[PATCH] fix bug in mac match

Kis-Szabo Andras kisza@sch.bme.hu
Sun, 7 Oct 2001 19:15:07 +0200


--qMm9M+Fa2AknHoGS
Content-Type: text/plain; charset=iso-8859-2
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Harald Welte ....................................... (2001. október 05.)

 Hi!

IPv6: ip6tables MAC match fix (from Harald's one):
--- linux-2.4.9/net/ipv6/netfilter/ip6t_mac.c	Tue Oct  2 18:50:56 2001
+++ linux-2.4.9-ipt_mac-fix/net/ipv6/netfilter/ip6t_mac.c	Tue Oct  2 19:32:20 2001
@@ -20,7 +20,7 @@
 
     /* Is mac pointer valid? */
     return (skb->mac.raw >= skb->head
-	    && skb->mac.raw < skb->head + skb->len - ETH_HLEN
+	    && (skb->mac.raw + ETH_HLEN) <= skb->data
 	    /* If so, compare... */
 	    && ((memcmp(skb->mac.ethernet->h_source, info->srcaddr, ETH_ALEN)
 		== 0) ^ info->invert));

IPv6: ip6tables AGR match (experimental one!) MAC patch:
diff -urN userspace/patch-o-matic/ipv6-agr.patch.ipv6 userspace.new/patch-o-matic/ipv6-agr.patch.ipv6
--- userspace/patch-o-matic/ipv6-agr.patch.ipv6  Thu Apr 12 17:35:32 2001
+++ userspace.new/patch-o-matic/ipv6-agr.patch.ipv6  Sun Oct  7 19:11:14 2001
@@ -25,6 +25,12 @@
 +    int i=0;
 +
 +    /*TODO size and pointer checking */
++     if ( !(skb->mac.raw >= skb->head
++                && (skb->mac.raw + ETH_HLEN) <= skb->data)
++                && offset != 0) {
++                        *hotdrop = 1;
++                        return 0;
++                }
 +
 +    memset(aggregated, 0, sizeof(aggregated));
 +


And an experimental man page of ip6tables.

Regards,

	kisza

-- 
    Kis-Szabo Andras            BUTE - Schonherz Dormitory
---------------------------/  Favourite tools: Zorp, NetFilter
      kisza@sch.bme.hu    /---Member of the BUTE-MIS-SEARCHlab--->>>>>.Info

--qMm9M+Fa2AknHoGS
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="man6.20011007"

diff -urN userspace/Makefile userspace.new/Makefile
--- userspace/Makefile	Sun Sep  2 18:07:33 2001
+++ userspace.new/Makefile	Sun Oct  7 18:37:03 2001
@@ -69,7 +69,7 @@
 
 ifdef DO_IPV6
 EXTRAS+=ip6tables ip6tables.o
-EXTRA_INSTALLS+=$(DESTDIR)$(BINDIR)/ip6tables
+EXTRA_INSTALLS+=$(DESTDIR)$(BINDIR)/ip6tables $(DESTDIR)$(MANDIR)/man8/ip6tables.8
 EXTRAS_EXP+=ip6tables-save ip6tables-restore
 EXTRA_INSTALLS_EXP+=$(DESTDIR)$(BINDIR)/ip6tables-save $(DESTDIR)$(BINDIR)/ip6tables-restore # $(DESTDIR)$(MANDIR)/man8/iptables-restore.8 $(DESTDIR)$(MANDIR)/man8/iptables-save.8 $(DESTDIR)$(MANDIR)/man8/ip6tables-save.8 $(DESTDIR)$(MANDIR)/man8/ip6tables-restore.8
 endif
diff -urN userspace/ip6tables.8 userspace.new/ip6tables.8
--- userspace/ip6tables.8	Thu Jan  1 01:00:00 1970
+++ userspace.new/ip6tables.8	Sun Oct  7 18:34:24 2001
@@ -0,0 +1,803 @@
+.TH IP6TABLES 8 "Okt 07, 2001" "" ""
+.\"
+.\" Man page written by Andras Kis-Szabo <kisza@sch.bme.hu>
+.\" It is based on iptables man page.
