.\" all rights reserved.
.\" Translated 2013-04-08, Akihiro MOTOKI <amotoki@gmail.com>
.\"
-.TH IPTABLES\-XML 1 "" "iptables 1.4.21" "iptables 1.4.21"
+.TH IPTABLES\-XML 1 "" "iptables 1.8.4" "iptables 1.8.4"
.\"
.\" Man page written by Sam Liddicott <azez@ufomechanic.net>
.\" It is based on the iptables-save man page.
.\" all rights reserved.
.\" Translated 2013-04-08, Akihiro MOTOKI <amotoki@gmail.com>
.\"
-.TH IPTABLES\-APPLY 8 "" "iptables 1.4.21" "iptables 1.4.21"
+.TH IPTABLES\-APPLY 8 "" "iptables 1.8.4" "iptables 1.8.4"
.\" disable hyphenation
.nh
.SH 名前
.\" all rights reserved.
.\" Translated 2013-04-08, Akihiro MOTOKI <amotoki@gmail.com>
.\"
-.TH iptables\-extensions 8 "" "iptables 1.4.21" "iptables 1.4.21"
+.TH iptables\-extensions 8 "" "iptables 1.8.4" "iptables 1.8.4"
.SH 名前
iptables\-extensions \(em 標準の iptables に含まれる拡張モジュールのリスト
.SH 書式
.TP
[\fB!\fP] \fB\-\-ahspi\fP \fIspi\fP[\fB:\fP\fIspi\fP]
.SS bpf
-Linux Socket Filter を使ってマッチを行う。 BPF プログラムを 10 進数形式で指定する。 これは
-\fBnfbpf_compile\fP ユーティリティにより生成されるフォーマットである。
+Linux Socket Filter を使ってマッチを行う。 eBPF オブジェクトへのパスもしくは、 10 進数形式の cBPF
+プログラムを指定する。
+.TP
+\fB\-\-object\-pinned\fP \fIpath\fP
+Pass a path to a pinned eBPF object.
+.PP
+Applications load eBPF programs into the kernel with the bpf() system call
+and BPF_PROG_LOAD command and can pin them in a virtual filesystem with
+BPF_OBJ_PIN. To use a pinned object in iptables, mount the bpf filesystem
+using
+.IP
+mount \-t bpf bpf ${BPF_MOUNT}
+.PP
+then insert the filter in iptables by path:
+.IP
+iptables \-A OUTPUT \-m bpf \-\-object\-pinned ${BPF_MOUNT}/{PINNED_PATH} \-j
+ACCEPT
.TP
\fB\-\-bytecode\fP \fIcode\fP
-BPF バイトコードフォーマットを渡す (フォーマットについては下記の例で説明)。
+BPF バイトコードフォーマットを渡す。 \fBnfbpf_compile\fP ユーティリティにより生成されるフォーマットである。
.PP
コードのフォーマットは tcpdump の \-ddd コマンドの出力に似ている。 最初に命令数が入った行が 1 行あり、 1 行 1 命令がこれに続く。
命令行は 'u16 u8 u8 u32' のパターンで 10 進数で指定する。 各フィールドは、命令、 true 時のジャンプオフセット、 false
iptables \-A OUTPUT \-m bpf \-\-bytecode "`nfbpf_compile RAW 'ip proto 6'`" \-j
ACCEPT
.PP
+Or use tcpdump \-ddd. In that case, generate BPF targeting a device with the
+same data link type as the xtables match. Iptables passes packets from the
+network layer up, without mac layer. Select a device with data link type
+RAW, such as a tun device:
+.IP
+ip tuntap add tun0 mode tun
+.br
+ip link set tun0 up
+.br
+tcpdump \-ddd \-i tun0 ip proto 6
+.PP
+See tcpdump \-L \-i $dev for a list of known data link types for a given
+device.
+.PP
BPF についてもっと詳しく知るには FreeBSD の bpf(4) manpage を見るといいだろう。
+.SS cgroup
+.TP
+[\fB!\fP] \fB\-\-path\fP \fIpath\fP
+Match cgroup2 membership.
+
+Each socket is associated with the v2 cgroup of the creating process. This
+matches packets coming from or going to all sockets in the sub\-hierarchy of
+the specified path. The path should be relative to the root of the cgroup2
+hierarchy.
+.TP
+[\fB!\fP] \fB\-\-cgroup\fP \fIclassid\fP
+Match cgroup net_cls classid.
+
+classid is the marker set through the cgroup net_cls controller. This
+option and \-\-path can't be used together.
+.PP
+例:
+.IP
+iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-path service/http\-server
+\-j DROP
+.IP
+iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-cgroup 1 \-j DROP
+.PP
+\fBIMPORTANT\fP: when being used in the INPUT chain, the cgroup matcher is
+currently only of limited functionality, meaning it will only match on
+packets that are processed for local sockets through early socket
+demuxing. Therefore, general usage on the INPUT chain is not advised unless
+the implications are well understood.
+.PP
+Linux 3.14 以降で利用可能。
.SS cluster
このモジュールを使うと、負荷分散装置なしで、ゲートウェイとバックエンドの負荷分散クラスターを配備できる。
.PP
例:
iptables .. \-m connbytes \-\-connbytes 10000:100000 \-\-connbytes\-dir both
\-\-connbytes\-mode bytes ...
+.SS connlabel
+Module matches or adds connlabels to a connection. connlabels are similar
+to connmarks, except labels are bit\-based; i.e. all labels may be attached
+to a flow at the same time. Up to 128 unique labels are currently
+supported.
+.TP
+[\fB!\fP] \fB\-\-label\fP \fBname\fP
+matches if label \fBname\fP has been set on a connection. Instead of a name
+(which will be translated to a number, see EXAMPLE below), a number may be
+used instead. Using a number always overrides connlabel.conf.
+.TP
+\fB\-\-set\fP
+if the label has not been set on the connection, set it. Note that setting
+a label can fail. This is because the kernel allocates the conntrack label
+storage area when the connection is created, and it only reserves the amount
+of memory required by the ruleset that exists at the time the connection is
+created. In this case, the match will fail (or succeed, in case \fB\-\-label\fP
+option was negated).
+.PP
+This match depends on libnetfilter_conntrack 1.0.4 or later. Label
+translation is done via the \fB/etc/xtables/connlabel.conf\fP configuration
+file.
+.PP
+例:
+.IP
+.nf
+0 eth0\-in
+1 eth0\-out
+2 ppp\-in
+3 ppp\-out
+4 bulk\-traffic
+5 interactive
+.fi
+.PP
.SS connlimit
一つのサーバーに対する、 一つのクライアント IP アドレス (またはクライアントアドレスブロック) からの同時接続数を制限することができる。
.TP
.TP
\fB\-\-hashlimit\-htable\-gcinterval\fP \fImsec\fP
ガベージコレクションの間隔 (ミリ秒)。
+.TP
+\fB\-\-hashlimit\-rate\-match\fP
+Classify the flow instead of rate\-limiting it. This acts like a true/false
+match on whether the rate is above/below a certain number
+.TP
+\fB\-\-hashlimit\-rate\-interval\fP \fIsec\fP
+Can be used with \-\-hashlimit\-rate\-match to specify the interval at which the
+rate should be sampled
.PP
例:
.TP
No Next header which matches 59 in the 'Next Header field' of IPv6 header or
any IPv6 extension headers
.TP
-\fBproto\fP
+\fBprot\fP
which matches any upper layer protocol header. A protocol name from
/etc/protocols and numeric value also allowed. The number 255 is equivalent
-to \fBproto\fP.
+to \fBprot\fP.
.SS ipvs
IPVS コネクション属性にマッチする。
.TP
[\fB!\fP] \fB\-\-gid\-owner\fP \fIgroupid\fP[\fB\-\fP\fIgroupid\fP]
そのパケットのソケットのファイル構造体の所有者が指定されたグループの場合にマッチする。 数値の GID や GID の範囲を指定することもできる。
.TP
+\fB\-\-suppl\-groups\fP
+Causes group(s) specified with \fB\-\-gid\-owner\fP to be also checked in the
+supplementary groups of a process.
+.TP
[\fB!\fP] \fB\-\-socket\-exists\fP
パケットがソケットに関連付けられている場合にマッチする。
.SS physdev
ブリッジデバイスを通して受け取られなかったパケットは、 \&'!' が指定されていない限り、 このオプションにマッチしない。
.TP
[\fB!\fP] \fB\-\-physdev\-out\fP \fIname\fP
-パケットを送信することになるブリッジのポート名 (\fBFORWARD\fP, \fBOUTPUT\fP, \fBPOSTROUTING\fP
-チェインに入るパケットのみ)。 インターフェース名が "+" で終っている場合、 その名前で始まる任意のインターフェース名にマッチする。 \fBnat\fP
-と \fBmangle\fP テーブルの \fBOUTPUT\fP チェインではブリッジの出力ポートにマッチさせることができないが、 \fBfilter\fP テーブルの
-\fBOUPUT\fP チェインではマッチ可能である。 パケットがブリッジデバイスから送られなかった場合、 またはパケットの出力デバイスが不明であった場合は、
-\&'!' が指定されていない限り、 パケットはこのオプションにマッチしない。
+パケットが送信されるブリッジのポート名 (\fBFORWARD\fP, \fBPOSTROUTING\fP チェインに入るパケットに対して)。 インターフェース名が
+"+" で終っている場合、 その名前で始まる任意のインターフェース名にマッチする。
.TP
[\fB!\fP] \fB\-\-physdev\-is\-in\fP
パケットがブリッジインターフェースに入った場合にマッチする。
[\fB!\fP] \fB\-\-realm\fP \fIvalue\fP[\fB/\fP\fImask\fP]
Matches a given realm number (and optionally mask). If not a number, value
can be a named realm from /etc/iproute2/rt_realms (mask can not be used in
-that case).
+that case). Both value and mask are four byte unsigned integers and may be
+specified in decimal, hex (by prefixing with "0x") or octal (if a leading
+zero is given).
.SS recent
IP アドレスのリストを動的に作成し、このリストに対するマッチングをいくつかの方法で行う。
.PP
If the packet is matched an element in the set, match only if the packet
counter of the element is greater than the given value as well.
.TP
-[\fB!\fP] \fB\-bytes\-eq\fP \fIvalue\fP
+[\fB!\fP] \fB\-\-bytes\-eq\fP \fIvalue\fP
If the packet is matched an element in the set, match only if the byte
counter of the element matches the given value too.
.TP
Example (assuming packets with mark 1 are delivered locally):
.IP
\-t mangle \-A PREROUTING \-m socket \-\-transparent \-j MARK \-\-set\-mark 1
+.TP
+\fB\-\-restore\-skmark\fP
+Set the packet mark to the matching socket's mark. Can be combined with the
+\fB\-\-transparent\fP and \fB\-\-nowildcard\fP options to restrict the sockets to be
+matched when restoring the packet mark.
+.PP
+Example: An application opens 2 transparent (\fBIP_TRANSPARENT\fP) sockets and
+sets a mark on them with \fBSO_MARK\fP socket option. We can filter matching
+packets:
+.IP
+\-t mangle \-I PREROUTING \-m socket \-\-transparent \-\-restore\-skmark \-j action
+.IP
+\-t mangle \-A action \-m mark \-\-mark 10 \-j action2
+.IP
+\-t mangle \-A action \-m mark \-\-mark 11 \-j action3
.SS state
"state" 拡張は "conntrack" モジュールのサブセットである。 "state" を使うと、
パケットについてのコネクション追跡状態を参照できる。
[\fB!\fP] \fB\-\-hex\-string\fP \fIpattern\fP
指定された 16 進表記のパターンにマッチする。
.TP
+\fB\-\-icase\fP
+Ignore case when searching.
+.TP
例:
.IP
# 文字列パターンは単純なテキスト文字を探すのに使用できる。
[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP]
送信元ポートまたはポート範囲の指定。 サービス名またはポート番号を指定できる。 \fIfirst\fP\fB:\fP\fIlast\fP という形式で、 2
つの番号を含む範囲を指定することもできる。 最初のポートを省略した場合、 "0" を仮定する。 最後のポートを省略した場合、 "65535"
-を仮定する。 最初のポートが最後のポートより大きい場合、 2 つは入れ換えられる。 フラグ \fB\-\-sport\fP は、
-このオプションの便利な別名である。
+を仮定する。 フラグ \fB\-\-sport\fP は、 このオプションの便利な別名である。
.TP
[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP]
宛先ポートまたはポート範囲の指定。 フラグ \fB\-\-dport\fP は、 このオプションの便利な別名である。
SYN/ACK パケットに対してのみ利用できる。 MSS のネゴシエーションはコネクション開始時の TCP ハンドシェイク中だけだからである。
.TP
[\fB!\fP] \fB\-\-mss\fP \fIvalue\fP[\fB:\fP\fIvalue\fP]
-指定された TCP MSS 値か範囲にマッチする。
+Match a given TCP MSS value or range. If a range is given, the second
+\fIvalue\fP must be greater than or equal to the first \fIvalue\fP.
.SS time
このモジュールはパケットの到着時刻/日付が指定された範囲内の場合にマッチする。 すべてのオプションが任意オプションで、 複数指定した場合は AND
と解釈される。 デフォルトではすべての時刻は UTC と解釈される。
B と C は 32 ビット整数で、最初は 0 である。
.PP
命令は以下の通り。
-.IP
-number B = number;
+.TP
+\fBnumber\fP
+B = number;
.IP
C = (*(A+B)<<24) + (*(A+B+1)<<16) + (*(A+B+2)<<8) +
*(A+B+3)
-.IP
-&number C = C & number
-.IP
-<< number C = C << number
-.IP
->> number C = C >> number
-.IP
-@number A = A + C; この後、命令の数字を実行する
+.TP
+\fB&number\fP
+C = C & number
+.TP
+\fB<< number\fP
+C = C << number
+.TP
+\fB>> number\fP
+C = C >> number
+.TP
+\fB@number\fP
+A = A + C; then do the instruction number
.PP
[skb\->data,skb\->end] 以外へのメモリアクセスはすべてマッチ失敗となる。 それ以外の場合、計算の結果が C
の最終的な値となる。
.TP
[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP]
宛先ポートまたはポート範囲の指定。 詳細は TCP 拡張の \fB\-\-destination\-port\fP オプションの説明を参照すること。
-.SS "unclean (IPv4 の場合)"
-このモジュールにはオプションがないが、 おかしく正常でないように見えるパケットにマッチする。 これは実験的なものとして扱われている。
.SH ターゲットの拡張
.\" @TARGET@
iptables は拡張ターゲットモジュールを使うことができる: 以下のものが、 標準的なディストリビューションに含まれている。
許可/廃棄/拒否されたパケットを記録するのに使用できる。 詳細については auditd(8) を参照。
.TP
\fB\-\-type\fP {\fBaccept\fP|\fBdrop\fP|\fBreject\fP}
-監査レコード種別を設定する。
+Set type of audit record. Starting with linux\-4.12, this option has no
+effect on generated audit messages anymore. It is still accepted by iptables
+for compatibility reasons, but ignored.
.PP
例:
.IP
iptables \-N AUDIT_DROP
.IP
-iptables \-A AUDIT_DROP \-j AUDIT \-\-type drop
+iptables \-A AUDIT_DROP \-j AUDIT
.IP
iptables \-A AUDIT_DROP \-j DROP
.SS CHECKSUM
Only generate the specified expectation events for this connection.
Possible event types are: \fBnew\fP.
.TP
-\fB\-\-zone\fP \fIid\fP
+\fB\-\-zone\-orig\fP {\fIid\fP|\fBmark\fP}
+For traffic coming from ORIGINAL direction, assign this packet to zone \fIid\fP
+and only have lookups done in that zone. If \fBmark\fP is used instead of
+\fIid\fP, the zone is derived from the packet nfmark.
+.TP
+\fB\-\-zone\-reply\fP {\fIid\fP|\fBmark\fP}
+For traffic coming from REPLY direction, assign this packet to zone \fIid\fP
+and only have lookups done in that zone. If \fBmark\fP is used instead of
+\fIid\fP, the zone is derived from the packet nfmark.
