tables.8:382 original/man8/iptables.8:370
9151016 msgid ""
9161017 "When listing rules, add line numbers to the beginning of each rule, "
9171018 "corresponding to that rule's position in the chain."
9181019 msgstr ""
9191020
9201021 #. type: TP
921-#: original/man8/ip6tables.8:359 original/man8/iptables.8:354
1022+#: original/man8/ip6tables.8:382 original/man8/iptables.8:370
9221023 #, no-wrap
9231024 msgid "B<--modprobe=>I<command>"
9241025 msgstr ""
9251026
9261027 #. type: Plain text
927-#: original/man8/ip6tables.8:363 original/man8/iptables.8:358
1028+#: original/man8/ip6tables.8:386 original/man8/iptables.8:374
9281029 msgid ""
9291030 "When adding or inserting rules into a chain, use I<command> to load any "
9301031 "necessary modules (targets, match extensions, etc)."
9311032 msgstr ""
9321033
9331034 #. type: SH
934-#: original/man8/ip6tables.8:363 original/man8/iptables.8:358
1035+#: original/man8/ip6tables.8:386 original/man8/iptables-extensions.8:10
9351036 #, no-wrap
9361037 msgid "MATCH EXTENSIONS"
9371038 msgstr ""
9381039
9391040 #. type: Plain text
940-#: original/man8/ip6tables.8:373
941-msgid ""
942-"ip6tables can use extended packet matching modules with the B<-m> or "
943-"B<--match> options, followed by the matching module name; after these, "
944-"various extra command line options become available, depending on the "
945-"specific module. You can specify multiple extended match modules in one "
946-"line, and you can use the B<-h> or B<--help> options after the module has "
947-"been specified to receive help specific to that module."
948-msgstr ""
949-
950-#. @MATCH@
951-#. type: Plain text
952-#: original/man8/ip6tables.8:378
1041+#: original/man8/ip6tables.8:390 original/man8/iptables.8:378
9531042 msgid ""
954-"If the B<-p> or B<--protocol> was specified and if and only if an unknown "
955-"option is encountered, ip6tables will try load a match module of the same "
956-"name as the protocol, to try making the option available."
1043+"iptables can use extended packet matching and target modules. A list of "
1044+"these is available in the B<iptables-extensions>(8) manpage."
9571045 msgstr ""
9581046
959-#. type: SS
960-#: original/man8/ip6tables.8:378 original/man8/iptables.8:373
1047+#. type: SH
1048+#: original/man8/ip6tables.8:390 original/man8/iptables.8:378
9611049 #, no-wrap
962-msgid "addrtype"
1050+msgid "DIAGNOSTICS"
9631051 msgstr ""
9641052
9651053 #. type: Plain text
966-#: original/man8/ip6tables.8:383 original/man8/iptables.8:378
1054+#: original/man8/ip6tables.8:395 original/man8/iptables.8:383
9671055 msgid ""
968-"This module matches packets based on their B<address type.> Address types "
969-"are used within the kernel networking stack and categorize addresses into "
970-"various groups. The exact definition of that group depends on the specific "
971-"layer three protocol."
1056+"Various error messages are printed to standard error. The exit code is 0 "
1057+"for correct functioning. Errors which appear to be caused by invalid or "
1058+"abused command line parameters cause an exit code of 2, and other errors "
1059+"cause an exit code of 1."
9721060 msgstr ""
9731061
9741062 #. type: Plain text
975-#: original/man8/ip6tables.8:385 original/man8/iptables.8:380
976-msgid "The following address types are possible:"
1063+#: original/man8/ip6tables.8:398
1064+msgid "Bugs? What's this? ;-) Well... the counters are not reliable on sparc64."
9771065 msgstr ""
9781066
979-#. type: TP
980-#: original/man8/ip6tables.8:385 original/man8/iptables.8:380
1067+#. type: SH
1068+#: original/man8/ip6tables.8:398 original/man8/iptables.8:386
9811069 #, no-wrap
982-msgid "B<UNSPEC>"
1070+msgid "COMPATIBILITY WITH IPCHAINS"
9831071 msgstr ""
9841072
9851073 #. type: Plain text
986-#: original/man8/ip6tables.8:388 original/man8/iptables.8:383
987-msgid "an unspecified address (i.e. 0.0.0.0)"
988-msgstr ""
989-
990-#. type: TP
991-#: original/man8/ip6tables.8:388 original/man8/iptables.8:383
992-#, no-wrap
993-msgid "B<UNICAST>"
1074+#: original/man8/ip6tables.8:407
1075+msgid ""
1076+"This B<ip6tables> is very similar to ipchains by Rusty Russell. The main "
1077+"difference is that the chains B<INPUT> and B<OUTPUT> are only traversed for "
1078+"packets coming into the local host and originating from the local host "
1079+"respectively. Hence every packet only passes through one of the three "
1080+"chains (except loopback traffic, which involves both INPUT and OUTPUT "
1081+"chains); previously a forwarded packet would pass through all three."
9941082 msgstr ""
9951083
9961084 #. type: Plain text
997-#: original/man8/ip6tables.8:391 original/man8/iptables.8:386
998-msgid "an unicast address"
1085+#: original/man8/ip6tables.8:412
1086+msgid ""
1087+"The other main difference is that B<-i> refers to the input interface; B<-o> "
1088+"refers to the output interface, and both are available for packets entering "
1089+"the B<FORWARD> chain. There are several other changes in ip6tables."
9991090 msgstr ""
10001091
1001-#. type: TP
1002-#: original/man8/ip6tables.8:391 original/man8/iptables.8:386
1003-#, no-wrap
1004-msgid "B<LOCAL>"
1092+#. type: Plain text
1093+#: original/man8/ip6tables.8:421
1094+msgid ""
1095+"B<ip6tables-save>(8), B<ip6tables-restore>(8), B<iptables>(8), "
1096+"B<iptables-apply>(8), B<iptables-extensions>(8), B<iptables-save>(8), "
1097+"B<iptables-restore>(8), B<libipq>(3)."
10051098 msgstr ""
10061099
10071100 #. type: Plain text
1008-#: original/man8/ip6tables.8:394 original/man8/iptables.8:389
1009-msgid "a local address"
1101+#: original/man8/ip6tables.8:427
1102+msgid ""
1103+"The packet-filtering-HOWTO details iptables usage for packet filtering, the "
1104+"netfilter-extensions-HOWTO details the extensions that are not in the "
1105+"standard distribution, and the netfilter-hacking-HOWTO details the netfilter "
1106+"internals."
10101107 msgstr ""
10111108
1012-#. type: TP
1013-#: original/man8/ip6tables.8:394 original/man8/iptables.8:389
1014-#, no-wrap
1015-msgid "B<BROADCAST>"
1109+#. type: Plain text
1110+#: original/man8/ip6tables.8:430 original/man8/iptables.8:429
1111+msgid "See B<http://www.netfilter.org/>."
10161112 msgstr ""
10171113
10181114 #. type: Plain text
1019-#: original/man8/ip6tables.8:397 original/man8/iptables.8:392
1020-msgid "a broadcast address"
1115+#: original/man8/ip6tables.8:433
1116+msgid "Rusty Russell wrote iptables, in early consultation with Michael Neuling."
10211117 msgstr ""
10221118
1023-#. type: TP
1024-#: original/man8/ip6tables.8:397 original/man8/iptables.8:392
1025-#, no-wrap
1026-msgid "B<ANYCAST>"
1119+#. type: Plain text
1120+#: original/man8/ip6tables.8:437 original/man8/iptables.8:436
1121+msgid ""
1122+"Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet "
1123+"selection framework in iptables, then wrote the mangle table, the owner "
1124+"match, the mark stuff, and ran around doing cool stuff everywhere."
10271125 msgstr ""
10281126
10291127 #. type: Plain text
1030-#: original/man8/ip6tables.8:400 original/man8/iptables.8:395
1031-msgid "an anycast packet"
1128+#: original/man8/ip6tables.8:439 original/man8/iptables.8:438
1129+msgid "James Morris wrote the TOS target, and tos match."
10321130 msgstr ""
10331131
1034-#. type: TP
1035-#: original/man8/ip6tables.8:400 original/man8/iptables.8:395
1036-#, no-wrap
1037-msgid "B<MULTICAST>"
1132+#. type: Plain text
1133+#: original/man8/ip6tables.8:441 original/man8/iptables.8:440
1134+msgid "Jozsef Kadlecsik wrote the REJECT target."
10381135 msgstr ""
10391136
10401137 #. type: Plain text
1041-#: original/man8/ip6tables.8:403 original/man8/iptables.8:398
1042-msgid "a multicast address"
1138+#: original/man8/ip6tables.8:443
1139+msgid ""
1140+"Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, as well as "
1141+"TTL match+target and libipulog."
10431142 msgstr ""
10441143
1045-#. type: TP
1046-#: original/man8/ip6tables.8:403 original/man8/iptables.8:398
1047-#, no-wrap
1048-msgid "B<BLACKHOLE>"
1144+#. type: Plain text
1145+#: original/man8/ip6tables.8:447 original/man8/iptables.8:446
1146+msgid ""
1147+"The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Yasuyuki "
1148+"Kozakai, Jozsef Kadlecsik, Patrick McHardy, James Morris, Pablo Neira Ayuso, "
1149+"Harald Welte and Rusty Russell."
10491150 msgstr ""
10501151
1152+#. .. and did I mention that we are incredibly cool people?
1153+#. .. sexy, too ..
1154+#. .. witty, charming, powerful ..
1155+#. .. and most of all, modest ..
10511156 #. type: Plain text
1052-#: original/man8/ip6tables.8:406 original/man8/iptables.8:401
1053-msgid "a blackhole address"
1157+#: original/man8/ip6tables.8:454
1158+msgid ""
1159+"ip6tables man page created by Andras Kis-Szabo, based on iptables man page "
1160+"written by Herve Eychenne E<lt>rv@wallfire.orgE<gt>."
10541161 msgstr ""
10551162
1056-#. type: TP
1057-#: original/man8/ip6tables.8:406 original/man8/iptables.8:401
1163+#. type: SH
1164+#: original/man8/ip6tables.8:454 original/man8/iptables.8:452
10581165 #, no-wrap
1059-msgid "B<UNREACHABLE>"
1166+msgid "VERSION"
10601167 msgstr ""
10611168
10621169 #. type: Plain text
1063-#: original/man8/ip6tables.8:409 original/man8/iptables.8:404
1064-msgid "an unreachable address"
1170+#: original/man8/ip6tables.8:456
1171+msgid "This manual page applies to ip6tables 1.4.18."
10651172 msgstr ""
10661173
1067-#. type: TP
1068-#: original/man8/ip6tables.8:409 original/man8/iptables.8:404
1174+#. type: TH
1175+#: original/man8/iptables-restore.8:1
10691176 #, no-wrap
1070-msgid "B<PROHIBIT>"
1177+msgid "IPTABLES-RESTORE"
10711178 msgstr ""
10721179
1073-#. type: Plain text
1074-#: original/man8/ip6tables.8:412 original/man8/iptables.8:407
1075-msgid "a prohibited address"
1180+#. type: TH
1181+#: original/man8/iptables-restore.8:1 original/man8/iptables-save.8:1
1182+#, no-wrap
1183+msgid "Jan 04, 2001"
10761184 msgstr ""
10771185
1078-#. type: TP
1079-#: original/man8/ip6tables.8:412 original/man8/iptables.8:407
1080-#, no-wrap
1081-msgid "B<THROW>"
1186+#. type: Plain text
1187+#: original/man8/iptables-restore.8:23
1188+msgid "iptables-restore \\(em Restore IP Tables"
10821189 msgstr ""
10831190
10841191 #. type: Plain text
1085-#: original/man8/ip6tables.8:415 original/man8/ip6tables.8:418 original/man8/iptables.8:410 original/man8/iptables.8:413
1086-msgid "FIXME"
1192+#: original/man8/iptables-restore.8:26
1193+msgid "B<iptables-restore> [B<-chntv>] [B<-M> I<modprobe>] [B<-T> I<name>]"
10871194 msgstr ""
10881195
1089-#. type: TP
1090-#: original/man8/ip6tables.8:415 original/man8/iptables.8:410
1091-#, no-wrap
1092-msgid "B<NAT>"
1196+#. type: Plain text
1197+#: original/man8/iptables-restore.8:31
1198+msgid ""
1199+"B<iptables-restore> is used to restore IP Tables from data specified on "
1200+"STDIN. Use I/O redirection provided by your shell to read from a file"
10931201 msgstr ""
10941202
1095-#. type: TP
1096-#: original/man8/ip6tables.8:418 original/man8/iptables.8:413
1097-#, no-wrap
1098-msgid "B<XRESOLVE>"
1203+#. type: Plain text
1204+#: original/man8/iptables-restore.8:42
1205+msgid ""
1206+"don't flush the previous contents of the table. If not specified, "
1207+"B<iptables-restore> flushes (deletes) all previous contents of the "
1208+"respective table."
10991209 msgstr ""
11001210
1101-#. type: TP
1102-#: original/man8/ip6tables.8:420 original/man8/iptables.8:415
1103-#, no-wrap
1104-msgid "[B<!>] B<--src-type> I<type>"
1211+#. type: Plain text
1212+#: original/man8/iptables-restore.8:52
1213+msgid ""
1214+"Specify the path to the modprobe program. By default, iptables-restore will "
1215+"inspect /proc/sys/kernel/modprobe to determine the executable's path."
11051216 msgstr ""
11061217
11071218 #. type: Plain text
1108-#: original/man8/ip6tables.8:423 original/man8/iptables.8:418
1109-msgid "Matches if the source address is of given type"
1219+#: original/man8/iptables-restore.8:55
1220+msgid "Restore only the named table even if the input stream contains other ones."
11101221 msgstr ""
11111222
1112-#. type: TP
1113-#: original/man8/ip6tables.8:423 original/man8/iptables.8:418
1223+#. type: SH
1224+#: original/man8/iptables-restore.8:57 original/man8/iptables-save.8:44 original/man1/iptables-xml.1:84
11141225 #, no-wrap
1115-msgid "[B<!>] B<--dst-type> I<type>"
1226+msgid "AUTHOR"
11161227 msgstr ""
11171228
11181229 #. type: Plain text
1119-#: original/man8/ip6tables.8:426 original/man8/iptables.8:421
1120-msgid "Matches if the destination address is of given type"
1230+#: original/man8/iptables-restore.8:61
1231+msgid "B<iptables-save>(8), B<iptables>(8)"
11211232 msgstr ""
11221233
1123-#. type: TP
1124-#: original/man8/ip6tables.8:426 original/man8/iptables.8:421
1234+#. type: TH
1235+#: original/man8/iptables-save.8:1
11251236 #, no-wrap
1126-msgid "B<--limit-iface-in>"
1237+msgid "IPTABLES-SAVE"
11271238 msgstr ""
11281239
11291240 #. type: Plain text
1130-#: original/man8/ip6tables.8:437 original/man8/iptables.8:432
1131-msgid ""
1132-"The address type checking can be limited to the interface the packet is "
1133-"coming in. This option is only valid in the B<PREROUTING>, B<INPUT> and "
1134-"B<FORWARD> chains. It cannot be specified with the B<--limit-iface-out> "
1135-"option."
1241+#: original/man8/iptables-save.8:23
1242+msgid "iptables-save \\(em dump iptables rules to stdout"
11361243 msgstr ""
11371244
1138-#. type: TP
1139-#: original/man8/ip6tables.8:437 original/man8/iptables.8:432
1140-#, no-wrap
1141-msgid "B<--limit-iface-out>"
1245+#. type: Plain text
1246+#: original/man8/iptables-save.8:26
1247+msgid "B<iptables-save> [B<-M> I<modprobe>] [B<-c>] [B<-t> I<table>]"
11421248 msgstr ""
11431249
11441250 #. type: Plain text
1145-#: original/man8/ip6tables.8:448 original/man8/iptables.8:443
1251+#: original/man8/iptables-save.8:31
11461252 msgid ""
1147-"The address type checking can be limited to the interface the packet is "
1148-"going out. This option is only valid in the B<POSTROUTING>, B<OUTPUT> and "
1149-"B<FORWARD> chains. It cannot be specified with the B<--limit-iface-in> "
1150-"option."
1151-msgstr ""
1152-
1153-#. type: SS
1154-#: original/man8/ip6tables.8:448 original/man8/iptables.8:443
1155-#, no-wrap
1156-msgid "ah"
1253+"B<iptables-save> is used to dump the contents of an IP Table in easily "
1254+"parseable format to STDOUT. Use I/O-redirection provided by your shell to "
1255+"write to a file."
11571256 msgstr ""
11581257
11591258 #. type: Plain text
1160-#: original/man8/ip6tables.8:450
1161-msgid ""
1162-"This module matches the parameters in Authentication header of IPsec "
1163-"packets."
1259+#: original/man8/iptables-save.8:48
1260+msgid "B<iptables-restore>(8), B<iptables>(8)"
11641261 msgstr ""
11651262
1166-#. type: TP
1167-#: original/man8/ip6tables.8:450 original/man8/iptables.8:445
1263+#. type: TH
1264+#: original/man8/iptables.8:1
11681265 #, no-wrap
1169-msgid "[B<!>] B<--ahspi> I<spi>[B<:>I<spi>]"
1266+msgid "IPTABLES"
11701267 msgstr ""
11711268
11721269 #. type: Plain text
1173-#: original/man8/ip6tables.8:453
1174-msgid "Matches SPI."
1175-msgstr ""
1176-
1177-#. type: TP
1178-#: original/man8/ip6tables.8:453
1179-#, no-wrap
1180-msgid "[B<!>] B<--ahlen> I<length>"
1270+#: original/man8/iptables.8:27
1271+msgid "iptables \\(em administration tool for IPv4 packet filtering and NAT"
11811272 msgstr ""
11821273
11831274 #. type: Plain text
1184-#: original/man8/ip6tables.8:456 original/man8/ip6tables.8:748 original/man8/ip6tables.8:870
1185-msgid "Total length of this header in octets."
1275+#: original/man8/iptables.8:30
1276+msgid ""
1277+"B<iptables> [B<-t> I<table>] {B<-A>|B<-C>|B<-D>} I<chain> "
1278+"I<rule-specification>"
11861279 msgstr ""
11871280
1188-#. type: TP
1189-#: original/man8/ip6tables.8:456
1190-#, no-wrap
1191-msgid "B<--ahres>"
1281+#. type: Plain text
1282+#: original/man8/iptables.8:32
1283+msgid ""
1284+"B<iptables> [B<-t> I<table>] B<-I> I<chain> [I<rulenum>] "
1285+"I<rule-specification>"
11921286 msgstr ""
11931287
11941288 #. type: Plain text
1195-#: original/man8/ip6tables.8:459
1196-msgid "Matches if the reserved field is filled with zero."
1289+#: original/man8/iptables.8:34
1290+msgid "B<iptables> [B<-t> I<table>] B<-R> I<chain rulenum rule-specification>"
11971291 msgstr ""
11981292
1199-#. type: SS
1200-#: original/man8/ip6tables.8:459 original/man8/iptables.8:447
1201-#, no-wrap
1202-msgid "cluster"
1293+#. type: Plain text
1294+#: original/man8/iptables.8:36
1295+msgid "B<iptables> [B<-t> I<table>] B<-D> I<chain rulenum>"
12031296 msgstr ""
12041297
12051298 #. type: Plain text
1206-#: original/man8/ip6tables.8:462 original/man8/iptables.8:450
1207-msgid ""
1208-"Allows you to deploy gateway and back-end load-sharing clusters without the "
1209-"need of load-balancers."
1299+#: original/man8/iptables.8:38
1300+msgid "B<iptables> [B<-t> I<table>] B<-S> [I<chain> [I<rulenum>]]"
12101301 msgstr ""
12111302
12121303 #. type: Plain text
1213-#: original/man8/ip6tables.8:465 original/man8/iptables.8:453
1304+#: original/man8/iptables.8:40
12141305 msgid ""
1215-"This match requires that all the nodes see the same packets. Thus, the "
1216-"cluster match decides if this node has to handle a packet given the "
1217-"following options:"
1218-msgstr ""
1219-
1220-#. type: TP
1221-#: original/man8/ip6tables.8:465 original/man8/iptables.8:453
1222-#, no-wrap
1223-msgid "B<--cluster-total-nodes> I<num>"
1306+"B<iptables> [B<-t> I<table>] {B<-F>|B<-L>|B<-Z>} [I<chain> [I<rulenum>]] "
1307+"[I<options...>]"
12241308 msgstr ""
12251309
12261310 #. type: Plain text
1227-#: original/man8/ip6tables.8:468 original/man8/iptables.8:456
1228-msgid "Set number of total nodes in cluster."
1229-msgstr ""
1230-
1231-#. type: TP
1232-#: original/man8/ip6tables.8:468 original/man8/iptables.8:456
1233-#, no-wrap
1234-msgid "[B<!>] B<--cluster-local-node> I<num>"
1311+#: original/man8/iptables.8:42
1312+msgid "B<iptables> [B<-t> I<table>] B<-N> I<chain>"
12351313 msgstr ""
12361314
12371315 #. type: Plain text
1238-#: original/man8/ip6tables.8:471 original/man8/iptables.8:459
1239-msgid "Set the local node number ID."
1316+#: original/man8/iptables.8:44
1317+msgid "B<iptables> [B<-t> I<table>] B<-X> [I<chain>]"
12401318 msgstr ""
12411319
1242-#. type: TP
1243-#: original/man8/ip6tables.8:471 original/man8/iptables.8:459
1244-#, no-wrap
1245-msgid "[B<!>] B<--cluster-local-nodemask> I<mask>"
1320+#. type: Plain text
1321+#: original/man8/iptables.8:46
1322+msgid "B<iptables> [B<-t> I<table>] B<-P> I<chain target>"
12461323 msgstr ""
12471324
12481325 #. type: Plain text
1249-#: original/man8/ip6tables.8:475 original/man8/iptables.8:463
1250-msgid ""
1251-"Set the local node number ID mask. You can use this option instead of "
1252-"B<--cluster-local-node>."
1326+#: original/man8/iptables.8:48
1327+msgid "B<iptables> [B<-t> I<table>] B<-E> I<old-chain-name new-chain-name>"
12531328 msgstr ""
12541329
1255-#. type: TP
1256-#: original/man8/ip6tables.8:475 original/man8/iptables.8:463
1257-#, no-wrap
1258-msgid "B<--cluster-hash-seed> I<value>"
1330+#. type: Plain text
1331+#: original/man8/iptables.8:50
1332+msgid "rule-specification = [I<matches...>] [I<target>]"
12591333 msgstr ""
12601334
12611335 #. type: Plain text
1262-#: original/man8/ip6tables.8:478 original/man8/iptables.8:466
1263-msgid "Set seed value of the Jenkins hash."
1336+#: original/man8/iptables.8:52
1337+msgid "match = B<-m> I<matchname> [I<per-match-options>]"
12641338 msgstr ""
12651339
12661340 #. type: Plain text
1267-#: original/man8/ip6tables.8:480 original/man8/ip6tables.8:526 original/man8/ip6tables.8:563 original/man8/ip6tables.8:711 original/man8/ip6tables.8:1837 original/man8/ip6tables.8:1885 original/man8/ip6tables.8:1931 original/man8/iptables.8:468 original/man8/iptables.8:514 original/man8/iptables.8:551 original/man8/iptables.8:699 original/man8/iptables.8:1755 original/man8/iptables.8:1803 original/man8/iptables.8:1852
1268-#, no-wrap
1269-msgid "Example:"
1341+#: original/man8/iptables.8:54
1342+msgid "target = B<-j> I<targetname> [I<per-target-options>]"
12701343 msgstr ""
12711344
12721345 #. type: Plain text
1273-#: original/man8/ip6tables.8:485 original/man8/iptables.8:473
1346+#: original/man8/iptables.8:60
12741347 msgid ""
1275-"iptables -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 2 "
1276-"--cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark "
1277-"0xffff"
1348+"B<Iptables> is used to set up, maintain, and inspect the tables of IPv4 "
1349+"packet filter rules in the Linux kernel. Several different tables may be "
1350+"defined. Each table contains a number of built-in chains and may also "
1351+"contain user-defined chains."
12781352 msgstr ""
12791353
12801354 #. type: Plain text
1281-#: original/man8/ip6tables.8:490 original/man8/iptables.8:478
1355+#: original/man8/iptables.8:114
12821356 msgid ""
1283-"iptables -A PREROUTING -t mangle -i eth2 -m cluster --cluster-total-nodes 2 "
1284-"--cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark "
1285-"0xffff"
1357+"This table is consulted when a packet that creates a new connection is "
1358+"encountered. It consists of three built-ins: B<PREROUTING> (for altering "
1359+"packets as soon as they come in), B<OUTPUT> (for altering locally-generated "
1360+"packets before routing), and B<POSTROUTING> (for altering packets as they "
1361+"are about to go out)."
12861362 msgstr ""
12871363
12881364 #. type: Plain text
1289-#: original/man8/ip6tables.8:493 original/man8/iptables.8:481
1290-msgid "iptables -A PREROUTING -t mangle -i eth1 -m mark ! --mark 0xffff -j DROP"
1365+#: original/man8/iptables.8:147
1366+msgid ""
1367+"The options that are recognized by B<iptables> can be divided into several "
1368+"different groups."
12911369 msgstr ""
12921370
12931371 #. type: Plain text
1294-#: original/man8/ip6tables.8:496 original/man8/iptables.8:484
1295-msgid "iptables -A PREROUTING -t mangle -i eth2 -m mark ! --mark 0xffff -j DROP"
1372+#: original/man8/iptables.8:153
1373+msgid ""
1374+"These options specify the desired action to perform. Only one of them can be "
1375+"specified on the command line unless otherwise stated below. For long "
1376+"versions of the command and option names, you need to use only enough "
1377+"letters to ensure that B<iptables> can differentiate it from all other "
1378+"options."
12961379 msgstr ""
12971380
12981381 #. type: Plain text
1299-#: original/man8/ip6tables.8:498 original/man8/iptables.8:486
1300-msgid "And the following commands to make all nodes see the same packets:"
1382+#: original/man8/iptables.8:188
1383+msgid ""
1384+"List all rules in the selected chain. If no chain is selected, all chains "
1385+"are listed. Like every other iptables command, it applies to the specified "
1386+"table (filter is the default), so NAT rules get listed by"
13011387 msgstr ""
13021388
13031389 #. type: Plain text
1304-#: original/man8/ip6tables.8:500 original/man8/iptables.8:488
1305-msgid "ip maddr add 01:00:5e:00:01:01 dev eth1"
1390+#: original/man8/iptables.8:190
1391+#, no-wrap
1392+msgid " iptables -t nat -n -L\n"
13061393 msgstr ""
13071394
13081395 #. type: Plain text
1309-#: original/man8/ip6tables.8:502 original/man8/iptables.8:490
1310-msgid "ip maddr add 01:00:5e:00:01:02 dev eth2"
1396+#: original/man8/iptables.8:199
1397+#, no-wrap
1398+msgid " iptables -L -v\n"
13111399 msgstr ""
13121400
13131401 #. type: Plain text
1314-#: original/man8/ip6tables.8:505 original/man8/iptables.8:493
1402+#: original/man8/iptables.8:205
13151403 msgid ""
1316-"arptables -A OUTPUT -o eth1 --h-length 6 -j mangle --mangle-mac-s "
1317-"01:00:5e:00:01:01"
1404+"Print all rules in the selected chain. If no chain is selected, all chains "
1405+"are printed like iptables-save. Like every other iptables command, it "
1406+"applies to the specified table (filter is the default)."
13181407 msgstr ""
13191408
13201409 #. type: Plain text
1321-#: original/man8/ip6tables.8:509 original/man8/iptables.8:497
1322-msgid ""
1323-"arptables -A INPUT -i eth1 --h-length 6 --destination-mac 01:00:5e:00:01:01 "
1324-"-j mangle --mangle-mac-d 00:zz:yy:xx:5a:27"
1410+#: original/man8/iptables.8:248
1411+msgid "This option has no effect in iptables and iptables-restore."
13251412 msgstr ""
13261413
13271414 #. type: Plain text
1328-#: original/man8/ip6tables.8:512 original/man8/iptables.8:500
1415+#: original/man8/iptables.8:254
13291416 msgid ""
1330-"arptables -A OUTPUT -o eth2 --h-length 6 -j mangle --mangle-mac-s "
1331-"01:00:5e:00:01:02"
1417+"If a rule using the B<-6> option is inserted with (and only with) "
1418+"iptables-restore, it will be silently ignored. Any other uses will throw an "
1419+"error. This option allows to put both IPv4 and IPv6 rules in a single rule "
1420+"file for use with both iptables-restore and ip6tables-restore."
13321421 msgstr ""
13331422
13341423 #. type: Plain text
1335-#: original/man8/ip6tables.8:516 original/man8/iptables.8:504
1424+#: original/man8/iptables.8:265
13361425 msgid ""
1337-"arptables -A INPUT -i eth2 --h-length 6 --destination-mac 01:00:5e:00:01:02 "
1338-"-j mangle --mangle-mac-d 00:zz:yy:xx:5a:27"
1426+"The protocol of the rule or of the packet to check. The specified protocol "
1427+"can be one of B<tcp>, B<udp>, B<udplite>, B<icmp>, B<esp>, B<ah>, B<sctp> or "
1428+"the special keyword \"B<all>\", or it can be a numeric value, representing "
1429+"one of these protocols or a different one. A protocol name from "
1430+"/etc/protocols is also allowed. A \"!\" argument before the protocol "
1431+"inverts the test. The number zero is equivalent to B<all>. \"B<all>\" will "
1432+"match with all protocols and is taken as default when this option is "
1433+"omitted."
13391434 msgstr ""
13401435
1341-#. type: Plain text
1342-#: original/man8/ip6tables.8:520 original/man8/iptables.8:508
1343-msgid ""
1344-"In the case of TCP connections, pickup facility has to be disabled to avoid "
1345-"marking TCP ACK packets coming in the reply direction as valid."
1436+#. type: TP
1437+#: original/man8/iptables.8:265
1438+#, no-wrap
1439+msgid "[B<!>] B<-s>, B<--source> I<address>[B</>I<mask>][B<,>I<...>]"
13461440 msgstr ""
13471441
13481442 #. type: Plain text
1349-#: original/man8/ip6tables.8:522 original/man8/iptables.8:510
1350-msgid "echo 0 E<gt> /proc/sys/net/netfilter/nf_conntrack_tcp_loose"
1443+#: original/man8/iptables.8:282
1444+msgid ""
1445+"Source specification. I<Address> can be either a network name, a hostname, a "
1446+"network IP address (with B</>I<mask>), or a plain IP address. Hostnames will "
1447+"be resolved once only, before the rule is submitted to the kernel. Please "
1448+"note that specifying any name to be resolved with a remote query such as DNS "
1449+"is a really bad idea. The I<mask> can be either a network mask or a plain "
1450+"number, specifying the number of 1's at the left side of the network mask. "
1451+"Thus, a mask of I<24> is equivalent to I<255.255.255.0>. A \"!\" argument "
1452+"before the address specification inverts the sense of the address. The flag "
1453+"B<--src> is an alias for this option. Multiple addresses can be specified, "
1454+"but this will B<expand to multiple rules> (when adding with -A), or will "
1455+"cause multiple rules to be deleted (with -D)."
13511456 msgstr ""
13521457
1353-#. type: SS
1354-#: original/man8/ip6tables.8:522 original/man8/iptables.8:510
1458+#. type: TP
1459+#: original/man8/iptables.8:282
13551460 #, no-wrap
1356-msgid "comment"
1357-msgstr ""
1358-
1359-#. type: Plain text
1360-#: original/man8/ip6tables.8:524 original/man8/iptables.8:512
1361-msgid "Allows you to add comments (up to 256 characters) to any rule."
1461+msgid "[B<!>] B<-d>, B<--destination> I<address>[B</>I<mask>][B<,>I<...>]"
13621462 msgstr ""
13631463
13641464 #. type: TP
1365-#: original/man8/ip6tables.8:524 original/man8/iptables.8:512
1465+#: original/man8/iptables.8:328
13661466 #, no-wrap
1367-msgid "B<--comment> I<comment>"
1467+msgid "[B<!>] B<-f>, B<--fragment>"
13681468 msgstr ""
13691469
13701470 #. type: Plain text
1371-#: original/man8/ip6tables.8:529 original/man8/iptables.8:517
1372-msgid "iptables -A INPUT -i eth1 -m comment --comment \"my local LAN\""
1471+#: original/man8/iptables.8:336
1472+msgid ""
1473+"This means that the rule only refers to second and further fragments of "
1474+"fragmented packets. Since there is no way to tell the source or destination "
1475+"ports of such a packet (or ICMP type), such a packet will not match any "
1476+"rules which specify them. When the \"!\" argument precedes the \"-f\" flag, "
1477+"the rule will only match head fragments, or unfragmented packets."
13731478 msgstr ""
13741479
1375-#. type: SS
1376-#: original/man8/ip6tables.8:529 original/man8/iptables.8:517
1480+#. type: SH
1481+#: original/man8/iptables.8:374
13771482 #, no-wrap
1378-msgid "connbytes"
1483+msgid "MATCH AND TARGET EXTENSIONS"
13791484 msgstr ""
13801485
13811486 #. type: Plain text
1382-#: original/man8/ip6tables.8:533 original/man8/iptables.8:521
1487+#: original/man8/iptables.8:386
13831488 msgid ""
1384-"Match by how many bytes or packets a connection (or one of the two flows "
1385-"constituting the connection) has transferred so far, or by average bytes per "
1386-"packet."
1489+"Bugs? What's this? ;-) Well, you might want to have a look at "
1490+"http://bugzilla.netfilter.org/"
13871491 msgstr ""
13881492
13891493 #. type: Plain text
1390-#: original/man8/ip6tables.8:535 original/man8/iptables.8:523
1391-msgid "The counters are 64-bit and are thus not expected to overflow ;)"
1494+#: original/man8/iptables.8:395
1495+msgid ""
1496+"This B<iptables> is very similar to ipchains by Rusty Russell. The main "
1497+"difference is that the chains B<INPUT> and B<OUTPUT> are only traversed for "
1498+"packets coming into the local host and originating from the local host "
1499+"respectively. Hence every packet only passes through one of the three "
1500+"chains (except loopback traffic, which involves both INPUT and OUTPUT "
1501+"chains); previously a forwarded packet would pass through all three."
13921502 msgstr ""
13931503
13941504 #. type: Plain text
1395-#: original/man8/ip6tables.8:538 original/man8/iptables.8:526
1505+#: original/man8/iptables.8:399
13961506 msgid ""
1397-"The primary use is to detect long-lived downloads and mark them to be "
1398-"scheduled using a lower priority band in traffic control."
1507+"The other main difference is that B<-i> refers to the input interface; B<-o> "
1508+"refers to the output interface, and both are available for packets entering "
1509+"the B<FORWARD> chain."
13991510 msgstr ""
14001511
14011512 #. type: Plain text
1402-#: original/man8/ip6tables.8:541 original/man8/iptables.8:529
1513+#: original/man8/iptables.8:405
14031514 msgid ""
1404-"The transferred bytes per connection can also be viewed through `conntrack "
1405-"-L` and accessed via ctnetlink."
1515+"The various forms of NAT have been separated out; B<iptables> is a pure "
1516+"packet filter when using the default `filter' table, with optional extension "
1517+"modules. This should simplify much of the previous confusion over the "
1518+"combination of IP masquerading and packet filtering seen previously. So the "
1519+"following options are handled differently:"
14061520 msgstr ""
14071521
14081522 #. type: Plain text
1409-#: original/man8/ip6tables.8:547 original/man8/iptables.8:535
1523+#: original/man8/iptables.8:409
1524+#, no-wrap
14101525 msgid ""
1411-"NOTE that for connections which have no accounting information, the match "
1412-"will always return false. The \"net.netfilter.nf_conntrack_acct\" sysctl "
1413-"flag controls whether B<new> connections will be byte/packet "
1414-"counted. Existing connection flows will not be gaining/losing a/the "
1415-"accounting structure when be sysctl flag is flipped."
1526+" -j MASQ\n"
1527+" -M -S\n"
1528+" -M -L\n"
14161529 msgstr ""
14171530
1418-#. type: TP
1419-#: original/man8/ip6tables.8:547 original/man8/iptables.8:535
1420-#, no-wrap
1421-msgid "[B<!>] B<--connbytes> I<from>[B<:>I<to>]"
1531+#. type: Plain text
1532+#: original/man8/iptables.8:411
1533+msgid "There are several other changes in iptables."
14221534 msgstr ""
14231535
14241536 #. type: Plain text
1425-#: original/man8/ip6tables.8:553 original/man8/iptables.8:541
1537+#: original/man8/iptables.8:420
14261538 msgid ""
1427-"match packets from a connection whose packets/bytes/average packet size is "
1428-"more than FROM and less than TO bytes/packets. if TO is omitted only FROM "
1429-"check is done. \"!\" is used to match packets not falling in the range."
1539+"B<iptables-apply>(8), B<iptables-save>(8), B<iptables-restore>(8), "
1540+"B<iptables-extensions>(8), B<ip6tables>(8), B<ip6tables-save>(8), "
1541+"B<ip6tables-restore>(8), B<libipq>(3)."
14301542 msgstr ""
14311543
1432-#. type: TP
1433-#: original/man8/ip6tables.8:553 original/man8/iptables.8:541
1434-#, no-wrap
1435-msgid "B<--connbytes-dir> {B<original>|B<reply>|B<both>}"
1544+#. type: Plain text
1545+#: original/man8/iptables.8:426
1546+msgid ""
1547+"The packet-filtering-HOWTO details iptables usage for packet filtering, the "
1548+"NAT-HOWTO details NAT, the netfilter-extensions-HOWTO details the extensions "
1549+"that are not in the standard distribution, and the netfilter-hacking-HOWTO "
1550+"details the netfilter internals."
14361551 msgstr ""
14371552
14381553 #. type: Plain text
1439-#: original/man8/ip6tables.8:556 original/man8/iptables.8:544
1440-msgid "which packets to consider"
1441-msgstr ""
1442-
1443-#. type: TP
1444-#: original/man8/ip6tables.8:556 original/man8/iptables.8:544
1445-#, no-wrap
1446-msgid "B<--connbytes-mode> {B<packets>|B<bytes>|B<avgpkt>}"
1554+#: original/man8/iptables.8:432
1555+msgid ""
1556+"Rusty Russell originally wrote iptables, in early consultation with Michael "
1557+"Neuling."
14471558 msgstr ""
14481559
14491560 #. type: Plain text
1450-#: original/man8/ip6tables.8:563 original/man8/iptables.8:551
1561+#: original/man8/iptables.8:442
14511562 msgid ""
1452-"whether to check the amount of packets, number of bytes transferred or the "
1453-"average size (in bytes) of all packets received so far. Note that when "
1454-"\"both\" is used together with \"avgpkt\", and data is going (mainly) only "
1455-"in one direction (for example HTTP), the average packet size will be about "
1456-"half of the actual data packets."
1563+"Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, as well as "
1564+"the TTL, DSCP, ECN matches and targets."
14571565 msgstr ""
14581566
1567+#. .. and did I mention that we are incredibly cool people?
1568+#. .. sexy, too ..
1569+#. .. witty, charming, powerful ..
1570+#. .. and most of all, modest ..
14591571 #. type: Plain text
1460-#: original/man8/ip6tables.8:566 original/man8/iptables.8:554
1461-msgid ""
1462-"iptables .. -m connbytes --connbytes 10000:100000 --connbytes-dir both "
1463-"--connbytes-mode bytes ..."
1464-msgstr ""
1465-
1466-#. type: SS
1467-#: original/man8/ip6tables.8:566 original/man8/iptables.8:554
1468-#, no-wrap
1469-msgid "connlimit"
1572+#: original/man8/iptables.8:452
1573+msgid "Man page originally written by Herve Eychenne E<lt>rv@wallfire.orgE<gt>."
14701574 msgstr ""
14711575
14721576 #. type: Plain text
1473-#: original/man8/ip6tables.8:569 original/man8/iptables.8:557
1474-msgid ""
1475-"Allows you to restrict the number of parallel connections to a server per "
1476-"client IP address (or client address block)."
1577+#: original/man8/iptables.8:454
1578+msgid "This manual page applies to iptables 1.4.18."
14771579 msgstr ""
14781580
1479-#. type: TP
1480-#: original/man8/ip6tables.8:569 original/man8/iptables.8:557
1581+#. type: TH
1582+#: original/man8/iptables-extensions.8:1
14811583 #, no-wrap
1482-msgid "B<--connlimit-upto> I<n>"
1584+msgid "iptables-extensions"
14831585 msgstr ""
14841586
14851587 #. type: Plain text
1486-#: original/man8/ip6tables.8:572 original/man8/iptables.8:560
1487-msgid "Match if the number of existing connections is below or equal I<n>."