+.\"
+.\" iptables page by Herve Eychenne <eychenne@info.enserb.u-bordeaux.fr>
+.\" It is based on ipchains man page.
+.\"
+.\" ipchains page by Paul ``Rusty'' Russell March 1997
+.\" Based on the original ipfwadm man page by Jos Vos <jos@xos.nl> (see README)
+.\"
+.\"	This program is free software; you can redistribute it and/or modify
+.\"	it under the terms of the GNU General Public License as published by
+.\"	the Free Software Foundation; either version 2 of the License, or
+.\"	(at your option) any later version.
+.\"
+.\"	This program is distributed in the hope that it will be useful,
+.\"	but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\"	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+.\"	GNU General Public License for more details.
+.\"
+.\"	You should have received a copy of the GNU General Public License
+.\"	along with this program; if not, write to the Free Software
+.\"	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+ip6tables \- IPv6 packet filter administration
+.SH SYNOPSIS
+.BR "ip6tables -[ADC] " "chain rule-specification [options]"
+.br
+.BR "ip6tables -[RI] " "chain rulenum rule-specification [options]"
+.br
+.BR "ip6tables -D " "chain rulenum [options]"
+.br
+.BR "ip6tables -[LFZ] " "[chain] [options]"
+.br
+.BR "ip6tables -[NX] " "chain"
+.br
+.BR "ip6tables -P " "chain target [options]"
+.br
+.BR "ip6tables -E " "old-chain-name new-chain-name"
+.SH DESCRIPTION
+.B Ip6tables
+is used to set up, maintain, and inspect the tables of IPv6 packet
+filter rules in the Linux kernel.  Several different tables
+may be defined.  Each table contains a number of built-in
+chains and may also contain user-defined chains.
+
+Each chain is a list of rules which can match a set of packets.  Each
+rule specifies what to do with a packet that matches.  This is called
+a `target', which may be a jump to a user-defined chain in the same
+table.
+
+.SH TARGETS
+A firewall rule specifies criteria for a packet, and a target.  If the
+packet does not match, the next rule in the chain is the examined; if
+it does match, then the next rule is specified by the value of the
+target, which can be the name of a user-defined chain or one of the
+special values 
+.IR ACCEPT ,
+.IR DROP ,
+.IR QUEUE ,
+or
+.IR RETURN .
+.PP
+.I ACCEPT 
+means to let the packet through.
+.I DROP
+means to drop the packet on the floor.
+.I QUEUE
+means to pass the packet to userspace (if supported by the kernel).
+.I RETURN
+means stop traversing this chain and resume at the next rule in the
+previous (calling) chain.  If the end of a built-in chain is reached
+or a rule in a built-in chain with target
+.I RETURN
+is matched, the target specified by the chain policy determines the
+fate of the packet.
+.SH TABLES
+There are current three independent tables (which tables are present
+at any time depends on the kernel configuration options and which
+modules are present).
+.TP
+.B "-t, --table"
+This option specifies the packet matching table which the command
+should operate on.  If the kernel is configured with automatic module
+loading, an attempt will be made to load the appropriate module for
+that table if it is not already there.
+
+The tables are as follows:
+.TP
+.BR "filter"
+This is the default table.  It contains the built-in chains INPUT (for
+packets coming into the box itself), FORWARD (for packets being routed
+through the box), and OUTPUT (for locally-generated packets).
+.TP
+.BR "mangle"
+This table is used for specialized packet alteration.  It has two
+built-in chains: PREROUTING (for altering incoming packets before
+routing) and OUTPUT (for altering locally-generated packets before
+routing).
+.SH OPTIONS
+The options that are recognized by
+.B ip6tables
+can be divided into several different groups.
+.SS COMMANDS
+These options specify the specific action to perform.  Only one of them
+can be specified on the command line unless otherwise specified
+below.  For all the long versions of the command and option names, you
+need to use only enough letters to ensure that
+.B ip6tables
+can differentiate it from all other options.
+.TP
+.BR "-A, --append"
+Append one or more rules to the end of the selected chain.
+When the source and/or destination names resolve to more than one
+address, a rule will be added for each possible address combination.
+.TP
+.BR "-D, --delete"
+Delete one or more rules from the selected chain.  There are two
+versions of this command: the rule can be specified as a number in the
+chain (starting at 1 for the first rule) or a rule to match.