+.TP
+\fB\-\-zone\fP {\fIid\fP|\fBmark\fP}
Assign this packet to zone \fIid\fP and only have lookups done in that zone.
-By default, packets have zone 0.
+If \fBmark\fP is used instead of \fIid\fP, the zone is derived from the packet
+nfmark. By default, packets have zone 0. This option applies to both
+directions.
.TP
\fB\-\-timeout\fP \fIname\fP
Use the timeout policy identified by \fIname\fP for the connection. This is
.TP
\fB\-\-random\fP
送信元ポートのマッピングをランダム化する。 \fB\-\-random\fP オプションを使用すると、 ポートマッピングがランダム化される (カーネル
-2.6.21 以降)。
+2.6.21 以降)。カーネル 5.0 以降では、 \fB\-\-random\fP は \fB\-\-random\-fully\fP と等価である。
+.TP
+\fB\-\-random\-fully\fP
+送信元ポートのマッピングを完全にランダム化する。 \fB\-\-random\-fully\fP オプションを使用すると、 ポートマッピングが完全にランダム化される
+(カーネル 3.13 以降)。
.TP
IPv6 サポートは Linux カーネル 3.7 以降で利用可能である。
-.SS "MIRROR (IPv4 の場合)"
-実験的なデモンストレーション用のターゲットであり、 IP ヘッダーの送信元と宛先フィールドを入れ換え、 パケットを再送信するものである。 これは
-\fBINPUT\fP, \fBFORWARD\fP, \fBPREROUTING\fP チェインと、 これらのチェインから呼び出される
-ユーザー定義チェインだけで有効である。 ループ等の問題を回避するため、 外部に送られるパケットは
-いかなるパケットフィルタリングチェイン・コネクション追跡・NAT からも 監視\fBされない\fP。
.SS NETMAP
このターゲットを使うと、あるアドレスネットワーク全体を別のネットワークアドレスに静的にマッピングできる。 このターゲットは \fBnat\fP
テーブルでルールでのみ使用できる。
ログメッセージの前に付けるプレフィックス文字列。 最大 64 文字までの指定できる。 ログの中でメッセージを区別するのに役に立つ。
.TP
\fB\-\-nflog\-range\fP \fIsize\fP
+This option has never worked, use \-\-nflog\-size instead
+.TP
+\fB\-\-nflog\-size\fP \fIsize\fP
ユーザー空間にコピーするバイト数 (nfnetlink_log の場合のみ利用できる)。 nfnetlink_log
のインスタンスは自身でコピーする範囲を指定できるが、 このオプションはそれを上書きする。
.TP
このターゲットは、 \fBnat\fP テーブルの \fBPREROUTING\fP チェインと \fBOUTPUT\fP チェイン、
およびこれらチェインから呼び出されるユーザー定義チェインでのみ有効である。 このターゲットは、 宛先 IP
をパケットを受信したインタフェースの最初のアドレスに変更することで、 パケットをそのマシン自身にリダイレクトする
-(ローカルで生成されたパケットはローカルホストのアドレス、 IPv4 では 127.0.0.1、 IPv6 では ::1 にマップされる)。
+(ローカルで生成されたパケットはローカルホストのアドレス、 IPv4 では 127.0.0.1、 IPv6 では ::1 にマップされる。 IP
+アドレスを設定されていないインタフェースに到着したパケットは破棄される)。
.TP
\fB\-\-to\-ports\fP \fIport\fP[\fB\-\fP\fIport\fP]
このオプションは使用される宛先ポート・ポート範囲・複数ポートを指定する。 このオプションが指定されない場合、 宛先ポートは変更されない。
オプション \fBtcp\-reset\fP を使うことができる。 このオプションを使うと、 TCP RST パケットが送り返される。 主として
\fIident\fP (113/tcp) による探査を阻止するのに役立つ。 \fIident\fP による探査は、 壊れている (メールを受け取らない)
メールホストに メールが送られる場合に頻繁に起こる。
-.PP
+.IP
(*) icmp\-admin\-prohibited をサポートしないカーネルで、 icmp\-admin\-prohibited を使用すると、
REJECT ではなく単なる DROP になる。
-.SS "SAME (IPv4 の場合)"
-Similar to SNAT/DNAT depending on chain: it takes a range of addresses
-(`\-\-to 1.2.3.4\-1.2.3.7') and gives a client the same
-source\-/destination\-address for each connection.
-.PP
-N.B.: The DNAT target's \fB\-\-persistent\fP option replaced the SAME target.
-.TP
-\fB\-\-to\fP \fIipaddr\fP[\fB\-\fP\fIipaddr\fP]
-Addresses to map source to. May be specified more than once for multiple
-ranges.
-.TP
-\fB\-\-nodst\fP
-Don't use the destination\-ip in the calculations when selecting the new
-source\-ip
-.TP
-\fB\-\-random\fP
-Port mapping will be forcibly randomized to avoid attacks based on port
-prediction (kernel >= 2.6.21).
.SS SECMARK
This is used to set the security mark value associated with the packet for
use by security subsystems such as SELinux. It is valid in the \fBsecurity\fP
.TP
\fB\-\-del\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP...]
集合から指定されたアドレス/ポート (複数可) を削除する
+.TP
+\fB\-\-map\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP...]
+[\-\-map\-mark] [\-\-map\-prio] [\-\-map\-queue] map packet properties (firewall
+mark, tc priority, hardware queue)
.IP
\fIflag\fP は \fBsrc\fP や \fBdst\fP の指定であり、 指定できるのは 6 個までである。
.TP
.TP
\fB\-\-exist\fP
エントリを追加する際に、 エントリが存在する場合、 タイムアウト値を、 指定された値か集合定義のデフォルト値にリセットする
+.TP
+\fB\-\-map\-set\fP \fIset\-name\fP
+the set\-name should be created with \-\-skbinfo option \fB\-\-map\-mark\fP map
+firewall mark to packet by lookup of value in the set \fB\-\-map\-prio\fP map
+traffic control priority to packet by lookup of value in the set
+\fB\-\-map\-queue\fP map hardware NIC queue to packet by lookup of value in the
+set
+.IP
+The \fB\-\-map\-set\fP option can be used from the mangle table only. The
+\fB\-\-map\-prio\fP and \fB\-\-map\-queue\fP flags can be used in the OUTPUT, FORWARD
+and POSTROUTING chains.
.PP
\-j SET を使用するには ipset のカーネルサポートが必要である。 標準のカーネルでは、 Linux 2.6.39 以降で提供されている。
.SS SNAT
する機能は存在しない。
.TP
\fB\-\-random\fP
-\fB\-\-random\fP オプションが使用されると、ポートマッピングはランダム化される (カーネル 2.6.21 以降)。
+\fB\-\-random\fP オプションが使用されると、ポートマッピングは、ハッシュを使ったアルゴリズムでランダム化される (カーネル 2.6.21 以降)。
+.TP
+\fB\-\-random\-fully\fP
+\fB\-\-random\fP オプションが使用されると、ポートマッピングは PRNG でランダム化される (カーネル 2.6.21 以降)。
.TP
\fB\-\-persistent\fP
クライアントの各コネクションに同じ送信元アドレス/宛先アドレスを割り当てる。 これは SAME ターゲットよりも優先される。 persistent
sysctl \-w net.ipv6.conf.all.proxy_ndp=1
.PP
また、変換されたフローに対するコネクション追跡を無効にするには \fBNOTRACK\fP ターゲットを使用する必要がある。
+.SS SYNPROXY
+This target will process TCP three\-way\-handshake parallel in netfilter
+context to protect either local or backend system. This target requires
+connection tracking because sequence numbers need to be translated. The
+kernels ability to absorb SYNFLOOD was greatly improved starting with Linux
+4.4, so this target should not be needed anymore to protect Linux servers.
+.TP
+\fB\-\-mss\fP \fImaximum segment size\fP
+Maximum segment size announced to clients. This must match the backend.
+.TP
+\fB\-\-wscale\fP \fIwindow scale\fP
+Window scale announced to clients. This must match the backend.
+.TP
+\fB\-\-sack\-perm\fP
+Pass client selective acknowledgement option to backend (will be disabled if
+not present).
+.TP
+\fB\-\-timestamps\fP
+Pass client timestamp option to backend (will be disabled if not present,
+also needed for selective acknowledgement and window scaling).
+.PP
+例:
+.PP
+Determine tcp options used by backend, from an external system
+.IP
+tcpdump \-pni eth0 \-c 1 'tcp[tcpflags] == (tcp\-syn|tcp\-ack)'
+.br
+ port 80 &
+.br
+telnet 192.0.2.42 80
+.br
+18:57:24.693307 IP 192.0.2.42.80 > 192.0.2.43.48757:
+.br
+ Flags [S.], seq 360414582, ack 788841994, win 14480,
+.br
+ options [mss 1460,sackOK,
+.br
+ TS val 1409056151 ecr 9690221,
+.br
+ nop,wscale 9],
+.br
+ length 0
+.PP
+Switch tcp_loose mode off, so conntrack will mark out\-of\-flow packets as
+state INVALID.
+.IP
+echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
+.PP
+Make SYN packets untracked
+.IP
+iptables \-t raw \-A PREROUTING \-i eth0 \-p tcp \-\-dport 80
+ \-\-syn \-j CT \-\-notrack
+.PP
+Catch UNTRACKED (SYN packets) and INVALID (3WHS ACK packets) states and send
+them to SYNPROXY. This rule will respond to SYN packets with SYN+ACK
+syncookies, create ESTABLISHED for valid client response (3WHS ACK packets)
+and drop incorrect cookies. Flags combinations not expected during 3WHS will
+not match and continue (e.g. SYN+FIN, SYN+ACK).
+.IP
+iptables \-A INPUT \-i eth0 \-p tcp \-\-dport 80
+ \-m state \-\-state UNTRACKED,INVALID \-j SYNPROXY
+ \-\-sack\-perm \-\-timestamp \-\-mss 1460 \-\-wscale 9
+.PP
+Drop invalid packets, this will be out\-of\-flow packets that were not matched
+by SYNPROXY.
+.IP
+iptables \-A INPUT \-i eth0 \-p tcp \-\-dport 80 \-m state \-\-state INVALID \-j DROP
.SS TCPMSS
このターゲットを用いると、 TCP の SYN パケットの MSS 値を書き換え、 そのコネクションでの最大サイズを制御できる (通常は、
送信インターフェースの MTU から IPv4 では 40 を、 IPv6 では 60 を引いた値に制限する)。 もちろん \fB\-p tcp\fP
want.)
.SS TRACE
This target marks packets so that the kernel will log every rule which match
-the packets as those traverse the tables, chains, rules.
-.PP
-A logging backend, such as ip(6)t_LOG or nfnetlink_log, must be loaded for
-this to be visible. The packets are logged with the string prefix: "TRACE:
-tablename:chainname:type:rulenum " where type can be "rule" for plain rule,
-"return" for implicit rule at the end of a user defined chain and "policy"
-for the policy of the built in chains.
-.br
-It can only be used in the \fBraw\fP table.
+the packets as those traverse the tables, chains, rules. It can only be used
+in the \fBraw\fP table.
+.PP
+With iptables\-legacy, a logging backend, such as ip(6)t_LOG or
+nfnetlink_log, must be loaded for this to be visible. The packets are
+logged with the string prefix: "TRACE: tablename:chainname:type:rulenum "
+where type can be "rule" for plain rule, "return" for implicit rule at the
+end of a user defined chain and "policy" for the policy of the built in
+chains.
+.PP
+With iptables\-nft, the target is translated into nftables' \fBmeta nftrace\fP
+expression. Hence the kernel sends trace events via netlink to userspace
+where they may be displayed using \fBxtables\-monitor \-\-trace\fP command. For
+details, refer to \fBxtables\-monitor\fP(8).
.SS "TTL (IPv4 の場合)"
このターゲットを使うと、 IPv4 の TTL ヘッダーフィールドを変更できる。 TTL フィールドにより、 TTL
がなくなるまでに、パケットが何ホップ (何個のルータ) を通過できるかが決定される。
.\" Translated 2001-05-15, Yuichi SATO <ysato@h4.dion.ne.jp>
.\" Updated 2013-04-08, Akihiro MOTOKI <amotoki@gmail.com>
.\"
-.TH IPTABLES\-RESTORE 8 "" "iptables 1.4.21" "iptables 1.4.21"
+.TH IPTABLES\-RESTORE 8 "" "iptables 1.8.4" "iptables 1.8.4"
.\"
.\" Man page written by Harald Welte <laforge@gnumonks.org>
.\" It is based on the iptables man page.
.P
ip6tables\-restore \(em IPv6 テーブルを復元する
.SH 書式
-\fBiptables\-restore\fP [\fB\-chntv\fP] [\fB\-M\fP \fImodprobe\fP]
+\fBiptables\-restore\fP [\fB\-chntvV\fP] [\fB\-w\fP \fIsecs\fP] [\fB\-W\fP \fIusecs\fP] [\fB\-M\fP
+\fImodprobe\fP] [\fB\-T\fP \fIname\fP] [\fBfile\fP]
.P
-\fBip6tables\-restore\fP [\fB\-chntv\fP] [\fB\-M\fP \fImodprobe\fP] [\fB\-T\fP \fIname\fP]
+\fBip6tables\-restore\fP [\fB\-chntvV\fP] [\fB\-w\fP \fIsecs\fP] [\fB\-W\fP \fIusecs\fP] [\fB\-M\fP
+\fImodprobe\fP] [\fB\-T\fP \fIname\fP] [\fBfile\fP]
.SH 説明
.PP
-\fBiptables\-restore\fP と \fBip6tables\-restore\fP は標準入力で指定されたデータから IP/IPv6
-テーブルを復元するために使われる。 ファイルから読み込むためには、 シェルで提供されている I/O リダイレクションを使うこと。
+\fBiptables\-restore\fP と \fBip6tables\-restore\fP は、標準入力または \fIfile\fP で指定されたデータから
+IP/IPv6 テーブルを復元するために使われる。ファイルから読み込むためには、シェルで提供されている I/O リダイレクションを使うか、引き数で
+\fIfile\fP を指定すること。
.TP
\fB\-c\fP, \fB\-\-counters\fP
全てのパケットカウンタとバイトカウンタの値を復元する。
\fB\-v\fP, \fB\-\-verbose\fP
ルールセットの処理中に追加のデバッグ情報を表示する。
.TP
+\fB\-V\fP, \fB\-\-version\fP
+プログラムのバージョン番号を表示する。
+.TP
+\fB\-w\fP, \fB\-\-wait\fP [\fIseconds\fP]
+Wait for the xtables lock. To prevent multiple instances of the program
+from running concurrently, an attempt will be made to obtain an exclusive
+lock at launch. By default, the program will exit if the lock cannot be
+obtained. This option will make the program wait (indefinitely or for
+optional \fIseconds\fP) until the exclusive lock can be obtained.
+.TP
+\fB\-W\fP, \fB\-\-wait\-interval\fP \fImicroseconds\fP
+Interval to wait per each iteration. When running latency sensitive
+applications, waiting for the xtables lock for extended durations may not be
+acceptable. This option will make each iteration take the amount of time
+specified. The default interval is 1 second. This option only works with
+\fB\-w\fP.
+.TP
\fB\-M\fP, \fB\-\-modprobe\fP \fImodprobe_program\fP
modprobe プログラムのパスを指定する。デフォルトでは、 iptables\-restore は /proc/sys/kernel/modprobe
の内容を確認して実行ファイルのパスを決定する。
.\" Translated 2001-05-15, Yuichi SATO <ysato@h4.dion.ne.jp>
.\" Updated 2013-04-08, Akihiro MOTOKI <amotoki@gmail.com>
.\"
-.TH IPTABLES\-SAVE 8 "" "iptables 1.4.21" "iptables 1.4.21"
+.TH IPTABLES\-SAVE 8 "" "iptables 1.8.4" "iptables 1.8.4"
.\"
.\" Man page written by Harald Welte <laforge@gnumonks.org>
.\" It is based on the iptables man page.