1488-msgstr ""
1489-
1490-#. type: TP
1491-#: original/man8/ip6tables.8:572 original/man8/iptables.8:560
1492-#, no-wrap
1493-msgid "B<--connlimit-above> I<n>"
1588+#: original/man8/iptables-extensions.8:4
1589+msgid ""
1590+"iptables-extensions \\(em list of extensions in the standard iptables "
1591+"distribution"
14941592 msgstr ""
14951593
14961594 #. type: Plain text
1497-#: original/man8/ip6tables.8:575 original/man8/iptables.8:563
1498-msgid "Match if the number of existing connections is above I<n>."
1499-msgstr ""
1500-
1501-#. type: TP
1502-#: original/man8/ip6tables.8:575 original/man8/iptables.8:563
1503-#, no-wrap
1504-msgid "B<--connlimit-mask> I<prefix_length>"
1595+#: original/man8/iptables-extensions.8:7
1596+msgid ""
1597+"B<ip6tables> [B<-m> I<name> [I<module-options>...]] [B<-j> I<target-name> "
1598+"[I<target-options>...]"
15051599 msgstr ""
15061600
15071601 #. type: Plain text
1508-#: original/man8/ip6tables.8:580 original/man8/iptables.8:568
1602+#: original/man8/iptables-extensions.8:10
15091603 msgid ""
1510-"Group hosts using the prefix length. For IPv4, this must be a number between "
1511-"(including) 0 and 32. For IPv6, between 0 and 128. If not specified, the "
1512-"maximum prefix length for the applicable protocol is used."
1604+"B<iptables> [B<-m> I<name> [I<module-options>...]] [B<-j> I<target-name> "
1605+"[I<target-options>...]"
15131606 msgstr ""
15141607
1515-#. type: TP
1516-#: original/man8/ip6tables.8:580 original/man8/iptables.8:568
1517-#, no-wrap
1518-msgid "B<--connlimit-saddr>"
1608+#. type: Plain text
1609+#: original/man8/iptables-extensions.8:20
1610+msgid ""
1611+"iptables can use extended packet matching modules with the B<-m> or "
1612+"B<--match> options, followed by the matching module name; after these, "
1613+"various extra command line options become available, depending on the "
1614+"specific module. You can specify multiple extended match modules in one "
1615+"line, and you can use the B<-h> or B<--help> options after the module has "
1616+"been specified to receive help specific to that module. The extended match "
1617+"modules are evaluated in the order they are specified in the rule."
15191618 msgstr ""
15201619
1620+#. @MATCH@
15211621 #. type: Plain text
1522-#: original/man8/ip6tables.8:584 original/man8/iptables.8:572
1622+#: original/man8/iptables-extensions.8:25
15231623 msgid ""
1524-"Apply the limit onto the source group. This is the default if "
1525-"--connlimit-daddr is not specified."
1624+"If the B<-p> or B<--protocol> was specified and if and only if an unknown "
1625+"option is encountered, iptables will try load a match module of the same "
1626+"name as the protocol, to try making the option available."
15261627 msgstr ""
15271628
1528-#. type: TP
1529-#: original/man8/ip6tables.8:584 original/man8/iptables.8:572
1629+#. type: SS
1630+#: original/man8/iptables-extensions.8:25
15301631 #, no-wrap
1531-msgid "B<--connlimit-daddr>"
1632+msgid "addrtype"
15321633 msgstr ""
15331634
15341635 #. type: Plain text
1535-#: original/man8/ip6tables.8:587 original/man8/iptables.8:575
1536-msgid "Apply the limit onto the destination group."
1636+#: original/man8/iptables-extensions.8:30
1637+msgid ""
1638+"This module matches packets based on their B<address type.> Address types "
1639+"are used within the kernel networking stack and categorize addresses into "
1640+"various groups. The exact definition of that group depends on the specific "
1641+"layer three protocol."
15371642 msgstr ""
15381643
15391644 #. type: Plain text
1540-#: original/man8/ip6tables.8:589 original/man8/ip6tables.8:852 original/man8/ip6tables.8:1390 original/man8/ip6tables.8:1514 original/man8/iptables.8:577 original/man8/iptables.8:800 original/man8/iptables.8:1317 original/man8/iptables.8:1421
1541-msgid "Examples:"
1645+#: original/man8/iptables-extensions.8:32
1646+msgid "The following address types are possible:"
15421647 msgstr ""
15431648
15441649 #. type: TP
1545-#: original/man8/ip6tables.8:589 original/man8/iptables.8:577
1650+#: original/man8/iptables-extensions.8:32
15461651 #, no-wrap
1547-msgid "# allow 2 telnet connections per client host"
1652+msgid "B<UNSPEC>"
15481653 msgstr ""
15491654
15501655 #. type: Plain text
1551-#: original/man8/ip6tables.8:592 original/man8/iptables.8:580
1552-msgid ""
1553-"iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 "
1554-"-j REJECT"
1656+#: original/man8/iptables-extensions.8:35
1657+msgid "an unspecified address (i.e. 0.0.0.0)"
15551658 msgstr ""
15561659
15571660 #. type: TP
1558-#: original/man8/ip6tables.8:592 original/man8/iptables.8:580
1661+#: original/man8/iptables-extensions.8:35
15591662 #, no-wrap
1560-msgid "# you can also match the other way around:"
1663+msgid "B<UNICAST>"
15611664 msgstr ""
15621665
15631666 #. type: Plain text
1564-#: original/man8/ip6tables.8:595 original/man8/iptables.8:583
1565-msgid ""
1566-"iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-upto 2 -j "
1567-"ACCEPT"
1667+#: original/man8/iptables-extensions.8:38
1668+msgid "an unicast address"
15681669 msgstr ""
15691670
15701671 #. type: TP
1571-#: original/man8/ip6tables.8:595 original/man8/iptables.8:583
1672+#: original/man8/iptables-extensions.8:38
15721673 #, no-wrap
1573-msgid ""
1574-"# limit the number of parallel HTTP requests to 16 per class C sized source "
1575-"network (24 bit netmask)"
1674+msgid "B<LOCAL>"
15761675 msgstr ""
15771676
15781677 #. type: Plain text
1579-#: original/man8/ip6tables.8:600 original/man8/iptables.8:588
1580-msgid ""
1581-"iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 "
1582-"--connlimit-mask 24 -j REJECT"
1678+#: original/man8/iptables-extensions.8:41
1679+msgid "a local address"
15831680 msgstr ""
15841681
15851682 #. type: TP
1586-#: original/man8/ip6tables.8:600 original/man8/iptables.8:588
1683+#: original/man8/iptables-extensions.8:41
15871684 #, no-wrap
1588-msgid ""
1589-"# limit the number of parallel HTTP requests to 16 for the link local "
1590-"network"
1685+msgid "B<BROADCAST>"
15911686 msgstr ""
15921687
15931688 #. type: Plain text
1594-#: original/man8/ip6tables.8:605 original/man8/iptables.8:593
1595-msgid ""
1596-"(ipv6) ip6tables -p tcp --syn --dport 80 -s fe80::/64 -m connlimit "
1597-"--connlimit-above 16 --connlimit-mask 64 -j REJECT"
1689+#: original/man8/iptables-extensions.8:44
1690+msgid "a broadcast address"
15981691 msgstr ""
15991692
16001693 #. type: TP
1601-#: original/man8/ip6tables.8:605 original/man8/iptables.8:593
1694+#: original/man8/iptables-extensions.8:44
16021695 #, no-wrap
1603-msgid "# Limit the number of connections to a particular host:"
1696+msgid "B<ANYCAST>"
16041697 msgstr ""
16051698
16061699 #. type: Plain text
1607-#: original/man8/ip6tables.8:609 original/man8/iptables.8:597
1608-msgid ""
1609-"ip6tables -p tcp --syn --dport 49152:65535 -d 2001:db8::1 -m connlimit "
1610-"--connlimit-above 100 -j REJECT"
1700+#: original/man8/iptables-extensions.8:47
1701+msgid "an anycast packet"
16111702 msgstr ""
16121703
1613-#. type: SS
1614-#: original/man8/ip6tables.8:609 original/man8/iptables.8:597
1704+#. type: TP
1705+#: original/man8/iptables-extensions.8:47
16151706 #, no-wrap
1616-msgid "connmark"
1707+msgid "B<MULTICAST>"
16171708 msgstr ""
16181709
16191710 #. type: Plain text
1620-#: original/man8/ip6tables.8:612 original/man8/iptables.8:600
1621-msgid ""
1622-"This module matches the netfilter mark field associated with a connection "
1623-"(which can be set using the B<CONNMARK> target below)."
1711+#: original/man8/iptables-extensions.8:50
1712+msgid "a multicast address"
16241713 msgstr ""
16251714
16261715 #. type: TP
1627-#: original/man8/ip6tables.8:612 original/man8/ip6tables.8:1023 original/man8/iptables.8:600 original/man8/iptables.8:909
1716+#: original/man8/iptables-extensions.8:50
16281717 #, no-wrap
1629-msgid "[B<!>] B<--mark> I<value>[B</>I<mask>]"
1718+msgid "B<BLACKHOLE>"
16301719 msgstr ""
16311720
16321721 #. type: Plain text
1633-#: original/man8/ip6tables.8:616 original/man8/iptables.8:604
1634-msgid ""
1635-"Matches packets in connections with the given mark value (if a mask is "
1636-"specified, this is logically ANDed with the mark before the comparison)."
1722+#: original/man8/iptables-extensions.8:53
1723+msgid "a blackhole address"
16371724 msgstr ""
16381725
1639-#. type: SS
1640-#: original/man8/ip6tables.8:616 original/man8/iptables.8:604
1726+#. type: TP
1727+#: original/man8/iptables-extensions.8:53
16411728 #, no-wrap
1642-msgid "conntrack"
1729+msgid "B<UNREACHABLE>"
16431730 msgstr ""
16441731
16451732 #. type: Plain text
1646-#: original/man8/ip6tables.8:619 original/man8/iptables.8:607
1647-msgid ""
1648-"This module, when combined with connection tracking, allows access to the "
1649-"connection tracking state for this packet/connection."
1733+#: original/man8/iptables-extensions.8:56
1734+msgid "an unreachable address"
16501735 msgstr ""
16511736
16521737 #. type: TP
1653-#: original/man8/ip6tables.8:619 original/man8/iptables.8:607
1738+#: original/man8/iptables-extensions.8:56
16541739 #, no-wrap
1655-msgid "[B<!>] B<--ctstate> I<statelist>"
1740+msgid "B<PROHIBIT>"
16561741 msgstr ""
16571742
16581743 #. type: Plain text
1659-#: original/man8/ip6tables.8:623 original/man8/iptables.8:611
1660-msgid ""
1661-"I<statelist> is a comma separated list of the connection states to match. "
1662-"Possible states are listed below."
1744+#: original/man8/iptables-extensions.8:59
1745+msgid "a prohibited address"
16631746 msgstr ""
16641747
16651748 #. type: TP
1666-#: original/man8/ip6tables.8:623 original/man8/iptables.8:611
1749+#: original/man8/iptables-extensions.8:59
16671750 #, no-wrap
1668-msgid "[B<!>] B<--ctproto> I<l4proto>"
1751+msgid "B<THROW>"
16691752 msgstr ""
16701753
16711754 #. type: Plain text
1672-#: original/man8/ip6tables.8:626 original/man8/iptables.8:614
1673-msgid "Layer-4 protocol to match (by number or name)"
1674-msgstr ""
1675-
1676-#. type: TP
1677-#: original/man8/ip6tables.8:626 original/man8/iptables.8:614
1678-#, no-wrap
1679-msgid "[B<!>] B<--ctorigsrc> I<address>[B</>I<mask>]"
1755+#: original/man8/iptables-extensions.8:62 original/man8/iptables-extensions.8:65
1756+msgid "FIXME"
16801757 msgstr ""
16811758
16821759 #. type: TP
1683-#: original/man8/ip6tables.8:628 original/man8/iptables.8:616
1760+#: original/man8/iptables-extensions.8:62
16841761 #, no-wrap
1685-msgid "[B<!>] B<--ctorigdst> I<address>[B</>I<mask>]"
1762+msgid "B<NAT>"
16861763 msgstr ""
16871764
16881765 #. type: TP
1689-#: original/man8/ip6tables.8:630 original/man8/iptables.8:618
1766+#: original/man8/iptables-extensions.8:65
16901767 #, no-wrap
1691-msgid "[B<!>] B<--ctreplsrc> I<address>[B</>I<mask>]"
1768+msgid "B<XRESOLVE>"
16921769 msgstr ""
16931770
16941771 #. type: TP
1695-#: original/man8/ip6tables.8:632 original/man8/iptables.8:620
1772+#: original/man8/iptables-extensions.8:67
16961773 #, no-wrap
1697-msgid "[B<!>] B<--ctrepldst> I<address>[B</>I<mask>]"
1774+msgid "[B<!>] B<--src-type> I<type>"
16981775 msgstr ""
16991776
17001777 #. type: Plain text
1701-#: original/man8/ip6tables.8:635 original/man8/iptables.8:623
1702-msgid "Match against original/reply source/destination address"
1703-msgstr ""
1704-
1705-#. type: TP
1706-#: original/man8/ip6tables.8:635 original/man8/iptables.8:623
1707-#, no-wrap
1708-msgid "[B<!>] B<--ctorigsrcport> I<port>[B<:>I<port>]"
1778+#: original/man8/iptables-extensions.8:70
1779+msgid "Matches if the source address is of given type"
17091780 msgstr ""
17101781
17111782 #. type: TP
1712-#: original/man8/ip6tables.8:637 original/man8/iptables.8:625
1783+#: original/man8/iptables-extensions.8:70
17131784 #, no-wrap
1714-msgid "[B<!>] B<--ctorigdstport> I<port>[B<:>I<port>]"
1785+msgid "[B<!>] B<--dst-type> I<type>"
17151786 msgstr ""
17161787
1717-#. type: TP
1718-#: original/man8/ip6tables.8:639 original/man8/iptables.8:627
1719-#, no-wrap
1720-msgid "[B<!>] B<--ctreplsrcport> I<port>[B<:>I<port>]"
1788+#. type: Plain text
1789+#: original/man8/iptables-extensions.8:73
1790+msgid "Matches if the destination address is of given type"
17211791 msgstr ""
17221792
17231793 #. type: TP
1724-#: original/man8/ip6tables.8:641 original/man8/iptables.8:629
1794+#: original/man8/iptables-extensions.8:73
17251795 #, no-wrap
1726-msgid "[B<!>] B<--ctrepldstport> I<port>[B<:>I<port>]"
1796+msgid "B<--limit-iface-in>"
17271797 msgstr ""
17281798
17291799 #. type: Plain text
1730-#: original/man8/ip6tables.8:645 original/man8/iptables.8:633
1800+#: original/man8/iptables-extensions.8:84
17311801 msgid ""
1732-"Match against original/reply source/destination port (TCP/UDP/etc.) or GRE "
1733-"key. Matching against port ranges is only supported in kernel versions "
1734-"above 2.6.38."
1802+"The address type checking can be limited to the interface the packet is "
1803+"coming in. This option is only valid in the B<PREROUTING>, B<INPUT> and "
1804+"B<FORWARD> chains. It cannot be specified with the B<--limit-iface-out> "
1805+"option."
17351806 msgstr ""
17361807
17371808 #. type: TP
1738-#: original/man8/ip6tables.8:645 original/man8/iptables.8:633
1809+#: original/man8/iptables-extensions.8:84
17391810 #, no-wrap
1740-msgid "[B<!>] B<--ctstatus> I<statelist>"
1811+msgid "B<--limit-iface-out>"
17411812 msgstr ""
17421813
17431814 #. type: Plain text
1744-#: original/man8/ip6tables.8:649 original/man8/iptables.8:637
1815+#: original/man8/iptables-extensions.8:95
17451816 msgid ""
1746-"I<statuslist> is a comma separated list of the connection statuses to "
1747-"match. Possible statuses are listed below."
1817+"The address type checking can be limited to the interface the packet is "
1818+"going out. This option is only valid in the B<POSTROUTING>, B<OUTPUT> and "
1819+"B<FORWARD> chains. It cannot be specified with the B<--limit-iface-in> "
1820+"option."
17481821 msgstr ""
17491822
1750-#. type: TP
1751-#: original/man8/ip6tables.8:649 original/man8/iptables.8:637
1823+#. type: SS
1824+#: original/man8/iptables-extensions.8:95
17521825 #, no-wrap
1753-msgid "[B<!>] B<--ctexpire> I<time>[B<:>I<time>]"
1826+msgid "ah (IPv6-specific)"
17541827 msgstr ""
17551828
17561829 #. type: Plain text
1757-#: original/man8/ip6tables.8:653 original/man8/iptables.8:641
1830+#: original/man8/iptables-extensions.8:97
17581831 msgid ""
1759-"Match remaining lifetime in seconds against given value or range of values "
1760-"(inclusive)"
1832+"This module matches the parameters in Authentication header of IPsec "
1833+"packets."
17611834 msgstr ""
17621835
17631836 #. type: TP
1764-#: original/man8/ip6tables.8:653 original/man8/iptables.8:641
1837+#: original/man8/iptables-extensions.8:97 original/man8/iptables-extensions.8:108
17651838 #, no-wrap
1766-msgid "B<--ctdir> {B<ORIGINAL>|B<REPLY>}"
1767-msgstr ""
1768-
1769-#. type: Plain text
1770-#: original/man8/ip6tables.8:657 original/man8/iptables.8:645
1771-msgid ""
1772-"Match packets that are flowing in the specified direction. If this flag is "
1773-"not specified at all, matches packets in both directions."
1839+msgid "[B<!>] B<--ahspi> I<spi>[B<:>I<spi>]"
17741840 msgstr ""
17751841
17761842 #. type: Plain text
1777-#: original/man8/ip6tables.8:659 original/man8/iptables.8:647
1778-msgid "States for B<--ctstate>:"
1843+#: original/man8/iptables-extensions.8:100
1844+msgid "Matches SPI."
17791845 msgstr ""
17801846
17811847 #. type: TP
1782-#: original/man8/ip6tables.8:659 original/man8/iptables.8:647
1848+#: original/man8/iptables-extensions.8:100
17831849 #, no-wrap
1784-msgid "B<INVALID>"
1850+msgid "[B<!>] B<--ahlen> I<length>"
17851851 msgstr ""
17861852
17871853 #. type: Plain text
1788-#: original/man8/ip6tables.8:662 original/man8/iptables.8:650
1789-msgid "meaning that the packet is associated with no known connection"
1854+#: original/man8/iptables-extensions.8:103 original/man8/iptables-extensions.8:407 original/man8/iptables-extensions.8:540
1855+msgid "Total length of this header in octets."
17901856 msgstr ""
17911857
17921858 #. type: TP
1793-#: original/man8/ip6tables.8:662 original/man8/iptables.8:650
1859+#: original/man8/iptables-extensions.8:103
17941860 #, no-wrap
1795-msgid "B<NEW>"
1861+msgid "B<--ahres>"
17961862 msgstr ""
17971863
17981864 #. type: Plain text
1799-#: original/man8/ip6tables.8:666 original/man8/iptables.8:654
1800-msgid ""
1801-"meaning that the packet has started a new connection, or otherwise "
1802-"associated with a connection which has not seen packets in both directions, "
1803-"and"
1865+#: original/man8/iptables-extensions.8:106
1866+msgid "Matches if the reserved field is filled with zero."
18041867 msgstr ""
18051868
1806-#. type: TP
1807-#: original/man8/ip6tables.8:666 original/man8/iptables.8:654
1869+#. type: SS
1870+#: original/man8/iptables-extensions.8:106
18081871 #, no-wrap
1809-msgid "B<ESTABLISHED>"
1872+msgid "ah (IPv4-specific)"
18101873 msgstr ""
18111874
18121875 #. type: Plain text
1813-#: original/man8/ip6tables.8:670 original/man8/iptables.8:658
1814-msgid ""
1815-"meaning that the packet is associated with a connection which has seen "
1816-"packets in both directions,"
1876+#: original/man8/iptables-extensions.8:108
1877+msgid "This module matches the SPIs in Authentication header of IPsec packets."
18171878 msgstr ""
18181879
1819-#. type: TP
1820-#: original/man8/ip6tables.8:670 original/man8/iptables.8:658
1880+#. type: SS
1881+#: original/man8/iptables-extensions.8:110
18211882 #, no-wrap
1822-msgid "B<RELATED>"
1883+msgid "cluster"
18231884 msgstr ""
18241885
18251886 #. type: Plain text
1826-#: original/man8/ip6tables.8:674 original/man8/iptables.8:662
1887+#: original/man8/iptables-extensions.8:113
18271888 msgid ""
1828-"meaning that the packet is starting a new connection, but is associated with "
1829-"an existing connection, such as an FTP data transfer, or an ICMP error."
1830-msgstr ""
1831-
1832-#. type: TP
1833-#: original/man8/ip6tables.8:674 original/man8/iptables.8:662
1834-#, no-wrap
1835-msgid "B<UNTRACKED>"
1889+"Allows you to deploy gateway and back-end load-sharing clusters without the "
1890+"need of load-balancers."
18361891 msgstr ""
18371892
18381893 #. type: Plain text
1839-#: original/man8/ip6tables.8:678 original/man8/iptables.8:666
1894+#: original/man8/iptables-extensions.8:116
18401895 msgid ""
1841-"meaning that the packet is not tracked at all, which happens if you use the "
1842-"NOTRACK target in raw table."
1896+"This match requires that all the nodes see the same packets. Thus, the "
1897+"cluster match decides if this node has to handle a packet given the "
1898+"following options:"
18431899 msgstr ""
18441900
18451901 #. type: TP
1846-#: original/man8/ip6tables.8:678 original/man8/iptables.8:666
1902+#: original/man8/iptables-extensions.8:116
18471903 #, no-wrap
1848-msgid "B<SNAT>"
1904+msgid "B<--cluster-total-nodes> I<num>"
18491905 msgstr ""
18501906
18511907 #. type: Plain text
1852-#: original/man8/ip6tables.8:682 original/man8/iptables.8:670
1853-msgid ""
1854-"A virtual state, matching if the original source address differs from the "
1855-"reply destination."
1908+#: original/man8/iptables-extensions.8:119
1909+msgid "Set number of total nodes in cluster."
18561910 msgstr ""
18571911
18581912 #. type: TP
1859-#: original/man8/ip6tables.8:682 original/man8/iptables.8:670
1913+#: original/man8/iptables-extensions.8:119
18601914 #, no-wrap
1861-msgid "B<DNAT>"
1862-msgstr ""
1863-
1864-#. type: Plain text
1865-#: original/man8/ip6tables.8:686 original/man8/iptables.8:674
1866-msgid ""
1867-"A virtual state, matching if the original destination differs from the reply "
1868-"source."
1915+msgid "[B<!>] B<--cluster-local-node> I<num>"
18691916 msgstr ""
18701917
18711918 #. type: Plain text
1872-#: original/man8/ip6tables.8:688 original/man8/iptables.8:676
1873-msgid "Statuses for B<--ctstatus>:"
1919+#: original/man8/iptables-extensions.8:122
1920+msgid "Set the local node number ID."
18741921 msgstr ""
18751922
18761923 #. type: TP
1877-#: original/man8/ip6tables.8:688 original/man8/iptables.8:676
1924+#: original/man8/iptables-extensions.8:122
18781925 #, no-wrap
1879-msgid "B<NONE>"
1926+msgid "[B<!>] B<--cluster-local-nodemask> I<mask>"
18801927 msgstr ""
18811928
18821929 #. type: Plain text
1883-#: original/man8/ip6tables.8:691 original/man8/iptables.8:679
1884-msgid "None of the below."
1930+#: original/man8/iptables-extensions.8:126
1931+msgid ""
1932+"Set the local node number ID mask. You can use this option instead of "
1933+"B<--cluster-local-node>."
18851934 msgstr ""
18861935
18871936 #. type: TP
1888-#: original/man8/ip6tables.8:691 original/man8/iptables.8:679
1937+#: original/man8/iptables-extensions.8:126
18891938 #, no-wrap
1890-msgid "B<EXPECTED>"
1939+msgid "B<--cluster-hash-seed> I<value>"
18911940 msgstr ""
18921941
18931942 #. type: Plain text
1894-#: original/man8/ip6tables.8:694 original/man8/iptables.8:682
1895-msgid "This is an expected connection (i.e. a conntrack helper set it up)"
1943+#: original/man8/iptables-extensions.8:129
1944+msgid "Set seed value of the Jenkins hash."
18961945 msgstr ""
18971946
18981947 #. type: TP
1899-#: original/man8/ip6tables.8:694 original/man8/iptables.8:682
1948+#: original/man8/iptables-extensions.8:131 original/man8/iptables-extensions.8:177 original/man8/iptables-extensions.8:214 original/man8/iptables-extensions.8:362 original/man8/iptables-extensions.8:1588 original/man8/iptables-extensions.8:1636 original/man8/iptables-extensions.8:1685 original/man8/iptables-extensions.8:2016
19001949 #, no-wrap
1901-msgid "B<SEEN_REPLY>"
1950+msgid "Example:"
19021951 msgstr ""
19031952
19041953 #. type: Plain text
1905-#: original/man8/ip6tables.8:697 original/man8/iptables.8:685
1906-msgid "Conntrack has seen packets in both directions."
1907-msgstr ""
1954+#: original/man8/iptables-extensions.8:136
1955+msgid ""
1956+"iptables -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 2 "
1957+"--cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark "
1958+"0xffff"
1959+msgstr ""
19081960
1909-#. type: TP
1910-#: original/man8/ip6tables.8:697 original/man8/iptables.8:685
1911-#, no-wrap
1912-msgid "B<ASSURED>"
1961+#. type: Plain text
1962+#: original/man8/iptables-extensions.8:141
1963+msgid ""
1964+"iptables -A PREROUTING -t mangle -i eth2 -m cluster --cluster-total-nodes 2 "
1965+"--cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark "
1966+"0xffff"
19131967 msgstr ""
19141968
19151969 #. type: Plain text
1916-#: original/man8/ip6tables.8:700 original/man8/iptables.8:688
1917-msgid "Conntrack entry should never be early-expired."
1970+#: original/man8/iptables-extensions.8:144
1971+msgid "iptables -A PREROUTING -t mangle -i eth1 -m mark ! --mark 0xffff -j DROP"
19181972 msgstr ""
19191973
1920-#. type: TP
1921-#: original/man8/ip6tables.8:700 original/man8/iptables.8:688
1922-#, no-wrap
1923-msgid "B<CONFIRMED>"
1974+#. type: Plain text
1975+#: original/man8/iptables-extensions.8:147
1976+msgid "iptables -A PREROUTING -t mangle -i eth2 -m mark ! --mark 0xffff -j DROP"
19241977 msgstr ""
19251978
19261979 #. type: Plain text
1927-#: original/man8/ip6tables.8:703 original/man8/iptables.8:691
1928-msgid "Connection is confirmed: originating packet has left box."
1980+#: original/man8/iptables-extensions.8:149
1981+msgid "And the following commands to make all nodes see the same packets:"
19291982 msgstr ""
19301983
1931-#. type: SS
1932-#: original/man8/ip6tables.8:703 original/man8/iptables.8:691
1933-#, no-wrap
1934-msgid "cpu"
1984+#. type: Plain text
1985+#: original/man8/iptables-extensions.8:151
1986+msgid "ip maddr add 01:00:5e:00:01:01 dev eth1"
19351987 msgstr ""
19361988
1937-#. type: TP
1938-#: original/man8/ip6tables.8:704 original/man8/iptables.8:692
1939-#, no-wrap
1940-msgid "[B<!>] B<--cpu> I<number>"
1989+#. type: Plain text
1990+#: original/man8/iptables-extensions.8:153
1991+msgid "ip maddr add 01:00:5e:00:01:02 dev eth2"
19411992 msgstr ""
19421993
19431994 #. type: Plain text
1944-#: original/man8/ip6tables.8:709 original/man8/iptables.8:697
1995+#: original/man8/iptables-extensions.8:156
19451996 msgid ""
1946-"Match cpu handling this packet. cpus are numbered from 0 to NR_CPUS-1 Can be "
1947-"used in combination with RPS (Remote Packet Steering) or multiqueue NICs to "
1948-"spread network traffic on different queues."
1997+"arptables -A OUTPUT -o eth1 --h-length 6 -j mangle --mangle-mac-s "
1998+"01:00:5e:00:01:01"
19491999 msgstr ""
19502000
19512001 #. type: Plain text
1952-#: original/man8/ip6tables.8:714 original/man8/iptables.8:702
2002+#: original/man8/iptables-extensions.8:160
19532003 msgid ""
1954-"iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 0 -j REDIRECT "
1955-"--to-port 8080"
2004+"arptables -A INPUT -i eth1 --h-length 6 --destination-mac 01:00:5e:00:01:01 "
2005+"-j mangle --mangle-mac-d 00:zz:yy:xx:5a:27"
19562006 msgstr ""
19572007
19582008 #. type: Plain text
1959-#: original/man8/ip6tables.8:717 original/man8/iptables.8:705
2009+#: original/man8/iptables-extensions.8:163
19602010 msgid ""
1961-"iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 1 -j REDIRECT "
1962-"--to-port 8081"
2011+"arptables -A OUTPUT -o eth2 --h-length 6 -j mangle --mangle-mac-s "
2012+"01:00:5e:00:01:02"
19632013 msgstr ""
19642014
19652015 #. type: Plain text
1966-#: original/man8/ip6tables.8:719 original/man8/iptables.8:707
1967-msgid "Available since Linux 2.6.36."
2016+#: original/man8/iptables-extensions.8:167
2017+msgid ""
2018+"arptables -A INPUT -i eth2 --h-length 6 --destination-mac 01:00:5e:00:01:02 "
2019+"-j mangle --mangle-mac-d 00:zz:yy:xx:5a:27"
19682020 msgstr ""
19692021
1970-#. type: SS
1971-#: original/man8/ip6tables.8:719 original/man8/iptables.8:707
1972-#, no-wrap
1973-msgid "dccp"
2022+#. type: Plain text
2023+#: original/man8/iptables-extensions.8:171
2024+msgid ""
2025+"In the case of TCP connections, pickup facility has to be disabled to avoid "
2026+"marking TCP ACK packets coming in the reply direction as valid."
19742027 msgstr ""
19752028
1976-#. type: TP
1977-#: original/man8/ip6tables.8:720 original/man8/ip6tables.8:1492 original/man8/ip6tables.8:1626 original/man8/ip6tables.8:1906 original/man8/iptables.8:708 original/man8/iptables.8:1399 original/man8/iptables.8:1533 original/man8/iptables.8:1824
1978-#, no-wrap
1979-msgid "[B<!>] B<--source-port>,B<--sport> I<port>[B<:>I<port>]"
2029+#. type: Plain text
2030+#: original/man8/iptables-extensions.8:173
2031+msgid "echo 0 E<gt> /proc/sys/net/netfilter/nf_conntrack_tcp_loose"
19802032 msgstr ""
19812033
1982-#. type: TP
1983-#: original/man8/ip6tables.8:722 original/man8/ip6tables.8:1494 original/man8/ip6tables.8:1637 original/man8/ip6tables.8:1912 original/man8/iptables.8:710 original/man8/iptables.8:1401 original/man8/iptables.8:1544 original/man8/iptables.8:1830
2034+#. type: SS
2035+#: original/man8/iptables-extensions.8:173
19842036 #, no-wrap
1985-msgid "[B<!>] B<--destination-port>,B<--dport> I<port>[B<:>I<port>]"
2037+msgid "comment"
2038+msgstr ""
2039+
2040+#. type: Plain text
2041+#: original/man8/iptables-extensions.8:175
2042+msgid "Allows you to add comments (up to 256 characters) to any rule."
19862043 msgstr ""
19872044
19882045 #. type: TP
1989-#: original/man8/ip6tables.8:724 original/man8/iptables.8:712
2046+#: original/man8/iptables-extensions.8:175
19902047 #, no-wrap
1991-msgid "[B<!>] B<--dccp-types> I<mask>"
2048+msgid "B<--comment> I<comment>"
19922049 msgstr ""
19932050
19942051 #. type: Plain text
1995-#: original/man8/ip6tables.8:729 original/man8/iptables.8:717
1996-msgid ""
1997-"Match when the DCCP packet type is one of 'mask'. 'mask' is a "
1998-"comma-separated list of packet types. Packet types are: B<REQUEST RESPONSE "
1999-"DATA ACK DATAACK CLOSEREQ CLOSE RESET SYNC SYNCACK INVALID>."
2052+#: original/man8/iptables-extensions.8:180
2053+msgid "iptables -A INPUT -i eth1 -m comment --comment \"my local LAN\""
20002054 msgstr ""
20012055
2002-#. type: TP
2003-#: original/man8/ip6tables.8:729 original/man8/iptables.8:717
2056+#. type: SS
2057+#: original/man8/iptables-extensions.8:180
20042058 #, no-wrap
2005-msgid "[B<!>] B<--dccp-option> I<number>"
2059+msgid "connbytes"
20062060 msgstr ""
20072061
20082062 #. type: Plain text
2009-#: original/man8/ip6tables.8:732 original/man8/iptables.8:720
2010-msgid "Match if DCCP option set."
2063+#: original/man8/iptables-extensions.8:184
2064+msgid ""
2065+"Match by how many bytes or packets a connection (or one of the two flows "
2066+"constituting the connection) has transferred so far, or by average bytes per "
2067+"packet."
20112068 msgstr ""
20122069
2013-#. type: SS
2014-#: original/man8/ip6tables.8:732 original/man8/iptables.8:720
2015-#, no-wrap
2016-msgid "dscp"
2070+#. type: Plain text
2071+#: original/man8/iptables-extensions.8:186
2072+msgid "The counters are 64-bit and are thus not expected to overflow ;)"
20172073 msgstr ""
20182074
20192075 #. type: Plain text
2020-#: original/man8/ip6tables.8:735 original/man8/iptables.8:723
2076+#: original/man8/iptables-extensions.8:189
20212077 msgid ""
2022-"This module matches the 6 bit DSCP field within the TOS field in the IP "
2023-"header. DSCP has superseded TOS within the IETF."
2078+"The primary use is to detect long-lived downloads and mark them to be "
2079+"scheduled using a lower priority band in traffic control."
20242080 msgstr ""
20252081
2026-#. type: TP
2027-#: original/man8/ip6tables.8:735 original/man8/iptables.8:723
2028-#, no-wrap
2029-msgid "[B<!>] B<--dscp> I<value>"
2082+#. type: Plain text
2083+#: original/man8/iptables-extensions.8:192
2084+msgid ""
2085+"The transferred bytes per connection can also be viewed through `conntrack "
2086+"-L` and accessed via ctnetlink."
20302087 msgstr ""
20312088
20322089 #. type: Plain text
2033-#: original/man8/ip6tables.8:738 original/man8/iptables.8:726
2034-msgid "Match against a numeric (decimal or hex) value [0-63]."
2090+#: original/man8/iptables-extensions.8:198
2091+msgid ""
2092+"NOTE that for connections which have no accounting information, the match "
2093+"will always return false. The \"net.netfilter.nf_conntrack_acct\" sysctl "
2094+"flag controls whether B<new> connections will be byte/packet "
2095+"counted. Existing connection flows will not be gaining/losing a/the "
2096+"accounting structure when be sysctl flag is flipped."
20352097 msgstr ""
20362098
20372099 #. type: TP
2038-#: original/man8/ip6tables.8:738 original/man8/iptables.8:726
2100+#: original/man8/iptables-extensions.8:198
20392101 #, no-wrap
2040-msgid "[B<!>] B<--dscp-class> I<class>"
2102+msgid "[B<!>] B<--connbytes> I<from>[B<:>I<to>]"
20412103 msgstr ""
20422104
20432105 #. type: Plain text
2044-#: original/man8/ip6tables.8:743 original/man8/iptables.8:731
2106+#: original/man8/iptables-extensions.8:204
20452107 msgid ""
2046-"Match the DiffServ class. This value may be any of the BE, EF, AFxx or CSx "
2047-"classes. It will then be converted into its according numeric value."
2108+"match packets from a connection whose packets/bytes/average packet size is "
2109+"more than FROM and less than TO bytes/packets. if TO is omitted only FROM "
2110+"check is done. \"!\" is used to match packets not falling in the range."
20482111 msgstr ""
20492112
2050-#. type: SS
2051-#: original/man8/ip6tables.8:743
2113+#. type: TP
2114+#: original/man8/iptables-extensions.8:204
20522115 #, no-wrap
2053-msgid "dst"
2116+msgid "B<--connbytes-dir> {B<original>|B<reply>|B<both>}"
20542117 msgstr ""
20552118
20562119 #. type: Plain text
2057-#: original/man8/ip6tables.8:745
2058-msgid "This module matches the parameters in Destination Options header"
2120+#: original/man8/iptables-extensions.8:207
2121+msgid "which packets to consider"
20592122 msgstr ""
20602123
20612124 #. type: TP
2062-#: original/man8/ip6tables.8:745
2125+#: original/man8/iptables-extensions.8:207
20632126 #, no-wrap
2064-msgid "[B<!>] B<--dst-len> I<length>"
2127+msgid "B<--connbytes-mode> {B<packets>|B<bytes>|B<avgpkt>}"
20652128 msgstr ""
20662129
2067-#. type: TP
2068-#: original/man8/ip6tables.8:748
2069-#, no-wrap
2070-msgid "B<--dst-opts> I<type>[B<:>I<length>][B<,>I<type>[B<:>I<length>]...]"
2130+#. type: Plain text
2131+#: original/man8/iptables-extensions.8:214
2132+msgid ""
2133+"whether to check the amount of packets, number of bytes transferred or the "
2134+"average size (in bytes) of all packets received so far. Note that when "
2135+"\"both\" is used together with \"avgpkt\", and data is going (mainly) only "
2136+"in one direction (for example HTTP), the average packet size will be about "
2137+"half of the actual data packets."
20712138 msgstr ""
20722139
20732140 #. type: Plain text
2074-#: original/man8/ip6tables.8:751 original/man8/ip6tables.8:873
2075-msgid "numeric type of option and the length of the option data in octets."
2141+#: original/man8/iptables-extensions.8:217
2142+msgid ""
2143+"iptables .. -m connbytes --connbytes 10000:100000 --connbytes-dir both "
2144+"--connbytes-mode bytes ..."
20762145 msgstr ""
20772146
20782147 #. type: SS
2079-#: original/man8/ip6tables.8:751 original/man8/iptables.8:731
2148+#: original/man8/iptables-extensions.8:217
20802149 #, no-wrap
2081-msgid "ecn"
2150+msgid "connlimit"
20822151 msgstr ""
20832152
20842153 #. type: Plain text
2085-#: original/man8/ip6tables.8:753 original/man8/iptables.8:733
2154+#: original/man8/iptables-extensions.8:220
20862155 msgid ""
2087-"This allows you to match the ECN bits of the IPv4/IPv6 and TCP header. ECN "
2088-"is the Explicit Congestion Notification mechanism as specified in RFC3168"
2156+"Allows you to restrict the number of parallel connections to a server per "
2157+"client IP address (or client address block)."
20892158 msgstr ""
20902159
20912160 #. type: TP
2092-#: original/man8/ip6tables.8:753 original/man8/iptables.8:733
2161+#: original/man8/iptables-extensions.8:220
20932162 #, no-wrap
2094-msgid "[B<!>] B<--ecn-tcp-cwr>"
2163+msgid "B<--connlimit-upto> I<n>"
20952164 msgstr ""
20962165
20972166 #. type: Plain text
2098-#: original/man8/ip6tables.8:756 original/man8/iptables.8:736
2099-msgid "This matches if the TCP ECN CWR (Congestion Window Received) bit is set."
2167+#: original/man8/iptables-extensions.8:223
2168+msgid "Match if the number of existing connections is below or equal I<n>."
21002169 msgstr ""
21012170
21022171 #. type: TP
2103-#: original/man8/ip6tables.8:756 original/man8/iptables.8:736
2172+#: original/man8/iptables-extensions.8:223
21042173 #, no-wrap
2105-msgid "[B<!>] B<--ecn-tcp-ece>"
2174+msgid "B<--connlimit-above> I<n>"
21062175 msgstr ""
21072176
21082177 #. type: Plain text
2109-#: original/man8/ip6tables.8:759 original/man8/iptables.8:739
2110-msgid "This matches if the TCP ECN ECE (ECN Echo) bit is set."
2178+#: original/man8/iptables-extensions.8:226
2179+msgid "Match if the number of existing connections is above I<n>."
21112180 msgstr ""
21122181
21132182 #. type: TP
2114-#: original/man8/ip6tables.8:759 original/man8/iptables.8:739
2183+#: original/man8/iptables-extensions.8:226
21152184 #, no-wrap
2116-msgid "[B<!>] B<--ecn-ip-ect> I<num>"
2185+msgid "B<--connlimit-mask> I<prefix_length>"
21172186 msgstr ""
21182187
21192188 #. type: Plain text
2120-#: original/man8/ip6tables.8:763 original/man8/iptables.8:743
2189+#: original/man8/iptables-extensions.8:231
21212190 msgid ""
2122-"This matches a particular IPv4/IPv6 ECT (ECN-Capable Transport). You have to "
2123-"specify a number between `0' and `3'."