+.TP
+.B "-R, --replace"
+Replace a rule in the selected chain.  If the source and/or
+destination names resolve to multiple addresses, the command will
+fail.  Rules are numbered starting at 1.
+.TP
+.B "-I, --insert"
+Insert one or more rules in the selected chain as the given rule
+number.  So, if the rule number is 1, the rule or rules are inserted
+at the head of the chain.  This is also the default if no rule number
+is specified.
+.TP
+.B "-L, --list"
+List all rules in the selected chain.  If no chain is selected, all
+chains are listed.  It is legal to specify the
+.B -Z
+(zero) option as well, in which case the chain(s) will be atomically
+listed and zeroed.  The exact output is affected by the other
+arguments given.
+.TP
+.B "-F, --flush"
+Flush the selected chain.  This is equivalent to deleting all the
+rules one by one.
+.TP
+.B "-Z, --zero"
+Zero the packet and byte counters in all chains.  It is legal to
+specify the
+.B "-L, --list"
+(list) option as well, to see the counters immediately before they are
+cleared. (See above.)
+.TP
+.B "-N, --new-chain"
+Create a new user-defined chain by the given name.  There must be no
+target of that name already.
+.TP
+.B "-X, --delete-chain"
+Delete the specified user-defined chain.  There must be no references
+to the chain.  If there are, you must delete or replace the referring
+rules before the chain can be deleted.  If no argument is given, it
+will attempt to delete every non-builtin chain in the table.
+.TP
+.B "-P, --policy"
+Set the policy for the chain to the given target.  See the section
+.B TARGETS
+for the legal targets.  Only non-user-defined chains can have policies,
+and neither built-in nor user-defined chains can be policy targets.
+.TP
+.B "-E, --rename-chain"
+Rename the user specified chain to the user supplied name.  This is
+cosmetic, and has no effect on the structure of the table.
+.TP
+.B -h
+Help.
+Give a (currently very brief) description of the command syntax.
+.SS PARAMETERS
+The following parameters make up a rule specification (as used in the
+add, delete, insert, replace and append commands).
+.TP
+.BR "-p, --protocol " "[!] \fIprotocol\fP"
+The protocol of the rule or of the packet to check.
+The specified protocol can be one of
+.IR tcp ,
+.IR udp ,
+.IR ipv6-icmp|icmpv6 ,
+or
+.IR all ,
+or it can be a numeric value, representing one of these protocols or a
+different one.  A protocol name from /etc/protocols is also allowed.
+A "!" argument before the protocol inverts the
+test.  The number zero is equivalent to
+.IR all .
+Protocol
+.I all
+will match with all protocols and is taken as default when this
+option is omitted.
+.TP
+.BR "-s, --source " "[!] \fIaddress\fP[/\fImask\fP]"
+Source specification.
+.I Address
+can be either a hostname, or a plain IPv6 address (the network name doesn't supported now).
+The
+.I mask
+can be either a network mask or a plain number,
+specifying the number of 1's at the left side of the network mask.
+Thus, a mask of
+.I 64
+is equivalent to
+.IR ffff:ffff:ffff:ffff:0000:0000:0000:0000 .
+A "!" argument before the address specification inverts the sense of
+the address. The flag
+.B --src
+is a convenient alias for this option.
+.TP
+.BR "-d, --destination " "[!] \fIaddress\fP[/\fImask\fP]"
+Destination specification. 
+See the description of the
+.B -s
+(source) flag for a detailed description of the syntax.  The flag
+.B --dst
+is an alias for this option.
+.TP
+.BI "-j, --jump " "target"
+This specifies the target of the rule; i.e., what to do if the packet
+matches it.  The target can be a user-defined chain (other than the
+one this rule is in), one of the special builtin targets which decide
+the fate of the packet immediately, or an extension (see
+.B EXTENSIONS
+below).  If this
+option is omitted in a rule, then matching the rule will have no
+effect on the packet's fate, but the counters on the rule will be
+incremented.
