Merge to iptables-1.3.5

[iptables.git] / ip6tables.8

diff --git a/ip6tables.8 b/ip6tables.8
index b4986a5..4e58c93 100644 (file)
--- a/ip6tables.8
+++ b/ip6tables.8
@@ -1,4 +1,4 @@
-.TH IP6TABLES 8 "Mar 09, 2002" "" ""
+.TH IP6TABLES 8 "Jan 22, 2006" "" ""

 .\"
 .\" Man page written by Andras Kis-Szabo <kisza@sch.bme.hu>
 .\" It is based on iptables man page.
 .\"
 .\" Man page written by Andras Kis-Szabo <kisza@sch.bme.hu>
 .\" It is based on iptables man page.


@@ -73,7 +73,19 @@ means to let the packet through.
 .I DROP
 means to drop the packet on the floor.
 .I QUEUE
 .I DROP
 means to drop the packet on the floor.
 .I QUEUE

-means to pass the packet to userspace (if supported by the kernel).
+means to pass the packet to userspace.  (How the packet can be received
+by a userspace process differs by the particular queue handler.  2.4.x
+and 2.6.x kernels up to 2.6.13 include the 
+.B
+ip_queue
+queue handler.  Kernels 2.6.14 and later additionally include the 
+.B
+nfnetlink_queue
+queue handler.  Packets with a target of QUEUE will be sent to queue number '0'
+in this case. Please also see the
+.B
+NFQUEUE
+target as described later in this man page.)

 .I RETURN
 means stop traversing this chain and resume at the next rule in the
 previous (calling) chain.  If the end of a built-in chain is reached
 .I RETURN
 means stop traversing this chain and resume at the next rule in the
 previous (calling) chain.  If the end of a built-in chain is reached


@@ -119,6 +131,16 @@ Since kernel 2.4.18, three other built-in chains are also supported:
 (for altering packets being routed through the box), and
 .B POSTROUTING
 (for altering packets as they are about to go out).
 (for altering packets being routed through the box), and
 .B POSTROUTING
 (for altering packets as they are about to go out).

+.TP
+.BR "raw" :
+This table is used mainly for configuring exemptions from connection
+tracking in combination with the NOTRACK target.  It registers at the netfilter
+hooks with higher priority and is thus called before nf_conntrack, or any other
+IP6 tables.  It provides the following built-in chains:
+.B PREROUTING
+(for packets arriving via any network interface)
+.B OUTPUT
+(for packets generated by local processes)

 .RE
 .SH OPTIONS
 The options that are recognized by
 .RE
 .SH OPTIONS
 The options that are recognized by


@@ -219,11 +241,18 @@ The protocol of the rule or of the packet to check.
 The specified protocol can be one of
 .IR tcp ,
 .IR udp ,
 The specified protocol can be one of
 .IR tcp ,
 .IR udp ,

-.IR ipv6-icmp|icmpv6 ,
-or
+.IR icmpv6 ,
+.IR esp ,

 .IR all ,
 or it can be a numeric value, representing one of these protocols or a
 .IR all ,
 or it can be a numeric value, representing one of these protocols or a

-different one.  A protocol name from /etc/protocols is also allowed.
+different one. A protocol name from /etc/protocols is also allowed.
+But IPv6 extension headers except
+.IR esp
+are not allowed.
+.IR esp ,
+and
+.IR ipv6-nonext
+can be used with Kernel version 2.6.11 or later.

 A "!" argument before the protocol inverts the
 test.  The number zero is equivalent to
 .IR all .
 A "!" argument before the protocol inverts the
 test.  The number zero is equivalent to
 .IR all .


@@ -374,101 +403,142 @@ be preceded by a
 to invert the sense of the match.
 .\" @MATCH@
 .SS ah
 to invert the sense of the match.
 .\" @MATCH@
 .SS ah

-This module matches the SPIs in AH header of IPSec packets.
+This module matches the parameters in Authentication header of IPsec packets.

 .TP
 .BR "--ahspi " "[!] \fIspi\fP[:\fIspi\fP]"
 .TP
 .BR "--ahspi " "[!] \fIspi\fP[:\fIspi\fP]"

+Matches SPI.
+.TP
+.BR "--ahlen " "[!] \fIlength"
+Total length of this header in octets.
+.TP
+.BI "--ahres"
+Matches if the reserved field is filled with zero.

