
iptables: Commit


Commit MetaInfo

Revision: af9196ed46a6fead76f526dc2bf3131d5d3a1e36
Time: 2014-05-07 04:50:28
Author: Akihiro MOTOKI <amotoki@gmai...>
Committer: Akihiro MOTOKI

Log Message

iptables: Update original to 1.4.21

Change Summary

Incremental Difference

--- a/README.JM
+++ b/README.JM
@@ -25,8 +25,8 @@ cp **/*.8 ../../original/man8/
2525 @ iptables top directory
2626
2727 grep -r @PACKAGE_VERSION@ original/
28-sed -i -e 's/@PACKAGE_VERSION@/1.4.18/' original/man8/iptables.8
29-sed -i -e 's/@PACKAGE_VERSION@/1.4.18/' original/man8/ip6tables.8
28+sed -i -e 's/@PACKAGE_AND_VERSION@/1.4.21/' original/man8/iptables.8
29+patch -p3 < patch.original
3030
3131 git add -u
3232 git add original
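Review bot: the token replaced by the new sed (line 28+) is @PACKAGE_AND_VERSION@, but the grep on context line 27 still searches for @PACKAGE_VERSION@, so the check no longer detects the placeholder the sed is meant to remove; change the grep to the new name (or to a prefix such as `@PACKAGE`). Also verify the substituted value: every other .TH header updated in this commit carries `"iptables 1.4.21"` in its third and fourth fields, so if @PACKAGE_AND_VERSION@ stands for the name-plus-version string, the sed should insert `iptables 1.4.21` rather than `1.4.21`. Finally, `patch -p3 < patch.original` (line 29+) makes the procedure depend on a patch file; make sure it is committed next to this README and say in the README what it adjusts.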
--- a/original/man1/iptables-xml.1
+++ b/original/man1/iptables-xml.1
@@ -1,4 +1,4 @@
1-.TH IPTABLES-XML 8 "Jul 16, 2007" "" ""
1+.TH IPTABLES-XML 1 "" "iptables 1.4.21" "iptables 1.4.21"
22 .\"
33 .\" Man page written by Sam Liddicott <azez@ufomechanic.net>
44 .\" It is based on the iptables-save man page.
--- a/original/man8/ip6tables-restore.8
+++ b/original/man8/ip6tables-restore.8
@@ -1,68 +1 @@
1-.TH IP6TABLES-RESTORE 8 "Jan 30, 2002" "" ""
2-.\"
3-.\" Man page written by Harald Welte <laforge@gnumonks.org>
4-.\" It is based on the iptables man page.
5-.\"
6-.\" This program is free software; you can redistribute it and/or modify
7-.\" it under the terms of the GNU General Public License as published by
8-.\" the Free Software Foundation; either version 2 of the License, or
9-.\" (at your option) any later version.
10-.\"
11-.\" This program is distributed in the hope that it will be useful,
12-.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
13-.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14-.\" GNU General Public License for more details.
15-.\"
16-.\" You should have received a copy of the GNU General Public License
17-.\" along with this program; if not, write to the Free Software
18-.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
19-.\"
20-.\"
21-.SH NAME
22-ip6tables-restore \(em Restore IPv6 Tables
23-.SH SYNOPSIS
24-\fBip6tables\-restore\fP [\fB\-chntv\fP] [\fB\-M\fP \fImodprobe\fP]
25-[\fB\-T\fP \fIname\fP]
26-.SH DESCRIPTION
27-.PP
28-.B ip6tables-restore
29-is used to restore IPv6 Tables from data specified on STDIN. Use
30-I/O redirection provided by your shell to read from a file
31-.TP
32-\fB\-c\fR, \fB\-\-counters\fR
33-restore the values of all packet and byte counters
34-.TP
35-\fB\-h\fP, \fB\-\-help\fP
36-Print a short option summary.
37-.TP
38-\fB\-n\fR, \fB\-\-noflush\fR
39-don't flush the previous contents of the table. If not specified,
40-\fBip6tables-restore\fP flushes (deletes) all previous contents of the
41-respective table.
42-.TP
43-\fB\-t\fP, \fB\-\-test\fP
44-Only parse and construct the ruleset, but do not commit it.
45-.TP
46-\fB\-v\fP, \fB\-\-verbose\fP
47-Print additional debug info during ruleset processing.
48-.TP
49-\fB\-M\fP, \fB\-\-modprobe\fP \fImodprobe_program\fP
50-Specify the path to the modprobe program. By default, ip6tables-restore will
51-inspect /proc/sys/kernel/modprobe to determine the executable's path.
52-.TP
53-\fB\-T\fP, \fB\-\-table\fP \fIname\fP
54-Restore only the named table even if the input stream contains other ones.
55-.B ip6tables-restore
56-flushes (deletes) all previous contents of the respective IPv6 Table.
57-.SH BUGS
58-None known as of iptables-1.2.1 release
59-.SH AUTHORS
60-Harald Welte <laforge@gnumonks.org>
61-.br
62-Andras Kis-Szabo <kisza@sch.bme.hu>
63-.SH SEE ALSO
64-\fBip6tables\-save\fP(8), \fBip6tables\fP(8)
65-.PP
66-The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
67-which details NAT, and the netfilter-hacking-HOWTO which details the
68-internals.
1+.so man8/iptables-restore.8
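Review bot: replacing the page with `.so man8/iptables-restore.8` drops the only description of -c, -n, -t, -v, -M and -T shown here, so the result is correct only if original/man8/iptables-restore.8 in this tree documents those options for ip6tables-restore as well; that file is not in the visible diff, so confirm it is brought to 1.4.21 in the same commit. Note too that the `.so` path is resolved relative to the manual root (the directory containing man8/), so opening this file directly from inside man8/ will not find the target; the README's check steps should run from the top of the tree.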
--- a/original/man8/ip6tables-save.8
+++ b/original/man8/ip6tables-save.8
@@ -1,53 +1 @@
1-.TH IP6TABLES-SAVE 8 "Jan 30, 2002" "" ""
2-.\"
3-.\" Man page written by Harald Welte <laforge@gnumonks.org>
4-.\" It is based on the iptables man page.
5-.\"
6-.\" This program is free software; you can redistribute it and/or modify
7-.\" it under the terms of the GNU General Public License as published by
8-.\" the Free Software Foundation; either version 2 of the License, or
9-.\" (at your option) any later version.
10-.\"
11-.\" This program is distributed in the hope that it will be useful,
12-.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
13-.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14-.\" GNU General Public License for more details.
15-.\"
16-.\" You should have received a copy of the GNU General Public License
17-.\" along with this program; if not, write to the Free Software
18-.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
19-.\"
20-.\"
21-.SH NAME
22-ip6tables-save \(em dump iptables rules to stdout
23-.SH SYNOPSIS
24-\fBip6tables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
25-[\fB\-t\fP \fItable\fP
26-.SH DESCRIPTION
27-.PP
28-.B ip6tables-save
29-is used to dump the contents of an IPv6 Table in easily parseable format
30-to STDOUT. Use I/O-redirection provided by your shell to write to a file.
31-.TP
32-\fB\-M\fP \fImodprobe_program\fP
33-Specify the path to the modprobe program. By default, iptables-save will
34-inspect /proc/sys/kernel/modprobe to determine the executable's path.
35-.TP
36-\fB\-c\fR, \fB\-\-counters\fR
37-include the current values of all packet and byte counters in the output
38-.TP
39-\fB\-t\fR, \fB\-\-table\fR \fItablename\fP
40-restrict output to only one table. If not specified, output includes all
41-available tables.
42-.SH BUGS
43-None known as of iptables-1.2.1 release
44-.SH AUTHORS
45-Harald Welte <laforge@gnumonks.org>
46-.br
47-Andras Kis-Szabo <kisza@sch.bme.hu>
48-.SH SEE ALSO
49-\fBip6tables\-restore\fP(8), \fBip6tables\fP(8)
50-.PP
51-The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
52-which details NAT, and the netfilter-hacking-HOWTO which details the
53-internals.
1+.so man8/iptables-save.8
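Review bot: same check as for ip6tables-restore: the stub is only complete if original/man8/iptables-save.8 documents -M/--modprobe, -c/--counters and -t/--table for the IPv6 tool. One stale defect disappears with this removal, the unclosed `[` before `\-t table` in the old SYNOPSIS (removed line 25); make sure the target page does not carry the same typo.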
--- a/original/man8/ip6tables.8
+++ b/original/man8/ip6tables.8
@@ -1,456 +1 @@
1-.TH IP6TABLES 8 "" "iptables 1.4.18" "iptables 1.4.18"
2-.\"
3-.\" Man page written by Andras Kis-Szabo <kisza@sch.bme.hu>
4-.\" It is based on iptables man page.
5-.\"
6-.\" iptables page by Herve Eychenne <rv@wallfire.org>
7-.\" It is based on ipchains man page.
8-.\"
9-.\" ipchains page by Paul ``Rusty'' Russell March 1997
10-.\" Based on the original ipfwadm man page by Jos Vos <jos@xos.nl>
11-.\"
12-.\" This program is free software; you can redistribute it and/or modify
13-.\" it under the terms of the GNU General Public License as published by
14-.\" the Free Software Foundation; either version 2 of the License, or
15-.\" (at your option) any later version.
16-.\"
17-.\" This program is distributed in the hope that it will be useful,
18-.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
19-.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20-.\" GNU General Public License for more details.
21-.\"
22-.\" You should have received a copy of the GNU General Public License
23-.\" along with this program; if not, write to the Free Software
24-.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25-.\"
26-.\"
27-.SH NAME
28-ip6tables \(em IPv6 packet filter administration
29-.SH SYNOPSIS
30-\fBip6tables\fP [\fB\-t\fP \fItable\fP] {\fB\-A\fP|\fB\-C\fP|\fB\-D\fP}
31-\fIchain rule-specification\fP [\fIoptions...\fP]
32-.PP
33-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-I\fP \fIchain\fP [\fIrulenum\fP]
34-\fIrule-specification\fP [\fIoptions...\fP]
35-.PP
36-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-R\fP \fIchain rulenum
37-rule-specification\fP [\fIoptions...\fP]
38-.PP
39-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-D\fP \fIchain rulenum\fP
40-[\fIoptions...\fP]
41-.PP
42-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-S\fP [\fIchain\fP [\fIrulenum\fP]]
43-.PP
44-\fBip6tables\fP [\fB\-t\fP \fItable\fP] {\fB\-F\fP|\fB\-L\fP|\fB\-Z\fP}
45-[\fIchain\fP [\fIrulenum\fP]] [\fIoptions...\fP]
46-.PP
47-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-N\fP \fIchain\fP
48-.PP
49-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-X\fP [\fIchain\fP]
50-.PP
51-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-P\fP \fIchain target\fP
52-[\fIoptions...\fP]
53-.PP
54-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-E\fP \fIold-chain-name new-chain-name\fP
55-.SH DESCRIPTION
56-\fBIp6tables\fP is used to set up, maintain, and inspect the
57-tables of IPv6 packet
58-filter rules in the Linux kernel. Several different tables
59-may be defined. Each table contains a number of built-in
60-chains and may also contain user-defined chains.
61-.PP
62-Each chain is a list of rules which can match a set of packets. Each
63-rule specifies what to do with a packet that matches. This is called
64-a `target', which may be a jump to a user-defined chain in the same
65-table.
66-.SH TARGETS
67-A firewall rule specifies criteria for a packet and a target. If the
68-packet does not match, the next rule in the chain is the examined; if
69-it does match, then the next rule is specified by the value of the
70-target, which can be the name of a user-defined chain or one of the
71-special values \fBACCEPT\fP, \fBDROP\fP, \fBQUEUE\fP or \fBRETURN\fP.
72-.PP
73-\fBACCEPT\fP means to let the packet through.
74-\fBDROP\fP means to drop the packet on the floor.
75-\fBQUEUE\fP means to pass the packet to userspace.
76-(How the packet can be received
77-by a userspace process differs by the particular queue handler. 2.4.x
78-and 2.6.x kernels up to 2.6.13 include the \fBip_queue\fP
79-queue handler. Kernels 2.6.14 and later additionally include the
80-\fBnfnetlink_queue\fP queue handler. Packets with a target of QUEUE will be
81-sent to queue number '0' in this case. Please also see the \fBNFQUEUE\fP
82-target as described later in this man page.)
83-\fBRETURN\fP means stop traversing this chain and resume at the next
84-rule in the
85-previous (calling) chain. If the end of a built-in chain is reached
86-or a rule in a built-in chain with target \fBRETURN\fP
87-is matched, the target specified by the chain policy determines the
88-fate of the packet.
89-.SH TABLES
90-There are currently five independent tables (which tables are present
91-at any time depends on the kernel configuration options and which
92-modules are present).
93-.TP
94-\fB\-t\fP, \fB\-\-table\fP \fItable\fP
95-This option specifies the packet matching table which the command
96-should operate on. If the kernel is configured with automatic module
97-loading, an attempt will be made to load the appropriate module for
98-that table if it is not already there.
99-
100-The tables are as follows:
101-.RS
102-.TP .4i
103-\fBfilter\fP:
104-This is the default table (if no \-t option is passed). It contains
105-the built-in chains \fBINPUT\fP (for packets destined to local sockets),
106-\fBFORWARD\fP (for packets being routed through the box), and
107-\fBOUTPUT\fP (for locally-generated packets).
108-.TP
109-\fBnat\fP:
110-This table is consulted when a packet that creates a new
111-connection is encountered. It consists of three built-ins: \fBPREROUTING\fP
112-(for altering packets as soon as they come in), \fBOUTPUT\fP
113-(for altering locally-generated packets before routing), and \fBPOSTROUTING\fP
114-(for altering packets as they are about to go out). Available since kernel 3.7.
115-.TP
116-\fBmangle\fP:
117-This table is used for specialized packet alteration. Until kernel
118-2.4.17 it had two built-in chains: \fBPREROUTING\fP
119-(for altering incoming packets before routing) and \fBOUTPUT\fP
120-(for altering locally-generated packets before routing).
121-Since kernel 2.4.18, three other built-in chains are also supported:
122-\fBINPUT\fP (for packets coming into the box itself), \fBFORWARD\fP
123-(for altering packets being routed through the box), and \fBPOSTROUTING\fP
124-(for altering packets as they are about to go out).
125-.TP
126-\fBraw\fP:
127-This table is used mainly for configuring exemptions from connection
128-tracking in combination with the NOTRACK target. It registers at the netfilter
129-hooks with higher priority and is thus called before ip_conntrack, or any other
130-IP tables. It provides the following built-in chains: \fBPREROUTING\fP
131-(for packets arriving via any network interface) \fBOUTPUT\fP
132-(for packets generated by local processes)
133-.TP
134-\fBsecurity\fP:
135-This table is used for Mandatory Access Control (MAC) networking rules, such
136-as those enabled by the \fBSECMARK\fP and \fBCONNSECMARK\fP targets.
137-Mandatory Access Control is implemented by Linux Security Modules such as
138-SELinux. The security table is called after the filter table, allowing any
139-Discretionary Access Control (DAC) rules in the filter table to take effect
140-before MAC rules. This table provides the following built-in chains:
141-\fBINPUT\fP (for packets coming into the box itself),
142-\fBOUTPUT\fP (for altering locally-generated packets before routing), and
143-\fBFORWARD\fP (for altering packets being routed through the box).
144-.RE
145-.SH OPTIONS
146-The options that are recognized by
147-\fBip6tables\fP can be divided into several different groups.
148-.SS COMMANDS
149-These options specify the specific action to perform. Only one of them
150-can be specified on the command line unless otherwise specified
151-below. For all the long versions of the command and option names, you
152-need to use only enough letters to ensure that
153-\fBip6tables\fP can differentiate it from all other options.
154-.TP
155-\fB\-A\fP, \fB\-\-append\fP \fIchain rule-specification\fP
156-Append one or more rules to the end of the selected chain.
157-When the source and/or destination names resolve to more than one
158-address, a rule will be added for each possible address combination.
159-.TP
160-\fB\-C\fP, \fB\-\-check\fP \fIchain rule-specification\fP
161-Check whether a rule matching the specification does exist in the
162-selected chain. This command uses the same logic as \fB\-D\fP to
163-find a matching entry, but does not alter the existing iptables
164-configuration and uses its exit code to indicate success or failure.
165-.TP
166-\fB\-D\fP, \fB\-\-delete\fP \fIchain rule-specification\fP
167-.ns
168-.TP
169-\fB\-D\fP, \fB\-\-delete\fP \fIchain rulenum\fP
170-Delete one or more rules from the selected chain. There are two
171-versions of this command: the rule can be specified as a number in the
172-chain (starting at 1 for the first rule) or a rule to match.
173-.TP
174-\fB\-I\fP, \fB\-\-insert\fP \fIchain\fP [\fIrulenum\fP] \fIrule-specification\fP
175-Insert one or more rules in the selected chain as the given rule
176-number. So, if the rule number is 1, the rule or rules are inserted
177-at the head of the chain. This is also the default if no rule number
178-is specified.
179-.TP
180-\fB\-R\fP, \fB\-\-replace\fP \fIchain rulenum rule-specification\fP
181-Replace a rule in the selected chain. If the source and/or
182-destination names resolve to multiple addresses, the command will
183-fail. Rules are numbered starting at 1.
184-.TP
185-\fB\-L\fP, \fB\-\-list\fP [\fIchain\fP]
186-List all rules in the selected chain. If no chain is selected, all
187-chains are listed. Like every other ip6tables command, it applies to the
188-specified table (filter is the default).
189-.IP ""
190-Please note that it is often used with the \fB\-n\fP
191-option, in order to avoid long reverse DNS lookups.
192-It is legal to specify the \fB\-Z\fP
193-(zero) option as well, in which case the chain(s) will be atomically
194-listed and zeroed. The exact output is affected by the other
195-arguments given. The exact rules are suppressed until you use
196-.nf
197- ip6tables \-L \-v
198-.fi
199-.TP
200-\fB\-S\fP, \fB\-\-list\-rules\fP [\fIchain\fP]
201-Print all rules in the selected chain. If no chain is selected, all
202-chains are printed like ip6tables-save. Like every other ip6tables command,
203-it applies to the specified table (filter is the default).
204-.TP
205-\fB\-F\fP, \fB\-\-flush\fP [\fIchain\fP]
206-Flush the selected chain (all the chains in the table if none is given).
207-This is equivalent to deleting all the rules one by one.
208-.TP
209-\fB\-Z\fP, \fB\-\-zero\fP [\fIchain\fP [\fIrulenum\fP]]
210-Zero the packet and byte counters in all chains, or only the given chain,
211-or only the given rule in a chain. It is legal to
212-specify the
213-\fB\-L\fP, \fB\-\-list\fP
214-(list) option as well, to see the counters immediately before they are
215-cleared. (See above.)
216-.TP
217-\fB\-N\fP, \fB\-\-new\-chain\fP \fIchain\fP
218-Create a new user-defined chain by the given name. There must be no
219-target of that name already.
220-.TP
221-\fB\-X\fP, \fB\-\-delete\-chain\fP [\fIchain\fP]
222-Delete the optional user-defined chain specified. There must be no references
223-to the chain. If there are, you must delete or replace the referring rules
224-before the chain can be deleted. The chain must be empty, i.e. not contain
225-any rules. If no argument is given, it will attempt to delete every
226-non-builtin chain in the table.
227-.TP
228-\fB\-P\fP, \fB\-\-policy\fP \fIchain target\fP
229-Set the policy for the chain to the given target. See the section \fBTARGETS\fP
230-for the legal targets. Only built-in (non-user-defined) chains can have
231-policies, and neither built-in nor user-defined chains can be policy
232-targets.
233-.TP
234-\fB\-E\fP, \fB\-\-rename\-chain\fP \fIold\-chain new\-chain\fP
235-Rename the user specified chain to the user supplied name. This is
236-cosmetic, and has no effect on the structure of the table.
237-.TP
238-\fB\-A\fP, \fB\-\-append\fP \fIchain rule-specification\fP
239-Append one or more rules to the end of the selected chain.
240-When the source and/or destination names resolve to more than one
241-address, a rule will be added for each possible address combination.
242-.TP
243-\fB\-h\fP
244-Help.
245-Give a (currently very brief) description of the command syntax.
246-.SS PARAMETERS
247-The following parameters make up a rule specification (as used in the
248-add, delete, insert, replace and append commands).
249-.TP
250-\fB\-4\fP, \fB\-\-ipv4\fP
251-If a rule using the \fB\-4\fP option is inserted with (and only with)
252-ip6tables-restore, it will be silently ignored. Any other uses will throw an
253-error. This option allows to put both IPv4 and IPv6 rules in a single rule file
254-for use with both iptables-restore and ip6tables-restore.
255-.TP
256-\fB\-6\fP, \fB\-\-ipv6\fP
257-This option has no effect in ip6tables and ip6tables-restore.
258-.TP
259-[\fB!\fP] \fB\-p\fP, \fB\-\-protocol\fP \fIprotocol\fP
260-The protocol of the rule or of the packet to check.
261-The specified protocol can be one of \fBtcp\fP, \fBudp\fP, \fBudplite\fP,
262-\fBicmpv6\fP, \fBesp\fP, \fBmh\fP or the special keyword "\fBall\fP",
263-or it can be a numeric value, representing one of these protocols or a
264-different one. A protocol name from /etc/protocols is also allowed.
265-But IPv6 extension headers except \fBesp\fP are not allowed.
266-\fBesp\fP and \fBipv6\-nonext\fP
267-can be used with Kernel version 2.6.11 or later.
268-A "!" argument before the protocol inverts the
269-test. The number zero is equivalent to \fBall\fP, which means that you cannot
270-test the protocol field for the value 0 directly. To match on a HBH header,
271-even if it were the last, you cannot use \fB\-p 0\fP, but always need
272-\fB\-m hbh\fP.
273-"\fBall\fP"
274-will match with all protocols and is taken as default when this
275-option is omitted.
276-.TP
277-[\fB!\fP] \fB\-s\fP, \fB\-\-source\fP \fIaddress\fP[\fB/\fP\fImask\fP]
278-Source specification.
279-\fIAddress\fP can be either be a hostname,
280-a network IP address (with \fB/\fP\fImask\fP), or a plain IP address.
281-Names will be resolved once only, before the rule is submitted to the kernel.
282-Please note that specifying any name to be resolved with a remote query such as
283-DNS is a really bad idea.
284-(Resolving network names is not supported at this time.)
285-The \fImask\fP is a plain number,
286-specifying the number of 1's at the left side of the network mask.
287-A "!" argument before the address specification inverts the sense of
288-the address. The flag \fB\-\-src\fP
289-is an alias for this option.
290-Multiple addresses can be specified, but this will \fBexpand to multiple
291-rules\fP (when adding with \-A), or will cause multiple rules to be
292-deleted (with \-D).
293-.TP
294-[\fB!\fP] \fB\-d\fP, \fB\-\-destination\fP \fIaddress\fP[\fB/\fP\fImask\fP]
295-Destination specification.
296-See the description of the \fB\-s\fP
297-(source) flag for a detailed description of the syntax. The flag
298-\fB\-\-dst\fP is an alias for this option.
299-.TP
300-\fB\-m\fP, \fB\-\-match\fP \fImatch\fP
301-Specifies a match to use, that is, an extension module that tests for a
302-specific property. The set of matches make up the condition under which a
303-target is invoked. Matches are evaluated first to last as specified on the
304-command line and work in short-circuit fashion, i.e. if one extension yields
305-false, evaluation will stop.
306-.TP
307-\fB\-j\fP, \fB\-\-jump\fP \fItarget\fP
308-This specifies the target of the rule; i.e., what to do if the packet
309-matches it. The target can be a user-defined chain (other than the
310-one this rule is in), one of the special builtin targets which decide
311-the fate of the packet immediately, or an extension (see \fBEXTENSIONS\fP
312-below). If this
313-option is omitted in a rule (and \fB\-g\fP
314-is not used), then matching the rule will have no
315-effect on the packet's fate, but the counters on the rule will be
316-incremented.
317-.TP
318-\fB\-g\fP, \fB\-\-goto\fP \fIchain\fP
319-This specifies that the processing should continue in a user
320-specified chain. Unlike the \-\-jump option return will not continue
321-processing in this chain but instead in the chain that called us via
322-\-\-jump.
323-.TP
324-[\fB!\fP] \fB\-i\fP, \fB\-\-in\-interface\fP \fIname\fP
325-Name of an interface via which a packet was received (only for
326-packets entering the \fBINPUT\fP, \fBFORWARD\fP and \fBPREROUTING\fP
327-chains). When the "!" argument is used before the interface name, the
328-sense is inverted. If the interface name ends in a "+", then any
329-interface which begins with this name will match. If this option is
330-omitted, any interface name will match.
331-.TP
332-[\fB!\fP] \fB\-o\fP, \fB\-\-out\-interface\fP \fIname\fP
333-Name of an interface via which a packet is going to be sent (for packets
334-entering the \fBFORWARD\fP, \fBOUTPUT\fP and \fBPOSTROUTING\fP
335-chains). When the "!" argument is used before the interface name, the
336-sense is inverted. If the interface name ends in a "+", then any
337-interface which begins with this name will match. If this option is
338-omitted, any interface name will match.
339-.\" Currently not supported (header-based)
340-.\" .TP
341-.\" [\fB!\fP] \fB\-f\fP, \fB\-\-fragment\fP
342-.\" This means that the rule only refers to second and further fragments
343-.\" of fragmented packets. Since there is no way to tell the source or
344-.\" destination ports of such a packet (or ICMP type), such a packet will
345-.\" not match any rules which specify them. When the "!" argument
346-.\" precedes the "\-f" flag, the rule will only match head fragments, or
347-.\" unfragmented packets.
348-.TP
349-\fB\-c\fP, \fB\-\-set\-counters\fP \fIpackets bytes\fP
350-This enables the administrator to initialize the packet and byte
351-counters of a rule (during \fBINSERT\fP, \fBAPPEND\fP, \fBREPLACE\fP
352-operations).
353-.SS "OTHER OPTIONS"
354-The following additional options can be specified:
355-.TP
356-\fB\-v\fP, \fB\-\-verbose\fP
357-Verbose output. This option makes the list command show the interface
358-name, the rule options (if any), and the TOS masks. The packet and
359-byte counters are also listed, with the suffix 'K', 'M' or 'G' for
360-1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see
361-the \fB\-x\fP flag to change this).
362-For appending, insertion, deletion and replacement, this causes
363-detailed information on the rule or rules to be printed. \fB\-v\fP may be
364-specified multiple times to possibly emit more detailed debug statements.
365-.TP
366-\fB\-n\fP, \fB\-\-numeric\fP
367-Numeric output.
368-IP addresses and port numbers will be printed in numeric format.
369-By default, the program will try to display them as host names,
370-network names, or services (whenever applicable).
371-.TP
372-\fB\-x\fP, \fB\-\-exact\fP
373-Expand numbers.
374-Display the exact value of the packet and byte counters,
375-instead of only the rounded number in K's (multiples of 1000)
376-M's (multiples of 1000K) or G's (multiples of 1000M). This option is
377-only relevant for the \fB\-L\fP command.
378-.TP
379-\fB\-\-line\-numbers\fP
380-When listing rules, add line numbers to the beginning of each rule,
381-corresponding to that rule's position in the chain.
382-.TP
383-\fB\-\-modprobe=\fP\fIcommand\fP
384-When adding or inserting rules into a chain, use \fIcommand\fP
385-to load any necessary modules (targets, match extensions, etc).
386-.SH MATCH EXTENSIONS
387-.PP
388-iptables can use extended packet matching and target modules.
389-A list of these is available in the \fBiptables\-extensions\fP(8) manpage.
390-.SH DIAGNOSTICS
391-Various error messages are printed to standard error. The exit code
392-is 0 for correct functioning. Errors which appear to be caused by
393-invalid or abused command line parameters cause an exit code of 2, and
394-other errors cause an exit code of 1.
395-.SH BUGS
396-Bugs? What's this? ;-)
397-Well... the counters are not reliable on sparc64.
398-.SH COMPATIBILITY WITH IPCHAINS
399-This \fBip6tables\fP
400-is very similar to ipchains by Rusty Russell. The main difference is
401-that the chains \fBINPUT\fP and \fBOUTPUT\fP
402-are only traversed for packets coming into the local host and
403-originating from the local host respectively. Hence every packet only
404-passes through one of the three chains (except loopback traffic, which
405-involves both INPUT and OUTPUT chains); previously a forwarded packet
406-would pass through all three.
407-.PP
408-The other main difference is that \fB\-i\fP refers to the input interface;
409-\fB\-o\fP refers to the output interface, and both are available for packets
410-entering the \fBFORWARD\fP chain.
411-There are several other changes in ip6tables.
412-.SH SEE ALSO
413-\fBip6tables\-save\fP(8),
414-\fBip6tables\-restore\fP(8),
415-\fBiptables\fP(8),
416-\fBiptables\-apply\fP(8),
417-\fBiptables\-extensions\fP(8),
418-\fBiptables\-save\fP(8),
419-\fBiptables\-restore\fP(8),
420-\fBlibipq\fP(3).
421-.PP
422-The packet-filtering-HOWTO details iptables usage for
423-packet filtering,
424-the netfilter-extensions-HOWTO details the extensions that are
425-not in the standard distribution,
426-and the netfilter-hacking-HOWTO details the netfilter internals.
427-.br
428-See
429-.BR "http://www.netfilter.org/" .
430-.SH AUTHORS
431-Rusty Russell wrote iptables, in early consultation with Michael
432-Neuling.
433-.PP
434-Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet
435-selection framework in iptables, then wrote the mangle table, the owner match,
436-the mark stuff, and ran around doing cool stuff everywhere.
437-.PP
438-James Morris wrote the TOS target, and tos match.
439-.PP
440-Jozsef Kadlecsik wrote the REJECT target.
441-.PP
442-Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, as well as TTL match+target and libipulog.
443-.PP
444-The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Yasuyuki Kozakai,
445-Jozsef Kadlecsik, Patrick McHardy, James Morris, Pablo Neira Ayuso,
446-Harald Welte and Rusty Russell.
447-.PP
448-ip6tables man page created by Andras Kis-Szabo, based on
449-iptables man page written by Herve Eychenne <rv@wallfire.org>.
450-.\" .. and did I mention that we are incredibly cool people?
451-.\" .. sexy, too ..
452-.\" .. witty, charming, powerful ..
453-.\" .. and most of all, modest ..
454-.SH VERSION
455-.PP
456-This manual page applies to ip6tables 1.4.18.
1+.so man8/iptables.8
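Review bot: the removed page carried IPv6-specific content that the `.so` stub now relies on iptables.8 to supply: the -p protocol list (tcp, udp, udplite, icmpv6, esp, mh, ipv6-nonext; removed lines 261-267), the rule that `-p 0` cannot match a HBH header and `-m hbh` is needed instead (lines 269-272), the ip6tables semantics of -4 (silently ignored by ip6tables-restore) and -6 (no effect) (lines 250-257), the "Available since kernel 3.7" qualifier on the nat table (line 114), and the commented-out -f/--fragment block (lines 339-347). Confirm that original/man8/iptables.8 at 1.4.21 contains each of these before relying on the include; otherwise readers of ip6tables(8) lose them with this commit.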
--- a/original/man8/iptables-apply.8
+++ b/original/man8/iptables-apply.8
@@ -2,7 +2,7 @@
22 .\" Author: Martin F. Krafft
33 .\" Date: Jun 04, 2006
44 .\"
5-.TH iptables\-apply 8 2006-06-04
5+.TH IPTABLES\-APPLY 8 "" "iptables 1.4.21" "iptables 1.4.21"
66 .\" disable hyphenation
77 .nh
88 .SH NAME
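Review bot: minor: the .TH line drops the 2006-06-04 date in favour of the version string, matching the other headers in this commit, but the `.\" Date: Jun 04, 2006` comment on context line 3 is now the only date on the page; either keep it deliberately or drop it for consistency with the other pages.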
--- a/original/man8/iptables-extensions.8
+++ b/original/man8/iptables-extensions.8
@@ -1,4 +1,4 @@
1-.TH iptables-extensions 8 "" "iptables 1.4.18" "iptables 1.4.18"
1+.TH iptables-extensions 8 "" "iptables 1.4.21" "iptables 1.4.21"
22 .SH NAME
33 iptables-extensions \(em list of extensions in the standard iptables distribution
44 .SH SYNOPSIS
@@ -107,6 +107,41 @@ Matches if the reserved field is filled with zero.
107107 This module matches the SPIs in Authentication header of IPsec packets.
108108 .TP
109109 [\fB!\fP] \fB\-\-ahspi\fP \fIspi\fP[\fB:\fP\fIspi\fP]
110+.SS bpf
111+Match using Linux Socket Filter. Expects a BPF program in decimal format. This
112+is the format generated by the \fBnfbpf_compile\fP utility.
113+.TP
114+\fB\-\-bytecode\fP \fIcode\fP
115+Pass the BPF byte code format (described in the example below).
116+.PP
117+The code format is similar to the output of the tcpdump -ddd command: one line
118+that stores the number of instructions, followed by one line for each
119+instruction. Instruction lines follow the pattern 'u16 u8 u8 u32' in decimal
120+notation. Fields encode the operation, jump offset if true, jump offset if
121+false and generic multiuse field 'K'. Comments are not supported.
122+.PP
123+For example, to read only packets matching 'ip proto 6', insert the following,
124+without the comments or trailing whitespace:
125+.IP
126+4 # number of instructions
127+.br
128+48 0 0 9 # load byte ip->proto
129+.br
130+21 0 1 6 # jump equal IPPROTO_TCP
131+.br
132+6 0 0 1 # return pass (non-zero)
133+.br
134+6 0 0 0 # return fail (zero)
135+.PP
136+You can pass this filter to the bpf match with the following command:
137+.IP
138+iptables \-A OUTPUT \-m bpf \-\-bytecode '4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0' \-j ACCEPT
139+.PP
140+Or instead, you can invoke the nfbpf_compile utility.
141+.IP
142+iptables \-A OUTPUT \-m bpf \-\-bytecode "`nfbpf_compile RAW 'ip proto 6'`" \-j ACCEPT
143+.PP
144+You may want to learn more about BPF from FreeBSD's bpf(4) manpage.
110145 .SS cluster
111146 Allows you to deploy gateway and back-end load-sharing clusters without the
112147 need of load-balancers.
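Review bot: the new `.SS bpf` heading (line 110+) lands directly after the `.TP` tag for `--ahspi` (context lines 108-109), leaving that option with an empty description; since original/ mirrors upstream text verbatim, this belongs in an upstream report rather than a local edit, but it is worth recording in the README so the translation does not inherit it silently. The bytecode example itself is consistent with the command that follows it: `48 0 0 9` loads the byte at offset 9 (the IPv4 protocol field when the program sees the IP header at offset 0, as with the RAW link type), `21 0 1 6` falls through to `6 0 0 1` on protocol 6 and otherwise skips one instruction to `6 0 0 0`, which is what `nfbpf_compile RAW 'ip proto 6'` expresses.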
@@ -165,6 +200,11 @@ arptables \-A INPUT \-i eth2 \-\-h\-length 6
165200 \-\-destination\-mac 01:00:5e:00:01:02
166201 \-j mangle \-\-mangle\-mac\-d 00:zz:yy:xx:5a:27
167202 .PP
203+\fBNOTE\fP: the arptables commands above use mainstream syntax. If you
204+are using arptables-jf included in some RedHat, CentOS and Fedora
205+versions, you will hit syntax errors. Therefore, you'll have to adapt
206+these to the arptables-jf syntax to get them working.
207+.PP
168208 In the case of TCP connections, pickup facility has to be disabled
169209 to avoid marking TCP ACK packets coming in the reply direction as
170210 valid.
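Review bot: "RedHat" in the added NOTE (line 204+) should be "Red Hat". The example the NOTE refers to also uses `00:zz:yy:xx:5a:27` as a placeholder MAC (context line 201), which is not valid hex, so a reader who pastes the command hits a parse error even with mainstream arptables, unrelated to the arptables-jf syntax difference the NOTE warns about; suggest a clearly-hex placeholder or an explicit remark that the address must be replaced.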
@@ -312,7 +352,7 @@ States for \fB\-\-ctstate\fP:
312352 The packet is associated with no known connection.
313353 .TP
314354 \fBNEW\fP
315-The packet has started a new connection, or otherwise associated
355+The packet has started a new connection or otherwise associated
316356 with a connection which has not seen packets in both directions.
317357 .TP
318358 \fBESTABLISHED\fP
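Review bot: removing the comma (line 355+) leaves the sentence grammatically incomplete: "has started a new connection or otherwise associated with a connection" needs "is" before "otherwise" ("or is otherwise associated with a connection which has not seen packets in both directions").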
@@ -321,7 +361,7 @@ in both directions.
321361 .TP
322362 \fBRELATED\fP
323363 The packet is starting a new connection, but is associated with an
324-existing connection, such as an FTP data transfer, or an ICMP error.
364+existing connection, such as an FTP data transfer or an ICMP error.
325365 .TP
326366 \fBUNTRACKED\fP
327367 The packet is not tracked at all, which happens if you explicitly untrack it
@@ -523,7 +563,7 @@ matching on source port
523563 matching on subnet
524564 "10000 packets per minute for every /28 subnet (groups of 8 addresses)
525565 in 10.0.0.0/8" =>
526-\-s 10.0.0.8 \-\-hashlimit\-mask 28 \-\-hashlimit\-upto 10000/min
566+\-s 10.0.0.0/8 \-\-hashlimit\-mask 28 \-\-hashlimit\-upto 10000/min
527567 .TP
528568 matching bytes per second
529569 "flows exceeding 512kbyte/s" =>
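Review bot: the corrected example `\-s 10.0.0.0/8 \-\-hashlimit\-mask 28` now matches its description, but the unchanged line above it, "groups of 8 addresses", is still wrong for a /28, which covers 16 addresses; fix it in the same hunk.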
@@ -716,15 +756,14 @@ a numeric MH
716756 .IR type
717757 or one of the MH type names shown by the command
718758 .nf
719- ip6tables \-p ipv6\-mh \-h
759+ ip6tables \-p mh \-h
720760 .fi
721761 .SS multiport
722762 This module matches a set of source or destination ports. Up to 15
723763 ports can be specified. A port range (port:port) counts as two
724-ports. It can only be used in conjunction with
725-\fB\-p tcp\fP
726-or
727-\fB\-p udp\fP.
764+ports. It can only be used in conjunction with one of the
765+following protocols:
766+\fBtcp\fP, \fBudp\fP, \fBudplite\fP, \fBdccp\fP and \fBsctp\fP.
728767 .TP
729768 [\fB!\fP] \fB\-\-source\-ports\fP,\fB\-\-sports\fP \fIport\fP[\fB,\fP\fIport\fP|\fB,\fP\fIport\fP\fB:\fP\fIport\fP]...
730769 Match if the source port is one of the given ports. The flag
@@ -1080,7 +1119,7 @@ is the default.
10801119 \fB\-\-rdest\fP
10811120 Match/save the destination address of each packet in the recent list table.
10821121 .TP
1083-\fB\-\-mask\fPnetmask
1122+\fB\-\-mask\fP \fInetmask\fP
10841123 Netmask that will be applied to this recent list.
10851124 .TP
10861125 [\fB!\fP] \fB\-\-rcheck\fP
@@ -1129,9 +1168,6 @@ iptables \-A FORWARD \-m recent \-\-name badguy \-\-rcheck \-\-seconds 60 \-j DR
11291168 .IP
11301169 iptables \-A FORWARD \-p tcp \-i eth0 \-\-dport 139 \-m recent \-\-name badguy \-\-set \-j DROP
11311170 .PP
1132-Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/) also has
1133-some examples of usage.
1134-.PP
11351171 \fB/proc/net/xt_recent/*\fP are the current lists of addresses and information
11361172 about each entry of each list.
11371173 .PP
@@ -1273,11 +1309,48 @@ the set type of the specified set is single dimension (for example ipmap),
12731309 then the command will match packets for which the source address can be
12741310 found in the specified set.
12751311 .TP
1276-\fB\-\-return\-\-nomatch\fP
1277-If the \fB\-\-return\-\-nomatch\fP option is specified and the set type
1312+\fB\-\-return\-nomatch\fP
1313+If the \fB\-\-return\-nomatch\fP option is specified and the set type
12781314 supports the \fBnomatch\fP flag, then the matching is reversed: a match
12791315 with an element flagged with \fBnomatch\fP returns \fBtrue\fP, while a
12801316 match with a plain element returns \fBfalse\fP.
1317+.TP
1318+\fB!\fP \fB\-\-update\-counters\fP
1319+If the \fB\-\-update\-counters\fP flag is negated, then the packet and
1320+byte counters of the matching element in the set won't be updated. Default
1321+the packet and byte counters are updated.
1322+.TP
1323+\fB!\fP \fB\-\-update\-subcounters\fP
1324+If the \fB\-\-update\-subcounters\fP flag is negated, then the packet and
1325+byte counters of the matching element in the member set of a list type of
1326+set won't be updated. Default the packet and byte counters are updated.
1327+.TP
1328+[\fB!\fP] \fB\-\-packets\-eq\fP \fIvalue\fP
1329+If the packet is matched an element in the set, match only if the
1330+packet counter of the element matches the given value too.
1331+.TP
1332+\fB\-\-packets\-lt\fP \fIvalue\fP
1333+If the packet is matched an element in the set, match only if the
1334+packet counter of the element is less than the given value as well.
1335+.TP
1336+\fB\-\-packets\-gt\fP \fIvalue\fP
1337+If the packet is matched an element in the set, match only if the
1338+packet counter of the element is greater than the given value as well.
1339+.TP
1340+[\fB!\fP] \fB\-bytes\-eq\fP \fIvalue\fP
1341+If the packet is matched an element in the set, match only if the
1342+byte counter of the element matches the given value too.
1343+.TP
1344+\fB\-\-bytes\-lt\fP \fIvalue\fP
1345+If the packet is matched an element in the set, match only if the
1346+byte counter of the element is less than the given value as well.
1347+.TP
1348+\fB\-\-bytes\-gt\fP \fIvalue\fP
1349+If the packet is matched an element in the set, match only if the
1350+byte counter of the element is greater than the given value as well.
1351+.PP
1352+The packet and byte counters related options and flags are ignored
1353+when the set was defined without counter support.
12811354 .PP
12821355 The option \fB\-\-match\-set\fP can be replaced by \fB\-\-set\fP if that does
12831356 not clash with an option of other extensions.
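Review bot: `\fB\-bytes\-eq\fP` in the new `--bytes-eq` entry has a single leading dash while every other option in the hunk uses `\-\-`; it should be `\fB\-\-bytes\-eq\fP`. The six counter entries also repeat "If the packet is matched an element in the set", which should read "If the packet matches an element in the set", and "Default the packet and byte counters are updated" wants "By default,".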
@@ -1285,11 +1358,28 @@ not clash with an option of other extensions.
12851358 Use of -m set requires that ipset kernel support is provided, which, for
12861359 standard kernels, is the case since Linux 2.6.39.
12871360 .SS socket
1288-This matches if an open socket can be found by doing a socket lookup on the
1289-packet.
1361+This matches if an open TCP/UDP socket can be found by doing a socket lookup on the
1362+packet. It matches if there is an established or non\-zero bound listening
1363+socket (possibly with a non\-local address). The lookup is performed using
1364+the \fBpacket\fP tuple of TCP/UDP packets, or the original TCP/UDP header
1365+\fBembedded\fP in an ICMP/ICPMv6 error packet.
12901366 .TP
12911367 \fB\-\-transparent\fP
12921368 Ignore non-transparent sockets.
1369+.TP
1370+\fB\-\-nowildcard\fP
1371+Do not ignore sockets bound to 'any' address.
1372+The socket match won't accept zero\-bound listeners by default, since
1373+then local services could intercept traffic that would otherwise be forwarded.
1374+This option therefore has security implications when used to match traffic being
1375+forwarded to redirect such packets to local machine with policy routing.
1376+When using the socket match to implement fully transparent
1377+proxies bound to non\-local addresses it is recommended to use the \-\-transparent
1378+option instead.
1379+.PP
1380+Example (assuming packets with mark 1 are delivered locally):
1381+.IP
1382+\-t mangle \-A PREROUTING \-m socket \-\-transparent \-j MARK \-\-set\-mark 1
12931383 .SS state
12941384 The "state" extension is a subset of the "conntrack" module.
12951385 "state" allows access to the connection tracking state for this packet.
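Review bot: "ICPMv6" in the new socket description should be "ICMPv6", and the example `\-t mangle \-A PREROUTING \-m socket \-\-transparent \-j MARK \-\-set\-mark 1` omits the leading `iptables` that every other example on the page carries. The `--nowildcard` paragraph is the security-relevant part of this hunk (matching zero-bound listeners lets local services intercept forwarded traffic); consider moving the closing recommendation to use `\-\-transparent` for transparent proxies to the front of the paragraph so it is not missed.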
@@ -1348,6 +1438,16 @@ Matches the given pattern.
13481438 .TP
13491439 [\fB!\fP] \fB\-\-hex\-string\fP \fIpattern\fP
13501440 Matches the given pattern in hex notation.
1441+.TP
1442+Examples:
1443+.IP
1444+# The string pattern can be used for simple text characters.
1445+.br
1446+iptables \-A INPUT \-p tcp \-\-dport 80 \-m string \-\-algo bm \-\-string 'GET /index.html' \-j LOG
1447+.IP
1448+# The hex string pattern can be used for non-printable characters, like |0D 0A| or |0D0A|.
1449+.br
1450+iptables \-p udp \-\-dport 53 \-m string \-\-algo bm \-\-from 40 \-\-to 57 \-\-hex\-string '|03|www|09|netfilter|03|org|00|'
13511451 .SS tcp
13521452 These extensions can be used if `\-\-protocol tcp' is specified. It
13531453 provides the following options:
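Review bot: the second string example, `iptables \-p udp \-\-dport 53 ... \-\-hex\-string '...'`, has no chain (`\-A INPUT`) and no target, so it is not a valid rule as written; align it with the first example, which has both. "Examples:" is also introduced with `.TP`, which makes it a tagged paragraph with an empty body; `.PP` is the right macro here.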
@@ -1832,7 +1932,7 @@ By default, packets have zone 0.
18321932 Use the timeout policy identified by \fIname\fP for the connection. This is
18331933 provides more flexible timeout policy definition than global timeout values
18341934 available at /proc/sys/net/netfilter/nf_conntrack_*_timeout_*.
1835-.SS DNAT (IPv4-specific)
1935+.SS DNAT
18361936 This target is only valid in the
18371937 .B nat
18381938 table, in the
@@ -1842,20 +1942,17 @@ and
18421942 chains, and user-defined chains which are only called from those
18431943 chains. It specifies that the destination address of the packet
18441944 should be modified (and all future packets in this connection will
1845-also be mangled), and rules should cease being examined. It takes one
1846-type of option:
1945+also be mangled), and rules should cease being examined. It takes the
1946+following options:
18471947 .TP
18481948 \fB\-\-to\-destination\fP [\fIipaddr\fP[\fB\-\fP\fIipaddr\fP]][\fB:\fP\fIport\fP[\fB\-\fP\fIport\fP]]
18491949 which can specify a single new destination IP address, an inclusive
1850-range of IP addresses, and optionally, a port range (which is only
1851-valid if the rule also specifies
1852-\fB\-p tcp\fP
1853-or
1854-\fB\-p udp\fP).
1950+range of IP addresses. Optionally a port range,
1951+if the rule also specifies one of the following protocols:
1952+\fBtcp\fP, \fBudp\fP, \fBdccp\fP or \fBsctp\fP.
18551953 If no port range is specified, then the destination port will never be
18561954 modified. If no IP address is specified then only the destination port
18571955 will be modified.
1858-
18591956 In Kernels up to 2.6.10 you can add several \-\-to\-destination options. For
18601957 those kernels, if you specify more than one destination address, either via an
18611958 address range or multiple \-\-to\-destination options, a simple round-robin (one
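Review bot: "Optionally a port range, if the rule also specifies one of the following protocols" is a sentence fragment; attach it to the preceding clause, e.g. "range of IP addresses, and optionally a port range, which is only valid if the rule also specifies one of the following protocols:". Deleting the blank line (`1858-`) also merges the port-mapping paragraph with the "In Kernels up to 2.6.10" paragraph; if a break is still wanted, use `.PP` rather than a blank line.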
@@ -1872,6 +1969,39 @@ is used then port mapping will be randomized (kernel >= 2.6.22).
18721969 Gives a client the same source-/destination-address for each connection.
18731970 This supersedes the SAME target. Support for persistent mappings is available
18741971 from 2.6.29-rc2.
1972+.TP
1973+IPv6 support available since Linux kernels >= 3.7.
1974+.SS DNPT (IPv6-specific)
1975+Provides stateless destination IPv6-to-IPv6 Network Prefix Translation (as
1976+described by RFC 6296).
1977+.PP
1978+You have to use this target in the
1979+.B mangle
1980+table, not in the
1981+.B nat
1982+table. It takes the following options:
1983+.TP
1984+\fB\-\-src\-pfx\fP [\fIprefix/\fP\fIlength]
1985+Set source prefix that you want to translate and length
1986+.TP
1987+\fB\-\-dst\-pfx\fP [\fIprefix/\fP\fIlength]
1988+Set destination prefix that you want to use in the translation and length
1989+.PP
1990+You have to use the SNPT target to undo the translation. Example:
1991+.IP
1992+ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 \! \-o vboxnet0
1993+\-j SNPT \-\-src-pfx fd00::/64 \-\-dst-pfx 2001:e20:2000:40f::/64
1994+.IP
1995+ip6tables \-t mangle \-I PREROUTING \-i wlan0 \-d 2001:e20:2000:40f::/64
1996+\-j DNPT \-\-src-pfx 2001:e20:2000:40f::/64 \-\-dst-pfx fd00::/64
1997+.PP
1998+You may need to enable IPv6 neighbor proxy:
1999+.IP
2000+sysctl -w net.ipv6.conf.all.proxy_ndp=1
2001+.PP
2002+You also have to use the
2003+.B NOTRACK
2004+target to disable connection tracking for translated flows.
18752005 .SS DSCP
18762006 This target allows to alter the value of the DSCP bits within the TOS
18772007 header of the IPv4 packet. As this manipulates a packet, it can only
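Review bot: `\!` in the example `\-s fd00::/64 \! \-o vboxnet0` is the troff transparent-throughput escape, not a way to print an exclamation mark, so the negation may vanish from the rendered page; a plain `!` needs no escaping. In the same section, `[\fIprefix/\fP\fIlength]` never closes the italic font (missing `\fP` after `length`), the square brackets suggest the argument is optional although both options require it, and the example spells the options `\-\-src-pfx`/`\-\-dst-pfx` while the tags use `\-\-src\-pfx`/`\-\-dst\-pfx`. Finally, `.TP` before "IPv6 support available since Linux kernels >= 3.7." creates an empty tagged paragraph; `.PP` is what is wanted here and in the MASQUERADE, NETMAP, REDIRECT and SNAT hunks below.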
@@ -2021,49 +2151,12 @@ iptables \-A INPUT \-p tcp \-\-dport 22 \-j LED \-\-led\-trigger\-id ssh
20212151 .TP
20222152 Then attach the new trigger to an LED:
20232153 echo netfilter\-ssh >/sys/class/leds/\fIledname\fP/trigger
2024-.SS LOG (IPv6-specific)
2154+.SS LOG
20252155 Turn on kernel logging of matching packets. When this option is set
20262156 for a rule, the Linux kernel will print some information on all
2027-matching packets (like most IPv6 IPv6-header fields) via the kernel log
2028-(where it can be read with
2029-.I dmesg
2030-or
2031-.IR syslogd (8)).
2032-This is a "non-terminating target", i.e. rule traversal continues at
2033-the next rule. So if you want to LOG the packets you refuse, use two
2034-separate rules with the same matching criteria, first using target LOG
2035-then DROP (or REJECT).
2036-.TP
2037-\fB\-\-log\-level\fP \fIlevel\fP
2038-Level of logging, which can be (system-specific) numeric or a mnemonic.
2039-Possible values are (in decreasing order of priority): \fBemerg\fP,
2040-\fBalert\fP, \fBcrit\fP, \fBerror\fP, \fBwarning\fP, \fBnotice\fP, \fBinfo\fP
2041-or \fBdebug\fP.
2042-.TP
2043-\fB\-\-log\-prefix\fP \fIprefix\fP
2044-Prefix log messages with the specified prefix; up to 29 letters long,
2045-and useful for distinguishing messages in the logs.
2046-.TP
2047-\fB\-\-log\-tcp\-sequence\fP
2048-Log TCP sequence numbers. This is a security risk if the log is
2049-readable by users.
2050-.TP
2051-\fB\-\-log\-tcp\-options\fP
2052-Log options from the TCP packet header.
2053-.TP
2054-\fB\-\-log\-ip\-options\fP
2055-Log options from the IPv6 packet header.
2056-.TP
2057-\fB\-\-log\-uid\fP
2058-Log the userid of the process which generated the packet.
2059-.SS LOG (IPv4-specific)
2060-Turn on kernel logging of matching packets. When this option is set
2061-for a rule, the Linux kernel will print some information on all
2062-matching packets (like most IP header fields) via the kernel log
2063-(where it can be read with
2064-.I dmesg
2065-or
2066-.IR syslogd (8)).
2157+matching packets (like most IP/IPv6 header fields) via the kernel log
2158+(where it can be read with \fIdmesg(1)\fP or read in the syslog).
2159+.PP
20672160 This is a "non-terminating target", i.e. rule traversal continues at
20682161 the next rule. So if you want to LOG the packets you refuse, use two
20692162 separate rules with the same matching criteria, first using target LOG
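Review bot: "(where it can be read with \fIdmesg(1)\fP or read in the syslog)" repeats "read"; suggest "(where it can be read with \fIdmesg\fP(1) or from the syslog)", keeping the section number outside the italics as the removed `.IR syslogd (8)` did.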
@@ -2087,7 +2180,7 @@ readable by users.
20872180 Log options from the TCP packet header.
20882181 .TP
20892182 \fB\-\-log\-ip\-options\fP
2090-Log options from the IP packet header.
2183+Log options from the IP/IPv6 packet header.
20912184 .TP
20922185 \fB\-\-log\-uid\fP
20932186 Log the userid of the process which generated the packet.
@@ -2119,38 +2212,7 @@ Binary OR the nfmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP
21192212 \fB\-\-xor\-mark\fP \fIbits\fP
21202213 Binary XOR the nfmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP
21212214 \fIbits\fP\fB/0\fP.)
2122-.SS MASQUERADE (IPv6-specific)
2123-This target is only valid in the
2124-.B nat
2125-table, in the
2126-.B POSTROUTING
2127-chain. It should only be used with dynamically assigned IPv6 (dialup)
2128-connections: if you have a static IP address, you should use the SNAT
2129-target. Masquerading is equivalent to specifying a mapping to the IP
2130-address of the interface the packet is going out, but also has the
2131-effect that connections are
2132-.I forgotten
2133-when the interface goes down. This is the correct behavior when the
2134-next dialup is unlikely to have the same interface address (and hence
2135-any established connections are lost anyway).
2136-.TP
2137-\fB\-\-to\-ports\fP \fIport\fP[\fB\-\fP\fIport\fP]
2138-This specifies a range of source ports to use, overriding the default
2139-.B SNAT
2140-source port-selection heuristics (see above). This is only valid
2141-if the rule also specifies
2142-\fB\-p tcp\fP
2143-or
2144-\fB\-p udp\fP.
2145-.TP
2146-\fB\-\-random\fP
2147-Randomize source port mapping
2148-If option
2149-\fB\-\-random\fP
2150-is used then port mapping will be randomized.
2151-.RS
2152-.PP
2153-.SS MASQUERADE (IPv4-specific)
2215+.SS MASQUERADE
21542216 This target is only valid in the
21552217 .B nat
21562218 table, in the
@@ -2169,18 +2231,16 @@ any established connections are lost anyway).
21692231 This specifies a range of source ports to use, overriding the default
21702232 .B SNAT
21712233 source port-selection heuristics (see above). This is only valid
2172-if the rule also specifies
2173-\fB\-p tcp\fP
2174-or
2175-\fB\-p udp\fP.
2234+if the rule also specifies one of the following protocols:
2235+\fBtcp\fP, \fBudp\fP, \fBdccp\fP or \fBsctp\fP.
21762236 .TP
21772237 \fB\-\-random\fP
21782238 Randomize source port mapping
21792239 If option
21802240 \fB\-\-random\fP
21812241 is used then port mapping will be randomized (kernel >= 2.6.21).
2182-.RS
2183-.PP
2242+.TP
2243+IPv6 support available since Linux kernels >= 3.7.
21842244 .SS MIRROR (IPv4-specific)
21852245 This is an experimental demonstration target which inverts the source
21862246 and destination fields in the IP header and retransmits the packet.
@@ -2194,7 +2254,7 @@ chains. Note that the outgoing packets are
21942254 .B NOT
21952255 seen by any packet filtering chains, connection tracking or NAT, to
21962256 avoid loops and other problems.
2197-.SS NETMAP (IPv4-specific)
2257+.SS NETMAP
21982258 This target allows you to statically map a whole network of addresses onto
21992259 another network of addresses. It can only be used from rules in the
22002260 .B nat
@@ -2204,6 +2264,8 @@ table.
22042264 Network address to map to. The resulting address will be constructed in the
22052265 following way: All 'one' bits in the mask are filled in from the new `address'.
22062266 All bits that are zero in the mask are filled in from the original address.
2267+.TP
2268+IPv6 support available since Linux kernels >= 3.7.
22072269 .SS NFLOG
22082270 This target provides logging of matching packets. When this target is
22092271 set for a rule, the Linux kernel will pass the packet to the loaded
@@ -2235,14 +2297,15 @@ result in less overhead per packet, but increase delay until the
22352297 packets reach userspace. The default value is 1.
22362298 .BR
22372299 .SS NFQUEUE
2238-This target is an extension of the QUEUE target. As opposed to QUEUE, it allows
2239-you to put a packet into any specific queue, identified by its 16-bit queue
2240-number.
2241-It can only be used with Kernel versions 2.6.14 or later, since it requires
2242-the
2300+This target passes the packet to userspace using the
2301+\fBnfnetlink_queue\fP handler. The packet is put into the queue
2302+identified by its 16-bit queue number. Userspace can inspect
2303+and modify the packet if desired. Userspace must then drop or
2304+reinject the packet into the kernel. Please see libnetfilter_queue
2305+for details.
22432306 .B
22442307 nfnetlink_queue
2245-kernel support. The \fBqueue-balance\fP option was added in Linux 2.6.31,
2308+was added in Linux 2.6.14. The \fBqueue-balance\fP option was added in Linux 2.6.31,
22462309 \fBqueue-bypass\fP in 2.6.39.
22472310 .TP
22482311 \fB\-\-queue\-num\fP \fIvalue\fP
@@ -2258,11 +2321,18 @@ Packets belonging to the same connection are put into the same nfqueue.
22582321 .TP
22592322 \fB\-\-queue\-bypass\fP
22602323 By default, if no userspace program is listening on an NFQUEUE, then all packets that are to be queued
2261-are dropped. When this option is used, the NFQUEUE rule is silently bypassed instead. The packet
2262-will move on to the next rule.
2324+are dropped. When this option is used, the NFQUEUE rule behaves like ACCEPT instead, and the packet
2325+will move on to the next table.
2326+.PP
2327+.TP
2328+\fB\-\-queue\-cpu-fanout\fP
2329+Available starting Linux kernel 3.10. When used together with
2330+\fB--queue-balance\fP this will use the CPU ID as an index to map packets to
2331+the queues. The idea is that you can improve performance if there's a queue
2332+per CPU. This requires \fB--queue-balance\fP to be specified.
22632333 .SS NOTRACK
2264-This target disables connection tracking for all packets matching that rule.
2265-It is obsoleted by \-j CT \-\-notrack. Like CT, NOTRACK can only be used in
2334+This extension disables connection tracking for all packets matching that rule.
2335+It is equivalent with \-j CT \-\-notrack. Like CT, NOTRACK can only be used in
22662336 the \fBraw\fP table.
22672337 .SS RATEEST
22682338 The RATEEST target collects statistics, performs rate estimation calculation
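Review bot: the reworded `--queue-bypass` text now says the rule "behaves like ACCEPT" and the packet "will move on to the next table" when no userspace program is listening; that is fail-open behaviour and the sentence should say so plainly (e.g. "packets are accepted without being inspected") so that nobody enables bypass on a rule meant to enforce a verdict. Separately, the empty `.PP` directly before the `.TP` of the new `--queue-cpu-fanout` entry should go, the tag `\fB\-\-queue\-cpu-fanout\fP` and the references `\fB--queue-balance\fP` mix escaped and unescaped hyphens (use `\-` throughout), and "It is equivalent with \-j CT \-\-notrack" should be "equivalent to".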
@@ -2277,7 +2347,7 @@ Rate measurement interval, in seconds, milliseconds or microseconds.
22772347 .TP
22782348 \fB\-\-rateest\-ewmalog\fP \fIvalue\fP
22792349 Rate measurement averaging time constant.
2280-.SS REDIRECT (IPv4-specific)
2350+.SS REDIRECT
22812351 This target is only valid in the
22822352 .B nat
22832353 table, in the
@@ -2287,22 +2357,21 @@ and
22872357 chains, and user-defined chains which are only called from those
22882358 chains. It redirects the packet to the machine itself by changing the
22892359 destination IP to the primary address of the incoming interface
2290-(locally-generated packets are mapped to the 127.0.0.1 address).
2360+(locally-generated packets are mapped to the localhost address,
2361+127.0.0.1 for IPv4 and ::1 for IPv6).
22912362 .TP
22922363 \fB\-\-to\-ports\fP \fIport\fP[\fB\-\fP\fIport\fP]
22932364 This specifies a destination port or range of ports to use: without
22942365 this, the destination port is never altered. This is only valid
2295-if the rule also specifies
2296-\fB\-p tcp\fP
2297-or
2298-\fB\-p udp\fP.
2366+if the rule also specifies one of the following protocols:
2367+\fBtcp\fP, \fBudp\fP, \fBdccp\fP or \fBsctp\fP.
22992368 .TP
23002369 \fB\-\-random\fP
23012370 If option
23022371 \fB\-\-random\fP
23032372 is used then port mapping will be randomized (kernel >= 2.6.22).
2304-.RS
2305-.PP
2373+.TP
2374+IPv6 support available starting Linux kernels >= 3.7.
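Review bot: "IPv6 support available starting Linux kernels >= 3.7." differs from the "available since Linux kernels >= 3.7." wording used in the DNAT, MASQUERADE and NETMAP hunks; pick one phrasing for all of them.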
23062375 .SS REJECT (IPv6-specific)
23072376 This is used to send back an error packet in response to the matched
23082377 packet: otherwise it is equivalent to
@@ -2324,10 +2393,9 @@ The type given can be
23242393 \fBicmp6\-adm\-prohibited\fP,
23252394 \fBadm\-prohibited\fP,
23262395 \fBicmp6\-addr\-unreachable\fP,
2327-\fBaddr\-unreach\fP,
2328-\fBicmp6\-port\-unreachable\fP or
2329-\fBport\-unreach\fP
2330-which return the appropriate ICMPv6 error message (\fBport\-unreach\fP is
2396+\fBaddr\-unreach\fP, or
2397+\fBicmp6\-port\-unreachable\fP,
2398+which return the appropriate ICMPv6 error message (\fBicmp6\-port\-unreachable\fP is
23312399 the default). Finally, the option
23322400 \fBtcp\-reset\fP
23332401 can be used on rules which only match the TCP protocol: this causes a
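Review bot: dropping `port-unreach` from the documented type list changes what rule authors can rely on; if the alias is still accepted by the extension it should stay listed (marked deprecated if you like), and if it was removed from the code that removal deserves a mention, since existing rulesets may use it.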
@@ -2358,9 +2426,9 @@ The type given can be
23582426 \fBicmp\-port\-unreachable\fP,
23592427 \fBicmp\-proto\-unreachable\fP,
23602428 \fBicmp\-net\-prohibited\fP,
2361-\fBicmp\-host\-prohibited\fP or
2362-\fBicmp\-admin\-prohibited\fP (*)
2363-which return the appropriate ICMP error message (\fBport\-unreachable\fP is
2429+\fBicmp\-host\-prohibited\fP, or
2430+\fBicmp\-admin\-prohibited\fP (*),
2431+which return the appropriate ICMP error message (\fBicmp\-port\-unreachable\fP is
23642432 the default). The option
23652433 \fBtcp\-reset\fP
23662434 can be used on rules which only match the TCP protocol: this causes a
@@ -2425,28 +2493,28 @@ to the specified one or to the default from the set definition
24252493 .PP
24262494 Use of -j SET requires that ipset kernel support is provided, which, for
24272495 standard kernels, is the case since Linux 2.6.39.
2428-.SS SNAT (IPv4-specific)
2496+.SS SNAT
24292497 This target is only valid in the
24302498 .B nat
24312499 table, in the
24322500 .B POSTROUTING
2433-chain. It specifies that the source address of the packet should be
2501+and
2502+.B INPUT
2503+chains, and user-defined chains which are only called from those
2504+chains. It specifies that the source address of the packet should be
24342505 modified (and all future packets in this connection will also be
2435-mangled), and rules should cease being examined. It takes one type
2436-of option:
2506+mangled), and rules should cease being examined. It takes the
2507+following options:
24372508 .TP
24382509 \fB\-\-to\-source\fP [\fIipaddr\fP[\fB\-\fP\fIipaddr\fP]][\fB:\fP\fIport\fP[\fB\-\fP\fIport\fP]]
24392510 which can specify a single new source IP address, an inclusive range
2440-of IP addresses, and optionally, a port range (which is only valid if
2441-the rule also specifies
2442-\fB\-p tcp\fP
2443-or
2444-\fB\-p udp\fP).
2511+of IP addresses. Optionally a port range,
2512+if the rule also specifies one of the following protocols:
2513+\fBtcp\fP, \fBudp\fP, \fBdccp\fP or \fBsctp\fP.
24452514 If no port range is specified, then source ports below 512 will be
24462515 mapped to other ports below 512: those between 512 and 1023 inclusive
24472516 will be mapped to ports below 1024, and other ports will be mapped to
24482517 1024 or above. Where possible, no port alteration will occur.
2449-
24502518 In Kernels up to 2.6.10, you can add several \-\-to\-source options. For those
24512519 kernels, if you specify more than one source address, either via an address
24522520 range or multiple \-\-to\-source options, a simple round-robin (one after another
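Review bot: the same sentence fragment as in the DNAT hunk appears here: "Optionally a port range, if the rule also specifies ..." should be joined to the preceding clause ("and optionally a port range, which is only valid if ..."). The deleted blank line (`2449-`) likewise merges two paragraphs; use `.PP` if the break should stay.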
@@ -2463,6 +2531,45 @@ is used then port mapping will be randomized (kernel >= 2.6.21).
24632531 Gives a client the same source-/destination-address for each connection.
24642532 This supersedes the SAME target. Support for persistent mappings is available
24652533 from 2.6.29-rc2.
2534+.PP
2535+Kernels prior to 2.6.36-rc1 don't have the ability to
2536+.B SNAT
2537+in the
2538+.B INPUT
2539+chain.
2540+.TP
2541+IPv6 support available since Linux kernels >= 3.7.
2542+.SS SNPT (IPv6-specific)
2543+Provides stateless source IPv6-to-IPv6 Network Prefix Translation (as described
2544+by RFC 6296).
2545+.PP
2546+You have to use this target in the
2547+.B mangle
2548+table, not in the
2549+.B nat
2550+table. It takes the following options:
2551+.TP
2552+\fB\-\-src\-pfx\fP [\fIprefix/\fP\fIlength]
2553+Set source prefix that you want to translate and length
2554+.TP
2555+\fB\-\-dst\-pfx\fP [\fIprefix/\fP\fIlength]
2556+Set destination prefix that you want to use in the translation and length
2557+.PP
2558+You have to use the DNPT target to undo the translation. Example:
2559+.IP
2560+ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 \! \-o vboxnet0
2561+\-j SNPT \-\-src-pfx fd00::/64 \-\-dst-pfx 2001:e20:2000:40f::/64
2562+.IP
2563+ip6tables \-t mangle \-I PREROUTING \-i wlan0 \-d 2001:e20:2000:40f::/64
2564+\-j DNPT \-\-src-pfx 2001:e20:2000:40f::/64 \-\-dst-pfx fd00::/64
2565+.PP
2566+You may need to enable IPv6 neighbor proxy:
2567+.IP
2568+sysctl -w net.ipv6.conf.all.proxy_ndp=1
2569+.PP
2570+You also have to use the
2571+.B NOTRACK
2572+target to disable connection tracking for translated flows.
24662573 .SS TCPMSS
24672574 This target allows to alter the MSS value of TCP SYN packets, to control
24682575 the maximum size for that connection (usually limiting it to your
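Review bot: the SNPT section repeats the DNPT section almost verbatim (both option entries, both example rules, the proxy_ndp sysctl and the NOTRACK note); keep the shared text in one place and have the other section refer to it, otherwise the two copies will drift apart. The points raised on the DNPT hunk apply here unchanged: `\!` is a troff escape, `\fIlength]` leaves the italic font open, and `\-\-src-pfx`/`\-\-dst-pfx` in the example do not match the `\-\-src\-pfx`/`\-\-dst\-pfx` spelling in the tags.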
@@ -2620,7 +2727,8 @@ Decrement the TTL value `value' times.
26202727 \fB\-\-ttl\-inc\fP \fIvalue\fP
26212728 Increment the TTL value `value' times.
26222729 .SS ULOG (IPv4-specific)
2623-This target provides userspace logging of matching packets. When this
2730+This is the deprecated ipv4-only predecessor of the NFLOG target.
2731+It provides userspace logging of matching packets. When this
26242732 target is set for a rule, the Linux kernel will multicast this packet
26252733 through a
26262734 .IR netlink
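Review bot: "ipv4-only" in the new ULOG sentence should be "IPv4-only" to match the capitalisation used everywhere else on the page.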
--- a/original/man8/iptables-restore.8
+++ b/original/man8/iptables-restore.8
@@ -1,4 +1,4 @@
1-.TH IPTABLES-RESTORE 8 "Jan 04, 2001" "" ""
1+.TH IPTABLES-RESTORE 8 "" "iptables 1.4.21" "iptables 1.4.21"
22 .\"
33 .\" Man page written by Harald Welte <laforge@gnumonks.org>
44 .\" It is based on the iptables man page.
@@ -20,13 +20,19 @@
2020 .\"
2121 .SH NAME
2222 iptables-restore \(em Restore IP Tables
23+.P
24+ip6tables-restore \(em Restore IPv6 Tables
2325 .SH SYNOPSIS
2426 \fBiptables\-restore\fP [\fB\-chntv\fP] [\fB\-M\fP \fImodprobe\fP]
27+.P
28+\fBip6tables\-restore\fP [\fB\-chntv\fP] [\fB\-M\fP \fImodprobe\fP]
2529 [\fB\-T\fP \fIname\fP]
2630 .SH DESCRIPTION
2731 .PP
2832 .B iptables-restore
29-is used to restore IP Tables from data specified on STDIN. Use
33+and
34+.B ip6tables-restore
35+are used to restore IP and IPv6 Tables from data specified on STDIN. Use
3036 I/O redirection provided by your shell to read from a file
3137 .TP
3238 \fB\-c\fR, \fB\-\-counters\fR
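Review bot: inserting `.P` and the `\fBip6tables\-restore\fP [\fB\-chntv\fP] [\fB\-M\fP \fImodprobe\fP]` line directly before the unchanged `[\fB\-T\fP \fIname\fP]` line leaves the `-T name` option attached only to the ip6tables-restore synopsis; the iptables-restore line needs its own `[\fB\-T\fP \fIname\fP]`. "restore IP and IPv6 Tables" also reads better as "restore IPv4 and IPv6 tables".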
@@ -35,10 +41,9 @@ restore the values of all packet and byte counters
3541 \fB\-h\fP, \fB\-\-help\fP
3642 Print a short option summary.
3743 .TP
38-\fB\-n\fR, \fB\-\-noflush\fR
39-don't flush the previous contents of the table. If not specified,
40-.B iptables-restore
41-flushes (deletes) all previous contents of the respective table.
44+\fB\-n\fR, \fB\-\-noflush\fR
45+don't flush the previous contents of the table. If not specified,
46+both commands flush (delete) all previous contents of the respective table.
4247 .TP
4348 \fB\-t\fP, \fB\-\-test\fP
4449 Only parse and construct the ruleset, but do not commit it.
@@ -54,8 +59,11 @@ inspect /proc/sys/kernel/modprobe to determine the executable's path.
5459 Restore only the named table even if the input stream contains other ones.
5560 .SH BUGS
5661 None known as of iptables-1.2.1 release
57-.SH AUTHOR
58-Harald Welte <laforge@gnumonks.org>
62+.SH AUTHORS
63+Harald Welte <laforge@gnumonks.org> wrote iptables-restore based on code
64+from Rusty Russell.
65+.br
66+Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-restore.
5967 .SH SEE ALSO
6068 \fBiptables\-save\fP(8), \fBiptables\fP(8)
6169 .PP
--- a/original/man8/iptables-save.8
+++ b/original/man8/iptables-save.8
@@ -1,4 +1,4 @@
1-.TH IPTABLES-SAVE 8 "Jan 04, 2001" "" ""
1+.TH IPTABLES-SAVE 8 "" "iptables 1.4.21" "iptables 1.4.21"
22 .\"
33 .\" Man page written by Harald Welte <laforge@gnumonks.org>
44 .\" It is based on the iptables man page.
@@ -20,13 +20,20 @@
2020 .\"
2121 .SH NAME
2222 iptables-save \(em dump iptables rules to stdout
23+.P
24+ip6tables-save \(em dump iptables rules to stdout
2325 .SH SYNOPSIS
2426 \fBiptables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
2527 [\fB\-t\fP \fItable\fP]
28+.P
29+\fBip6tables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
30+[\fB\-t\fP \fItable\fP
2631 .SH DESCRIPTION
2732 .PP
2833 .B iptables-save
29-is used to dump the contents of an IP Table in easily parseable format
34+and
35+.B ip6tables-save
36+are used to dump the contents of IP or IPv6 Table in easily parseable format
3037 to STDOUT. Use I/O-redirection provided by your shell to write to a file.
3138 .TP
3239 \fB\-M\fP \fImodprobe_program\fP
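Review bot: the new ip6tables-save synopsis line `[\fB\-t\fP \fItable\fP` is missing its closing `]`. The added NAME entry says "ip6tables-save \(em dump iptables rules to stdout" where "ip6tables rules" is meant, and "dump the contents of IP or IPv6 Table" should be "of an IPv4 or IPv6 table".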
@@ -41,8 +48,12 @@ restrict output to only one table. If not specified, output includes all
4148 available tables.
4249 .SH BUGS
4350 None known as of iptables-1.2.1 release
44-.SH AUTHOR
51+.SH AUTHORS
4552 Harald Welte <laforge@gnumonks.org>
53+.br
54+Rusty Russell <rusty@rustcorp.com.au>
55+.br
56+Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-save.
4657 .SH SEE ALSO
4758 \fBiptables\-restore\fP(8), \fBiptables\fP(8)
4859 .PP
--- a/original/man8/iptables.8
+++ b/original/man8/iptables.8
@@ -1,4 +1,4 @@
1-.TH IPTABLES 8 "" "iptables 1.4.18" "iptables 1.4.18"
1+.TH IPTABLES 8 "" "iptables 1.4.21" "iptables 1.4.21"
22 .\"
33 .\" Man page written by Herve Eychenne <rv@wallfire.org> (May 1999)
44 .\" It is based on ipchains page.
@@ -23,10 +23,13 @@
2323 .\"
2424 .\"
2525 .SH NAME
26-iptables \(em administration tool for IPv4 packet filtering and NAT
26+iptables/ip6tables \(em administration tool for IPv4/IPv6 packet filtering and NAT
2727 .SH SYNOPSIS
2828 \fBiptables\fP [\fB\-t\fP \fItable\fP] {\fB\-A\fP|\fB\-C\fP|\fB\-D\fP}
2929 \fIchain\fP \fIrule-specification\fP
30+.P
31+\fBip6tables\fP [\fB\-t\fP \fItable\fP] {\fB\-A\fP|\fB\-C\fP|\fB\-D\fP}
32+\fIchain rule-specification\fP
3033 .PP
3134 \fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-I\fP \fIchain\fP [\fIrulenum\fP] \fIrule-specification\fP
3235 .PP
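Review bot: the added ip6tables synopsis writes `\fIchain rule-specification\fP` while the iptables line above it uses `\fIchain\fP \fIrule-specification\fP`; use the same markup for both. Only the `-A|-C|-D` form gets an ip6tables counterpart here, while the `\-I` form in the context below stays iptables-only, so either add a `.P` line for each form or state once that every form applies to both commands.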
@@ -52,8 +55,8 @@ match = \fB\-m\fP \fImatchname\fP [\fIper-match-options\fP]
5255 .PP
5356 target = \fB\-j\fP \fItargetname\fP [\fIper\-target\-options\fP]
5457 .SH DESCRIPTION
55-\fBIptables\fP is used to set up, maintain, and inspect the
56-tables of IPv4 packet
58+\fBIptables\fP and \fBip6tables\fP are used to set up, maintain, and inspect the
59+tables of IPv4 and IPv6 packet
5760 filter rules in the Linux kernel. Several different tables
5861 may be defined. Each table contains a number of built-in
5962 chains and may also contain user-defined chains.
@@ -64,21 +67,14 @@ a `target', which may be a jump to a user-defined chain in the same
6467 table.
6568 .SH TARGETS
6669 A firewall rule specifies criteria for a packet and a target. If the
67-packet does not match, the next rule in the chain is the examined; if
70+packet does not match, the next rule in the chain is examined; if
6871 it does match, then the next rule is specified by the value of the
69-target, which can be the name of a user-defined chain or one of the
70-special values \fBACCEPT\fP, \fBDROP\fP, \fBQUEUE\fP or \fBRETURN\fP.
72+target, which can be the name of a user-defined chain, one of the targets
73+described in \fBiptables\-extensions\fP(8), or one of the
74+special values \fBACCEPT\fP, \fBDROP\fP or \fBRETURN\fP.
7175 .PP
7276 \fBACCEPT\fP means to let the packet through.
7377 \fBDROP\fP means to drop the packet on the floor.
74-\fBQUEUE\fP means to pass the packet to userspace.
75-(How the packet can be received
76-by a userspace process differs by the particular queue handler. 2.4.x
77-and 2.6.x kernels up to 2.6.13 include the \fBip_queue\fP
78-queue handler. Kernels 2.6.14 and later additionally include the
79-\fBnfnetlink_queue\fP queue handler. Packets with a target of QUEUE will be
80-sent to queue number '0' in this case. Please also see the \fBNFQUEUE\fP
81-target as described later in this man page.)
8278 \fBRETURN\fP means stop traversing this chain and resume at the next
8379 rule in the
8480 previous (calling) chain. If the end of a built-in chain is reached
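Review bot: removing QUEUE from the list of special values also removes the only statement that a QUEUE verdict is delivered to nfnetlink_queue number 0 and that ip_queue was the handler before 2.6.14. Anyone auditing an existing ruleset that still contains `-j QUEUE` loses that mapping; consider keeping a single line next to the remaining ACCEPT/DROP/RETURN text, for instance "the legacy QUEUE target is equivalent to NFQUEUE with queue number 0, see iptables-extensions(8)". The "is the examined" to "is examined" wording fix is correct.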
@@ -111,6 +107,7 @@ connection is encountered. It consists of three built-ins: \fBPREROUTING\fP
111107 (for altering packets as soon as they come in), \fBOUTPUT\fP
112108 (for altering locally-generated packets before routing), and \fBPOSTROUTING\fP
113109 (for altering packets as they are about to go out).
110+IPv6 NAT support is available since kernel 3.7.
114111 .TP
115112 \fBmangle\fP:
116113 This table is used for specialized packet alteration. Until kernel
@@ -143,7 +140,7 @@ before MAC rules. This table provides the following built-in chains:
143140 .RE
144141 .SH OPTIONS
145142 The options that are recognized by
146-\fBiptables\fP can be divided into several different groups.
143+\fBiptables\fP and \fBip6tables\fP can be divided into several different groups.
147144 .SS COMMANDS
148145 These options specify the desired action to perform. Only one of them
149146 can be specified on the command line unless otherwise stated
@@ -245,23 +242,35 @@ add, delete, insert, replace and append commands).
245242 .TP
246243 \fB\-4\fP, \fB\-\-ipv4\fP
247244 This option has no effect in iptables and iptables-restore.
245+If a rule using the \fB\-4\fP option is inserted with (and only with)
246+ip6tables-restore, it will be silently ignored. Any other uses will throw an
247+error. This option allows to put both IPv4 and IPv6 rules in a single rule file
248+for use with both iptables-restore and ip6tables-restore.
248249 .TP
249250 \fB\-6\fP, \fB\-\-ipv6\fP
250251 If a rule using the \fB\-6\fP option is inserted with (and only with)
251252 iptables-restore, it will be silently ignored. Any other uses will throw an
252253 error. This option allows to put both IPv4 and IPv6 rules in a single rule file
253254 for use with both iptables-restore and ip6tables-restore.
255+This option has no effect in ip6tables and ip6tables-restore.
254256 .TP
255257 [\fB!\fP] \fB\-p\fP, \fB\-\-protocol\fP \fIprotocol\fP
256258 The protocol of the rule or of the packet to check.
257259 The specified protocol can be one of \fBtcp\fP, \fBudp\fP, \fBudplite\fP,
258-\fBicmp\fP, \fBesp\fP, \fBah\fP, \fBsctp\fP or the special keyword "\fBall\fP",
260+\fBicmp\fP, \fBicmpv6\fP,\fBesp\fP, \fBah\fP, \fBsctp\fP, \fBmh\fP or the special keyword "\fBall\fP",
259261 or it can be a numeric value, representing one of these protocols or a
260262 different one. A protocol name from /etc/protocols is also allowed.
261263 A "!" argument before the protocol inverts the
262264 test. The number zero is equivalent to \fBall\fP. "\fBall\fP"
263265 will match with all protocols and is taken as default when this
264266 option is omitted.
267+Note that, in ip6tables, IPv6 extension headers except \fBesp\fP are not allowed.
268+\fBesp\fP and \fBipv6\-nonext\fP
269+can be used with Kernel version 2.6.11 or later.
270+The number zero is equivalent to \fBall\fP, which means that you cannot
271+test the protocol field for the value 0 directly. To match on a HBH header,
272+even if it were the last, you cannot use \fB\-p 0\fP, but always need
273+\fB\-m hbh\fP.
265274 .TP
266275 [\fB!\fP] \fB\-s\fP, \fB\-\-source\fP \fIaddress\fP[\fB/\fP\fImask\fP][\fB,\fP\fI...\fP]
267276 Source specification. \fIAddress\fP
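Review bot: the -p paragraph now says "The number zero is equivalent to \fBall\fP" twice, once in the unchanged text (old line 262) and again in the added line 270; fold the added sentence into the existing one so the HBH caveat follows directly from it. Two nits in the same hunk: `\fBicmpv6\fP,\fBesp\fP` is missing the space after the comma, and "IPv6 extension headers except \fBesp\fP are not allowed" immediately followed by "\fBesp\fP and \fBipv6\-nonext\fP can be used" reads as contradictory; say that esp is the only extension header accepted as a -p value and that the other headers need their own match, as the `-m hbh` example already shows.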
@@ -271,9 +280,9 @@ be resolved once only, before the rule is submitted to the kernel.
271280 Please note that specifying any name to be resolved with a remote query such as
272281 DNS is a really bad idea.
273282 The \fImask\fP
274-can be either a network mask or a plain number,
283+can be either an ipv4 network mask (for iptables) or a plain number,
275284 specifying the number of 1's at the left side of the network mask.
276-Thus, a mask of \fI24\fP is equivalent to \fI255.255.255.0\fP.
285+Thus, an iptables mask of \fI24\fP is equivalent to \fI255.255.255.0\fP.
277286 A "!" argument before the address specification inverts the sense of
278287 the address. The flag \fB\-\-src\fP is an alias for this option.
279288 Multiple addresses can be specified, but this will \fBexpand to multiple
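Review bot: "can be either an ipv4 network mask (for iptables) or a plain number" leaves the ip6tables case to inference from a parenthetical; state what ip6tables accepts in the same sentence. Separately, the unchanged warning in this hunk that names resolved with a remote query such as DNS are "a really bad idea" is the security-relevant part of the paragraph: the context above says resolution happens once, before the rule is submitted, so whatever the resolver answered at insertion time becomes the rule permanently; keep that warning prominent in the translation rather than softening it.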
@@ -327,12 +336,13 @@ interface which begins with this name will match. If this option is
327336 omitted, any interface name will match.
328337 .TP
329338 [\fB!\fP] \fB\-f\fP, \fB\-\-fragment\fP
330-This means that the rule only refers to second and further fragments
339+This means that the rule only refers to second and further IPv4 fragments
331340 of fragmented packets. Since there is no way to tell the source or
332341 destination ports of such a packet (or ICMP type), such a packet will
333342 not match any rules which specify them. When the "!" argument
334343 precedes the "\-f" flag, the rule will only match head fragments, or
335-unfragmented packets.
344+unfragmented packets. This option is IPv4 specific, it is not available
345+in ip6tables.
336346 .TP
337347 \fB\-c\fP, \fB\-\-set\-counters\fP \fIpackets bytes\fP
338348 This enables the administrator to initialize the packet and byte
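Review bot: "This option is IPv4 specific, it is not available in ip6tables." is a comma splice; write "This option is IPv4-specific; it is not available in ip6tables." The unchanged sentence above it, that a non-first fragment "will not match any rules which specify" ports or ICMP type, is the part to translate carefully, since it states the gap that port-based rules leave for fragmented traffic.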
@@ -351,6 +361,13 @@ For appending, insertion, deletion and replacement, this causes
351361 detailed information on the rule or rules to be printed. \fB\-v\fP may be
352362 specified multiple times to possibly emit more detailed debug statements.
353363 .TP
364+\fB\-w\fP, \fB\-\-wait\fP
365+Wait for the xtables lock.
366+To prevent multiple instances of the program from running concurrently,
367+an attempt will be made to obtain an exclusive lock at launch. By default,
368+the program will exit if the lock cannot be obtained. This option will
369+make the program wait until the exclusive lock can be obtained.
370+.TP
354371 \fB\-n\fP, \fB\-\-numeric\fP
355372 Numeric output.
356373 IP addresses and port numbers will be printed in numeric format.
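Review bot: the -w text says the program "will exit if the lock cannot be obtained" but not that it exits with an error status and that the rule is not installed, which is what non-interactive callers need to know: a cron job or service that runs iptables while another instance holds the lock ends up with a missing rule unless it checks the exit status or passes -w. Suggest adding "with a non-zero exit status, without applying the rule" and recommending -w for scripts.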
@@ -413,10 +430,6 @@ There are several other changes in iptables.
413430 \fBiptables\-save\fP(8),
414431 \fBiptables\-restore\fP(8),
415432 \fBiptables\-extensions\fP(8),
416-\fBip6tables\fP(8),
417-\fBip6tables\-save\fP(8),
418-\fBip6tables\-restore\fP(8),
419-\fBlibipq\fP(3).
420433 .PP
421434 The packet-filtering-HOWTO details iptables usage for
422435 packet filtering, the NAT-HOWTO details NAT,
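Review bot: dropping \fBip6tables\fP(8), \fBip6tables\-save\fP(8) and \fBip6tables\-restore\fP(8) from SEE ALSO matches the merged NAME line, but the .TH at the top of this file still names only IPTABLES; make sure the installed manual tree still provides ip6tables.8 (and the -save/-restore variants) as aliases or links so `man ip6tables` keeps resolving after the separate pages are gone. Dropping \fBlibipq\fP(3) is consistent with the removal of the QUEUE/ip_queue paragraph in the TARGETS hunk.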
@@ -451,4 +464,4 @@ Man page originally written by Herve Eychenne <rv@wallfire.org>.
451464 .\" .. and most of all, modest ..
452465 .SH VERSION
453466 .PP
454-This manual page applies to iptables 1.4.18.
467+This manual page applies to iptables/ip6tables 1.4.21.
--- a/po4a/man1/iptables-xml.1.ja.po
+++ b/po4a/man1/iptables-xml.1.ja.po
@@ -6,7 +6,7 @@
66 msgid ""
77 msgstr ""
88 "Project-Id-Version: PACKAGE VERSION\n"
9-"POT-Creation-Date: 2013-04-08 14:07+0900\n"
9+"POT-Creation-Date: 2014-05-07 04:08+0900\n"
1010 "PO-Revision-Date: 2013-04-09 00:09+0900\n"
1111 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
1212 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -22,8 +22,8 @@ msgstr "IPTABLES-XML"
2222
2323 #. type: TH
2424 #, no-wrap
25-msgid "Jul 16, 2007"
26-msgstr "Jul 16, 2007"
25+msgid "iptables 1.4.21"
26+msgstr ""
2727
2828 #. Man page written by Sam Liddicott <azez@ufomechanic.net>
2929 #. It is based on the iptables-save man page.
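Review bot: the new header entry "iptables 1.4.21" is left with an empty msgstr, so po4a treats it as untranslated; since it is a version label that needs no translation, copy the msgid into msgstr (as the old "Jul 16, 2007" entry did) so the translation ratio and the rendered header are unaffected. The POT-Creation-Date bump above is fine.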
@@ -176,3 +176,6 @@ msgstr "関連項目"
176176 #. type: Plain text
177177 msgid "B<iptables-save>(8), B<iptables-restore>(8), B<iptables>(8)"
178178 msgstr "B<iptables-save>(8), B<iptables-restore>(8), B<iptables>(8)"
179+
180+#~ msgid "Jul 16, 2007"
181+#~ msgstr "Jul 16, 2007"
--- a/po4a/man8/iptables-apply.8.ja.po
+++ b/po4a/man8/iptables-apply.8.ja.po
@@ -6,7 +6,7 @@
66 msgid ""
77 msgstr ""
88 "Project-Id-Version: PACKAGE VERSION\n"
9-"POT-Creation-Date: 2013-04-08 14:07+0900\n"
9+"POT-Creation-Date: 2014-05-07 04:08+0900\n"
1010 "PO-Revision-Date: 2013-04-08 16:11+0900\n"
1111 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
1212 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -17,13 +17,13 @@ msgstr ""
1717
1818 #. type: TH
1919 #, no-wrap
20-msgid "iptables-apply"
21-msgstr "iptables-apply"
20+msgid "IPTABLES-APPLY"
21+msgstr ""
2222
2323 #. type: TH
2424 #, no-wrap
25-msgid "2006-06-04"
26-msgstr "2006-06-04"
25+msgid "iptables 1.4.21"
26+msgstr ""
2727
2828 #. type: SH
2929 #, no-wrap
@@ -113,3 +113,9 @@ msgstr "このマニュアルページは Martin F. Krafft E<lt>madduck@madduck.
113113 #. type: Plain text
114114 msgid "Permission is granted to copy, distribute and/or modify this document under the terms of the Artistic License 2.0."
115115 msgstr "この文書のコピー、配布、修正は Artistic License 2.0 の下で行うことができる。"
116+
117+#~ msgid "iptables-apply"
118+#~ msgstr "iptables-apply"
119+
120+#~ msgid "2006-06-04"
121+#~ msgstr "2006-06-04"
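Review bot: the two `#~` obsolete entries appended here ("iptables-apply" and "2006-06-04") are dead weight now that the header msgids have changed; unless the project keeps obsolete entries on purpose, purge them with `msgattrib --no-obsolete`, and do the same for the "Jul 16, 2007" entry left in iptables-xml.1.ja.po by this commit. The new "IPTABLES-APPLY" and "iptables 1.4.21" entries above should get their msgid copied into msgstr for the same reason as in iptables-xml.1.ja.po.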
--- a/po4a/man8/iptables-extensions.8.ja.po
+++ b/po4a/man8/iptables-extensions.8.ja.po
@@ -6,7 +6,7 @@
66 msgid ""
77 msgstr ""
88 "Project-Id-Version: PACKAGE VERSION\n"
9-"POT-Creation-Date: 2013-04-08 14:07+0900\n"
9+"POT-Creation-Date: 2014-05-07 04:08+0900\n"
1010 "PO-Revision-Date: 2014-05-07 03:36+0900\n"
1111 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
1212 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -21,8 +21,9 @@ msgid "iptables-extensions"
2121 msgstr "iptables-extensions"
2222
2323 #. type: TH
24-#, no-wrap
25-msgid "iptables 1.4.18"
24+#, fuzzy, no-wrap
25+#| msgid "iptables 1.4.18"
26+msgid "iptables 1.4.21"
2627 msgstr "iptables 1.4.18"
2728
2829 #. type: SH
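Review bot: the header entry is now fuzzy with msgid "iptables 1.4.21" but msgstr still "iptables 1.4.18". po4a ignores fuzzy entries, so the rendered page is fine for now, but unfuzzying it without editing the msgstr would stamp the 1.4.21 page with the old version; set msgstr to "iptables 1.4.21" and drop the fuzzy flag in one step. The same version string is touched in iptables-xml.1.ja.po and iptables-apply.8.ja.po in this commit, so keep the three in sync.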
@@ -257,6 +258,73 @@ msgstr "このモジュールは IPsec パケットの認証ヘッダー (AH)
257258
258259 #. type: SS
259260 #, no-wrap
261+msgid "bpf"
262+msgstr ""
263+
264+#. type: Plain text
265+msgid "Match using Linux Socket Filter. Expects a BPF program in decimal format. This is the format generated by the B<nfbpf_compile> utility."
266+msgstr ""
267+
268+#. type: TP
269+#, fuzzy, no-wrap
270+#| msgid "B<--mode> I<mode>"
271+msgid "B<--bytecode> I<code>"
272+msgstr "B<--mode> I<mode>"
273+
274+#. type: Plain text
275+msgid "Pass the BPF byte code format (described in the example below)."
276+msgstr ""
277+
278+#. type: Plain text
279+msgid "The code format is similar to the output of the tcpdump -ddd command: one line that stores the number of instructions, followed by one line for each instruction. Instruction lines follow the pattern 'u16 u8 u8 u32' in decimal notation. Fields encode the operation, jump offset if true, jump offset if false and generic multiuse field 'K'. Comments are not supported."
280+msgstr ""
281+
282+#. type: Plain text
283+msgid "For example, to read only packets matching 'ip proto 6', insert the following, without the comments or trailing whitespace:"
284+msgstr ""
285+
286+#. type: Plain text
287+msgid "4 # number of instructions"
288+msgstr ""
289+
290+#. type: Plain text
291+msgid "48 0 0 9 # load byte ip-E<gt>proto"
292+msgstr ""
293+
294+#. type: Plain text
295+msgid "21 0 1 6 # jump equal IPPROTO_TCP"
296+msgstr ""
297+
298+#. type: Plain text
299+msgid "6 0 0 1 # return pass (non-zero)"
300+msgstr ""
301+
302+#. type: Plain text
303+msgid "6 0 0 0 # return fail (zero)"
304+msgstr ""
305+
306+#. type: Plain text
307+msgid "You can pass this filter to the bpf match with the following command:"
308+msgstr ""
309+
310+#. type: Plain text
311+msgid "iptables -A OUTPUT -m bpf --bytecode '4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0' -j ACCEPT"
312+msgstr ""
313+
314+#. type: Plain text
315+msgid "Or instead, you can invoke the nfbpf_compile utility."
316+msgstr ""
317+
318+#. type: Plain text
319+msgid "iptables -A OUTPUT -m bpf --bytecode \"`nfbpf_compile RAW 'ip proto 6'`\" -j ACCEPT"
320+msgstr ""
321+
322+#. type: Plain text
323+msgid "You may want to learn more about BPF from FreeBSD's bpf(4) manpage."
324+msgstr ""
325+
326+#. type: SS
327+#, no-wrap
260328 msgid "cluster"
261329 msgstr "cluster"
262330
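Review bot: the fuzzy entry for `B<--bytecode> I<code>` carries the msgstr of an unrelated option, "B<--mode> I<mode>", because gettext matched it by similarity; it must be rewritten, not merely unfuzzied, or the Japanese page will document a --mode option the bpf match does not have. On the content: the example program's "48 0 0 9" loads the byte at offset 9, which is the IP protocol field only because the bpf match sees the packet starting at the IP header (hence the RAW argument to nfbpf_compile); a short translator's note to that effect would stop readers from pasting link-layer `tcpdump -ddd` output, whose offsets include the Ethernet header, into a rule.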
@@ -354,6 +422,10 @@ msgid "arptables -A INPUT -i eth2 --h-length 6 --destination-mac 01:00:5e:00:01:
354422 msgstr "arptables -A INPUT -i eth2 --h-length 6 --destination-mac 01:00:5e:00:01:02 -j mangle --mangle-mac-d 00:zz:yy:xx:5a:27"
355423
356424 #. type: Plain text
425+msgid "B<NOTE>: the arptables commands above use mainstream syntax. If you are using arptables-jf included in some RedHat, CentOS and Fedora versions, you will hit syntax errors. Therefore, you'll have to adapt these to the arptables-jf syntax to get them working."
426+msgstr ""
427+
428+#. type: Plain text
357429 msgid "In the case of TCP connections, pickup facility has to be disabled to avoid marking TCP ACK packets coming in the reply direction as valid."
358430 msgstr "TCP 接続の場合には、応答方向で受信した TCP ACK パケットが有効とマークされないようにするため、ピックアップ (pickup) 機能を無効する必要がある。"
359431
@@ -491,7 +563,8 @@ msgstr "B<--connlimit-daddr>"
491563 msgid "Apply the limit onto the destination group."
492564 msgstr "宛先グループに対して制限を適用する。"
493565
494-#. type: Plain text
566+#. type: TP
567+#, no-wrap
495568 msgid "Examples:"
496569 msgstr "例:"
497570
@@ -679,7 +752,9 @@ msgid "B<NEW>"
679752 msgstr "B<NEW>"
680753
681754 #. type: Plain text
682-msgid "The packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions."
755+#, fuzzy
756+#| msgid "The packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions."
757+msgid "The packet has started a new connection or otherwise associated with a connection which has not seen packets in both directions."
683758 msgstr "そのパケットが新しいコネクションを開始しようとしている。 もしくは、 両方の方向でパケットが観測されていないコネクションに関連付けられる。"
684759
685760 #. type: TP
@@ -697,7 +772,9 @@ msgid "B<RELATED>"
697772 msgstr "B<RELATED>"
698773
699774 #. type: Plain text
700-msgid "The packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error."
775+#, fuzzy
776+#| msgid "The packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error."
777+msgid "The packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer or an ICMP error."
701778 msgstr "そのパケットは、新しいコネクションを開始しようとしているが、 既存のコネクションと関連付けられる。 FTP データ転送や ICMP エラーなどが該当する。"
702779
703780 #. type: TP
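Review bot: the NEW and RELATED conntrack entries are fuzzy only because upstream dropped a comma ("connection, or otherwise" to "connection or otherwise"; "data transfer, or an ICMP error" to "data transfer or an ICMP error"); the existing msgstr still translates the new msgid faithfully, so both can be unfuzzied as they are without retranslation.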
@@ -1170,7 +1247,9 @@ msgid "matching on subnet"
11701247 msgstr "サブネットに対するマッチ"
11711248
11721249 #. type: Plain text
1173-msgid "\"10000 packets per minute for every /28 subnet (groups of 8 addresses) in 10.0.0.0/8\" =E<gt> -s 10.0.0.8 --hashlimit-mask 28 --hashlimit-upto 10000/min"
1250+#, fuzzy
1251+#| msgid "\"10000 packets per minute for every /28 subnet (groups of 8 addresses) in 10.0.0.0/8\" =E<gt> -s 10.0.0.8 --hashlimit-mask 28 --hashlimit-upto 10000/min"
1252+msgid "\"10000 packets per minute for every /28 subnet (groups of 8 addresses) in 10.0.0.0/8\" =E<gt> -s 10.0.0.0/8 --hashlimit-mask 28 --hashlimit-upto 10000/min"
11741253 msgstr "\"10.0.0.0/8 内の /28 サブネット (アドレス 8 個のグループ) それぞれに対して 10000 パケット/秒\" =E<gt> -s 10.0.0.8 --hashlimit-mask 28 --hashlimit-upto 10000/min"
11751254
11761255 #. type: TP
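Review bot: the hashlimit example msgid was corrected upstream from `-s 10.0.0.8` to `-s 10.0.0.0/8`, but the msgstr still has `-s 10.0.0.8`, and it also says "10000 パケット/秒" (per second) where the msgid says "per minute" (`--hashlimit-upto 10000/min`). Fix both when unfuzzying; the per-second mistranslation overstates the rate by a factor of 60, which matters to anyone copying the rule as a rate limit.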
@@ -1611,8 +1690,9 @@ msgid "This allows specification of the Mobility Header(MH) type, which can be a
16111690 msgstr "Mobility Header (MH) タイプを指定できる。 タイプ指定には、 数値の MH タイプか、 以下のコマンドで表示される MH タイプ名を指定できる。"
16121691
16131692 #. type: Plain text
1614-#, no-wrap
1615-msgid " ip6tables -p ipv6-mh -h\n"
1693+#, fuzzy, no-wrap
1694+#| msgid " ip6tables -p ipv6-mh -h\n"
1695+msgid " ip6tables -p mh -h\n"
16161696 msgstr " ip6tables -p ipv6-mh -h\n"
16171697
16181698 #. type: SS
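Review bot: the msgstr still reads `ip6tables -p ipv6-mh -h` while the msgid was changed to `ip6tables -p mh -h`; update the msgstr when unfuzzying so it matches the protocol name \fBmh\fP that the -p paragraph of iptables.8 in this same commit now lists.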
@@ -1621,7 +1701,9 @@ msgid "multiport"
16211701 msgstr "multiport"
16221702
16231703 #. type: Plain text
1624-msgid "This module matches a set of source or destination ports. Up to 15 ports can be specified. A port range (port:port) counts as two ports. It can only be used in conjunction with B<-p tcp> or B<-p udp>."
1704+#, fuzzy
1705+#| msgid "This module matches a set of source or destination ports. Up to 15 ports can be specified. A port range (port:port) counts as two ports. It can only be used in conjunction with B<-p tcp> or B<-p udp>."
1706+msgid "This module matches a set of source or destination ports. Up to 15 ports can be specified. A port range (port:port) counts as two ports. It can only be used in conjunction with one of the following protocols: B<tcp>, B<udp>, B<udplite>, B<dccp> and B<sctp>."
16251707 msgstr "このモジュールは送信元ポートや宛先ポートの集合にマッチする。 ポートは 15 個まで指定できる。 ポートの範囲指定 (port:port) は 2 ポートとカウントされる。 このモジュールが使用できるのは B<-p tcp> か B<-p udp> と組み合わせた場合だけである。"
16261708
16271709 #. type: TP
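Review bot: the multiport msgstr still says the module can only be combined with `-p tcp` or `-p udp`, but the new msgid extends the list to tcp, udp, udplite, dccp and sctp; the last sentence of the msgstr needs rewriting, not just unfuzzying.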
@@ -2289,8 +2371,9 @@ msgid "Match/save the destination address of each packet in the recent list tabl
22892371 msgstr "recent リストのテーブルの照合/保存で、各パケットの宛先アドレスを使う。"
22902372
22912373 #. type: TP
2292-#, no-wrap
2293-msgid "B<--mask>netmask"
2374+#, fuzzy, no-wrap
2375+#| msgid "B<--mask>netmask"
2376+msgid "B<--mask> I<netmask>"
22942377 msgstr "B<--mask>netmask"
22952378
22962379 #. type: Plain text
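Review bot: msgstr "B<--mask>netmask" should become "B<--mask> I<netmask>" to match the corrected msgid (missing space, and the argument is italic); otherwise the Japanese page keeps rendering the option and its argument run together.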
@@ -2369,10 +2452,6 @@ msgid "iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --
23692452 msgstr "iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP"
23702453
23712454 #. type: Plain text
2372-msgid "Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/) also has some examples of usage."
2373-msgstr "Steve の ipt_recent ウェブサイト (http://snowman.net/projects/ipt_recent/) にも使用例がいくつかある。"
2374-
2375-#. type: Plain text
23762455 msgid "B</proc/net/xt_recent/*> are the current lists of addresses and information about each entry of each list."
23772456 msgstr "B</proc/net/xt_recent/*> は現在のアドレスのリストと各リストの各エントリーの情報である。"
23782457
@@ -2683,12 +2762,97 @@ msgid "will match packets, for which (if the set type is ipportmap) the source a
26832762 msgstr ""
26842763
26852764 #. type: TP
2686-#, no-wrap
2687-msgid "B<--return--nomatch>"
2765+#, fuzzy, no-wrap
2766+#| msgid "B<--return--nomatch>"
2767+msgid "B<--return-nomatch>"
26882768 msgstr "B<--return--nomatch>"
26892769
26902770 #. type: Plain text
2691-msgid "If the B<--return--nomatch> option is specified and the set type supports the B<nomatch> flag, then the matching is reversed: a match with an element flagged with B<nomatch> returns B<true>, while a match with a plain element returns B<false>."
2771+msgid "If the B<--return-nomatch> option is specified and the set type supports the B<nomatch> flag, then the matching is reversed: a match with an element flagged with B<nomatch> returns B<true>, while a match with a plain element returns B<false>."
2772+msgstr ""
2773+
2774+#. type: TP
2775+#, fuzzy, no-wrap
2776+#| msgid "[B<!>] B<--update>"
2777+msgid "B<!> B<--update-counters>"
2778+msgstr "[B<!>] B<--update>"
2779+
2780+#. type: Plain text
2781+msgid "If the B<--update-counters> flag is negated, then the packet and byte counters of the matching element in the set won't be updated. Default the packet and byte counters are updated."
2782+msgstr ""
2783+
2784+#. type: TP
2785+#, fuzzy, no-wrap
2786+#| msgid "[B<!>] B<--update>"
2787+msgid "B<!> B<--update-subcounters>"
2788+msgstr "[B<!>] B<--update>"
2789+
2790+#. type: Plain text
2791+msgid "If the B<--update-subcounters> flag is negated, then the packet and byte counters of the matching element in the member set of a list type of set won't be updated. Default the packet and byte counters are updated."
2792+msgstr ""
2793+
2794+#. type: TP
2795+#, fuzzy, no-wrap
2796+#| msgid "[B<!>] B<--hl-eq> I<value>"
2797+msgid "[B<!>] B<--packets-eq> I<value>"
2798+msgstr "[B<!>] B<--hl-eq> I<value>"
2799+
2800+#. type: Plain text
2801+msgid "If the packet is matched an element in the set, match only if the packet counter of the element matches the given value too."
2802+msgstr ""
2803+
2804+#. type: TP
2805+#, fuzzy, no-wrap
2806+#| msgid "B<--hl-lt> I<value>"
2807+msgid "B<--packets-lt> I<value>"
2808+msgstr "B<--hl-lt> I<value>"
2809+
2810+#. type: Plain text
2811+msgid "If the packet is matched an element in the set, match only if the packet counter of the element is less than the given value as well."
2812+msgstr ""
2813+
2814+#. type: TP
2815+#, fuzzy, no-wrap
2816+#| msgid "B<--hl-gt> I<value>"
2817+msgid "B<--packets-gt> I<value>"
2818+msgstr "B<--hl-gt> I<value>"
2819+
2820+#. type: Plain text
2821+msgid "If the packet is matched an element in the set, match only if the packet counter of the element is greater than the given value as well."
2822+msgstr ""
2823+
2824+#. type: TP
2825+#, fuzzy, no-wrap
2826+#| msgid "[B<!>] B<--hl-eq> I<value>"
2827+msgid "[B<!>] B<-bytes-eq> I<value>"
2828+msgstr "[B<!>] B<--hl-eq> I<value>"
2829+
2830+#. type: Plain text
2831+msgid "If the packet is matched an element in the set, match only if the byte counter of the element matches the given value too."
2832+msgstr ""
2833+
2834+#. type: TP
2835+#, fuzzy, no-wrap
2836+#| msgid "B<--hl-lt> I<value>"
2837+msgid "B<--bytes-lt> I<value>"
2838+msgstr "B<--hl-lt> I<value>"
2839+
2840+#. type: Plain text
2841+msgid "If the packet is matched an element in the set, match only if the byte counter of the element is less than the given value as well."
2842+msgstr ""
2843+
2844+#. type: TP
2845+#, fuzzy, no-wrap
2846+#| msgid "B<--hl-gt> I<value>"
2847+msgid "B<--bytes-gt> I<value>"
2848+msgstr "B<--hl-gt> I<value>"
2849+
2850+#. type: Plain text
2851+msgid "If the packet is matched an element in the set, match only if the byte counter of the element is greater than the given value as well."
2852+msgstr ""
2853+
2854+#. type: Plain text
2855+msgid "The packet and byte counters related options and flags are ignored when the set was defined without counter support."
26922856 msgstr ""
26932857
26942858 #. type: Plain text
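Review bot: `[B<!>] B<-bytes-eq> I<value>` has a single dash while every sibling option in this block (`--packets-eq`, `--packets-lt`, `--packets-gt`, `--bytes-lt`, `--bytes-gt`) uses two; treat it as an upstream typo, translate it as `--bytes-eq` and report it rather than copying it. All the fuzzy msgstr values in this block are borrowed from the `--hl-*` entries of a different match and must be replaced, not unfuzzied. The `--return--nomatch` to `--return-nomatch` correction in the msgid should be carried into the msgstr, which still has the double dash in the middle. Finally, "Default the packet and byte counters are updated" in the two counter entries reads "By default ..." and can be translated that way.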
@@ -2705,7 +2869,7 @@ msgid "socket"
27052869 msgstr "socket"
27062870
27072871 #. type: Plain text
2708-msgid "This matches if an open socket can be found by doing a socket lookup on the packet."
2872+msgid "This matches if an open TCP/UDP socket can be found by doing a socket lookup on the packet. It matches if there is an established or non-zero bound listening socket (possibly with a non-local address). The lookup is performed using the B<packet> tuple of TCP/UDP packets, or the original TCP/UDP header B<embedded> in an ICMP/ICPMv6 error packet."
27092873 msgstr ""
27102874
27112875 #. type: TP
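Review bot: the new socket msgid has "ICMP/ICPMv6"; the intended term is ICMPv6, so write it correctly in the translation instead of reproducing the typo. The sentence also adds that the lookup matches a listening socket "possibly with a non-local address", which is the transparent-proxy case the --nowildcard text below warns about; translate it as a statement of what can match, not as a recommendation.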
@@ -2717,6 +2881,26 @@ msgstr "B<--transparent>"
27172881 msgid "Ignore non-transparent sockets."
27182882 msgstr "非透過 (non-transparent) ソケットを無視する。"
27192883
2884+#. type: TP
2885+#, fuzzy, no-wrap
2886+#| msgid "B<--nodst>"
2887+msgid "B<--nowildcard>"
2888+msgstr "B<--nodst>"
2889+
2890+#. type: Plain text
2891+msgid "Do not ignore sockets bound to 'any' address. The socket match won't accept zero-bound listeners by default, since then local services could intercept traffic that would otherwise be forwarded. This option therefore has security implications when used to match traffic being forwarded to redirect such packets to local machine with policy routing. When using the socket match to implement fully transparent proxies bound to non-local addresses it is recommended to use the --transparent option instead."
2892+msgstr ""
2893+
2894+#. type: Plain text
2895+msgid "Example (assuming packets with mark 1 are delivered locally):"
2896+msgstr ""
2897+
2898+#. type: Plain text
2899+#, fuzzy
2900+#| msgid "-t mangle -A PREROUTING -i eth0 -j TEE --gateway 2001:db8::1"
2901+msgid "-t mangle -A PREROUTING -m socket --transparent -j MARK --set-mark 1"
2902+msgstr "-t mangle -A PREROUTING -i eth0 -j TEE --gateway 2001:db8::1"
2903+
27202904 #. type: SS
27212905 #, no-wrap
27222906 msgid "state"
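Review bot: the fuzzy msgstr for the socket example is the TEE example from another section ("-t mangle -A PREROUTING -i eth0 -j TEE --gateway 2001:db8::1"); unfuzzying it unchanged would print a wrong rule under the socket match, so replace it with the `-m socket --transparent -j MARK --set-mark 1` rule. The --nowildcard paragraph is a security warning (a zero-bound local listener could intercept traffic that would otherwise be forwarded) and explicitly prefers --transparent for transparent proxies; keep that as a warning in the translation, not a neutral description. The fuzzy msgstr "B<--nodst>" for the --nowildcard tag is likewise a wrong borrow.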
@@ -2838,6 +3022,24 @@ msgstr "[B<!>] B<--hex-string> I<pattern>"
28383022 msgid "Matches the given pattern in hex notation."
28393023 msgstr "指定された 16 進表記のパターンにマッチする。"
28403024
3025+#. type: Plain text
3026+msgid "# The string pattern can be used for simple text characters."
3027+msgstr ""
3028+
3029+#. type: Plain text
3030+#, fuzzy
3031+#| msgid "iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh"
3032+msgid "iptables -A INPUT -p tcp --dport 80 -m string --algo bm --string 'GET /index.html' -j LOG"
3033+msgstr "iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh"
3034+
3035+#. type: Plain text
3036+msgid "# The hex string pattern can be used for non-printable characters, like |0D 0A| or |0D0A|."
3037+msgstr ""
3038+
3039+#. type: Plain text
3040+msgid "iptables -p udp --dport 53 -m string --algo bm --from 40 --to 57 --hex-string '|03|www|09|netfilter|03|org|00|'"
3041+msgstr ""
3042+
28413043 #. type: SS
28423044 #, no-wrap
28433045 msgid "tcp"
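Review bot: the fuzzy msgstr for the first string example is the LED rule ("... -j LED --led-trigger-id ssh") and must be replaced with the `-m string --algo bm --string 'GET /index.html' -j LOG` rule. Note also that the second example, `iptables -p udp --dport 53 -m string --algo bm --from 40 --to 57 --hex-string '|03|www|09|netfilter|03|org|00|'`, is not a complete command: it has no chain (-A or -I) and no target, so it fails as typed; if the translation keeps it verbatim, label it as the match portion of a rule.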
@@ -3681,12 +3883,15 @@ msgid "Use the timeout policy identified by I<name> for the connection. This is
36813883 msgstr ""
36823884
36833885 #. type: SS
3684-#, no-wrap
3685-msgid "DNAT (IPv4-specific)"
3686-msgstr "DNAT (IPv4 の場合)"
3886+#, fuzzy, no-wrap
3887+#| msgid "B<DNAT>"
3888+msgid "DNAT"
3889+msgstr "B<DNAT>"
36873890
36883891 #. type: Plain text
3689-msgid "This target is only valid in the B<nat> table, in the B<PREROUTING> and B<OUTPUT> chains, and user-defined chains which are only called from those chains. It specifies that the destination address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one type of option:"
3892+#, fuzzy
3893+#| msgid "This target is only valid in the B<nat> table, in the B<PREROUTING> and B<OUTPUT> chains, and user-defined chains which are only called from those chains. It specifies that the destination address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one type of option:"
3894+msgid "This target is only valid in the B<nat> table, in the B<PREROUTING> and B<OUTPUT> chains, and user-defined chains which are only called from those chains. It specifies that the destination address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes the following options:"
36903895 msgstr "このターゲットは B<nat> テーブルの B<PREROUTING>, B<OUTPUT> チェイン、 これらのチェインから呼び出される ユーザー定義チェインのみで有効である。 このターゲットはパケットの宛先アドレスを修正する (このコネクションの以降のパケットも修正して分からなく (mangle) する)。 さらに、 ルールによるチェックを止めさせる。 このターゲットにはオプションが 1 種類ある:"
36913896
36923897 #. type: TP
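Review bot: the DNAT section title lost its "(IPv4-specific)" qualifier and the description now ends "It takes the following options:", but the msgstr still ends with "このターゲットにはオプションが 1 種類ある" (one kind of option); update it when unfuzzying, since --persistent and the IPv6 support note now follow --to-destination. The fuzzy msgstr "B<DNAT>" for the section title should become plain "DNAT" like the other SS titles, not the bold form borrowed from a different entry.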
@@ -3695,11 +3900,9 @@ msgid "B<--to-destination> [I<ipaddr>[B<->I<ipaddr>]][B<:>I<port>[B<->I<port>]]"
36953900 msgstr "B<--to-destination> [I<ipaddr>[B<->I<ipaddr>]][B<:>I<port>[B<->I<port>]]"
36963901
36973902 #. type: Plain text
3698-msgid "which can specify a single new destination IP address, an inclusive range of IP addresses, and optionally, a port range (which is only valid if the rule also specifies B<-p tcp> or B<-p udp>). If no port range is specified, then the destination port will never be modified. If no IP address is specified then only the destination port will be modified."
3699-msgstr "1 つの新しい宛先 IP アドレス、 または IP アドレスの範囲が指定できる。 ポートの範囲を指定することもできる (これはルールで B<-p tcp> または B<-p udp> を指定している場合にのみ有効)。 ポートの範囲が指定されていない場合、 宛先ポートは変更されない。 IP アドレスが指定されなかった場合は、 宛先ポートだけが変更される。"
3700-
3701-#. type: Plain text
3702-msgid "In Kernels up to 2.6.10 you can add several --to-destination options. For those kernels, if you specify more than one destination address, either via an address range or multiple --to-destination options, a simple round-robin (one after another in cycle) load balancing takes place between these addresses. Later Kernels (E<gt>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore."
3903+#, fuzzy
3904+#| msgid "In Kernels up to 2.6.10 you can add several --to-destination options. For those kernels, if you specify more than one destination address, either via an address range or multiple --to-destination options, a simple round-robin (one after another in cycle) load balancing takes place between these addresses. Later Kernels (E<gt>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore."
3905+msgid "which can specify a single new destination IP address, an inclusive range of IP addresses. Optionally a port range, if the rule also specifies one of the following protocols: B<tcp>, B<udp>, B<dccp> or B<sctp>. If no port range is specified, then the destination port will never be modified. If no IP address is specified then only the destination port will be modified. In Kernels up to 2.6.10 you can add several --to-destination options. For those kernels, if you specify more than one destination address, either via an address range or multiple --to-destination options, a simple round-robin (one after another in cycle) load balancing takes place between these addresses. Later Kernels (E<gt>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore."
37033906 msgstr "2.6.10 以前のカーネルでは、 複数の --to-destination オプションを指定することができる。 これらのカーネルでは、 アドレスの範囲指定や --to-destination オプションの複数回指定により 2 つ以上の宛先アドレスを指定した場合、 それらのアドレスを使った単純なラウンドロビンによる負荷分散が行われる。 それ以降のカーネル (E<gt>= 2.6.11-rc1) には複数の範囲を NAT する機能は存在しない。"
37043907
37053908 #. type: TP
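Review bot: upstream merged the two --to-destination paragraphs into one msgid, and gettext kept only the second paragraph's translation (the 2.6.10 round-robin text) as the fuzzy msgstr; the translation of the first paragraph, which this hunk deletes (single address, inclusive range, optional port range, "宛先ポートは変更されない"), has to be pasted back in front of it with the protocol list extended to tcp, udp, dccp and sctp, or the Japanese page loses the description of what the option accepts.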
@@ -3720,6 +3923,69 @@ msgstr "B<--persistent>"
37203923 msgid "Gives a client the same source-/destination-address for each connection. This supersedes the SAME target. Support for persistent mappings is available from 2.6.29-rc2."
37213924 msgstr ""
37223925
3926+#. type: TP
3927+#, no-wrap
3928+msgid "IPv6 support available since Linux kernels E<gt>= 3.7."
3929+msgstr ""
3930+
3931+#. type: SS
3932+#, fuzzy, no-wrap
3933+#| msgid "DNAT (IPv4-specific)"
3934+msgid "DNPT (IPv6-specific)"
3935+msgstr "DNAT (IPv4 の場合)"
3936+
3937+#. type: Plain text
3938+msgid "Provides stateless destination IPv6-to-IPv6 Network Prefix Translation (as described by RFC 6296)."
3939+msgstr ""
3940+
3941+#. type: Plain text
3942+msgid "You have to use this target in the B<mangle> table, not in the B<nat> table. It takes the following options:"
3943+msgstr ""
3944+
3945+#. type: TP
3946+#, fuzzy, no-wrap
3947+#| msgid "B<--connlimit-mask> I<prefix_length>"
3948+msgid "B<--src-pfx> [I<prefix/>I<length]>"
3949+msgstr "B<--connlimit-mask> I<prefix_length>"
3950+
3951+#. type: Plain text
3952+msgid "Set source prefix that you want to translate and length"
3953+msgstr ""
3954+
3955+#. type: TP
3956+#, fuzzy, no-wrap
3957+#| msgid "B<--connlimit-mask> I<prefix_length>"
3958+msgid "B<--dst-pfx> [I<prefix/>I<length]>"
3959+msgstr "B<--connlimit-mask> I<prefix_length>"
3960+
3961+#. type: Plain text
3962+msgid "Set destination prefix that you want to use in the translation and length"
3963+msgstr ""
3964+
3965+#. type: Plain text
3966+msgid "You have to use the SNPT target to undo the translation. Example:"
3967+msgstr ""
3968+
3969+#. type: Plain text
3970+msgid "ip6tables -t mangle -I POSTROUTING -s fd00::/64 \\! -o vboxnet0 -j SNPT --src-pfx fd00::/64 --dst-pfx 2001:e20:2000:40f::/64"
3971+msgstr ""
3972+
3973+#. type: Plain text
3974+msgid "ip6tables -t mangle -I PREROUTING -i wlan0 -d 2001:e20:2000:40f::/64 -j DNPT --src-pfx 2001:e20:2000:40f::/64 --dst-pfx fd00::/64"
3975+msgstr ""
3976+
3977+#. type: Plain text
3978+msgid "You may need to enable IPv6 neighbor proxy:"
3979+msgstr ""
3980+
3981+#. type: Plain text
3982+msgid "sysctl -w net.ipv6.conf.all.proxy_ndp=1"
3983+msgstr ""
3984+
3985+#. type: Plain text
3986+msgid "You also have to use the B<NOTRACK> target to disable connection tracking for translated flows."
3987+msgstr ""
3988+
37233989 #. type: SS
37243990 #, no-wrap
37253991 msgid "DSCP"
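Review bot: the fuzzy msgstr entries in the new DNPT section carry translations copied from unrelated entries (msgstr "DNAT (IPv4 の場合)" under msgid "DNPT (IPv6-specific)", and msgstr "B<--connlimit-mask> I<prefix_length>" under both B<--src-pfx> and B<--dst-pfx>); if the fuzzy flags are ever cleared without retranslating, the rendered page would name the wrong target and the wrong options. Suggest replacing them now, e.g. msgstr "DNPT (IPv6 の場合)", and giving the closing sentence about the B<NOTRACK> target a translation as well, since the msgid states that disabling connection tracking is required for translated flows and a reader of the Japanese page would otherwise miss that requirement.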
@@ -4026,14 +4292,23 @@ msgid "echo netfilter-ssh E<gt>/sys/class/leds/I<ledname>/trigger"
40264292 msgstr "echo netfilter-ssh E<gt>/sys/class/leds/I<ledname>/trigger"
40274293
40284294 #. type: SS
4029-#, no-wrap
4030-msgid "LOG (IPv6-specific)"
4031-msgstr "LOG (IPv6 の場合)"
4295+#, fuzzy, no-wrap
4296+#| msgid "NFLOG"
4297+msgid "LOG"
4298+msgstr "NFLOG"
40324299
40334300 #. type: Plain text
4034-msgid "Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will print some information on all matching packets (like most IPv6 IPv6-header fields) via the kernel log (where it can be read with I<dmesg> or I<syslogd>(8)). This is a \"non-terminating target\", i.e. rule traversal continues at the next rule. So if you want to LOG the packets you refuse, use two separate rules with the same matching criteria, first using target LOG then DROP (or REJECT)."
4301+#, fuzzy
4302+#| msgid "Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will print some information on all matching packets (like most IPv6 IPv6-header fields) via the kernel log (where it can be read with I<dmesg> or I<syslogd>(8)). This is a \"non-terminating target\", i.e. rule traversal continues at the next rule. So if you want to LOG the packets you refuse, use two separate rules with the same matching criteria, first using target LOG then DROP (or REJECT)."
4303+msgid "Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will print some information on all matching packets (like most IP/IPv6 header fields) via the kernel log (where it can be read with I<dmesg(1)> or read in the syslog)."
40354304 msgstr "マッチしたパケットをカーネルログに記録する。 このオプションがルールに対して設定されると、 Linux カーネルはマッチしたパケットについての (IPv6 における大部分の IPv6 ヘッダーフィールドのような) 何らかの情報を カーネルログに表示する (カーネルログは I<dmesg> または I<syslogd>(8) で見ることができる)。 これは「非終了タ ーゲット」である。 すなわち、 ルールの探索は、 次のルールへと継続される。 よって、 拒否するパケットをログ記録したければ、 同じマッチング判断基準を持つ 2 つのルールを使用し、 最初のルールで LOG ターゲットを、 次のルールで DROP (または REJECT) ターゲットを指定する。"
40364305
4306+#. type: Plain text
4307+#, fuzzy
4308+#| msgid "Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will print some information on all matching packets (like most IP header fields) via the kernel log (where it can be read with I<dmesg> or I<syslogd>(8)). This is a \"non-terminating target\", i.e. rule traversal continues at the next rule. So if you want to LOG the packets you refuse, use two separate rules with the same matching criteria, first using target LOG then DROP (or REJECT)."
4309+msgid "This is a \"non-terminating target\", i.e. rule traversal continues at the next rule. So if you want to LOG the packets you refuse, use two separate rules with the same matching criteria, first using target LOG then DROP (or REJECT)."
4310+msgstr "マッチしたパケットをカーネルログに記録する。 このオプションがルールに対して設定されると、 Linux カーネルはマッチしたパケットについての (大部分の IP ヘッダーフィールドのような) 何らかの情報を カーネルログに表示する (カーネルログは I<dmesg> または I<syslogd>(8) で見ることができる)。 これは \"非終了ターゲット\" である。 すなわち、 ルールの探索は次のルールへと継続される。 よって、 拒否するパケットをログ記録したければ、 同じマッチング判断基準を持つ 2 つのルールを使用し、 最初のルールで LOG ターゲットを、 次のルールで DROP (または REJECT) ターゲットを指定する。"
4311+
40374312 #. type: TP
40384313 #, no-wrap
40394314 msgid "B<--log-level> I<level>"
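Review bot: the two new LOG "Plain text" entries each received the full old paragraph as their fuzzy msgstr, so the "非終了ターゲット" / LOG-then-DROP sentences would appear twice once the fuzzy flags are cleared; trim the first msgstr to the kernel-logging sentences and the second to the non-terminating-target sentences. The heading msgid "LOG" has fuzzy msgstr "NFLOG", which would mislabel the section; set it to "LOG". The first msgid also now refers to I<dmesg(1)> and "the syslog" instead of I<syslogd>(8), so the translation should follow the new wording.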
@@ -4079,7 +4354,9 @@ msgid "B<--log-ip-options>"
40794354 msgstr "B<--log-ip-options>"
40804355
40814356 #. type: Plain text
4082-msgid "Log options from the IPv6 packet header."
4357+#, fuzzy
4358+#| msgid "Log options from the IPv6 packet header."
4359+msgid "Log options from the IP/IPv6 packet header."
40834360 msgstr "IPv6 パケットヘッダーのオプションをログに記録する。"
40844361
40854362 #. type: TP
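Review bot: the msgid now reads "IP/IPv6 packet header" but the fuzzy msgstr still says "IPv6 パケットヘッダー"; update it to cover both families (e.g. "IP/IPv6 パケットヘッダー"), since this entry now serves the merged LOG section used by both iptables and ip6tables.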
@@ -4093,19 +4370,6 @@ msgstr ""
40934370
40944371 #. type: SS
40954372 #, no-wrap
4096-msgid "LOG (IPv4-specific)"
4097-msgstr "LOG (IPv4 の場合)"
4098-
4099-#. type: Plain text
4100-msgid "Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will print some information on all matching packets (like most IP header fields) via the kernel log (where it can be read with I<dmesg> or I<syslogd>(8)). This is a \"non-terminating target\", i.e. rule traversal continues at the next rule. So if you want to LOG the packets you refuse, use two separate rules with the same matching criteria, first using target LOG then DROP (or REJECT)."
4101-msgstr "マッチしたパケットをカーネルログに記録する。 このオプションがルールに対して設定されると、 Linux カーネルはマッチしたパケットについての (大部分の IP ヘッダーフィールドのような) 何らかの情報を カーネルログに表示する (カーネルログは I<dmesg> または I<syslogd>(8) で見ることができる)。 これは \"非終了ターゲット\" である。 すなわち、 ルールの探索は次のルールへと継続される。 よって、 拒否するパケットをログ記録したければ、 同じマッチング判断基準を持つ 2 つのルールを使用し、 最初のルールで LOG ターゲットを、 次のルールで DROP (または REJECT) ターゲットを指定する。"
4102-
4103-#. type: Plain text
4104-msgid "Log options from the IP packet header."
4105-msgstr "IP パケットヘッダーのオプションをログに記録する。"
4106-
4107-#. type: SS
4108-#, no-wrap
41094373 msgid "MARK"
41104374 msgstr "MARK"
41114375
@@ -4139,12 +4403,12 @@ msgstr ""
41394403
41404404 #. type: SS
41414405 #, no-wrap
4142-msgid "MASQUERADE (IPv6-specific)"
4143-msgstr "MASQUERADE (IPv6 の場合)"
4406+msgid "MASQUERADE"
4407+msgstr ""
41444408
41454409 #. type: Plain text
4146-msgid "This target is only valid in the B<nat> table, in the B<POSTROUTING> chain. It should only be used with dynamically assigned IPv6 (dialup) connections: if you have a static IP address, you should use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out, but also has the effect that connections are I<forgotten> when the interface goes down. This is the correct behavior when the next dialup is unlikely to have the same interface address (and hence any established connections are lost anyway)."
4147-msgstr "このターゲットは B<nat> テーブルの B<POSTROUTING> チェインのみで有効である。 動的割り当て IPv6 (ダイヤルアップ) コネクションの場合にのみ使うべきである。 固定 IP アドレスならば、 SNAT ターゲットを使うべきである。 マスカレーディングは、 パケットが送信されるインターフェースの IP アドレスへのマッピングを指定するのと同じであるが、 インターフェースが停止した場合にコネクションをI<忘れる>という効果がある。 次のダイヤルアップでは同じインターフェースアドレスになる可能性が低い (そのため、 前回確立されたコネクションは失われる) 場合、 この動作は正しい。"
4410+msgid "This target is only valid in the B<nat> table, in the B<POSTROUTING> chain. It should only be used with dynamically assigned IP (dialup) connections: if you have a static IP address, you should use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out, but also has the effect that connections are I<forgotten> when the interface goes down. This is the correct behavior when the next dialup is unlikely to have the same interface address (and hence any established connections are lost anyway)."
4411+msgstr "このターゲットは B<nat> テーブルの B<POSTROUTING> チェインのみで有効である。 動的割り当て IP (ダイヤルアップ) コネクションの場合にのみ使うべきである。 固定 IP アドレスならば、 SNAT ターゲットを使うべきである。 マスカレーディングは、 パケットが送信されるインターフェースの IP アドレスへのマッピングを指定するのと同じであるが、 インターフェースが停止した場合にコネクションをI<忘れる>という効果がある。 次のダイヤルアップでは同じインターフェースアドレスになる可能性が低い (そのため、 前回確立されたコネクションは失われる) 場合、 この動作は正しい。"
41484412
41494413 #. type: TP
41504414 #, no-wrap
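Review bot: msgid "MASQUERADE" is given an empty msgstr, unlike the neighbouring headings ("MARK"/"MARK", "NFQUEUE"/"NFQUEUE"); an empty msgstr counts as untranslated for po4a's translation-percentage threshold, so prefer msgstr "MASQUERADE" (the same applies to the "NETMAP" and "REDIRECT" headings below). The merged description and its msgstr are consistent with each other (IPv6 replaced by IP on both sides).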
@@ -4152,23 +4416,12 @@ msgid "B<--to-ports> I<port>[B<->I<port>]"
41524416 msgstr "B<--to-ports> I<port>[B<->I<port>]"
41534417
41544418 #. type: Plain text
4155-msgid "This specifies a range of source ports to use, overriding the default B<SNAT> source port-selection heuristics (see above). This is only valid if the rule also specifies B<-p tcp> or B<-p udp>."
4419+#, fuzzy
4420+#| msgid "This specifies a range of source ports to use, overriding the default B<SNAT> source port-selection heuristics (see above). This is only valid if the rule also specifies B<-p tcp> or B<-p udp>."
4421+msgid "This specifies a range of source ports to use, overriding the default B<SNAT> source port-selection heuristics (see above). This is only valid if the rule also specifies one of the following protocols: B<tcp>, B<udp>, B<dccp> or B<sctp>."
41564422 msgstr "このオプションは、 使用する送信元ポートの範囲を指定し、 デフォルトの B<SNAT> 送信元ポートの選択方法 (上記) よりも優先される。 ルールが B<-p tcp> または B<-p udp> を指定している場合にのみ有効である。"
41574423
41584424 #. type: Plain text
4159-msgid "Randomize source port mapping If option B<--random> is used then port mapping will be randomized."
4160-msgstr ""
4161-
4162-#. type: SS
4163-#, no-wrap
4164-msgid "MASQUERADE (IPv4-specific)"
4165-msgstr "MASQUERADE (IPv4 の場合)"
4166-
4167-#. type: Plain text
4168-msgid "This target is only valid in the B<nat> table, in the B<POSTROUTING> chain. It should only be used with dynamically assigned IP (dialup) connections: if you have a static IP address, you should use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out, but also has the effect that connections are I<forgotten> when the interface goes down. This is the correct behavior when the next dialup is unlikely to have the same interface address (and hence any established connections are lost anyway)."
4169-msgstr "このターゲットは B<nat> テーブルの B<POSTROUTING> チェインのみで有効である。 動的割り当て IP (ダイヤルアップ) コネクションの場合にのみ使うべきである。 固定 IP アドレスならば、 SNAT ターゲットを使うべきである。 マスカレーディングは、 パケットが送信されるインターフェースの IP アドレスへのマッピングを指定するのと同じであるが、 インターフェースが停止した場合にコネクションをI<忘れる>という効果がある。 次のダイヤルアップでは同じインターフェースアドレスになる可能性が低い (そのため、 前回確立されたコネクションは失われる) 場合、 この動作は正しい。"
4170-
4171-#. type: Plain text
41724425 msgid "Randomize source port mapping If option B<--random> is used then port mapping will be randomized (kernel E<gt>= 2.6.21)."
41734426 msgstr ""
41744427
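Review bot: the msgid for B<--to-ports> now lists B<tcp>, B<udp>, B<dccp> or B<sctp>, but the fuzzy msgstr still says "ルールが B<-p tcp> または B<-p udp> を指定している場合にのみ有効"; it must list all four protocols before the fuzzy flag is removed. The surviving "Randomize source port mapping If option B<--random> ... (kernel E<gt>= 2.6.21)" entry remains untranslated now that the IPv6 variant without the kernel note is gone.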
@@ -4183,8 +4436,8 @@ msgstr "実験的なデモンストレーション用のターゲットであり
41834436
41844437 #. type: SS
41854438 #, no-wrap
4186-msgid "NETMAP (IPv4-specific)"
4187-msgstr "NETMAP (IPv4 の場合)"
4439+msgid "NETMAP"
4440+msgstr ""
41884441
41894442 #. type: Plain text
41904443 msgid "This target allows you to statically map a whole network of addresses onto another network of addresses. It can only be used from rules in the B<nat> table."
@@ -4250,7 +4503,7 @@ msgid "NFQUEUE"
42504503 msgstr "NFQUEUE"
42514504
42524505 #. type: Plain text
4253-msgid "This target is an extension of the QUEUE target. As opposed to QUEUE, it allows you to put a packet into any specific queue, identified by its 16-bit queue number. It can only be used with Kernel versions 2.6.14 or later, since it requires the B<nfnetlink_queue> kernel support. The B<queue-balance> option was added in Linux 2.6.31, B<queue-bypass> in 2.6.39."
4506+msgid "This target passes the packet to userspace using the B<nfnetlink_queue> handler. The packet is put into the queue identified by its 16-bit queue number. Userspace can inspect and modify the packet if desired. Userspace must then drop or reinject the packet into the kernel. Please see libnetfilter_queue for details. B<nfnetlink_queue> was added in Linux 2.6.14. The B<queue-balance> option was added in Linux 2.6.31, B<queue-bypass> in 2.6.39."
42544507 msgstr ""
42554508
42564509 #. type: TP
@@ -4277,7 +4530,17 @@ msgid "B<--queue-bypass>"
42774530 msgstr "B<--queue-bypass>"
42784531
42794532 #. type: Plain text
4280-msgid "By default, if no userspace program is listening on an NFQUEUE, then all packets that are to be queued are dropped. When this option is used, the NFQUEUE rule is silently bypassed instead. The packet will move on to the next rule."
4533+msgid "By default, if no userspace program is listening on an NFQUEUE, then all packets that are to be queued are dropped. When this option is used, the NFQUEUE rule behaves like ACCEPT instead, and the packet will move on to the next table."
4534+msgstr ""
4535+
4536+#. type: TP
4537+#, fuzzy, no-wrap
4538+#| msgid "B<--queue-bypass>"
4539+msgid "B<--queue-cpu-fanout>"
4540+msgstr "B<--queue-bypass>"
4541+
4542+#. type: Plain text
4543+msgid "Available starting Linux kernel 3.10. When used together with B<--queue-balance> this will use the CPU ID as an index to map packets to the queues. The idea is that you can improve performance if there's a queue per CPU. This requires B<--queue-balance> to be specified."
42814544 msgstr ""
42824545
42834546 #. type: SS
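Review bot: the new B<--queue-cpu-fanout> entry has fuzzy msgstr "B<--queue-bypass>", which would render the wrong option name; replace it with "B<--queue-cpu-fanout>". The B<--queue-bypass> msgid also changed meaning (the rule now "behaves like ACCEPT" and the packet moves on to the next table, not to the next rule); that entry and the cpu-fanout description are both untranslated, and the bypass change deserves an accurate translation because, per the new wording, later rules in the same chain no longer see the packet when no userspace listener is present.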
@@ -4286,7 +4549,7 @@ msgid "NOTRACK"
42864549 msgstr "NOTRACK"
42874550
42884551 #. type: Plain text
4289-msgid "This target disables connection tracking for all packets matching that rule. It is obsoleted by -j CT --notrack. Like CT, NOTRACK can only be used in the B<raw> table."
4552+msgid "This extension disables connection tracking for all packets matching that rule. It is equivalent with -j CT --notrack. Like CT, NOTRACK can only be used in the B<raw> table."
42904553 msgstr ""
42914554
42924555 #. type: SS
@@ -4327,17 +4590,26 @@ msgstr ""
43274590
43284591 #. type: SS
43294592 #, no-wrap
4330-msgid "REDIRECT (IPv4-specific)"
4331-msgstr "REDIRECT (IPv4 の場合)"
4593+msgid "REDIRECT"
4594+msgstr ""
43324595
43334596 #. type: Plain text
4334-msgid "This target is only valid in the B<nat> table, in the B<PREROUTING> and B<OUTPUT> chains, and user-defined chains which are only called from those chains. It redirects the packet to the machine itself by changing the destination IP to the primary address of the incoming interface (locally-generated packets are mapped to the 127.0.0.1 address)."
4597+#, fuzzy
4598+#| msgid "This target is only valid in the B<nat> table, in the B<PREROUTING> and B<OUTPUT> chains, and user-defined chains which are only called from those chains. It redirects the packet to the machine itself by changing the destination IP to the primary address of the incoming interface (locally-generated packets are mapped to the 127.0.0.1 address)."
4599+msgid "This target is only valid in the B<nat> table, in the B<PREROUTING> and B<OUTPUT> chains, and user-defined chains which are only called from those chains. It redirects the packet to the machine itself by changing the destination IP to the primary address of the incoming interface (locally-generated packets are mapped to the localhost address, 127.0.0.1 for IPv4 and ::1 for IPv6)."
43354600 msgstr "このターゲットは、 B<nat> テーブルの B<PREROUTING> チェインと B<OUTPUT> チェイン、 およびこれらチェインから呼び出されるユーザー定義チェインでのみ有効である。 このターゲットは、 宛先 IP をパケットを受信したインタフェースの最初のアドレスに変更することで、 パケットをそのマシン自身にリダイレクトする (ローカルで生成されたパケットは、 アドレス 127.0.0.1 にマップされる)。"
43364601
43374602 #. type: Plain text
4338-msgid "This specifies a destination port or range of ports to use: without this, the destination port is never altered. This is only valid if the rule also specifies B<-p tcp> or B<-p udp>."
4603+#, fuzzy
4604+#| msgid "This specifies a destination port or range of ports to use: without this, the destination port is never altered. This is only valid if the rule also specifies B<-p tcp> or B<-p udp>."
4605+msgid "This specifies a destination port or range of ports to use: without this, the destination port is never altered. This is only valid if the rule also specifies one of the following protocols: B<tcp>, B<udp>, B<dccp> or B<sctp>."
43394606 msgstr "このオプションは使用される宛先ポート・ポート範囲・複数ポートを指定する。 このオプションが指定されない場合、 宛先ポートは変更されない。 ルールが B<-p tcp> または B<-p udp> を指定している場合にのみ有効である。"
43404607
4608+#. type: TP
4609+#, no-wrap
4610+msgid "IPv6 support available starting Linux kernels E<gt>= 3.7."
4611+msgstr ""
4612+
43414613 #. type: SS
43424614 #, no-wrap
43434615 msgid "REJECT (IPv6-specific)"
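Review bot: the REDIRECT description msgid now adds "::1 for IPv6" after 127.0.0.1, and the B<--to-ports> msgid lists B<tcp>, B<udp>, B<dccp> or B<sctp>; both fuzzy msgstr still reflect the old IPv4-only text (127.0.0.1 only; B<-p tcp> または B<-p udp> only) and need updating. The new TP entry "IPv6 support available starting Linux kernels E<gt>= 3.7." is untranslated; the same statement appears (worded "since") in the DNAT hunk above, so the two translations should be kept consistent.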
@@ -4359,7 +4631,9 @@ msgid "B<--reject-with> I<type>"
43594631 msgstr "B<--reject-with> I<type>"
43604632
43614633 #. type: Plain text
4362-msgid "The type given can be B<icmp6-no-route>, B<no-route>, B<icmp6-adm-prohibited>, B<adm-prohibited>, B<icmp6-addr-unreachable>, B<addr-unreach>, B<icmp6-port-unreachable> or B<port-unreach> which return the appropriate ICMPv6 error message (B<port-unreach> is the default). Finally, the option B<tcp-reset> can be used on rules which only match the TCP protocol: this causes a TCP RST packet to be sent back. This is mainly useful for blocking I<ident> (113/tcp) probes which frequently occur when sending mail to broken mail hosts (which won't accept your mail otherwise). B<tcp-reset> can only be used with kernel versions 2.6.14 or later."
4634+#, fuzzy
4635+#| msgid "The type given can be B<icmp6-no-route>, B<no-route>, B<icmp6-adm-prohibited>, B<adm-prohibited>, B<icmp6-addr-unreachable>, B<addr-unreach>, B<icmp6-port-unreachable> or B<port-unreach> which return the appropriate ICMPv6 error message (B<port-unreach> is the default). Finally, the option B<tcp-reset> can be used on rules which only match the TCP protocol: this causes a TCP RST packet to be sent back. This is mainly useful for blocking I<ident> (113/tcp) probes which frequently occur when sending mail to broken mail hosts (which won't accept your mail otherwise). B<tcp-reset> can only be used with kernel versions 2.6.14 or later."
4636+msgid "The type given can be B<icmp6-no-route>, B<no-route>, B<icmp6-adm-prohibited>, B<adm-prohibited>, B<icmp6-addr-unreachable>, B<addr-unreach>, or B<icmp6-port-unreachable>, which return the appropriate ICMPv6 error message (B<icmp6-port-unreachable> is the default). Finally, the option B<tcp-reset> can be used on rules which only match the TCP protocol: this causes a TCP RST packet to be sent back. This is mainly useful for blocking I<ident> (113/tcp) probes which frequently occur when sending mail to broken mail hosts (which won't accept your mail otherwise). B<tcp-reset> can only be used with kernel versions 2.6.14 or later."
43634637 msgstr "指定できるタイプは B<icmp6-no-route>, B<no-route>, B<icmp6-adm-prohibited>, B<adm-prohibited>, B<icmp6-addr-unreachable>, B<addr-unreach>, B<icmp6-port-unreachable>, B<port-unreach> である。 指定したタイプの適切な IPv6 エラーメッセージが返される (B<port-unreach> がデフォルトである)。 さらに、 TCP プロトコルにのみマッチするルールに対して、 オプション B<tcp-reset> を使うことができる。 このオプションを使うと、 TCP RST パケットが送り返される。 主として I<ident> (113/tcp) による探査を阻止するのに役立つ。 I<ident> による探査は、 壊れている (メールを受け取らない) メールホストに メールが送られる場合に頻繁に起こる。 B<tcp-reset> はバージョン 2.6.14 以降のカーネルでのみ使用できる。"
43644638
43654639 #. type: SS
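Review bot: the msgid drops B<port-unreach> from the list of accepted types and changes the stated default to B<icmp6-port-unreachable>, but the fuzzy msgstr still lists B<port-unreach> and names it as the default; correct it before clearing the fuzzy flag, otherwise the Japanese page documents a type the msgid no longer lists. While touching it, "適切な IPv6 エラーメッセージ" should read "適切な ICMPv6 エラーメッセージ" to match "ICMPv6 error message" in the msgid.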
@@ -4368,7 +4642,9 @@ msgid "REJECT (IPv4-specific)"
43684642 msgstr "REJECT (IPv4 の場合)"
43694643
43704644 #. type: Plain text
4371-msgid "The type given can be B<icmp-net-unreachable>, B<icmp-host-unreachable>, B<icmp-port-unreachable>, B<icmp-proto-unreachable>, B<icmp-net-prohibited>, B<icmp-host-prohibited> or B<icmp-admin-prohibited> (*) which return the appropriate ICMP error message (B<port-unreachable> is the default). The option B<tcp-reset> can be used on rules which only match the TCP protocol: this causes a TCP RST packet to be sent back. This is mainly useful for blocking I<ident> (113/tcp) probes which frequently occur when sending mail to broken mail hosts (which won't accept your mail otherwise)."
4645+#, fuzzy
4646+#| msgid "The type given can be B<icmp-net-unreachable>, B<icmp-host-unreachable>, B<icmp-port-unreachable>, B<icmp-proto-unreachable>, B<icmp-net-prohibited>, B<icmp-host-prohibited> or B<icmp-admin-prohibited> (*) which return the appropriate ICMP error message (B<port-unreachable> is the default). The option B<tcp-reset> can be used on rules which only match the TCP protocol: this causes a TCP RST packet to be sent back. This is mainly useful for blocking I<ident> (113/tcp) probes which frequently occur when sending mail to broken mail hosts (which won't accept your mail otherwise)."
4647+msgid "The type given can be B<icmp-net-unreachable>, B<icmp-host-unreachable>, B<icmp-port-unreachable>, B<icmp-proto-unreachable>, B<icmp-net-prohibited>, B<icmp-host-prohibited>, or B<icmp-admin-prohibited> (*), which return the appropriate ICMP error message (B<icmp-port-unreachable> is the default). The option B<tcp-reset> can be used on rules which only match the TCP protocol: this causes a TCP RST packet to be sent back. This is mainly useful for blocking I<ident> (113/tcp) probes which frequently occur when sending mail to broken mail hosts (which won't accept your mail otherwise)."
43724648 msgstr "指定できるタイプは B<icmp-net-unreachable>, B<icmp-host-unreachable>, B<icmp-port-unreachable>, B<icmp-proto-unreachable>, B<icmp-net-prohibited>, B<icmp-host-prohibited>, B<icmp-admin-prohibited> (*) である。指定したタイプの適切な ICMP エラーメッセージを返す (B<port-unreachable> がデフォルトである)。 TCP プロトコルにのみマッチするルールに対して、 オプション B<tcp-reset> を使うことができる。 このオプションを使うと、 TCP RST パケットが送り返される。 主として I<ident> (113/tcp) による探査を阻止するのに役立つ。 I<ident> による探査は、 壊れている (メールを受け取らない) メールホストに メールが送られる場合に頻繁に起こる。"
43734649
43744650 #. type: Plain text
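Review bot: the default in the msgid is now written B<icmp-port-unreachable>, while the fuzzy msgstr still says "(B<port-unreachable> がデフォルトである)"; update the default name in the translation, the remaining msgid changes in this entry are punctuation only.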
@@ -4478,13 +4754,16 @@ msgid "Use of -j SET requires that ipset kernel support is provided, which, for
44784754 msgstr "-j SET を使用するには ipset のカーネルサポートが必要である。 標準のカーネルでは、 Linux 2.6.39 以降で提供されている。"
44794755
44804756 #. type: SS
4481-#, no-wrap
4482-msgid "SNAT (IPv4-specific)"
4483-msgstr "SNAT (IPv4 の場合)"
4757+#, fuzzy, no-wrap
4758+#| msgid "B<SNAT>"
4759+msgid "SNAT"
4760+msgstr "B<SNAT>"
44844761
44854762 #. type: Plain text
4486-msgid "This target is only valid in the B<nat> table, in the B<POSTROUTING> chain. It specifies that the source address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one type of option:"
4487-msgstr "このターゲットは B<nat> テーブルの B<POSTROUTING> チェインのみで有効である。 このターゲットはパケットの送信元アドレスを修正させる (このコネクションの以降のパケットも修正して分からなく (mangle) する)。 さらに、 ルールが評価を中止するように指示する。 このターゲットにはオプションが 1 種類ある:"
4763+#, fuzzy
4764+#| msgid "This target is only valid in the B<nat> table, in the B<PREROUTING> and B<OUTPUT> chains, and user-defined chains which are only called from those chains. It specifies that the destination address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one type of option:"
4765+msgid "This target is only valid in the B<nat> table, in the B<POSTROUTING> and B<INPUT> chains, and user-defined chains which are only called from those chains. It specifies that the source address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes the following options:"
4766+msgstr "このターゲットは B<nat> テーブルの B<PREROUTING>, B<OUTPUT> チェイン、 これらのチェインから呼び出される ユーザー定義チェインのみで有効である。 このターゲットはパケットの宛先アドレスを修正する (このコネクションの以降のパケットも修正して分からなく (mangle) する)。 さらに、 ルールによるチェックを止めさせる。 このターゲットにはオプションが 1 種類ある:"
44884767
44894768 #. type: TP
44904769 #, no-wrap
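Review bot: the fuzzy msgstr for the SNAT description was taken from the DNAT entry (see the #| line) and therefore says B<PREROUTING>, B<OUTPUT> and 宛先アドレス, the opposite of what the msgid says (B<POSTROUTING> and B<INPUT>, source address); it has to be rewritten rather than simply unfuzzied, and "オプションが 1 種類ある" should become wording matching "It takes the following options". The heading's fuzzy msgstr "B<SNAT>" also carries bold markup that the msgid "SNAT" lacks; use msgstr "SNAT".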
@@ -4492,15 +4771,31 @@ msgid "B<--to-source> [I<ipaddr>[B<->I<ipaddr>]][B<:>I<port>[B<->I<port>]]"
44924771 msgstr "B<--to-source> [I<ipaddr>[B<->I<ipaddr>]][B<:>I<port>[B<->I<port>]]"
44934772
44944773 #. type: Plain text
4495-msgid "which can specify a single new source IP address, an inclusive range of IP addresses, and optionally, a port range (which is only valid if the rule also specifies B<-p tcp> or B<-p udp>). If no port range is specified, then source ports below 512 will be mapped to other ports below 512: those between 512 and 1023 inclusive will be mapped to ports below 1024, and other ports will be mapped to 1024 or above. Where possible, no port alteration will occur."
4774+#, fuzzy
4775+#| msgid "which can specify a single new source IP address, an inclusive range of IP addresses, and optionally, a port range (which is only valid if the rule also specifies B<-p tcp> or B<-p udp>). If no port range is specified, then source ports below 512 will be mapped to other ports below 512: those between 512 and 1023 inclusive will be mapped to ports below 1024, and other ports will be mapped to 1024 or above. Where possible, no port alteration will occur."
4776+msgid "which can specify a single new source IP address, an inclusive range of IP addresses. Optionally a port range, if the rule also specifies one of the following protocols: B<tcp>, B<udp>, B<dccp> or B<sctp>. If no port range is specified, then source ports below 512 will be mapped to other ports below 512: those between 512 and 1023 inclusive will be mapped to ports below 1024, and other ports will be mapped to 1024 or above. Where possible, no port alteration will occur. In Kernels up to 2.6.10, you can add several --to-source options. For those kernels, if you specify more than one source address, either via an address range or multiple --to-source options, a simple round-robin (one after another in cycle) takes place between these addresses. Later Kernels (E<gt>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore."
44964777 msgstr "1 つの新しい送信元 IP アドレス、 または IP アドレスの範囲が指定できる。 ポートの範囲を指定することもできる (ルールが B<-p tcp> または B<-p udp> を指定している場合にのみ有効)。 ポートの範囲が指定されていない場合、 512 未満の送信元ポートは、 他の 512 未満のポートにマッピングされる。 512 〜 1023 までのポートは、 1024 未満のポートにマッピングされる。 それ以外のポートは、 1024 以上のポートにマッピングされる。 可能であれば、 ポートの変換は起こらない。"
44974778
44984779 #. type: Plain text
4499-msgid "In Kernels up to 2.6.10, you can add several --to-source options. For those kernels, if you specify more than one source address, either via an address range or multiple --to-source options, a simple round-robin (one after another in cycle) takes place between these addresses. Later Kernels (E<gt>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore."
4500-msgstr "2.6.10 以前のカーネルでは、 複数の --to-source オプションを指定することができる。 これらのカーネルでは、 アドレスの範囲指定や --to-source オプションの複数回指定により 2 つ以上の送信元アドレスを指定した場合、 それらのアドレスを使った単純なラウンド・ロビンが行われる。 それ以降のカーネル (E<gt>= 2.6.11-rc1) には複数の範囲を NAT する機能は存在しない。"
4780+msgid "If option B<--random> is used then port mapping will be randomized (kernel E<gt>= 2.6.21)."
4781+msgstr ""
45014782
45024783 #. type: Plain text
4503-msgid "If option B<--random> is used then port mapping will be randomized (kernel E<gt>= 2.6.21)."
4784+msgid "Kernels prior to 2.6.36-rc1 don't have the ability to B<SNAT> in the B<INPUT> chain."
4785+msgstr ""
4786+
4787+#. type: SS
4788+#, fuzzy, no-wrap
4789+#| msgid "SNAT (IPv4-specific)"
4790+msgid "SNPT (IPv6-specific)"
4791+msgstr "SNAT (IPv4 の場合)"
4792+
4793+#. type: Plain text
4794+msgid "Provides stateless source IPv6-to-IPv6 Network Prefix Translation (as described by RFC 6296)."
4795+msgstr ""
4796+
4797+#. type: Plain text
4798+msgid "You have to use the DNPT target to undo the translation. Example:"
45044799 msgstr ""
45054800
45064801 #. type: SS
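Review bot: the msgid merges the former round-robin paragraph (kernels up to 2.6.10, E<gt>= 2.6.11-rc1) into the B<--to-source> description and adds B<dccp>/B<sctp>, but the fuzzy msgstr contains only the first paragraph and still says B<-p tcp> または B<-p udp>; the removed paragraph's translation survives as an obsolete #~ entry at the end of this file and can be appended here instead of being retranslated. The new "Kernels prior to 2.6.36-rc1 ... B<INPUT> chain" entry is untranslated, and the SNPT heading's fuzzy msgstr "SNAT (IPv4 の場合)" must become "SNPT (IPv6 の場合)" so the Japanese page does not present the IPv6 prefix-translation target as SNAT.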
@@ -4779,7 +5074,9 @@ msgid "ULOG (IPv4-specific)"
47795074 msgstr "ULOG (IPv4 の場合)"
47805075
47815076 #. type: Plain text
4782-msgid "This target provides userspace logging of matching packets. When this target is set for a rule, the Linux kernel will multicast this packet through a I<netlink> socket. One or more userspace processes may then subscribe to various multicast groups and receive the packets. Like LOG, this is a \"non-terminating target\", i.e. rule traversal continues at the next rule."
5077+#, fuzzy
5078+#| msgid "This target provides userspace logging of matching packets. When this target is set for a rule, the Linux kernel will multicast this packet through a I<netlink> socket. One or more userspace processes may then subscribe to various multicast groups and receive the packets. Like LOG, this is a \"non-terminating target\", i.e. rule traversal continues at the next rule."
5079+msgid "This is the deprecated ipv4-only predecessor of the NFLOG target. It provides userspace logging of matching packets. When this target is set for a rule, the Linux kernel will multicast this packet through a I<netlink> socket. One or more userspace processes may then subscribe to various multicast groups and receive the packets. Like LOG, this is a \"non-terminating target\", i.e. rule traversal continues at the next rule."
47835080 msgstr "このターゲットは、 マッチしたパケットを ユーザー空間でログ記録する機能を提供する。 このターゲットがルールに設定されると、 Linux カーネルは、 そのパケットを I<netlink> ソケットを用いてマルチキャストする。 そして、 1 つ以上のユーザー空間プロセスが いろいろなマルチキャストグループに登録をおこない、 パケットを受信する。 LOG と同様、 これは \"非終了ターゲット\" であり、 ルールの探索は次のルールへと継続される。"
47845081
47855082 #. type: TP
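Review bot: the msgid now opens with "This is the deprecated ipv4-only predecessor of the NFLOG target." and the fuzzy msgstr has no equivalent sentence; add one (e.g. "これは非推奨の IPv4 専用ターゲットであり、 NFLOG ターゲットの前身である。") so Japanese readers see the deprecation and are pointed to NFLOG, which is the point of the upstream change.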
@@ -4817,3 +5114,39 @@ msgstr "B<--ulog-qthreshold> I<size>"
48175114 #. type: Plain text
48185115 msgid "Number of packet to queue inside kernel. Setting this value to, e.g. 10 accumulates ten packets inside the kernel and transmits them as one netlink multipart message to userspace. Default is 1 (for backwards compatibility)."
48195116 msgstr "カーネル内部のキューに入れられるパケットの数。 例えば、 この値を 10 にした場合、 カーネル内部で 10 個のパケットをまとめ、 1 つの netlink マルチパートメッセージとしてユーザー空間に送る。 (過去のものとの互換性のため) デフォルトは 1 である。"
5117+
5118+#~ msgid "Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/) also has some examples of usage."
5119+#~ msgstr "Steve の ipt_recent ウェブサイト (http://snowman.net/projects/ipt_recent/) にも使用例がいくつかある。"
5120+
5121+#~ msgid "which can specify a single new destination IP address, an inclusive range of IP addresses, and optionally, a port range (which is only valid if the rule also specifies B<-p tcp> or B<-p udp>). If no port range is specified, then the destination port will never be modified. If no IP address is specified then only the destination port will be modified."
5122+#~ msgstr "1 つの新しい宛先 IP アドレス、 または IP アドレスの範囲が指定できる。 ポートの範囲を指定することもできる (これはルールで B<-p tcp> または B<-p udp> を指定している場合にのみ有効)。 ポートの範囲が指定されていない場合、 宛先ポートは変更されない。 IP アドレスが指定されなかった場合は、 宛先ポートだけが変更される。"
5123+
5124+#~ msgid "LOG (IPv6-specific)"
5125+#~ msgstr "LOG (IPv6 の場合)"
5126+
5127+#~ msgid "LOG (IPv4-specific)"
5128+#~ msgstr "LOG (IPv4 の場合)"
5129+
5130+#~ msgid "Log options from the IP packet header."
5131+#~ msgstr "IP パケットヘッダーのオプションをログに記録する。"
5132+
5133+#~ msgid "MASQUERADE (IPv6-specific)"
5134+#~ msgstr "MASQUERADE (IPv6 の場合)"
5135+
5136+#~ msgid "This target is only valid in the B<nat> table, in the B<POSTROUTING> chain. It should only be used with dynamically assigned IPv6 (dialup) connections: if you have a static IP address, you should use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out, but also has the effect that connections are I<forgotten> when the interface goes down. This is the correct behavior when the next dialup is unlikely to have the same interface address (and hence any established connections are lost anyway)."
5137+#~ msgstr "このターゲットは B<nat> テーブルの B<POSTROUTING> チェインのみで有効である。 動的割り当て IPv6 (ダイヤルアップ) コネクションの場合にのみ使うべきである。 固定 IP アドレスならば、 SNAT ターゲットを使うべきである。 マスカレーディングは、 パケットが送信されるインターフェースの IP アドレスへのマッピングを指定するのと同じであるが、 インターフェースが停止した場合にコネクションをI<忘れる>という効果がある。 次のダイヤルアップでは同じインターフェースアドレスになる可能性が低い (そのため、 前回確立されたコネクションは失われる) 場合、 この動作は正しい。"
5138+
5139+#~ msgid "MASQUERADE (IPv4-specific)"
5140+#~ msgstr "MASQUERADE (IPv4 の場合)"
5141+
5142+#~ msgid "NETMAP (IPv4-specific)"
5143+#~ msgstr "NETMAP (IPv4 の場合)"
5144+
5145+#~ msgid "REDIRECT (IPv4-specific)"
5146+#~ msgstr "REDIRECT (IPv4 の場合)"
5147+
5148+#~ msgid "This target is only valid in the B<nat> table, in the B<POSTROUTING> chain. It specifies that the source address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one type of option:"
5149+#~ msgstr "このターゲットは B<nat> テーブルの B<POSTROUTING> チェインのみで有効である。 このターゲットはパケットの送信元アドレスを修正させる (このコネクションの以降のパケットも修正して分からなく (mangle) する)。 さらに、 ルールが評価を中止するように指示する。 このターゲットにはオプションが 1 種類ある:"
5150+
5151+#~ msgid "In Kernels up to 2.6.10, you can add several --to-source options. For those kernels, if you specify more than one source address, either via an address range or multiple --to-source options, a simple round-robin (one after another in cycle) takes place between these addresses. Later Kernels (E<gt>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore."
5152+#~ msgstr "2.6.10 以前のカーネルでは、 複数の --to-source オプションを指定することができる。 これらのカーネルでは、 アドレスの範囲指定や --to-source オプションの複数回指定により 2 つ以上の送信元アドレスを指定した場合、 それらのアドレスを使った単純なラウンド・ロビンが行われる。 それ以降のカーネル (E<gt>= 2.6.11-rc1) には複数の範囲を NAT する機能は存在しない。"
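Review bot: the obsolete #~ block keeps translations that the merged entries above now need, notably the round-robin paragraph for --to-source and the MASQUERADE description; reuse them when fixing the fuzzy entries, after which these #~ entries can be dropped (e.g. with msgattrib --no-obsolete) rather than left in the file.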
--- a/po4a/man8/iptables-restore.8.ja.po
+++ b/po4a/man8/iptables-restore.8.ja.po
@@ -6,7 +6,7 @@
66 msgid ""
77 msgstr ""
88 "Project-Id-Version: PACKAGE VERSION\n"
9-"POT-Creation-Date: 2013-04-08 14:07+0900\n"
9+"POT-Creation-Date: 2014-05-07 04:08+0900\n"
1010 "PO-Revision-Date: 2013-04-08 16:21+0900\n"
1111 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
1212 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -22,8 +22,8 @@ msgstr "IPTABLES-RESTORE"
2222
2323 #. type: TH
2424 #, no-wrap
25-msgid "Jan 04, 2001"
26-msgstr "Jan 04, 2001"
25+msgid "iptables 1.4.21"
26+msgstr ""
2727
2828 #. Man page written by Harald Welte <laforge@gnumonks.org>
2929 #. It is based on the iptables man page.
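Review bot: the new TH msgid "iptables 1.4.21" at 25 gets an empty msgstr at 26; po4a substitutes the original for an empty translation, so the version string renders fine, but this file and iptables.8.ja.po in the same commit handle the same string differently (the other keeps a fuzzy "iptables 1.4.18"). Use one convention across the three po files so the version header cannot drift.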
@@ -47,13 +47,27 @@ msgstr "名前"
4747 msgid "iptables-restore \\(em Restore IP Tables"
4848 msgstr "iptables-restore \\(em IP テーブルを復元する"
4949
50+#. type: Plain text
51+#, fuzzy
52+#| msgid "iptables-restore \\(em Restore IP Tables"
53+msgid "ip6tables-restore \\(em Restore IPv6 Tables"
54+msgstr "iptables-restore \\(em IP テーブルを復元する"
55+
5056 #. type: SH
5157 #, no-wrap
5258 msgid "SYNOPSIS"
5359 msgstr "書式"
5460
5561 #. type: Plain text
56-msgid "B<iptables-restore> [B<-chntv>] [B<-M> I<modprobe>] [B<-T> I<name>]"
62+#, fuzzy
63+#| msgid "B<iptables-restore> [B<-chntv>] [B<-M> I<modprobe>] [B<-T> I<name>]"
64+msgid "B<iptables-restore> [B<-chntv>] [B<-M> I<modprobe>]"
65+msgstr "B<iptables-restore> [B<-chntv>] [B<-M> I<modprobe>] [B<-T> I<name>]"
66+
67+#. type: Plain text
68+#, fuzzy
69+#| msgid "B<iptables-restore> [B<-chntv>] [B<-M> I<modprobe>] [B<-T> I<name>]"
70+msgid "B<ip6tables-restore> [B<-chntv>] [B<-M> I<modprobe>] [B<-T> I<name>]"
5771 msgstr "B<iptables-restore> [B<-chntv>] [B<-M> I<modprobe>] [B<-T> I<name>]"
5872
5973 #. type: SH
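Review bot: the fuzzy msgstr at 65 still carries `[B<-T> I<name>]` under a msgid at 64 that dropped it, while the ip6tables-restore synopsis at 70 keeps `-T`; the two lines should agree, and since `-T` is an option of both tools, check whether `-T` is still documented under OPTIONS before deciding which synopsis is right rather than just copying the msgid. Also, every new fuzzy entry here (53/54, 64/65, 69/71) reuses the iptables-restore translation verbatim, so the Japanese NAME and SYNOPSIS would read "iptables-restore" for ip6tables-restore if un-fuzzied as-is.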
@@ -62,7 +76,9 @@ msgid "DESCRIPTION"
6276 msgstr "説明"
6377
6478 #. type: Plain text
65-msgid "B<iptables-restore> is used to restore IP Tables from data specified on STDIN. Use I/O redirection provided by your shell to read from a file"
79+#, fuzzy
80+#| msgid "B<iptables-restore> is used to restore IP Tables from data specified on STDIN. Use I/O redirection provided by your shell to read from a file"
81+msgid "B<iptables-restore> and B<ip6tables-restore> are used to restore IP and IPv6 Tables from data specified on STDIN. Use I/O redirection provided by your shell to read from a file"
6682 msgstr "B<iptables-restore> は標準入力で指定されたデータから IP テーブルを復元するために使われる。 ファイルから読み込むためには、 シェルで提供されている I/O リダイレクションを使うこと。"
6783
6884 #. type: TP
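Review bot: the msgstr at 82 is unchanged and still names only B<iptables-restore> and "IP テーブル", while the msgid at 81 now reads "B<iptables-restore> and B<ip6tables-restore> are used to restore IP and IPv6 Tables"; add the second command and IPv6 to the translation instead of leaving the fuzzy flag to hide the gap.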
@@ -84,12 +100,15 @@ msgid "Print a short option summary."
84100 msgstr "簡潔なオプション一覧を表示する。"
85101
86102 #. type: TP
87-#, no-wrap
88-msgid "B<-n>, B<--noflush> "
103+#, fuzzy, no-wrap
104+#| msgid "B<-n>, B<--noflush> "
105+msgid "B<-n>, B<--noflush>"
89106 msgstr "B<-n>, B<--noflush> "
90107
91108 #. type: Plain text
92-msgid "don't flush the previous contents of the table. If not specified, B<iptables-restore> flushes (deletes) all previous contents of the respective table."
109+#, fuzzy
110+#| msgid "don't flush the previous contents of the table. If not specified, B<iptables-restore> flushes (deletes) all previous contents of the respective table."
111+msgid "don't flush the previous contents of the table. If not specified, both commands flush (delete) all previous contents of the respective table."
93112 msgstr "これまでのテーブルの内容をフラッシュしない。 指定されない場合、 B<iptables-restore> は、これまでの各テーブルの内容を全てフラッシュ (削除) する。"
94113
95114 #. type: TP
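Review bot: two things in this hunk. The msgid at 105 drops the trailing space from `B<-n>, B<--noflush>` but the msgstr at 106 keeps it, so the rendered .TP line inherits the stray space; and the description msgstr at 112 still says B<iptables-restore> where the msgid at 111 now says "both commands". When retranslating, keep the default behaviour stated as bluntly as the English does: without `-n` the restore flushes (deletes) every existing rule in the respective table, so an operator who loads a partial rule file without `--noflush` loses all rules not in that file.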
@@ -138,14 +157,21 @@ msgid "None known as of iptables-1.2.1 release"
138157 msgstr "iptables-1.2.1 リリースでは知られていない。"
139158
140159 #. type: SH
141-#, no-wrap
142-msgid "AUTHOR"
160+#, fuzzy, no-wrap
161+#| msgid "AUTHOR"
162+msgid "AUTHORS"
143163 msgstr "作者"
144164
145165 #. type: Plain text
146-msgid "Harald Welte E<lt>laforge@gnumonks.orgE<gt>"
166+#, fuzzy
167+#| msgid "Harald Welte E<lt>laforge@gnumonks.orgE<gt>"
168+msgid "Harald Welte E<lt>laforge@gnumonks.orgE<gt> wrote iptables-restore based on code from Rusty Russell."
147169 msgstr "Harald Welte E<lt>laforge@gnumonks.orgE<gt>"
148170
171+#. type: Plain text
172+msgid "Andras Kis-Szabo E<lt>kisza@sch.bme.huE<gt> contributed ip6tables-restore."
173+msgstr ""
174+
149175 #. type: SH
150176 #, no-wrap
151177 msgid "SEE ALSO"
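Review bot: the msgstr at 169 keeps only the author name while the msgid at 168 now adds "wrote iptables-restore based on code from Rusty Russell", and the new entry at 172 has an empty msgstr; both will show through in English on the Japanese page. Translate them in this commit rather than carrying them as fuzzy/untranslated.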
@@ -158,3 +184,6 @@ msgstr "B<iptables-save>(8), B<iptables>(8)"
158184 #. type: Plain text
159185 msgid "The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO, which details NAT, and the netfilter-hacking-HOWTO which details the internals."
160186 msgstr "より多くの iptables の使用法について 詳細に説明している iptables-HOWTO。 NAT について詳細に説明している NAT-HOWTO。 内部構造について詳細に説明している netfilter-hacking-HOWTO。"
187+
188+#~ msgid "Jan 04, 2001"
189+#~ msgstr "Jan 04, 2001"
--- a/po4a/man8/iptables-save.8.ja.po
+++ b/po4a/man8/iptables-save.8.ja.po
@@ -6,7 +6,7 @@
66 msgid ""
77 msgstr ""
88 "Project-Id-Version: PACKAGE VERSION\n"
9-"POT-Creation-Date: 2013-04-08 14:07+0900\n"
9+"POT-Creation-Date: 2014-05-07 04:08+0900\n"
1010 "PO-Revision-Date: 2013-04-08 14:54+0900\n"
1111 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
1212 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -22,8 +22,8 @@ msgstr "IPTABLES-SAVE"
2222
2323 #. type: TH
2424 #, no-wrap
25-msgid "Jan 04, 2001"
26-msgstr "Jan 04, 2001"
25+msgid "iptables 1.4.21"
26+msgstr ""
2727
2828 #. Man page written by Harald Welte <laforge@gnumonks.org>
2929 #. It is based on the iptables man page.
@@ -47,6 +47,12 @@ msgstr "名前"
4747 msgid "iptables-save \\(em dump iptables rules to stdout"
4848 msgstr "iptables-save \\(em iptables ルールを標準出力にダンプする"
4949
50+#. type: Plain text
51+#, fuzzy
52+#| msgid "iptables-save \\(em dump iptables rules to stdout"
53+msgid "ip6tables-save \\(em dump iptables rules to stdout"
54+msgstr "iptables-save \\(em iptables ルールを標準出力にダンプする"
55+
5056 #. type: SH
5157 #, no-wrap
5258 msgid "SYNOPSIS"
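Review bot: the new msgid at 53, "ip6tables-save \(em dump iptables rules to stdout", says "iptables rules" for ip6tables-save; that is an upstream wording slip in the 1.4.21 man page, so the translation should say ip6tables rules rather than reproduce it, and the fuzzy msgstr at 54, which is a copy of the iptables-save line, needs the command name changed as well.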
@@ -56,13 +62,21 @@ msgstr "書式"
5662 msgid "B<iptables-save> [B<-M> I<modprobe>] [B<-c>] [B<-t> I<table>]"
5763 msgstr "B<iptables-save> [B<-M> I<modprobe>] [B<-c>] [B<-t> I<table>]"
5864
65+#. type: Plain text
66+#, fuzzy
67+#| msgid "B<iptables-save> [B<-M> I<modprobe>] [B<-c>] [B<-t> I<table>]"
68+msgid "B<ip6tables-save> [B<-M> I<modprobe>] [B<-c>] [B<-t> I<table>"
69+msgstr "B<iptables-save> [B<-M> I<modprobe>] [B<-c>] [B<-t> I<table>]"
70+
5971 #. type: SH
6072 #, no-wrap
6173 msgid "DESCRIPTION"
6274 msgstr "説明"
6375
6476 #. type: Plain text
65-msgid "B<iptables-save> is used to dump the contents of an IP Table in easily parseable format to STDOUT. Use I/O-redirection provided by your shell to write to a file."
77+#, fuzzy
78+#| msgid "B<iptables-save> is used to dump the contents of an IP Table in easily parseable format to STDOUT. Use I/O-redirection provided by your shell to write to a file."
79+msgid "B<iptables-save> and B<ip6tables-save> are used to dump the contents of IP or IPv6 Table in easily parseable format to STDOUT. Use I/O-redirection provided by your shell to write to a file."
6680 msgstr "B<iptables-save> は IP テーブルの内容を簡単に解析できる形式で 標準出力にダンプするために使われる。 ファイルに書き出すためには、 シェルで提供されている I/O リダイレクションを使うこと。"
6781
6882 #. type: TP
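Review bot: the msgid at 68 is missing the closing `]` after `I<table>` (`[B<-t> I<table>`), an upstream typo in the ip6tables-save synopsis; the fuzzy msgstr at 69 is still the iptables-save line, so when retranslating close the bracket and change the command name instead of copying the msgid. Likewise the description msgstr at 80 still names only B<iptables-save> and "IP テーブル" while the msgid at 79 covers both commands and "IP or IPv6 Table".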
@@ -102,14 +116,23 @@ msgid "None known as of iptables-1.2.1 release"
102116 msgstr "iptables-1.2.1 リリースでは知られていない。"
103117
104118 #. type: SH
105-#, no-wrap
106-msgid "AUTHOR"
119+#, fuzzy, no-wrap
120+#| msgid "AUTHOR"
121+msgid "AUTHORS"
107122 msgstr "作者"
108123
109124 #. type: Plain text
110125 msgid "Harald Welte E<lt>laforge@gnumonks.orgE<gt>"
111126 msgstr "Harald Welte E<lt>laforge@gnumonks.orgE<gt>"
112127
128+#. type: Plain text
129+msgid "Rusty Russell E<lt>rusty@rustcorp.com.auE<gt>"
130+msgstr ""
131+
132+#. type: Plain text
133+msgid "Andras Kis-Szabo E<lt>kisza@sch.bme.huE<gt> contributed ip6tables-save."
134+msgstr ""
135+
113136 #. type: SH
114137 #, no-wrap
115138 msgid "SEE ALSO"
@@ -122,3 +145,6 @@ msgstr "B<iptables-restore>(8), B<iptables>(8)"
122145 #. type: Plain text
123146 msgid "The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO, which details NAT, and the netfilter-hacking-HOWTO which details the internals."
124147 msgstr "より多くの iptables の使用法について 詳細に説明している iptables-HOWTO。 NAT について詳細に説明している NAT-HOWTO。 内部構造について詳細に説明している netfilter-hacking-HOWTO。"
148+
149+#~ msgid "Jan 04, 2001"
150+#~ msgstr "Jan 04, 2001"
--- a/po4a/man8/iptables.8.ja.po
+++ b/po4a/man8/iptables.8.ja.po
@@ -6,7 +6,7 @@
66 msgid ""
77 msgstr ""
88 "Project-Id-Version: PACKAGE VERSION\n"
9-"POT-Creation-Date: 2013-04-08 14:07+0900\n"
9+"POT-Creation-Date: 2014-05-07 04:08+0900\n"
1010 "PO-Revision-Date: 2013-05-24 16:53+0900\n"
1111 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
1212 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -21,8 +21,9 @@ msgid "IPTABLES"
2121 msgstr "IPTABLES"
2222
2323 #. type: TH
24-#, no-wrap
25-msgid "iptables 1.4.18"
24+#, fuzzy, no-wrap
25+#| msgid "iptables 1.4.18"
26+msgid "iptables 1.4.21"
2627 msgstr "iptables 1.4.18"
2728
2829 #. Man page written by Herve Eychenne <rv@wallfire.org> (May 1999)
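Review bot: the fuzzy msgstr at 27 is left at "iptables 1.4.18" under a msgid that now says "iptables 1.4.21"; the fuzzy flag means po4a falls back to the English, so nothing breaks, but it is a stale version string that becomes wrong the moment someone drops the flag. Update it to 1.4.21 here, and align with iptables-restore.8.ja.po and iptables-save.8.ja.po, which use an empty msgstr for the same string in this commit.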
@@ -47,7 +48,9 @@ msgid "NAME"
4748 msgstr "名前"
4849
4950 #. type: Plain text
50-msgid "iptables \\(em administration tool for IPv4 packet filtering and NAT"
51+#, fuzzy
52+#| msgid "iptables \\(em administration tool for IPv4 packet filtering and NAT"
53+msgid "iptables/ip6tables \\(em administration tool for IPv4/IPv6 packet filtering and NAT"
5154 msgstr "iptables \\(em IPv4 のパケットフィルタと NAT の管理ツール"
5255
5356 #. type: SH
@@ -60,6 +63,12 @@ msgid "B<iptables> [B<-t> I<table>] {B<-A>|B<-C>|B<-D>} I<chain> I<rule-specific
6063 msgstr "B<iptables> [B<-t> I<table>] {B<-A>|B<-C>|B<-D>} I<chain> I<rule-specification>"
6164
6265 #. type: Plain text
66+#, fuzzy
67+#| msgid "B<iptables> [B<-t> I<table>] {B<-A>|B<-C>|B<-D>} I<chain> I<rule-specification>"
68+msgid "B<ip6tables> [B<-t> I<table>] {B<-A>|B<-C>|B<-D>} I<chain rule-specification>"
69+msgstr "B<iptables> [B<-t> I<table>] {B<-A>|B<-C>|B<-D>} I<chain> I<rule-specification>"
70+
71+#. type: Plain text
6372 msgid "B<iptables> [B<-t> I<table>] B<-I> I<chain> [I<rulenum>] I<rule-specification>"
6473 msgstr "B<iptables> [B<-t> I<table>] B<-I> I<chain> [I<rulenum>] I<rule-specification>"
6574
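Review bot: the msgid at 68 marks the ip6tables synopsis as a single italic span, `I<chain rule-specification>`, while the iptables line at 63 uses `I<chain> I<rule-specification>`; that is an upstream inconsistency, so the translation at 69 (currently still the iptables line) should use the two-span form and the ip6tables command name rather than mirror the msgid.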
@@ -113,7 +122,9 @@ msgid "DESCRIPTION"
113122 msgstr "説明"
114123
115124 #. type: Plain text
116-msgid "B<Iptables> is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains."
125+#, fuzzy
126+#| msgid "B<Iptables> is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains."
127+msgid "B<Iptables> and B<ip6tables> are used to set up, maintain, and inspect the tables of IPv4 and IPv6 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains."
117128 msgstr "B<iptables> は Linux カーネルの IPv4 パケットフィルタルールのテーブルの設定・管理・検査に使用される。 複数の異なるテーブルを定義できる。 各テーブルには数個の組み込みチェインがあり、 さらにユーザー定義のチェインを加えることもできる。"
118129
119130 #. type: Plain text
@@ -126,11 +137,15 @@ msgid "TARGETS"
126137 msgstr "ターゲット"
127138
128139 #. type: Plain text
129-msgid "A firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is the examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values B<ACCEPT>, B<DROP>, B<QUEUE> or B<RETURN>."
140+#, fuzzy
141+#| msgid "A firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is the examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values B<ACCEPT>, B<DROP>, B<QUEUE> or B<RETURN>."
142+msgid "A firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain, one of the targets described in B<iptables-extensions>(8), or one of the special values B<ACCEPT>, B<DROP> or B<RETURN>."
130143 msgstr "ファイアウォールのルールでは、 パケットのマッチ条件とターゲットを指定する。 パケットがマッチしない場合、 チェイン内の次のルールが評価される。 パケットがマッチした場合、 ターゲットの値によって次のルールが指定される。 ターゲットの値には、 ユーザー定義チェインの名前、 もしくは特別な値 B<ACCEPT>, B<DROP>, B<QUEUE>, B<RETURN> のいずれか 1 つを指定する。"
131144
132145 #. type: Plain text
133-msgid "B<ACCEPT> means to let the packet through. B<DROP> means to drop the packet on the floor. B<QUEUE> means to pass the packet to userspace. (How the packet can be received by a userspace process differs by the particular queue handler. 2.4.x and 2.6.x kernels up to 2.6.13 include the B<ip_queue> queue handler. Kernels 2.6.14 and later additionally include the B<nfnetlink_queue> queue handler. Packets with a target of QUEUE will be sent to queue number '0' in this case. Please also see the B<NFQUEUE> target as described later in this man page.) B<RETURN> means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target B<RETURN> is matched, the target specified by the chain policy determines the fate of the packet."
146+#, fuzzy
147+#| msgid "B<ACCEPT> means to let the packet through. B<DROP> means to drop the packet on the floor. B<QUEUE> means to pass the packet to userspace. (How the packet can be received by a userspace process differs by the particular queue handler. 2.4.x and 2.6.x kernels up to 2.6.13 include the B<ip_queue> queue handler. Kernels 2.6.14 and later additionally include the B<nfnetlink_queue> queue handler. Packets with a target of QUEUE will be sent to queue number '0' in this case. Please also see the B<NFQUEUE> target as described later in this man page.) B<RETURN> means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target B<RETURN> is matched, the target specified by the chain policy determines the fate of the packet."
148+msgid "B<ACCEPT> means to let the packet through. B<DROP> means to drop the packet on the floor. B<RETURN> means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target B<RETURN> is matched, the target specified by the chain policy determines the fate of the packet."
134149 msgstr "B<ACCEPT> はパケット通過、 B<DROP> はパケット廃棄を意味する。 B<QUEUE> はそのパケットをユーザー空間に渡すという意味である。 (ユーザー空間プロセスがパケットをどのように受信するかは、個々のキューハンドラにより異なる。バージョン 2.4.x および 2.6.13 までの 2.6.x のカーネルでは B<ip_queue> キューハンドラが読み込まれる。バージョン 2.6.14 以降のカーネルでは、これに加えて B<nfnetlink_queue> キューハンドラも利用できる。ターゲットが QUEUE のパケットは、キュー番号 '0' に送信される。この man ページの後ろの方で説明されている B<NFQUEUE> ターゲットについても参照のこと。) B<RETURN> は、このチェインを辿るのを中止して、 前の (呼び出し元) チェインの次のルールから再開するという意味である。 組み込みチェインの最後に到達した場合、 または組み込みチェインでターゲット B<RETURN> を持つルールにマッチした場合、 パケットをどのように処理するかは、そのチェインのポリシーで指定されたターゲットにより決まる。"
135150
136151 #. type: SH
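Review bot: the msgstr entries at 143 and 149 are untouched and still document B<QUEUE> as a special target value together with the B<ip_queue>/B<nfnetlink_queue> queue-handler discussion, which the new msgids at 142 and 148 drop; the English now lists only B<ACCEPT>, B<DROP> and B<RETURN> as special values and refers extension targets (the old text's B<NFQUEUE> among them) to B<iptables-extensions>(8). Because the entries are fuzzy the stale text will not render, but when un-fuzzying remove the QUEUE paragraph rather than merging it, so the Japanese page does not keep recommending a target the 1.4.21 page no longer describes.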
@@ -170,7 +185,9 @@ msgid "B<nat>:"
170185 msgstr "B<nat>:"
171186
172187 #. type: Plain text
173-msgid "This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: B<PREROUTING> (for altering packets as soon as they come in), B<OUTPUT> (for altering locally-generated packets before routing), and B<POSTROUTING> (for altering packets as they are about to go out)."
188+#, fuzzy
189+#| msgid "This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: B<PREROUTING> (for altering packets as soon as they come in), B<OUTPUT> (for altering locally-generated packets before routing), and B<POSTROUTING> (for altering packets as they are about to go out)."
190+msgid "This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: B<PREROUTING> (for altering packets as soon as they come in), B<OUTPUT> (for altering locally-generated packets before routing), and B<POSTROUTING> (for altering packets as they are about to go out). IPv6 NAT support is available since kernel 3.7."
174191 msgstr "このテーブルは新しい接続を開くパケットの場合に参照される。 B<PREROUTING> (パケットが入ってきた場合、すぐにそのパケットを変換するためのチェイン)、 B<OUTPUT> (ローカルで生成されたパケットをルーティングの前に変換するためのチェイン)、 B<POSTROUTING> (パケットが出て行くときに変換するためのチェイン) という 3 つの組み込みチェインがある。"
175192
176193 #. type: TP
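Review bot: the msgstr at 191 lacks the sentence added at the end of the msgid at 190, "IPv6 NAT support is available since kernel 3.7"; add it, since without it the Japanese reader gets no hint that `ip6tables -t nat` depends on the kernel version.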
@@ -206,7 +223,9 @@ msgid "OPTIONS"
206223 msgstr "オプション"
207224
208225 #. type: Plain text
209-msgid "The options that are recognized by B<iptables> can be divided into several different groups."
226+#, fuzzy
227+#| msgid "The options that are recognized by B<iptables> can be divided into several different groups."
228+msgid "The options that are recognized by B<iptables> and B<ip6tables> can be divided into several different groups."
210229 msgstr "B<iptables> で使えるオプションは、いくつかのグループに分けられる。"
211230
212231 #. type: SS
@@ -378,8 +397,10 @@ msgid "B<-4>, B<--ipv4>"
378397 msgstr "B<-4>, B<--ipv4>"
379398
380399 #. type: Plain text
381-msgid "This option has no effect in iptables and iptables-restore."
382-msgstr "このオプションは iptables と iptables-restore では効果を持たない。"
400+#, fuzzy
401+#| msgid "If a rule using the B<-6> option is inserted with (and only with) iptables-restore, it will be silently ignored. Any other uses will throw an error. This option allows to put both IPv4 and IPv6 rules in a single rule file for use with both iptables-restore and ip6tables-restore."
402+msgid "This option has no effect in iptables and iptables-restore. If a rule using the B<-4> option is inserted with (and only with) ip6tables-restore, it will be silently ignored. Any other uses will throw an error. This option allows to put both IPv4 and IPv6 rules in a single rule file for use with both iptables-restore and ip6tables-restore."
403+msgstr "B<-6> オプションを使ったルールを iptables-restore で挿入された場合、(この場合に限り) そのルールは黙って無視される。それ以外の使い方をした場合はエラーが発生する。このオプションを使うと、 IPv4 と IPv6 の両方のルールを一つのルールファイルに記述し、iptables-restore と ip6tables-restore の両方でそのファイルを使うことができる。"
383404
384405 #. type: TP
385406 #, no-wrap
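Review bot: the fuzzy msgstr at 403 is the translation of the B<-6> paragraph (po4a's fuzzy match picked the near-identical neighbour), so under the `-4` heading it currently tells the reader that `-6` rules are ignored by iptables-restore. Rewrite it to follow the msgid at 402: `-4` has no effect in iptables and iptables-restore, a `-4` rule is silently ignored only when inserted with ip6tables-restore, and any other use throws an error. Keep "silently ignored" as blunt as the English: it means a mixed IPv4/IPv6 rule file loaded with the wrong restore tool drops those rules without any diagnostic.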
@@ -387,7 +408,9 @@ msgid "B<-6>, B<--ipv6>"
387408 msgstr "B<-6>, B<--ipv6>"
388409
389410 #. type: Plain text
390-msgid "If a rule using the B<-6> option is inserted with (and only with) iptables-restore, it will be silently ignored. Any other uses will throw an error. This option allows to put both IPv4 and IPv6 rules in a single rule file for use with both iptables-restore and ip6tables-restore."
411+#, fuzzy
412+#| msgid "If a rule using the B<-6> option is inserted with (and only with) iptables-restore, it will be silently ignored. Any other uses will throw an error. This option allows to put both IPv4 and IPv6 rules in a single rule file for use with both iptables-restore and ip6tables-restore."
413+msgid "If a rule using the B<-6> option is inserted with (and only with) iptables-restore, it will be silently ignored. Any other uses will throw an error. This option allows to put both IPv4 and IPv6 rules in a single rule file for use with both iptables-restore and ip6tables-restore. This option has no effect in ip6tables and ip6tables-restore."
391414 msgstr "B<-6> オプションを使ったルールを iptables-restore で挿入された場合、(この場合に限り) そのルールは黙って無視される。それ以外の使い方をした場合はエラーが発生する。このオプションを使うと、 IPv4 と IPv6 の両方のルールを一つのルールファイルに記述し、iptables-restore と ip6tables-restore の両方でそのファイルを使うことができる。"
392415
393416 #. type: TP
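Review bot: the msgstr at 414 is missing the sentence appended to the msgid at 413, "This option has no effect in ip6tables and ip6tables-restore"; add it so the `-4` and `-6` entries are symmetric in the translation as they are in the English.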
@@ -396,7 +419,9 @@ msgid "[B<!>] B<-p>, B<--protocol> I<protocol>"
396419 msgstr "[B<!>] B<-p>, B<--protocol> I<protocol>"
397420
398421 #. type: Plain text
399-msgid "The protocol of the rule or of the packet to check. The specified protocol can be one of B<tcp>, B<udp>, B<udplite>, B<icmp>, B<esp>, B<ah>, B<sctp> or the special keyword \"B<all>\", or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A \"!\" argument before the protocol inverts the test. The number zero is equivalent to B<all>. \"B<all>\" will match with all protocols and is taken as default when this option is omitted."
422+#, fuzzy
423+#| msgid "The protocol of the rule or of the packet to check. The specified protocol can be one of B<tcp>, B<udp>, B<udplite>, B<icmp>, B<esp>, B<ah>, B<sctp> or the special keyword \"B<all>\", or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A \"!\" argument before the protocol inverts the test. The number zero is equivalent to B<all>. \"B<all>\" will match with all protocols and is taken as default when this option is omitted."
424+msgid "The protocol of the rule or of the packet to check. The specified protocol can be one of B<tcp>, B<udp>, B<udplite>, B<icmp>, B<icmpv6>,B<esp>, B<ah>, B<sctp>, B<mh> or the special keyword \"B<all>\", or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A \"!\" argument before the protocol inverts the test. The number zero is equivalent to B<all>. \"B<all>\" will match with all protocols and is taken as default when this option is omitted. Note that, in ip6tables, IPv6 extension headers except B<esp> are not allowed. B<esp> and B<ipv6-nonext> can be used with Kernel version 2.6.11 or later. The number zero is equivalent to B<all>, which means that you cannot test the protocol field for the value 0 directly. To match on a HBH header, even if it were the last, you cannot use B<-p 0>, but always need B<-m hbh>."
400425 msgstr "ルールで使われるプロトコル、またはチェックされるパケットのプロトコル。 指定できるプロトコルは、 B<tcp>, B<udp>, B<udplite>, B<icmp>, B<esp>, B<ah>, B<sctp> と特別なキーワード B<all> のいずれか 1 つか、または数値である。 数値には、これらのプロトコルのどれか、またはそれ以外のプロトコルを表す数値を指定することができる。 /etc/protocols にあるプロトコル名も指定できる。 プロトコルの前に \"!\" を置くと、そのプロトコルを除外するという意味になる。 数値 0 は B<all> と等しい。 \"B<all>\" は全てのプロトコルとマッチし、このオプションが省略された際のデフォルトである。"
401426
402427 #. type: TP
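Review bot: the new msgid at 424 carries two upstream slips the translation should not inherit: `B<icmpv6>,B<esp>` lacks a space after the comma, and "The number zero is equivalent to B<all>" appears twice (once in the original sentence, again before the ip6tables-specific text). The msgstr at 425 is still the old text: it lacks B<icmpv6> and B<mh> in the protocol list and the whole ip6tables paragraph (extension headers other than B<esp> not allowed, B<esp>/B<ipv6-nonext> needing kernel 2.6.11 or later, and `-p 0` being unable to match a Hop-by-Hop header, which needs `-m hbh`). That last point matters for filtering rules: because 0 is equivalent to B<all>, a rule written with `-p 0` to catch HBH traffic matches every protocol instead.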
@@ -405,7 +430,9 @@ msgid "[B<!>] B<-s>, B<--source> I<address>[B</>I<mask>][B<,>I<...>]"
405430 msgstr "[B<!>] B<-s>, B<--source> I<address>[B</>I<mask>][B<,>I<...>]"
406431
407432 #. type: Plain text
408-msgid "Source specification. I<Address> can be either a network name, a hostname, a network IP address (with B</>I<mask>), or a plain IP address. Hostnames will be resolved once only, before the rule is submitted to the kernel. Please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea. The I<mask> can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of I<24> is equivalent to I<255.255.255.0>. A \"!\" argument before the address specification inverts the sense of the address. The flag B<--src> is an alias for this option. Multiple addresses can be specified, but this will B<expand to multiple rules> (when adding with -A), or will cause multiple rules to be deleted (with -D)."
433+#, fuzzy
434+#| msgid "Source specification. I<Address> can be either a network name, a hostname, a network IP address (with B</>I<mask>), or a plain IP address. Hostnames will be resolved once only, before the rule is submitted to the kernel. Please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea. The I<mask> can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of I<24> is equivalent to I<255.255.255.0>. A \"!\" argument before the address specification inverts the sense of the address. The flag B<--src> is an alias for this option. Multiple addresses can be specified, but this will B<expand to multiple rules> (when adding with -A), or will cause multiple rules to be deleted (with -D)."
435+msgid "Source specification. I<Address> can be either a network name, a hostname, a network IP address (with B</>I<mask>), or a plain IP address. Hostnames will be resolved once only, before the rule is submitted to the kernel. Please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea. The I<mask> can be either an ipv4 network mask (for iptables) or a plain number, specifying the number of 1's at the left side of the network mask. Thus, an iptables mask of I<24> is equivalent to I<255.255.255.0>. A \"!\" argument before the address specification inverts the sense of the address. The flag B<--src> is an alias for this option. Multiple addresses can be specified, but this will B<expand to multiple rules> (when adding with -A), or will cause multiple rules to be deleted (with -D)."
409436 msgstr "送信元の指定。 I<address> はホスト名、ネットワーク IP アドレス (B</>I<mask> を指定する)、通常の IP アドレスのいずれかである。ホスト名の解決は、カーネルにルールが登録される前に一度だけ行われる。 DNS のようなリモートへの問い合わせで解決する名前を指定するのは非常に良くないことである。 I<mask> には、ネットワークマスクか、ネットワークマスクの左側にある 1 の数を表す数値を指定する。つまり、 I<24> という mask は I<255.255.255.0> と同じである。 アドレス指定の前に \"!\" を置くと、そのアドレスを除外するという意味になる。 フラグ B<--src> は、このオプションの別名である。複数のアドレスを指定することができるが、その場合は (-A での追加であれば) B<複数のルールに展開され>、 (-D での削除であれば) 複数のルールが削除されることになる。"
410437
411438 #. type: TP
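Review bot: the msgstr at 436 omits "network name" from the accepted I<address> forms (it goes straight from hostname to network IP address) and does not reflect the new "ipv4 network mask (for iptables)" qualification in the msgid at 435. When retranslating, keep the warning intact that hostnames are resolved once, before the rule reaches the kernel, and that names resolved via a remote query such as DNS are "a really bad idea": the rule keeps whatever address the resolver returned at insertion time until it is reloaded.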
@@ -468,7 +495,9 @@ msgid "[B<!>] B<-f>, B<--fragment>"
468495 msgstr "[B<!>] B<-f>, B<--fragment>"
469496
470497 #. type: Plain text
471-msgid "This means that the rule only refers to second and further fragments of fragmented packets. Since there is no way to tell the source or destination ports of such a packet (or ICMP type), such a packet will not match any rules which specify them. When the \"!\" argument precedes the \"-f\" flag, the rule will only match head fragments, or unfragmented packets."
498+#, fuzzy
499+#| msgid "This means that the rule only refers to second and further fragments of fragmented packets. Since there is no way to tell the source or destination ports of such a packet (or ICMP type), such a packet will not match any rules which specify them. When the \"!\" argument precedes the \"-f\" flag, the rule will only match head fragments, or unfragmented packets."
500+msgid "This means that the rule only refers to second and further IPv4 fragments of fragmented packets. Since there is no way to tell the source or destination ports of such a packet (or ICMP type), such a packet will not match any rules which specify them. When the \"!\" argument precedes the \"-f\" flag, the rule will only match head fragments, or unfragmented packets. This option is IPv4 specific, it is not available in ip6tables."
472501 msgstr "分割されたパケット (fragmented packet) のうち 2 番目以降のパケットだけを参照するルールであることを意味する。 このようなパケット (または ICMP タイプのパケット) は 送信元ポートと宛先ポートを知る方法がないので、 送信元ポートや宛先ポートを指定するようなルールにはマッチしない。 \"-f\" フラグの前に \"!\" を置くと、 分割されたパケットのうち最初のフラグメントか、 分割されていないパケットだけにマッチする。"
473502
474503 #. type: TP
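Review bot: the msgstr at 501 does not say "IPv4 fragments" and lacks the closing sentence of the msgid at 500, "This option is IPv4 specific, it is not available in ip6tables"; add both, since this page now documents ip6tables as well and the reader needs to know `-f` cannot be used there.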
@@ -499,6 +528,16 @@ msgid "Verbose output. This option makes the list command show the interface na
499528 msgstr "詳細な出力を行う。 list コマンドの際に、 インターフェース名、 ルールのオプション (ある場合のみ)、 TOS マスクを表示させる。 パケットとバイトカウンタも表示される。 添字 'K', 'M', 'G' は、 それぞれ 1000, 1,000,000, 1,000,000,000 倍を表す (これを変更する B<-x> フラグも見よ)。 このオプションを append, insert, delete, replace コマンドに適用すると、 ルールについての詳細な情報を表示する。 B<-v> は複数回指定することができ、 数が多くなるとより多くのデバッグ情報が出力される。"
500529
501530 #. type: TP
531+#, fuzzy, no-wrap
532+#| msgid "B<-x>, B<--exact>"
533+msgid "B<-w>, B<--wait>"
534+msgstr "B<-x>, B<--exact>"
535+
536+#. type: Plain text
537+msgid "Wait for the xtables lock. To prevent multiple instances of the program from running concurrently, an attempt will be made to obtain an exclusive lock at launch. By default, the program will exit if the lock cannot be obtained. This option will make the program wait until the exclusive lock can be obtained."
538+msgstr ""
539+
540+#. type: TP
502541 #, no-wrap
503542 msgid "B<-n>, B<--numeric>"
504543 msgstr "B<-n>, B<--numeric>"
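Review bot: the fuzzy msgstr at 534 for the new `B<-w>, B<--wait>` heading is "B<-x>, B<--exact>" (po4a matched it against the neighbouring option), so un-fuzzying as-is would label the wait option as -x; set it to `B<-w>, B<--wait>` and translate the description at 537, which is empty. The default described in the msgid is worth preserving exactly: without `-w` the program exits when the xtables lock cannot be obtained, so rule-loading scripts that run iptables concurrently and ignore the exit status can end up with missing rules.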
@@ -599,7 +638,9 @@ msgid "SEE ALSO"
599638 msgstr "関連項目"
600639
601640 #. type: Plain text
602-msgid "B<iptables-apply>(8), B<iptables-save>(8), B<iptables-restore>(8), B<iptables-extensions>(8), B<ip6tables>(8), B<ip6tables-save>(8), B<ip6tables-restore>(8), B<libipq>(3)."
641+#, fuzzy
642+#| msgid "B<iptables-apply>(8), B<iptables-save>(8), B<iptables-restore>(8), B<iptables-extensions>(8), B<ip6tables>(8), B<ip6tables-save>(8), B<ip6tables-restore>(8), B<libipq>(3)."
643+msgid "B<iptables-apply>(8), B<iptables-save>(8), B<iptables-restore>(8), B<iptables-extensions>(8),"
603644 msgstr "B<iptables-apply>(8), B<iptables-save>(8), B<iptables-restore>(8), B<iptables-extensions>(8), B<ip6tables>(8), B<ip6tables-save>(8), B<ip6tables-restore>(8), B<libipq>(3)."
604645
605646 #. type: Plain text
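Review bot: the msgid at 643 now ends with a trailing comma after B<iptables-extensions>(8), which suggests the cross-reference list continues in a following paragraph not shown here, while the fuzzy msgstr at 644 still lists the ip6tables*(8) pages and B<libipq>(3), which upstream removed from this paragraph (ip6tables is covered by this same page after the NAME change in this commit). Check the 1.4.21 source for what follows and match the shortened list and the trailing comma so the next paragraph joins correctly.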
@@ -653,5 +694,10 @@ msgid "VERSION"
653694 msgstr "バージョン"
654695
655696 #. type: Plain text
656-msgid "This manual page applies to iptables 1.4.18."
697+#, fuzzy
698+#| msgid "This manual page applies to iptables 1.4.18."
699+msgid "This manual page applies to iptables/ip6tables 1.4.21."
657700 msgstr "この man ページは iptables 1.4.18 について説明している。"
701+
702+#~ msgid "This option has no effect in iptables and iptables-restore."
703+#~ msgstr "このオプションは iptables と iptables-restore では効果を持たない。"
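Review bot: the msgstr at 700 still says 1.4.18 under the msgid at 699 ("iptables/ip6tables 1.4.21"); it is fuzzy so it will not render, but update it with the commit rather than leaving it to be un-fuzzied into the wrong version. The obsolete entry at 702/703 is the old `-4` text ("This option has no effect in iptables and iptables-restore"), now folded into the new `-4` msgid, and can be dropped.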
--- a/translation_list
+++ b/translation_list
@@ -1,20 +1,20 @@
1-○:iptables:1.4.18:2012/03/27:iptables-xml:1:2014/05/07::amotoki@gmail.com:Akihiro Motoki:
2-×:iptables:1.4.18:2012/03/27:ipq_create_handle:3:::::
3-※:iptables:1.4.18:2012/03/27:ipq_destroy_handle:3:ipq_create_handle:3:
4-×:iptables:1.4.18:2012/03/27:ipq_errstr:3:::::
5-※:iptables:1.4.18:2012/03/27:ipq_get_msgerr:3:ipq_message_type:3:
6-※:iptables:1.4.18:2012/03/27:ipq_get_packet:3:ipq_message_type:3:
7-×:iptables:1.4.18:2012/03/27:ipq_message_type:3:::::
8-※:iptables:1.4.18:2012/03/27:ipq_perror:3:ipq_errstr:3:
9-×:iptables:1.4.18:2012/03/27:ipq_read:3:::::
10-×:iptables:1.4.18:2012/03/27:ipq_set_mode:3:::::
11-×:iptables:1.4.18:2012/03/27:ipq_set_verdict:3:::::
12-×:iptables:1.4.18:2012/03/27:libipq:3:::::
13-○:iptables:1.4.18:2013/03/03:ip6tables:8:2014/05/06::amotoki@gmail.com:Akihiro Motoki:
14-○:iptables:1.4.18:2013/03/03:ip6tables-restore:8:2014/05/06::amotoki@gmail.com:Akihiro Motoki:
15-○:iptables:1.4.18:2012/03/27:ip6tables-save:8:2014/05/06::amotoki@gmail.com:Akihiro Motoki:
16-○:iptables:1.4.18:2013/03/03:iptables:8:2014/05/06::amotoki@gmail.com:Akihiro Motoki:
17-○:iptables:1.4.18:2013/03/03:iptables-apply:8:2014/05/06::amotoki@gmail.com:Akihiro Motoki:
18-○:iptables:1.4.18:2013/03/03:iptables-extensions:8:2014/05/07::amotoki@gmail.com:Akihiro Motoki:
19-○:iptables:1.4.18:2013/03/03:iptables-restore:8:2014/05/06::amotoki@gmail.com:Akihiro Motoki:
20-○:iptables:1.4.18:2012/03/27:iptables-save:8:2014/05/06::amotoki@gmail.com:Akihiro Motoki:
1+☆:iptables:1.4.18=>1.4.21:2013/11/22:iptables-xml:1:2014/05/07::amotoki@gmail.com:Akihiro Motoki:
2+×:iptables:1.4.21:2012/03/27:ipq_create_handle:3:::::
3+※:iptables:1.4.21:2012/03/27:ipq_destroy_handle:3:ipq_create_handle:3:
4+×:iptables:1.4.21:2012/03/27:ipq_errstr:3:::::
5+※:iptables:1.4.21:2012/03/27:ipq_get_msgerr:3:ipq_message_type:3:
6+※:iptables:1.4.21:2012/03/27:ipq_get_packet:3:ipq_message_type:3:
7+×:iptables:1.4.21:2012/03/27:ipq_message_type:3:::::
8+※:iptables:1.4.21:2012/03/27:ipq_perror:3:ipq_errstr:3:
9+×:iptables:1.4.21:2012/03/27:ipq_read:3:::::
10+×:iptables:1.4.21:2012/03/27:ipq_set_mode:3:::::
11+×:iptables:1.4.21:2012/03/27:ipq_set_verdict:3:::::
12+×:iptables:1.4.21:2013/11/22:libipq:3:::::
13+@:iptables:1.4.21:2013/11/22:ip6tables:8:iptables:8:
14+@:iptables:1.4.21:2013/11/22:ip6tables-restore:8:iptables-restore:8:
15+@:iptables:1.4.21:2013/11/22:ip6tables-save:8:iptables-save:8:
16+☆:iptables:1.4.18=>1.4.21:2013/11/22:iptables:8:2014/05/06::amotoki@gmail.com:Akihiro Motoki:
17+☆:iptables:1.4.18=>1.4.21:2013/11/22:iptables-apply:8:2014/05/06::amotoki@gmail.com:Akihiro Motoki:
18+☆:iptables:1.4.18=>1.4.21:2013/11/22:iptables-extensions:8:2014/05/07::amotoki@gmail.com:Akihiro Motoki:
19+☆:iptables:1.4.18=>1.4.21:2013/11/22:iptables-restore:8:2014/05/06::amotoki@gmail.com:Akihiro Motoki:
20+☆:iptables:1.4.18=>1.4.21:2013/11/22:iptables-save:8:2014/05/06::amotoki@gmail.com:Akihiro Motoki:
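Review bot: the ipq_* rows 2 to 11 are bumped to 1.4.21 but keep the 2012/03/27 date, while libipq:3 on row 12 and every other row move to 2013/11/22; if that column is the upstream page date, pages shipped in the same 1.4.21 tarball should carry the same date, so either update them or note why they differ. Rows 13 to 15 now point ip6tables(8), ip6tables-restore(8) and ip6tables-save(8) at their iptables counterparts, which matches the merged man pages in this commit, and the ☆ marker with "1.4.18=>1.4.21" on rows 1 and 16 to 20 records that those translations still need the fuzzy entries resolved.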