.\"
.\"
.SH 名前
-iptables\-save \(em iptables ルールを標準出力にダンプする
+iptables\-save \(em iptables ルールをダンプする
.P
-ip6tables\-save \(em iptables ルールを標準出力にダンプする
+ip6tables\-save \(em iptables ルールをダンプする
.SH 書式
-\fBiptables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP] [\fB\-t\fP \fItable\fP]
+\fBiptables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP] [\fB\-t\fP \fItable\fP] [\fB\-f\fP
+\fIfilename\fP]
.P
-\fBip6tables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP] [\fB\-t\fP \fItable\fP]
+\fBip6tables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP] [\fB\-t\fP \fItable\fP] [\fB\-f\fP
+\fIfilename\fP]
.SH 説明
.PP
-\fBiptables\-save\fP と \fBip6tables\-save\fP は IP/IPv6 テーブルの内容を簡単に解析できる形式で
-標準出力にダンプするために使われる。 ファイルに書き出すためには、 シェルで提供されている I/O リダイレクションを使うこと。
+\fBiptables\-save\fP と \fBip6tables\-save\fP は、 IP/IPv6
+テーブルの内容を簡単に解析できる形式で標準出力か指定されたフィアルのいずれかにダンプするために使われる。
.TP
-\fB\-M\fP \fImodprobe_program\fP
+\fB\-M\fP, \fB\-\-modprobe\fP \fImodprobe_program\fP
modprobe プログラムのパスを指定する。デフォルトでは、 iptables\-save は /proc/sys/kernel/modprobe
の内容を確認して実行ファイルのパスを決定する。
.TP
+\fB\-f\fP, \fB\-\-file\fP \fIfilename\fP
+出力を書き込むファイル名を指定する。指定されなかった場合、 iptables\-save は出力を標準出力に書き出す。
+.TP
\fB\-c\fP, \fB\-\-counters\fP
全てのパケットカウンタとバイトカウンタの現在の値を出力する。
.TP
\fB\-t\fP, \fB\-\-table\fP \fItablename\fP
-出力を 1 つのテーブルのみに制限する。 指定されない場合、得られた全てのテーブルを出力する。
+restrict output to only one table. If the kernel is configured with
+automatic module loading, an attempt will be made to load the appropriate
+module for that table if it is not already there.
+.br
+指定されない場合、得られた全てのテーブルを出力する。
.SH バグ
iptables\-1.2.1 リリースでは知られていない。
.SH 作者
.\" Updated & Modified 2004-02-21, Yuichi SATO <ysato444@yahoo.co.jp>
.\" Updated 2013-04-08, Akihiro MOTOKI <amotoki@gmail.com>
.\"
-.TH IPTABLES 8 "" "iptables 1.4.21" "iptables 1.4.21"
+.TH IPTABLES 8 "" "iptables 1.8.4" "iptables 1.8.4"
.\"
.\" Man page written by Herve Eychenne <rv@wallfire.org> (May 1999)
.\" It is based on ipchains page.
\fBnat\fP:
このテーブルは新しい接続を開くパケットの場合に参照される。 \fBPREROUTING\fP
(パケットが入ってきた場合、すぐにそのパケットを変換するためのチェイン)、 \fBOUTPUT\fP
-(ローカルで生成されたパケットをルーティングの前に変換するためのチェイン)、 \fBPOSTROUTING\fP
-(ã\83\91ã\82±ã\83\83ã\83\88ã\81\8cå\87ºã\81¦è¡\8cã\81\8fã\81¨ã\81\8dã\81«å¤\89æ\8f\9bã\81\99ã\82\8bã\81\9fã\82\81ã\81®ã\83\81ã\82§ã\82¤ã\83³) ã\81¨ã\81\84ã\81\86 3 ã\81¤ã\81®çµ\84ã\81¿è¾¼ã\81¿ã\83\81ã\82§ã\82¤ã\83³ã\81\8cã\81\82ã\82\8bã\80\82 IPv6 NAT ã\82µã\83\9dã\83¼ã\83\88ã\81¯ã\82«ã\83¼ã\83\8dã\83« 3.7
-以降で利用できる。
+(ローカルで生成されたパケットをルーティングの前に変換するためのチェイン)、 \fBINPUT\fP
+(ã\83ã\83¼ã\82«ã\83«ã\82½ã\82±ã\83\83ã\83\88å®\9bã\81¦ã\81®ã\83\91ã\82±ã\83\83ã\83\88ã\82\92å¤\89æ\9b´ã\81\99ã\82\8bã\81\9fã\82\81ã\81®ã\83\81ã\82§ã\82¤ã\83³)ã\80\81 \fBPOSTROUTING\fP (ã\83\91ã\82±ã\83\83ã\83\88ã\81\8cå\87ºã\81¦è¡\8cã\81\8fã\81¨ã\81\8dã\81«å¤\89æ\8f\9bã\81\99ã\82\8bã\81\9fã\82\81ã\81®ã\83\81ã\82§ã\82¤ã\83³) ã\81¨ã\81\84ã\81\86
+4 つの組み込みチェインがある。 IPv6 NAT サポートはカーネル 3.7 以降で利用できる。
.TP
\fBmangle\fP:
このテーブルは特別なパケット変換に使われる。 カーネル 2.4.17 までは、組み込みチェインは \fBPREROUTING\fP
.fi
DNS の逆引きを避けるために、 \fB\-n\fP オプションと共に使用されることがよくある。 \fB\-Z\fP (ゼロクリア)
オプションを同時に指定することもできる。 この場合、各チェインの表示とゼロクリアは同時に行われ、カウンタ値に抜けが発生することはない。
-細かな出力内容は同時に指定された他の引き数により変化する。 以下のように \fB\-v\fP オプションを指定しない限り、
-ルールの表示は一部省略されたものとなる。
+細かな出力内容は同時に指定された他の引き数により変化する。デフォルトでは、ルールの表示は一部省略されたものとなる。完全なルールを表示するには、
.nf
iptables \-L \-v
.fi
+のように \fB\-v\fP オプションを指定するか \fBiptables\-save\fP(8) を使うこと。
.TP
\fB\-S\fP, \fB\-\-list\-rules\fP [\fIchain\fP]
選択されたチェインにある全てのルールを表示する。チェインが指定されない場合、 iptables\-save と同じく、 全てのチェインの情報が表示される。
引き数が指定されなかった場合、テーブルにあるチェインのうち組み込みチェイン以外のものを全て削除する。
.TP
\fB\-P\fP, \fB\-\-policy\fP \fIchain target\fP
-チェインのポリシーを指定したターゲットに設定する。指定可能なターゲットは「\fBターゲット\fP」の章を参照すること。 (ユーザー定義ではない)
-組み込みチェインにしかポリシーは設定できない。 また、ポリシーのターゲットに、 組み込みチェインやユーザー定義チェインを設定することはできない。
+組み込みチェイン (ユーザー定義ではないチェイン) のポリシーを指定したターゲットに設定する。ポリシーのターゲットは \fBACCEPT\fP か
+\fBDROP\fP でなければならない。
.TP
\fB\-E\fP, \fB\-\-rename\-chain\fP \fIold\-chain new\-chain\fP
ユーザー定義チェインを指定した名前に変更する。 これは見た目だけの変更なので、テーブルの構造には何も影響しない。
コマンドに適用すると、 ルールについての詳細な情報を表示する。 \fB\-v\fP は複数回指定することができ、
数が多くなるとより多くのデバッグ情報が出力される。
.TP
-\fB\-w\fP, \fB\-\-wait\fP
+\fB\-w\fP, \fB\-\-wait\fP [\fIseconds\fP]
Wait for the xtables lock. To prevent multiple instances of the program
from running concurrently, an attempt will be made to obtain an exclusive
lock at launch. By default, the program will exit if the lock cannot be
-obtained. This option will make the program wait until the exclusive lock
-can be obtained.
+obtained. This option will make the program wait (indefinitely or for
+optional \fIseconds\fP) until the exclusive lock can be obtained.
+.TP
+\fB\-W\fP, \fB\-\-wait\-interval\fP \fImicroseconds\fP
+Interval to wait per each iteration. When running latency sensitive
+applications, waiting for the xtables lock for extended durations may not be
+acceptable. This option will make each iteration take the amount of time
+specified. The default interval is 1 second. This option only works with
+\fB\-w\fP.
.TP
\fB\-n\fP, \fB\-\-numeric\fP
数値による出力を行う。 IP アドレスやポート番号を数値によるフォーマットで表示する。 デフォルトでは、iptables は (可能であれば) IP
Harald Welte は ULOG ターゲット、NFQUEUE ターゲット、新しい libiptc や TTL, DSCP, ECN
のマッチ・ターゲットを書いた。
.PP
-Netfilter コアチームは、Martin Josefsson, Yasuyuki Kozakai, Jozsef Kadlecsik,
-Patrick McHardy, James Morris, Pablo Neira Ayuso, Harald Welte, Rusty
-Russell である。
+Netfilter コアチームは、 Jozsef Kadlecsik, Pablo Neira Ayuso, Eric Leblond, Florian
+Westphal, Arturo Borrero Gonzalez である。名誉コアメンバーは Marc Boucher, Martin
+Josefsson, Yasuyuki Kozakai, James Morris, Harald Welte, Rusty Russell である。
.PP
.\" .. and did I mention that we are incredibly cool people?
.\" .. sexy, too ..
man ページは元々 Herve Eychenne <rv@wallfire.org> が書いた。
.SH バージョン
.PP
-この man ページは iptables/ip6tables 1.4.21 について説明している。
+この man ページは iptables/ip6tables 1.8.4 について説明している。
-.TH IPTABLES-XML 1 "" "iptables 1.4.21" "iptables 1.4.21"
+.TH IPTABLES-XML 1 "" "iptables 1.8.4" "iptables 1.8.4"
.\"
.\" Man page written by Sam Liddicott <azez@ufomechanic.net>
.\" It is based on the iptables-save man page.
--- /dev/null
+.TH ARPTABLES-RESTORE 8 "March 2019" "" ""
+.\"
+.\" Man page written by Jesper Dangaard Brouer <brouer@redhat.com> based on a
+.\" Man page written by Harald Welte <laforge@gnumonks.org>
+.\" It is based on the iptables-restore man page.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+arptables-restore \- Restore ARP Tables (nft-based)
+.SH SYNOPSIS
+\fBarptables\-restore
+.SH DESCRIPTION
+.PP
+.B arptables-restore
+is used to restore ARP Tables from data specified on STDIN or
+via a file as first argument.
+Use I/O redirection provided by your shell to read from a file
+.TP
+.B arptables-restore
+flushes (deletes) all previous contents of the respective ARP Table.
+.SH AUTHOR
+Jesper Dangaard Brouer <brouer@redhat.com>
+.SH SEE ALSO
+\fBarptables\-save\fP(8), \fBarptables\fP(8)
+.PP
--- /dev/null
+.TH ARPTABLES-SAVE 8 "March 2019" "" ""
+.\"
+.\" Man page written by Jesper Dangaard Brouer <brouer@redhat.com> based on a
+.\" Man page written by Harald Welte <laforge@gnumonks.org>
+.\" It is based on the iptables-save man page.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+arptables-save \- dump arptables rules to stdout (nft-based)
+.SH SYNOPSIS
+\fBarptables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
+.P
+\fBarptables\-save\fP [\fB\-V\fP]
+.SH DESCRIPTION
+.PP
+.B arptables-save
+is used to dump the contents of an ARP Table in easily parseable format
+to STDOUT. Use I/O-redirection provided by your shell to write to a file.
+.TP
+\fB\-M\fR, \fB\-\-modprobe\fR \fImodprobe_program\fP
+Specify the path to the modprobe program. By default, arptables-save will
+inspect /proc/sys/kernel/modprobe to determine the executable's path.
+.TP
+\fB\-c\fR, \fB\-\-counters\fR
+Include the current values of all packet and byte counters in the output.
+.TP
+\fB\-V\fR, \fB\-\-version\fR
+Print version information and exit.
+.SH AUTHOR
+Jesper Dangaard Brouer <brouer@redhat.com>
+.SH SEE ALSO
+\fBarptables\-restore\fP(8), \fBarptables\fP(8)
+.PP
--- /dev/null
+.TH ARPTABLES 8 "March 2019"
+.\"
+.\" Man page originally written by Jochen Friedrich <jochen@scram.de>,
+.\" maintained by Bart De Schuymer.
+.\" It is based on the iptables man page.
+.\"
+.\" Iptables page by Herve Eychenne March 2000.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+arptables \- ARP table administration (nft-based)
+.SH SYNOPSIS
+.BR "arptables " [ "-t table" ] " -" [ AD ] " chain rule-specification " [ options ]
+.br
+.BR "arptables " [ "-t table" ] " -" [ RI ] " chain rulenum rule-specification " [ options ]
+.br
+.BR "arptables " [ "-t table" ] " -D chain rulenum " [ options ]
+.br
+.BR "arptables " [ "-t table" ] " -" [ "LFZ" ] " " [ chain ] " " [ options ]
+.br
+.BR "arptables " [ "-t table" ] " -" [ "NX" ] " chain"
+.br
+.BR "arptables " [ "-t table" ] " -E old-chain-name new-chain-name"
+.br
+.BR "arptables " [ "-t table" ] " -P chain target " [ options ]
+
+.SH DESCRIPTION
+.B arptables
+is a user space tool, it is used to set up and maintain the
+tables of ARP rules in the Linux kernel. These rules inspect
+the ARP frames which they see.
+.B arptables
+is analogous to the
+.B iptables
+user space tool, but
+.B arptables
+is less complicated.
+
+.SS CHAINS
+The kernel table is used to divide functionality into
+different sets of rules. Each set of rules is called a chain.
+Each chain is an ordered list of rules that can match ARP frames. If a
+rule matches an ARP frame, then a processing specification tells
+what to do with that matching frame. The processing specification is
+called a 'target'. However, if the frame does not match the current
+rule in the chain, then the next rule in the chain is examined and so forth.
+The user can create new (user-defined) chains which can be used as the 'target' of a rule.
+
+.SS TARGETS
+A firewall rule specifies criteria for an ARP frame and a frame
+processing specification called a target. When a frame matches a rule,
+then the next action performed by the kernel is specified by the target.
+The target can be one of these values:
+.IR ACCEPT ,
+.IR DROP ,
+.IR CONTINUE ,
+.IR RETURN ,
+an 'extension' (see below) or a user-defined chain.
+.PP
+.I ACCEPT
+means to let the frame through.
+.I DROP
+means the frame has to be dropped.
+.I CONTINUE
+means the next rule has to be checked. This can be handy to know how many
+frames pass a certain point in the chain or to log those frames.
+.I RETURN
+means stop traversing this chain and resume at the next rule in the
+previous (calling) chain.
+For the extension targets please see the
+.B "TARGET EXTENSIONS"
+section of this man page.
+.SS TABLES
+There is only one ARP table in the Linux
+kernel. The table is
+.BR filter.
+You can drop the '-t filter' argument to the arptables command.
+The -t argument must be the
+first argument on the arptables command line, if used.
+.TP
+.B "-t, --table"
+.br
+.BR filter ,
+is the only table and contains two built-in chains:
+.B INPUT
+(for frames destined for the host) and
+.B OUTPUT
+(for locally-generated frames).
+.br
+.br
+.SH ARPTABLES COMMAND LINE ARGUMENTS
+After the initial arptables command line argument, the remaining
+arguments can be divided into several different groups. These groups
+are commands, miscellaneous commands, rule-specifications, match-extensions,
+and watcher-extensions.
+.SS COMMANDS
+The arptables command arguments specify the actions to perform on the table
+defined with the -t argument. If you do not use the -t argument to name
+a table, the commands apply to the default filter table.
+With the exception of the
+.B "-Z"
+command, only one command may be used on the command line at a time.
+.TP
+.B "-A, --append"
+Append a rule to the end of the selected chain.