 .SS condition
 This matches if a specific /proc filename is '0' or '1'.
 .TP
 .SS condition
 This matches if a specific /proc filename is '0' or '1'.
 .TP

-.BI "--condition " "[!] filename"
+.BR "--condition " "[!] \fIfilename"

 Match on boolean value stored in /proc/net/ip6t_condition/filename file
 .SS dst
 Match on boolean value stored in /proc/net/ip6t_condition/filename file
 .SS dst

-This module matches the IPv6 destination header options
+This module matches the parameters in Destination Options header

 .TP
 .TP

-.BI "--dst-len" "[!]" "length"
-Total length of this header
+.BR "--dst-len " "[!] \fIlength"
+Total length of this header in octets.

 .TP
 .TP

-.BI "--dst-opts " "TYPE[:LEN],[,TYPE[:LEN]...]"
-Options and it's length (List).
+.BR "--dst-opts " "\fItype\fP[:\fIlength\fP][,\fItype\fP[:\fIlength\fP]...]"
+numeric type of option and the length of the option data in octets.

 .SS esp
 .SS esp

-This module matches the SPIs in ESP header of IPSec packets.
+This module matches the SPIs in ESP header of IPsec packets.

 .TP
 .BR "--espspi " "[!] \fIspi\fP[:\fIspi\fP]"
 .SS eui64
 .TP
 .BR "--espspi " "[!] \fIspi\fP[:\fIspi\fP]"
 .SS eui64

-This module matches the EUI64 part of a stateless autoconfigured IPv6 address.  It compares the source MAC address with the lower 64 bits of the IPv6 address. 
+This module matches the EUI-64 part of a stateless autoconfigured IPv6 address.
+It compares the EUI-64 derived from the source MAC address in Ehternet frame
+with the lower 64 bits of the IPv6 source address. But "Universal/Local"
+bit is not compared. This module doesn't match other link layer frame, and
+is only valid in the
+.BR PREROUTING ,
+.BR INPUT
+and
+.BR FORWARD
+chains.

 .SS frag
 .SS frag

-This module matches the time IPv6 fragmentathion header
+This module matches the parameters in Fragment header.

 .TP
 .TP

-.BI "--fragid " "[!]" "id[:id]"
-Matches the given fragmentation ID (range).
+.BR "--fragid " "[!] \fIid\fP[:\fIid\fP]"
+Matches the given Identification or range of it.

 .TP
 .TP

-.BI "--fraglen " "[!]" "length"
-Matches the total length of this header.
+.BR "--fraglen " "[!] \fIlength\fP"
+This option cannot be used with kernel version 2.6.10 or later. The length of
+Fragment header is static and this option doesn't make sense.

 .TP
 .TP

-.BI "--fragres "
-Matches the reserved field, too.
+.BR "--fragres "
+Matches if the reserved fields are filled with zero.

 .TP
 .TP

-.BI "--fragfirst "
+.BR "--fragfirst "

 Matches on the first fragment.
 .TP
 Matches on the first fragment.
 .TP

-.BI "[--fragmore]"
+.BR "[--fragmore]"

 Matches if there are more fragments.
 .TP
 Matches if there are more fragments.
 .TP

-.BI "[--fraglast]"
+.BR "[--fraglast]"

 Matches if this is the last fragement.
 .SS fuzzy
 This module matches a rate limit based on a fuzzy logic controller [FLC]
 .TP
 Matches if this is the last fragement.
 .SS fuzzy
 This module matches a rate limit based on a fuzzy logic controller [FLC]
 .TP

-.BI "--lower-limit  "number"
+.BI "--lower-limit " "number"

 Specifies the lower limit (in packets per second).
 .TP
 .BI "--upper-limit " "number"
 Specifies the upper limit (in packets per second).
 .SS hbh
 Specifies the lower limit (in packets per second).
 .TP
 .BI "--upper-limit " "number"
 Specifies the upper limit (in packets per second).
 .SS hbh

-This module matches the IPv6 hop-by-hop header options
+This module matches the parameters in Hop-by-Hop Options header

 .TP
 .TP

-.BI "--hbh-len" "[!]" "length"
-Total length of this header
+.BR "--hbh-len " "[!] \fIlength\fP"
+Total length of this header in octets.