2191+"Group hosts using the prefix length. For IPv4, this must be a number between "
2192+"(including) 0 and 32. For IPv6, between 0 and 128. If not specified, the "
2193+"maximum prefix length for the applicable protocol is used."
21242194 msgstr ""
21252195
2126-#. type: SS
2127-#: original/man8/ip6tables.8:763 original/man8/iptables.8:743
2196+#. type: TP
2197+#: original/man8/iptables-extensions.8:231
21282198 #, no-wrap
2129-msgid "esp"
2199+msgid "B<--connlimit-saddr>"
21302200 msgstr ""
21312201
21322202 #. type: Plain text
2133-#: original/man8/ip6tables.8:765 original/man8/iptables.8:745
2134-msgid "This module matches the SPIs in ESP header of IPsec packets."
2203+#: original/man8/iptables-extensions.8:235
2204+msgid ""
2205+"Apply the limit onto the source group. This is the default if "
2206+"--connlimit-daddr is not specified."
21352207 msgstr ""
21362208
21372209 #. type: TP
2138-#: original/man8/ip6tables.8:765 original/man8/iptables.8:745
2210+#: original/man8/iptables-extensions.8:235
21392211 #, no-wrap
2140-msgid "[B<!>] B<--espspi> I<spi>[B<:>I<spi>]"
2212+msgid "B<--connlimit-daddr>"
21412213 msgstr ""
21422214
2143-#. type: SS
2144-#: original/man8/ip6tables.8:767
2145-#, no-wrap
2146-msgid "eui64"
2215+#. type: Plain text
2216+#: original/man8/iptables-extensions.8:238
2217+msgid "Apply the limit onto the destination group."
21472218 msgstr ""
21482219
21492220 #. type: Plain text
2150-#: original/man8/ip6tables.8:778
2151-msgid ""
2152-"This module matches the EUI-64 part of a stateless autoconfigured IPv6 "
2153-"address. It compares the EUI-64 derived from the source MAC address in "
2154-"Ethernet frame with the lower 64 bits of the IPv6 source address. But "
2155-"\"Universal/Local\" bit is not compared. This module doesn't match other "
2156-"link layer frame, and is only valid in the B<PREROUTING>, B<INPUT> and "
2157-"B<FORWARD> chains."
2221+#: original/man8/iptables-extensions.8:240 original/man8/iptables-extensions.8:514 original/man8/iptables-extensions.8:1127 original/man8/iptables-extensions.8:1252
2222+msgid "Examples:"
21582223 msgstr ""
21592224
2160-#. type: SS
2161-#: original/man8/ip6tables.8:778
2225+#. type: TP
2226+#: original/man8/iptables-extensions.8:240
21622227 #, no-wrap
2163-msgid "frag"
2228+msgid "# allow 2 telnet connections per client host"
21642229 msgstr ""
21652230
21662231 #. type: Plain text
2167-#: original/man8/ip6tables.8:780
2168-msgid "This module matches the parameters in Fragment header."
2232+#: original/man8/iptables-extensions.8:243
2233+msgid ""
2234+"iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 "
2235+"-j REJECT"
21692236 msgstr ""
21702237
21712238 #. type: TP
2172-#: original/man8/ip6tables.8:780
2239+#: original/man8/iptables-extensions.8:243
21732240 #, no-wrap
2174-msgid "[B<!>] B<--fragid> I<id>[B<:>I<id>]"
2241+msgid "# you can also match the other way around:"
21752242 msgstr ""
21762243
21772244 #. type: Plain text
2178-#: original/man8/ip6tables.8:783
2179-msgid "Matches the given Identification or range of it."
2245+#: original/man8/iptables-extensions.8:246
2246+msgid ""
2247+"iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-upto 2 -j "
2248+"ACCEPT"
21802249 msgstr ""
21812250
21822251 #. type: TP
2183-#: original/man8/ip6tables.8:783
2252+#: original/man8/iptables-extensions.8:246
21842253 #, no-wrap
2185-msgid "[B<!>] B<--fraglen> I<length>"
2254+msgid ""
2255+"# limit the number of parallel HTTP requests to 16 per class C sized source "
2256+"network (24 bit netmask)"
21862257 msgstr ""
21872258
21882259 #. type: Plain text
2189-#: original/man8/ip6tables.8:787
2260+#: original/man8/iptables-extensions.8:251
21902261 msgid ""
2191-"This option cannot be used with kernel version 2.6.10 or later. The length "
2192-"of Fragment header is static and this option doesn't make sense."
2262+"iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 "
2263+"--connlimit-mask 24 -j REJECT"
21932264 msgstr ""
21942265
21952266 #. type: TP
2196-#: original/man8/ip6tables.8:787
2267+#: original/man8/iptables-extensions.8:251
21972268 #, no-wrap
2198-msgid "B<--fragres>"
2269+msgid ""
2270+"# limit the number of parallel HTTP requests to 16 for the link local "
2271+"network"
21992272 msgstr ""
22002273
22012274 #. type: Plain text
2202-#: original/man8/ip6tables.8:790
2203-msgid "Matches if the reserved fields are filled with zero."
2275+#: original/man8/iptables-extensions.8:256
2276+msgid ""
2277+"(ipv6) ip6tables -p tcp --syn --dport 80 -s fe80::/64 -m connlimit "
2278+"--connlimit-above 16 --connlimit-mask 64 -j REJECT"
22042279 msgstr ""
22052280
22062281 #. type: TP
2207-#: original/man8/ip6tables.8:790
2282+#: original/man8/iptables-extensions.8:256
22082283 #, no-wrap
2209-msgid "B<--fragfirst>"
2284+msgid "# Limit the number of connections to a particular host:"
22102285 msgstr ""
22112286
22122287 #. type: Plain text
2213-#: original/man8/ip6tables.8:793
2214-msgid "Matches on the first fragment."
2288+#: original/man8/iptables-extensions.8:260
2289+msgid ""
2290+"ip6tables -p tcp --syn --dport 49152:65535 -d 2001:db8::1 -m connlimit "
2291+"--connlimit-above 100 -j REJECT"
22152292 msgstr ""
22162293
2217-#. type: TP
2218-#: original/man8/ip6tables.8:793
2294+#. type: SS
2295+#: original/man8/iptables-extensions.8:260
22192296 #, no-wrap
2220-msgid "B<--fragmore>"
2297+msgid "connmark"
22212298 msgstr ""
22222299
22232300 #. type: Plain text
2224-#: original/man8/ip6tables.8:796
2225-msgid "Matches if there are more fragments."
2301+#: original/man8/iptables-extensions.8:263
2302+msgid ""
2303+"This module matches the netfilter mark field associated with a connection "
2304+"(which can be set using the B<CONNMARK> target below)."
22262305 msgstr ""
22272306
22282307 #. type: TP
2229-#: original/man8/ip6tables.8:796
2308+#: original/man8/iptables-extensions.8:263 original/man8/iptables-extensions.8:703
22302309 #, no-wrap
2231-msgid "B<--fraglast>"
2310+msgid "[B<!>] B<--mark> I<value>[B</>I<mask>]"
22322311 msgstr ""
22332312
22342313 #. type: Plain text
2235-#: original/man8/ip6tables.8:799
2236-msgid "Matches if this is the last fragment."
2314+#: original/man8/iptables-extensions.8:267
2315+msgid ""
2316+"Matches packets in connections with the given mark value (if a mask is "
2317+"specified, this is logically ANDed with the mark before the comparison)."
22372318 msgstr ""
22382319
22392320 #. type: SS
2240-#: original/man8/ip6tables.8:799 original/man8/iptables.8:747
2321+#: original/man8/iptables-extensions.8:267
22412322 #, no-wrap
2242-msgid "hashlimit"
2243-msgstr ""
2244-
2245-#. type: Plain text
2246-#: original/man8/ip6tables.8:805 original/man8/iptables.8:753
2247-msgid ""
2248-"B<hashlimit> uses hash buckets to express a rate limiting match (like the "
2249-"B<limit> match) for a group of connections using a B<single> iptables "
2250-"rule. Grouping can be done per-hostgroup (source and/or destination address) "
2251-"and/or per-port. It gives you the ability to express \"I<N> packets per time "
2252-"quantum per group\" (see below for some examples)."
2323+msgid "conntrack"
22532324 msgstr ""
22542325
22552326 #. type: Plain text
2256-#: original/man8/ip6tables.8:808 original/man8/iptables.8:756
2327+#: original/man8/iptables-extensions.8:270
22572328 msgid ""
2258-"A hash limit option (B<--hashlimit-upto>, B<--hashlimit-above>) and "
2259-"B<--hashlimit-name> are required."
2329+"This module, when combined with connection tracking, allows access to the "
2330+"connection tracking state for this packet/connection."
22602331 msgstr ""
22612332
22622333 #. type: TP
2263-#: original/man8/ip6tables.8:808 original/man8/iptables.8:756
2334+#: original/man8/iptables-extensions.8:270
22642335 #, no-wrap
2265-msgid "B<--hashlimit-upto> I<amount>[B</second>|B</minute>|B</hour>|B</day>]"
2336+msgid "[B<!>] B<--ctstate> I<statelist>"
22662337 msgstr ""
22672338
22682339 #. type: Plain text
2269-#: original/man8/ip6tables.8:812 original/man8/iptables.8:760
2340+#: original/man8/iptables-extensions.8:274
22702341 msgid ""
2271-"Match if the rate is below or equal to I<amount>/quantum. It is specified as "
2272-"a number, with an optional time quantum suffix; the default is 3/hour."
2342+"I<statelist> is a comma separated list of the connection states to match. "
2343+"Possible states are listed below."
22732344 msgstr ""
22742345
22752346 #. type: TP
2276-#: original/man8/ip6tables.8:812 original/man8/iptables.8:760
2347+#: original/man8/iptables-extensions.8:274
22772348 #, no-wrap
2278-msgid "B<--hashlimit-above> I<amount>[B</second>|B</minute>|B</hour>|B</day>]"
2349+msgid "[B<!>] B<--ctproto> I<l4proto>"
22792350 msgstr ""
22802351
22812352 #. type: Plain text
2282-#: original/man8/ip6tables.8:815 original/man8/iptables.8:763
2283-msgid "Match if the rate is above I<amount>/quantum."
2353+#: original/man8/iptables-extensions.8:277
2354+msgid "Layer-4 protocol to match (by number or name)"
22842355 msgstr ""
22852356
22862357 #. type: TP
2287-#: original/man8/ip6tables.8:815 original/man8/iptables.8:763
2358+#: original/man8/iptables-extensions.8:277
22882359 #, no-wrap
2289-msgid "B<--hashlimit-burst> I<amount>"
2290-msgstr ""
2291-
2292-#. type: Plain text
2293-#: original/man8/ip6tables.8:820 original/man8/ip6tables.8:1007 original/man8/iptables.8:768 original/man8/iptables.8:893
2294-msgid ""
2295-"Maximum initial number of packets to match: this number gets recharged by "
2296-"one every time the limit specified above is not reached, up to this number; "
2297-"the default is 5."
2360+msgid "[B<!>] B<--ctorigsrc> I<address>[B</>I<mask>]"
22982361 msgstr ""
22992362
23002363 #. type: TP
2301-#: original/man8/ip6tables.8:820 original/man8/iptables.8:768
2364+#: original/man8/iptables-extensions.8:279
23022365 #, no-wrap
2303-msgid "B<--hashlimit-mode> {B<srcip>|B<srcport>|B<dstip>|B<dstport>}B<,>..."
2366+msgid "[B<!>] B<--ctorigdst> I<address>[B</>I<mask>]"
23042367 msgstr ""
23052368
2306-#. type: Plain text
2307-#: original/man8/ip6tables.8:825 original/man8/iptables.8:773
2308-msgid ""
2309-"A comma-separated list of objects to take into consideration. If no "
2310-"--hashlimit-mode option is given, hashlimit acts like limit, but at the "
2311-"expensive of doing the hash housekeeping."
2369+#. type: TP
2370+#: original/man8/iptables-extensions.8:281
2371+#, no-wrap
2372+msgid "[B<!>] B<--ctreplsrc> I<address>[B</>I<mask>]"
23122373 msgstr ""
23132374
23142375 #. type: TP
2315-#: original/man8/ip6tables.8:825 original/man8/iptables.8:773
2376+#: original/man8/iptables-extensions.8:283
23162377 #, no-wrap
2317-msgid "B<--hashlimit-srcmask> I<prefix>"
2378+msgid "[B<!>] B<--ctrepldst> I<address>[B</>I<mask>]"
23182379 msgstr ""
23192380
23202381 #. type: Plain text
2321-#: original/man8/ip6tables.8:832 original/man8/iptables.8:780
2322-msgid ""
2323-"When --hashlimit-mode srcip is used, all source addresses encountered will "
2324-"be grouped according to the given prefix length and the so-created subnet "
2325-"will be subject to hashlimit. I<prefix> must be between (inclusive) 0 and "
2326-"32. Note that --hashlimit-srcmask 0 is basically doing the same thing as not "
2327-"specifying srcip for --hashlimit-mode, but is technically more expensive."
2382+#: original/man8/iptables-extensions.8:286
2383+msgid "Match against original/reply source/destination address"
23282384 msgstr ""
23292385
23302386 #. type: TP
2331-#: original/man8/ip6tables.8:832 original/man8/iptables.8:780
2387+#: original/man8/iptables-extensions.8:286
23322388 #, no-wrap
2333-msgid "B<--hashlimit-dstmask> I<prefix>"
2334-msgstr ""
2335-
2336-#. type: Plain text
2337-#: original/man8/ip6tables.8:835 original/man8/iptables.8:783
2338-msgid "Like --hashlimit-srcmask, but for destination addresses."
2389+msgid "[B<!>] B<--ctorigsrcport> I<port>[B<:>I<port>]"
23392390 msgstr ""
23402391
23412392 #. type: TP
2342-#: original/man8/ip6tables.8:835 original/man8/iptables.8:783
2393+#: original/man8/iptables-extensions.8:288
23432394 #, no-wrap
2344-msgid "B<--hashlimit-name> I<foo>"
2395+msgid "[B<!>] B<--ctorigdstport> I<port>[B<:>I<port>]"
23452396 msgstr ""
23462397
2347-#. type: Plain text
2348-#: original/man8/ip6tables.8:838 original/man8/iptables.8:786
2349-msgid "The name for the /proc/net/ipt_hashlimit/foo entry."
2398+#. type: TP
2399+#: original/man8/iptables-extensions.8:290
2400+#, no-wrap
2401+msgid "[B<!>] B<--ctreplsrcport> I<port>[B<:>I<port>]"
23502402 msgstr ""
23512403
23522404 #. type: TP
2353-#: original/man8/ip6tables.8:838 original/man8/iptables.8:786
2405+#: original/man8/iptables-extensions.8:292
23542406 #, no-wrap
2355-msgid "B<--hashlimit-htable-size> I<buckets>"
2407+msgid "[B<!>] B<--ctrepldstport> I<port>[B<:>I<port>]"
23562408 msgstr ""
23572409
23582410 #. type: Plain text
2359-#: original/man8/ip6tables.8:841 original/man8/iptables.8:789
2360-msgid "The number of buckets of the hash table"
2411+#: original/man8/iptables-extensions.8:296
2412+msgid ""
2413+"Match against original/reply source/destination port (TCP/UDP/etc.) or GRE "
2414+"key. Matching against port ranges is only supported in kernel versions "
2415+"above 2.6.38."
23612416 msgstr ""
23622417
23632418 #. type: TP
2364-#: original/man8/ip6tables.8:841 original/man8/iptables.8:789
2419+#: original/man8/iptables-extensions.8:296
23652420 #, no-wrap
2366-msgid "B<--hashlimit-htable-max> I<entries>"
2421+msgid "[B<!>] B<--ctstatus> I<statelist>"
23672422 msgstr ""
23682423
23692424 #. type: Plain text
2370-#: original/man8/ip6tables.8:844 original/man8/iptables.8:792
2371-msgid "Maximum entries in the hash."
2425+#: original/man8/iptables-extensions.8:300
2426+msgid ""
2427+"I<statuslist> is a comma separated list of the connection statuses to "
2428+"match. Possible statuses are listed below."
23722429 msgstr ""
23732430
23742431 #. type: TP
2375-#: original/man8/ip6tables.8:844 original/man8/iptables.8:792
2432+#: original/man8/iptables-extensions.8:300
23762433 #, no-wrap
2377-msgid "B<--hashlimit-htable-expire> I<msec>"
2434+msgid "[B<!>] B<--ctexpire> I<time>[B<:>I<time>]"
23782435 msgstr ""
23792436
23802437 #. type: Plain text
2381-#: original/man8/ip6tables.8:847 original/man8/iptables.8:795
2382-msgid "After how many milliseconds do hash entries expire."
2438+#: original/man8/iptables-extensions.8:304
2439+msgid ""
2440+"Match remaining lifetime in seconds against given value or range of values "
2441+"(inclusive)"
23832442 msgstr ""
23842443
23852444 #. type: TP
2386-#: original/man8/ip6tables.8:847 original/man8/iptables.8:795
2445+#: original/man8/iptables-extensions.8:304
23872446 #, no-wrap
2388-msgid "B<--hashlimit-htable-gcinterval> I<msec>"
2447+msgid "B<--ctdir> {B<ORIGINAL>|B<REPLY>}"
23892448 msgstr ""
23902449
23912450 #. type: Plain text
2392-#: original/man8/ip6tables.8:850 original/man8/iptables.8:798
2393-msgid "How many milliseconds between garbage collection intervals."
2451+#: original/man8/iptables-extensions.8:308
2452+msgid ""
2453+"Match packets that are flowing in the specified direction. If this flag is "
2454+"not specified at all, matches packets in both directions."
2455+msgstr ""
2456+
2457+#. type: Plain text
2458+#: original/man8/iptables-extensions.8:310
2459+msgid "States for B<--ctstate>:"
23942460 msgstr ""
23952461
23962462 #. type: TP
2397-#: original/man8/ip6tables.8:852 original/man8/iptables.8:800
2463+#: original/man8/iptables-extensions.8:310
23982464 #, no-wrap
2399-msgid "matching on source host"
2465+msgid "B<INVALID>"
24002466 msgstr ""
24012467
24022468 #. type: Plain text
2403-#: original/man8/ip6tables.8:856 original/man8/iptables.8:804
2404-msgid ""
2405-"\"1000 packets per second for every host in 192.168.0.0/16\" =E<gt> -s "
2406-"192.168.0.0/16 --hashlimit-mode srcip --hashlimit-upto 1000/sec"
2469+#: original/man8/iptables-extensions.8:313
2470+msgid "The packet is associated with no known connection."
24072471 msgstr ""
24082472
24092473 #. type: TP
2410-#: original/man8/ip6tables.8:856 original/man8/iptables.8:804
2474+#: original/man8/iptables-extensions.8:313
24112475 #, no-wrap
2412-msgid "matching on source port"
2476+msgid "B<NEW>"
24132477 msgstr ""
24142478
24152479 #. type: Plain text
2416-#: original/man8/ip6tables.8:860 original/man8/iptables.8:808
2480+#: original/man8/iptables-extensions.8:317
24172481 msgid ""
2418-"\"100 packets per second for every service of 192.168.1.1\" =E<gt> -s "
2419-"192.168.1.1 --hashlimit-mode srcport --hashlimit-upto 100/sec"
2482+"The packet has started a new connection, or otherwise associated with a "
2483+"connection which has not seen packets in both directions."
24202484 msgstr ""
24212485
24222486 #. type: TP
2423-#: original/man8/ip6tables.8:860 original/man8/iptables.8:808
2487+#: original/man8/iptables-extensions.8:317
24242488 #, no-wrap
2425-msgid "matching on subnet"
2489+msgid "B<ESTABLISHED>"
24262490 msgstr ""
24272491
24282492 #. type: Plain text
2429-#: original/man8/ip6tables.8:865 original/man8/iptables.8:813
2493+#: original/man8/iptables-extensions.8:321
24302494 msgid ""
2431-"\"10000 packets per minute for every /28 subnet (groups of 8 addresses) in "
2432-"10.0.0.0/8\" =E<gt> -s 10.0.0.8 --hashlimit-mask 28 --hashlimit-upto "
2433-"10000/min"
2495+"The packet is associated with a connection which has seen packets in both "
2496+"directions."
24342497 msgstr ""
24352498
2436-#. type: SS
2437-#: original/man8/ip6tables.8:865
2499+#. type: TP
2500+#: original/man8/iptables-extensions.8:321
24382501 #, no-wrap
2439-msgid "hbh"
2502+msgid "B<RELATED>"
24402503 msgstr ""
24412504
24422505 #. type: Plain text
2443-#: original/man8/ip6tables.8:867
2444-msgid "This module matches the parameters in Hop-by-Hop Options header"
2506+#: original/man8/iptables-extensions.8:325
2507+msgid ""
2508+"The packet is starting a new connection, but is associated with an existing "
2509+"connection, such as an FTP data transfer, or an ICMP error."
24452510 msgstr ""
24462511
24472512 #. type: TP
2448-#: original/man8/ip6tables.8:867
2513+#: original/man8/iptables-extensions.8:325
24492514 #, no-wrap
2450-msgid "[B<!>] B<--hbh-len> I<length>"
2515+msgid "B<UNTRACKED>"
24512516 msgstr ""
24522517
2453-#. type: TP
2454-#: original/man8/ip6tables.8:870
2455-#, no-wrap
2456-msgid "B<--hbh-opts> I<type>[B<:>I<length>][B<,>I<type>[B<:>I<length>]...]"
2518+#. type: Plain text
2519+#: original/man8/iptables-extensions.8:329
2520+msgid ""
2521+"The packet is not tracked at all, which happens if you explicitly untrack it "
2522+"by using -j CT --notrack in the raw table."
24572523 msgstr ""
24582524
2459-#. type: SS
2460-#: original/man8/ip6tables.8:873 original/man8/iptables.8:813
2525+#. type: TP
2526+#: original/man8/iptables-extensions.8:329
24612527 #, no-wrap
2462-msgid "helper"
2528+msgid "B<SNAT>"
24632529 msgstr ""
24642530
24652531 #. type: Plain text
2466-#: original/man8/ip6tables.8:875 original/man8/iptables.8:815
2467-msgid "This module matches packets related to a specific conntrack-helper."
2532+#: original/man8/iptables-extensions.8:333
2533+msgid ""
2534+"A virtual state, matching if the original source address differs from the "
2535+"reply destination."
24682536 msgstr ""
24692537
24702538 #. type: TP
2471-#: original/man8/ip6tables.8:875 original/man8/iptables.8:815
2539+#: original/man8/iptables-extensions.8:333
24722540 #, no-wrap
2473-msgid "[B<!>] B<--helper> I<string>"
2541+msgid "B<DNAT>"
24742542 msgstr ""
24752543
24762544 #. type: Plain text
2477-#: original/man8/ip6tables.8:878 original/man8/iptables.8:818
2478-msgid "Matches packets related to the specified conntrack-helper."
2545+#: original/man8/iptables-extensions.8:337
2546+msgid ""
2547+"A virtual state, matching if the original destination differs from the reply "
2548+"source."
24792549 msgstr ""
24802550
24812551 #. type: Plain text
2482-#: original/man8/ip6tables.8:882 original/man8/iptables.8:822
2483-msgid ""
2484-"string can be \"ftp\" for packets related to a ftp-session on default port. "
2485-"For other ports append -portnr to the value, ie. \"ftp-2121\"."
2552+#: original/man8/iptables-extensions.8:339
2553+msgid "Statuses for B<--ctstatus>:"
2554+msgstr ""
2555+
2556+#. type: TP
2557+#: original/man8/iptables-extensions.8:339
2558+#, no-wrap
2559+msgid "B<NONE>"
24862560 msgstr ""
24872561
24882562 #. type: Plain text
2489-#: original/man8/ip6tables.8:884 original/man8/iptables.8:824
2490-msgid "Same rules apply for other conntrack-helpers."
2563+#: original/man8/iptables-extensions.8:342
2564+msgid "None of the below."
24912565 msgstr ""
24922566
2493-#. type: SS
2494-#: original/man8/ip6tables.8:885
2567+#. type: TP
2568+#: original/man8/iptables-extensions.8:342
24952569 #, no-wrap
2496-msgid "hl"
2570+msgid "B<EXPECTED>"
24972571 msgstr ""
24982572
24992573 #. type: Plain text
2500-#: original/man8/ip6tables.8:887
2501-msgid "This module matches the Hop Limit field in the IPv6 header."
2574+#: original/man8/iptables-extensions.8:345
2575+msgid "This is an expected connection (i.e. a conntrack helper set it up)."
25022576 msgstr ""
25032577
25042578 #. type: TP
2505-#: original/man8/ip6tables.8:887
2579+#: original/man8/iptables-extensions.8:345
25062580 #, no-wrap
2507-msgid "[B<!>] B<--hl-eq> I<value>"
2581+msgid "B<SEEN_REPLY>"
25082582 msgstr ""
25092583
25102584 #. type: Plain text
2511-#: original/man8/ip6tables.8:890
2512-msgid "Matches if Hop Limit equals I<value>."
2585+#: original/man8/iptables-extensions.8:348
2586+msgid "Conntrack has seen packets in both directions."
25132587 msgstr ""
25142588
25152589 #. type: TP
2516-#: original/man8/ip6tables.8:890
2590+#: original/man8/iptables-extensions.8:348
25172591 #, no-wrap
2518-msgid "B<--hl-lt> I<value>"
2592+msgid "B<ASSURED>"
25192593 msgstr ""
25202594
25212595 #. type: Plain text
2522-#: original/man8/ip6tables.8:893
2523-msgid "Matches if Hop Limit is less than I<value>."
2596+#: original/man8/iptables-extensions.8:351
2597+msgid "Conntrack entry should never be early-expired."
25242598 msgstr ""
25252599
25262600 #. type: TP
2527-#: original/man8/ip6tables.8:893
2601+#: original/man8/iptables-extensions.8:351
25282602 #, no-wrap
2529-msgid "B<--hl-gt> I<value>"
2603+msgid "B<CONFIRMED>"
25302604 msgstr ""
25312605
25322606 #. type: Plain text
2533-#: original/man8/ip6tables.8:896
2534-msgid "Matches if Hop Limit is greater than I<value>."
2607+#: original/man8/iptables-extensions.8:354
2608+msgid "Connection is confirmed: originating packet has left box."
25352609 msgstr ""
25362610
25372611 #. type: SS
2538-#: original/man8/ip6tables.8:896
2612+#: original/man8/iptables-extensions.8:354
2613+#, no-wrap
2614+msgid "cpu"
2615+msgstr ""
2616+
2617+#. type: TP
2618+#: original/man8/iptables-extensions.8:355
25392619 #, no-wrap
2540-msgid "icmp6"
2620+msgid "[B<!>] B<--cpu> I<number>"
25412621 msgstr ""
25422622
25432623 #. type: Plain text
2544-#: original/man8/ip6tables.8:899
2624+#: original/man8/iptables-extensions.8:360
25452625 msgid ""
2546-"This extension can be used if `--protocol ipv6-icmp' or `--protocol icmpv6' "
2547-"is specified. It provides the following option:"
2626+"Match cpu handling this packet. cpus are numbered from 0 to NR_CPUS-1 Can be "
2627+"used in combination with RPS (Remote Packet Steering) or multiqueue NICs to "
2628+"spread network traffic on different queues."
25482629 msgstr ""
25492630
2550-#. type: TP
2551-#: original/man8/ip6tables.8:899
2552-#, no-wrap
2553-msgid "[B<!>] B<--icmpv6-type> I<type>[B</>I<code>]|I<typename>"
2631+#. type: Plain text
2632+#: original/man8/iptables-extensions.8:365
2633+msgid ""
2634+"iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 0 -j REDIRECT "
2635+"--to-port 8080"
25542636 msgstr ""
25552637
25562638 #. type: Plain text
2557-#: original/man8/ip6tables.8:908
2639+#: original/man8/iptables-extensions.8:368
25582640 msgid ""
2559-"This allows specification of the ICMPv6 type, which can be a numeric ICMPv6 "
2560-"I<type>, I<type> and I<code>, or one of the ICMPv6 type names shown by the "
2561-"command"
2641+"iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 1 -j REDIRECT "
2642+"--to-port 8081"
25622643 msgstr ""
25632644
25642645 #. type: Plain text
2565-#: original/man8/ip6tables.8:910
2566-#, no-wrap
2567-msgid " ip6tables -p ipv6-icmp -h\n"
2646+#: original/man8/iptables-extensions.8:370
2647+msgid "Available since Linux 2.6.36."
25682648 msgstr ""
25692649
25702650 #. type: SS
2571-#: original/man8/ip6tables.8:911 original/man8/iptables.8:835
2651+#: original/man8/iptables-extensions.8:370
25722652 #, no-wrap
2573-msgid "iprange"
2653+msgid "dccp"
25742654 msgstr ""
25752655
2576-#. type: Plain text
2577-#: original/man8/ip6tables.8:913 original/man8/iptables.8:837
2578-msgid "This matches on a given arbitrary range of IP addresses."
2656+#. type: TP
2657+#: original/man8/iptables-extensions.8:371 original/man8/iptables-extensions.8:1230 original/man8/iptables-extensions.8:1354 original/man8/iptables-extensions.8:1657
2658+#, no-wrap
2659+msgid "[B<!>] B<--source-port>,B<--sport> I<port>[B<:>I<port>]"
25792660 msgstr ""
25802661
25812662 #. type: TP
2582-#: original/man8/ip6tables.8:913 original/man8/iptables.8:837
2663+#: original/man8/iptables-extensions.8:373 original/man8/iptables-extensions.8:1232 original/man8/iptables-extensions.8:1365 original/man8/iptables-extensions.8:1663
25832664 #, no-wrap
2584-msgid "[B<!>] B<--src-range> I<from>[B<->I<to>]"
2665+msgid "[B<!>] B<--destination-port>,B<--dport> I<port>[B<:>I<port>]"
2666+msgstr ""
2667+
2668+#. type: TP
2669+#: original/man8/iptables-extensions.8:375
2670+#, no-wrap
2671+msgid "[B<!>] B<--dccp-types> I<mask>"
25852672 msgstr ""
25862673
25872674 #. type: Plain text
2588-#: original/man8/ip6tables.8:916 original/man8/iptables.8:840
2589-msgid "Match source IP in the specified range."
2675+#: original/man8/iptables-extensions.8:380
2676+msgid ""
2677+"Match when the DCCP packet type is one of 'mask'. 'mask' is a "
2678+"comma-separated list of packet types. Packet types are: B<REQUEST RESPONSE "
2679+"DATA ACK DATAACK CLOSEREQ CLOSE RESET SYNC SYNCACK INVALID>."
25902680 msgstr ""
25912681
25922682 #. type: TP
2593-#: original/man8/ip6tables.8:916 original/man8/iptables.8:840
2683+#: original/man8/iptables-extensions.8:380
25942684 #, no-wrap
2595-msgid "[B<!>] B<--dst-range> I<from>[B<->I<to>]"
2685+msgid "[B<!>] B<--dccp-option> I<number>"
25962686 msgstr ""
25972687
25982688 #. type: Plain text
2599-#: original/man8/ip6tables.8:919 original/man8/iptables.8:843
2600-msgid "Match destination IP in the specified range."
2689+#: original/man8/iptables-extensions.8:383
2690+msgid "Match if DCCP option set."
26012691 msgstr ""
26022692
26032693 #. type: SS
2604-#: original/man8/ip6tables.8:919
2694+#: original/man8/iptables-extensions.8:383
26052695 #, no-wrap
2606-msgid "ipv6header"
2696+msgid "devgroup"
26072697 msgstr ""
26082698
26092699 #. type: Plain text
2610-#: original/man8/ip6tables.8:921
2611-msgid "This module matches IPv6 extension headers and/or upper layer header."
2700+#: original/man8/iptables-extensions.8:385
2701+msgid "Match device group of a packets incoming/outgoing interface."
26122702 msgstr ""
26132703
26142704 #. type: TP
2615-#: original/man8/ip6tables.8:921
2705+#: original/man8/iptables-extensions.8:385
26162706 #, no-wrap
2617-msgid "B<--soft>"
2707+msgid "[B<!>] B<--src-group> I<name>"
26182708 msgstr ""
26192709
26202710 #. type: Plain text
2621-#: original/man8/ip6tables.8:925
2622-msgid ""
2623-"Matches if the packet includes B<any> of the headers specified with "
2624-"B<--header>."
2711+#: original/man8/iptables-extensions.8:388
2712+msgid "Match device group of incoming device"
26252713 msgstr ""
26262714
26272715 #. type: TP
2628-#: original/man8/ip6tables.8:925
2716+#: original/man8/iptables-extensions.8:388
26292717 #, no-wrap
2630-msgid "[B<!>] B<--header> I<header>[B<,>I<header>...]"
2718+msgid "[B<!>] B<--dst-group> I<name>"
26312719 msgstr ""
26322720
26332721 #. type: Plain text
2634-#: original/man8/ip6tables.8:930
2635-msgid ""
2636-"Matches the packet which EXACTLY includes all specified headers. The headers "
2637-"encapsulated with ESP header are out of scope. Possible I<header> types can "
2638-"be:"
2722+#: original/man8/iptables-extensions.8:391
2723+msgid "Match device group of outgoing device"
26392724 msgstr ""
26402725
2641-#. type: TP
2642-#: original/man8/ip6tables.8:930
2726+#. type: SS
2727+#: original/man8/iptables-extensions.8:391
26432728 #, no-wrap
2644-msgid "B<hop>|B<hop-by-hop>"
2729+msgid "dscp"
26452730 msgstr ""
26462731
26472732 #. type: Plain text
2648-#: original/man8/ip6tables.8:933
2649-msgid "Hop-by-Hop Options header"
2733+#: original/man8/iptables-extensions.8:394
2734+msgid ""
2735+"This module matches the 6 bit DSCP field within the TOS field in the IP "
2736+"header. DSCP has superseded TOS within the IETF."
26502737 msgstr ""
26512738
26522739 #. type: TP
2653-#: original/man8/ip6tables.8:933
2740+#: original/man8/iptables-extensions.8:394
26542741 #, no-wrap
2655-msgid "B<dst>"
2742+msgid "[B<!>] B<--dscp> I<value>"
26562743 msgstr ""
26572744
26582745 #. type: Plain text
2659-#: original/man8/ip6tables.8:936
2660-msgid "Destination Options header"
2746+#: original/man8/iptables-extensions.8:397
2747+msgid "Match against a numeric (decimal or hex) value [0-63]."
26612748 msgstr ""
26622749
26632750 #. type: TP
2664-#: original/man8/ip6tables.8:936
2751+#: original/man8/iptables-extensions.8:397
26652752 #, no-wrap
2666-msgid "B<route>"
2753+msgid "[B<!>] B<--dscp-class> I<class>"
26672754 msgstr ""
26682755
26692756 #. type: Plain text
2670-#: original/man8/ip6tables.8:939
2671-msgid "Routing header"
2757+#: original/man8/iptables-extensions.8:402
2758+msgid ""
2759+"Match the DiffServ class. This value may be any of the BE, EF, AFxx or CSx "
2760+"classes. It will then be converted into its according numeric value."
26722761 msgstr ""
26732762
2674-#. type: TP
2675-#: original/man8/ip6tables.8:939
2763+#. type: SS
2764+#: original/man8/iptables-extensions.8:402
26762765 #, no-wrap
2677-msgid "B<frag>"
2766+msgid "dst (IPv6-specific)"
26782767 msgstr ""
26792768
26802769 #. type: Plain text
2681-#: original/man8/ip6tables.8:942
2682-msgid "Fragment header"
2770+#: original/man8/iptables-extensions.8:404
2771+msgid "This module matches the parameters in Destination Options header"
26832772 msgstr ""
26842773
26852774 #. type: TP
2686-#: original/man8/ip6tables.8:942
2775+#: original/man8/iptables-extensions.8:404
26872776 #, no-wrap
2688-msgid "B<auth>"
2689-msgstr ""
2690-
2691-#. type: Plain text
2692-#: original/man8/ip6tables.8:945
2693-msgid "Authentication header"
2777+msgid "[B<!>] B<--dst-len> I<length>"
26942778 msgstr ""
26952779
26962780 #. type: TP
2697-#: original/man8/ip6tables.8:945
2781+#: original/man8/iptables-extensions.8:407
26982782 #, no-wrap
2699-msgid "B<esp>"
2783+msgid "B<--dst-opts> I<type>[B<:>I<length>][B<,>I<type>[B<:>I<length>]...]"
27002784 msgstr ""
27012785
27022786 #. type: Plain text
2703-#: original/man8/ip6tables.8:948
2704-msgid "Encapsulating Security Payload header"
2787+#: original/man8/iptables-extensions.8:410 original/man8/iptables-extensions.8:543
2788+msgid "numeric type of option and the length of the option data in octets."
27052789 msgstr ""
27062790
2707-#. type: TP
2708-#: original/man8/ip6tables.8:948
2791+#. type: SS
2792+#: original/man8/iptables-extensions.8:410
27092793 #, no-wrap
2710-msgid "B<none>"
2794+msgid "ecn"
27112795 msgstr ""
27122796
27132797 #. type: Plain text
2714-#: original/man8/ip6tables.8:952
2798+#: original/man8/iptables-extensions.8:412
27152799 msgid ""
2716-"No Next header which matches 59 in the 'Next Header field' of IPv6 header or "
2717-"any IPv6 extension headers"
2800+"This allows you to match the ECN bits of the IPv4/IPv6 and TCP header. ECN "
2801+"is the Explicit Congestion Notification mechanism as specified in RFC3168"
27182802 msgstr ""
27192803
27202804 #. type: TP
2721-#: original/man8/ip6tables.8:952
2805+#: original/man8/iptables-extensions.8:412
27222806 #, no-wrap
2723-msgid "B<proto>"
2807+msgid "[B<!>] B<--ecn-tcp-cwr>"
27242808 msgstr ""
27252809
27262810 #. type: Plain text
2727-#: original/man8/ip6tables.8:957
2728-msgid ""
2729-"which matches any upper layer protocol header. A protocol name from "
2730-"/etc/protocols and numeric value also allowed. The number 255 is equivalent "
2731-"to B<proto>."
2811+#: original/man8/iptables-extensions.8:415
2812+msgid "This matches if the TCP ECN CWR (Congestion Window Received) bit is set."
27322813 msgstr ""
27332814
2734-#. type: SS
2735-#: original/man8/ip6tables.8:957 original/man8/iptables.8:843
2815+#. type: TP
2816+#: original/man8/iptables-extensions.8:415
27362817 #, no-wrap
2737-msgid "ipvs"
2818+msgid "[B<!>] B<--ecn-tcp-ece>"
27382819 msgstr ""
27392820
27402821 #. type: Plain text
2741-#: original/man8/ip6tables.8:959 original/man8/iptables.8:845
2742-msgid "Match IPVS connection properties."
2822+#: original/man8/iptables-extensions.8:418
2823+msgid "This matches if the TCP ECN ECE (ECN Echo) bit is set."
27432824 msgstr ""
27442825
27452826 #. type: TP
2746-#: original/man8/ip6tables.8:959 original/man8/iptables.8:845
2827+#: original/man8/iptables-extensions.8:418
27472828 #, no-wrap
2748-msgid "[B<!>] B<--ipvs>"
2829+msgid "[B<!>] B<--ecn-ip-ect> I<num>"
27492830 msgstr ""
27502831
27512832 #. type: Plain text
2752-#: original/man8/ip6tables.8:962 original/man8/iptables.8:848
2753-msgid "packet belongs to an IPVS connection"
2833+#: original/man8/iptables-extensions.8:422
2834+msgid ""
2835+"This matches a particular IPv4/IPv6 ECT (ECN-Capable Transport). You have to "
2836+"specify a number between `0' and `3'."
27542837 msgstr ""
27552838
2756-#. type: TP
2757-#: original/man8/ip6tables.8:962 original/man8/iptables.8:848
2839+#. type: SS
2840+#: original/man8/iptables-extensions.8:422
27582841 #, no-wrap
2759-msgid "Any of the following options implies --ipvs (even negated)"
2842+msgid "esp"
27602843 msgstr ""
27612844
2762-#. type: TP
2763-#: original/man8/ip6tables.8:964 original/man8/iptables.8:850
2764-#, no-wrap
2765-msgid "[B<!>] B<--vproto> I<protocol>"
2845+#. type: Plain text
2846+#: original/man8/iptables-extensions.8:424
2847+msgid "This module matches the SPIs in ESP header of IPsec packets."
