X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=ip6tables.8;fp=ip6tables.8;h=4e58c93a2a55dd7f0a6f0c81016addb9ee60f955;hb=01ca3ac88363ef76f34d38b254cc15616262aa55;hp=b4986a57fe6e22f104c1545238b1515187185c7d;hpb=5aa051d09fae870c8b4023bad2951eeed0067e35;p=iptables.git diff --git a/ip6tables.8 b/ip6tables.8 index b4986a5..4e58c93 100644 --- a/ip6tables.8 +++ b/ip6tables.8 @@ -1,4 +1,4 @@ -.TH IP6TABLES 8 "Mar 09, 2002" "" "" +.TH IP6TABLES 8 "Jan 22, 2006" "" "" .\" .\" Man page written by Andras Kis-Szabo .\" It is based on iptables man page. @@ -73,7 +73,19 @@ means to let the packet through. .I DROP means to drop the packet on the floor. .I QUEUE -means to pass the packet to userspace (if supported by the kernel). +means to pass the packet to userspace. (How the packet can be received +by a userspace process differs by the particular queue handler. 2.4.x +and 2.6.x kernels up to 2.6.13 include the +.B +ip_queue +queue handler. Kernels 2.6.14 and later additionally include the +.B +nfnetlink_queue +queue handler. Packets with a target of QUEUE will be sent to queue number '0' +in this case. Please also see the +.B +NFQUEUE +target as described later in this man page.) .I RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached @@ -119,6 +131,16 @@ Since kernel 2.4.18, three other built-in chains are also supported: (for altering packets being routed through the box), and .B POSTROUTING (for altering packets as they are about to go out). +.TP +.BR "raw" : +This table is used mainly for configuring exemptions from connection +tracking in combination with the NOTRACK target. It registers at the netfilter +hooks with higher priority and is thus called before nf_conntrack, or any other +IP6 tables. It provides the following built-in chains: +.B PREROUTING +(for packets arriving via any network interface) +.B OUTPUT +(for packets generated by local processes) .RE .SH OPTIONS The options that are recognized by @@ -219,11 +241,18 @@ The protocol of the rule or of the packet to check. The specified protocol can be one of .IR tcp , .IR udp , -.IR ipv6-icmp|icmpv6 , -or +.IR icmpv6 , +.IR esp , .IR all , or it can be a numeric value, representing one of these protocols or a -different one. A protocol name from /etc/protocols is also allowed. +different one. A protocol name from /etc/protocols is also allowed. +But IPv6 extension headers except +.IR esp +are not allowed. +.IR esp , +and +.IR ipv6-nonext +can be used with Kernel version 2.6.11 or later. A "!" argument before the protocol inverts the test. The number zero is equivalent to .IR all . @@ -374,101 +403,142 @@ be preceded by a to invert the sense of the match. .\" @MATCH@ .SS ah -This module matches the SPIs in AH header of IPSec packets. +This module matches the parameters in Authentication header of IPsec packets. .TP .BR "--ahspi " "[!] \fIspi\fP[:\fIspi\fP]" +Matches SPI. +.TP +.BR "--ahlen " "[!] \fIlength" +Total length of this header in octets. +.TP +.BI "--ahres" +Matches if the reserved field is filled with zero. .SS condition This matches if a specific /proc filename is '0' or '1'. .TP -.BI "--condition " "[!] filename" +.BR "--condition " "[!] \fIfilename" Match on boolean value stored in /proc/net/ip6t_condition/filename file .SS dst -This module matches the IPv6 destination header options +This module matches the parameters in Destination Options header .TP -.BI "--dst-len" "[!]" "length" -Total length of this header +.BR "--dst-len " "[!] \fIlength" +Total length of this header in octets. .TP -.BI "--dst-opts " "TYPE[:LEN],[,TYPE[:LEN]...]" -Options and it's length (List). +.BR "--dst-opts " "\fItype\fP[:\fIlength\fP][,\fItype\fP[:\fIlength\fP]...]" +numeric type of option and the length of the option data in octets. .SS esp -This module matches the SPIs in ESP header of IPSec packets. +This module matches the SPIs in ESP header of IPsec packets. .TP .BR "--espspi " "[!] \fIspi\fP[:\fIspi\fP]" .SS eui64 -This module matches the EUI64 part of a stateless autoconfigured IPv6 address. It compares the source MAC address with the lower 64 bits of the IPv6 address. +This module matches the EUI-64 part of a stateless autoconfigured IPv6 address. +It compares the EUI-64 derived from the source MAC address in Ehternet frame +with the lower 64 bits of the IPv6 source address. But "Universal/Local" +bit is not compared. This module doesn't match other link layer frame, and +is only valid in the +.BR PREROUTING , +.BR INPUT +and +.BR FORWARD +chains. .SS frag -This module matches the time IPv6 fragmentathion header +This module matches the parameters in Fragment header. .TP -.BI "--fragid " "[!]" "id[:id]" -Matches the given fragmentation ID (range). +.BR "--fragid " "[!] \fIid\fP[:\fIid\fP]" +Matches the given Identification or range of it. .TP -.BI "--fraglen " "[!]" "length" -Matches the total length of this header. +.BR "--fraglen " "[!] \fIlength\fP" +This option cannot be used with kernel version 2.6.10 or later. The length of +Fragment header is static and this option doesn't make sense. .TP -.BI "--fragres " -Matches the reserved field, too. +.BR "--fragres " +Matches if the reserved fields are filled with zero. .TP -.BI "--fragfirst " +.BR "--fragfirst " Matches on the first fragment. .TP -.BI "[--fragmore]" +.BR "[--fragmore]" Matches if there are more fragments. .TP -.BI "[--fraglast]" +.BR "[--fraglast]" Matches if this is the last fragement. .SS fuzzy This module matches a rate limit based on a fuzzy logic controller [FLC] .TP -.BI "--lower-limit "number" +.BI "--lower-limit " "number" Specifies the lower limit (in packets per second). .TP .BI "--upper-limit " "number" Specifies the upper limit (in packets per second). .SS hbh -This module matches the IPv6 hop-by-hop header options +This module matches the parameters in Hop-by-Hop Options header .TP -.BI "--hbh-len" "[!]" "length" -Total length of this header +.BR "--hbh-len " "[!] \fIlength\fP" +Total length of this header in octets. .TP -.BI "--hbh-opts " "TYPE[:LEN],[,TYPE[:LEN]...]" -Options and it's length (List). +.BR "--hbh-opts " "\fItype\fP[:\fIlength\fP][,\fItype\fP[:\fIlength\fP]...]" +numeric type of option and the length of the option data in octets. .SS hl -This module matches the HOPLIMIT field in the IPv6 header. +This module matches the Hop Limit field in the IPv6 header. .TP -.BI "--hl-eq " "value" -Matches if HOPLIMIT equals the given value. +.BR "--hl-eq " "[!] \fIvalue\fP" +Matches if Hop Limit equals \fIvalue\fP. .TP -.BI "--hl-lt " "ttl" -Matches if HOPLIMIT is less than the given value. +.BI "--hl-lt " "value" +Matches if Hop Limit is less than \fIvalue\fP. .TP -.BI "--hl-gt " "ttl" -Matches if HOPLIMIT is greater than the given value. +.BI "--hl-gt " "value" +Matches if Hop Limit is greater than \fIvalue\fP. .SS icmpv6 This extension is loaded if `--protocol ipv6-icmp' or `--protocol icmpv6' is specified. It provides the following option: .TP -.BR "--icmpv6-type " "[!] \fItypename\fP" -This allows specification of the ICMP type, which can be a numeric -IPv6-ICMP type, or one of the IPv6-ICMP type names shown by the command +.BR "--icmpv6-type " "[!] \fItype\fP[/\fIcode\fP]|\fItypename\fP" +This allows specification of the ICMPv6 type, which can be a numeric +ICMPv6 +.IR type , +.IR type +and +.IR code , +or one of the ICMPv6 type names shown by the command .nf ip6tables -p ipv6-icmp -h .fi .SS ipv6header -This module matches on IPv6 option headers -.TP -.BI "--header " "[!]" "headers" -Matches the given type of headers. -Names: hop,dst,route,frag,auth,esp,none,proto -Long Names: hop-by-hop,ipv6-opts,ipv6-route,ipv6-frag,ah,esp,ipv6-nonxt,protocol -Numbers: 0,60,43,44,51,50,59 -.TP -.BI "--soft" -The header CONTAINS the specified extensions. +This module matches IPv6 extension headers and/or upper layer header. +.TP +.BR "--header " "[!] \fIheader\fP[,\fIheader\fP...]" +Matches the packet which EXACTLY includes all specified headers. The headers +encapsulated with ESP header are out of scope. +.IR header +can be +.IR hop | hop-by-hop +(Hop-by-Hop Options header), +.IR dst +(Destination Options header), +.IR route +(Routing header), +.IR frag +(Fragment header), +.IR auth +(Authentication header), +.IR esp +(Encapsulating Security Payload header), +.IR none +(No Next header) which matches 59 in the 'Next Header field' of IPv6 header or any IPv6 extension headers, or +.IR proto +which matches any upper layer protocol header. A protocol name from /etc/protocols and numeric value also allowed. The number 255 is equivalent to +.IR proto . +.TP +.BR "[--soft]" +Matches if the packet includes all specified headers with +.BR --header , +AT