 .TP
 .TP

-.BI "--hbh-opts " "TYPE[:LEN],[,TYPE[:LEN]...]"
-Options and it's length (List).
+.BR "--hbh-opts " "\fItype\fP[:\fIlength\fP][,\fItype\fP[:\fIlength\fP]...]"
+numeric type of option and the length of the option data in octets.

 .SS hl
 .SS hl

-This module matches the HOPLIMIT field in the IPv6 header.
+This module matches the Hop Limit field in the IPv6 header.

 .TP
 .TP

-.BI "--hl-eq " "value"
-Matches if HOPLIMIT equals the given value.
+.BR "--hl-eq " "[!] \fIvalue\fP"
+Matches if Hop Limit equals \fIvalue\fP.

 .TP
 .TP

-.BI "--hl-lt " "ttl"
-Matches if HOPLIMIT is less than the given value.
+.BI "--hl-lt " "value"
+Matches if Hop Limit is less than \fIvalue\fP.

 .TP
 .TP

-.BI "--hl-gt " "ttl"
-Matches if HOPLIMIT is greater than the given value.
+.BI "--hl-gt " "value"
+Matches if Hop Limit is greater than \fIvalue\fP.

 .SS icmpv6
 This extension is loaded if `--protocol ipv6-icmp' or `--protocol icmpv6' is
 specified. It provides the following option:
 .TP
 .SS icmpv6
 This extension is loaded if `--protocol ipv6-icmp' or `--protocol icmpv6' is
 specified. It provides the following option:
 .TP

-.BR "--icmpv6-type " "[!] \fItypename\fP"
-This allows specification of the ICMP type, which can be a numeric
-IPv6-ICMP type, or one of the IPv6-ICMP type names shown by the command
+.BR "--icmpv6-type " "[!] \fItype\fP[/\fIcode\fP]|\fItypename\fP"
+This allows specification of the ICMPv6 type, which can be a numeric
+ICMPv6
+.IR type ,
+.IR type
+and
+.IR code ,
+or one of the ICMPv6 type names shown by the command

 .nf
  ip6tables -p ipv6-icmp -h
 .fi
 .SS ipv6header
 .nf
  ip6tables -p ipv6-icmp -h
 .fi
 .SS ipv6header

-This module matches on IPv6 option headers
-.TP
-.BI "--header " "[!]" "headers"
-Matches the given type of headers.  
-Names: hop,dst,route,frag,auth,esp,none,proto
-Long Names: hop-by-hop,ipv6-opts,ipv6-route,ipv6-frag,ah,esp,ipv6-nonxt,protocol
-Numbers: 0,60,43,44,51,50,59
-.TP
-.BI "--soft"
-The header CONTAINS the specified extensions.
+This module matches IPv6 extension headers and/or upper layer header.
+.TP
+.BR "--header " "[!] \fIheader\fP[,\fIheader\fP...]"
+Matches the packet which EXACTLY includes all specified headers. The headers
+encapsulated with ESP header are out of scope.
+.IR header
+can be
+.IR hop | hop-by-hop
+(Hop-by-Hop Options header),
+.IR dst
+(Destination Options header),
+.IR route
+(Routing header),
+.IR frag
+(Fragment header),
+.IR auth
+(Authentication header),
+.IR esp
+(Encapsulating Security Payload header),
+.IR none
+(No Next header) which matches 59 in the 'Next Header field' of IPv6 header or any IPv6 extension headers, or
+.IR proto
+which matches any upper layer protocol header. A protocol name from /etc/protocols and numeric value also allowed. The number 255 is equivalent to
+.IR proto .
+.TP
+.BR "[--soft]"
+Matches if the packet includes all specified headers with
+.BR --header ,
+AT LEAST.

 .SS length
 .SS length

-This module matches the length of a packet against a specific value
-or range of values.
+This module matches the length of the IPv6 payload in octets, or range of it.
+IPv6 header itself isn't counted.

