[Bug 1682] New: Issues in iptables man pages

bugzilla-daemon at netfilter.org
Sun May 28 08:02:35 CEST 2023


https://bugzilla.netfilter.org/show_bug.cgi?id=1682

            Bug ID: 1682
           Summary: Issues in iptables man pages
           Product: iptables
           Version: 1.8.x
          Hardware: All
                OS: All
            Status: NEW
          Severity: minor
          Priority: P5
         Component: iptables
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: debian at helgefjell.de

Dear iptables maintainer,
the manpage-l10n project maintains a large number of translations of
man pages both from a large variety of sources (including iptables) as
well as for a large variety of target languages.

During their work translators notice different possible issues in the
original (English) man pages. Sometimes this is a straightforward
typo, sometimes a hard to read sentence, sometimes this is a
convention not held up and sometimes we simply do not understand the
original.

We use several distributions as sources and update regularly (at
least every 2 months). This means we are fairly recent (some
distributions like archlinux also update frequently) but might miss
the latest upstream version once in a while, so the error might be
already fixed. We apologize and ask you to close the issue immediately
if this should be the case, but given the huge volume of projects and
the very limited number of volunteers we are not able to double check
each and every issue.

Secondly we translators see the manpages in the neutral po format,
i.e. converted and harmonized, but not the original source (be it man,
groff, xml or other). So we cannot provide a true patch (where
possible), but only an approximation which you need to convert into
your source format.

Finally the issues I'm reporting have accumulated over time and are
not always discovered by me, so sometimes my description of the
problem may be a bit limited - do not hesitate to ask so we can clarify
them.

I'm now reporting the errors for your project. If future reports
should use another channel, please let me know.

Man page: iptables.8
Issue:    "consult" sounds strange, maybe "used"?

"This table is consulted when a packet that creates a new connection is "
"encountered.  It consists of four built-ins: B<PREROUTING> (for altering "
"packets as soon as they come in), B<INPUT> (for altering packets destined "
"for local sockets), B<OUTPUT> (for altering locally-generated packets before "
"routing), and B<POSTROUTING> (for altering packets as they are about to go "
"out).  IPv6 NAT support is available since kernel 3.7."
--
Man page: iptables.8
Issue 1:  B<OUTPUT> → and B<OUTPUT>
Issue 2:  Missing full stop at end

"This table is used mainly for configuring exemptions from connection "
"tracking in combination with the NOTRACK target.  It registers at the "
"netfilter hooks with higher priority and is thus called before ip_conntrack, "
"or any other IP tables.  It provides the following built-in chains: "
"B<PREROUTING> (for packets arriving via any network interface) B<OUTPUT> "
"(for packets generated by local processes)"
--
Man page: iptables.8
Issue:    B<iptables-nft> → B<iptables-nft>(8)

"Delete the chain specified.  There must be no references to the chain.  If "
"there are, you must delete or replace the referring rules before the chain "
"can be deleted.  The chain must be empty, i.e. not contain any rules.  If no "
"argument is given, it will delete all empty chains in the table. Empty "
"builtin chains can only be deleted with B<iptables-nft>."
--
Man page: iptables.8
Issue 1:  iptables → B<iptables>
Issue 2:  iptables-restore → B<iptables-restore>(8)
Issue 3:  ip6tables-restore → B<ip6tables-restore>(8)

"This option has no effect in iptables and iptables-restore.  If a rule using "
"the B<-4> option is inserted with (and only with)  ip6tables-restore, it "
"will be silently ignored. Any other uses will throw an error. This option "
"allows IPv4 and IPv6 rules in a single rule file for use with both iptables-"
"restore and ip6tables-restore."
--
Man page: iptables.8
Issue 1:  ip6tables → B<ip6tables>
Issue 2:  ip6tables-restore → B<ip6tables-restore>(8)
Issue 3:  iptables-restore → B<iptables-restore>(8)

"If a rule using the B<-6> option is inserted with (and only with)  iptables-"
"restore, it will be silently ignored. Any other uses will throw an error. "
"This option allows IPv4 and IPv6 rules in a single rule file for use with "
"both iptables-restore and ip6tables-restore.  This option has no effect in "
"ip6tables and ip6tables-restore."
--
Man page: iptables.8
Issue 1:  B<icmpv6>,B<esp> → B<icmpv6>, B<esp>
Issue 2:  /etc/protocols → I</etc/protocols>
Issue 3:  ip6tables → B<ip6tables>