+.TP
+.BR "-i, --in-interface " "[!] [\fIname\fP]"
+Optional name of an interface via which a packet is received (for
+packets entering the 
+.BR INPUT ,
+.B FORWARD
+and
+.B PREROUTING
+chains).  When the "!" argument is used before the interface name, the
+sense is inverted.  If the interface name ends in a "+", then any
+interface which begins with this name will match.  If this option is
+omitted, the string "+" is assumed, which will match with any
+interface name.
+.TP
+.BR "-o, --out-interface " "[!] [\fIname\fP]"
+Optional name of an interface via which a packet is going to
+be sent (for packets entering the
+.BR FORWARD 
+and
+.B OUTPUT
+chains).  When the "!" argument is used before the interface name,
+the sense is inverted.  If the interface name ends in a "+", then any
+interface which begins with this name will match.  If this option is
+omitted, the string "+" is assumed, which will match with any
+interface name.
+.TP
+.\" Currently not supported (header-based)
+.\" 
+.\" .B "[!] " "-f, --fragment"
+.\" This means that the rule only refers to second and further fragments
+.\" of fragmented packets.  Since there is no way to tell the source or
+.\" destination ports of such a packet (or ICMP type), such a packet will
+.\" not match any rules which specify them.  When the "!" argument
+.\" precedes the "-f" flag, the rule will only match head fragments, or
+.\" unfragmented packets.
+.\" .TP
+.\" .B "-c, --set-counters " "PKTS BYTES"
+.\" This enables the administrater to initialize the packet and byte
+.\" counters of a rule (during
+.\" .B INSERT,
+.\" .B APPEND,
+.\" .B REPLACE
+.\" operations)
+.SS "OTHER OPTIONS"
+The following additional options can be specified:
+.TP
+.B "-v, --verbose"
+Verbose output.  This option makes the list command show the interface
+address, the rule options (if any), and the TOS masks.  The packet and
+byte counters are also listed, with the suffix 'K', 'M' or 'G' for
+1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see
+the
+.B -x
+flag to change this).
+For appending, insertion, deletion and replacement, this causes
+detailed information on the rule or rules to be printed.
+.TP
+.B "-n, --numeric"
+Numeric output.
+IP addresses and port numbers will be printed in numeric format.
+By default, the program will try to display them as host names,
+network names, or services (whenever applicable).
+.TP
+.B "-x, --exact"
+Expand numbers.
+Display the exact value of the packet and byte counters,
+instead of only the rounded number in K's (multiples of 1000)
+M's (multiples of 1000K) or G's (multiples of 1000M).  This option is
+only relevant for the 
+.B -L
+command.
+.TP
+.B "--line-numbers"
+When listing rules, add line numbers to the beginning of each rule,
+corresponding to that rule's position in the chain.
+.TP
+.B "--modprobe=<command>"
+When adding or inserting rules into a chain, use
+.B command
+to load any necessary modules (targets, match extensions, etc).
+.SH MATCH EXTENSIONS
+ip6tables can use extended packet matching modules.  These are loaded
+in two ways: implicitly, when
+.B -p
+or
+.B --protocol
+is specified, or with the
+.B -m
+or
+.B --match
+options, followed by the matching module name; after these, various
+extra command line options become available, depending on the specific
+module.  You can specify multiple extended match modules in one line, and you can use the
+.B -h
+or
+.B --help
+options after the module has been specified to receive help specific
+to that module.
+
+The following are included in the base package, and most of these can
+be preceded by a
+.B !
+to invert the sense of the match.
+.SS tcp
+These extensions are loaded if `--protocol tcp' is specified. It
+provides the following options:
+.TP
+.BR "--source-port " "[!] [\fIport[:port]\fP]"
+Source port or port range specification. This can either be a service
+name or a port number. An inclusive range can also be specified,
+using the format
+.IR port : port .
+If the first port is omitted, "0" is assumed; if the last is omitted,
+"65535" is assumed.
+If the second port greater then the first they will be swapped.
+The flag
+.B --sport
+is an alias for this option.
+.TP
+.BR "--destination-port " "[!] [\fIport[:port]\fP]"
+Destination port or port range specification. The flag
+.B --dport
+is an alias for this option.
+.TP
+.BR "--tcp-flags " "[!] \fImask\fP \fIcomp\fP"
+Match when the TCP flags are as specified.  The first argument is the
+flags which we should examine, written as a comma-separated list, and
+the second argument is a comma-separated list of flags which must be
+set.  Flags are: 
+.BR "SYN ACK FIN RST URG PSH ALL NONE" .