 .TP
 .TP

-.BR "--length " "\fIlength\fP[:\fIlength\fP]"
+.BR "--length " "[!] \fIlength\fP[:\fIlength\fP]"

 .SS limit
 This module matches at a limited rate using a token bucket filter.
 A rule using this extension will match until this limit is reached
 .SS limit
 This module matches at a limited rate using a token bucket filter.
 A rule using this extension will match until this limit is reached


@@ -503,13 +573,14 @@ This module matches the netfilter mark field associated with a packet
 target below).
 .TP
 .BR "--mark " "\fIvalue\fP[/\fImask\fP]"
 target below).
 .TP
 .BR "--mark " "\fIvalue\fP[/\fImask\fP]"

-Matches packets with the given unsigned mark value (if a mask is
-specified, this is logically ANDed with the mask before the
+Matches packets with the given unsigned mark value (if a \fImask\fP is
+specified, this is logically ANDed with the \fImask\fP before the

 comparison).
 .SS multiport
 This module matches a set of source or destination ports.  Up to 15
 ports can be specified.  A port range (port:port) counts as two
 comparison).
 .SS multiport
 This module matches a set of source or destination ports.  Up to 15
 ports can be specified.  A port range (port:port) counts as two

-ports.  It can only be used in conjunction with
+ports, but range isn't supported now. It can only be used in conjunction
+with

 .B "-p tcp"
 or
 .BR "-p udp" .
 .B "-p tcp"
 or
 .BR "-p udp" .


@@ -546,7 +617,7 @@ Match on `num' packet.  Most be between `0' and `value'-1.
 This module attempts to match various characteristics of the packet
 creator, for locally-generated packets.  It is only valid in the
 .B OUTPUT
 This module attempts to match various characteristics of the packet
 creator, for locally-generated packets.  It is only valid in the
 .B OUTPUT

-chain, and even this some packets (such as ICMP ping responses) may
+chain, and even this some packets (such as ICMPv6 ping responses) may

 have no owner, and hence never match.  This is regarded as experimental.
 .TP
 .BI "--uid-owner " "userid"
 have no owner, and hence never match.  This is regarded as experimental.
 .TP
 .BI "--uid-owner " "userid"


@@ -572,7 +643,7 @@ to a bridge device. This module is a part of the infrastructure that enables
 a transparent bridging IP firewall and is only useful for kernel versions
 above version 2.5.44.
 .TP
 a transparent bridging IP firewall and is only useful for kernel versions
 above version 2.5.44.
 .TP

-.B --physdev-in name
+.BR --physdev-in " [!] \fIname\fP"

 Name of a bridge port via which a packet is received (only for
 packets entering the
 .BR INPUT ,
 Name of a bridge port via which a packet is received (only for
 packets entering the
 .BR INPUT ,


@@ -583,7 +654,7 @@ chains). If the interface name ends in a "+", then any
 interface which begins with this name will match. If the packet didn't arrive
 through a bridge device, this packet won't match this option, unless '!' is used.
 .TP
 interface which begins with this name will match. If the packet didn't arrive
 through a bridge device, this packet won't match this option, unless '!' is used.
 .TP

-.B --physdev-out name
+.BR --physdev-out " [!] \fIname\fP"

 Name of a bridge port via which a packet is going to be sent (for packets
 entering the
 .BR FORWARD ,
 Name of a bridge port via which a packet is going to be sent (for packets
 entering the
 .BR FORWARD ,


@@ -600,15 +671,64 @@ chain. If the packet won't leave by a bridge device or it is yet unknown what
 the output device will be, then the packet won't match this option, unless
 '!' is used.
 .TP
 the output device will be, then the packet won't match this option, unless
 '!' is used.
 .TP

-.B --physdev-is-in
+.RB "[!] " --physdev-is-in

 Matches if the packet has entered through a bridge interface.
 .TP
 Matches if the packet has entered through a bridge interface.
 .TP

-.B --physdev-is-out
+.RB "[!] " --physdev-is-out

 Matches if the packet will leave through a bridge interface.
 .TP
 Matches if the packet will leave through a bridge interface.
 .TP

-.B --physdev-is-bridged
+.RB "[!] " --physdev-is-bridged

 Matches if the packet is being bridged and therefore is not being routed.
 This is only useful in the FORWARD and POSTROUTING chains.
 Matches if the packet is being bridged and therefore is not being routed.
 This is only useful in the FORWARD and POSTROUTING chains.