2848+msgstr ""
2849+
2850+#. type: TP
2851+#: original/man8/iptables-extensions.8:424
2852+#, no-wrap
2853+msgid "[B<!>] B<--espspi> I<spi>[B<:>I<spi>]"
2854+msgstr ""
2855+
2856+#. type: SS
2857+#: original/man8/iptables-extensions.8:426
2858+#, no-wrap
2859+msgid "eui64 (IPv6-specific)"
27662860 msgstr ""
27672861
27682862 #. type: Plain text
2769-#: original/man8/ip6tables.8:967 original/man8/iptables.8:853
2770-msgid "VIP protocol to match; by number or name, e.g. \"tcp\""
2863+#: original/man8/iptables-extensions.8:437
2864+msgid ""
2865+"This module matches the EUI-64 part of a stateless autoconfigured IPv6 "
2866+"address. It compares the EUI-64 derived from the source MAC address in "
2867+"Ethernet frame with the lower 64 bits of the IPv6 source address. But "
2868+"\"Universal/Local\" bit is not compared. This module doesn't match other "
2869+"link layer frame, and is only valid in the B<PREROUTING>, B<INPUT> and "
2870+"B<FORWARD> chains."
27712871 msgstr ""
27722872
2773-#. type: TP
2774-#: original/man8/ip6tables.8:967 original/man8/iptables.8:853
2873+#. type: SS
2874+#: original/man8/iptables-extensions.8:437
27752875 #, no-wrap
2776-msgid "[B<!>] B<--vaddr> I<address>[B</>I<mask>]"
2876+msgid "frag (IPv6-specific)"
27772877 msgstr ""
27782878
27792879 #. type: Plain text
2780-#: original/man8/ip6tables.8:970 original/man8/iptables.8:856
2781-msgid "VIP address to match"
2880+#: original/man8/iptables-extensions.8:439
2881+msgid "This module matches the parameters in Fragment header."
27822882 msgstr ""
27832883
27842884 #. type: TP
2785-#: original/man8/ip6tables.8:970 original/man8/iptables.8:856
2885+#: original/man8/iptables-extensions.8:439
27862886 #, no-wrap
2787-msgid "[B<!>] B<--vport> I<port>"
2887+msgid "[B<!>] B<--fragid> I<id>[B<:>I<id>]"
27882888 msgstr ""
27892889
27902890 #. type: Plain text
2791-#: original/man8/ip6tables.8:973 original/man8/iptables.8:859
2792-msgid "VIP port to match; by number or name, e.g. \"http\""
2891+#: original/man8/iptables-extensions.8:442
2892+msgid "Matches the given Identification or range of it."
27932893 msgstr ""
27942894
27952895 #. type: TP
2796-#: original/man8/ip6tables.8:973 original/man8/iptables.8:859
2896+#: original/man8/iptables-extensions.8:442
27972897 #, no-wrap
2798-msgid "B<--vdir> {B<ORIGINAL>|B<REPLY>}"
2898+msgid "[B<!>] B<--fraglen> I<length>"
27992899 msgstr ""
28002900
28012901 #. type: Plain text
2802-#: original/man8/ip6tables.8:976 original/man8/iptables.8:862
2803-msgid "flow direction of packet"
2902+#: original/man8/iptables-extensions.8:446
2903+msgid ""
2904+"This option cannot be used with kernel version 2.6.10 or later. The length "
2905+"of Fragment header is static and this option doesn't make sense."
28042906 msgstr ""
28052907
28062908 #. type: TP
2807-#: original/man8/ip6tables.8:976 original/man8/iptables.8:862
2909+#: original/man8/iptables-extensions.8:446
28082910 #, no-wrap
2809-msgid "[B<!>] B<--vmethod> {B<GATE>|B<IPIP>|B<MASQ>}"
2911+msgid "B<--fragres>"
28102912 msgstr ""
28112913
28122914 #. type: Plain text
2813-#: original/man8/ip6tables.8:979 original/man8/iptables.8:865
2814-msgid "IPVS forwarding method used"
2915+#: original/man8/iptables-extensions.8:449
2916+msgid "Matches if the reserved fields are filled with zero."
28152917 msgstr ""
28162918
28172919 #. type: TP
2818-#: original/man8/ip6tables.8:979 original/man8/iptables.8:865
2920+#: original/man8/iptables-extensions.8:449
28192921 #, no-wrap
2820-msgid "[B<!>] B<--vportctl> I<port>"
2922+msgid "B<--fragfirst>"
28212923 msgstr ""
28222924
28232925 #. type: Plain text
2824-#: original/man8/ip6tables.8:982 original/man8/iptables.8:868
2825-msgid "VIP port of the controlling connection to match, e.g. 21 for FTP"
2926+#: original/man8/iptables-extensions.8:452
2927+msgid "Matches on the first fragment."
28262928 msgstr ""
28272929
2828-#. type: SS
2829-#: original/man8/ip6tables.8:982 original/man8/iptables.8:868
2930+#. type: TP
2931+#: original/man8/iptables-extensions.8:452
28302932 #, no-wrap
2831-msgid "length"
2933+msgid "B<--fragmore>"
28322934 msgstr ""
28332935
28342936 #. type: Plain text
2835-#: original/man8/ip6tables.8:986 original/man8/iptables.8:872
2836-msgid ""
2837-"This module matches the length of the layer-3 payload (e.g. layer-4 packet) "
2838-"of a packet against a specific value or range of values."
2937+#: original/man8/iptables-extensions.8:455
2938+msgid "Matches if there are more fragments."
28392939 msgstr ""
28402940
28412941 #. type: TP
2842-#: original/man8/ip6tables.8:986 original/man8/iptables.8:872
2942+#: original/man8/iptables-extensions.8:455
28432943 #, no-wrap
2844-msgid "[B<!>] B<--length> I<length>[B<:>I<length>]"
2944+msgid "B<--fraglast>"
2945+msgstr ""
2946+
2947+#. type: Plain text
2948+#: original/man8/iptables-extensions.8:458
2949+msgid "Matches if this is the last fragment."
28452950 msgstr ""
28462951
28472952 #. type: SS
2848-#: original/man8/ip6tables.8:988 original/man8/iptables.8:874
2953+#: original/man8/iptables-extensions.8:458
28492954 #, no-wrap
2850-msgid "limit"
2955+msgid "hashlimit"
28512956 msgstr ""
28522957
28532958 #. type: Plain text
2854-#: original/man8/ip6tables.8:994 original/man8/iptables.8:880
2959+#: original/man8/iptables-extensions.8:464
28552960 msgid ""
2856-"This module matches at a limited rate using a token bucket filter. A rule "
2857-"using this extension will match until this limit is reached. It can be used "
2858-"in combination with the B<LOG> target to give limited logging, for example."
2961+"B<hashlimit> uses hash buckets to express a rate limiting match (like the "
2962+"B<limit> match) for a group of connections using a B<single> iptables "
2963+"rule. Grouping can be done per-hostgroup (source and/or destination address) "
2964+"and/or per-port. It gives you the ability to express \"I<N> packets per time "
2965+"quantum per group\" or \"I<N> bytes per seconds\" (see below for some "
2966+"examples)."
28592967 msgstr ""
28602968
28612969 #. type: Plain text
2862-#: original/man8/ip6tables.8:997 original/man8/iptables.8:883
2970+#: original/man8/iptables-extensions.8:467
28632971 msgid ""
2864-"xt_limit has no negation support - you will have to use -m hashlimit ! "
2865-"--hashlimit I<rate> in this case whilst omitting --hashlimit-mode."
2972+"A hash limit option (B<--hashlimit-upto>, B<--hashlimit-above>) and "
2973+"B<--hashlimit-name> are required."
28662974 msgstr ""
28672975
28682976 #. type: TP
2869-#: original/man8/ip6tables.8:997 original/man8/iptables.8:883
2977+#: original/man8/iptables-extensions.8:467
28702978 #, no-wrap
2871-msgid "B<--limit> I<rate>[B</second>|B</minute>|B</hour>|B</day>]"
2979+msgid "B<--hashlimit-upto> I<amount>[B</second>|B</minute>|B</hour>|B</day>]"
28722980 msgstr ""
28732981
28742982 #. type: Plain text
2875-#: original/man8/ip6tables.8:1002 original/man8/iptables.8:888
2983+#: original/man8/iptables-extensions.8:472
28762984 msgid ""
2877-"Maximum average matching rate: specified as a number, with an optional "
2878-"`/second', `/minute', `/hour', or `/day' suffix; the default is 3/hour."
2985+"Match if the rate is below or equal to I<amount>/quantum. It is specified "
2986+"either as a number, with an optional time quantum suffix (the default is "
2987+"3/hour), or as I<amount>b/second (number of bytes per second)."
28792988 msgstr ""
28802989
28812990 #. type: TP
2882-#: original/man8/ip6tables.8:1002 original/man8/iptables.8:888
2991+#: original/man8/iptables-extensions.8:472
28832992 #, no-wrap
2884-msgid "B<--limit-burst> I<number>"
2993+msgid "B<--hashlimit-above> I<amount>[B</second>|B</minute>|B</hour>|B</day>]"
28852994 msgstr ""
28862995
2887-#. type: SS
2888-#: original/man8/ip6tables.8:1007 original/man8/iptables.8:893
2889-#, no-wrap
2890-msgid "mac"
2996+#. type: Plain text
2997+#: original/man8/iptables-extensions.8:475
2998+msgid "Match if the rate is above I<amount>/quantum."
28912999 msgstr ""
28923000
28933001 #. type: TP
2894-#: original/man8/ip6tables.8:1008 original/man8/iptables.8:894
3002+#: original/man8/iptables-extensions.8:475
28953003 #, no-wrap
2896-msgid "[B<!>] B<--mac-source> I<address>"
3004+msgid "B<--hashlimit-burst> I<amount>"
28973005 msgstr ""
28983006
28993007 #. type: Plain text
2900-#: original/man8/ip6tables.8:1018 original/man8/iptables.8:904
3008+#: original/man8/iptables-extensions.8:482
29013009 msgid ""
2902-"Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note "
2903-"that this only makes sense for packets coming from an Ethernet device and "
2904-"entering the B<PREROUTING>, B<FORWARD> or B<INPUT> chains."
3010+"Maximum initial number of packets to match: this number gets recharged by "
3011+"one every time the limit specified above is not reached, up to this number; "
3012+"the default is 5. When byte-based rate matching is requested, this option "
3013+"specifies the amount of bytes that can exceed the given rate. This option "
3014+"should be used with caution -- if the entry expires, the burst value is "
3015+"reset too."
29053016 msgstr ""
29063017
2907-#. type: SS
2908-#: original/man8/ip6tables.8:1018 original/man8/iptables.8:904
3018+#. type: TP
3019+#: original/man8/iptables-extensions.8:482
29093020 #, no-wrap
2910-msgid "mark"
3021+msgid "B<--hashlimit-mode> {B<srcip>|B<srcport>|B<dstip>|B<dstport>}B<,>..."
29113022 msgstr ""
29123023
29133024 #. type: Plain text
2914-#: original/man8/ip6tables.8:1023 original/man8/iptables.8:909
3025+#: original/man8/iptables-extensions.8:487
29153026 msgid ""
2916-"This module matches the netfilter mark field associated with a packet (which "
2917-"can be set using the B<MARK> target below)."
3027+"A comma-separated list of objects to take into consideration. If no "
3028+"--hashlimit-mode option is given, hashlimit acts like limit, but at the "
3029+"expensive of doing the hash housekeeping."
3030+msgstr ""
3031+
3032+#. type: TP
3033+#: original/man8/iptables-extensions.8:487
3034+#, no-wrap
3035+msgid "B<--hashlimit-srcmask> I<prefix>"
29183036 msgstr ""
29193037
29203038 #. type: Plain text
2921-#: original/man8/ip6tables.8:1028 original/man8/iptables.8:914
3039+#: original/man8/iptables-extensions.8:494
29223040 msgid ""
2923-"Matches packets with the given unsigned mark value (if a I<mask> is "
2924-"specified, this is logically ANDed with the I<mask> before the comparison)."
3041+"When --hashlimit-mode srcip is used, all source addresses encountered will "
3042+"be grouped according to the given prefix length and the so-created subnet "
3043+"will be subject to hashlimit. I<prefix> must be between (inclusive) 0 and "
3044+"32. Note that --hashlimit-srcmask 0 is basically doing the same thing as not "
3045+"specifying srcip for --hashlimit-mode, but is technically more expensive."
29253046 msgstr ""
29263047
2927-#. type: SS
2928-#: original/man8/ip6tables.8:1028
3048+#. type: TP
3049+#: original/man8/iptables-extensions.8:494
29293050 #, no-wrap
2930-msgid "mh"
3051+msgid "B<--hashlimit-dstmask> I<prefix>"
29313052 msgstr ""
29323053
29333054 #. type: Plain text
2934-#: original/man8/ip6tables.8:1031
2935-msgid ""
2936-"This extension is loaded if `--protocol ipv6-mh' or `--protocol mh' is "
2937-"specified. It provides the following option:"
3055+#: original/man8/iptables-extensions.8:497
3056+msgid "Like --hashlimit-srcmask, but for destination addresses."
29383057 msgstr ""
29393058
29403059 #. type: TP
2941-#: original/man8/ip6tables.8:1031
3060+#: original/man8/iptables-extensions.8:497
29423061 #, no-wrap
2943-msgid "[B<!>] B<--mh-type> I<type>[B<:>I<type>]"
3062+msgid "B<--hashlimit-name> I<foo>"
29443063 msgstr ""
29453064
29463065 #. type: Plain text
2947-#: original/man8/ip6tables.8:1038
2948-msgid ""
2949-"This allows specification of the Mobility Header(MH) type, which can be a "
2950-"numeric MH I<type>, I<type> or one of the MH type names shown by the command"
3066+#: original/man8/iptables-extensions.8:500
3067+msgid "The name for the /proc/net/ipt_hashlimit/foo entry."
29513068 msgstr ""
29523069
2953-#. type: Plain text
2954-#: original/man8/ip6tables.8:1040
3070+#. type: TP
3071+#: original/man8/iptables-extensions.8:500
29553072 #, no-wrap
2956-msgid " ip6tables -p ipv6-mh -h\n"
3073+msgid "B<--hashlimit-htable-size> I<buckets>"
29573074 msgstr ""
29583075
2959-#. type: SS
2960-#: original/man8/ip6tables.8:1041 original/man8/iptables.8:914
3076+#. type: Plain text
3077+#: original/man8/iptables-extensions.8:503
3078+msgid "The number of buckets of the hash table"
3079+msgstr ""
3080+
3081+#. type: TP
3082+#: original/man8/iptables-extensions.8:503
29613083 #, no-wrap
2962-msgid "multiport"
3084+msgid "B<--hashlimit-htable-max> I<entries>"
29633085 msgstr ""
29643086
29653087 #. type: Plain text
2966-#: original/man8/ip6tables.8:1048 original/man8/iptables.8:921
2967-msgid ""
2968-"This module matches a set of source or destination ports. Up to 15 ports "
2969-"can be specified. A port range (port:port) counts as two ports. It can "
2970-"only be used in conjunction with B<-p tcp> or B<-p udp>."
3088+#: original/man8/iptables-extensions.8:506
3089+msgid "Maximum entries in the hash."
29713090 msgstr ""
29723091
29733092 #. type: TP
2974-#: original/man8/ip6tables.8:1048 original/man8/iptables.8:921
3093+#: original/man8/iptables-extensions.8:506
29753094 #, no-wrap
2976-msgid ""
2977-"[B<!>] B<--source-ports>,B<--sports> "
2978-"I<port>[B<,>I<port>|B<,>I<port>B<:>I<port>]..."
3095+msgid "B<--hashlimit-htable-expire> I<msec>"
29793096 msgstr ""
29803097
29813098 #. type: Plain text
2982-#: original/man8/ip6tables.8:1056 original/man8/iptables.8:929
2983-msgid ""
2984-"Match if the source port is one of the given ports. The flag B<--sports> is "
2985-"a convenient alias for this option. Multiple ports or port ranges are "
2986-"separated using a comma, and a port range is specified using a colon. "
2987-"B<53,1024:65535> would therefore match ports 53 and all from 1024 through "
2988-"65535."
3099+#: original/man8/iptables-extensions.8:509
3100+msgid "After how many milliseconds do hash entries expire."
29893101 msgstr ""
29903102
29913103 #. type: TP
2992-#: original/man8/ip6tables.8:1056 original/man8/iptables.8:929
3104+#: original/man8/iptables-extensions.8:509
29933105 #, no-wrap
2994-msgid ""
2995-"[B<!>] B<--destination-ports>,B<--dports> "
2996-"I<port>[B<,>I<port>|B<,>I<port>B<:>I<port>]..."
3106+msgid "B<--hashlimit-htable-gcinterval> I<msec>"
29973107 msgstr ""
29983108
29993109 #. type: Plain text
3000-#: original/man8/ip6tables.8:1061 original/man8/iptables.8:934
3001-msgid ""
3002-"Match if the destination port is one of the given ports. The flag "
3003-"B<--dports> is a convenient alias for this option."
3110+#: original/man8/iptables-extensions.8:512
3111+msgid "How many milliseconds between garbage collection intervals."
30043112 msgstr ""
30053113
30063114 #. type: TP
3007-#: original/man8/ip6tables.8:1061 original/man8/iptables.8:934
3115+#: original/man8/iptables-extensions.8:514
30083116 #, no-wrap
3009-msgid "[B<!>] B<--ports> I<port>[B<,>I<port>|B<,>I<port>B<:>I<port>]..."
3117+msgid "matching on source host"
30103118 msgstr ""
30113119
30123120 #. type: Plain text
3013-#: original/man8/ip6tables.8:1065 original/man8/iptables.8:938
3121+#: original/man8/iptables-extensions.8:518
30143122 msgid ""
3015-"Match if either the source or destination ports are equal to one of the "
3016-"given ports."
3123+"\"1000 packets per second for every host in 192.168.0.0/16\" =E<gt> -s "
3124+"192.168.0.0/16 --hashlimit-mode srcip --hashlimit-upto 1000/sec"
30173125 msgstr ""
30183126
3019-#. type: SS
3020-#: original/man8/ip6tables.8:1065 original/man8/iptables.8:938
3127+#. type: TP
3128+#: original/man8/iptables-extensions.8:518
30213129 #, no-wrap
3022-msgid "nfacct"
3130+msgid "matching on source port"
30233131 msgstr ""
30243132
30253133 #. type: Plain text
3026-#: original/man8/ip6tables.8:1069 original/man8/iptables.8:942
3134+#: original/man8/iptables-extensions.8:522
30273135 msgid ""
3028-"The nfacct match provides the extended accounting infrastructure for "
3029-"iptables. You have to use this match together with the standalone "
3030-"user-space utility B<nfacct(8)>"
3136+"\"100 packets per second for every service of 192.168.1.1\" =E<gt> -s "
3137+"192.168.1.1 --hashlimit-mode srcport --hashlimit-upto 100/sec"
3138+msgstr ""
3139+
3140+#. type: TP
3141+#: original/man8/iptables-extensions.8:522
3142+#, no-wrap
3143+msgid "matching on subnet"
30313144 msgstr ""
30323145
30333146 #. type: Plain text
3034-#: original/man8/ip6tables.8:1071 original/man8/iptables.8:944
3035-msgid "The only option available for this match is the following:"
3147+#: original/man8/iptables-extensions.8:527
3148+msgid ""
3149+"\"10000 packets per minute for every /28 subnet (groups of 8 addresses) in "
3150+"10.0.0.0/8\" =E<gt> -s 10.0.0.8 --hashlimit-mask 28 --hashlimit-upto "
3151+"10000/min"
30363152 msgstr ""
30373153
30383154 #. type: TP
3039-#: original/man8/ip6tables.8:1071 original/man8/iptables.8:944
3155+#: original/man8/iptables-extensions.8:527 original/man8/iptables-extensions.8:531
30403156 #, no-wrap
3041-msgid "B<--nfacct-name> I<name>"
3157+msgid "matching bytes per second"
30423158 msgstr ""
30433159
30443160 #. type: Plain text
3045-#: original/man8/ip6tables.8:1075 original/man8/iptables.8:948
3161+#: original/man8/iptables-extensions.8:531
30463162 msgid ""
3047-"This allows you to specify the existing object name that will be use for "
3048-"accounting the traffic that this rule-set is matching."
3163+"\"flows exceeding 512kbyte/s\" =E<gt> --hashlimit-mode "
3164+"srcip,dstip,srcport,dstport --hashlimit-above 512kb/s"
30493165 msgstr ""
30503166
30513167 #. type: Plain text
3052-#: original/man8/ip6tables.8:1077 original/man8/iptables.8:950
3053-msgid "To use this extension, you have to create an accounting object:"
3168+#: original/man8/iptables-extensions.8:535
3169+msgid ""
3170+"\"hosts that exceed 512kbyte/s, but permit up to 1Megabytes without "
3171+"matching\" --hashlimit-mode dstip --hashlimit-above 512kb/s "
3172+"--hashlimit-burst 1mb"
30543173 msgstr ""
30553174
3056-#. type: Plain text
3057-#: original/man8/ip6tables.8:1079 original/man8/iptables.8:952
3058-msgid "nfacct add http-traffic"
3175+#. type: SS
3176+#: original/man8/iptables-extensions.8:535
3177+#, no-wrap
3178+msgid "hbh (IPv6-specific)"
30593179 msgstr ""
30603180
30613181 #. type: Plain text
3062-#: original/man8/ip6tables.8:1081 original/man8/iptables.8:954
3063-msgid "Then, you have to attach it to the accounting object via iptables:"
3182+#: original/man8/iptables-extensions.8:537
3183+msgid "This module matches the parameters in Hop-by-Hop Options header"
30643184 msgstr ""
30653185
3066-#. type: Plain text
3067-#: original/man8/ip6tables.8:1083 original/man8/iptables.8:956
3068-msgid "iptables -I INPUT -p tcp --sport 80 -m nfacct --nfacct-name http-traffic"
3186+#. type: TP
3187+#: original/man8/iptables-extensions.8:537
3188+#, no-wrap
3189+msgid "[B<!>] B<--hbh-len> I<length>"
30693190 msgstr ""
30703191
3071-#. type: Plain text
3072-#: original/man8/ip6tables.8:1085 original/man8/iptables.8:958
3073-msgid "iptables -I OUTPUT -p tcp --dport 80 -m nfacct --nfacct-name http-traffic"
3192+#. type: TP
3193+#: original/man8/iptables-extensions.8:540
3194+#, no-wrap
3195+msgid "B<--hbh-opts> I<type>[B<:>I<length>][B<,>I<type>[B<:>I<length>]...]"
3196+msgstr ""
3197+
3198+#. type: SS
3199+#: original/man8/iptables-extensions.8:543
3200+#, no-wrap
3201+msgid "helper"
30743202 msgstr ""
30753203
30763204 #. type: Plain text
3077-#: original/man8/ip6tables.8:1087 original/man8/iptables.8:960
3078-msgid "Then, you can check for the amount of traffic that the rules match:"
3205+#: original/man8/iptables-extensions.8:545
3206+msgid "This module matches packets related to a specific conntrack-helper."
3207+msgstr ""
3208+
3209+#. type: TP
3210+#: original/man8/iptables-extensions.8:545
3211+#, no-wrap
3212+msgid "[B<!>] B<--helper> I<string>"
30793213 msgstr ""
30803214
30813215 #. type: Plain text
3082-#: original/man8/ip6tables.8:1089 original/man8/iptables.8:962
3083-msgid "nfacct get http-traffic"
3216+#: original/man8/iptables-extensions.8:548
3217+msgid "Matches packets related to the specified conntrack-helper."
30843218 msgstr ""
30853219
30863220 #. type: Plain text
3087-#: original/man8/ip6tables.8:1091 original/man8/iptables.8:964
3221+#: original/man8/iptables-extensions.8:552
30883222 msgid ""
3089-"{ pkts = 00000000000000000156, bytes = 00000000000000151786 } = "
3090-"http-traffic;"
3223+"string can be \"ftp\" for packets related to a ftp-session on default port. "
3224+"For other ports append -portnr to the value, ie. \"ftp-2121\"."
30913225 msgstr ""
30923226
30933227 #. type: Plain text
3094-#: original/man8/ip6tables.8:1096 original/man8/iptables.8:969
3095-msgid ""
3096-"You can obtain B<nfacct(8)> from http://www.netfilter.org or, alternatively, "
3097-"from the git.netfilter.org repository."
3228+#: original/man8/iptables-extensions.8:554
3229+msgid "Same rules apply for other conntrack-helpers."
30983230 msgstr ""
30993231
31003232 #. type: SS
3101-#: original/man8/ip6tables.8:1096 original/man8/iptables.8:1015
3233+#: original/man8/iptables-extensions.8:555
31023234 #, no-wrap
3103-msgid "owner"
3235+msgid "hl (IPv6-specific)"
31043236 msgstr ""
31053237
31063238 #. type: Plain text
3107-#: original/man8/ip6tables.8:1101 original/man8/iptables.8:1020
3108-msgid ""
3109-"This module attempts to match various characteristics of the packet creator, "
3110-"for locally generated packets. This match is only valid in the OUTPUT and "
3111-"POSTROUTING chains. Forwarded packets do not have any socket associated with "
3112-"them. Packets from kernel threads do have a socket, but usually no owner."
3239+#: original/man8/iptables-extensions.8:557
3240+msgid "This module matches the Hop Limit field in the IPv6 header."
31133241 msgstr ""
31143242
31153243 #. type: TP
3116-#: original/man8/ip6tables.8:1101 original/man8/iptables.8:1020
3244+#: original/man8/iptables-extensions.8:557
31173245 #, no-wrap
3118-msgid "[B<!>] B<--uid-owner> I<username>"
3246+msgid "[B<!>] B<--hl-eq> I<value>"
3247+msgstr ""
3248+
3249+#. type: Plain text
3250+#: original/man8/iptables-extensions.8:560
3251+msgid "Matches if Hop Limit equals I<value>."
31193252 msgstr ""
31203253
31213254 #. type: TP
3122-#: original/man8/ip6tables.8:1103 original/man8/iptables.8:1022
3255+#: original/man8/iptables-extensions.8:560
31233256 #, no-wrap
3124-msgid "[B<!>] B<--uid-owner> I<userid>[B<->I<userid>]"
3257+msgid "B<--hl-lt> I<value>"
31253258 msgstr ""
31263259
31273260 #. type: Plain text
3128-#: original/man8/ip6tables.8:1107 original/man8/iptables.8:1026
3129-msgid ""
3130-"Matches if the packet socket's file structure (if it has one) is owned by "
3131-"the given user. You may also specify a numerical UID, or an UID range."
3261+#: original/man8/iptables-extensions.8:563
3262+msgid "Matches if Hop Limit is less than I<value>."
31323263 msgstr ""
31333264
31343265 #. type: TP
3135-#: original/man8/ip6tables.8:1107 original/man8/iptables.8:1026
3266+#: original/man8/iptables-extensions.8:563
31363267 #, no-wrap
3137-msgid "[B<!>] B<--gid-owner> I<groupname>"
3268+msgid "B<--hl-gt> I<value>"
31383269 msgstr ""
31393270
3140-#. type: TP
3141-#: original/man8/ip6tables.8:1109 original/man8/iptables.8:1028
3271+#. type: Plain text
3272+#: original/man8/iptables-extensions.8:566
3273+msgid "Matches if Hop Limit is greater than I<value>."
3274+msgstr ""
3275+
3276+#. type: SS
3277+#: original/man8/iptables-extensions.8:566
31423278 #, no-wrap
3143-msgid "[B<!>] B<--gid-owner> I<groupid>[B<->I<groupid>]"
3279+msgid "icmp (IPv4-specific)"
31443280 msgstr ""
31453281
31463282 #. type: Plain text
3147-#: original/man8/ip6tables.8:1113 original/man8/iptables.8:1032
3283+#: original/man8/iptables-extensions.8:569
31483284 msgid ""
3149-"Matches if the packet socket's file structure is owned by the given group. "
3150-"You may also specify a numerical GID, or a GID range."
3285+"This extension can be used if `--protocol icmp' is specified. It provides "
3286+"the following option:"
31513287 msgstr ""
31523288
31533289 #. type: TP
3154-#: original/man8/ip6tables.8:1113 original/man8/iptables.8:1032
3290+#: original/man8/iptables-extensions.8:569
31553291 #, no-wrap
3156-msgid "[B<!>] B<--socket-exists>"
3292+msgid "[B<!>] B<--icmp-type> {I<type>[B</>I<code>]|I<typename>}"
31573293 msgstr ""
31583294
31593295 #. type: Plain text
3160-#: original/man8/ip6tables.8:1116 original/man8/iptables.8:1035
3161-msgid "Matches if the packet is associated with a socket."
3162-msgstr ""
3163-
3164-#. type: SS
3165-#: original/man8/ip6tables.8:1116 original/man8/iptables.8:1035
3166-#, no-wrap
3167-msgid "physdev"
3296+#: original/man8/iptables-extensions.8:573
3297+msgid ""
3298+"This allows specification of the ICMP type, which can be a numeric ICMP "
3299+"type, type/code pair, or one of the ICMP type names shown by the command"
31683300 msgstr ""
31693301
31703302 #. type: Plain text
3171-#: original/man8/ip6tables.8:1121 original/man8/iptables.8:1040
3172-msgid ""
3173-"This module matches on the bridge port input and output devices enslaved to "
3174-"a bridge device. This module is a part of the infrastructure that enables a "
3175-"transparent bridging IP firewall and is only useful for kernel versions "
3176-"above version 2.5.44."
3303+#: original/man8/iptables-extensions.8:575
3304+#, no-wrap
3305+msgid " iptables -p icmp -h\n"
31773306 msgstr ""
31783307
3179-#. type: TP
3180-#: original/man8/ip6tables.8:1121 original/man8/iptables.8:1040
3308+#. type: SS
3309+#: original/man8/iptables-extensions.8:576
31813310 #, no-wrap
3182-msgid "[B<!>] B<--physdev-in> I<name>"
3311+msgid "icmp6 (IPv6-specific)"
31833312 msgstr ""
31843313
31853314 #. type: Plain text
3186-#: original/man8/ip6tables.8:1132 original/man8/iptables.8:1051
3315+#: original/man8/iptables-extensions.8:579
31873316 msgid ""
3188-"Name of a bridge port via which a packet is received (only for packets "
3189-"entering the B<INPUT>, B<FORWARD> and B<PREROUTING> chains). If the "
3190-"interface name ends in a \"+\", then any interface which begins with this "
3191-"name will match. If the packet didn't arrive through a bridge device, this "
3192-"packet won't match this option, unless '!' is used."
3317+"This extension can be used if `--protocol ipv6-icmp' or `--protocol icmpv6' "
3318+"is specified. It provides the following option:"
31933319 msgstr ""
31943320
31953321 #. type: TP
3196-#: original/man8/ip6tables.8:1132 original/man8/iptables.8:1051
3322+#: original/man8/iptables-extensions.8:579
31973323 #, no-wrap
3198-msgid "[B<!>] B<--physdev-out> I<name>"
3324+msgid "[B<!>] B<--icmpv6-type> I<type>[B</>I<code>]|I<typename>"
31993325 msgstr ""
32003326
32013327 #. type: Plain text
3202-#: original/man8/ip6tables.8:1149 original/man8/iptables.8:1068
3328+#: original/man8/iptables-extensions.8:588
32033329 msgid ""
3204-"Name of a bridge port via which a packet is going to be sent (for packets "
3205-"entering the B<FORWARD>, B<OUTPUT> and B<POSTROUTING> chains). If the "
3206-"interface name ends in a \"+\", then any interface which begins with this "
3207-"name will match. Note that in the B<nat> and B<mangle> B<OUTPUT> chains one "
3208-"cannot match on the bridge output port, however one can in the B<filter "
3209-"OUTPUT> chain. If the packet won't leave by a bridge device or if it is yet "
3210-"unknown what the output device will be, then the packet won't match this "
3211-"option, unless '!' is used."
3212-msgstr ""
3213-
3214-#. type: TP
3215-#: original/man8/ip6tables.8:1149 original/man8/iptables.8:1068
3216-#, no-wrap
3217-msgid "[B<!>] B<--physdev-is-in>"
3330+"This allows specification of the ICMPv6 type, which can be a numeric ICMPv6 "
3331+"I<type>, I<type> and I<code>, or one of the ICMPv6 type names shown by the "
3332+"command"
32183333 msgstr ""
32193334
32203335 #. type: Plain text
3221-#: original/man8/ip6tables.8:1152 original/man8/iptables.8:1071
3222-msgid "Matches if the packet has entered through a bridge interface."
3336+#: original/man8/iptables-extensions.8:590
3337+#, no-wrap
3338+msgid " ip6tables -p ipv6-icmp -h\n"
32233339 msgstr ""
32243340
3225-#. type: TP
3226-#: original/man8/ip6tables.8:1152 original/man8/iptables.8:1071
3341+#. type: SS
3342+#: original/man8/iptables-extensions.8:591
32273343 #, no-wrap
3228-msgid "[B<!>] B<--physdev-is-out>"
3344+msgid "iprange"
32293345 msgstr ""
32303346
32313347 #. type: Plain text
3232-#: original/man8/ip6tables.8:1155 original/man8/iptables.8:1074
3233-msgid "Matches if the packet will leave through a bridge interface."
3348+#: original/man8/iptables-extensions.8:593
3349+msgid "This matches on a given arbitrary range of IP addresses."
32343350 msgstr ""
32353351
32363352 #. type: TP
3237-#: original/man8/ip6tables.8:1155 original/man8/iptables.8:1074
3353+#: original/man8/iptables-extensions.8:593
32383354 #, no-wrap
3239-msgid "[B<!>] B<--physdev-is-bridged>"
3355+msgid "[B<!>] B<--src-range> I<from>[B<->I<to>]"
32403356 msgstr ""
32413357
32423358 #. type: Plain text
3243-#: original/man8/ip6tables.8:1159 original/man8/iptables.8:1078
3244-msgid ""
3245-"Matches if the packet is being bridged and therefore is not being routed. "
3246-"This is only useful in the FORWARD and POSTROUTING chains."
3359+#: original/man8/iptables-extensions.8:596
3360+msgid "Match source IP in the specified range."
32473361 msgstr ""
32483362
3249-#. type: SS
3250-#: original/man8/ip6tables.8:1159 original/man8/iptables.8:1078
3363+#. type: TP
3364+#: original/man8/iptables-extensions.8:596
32513365 #, no-wrap
3252-msgid "pkttype"
3366+msgid "[B<!>] B<--dst-range> I<from>[B<->I<to>]"
32533367 msgstr ""
32543368
32553369 #. type: Plain text
3256-#: original/man8/ip6tables.8:1161 original/man8/iptables.8:1080
3257-msgid "This module matches the link-layer packet type."
3258-msgstr ""
3259-
3260-#. type: TP
3261-#: original/man8/ip6tables.8:1161 original/man8/iptables.8:1080
3262-#, no-wrap
3263-msgid "[B<!>] B<--pkt-type> {B<unicast>|B<broadcast>|B<multicast>}"
3370+#: original/man8/iptables-extensions.8:599
3371+msgid "Match destination IP in the specified range."
32643372 msgstr ""
32653373
32663374 #. type: SS
3267-#: original/man8/ip6tables.8:1163 original/man8/iptables.8:1082
3375+#: original/man8/iptables-extensions.8:599
32683376 #, no-wrap
3269-msgid "policy"
3377+msgid "ipv6header (IPv6-specific)"
32703378 msgstr ""
32713379
32723380 #. type: Plain text
3273-#: original/man8/ip6tables.8:1165 original/man8/iptables.8:1084
3274-msgid "This modules matches the policy used by IPsec for handling a packet."
3381+#: original/man8/iptables-extensions.8:601
3382+msgid "This module matches IPv6 extension headers and/or upper layer header."
32753383 msgstr ""
32763384
32773385 #. type: TP
3278-#: original/man8/ip6tables.8:1165 original/man8/iptables.8:1084
3386+#: original/man8/iptables-extensions.8:601
32793387 #, no-wrap
3280-msgid "B<--dir> {B<in>|B<out>}"
3388+msgid "B<--soft>"
32813389 msgstr ""
32823390
32833391 #. type: Plain text
3284-#: original/man8/ip6tables.8:1177 original/man8/iptables.8:1096
3392+#: original/man8/iptables-extensions.8:605
32853393 msgid ""
3286-"Used to select whether to match the policy used for decapsulation or the "
3287-"policy that will be used for encapsulation. B<in> is valid in the "
3288-"B<PREROUTING, INPUT and FORWARD> chains, B<out> is valid in the "
3289-"B<POSTROUTING, OUTPUT and FORWARD> chains."
3394+"Matches if the packet includes B<any> of the headers specified with "
3395+"B<--header>."
32903396 msgstr ""
32913397
32923398 #. type: TP
3293-#: original/man8/ip6tables.8:1177 original/man8/iptables.8:1096
3399+#: original/man8/iptables-extensions.8:605
32943400 #, no-wrap
3295-msgid "B<--pol> {B<none>|B<ipsec>}"
3401+msgid "[B<!>] B<--header> I<header>[B<,>I<header>...]"
32963402 msgstr ""
32973403
32983404 #. type: Plain text
3299-#: original/man8/ip6tables.8:1181 original/man8/iptables.8:1100
3405+#: original/man8/iptables-extensions.8:610
33003406 msgid ""
3301-"Matches if the packet is subject to IPsec processing. B<--pol none> cannot "
3302-"be combined with B<--strict>."
3407+"Matches the packet which EXACTLY includes all specified headers. The headers "
3408+"encapsulated with ESP header are out of scope. Possible I<header> types can "
3409+"be:"
33033410 msgstr ""
33043411
33053412 #. type: TP
3306-#: original/man8/ip6tables.8:1181 original/man8/iptables.8:1100
3413+#: original/man8/iptables-extensions.8:610
33073414 #, no-wrap
3308-msgid "B<--strict>"
3309-msgstr ""
3310-
3311-#. type: Plain text
3312-#: original/man8/ip6tables.8:1185 original/man8/iptables.8:1104
3313-msgid ""
3314-"Selects whether to match the exact policy or match if any rule of the policy "
3315-"matches the given policy."
3415+msgid "B<hop>|B<hop-by-hop>"
33163416 msgstr ""
33173417
33183418 #. type: Plain text
3319-#: original/man8/ip6tables.8:1189 original/man8/iptables.8:1108
3320-msgid ""
3321-"For each policy element that is to be described, one can use one or more of "
3322-"the following options. When B<--strict> is in effect, at least one must be "
3323-"used per element."
3419+#: original/man8/iptables-extensions.8:613
3420+msgid "Hop-by-Hop Options header"
33243421 msgstr ""
33253422
33263423 #. type: TP
3327-#: original/man8/ip6tables.8:1189 original/man8/iptables.8:1108
3424+#: original/man8/iptables-extensions.8:613
33283425 #, no-wrap
3329-msgid "[B<!>] B<--reqid> I<id>"
3426+msgid "B<dst>"
33303427 msgstr ""
33313428
33323429 #. type: Plain text
3333-#: original/man8/ip6tables.8:1196 original/man8/iptables.8:1115
3334-msgid ""
3335-"Matches the reqid of the policy rule. The reqid can be specified with "
3336-"B<setkey(8)> using B<unique:id> as level."
3430+#: original/man8/iptables-extensions.8:616
3431+msgid "Destination Options header"
33373432 msgstr ""
33383433
33393434 #. type: TP
3340-#: original/man8/ip6tables.8:1196 original/man8/iptables.8:1115
3435+#: original/man8/iptables-extensions.8:616
33413436 #, no-wrap
3342-msgid "[B<!>] B<--spi> I<spi>"
3437+msgid "B<route>"
33433438 msgstr ""
33443439
33453440 #. type: Plain text
3346-#: original/man8/ip6tables.8:1199 original/man8/iptables.8:1118
3347-msgid "Matches the SPI of the SA."
3441+#: original/man8/iptables-extensions.8:619
3442+msgid "Routing header"
33483443 msgstr ""
33493444
33503445 #. type: TP
3351-#: original/man8/ip6tables.8:1199 original/man8/iptables.8:1118
3446+#: original/man8/iptables-extensions.8:619
33523447 #, no-wrap
3353-msgid "[B<!>] B<--proto> {B<ah>|B<esp>|B<ipcomp>}"
3448+msgid "B<frag>"
33543449 msgstr ""
33553450
33563451 #. type: Plain text
3357-#: original/man8/ip6tables.8:1202 original/man8/iptables.8:1121
3358-msgid "Matches the encapsulation protocol."
3452+#: original/man8/iptables-extensions.8:622
3453+msgid "Fragment header"
33593454 msgstr ""
33603455
33613456 #. type: TP
3362-#: original/man8/ip6tables.8:1202 original/man8/iptables.8:1121
3457+#: original/man8/iptables-extensions.8:622
33633458 #, no-wrap
3364-msgid "[B<!>] B<--mode> {B<tunnel>|B<transport>}"
3459+msgid "B<auth>"
33653460 msgstr ""
33663461
33673462 #. type: Plain text
3368-#: original/man8/ip6tables.8:1205 original/man8/iptables.8:1124
3369-msgid "Matches the encapsulation mode."