+Hence the command
+.br
+ ip6tables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
+.br
+will only match packets with the SYN flag set, and the ACK, FIN and
+RST flags unset.
+.TP
+.B "[!] --syn"
+Only match TCP packets with the SYN bit set and the ACK and FIN bits
+cleared.  Such packets are used to request TCP connection initiation;
+for example, blocking such packets coming in an interface will prevent
+incoming TCP connections, but outgoing TCP connections will be
+unaffected.
+It is equivalent to \fB--tcp-flags SYN,RST,ACK SYN\fP.
+If the "!" flag precedes the "--syn", the sense of the
+option is inverted.
+.TP
+.BR "--tcp-option " "[!] \fInumber\fP"
+Match if TCP option set.
+.SS udp
+These extensions are loaded if `--protocol udp' is specified.  It
+provides the following options:
+.TP
+.BR "--source-port " "[!] [\fIport[:port]\fP]"
+Source port or port range specification.
+See the description of the
+.B --source-port
+option of the TCP extension for details.
+.TP
+.BR "--destination-port " "[!] [\fIport[:port]\fP]"
+Destination port or port range specification.
+See the description of the
+.B --destination-port
+option of the TCP extension for details.
+.SS ipv6-icmp
+This extension is loaded if `--protocol ipv6-icmp' or `--protocol icmpv6' is
+specified. It provides the following option:
+.TP
+.BR "--icmpv6-type " "[!] \fItypename\fP"
+This allows specification of the ICMP type, which can be a numeric
+IPv6-ICMP type, or one of the IPv6-ICMP type names shown by the command
+.br
+ ip6tables -p ipv6-icmp -h
+.br
+.SS mac
+.TP
+.BR "--mac-source " "[!] \fIaddress\fP"
+Match source MAC address.  It must be of the form XX:XX:XX:XX:XX:XX.
+Note that this only makes sense for packets entering the
+.BR PREROUTING ,
+.B FORWARD
+or
+.B INPUT
+chains for packets coming from an ethernet device.
+.SS limit
+This module matches at a limited rate using a token bucket filter: it
+can be used in combination with the
+.B LOG
+target to give limited logging.  A rule using this extension will
+match until this limit is reached (unless the `!' flag is used).
+.TP
+.BI "--limit " "rate"
+Maximum average matching rate: specified as a number, with an optional
+`/second', `/minute', `/hour', or `/day' suffix; the default is
+3/hour.
+.TP
+.BI "--limit-burst " "number"
+The maximum initial number of packets to match: this number gets
+recharged by one every time the limit specified above is not reached,
+up to this number; the default is 5.
+.SS multiport
+This module matches a set of source or destination ports. Up to 15
+ports can be specified. It can only be used in conjunction with
+.B "-p tcp"
+or
+.BR "-p udp" .
+.TP
+.BR "--source-port" " [\fIport[,port]\fP]"
+Match if the source port is one of the given ports.
+.TP
+.BR "--destination-port" " [\fIport[,port]\fP]"
+Match if the destination port is one of the given ports.
+.TP
+.BR "--port" " [\fIport[,port]\fP]"
+Match if the both the source and destination ports are equal to each
+other and to one of the given ports.
+.SS mark
+This module matches the netfilter mark field associated with a packet
+(which can be set using the
+.B MARK
+target below).
+.TP
+.BI "--mark " "value[/mask]"
+Matches packets with the given unsigned mark value (if a mask is
+specified, this is logically ANDed with the mask before the
+comparison).
+.SS owner
+This module attempts to match various characteristics of the packet
+creator, for locally-generated packets.  It is only valid in the
+.B OUTPUT
+chain, and even this some packets (such as ICMP ping responses) may
+have no owner, and hence never match.
+.TP
+.BI "--uid-owner " "userid"
+Matches if the packet was created by a process with the given
+effective user id.
+.TP
+.BI "--gid-owner " "groupid"
+Matches if the packet was created by a process with the given
+effective group id.
+.TP
+.BI "--pid-owner " "processid"
+Matches if the packet was created by a process with the given
+process id.
