[netfilter-cvslog] r6447 - in branches/iptables/iptables-1.4: . extensions

laforge at netfilter.org laforge at netfilter.org
Mon Jan 30 09:52:24 CET 2006


Author: laforge at netfilter.org
Date: 2006-01-30 09:52:21 +0100 (Mon, 30 Jan 2006)
New Revision: 6447

Modified:
   branches/iptables/iptables-1.4/extensions/libip6t_HL.man
   branches/iptables/iptables-1.4/extensions/libip6t_REJECT.man
   branches/iptables/iptables-1.4/extensions/libip6t_ah.man
   branches/iptables/iptables-1.4/extensions/libip6t_condition.man
   branches/iptables/iptables-1.4/extensions/libip6t_dst.man
   branches/iptables/iptables-1.4/extensions/libip6t_esp.man
   branches/iptables/iptables-1.4/extensions/libip6t_eui64.man
   branches/iptables/iptables-1.4/extensions/libip6t_frag.man
   branches/iptables/iptables-1.4/extensions/libip6t_fuzzy.man
   branches/iptables/iptables-1.4/extensions/libip6t_hbh.man
   branches/iptables/iptables-1.4/extensions/libip6t_hl.man
   branches/iptables/iptables-1.4/extensions/libip6t_icmpv6.man
   branches/iptables/iptables-1.4/extensions/libip6t_ipv6header.man
   branches/iptables/iptables-1.4/extensions/libip6t_length.man
   branches/iptables/iptables-1.4/extensions/libip6t_mark.man
   branches/iptables/iptables-1.4/extensions/libip6t_multiport.man
   branches/iptables/iptables-1.4/extensions/libip6t_owner.man
   branches/iptables/iptables-1.4/extensions/libip6t_physdev.man
   branches/iptables/iptables-1.4/extensions/libip6t_rt.man
   branches/iptables/iptables-1.4/extensions/libipt_ah.man
   branches/iptables/iptables-1.4/extensions/libipt_condition.man
   branches/iptables/iptables-1.4/extensions/libipt_esp.man
   branches/iptables/iptables-1.4/extensions/libipt_fuzzy.man
   branches/iptables/iptables-1.4/extensions/libipt_length.man
   branches/iptables/iptables-1.4/extensions/libipt_mark.man
   branches/iptables/iptables-1.4/extensions/libipt_physdev.man
   branches/iptables/iptables-1.4/ip6tables.8.in
Log:
Major manpage update (Yasuyuki Kozakai)


Modified: branches/iptables/iptables-1.4/extensions/libip6t_HL.man
===================================================================
--- branches/iptables/iptables-1.4/extensions/libip6t_HL.man	2006-01-30 08:50:09 UTC (rev 6446)
+++ branches/iptables/iptables-1.4/extensions/libip6t_HL.man	2006-01-30 08:52:21 UTC (rev 6447)
@@ -1,17 +1,17 @@
-This is used to modify the IPv6 HOPLIMIT header field.  The HOPLIMIT field is 
-similar to what is known as TTL value in IPv4.  Setting or incrementing the
-HOPLIMIT field can potentially be very dangerous, so it should be avoided at
-any cost.  
-.TP
-.B Don't ever set or increment the value on packets that leave your local network!
+This is used to modify the Hop Limit field in IPv6 header. The Hop Limit field
+is similar to what is known as TTL value in IPv4.  Setting or incrementing the
+Hop Limit field can potentially be very dangerous, so it should be avoided at
+any cost. This target is only valid in
 .B mangle
 table.
 .TP
+.B Don't ever set or increment the value on packets that leave your local network!
+.TP
 .BI "--hl-set " "value"
-Set the HOPLIMIT value to `value'.
+Set the Hop Limit to `value'.
 .TP
 .BI "--hl-dec " "value"
-Decrement the HOPLIMIT value `value' times.
+Decrement the Hop Limit `value' times.
 .TP
 .BI "--hl-inc " "value"
-Increment the HOPLIMIT value `value' times.
+Increment the Hop Limit `value' times.
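
Review bot: the relocated warning is now a tagged paragraph with no body. After this hunk the sequence is `.TP`, `.B Don't ever set or increment the value on packets that leave your local network!`, and then immediately another `.TP` for `--hl-set`, so the warning is only a tag. Make it an ordinary paragraph (for example `.PP` followed by the `.B` line) rather than a `.TP` entry. The first added line also reads better as "the Hop Limit field in the IPv6 header".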

Modified: branches/iptables/iptables-1.4/extensions/libip6t_REJECT.man
===================================================================
--- branches/iptables/iptables-1.4/extensions/libip6t_REJECT.man	2006-01-30 08:50:09 UTC (rev 6446)
+++ branches/iptables/iptables-1.4/extensions/libip6t_REJECT.man	2006-01-30 08:52:21 UTC (rev 6447)
@@ -23,7 +23,7 @@
 .B " icmp6-port-unreachable"
 .B " port-unreach"
 .fi
-which return the appropriate IPv6-ICMP error message (\fBport-unreach\fP is
+which return the appropriate ICMPv6 error message (\fBport-unreach\fP is
 the default). Finally, the option
 .B tcp-reset
 can be used on rules which only match the TCP protocol: this causes a
@@ -31,4 +31,6 @@
 .I ident
 (113/tcp) probes which frequently occur when sending mail to broken mail
 hosts (which won't accept your mail otherwise).
+.B tcp-reset
+can only be used with kernel versions 2.6.14 or latter.
 
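
Review bot: "latter" in the added line "can only be used with kernel versions 2.6.14 or latter." should be "later". The two added lines also follow the parenthetical about broken mail hosts with no paragraph break, so the kernel requirement runs on from that sentence. Start it as its own paragraph or sentence.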

Modified: branches/iptables/iptables-1.4/extensions/libip6t_ah.man
===================================================================
--- branches/iptables/iptables-1.4/extensions/libip6t_ah.man	2006-01-30 08:50:09 UTC (rev 6446)
+++ branches/iptables/iptables-1.4/extensions/libip6t_ah.man	2006-01-30 08:52:21 UTC (rev 6447)
@@ -1,3 +1,10 @@
-This module matches the SPIs in AH header of IPSec packets.
+This module matches the parameters in Authentication header of IPsec packets.
 .TP
 .BR "--ahspi " "[!] \fIspi\fP[:\fIspi\fP]"
+Matches SPI.
+.TP
+.BR "--ahlen " "[!] \fIlength"
+Total length of this header in octets.
+.TP
+.BI "--ahres"
+Matches if the reserved field is filled with zero.
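
Review bot: the added `--ahlen` line opens italics with `\fIlength` and never closes them with `\fP`, unlike the `--ahspi` line just above it. Add the closing `\fP` so the font state does not depend on the macro resetting it. `--ahres` is introduced with `.BI` while the other two options use `.BR`; pick one. "Matches SPI." could also say that a range is accepted, since the synopsis shows `spi[:spi]`.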

Modified: branches/iptables/iptables-1.4/extensions/libip6t_condition.man
===================================================================
--- branches/iptables/iptables-1.4/extensions/libip6t_condition.man	2006-01-30 08:50:09 UTC (rev 6446)
+++ branches/iptables/iptables-1.4/extensions/libip6t_condition.man	2006-01-30 08:52:21 UTC (rev 6447)
@@ -1,4 +1,4 @@
 This matches if a specific /proc filename is '0' or '1'.
 .TP
-.BI "--condition " "[!] filename"
+.BR "--condition " "[!] \fIfilename"
 Match on boolean value stored in /proc/net/ip6t_condition/filename file
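
Review bot: `\fIfilename` in the new `.BR "--condition "` line is missing its closing `\fP`. The matching change to libipt_condition.man in this same commit writes `\fIfilename\fP` and uses `.BI` instead of `.BR`, so the two pages now differ in both macro and escapes. They should be made identical.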

Modified: branches/iptables/iptables-1.4/extensions/libip6t_dst.man
===================================================================
--- branches/iptables/iptables-1.4/extensions/libip6t_dst.man	2006-01-30 08:50:09 UTC (rev 6446)
+++ branches/iptables/iptables-1.4/extensions/libip6t_dst.man	2006-01-30 08:52:21 UTC (rev 6447)
@@ -1,7 +1,7 @@
-This module matches the IPv6 destination header options
+This module matches the parameters in Destination Options header
 .TP
-.BI "--dst-len" "[!]" "length"
-Total length of this header
+.BR "--dst-len " "[!] \fIlength"
+Total length of this header in octets.
 .TP
-.BI "--dst-opts " "TYPE[:LEN],[,TYPE[:LEN]...]"
-Options and it's length (List).
+.BR "--dst-opts " "\fItype\fP[:\fIlength\fP][,\fItype\fP[:\fIlength\fP]...]"
+numeric type of option and the length of the option data in octets.
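
Review bot: the new `--dst-len` line leaves italics open (`\fIlength` with no `\fP`), while the `--dst-opts` line below closes every `\fI`. Add the `\fP`. The `--dst-opts` description is also a lowercase fragment ("numeric type of option and the length of the option data in octets."). Make it a sentence that says what is matched, in line with the other entries.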

Modified: branches/iptables/iptables-1.4/extensions/libip6t_esp.man
===================================================================
--- branches/iptables/iptables-1.4/extensions/libip6t_esp.man	2006-01-30 08:50:09 UTC (rev 6446)
+++ branches/iptables/iptables-1.4/extensions/libip6t_esp.man	2006-01-30 08:52:21 UTC (rev 6447)
@@ -1,3 +1,3 @@
-This module matches the SPIs in ESP header of IPSec packets.
+This module matches the SPIs in ESP header of IPsec packets.
 .TP
 .BR "--espspi " "[!] \fIspi\fP[:\fIspi\fP]"

Modified: branches/iptables/iptables-1.4/extensions/libip6t_eui64.man
===================================================================
--- branches/iptables/iptables-1.4/extensions/libip6t_eui64.man	2006-01-30 08:50:09 UTC (rev 6446)
+++ branches/iptables/iptables-1.4/extensions/libip6t_eui64.man	2006-01-30 08:52:21 UTC (rev 6447)
@@ -1 +1,10 @@
-This module matches the EUI64 part of a stateless autoconfigured IPv6 address.  It compares the source MAC address with the lower 64 bits of the IPv6 address. 
+This module matches the EUI-64 part of a stateless autoconfigured IPv6 address.
+It compares the EUI-64 derived from the source MAC address in Ehternet frame
+with the lower 64 bits of the IPv6 source address. But "Universal/Local"
+bit is not compared. This module doesn't match other link layer frame, and
+is only valid in the
+.BR PREROUTING ,
+.BR INPUT
+and
+.BR FORWARD
+chains.
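
Review bot: "Ehternet" in the second added line is a typo for "Ethernet". The wording after it is also rough: `But "Universal/Local" bit is not compared` and "doesn't match other link layer frame" would read better as "The Universal/Local bit is not compared" and "does not match frames of other link layer types".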

Modified: branches/iptables/iptables-1.4/extensions/libip6t_frag.man
===================================================================
--- branches/iptables/iptables-1.4/extensions/libip6t_frag.man	2006-01-30 08:50:09 UTC (rev 6446)
+++ branches/iptables/iptables-1.4/extensions/libip6t_frag.man	2006-01-30 08:52:21 UTC (rev 6447)
@@ -1,19 +1,20 @@
-This module matches the time IPv6 fragmentathion header
+This module matches the parameters in Fragment header.
 .TP
-.BI "--fragid " "[!]" "id[:id]"
-Matches the given fragmentation ID (range).
+.BR "--fragid " "[!] \fIid\fP[:\fIid\fP]"
+Matches the given Identification or range of it.
 .TP
-.BI "--fraglen " "[!]" "length"
-Matches the total length of this header.
+.BR "--fraglen " "[!] \fIlength\fP"
+This option cannot be used with kernel version 2.6.10 or later. The length of
+Fragment header is static and this option doesn't make sense.
 .TP
-.BI "--fragres "
-Matches the reserved field, too.
+.BR "--fragres "
+Matches if the reserved fields are filled with zero.
 .TP
-.BI "--fragfirst "
+.BR "--fragfirst "
 Matches on the first fragment.
 .TP
-.BI "[--fragmore]"
+.BR "[--fragmore]"
 Matches if there are more fragments.
 .TP
-.BI "[--fraglast]"
+.BR "[--fraglast]"
 Matches if this is the last fragement.
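
Review bot: `[--fragmore]` and `[--fraglast]` keep their square brackets after the switch to `.BR`, while `--fragres` and `--fragfirst` have none. Either all four are optional flags or none should be bracketed, so drop the brackets or explain them. Since this is a manpage cleanup, the unchanged last line "Matches if this is the last fragement." should have its typo fixed in the same pass.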

Modified: branches/iptables/iptables-1.4/extensions/libip6t_fuzzy.man
===================================================================
--- branches/iptables/iptables-1.4/extensions/libip6t_fuzzy.man	2006-01-30 08:50:09 UTC (rev 6446)
+++ branches/iptables/iptables-1.4/extensions/libip6t_fuzzy.man	2006-01-30 08:52:21 UTC (rev 6447)
@@ -1,6 +1,6 @@
 This module matches a rate limit based on a fuzzy logic controller [FLC]
 .TP
-.BI "--lower-limit  "number"
+.BI "--lower-limit " "number"
 Specifies the lower limit (in packets per second).
 .TP
 .BI "--upper-limit " "number"

Modified: branches/iptables/iptables-1.4/extensions/libip6t_hbh.man
===================================================================
--- branches/iptables/iptables-1.4/extensions/libip6t_hbh.man	2006-01-30 08:50:09 UTC (rev 6446)
+++ branches/iptables/iptables-1.4/extensions/libip6t_hbh.man	2006-01-30 08:52:21 UTC (rev 6447)
@@ -1,7 +1,7 @@
-This module matches the IPv6 hop-by-hop header options
+This module matches the parameters in Hop-by-Hop Options header
 .TP
-.BI "--hbh-len" "[!]" "length"
-Total length of this header
+.BR "--hbh-len " "[!] \fIlength\fP"
+Total length of this header in octets.
 .TP
-.BI "--hbh-opts " "TYPE[:LEN],[,TYPE[:LEN]...]"
-Options and it's length (List).
+.BR "--hbh-opts " "\fItype\fP[:\fIlength\fP][,\fItype\fP[:\fIlength\fP]...]"
+numeric type of option and the length of the option data in octets.

Modified: branches/iptables/iptables-1.4/extensions/libip6t_hl.man
===================================================================
--- branches/iptables/iptables-1.4/extensions/libip6t_hl.man	2006-01-30 08:50:09 UTC (rev 6446)
+++ branches/iptables/iptables-1.4/extensions/libip6t_hl.man	2006-01-30 08:52:21 UTC (rev 6447)
@@ -1,10 +1,10 @@
-This module matches the HOPLIMIT field in the IPv6 header.
+This module matches the Hop Limit field in the IPv6 header.
 .TP
-.BI "--hl-eq " "value"
-Matches if HOPLIMIT equals the given value.
+.BR "--hl-eq " "[!] \fIvalue\fP"
+Matches if Hop Limit equals \fIvalue\fP.
 .TP
-.BI "--hl-lt " "ttl"
-Matches if HOPLIMIT is less than the given value.
+.BI "--hl-lt " "value"
+Matches if Hop Limit is less than \fIvalue\fP.
 .TP
-.BI "--hl-gt " "ttl"
-Matches if HOPLIMIT is greater than the given value.
+.BI "--hl-gt " "value"
+Matches if Hop Limit is greater than \fIvalue\fP.
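
Review bot: only `--hl-eq` gains the `[!]` inversion and moves to `.BR` with explicit `\fIvalue\fP`; `--hl-lt` and `--hl-gt` stay on `.BI "--hl-lt " "value"`. If inversion is really limited to `--hl-eq`, that is fine, but the three entries should still use the same macro and escape style so they render alike.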

Modified: branches/iptables/iptables-1.4/extensions/libip6t_icmpv6.man
===================================================================
--- branches/iptables/iptables-1.4/extensions/libip6t_icmpv6.man	2006-01-30 08:50:09 UTC (rev 6446)
+++ branches/iptables/iptables-1.4/extensions/libip6t_icmpv6.man	2006-01-30 08:52:21 UTC (rev 6447)
@@ -1,9 +1,14 @@
 This extension is loaded if `--protocol ipv6-icmp' or `--protocol icmpv6' is
 specified. It provides the following option:
 .TP
-.BR "--icmpv6-type " "[!] \fItypename\fP"
-This allows specification of the ICMP type, which can be a numeric
-IPv6-ICMP type, or one of the IPv6-ICMP type names shown by the command
+.BR "--icmpv6-type " "[!] \fItype\fP[/\fIcode\fP]|\fItypename\fP"
+This allows specification of the ICMPv6 type, which can be a numeric
+ICMPv6
+.IR type ,
+.IR type
+and
+.IR code ,
+or one of the ICMPv6 type names shown by the command
 .nf
  ip6tables -p ipv6-icmp -h
 .fi

Modified: branches/iptables/iptables-1.4/extensions/libip6t_ipv6header.man
===================================================================
--- branches/iptables/iptables-1.4/extensions/libip6t_ipv6header.man	2006-01-30 08:50:09 UTC (rev 6446)
+++ branches/iptables/iptables-1.4/extensions/libip6t_ipv6header.man	2006-01-30 08:52:21 UTC (rev 6447)
@@ -1,10 +1,29 @@
-This module matches on IPv6 option headers
+This module matches IPv6 extension headers and/or upper layer header.
 .TP
-.BI "--header " "[!]" "headers"
-Matches the given type of headers.  
-Names: hop,dst,route,frag,auth,esp,none,proto
-Long Names: hop-by-hop,ipv6-opts,ipv6-route,ipv6-frag,ah,esp,ipv6-nonxt,protocol
-Numbers: 0,60,43,44,51,50,59
+.BR "--header " "[!] \fIheader\fP[,\fIheader\fP...]"
+Matches the packet which EXACTLY includes all specified headers. The headers
+encapsulated with ESP header are out of scope.
+.IR header
+can be
+.IR hop | hop-by-hop
+(Hop-by-Hop Options header),
+.IR dst
+(Destination Options header),
+.IR route
+(Routing header),
+.IR frag
+(Fragment header),
+.IR auth
+(Authentication header),
+.IR esp
+(Encapsulating Security Payload header),
+.IR none
+(No Next header) which matches 59 in the 'Next Header field' of IPv6 header or any IPv6 extension headers, or
+.IR proto
+which matches any upper layer protocol header. A protocol name from /etc/protocols and numeric value also allowed. The number 255 is equivalent to
+.IR proto .
 .TP
-.BI "--soft"
-The header CONTAINS the specified extensions.
+.BR "[--soft]"
+Matches if the packet includes all specified headers with
+.BR --header ,
+AT LEAST.
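
Review bot: the rewritten `--header` text drops the long names and protocol numbers that the removed lines listed (`ipv6-opts`, `ipv6-route`, `ipv6-frag`, `ah`, `ipv6-nonxt`, `protocol`, and `0,60,43,44,51,50,59`), keeping only `hop-by-hop` as an alternative spelling. If those forms are still accepted, they should remain documented. "A protocol name from /etc/protocols and numeric value also allowed." is missing its verb. The `--soft` description split around `.BR --header ,` ends in a dangling "AT LEAST."; "Matches if the packet includes at least all headers specified with --header" is easier to read.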

Modified: branches/iptables/iptables-1.4/extensions/libip6t_length.man
===================================================================
--- branches/iptables/iptables-1.4/extensions/libip6t_length.man	2006-01-30 08:50:09 UTC (rev 6446)
+++ branches/iptables/iptables-1.4/extensions/libip6t_length.man	2006-01-30 08:52:21 UTC (rev 6447)
@@ -1,4 +1,4 @@
-This module matches the length of a packet against a specific value
-or range of values.
+This module matches the length of the IPv6 payload in octets, or range of it.
+IPv6 header itself isn't counted.
 .TP
-.BR "--length " "\fIlength\fP[:\fIlength\fP]"
+.BR "--length " "[!] \fIlength\fP[:\fIlength\fP]"

Modified: branches/iptables/iptables-1.4/extensions/libip6t_mark.man
===================================================================
--- branches/iptables/iptables-1.4/extensions/libip6t_mark.man	2006-01-30 08:50:09 UTC (rev 6446)
+++ branches/iptables/iptables-1.4/extensions/libip6t_mark.man	2006-01-30 08:52:21 UTC (rev 6447)
@@ -4,6 +4,6 @@
 target below).
 .TP
 .BR "--mark " "\fIvalue\fP[/\fImask\fP]"
-Matches packets with the given unsigned mark value (if a mask is
-specified, this is logically ANDed with the mask before the
+Matches packets with the given unsigned mark value (if a \fImask\fP is
+specified, this is logically ANDed with the \fImask\fP before the
 comparison).

Modified: branches/iptables/iptables-1.4/extensions/libip6t_multiport.man
===================================================================
--- branches/iptables/iptables-1.4/extensions/libip6t_multiport.man	2006-01-30 08:50:09 UTC (rev 6446)
+++ branches/iptables/iptables-1.4/extensions/libip6t_multiport.man	2006-01-30 08:52:21 UTC (rev 6447)
@@ -1,6 +1,7 @@
 This module matches a set of source or destination ports.  Up to 15
 ports can be specified.  A port range (port:port) counts as two
-ports.  It can only be used in conjunction with
+ports, but range isn't supported now. It can only be used in conjunction
+with
 .B "-p tcp"
 or
 .BR "-p udp" .
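
Review bot: the added clause contradicts the sentence it is attached to. The text now reads "A port range (port:port) counts as two ports, but range isn't supported now." If ranges are not supported in the IPv6 module, remove the statement that a range counts as two ports and say plainly that port ranges are not supported, rather than documenting the syntax and withdrawing it in the same sentence.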

Modified: branches/iptables/iptables-1.4/extensions/libip6t_owner.man
===================================================================
--- branches/iptables/iptables-1.4/extensions/libip6t_owner.man	2006-01-30 08:50:09 UTC (rev 6446)
+++ branches/iptables/iptables-1.4/extensions/libip6t_owner.man	2006-01-30 08:52:21 UTC (rev 6447)
@@ -1,7 +1,7 @@
 This module attempts to match various characteristics of the packet
 creator, for locally-generated packets.  It is only valid in the
 .B OUTPUT
-chain, and even this some packets (such as ICMP ping responses) may
+chain, and even this some packets (such as ICMPv6 ping responses) may
 have no owner, and hence never match.  This is regarded as experimental.
 .TP
 .BI "--uid-owner " "userid"

Modified: branches/iptables/iptables-1.4/extensions/libip6t_physdev.man
===================================================================
--- branches/iptables/iptables-1.4/extensions/libip6t_physdev.man	2006-01-30 08:50:09 UTC (rev 6446)
+++ branches/iptables/iptables-1.4/extensions/libip6t_physdev.man	2006-01-30 08:52:21 UTC (rev 6447)
@@ -3,7 +3,7 @@
 a transparent bridging IP firewall and is only useful for kernel versions
 above version 2.5.44.
 .TP
-.B --physdev-in name
+.BR --physdev-in " [!] \fIname\fP"
 Name of a bridge port via which a packet is received (only for
 packets entering the
 .BR INPUT ,
@@ -14,7 +14,7 @@
 interface which begins with this name will match. If the packet didn't arrive
 through a bridge device, this packet won't match this option, unless '!' is used.
 .TP
-.B --physdev-out name
+.BR --physdev-out " [!] \fIname\fP"
 Name of a bridge port via which a packet is going to be sent (for packets
 entering the
 .BR FORWARD ,
@@ -31,12 +31,12 @@
 the output device will be, then the packet won't match this option, unless
 '!' is used.
 .TP
-.B --physdev-is-in
+.RB "[!] " --physdev-is-in
 Matches if the packet has entered through a bridge interface.
 .TP
-.B --physdev-is-out
+.RB "[!] " --physdev-is-out
 Matches if the packet will leave through a bridge interface.
 .TP
-.B --physdev-is-bridged
+.RB "[!] " --physdev-is-bridged
 Matches if the packet is being bridged and therefore is not being routed.
 This is only useful in the FORWARD and POSTROUTING chains.

Modified: branches/iptables/iptables-1.4/extensions/libip6t_rt.man
===================================================================
--- branches/iptables/iptables-1.4/extensions/libip6t_rt.man	2006-01-30 08:50:09 UTC (rev 6446)
+++ branches/iptables/iptables-1.4/extensions/libip6t_rt.man	2006-01-30 08:52:21 UTC (rev 6447)
@@ -1,19 +1,19 @@
 Match on IPv6 routing header
 .TP
-.BI "--rt-type " "[!]" "type"
+.BR "--rt-type" " [!] \fItype\fP"
 Match the type (numeric).
 .TP
-.BI "--rt-segsleft" "[!]" "num[:num]"
+.BR "--rt-segsleft" " [!] \fInum\fP[:\fInum\fP]"
 Match the `segments left' field (range).
 .TP
-.BI "--rt-len" "[!]" "length"
-Match the length of this header
+.BR "--rt-len" " [!] \fIlength\fP"
+Match the length of this header.
 .TP
-.BI "--rt-0-res"
+.BR "--rt-0-res"
 Match the reserved field, too (type=0)
 .TP
-.BI "--rt-0-addrs ADDR[,ADDR...]
+.BR "--rt-0-addrs" " \fIADDR\fP[,\fIADDR\fP...]"
 Match type=0 addresses (list).
 .TP
-.BI "--rt-0-not-strict"
+.BR "--rt-0-not-strict"
 List of type=0 addresses is not a strict list.
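
Review bot: `--rt-len` still says only "Match the length of this header." with no unit, while the `--dst-len`, `--hbh-len` and `--ahlen` entries changed in this same commit all gained "in octets". State the unit here too. The argument for `--rt-0-addrs` is written in upper case (`\fIADDR\fP`) where every other argument touched by this commit is lower case.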

Modified: branches/iptables/iptables-1.4/extensions/libipt_ah.man
===================================================================
--- branches/iptables/iptables-1.4/extensions/libipt_ah.man	2006-01-30 08:50:09 UTC (rev 6446)
+++ branches/iptables/iptables-1.4/extensions/libipt_ah.man	2006-01-30 08:52:21 UTC (rev 6447)
@@ -1,3 +1,3 @@
-This module matches the SPIs in AH header of IPSec packets.
+This module matches the SPIs in Authentication header of IPsec packets.
 .TP
 .BR "--ahspi " "[!] \fIspi\fP[:\fIspi\fP]"

Modified: branches/iptables/iptables-1.4/extensions/libipt_condition.man
===================================================================
--- branches/iptables/iptables-1.4/extensions/libipt_condition.man	2006-01-30 08:50:09 UTC (rev 6446)
+++ branches/iptables/iptables-1.4/extensions/libipt_condition.man	2006-01-30 08:52:21 UTC (rev 6447)
@@ -1,4 +1,4 @@
 This matches if a specific /proc filename is '0' or '1'.
 .TP
-.BI "--condition " "[!] filename"
+.BI "--condition " "[!] \fIfilename\fP"
 Match on boolean value stored in /proc/net/ipt_condition/filename file
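
Review bot: this keeps `.BI`, so the whole second argument, including `[!] `, is set in italics and the added `\fI...\fP` around `filename` changes nothing. The libip6t_condition.man hunk in this commit uses `.BR` for the same option so that only `filename` is italic. Use `.BR` here as well.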

Modified: branches/iptables/iptables-1.4/extensions/libipt_esp.man
===================================================================
--- branches/iptables/iptables-1.4/extensions/libipt_esp.man	2006-01-30 08:50:09 UTC (rev 6446)
+++ branches/iptables/iptables-1.4/extensions/libipt_esp.man	2006-01-30 08:52:21 UTC (rev 6447)
@@ -1,3 +1,3 @@
-This module matches the SPIs in ESP header of IPSec packets.
+This module matches the SPIs in ESP header of IPsec packets.
 .TP
 .BR "--espspi " "[!] \fIspi\fP[:\fIspi\fP]"

Modified: branches/iptables/iptables-1.4/extensions/libipt_fuzzy.man
===================================================================
--- branches/iptables/iptables-1.4/extensions/libipt_fuzzy.man	2006-01-30 08:50:09 UTC (rev 6446)
+++ branches/iptables/iptables-1.4/extensions/libipt_fuzzy.man	2006-01-30 08:52:21 UTC (rev 6447)
@@ -1,6 +1,6 @@
 This module matches a rate limit based on a fuzzy logic controller [FLC]
 .TP
-.BI "--lower-limit  "number"
+.BI "--lower-limit " "number"
 Specifies the lower limit (in packets per second).
 .TP
 .BI "--upper-limit " "number"

Modified: branches/iptables/iptables-1.4/extensions/libipt_length.man
===================================================================
--- branches/iptables/iptables-1.4/extensions/libipt_length.man	2006-01-30 08:50:09 UTC (rev 6446)
+++ branches/iptables/iptables-1.4/extensions/libipt_length.man	2006-01-30 08:52:21 UTC (rev 6447)
@@ -1,4 +1,4 @@
 This module matches the length of a packet against a specific value
 or range of values.
 .TP
-.BR "--length " "\fIlength\fP[:\fIlength\fP]"
+.BR "--length " "[!] \fIlength\fP[:\fIlength\fP]"

Modified: branches/iptables/iptables-1.4/extensions/libipt_mark.man
===================================================================
--- branches/iptables/iptables-1.4/extensions/libipt_mark.man	2006-01-30 08:50:09 UTC (rev 6446)
+++ branches/iptables/iptables-1.4/extensions/libipt_mark.man	2006-01-30 08:52:21 UTC (rev 6447)
@@ -4,6 +4,6 @@
 target below).
 .TP
 .BR "--mark " "\fIvalue\fP[/\fImask\fP]"
-Matches packets with the given unsigned mark value (if a mask is
-specified, this is logically ANDed with the mask before the
+Matches packets with the given unsigned mark value (if a \fImask\fP is
+specified, this is logically ANDed with the \fImask\fP before the
 comparison).

Modified: branches/iptables/iptables-1.4/extensions/libipt_physdev.man
===================================================================
--- branches/iptables/iptables-1.4/extensions/libipt_physdev.man	2006-01-30 08:50:09 UTC (rev 6446)
+++ branches/iptables/iptables-1.4/extensions/libipt_physdev.man	2006-01-30 08:52:21 UTC (rev 6447)
@@ -3,7 +3,7 @@
 a transparent bridging IP firewall and is only useful for kernel versions
 above version 2.5.44.
 .TP
-.B --physdev-in name
+.BR --physdev-in " [!] \fIname\fP"
 Name of a bridge port via which a packet is received (only for
 packets entering the
 .BR INPUT ,
@@ -14,7 +14,7 @@
 interface which begins with this name will match. If the packet didn't arrive
 through a bridge device, this packet won't match this option, unless '!' is used.
 .TP
-.B --physdev-out name
+.BR --physdev-out " [!] \fIname\fP"
 Name of a bridge port via which a packet is going to be sent (for packets
 entering the
 .BR FORWARD ,
@@ -31,12 +31,12 @@
 the output device will be, then the packet won't match this option, unless
 '!' is used.
 .TP
-.B --physdev-is-in
+.RB "[!] " --physdev-is-in
 Matches if the packet has entered through a bridge interface.
 .TP
-.B --physdev-is-out
+.RB "[!] " --physdev-is-out
 Matches if the packet will leave through a bridge interface.
 .TP
-.B --physdev-is-bridged
+.RB "[!] " --physdev-is-bridged
 Matches if the packet is being bridged and therefore is not being routed.
 This is only useful in the FORWARD and POSTROUTING chains.

Modified: branches/iptables/iptables-1.4/ip6tables.8.in
===================================================================
--- branches/iptables/iptables-1.4/ip6tables.8.in	2006-01-30 08:50:09 UTC (rev 6446)
+++ branches/iptables/iptables-1.4/ip6tables.8.in	2006-01-30 08:52:21 UTC (rev 6447)
@@ -1,4 +1,4 @@
-.TH IP6TABLES 8 "Mar 09, 2002" "" ""
+.TH IP6TABLES 8 "Jan 22, 2006" "" ""
 .\"
 .\" Man page written by Andras Kis-Szabo <kisza at sch.bme.hu>
 .\" It is based on iptables man page.
@@ -131,6 +131,16 @@
 (for altering packets being routed through the box), and
 .B POSTROUTING
 (for altering packets as they are about to go out).
+.TP
+.BR "raw" :
+This table is used mainly for configuring exemptions from connection
+tracking in combination with the NOTRACK target.  It registers at the netfilter
+hooks with higher priority and is thus called before nf_conntrack, or any other
+IP6 tables.  It provides the following built-in chains:
+.B PREROUTING
+(for packets arriving via any network interface)
+.B OUTPUT
+(for packets generated by local processes)
 .RE
 .SH OPTIONS
 The options that are recognized by
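
Review bot: the chain list for the new `raw` entry has no separator between its two items: `.B PREROUTING` with its parenthetical is followed directly by `.B OUTPUT`. The preceding entry, visible in the context lines, joins its last two chains with "and" and ends with a full stop. Do the same here ("... any network interface) and OUTPUT (for packets generated by local processes).").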
@@ -231,11 +241,18 @@
 The specified protocol can be one of
 .IR tcp ,
 .IR udp ,
-.IR ipv6-icmp|icmpv6 ,
-or
+.IR icmpv6 ,
+.IR esp ,
 .IR all ,
 or it can be a numeric value, representing one of these protocols or a
-different one.  A protocol name from /etc/protocols is also allowed.
+different one. A protocol name from /etc/protocols is also allowed.
+But IPv6 extension headers except
+.IR esp
+are not allowed.
+.IR esp ,
+and
+.IR ipv6-nonext
+can be used with Kernel version 2.6.11 or later.
 A "!" argument before the protocol inverts the
 test.  The number zero is equivalent to
 .IR all .
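
Review bot: `ipv6-nonext` in the added `.IR ipv6-nonext` line does not match the spelling `ipv6-nonxt` in the libip6t_ipv6header.man text removed by this same commit. Check which name is actually accepted and use it. This hunk also removes `ipv6-icmp` from the list of protocol names, while libip6t_icmpv6.man still says the extension is loaded by `--protocol ipv6-icmp`, so the two pages now disagree on whether that name is valid.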