3463+#: original/man8/iptables-extensions.8:625
3464+msgid "Authentication header"
33703465 msgstr ""
33713466
33723467 #. type: TP
3373-#: original/man8/ip6tables.8:1205 original/man8/iptables.8:1124
3468+#: original/man8/iptables-extensions.8:625
33743469 #, no-wrap
3375-msgid "[B<!>] B<--tunnel-src> I<addr>[B</>I<mask>]"
3470+msgid "B<esp>"
33763471 msgstr ""
33773472
33783473 #. type: Plain text
3379-#: original/man8/ip6tables.8:1209 original/man8/iptables.8:1128
3380-msgid ""
3381-"Matches the source end-point address of a tunnel mode SA. Only valid with "
3382-"B<--mode tunnel>."
3474+#: original/man8/iptables-extensions.8:628
3475+msgid "Encapsulating Security Payload header"
33833476 msgstr ""
33843477
33853478 #. type: TP
3386-#: original/man8/ip6tables.8:1209 original/man8/iptables.8:1128
3479+#: original/man8/iptables-extensions.8:628
33873480 #, no-wrap
3388-msgid "[B<!>] B<--tunnel-dst> I<addr>[B</>I<mask>]"
3481+msgid "B<none>"
33893482 msgstr ""
33903483
33913484 #. type: Plain text
3392-#: original/man8/ip6tables.8:1213 original/man8/iptables.8:1132
3485+#: original/man8/iptables-extensions.8:632
33933486 msgid ""
3394-"Matches the destination end-point address of a tunnel mode SA. Only valid "
3395-"with B<--mode tunnel>."
3487+"No Next header which matches 59 in the 'Next Header field' of IPv6 header or "
3488+"any IPv6 extension headers"
33963489 msgstr ""
33973490
33983491 #. type: TP
3399-#: original/man8/ip6tables.8:1213 original/man8/iptables.8:1132
3492+#: original/man8/iptables-extensions.8:632
34003493 #, no-wrap
3401-msgid "B<--next>"
3494+msgid "B<proto>"
34023495 msgstr ""
34033496
34043497 #. type: Plain text
3405-#: original/man8/ip6tables.8:1217 original/man8/iptables.8:1136
3498+#: original/man8/iptables-extensions.8:637
34063499 msgid ""
3407-"Start the next element in the policy specification. Can only be used with "
3408-"B<--strict>."
3500+"which matches any upper layer protocol header. A protocol name from "
3501+"/etc/protocols and numeric value also allowed. The number 255 is equivalent "
3502+"to B<proto>."
34093503 msgstr ""
34103504
34113505 #. type: SS
3412-#: original/man8/ip6tables.8:1217 original/man8/iptables.8:1136
3506+#: original/man8/iptables-extensions.8:637
34133507 #, no-wrap
3414-msgid "quota"
3508+msgid "ipvs"
34153509 msgstr ""
34163510
34173511 #. type: Plain text
3418-#: original/man8/ip6tables.8:1222 original/man8/iptables.8:1141
3419-msgid ""
3420-"Implements network quotas by decrementing a byte counter with each "
3421-"packet. The condition matches until the byte counter reaches zero. Behavior "
3422-"is reversed with negation (i.e. the condition does not match until the byte "
3423-"counter reaches zero)."
3512+#: original/man8/iptables-extensions.8:639
3513+msgid "Match IPVS connection properties."
34243514 msgstr ""
34253515
34263516 #. type: TP
3427-#: original/man8/ip6tables.8:1222 original/man8/iptables.8:1141
3517+#: original/man8/iptables-extensions.8:639
34283518 #, no-wrap
3429-msgid "[B<!>] B<--quota> I<bytes>"
3519+msgid "[B<!>] B<--ipvs>"
34303520 msgstr ""
34313521
34323522 #. type: Plain text
3433-#: original/man8/ip6tables.8:1225 original/man8/iptables.8:1144
3434-msgid "The quota in bytes."
3523+#: original/man8/iptables-extensions.8:642
3524+msgid "packet belongs to an IPVS connection"
34353525 msgstr ""
34363526
3437-#. type: SS
3438-#: original/man8/ip6tables.8:1225 original/man8/iptables.8:1144
3527+#. type: TP
3528+#: original/man8/iptables-extensions.8:642
34393529 #, no-wrap
3440-msgid "rateest"
3530+msgid "Any of the following options implies --ipvs (even negated)"
34413531 msgstr ""
34423532
3443-#. type: Plain text
3444-#: original/man8/ip6tables.8:1229 original/man8/iptables.8:1148
3445-msgid ""
3446-"The rate estimator can match on estimated rates as collected by the RATEEST "
3447-"target. It supports matching on absolute bps/pps values, comparing two rate "
3448-"estimators and matching on the difference between two rate estimators."
3533+#. type: TP
3534+#: original/man8/iptables-extensions.8:644
3535+#, no-wrap
3536+msgid "[B<!>] B<--vproto> I<protocol>"
34493537 msgstr ""
34503538
3451-#. * Absolute:
34523539 #. type: Plain text
3453-#: original/man8/ip6tables.8:1233 original/man8/iptables.8:1152
3454-msgid ""
3455-"For a better understanding of the available options, these are all possible "
3456-"combinations:"
3540+#: original/man8/iptables-extensions.8:647
3541+msgid "VIP protocol to match; by number or name, e.g. \"tcp\""
34573542 msgstr ""
34583543
3459-#. type: IP
3460-#: original/man8/ip6tables.8:1233 original/man8/ip6tables.8:1235 original/man8/ip6tables.8:1238 original/man8/ip6tables.8:1240 original/man8/ip6tables.8:1243 original/man8/ip6tables.8:1245 original/man8/ip6tables.8:1248 original/man8/ip6tables.8:1251 original/man8/iptables.8:980 original/man8/iptables.8:983 original/man8/iptables.8:986 original/man8/iptables.8:992 original/man8/iptables.8:994 original/man8/iptables.8:996 original/man8/iptables.8:1152 original/man8/iptables.8:1154 original/man8/iptables.8:1157 original/man8/iptables.8:1159 original/man8/iptables.8:1162 original/man8/iptables.8:1164 original/man8/iptables.8:1167 original/man8/iptables.8:1170
3544+#. type: TP
3545+#: original/man8/iptables-extensions.8:647
34613546 #, no-wrap
3462-msgid "\\(bu"
3463-msgstr ""
3464-
3465-#. type: Plain text
3466-#: original/man8/ip6tables.8:1235 original/man8/iptables.8:1154
3467-msgid "B<rateest> I<operator> B<rateest-bps>"
3547+msgid "[B<!>] B<--vaddr> I<address>[B</>I<mask>]"
34683548 msgstr ""
34693549
3470-#. * Absolute + Delta:
34713550 #. type: Plain text
3472-#: original/man8/ip6tables.8:1238 original/man8/iptables.8:1157
3473-msgid "B<rateest> I<operator> B<rateest-pps>"
3551+#: original/man8/iptables-extensions.8:650
3552+msgid "VIP address to match"
34743553 msgstr ""
34753554
3476-#. type: Plain text
3477-#: original/man8/ip6tables.8:1240 original/man8/iptables.8:1159
3478-msgid "(B<rateest> minus B<rateest-bps1>) I<operator> B<rateest-bps2>"
3555+#. type: TP
3556+#: original/man8/iptables-extensions.8:650
3557+#, no-wrap
3558+msgid "[B<!>] B<--vport> I<port>"
34793559 msgstr ""
34803560
3481-#. * Relative:
34823561 #. type: Plain text
3483-#: original/man8/ip6tables.8:1243 original/man8/iptables.8:1162
3484-msgid "(B<rateest> minus B<rateest-pps1>) I<operator> B<rateest-pps2>"
3562+#: original/man8/iptables-extensions.8:653
3563+msgid "VIP port to match; by number or name, e.g. \"http\""
34853564 msgstr ""
34863565
3487-#. type: Plain text
3488-#: original/man8/ip6tables.8:1245 original/man8/iptables.8:1164
3489-msgid "B<rateest1> I<operator> B<rateest2> B<rateest-bps>(without rate!)"
3566+#. type: TP
3567+#: original/man8/iptables-extensions.8:653
3568+#, no-wrap
3569+msgid "B<--vdir> {B<ORIGINAL>|B<REPLY>}"
34903570 msgstr ""
34913571
3492-#. * Relative + Delta:
34933572 #. type: Plain text
3494-#: original/man8/ip6tables.8:1248 original/man8/iptables.8:1167
3495-msgid "B<rateest1> I<operator> B<rateest2> B<rateest-pps>(without rate!)"
3573+#: original/man8/iptables-extensions.8:656
3574+msgid "flow direction of packet"
34963575 msgstr ""
34973576
3498-#. type: Plain text
3499-#: original/man8/ip6tables.8:1251 original/man8/iptables.8:1170
3500-msgid ""
3501-"(B<rateest1> minus B<rateest-bps1>) I<operator> (B<rateest2> minus "
3502-"B<rateest-bps2>)"
3577+#. type: TP
3578+#: original/man8/iptables-extensions.8:656
3579+#, no-wrap
3580+msgid "[B<!>] B<--vmethod> {B<GATE>|B<IPIP>|B<MASQ>}"
35033581 msgstr ""
35043582
35053583 #. type: Plain text
3506-#: original/man8/ip6tables.8:1254 original/man8/iptables.8:1173
3507-msgid ""
3508-"(B<rateest1> minus B<rateest-pps1>) I<operator> (B<rateest2> minus "
3509-"B<rateest-pps2>)"
3584+#: original/man8/iptables-extensions.8:659
3585+msgid "IPVS forwarding method used"
35103586 msgstr ""
35113587
35123588 #. type: TP
3513-#: original/man8/ip6tables.8:1254 original/man8/iptables.8:1173
3589+#: original/man8/iptables-extensions.8:659
35143590 #, no-wrap
3515-msgid "B<--rateest-delta>"
3591+msgid "[B<!>] B<--vportctl> I<port>"
35163592 msgstr ""
35173593
35183594 #. type: Plain text
3519-#: original/man8/ip6tables.8:1261 original/man8/iptables.8:1180
3520-msgid ""
3521-"For each estimator (either absolute or relative mode), calculate the "
3522-"difference between the estimator-determined flow rate and the static value "
3523-"chosen with the BPS/PPS options. If the flow rate is higher than the "
3524-"specified BPS/PPS, 0 will be used instead of a negative value. In other "
3525-"words, \"max(0, rateest#_rate - rateest#_bps)\" is used."
3595+#: original/man8/iptables-extensions.8:662
3596+msgid "VIP port of the controlling connection to match, e.g. 21 for FTP"
35263597 msgstr ""
35273598
3528-#. type: TP
3529-#: original/man8/ip6tables.8:1261 original/man8/iptables.8:1180
3599+#. type: SS
3600+#: original/man8/iptables-extensions.8:662
35303601 #, no-wrap
3531-msgid "[B<!>] B<--rateest-lt>"
3602+msgid "length"
35323603 msgstr ""
35333604
35343605 #. type: Plain text
3535-#: original/man8/ip6tables.8:1264 original/man8/iptables.8:1183
3536-msgid "Match if rate is less than given rate/estimator."
3606+#: original/man8/iptables-extensions.8:666
3607+msgid ""
3608+"This module matches the length of the layer-3 payload (e.g. layer-4 packet) "
3609+"of a packet against a specific value or range of values."
35373610 msgstr ""
35383611
35393612 #. type: TP
3540-#: original/man8/ip6tables.8:1264 original/man8/iptables.8:1183
3613+#: original/man8/iptables-extensions.8:666
35413614 #, no-wrap
3542-msgid "[B<!>] B<--rateest-gt>"
3543-msgstr ""
3544-
3545-#. type: Plain text
3546-#: original/man8/ip6tables.8:1267 original/man8/iptables.8:1186
3547-msgid "Match if rate is greater than given rate/estimator."
3615+msgid "[B<!>] B<--length> I<length>[B<:>I<length>]"
35483616 msgstr ""
35493617
3550-#. type: TP
3551-#: original/man8/ip6tables.8:1267 original/man8/iptables.8:1186
3618+#. type: SS
3619+#: original/man8/iptables-extensions.8:668
35523620 #, no-wrap
3553-msgid "[B<!>] B<--rateest-eq>"
3621+msgid "limit"
35543622 msgstr ""
35553623
35563624 #. type: Plain text
3557-#: original/man8/ip6tables.8:1270 original/man8/iptables.8:1189
3558-msgid "Match if rate is equal to given rate/estimator."
3625+#: original/man8/iptables-extensions.8:674
3626+msgid ""
3627+"This module matches at a limited rate using a token bucket filter. A rule "
3628+"using this extension will match until this limit is reached. It can be used "
3629+"in combination with the B<LOG> target to give limited logging, for example."
35593630 msgstr ""
35603631
35613632 #. type: Plain text
3562-#: original/man8/ip6tables.8:1274 original/man8/iptables.8:1193
3633+#: original/man8/iptables-extensions.8:677
35633634 msgid ""
3564-"In the so-called \"absolute mode\", only one rate estimator is used and "
3565-"compared against a static value, while in \"relative mode\", two rate "
3566-"estimators are compared against another."
3635+"xt_limit has no negation support - you will have to use -m hashlimit ! "
3636+"--hashlimit I<rate> in this case whilst omitting --hashlimit-mode."
35673637 msgstr ""
35683638
35693639 #. type: TP
3570-#: original/man8/ip6tables.8:1274 original/man8/iptables.8:1193
3640+#: original/man8/iptables-extensions.8:677
35713641 #, no-wrap
3572-msgid "B<--rateest> I<name>"
3642+msgid "B<--limit> I<rate>[B</second>|B</minute>|B</hour>|B</day>]"
35733643 msgstr ""
35743644
35753645 #. type: Plain text
3576-#: original/man8/ip6tables.8:1277 original/man8/iptables.8:1196
3577-msgid "Name of the one rate estimator for absolute mode."
3646+#: original/man8/iptables-extensions.8:682
3647+msgid ""
3648+"Maximum average matching rate: specified as a number, with an optional "
3649+"`/second', `/minute', `/hour', or `/day' suffix; the default is 3/hour."
35783650 msgstr ""
35793651
35803652 #. type: TP
3581-#: original/man8/ip6tables.8:1277 original/man8/iptables.8:1196
3653+#: original/man8/iptables-extensions.8:682
35823654 #, no-wrap
3583-msgid "B<--rateest1> I<name>"
3584-msgstr ""
3585-
3586-#. type: TP
3587-#: original/man8/ip6tables.8:1279 original/man8/iptables.8:1198
3588-#, no-wrap
3589-msgid "B<--rateest2> I<name>"
3655+msgid "B<--limit-burst> I<number>"
35903656 msgstr ""
35913657
35923658 #. type: Plain text
3593-#: original/man8/ip6tables.8:1282 original/man8/iptables.8:1201
3594-msgid "The names of the two rate estimators for relative mode."
3595-msgstr ""
3596-
3597-#. type: TP
3598-#: original/man8/ip6tables.8:1282 original/man8/iptables.8:1201
3599-#, no-wrap
3600-msgid "B<--rateest-bps> [I<value>]"
3601-msgstr ""
3602-
3603-#. type: TP
3604-#: original/man8/ip6tables.8:1284 original/man8/iptables.8:1203
3605-#, no-wrap
3606-msgid "B<--rateest-pps> [I<value>]"
3659+#: original/man8/iptables-extensions.8:687
3660+msgid ""
3661+"Maximum initial number of packets to match: this number gets recharged by "
3662+"one every time the limit specified above is not reached, up to this number; "
3663+"the default is 5."
36073664 msgstr ""
36083665
3609-#. type: TP
3610-#: original/man8/ip6tables.8:1286 original/man8/iptables.8:1205
3666+#. type: SS
3667+#: original/man8/iptables-extensions.8:687
36113668 #, no-wrap
3612-msgid "B<--rateest-bps1> [I<value>]"
3669+msgid "mac"
36133670 msgstr ""
36143671
36153672 #. type: TP
3616-#: original/man8/ip6tables.8:1288 original/man8/iptables.8:1207
3673+#: original/man8/iptables-extensions.8:688
36173674 #, no-wrap
3618-msgid "B<--rateest-bps2> [I<value>]"
3675+msgid "[B<!>] B<--mac-source> I<address>"
36193676 msgstr ""
36203677
3621-#. type: TP
3622-#: original/man8/ip6tables.8:1290 original/man8/iptables.8:1209
3623-#, no-wrap
3624-msgid "B<--rateest-pps1> [I<value>]"
3678+#. type: Plain text
3679+#: original/man8/iptables-extensions.8:698
3680+msgid ""
3681+"Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note "
3682+"that this only makes sense for packets coming from an Ethernet device and "
3683+"entering the B<PREROUTING>, B<FORWARD> or B<INPUT> chains."
36253684 msgstr ""
36263685
3627-#. type: TP
3628-#: original/man8/ip6tables.8:1292 original/man8/iptables.8:1211
3686+#. type: SS
3687+#: original/man8/iptables-extensions.8:698
36293688 #, no-wrap
3630-msgid "B<--rateest-pps2> [I<value>]"
3689+msgid "mark"
36313690 msgstr ""
36323691
36333692 #. type: Plain text
3634-#: original/man8/ip6tables.8:1298 original/man8/iptables.8:1217
3693+#: original/man8/iptables-extensions.8:703
36353694 msgid ""
3636-"Compare the estimator(s) by bytes or packets per second, and compare against "
3637-"the chosen value. See the above bullet list for which option is to be used "
3638-"in which case. A unit suffix may be used - available ones are: bit, "
3639-"[kmgt]bit, [KMGT]ibit, Bps, [KMGT]Bps, [KMGT]iBps."
3695+"This module matches the netfilter mark field associated with a packet (which "
3696+"can be set using the B<MARK> target below)."
36403697 msgstr ""
36413698
36423699 #. type: Plain text
3643-#: original/man8/ip6tables.8:1302 original/man8/iptables.8:1221
3700+#: original/man8/iptables-extensions.8:708
36443701 msgid ""
3645-"Example: This is what can be used to route outgoing data connections from an "
3646-"FTP server over two lines based on the available bandwidth at the time the "
3647-"data connection was started:"
3648-msgstr ""
3649-
3650-#. type: Plain text
3651-#: original/man8/ip6tables.8:1304 original/man8/iptables.8:1223
3652-msgid "# Estimate outgoing rates"
3702+"Matches packets with the given unsigned mark value (if a I<mask> is "
3703+"specified, this is logically ANDed with the I<mask> before the comparison)."
36533704 msgstr ""
36543705
3655-#. type: Plain text
3656-#: original/man8/ip6tables.8:1307 original/man8/iptables.8:1226
3657-msgid ""
3658-"iptables -t mangle -A POSTROUTING -o eth0 -j RATEEST --rateest-name eth0 "
3659-"--rateest-interval 250ms --rateest-ewma 0.5s"
3706+#. type: SS
3707+#: original/man8/iptables-extensions.8:708
3708+#, no-wrap
3709+msgid "mh (IPv6-specific)"
36603710 msgstr ""
36613711
36623712 #. type: Plain text
3663-#: original/man8/ip6tables.8:1310 original/man8/iptables.8:1229
3713+#: original/man8/iptables-extensions.8:711
36643714 msgid ""
3665-"iptables -t mangle -A POSTROUTING -o ppp0 -j RATEEST --rateest-name ppp0 "
3666-"--rateest-interval 250ms --rateest-ewma 0.5s"
3667-msgstr ""
3668-
3669-#. type: Plain text
3670-#: original/man8/ip6tables.8:1312 original/man8/iptables.8:1231
3671-msgid "# Mark based on available bandwidth"
3715+"This extension is loaded if `--protocol ipv6-mh' or `--protocol mh' is "
3716+"specified. It provides the following option:"
36723717 msgstr ""
36733718
3674-#. type: Plain text
3675-#: original/man8/ip6tables.8:1316 original/man8/iptables.8:1235
3676-msgid ""
3677-"iptables -t mangle -A balance -m conntrack --ctstate NEW -m helper --helper "
3678-"ftp -m rateest --rateest-delta --rateest1 eth0 --rateest-bps1 2.5mbit "
3679-"--rateest-gt --rateest2 ppp0 --rateest-bps2 2mbit -j CONNMARK --set-mark 1"
3719+#. type: TP
3720+#: original/man8/iptables-extensions.8:711
3721+#, no-wrap
3722+msgid "[B<!>] B<--mh-type> I<type>[B<:>I<type>]"
36803723 msgstr ""
36813724
36823725 #. type: Plain text
3683-#: original/man8/ip6tables.8:1320 original/man8/iptables.8:1239
3726+#: original/man8/iptables-extensions.8:718
36843727 msgid ""
3685-"iptables -t mangle -A balance -m conntrack --ctstate NEW -m helper --helper "
3686-"ftp -m rateest --rateest-delta --rateest1 ppp0 --rateest-bps1 2mbit "
3687-"--rateest-gt --rateest2 eth0 --rateest-bps2 2.5mbit -j CONNMARK --set-mark 2"
3728+"This allows specification of the Mobility Header(MH) type, which can be a "
3729+"numeric MH I<type>, I<type> or one of the MH type names shown by the command"
36883730 msgstr ""
36893731
36903732 #. type: Plain text
3691-#: original/man8/ip6tables.8:1322 original/man8/iptables.8:1241
3692-msgid "iptables -t mangle -A balance -j CONNMARK --restore-mark"
3733+#: original/man8/iptables-extensions.8:720
3734+#, no-wrap
3735+msgid " ip6tables -p ipv6-mh -h\n"
36933736 msgstr ""
36943737
36953738 #. type: SS
3696-#: original/man8/ip6tables.8:1322 original/man8/iptables.8:1249
3739+#: original/man8/iptables-extensions.8:721
36973740 #, no-wrap
3698-msgid "recent"
3741+msgid "multiport"
36993742 msgstr ""
37003743
37013744 #. type: Plain text
3702-#: original/man8/ip6tables.8:1325 original/man8/iptables.8:1252
3745+#: original/man8/iptables-extensions.8:728
37033746 msgid ""
3704-"Allows you to dynamically create a list of IP addresses and then match "
3705-"against that list in a few different ways."
3747+"This module matches a set of source or destination ports. Up to 15 ports "
3748+"can be specified. A port range (port:port) counts as two ports. It can "
3749+"only be used in conjunction with B<-p tcp> or B<-p udp>."
37063750 msgstr ""
37073751
3708-#. type: Plain text
3709-#: original/man8/ip6tables.8:1329 original/man8/iptables.8:1256
3752+#. type: TP
3753+#: original/man8/iptables-extensions.8:728
3754+#, no-wrap
37103755 msgid ""
3711-"For example, you can create a \"badguy\" list out of people attempting to "
3712-"connect to port 139 on your firewall and then DROP all future packets from "
3713-"them without considering them."
3756+"[B<!>] B<--source-ports>,B<--sports> "
3757+"I<port>[B<,>I<port>|B<,>I<port>B<:>I<port>]..."
37143758 msgstr ""
37153759
37163760 #. type: Plain text
3717-#: original/man8/ip6tables.8:1332 original/man8/iptables.8:1259
3718-msgid "B<--set>, B<--rcheck>, B<--update> and B<--remove> are mutually exclusive."
3761+#: original/man8/iptables-extensions.8:736
3762+msgid ""
3763+"Match if the source port is one of the given ports. The flag B<--sports> is "
3764+"a convenient alias for this option. Multiple ports or port ranges are "
3765+"separated using a comma, and a port range is specified using a colon. "
3766+"B<53,1024:65535> would therefore match ports 53 and all from 1024 through "
3767+"65535."
37193768 msgstr ""
37203769
37213770 #. type: TP
3722-#: original/man8/ip6tables.8:1332 original/man8/iptables.8:1259
3771+#: original/man8/iptables-extensions.8:736
37233772 #, no-wrap
3724-msgid "B<--name> I<name>"
3773+msgid ""
3774+"[B<!>] B<--destination-ports>,B<--dports> "
3775+"I<port>[B<,>I<port>|B<,>I<port>B<:>I<port>]..."
37253776 msgstr ""
37263777
37273778 #. type: Plain text
3728-#: original/man8/ip6tables.8:1336 original/man8/iptables.8:1263
3779+#: original/man8/iptables-extensions.8:741
37293780 msgid ""
3730-"Specify the list to use for the commands. If no name is given then "
3731-"B<DEFAULT> will be used."
3781+"Match if the destination port is one of the given ports. The flag "
3782+"B<--dports> is a convenient alias for this option."
37323783 msgstr ""
37333784
37343785 #. type: TP
3735-#: original/man8/ip6tables.8:1336 original/man8/iptables.8:1263
3786+#: original/man8/iptables-extensions.8:741
37363787 #, no-wrap
3737-msgid "[B<!>] B<--set>"
3788+msgid "[B<!>] B<--ports> I<port>[B<,>I<port>|B<,>I<port>B<:>I<port>]..."
37383789 msgstr ""
37393790
37403791 #. type: Plain text
3741-#: original/man8/ip6tables.8:1341 original/man8/iptables.8:1268
3792+#: original/man8/iptables-extensions.8:745
37423793 msgid ""
3743-"This will add the source address of the packet to the list. If the source "
3744-"address is already in the list, this will update the existing entry. This "
3745-"will always return success (or failure if B<!> is passed in)."
3794+"Match if either the source or destination ports are equal to one of the "
3795+"given ports."
37463796 msgstr ""
37473797
3748-#. type: TP
3749-#: original/man8/ip6tables.8:1341 original/man8/iptables.8:1268
3798+#. type: SS
3799+#: original/man8/iptables-extensions.8:745
37503800 #, no-wrap
3751-msgid "B<--rsource>"
3801+msgid "nfacct"
37523802 msgstr ""
37533803
37543804 #. type: Plain text
3755-#: original/man8/ip6tables.8:1345 original/man8/iptables.8:1272
3805+#: original/man8/iptables-extensions.8:749
37563806 msgid ""
3757-"Match/save the source address of each packet in the recent list table. This "
3758-"is the default."
3807+"The nfacct match provides the extended accounting infrastructure for "
3808+"iptables. You have to use this match together with the standalone "
3809+"user-space utility B<nfacct(8)>"
3810+msgstr ""
3811+
3812+#. type: Plain text
3813+#: original/man8/iptables-extensions.8:751
3814+msgid "The only option available for this match is the following:"
37593815 msgstr ""
37603816
37613817 #. type: TP
3762-#: original/man8/ip6tables.8:1345 original/man8/iptables.8:1272
3818+#: original/man8/iptables-extensions.8:751
37633819 #, no-wrap
3764-msgid "B<--rdest>"
3820+msgid "B<--nfacct-name> I<name>"
37653821 msgstr ""
37663822
37673823 #. type: Plain text
3768-#: original/man8/ip6tables.8:1348 original/man8/iptables.8:1275
3769-msgid "Match/save the destination address of each packet in the recent list table."
3824+#: original/man8/iptables-extensions.8:755
3825+msgid ""
3826+"This allows you to specify the existing object name that will be use for "
3827+"accounting the traffic that this rule-set is matching."
37703828 msgstr ""
37713829
3772-#. type: TP
3773-#: original/man8/ip6tables.8:1348 original/man8/iptables.8:1275
3774-#, no-wrap
3775-msgid "[B<!>] B<--rcheck>"
3830+#. type: Plain text
3831+#: original/man8/iptables-extensions.8:757
3832+msgid "To use this extension, you have to create an accounting object:"
37763833 msgstr ""
37773834
37783835 #. type: Plain text
3779-#: original/man8/ip6tables.8:1351 original/man8/iptables.8:1278
3780-msgid "Check if the source address of the packet is currently in the list."
3836+#: original/man8/iptables-extensions.8:759
3837+msgid "nfacct add http-traffic"
37813838 msgstr ""
37823839
3783-#. type: TP
3784-#: original/man8/ip6tables.8:1351 original/man8/iptables.8:1278
3785-#, no-wrap
3786-msgid "[B<!>] B<--update>"
3840+#. type: Plain text
3841+#: original/man8/iptables-extensions.8:761
3842+msgid "Then, you have to attach it to the accounting object via iptables:"
37873843 msgstr ""
37883844
37893845 #. type: Plain text
3790-#: original/man8/ip6tables.8:1355 original/man8/iptables.8:1282
3791-msgid ""
3792-"Like B<--rcheck>, except it will update the \"last seen\" timestamp if it "
3793-"matches."
3846+#: original/man8/iptables-extensions.8:763
3847+msgid "iptables -I INPUT -p tcp --sport 80 -m nfacct --nfacct-name http-traffic"
37943848 msgstr ""
37953849
3796-#. type: TP
3797-#: original/man8/ip6tables.8:1355 original/man8/iptables.8:1282
3798-#, no-wrap
3799-msgid "[B<!>] B<--remove>"
3850+#. type: Plain text
3851+#: original/man8/iptables-extensions.8:765
3852+msgid "iptables -I OUTPUT -p tcp --dport 80 -m nfacct --nfacct-name http-traffic"
38003853 msgstr ""
38013854
38023855 #. type: Plain text
3803-#: original/man8/ip6tables.8:1360 original/man8/iptables.8:1287
3804-msgid ""
3805-"Check if the source address of the packet is currently in the list and if so "
3806-"that address will be removed from the list and the rule will return true. If "
3807-"the address is not found, false is returned."
3856+#: original/man8/iptables-extensions.8:767
3857+msgid "Then, you can check for the amount of traffic that the rules match:"
38083858 msgstr ""
38093859
3810-#. type: TP
3811-#: original/man8/ip6tables.8:1360 original/man8/iptables.8:1287
3812-#, no-wrap
3813-msgid "B<--seconds> I<seconds>"
3860+#. type: Plain text
3861+#: original/man8/iptables-extensions.8:769
3862+msgid "nfacct get http-traffic"
38143863 msgstr ""
38153864
38163865 #. type: Plain text
3817-#: original/man8/ip6tables.8:1365 original/man8/iptables.8:1292
3866+#: original/man8/iptables-extensions.8:771
38183867 msgid ""
3819-"This option must be used in conjunction with one of B<--rcheck> or "
3820-"B<--update>. When used, this will narrow the match to only happen when the "
3821-"address is in the list and was seen within the last given number of seconds."
3822-msgstr ""
3823-
3824-#. type: TP
3825-#: original/man8/ip6tables.8:1365 original/man8/iptables.8:1292
3826-#, no-wrap
3827-msgid "B<--reap>"
3868+"{ pkts = 00000000000000000156, bytes = 00000000000000151786 } = "
3869+"http-traffic;"
38283870 msgstr ""
38293871
38303872 #. type: Plain text
3831-#: original/man8/ip6tables.8:1370 original/man8/iptables.8:1297
3873+#: original/man8/iptables-extensions.8:776
38323874 msgid ""
3833-"This option can only be used in conjunction with B<--seconds>. When used, "
3834-"this will cause entries older than the last given number of seconds to be "
3835-"purged."
3875+"You can obtain B<nfacct(8)> from http://www.netfilter.org or, alternatively, "
3876+"from the git.netfilter.org repository."
38363877 msgstr ""
38373878
3838-#. type: TP
3839-#: original/man8/ip6tables.8:1370 original/man8/iptables.8:1297
3879+#. type: SS
3880+#: original/man8/iptables-extensions.8:776
38403881 #, no-wrap
3841-msgid "B<--hitcount> I<hits>"
3882+msgid "osf"
38423883 msgstr ""
38433884
38443885 #. type: Plain text
3845-#: original/man8/ip6tables.8:1380 original/man8/iptables.8:1307
3886+#: original/man8/iptables-extensions.8:780
38463887 msgid ""
3847-"This option must be used in conjunction with one of B<--rcheck> or "
3848-"B<--update>. When used, this will narrow the match to only happen when the "
3849-"address is in the list and packets had been received greater than or equal "
3850-"to the given value. This option may be used along with B<--seconds> to "
3851-"create an even narrower match requiring a certain number of hits within a "
3852-"specific time frame. The maximum value for the hitcount parameter is given "
3853-"by the \"ip_pkt_list_tot\" parameter of the xt_recent kernel "
3854-"module. Exceeding this value on the command line will cause the rule to be "
3855-"rejected."
3888+"The osf module does passive operating system fingerprinting. This modules "
3889+"compares some data (Window Size, MSS, options and their order, TTL, DF, and "
3890+"others) from packets with the SYN bit set."
38563891 msgstr ""
38573892
38583893 #. type: TP
3859-#: original/man8/ip6tables.8:1380 original/man8/iptables.8:1307
3894+#: original/man8/iptables-extensions.8:780
38603895 #, no-wrap
3861-msgid "B<--rttl>"
3896+msgid "[B<!>] B<--genre> I<string>"
38623897 msgstr ""
38633898
38643899 #. type: Plain text
3865-#: original/man8/ip6tables.8:1388 original/man8/iptables.8:1315
3866-msgid ""
3867-"This option may only be used in conjunction with one of B<--rcheck> or "
3868-"B<--update>. When used, this will narrow the match to only happen when the "
3869-"address is in the list and the TTL of the current packet matches that of the "
3870-"packet which hit the B<--set> rule. This may be useful if you have problems "
3871-"with people faking their source address in order to DoS you via this module "
3872-"by disallowing others access to your site by sending bogus packets to you."
3900+#: original/man8/iptables-extensions.8:783
3901+msgid "Match an operating system genre by using a passive fingerprinting."
38733902 msgstr ""
38743903
3875-#. type: Plain text
3876-#: original/man8/ip6tables.8:1392 original/man8/iptables.8:1319
3877-msgid "iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP"
3904+#. type: TP
3905+#: original/man8/iptables-extensions.8:783
3906+#, no-wrap
3907+msgid "B<--ttl> I<level>"
38783908 msgstr ""
38793909
38803910 #. type: Plain text
3881-#: original/man8/ip6tables.8:1394 original/man8/iptables.8:1321
3911+#: original/man8/iptables-extensions.8:787
38823912 msgid ""
3883-"iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set "
3884-"-j DROP"
3913+"Do additional TTL checks on the packet to determine the operating system. "
3914+"I<level> can be one of the following values:"
3915+msgstr ""
3916+
3917+#. type: IP
3918+#: original/man8/iptables-extensions.8:787 original/man8/iptables-extensions.8:790 original/man8/iptables-extensions.8:793 original/man8/iptables-extensions.8:799 original/man8/iptables-extensions.8:801 original/man8/iptables-extensions.8:803 original/man8/iptables-extensions.8:959 original/man8/iptables-extensions.8:961 original/man8/iptables-extensions.8:964 original/man8/iptables-extensions.8:966 original/man8/iptables-extensions.8:969 original/man8/iptables-extensions.8:971 original/man8/iptables-extensions.8:974 original/man8/iptables-extensions.8:977
3919+#, no-wrap
3920+msgid "\\(bu"
38853921 msgstr ""
38863922
38873923 #. type: Plain text
3888-#: original/man8/ip6tables.8:1397 original/man8/iptables.8:1324
3924+#: original/man8/iptables-extensions.8:790
38893925 msgid ""
3890-"Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/) also "
3891-"has some examples of usage."
3926+"0 - True IP address and fingerprint TTL comparison. This generally works for "
3927+"LANs."
38923928 msgstr ""
38933929
38943930 #. type: Plain text
3895-#: original/man8/ip6tables.8:1400 original/man8/iptables.8:1327
3931+#: original/man8/iptables-extensions.8:793
38963932 msgid ""
3897-"B</proc/net/xt_recent/*> are the current lists of addresses and information "
3898-"about each entry of each list."
3933+"1 - Check if the IP header's TTL is less than the fingerprint one. Works for "
3934+"globally-routable addresses."
38993935 msgstr ""
39003936
39013937 #. type: Plain text
3902-#: original/man8/ip6tables.8:1403 original/man8/iptables.8:1330
3903-msgid ""
3904-"Each file in B</proc/net/xt_recent/> can be read from to see the current "
3905-"list or written two using the following commands to modify the list:"
3938+#: original/man8/iptables-extensions.8:795
3939+msgid "2 - Do not compare the TTL at all."
39063940 msgstr ""
39073941
39083942 #. type: TP
3909-#: original/man8/ip6tables.8:1403 original/man8/iptables.8:1330
3943+#: original/man8/iptables-extensions.8:795
39103944 #, no-wrap
3911-msgid "B<echo +>I<addr>B< E<gt>/proc/net/xt_recent/DEFAULT>"
3945+msgid "B<--log> I<level>"
39123946 msgstr ""
39133947
39143948 #. type: Plain text
3915-#: original/man8/ip6tables.8:1406 original/man8/iptables.8:1333
3916-msgid "to add I<addr> to the DEFAULT list"
3949+#: original/man8/iptables-extensions.8:799
3950+msgid ""
3951+"Log determined genres into dmesg even if they do not match the desired one. "
3952+"I<level> can be one of the following values:"
39173953 msgstr ""
39183954
3919-#. type: TP
3920-#: original/man8/ip6tables.8:1406 original/man8/iptables.8:1333
3921-#, no-wrap
3922-msgid "B<echo ->I<addr>B< E<gt>/proc/net/xt_recent/DEFAULT>"
3955+#. type: Plain text
3956+#: original/man8/iptables-extensions.8:801
3957+msgid "0 - Log all matched or unknown signatures"
39233958 msgstr ""
39243959
39253960 #. type: Plain text
3926-#: original/man8/ip6tables.8:1409 original/man8/iptables.8:1336
3927-msgid "to remove I<addr> from the DEFAULT list"
3961+#: original/man8/iptables-extensions.8:803
3962+msgid "1 - Log only the first one"
39283963 msgstr ""
39293964
3930-#. type: TP
3931-#: original/man8/ip6tables.8:1409 original/man8/iptables.8:1336
3932-#, no-wrap
3933-msgid "B<echo / E<gt>/proc/net/xt_recent/DEFAULT>"
3965+#. type: Plain text
3966+#: original/man8/iptables-extensions.8:805
3967+msgid "2 - Log all known matched signatures"
39343968 msgstr ""
39353969
39363970 #. type: Plain text
3937-#: original/man8/ip6tables.8:1412 original/man8/iptables.8:1339
3938-msgid "to flush the DEFAULT list (remove all entries)."
3971+#: original/man8/iptables-extensions.8:807
3972+msgid "You may find something like this in syslog:"
39393973 msgstr ""
39403974
39413975 #. type: Plain text
3942-#: original/man8/ip6tables.8:1414 original/man8/iptables.8:1341
3943-msgid "The module itself accepts parameters, defaults shown:"
3976+#: original/man8/iptables-extensions.8:810
3977+msgid ""
3978+"Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -E<gt> "
3979+"11.22.33.44:139 hops=3 Linux [2.5-2.6:] : 1.2.3.4:42624 -E<gt> 1.2.3.5:22 "
3980+"hops=4"
39443981 msgstr ""
39453982
3946-#. type: TP
3947-#: original/man8/ip6tables.8:1414 original/man8/iptables.8:1341
3948-#, no-wrap
3949-msgid "B<ip_list_tot>=I<100>"
3983+#. type: Plain text
3984+#: original/man8/iptables-extensions.8:813
3985+msgid ""
3986+"OS fingerprints are loadable using the B<nfnl_osf> program. To load "
3987+"fingerprints from a file, use:"
39503988 msgstr ""
39513989
39523990 #. type: Plain text
3953-#: original/man8/ip6tables.8:1417 original/man8/iptables.8:1344
3954-msgid "Number of addresses remembered per table."
3991+#: original/man8/iptables-extensions.8:815
3992+msgid "B<nfnl_osf -f /usr/share/xtables/pf.os>"
39553993 msgstr ""
39563994
3957-#. type: TP
3958-#: original/man8/ip6tables.8:1417 original/man8/iptables.8:1344
3959-#, no-wrap
3960-msgid "B<ip_pkt_list_tot>=I<20>"
3995+#. type: Plain text
3996+#: original/man8/iptables-extensions.8:817
3997+msgid "To remove them again,"
39613998 msgstr ""
39623999
39634000 #. type: Plain text
3964-#: original/man8/ip6tables.8:1420 original/man8/iptables.8:1347
3965-msgid "Number of packets per address remembered."
4001+#: original/man8/iptables-extensions.8:819
4002+msgid "B<nfnl_osf -f /usr/share/xtables/pf.os -d>"
39664003 msgstr ""
39674004
3968-#. type: TP
3969-#: original/man8/ip6tables.8:1420 original/man8/iptables.8:1347
4005+#. type: Plain text
4006+#: original/man8/iptables-extensions.8:822
4007+msgid ""
4008+"The fingerprint database can be downlaoded from "
4009+"http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os ."
4010+msgstr ""
4011+
4012+#. type: SS
4013+#: original/man8/iptables-extensions.8:822
39704014 #, no-wrap
3971-msgid "B<ip_list_hash_size>=I<0>"
4015+msgid "owner"
39724016 msgstr ""
39734017
39744018 #. type: Plain text
3975-#: original/man8/ip6tables.8:1423 original/man8/iptables.8:1350
3976-msgid "Hash table size. 0 means to calculate it based on ip_list_tot, default: 512."
4019+#: original/man8/iptables-extensions.8:827
4020+msgid ""
4021+"This module attempts to match various characteristics of the packet creator, "
4022+"for locally generated packets. This match is only valid in the OUTPUT and "
4023+"POSTROUTING chains. Forwarded packets do not have any socket associated with "
4024+"them. Packets from kernel threads do have a socket, but usually no owner."