+.TP
+.BI "--sid-owner " "sessionid"
+Matches if the packet was created by a process in the given session
+group.
+.\" .SS state
+.\" This module, when combined with connection tracking, allows access to
+.\" the connection tracking state for this packet.
+.\" .TP
+.\" .BI "--state " "state"
+.\" Where state is a comma separated list of the connection states to
+.\" match.  Possible states are 
+.\" .B INVALID
+.\" meaning that the packet is associated with no known connection,
+.\" .B ESTABLISHED
+.\" meaning that the packet is associated with a connection which has seen
+.\" packets in both directions,
+.\" .B NEW
+.\" meaning that the packet has started a new connection, or otherwise
+.\" associated with a connection which has not seen packets in both
+.\" directions, and
+.\" .B RELATED
+.\" meaning that the packet is starting a new connection, but is
+.\" associated with an existing connection, such as an FTP data transfer,
+.\" or an ICMP error.
+.\" .SS unclean
+.\" This module takes no options, but attempts to match packets which seem
+.\" malformed or unusual.  This is regarded as experimental.
+.\" .SS tos
+.\" This module matches the 8 bits of Type of Service field in the IP
+.\" header (ie. including the precedence bits). 
+.\" .TP
+.\" .BI "--tos " "tos"
+.\" The argument is either a standard name, (use
+.\" .br
+.\" iptables -m tos -h
+.\" .br
+.\" to see the list), or a numeric value to match.
+.\" .SH TARGET EXTENSIONS
+.\" iptables can use extended target modules: the following are included
+.\" in the standard distribution.
+.SS LOG
+Turn on kernel logging of matching packets.  When this option is set
+for a rule, the Linux kernel will print some information on all
+matching packets (like most IPv6 IPv6-header fields) via the kernel log
+(where it can be read with
+.I dmesg
+or 
+.IR syslogd (8)).
+.TP
+.BI "--log-level " "level"
+Level of logging (numeric or see \fIsyslog.conf\fP(5)).
+.TP
+.BI "--log-prefix " "prefix"
+Prefix log messages with the specified prefix; up to 29 letters long,
+and useful for distinguishing messages in the logs.
+.TP
+.B --log-tcp-sequence
+Log TCP sequence numbers. This is a security risk if the log is
+readable by users.
+.TP
+.B --log-tcp-options
+Log options from the TCP packet header.
+.TP
+.B --log-ip-options
+Log options from the IPv6 packet header.
+.SS MARK
+This is used to set the netfilter mark value associated with the
+packet.  It is only valid in the
+.B mangle
+table.
+.TP
+.BI "--set-mark " "mark"
+.SS REJECT
+This is used to send back an error packet in response to the matched
+packet: otherwise it is equivalent to 
+.BR DROP .
+This target is only valid in the
+.BR INPUT ,
+.B FORWARD
+and
+.B OUTPUT
+chains, and user-defined chains which are only called from those
+chains.  Several options control the nature of the error packet
+returned:
+.TP
+.BI "--reject-with " "type"
+The type given can be 
+.BR icmp6-no-route ,
+.BR no-route ,
+.BR icmp6-adm-prohibited ,
+.BR adm-prohibited ,
+.BR icmp6-addr-unreachable ,
+.BR addr-unreach ,
+.BR icmp6-port-unreachable ,
+.BR port-unreach ,
+which return the appropriate IPv6-ICMP error message (port-unreach is
+the default). Finally, the option
+.B tcp-reset
+can be used on rules which only match the TCP protocol: this causes a
+TCP RST packet to be sent back.  This is mainly useful for blocking 
+.I ident
+probes which frequently occur when sending mail to broken mail hosts
+(which won't accept your mail otherwise).
+.\" .SS TOS
+.\" This is used to set the 8-bit Type of Service field in the IP header.
+.\" It is only valid in the
+.\" .B mangle
+.\" table.
+.\" .TP
+.\" .BI "--set-tos " "tos"
+.\" You can use a numeric TOS values, or use
+.\" .br
+.\" iptables -j TOS -h
+.\" .br
+.\" to see the list of valid TOS names.
+.\" .SS MIRROR
+.\" This is an experimental demonstration target which inverts the source
+.\" and destination fields in the IP header and retransmits the packet.