+.TP
+.B "-D, --delete"
+Delete the specified rule from the selected chain. There are two ways to
+use this command. The first is by specifying an interval of rule numbers
+to delete, syntax: start_nr[:end_nr]. Using negative numbers is allowed, for more
+details about using negative numbers, see the -I command. The second usage is by
+specifying the complete rule as it would have been specified when it was added.
+.TP
+.B "-I, --insert"
+Insert the specified rule into the selected chain at the specified rule number.
+If the current number of rules equals N, then the specified number can be
+between -N and N+1. For a positive number i, it holds that i and i-N-1 specify the
+same place in the chain where the rule should be inserted. The number 0 specifies
+the place past the last rule in the chain and using this number is therefore
+equivalent with using the -A command.
+.TP
+.B "-R, --replace"
+Replaces the specified rule into the selected chain at the specified rule number.
+If the current number of rules equals N, then the specified number can be
+between 1 and N. i specifies the place in the chain where the rule should be replaced.
+.TP
+.B "-P, --policy"
+Set the policy for the chain to the given target. The policy can be
+.BR ACCEPT ", " DROP " or " RETURN .
+.TP
+.B "-F, --flush"
+Flush the selected chain. If no chain is selected, then every chain will be
+flushed. Flushing the chain does not change the policy of the
+chain, however.
+.TP
+.B "-Z, --zero"
+Set the counters of the selected chain to zero. If no chain is selected, all the counters
+are set to zero. The
+.B "-Z"
+command can be used in conjunction with the
+.B "-L"
+command.
+When both the
+.B "-Z"
+and
+.B "-L"
+commands are used together in this way, the rule counters are printed on the screen
+before they are set to zero.
+.TP
+.B "-L, --list"
+List all rules in the selected chain. If no chain is selected, all chains
+are listed.
+.TP
+.B "-N, --new-chain"
+Create a new user-defined chain with the given name. The number of
+user-defined chains is unlimited. A user-defined chain name has maximum
+length of 31 characters.
+.TP
+.B "-X, --delete-chain"
+Delete the specified user-defined chain. There must be no remaining references
+to the specified chain, otherwise
+.B arptables
+will refuse to delete it. If no chain is specified, all user-defined
+chains that aren't referenced will be removed.
+.TP
+.B "-E, --rename-chain"
+Rename the specified chain to a new name. Besides renaming a user-defined
+chain, you may rename a standard chain name to a name that suits your
+taste. For example, if you like PREBRIDGING more than PREROUTING,
+then you can use the -E command to rename the PREROUTING chain. If you do
+rename one of the standard
+.B arptables
+chain names, please be sure to mention
+this fact should you post a question on the
+.B arptables
+mailing lists.
+It would be wise to use the standard name in your post. Renaming a standard
+.B arptables
+chain in this fashion has no effect on the structure or function
+of the
+.B arptables
+kernel table.
+
+.SS MISCELLANOUS COMMANDS
+.TP
+.B "-V, --version"
+Show the version of the arptables userspace program.
+.TP
+.B "-h, --help"
+Give a brief description of the command syntax.
+.TP
+.BR "-j, --jump " "\fItarget\fP"
+The target of the rule. This is one of the following values:
+.BR ACCEPT ,
+.BR DROP ,
+.BR CONTINUE ,
+.BR RETURN ,
+a target extension (see
+.BR "TARGET EXTENSIONS" ")"
+or a user-defined chain name.
+.TP
+.BI "-c, --set-counters " "PKTS BYTES"
+This enables the administrator to initialize the packet and byte
+counters of a rule (during
+.B INSERT,
+.B APPEND,
+.B REPLACE
+operations).
+
+.SS RULE-SPECIFICATIONS
+The following command line arguments make up a rule specification (as used
+in the add and delete commands). A "!" option before the specification
+inverts the test for that specification. Apart from these standard rule
+specifications there are some other command line arguments of interest.
+.TP
+.BR "-s, --source-ip " "[!] \fIaddress\fP[/\fImask]\fP"
+The Source IP specification.
+.TP
+.BR "-d, --destination-ip " "[!] \fIaddress\fP[/\fImask]\fP"
+The Destination IP specification.
+.TP
+.BR "--source-mac " "[!] \fIaddress\fP[/\fImask\fP]"
+The source mac address. Both mask and address are written as 6 hexadecimal
+numbers separated by colons.
+.TP
+.BR "--destination-mac " "[!] \fIaddress\fP[/\fImask\fP]"
+The destination mac address. Both mask and address are written as 6 hexadecimal
+numbers separated by colons.
+.TP
+.BR "-i, --in-interface " "[!] \fIname\fP"
+The interface via which a frame is received (for the
+.B INPUT
+chain). The flag
+.B --in-if
+is an alias for this option.
+.TP
+.BR "-o, --out-interface " "[!] \fIname\fP"
+The interface via which a frame is going to be sent (for the
+.B OUTPUT
+chain). The flag
+.B --out-if
+is an alias for this option.
+.TP
+.BR "-l, --h-length " "\fIlength\fP[/\fImask\fP]"
+The hardware length (nr of bytes)
+.TP
+.BR "--opcode " "\fIcode\fP[/\fImask\fP]
+The operation code (2 bytes). Available values are:
+.BR 1 = Request
+.BR 2 = Reply
+.BR 3 = Request_Reverse
+.BR 4 = Reply_Reverse
+.BR 5 = DRARP_Request
+.BR 6 = DRARP_Reply
+.BR 7 = DRARP_Error
+.BR 8 = InARP_Request
+.BR 9 = ARP_NAK .
+.TP
+.BR "--h-type " "\fItype\fP[/\fImask\fP]"
+The hardware type (2 bytes, hexadecimal). Available values are:
+.BR 1 = Ethernet .
+.TP
+.BR "--proto-type " "\fItype\fP[/\fImask\fP]"
+The protocol type (2 bytes). Available values are:
+.BR 0x800 = IPv4 .
+
+.SS TARGET-EXTENSIONS
+.B arptables
+extensions are precompiled into the userspace tool. So there is no need
+to explicitly load them with a -m option like in
+.BR iptables .
+However, these
+extensions deal with functionality supported by supplemental kernel modules.
+.SS mangle
+.TP
+.BR "--mangle-ip-s IP address"
+Mangles Source IP Address to given value.
+.TP
+.BR "--mangle-ip-d IP address"
+Mangles Destination IP Address to given value.
+.TP
+.BR "--mangle-mac-s MAC address"
+Mangles Source MAC Address to given value.
+.TP
+.BR "--mangle-mac-d MAC address"
+Mangles Destination MAC Address to given value.
+.TP
+.BR "--mangle-target target "
+Target of ARP mangle operation
+.BR "" ( DROP ", " CONTINUE " or " ACCEPT " -- default is " ACCEPT ).
+.SS CLASSIFY
+This module allows you to set the skb->priority value (and thus clas-
+sify the packet into a specific CBQ class).
+
+.TP
+.BR "--set-class major:minor"
+
+Set the major and minor class value. The values are always
+interpreted as hexadecimal even if no 0x prefix is given.
+
+.SS MARK
+This module allows you to set the skb->mark value (and thus classify
+the packet by the mark in u32)
+
+.TP
+.BR "--set-mark mark"
+Set the mark value. The values are always
+interpreted as hexadecimal even if no 0x prefix is given
+
+.TP
+.BR "--and-mark mark"
+Binary AND the mark with bits.
+
+.TP
+.BR "--or-mark mark"
+Binary OR the mark with bits.
+
+.SH NOTES
+In this nft-based version of
+.BR arptables ,
+support for
+.B FORWARD
+chain has not been implemented. Since ARP packets are "forwarded" only by Linux
+bridges, the same may be achieved using
+.B FORWARD
+chain in
+.BR ebtables .
+
+.SH MAILINGLISTS
+.BR "" "See " http://netfilter.org/mailinglists.html
+.SH SEE ALSO
+.BR xtables-nft "(8), " iptables "(8), " ebtables "(8), " ip (8)
+.PP
+.BR "" "See " https://wiki.nftables.org
--- /dev/null
+.TH EBTABLES 8 "December 2011"
+.\"
+.\" Man page written by Bart De Schuymer <bdschuym@pandora.be>
+.\" It is based on the iptables man page.
+.\"
+.\" The man page was edited, February 25th 2003, by
+.\" Greg Morgan <" dr_kludge_at_users_sourceforge_net >
+.\"
+.\" Iptables page by Herve Eychenne March 2000.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+ebtables \- Ethernet bridge frame table administration (nft-based)
+.SH SYNOPSIS
+.BR "ebtables " [ -t " table ] " - [ ACDI "] chain rule specification [match extensions] [watcher extensions] target"
+.br
+.BR "ebtables " [ -t " table ] " -P " chain " ACCEPT " | " DROP " | " RETURN
+.br
+.BR "ebtables " [ -t " table ] " -F " [chain]"
+.br
+.BR "ebtables " [ -t " table ] " -Z " [chain]"
+.br
+.BR "ebtables " [ -t " table ] " -L " [" -Z "] [chain] [ [" --Ln "] | [" --Lx "] ] [" --Lc "] [" --Lmac2 ]
+.br
+.BR "ebtables " [ -t " table ] " -N " chain [" "-P ACCEPT " | " DROP " | " RETURN" ]
+.br
+.BR "ebtables " [ -t " table ] " -X " [chain]"
+.br
+.BR "ebtables " [ -t " table ] " -E " old-chain-name new-chain-name"
+.br
+.BR "ebtables " [ -t " table ] " --init-table
+.br
+.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-commit
+.br
+.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-init
+.br
+.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-save
+.br
+
+.SH DESCRIPTION
+.B ebtables
+is an application program used to set up and maintain the
+tables of rules (inside the Linux kernel) that inspect
+Ethernet frames.
+It is analogous to the
+.B iptables
+application, but less complicated, due to the fact that the Ethernet protocol
+is much simpler than the IP protocol.
+.SS CHAINS
+There are two ebtables tables with built-in chains in the
+Linux kernel. These tables are used to divide functionality into
+different sets of rules. Each set of rules is called a chain.
+Each chain is an ordered list of rules that can match Ethernet frames. If a
+rule matches an Ethernet frame, then a processing specification tells
+what to do with that matching frame. The processing specification is
+called a 'target'. However, if the frame does not match the current
+rule in the chain, then the next rule in the chain is examined and so forth.
+The user can create new (user-defined) chains that can be used as the 'target'
+of a rule. User-defined chains are very useful to get better performance
+over the linear traversal of the rules and are also essential for structuring
+the filtering rules into well-organized and maintainable sets of rules.
+.SS TARGETS
+A firewall rule specifies criteria for an Ethernet frame and a frame
+processing specification called a target. When a frame matches a rule,
+then the next action performed by the kernel is specified by the target.
+The target can be one of these values:
+.BR ACCEPT ,
+.BR DROP ,
+.BR CONTINUE ,
+.BR RETURN ,
+an 'extension' (see below) or a jump to a user-defined chain.
+.PP
+.B ACCEPT
+means to let the frame through.
+.B DROP
+means the frame has to be dropped.
+.B CONTINUE
+means the next rule has to be checked. This can be handy, f.e., to know how many
+frames pass a certain point in the chain, to log those frames or to apply multiple
+targets on a frame.
+.B RETURN
+means stop traversing this chain and resume at the next rule in the
+previous (calling) chain.
+For the extension targets please refer to the
+.B "TARGET EXTENSIONS"
+section of this man page.
+.SS TABLES
+As stated earlier, there are two ebtables tables in the Linux
+kernel. The table names are
+.BR filter " and " nat .
+Of these two tables,
+the filter table is the default table that the command operates on.
+If you are working with the filter table, then you can drop the '-t filter'
+argument to the ebtables command. However, you will need to provide
+the -t argument for
+.B nat
+table. Moreover, the -t argument must be the
+first argument on the ebtables command line, if used.
+.TP
+.B "-t, --table"
+.br
+.B filter
+is the default table and contains three built-in chains:
+.B INPUT
+(for frames destined for the bridge itself, on the level of the MAC destination address),
+.B OUTPUT
+(for locally-generated or (b)routed frames) and
+.B FORWARD
+(for frames being forwarded by the bridge).
+.br
+.br
+.B nat
+is mostly used to change the mac addresses and contains three built-in chains:
+.B PREROUTING
+(for altering frames as soon as they come in),
+.B OUTPUT
+(for altering locally generated or (b)routed frames before they are bridged) and
+.B POSTROUTING
+(for altering frames as they are about to go out). A small note on the naming
+of chains PREROUTING and POSTROUTING: it would be more accurate to call them
+PREFORWARDING and POSTFORWARDING, but for all those who come from the
+iptables world to ebtables it is easier to have the same names. Note that you
+can change the name
+.BR "" ( -E )
+if you don't like the default.
+.SH EBTABLES COMMAND LINE ARGUMENTS
+After the initial ebtables '-t table' command line argument, the remaining
+arguments can be divided into several groups. These groups
+are commands, miscellaneous commands, rule specifications, match extensions,
+watcher extensions and target extensions.
+.SS COMMANDS
+The ebtables command arguments specify the actions to perform on the table
+defined with the -t argument. If you do not use the -t argument to name
+a table, the commands apply to the default filter table.
+Only one command may be used on the command line at a time, except when
+the commands
+.BR -L " and " -Z
+are combined, the commands
+.BR -N " and " -P
+are combined, or when
+.B --atomic-file
+is used.
+.TP
+.B "-A, --append"
+Append a rule to the end of the selected chain.
+.TP
+.B "-D, --delete"
+Delete the specified rule or rules from the selected chain. There are two ways to
+use this command. The first is by specifying an interval of rule numbers
+to delete (directly after
+.BR -D ).
+Syntax: \fIstart_nr\fP[\fI:end_nr\fP] (use
+.B -L --Ln
+to list the rules with their rule number). When \fIend_nr\fP is omitted, all rules starting
+from \fIstart_nr\fP are deleted. Using negative numbers is allowed, for more
+details about using negative numbers, see the
+.B -I
+command. The second usage is by
+specifying the complete rule as it would have been specified when it was added. Only
+the first encountered rule that is the same as this specified rule, in other
+words the matching rule with the lowest (positive) rule number, is deleted.
+.TP
+.B "-C, --change-counters"
+Change the counters of the specified rule or rules from the selected chain. There are two ways to
+use this command. The first is by specifying an interval of rule numbers
+to do the changes on (directly after
+.BR -C ).
+Syntax: \fIstart_nr\fP[\fI:end_nr\fP] (use
+.B -L --Ln
+to list the rules with their rule number). The details are the same as for the
+.BR -D " command. The second usage is by"
+specifying the complete rule as it would have been specified when it was added. Only
+the counters of the first encountered rule that is the same as this specified rule, in other
+words the matching rule with the lowest (positive) rule number, are changed.
+In the first usage, the counters are specified directly after the interval specification,
+in the second usage directly after
+.BR -C .
+First the packet counter is specified, then the byte counter. If the specified counters start
+with a '+', the counter values are added to the respective current counter values.
+If the specified counters start with a '-', the counter values are decreased from the respective
+current counter values. No bounds checking is done. If the counters don't start with '+' or '-',
+the current counters are changed to the specified counters.
+.TP
+.B "-I, --insert"
+Insert the specified rule into the selected chain at the specified rule number. If the
+rule number is not specified, the rule is added at the head of the chain.
+If the current number of rules equals
+.IR N ,
+then the specified number can be
+between
+.IR -N " and " N+1 .
+For a positive number
+.IR i ,
+it holds that
+.IR i " and " i-N-1
+specify the same place in the chain where the rule should be inserted. The rule number
+0 specifies the place past the last rule in the chain and using this number is therefore
+equivalent to using the
+.BR -A " command."
+Rule numbers structly smaller than 0 can be useful when more than one rule needs to be inserted
+in a chain.
+.TP
+.B "-P, --policy"
+Set the policy for the chain to the given target. The policy can be
+.BR ACCEPT ", " DROP " or " RETURN .
+.TP
+.B "-F, --flush"
+Flush the selected chain. If no chain is selected, then every chain will be
+flushed. Flushing a chain does not change the policy of the
+chain, however.