+.SS policy
+This modules matches the policy used by IPsec for handling a packet.
+.TP
+.BI "--dir " "in|out"
+Used to select whether to match the policy used for decapsulation or the
+policy that will be used for encapsulation.
+.B in
+is valid in the
+.B PREROUTING, INPUT and FORWARD
+chains,
+.B out
+is valid in the
+.B POSTROUTING, OUTPUT and FORWARD
+chains.
+.TP
+.BI "--pol " "none|ipsec"
+Matches if the packet is subject to IPsec processing.
+.TP
+.BI "--strict"
+Selects whether to match the exact policy or match if any rule of
+the policy matches the given policy.
+.TP
+.BI "--reqid " "id"
+Matches the reqid of the policy rule. The reqid can be specified with
+.B setkey(8)
+using
+.B unique:id
+as level.
+.TP
+.BI "--spi " "spi"
+Matches the SPI of the SA.
+.TP
+.BI "--proto " "ah|esp|ipcomp"
+Matches the encapsulation protocol.
+.TP
+.BI "--mode " "tunnel|transport"
+Matches the encapsulation mode.
+.TP
+.BI "--tunnel-src " "addr[/mask]"
+Matches the source end-point address of a tunnel mode SA.
+Only valid with --mode tunnel.
+.TP
+.BI "--tunnel-dst " "addr[/mask]"
+Matches the destination end-point address of a tunnel mode SA.
+Only valid with --mode tunnel.
+.TP
+.BI "--next"
+Start the next element in the policy specification. Can only be used with
+--strict

 .SS random
 This module randomly matches a certain percentage of all packets.
 .TP
 .SS random
 This module randomly matches a certain percentage of all packets.
 .TP


@@ -617,22 +737,22 @@ Matches the given percentage.  If omitted, a probability of 50% is set.
 .SS rt
 Match on IPv6 routing header
 .TP
 .SS rt
 Match on IPv6 routing header
 .TP

-.BI "--rt-type " "[!]" "type"
+.BR "--rt-type" " [!] \fItype\fP"

 Match the type (numeric).
 .TP
 Match the type (numeric).
 .TP

-.BI "--rt-segsleft" "[!]" "num[:num]"
+.BR "--rt-segsleft" " [!] \fInum\fP[:\fInum\fP]"

 Match the `segments left' field (range).
 .TP
 Match the `segments left' field (range).
 .TP

-.BI "--rt-len" "[!]" "length"
-Match the length of this header
+.BR "--rt-len" " [!] \fIlength\fP"
+Match the length of this header.

 .TP
 .TP

-.BI "--rt-0-res"
+.BR "--rt-0-res"

 Match the reserved field, too (type=0)
 .TP
 Match the reserved field, too (type=0)
 .TP

-.BI "--rt-0-addrs ADDR[,ADDR...]
+.BR "--rt-0-addrs" " \fIADDR\fP[,\fIADDR\fP...]"

 Match type=0 addresses (list).
 .TP
 Match type=0 addresses (list).
 .TP

-.BI "--rt-0-not-strict"
+.BR "--rt-0-not-strict"

 List of type=0 addresses is not a strict list.
 .SS tcp
 These extensions are loaded if `--protocol tcp' is specified. It
 List of type=0 addresses is not a strict list.
 .SS tcp
 These extensions are loaded if `--protocol tcp' is specified. It


@@ -700,23 +820,23 @@ ip6tables can use extended target modules: the following are included
 in the standard distribution.
 .\" @TARGET@
 .SS HL
 in the standard distribution.
 .\" @TARGET@
 .SS HL

-This is used to modify the IPv6 HOPLIMIT header field.  The HOPLIMIT field is 
-similar to what is known as TTL value in IPv4.  Setting or incrementing the
-HOPLIMIT field can potentially be very dangerous, so it should be avoided at
-any cost.  
-.TP
-.B Don't ever set or increment the value on packets that leave your local network!
+This is used to modify the Hop Limit field in IPv6 header. The Hop Limit field
+is similar to what is known as TTL value in IPv4.  Setting or incrementing the
+Hop Limit field can potentially be very dangerous, so it should be avoided at
+any cost. This target is only valid in

 .B mangle
 table.
 .TP
 .B mangle
 table.
 .TP

+.B Don't ever set or increment the value on packets that leave your local network!
+.TP

 .BI "--hl-set " "value"
 .BI "--hl-set " "value"

-Set the HOPLIMIT value to `value'.
+Set the Hop Limit to `value'.