39774025 msgstr ""
39784026
39794027 #. type: TP
3980-#: original/man8/ip6tables.8:1423 original/man8/iptables.8:1350
4028+#: original/man8/iptables-extensions.8:827
39814029 #, no-wrap
3982-msgid "B<ip_list_perms>=I<0644>"
4030+msgid "[B<!>] B<--uid-owner> I<username>"
4031+msgstr ""
4032+
4033+#. type: TP
4034+#: original/man8/iptables-extensions.8:829
4035+#, no-wrap
4036+msgid "[B<!>] B<--uid-owner> I<userid>[B<->I<userid>]"
39834037 msgstr ""
39844038
39854039 #. type: Plain text
3986-#: original/man8/ip6tables.8:1426 original/man8/iptables.8:1353
3987-msgid "Permissions for /proc/net/xt_recent/* files."
4040+#: original/man8/iptables-extensions.8:833
4041+msgid ""
4042+"Matches if the packet socket's file structure (if it has one) is owned by "
4043+"the given user. You may also specify a numerical UID, or an UID range."
39884044 msgstr ""
39894045
39904046 #. type: TP
3991-#: original/man8/ip6tables.8:1426 original/man8/iptables.8:1353
4047+#: original/man8/iptables-extensions.8:833
39924048 #, no-wrap
3993-msgid "B<ip_list_uid>=I<0>"
4049+msgid "[B<!>] B<--gid-owner> I<groupname>"
4050+msgstr ""
4051+
4052+#. type: TP
4053+#: original/man8/iptables-extensions.8:835
4054+#, no-wrap
4055+msgid "[B<!>] B<--gid-owner> I<groupid>[B<->I<groupid>]"
39944056 msgstr ""
39954057
39964058 #. type: Plain text
3997-#: original/man8/ip6tables.8:1429 original/man8/iptables.8:1356
3998-msgid "Numerical UID for ownership of /proc/net/xt_recent/* files."
4059+#: original/man8/iptables-extensions.8:839
4060+msgid ""
4061+"Matches if the packet socket's file structure is owned by the given group. "
4062+"You may also specify a numerical GID, or a GID range."
39994063 msgstr ""
40004064
40014065 #. type: TP
4002-#: original/man8/ip6tables.8:1429 original/man8/iptables.8:1356
4066+#: original/man8/iptables-extensions.8:839
40034067 #, no-wrap
4004-msgid "B<ip_list_gid>=I<0>"
4068+msgid "[B<!>] B<--socket-exists>"
40054069 msgstr ""
40064070
40074071 #. type: Plain text
4008-#: original/man8/ip6tables.8:1432 original/man8/iptables.8:1359
4009-msgid "Numerical GID for ownership of /proc/net/xt_recent/* files."
4072+#: original/man8/iptables-extensions.8:842
4073+msgid "Matches if the packet is associated with a socket."
40104074 msgstr ""
40114075
40124076 #. type: SS
4013-#: original/man8/ip6tables.8:1432 original/man8/iptables.8:1359
4077+#: original/man8/iptables-extensions.8:842
40144078 #, no-wrap
4015-msgid "rpfilter"
4079+msgid "physdev"
40164080 msgstr ""
40174081
40184082 #. type: Plain text
4019-#: original/man8/ip6tables.8:1441 original/man8/iptables.8:1368
4083+#: original/man8/iptables-extensions.8:847
40204084 msgid ""
4021-"Performs a reverse path filter test on a packet. If a reply to the packet "
4022-"would be sent via the same interface that the packet arrived on, the packet "
4023-"will match. Note that, unlike the in-kernel rp_filter, packets protected by "
4024-"IPSec are not treated specially. Combine this match with the policy match "
4025-"if you want this. Also, packets arriving via the loopback interface are "
4026-"always permitted. This match can only be used in the PREROUTING chain of "
4027-"the raw or mangle table."
4085+"This module matches on the bridge port input and output devices enslaved to "
4086+"a bridge device. This module is a part of the infrastructure that enables a "
4087+"transparent bridging IP firewall and is only useful for kernel versions "
4088+"above version 2.5.44."
40284089 msgstr ""
40294090
40304091 #. type: TP
4031-#: original/man8/ip6tables.8:1441 original/man8/iptables.8:1368
4092+#: original/man8/iptables-extensions.8:847
40324093 #, no-wrap
4033-msgid "B<--loose>"
4094+msgid "[B<!>] B<--physdev-in> I<name>"
40344095 msgstr ""
40354096
40364097 #. type: Plain text
4037-#: original/man8/ip6tables.8:1445 original/man8/iptables.8:1372
4098+#: original/man8/iptables-extensions.8:858
40384099 msgid ""
4039-"Used to specifiy that the reverse path filter test should match even if the "
4040-"selected output device is not the expected one."
4100+"Name of a bridge port via which a packet is received (only for packets "
4101+"entering the B<INPUT>, B<FORWARD> and B<PREROUTING> chains). If the "
4102+"interface name ends in a \"+\", then any interface which begins with this "
4103+"name will match. If the packet didn't arrive through a bridge device, this "
4104+"packet won't match this option, unless '!' is used."
40414105 msgstr ""
40424106
40434107 #. type: TP
4044-#: original/man8/ip6tables.8:1445 original/man8/iptables.8:1372
4108+#: original/man8/iptables-extensions.8:858
40454109 #, no-wrap
4046-msgid "B<--validmark>"
4110+msgid "[B<!>] B<--physdev-out> I<name>"
40474111 msgstr ""
40484112
40494113 #. type: Plain text
4050-#: original/man8/ip6tables.8:1448 original/man8/iptables.8:1375
4114+#: original/man8/iptables-extensions.8:875
40514115 msgid ""
4052-"Also use the packets' nfmark value when performing the reverse path route "
4053-"lookup."
4116+"Name of a bridge port via which a packet is going to be sent (for packets "
4117+"entering the B<FORWARD>, B<OUTPUT> and B<POSTROUTING> chains). If the "
4118+"interface name ends in a \"+\", then any interface which begins with this "
4119+"name will match. Note that in the B<nat> and B<mangle> B<OUTPUT> chains one "
4120+"cannot match on the bridge output port, however one can in the B<filter "
4121+"OUTPUT> chain. If the packet won't leave by a bridge device or if it is yet "
4122+"unknown what the output device will be, then the packet won't match this "
4123+"option, unless '!' is used."
40544124 msgstr ""
40554125
40564126 #. type: TP
4057-#: original/man8/ip6tables.8:1448 original/man8/iptables.8:1375
4127+#: original/man8/iptables-extensions.8:875
40584128 #, no-wrap
4059-msgid "B<--accept-local>"
4129+msgid "[B<!>] B<--physdev-is-in>"
40604130 msgstr ""
40614131
40624132 #. type: Plain text
4063-#: original/man8/ip6tables.8:1455 original/man8/iptables.8:1382
4064-msgid ""
4065-"This will permit packets arriving from the network with a source address "
4066-"that is also assigned to the local machine. B<--invert> This will invert "
4067-"the sense of the match. Instead of matching packets that passed the reverse "
4068-"path filter test, match those that have failed it."
4133+#: original/man8/iptables-extensions.8:878
4134+msgid "Matches if the packet has entered through a bridge interface."
40694135 msgstr ""
40704136
4071-#. type: Plain text
4072-#: original/man8/ip6tables.8:1457 original/man8/iptables.8:1384
4073-msgid "Example to log and drop packets failing the reverse path filter test:"
4137+#. type: TP
4138+#: original/man8/iptables-extensions.8:878
4139+#, no-wrap
4140+msgid "[B<!>] B<--physdev-is-out>"
40744141 msgstr ""
40754142
40764143 #. type: Plain text
4077-#: original/man8/ip6tables.8:1459 original/man8/iptables.8:1386
4078-msgid "iptables -t raw -N RPFILTER"
4144+#: original/man8/iptables-extensions.8:881
4145+msgid "Matches if the packet will leave through a bridge interface."
40794146 msgstr ""
40804147
4081-#. type: Plain text
4082-#: original/man8/ip6tables.8:1461 original/man8/iptables.8:1388
4083-msgid "iptables -t raw -A RPFILTER -m rpfilter -j RETURN"
4148+#. type: TP
4149+#: original/man8/iptables-extensions.8:881
4150+#, no-wrap
4151+msgid "[B<!>] B<--physdev-is-bridged>"
40844152 msgstr ""
40854153
40864154 #. type: Plain text
4087-#: original/man8/ip6tables.8:1463 original/man8/iptables.8:1390
4155+#: original/man8/iptables-extensions.8:885
40884156 msgid ""
4089-"iptables -t raw -A RPFILTER -m limit --limit 10/minute -j NFLOG "
4090-"--nflog-prefix \"rpfilter drop\""
4091-msgstr ""
4092-
4093-#. type: Plain text
4094-#: original/man8/ip6tables.8:1465 original/man8/iptables.8:1392
4095-msgid "iptables -t raw -A RPFILTER -j DROP"
4157+"Matches if the packet is being bridged and therefore is not being routed. "
4158+"This is only useful in the FORWARD and POSTROUTING chains."
40964159 msgstr ""
40974160
4098-#. type: Plain text
4099-#: original/man8/ip6tables.8:1467 original/man8/iptables.8:1394
4100-msgid "iptables -t raw -A PREROUTING -j RPFILTER"
4161+#. type: SS
4162+#: original/man8/iptables-extensions.8:885
4163+#, no-wrap
4164+msgid "pkttype"
41014165 msgstr ""
41024166
41034167 #. type: Plain text
4104-#: original/man8/ip6tables.8:1469 original/man8/iptables.8:1396
4105-msgid "Example to drop failed packets, without logging:"
4168+#: original/man8/iptables-extensions.8:887
4169+msgid "This module matches the link-layer packet type."
41064170 msgstr ""
41074171
4108-#. type: Plain text
4109-#: original/man8/ip6tables.8:1471 original/man8/iptables.8:1398
4110-msgid "iptables -t raw -A RPFILTER -m rpfilter --invert -j DROP"
4172+#. type: TP
4173+#: original/man8/iptables-extensions.8:887
4174+#, no-wrap
4175+msgid "[B<!>] B<--pkt-type> {B<unicast>|B<broadcast>|B<multicast>}"
41114176 msgstr ""
41124177
41134178 #. type: SS
4114-#: original/man8/ip6tables.8:1471
4179+#: original/man8/iptables-extensions.8:889
41154180 #, no-wrap
4116-msgid "rt"
4181+msgid "policy"
41174182 msgstr ""
41184183
41194184 #. type: Plain text
4120-#: original/man8/ip6tables.8:1473
4121-msgid "Match on IPv6 routing header"
4185+#: original/man8/iptables-extensions.8:891
4186+msgid "This modules matches the policy used by IPsec for handling a packet."
41224187 msgstr ""
41234188
41244189 #. type: TP
4125-#: original/man8/ip6tables.8:1473
4190+#: original/man8/iptables-extensions.8:891
41264191 #, no-wrap
4127-msgid "[B<!>] B<--rt-type> I<type>"
4192+msgid "B<--dir> {B<in>|B<out>}"
41284193 msgstr ""
41294194
41304195 #. type: Plain text
4131-#: original/man8/ip6tables.8:1476
4132-msgid "Match the type (numeric)."
4196+#: original/man8/iptables-extensions.8:903
4197+msgid ""
4198+"Used to select whether to match the policy used for decapsulation or the "
4199+"policy that will be used for encapsulation. B<in> is valid in the "
4200+"B<PREROUTING, INPUT and FORWARD> chains, B<out> is valid in the "
4201+"B<POSTROUTING, OUTPUT and FORWARD> chains."
41334202 msgstr ""
41344203
41354204 #. type: TP
4136-#: original/man8/ip6tables.8:1476
4205+#: original/man8/iptables-extensions.8:903
41374206 #, no-wrap
4138-msgid "[B<!>] B<--rt-segsleft> I<num>[B<:>I<num>]"
4207+msgid "B<--pol> {B<none>|B<ipsec>}"
41394208 msgstr ""
41404209
41414210 #. type: Plain text
4142-#: original/man8/ip6tables.8:1479
4143-msgid "Match the `segments left' field (range)."
4211+#: original/man8/iptables-extensions.8:907
4212+msgid ""
4213+"Matches if the packet is subject to IPsec processing. B<--pol none> cannot "
4214+"be combined with B<--strict>."
41444215 msgstr ""
41454216
41464217 #. type: TP
4147-#: original/man8/ip6tables.8:1479
4218+#: original/man8/iptables-extensions.8:907
41484219 #, no-wrap
4149-msgid "[B<!>] B<--rt-len> I<length>"
4220+msgid "B<--strict>"
41504221 msgstr ""
41514222
41524223 #. type: Plain text
4153-#: original/man8/ip6tables.8:1482
4154-msgid "Match the length of this header."
4224+#: original/man8/iptables-extensions.8:911
4225+msgid ""
4226+"Selects whether to match the exact policy or match if any rule of the policy "
4227+"matches the given policy."
4228+msgstr ""
4229+
4230+#. type: Plain text
4231+#: original/man8/iptables-extensions.8:915
4232+msgid ""
4233+"For each policy element that is to be described, one can use one or more of "
4234+"the following options. When B<--strict> is in effect, at least one must be "
4235+"used per element."
41554236 msgstr ""
41564237
41574238 #. type: TP
4158-#: original/man8/ip6tables.8:1482
4239+#: original/man8/iptables-extensions.8:915
41594240 #, no-wrap
4160-msgid "B<--rt-0-res>"
4241+msgid "[B<!>] B<--reqid> I<id>"
41614242 msgstr ""
41624243
41634244 #. type: Plain text
4164-#: original/man8/ip6tables.8:1485
4165-msgid "Match the reserved field, too (type=0)"
4245+#: original/man8/iptables-extensions.8:922
4246+msgid ""
4247+"Matches the reqid of the policy rule. The reqid can be specified with "
4248+"B<setkey(8)> using B<unique:id> as level."
41664249 msgstr ""
41674250
41684251 #. type: TP
4169-#: original/man8/ip6tables.8:1485
4252+#: original/man8/iptables-extensions.8:922
41704253 #, no-wrap
4171-msgid "B<--rt-0-addrs> I<addr>[B<,>I<addr>...]"
4254+msgid "[B<!>] B<--spi> I<spi>"
41724255 msgstr ""
41734256
41744257 #. type: Plain text
4175-#: original/man8/ip6tables.8:1488
4176-msgid "Match type=0 addresses (list)."
4258+#: original/man8/iptables-extensions.8:925
4259+msgid "Matches the SPI of the SA."
41774260 msgstr ""
41784261
41794262 #. type: TP
4180-#: original/man8/ip6tables.8:1488
4263+#: original/man8/iptables-extensions.8:925
41814264 #, no-wrap
4182-msgid "B<--rt-0-not-strict>"
4265+msgid "[B<!>] B<--proto> {B<ah>|B<esp>|B<ipcomp>}"
41834266 msgstr ""
41844267
41854268 #. type: Plain text
4186-#: original/man8/ip6tables.8:1491
4187-msgid "List of type=0 addresses is not a strict list."
4188-msgstr ""
4189-
4190-#. type: SS
4191-#: original/man8/ip6tables.8:1491 original/man8/iptables.8:1398
4192-#, no-wrap
4193-msgid "sctp"
4269+#: original/man8/iptables-extensions.8:928
4270+msgid "Matches the encapsulation protocol."
41944271 msgstr ""
41954272
41964273 #. type: TP
4197-#: original/man8/ip6tables.8:1496 original/man8/iptables.8:1403
4274+#: original/man8/iptables-extensions.8:928
41984275 #, no-wrap
4199-msgid ""
4200-"[B<!>] B<--chunk-types> {B<all>|B<any>|B<only>} I<chunktype>[B<:>I<flags>] "
4201-"[...]"
4276+msgid "[B<!>] B<--mode> {B<tunnel>|B<transport>}"
42024277 msgstr ""
42034278
42044279 #. type: Plain text
4205-#: original/man8/ip6tables.8:1500 original/man8/iptables.8:1407
4206-msgid ""
4207-"The flag letter in upper case indicates that the flag is to match if set, in "
4208-"the lower case indicates to match if unset."
4280+#: original/man8/iptables-extensions.8:931
4281+msgid "Matches the encapsulation mode."
4282+msgstr ""
4283+
4284+#. type: TP
4285+#: original/man8/iptables-extensions.8:931
4286+#, no-wrap
4287+msgid "[B<!>] B<--tunnel-src> I<addr>[B</>I<mask>]"
42094288 msgstr ""
42104289
42114290 #. type: Plain text
4212-#: original/man8/ip6tables.8:1502 original/man8/iptables.8:1409
4291+#: original/man8/iptables-extensions.8:935
42134292 msgid ""
4214-"Chunk types: DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN "
4215-"SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE "
4216-"ASCONF ASCONF_ACK FORWARD_TSN"
4293+"Matches the source end-point address of a tunnel mode SA. Only valid with "
4294+"B<--mode tunnel>."
42174295 msgstr ""
42184296
4219-#. type: Plain text
4220-#: original/man8/ip6tables.8:1504 original/man8/iptables.8:1411
4221-msgid "chunk type available flags"
4297+#. type: TP
4298+#: original/man8/iptables-extensions.8:935
4299+#, no-wrap
4300+msgid "[B<!>] B<--tunnel-dst> I<addr>[B</>I<mask>]"
42224301 msgstr ""
42234302
42244303 #. type: Plain text
4225-#: original/man8/ip6tables.8:1506 original/man8/iptables.8:1413
4226-msgid "DATA I U B E i u b e"
4304+#: original/man8/iptables-extensions.8:939
4305+msgid ""
4306+"Matches the destination end-point address of a tunnel mode SA. Only valid "
4307+"with B<--mode tunnel>."
42274308 msgstr ""
42284309
4229-#. type: Plain text
4230-#: original/man8/ip6tables.8:1508 original/man8/iptables.8:1415
4231-msgid "ABORT T t"
4310+#. type: TP
4311+#: original/man8/iptables-extensions.8:939
4312+#, no-wrap
4313+msgid "B<--next>"
42324314 msgstr ""
42334315
42344316 #. type: Plain text
4235-#: original/man8/ip6tables.8:1510 original/man8/iptables.8:1417
4236-msgid "SHUTDOWN_COMPLETE T t"
4317+#: original/man8/iptables-extensions.8:943
4318+msgid ""
4319+"Start the next element in the policy specification. Can only be used with "
4320+"B<--strict>."
42374321 msgstr ""
42384322
4239-#. type: Plain text
4240-#: original/man8/ip6tables.8:1512 original/man8/iptables.8:1419
4241-msgid "(lowercase means flag should be \"off\", uppercase means \"on\")"
4323+#. type: SS
4324+#: original/man8/iptables-extensions.8:943
4325+#, no-wrap
4326+msgid "quota"
42424327 msgstr ""
42434328
42444329 #. type: Plain text
4245-#: original/man8/ip6tables.8:1516 original/man8/iptables.8:1423
4246-msgid "iptables -A INPUT -p sctp --dport 80 -j DROP"
4330+#: original/man8/iptables-extensions.8:948
4331+msgid ""
4332+"Implements network quotas by decrementing a byte counter with each "
4333+"packet. The condition matches until the byte counter reaches zero. Behavior "
4334+"is reversed with negation (i.e. the condition does not match until the byte "
4335+"counter reaches zero)."
42474336 msgstr ""
42484337
4249-#. type: Plain text
4250-#: original/man8/ip6tables.8:1518 original/man8/iptables.8:1425
4251-msgid "iptables -A INPUT -p sctp --chunk-types any DATA,INIT -j DROP"
4338+#. type: TP
4339+#: original/man8/iptables-extensions.8:948
4340+#, no-wrap
4341+msgid "[B<!>] B<--quota> I<bytes>"
42524342 msgstr ""
42534343
42544344 #. type: Plain text
4255-#: original/man8/ip6tables.8:1520 original/man8/iptables.8:1427
4256-msgid "iptables -A INPUT -p sctp --chunk-types any DATA:Be -j ACCEPT"
4345+#: original/man8/iptables-extensions.8:951
4346+msgid "The quota in bytes."
42574347 msgstr ""
42584348
42594349 #. type: SS
4260-#: original/man8/ip6tables.8:1520 original/man8/iptables.8:1427
4350+#: original/man8/iptables-extensions.8:951
42614351 #, no-wrap
4262-msgid "set"
4352+msgid "rateest"
42634353 msgstr ""
42644354
42654355 #. type: Plain text
4266-#: original/man8/ip6tables.8:1522 original/man8/iptables.8:1429
4267-msgid "This module matches IP sets which can be defined by ipset(8)."
4268-msgstr ""
4269-
4270-#. type: TP
4271-#: original/man8/ip6tables.8:1522 original/man8/iptables.8:1429
4272-#, no-wrap
4273-msgid "[B<!>] B<--match-set> I<setname> I<flag>[B<,>I<flag>]..."
4356+#: original/man8/iptables-extensions.8:955
4357+msgid ""
4358+"The rate estimator can match on estimated rates as collected by the RATEEST "
4359+"target. It supports matching on absolute bps/pps values, comparing two rate "
4360+"estimators and matching on the difference between two rate estimators."
42744361 msgstr ""
42754362
4363+#. * Absolute:
42764364 #. type: Plain text
4277-#: original/man8/ip6tables.8:1529 original/man8/iptables.8:1436
4365+#: original/man8/iptables-extensions.8:959
42784366 msgid ""
4279-"where flags are the comma separated list of B<src> and/or B<dst> "
4280-"specifications and there can be no more than six of them. Hence the command"
4367+"For a better understanding of the available options, these are all possible "
4368+"combinations:"
42814369 msgstr ""
42824370
42834371 #. type: Plain text
4284-#: original/man8/ip6tables.8:1531 original/man8/iptables.8:1438
4285-#, no-wrap
4286-msgid " iptables -A FORWARD -m set --match-set test src,dst\n"
4372+#: original/man8/iptables-extensions.8:961
4373+msgid "B<rateest> I<operator> B<rateest-bps>"
42874374 msgstr ""
42884375
4376+#. * Absolute + Delta:
42894377 #. type: Plain text
4290-#: original/man8/ip6tables.8:1537 original/man8/iptables.8:1444
4291-msgid ""
4292-"will match packets, for which (if the set type is ipportmap) the source "
4293-"address and destination port pair can be found in the specified set. If the "
4294-"set type of the specified set is single dimension (for example ipmap), then "
4295-"the command will match packets for which the source address can be found in "
4296-"the specified set."
4378+#: original/man8/iptables-extensions.8:964
4379+msgid "B<rateest> I<operator> B<rateest-pps>"
4380+msgstr ""
4381+
4382+#. type: Plain text
4383+#: original/man8/iptables-extensions.8:966
4384+msgid "(B<rateest> minus B<rateest-bps1>) I<operator> B<rateest-bps2>"
4385+msgstr ""
4386+
4387+#. * Relative:
4388+#. type: Plain text
4389+#: original/man8/iptables-extensions.8:969
4390+msgid "(B<rateest> minus B<rateest-pps1>) I<operator> B<rateest-pps2>"
4391+msgstr ""
4392+
4393+#. type: Plain text
4394+#: original/man8/iptables-extensions.8:971
4395+msgid "B<rateest1> I<operator> B<rateest2> B<rateest-bps>(without rate!)"
4396+msgstr ""
4397+
4398+#. * Relative + Delta:
4399+#. type: Plain text
4400+#: original/man8/iptables-extensions.8:974
4401+msgid "B<rateest1> I<operator> B<rateest2> B<rateest-pps>(without rate!)"
42974402 msgstr ""
42984403
42994404 #. type: Plain text
4300-#: original/man8/ip6tables.8:1540 original/man8/iptables.8:1447
4405+#: original/man8/iptables-extensions.8:977
43014406 msgid ""
4302-"The option B<--match-set> can be replaced by B<--set> if that does not clash "
4303-"with an option of other extensions."
4407+"(B<rateest1> minus B<rateest-bps1>) I<operator> (B<rateest2> minus "
4408+"B<rateest-bps2>)"
43044409 msgstr ""
43054410
43064411 #. type: Plain text
4307-#: original/man8/ip6tables.8:1543 original/man8/iptables.8:1450
4412+#: original/man8/iptables-extensions.8:980
43084413 msgid ""
4309-"Use of -m set requires that ipset kernel support is provided, which, for "
4310-"standard kernels, is the case since Linux 2.6.39."
4414+"(B<rateest1> minus B<rateest-pps1>) I<operator> (B<rateest2> minus "
4415+"B<rateest-pps2>)"
43114416 msgstr ""
43124417
4313-#. type: SS
4314-#: original/man8/ip6tables.8:1543 original/man8/iptables.8:1450
4418+#. type: TP
4419+#: original/man8/iptables-extensions.8:980
43154420 #, no-wrap
4316-msgid "socket"
4421+msgid "B<--rateest-delta>"
43174422 msgstr ""
43184423
43194424 #. type: Plain text
4320-#: original/man8/ip6tables.8:1546 original/man8/iptables.8:1453
4425+#: original/man8/iptables-extensions.8:987
43214426 msgid ""
4322-"This matches if an open socket can be found by doing a socket lookup on the "
4323-"packet."
4427+"For each estimator (either absolute or relative mode), calculate the "
4428+"difference between the estimator-determined flow rate and the static value "
4429+"chosen with the BPS/PPS options. If the flow rate is higher than the "
4430+"specified BPS/PPS, 0 will be used instead of a negative value. In other "
4431+"words, \"max(0, rateest#_rate - rateest#_bps)\" is used."
43244432 msgstr ""
43254433
43264434 #. type: TP
4327-#: original/man8/ip6tables.8:1546 original/man8/iptables.8:1453
4435+#: original/man8/iptables-extensions.8:987
43284436 #, no-wrap
4329-msgid "B<--transparent>"
4437+msgid "[B<!>] B<--rateest-lt>"
43304438 msgstr ""
43314439
43324440 #. type: Plain text
4333-#: original/man8/ip6tables.8:1549 original/man8/iptables.8:1456
4334-msgid "Ignore non-transparent sockets."
4441+#: original/man8/iptables-extensions.8:990
4442+msgid "Match if rate is less than given rate/estimator."
43354443 msgstr ""
43364444
4337-#. type: SS
4338-#: original/man8/ip6tables.8:1549 original/man8/iptables.8:1456
4445+#. type: TP
4446+#: original/man8/iptables-extensions.8:990
43394447 #, no-wrap
4340-msgid "state"
4448+msgid "[B<!>] B<--rateest-gt>"
43414449 msgstr ""
43424450
43434451 #. type: Plain text
4344-#: original/man8/ip6tables.8:1552 original/man8/iptables.8:1459
4345-msgid ""
4346-"This module, when combined with connection tracking, allows access to the "
4347-"connection tracking state for this packet."
4452+#: original/man8/iptables-extensions.8:993
4453+msgid "Match if rate is greater than given rate/estimator."
43484454 msgstr ""
43494455
43504456 #. type: TP
4351-#: original/man8/ip6tables.8:1552 original/man8/iptables.8:1459
4457+#: original/man8/iptables-extensions.8:993
43524458 #, no-wrap
4353-msgid "[B<!>] B<--state> I<state>"
4459+msgid "[B<!>] B<--rateest-eq>"
4460+msgstr ""
4461+
4462+#. type: Plain text
4463+#: original/man8/iptables-extensions.8:996
4464+msgid "Match if rate is equal to given rate/estimator."
43544465 msgstr ""
43554466
43564467 #. type: Plain text
4357-#: original/man8/ip6tables.8:1574 original/man8/iptables.8:1481
4468+#: original/man8/iptables-extensions.8:1000
43584469 msgid ""
4359-"Where state is a comma separated list of the connection states to match. "
4360-"Possible states are B<INVALID> meaning that the packet could not be "
4361-"identified for some reason which includes running out of memory and ICMP "
4362-"errors which don't correspond to any known connection, B<ESTABLISHED> "
4363-"meaning that the packet is associated with a connection which has seen "
4364-"packets in both directions, B<NEW> meaning that the packet has started a new "
4365-"connection, or otherwise associated with a connection which has not seen "
4366-"packets in both directions, and B<RELATED> meaning that the packet is "
4367-"starting a new connection, but is associated with an existing connection, "
4368-"such as an FTP data transfer, or an ICMP error. B<UNTRACKED> meaning that "
4369-"the packet is not tracked at all, which happens if you use the NOTRACK "
4370-"target in raw table."
4470+"In the so-called \"absolute mode\", only one rate estimator is used and "
4471+"compared against a static value, while in \"relative mode\", two rate "
4472+"estimators are compared against another."
43714473 msgstr ""
43724474
4373-#. type: SS
4374-#: original/man8/ip6tables.8:1574 original/man8/iptables.8:1481
4475+#. type: TP
4476+#: original/man8/iptables-extensions.8:1000
43754477 #, no-wrap
4376-msgid "statistic"
4478+msgid "B<--rateest> I<name>"
43774479 msgstr ""
43784480
43794481 #. type: Plain text
4380-#: original/man8/ip6tables.8:1579 original/man8/iptables.8:1486
4381-msgid ""
4382-"This module matches packets based on some statistic condition. It supports "
4383-"two distinct modes settable with the B<--mode> option."
4482+#: original/man8/iptables-extensions.8:1003
4483+msgid "Name of the one rate estimator for absolute mode."
43844484 msgstr ""
43854485
4386-#. type: Plain text
4387-#: original/man8/ip6tables.8:1581 original/man8/iptables.8:1488
4388-msgid "Supported options:"
4486+#. type: TP
4487+#: original/man8/iptables-extensions.8:1003
4488+#, no-wrap
4489+msgid "B<--rateest1> I<name>"
43894490 msgstr ""
43904491
43914492 #. type: TP
4392-#: original/man8/ip6tables.8:1581 original/man8/iptables.8:1488
4493+#: original/man8/iptables-extensions.8:1005
43934494 #, no-wrap
4394-msgid "B<--mode> I<mode>"
4495+msgid "B<--rateest2> I<name>"
43954496 msgstr ""
43964497
43974498 #. type: Plain text
4398-#: original/man8/ip6tables.8:1587 original/man8/iptables.8:1494
4399-msgid ""
4400-"Set the matching mode of the matching rule, supported modes are B<random> "
4401-"and B<nth.>"
4499+#: original/man8/iptables-extensions.8:1008
4500+msgid "The names of the two rate estimators for relative mode."
44024501 msgstr ""
44034502
44044503 #. type: TP
4405-#: original/man8/ip6tables.8:1587 original/man8/iptables.8:1494
4504+#: original/man8/iptables-extensions.8:1008
44064505 #, no-wrap
4407-msgid "[B<!>] B<--probability> I<p>"
4506+msgid "B<--rateest-bps> [I<value>]"
44084507 msgstr ""
44094508
4410-#. type: Plain text
4411-#: original/man8/ip6tables.8:1592 original/man8/iptables.8:1499
4412-msgid ""
4413-"Set the probability for a packet to be randomly matched. It only works with "
4414-"the B<random> mode. I<p> must be within 0.0 and 1.0. The supported "
4415-"granularity is in 1/2147483648th increments."
4509+#. type: TP
4510+#: original/man8/iptables-extensions.8:1010
4511+#, no-wrap
4512+msgid "B<--rateest-pps> [I<value>]"
44164513 msgstr ""
44174514
44184515 #. type: TP
4419-#: original/man8/ip6tables.8:1592 original/man8/iptables.8:1499
4516+#: original/man8/iptables-extensions.8:1012
44204517 #, no-wrap
4421-msgid "[B<!>] B<--every> I<n>"
4518+msgid "B<--rateest-bps1> [I<value>]"
44224519 msgstr ""
44234520
4424-#. type: Plain text
4425-#: original/man8/ip6tables.8:1599 original/man8/iptables.8:1506
4426-msgid ""
4427-"Match one packet every nth packet. It works only with the B<nth> mode (see "
4428-"also the B<--packet> option)."
4521+#. type: TP
4522+#: original/man8/iptables-extensions.8:1014
4523+#, no-wrap
4524+msgid "B<--rateest-bps2> [I<value>]"
44294525 msgstr ""
44304526
44314527 #. type: TP
4432-#: original/man8/ip6tables.8:1599 original/man8/iptables.8:1506
4528+#: original/man8/iptables-extensions.8:1016
44334529 #, no-wrap
4434-msgid "B<--packet> I<p>"
4530+msgid "B<--rateest-pps1> [I<value>]"
4531+msgstr ""
4532+
4533+#. type: TP
4534+#: original/man8/iptables-extensions.8:1018
4535+#, no-wrap
4536+msgid "B<--rateest-pps2> [I<value>]"
44354537 msgstr ""
44364538
44374539 #. type: Plain text
4438-#: original/man8/ip6tables.8:1604 original/man8/iptables.8:1511
4540+#: original/man8/iptables-extensions.8:1024
44394541 msgid ""
4440-"Set the initial counter value (0 E<lt>= p E<lt>= n-1, default 0) for the "
4441-"B<nth> mode."
4542+"Compare the estimator(s) by bytes or packets per second, and compare against "
4543+"the chosen value. See the above bullet list for which option is to be used "
4544+"in which case. A unit suffix may be used - available ones are: bit, "
4545+"[kmgt]bit, [KMGT]ibit, Bps, [KMGT]Bps, [KMGT]iBps."
44424546 msgstr ""
44434547
4444-#. type: SS
4445-#: original/man8/ip6tables.8:1604 original/man8/iptables.8:1511
4446-#, no-wrap
4447-msgid "string"
4548+#. type: Plain text
4549+#: original/man8/iptables-extensions.8:1028
4550+msgid ""
4551+"Example: This is what can be used to route outgoing data connections from an "
4552+"FTP server over two lines based on the available bandwidth at the time the "
4553+"data connection was started:"
44484554 msgstr ""
44494555
44504556 #. type: Plain text
4451-#: original/man8/ip6tables.8:1606 original/man8/iptables.8:1513
4452-msgid ""
4453-"This modules matches a given string by using some pattern matching "
4454-"strategy. It requires a linux kernel E<gt>= 2.6.14."
4557+#: original/man8/iptables-extensions.8:1030
4558+msgid "# Estimate outgoing rates"
44554559 msgstr ""
44564560
4457-#. type: TP
4458-#: original/man8/ip6tables.8:1606 original/man8/iptables.8:1513
4459-#, no-wrap
4460-msgid "B<--algo> {B<bm>|B<kmp>}"
4561+#. type: Plain text
4562+#: original/man8/iptables-extensions.8:1033
4563+msgid ""
4564+"iptables -t mangle -A POSTROUTING -o eth0 -j RATEEST --rateest-name eth0 "
4565+"--rateest-interval 250ms --rateest-ewma 0.5s"
44614566 msgstr ""
44624567
44634568 #. type: Plain text
4464-#: original/man8/ip6tables.8:1609 original/man8/iptables.8:1516
4569+#: original/man8/iptables-extensions.8:1036
44654570 msgid ""
4466-"Select the pattern matching strategy. (bm = Boyer-Moore, kmp = "
4467-"Knuth-Pratt-Morris)"
4571+"iptables -t mangle -A POSTROUTING -o ppp0 -j RATEEST --rateest-name ppp0 "
4572+"--rateest-interval 250ms --rateest-ewma 0.5s"
44684573 msgstr ""
44694574
4470-#. type: TP
4471-#: original/man8/ip6tables.8:1609 original/man8/iptables.8:1516
4472-#, no-wrap
4473-msgid "B<--from> I<offset>"
4575+#. type: Plain text
4576+#: original/man8/iptables-extensions.8:1038
4577+msgid "# Mark based on available bandwidth"
44744578 msgstr ""
44754579
44764580 #. type: Plain text
4477-#: original/man8/ip6tables.8:1612 original/man8/iptables.8:1519
4581+#: original/man8/iptables-extensions.8:1042
44784582 msgid ""
4479-"Set the offset from which it starts looking for any matching. If not passed, "
4480-"default is 0."
4583+"iptables -t mangle -A balance -m conntrack --ctstate NEW -m helper --helper "
4584+"ftp -m rateest --rateest-delta --rateest1 eth0 --rateest-bps1 2.5mbit "
4585+"--rateest-gt --rateest2 ppp0 --rateest-bps2 2mbit -j CONNMARK --set-mark 1"
44814586 msgstr ""
44824587
4483-#. type: TP
4484-#: original/man8/ip6tables.8:1612 original/man8/iptables.8:1519
4485-#, no-wrap
4486-msgid "B<--to> I<offset>"
4588+#. type: Plain text
4589+#: original/man8/iptables-extensions.8:1046
4590+msgid ""
4591+"iptables -t mangle -A balance -m conntrack --ctstate NEW -m helper --helper "
4592+"ftp -m rateest --rateest-delta --rateest1 ppp0 --rateest-bps1 2mbit "
4593+"--rateest-gt --rateest2 eth0 --rateest-bps2 2.5mbit -j CONNMARK --set-mark 2"
44874594 msgstr ""
44884595
44894596 #. type: Plain text
4490-#: original/man8/ip6tables.8:1617 original/man8/iptables.8:1524
4491-msgid ""
4492-"Set the offset up to which should be scanned. That is, byte I<offset>-1 "
4493-"(counting from 0) is the last one that is scanned. If not passed, default "
4494-"is the packet size."
4597+#: original/man8/iptables-extensions.8:1048
4598+msgid "iptables -t mangle -A balance -j CONNMARK --restore-mark"
44954599 msgstr ""
44964600
4497-#. type: TP
4498-#: original/man8/ip6tables.8:1617 original/man8/iptables.8:1524
4601+#. type: SS
4602+#: original/man8/iptables-extensions.8:1048
44994603 #, no-wrap
4500-msgid "[B<!>] B<--string> I<pattern>"
4604+msgid "realm (IPv4-specific)"
45014605 msgstr ""
45024606
45034607 #. type: Plain text
4504-#: original/man8/ip6tables.8:1620 original/man8/iptables.8:1527
4505-msgid "Matches the given pattern."
4608+#: original/man8/iptables-extensions.8:1051
4609+msgid ""
4610+"This matches the routing realm. Routing realms are used in complex routing "
4611+"setups involving dynamic routing protocols like BGP."
45064612 msgstr ""
45074613
45084614 #. type: TP
4509-#: original/man8/ip6tables.8:1620 original/man8/iptables.8:1527
4615+#: original/man8/iptables-extensions.8:1051
45104616 #, no-wrap
4511-msgid "[B<!>] B<--hex-string> I<pattern>"
4617+msgid "[B<!>] B<--realm> I<value>[B</>I<mask>]"
45124618 msgstr ""
45134619
45144620 #. type: Plain text
4515-#: original/man8/ip6tables.8:1623 original/man8/iptables.8:1530
4516-msgid "Matches the given pattern in hex notation."
4621+#: original/man8/iptables-extensions.8:1056
4622+msgid ""
4623+"Matches a given realm number (and optionally mask). If not a number, value "
4624+"can be a named realm from /etc/iproute2/rt_realms (mask can not be used in "
4625+"that case)."
45174626 msgstr ""
45184627
45194628 #. type: SS
4520-#: original/man8/ip6tables.8:1623 original/man8/iptables.8:1530
4629+#: original/man8/iptables-extensions.8:1056
45214630 #, no-wrap
4522-msgid "tcp"
4631+msgid "recent"
45234632 msgstr ""
45244633
45254634 #. type: Plain text
4526-#: original/man8/ip6tables.8:1626 original/man8/iptables.8:1533
4635+#: original/man8/iptables-extensions.8:1059
45274636 msgid ""
4528-"These extensions can be used if `--protocol tcp' is specified. It provides "
4529-"the following options:"
4637+"Allows you to dynamically create a list of IP addresses and then match "
4638+"against that list in a few different ways."
45304639 msgstr ""
45314640
45324641 #. type: Plain text
4533-#: original/man8/ip6tables.8:1637 original/man8/iptables.8:1544
4642+#: original/man8/iptables-extensions.8:1063
45344643 msgid ""
4535-"Source port or port range specification. This can either be a service name "
4536-"or a port number. An inclusive range can also be specified, using the format "
4537-"I<first>B<:>I<last>. If the first port is omitted, \"0\" is assumed; if the "
4538-"last is omitted, \"65535\" is assumed. If the first port is greater than "
4539-"the second one they will be swapped. The flag B<--sport> is a convenient "
4540-"alias for this option."
4644+"For example, you can create a \"badguy\" list out of people attempting to "
4645+"connect to port 139 on your firewall and then DROP all future packets from "
4646+"them without considering them."
45414647 msgstr ""
45424648
45434649 #. type: Plain text
4544-#: original/man8/ip6tables.8:1642 original/man8/iptables.8:1549
4545-msgid ""
4546-"Destination port or port range specification. The flag B<--dport> is a "
4547-"convenient alias for this option."
4650+#: original/man8/iptables-extensions.8:1066
4651+msgid "B<--set>, B<--rcheck>, B<--update> and B<--remove> are mutually exclusive."