LEAST. .SS length -This module matches the length of a packet against a specific value -or range of values. +This module matches the length of the IPv6 payload in octets, or range of it. +IPv6 header itself isn't counted. .TP -.BR "--length " "\fIlength\fP[:\fIlength\fP]" +.BR "--length " "[!] \fIlength\fP[:\fIlength\fP]" .SS limit This module matches at a limited rate using a token bucket filter. A rule using this extension will match until this limit is reached @@ -503,13 +573,14 @@ This module matches the netfilter mark field associated with a packet target below). .TP .BR "--mark " "\fIvalue\fP[/\fImask\fP]" -Matches packets with the given unsigned mark value (if a mask is -specified, this is logically ANDed with the mask before the +Matches packets with the given unsigned mark value (if a \fImask\fP is +specified, this is logically ANDed with the \fImask\fP before the comparison). .SS multiport This module matches a set of source or destination ports. Up to 15 ports can be specified. A port range (port:port) counts as two -ports. It can only be used in conjunction with +ports, but range isn't supported now. It can only be used in conjunction +with .B "-p tcp" or .BR "-p udp" . @@ -546,7 +617,7 @@ Match on `num' packet. Most be between `0' and `value'-1. This module attempts to match various characteristics of the packet creator, for locally-generated packets. It is only valid in the .B OUTPUT -chain, and even this some packets (such as ICMP ping responses) may +chain, and even this some packets (such as ICMPv6 ping responses) may have no owner, and hence never match. This is regarded as experimental. .TP .BI "--uid-owner " "userid" @@ -572,7 +643,7 @@ to a bridge device. This module is a part of the infrastructure that enables a transparent bridging IP firewall and is only useful for kernel versions above version 2.5.44. .TP -.B --physdev-in name +.BR --physdev-in " [!] \fIname\fP" Name of a bridge port via which a packet is received (only for packets entering the .BR INPUT , @@ -583,7 +654,7 @@ chains). If the interface name ends in a "+", then any interface which begins with this name will match. If the packet didn't arrive through a bridge device, this packet won't match this option, unless '!' is used. .TP -.B --physdev-out name +.BR --physdev-out " [!] \fIname\fP" Name of a bridge port via which a packet is going to be sent (for packets entering the .BR FORWARD , @@ -600,15 +671,64 @@ chain. If the packet won't leave by a bridge device or it is yet unknown what the output device will be, then the packet won't match this option, unless '!' is used. .TP -.B --physdev-is-in +.RB "[!] " --physdev-is-in Matches if the packet has entered through a bridge interface. .TP -.B --physdev-is-out +.RB "[!] " --physdev-is-out Matches if the packet will leave through a bridge interface. .TP -.B --physdev-is-bridged +.RB "[!] " --physdev-is-bridged Matches if the packet is being bridged and therefore is not being routed. This is only useful in the FORWARD and POSTROUTING chains. +.SS policy +This modules matches the policy used by IPsec for handling a packet. +.TP +.BI "--dir " "in|out" +Used to select whether to match the policy used for decapsulation or the +policy that will be used for encapsulation. +.B in +is valid in the +.B PREROUTING, INPUT and FORWARD +chains, +.B out +is valid in the +.B POSTROUTING, OUTPUT and FORWARD +chains. +.TP +.BI "--pol " "none|ipsec" +Matches if the packet is subject to IPsec processing. +.TP +.BI "--strict" +Selects whether to match the exact policy or match if any rule of +the policy matches the given policy. +.TP +.BI "--reqid " "id" +Matches the reqid of the policy rule. The reqid can be specified with +.B setkey(8) +using +.B unique:id +as level. +.TP +.BI "--spi " "spi" +Matches the SPI of the SA. +.TP +.BI "--proto " "ah|esp|ipcomp" +Matches the encapsulation protocol. +.TP +.BI "--mode " "tunnel|transport" +Matches the encapsulation mode. +.TP +.BI "--tunnel-src " "addr[/mask]" +Matches the source end-point address of a tunnel mode SA. +Only valid with --mode tunnel. +.TP +.BI "--tunnel-dst " "addr[/mask]" +Matches the destination end-point address of a tunnel mode SA. +Only valid with --mode tunnel. +.TP +.BI "--next" +Start the next element in the policy specification. Can only be used with +--strict .SS