"The protocol of the rule or of the packet to check.  The specified protocol "
"can be one of B<tcp>, B<udp>, B<udplite>, B<icmp>, B<icmpv6>,B<esp>, B<ah>, "
"B<sctp>, B<mh> or the special keyword \"B<all>\", or it can be a numeric "
"value, representing one of these protocols or a different one.  A protocol "
"name from /etc/protocols is also allowed.  A \"!\" argument before the "
"protocol inverts the test.  The number zero is equivalent to B<all>. "
"\"B<all>\" will match with all protocols and is taken as default when this "
"option is omitted.  Note that, in ip6tables, IPv6 extension headers except "
"B<esp> are not allowed.  B<esp> and B<ipv6-nonext> can be used with Kernel "
"version 2.6.11 or later.  The number zero is equivalent to B<all>, which "
"means that you cannot test the protocol field for the value 0 directly. To "
"match on a HBH header, even if it were the last, you cannot use B<-p 0>, but "
"always need B<-m hbh>."
--
Man page: iptables.8
Issue:    iptables → B<iptables>

"Source specification. I<Address> can be either a network name, a hostname, a "
"network IP address (with B</>I<mask>), or a plain IP address. Hostnames will "
"be resolved once only, before the rule is submitted to the kernel.  Please "
"note that specifying any name to be resolved with a remote query such as DNS "
"is a really bad idea.  The I<mask> can be either an ipv4 network mask (for "
"iptables) or a plain number, specifying the number of 1's at the left side "
"of the network mask.  Thus, an iptables mask of I<24> is equivalent to "
"I<255.255.255.0>.  A \"!\" argument before the address specification inverts "
"the sense of the address. The flag B<--src> is an alias for this option.  "
"Multiple addresses can be specified, but this will B<expand to multiple "
"rules> (when adding with -A), or will cause multiple rules to be deleted "
"(with -D)."
--
Man page: iptables.8
Issue:    B<EXTENSIONS> → B<MATCH AND TARGET EXTENSIONS>?

"This specifies the target of the rule; i.e., what to do if the packet "
"matches it.  The target can be a user-defined chain (other than the one this "
"rule is in), one of the special builtin targets which decide the fate of the "
"packet immediately, or an extension (see B<EXTENSIONS> below).  If this "
"option is omitted in a rule (and B<-g> is not used), then matching the rule "
"will have no effect on the packet's fate, but the counters on the rule will "
"be incremented."
--
Man page: iptables.8
Issue:    return → B<RETURN>?

"This specifies that the processing should continue in a user specified "
"chain. Unlike the --jump option return will not continue processing in this "
"chain but instead in the chain that called us via --jump."
--
Man page: iptables.8
Issue:    ip6tables. → B<ip6tables>.

"This means that the rule only refers to second and further IPv4 fragments of "
"fragmented packets.  Since there is no way to tell the source or destination "
"ports of such a packet (or ICMP type), such a packet will not match any "
"rules which specify them.  When the \"!\" argument precedes the \"-f\" flag, "
"the rule will only match head fragments, or unfragmented packets. This "
"option is IPv4 specific, it is not available in ip6tables."
--
Man page: iptables.8
Issue:    1000) → 1000),

"Expand numbers.  Display the exact value of the packet and byte counters, "
"instead of only the rounded number in K's (multiples of 1000)  M's "
"(multiples of 1000K) or G's (multiples of 1000M).  This option is only "
"relevant for the B<-L> command."
--
Man page: iptables.8
Issue:    http → https

"Bugs? What's this? ;-)  Well, you might want to have a look at http://"
"bugzilla.netfilter.org/ B<iptables> will exit immediately with an error code "
"of 111 if it finds that it was called as a setuid-to-root program.  iptables "
"cannot be used safely in this manner because it trusts the shared libraries "
"(matches, targets) loaded at run time, the search path can be set using "
"environment variables."
--
Man page: iptables.8
Issue 1:  should simplify → should avoid
Issue 2:  filtering seen previously. → filtering.

"The various forms of NAT have been separated out; B<iptables> is a pure "
"packet filter when using the default `filter' table, with optional extension "
"modules.  This should simplify much of the previous confusion over the "
"combination of IP masquerading and packet filtering seen previously.  So the "
"following options are handled differently:"
--
Man page: iptables.8
Issue:    iptables. → B<iptables>.

"There are several other changes in iptables."
--
Man page: iptables.8
Issue:    iptables/ip6tables → B<iptables>/B<ip6tables>

"This manual page applies to iptables/ip6tables 1.8.9."
