X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=ip6tables.8.in;h=bf24d551d2ef27df737a25ad70f55b67f4e49cc2;hb=782ed68bce7c9b3cc29eb4351ec13ede40a7ee49;hp=6d3f56cdcf5121a5ddf80d3375e989ed94945d15;hpb=2e293f94e43325cb8cc719e27b43e647842c046d;p=iptables.git diff --git a/ip6tables.8.in b/ip6tables.8.in index 6d3f56c..bf24d55 100644 --- a/ip6tables.8.in +++ b/ip6tables.8.in @@ -1,4 +1,4 @@ -.TH IP6TABLES 8 "Mar 09, 2002" "" "" +.TH IP6TABLES 8 "Jan 22, 2006" "" "" .\" .\" Man page written by Andras Kis-Szabo .\" It is based on iptables man page. @@ -73,7 +73,19 @@ means to let the packet through. .I DROP means to drop the packet on the floor. .I QUEUE -means to pass the packet to userspace (if supported by the kernel). +means to pass the packet to userspace. (How the packet can be received +by a userspace process differs by the particular queue handler. 2.4.x +and 2.6.x kernels up to 2.6.13 include the +.B +ip_queue +queue handler. Kernels 2.6.14 and later additionally include the +.B +nfnetlink_queue +queue handler. Packets with a target of QUEUE will be sent to queue number '0' +in this case. Please also see the +.B +NFQUEUE +target as described later in this man page.) .I RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached 
@@ -119,6 +131,16 @@ Since kernel 2.4.18, three other built-in chains are also supported: (for altering packets being routed through the box), and .B POSTROUTING (for altering packets as they are about to go out). +.TP +.BR "raw" : +This table is used mainly for configuring exemptions from connection +tracking in combination with the NOTRACK target. It registers at the netfilter +hooks with higher priority and is thus called before nf_conntrack, or any other +IP6 tables. It provides the following built-in chains: +.B PREROUTING +(for packets arriving via any network interface) +.B OUTPUT +(for packets generated by local processes) .RE .SH OPTIONS The options that are recognized by @@ -219,11 +241,18 @@ The protocol of the rule or of the packet to check. The specified protocol can be one of .IR tcp , .IR udp , -.IR ipv6-icmp|icmpv6 , -or +.IR icmpv6 , +.IR esp , .IR all , or it can be a numeric value, representing one of these protocols or a -different one. A protocol name from /etc/protocols is also allowed. +different one. A protocol name from /etc/protocols is also allowed. +But IPv6 extension headers except +.IR esp +are not allowed. +.IR esp , +and +.IR ipv6-nonext +can be used with Kernel version 2.6.11 or later. A "!" argument before the protocol inverts the test. The number zero is equivalent to .IR all . @@ -426,7 +455,8 @@ There are several other changes in ip6tables. .BR ip6tables-restore(8), .BR iptables (8), .BR iptables-save (8), -.BR iptables-restore (8). +.BR iptables-restore (8), +.BR libipq (3). .P The packet-filtering-HOWTO details iptables usage for packet filtering, the NAT-HOWTO details NAT, 
@@ -448,7 +478,7 @@ James Morris wrote the TOS target, and tos match. .PP Jozsef Kadlecsik wrote the REJECT target. .PP -Harald Welte wrote the ULOG target, TTL match+target and libipulog. +Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, aswell as TTL match+target and libipulog. .PP The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Jozsef Kadlecsik, James Morris, Harald Welte and Rusty Russell.
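Review bot: In the QUEUE hunk (@@ -73,7 +73,19 @@), the removed qualifier "(if supported by the kernel)" has no replacement, so the text no longer says that a queue handler must be present, and "in this case" in the queue-number sentence does not say which handler it refers to. Suggest naming the handler explicitly, for example "With nfnetlink_queue, packets with a target of QUEUE are sent to queue number 0", and keeping a short statement that one of the two handlers has to be available. The pointer to the NFQUEUE target "as described later in this man page" should be checked as well, since none of the hunks shown here adds an NFQUEUE section to ip6tables.8.in.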
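Review bot: In the raw table hunk (@@ -119,6 +131,16 @@), the two chain descriptions have no conjunction and no closing period: the lines following ".B PREROUTING" and ".B OUTPUT" render as one unpunctuated run, while the entry just above joins its chains with "and" and ends with a period. Suggest adding "and" before ".B OUTPUT" and a period after "(for packets generated by local processes)". "any other IP6 tables" would read better as "any other ip6tables table", matching the spelling used elsewhere in the page, and NOTRACK is named here without saying where that target is documented.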
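Review bot: In the protocol hunk (@@ -219,11 +241,18 @@), the added text says "ipv6-nonext" can be used with kernel 2.6.11 or later, but the list at the top of the option (tcp, udp, icmpv6, esp, all) never introduces it, and the "ipv6-icmp" spelling is dropped from that list without comment even though the text still allows names from /etc/protocols. Suggest either listing ipv6-nonext alongside esp or explaining it where it is first mentioned, and stating whether ipv6-icmp is still accepted. The phrase ".IR esp ," followed by "and" leaves a stray comma ("esp, and ipv6-nonext"), "Kernel version" should be lower case, and the removed and re-added "different one. A protocol name from /etc/protocols is also allowed." lines look textually identical, which points to a whitespace-only change that should be dropped from the patch.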
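Review bot: In the credits hunk (@@ -448,7 +478,7 @@), the added line has a typo and a number mismatch: "aswell" should be "as well", and "the ULOG and NFQUEUE target" should be "targets". Suggest "Harald Welte wrote the ULOG and NFQUEUE targets, the new libiptc, as well as the TTL match+target and libipulog."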