+.\" It is only valid in the
+.\" .BR INPUT ,
+.\" .B FORWARD
+.\" and 
+.\" .B PREROUTING
+.\" chains, and user-defined chains which are only called from those
+.\" chains.  Note that the outgoing packets are
+.\" .B NOT
+.\" seen by any packet filtering chains, connection tracking or NAT, to
+.\" avoid loops and other problems.
+.\" .SS SNAT
+.\" This target is only valid in the 
+.\" .B nat
+.\" table, in the 
+.\" .B POSTROUTING
+.\" chain.  It specifies that the source address of the packet should be
+.\" modified (and all future packets in this connection will also be
+.\" mangled), and rules should cease being examined.  It takes one option:
+.\" .TP
+.\" .BI "--to-source  " "<ipaddr>[-<ipaddr>][:port-port]"
+.\" which can specify a single new source IP address, an inclusive range
+.\" of IP addresses, and optionally, a port range (which is only valid if
+.\" the rule also specifies
+.\" .B "-p tcp"
+.\" or
+.\" .BR "-p udp" ).
+.\" If no port range is specified, then source ports below 512 will be
+.\" mapped to other ports below 512: those between 512 and 1023 inclusive
+.\" will be mapped to ports below 1024, and other ports will be mapped to
+.\" 1024 or above. Where possible, no port alteration will occur.
+.\" .SS DNAT
+.\" This target is only valid in the 
+.\" .B nat
+.\" table, in the 
+.\" .B PREROUTING
+.\" and
+.\" .B OUTPUT
+.\" chains, and user-defined chains which are only called from those
+.\" chains.  It specifies that the destination address of the packet
+.\" should be modified (and all future packets in this connection will
+.\" also be mangled), and rules should cease being examined.  It takes one
+.\" option:
+.\" .TP
+.\" .BI "--to-destination " "<ipaddr>[-<ipaddr>][:port-port]"
+.\" which can specify a single new destination IP address, an inclusive
+.\" range of IP addresses, and optionally, a port range (which is only
+.\" valid if the rule also specifies
+.\" .B "-p tcp"
+.\" or
+.\" .BR "-p udp" ).
+.\" If no port range is specified, then the destination port will never be
+.\" modified.
+.\" .SS MASQUERADE
+.\" This target is only valid in the 
+.\" .B nat
+.\" table, in the 
+.\" .B POSTROUTING
+.\" chain.  It should only be used with dynamically assigned IP (dialup)
+.\" connections: if you have a static IP address, you should use the SNAT
+.\" target.  Masquerading is equivalent to specifying a mapping to the IP
+.\" address of the interface the packet is going out, but also has the
+.\" effect that connections are 
+.\" .I forgotten
+.\" when the interface goes down.  This is the correct behavior when the
+.\" next dialup is unlikely to have the same interface address (and hence
+.\" any established connections are lost anyway).  It takes one option:
+.\" .TP
+.\" .BI "--to-ports " "<port>[-<port>]"
+.\" This specifies a range of source ports to use, overriding the default 
+.\" .B SNAT
+.\" source port-selection heuristics (see above).  This is only valid with
+.\" if the rule also specifies
+.\" .B "-p tcp"
+.\" or
+.\" .BR "-p udp" ).
+.\" .SS REDIRECT
+.\" This target is only valid in the 
+.\" .B nat
+.\" table, in the 
+.\" .B PREROUTING
+.\" and
+.\" .B OUTPUT
+.\" chains, and user-defined chains which are only called from those
+.\" chains.  It alters the destination IP address to send the packet to
+.\" the machine itself (locally-generated packets are mapped to the
+.\" 127.0.0.1 address).  It takes one option:
+.\" .TP
+.\" .BI "--to-ports " "<port>[-<port>]"
+.\" This specifies a destination port or range or ports to use: without
+.\" this, the destination port is never altered.  This is only valid with
+.\" if the rule also specifies
+.\" .B "-p tcp"
+.\" or
+.\" .BR "-p udp" ).
+.\" .SH EXTRA EXTENSIONS
+.\" The following extensions are not included by default in the standard
+.\" distribution.
+.\" .SS ttl
+.\" This module matches the time to live field in the IP header.