45484652 msgstr ""
45494653
45504654 #. type: TP
4551-#: original/man8/ip6tables.8:1642 original/man8/iptables.8:1549
4655+#: original/man8/iptables-extensions.8:1066
45524656 #, no-wrap
4553-msgid "[B<!>] B<--tcp-flags> I<mask> I<comp>"
4657+msgid "B<--name> I<name>"
45544658 msgstr ""
45554659
45564660 #. type: Plain text
4557-#: original/man8/ip6tables.8:1650 original/man8/iptables.8:1557
4661+#: original/man8/iptables-extensions.8:1070
45584662 msgid ""
4559-"Match when the TCP flags are as specified. The first argument I<mask> is "
4560-"the flags which we should examine, written as a comma-separated list, and "
4561-"the second argument I<comp> is a comma-separated list of flags which must be "
4562-"set. Flags are: B<SYN ACK FIN RST URG PSH ALL NONE>. Hence the command"
4663+"Specify the list to use for the commands. If no name is given then "
4664+"B<DEFAULT> will be used."
45634665 msgstr ""
45644666
4565-#. type: Plain text
4566-#: original/man8/ip6tables.8:1652 original/man8/iptables.8:1559
4667+#. type: TP
4668+#: original/man8/iptables-extensions.8:1070
45674669 #, no-wrap
4568-msgid " iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN\n"
4670+msgid "[B<!>] B<--set>"
45694671 msgstr ""
45704672
45714673 #. type: Plain text
4572-#: original/man8/ip6tables.8:1655 original/man8/iptables.8:1562
4674+#: original/man8/iptables-extensions.8:1075
45734675 msgid ""
4574-"will only match packets with the SYN flag set, and the ACK, FIN and RST "
4575-"flags unset."
4676+"This will add the source address of the packet to the list. If the source "
4677+"address is already in the list, this will update the existing entry. This "
4678+"will always return success (or failure if B<!> is passed in)."
45764679 msgstr ""
45774680
45784681 #. type: TP
4579-#: original/man8/ip6tables.8:1655 original/man8/iptables.8:1562
4682+#: original/man8/iptables-extensions.8:1075
45804683 #, no-wrap
4581-msgid "[B<!>] B<--syn>"
4684+msgid "B<--rsource>"
45824685 msgstr ""
45834686
45844687 #. type: Plain text
4585-#: original/man8/ip6tables.8:1665 original/man8/iptables.8:1572
4688+#: original/man8/iptables-extensions.8:1079
45864689 msgid ""
4587-"Only match TCP packets with the SYN bit set and the ACK,RST and FIN bits "
4588-"cleared. Such packets are used to request TCP connection initiation; for "
4589-"example, blocking such packets coming in an interface will prevent incoming "
4590-"TCP connections, but outgoing TCP connections will be unaffected. It is "
4591-"equivalent to B<--tcp-flags SYN,RST,ACK,FIN SYN>. If the \"!\" flag "
4592-"precedes the \"--syn\", the sense of the option is inverted."
4690+"Match/save the source address of each packet in the recent list table. This "
4691+"is the default."
45934692 msgstr ""
45944693
45954694 #. type: TP
4596-#: original/man8/ip6tables.8:1665 original/man8/iptables.8:1572
4695+#: original/man8/iptables-extensions.8:1079
45974696 #, no-wrap
4598-msgid "[B<!>] B<--tcp-option> I<number>"
4697+msgid "B<--rdest>"
45994698 msgstr ""
46004699
46014700 #. type: Plain text
4602-#: original/man8/ip6tables.8:1668 original/man8/iptables.8:1575
4603-msgid "Match if TCP option set."
4701+#: original/man8/iptables-extensions.8:1082
4702+msgid "Match/save the destination address of each packet in the recent list table."
46044703 msgstr ""
46054704
4606-#. type: SS
4607-#: original/man8/ip6tables.8:1668 original/man8/iptables.8:1575
4705+#. type: TP
4706+#: original/man8/iptables-extensions.8:1082
46084707 #, no-wrap
4609-msgid "tcpmss"
4708+msgid "B<--mask>netmask"
46104709 msgstr ""
46114710
46124711 #. type: Plain text
4613-#: original/man8/ip6tables.8:1670 original/man8/iptables.8:1577
4614-msgid ""
4615-"This matches the TCP MSS (maximum segment size) field of the TCP header. "
4616-"You can only use this on TCP SYN or SYN/ACK packets, since the MSS is only "
4617-"negotiated during the TCP handshake at connection startup time."
4712+#: original/man8/iptables-extensions.8:1085
4713+msgid "Netmask that will be applied to this recent list."
46184714 msgstr ""
46194715
46204716 #. type: TP
4621-#: original/man8/ip6tables.8:1670 original/man8/iptables.8:1577
4717+#: original/man8/iptables-extensions.8:1085
46224718 #, no-wrap
4623-msgid "[B<!>] B<--mss> I<value>[B<:>I<value>]"
4719+msgid "[B<!>] B<--rcheck>"
46244720 msgstr ""
46254721
46264722 #. type: Plain text
4627-#: original/man8/ip6tables.8:1673 original/man8/iptables.8:1580
4628-msgid "Match a given TCP MSS value or range."
4723+#: original/man8/iptables-extensions.8:1088
4724+msgid "Check if the source address of the packet is currently in the list."
46294725 msgstr ""
46304726
4631-#. type: SS
4632-#: original/man8/ip6tables.8:1673 original/man8/iptables.8:1580
4727+#. type: TP
4728+#: original/man8/iptables-extensions.8:1088
46334729 #, no-wrap
4634-msgid "time"
4730+msgid "[B<!>] B<--update>"
46354731 msgstr ""
46364732
46374733 #. type: Plain text
4638-#: original/man8/ip6tables.8:1677 original/man8/iptables.8:1584
4734+#: original/man8/iptables-extensions.8:1092
46394735 msgid ""
4640-"This matches if the packet arrival time/date is within a given range. All "
4641-"options are optional, but are ANDed when specified. All times are "
4642-"interpreted as UTC by default."
4736+"Like B<--rcheck>, except it will update the \"last seen\" timestamp if it "
4737+"matches."
46434738 msgstr ""
46444739
46454740 #. type: TP
4646-#: original/man8/ip6tables.8:1677 original/man8/iptables.8:1584
4741+#: original/man8/iptables-extensions.8:1092
46474742 #, no-wrap
4743+msgid "[B<!>] B<--remove>"
4744+msgstr ""
4745+
4746+#. type: Plain text
4747+#: original/man8/iptables-extensions.8:1097
46484748 msgid ""
4649-"B<--datestart> "
4650-"I<YYYY>[B<->I<MM>[B<->I<DD>[B<T>I<hh>[B<:>I<mm>[B<:>I<ss>]]]]]"
4749+"Check if the source address of the packet is currently in the list and if so "
4750+"that address will be removed from the list and the rule will return true. If "
4751+"the address is not found, false is returned."
46514752 msgstr ""
46524753
46534754 #. type: TP
4654-#: original/man8/ip6tables.8:1679 original/man8/iptables.8:1586
4755+#: original/man8/iptables-extensions.8:1097
46554756 #, no-wrap
4656-msgid "B<--datestop> I<YYYY>[B<->I<MM>[B<->I<DD>[B<T>I<hh>[B<:>I<mm>[B<:>I<ss>]]]]]"
4657-msgstr ""
4658-
4659-#. type: Plain text
4660-#: original/man8/ip6tables.8:1683 original/man8/iptables.8:1590
4661-msgid ""
4662-"Only match during the given time, which must be in ISO 8601 \"T\" notation. "
4663-"The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07."
4757+msgid "B<--seconds> I<seconds>"
46644758 msgstr ""
46654759
46664760 #. type: Plain text
4667-#: original/man8/ip6tables.8:1686 original/man8/iptables.8:1593
4761+#: original/man8/iptables-extensions.8:1102
46684762 msgid ""
4669-"If --datestart or --datestop are not specified, it will default to "
4670-"1970-01-01 and 2038-01-19, respectively."
4671-msgstr ""
4672-
4673-#. type: TP
4674-#: original/man8/ip6tables.8:1686 original/man8/iptables.8:1593
4675-#, no-wrap
4676-msgid "B<--timestart> I<hh>B<:>I<mm>[B<:>I<ss>]"
4763+"This option must be used in conjunction with one of B<--rcheck> or "
4764+"B<--update>. When used, this will narrow the match to only happen when the "
4765+"address is in the list and was seen within the last given number of seconds."
46774766 msgstr ""
46784767
46794768 #. type: TP
4680-#: original/man8/ip6tables.8:1688 original/man8/iptables.8:1595
4769+#: original/man8/iptables-extensions.8:1102
46814770 #, no-wrap
4682-msgid "B<--timestop> I<hh>B<:>I<mm>[B<:>I<ss>]"
4771+msgid "B<--reap>"
46834772 msgstr ""
46844773
46854774 #. type: Plain text
4686-#: original/man8/ip6tables.8:1693 original/man8/iptables.8:1600
4775+#: original/man8/iptables-extensions.8:1107
46874776 msgid ""
4688-"Only match during the given daytime. The possible time range is 00:00:00 to "
4689-"23:59:59. Leading zeroes are allowed (e.g. \"06:03\") and correctly "
4690-"interpreted as base-10."
4777+"This option can only be used in conjunction with B<--seconds>. When used, "
4778+"this will cause entries older than the last given number of seconds to be "
4779+"purged."
46914780 msgstr ""
46924781
46934782 #. type: TP
4694-#: original/man8/ip6tables.8:1693 original/man8/iptables.8:1600
4783+#: original/man8/iptables-extensions.8:1107
46954784 #, no-wrap
4696-msgid "[B<!>] B<--monthdays> I<day>[B<,>I<day>...]"
4785+msgid "B<--hitcount> I<hits>"
46974786 msgstr ""
46984787
46994788 #. type: Plain text
4700-#: original/man8/ip6tables.8:1699 original/man8/iptables.8:1606
4789+#: original/man8/iptables-extensions.8:1117
47014790 msgid ""
4702-"Only match on the given days of the month. Possible values are B<1> to "
4703-"B<31>. Note that specifying B<31> will of course not match on months which "
4704-"do not have a 31st day; the same goes for 28- or 29-day February."
4791+"This option must be used in conjunction with one of B<--rcheck> or "
4792+"B<--update>. When used, this will narrow the match to only happen when the "
4793+"address is in the list and packets had been received greater than or equal "
4794+"to the given value. This option may be used along with B<--seconds> to "
4795+"create an even narrower match requiring a certain number of hits within a "
4796+"specific time frame. The maximum value for the hitcount parameter is given "
4797+"by the \"ip_pkt_list_tot\" parameter of the xt_recent kernel "
4798+"module. Exceeding this value on the command line will cause the rule to be "
4799+"rejected."
47054800 msgstr ""
47064801
47074802 #. type: TP
4708-#: original/man8/ip6tables.8:1699 original/man8/iptables.8:1606
4803+#: original/man8/iptables-extensions.8:1117
47094804 #, no-wrap
4710-msgid "[B<!>] B<--weekdays> I<day>[B<,>I<day>...]"
4805+msgid "B<--rttl>"
47114806 msgstr ""
47124807
47134808 #. type: Plain text
4714-#: original/man8/ip6tables.8:1705 original/man8/iptables.8:1612
4809+#: original/man8/iptables-extensions.8:1125
47154810 msgid ""
4716-"Only match on the given weekdays. Possible values are B<Mon>, B<Tue>, "
4717-"B<Wed>, B<Thu>, B<Fri>, B<Sat>, B<Sun>, or values from B<1> to B<7>, "
4718-"respectively. You may also use two-character variants (B<Mo>, B<Tu>, etc.)."
4811+"This option may only be used in conjunction with one of B<--rcheck> or "
4812+"B<--update>. When used, this will narrow the match to only happen when the "
4813+"address is in the list and the TTL of the current packet matches that of the "
4814+"packet which hit the B<--set> rule. This may be useful if you have problems "
4815+"with people faking their source address in order to DoS you via this module "
4816+"by disallowing others access to your site by sending bogus packets to you."
47194817 msgstr ""
47204818
4721-#. type: TP
4722-#: original/man8/ip6tables.8:1705 original/man8/iptables.8:1612
4723-#, no-wrap
4724-msgid "B<--kerneltz>"
4819+#. type: Plain text
4820+#: original/man8/iptables-extensions.8:1129
4821+msgid "iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP"
47254822 msgstr ""
47264823
47274824 #. type: Plain text
4728-#: original/man8/ip6tables.8:1709 original/man8/iptables.8:1616
4825+#: original/man8/iptables-extensions.8:1131
47294826 msgid ""
4730-"Use the kernel timezone instead of UTC to determine whether a packet meets "
4731-"the time regulations."
4827+"iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set "
4828+"-j DROP"
47324829 msgstr ""
47334830
47344831 #. type: Plain text
4735-#: original/man8/ip6tables.8:1715 original/man8/iptables.8:1622
4832+#: original/man8/iptables-extensions.8:1134
47364833 msgid ""
4737-"About kernel timezones: Linux keeps the system time in UTC, and always does "
4738-"so. On boot, system time is initialized from a referential time "
4739-"source. Where this time source has no timezone information, such as the x86 "
4740-"CMOS RTC, UTC will be assumed. If the time source is however not in UTC, "
4741-"userspace should provide the correct system time and timezone to the kernel "
4742-"once it has the information."
4834+"Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/) also "
4835+"has some examples of usage."
47434836 msgstr ""
47444837
47454838 #. type: Plain text
4746-#: original/man8/ip6tables.8:1726 original/man8/iptables.8:1633
4839+#: original/man8/iptables-extensions.8:1137
47474840 msgid ""
4748-"Local time is a feature on top of the (timezone independent) system "
4749-"time. Each process has its own idea of local time, specified via the TZ "
4750-"environment variable. The kernel also has its own timezone offset "
4751-"variable. The TZ userspace environment variable specifies how the UTC-based "
4752-"system time is displayed, e.g. when you run date(1), or what you see on your "
4753-"desktop clock. The TZ string may resolve to different offsets at different "
4754-"dates, which is what enables the automatic time-jumping in userspace. when "
4755-"DST changes. The kernel's timezone offset variable is used when it has to "
4756-"convert between non-UTC sources, such as FAT filesystems, to UTC (since the "
4757-"latter is what the rest of the system uses)."
4841+"B</proc/net/xt_recent/*> are the current lists of addresses and information "
4842+"about each entry of each list."
47584843 msgstr ""
47594844
47604845 #. type: Plain text
4761-#: original/man8/ip6tables.8:1735 original/man8/iptables.8:1642
4846+#: original/man8/iptables-extensions.8:1140
47624847 msgid ""
4763-"The caveat with the kernel timezone is that Linux distributions may ignore "
4764-"to set the kernel timezone, and instead only set the system time. Even if a "
4765-"particular distribution does set the timezone at boot, it is usually does "
4766-"not keep the kernel timezone offset - which is what changes on DST - up to "
4767-"date. ntpd will not touch the kernel timezone, so running it will not "
4768-"resolve the issue. As such, one may encounter a timezone that is always "
4769-"+0000, or one that is wrong half of the time of the year. As such, B<using "
4770-"--kerneltz is highly discouraged.>"
4848+"Each file in B</proc/net/xt_recent/> can be read from to see the current "
4849+"list or written two using the following commands to modify the list:"
47714850 msgstr ""
47724851
4773-#. type: Plain text
4774-#: original/man8/ip6tables.8:1737 original/man8/iptables.8:1644
4775-msgid "EXAMPLES. To match on weekends, use:"
4852+#. type: TP
4853+#: original/man8/iptables-extensions.8:1140
4854+#, no-wrap
4855+msgid "B<echo +>I<addr>B< E<gt>/proc/net/xt_recent/DEFAULT>"
47764856 msgstr ""
47774857
47784858 #. type: Plain text
4779-#: original/man8/ip6tables.8:1739 original/man8/iptables.8:1646
4780-msgid "-m time --weekdays Sa,Su"
4859+#: original/man8/iptables-extensions.8:1143
4860+msgid "to add I<addr> to the DEFAULT list"
4861+msgstr ""
4862+
4863+#. type: TP
4864+#: original/man8/iptables-extensions.8:1143
4865+#, no-wrap
4866+msgid "B<echo ->I<addr>B< E<gt>/proc/net/xt_recent/DEFAULT>"
47814867 msgstr ""
47824868
47834869 #. type: Plain text
4784-#: original/man8/ip6tables.8:1741 original/man8/iptables.8:1648
4785-msgid "Or, to match (once) on a national holiday block:"
4870+#: original/man8/iptables-extensions.8:1146
4871+msgid "to remove I<addr> from the DEFAULT list"
4872+msgstr ""
4873+
4874+#. type: TP
4875+#: original/man8/iptables-extensions.8:1146
4876+#, no-wrap
4877+msgid "B<echo / E<gt>/proc/net/xt_recent/DEFAULT>"
47864878 msgstr ""
47874879
47884880 #. type: Plain text
4789-#: original/man8/ip6tables.8:1743 original/man8/iptables.8:1650
4790-msgid "-m time --datestart 2007-12-24 --datestop 2007-12-27"
4881+#: original/man8/iptables-extensions.8:1149
4882+msgid "to flush the DEFAULT list (remove all entries)."
47914883 msgstr ""
47924884
47934885 #. type: Plain text
4794-#: original/man8/ip6tables.8:1746 original/man8/iptables.8:1653
4795-msgid ""
4796-"Since the stop time is actually inclusive, you would need the following stop "
4797-"time to not match the first second of the new day:"
4886+#: original/man8/iptables-extensions.8:1151
4887+msgid "The module itself accepts parameters, defaults shown:"
4888+msgstr ""
4889+
4890+#. type: TP
4891+#: original/man8/iptables-extensions.8:1151
4892+#, no-wrap
4893+msgid "B<ip_list_tot>=I<100>"
47984894 msgstr ""
47994895
48004896 #. type: Plain text
4801-#: original/man8/ip6tables.8:1748 original/man8/iptables.8:1655
4802-msgid "-m time --datestart 2007-01-01T17:00 --datestop 2007-01-01T23:59:59"
4897+#: original/man8/iptables-extensions.8:1154
4898+msgid "Number of addresses remembered per table."
4899+msgstr ""
4900+
4901+#. type: TP
4902+#: original/man8/iptables-extensions.8:1154
4903+#, no-wrap
4904+msgid "B<ip_pkt_list_tot>=I<20>"
48034905 msgstr ""
48044906
48054907 #. type: Plain text
4806-#: original/man8/ip6tables.8:1750 original/man8/iptables.8:1657
4807-msgid "During lunch hour:"
4908+#: original/man8/iptables-extensions.8:1157
4909+msgid "Number of packets per address remembered."
4910+msgstr ""
4911+
4912+#. type: TP
4913+#: original/man8/iptables-extensions.8:1157
4914+#, no-wrap
4915+msgid "B<ip_list_hash_size>=I<0>"
48084916 msgstr ""
48094917
48104918 #. type: Plain text
4811-#: original/man8/ip6tables.8:1752 original/man8/iptables.8:1659
4812-msgid "-m time --timestart 12:30 --timestop 13:30"
4919+#: original/man8/iptables-extensions.8:1160
4920+msgid "Hash table size. 0 means to calculate it based on ip_list_tot, default: 512."
4921+msgstr ""
4922+
4923+#. type: TP
4924+#: original/man8/iptables-extensions.8:1160
4925+#, no-wrap
4926+msgid "B<ip_list_perms>=I<0644>"
48134927 msgstr ""
48144928
48154929 #. type: Plain text
4816-#: original/man8/ip6tables.8:1754 original/man8/iptables.8:1661
4817-msgid "The fourth Friday in the month:"
4930+#: original/man8/iptables-extensions.8:1163
4931+msgid "Permissions for /proc/net/xt_recent/* files."
4932+msgstr ""
4933+
4934+#. type: TP
4935+#: original/man8/iptables-extensions.8:1163
4936+#, no-wrap
4937+msgid "B<ip_list_uid>=I<0>"
48184938 msgstr ""
48194939
48204940 #. type: Plain text
4821-#: original/man8/ip6tables.8:1756 original/man8/iptables.8:1663
4822-msgid "-m time --weekdays Fr --monthdays 22,23,24,25,26,27,28"
4941+#: original/man8/iptables-extensions.8:1166
4942+msgid "Numerical UID for ownership of /proc/net/xt_recent/* files."
4943+msgstr ""
4944+
4945+#. type: TP
4946+#: original/man8/iptables-extensions.8:1166
4947+#, no-wrap
4948+msgid "B<ip_list_gid>=I<0>"
48234949 msgstr ""
48244950
48254951 #. type: Plain text
4826-#: original/man8/ip6tables.8:1760 original/man8/iptables.8:1667
4827-msgid ""
4828-"(Note that this exploits a certain mathematical property. It is not possible "
4829-"to say \"fourth Thursday OR fourth Friday\" in one rule. It is possible with "
4830-"multiple rules, though.)"
4952+#: original/man8/iptables-extensions.8:1169
4953+msgid "Numerical GID for ownership of /proc/net/xt_recent/* files."
48314954 msgstr ""
48324955
48334956 #. type: SS
4834-#: original/man8/ip6tables.8:1760 original/man8/iptables.8:1667
4957+#: original/man8/iptables-extensions.8:1169
48354958 #, no-wrap
4836-msgid "tos"
4959+msgid "rpfilter"
48374960 msgstr ""
48384961
48394962 #. type: Plain text
4840-#: original/man8/ip6tables.8:1764 original/man8/iptables.8:1671
4963+#: original/man8/iptables-extensions.8:1178
48414964 msgid ""
4842-"This module matches the 8-bit Type of Service field in the IPv4 header "
4843-"(i.e. including the \"Precedence\" bits) or the (also 8-bit) Priority field "
4844-"in the IPv6 header."
4965+"Performs a reverse path filter test on a packet. If a reply to the packet "
4966+"would be sent via the same interface that the packet arrived on, the packet "
4967+"will match. Note that, unlike the in-kernel rp_filter, packets protected by "
4968+"IPSec are not treated specially. Combine this match with the policy match "
4969+"if you want this. Also, packets arriving via the loopback interface are "
4970+"always permitted. This match can only be used in the PREROUTING chain of "
4971+"the raw or mangle table."
48454972 msgstr ""
48464973
48474974 #. type: TP
4848-#: original/man8/ip6tables.8:1764 original/man8/iptables.8:1671
4975+#: original/man8/iptables-extensions.8:1178
48494976 #, no-wrap
4850-msgid "[B<!>] B<--tos> I<value>[B</>I<mask>]"
4977+msgid "B<--loose>"
48514978 msgstr ""
48524979
48534980 #. type: Plain text
4854-#: original/man8/ip6tables.8:1768 original/man8/iptables.8:1675
4981+#: original/man8/iptables-extensions.8:1182
48554982 msgid ""
4856-"Matches packets with the given TOS mark value. If a mask is specified, it is "
4857-"logically ANDed with the TOS mark before the comparison."
4983+"Used to specifiy that the reverse path filter test should match even if the "
4984+"selected output device is not the expected one."
48584985 msgstr ""
48594986
48604987 #. type: TP
4861-#: original/man8/ip6tables.8:1768 original/man8/iptables.8:1675
4988+#: original/man8/iptables-extensions.8:1182
48624989 #, no-wrap
4863-msgid "[B<!>] B<--tos> I<symbol>"
4990+msgid "B<--validmark>"
48644991 msgstr ""
48654992
48664993 #. type: Plain text
4867-#: original/man8/ip6tables.8:1773 original/man8/iptables.8:1680
4994+#: original/man8/iptables-extensions.8:1185
48684995 msgid ""
4869-"You can specify a symbolic name when using the tos match for IPv4. The list "
4870-"of recognized TOS names can be obtained by calling iptables with B<-m tos "
4871-"-h>. Note that this implies a mask of 0x3F, i.e. all but the ECN bits."
4996+"Also use the packets' nfmark value when performing the reverse path route "
4997+"lookup."
48724998 msgstr ""
48734999
4874-#. type: SS
4875-#: original/man8/ip6tables.8:1773 original/man8/iptables.8:1691
5000+#. type: TP
5001+#: original/man8/iptables-extensions.8:1185
48765002 #, no-wrap
4877-msgid "u32"
5003+msgid "B<--accept-local>"
48785004 msgstr ""
48795005
48805006 #. type: Plain text
4881-#: original/man8/ip6tables.8:1777 original/man8/iptables.8:1695
5007+#: original/man8/iptables-extensions.8:1189
48825008 msgid ""
4883-"U32 tests whether quantities of up to 4 bytes extracted from a packet have "
4884-"specified values. The specification of what to extract is general enough to "
4885-"find data at given offsets from tcp headers or payloads."
5009+"This will permit packets arriving from the network with a source address "
5010+"that is also assigned to the local machine."
48865011 msgstr ""
48875012
48885013 #. type: TP
4889-#: original/man8/ip6tables.8:1777 original/man8/iptables.8:1695
5014+#: original/man8/iptables-extensions.8:1189
48905015 #, no-wrap
4891-msgid "[B<!>] B<--u32> I<tests>"
5016+msgid "B<--invert>"
48925017 msgstr ""
48935018
48945019 #. type: Plain text
4895-#: original/man8/ip6tables.8:1780 original/man8/iptables.8:1698
4896-msgid "The argument amounts to a program in a small language described below."
5020+#: original/man8/iptables-extensions.8:1193
5021+msgid ""
5022+"This will invert the sense of the match. Instead of matching packets that "
5023+"passed the reverse path filter test, match those that have failed it."
48975024 msgstr ""
48985025
48995026 #. type: Plain text
4900-#: original/man8/ip6tables.8:1782 original/man8/iptables.8:1700
4901-msgid "tests := location \"=\" value | tests \"&&\" location \"=\" value"
5027+#: original/man8/iptables-extensions.8:1195
5028+msgid "Example to log and drop packets failing the reverse path filter test:"
49025029 msgstr ""
49035030
49045031 #. type: Plain text
4905-#: original/man8/ip6tables.8:1784 original/man8/iptables.8:1702
4906-msgid "value := range | value \",\" range"
5032+#: original/man8/iptables-extensions.8:1197
5033+msgid "iptables -t raw -N RPFILTER"
49075034 msgstr ""
49085035
49095036 #. type: Plain text
4910-#: original/man8/ip6tables.8:1786 original/man8/iptables.8:1704
4911-msgid "range := number | number \":\" number"
5037+#: original/man8/iptables-extensions.8:1199
5038+msgid "iptables -t raw -A RPFILTER -m rpfilter -j RETURN"
49125039 msgstr ""
49135040
49145041 #. type: Plain text
4915-#: original/man8/ip6tables.8:1789 original/man8/iptables.8:1707
5042+#: original/man8/iptables-extensions.8:1201
49165043 msgid ""
4917-"a single number, I<n>, is interpreted the same as I<n:n>. I<n:m> is "
4918-"interpreted as the range of numbers B<E<gt>=n> and B<E<lt>=m>."
5044+"iptables -t raw -A RPFILTER -m limit --limit 10/minute -j NFLOG "
5045+"--nflog-prefix \"rpfilter drop\""
49195046 msgstr ""
49205047
49215048 #. type: Plain text
4922-#: original/man8/ip6tables.8:1791 original/man8/iptables.8:1709
4923-msgid "location := number | location operator number"
5049+#: original/man8/iptables-extensions.8:1203
5050+msgid "iptables -t raw -A RPFILTER -j DROP"
49245051 msgstr ""
49255052
49265053 #. type: Plain text
4927-#: original/man8/ip6tables.8:1793 original/man8/iptables.8:1711
4928-msgid "operator := \"&\" | \"E<lt>E<lt>\" | \"E<gt>E<gt>\" | \"@\""
5054+#: original/man8/iptables-extensions.8:1205
5055+msgid "iptables -t raw -A PREROUTING -j RPFILTER"
49295056 msgstr ""
49305057
49315058 #. type: Plain text
4932-#: original/man8/ip6tables.8:1798 original/man8/iptables.8:1716
4933-msgid ""
4934-"The operators B<&>, B<E<lt>E<lt>>, B<E<gt>E<gt>> and B<&&> mean the same as "
4935-"in C. The B<=> is really a set membership operator and the value syntax "
4936-"describes a set. The B<@> operator is what allows moving to the next header "
4937-"and is described further below."
5059+#: original/man8/iptables-extensions.8:1207
5060+msgid "Example to drop failed packets, without logging:"
49385061 msgstr ""
49395062
49405063 #. type: Plain text
4941-#: original/man8/ip6tables.8:1801 original/man8/iptables.8:1719
4942-msgid ""
4943-"There are currently some artificial implementation limits on the size of the "
4944-"tests:"
5064+#: original/man8/iptables-extensions.8:1209
5065+msgid "iptables -t raw -A RPFILTER -m rpfilter --invert -j DROP"
49455066 msgstr ""
49465067
4947-#. type: IP
4948-#: original/man8/ip6tables.8:1801 original/man8/ip6tables.8:1803 original/man8/ip6tables.8:1805 original/man8/iptables.8:1719 original/man8/iptables.8:1721 original/man8/iptables.8:1723
5068+#. type: SS
5069+#: original/man8/iptables-extensions.8:1209
49495070 #, no-wrap
4950-msgid " *"
5071+msgid "rt (IPv6-specific)"
49515072 msgstr ""
49525073
49535074 #. type: Plain text
4954-#: original/man8/ip6tables.8:1803 original/man8/iptables.8:1721
4955-msgid "no more than 10 of \"B<=>\" (and 9 \"B<&&>\"s) in the u32 argument"
5075+#: original/man8/iptables-extensions.8:1211
5076+msgid "Match on IPv6 routing header"
49565077 msgstr ""
49575078
4958-#. type: Plain text
4959-#: original/man8/ip6tables.8:1805 original/man8/iptables.8:1723
4960-msgid "no more than 10 ranges (and 9 commas) per value"
5079+#. type: TP
5080+#: original/man8/iptables-extensions.8:1211
5081+#, no-wrap
5082+msgid "[B<!>] B<--rt-type> I<type>"
49615083 msgstr ""
49625084
49635085 #. type: Plain text
4964-#: original/man8/ip6tables.8:1807 original/man8/iptables.8:1725
4965-msgid "no more than 10 numbers (and 9 operators) per location"
5086+#: original/man8/iptables-extensions.8:1214
5087+msgid "Match the type (numeric)."
49665088 msgstr ""
49675089
4968-#. type: Plain text
4969-#: original/man8/ip6tables.8:1810 original/man8/iptables.8:1728
4970-msgid ""
4971-"To describe the meaning of location, imagine the following machine that "
4972-"interprets it. There are three registers:"
5090+#. type: TP
5091+#: original/man8/iptables-extensions.8:1214
5092+#, no-wrap
5093+msgid "[B<!>] B<--rt-segsleft> I<num>[B<:>I<num>]"
49735094 msgstr ""
49745095
49755096 #. type: Plain text
4976-#: original/man8/ip6tables.8:1812 original/man8/iptables.8:1730
4977-msgid "A is of type B<char *>, initially the address of the IP header"
5097+#: original/man8/iptables-extensions.8:1217
5098+msgid "Match the `segments left' field (range)."
49785099 msgstr ""
49795100
4980-#. type: Plain text
4981-#: original/man8/ip6tables.8:1814 original/man8/iptables.8:1732
4982-msgid "B and C are unsigned 32 bit integers, initially zero"
5101+#. type: TP
5102+#: original/man8/iptables-extensions.8:1217
5103+#, no-wrap
5104+msgid "[B<!>] B<--rt-len> I<length>"
49835105 msgstr ""
49845106
49855107 #. type: Plain text
4986-#: original/man8/ip6tables.8:1816 original/man8/iptables.8:1734
4987-msgid "The instructions are:"
5108+#: original/man8/iptables-extensions.8:1220
5109+msgid "Match the length of this header."
49885110 msgstr ""
49895111
4990-#. type: Plain text
4991-#: original/man8/ip6tables.8:1818 original/man8/iptables.8:1736
4992-msgid "number B = number;"
5112+#. type: TP
5113+#: original/man8/iptables-extensions.8:1220
5114+#, no-wrap
5115+msgid "B<--rt-0-res>"
49935116 msgstr ""
49945117
49955118 #. type: Plain text
4996-#: original/man8/ip6tables.8:1820 original/man8/iptables.8:1738
4997-msgid ""
4998-"C = (*(A+B)E<lt>E<lt>24) + (*(A+B+1)E<lt>E<lt>16) + (*(A+B+2)E<lt>E<lt>8) + "
4999-"*(A+B+3)"
5119+#: original/man8/iptables-extensions.8:1223
5120+msgid "Match the reserved field, too (type=0)"
50005121 msgstr ""
50015122
5002-#. type: Plain text
5003-#: original/man8/ip6tables.8:1822 original/man8/iptables.8:1740
5004-msgid "&number C = C & number"
5123+#. type: TP
5124+#: original/man8/iptables-extensions.8:1223
5125+#, no-wrap
5126+msgid "B<--rt-0-addrs> I<addr>[B<,>I<addr>...]"
50055127 msgstr ""
50065128
50075129 #. type: Plain text
5008-#: original/man8/ip6tables.8:1824 original/man8/iptables.8:1742
5009-msgid "E<lt>E<lt> number C = C E<lt>E<lt> number"
5130+#: original/man8/iptables-extensions.8:1226
5131+msgid "Match type=0 addresses (list)."
50105132 msgstr ""
50115133
5012-#. type: Plain text
5013-#: original/man8/ip6tables.8:1826 original/man8/iptables.8:1744
5014-msgid "E<gt>E<gt> number C = C E<gt>E<gt> number"
5134+#. type: TP
5135+#: original/man8/iptables-extensions.8:1226
5136+#, no-wrap
5137+msgid "B<--rt-0-not-strict>"
50155138 msgstr ""
50165139
50175140 #. type: Plain text
5018-#: original/man8/ip6tables.8:1828 original/man8/iptables.8:1746
5019-msgid "@number A = A + C; then do the instruction number"
5141+#: original/man8/iptables-extensions.8:1229
5142+msgid "List of type=0 addresses is not a strict list."
50205143 msgstr ""
50215144
5022-#. type: Plain text
5023-#: original/man8/ip6tables.8:1831 original/man8/iptables.8:1749
5024-msgid ""
5025-"Any access of memory outside [skb-E<gt>data,skb-E<gt>end] causes the match "
5026-"to fail. Otherwise the result of the computation is the final value of C."
5145+#. type: SS
5146+#: original/man8/iptables-extensions.8:1229
5147+#, no-wrap
5148+msgid "sctp"
50275149 msgstr ""
50285150
5029-#. type: Plain text
5030-#: original/man8/ip6tables.8:1835 original/man8/iptables.8:1753
5151+#. type: TP
5152+#: original/man8/iptables-extensions.8:1234
5153+#, no-wrap
50315154 msgid ""
5032-"Whitespace is allowed but not required in the tests. However, the characters "
5033-"that do occur there are likely to require shell quoting, so it is a good "
5034-"idea to enclose the arguments in quotes."
5155+"[B<!>] B<--chunk-types> {B<all>|B<any>|B<only>} I<chunktype>[B<:>I<flags>] "
5156+"[...]"
50355157 msgstr ""
50365158
50375159 #. type: Plain text
5038-#: original/man8/ip6tables.8:1839 original/man8/iptables.8:1757
5039-msgid "match IP packets with total length E<gt>= 256"
5160+#: original/man8/iptables-extensions.8:1238
5161+msgid ""
5162+"The flag letter in upper case indicates that the flag is to match if set, in "
5163+"the lower case indicates to match if unset."
50405164 msgstr ""
50415165
50425166 #. type: Plain text
5043-#: original/man8/ip6tables.8:1841 original/man8/iptables.8:1759
5044-msgid "The IP header contains a total length field in bytes 2-3."
5167+#: original/man8/iptables-extensions.8:1240
5168+msgid ""
5169+"Chunk types: DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN "
5170+"SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE "
5171+"ASCONF ASCONF_ACK FORWARD_TSN"
50455172 msgstr ""
50465173
50475174 #. type: Plain text
5048-#: original/man8/ip6tables.8:1843 original/man8/iptables.8:1761
5049-msgid "--u32 \"B<0 & 0xFFFF = 0x100:0xFFFF>\""
5175+#: original/man8/iptables-extensions.8:1242
5176+msgid "chunk type available flags"
50505177 msgstr ""
50515178
50525179 #. type: Plain text
5053-#: original/man8/ip6tables.8:1845 original/man8/iptables.8:1763
5054-msgid "read bytes 0-3"
5180+#: original/man8/iptables-extensions.8:1244
5181+msgid "DATA I U B E i u b e"
50555182 msgstr ""
50565183
50575184 #. type: Plain text
5058-#: original/man8/ip6tables.8:1848 original/man8/iptables.8:1766
5059-msgid ""
5060-"AND that with 0xFFFF (giving bytes 2-3), and test whether that is in the "
5061-"range [0x100:0xFFFF]"
5185+#: original/man8/iptables-extensions.8:1246
5186+msgid "ABORT T t"
50625187 msgstr ""
50635188
50645189 #. type: Plain text
5065-#: original/man8/ip6tables.8:1850 original/man8/iptables.8:1768
5066-msgid "Example: (more realistic, hence more complicated)"
5190+#: original/man8/iptables-extensions.8:1248
5191+msgid "SHUTDOWN_COMPLETE T t"
50675192 msgstr ""
50685193
50695194 #. type: Plain text
5070-#: original/man8/ip6tables.8:1852 original/man8/iptables.8:1770
5071-msgid "match ICMP packets with icmp type 0"
5195+#: original/man8/iptables-extensions.8:1250
5196+msgid "(lowercase means flag should be \"off\", uppercase means \"on\")"
50725197 msgstr ""
50735198
50745199 #. type: Plain text
5075-#: original/man8/ip6tables.8:1854 original/man8/iptables.8:1772
5076-msgid "First test that it is an ICMP packet, true iff byte 9 (protocol) = 1"
5200+#: original/man8/iptables-extensions.8:1254
5201+msgid "iptables -A INPUT -p sctp --dport 80 -j DROP"
50775202 msgstr ""
50785203
50795204 #. type: Plain text
5080-#: original/man8/ip6tables.8:1856 original/man8/iptables.8:1774
5081-msgid "--u32 \"B<6 & 0xFF = 1 &&> ..."
5205+#: original/man8/iptables-extensions.8:1256
5206+msgid "iptables -A INPUT -p sctp --chunk-types any DATA,INIT -j DROP"
50825207 msgstr ""
50835208
50845209 #. type: Plain text
5085-#: original/man8/ip6tables.8:1863 original/man8/iptables.8:1781
5086-msgid ""
5087-"read bytes 6-9, use B<&> to throw away bytes 6-8 and compare the result to "
5088-"1. Next test that it is not a fragment. (If so, it might be part of such a "
5089-"packet but we cannot always tell.) N.B.: This test is generally needed if "
5090-"you want to match anything beyond the IP header. The last 6 bits of byte 6 "
5091-"and all of byte 7 are 0 iff this is a complete packet (not a "
5092-"fragment). Alternatively, you can allow first fragments by only testing the "
5093-"last 5 bits of byte 6."
5210+#: original/man8/iptables-extensions.8:1258
5211+msgid "iptables -A INPUT -p sctp --chunk-types any DATA:Be -j ACCEPT"
50945212 msgstr ""
50955213
5096-#. type: Plain text
5097-#: original/man8/ip6tables.8:1865 original/man8/iptables.8:1783
5098-msgid "... B<4 & 0x3FFF = 0 &&> ..."
5214+#. type: SS
5215+#: original/man8/iptables-extensions.8:1258
5216+#, no-wrap
5217+msgid "set"
50995218 msgstr ""
51005219
51015220 #. type: Plain text
5102-#: original/man8/ip6tables.8:1869 original/man8/iptables.8:1787
5103-msgid ""
5104-"Last test: the first byte past the IP header (the type) is 0. This is where "
5105-"we have to use the @syntax. The length of the IP header (IHL) in 32 bit "
5106-"words is stored in the right half of byte 0 of the IP header itself."
5221+#: original/man8/iptables-extensions.8:1260
5222+msgid "This module matches IP sets which can be defined by ipset(8)."
51075223 msgstr ""
51085224
5109-#. type: Plain text
5110-#: original/man8/ip6tables.8:1871 original/man8/iptables.8:1789
5111-msgid "... B<0 E<gt>E<gt> 22 & 0x3C @ 0 E<gt>E<gt> 24 = 0>\""
5225+#. type: TP
5226+#: original/man8/iptables-extensions.8:1260
5227+#, no-wrap
5228+msgid "[B<!>] B<--match-set> I<setname> I<flag>[B<,>I<flag>]..."