+.TP
+.B "-Z, --zero"
+Set the counters of the selected chain to zero. If no chain is selected, all the counters
+are set to zero. The
+.B "-Z"
+command can be used in conjunction with the
+.B "-L"
+command.
+When both the
+.B "-Z"
+and
+.B "-L"
+commands are used together in this way, the rule counters are printed on the screen
+before they are set to zero.
+.TP
+.B "-L, --list"
+List all rules in the selected chain. If no chain is selected, all chains
+are listed.
+.br
+The following options change the output of the
+.B "-L"
+command.
+.br
+.B "--Ln"
+.br
+Places the rule number in front of every rule. This option is incompatible with the
+.BR --Lx " option."
+.br
+.B "--Lc"
+.br
+Shows the counters at the end of each rule displayed by the
+.B "-L"
+command. Both a frame counter (pcnt) and a byte counter (bcnt) are displayed.
+The frame counter shows how many frames have matched the specific rule, the byte
+counter shows the sum of the frame sizes of these matching frames. Using this option
+.BR "" "in combination with the " --Lx " option causes the counters to be written out"
+.BR "" "in the '" -c " <pcnt> <bcnt>' option format."
+.br
+.B "--Lx"
+.br
+Changes the output so that it produces a set of ebtables commands that construct
+the contents of the chain, when specified.
+If no chain is specified, ebtables commands to construct the contents of the
+table are given, including commands for creating the user-defined chains (if any).
+You can use this set of commands in an ebtables boot or reload
+script. For example the output could be used at system startup.
+The
+.B "--Lx"
+option is incompatible with the
+.B "--Ln"
+listing option. Using the
+.BR --Lx " option together with the " --Lc " option will cause the counters to be written out"
+.BR "" "in the '" -c " <pcnt> <bcnt>' option format."
+.br
+.B "--Lmac2"
+.br
+Shows all MAC addresses with the same length, adding leading zeroes
+if necessary. The default representation omits leading zeroes in the addresses.
+.TP
+.B "-N, --new-chain"
+Create a new user-defined chain with the given name. The number of
+user-defined chains is limited only by the number of possible chain names.
+A user-defined chain name has a maximum
+length of 31 characters. The standard policy of the user-defined chain is
+ACCEPT. The policy of the new chain can be initialized to a different standard
+target by using the
+.B -P
+command together with the
+.B -N
+command. In this case, the chain name does not have to be specified for the
+.B -P
+command.
+.TP
+.B "-X, --delete-chain"
+Delete the specified user-defined chain. There must be no remaining references (jumps)
+to the specified chain, otherwise ebtables will refuse to delete it. If no chain is
+specified, all user-defined chains that aren't referenced will be removed.
+.TP
+.B "-E, --rename-chain"
+Rename the specified chain to a new name. Besides renaming a user-defined
+chain, you can rename a standard chain to a name that suits your
+taste. For example, if you like PREFORWARDING more than PREROUTING,
+then you can use the -E command to rename the PREROUTING chain. If you do
+rename one of the standard ebtables chain names, please be sure to mention
+this fact should you post a question on the ebtables mailing lists.
+It would be wise to use the standard name in your post. Renaming a standard
+ebtables chain in this fashion has no effect on the structure or functioning
+of the ebtables kernel table.
+.TP
+.B "--init-table"
+Replace the current table data by the initial table data.
+.TP
+.B "--atomic-init"
+Copy the kernel's initial data of the table to the specified
+file. This can be used as the first action, after which rules are added
+to the file. The file can be specified using the
+.B --atomic-file
+command or through the
+.IR EBTABLES_ATOMIC_FILE " environment variable."
+.TP
+.B "--atomic-save"
+Copy the kernel's current data of the table to the specified
+file. This can be used as the first action, after which rules are added
+to the file. The file can be specified using the
+.B --atomic-file
+command or through the
+.IR EBTABLES_ATOMIC_FILE " environment variable."
+.TP
+.B "--atomic-commit"
+Replace the kernel table data with the data contained in the specified
+file. This is a useful command that allows you to load all your rules of a
+certain table into the kernel at once, saving the kernel a lot of precious
+time and allowing atomic updates of the tables. The file which contains
+the table data is constructed by using either the
+.B "--atomic-init"
+or the
+.B "--atomic-save"
+command to generate a starting file. After that, using the
+.B "--atomic-file"
+command when constructing rules or setting the
+.IR EBTABLES_ATOMIC_FILE " environment variable"
+allows you to extend the file and build the complete table before
+committing it to the kernel. This command can be very useful in boot scripts
+to populate the ebtables tables in a fast way.
+.SS MISCELLANOUS COMMANDS
+.TP
+.B "-V, --version"
+Show the version of the ebtables userspace program.
+.TP
+.BR "-h, --help " "[\fIlist of module names\fP]"
+Give a brief description of the command syntax. Here you can also specify
+names of extensions and ebtables will try to write help about those
+extensions. E.g.
+.IR "ebtables -h snat log ip arp" .
+Specify
+.I list_extensions
+to list all extensions supported by the userspace
+utility.
+.TP
+.BR "-j, --jump " "\fItarget\fP"
+The target of the rule. This is one of the following values:
+.BR ACCEPT ,
+.BR DROP ,
+.BR CONTINUE ,
+.BR RETURN ,
+a target extension (see
+.BR "TARGET EXTENSIONS" ")"
+or a user-defined chain name.
+.TP
+.B --atomic-file "\fIfile\fP"
+Let the command operate on the specified
+.IR file .
+The data of the table to
+operate on will be extracted from the file and the result of the operation
+will be saved back into the file. If specified, this option should come
+before the command specification. An alternative that should be preferred,
+is setting the
+.IR EBTABLES_ATOMIC_FILE " environment variable."
+.TP
+.B -M, --modprobe "\fIprogram\fP"
+When talking to the kernel, use this
+.I program
+to try to automatically load missing kernel modules.
+.TP
+.B --concurrent
+Use a file lock to support concurrent scripts updating the ebtables kernel tables.
+
+.SS
+RULE SPECIFICATIONS
+The following command line arguments make up a rule specification (as used
+in the add and delete commands). A "!" option before the specification
+inverts the test for that specification. Apart from these standard rule
+specifications there are some other command line arguments of interest.
+See both the
+.BR "MATCH EXTENSIONS"
+and the
+.BR "WATCHER EXTENSIONS"
+below.
+.TP
+.BR "-p, --protocol " "[!] \fIprotocol\fP"
+The protocol that was responsible for creating the frame. This can be a
+hexadecimal number, above
+.IR 0x0600 ,
+a name (e.g.
+.I ARP
+) or
+.BR LENGTH .
+The protocol field of the Ethernet frame can be used to denote the
+length of the header (802.2/802.3 networks). When the value of that field is
+below or equals
+.IR 0x0600 ,
+the value equals the size of the header and shouldn't be used as a
+protocol number. Instead, all frames where the protocol field is used as
+the length field are assumed to be of the same 'protocol'. The protocol
+name used in ebtables for these frames is
+.BR LENGTH .
+.br
+The file
+.B /etc/ethertypes
+can be used to show readable
+characters instead of hexadecimal numbers for the protocols. For example,
+.I 0x0800
+will be represented by
+.IR IPV4 .
+The use of this file is not case sensitive.
+See that file for more information. The flag
+.B --proto
+is an alias for this option.
+.TP
+.BR "-i, --in-interface " "[!] \fIname\fP"
+The interface (bridge port) via which a frame is received (this option is useful in the
+.BR INPUT ,
+.BR FORWARD ,
+.BR PREROUTING " and " BROUTING
+chains). If the interface name ends with '+', then
+any interface name that begins with this name (disregarding '+') will match.
+The flag
+.B --in-if
+is an alias for this option.
+.TP
+.BR "--logical-in " "[!] \fIname\fP"
+The (logical) bridge interface via which a frame is received (this option is useful in the
+.BR INPUT ,
+.BR FORWARD ,
+.BR PREROUTING " and " BROUTING
+chains).
+If the interface name ends with '+', then
+any interface name that begins with this name (disregarding '+') will match.
+.TP
+.BR "-o, --out-interface " "[!] \fIname\fP"
+The interface (bridge port) via which a frame is going to be sent (this option is useful in the
+.BR OUTPUT ,
+.B FORWARD
+and
+.B POSTROUTING
+chains). If the interface name ends with '+', then
+any interface name that begins with this name (disregarding '+') will match.
+The flag
+.B --out-if
+is an alias for this option.
+.TP
+.BR "--logical-out " "[!] \fIname\fP"
+The (logical) bridge interface via which a frame is going to be sent (this option
+is useful in the
+.BR OUTPUT ,
+.B FORWARD
+and
+.B POSTROUTING
+chains).
+If the interface name ends with '+', then
+any interface name that begins with this name (disregarding '+') will match.
+.TP
+.BR "-s, --source " "[!] \fIaddress\fP[/\fImask\fP]"
+The source MAC address. Both mask and address are written as 6 hexadecimal
+numbers separated by colons. Alternatively one can specify Unicast,
+Multicast, Broadcast or BGA (Bridge Group Address):
+.br
+.IR "Unicast" "=00:00:00:00:00:00/01:00:00:00:00:00,"
+.IR "Multicast" "=01:00:00:00:00:00/01:00:00:00:00:00,"
+.IR "Broadcast" "=ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff or"
+.IR "BGA" "=01:80:c2:00:00:00/ff:ff:ff:ff:ff:ff."
+Note that a broadcast
+address will also match the multicast specification. The flag
+.B --src
+is an alias for this option.
+.TP
+.BR "-d, --destination " "[!] \fIaddress\fP[/\fImask\fP]"
+The destination MAC address. See
+.B -s
+(above) for more details on MAC addresses. The flag
+.B --dst
+is an alias for this option.
+.TP
+.BR "-c, --set-counter " "\fIpcnt bcnt\fP"
+If used with
+.BR -A " or " -I ", then the packet and byte counters of the new rule will be set to
+.IR pcnt ", resp. " bcnt ".
+If used with the
+.BR -C " or " -D " commands, only rules with a packet and byte count equal to"
+.IR pcnt ", resp. " bcnt " will match."
+
+.SS MATCH EXTENSIONS
+Ebtables extensions are dynamically loaded into the userspace tool,
+there is therefore no need to explicitly load them with a
+-m option like is done in iptables.
+These extensions deal with functionality supported by kernel modules supplemental to
+the core ebtables code.
+.SS 802_3
+Specify 802.3 DSAP/SSAP fields or SNAP type. The protocol must be specified as
+.IR "LENGTH " "(see the option " " -p " above).
+.TP
+.BR "--802_3-sap " "[!] \fIsap\fP"
+DSAP and SSAP are two one byte 802.3 fields. The bytes are always
+equal, so only one byte (hexadecimal) is needed as an argument.
+.TP
+.BR "--802_3-type " "[!] \fItype\fP"
+If the 802.3 DSAP and SSAP values are 0xaa then the SNAP type field must
+be consulted to determine the payload protocol. This is a two byte
+(hexadecimal) argument. Only 802.3 frames with DSAP/SSAP 0xaa are
+checked for type.
+.SS among
+Match a MAC address or MAC/IP address pair versus a list of MAC addresses
+and MAC/IP address pairs.
+A list entry has the following format:
+.IR xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,] ". Multiple"
+list entries are separated by a comma, specifying an IP address corresponding to
+the MAC address is optional. Multiple MAC/IP address pairs with the same MAC address
+but different IP address (and vice versa) can be specified. If the MAC address doesn't
+match any entry from the list, the frame doesn't match the rule (unless "!" was used).
+.TP
+.BR "--among-dst " "[!] \fIlist\fP"
+Compare the MAC destination to the given list. If the Ethernet frame has type
+.IR IPv4 " or " ARP ,
+then comparison with MAC/IP destination address pairs from the
+list is possible.
+.TP
+.BR "--among-src " "[!] \fIlist\fP"
+Compare the MAC source to the given list. If the Ethernet frame has type
+.IR IPv4 " or " ARP ,
+then comparison with MAC/IP source address pairs from the list
+is possible.
+.TP
+.BR "--among-dst-file " "[!] \fIfile\fP"
+Same as
+.BR --among-dst " but the list is read in from the specified file."
+.TP
+.BR "--among-src-file " "[!] \fIfile\fP"
+Same as
+.BR --among-src " but the list is read in from the specified file."
+.PP
+Note that in this implementation of ebtables, among lists uses must be
+internally homogeneous regarding whether IP addresses are present or not. Mixed
+use of MAC addresses and MAC/IP address pairs is not supported yet.
+.SS arp
+Specify (R)ARP fields. The protocol must be specified as
+.IR ARP " or " RARP .
+.TP
+.BR "--arp-opcode " "[!] \fIopcode\fP"
+The (R)ARP opcode (decimal or a string, for more details see
+.BR "ebtables -h arp" ).
+.TP
+.BR "--arp-htype " "[!] \fIhardware type\fP"
+The hardware type, this can be a decimal or the string
+.I Ethernet
+(which sets
+.I type
+to 1). Most (R)ARP packets have Eternet as hardware type.
+.TP
+.BR "--arp-ptype " "[!] \fIprotocol type\fP"
+The protocol type for which the (r)arp is used (hexadecimal or the string
+.IR IPv4 ,
+denoting 0x0800).
+Most (R)ARP packets have protocol type IPv4.
+.TP
+.BR "--arp-ip-src " "[!] \fIaddress\fP[/\fImask\fP]"
+The (R)ARP IP source address specification.
+.TP
+.BR "--arp-ip-dst " "[!] \fIaddress\fP[/\fImask\fP]"
+The (R)ARP IP destination address specification.
+.TP
+.BR "--arp-mac-src " "[!] \fIaddress\fP[/\fImask\fP]"
+The (R)ARP MAC source address specification.
+.TP
+.BR "--arp-mac-dst " "[!] \fIaddress\fP[/\fImask\fP]"
+The (R)ARP MAC destination address specification.
+.TP
+.BR "" "[!]" " --arp-gratuitous"
+Checks for ARP gratuitous packets: checks equality of IPv4 source
+address and IPv4 destination address inside the ARP header.
+.SS ip
+Specify IPv4 fields. The protocol must be specified as
+.IR IPv4 .
+.TP
+.BR "--ip-source " "[!] \fIaddress\fP[/\fImask\fP]"
+The source IP address.
+The flag
+.B --ip-src
+is an alias for this option.
+.TP
+.BR "--ip-destination " "[!] \fIaddress\fP[/\fImask\fP]"
+The destination IP address.
+The flag
+.B --ip-dst
+is an alias for this option.
+.TP
+.BR "--ip-tos " "[!] \fItos\fP"
+The IP type of service, in hexadecimal numbers.
+.BR IPv4 .
+.TP
+.BR "--ip-protocol " "[!] \fIprotocol\fP"
+The IP protocol.
+The flag
+.B --ip-proto
+is an alias for this option.
+.TP
+.BR "--ip-source-port " "[!] \fIport1\fP[:\fIport2\fP]"
+The source port or port range for the IP protocols 6 (TCP), 17
+(UDP), 33 (DCCP) or 132 (SCTP). The
+.B --ip-protocol
+option must be specified as
+.IR TCP ", " UDP ", " DCCP " or " SCTP .
+If
+.IR port1 " is omitted, " 0:port2 " is used; if " port2 " is omitted but a colon is specified, " port1:65535 " is used."
+The flag
+.B --ip-sport
+is an alias for this option.
+.TP
+.BR "--ip-destination-port " "[!] \fIport1\fP[:\fIport2\fP]"
+The destination port or port range for ip protocols 6 (TCP), 17
+(UDP), 33 (DCCP) or 132 (SCTP). The
+.B --ip-protocol
+option must be specified as
+.IR TCP ", " UDP ", " DCCP " or " SCTP .
+If
+.IR port1 " is omitted, " 0:port2 " is used; if " port2 " is omitted but a colon is specified, " port1:65535 " is used."
+The flag
+.B --ip-dport
+is an alias for this option.
+.SS ip6
+Specify IPv6 fields. The protocol must be specified as
+.IR IPv6 .
+.TP
+.BR "--ip6-source " "[!] \fIaddress\fP[/\fImask\fP]"
+The source IPv6 address.