+.\" .TP
+.\" .BI "--ttl " "ttl"
+.\" Matches the given TTL value.
+.\" .SS TTL
+.\" This target is used to modify the time to live field in the IP header.
+.\" It is only valid in the 
+.\" .B mangle
+.\" table.
+.\" .TP
+.\" .BI "--ttl-set " "ttl"
+.\" Set the TTL to the given value.
+.\" .TP
+.\" .BI "--ttl-dec " "ttl"
+.\" Decrement the TTL by the given value.
+.\" .TP
+.\" .BI "--ttl-inc " "ttl"
+.\" Increment the TTL by the given value.
+.\" .SS ULOG
+.\" This target provides userspace logging of matching packets.  When this
+.\" target is set for a rule, the Linux kernel will multicast this packet
+.\" through a
+.\" .IR netlink 
+.\" socket. One or more userspace processes may then subscribe to various 
+.\" multicast groups and receive the packets.
+.\" .TP
+.\" .BI "--ulog-nlgroup " "<nlgroup>"
+.\" This specifies the netlink group (1-32) to which the packet is sent.
+.\" Default value is 1.
+.\" .TP
+.\" .BI "--ulog-prefix " "<prefix>"
+.\" Prefix log messages with the specified prefix; up to 32 characters
+.\" long, and useful fro distinguishing messages in the logs.
+.\" .TP
+.\" .BI "--ulog-cprange " "<size>"
+.\" Number of bytes to be copied to userspace. A value of 0 always copies
+.\" the entire packet, regardless of its size. Default is 0
+.\" .TP
+.\" .BI "--ulog-qthreshold " "<size>"
+.\" Number of packet to queue inside kernel. Setting this value to, e.g. 10
+.\" accumulates ten packets inside the kernel and transmits them as one
+.\" netlink multipart message to userspace.  Default is 1 (for backwards 
+.\" compatibility)
+.SH DIAGNOSTICS
+Various error messages are printed to standard error.  The exit code
+is 0 for correct functioning.  Errors which appear to be caused by
+invalid or abused command line parameters cause an exit code of 2, and
+other errors cause an exit code of 1.
+.SH BUGS
+Check is not implemented (yet).
+.SH COMPATIBILITY WITH IPCHAINS
+This 
+.B ip6tables
+is very similar to ipchains by Rusty Russell.  The main difference is
+that the chains 
+.B INPUT
+and
+.B OUTPUT
+are only traversed for packets coming into the local host and
+originating from the local host respectively.  Hence every packet only
+passes through one of the three chains; previously a forwarded packet
+would pass through all three.
+.PP
+The other main difference is that 
+.B -i
+refers to the input interface;
+.B -o
+refers to the output interface, and both are available for packets
+entering the
+.B FORWARD
+chain.
+.\" .PP The various forms of NAT have been separated out; 
+.\" .B iptables 
+.\" is a pure packet filter when using the default `filter' table, with
+.\" optional extension modules.  This should simplify much of the previous
+.\" confusion over the combination of IP masquerading and packet filtering
+.\" seen previously.  So the following options are handled differently:
+.\" .br
+.\" -j MASQ
+.\" .br
+.\" -M -S
+.\" .br
+.\" -M -L
+.\" .br
+There are several other changes in ip6tables.
+.SH SEE ALSO
+The packet-filtering-HOWTO, which details more iptables usage for packet filtering,
+and the netfilter-hacking-HOWTO which details the
+internals.
+.SH AUTHORS
+Rusty Russell wrote iptables, in early consultation with Michael
+Neuling.
+.PP
+Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet
+selection framework in iptables, then wrote the mangle table, the owner match,
+the mark stuff, and ran around doing cool stuff everywhere.
+.PP
+James Morris wrote the TOS target, and tos match.
+.PP
+Jozsef Kadlecsik wrote the REJECT target.
+.PP
+Harald Welte wrote the ULOG target, TTL match+target and libipulog.
+.PP
+The Netfilter Core Team is: Marc Boucher, James Morris, Harald Welte
+and Rusty Russell.
+.\" .. and did I mention that we are incredibly cool people?
+.\" .. sexy, too ..
+.\" .. witty, charming, powerful ..
+.\" .. and most of all, modest ..

--qMm9M+Fa2AknHoGS--