 .TP
 .BI "--hl-dec " "value"
 .TP
 .BI "--hl-dec " "value"

-Decrement the HOPLIMIT value `value' times.
+Decrement the Hop Limit `value' times.

 .TP
 .BI "--hl-inc " "value"
 .TP
 .BI "--hl-inc " "value"

-Increment the HOPLIMIT value `value' times.
+Increment the Hop Limit `value' times.

 .SS LOG
 Turn on kernel logging of matching packets.  When this option is set
 for a rule, the Linux kernel will print some information on all
 .SS LOG
 Turn on kernel logging of matching packets.  When this option is set
 for a rule, the Linux kernel will print some information on all


@@ -756,6 +876,19 @@ packet.  It is only valid in the
 table.
 .TP
 .BI "--set-mark " "mark"
 table.
 .TP
 .BI "--set-mark " "mark"

+.SS NFQUEUE
+This target is an extension of the QUEUE target. As opposed to QUEUE, it allows
+you to put a packet into any specific queue, identified by its 16-bit queue
+number.  
+.TP
+.BR "--queue-num " "\fIvalue"
+This specifies the QUEUE number to use. Valud queue numbers are 0 to 65535. The default value is 0.
+.TP
+It can only be used with Kernel versions 2.6.14 or later, since it requires
+the
+.B
+nfnetlink_queue
+kernel support.

 .SS REJECT
 This is used to send back an error packet in response to the matched
 packet: otherwise it is equivalent to 
 .SS REJECT
 This is used to send back an error packet in response to the matched
 packet: otherwise it is equivalent to 


@@ -782,7 +915,7 @@ The type given can be
 .B " icmp6-port-unreachable"
 .B " port-unreach"
 .fi
 .B " icmp6-port-unreachable"
 .B " port-unreach"
 .fi

-which return the appropriate IPv6-ICMP error message (\fBport-unreach\fP is
+which return the appropriate ICMPv6 error message (\fBport-unreach\fP is

 the default). Finally, the option
 .B tcp-reset
 can be used on rules which only match the TCP protocol: this causes a
 the default). Finally, the option
 .B tcp-reset
 can be used on rules which only match the TCP protocol: this causes a


@@ -790,6 +923,8 @@ TCP RST packet to be sent back.  This is mainly useful for blocking
 .I ident
 (113/tcp) probes which frequently occur when sending mail to broken mail
 hosts (which won't accept your mail otherwise).
 .I ident
 (113/tcp) probes which frequently occur when sending mail to broken mail
 hosts (which won't accept your mail otherwise).

+.B tcp-reset
+can only be used with kernel versions 2.6.14 or latter.

 
 .SS ROUTE
 This is used to explicitly override the core network stack's routing decision.
 
 .SS ROUTE
 This is used to explicitly override the core network stack's routing decision.


@@ -860,7 +995,8 @@ There are several other changes in ip6tables.
 .BR ip6tables-restore(8),
 .BR iptables (8),
 .BR iptables-save (8),
 .BR ip6tables-restore(8),
 .BR iptables (8),
 .BR iptables-save (8),

-.BR iptables-restore (8).
+.BR iptables-restore (8),
+.BR libipq (3).

 .P
 The packet-filtering-HOWTO details iptables usage for
 packet filtering, the NAT-HOWTO details NAT,
 .P
 The packet-filtering-HOWTO details iptables usage for
 packet filtering, the NAT-HOWTO details NAT,


@@ -882,7 +1018,7 @@ James Morris wrote the TOS target, and tos match.
 .PP
 Jozsef Kadlecsik wrote the REJECT target.
 .PP
 .PP
 Jozsef Kadlecsik wrote the REJECT target.
 .PP

-Harald Welte wrote the ULOG target, TTL match+target and libipulog.
+Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, aswell as TTL match+target and libipulog.

 .PP
 The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Jozsef Kadlecsik,
 James Morris, Harald Welte and Rusty Russell.
 .PP
 The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Jozsef Kadlecsik,
 James Morris, Harald Welte and Rusty Russell.