random This module randomly matches a certain percentage of all packets. .TP @@ -617,22 +737,22 @@ Matches the given percentage. If omitted, a probability of 50% is set. .SS rt Match on IPv6 routing header .TP -.BI "--rt-type " "[!]" "type" +.BR "--rt-type" " [!] \fItype\fP" Match the type (numeric). .TP -.BI "--rt-segsleft" "[!]" "num[:num]" +.BR "--rt-segsleft" " [!] \fInum\fP[:\fInum\fP]" Match the `segments left' field (range). .TP -.BI "--rt-len" "[!]" "length" -Match the length of this header +.BR "--rt-len" " [!] \fIlength\fP" +Match the length of this header. .TP -.BI "--rt-0-res" +.BR "--rt-0-res" Match the reserved field, too (type=0) .TP -.BI "--rt-0-addrs ADDR[,ADDR...] +.BR "--rt-0-addrs" " \fIADDR\fP[,\fIADDR\fP...]" Match type=0 addresses (list). .TP -.BI "--rt-0-not-strict" +.BR "--rt-0-not-strict" List of type=0 addresses is not a strict list. .SS tcp These extensions are loaded if `--protocol tcp' is specified. It @@ -700,23 +820,23 @@ ip6tables can use extended target modules: the following are included in the standard distribution. .\" @TARGET@ .SS HL -This is used to modify the IPv6 HOPLIMIT header field. The HOPLIMIT field is -similar to what is known as TTL value in IPv4. Setting or incrementing the -HOPLIMIT field can potentially be very dangerous, so it should be avoided at -any cost. -.TP -.B Don't ever set or increment the value on packets that leave your local network! +This is used to modify the Hop Limit field in IPv6 header. The Hop Limit field +is similar to what is known as TTL value in IPv4. Setting or incrementing the +Hop Limit field can potentially be very dangerous, so it should be avoided at +any cost. This target is only valid in .B mangle table. .TP +.B Don't ever set or increment the value on packets that leave your local network! +.TP .BI "--hl-set " "value" -Set the HOPLIMIT value to `value'. +Set the Hop Limit to `value'. .TP .BI "--hl-dec " "value" -Decrement the HOPLIMIT value `value' times. +Decrement the Hop Limit `value' times. .TP .BI "--hl-inc " "value" -Increment the HOPLIMIT value `value' times. +Increment the Hop Limit `value' times. .SS LOG Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will print some information on all @@ -756,6 +876,19 @@ packet. It is only valid in the table. .TP .BI "--set-mark " "mark" +.SS NFQUEUE +This target is an extension of the QUEUE target. As opposed to QUEUE, it allows +you to put a packet into any specific queue, identified by its 16-bit queue +number. +.TP +.BR "--queue-num " "\fIvalue" +This specifies the QUEUE number to use. Valud queue numbers are 0 to 65535. The default value is 0. +.TP +It can only be used with Kernel versions 2.6.14 or later, since it requires +the +.B +nfnetlink_queue +kernel support. .SS REJECT This is used to send back an error packet in response to the matched packet: otherwise it is equivalent to @@ -782,7 +915,7 @@ The type given can be .B " icmp6-port-unreachable" .B " port-unreach" .fi -which return the appropriate IPv6-ICMP error message (\fBport-unreach\fP is +which return the appropriate ICMPv6 error message (\fBport-unreach\fP is the default). Finally, the option .B tcp-reset can be used on rules which only match the TCP protocol: this causes a @@ -790,6 +923,8 @@ TCP RST packet to be sent back. This is mainly useful for blocking .I ident (113/tcp) probes which frequently occur when sending mail to broken mail hosts (which won't accept your mail otherwise). +.B tcp-reset +can only be used with kernel versions 2.6.14 or latter. .SS ROUTE This is used to explicitly override the core network stack's routing decision. @@ -860,7 +995,8 @@ There are several other changes in ip6tables. .BR ip6tables-restore(8), .BR iptables (8), .BR iptables-save (8), -.BR iptables-restore (8). +.BR iptables-restore (8), +.BR libipq (3). .P The packet-filtering-HOWTO details iptables usage for packet filtering, the NAT-HOWTO details NAT, @@ -882,7 +1018,7 @@ James Morris wrote the TOS target, and tos match. .PP Jozsef Kadlecsik wrote the REJECT target. .PP -Harald Welte wrote the ULOG target, TTL match+target and libipulog. +Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, aswell as TTL match+target and libipulog. .PP The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Jozsef Kadlecsik, James Morris, Harald Welte and Rusty Russell.