+The flag
+.B --ip6-src
+is an alias for this option.
+.TP
+.BR "--ip6-destination " "[!] \fIaddress\fP[/\fImask\fP]"
+The destination IPv6 address.
+The flag
+.B --ip6-dst
+is an alias for this option.
+.TP
+.BR "--ip6-tclass " "[!] \fItclass\fP"
+The IPv6 traffic class, in hexadecimal numbers.
+.TP
+.BR "--ip6-protocol " "[!] \fIprotocol\fP"
+The IP protocol.
+The flag
+.B --ip6-proto
+is an alias for this option.
+.TP
+.BR "--ip6-source-port " "[!] \fIport1\fP[:\fIport2\fP]"
+The source port or port range for the IPv6 protocols 6 (TCP), 17
+(UDP), 33 (DCCP) or 132 (SCTP). The
+.B --ip6-protocol
+option must be specified as
+.IR TCP ", " UDP ", " DCCP " or " SCTP .
+If
+.IR port1 " is omitted, " 0:port2 " is used; if " port2 " is omitted but a colon is specified, " port1:65535 " is used."
+The flag
+.B --ip6-sport
+is an alias for this option.
+.TP
+.BR "--ip6-destination-port " "[!] \fIport1\fP[:\fIport2\fP]"
+The destination port or port range for IPv6 protocols 6 (TCP), 17
+(UDP), 33 (DCCP) or 132 (SCTP). The
+.B --ip6-protocol
+option must be specified as
+.IR TCP ", " UDP ", " DCCP " or " SCTP .
+If
+.IR port1 " is omitted, " 0:port2 " is used; if " port2 " is omitted but a colon is specified, " port1:65535 " is used."
+The flag
+.B --ip6-dport
+is an alias for this option.
+.TP
+.BR "--ip6-icmp-type " "[!] {\fItype\fP[:\fItype\fP]/\fIcode\fP[:\fIcode\fP]|\fItypename\fP}"
+Specify ipv6\-icmp type and code to match.
+Ranges for both type and code are supported. Type and code are
+separated by a slash. Valid numbers for type and range are 0 to 255.
+To match a single type including all valid codes, symbolic names can
+be used instead of numbers. The list of known type names is shown by the command
+.nf
+ ebtables \-\-help ip6
+.fi
+This option is only valid for \-\-ip6-prococol ipv6-icmp.
+.SS limit
+This module matches at a limited rate using a token bucket filter.
+A rule using this extension will match until this limit is reached.
+It can be used with the
+.B --log
+watcher to give limited logging, for example. Its use is the same
+as the limit match of iptables.
+.TP
+.BR "--limit " "[\fIvalue\fP]"
+Maximum average matching rate: specified as a number, with an optional
+.IR /second ", " /minute ", " /hour ", or " /day " suffix; the default is " 3/hour .
+.TP
+.BR "--limit-burst " "[\fInumber\fP]"
+Maximum initial number of packets to match: this number gets recharged by
+one every time the limit specified above is not reached, up to this
+number; the default is
+.IR 5 .
+.SS mark_m
+.TP
+.BR "--mark " "[!] [\fIvalue\fP][/\fImask\fP]"
+Matches frames with the given unsigned mark value. If a
+.IR value " and " mask " are specified, the logical AND of the mark value of the frame and"
+the user-specified
+.IR mask " is taken before comparing it with the"
+user-specified mark
+.IR value ". When only a mark "
+.IR value " is specified, the packet"
+only matches when the mark value of the frame equals the user-specified
+mark
+.IR value .
+If only a
+.IR mask " is specified, the logical"
+AND of the mark value of the frame and the user-specified
+.IR mask " is taken and the frame matches when the result of this logical AND is"
+non-zero. Only specifying a
+.IR mask " is useful to match multiple mark values."
+.SS pkttype
+.TP
+.BR "--pkttype-type " "[!] \fItype\fP"
+Matches on the Ethernet "class" of the frame, which is determined by the
+generic networking code. Possible values:
+.IR broadcast " (MAC destination is the broadcast address),"
+.IR multicast " (MAC destination is a multicast address),"
+.IR host " (MAC destination is the receiving network device), or "
+.IR otherhost " (none of the above)."
+.SS stp
+Specify stp BPDU (bridge protocol data unit) fields. The destination
+address
+.BR "" ( -d ") must be specified as the bridge group address"
+.IR "" ( BGA ).
+For all options for which a range of values can be specified, it holds that
+if the lower bound is omitted (but the colon is not), then the lowest possible lower bound
+for that option is used, while if the upper bound is omitted (but the colon again is not), the
+highest possible upper bound for that option is used.
+.TP
+.BR "--stp-type " "[!] \fItype\fP"
+The BPDU type (0-255), recognized non-numerical types are
+.IR config ", denoting a configuration BPDU (=0), and"
+.IR tcn ", denothing a topology change notification BPDU (=128)."
+.TP
+.BR "--stp-flags " "[!] \fIflag\fP"
+The BPDU flag (0-255), recognized non-numerical flags are
+.IR topology-change ", denoting the topology change flag (=1), and"
+.IR topology-change-ack ", denoting the topology change acknowledgement flag (=128)."
+.TP
+.BR "--stp-root-prio " "[!] [\fIprio\fP][:\fIprio\fP]"
+The root priority (0-65535) range.
+.TP
+.BR "--stp-root-addr " "[!] [\fIaddress\fP][/\fImask\fP]"
+The root mac address, see the option
+.BR -s " for more details."
+.TP
+.BR "--stp-root-cost " "[!] [\fIcost\fP][:\fIcost\fP]"
+The root path cost (0-4294967295) range.
+.TP
+.BR "--stp-sender-prio " "[!] [\fIprio\fP][:\fIprio\fP]"
+The BPDU's sender priority (0-65535) range.
+.TP
+.BR "--stp-sender-addr " "[!] [\fIaddress\fP][/\fImask\fP]"
+The BPDU's sender mac address, see the option
+.BR -s " for more details."
+.TP
+.BR "--stp-port " "[!] [\fIport\fP][:\fIport\fP]"
+The port identifier (0-65535) range.
+.TP
+.BR "--stp-msg-age " "[!] [\fIage\fP][:\fIage\fP]"
+The message age timer (0-65535) range.
+.TP
+.BR "--stp-max-age " "[!] [\fIage\fP][:\fIage\fP]"
+The max age timer (0-65535) range.
+.TP
+.BR "--stp-hello-time " "[!] [\fItime\fP][:\fItime\fP]"
+The hello time timer (0-65535) range.
+.TP
+.BR "--stp-forward-delay " "[!] [\fIdelay\fP][:\fIdelay\fP]"
+The forward delay timer (0-65535) range.
+.\" .SS string
+.\" This module matches on a given string using some pattern matching strategy.
+.\" .TP
+.\" .BR "--string-algo " "\fIalgorithm\fP"
+.\" The pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris)
+.\" .TP
+.\" .BR "--string-from " "\fIoffset\fP"
+.\" The lowest offset from which a match can start. (default: 0)
+.\" .TP
+.\" .BR "--string-to " "\fIoffset\fP"
+.\" The highest offset from which a match can start. (default: size of frame)
+.\" .TP
+.\" .BR "--string " "[!] \fIpattern\fP"
+.\" Matches the given pattern.
+.\" .TP
+.\" .BR "--string-hex " "[!] \fIpattern\fP"
+.\" Matches the given pattern in hex notation, e.g. '|0D 0A|', '|0D0A|', 'www|09|netfilter|03|org|00|'
+.\" .TP
+.\" .BR "--string-icase"
+.\" Ignore case when searching.
+.SS vlan
+Specify 802.1Q Tag Control Information fields.
+The protocol must be specified as
+.IR 802_1Q " (0x8100)."
+.TP
+.BR "--vlan-id " "[!] \fIid\fP"
+The VLAN identifier field (VID). Decimal number from 0 to 4095.
+.TP
+.BR "--vlan-prio " "[!] \fIprio\fP"
+The user priority field, a decimal number from 0 to 7.
+The VID should be set to 0 ("null VID") or unspecified
+(in the latter case the VID is deliberately set to 0).
+.TP
+.BR "--vlan-encap " "[!] \fItype\fP"
+The encapsulated Ethernet frame type/length.
+Specified as a hexadecimal
+number from 0x0000 to 0xFFFF or as a symbolic name
+from
+.BR /etc/ethertypes .
+
+.SS WATCHER EXTENSIONS
+Watchers only look at frames passing by, they don't modify them nor decide
+to accept the frames or not. These watchers only
+see the frame if the frame matches the rule, and they see it before the
+target is executed.
+.SS log
+The log watcher writes descriptive data about a frame to the syslog.
+.TP
+.B "--log"
+.br
+Log with the default loggin options: log-level=
+.IR info ,
+log-prefix="", no ip logging, no arp logging.
+.TP
+.B --log-level "\fIlevel\fP"
+.br
+Defines the logging level. For the possible values, see
+.BR "ebtables -h log" .
+The default level is
+.IR info .
+.TP
+.BR --log-prefix " \fItext\fP"
+.br
+Defines the prefix
+.I text
+to be printed at the beginning of the line with the logging information.
+.TP
+.B --log-ip
+.br
+Will log the ip information when a frame made by the ip protocol matches
+the rule. The default is no ip information logging.
+.TP
+.B --log-ip6
+.br
+Will log the ipv6 information when a frame made by the ipv6 protocol matches
+the rule. The default is no ipv6 information logging.
+.TP
+.B --log-arp
+.br
+Will log the (r)arp information when a frame made by the (r)arp protocols
+matches the rule. The default is no (r)arp information logging.
+.SS nflog
+The nflog watcher passes the packet to the loaded logging backend
+in order to log the packet. This is usually used in combination with
+nfnetlink_log as logging backend, which will multicast the packet
+through a
+.IR netlink
+socket to the specified multicast group. One or more userspace processes
+may subscribe to the group to receive the packets.
+.TP
+.B "--nflog"
+.br
+Log with the default logging options
+.TP
+.B --nflog-group "\fInlgroup\fP"
+.br
+The netlink group (1 - 2^32-1) to which packets are (only applicable for
+nfnetlink_log). The default value is 1.
+.TP
+.B --nflog-prefix "\fIprefix\fP"
+.br
+A prefix string to include in the log message, up to 30 characters
+long, useful for distinguishing messages in the logs.
+.TP
+.B --nflog-range "\fIsize\fP"
+.br
+The number of bytes to be copied to userspace (only applicable for
+nfnetlink_log). nfnetlink_log instances may specify their own
+range, this option overrides it.
+.TP
+.B --nflog-threshold "\fIsize\fP"
+.br
+Number of packets to queue inside the kernel before sending them
+to userspace (only applicable for nfnetlink_log). Higher values
+result in less overhead per packet, but increase delay until the
+packets reach userspace. The default value is 1.
+.SS ulog
+The ulog watcher passes the packet to a userspace
+logging daemon using netlink multicast sockets. This differs
+from the log watcher in the sense that the complete packet is
+sent to userspace instead of a descriptive text and that
+netlink multicast sockets are used instead of the syslog.
+This watcher enables parsing of packets with userspace programs, the
+physical bridge in and out ports are also included in the netlink messages.
+The ulog watcher module accepts 2 parameters when the module is loaded
+into the kernel (e.g. with modprobe):
+.B nlbufsiz
+specifies how big the buffer for each netlink multicast
+group is. If you say
+.IR nlbufsiz=8192 ,
+for example, up to eight kB of packets will
+get accumulated in the kernel until they are sent to userspace. It is
+not possible to allocate more than 128kB. Please also keep in mind that
+this buffer size is allocated for each nlgroup you are using, so the
+total kernel memory usage increases by that factor. The default is 4096.
+.B flushtimeout
+specifies after how many hundredths of a second the queue should be
+flushed, even if it is not full yet. The default is 10 (one tenth of
+a second).
+.TP
+.B "--ulog"
+.br
+Use the default settings: ulog-prefix="", ulog-nlgroup=1,
+ulog-cprange=4096, ulog-qthreshold=1.
+.TP
+.B --ulog-prefix "\fItext\fP"
+.br
+Defines the prefix included with the packets sent to userspace.
+.TP
+.BR --ulog-nlgroup " \fIgroup\fP"
+.br
+Defines which netlink group number to use (a number from 1 to 32).
+Make sure the netlink group numbers used for the iptables ULOG
+target differ from those used for the ebtables ulog watcher.
+The default group number is 1.
+.TP
+.BR --ulog-cprange " \fIrange\fP"
+.br
+Defines the maximum copy range to userspace, for packets matching the
+rule. The default range is 0, which means the maximum copy range is
+given by
+.BR nlbufsiz .
+A maximum copy range larger than
+128*1024 is meaningless as the packets sent to userspace have an upper
+size limit of 128*1024.
+.TP
+.BR --ulog-qthreshold " \fIthreshold\fP"
+.br
+Queue at most
+.I threshold
+number of packets before sending them to
+userspace with a netlink socket. Note that packets can be sent to
+userspace before the queue is full, this happens when the ulog
+kernel timer goes off (the frequency of this timer depends on
+.BR flushtimeout ).
+.SS TARGET EXTENSIONS
+.SS arpreply
+The
+.B arpreply
+target can be used in the
+.BR PREROUTING " chain of the " nat " table."
+If this target sees an ARP request it will automatically reply
+with an ARP reply. The used MAC address for the reply can be specified.
+The protocol must be specified as
+.IR ARP .
+When the ARP message is not an ARP request or when the ARP request isn't
+for an IP address on an Ethernet network, it is ignored by this target
+.BR "" ( CONTINUE ).
+When the ARP request is malformed, it is dropped
+.BR "" ( DROP ).
+.TP
+.BR "--arpreply-mac " "\fIaddress\fP"
+Specifies the MAC address to reply with: the Ethernet source MAC and the
+ARP payload source MAC will be filled in with this address.
+.TP
+.BR "--arpreply-target " "\fItarget\fP"
+Specifies the standard target. After sending the ARP reply, the rule still
+has to give a standard target so ebtables knows what to do with the ARP request.
+The default target
+.BR "" "is " DROP .
+.SS dnat
+The
+.B dnat
+target can only be used in the
+.BR PREROUTING " and " OUTPUT " chains of the " nat " table."
+It specifies that the destination MAC address has to be changed.
+.TP
+.BR "--to-destination " "\fIaddress\fP"
+.br
+Change the destination MAC address to the specified
+.IR address .
+The flag
+.B --to-dst
+is an alias for this option.
+.TP
+.BR "--dnat-target " "\fItarget\fP"
+.br
+Specifies the standard target. After doing the dnat, the rule still has to
+give a standard target so ebtables knows what to do with the dnated frame.
+The default target is
+.BR ACCEPT .
+Making it
+.BR CONTINUE " could let you use"
+multiple target extensions on the same frame. Making it
+.BR DROP " only makes"
+sense in the
+.BR BROUTING " chain but using the " redirect " target is more logical there. " RETURN " is also allowed. Note that using " RETURN
+in a base chain is not allowed (for obvious reasons).
+.SS mark
+.BR "" "The " mark " target can be used in every chain of every table. It is possible"
+to use the marking of a frame/packet in both ebtables and iptables,
+if the bridge-nf code is compiled into the kernel. Both put the marking at the
+same place. This allows for a form of communication between ebtables and iptables.
+.TP
+.BR "--mark-set " "\fIvalue\fP"
+.br
+Mark the frame with the specified non-negative
+.IR value .
+.TP
+.BR "--mark-or " "\fIvalue\fP"
+.br
+Or the frame with the specified non-negative
+.IR value .
+.TP
+.BR "--mark-and " "\fIvalue\fP"
+.br
+And the frame with the specified non-negative
+.IR value .
+.TP
+.BR "--mark-xor " "\fIvalue\fP"
+.br
+Xor the frame with the specified non-negative
+.IR value .
+.TP
+.BR "--mark-target " "\fItarget\fP"
+.br
+Specifies the standard target. After marking the frame, the rule
+still has to give a standard target so ebtables knows what to do.