51125229 msgstr ""
51135230
51145231 #. type: Plain text
5115-#: original/man8/ip6tables.8:1883 original/man8/iptables.8:1801
5232+#: original/man8/iptables-extensions.8:1267
51165233 msgid ""
5117-"The first 0 means read bytes 0-3, B<E<gt>E<gt>22> means shift that 22 bits "
5118-"to the right. Shifting 24 bits would give the first byte, so only 22 bits is "
5119-"four times that plus a few more bits. B<&3C> then eliminates the two extra "
5120-"bits on the right and the first four bits of the first byte. For instance, "
5121-"if IHL=5, then the IP header is 20 (4 x 5) bytes long. In this case, bytes "
5122-"0-1 are (in binary) xxxx0101 yyzzzzzz, B<E<gt>E<gt>22> gives the 10 bit "
5123-"value xxxx0101yy and B<&3C> gives 010100. B<@> means to use this number as a "
5124-"new offset into the packet, and read four bytes starting from there. This is "
5125-"the first 4 bytes of the ICMP payload, of which byte 0 is the ICMP "
5126-"type. Therefore, we simply shift the value 24 to the right to throw out all "
5127-"but the first byte and compare the result with 0."
5234+"where flags are the comma separated list of B<src> and/or B<dst> "
5235+"specifications and there can be no more than six of them. Hence the command"
51285236 msgstr ""
51295237
51305238 #. type: Plain text
5131-#: original/man8/ip6tables.8:1887 original/man8/iptables.8:1805
5132-msgid "TCP payload bytes 8-12 is any of 1, 2, 5 or 8"
5239+#: original/man8/iptables-extensions.8:1269
5240+#, no-wrap
5241+msgid " iptables -A FORWARD -m set --match-set test src,dst\n"
51335242 msgstr ""
51345243
51355244 #. type: Plain text
5136-#: original/man8/ip6tables.8:1889 original/man8/iptables.8:1807
5137-msgid "First we test that the packet is a tcp packet (similar to ICMP)."
5245+#: original/man8/iptables-extensions.8:1275
5246+msgid ""
5247+"will match packets, for which (if the set type is ipportmap) the source "
5248+"address and destination port pair can be found in the specified set. If the "
5249+"set type of the specified set is single dimension (for example ipmap), then "
5250+"the command will match packets for which the source address can be found in "
5251+"the specified set."
51385252 msgstr ""
51395253
5140-#. type: Plain text
5141-#: original/man8/ip6tables.8:1891 original/man8/iptables.8:1809
5142-msgid "--u32 \"B<6 & 0xFF = 6 &&> ..."
5254+#. type: TP
5255+#: original/man8/iptables-extensions.8:1275
5256+#, no-wrap
5257+msgid "B<--return--nomatch>"
51435258 msgstr ""
51445259
51455260 #. type: Plain text
5146-#: original/man8/ip6tables.8:1893 original/man8/iptables.8:1811
5147-msgid "Next, test that it is not a fragment (same as above)."
5261+#: original/man8/iptables-extensions.8:1281
5262+msgid ""
5263+"If the B<--return--nomatch> option is specified and the set type supports "
5264+"the B<nomatch> flag, then the matching is reversed: a match with an element "
5265+"flagged with B<nomatch> returns B<true>, while a match with a plain element "
5266+"returns B<false>."
51485267 msgstr ""
51495268
51505269 #. type: Plain text
5151-#: original/man8/ip6tables.8:1895 original/man8/iptables.8:1813
5152-msgid "... B<0 E<gt>E<gt> 22 & 0x3C @ 12 E<gt>E<gt> 26 & 0x3C @ 8 = 1,2,5,8>\""
5270+#: original/man8/iptables-extensions.8:1284
5271+msgid ""
5272+"The option B<--match-set> can be replaced by B<--set> if that does not clash "
5273+"with an option of other extensions."
51535274 msgstr ""
51545275
51555276 #. type: Plain text
5156-#: original/man8/ip6tables.8:1903 original/man8/iptables.8:1821
5277+#: original/man8/iptables-extensions.8:1287
51575278 msgid ""
5158-"B<0E<gt>E<gt>22&3C> as above computes the number of bytes in the IP "
5159-"header. B<@> makes this the new offset into the packet, which is the start "
5160-"of the TCP header. The length of the TCP header (again in 32 bit words) is "
5161-"the left half of byte 12 of the TCP header. The B<12E<gt>E<gt>26&3C> "
5162-"computes this length in bytes (similar to the IP header before). \"@\" makes "
5163-"this the new offset, which is the start of the TCP payload. Finally, 8 reads "
5164-"bytes 8-12 of the payload and B<=> checks whether the result is any of 1, 2, "
5165-"5 or 8."
5279+"Use of -m set requires that ipset kernel support is provided, which, for "
5280+"standard kernels, is the case since Linux 2.6.39."
51665281 msgstr ""
51675282
51685283 #. type: SS
5169-#: original/man8/ip6tables.8:1903 original/man8/iptables.8:1821
5284+#: original/man8/iptables-extensions.8:1287
51705285 #, no-wrap
5171-msgid "udp"
5172-msgstr ""
5173-
5174-#. type: Plain text
5175-#: original/man8/ip6tables.8:1906 original/man8/iptables.8:1824
5176-msgid ""
5177-"These extensions can be used if `--protocol udp' is specified. It provides "
5178-"the following options:"
5179-msgstr ""
5180-
5181-#. type: Plain text
5182-#: original/man8/ip6tables.8:1912 original/man8/iptables.8:1830
5183-msgid ""
5184-"Source port or port range specification. See the description of the "
5185-"B<--source-port> option of the TCP extension for details."
5286+msgid "socket"
51865287 msgstr ""
51875288
51885289 #. type: Plain text
5189-#: original/man8/ip6tables.8:1918 original/man8/iptables.8:1836
5290+#: original/man8/iptables-extensions.8:1290
51905291 msgid ""
5191-"Destination port or port range specification. See the description of the "
5192-"B<--destination-port> option of the TCP extension for details."
5292+"This matches if an open socket can be found by doing a socket lookup on the "
5293+"packet."
51935294 msgstr ""
51945295
5195-#. type: SH
5196-#: original/man8/ip6tables.8:1918 original/man8/iptables.8:1839
5296+#. type: TP
5297+#: original/man8/iptables-extensions.8:1290
51975298 #, no-wrap
5198-msgid "TARGET EXTENSIONS"
5299+msgid "B<--transparent>"
51995300 msgstr ""
52005301
5201-#. @TARGET@
52025302 #. type: Plain text
5203-#: original/man8/ip6tables.8:1922
5204-msgid ""
5205-"ip6tables can use extended target modules: the following are included in the "
5206-"standard distribution."
5303+#: original/man8/iptables-extensions.8:1293
5304+msgid "Ignore non-transparent sockets."
52075305 msgstr ""
52085306
52095307 #. type: SS
5210-#: original/man8/ip6tables.8:1922 original/man8/iptables.8:1843
5308+#: original/man8/iptables-extensions.8:1293
52115309 #, no-wrap
5212-msgid "AUDIT"
5310+msgid "state"
52135311 msgstr ""
52145312
52155313 #. type: Plain text
5216-#: original/man8/ip6tables.8:1926 original/man8/iptables.8:1847
5314+#: original/man8/iptables-extensions.8:1296
52175315 msgid ""
5218-"This target allows to create audit records for packets hitting the target. "
5219-"It can be used to record accepted, dropped, and rejected packets. See "
5220-"auditd(8) for additional details."
5316+"The \"state\" extension is a subset of the \"conntrack\" module. \"state\" "
5317+"allows access to the connection tracking state for this packet."
52215318 msgstr ""
52225319
52235320 #. type: TP
5224-#: original/man8/ip6tables.8:1926 original/man8/iptables.8:1847
5321+#: original/man8/iptables-extensions.8:1296
52255322 #, no-wrap
5226-msgid "B<--type> {B<accept>|B<drop>|B<reject>}"
5323+msgid "[B<!>] B<--state> I<state>"
52275324 msgstr ""
52285325
52295326 #. type: Plain text
5230-#: original/man8/ip6tables.8:1929 original/man8/iptables.8:1850
5231-msgid "Set type of audit record."
5327+#: original/man8/iptables-extensions.8:1302
5328+msgid ""
5329+"Where state is a comma separated list of the connection states to "
5330+"match. Only a subset of the states unterstood by \"conntrack\" are "
5331+"recognized: B<INVALID>, B<ESTABLISHED>, B<NEW>, B<RELATED> or "
5332+"B<UNTRACKED>. For their description, see the \"conntrack\" heading in this "
5333+"manpage."
52325334 msgstr ""
52335335
5234-#. type: Plain text
5235-#: original/man8/ip6tables.8:1933 original/man8/iptables.8:1854
5236-msgid "iptables -N AUDIT_DROP"
5336+#. type: SS
5337+#: original/man8/iptables-extensions.8:1302
5338+#, no-wrap
5339+msgid "statistic"
52375340 msgstr ""
52385341
52395342 #. type: Plain text
5240-#: original/man8/ip6tables.8:1935 original/man8/iptables.8:1856
5241-msgid "iptables -A AUDIT_DROP -j AUDIT --type drop"
5343+#: original/man8/iptables-extensions.8:1307
5344+msgid ""
5345+"This module matches packets based on some statistic condition. It supports "
5346+"two distinct modes settable with the B<--mode> option."
52425347 msgstr ""
52435348
52445349 #. type: Plain text
5245-#: original/man8/ip6tables.8:1937 original/man8/iptables.8:1858
5246-msgid "iptables -A AUDIT_DROP -j DROP"
5350+#: original/man8/iptables-extensions.8:1309
5351+msgid "Supported options:"
52475352 msgstr ""
52485353
5249-#. type: SS
5250-#: original/man8/ip6tables.8:1937 original/man8/iptables.8:1858
5354+#. type: TP
5355+#: original/man8/iptables-extensions.8:1309
52515356 #, no-wrap
5252-msgid "CHECKSUM"
5357+msgid "B<--mode> I<mode>"
52535358 msgstr ""
52545359
52555360 #. type: Plain text
5256-#: original/man8/ip6tables.8:1940 original/man8/iptables.8:1861
5361+#: original/man8/iptables-extensions.8:1315
52575362 msgid ""
5258-"This target allows to selectively work around broken/old applications. It "
5259-"can only be used in the mangle table."
5363+"Set the matching mode of the matching rule, supported modes are B<random> "
5364+"and B<nth.>"
52605365 msgstr ""
52615366
52625367 #. type: TP
5263-#: original/man8/ip6tables.8:1940 original/man8/iptables.8:1861
5368+#: original/man8/iptables-extensions.8:1315
52645369 #, no-wrap
5265-msgid "B<--checksum-fill>"
5370+msgid "[B<!>] B<--probability> I<p>"
52665371 msgstr ""
52675372
52685373 #. type: Plain text
5269-#: original/man8/ip6tables.8:1946 original/man8/iptables.8:1867
5374+#: original/man8/iptables-extensions.8:1320
52705375 msgid ""
5271-"Compute and fill in the checksum in a packet that lacks a checksum. This is "
5272-"particularly useful, if you need to work around old applications such as "
5273-"dhcp clients, that do not work well with checksum offloads, but don't want "
5274-"to disable checksum offload in your device."
5376+"Set the probability for a packet to be randomly matched. It only works with "
5377+"the B<random> mode. I<p> must be within 0.0 and 1.0. The supported "
5378+"granularity is in 1/2147483648th increments."
52755379 msgstr ""
52765380
5277-#. type: SS
5278-#: original/man8/ip6tables.8:1946 original/man8/iptables.8:1867
5381+#. type: TP
5382+#: original/man8/iptables-extensions.8:1320
52795383 #, no-wrap
5280-msgid "CLASSIFY"
5384+msgid "[B<!>] B<--every> I<n>"
52815385 msgstr ""
52825386
52835387 #. type: Plain text
5284-#: original/man8/ip6tables.8:1948 original/man8/iptables.8:1869
5388+#: original/man8/iptables-extensions.8:1327
52855389 msgid ""
5286-"This module allows you to set the skb-E<gt>priority value (and thus classify "
5287-"the packet into a specific CBQ class)."
5390+"Match one packet every nth packet. It works only with the B<nth> mode (see "
5391+"also the B<--packet> option)."
52885392 msgstr ""
52895393
52905394 #. type: TP
5291-#: original/man8/ip6tables.8:1948 original/man8/iptables.8:1869
5395+#: original/man8/iptables-extensions.8:1327
52925396 #, no-wrap
5293-msgid "B<--set-class> I<major>B<:>I<minor>"
5397+msgid "B<--packet> I<p>"
52945398 msgstr ""
52955399
52965400 #. type: Plain text
5297-#: original/man8/ip6tables.8:1952 original/man8/iptables.8:1873
5401+#: original/man8/iptables-extensions.8:1332
52985402 msgid ""
5299-"Set the major and minor class value. The values are always interpreted as "
5300-"hexadecimal even if no 0x prefix is given."
5403+"Set the initial counter value (0 E<lt>= p E<lt>= n-1, default 0) for the "
5404+"B<nth> mode."
53015405 msgstr ""
53025406
53035407 #. type: SS
5304-#: original/man8/ip6tables.8:1952 original/man8/iptables.8:1898
5408+#: original/man8/iptables-extensions.8:1332
53055409 #, no-wrap
5306-msgid "CONNMARK"
5410+msgid "string"
53075411 msgstr ""
53085412
53095413 #. type: Plain text
5310-#: original/man8/ip6tables.8:1955 original/man8/iptables.8:1901
5414+#: original/man8/iptables-extensions.8:1334
53115415 msgid ""
5312-"This module sets the netfilter mark value associated with a connection. The "
5313-"mark is 32 bits wide."
5416+"This modules matches a given string by using some pattern matching "
5417+"strategy. It requires a linux kernel E<gt>= 2.6.14."
53145418 msgstr ""
53155419
53165420 #. type: TP
5317-#: original/man8/ip6tables.8:1955 original/man8/ip6tables.8:2138 original/man8/iptables.8:1901 original/man8/iptables.8:2114
5421+#: original/man8/iptables-extensions.8:1334
53185422 #, no-wrap
5319-msgid "B<--set-xmark> I<value>[B</>I<mask>]"
5423+msgid "B<--algo> {B<bm>|B<kmp>}"
53205424 msgstr ""
53215425
53225426 #. type: Plain text
5323-#: original/man8/ip6tables.8:1958 original/man8/iptables.8:1904
5324-msgid "Zero out the bits given by I<mask> and XOR I<value> into the ctmark."
5427+#: original/man8/iptables-extensions.8:1337
5428+msgid ""
5429+"Select the pattern matching strategy. (bm = Boyer-Moore, kmp = "
5430+"Knuth-Pratt-Morris)"
53255431 msgstr ""
53265432
53275433 #. type: TP
5328-#: original/man8/ip6tables.8:1958 original/man8/iptables.8:1904
5434+#: original/man8/iptables-extensions.8:1337
53295435 #, no-wrap
5330-msgid "B<--save-mark> [B<--nfmask> I<nfmask>] [B<--ctmask> I<ctmask>]"
5331-msgstr ""
5332-
5333-#. type: Plain text
5334-#: original/man8/ip6tables.8:1962 original/man8/iptables.8:1908
5335-msgid ""
5336-"Copy the packet mark (nfmark) to the connection mark (ctmark) using the "
5337-"given masks. The new nfmark value is determined as follows:"
5338-msgstr ""
5339-
5340-#. type: Plain text
5341-#: original/man8/ip6tables.8:1964 original/man8/iptables.8:1910
5342-msgid "ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)"
5436+msgid "B<--from> I<offset>"
53435437 msgstr ""
53445438
53455439 #. type: Plain text
5346-#: original/man8/ip6tables.8:1968 original/man8/iptables.8:1914
5440+#: original/man8/iptables-extensions.8:1340
53475441 msgid ""
5348-"i.e. I<ctmask> defines what bits to clear and I<nfmask> what bits of the "
5349-"nfmark to XOR into the ctmark. I<ctmask> and I<nfmask> default to "
5350-"0xFFFFFFFF."
5442+"Set the offset from which it starts looking for any matching. If not passed, "
5443+"default is 0."
53515444 msgstr ""
53525445
53535446 #. type: TP
5354-#: original/man8/ip6tables.8:1968 original/man8/iptables.8:1914
5447+#: original/man8/iptables-extensions.8:1340
53555448 #, no-wrap
5356-msgid "B<--restore-mark> [B<--nfmask> I<nfmask>] [B<--ctmask> I<ctmask>]"
5449+msgid "B<--to> I<offset>"
53575450 msgstr ""
53585451
53595452 #. type: Plain text
5360-#: original/man8/ip6tables.8:1972 original/man8/iptables.8:1918
5453+#: original/man8/iptables-extensions.8:1345
53615454 msgid ""
5362-"Copy the connection mark (ctmark) to the packet mark (nfmark) using the "
5363-"given masks. The new ctmark value is determined as follows:"
5455+"Set the offset up to which should be scanned. That is, byte I<offset>-1 "
5456+"(counting from 0) is the last one that is scanned. If not passed, default "
5457+"is the packet size."
53645458 msgstr ""
53655459
5366-#. type: Plain text
5367-#: original/man8/ip6tables.8:1974 original/man8/iptables.8:1920
5368-msgid "nfmark = (nfmark & ~I<nfmask>) ^ (ctmark & I<ctmask>);"
5460+#. type: TP
5461+#: original/man8/iptables-extensions.8:1345
5462+#, no-wrap
5463+msgid "[B<!>] B<--string> I<pattern>"
53695464 msgstr ""
53705465
53715466 #. type: Plain text
5372-#: original/man8/ip6tables.8:1978 original/man8/iptables.8:1924
5373-msgid ""
5374-"i.e. I<nfmask> defines what bits to clear and I<ctmask> what bits of the "
5375-"ctmark to XOR into the nfmark. I<ctmask> and I<nfmask> default to "
5376-"0xFFFFFFFF."
5467+#: original/man8/iptables-extensions.8:1348
5468+msgid "Matches the given pattern."
53775469 msgstr ""
53785470
5379-#. type: Plain text
5380-#: original/man8/ip6tables.8:1980 original/man8/iptables.8:1926
5381-msgid "B<--restore-mark> is only valid in the B<mangle> table."
5471+#. type: TP
5472+#: original/man8/iptables-extensions.8:1348
5473+#, no-wrap
5474+msgid "[B<!>] B<--hex-string> I<pattern>"
53825475 msgstr ""
53835476
53845477 #. type: Plain text
5385-#: original/man8/ip6tables.8:1982 original/man8/iptables.8:1928
5386-msgid "The following mnemonics are available for B<--set-xmark>:"
5478+#: original/man8/iptables-extensions.8:1351
5479+msgid "Matches the given pattern in hex notation."
53875480 msgstr ""
53885481
5389-#. type: TP
5390-#: original/man8/ip6tables.8:1982 original/man8/ip6tables.8:2148 original/man8/iptables.8:1928 original/man8/iptables.8:2124
5482+#. type: SS
5483+#: original/man8/iptables-extensions.8:1351
53915484 #, no-wrap
5392-msgid "B<--and-mark> I<bits>"
5485+msgid "tcp"
53935486 msgstr ""
53945487
53955488 #. type: Plain text
5396-#: original/man8/ip6tables.8:1986 original/man8/iptables.8:1932
5489+#: original/man8/iptables-extensions.8:1354
53975490 msgid ""
5398-"Binary AND the ctmark with I<bits>. (Mnemonic for B<--set-xmark "
5399-"0/>I<invbits>, where I<invbits> is the binary negation of I<bits>.)"
5491+"These extensions can be used if `--protocol tcp' is specified. It provides "
5492+"the following options:"
54005493 msgstr ""
54015494
5402-#. type: TP
5403-#: original/man8/ip6tables.8:1986 original/man8/ip6tables.8:2152 original/man8/iptables.8:1932 original/man8/iptables.8:2128
5404-#, no-wrap
5405-msgid "B<--or-mark> I<bits>"
5495+#. type: Plain text
5496+#: original/man8/iptables-extensions.8:1365
5497+msgid ""
5498+"Source port or port range specification. This can either be a service name "
5499+"or a port number. An inclusive range can also be specified, using the format "
5500+"I<first>B<:>I<last>. If the first port is omitted, \"0\" is assumed; if the "
5501+"last is omitted, \"65535\" is assumed. If the first port is greater than "
5502+"the second one they will be swapped. The flag B<--sport> is a convenient "
5503+"alias for this option."
54065504 msgstr ""
54075505
54085506 #. type: Plain text
5409-#: original/man8/ip6tables.8:1990 original/man8/iptables.8:1936
5507+#: original/man8/iptables-extensions.8:1370
54105508 msgid ""
5411-"Binary OR the ctmark with I<bits>. (Mnemonic for B<--set-xmark> "
5412-"I<bits>B</>I<bits>.)"
5509+"Destination port or port range specification. The flag B<--dport> is a "
5510+"convenient alias for this option."
54135511 msgstr ""
54145512
54155513 #. type: TP
5416-#: original/man8/ip6tables.8:1990 original/man8/ip6tables.8:2156 original/man8/iptables.8:1936 original/man8/iptables.8:2132
5514+#: original/man8/iptables-extensions.8:1370
54175515 #, no-wrap
5418-msgid "B<--xor-mark> I<bits>"
5516+msgid "[B<!>] B<--tcp-flags> I<mask> I<comp>"
54195517 msgstr ""
54205518
54215519 #. type: Plain text
5422-#: original/man8/ip6tables.8:1994 original/man8/iptables.8:1940
5520+#: original/man8/iptables-extensions.8:1378
54235521 msgid ""
5424-"Binary XOR the ctmark with I<bits>. (Mnemonic for B<--set-xmark> "
5425-"I<bits>B</0>.)"
5522+"Match when the TCP flags are as specified. The first argument I<mask> is "
5523+"the flags which we should examine, written as a comma-separated list, and "
5524+"the second argument I<comp> is a comma-separated list of flags which must be "
5525+"set. Flags are: B<SYN ACK FIN RST URG PSH ALL NONE>. Hence the command"
54265526 msgstr ""
54275527
5428-#. type: TP
5429-#: original/man8/ip6tables.8:1994 original/man8/ip6tables.8:2142 original/man8/iptables.8:1940 original/man8/iptables.8:2118
5528+#. type: Plain text
5529+#: original/man8/iptables-extensions.8:1380
54305530 #, no-wrap
5431-msgid "B<--set-mark> I<value>[B</>I<mask>]"
5531+msgid " iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN\n"
54325532 msgstr ""
54335533
54345534 #. type: Plain text
5435-#: original/man8/ip6tables.8:1998 original/man8/iptables.8:1944
5535+#: original/man8/iptables-extensions.8:1383
54365536 msgid ""
5437-"Set the connection mark. If a mask is specified then only those bits set in "
5438-"the mask are modified."
5537+"will only match packets with the SYN flag set, and the ACK, FIN and RST "
5538+"flags unset."
54395539 msgstr ""
54405540
54415541 #. type: TP
5442-#: original/man8/ip6tables.8:1998 original/man8/iptables.8:1944
5542+#: original/man8/iptables-extensions.8:1383
54435543 #, no-wrap
5444-msgid "B<--save-mark> [B<--mask> I<mask>]"
5544+msgid "[B<!>] B<--syn>"
54455545 msgstr ""
54465546
54475547 #. type: Plain text
5448-#: original/man8/ip6tables.8:2002 original/man8/iptables.8:1948
5548+#: original/man8/iptables-extensions.8:1393
54495549 msgid ""
5450-"Copy the nfmark to the ctmark. If a mask is specified, only those bits are "
5451-"copied."
5550+"Only match TCP packets with the SYN bit set and the ACK,RST and FIN bits "
5551+"cleared. Such packets are used to request TCP connection initiation; for "
5552+"example, blocking such packets coming in an interface will prevent incoming "
5553+"TCP connections, but outgoing TCP connections will be unaffected. It is "
5554+"equivalent to B<--tcp-flags SYN,RST,ACK,FIN SYN>. If the \"!\" flag "
5555+"precedes the \"--syn\", the sense of the option is inverted."
54525556 msgstr ""
54535557
54545558 #. type: TP
5455-#: original/man8/ip6tables.8:2002 original/man8/iptables.8:1948
5559+#: original/man8/iptables-extensions.8:1393
54565560 #, no-wrap
5457-msgid "B<--restore-mark> [B<--mask> I<mask>]"
5561+msgid "[B<!>] B<--tcp-option> I<number>"
54585562 msgstr ""
54595563
54605564 #. type: Plain text
5461-#: original/man8/ip6tables.8:2006 original/man8/iptables.8:1952
5462-msgid ""
5463-"Copy the ctmark to the nfmark. If a mask is specified, only those bits are "
5464-"copied. This is only valid in the B<mangle> table."
5565+#: original/man8/iptables-extensions.8:1396
5566+msgid "Match if TCP option set."
54655567 msgstr ""
54665568
54675569 #. type: SS
5468-#: original/man8/ip6tables.8:2006 original/man8/iptables.8:1952
5570+#: original/man8/iptables-extensions.8:1396
54695571 #, no-wrap
5470-msgid "CONNSECMARK"
5572+msgid "tcpmss"
54715573 msgstr ""
54725574
54735575 #. type: Plain text
5474-#: original/man8/ip6tables.8:2016 original/man8/iptables.8:1962
5576+#: original/man8/iptables-extensions.8:1398
54755577 msgid ""
5476-"This module copies security markings from packets to connections (if "
5477-"unlabeled), and from connections back to packets (also only if unlabeled). "
5478-"Typically used in conjunction with SECMARK, it is valid in the B<security> "
5479-"table (for backwards compatibility with older kernels, it is also valid in "
5480-"the B<mangle> table)."
5578+"This matches the TCP MSS (maximum segment size) field of the TCP header. "
5579+"You can only use this on TCP SYN or SYN/ACK packets, since the MSS is only "
5580+"negotiated during the TCP handshake at connection startup time."
54815581 msgstr ""
54825582
54835583 #. type: TP
5484-#: original/man8/ip6tables.8:2016 original/man8/iptables.8:1962
5584+#: original/man8/iptables-extensions.8:1398
54855585 #, no-wrap
5486-msgid "B<--save>"
5586+msgid "[B<!>] B<--mss> I<value>[B<:>I<value>]"
54875587 msgstr ""
54885588
54895589 #. type: Plain text
5490-#: original/man8/ip6tables.8:2020 original/man8/iptables.8:1966
5491-msgid ""
5492-"If the packet has a security marking, copy it to the connection if the "
5493-"connection is not marked."
5590+#: original/man8/iptables-extensions.8:1401
5591+msgid "Match a given TCP MSS value or range."
54945592 msgstr ""
54955593
5496-#. type: TP
5497-#: original/man8/ip6tables.8:2020 original/man8/iptables.8:1966
5594+#. type: SS
5595+#: original/man8/iptables-extensions.8:1401
54985596 #, no-wrap
5499-msgid "B<--restore>"
5597+msgid "time"
55005598 msgstr ""
55015599
55025600 #. type: Plain text
5503-#: original/man8/ip6tables.8:2024 original/man8/iptables.8:1970
5601+#: original/man8/iptables-extensions.8:1405
55045602 msgid ""
5505-"If the packet does not have a security marking, and the connection does, "
5506-"copy the security marking from the connection to the packet."
5603+"This matches if the packet arrival time/date is within a given range. All "
5604+"options are optional, but are ANDed when specified. All times are "
5605+"interpreted as UTC by default."
55075606 msgstr ""
55085607
5509-#. type: SS
5510-#: original/man8/ip6tables.8:2025 original/man8/iptables.8:1971
5608+#. type: TP
5609+#: original/man8/iptables-extensions.8:1405
55115610 #, no-wrap
5512-msgid "CT"
5513-msgstr ""
5514-
5515-#. type: Plain text
5516-#: original/man8/ip6tables.8:2030 original/man8/iptables.8:1976
55175611 msgid ""
5518-"The CT target allows to set parameters for a packet or its associated "
5519-"connection. The target attaches a \"template\" connection tracking entry to "
5520-"the packet, which is then used by the conntrack core when initializing a new "
5521-"ct entry. This target is thus only valid in the \"raw\" table."
5612+"B<--datestart> "
5613+"I<YYYY>[B<->I<MM>[B<->I<DD>[B<T>I<hh>[B<:>I<mm>[B<:>I<ss>]]]]]"
55225614 msgstr ""
55235615
55245616 #. type: TP
5525-#: original/man8/ip6tables.8:2030 original/man8/iptables.8:1976
5617+#: original/man8/iptables-extensions.8:1407
55265618 #, no-wrap
5527-msgid "B<--notrack>"
5619+msgid "B<--datestop> I<YYYY>[B<->I<MM>[B<->I<DD>[B<T>I<hh>[B<:>I<mm>[B<:>I<ss>]]]]]"
55285620 msgstr ""
55295621
55305622 #. type: Plain text
5531-#: original/man8/ip6tables.8:2033 original/man8/iptables.8:1979
5532-msgid "Disables connection tracking for this packet."
5533-msgstr ""
5534-
5535-#. type: TP
5536-#: original/man8/ip6tables.8:2033 original/man8/iptables.8:1979
5537-#, no-wrap
5538-msgid "B<--helper> I<name>"
5623+#: original/man8/iptables-extensions.8:1411
5624+msgid ""
5625+"Only match during the given time, which must be in ISO 8601 \"T\" notation. "
5626+"The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07."
55395627 msgstr ""
55405628
55415629 #. type: Plain text
5542-#: original/man8/ip6tables.8:2037 original/man8/iptables.8:1983
5630+#: original/man8/iptables-extensions.8:1414
55435631 msgid ""
5544-"Use the helper identified by I<name> for the connection. This is more "
5545-"flexible than loading the conntrack helper modules with preset ports."
5632+"If --datestart or --datestop are not specified, it will default to "
5633+"1970-01-01 and 2038-01-19, respectively."
55465634 msgstr ""
55475635
55485636 #. type: TP
5549-#: original/man8/ip6tables.8:2037 original/man8/iptables.8:1983
5637+#: original/man8/iptables-extensions.8:1414
55505638 #, no-wrap
5551-msgid "B<--ctevents> I<event>[B<,>...]"
5552-msgstr ""
5553-
5554-#. type: Plain text
5555-#: original/man8/ip6tables.8:2043 original/man8/iptables.8:1989
5556-msgid ""
5557-"Only generate the specified conntrack events for this connection. Possible "
5558-"event types are: B<new>, B<related>, B<destroy>, B<reply>, B<assured>, "
5559-"B<protoinfo>, B<helper>, B<mark> (this refers to the ctmark, not nfmark), "
5560-"B<natseqinfo>, B<secmark> (ctsecmark)."
5639+msgid "B<--timestart> I<hh>B<:>I<mm>[B<:>I<ss>]"
55615640 msgstr ""
55625641
55635642 #. type: TP
5564-#: original/man8/ip6tables.8:2043 original/man8/iptables.8:1989
5643+#: original/man8/iptables-extensions.8:1416
55655644 #, no-wrap
5566-msgid "B<--expevents> I<event>[B<,>...]"
5645+msgid "B<--timestop> I<hh>B<:>I<mm>[B<:>I<ss>]"
55675646 msgstr ""
55685647
55695648 #. type: Plain text
5570-#: original/man8/ip6tables.8:2047 original/man8/iptables.8:1993
5649+#: original/man8/iptables-extensions.8:1421
55715650 msgid ""
5572-"Only generate the specified expectation events for this connection. "
5573-"Possible event types are: B<new>."
5651+"Only match during the given daytime. The possible time range is 00:00:00 to "
5652+"23:59:59. Leading zeroes are allowed (e.g. \"06:03\") and correctly "
5653+"interpreted as base-10."
55745654 msgstr ""
55755655
55765656 #. type: TP
5577-#: original/man8/ip6tables.8:2047 original/man8/iptables.8:1993
5657+#: original/man8/iptables-extensions.8:1421
55785658 #, no-wrap
5579-msgid "B<--zone> I<id>"
5659+msgid "[B<!>] B<--monthdays> I<day>[B<,>I<day>...]"
55805660 msgstr ""
55815661
55825662 #. type: Plain text
5583-#: original/man8/ip6tables.8:2051 original/man8/iptables.8:1997
5663+#: original/man8/iptables-extensions.8:1427
55845664 msgid ""
5585-"Assign this packet to zone I<id> and only have lookups done in that zone. "
5586-"By default, packets have zone 0."
5665+"Only match on the given days of the month. Possible values are B<1> to "
5666+"B<31>. Note that specifying B<31> will of course not match on months which "
5667+"do not have a 31st day; the same goes for 28- or 29-day February."
55875668 msgstr ""
55885669
5589-#. type: SS
5590-#: original/man8/ip6tables.8:2051 original/man8/iptables.8:2037
5670+#. type: TP
5671+#: original/man8/iptables-extensions.8:1427
55915672 #, no-wrap
5592-msgid "DSCP"
5673+msgid "[B<!>] B<--weekdays> I<day>[B<,>I<day>...]"
55935674 msgstr ""
55945675
55955676 #. type: Plain text
5596-#: original/man8/ip6tables.8:2055 original/man8/iptables.8:2041
5677+#: original/man8/iptables-extensions.8:1433
55975678 msgid ""
5598-"This target allows to alter the value of the DSCP bits within the TOS header "
5599-"of the IPv4 packet. As this manipulates a packet, it can only be used in "
5600-"the mangle table."
5679+"Only match on the given weekdays. Possible values are B<Mon>, B<Tue>, "
5680+"B<Wed>, B<Thu>, B<Fri>, B<Sat>, B<Sun>, or values from B<1> to B<7>, "
5681+"respectively. You may also use two-character variants (B<Mo>, B<Tu>, etc.)."
56015682 msgstr ""
56025683
56035684 #. type: TP
5604-#: original/man8/ip6tables.8:2055 original/man8/iptables.8:2041
5685+#: original/man8/iptables-extensions.8:1433
56055686 #, no-wrap
5606-msgid "B<--set-dscp> I<value>"
5687+msgid "B<--contiguous>"
56075688 msgstr ""
56085689
56095690 #. type: Plain text
5610-#: original/man8/ip6tables.8:2058 original/man8/iptables.8:2044
5611-msgid "Set the DSCP field to a numerical value (can be decimal or hex)"
5691+#: original/man8/iptables-extensions.8:1437
5692+msgid ""
5693+"When B<--timestop> is smaller than B<--timestart> value, match this as a "
5694+"single time period instead distinct intervals. See EXAMPLES."
56125695 msgstr ""
56135696
56145697 #. type: TP
5615-#: original/man8/ip6tables.8:2058 original/man8/iptables.8:2044
5698+#: original/man8/iptables-extensions.8:1437
56165699 #, no-wrap
5617-msgid "B<--set-dscp-class> I<class>"
5700+msgid "B<--kerneltz>"
56185701 msgstr ""
56195702
56205703 #. type: Plain text
5621-#: original/man8/ip6tables.8:2061 original/man8/iptables.8:2047
5622-msgid "Set the DSCP field to a DiffServ class."
5623-msgstr ""
5624-
5625-#. type: SS
5626-#: original/man8/ip6tables.8:2061
5627-#, no-wrap
5628-msgid "HL"
5704+#: original/man8/iptables-extensions.8:1441
5705+msgid ""
5706+"Use the kernel timezone instead of UTC to determine whether a packet meets "
5707+"the time regulations."
56295708 msgstr ""
56305709
56315710 #. type: Plain text
5632-#: original/man8/ip6tables.8:2068
5711+#: original/man8/iptables-extensions.8:1447
56335712 msgid ""
5634-"This is used to modify the Hop Limit field in IPv6 header. The Hop Limit "
5635-"field is similar to what is known as TTL value in IPv4. Setting or "
5636-"incrementing the Hop Limit field can potentially be very dangerous, so it "
5637-"should be avoided at any cost. This target is only valid in B<mangle> table."
5713+"About kernel timezones: Linux keeps the system time in UTC, and always does "
5714+"so. On boot, system time is initialized from a referential time "
5715+"source. Where this time source has no timezone information, such as the x86 "
5716+"CMOS RTC, UTC will be assumed. If the time source is however not in UTC, "
5717+"userspace should provide the correct system time and timezone to the kernel "
5718+"once it has the information."
56385719 msgstr ""
56395720
56405721 #. type: Plain text
5641-#: original/man8/ip6tables.8:2070 original/man8/iptables.8:2564
5722+#: original/man8/iptables-extensions.8:1458
56425723 msgid ""
5643-"B<Don't ever set or increment the value on packets that leave your local "
5644-"network!>"
5724+"Local time is a feature on top of the (timezone independent) system "
5725+"time. Each process has its own idea of local time, specified via the TZ "
5726+"environment variable. The kernel also has its own timezone offset "
5727+"variable. The TZ userspace environment variable specifies how the UTC-based "
5728+"system time is displayed, e.g. when you run date(1), or what you see on your "
5729+"desktop clock. The TZ string may resolve to different offsets at different "
5730+"dates, which is what enables the automatic time-jumping in userspace. when "
5731+"DST changes. The kernel's timezone offset variable is used when it has to "
5732+"convert between non-UTC sources, such as FAT filesystems, to UTC (since the "
5733+"latter is what the rest of the system uses)."
56455734 msgstr ""
56465735
5647-#. type: TP
5648-#: original/man8/ip6tables.8:2070
5649-#, no-wrap
5650-msgid "B<--hl-set> I<value>"
5736+#. type: Plain text
5737+#: original/man8/iptables-extensions.8:1467
5738+msgid ""
5739+"The caveat with the kernel timezone is that Linux distributions may ignore "
5740+"to set the kernel timezone, and instead only set the system time. Even if a "
5741+"particular distribution does set the timezone at boot, it is usually does "
5742+"not keep the kernel timezone offset - which is what changes on DST - up to "
5743+"date. ntpd will not touch the kernel timezone, so running it will not "
5744+"resolve the issue. As such, one may encounter a timezone that is always "
5745+"+0000, or one that is wrong half of the time of the year. As such, B<using "
5746+"--kerneltz is highly discouraged.>"
56515747 msgstr ""
56525748
56535749 #. type: Plain text
5654-#: original/man8/ip6tables.8:2073
5655-msgid "Set the Hop Limit to `value'."
5750+#: original/man8/iptables-extensions.8:1469
5751+msgid "EXAMPLES. To match on weekends, use:"
56565752 msgstr ""
56575753
5658-#. type: TP
5659-#: original/man8/ip6tables.8:2073
5660-#, no-wrap
5661-msgid "B<--hl-dec> I<value>"
5754+#. type: Plain text
5755+#: original/man8/iptables-extensions.8:1471
5756+msgid "-m time --weekdays Sa,Su"
56625757 msgstr ""
56635758
56645759 #. type: Plain text
5665-#: original/man8/ip6tables.8:2076
5666-msgid "Decrement the Hop Limit `value' times."
5760+#: original/man8/iptables-extensions.8:1473
5761+msgid "Or, to match (once) on a national holiday block:"
56675762 msgstr ""
56685763
5669-#. type: TP
5670-#: original/man8/ip6tables.8:2076
5671-#, no-wrap
5672-msgid "B<--hl-inc> I<value>"
5764+#. type: Plain text
5765+#: original/man8/iptables-extensions.8:1475
5766+msgid "-m time --datestart 2007-12-24 --datestop 2007-12-27"
56735767 msgstr ""
56745768
56755769 #. type: Plain text
5676-#: original/man8/ip6tables.8:2079
5677-msgid "Increment the Hop Limit `value' times."
5770+#: original/man8/iptables-extensions.8:1478
5771+msgid ""
5772+"Since the stop time is actually inclusive, you would need the following stop "
5773+"time to not match the first second of the new day:"
56785774 msgstr ""
56795775
5680-#. type: SS
5681-#: original/man8/ip6tables.8:2079 original/man8/iptables.8:2055
5682-#, no-wrap
5683-msgid "IDLETIMER"
5776+#. type: Plain text
5777+#: original/man8/iptables-extensions.8:1480
5778+msgid "-m time --datestart 2007-01-01T17:00 --datestop 2007-01-01T23:59:59"
56845779 msgstr ""
56855780
56865781 #. type: Plain text
5687-#: original/man8/ip6tables.8:2088 original/man8/iptables.8:2064
5688-msgid ""
5689-"This target can be used to identify when interfaces have been idle for a "
5690-"certain period of time. Timers are identified by labels and are created "
5691-"when a rule is set with a new label. The rules also take a timeout value "
5692-"(in seconds) as an option. If more than one rule uses the same timer label, "
5693-"the timer will be restarted whenever any of the rules get a hit. One entry "
5694-"for each timer is created in sysfs. This attribute contains the timer "
5695-"remaining for the timer to expire. The attributes are located under the "
5696-"xt_idletimer class:"
5782+#: original/man8/iptables-extensions.8:1482
5783+msgid "During lunch hour:"
56975784 msgstr ""
56985785
56995786 #. type: Plain text
5700-#: original/man8/ip6tables.8:2090 original/man8/iptables.8:2066
5701-msgid "/sys/class/xt_idletimer/timers/E<lt>labelE<gt>"
5787+#: original/man8/iptables-extensions.8:1484
5788+msgid "-m time --timestart 12:30 --timestop 13:30"
57025789 msgstr ""
57035790
57045791 #. type: Plain text
5705-#: original/man8/ip6tables.8:2093 original/man8/iptables.8:2069
5706-msgid ""