+The default target is
+.BR ACCEPT ". Making it " CONTINUE " can let you do other"
+things with the frame in subsequent rules of the chain.
+.SS redirect
+The
+.B redirect
+target will change the MAC target address to that of the bridge device the
+frame arrived on. This target can only be used in the
+.BR PREROUTING " chain of the " nat " table."
+The MAC address of the bridge is used as destination address."
+.TP
+.BR "--redirect-target " "\fItarget\fP"
+.br
+Specifies the standard target. After doing the MAC redirect, the rule
+still has to give a standard target so ebtables knows what to do.
+The default target is
+.BR ACCEPT ". Making it " CONTINUE " could let you use"
+multiple target extensions on the same frame. Making it
+.BR DROP " in the " BROUTING " chain will let the frames be routed. " RETURN " is also allowed. Note"
+.BR "" "that using " RETURN " in a base chain is not allowed."
+.SS snat
+The
+.B snat
+target can only be used in the
+.BR POSTROUTING " chain of the " nat " table."
+It specifies that the source MAC address has to be changed.
+.TP
+.BR "--to-source " "\fIaddress\fP"
+.br
+Changes the source MAC address to the specified
+.IR address ". The flag"
+.B --to-src
+is an alias for this option.
+.TP
+.BR "--snat-target " "\fItarget\fP"
+.br
+Specifies the standard target. After doing the snat, the rule still has
+to give a standard target so ebtables knows what to do.
+.BR "" "The default target is " ACCEPT ". Making it " CONTINUE " could let you use"
+.BR "" "multiple target extensions on the same frame. Making it " DROP " doesn't"
+.BR "" "make sense, but you could do that too. " RETURN " is also allowed. Note"
+.BR "" "that using " RETURN " in a base chain is not allowed."
+.br
+.TP
+.BR "--snat-arp "
+.br
+Also change the hardware source address inside the arp header if the packet is an
+arp message and the hardware address length in the arp header is 6 bytes.
+.br
+.SH FILES
+.I /etc/ethertypes
+.SH ENVIRONMENT VARIABLES
+.I EBTABLES_ATOMIC_FILE
+.SH MAILINGLISTS
+.BR "" "See " http://netfilter.org/mailinglists.html
+.SH BUGS
+The version of ebtables this man page ships with does not support the
+.B broute
+table. Also there is no support for
+.B string
+match. And finally, this list is probably not complete.
+.SH SEE ALSO
+.BR xtables-nft "(8), " iptables "(8), " ip (8)
+.PP
+.BR "" "See " https://wiki.nftables.org
--- /dev/null
+.so man8/xtables-translate.8
--- /dev/null
+.so man8/xtables-translate.8
.\" Author: Martin F. Krafft
.\" Date: Jun 04, 2006
.\"
-.TH IPTABLES\-APPLY 8 "" "iptables 1.4.21" "iptables 1.4.21"
+.TH IPTABLES\-APPLY 8 "" "iptables 1.8.4" "iptables 1.8.4"
.\" disable hyphenation
.nh
.SH NAME
-.TH iptables-extensions 8 "" "iptables 1.4.21" "iptables 1.4.21"
+.TH iptables-extensions 8 "" "iptables 1.8.4" "iptables 1.8.4"
.SH NAME
iptables-extensions \(em list of extensions in the standard iptables distribution
.SH SYNOPSIS
.TP
[\fB!\fP] \fB\-\-ahspi\fP \fIspi\fP[\fB:\fP\fIspi\fP]
.SS bpf
-Match using Linux Socket Filter. Expects a BPF program in decimal format. This
-is the format generated by the \fBnfbpf_compile\fP utility.
+Match using Linux Socket Filter. Expects a path to an eBPF object or a cBPF
+program in decimal format.
+.TP
+\fB\-\-object\-pinned\fP \fIpath\fP
+Pass a path to a pinned eBPF object.
+.PP
+Applications load eBPF programs into the kernel with the bpf() system call and
+BPF_PROG_LOAD command and can pin them in a virtual filesystem with BPF_OBJ_PIN.
+To use a pinned object in iptables, mount the bpf filesystem using
+.IP
+mount \-t bpf bpf ${BPF_MOUNT}
+.PP
+then insert the filter in iptables by path:
+.IP
+iptables \-A OUTPUT \-m bpf \-\-object\-pinned ${BPF_MOUNT}/{PINNED_PATH} \-j ACCEPT
.TP
\fB\-\-bytecode\fP \fIcode\fP
-Pass the BPF byte code format (described in the example below).
+Pass the BPF byte code format as generated by the \fBnfbpf_compile\fP utility.
.PP
The code format is similar to the output of the tcpdump -ddd command: one line
that stores the number of instructions, followed by one line for each
.IP
iptables \-A OUTPUT \-m bpf \-\-bytecode "`nfbpf_compile RAW 'ip proto 6'`" \-j ACCEPT
.PP
+Or use tcpdump -ddd. In that case, generate BPF targeting a device with the
+same data link type as the xtables match. Iptables passes packets from the
+network layer up, without mac layer. Select a device with data link type RAW,
+such as a tun device:
+.IP
+ip tuntap add tun0 mode tun
+.br
+ip link set tun0 up
+.br
+tcpdump -ddd -i tun0 ip proto 6
+.PP
+See tcpdump -L -i $dev for a list of known data link types for a given device.
+.PP
You may want to learn more about BPF from FreeBSD's bpf(4) manpage.
+.SS cgroup
+.TP
+[\fB!\fP] \fB\-\-path\fP \fIpath\fP
+Match cgroup2 membership.
+
+Each socket is associated with the v2 cgroup of the creating process.
+This matches packets coming from or going to all sockets in the
+sub-hierarchy of the specified path. The path should be relative to
+the root of the cgroup2 hierarchy.
+.TP
+[\fB!\fP] \fB\-\-cgroup\fP \fIclassid\fP
+Match cgroup net_cls classid.
+
+classid is the marker set through the cgroup net_cls controller. This
+option and \-\-path can't be used together.
+.PP
+Example:
+.IP
+iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-path service/http-server \-j DROP
+.IP
+iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-cgroup 1
+\-j DROP
+.PP
+\fBIMPORTANT\fP: when being used in the INPUT chain, the cgroup
+matcher is currently only of limited functionality, meaning it
+will only match on packets that are processed for local sockets
+through early socket demuxing. Therefore, general usage on the
+INPUT chain is not advised unless the implications are well
+understood.
+.PP
+Available since Linux 3.14.
.SS cluster
Allows you to deploy gateway and back-end load-sharing clusters without the
need of load-balancers.
.TP
Example:
iptables .. \-m connbytes \-\-connbytes 10000:100000 \-\-connbytes\-dir both \-\-connbytes\-mode bytes ...
+.SS connlabel
+Module matches or adds connlabels to a connection.
+connlabels are similar to connmarks, except labels are bit-based; i.e.
+all labels may be attached to a flow at the same time.
+Up to 128 unique labels are currently supported.
+.TP
+[\fB!\fP] \fB\-\-label\fP \fBname\fP
+matches if label \fBname\fP has been set on a connection.
+Instead of a name (which will be translated to a number, see EXAMPLE below),
+a number may be used instead. Using a number always overrides connlabel.conf.
+.TP
+\fB\-\-set\fP
+if the label has not been set on the connection, set it.
+Note that setting a label can fail. This is because the kernel allocates the
+conntrack label storage area when the connection is created, and it only
+reserves the amount of memory required by the ruleset that exists at
+the time the connection is created.
+In this case, the match will fail (or succeed, in case \fB\-\-label\fP
+option was negated).
+.PP
+This match depends on libnetfilter_conntrack 1.0.4 or later.
+Label translation is done via the \fB/etc/xtables/connlabel.conf\fP configuration file.
+.PP
+Example:
+.IP
+.nf
+0 eth0-in
+1 eth0-out
+2 ppp-in
+3 ppp-out
+4 bulk-traffic
+5 interactive
+.fi
+.PP
.SS connlimit
Allows you to restrict the number of parallel connections to a server per
client IP address (or client address block).
.TP
\fB\-\-hashlimit\-htable\-gcinterval\fP \fImsec\fP
How many milliseconds between garbage collection intervals.
+.TP
+\fB\-\-hashlimit\-rate\-match\fP
+Classify the flow instead of rate-limiting it. This acts like a
+true/false match on whether the rate is above/below a certain number
+.TP
+\fB\-\-hashlimit\-rate\-interval\fP \fIsec\fP
+Can be used with \-\-hashlimit\-rate\-match to specify the interval
+at which the rate should be sampled
.PP
Examples:
.TP
No Next header which matches 59 in the 'Next Header field' of IPv6 header or
any IPv6 extension headers
.TP
-\fBproto\fP
+\fBprot\fP
which matches any upper layer protocol header. A protocol name from
/etc/protocols and numeric value also allowed. The number 255 is equivalent to
-\fBproto\fP.
+\fBprot\fP.
.SS ipvs
Match IPVS connection properties.
.TP
.PP
\fBnfnl_osf -f /usr/share/xtables/pf.os -d\fP
.PP
-The fingerprint database can be downlaoded from
+The fingerprint database can be downloaded from
http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os .
.SS owner
This module attempts to match various characteristics of the packet creator,
Matches if the packet socket's file structure is owned by the given group.
You may also specify a numerical GID, or a GID range.
.TP
+\fB\-\-suppl\-groups\fP
+Causes group(s) specified with \fB\-\-gid-owner\fP to be also checked in the
+supplementary groups of a process.
+.TP
[\fB!\fP] \fB\-\-socket\-exists\fP
Matches if the packet is associated with a socket.
.SS physdev
through a bridge device, this packet won't match this option, unless '!' is used.
.TP
[\fB!\fP] \fB\-\-physdev\-out\fP \fIname\fP
-Name of a bridge port via which a packet is going to be sent (for packets
+Name of a bridge port via which a packet is going to be sent (for bridged packets
entering the
-.BR FORWARD ,
-.B OUTPUT
+.BR FORWARD
and
.B POSTROUTING
chains). If the interface name ends in a "+", then any
-interface which begins with this name will match. Note that in the
-.BR nat " and " mangle
-.B OUTPUT
-chains one cannot match on the bridge output port, however one can in the
-.B "filter OUTPUT"
-chain. If the packet won't leave by a bridge device or if it is yet unknown what
-the output device will be, then the packet won't match this option,
-unless '!' is used.
+interface which begins with this name will match.
.TP
[\fB!\fP] \fB\-\-physdev\-is\-in\fP
Matches if the packet has entered through a bridge interface.
Matches a given realm number (and optionally mask). If not a number, value
can be a named realm from /etc/iproute2/rt_realms (mask can not be used in
that case).
+Both value and mask are four byte unsigned integers and may be specified in
+decimal, hex (by prefixing with "0x") or octal (if a leading zero is given).
.SS recent
Allows you to dynamically create a list of IP addresses and then match against
that list in a few different ways.
This match can only be used in the PREROUTING chain of the raw or mangle table.
.TP
\fB\-\-loose\fP
-Used to specifiy that the reverse path filter test should match
+Used to specify that the reverse path filter test should match
even if the selected output device is not the expected one.
.TP
\fB\-\-validmark\fP
If the packet is matched an element in the set, match only if the
packet counter of the element is greater than the given value as well.
.TP
-[\fB!\fP] \fB\-bytes\-eq\fP \fIvalue\fP
+[\fB!\fP] \fB\-\-bytes\-eq\fP \fIvalue\fP
If the packet is matched an element in the set, match only if the
byte counter of the element matches the given value too.
.TP
Example (assuming packets with mark 1 are delivered locally):
.IP
\-t mangle \-A PREROUTING \-m socket \-\-transparent \-j MARK \-\-set\-mark 1
+.TP
+\fB\-\-restore\-skmark\fP
+Set the packet mark to the matching socket's mark. Can be combined with the
+\fB\-\-transparent\fP and \fB\-\-nowildcard\fP options to restrict the sockets
+to be matched when restoring the packet mark.
+.PP
+Example: An application opens 2 transparent (\fBIP_TRANSPARENT\fP) sockets and
+sets a mark on them with \fBSO_MARK\fP socket option. We can filter matching packets:
+.IP
+\-t mangle \-I PREROUTING \-m socket \-\-transparent \-\-restore-skmark \-j action
+.IP
+\-t mangle \-A action \-m mark \-\-mark 10 \-j action2
+.IP
+\-t mangle \-A action \-m mark \-\-mark 11 \-j action3
.SS state
The "state" extension is a subset of the "conntrack" module.
"state" allows access to the connection tracking state for this packet.
[\fB!\fP] \fB\-\-hex\-string\fP \fIpattern\fP
Matches the given pattern in hex notation.
.TP
+\fB\-\-icase\fP
+Ignore case when searching.
+.TP
Examples:
.IP
# The string pattern can be used for simple text characters.
using the format \fIfirst\fP\fB:\fP\fIlast\fP.
If the first port is omitted, "0" is assumed; if the last is omitted,
"65535" is assumed.
-If the first port is greater than the second one they will be swapped.
The flag
\fB\-\-sport\fP
is a convenient alias for this option.
This matches the TCP MSS (maximum segment size) field of the TCP header. You can only use this on TCP SYN or SYN/ACK packets, since the MSS is only negotiated during the TCP handshake at connection startup time.
.TP
[\fB!\fP] \fB\-\-mss\fP \fIvalue\fP[\fB:\fP\fIvalue\fP]
-Match a given TCP MSS value or range.
+Match a given TCP MSS value or range. If a range is given, the second \fIvalue\fP must be greater than or equal to the first \fIvalue\fP.
.SS time
This matches if the packet arrival time/date is within a given range. All
options are optional, but are ANDed when specified. All times are interpreted
B and C are unsigned 32 bit integers, initially zero
.PP
The instructions are:
-.IP
-number B = number;
+.TP
+.B number
+B = number;
.IP
C = (*(A+B)<<24) + (*(A+B+1)<<16) + (*(A+B+2)<<8) + *(A+B+3)
-.IP
-&number C = C & number
-.IP
-<< number C = C << number
-.IP
->> number C = C >> number
-.IP
-@number A = A + C; then do the instruction number
+.TP
+.B &number
+C = C & number
+.TP
+.B << number
+C = C << number
+.TP
+.B >> number
+C = C >> number
+.TP
+.B @number
+A = A + C; then do the instruction number
.PP
Any access of memory outside [skb\->data,skb\->end] causes the match to fail.
Otherwise the result of the computation is the final value of C.
See the description of the
\fB\-\-destination\-port\fP
option of the TCP extension for details.
-.SS unclean (IPv4-specific)
-This module takes no options, but attempts to match packets which seem
-malformed or unusual. This is regarded as experimental.
.SH TARGET EXTENSIONS
iptables can use extended target modules: the following are included
in the standard distribution.
auditd(8) for additional details.
.TP
\fB\-\-type\fP {\fBaccept\fP|\fBdrop\fP|\fBreject\fP}
-Set type of audit record.
+Set type of audit record. Starting with linux-4.12, this option has no effect
+on generated audit messages anymore. It is still accepted by iptables for
+compatibility reasons, but ignored.
.PP
Example:
.IP
iptables \-N AUDIT_DROP
.IP
-iptables \-A AUDIT_DROP \-j AUDIT \-\-type drop
+iptables \-A AUDIT_DROP \-j AUDIT
.IP
iptables \-A AUDIT_DROP \-j DROP
.SS CHECKSUM
Only generate the specified expectation events for this connection.
Possible event types are: \fBnew\fP.
.TP
-\fB\-\-zone\fP \fIid\fP
+\fB\-\-zone-orig\fP {\fIid\fP|\fBmark\fP}
+For traffic coming from ORIGINAL direction, assign this packet to zone
+\fIid\fP and only have lookups done in that zone. If \fBmark\fP is used
+instead of \fIid\fP, the zone is derived from the packet nfmark.
+.TP
+\fB\-\-zone-reply\fP {\fIid\fP|\fBmark\fP}
+For traffic coming from REPLY direction, assign this packet to zone
+\fIid\fP and only have lookups done in that zone. If \fBmark\fP is used
+instead of \fIid\fP, the zone is derived from the packet nfmark.
+.TP
+\fB\-\-zone\fP {\fIid\fP|\fBmark\fP}
Assign this packet to zone \fIid\fP and only have lookups done in that zone.
-By default, packets have zone 0.
+If \fBmark\fP is used instead of \fIid\fP, the zone is derived from the
+packet nfmark. By default, packets have zone 0. This option applies to both
+directions.
.TP
\fB\-\-timeout\fP \fIname\fP
Use the timeout policy identified by \fIname\fP for the connection. This is
If option
\fB\-\-random\fP
is used then port mapping will be randomized (kernel >= 2.6.21).
+Since kernel 5.0, \fB\-\-random\fP is identical to \fB\-\-random-fully\fP.
+.TP
+\fB\-\-random-fully\fP
+Full randomize source port mapping
+If option
+\fB\-\-random-fully\fP
+is used then port mapping will be fully randomized (kernel >= 3.13).
.TP
IPv6 support available since Linux kernels >= 3.7.
-.SS MIRROR (IPv4-specific)
-This is an experimental demonstration target which inverts the source
-and destination fields in the IP header and retransmits the packet.
-It is only valid in the
-.BR INPUT ,
-.B FORWARD
-and
-.B PREROUTING
-chains, and user-defined chains which are only called from those
-chains. Note that the outgoing packets are
-.B NOT
-seen by any packet filtering chains, connection tracking or NAT, to
-avoid loops and other problems.
.SS NETMAP
This target allows you to statically map a whole network of addresses onto
another network of addresses. It can only be used from rules in the
long, useful for distinguishing messages in the logs.
.TP
\fB\-\-nflog\-range\fP \fIsize\fP
+This option has never worked, use --nflog-size instead
+.TP
+\fB\-\-nflog\-size\fP \fIsize\fP
The number of bytes to be copied to userspace (only applicable for
nfnetlink_log). nfnetlink_log instances may specify their own
range, this option overrides it.
chains. It redirects the packet to the machine itself by changing the
destination IP to the primary address of the incoming interface
(locally-generated packets are mapped to the localhost address,
-127.0.0.1 for IPv4 and ::1 for IPv6).
+127.0.0.1 for IPv4 and ::1 for IPv6, and packets arriving on
+interfaces that don't have an IP address configured are dropped).
.TP
\fB\-\-to\-ports\fP \fIport\fP[\fB\-\fP\fIport\fP]
This specifies a destination port or range of ports to use: without
.I ident
(113/tcp) probes which frequently occur when sending mail to broken mail
hosts (which won't accept your mail otherwise).
-.PP
+.IP
(*) Using icmp\-admin\-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT
-.SS SAME (IPv4-specific)
-Similar to SNAT/DNAT depending on chain: it takes a range of addresses
-(`\-\-to 1.2.3.4\-1.2.3.7') and gives a client the same
-source-/destination-address for each connection.
-.PP
-N.B.: The DNAT target's \fB\-\-persistent\fP option replaced the SAME target.
-.TP
-\fB\-\-to\fP \fIipaddr\fP[\fB\-\fP\fIipaddr\fP]
-Addresses to map source to. May be specified more than once for
-multiple ranges.
-.TP
-\fB\-\-nodst\fP
-Don't use the destination-ip in the calculations when selecting the
-new source-ip
-.TP
-\fB\-\-random\fP
-Port mapping will be forcibly randomized to avoid attacks based on
-port prediction (kernel >= 2.6.21).
.SS SECMARK
This is used to set the security mark value associated with the
packet for use by security subsystems such as SELinux. It is
.TP
\fB\-\-del\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP...]
delete the address(es)/port(s) of the packet from the set
+.TP
+\fB\-\-map\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP...]
+[\-\-map\-mark] [\-\-map\-prio] [\-\-map\-queue]
+map packet properties (firewall mark, tc priority, hardware queue)
.IP
where \fIflag\fP(s) are
.BR "src"
\fB\-\-exist\fP
when adding an entry if it already exists, reset the timeout value
to the specified one or to the default from the set definition
+.TP
+\fB\-\-map\-set\fP \fIset\-name\fP
+the set-name should be created with --skbinfo option
+\fB\-\-map\-mark\fP
+map firewall mark to packet by lookup of value in the set
+\fB\-\-map\-prio\fP
+map traffic control priority to packet by lookup of value in the set
+\fB\-\-map\-queue\fP
+map hardware NIC queue to packet by lookup of value in the set
+.IP
+The
+\fB\-\-map\-set\fP
+option can be used from the mangle table only. The
+\fB\-\-map\-prio\fP
+and
+\fB\-\-map\-queue\fP
+flags can be used in the OUTPUT, FORWARD and POSTROUTING chains.
.PP
Use of -j SET requires that ipset kernel support is provided, which, for
standard kernels, is the case since Linux 2.6.39.
\fB\-\-random\fP
If option
\fB\-\-random\fP
-is used then port mapping will be randomized (kernel >= 2.6.21).
+is used then port mapping will be randomized through a hash-based algorithm (kernel >= 2.6.21).
+.TP
+\fB\-\-random-fully\fP
+If option
+\fB\-\-random-fully\fP
+is used then port mapping will be fully randomized through a PRNG (kernel >= 3.14).
.TP
\fB\-\-persistent\fP
Gives a client the same source-/destination-address for each connection.
You also have to use the
.B NOTRACK
target to disable connection tracking for translated flows.
+.SS SYNPROXY
+This target will process TCP three-way-handshake parallel in netfilter
+context to protect either local or backend system. This target requires
+connection tracking because sequence numbers need to be translated.
+The kernels ability to absorb SYNFLOOD was greatly improved starting with
+Linux 4.4, so this target should not be needed anymore to protect Linux servers.
+.TP
+\fB\-\-mss\fP \fImaximum segment size\fP
+Maximum segment size announced to clients. This must match the backend.
+.TP
+\fB\-\-wscale\fP \fIwindow scale\fP
+Window scale announced to clients. This must match the backend.
+.TP
+\fB\-\-sack\-perm\fP
+Pass client selective acknowledgement option to backend (will be disabled
+if not present).
+.TP
+\fB\-\-timestamps\fP
+Pass client timestamp option to backend (will be disabled if not present,
+also needed for selective acknowledgement and window scaling).
+.PP
+Example:
+.PP
+Determine tcp options used by backend, from an external system
+.IP
+tcpdump -pni eth0 -c 1 'tcp[tcpflags] == (tcp-syn|tcp-ack)'
+.br
+ port 80 &
+.br
+telnet 192.0.2.42 80
+.br
+18:57:24.693307 IP 192.0.2.42.80 > 192.0.2.43.48757:
+.br
+ Flags [S.], seq 360414582, ack 788841994, win 14480,
+.br
+ options [mss 1460,sackOK,
+.br
+ TS val 1409056151 ecr 9690221,
+.br
+ nop,wscale 9],
+.br
+ length 0
+.PP
+Switch tcp_loose mode off, so conntrack will mark out\-of\-flow
+packets as state INVALID.
+.IP
+echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
+.PP
+Make SYN packets untracked
+.IP
+iptables \-t raw \-A PREROUTING \-i eth0 \-p tcp \-\-dport 80
+ \-\-syn \-j CT \-\-notrack
+.PP
+Catch UNTRACKED (SYN packets) and INVALID (3WHS ACK packets) states
+and send them to SYNPROXY. This rule will respond to SYN packets with
+SYN+ACK syncookies, create ESTABLISHED for valid client response (3WHS ACK
+packets) and drop incorrect cookies. Flags combinations not expected
+during 3WHS will not match and continue (e.g. SYN+FIN, SYN+ACK).
+.IP
+iptables \-A INPUT \-i eth0 \-p tcp \-\-dport 80
+ \-m state \-\-state UNTRACKED,INVALID \-j SYNPROXY
+ \-\-sack\-perm \-\-timestamp \-\-mss 1460 \-\-wscale 9
+.PP
+Drop invalid packets, this will be out\-of\-flow packets that were not
+matched by SYNPROXY.
+.IP
+iptables \-A INPUT \-i eth0 \-p tcp \-\-dport 80 \-m state \-\-state INVALID \-j DROP
.SS TCPMSS
This target allows to alter the MSS value of TCP SYN packets, to control
the maximum size for that connection (usually limiting it to your
these packets will get forwarded, which is probably not what you want.)
.SS TRACE
This target marks packets so that the kernel will log every rule which match
-the packets as those traverse the tables, chains, rules.
+the packets as those traverse the tables, chains, rules. It can only be used in
+the
+.BR raw
+table.
.PP
-A logging backend, such as ip(6)t_LOG or nfnetlink_log, must be loaded for this
-to be visible.
+With iptables-legacy, a logging backend, such as ip(6)t_LOG or nfnetlink_log,
+must be loaded for this to be visible.
The packets are logged with the string prefix:
"TRACE: tablename:chainname:type:rulenum " where type can be "rule" for
plain rule, "return" for implicit rule at the end of a user defined chain
and "policy" for the policy of the built in chains.
-.br
-It can only be used in the
-.BR raw
-table.
+.PP
+With iptables-nft, the target is translated into nftables'
+.B "meta nftrace"
+expression. Hence the kernel sends trace events via netlink to userspace where
+they may be displayed using
+.B "xtables-monitor --trace"
+command. For details, refer to
+.BR xtables-monitor (8).
.SS TTL (IPv4-specific)
This is used to modify the IPv4 TTL header field. The TTL field determines
how many hops (routers) a packet can traverse until it's time to live is
--- /dev/null
+.so man8/xtables-translate.8
-.TH IPTABLES-RESTORE 8 "" "iptables 1.4.21" "iptables 1.4.21"
+.TH IPTABLES-RESTORE 8 "" "iptables 1.8.4" "iptables 1.8.4"
.\"
.\" Man page written by Harald Welte <laforge@gnumonks.org>
.\" It is based on the iptables man page.
.P
ip6tables-restore \(em Restore IPv6 Tables
.SH SYNOPSIS
-\fBiptables\-restore\fP [\fB\-chntv\fP] [\fB\-M\fP \fImodprobe\fP]
+\fBiptables\-restore\fP [\fB\-chntvV\fP] [\fB\-w\fP \fIsecs\fP]
+[\fB\-W\fP \fIusecs\fP] [\fB\-M\fP \fImodprobe\fP] [\fB\-T\fP \fIname\fP]
+[\fBfile\fP]
.P
-\fBip6tables\-restore\fP [\fB\-chntv\fP] [\fB\-M\fP \fImodprobe\fP]
-[\fB\-T\fP \fIname\fP]
+\fBip6tables\-restore\fP [\fB\-chntvV\fP] [\fB\-w\fP \fIsecs\fP]
+[\fB\-W\fP \fIusecs\fP] [\fB\-M\fP \fImodprobe\fP] [\fB\-T\fP \fIname\fP]
+[\fBfile\fP]
.SH DESCRIPTION
.PP
.B iptables-restore
and
.B ip6tables-restore
-are used to restore IP and IPv6 Tables from data specified on STDIN. Use
-I/O redirection provided by your shell to read from a file
+are used to restore IP and IPv6 Tables from data specified on STDIN or in
+\fIfile\fP. Use I/O redirection provided by your shell to read from a file or
+specify \fIfile\fP as an argument.
.TP
\fB\-c\fR, \fB\-\-counters\fR
restore the values of all packet and byte counters
\fB\-v\fP, \fB\-\-verbose\fP
Print additional debug info during ruleset processing.
.TP
+\fB\-V\fP, \fB\-\-version\fP
+Print the program version number.
+.TP
+\fB\-w\fP, \fB\-\-wait\fP [\fIseconds\fP]
+Wait for the xtables lock.
+To prevent multiple instances of the program from running concurrently,
+an attempt will be made to obtain an exclusive lock at launch. By default,
+the program will exit if the lock cannot be obtained. This option will
+make the program wait (indefinitely or for optional \fIseconds\fP) until
+the exclusive lock can be obtained.
+.TP
+\fB\-W\fP, \fB\-\-wait-interval\fP \fImicroseconds\fP
+Interval to wait per each iteration.
+When running latency sensitive applications, waiting for the xtables lock
+for extended durations may not be acceptable. This option will make each
+iteration take the amount of time specified. The default interval is
+1 second. This option only works with \fB\-w\fP.
+.TP
\fB\-M\fP, \fB\-\-modprobe\fP \fImodprobe_program\fP
Specify the path to the modprobe program. By default, iptables-restore will
inspect /proc/sys/kernel/modprobe to determine the executable's path.
-.TH IPTABLES-SAVE 8 "" "iptables 1.4.21" "iptables 1.4.21"
+.TH IPTABLES-SAVE 8 "" "iptables 1.8.4" "iptables 1.8.4"
.\"
.\" Man page written by Harald Welte <laforge@gnumonks.org>
.\" It is based on the iptables man page.
.\"
.\"
.SH NAME
-iptables-save \(em dump iptables rules to stdout
+iptables-save \(em dump iptables rules
.P
-ip6tables-save \(em dump iptables rules to stdout
+ip6tables-save \(em dump iptables rules
.SH SYNOPSIS
\fBiptables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
-[\fB\-t\fP \fItable\fP]
+[\fB\-t\fP \fItable\fP] [\fB\-f\fP \fIfilename\fP]
.P
\fBip6tables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
-[\fB\-t\fP \fItable\fP
+[\fB\-t\fP \fItable\fP] [\fB\-f\fP \fIfilename\fP]
.SH DESCRIPTION
.PP
.B iptables-save
and
.B ip6tables-save
are used to dump the contents of IP or IPv6 Table in easily parseable format
-to STDOUT. Use I/O-redirection provided by your shell to write to a file.
+either to STDOUT or to a specified file.
.TP
-\fB\-M\fP \fImodprobe_program\fP
+\fB\-M\fR, \fB\-\-modprobe\fR \fImodprobe_program\fP
Specify the path to the modprobe program. By default, iptables-save will
inspect /proc/sys/kernel/modprobe to determine the executable's path.
.TP
+\fB\-f\fR, \fB\-\-file\fR \fIfilename\fP
+Specify a filename to log the output to. If not specified, iptables-save
+will log to STDOUT.
+.TP
\fB\-c\fR, \fB\-\-counters\fR
include the current values of all packet and byte counters in the output
.TP
\fB\-t\fR, \fB\-\-table\fR \fItablename\fP
-restrict output to only one table. If not specified, output includes all
-available tables.
+restrict output to only one table. If the kernel is configured with automatic
+module loading, an attempt will be made to load the appropriate module for
+that table if it is not already there.
+.br
+If not specified, output includes all available tables.
.SH BUGS
None known as of iptables-1.2.1 release
.SH AUTHORS
--- /dev/null
+.so man8/xtables-translate.8
-.TH IPTABLES 8 "" "iptables 1.4.21" "iptables 1.4.21"
+.TH IPTABLES 8 "" "iptables 1.8.4" "iptables 1.8.4"
.\"
.\" Man page written by Herve Eychenne <rv@wallfire.org> (May 1999)
.\" It is based on ipchains page.
.TP
\fBnat\fP:
This table is consulted when a packet that creates a new
-connection is encountered. It consists of three built-ins: \fBPREROUTING\fP
-(for altering packets as soon as they come in), \fBOUTPUT\fP
+connection is encountered. It consists of four built-ins: \fBPREROUTING\fP
+(for altering packets as soon as they come in), \fBINPUT\fP (for altering
+packets destined for local sockets), \fBOUTPUT\fP
(for altering locally-generated packets before routing), and \fBPOSTROUTING\fP
(for altering packets as they are about to go out).
IPv6 NAT support is available since kernel 3.7.
.nf
iptables \-L \-v
.fi
+or
+\fBiptables\-save\fP(8).
.TP
\fB\-S\fP, \fB\-\-list\-rules\fP [\fIchain\fP]
Print all rules in the selected chain. If no chain is selected, all
non-builtin chain in the table.
.TP
\fB\-P\fP, \fB\-\-policy\fP \fIchain target\fP
-Set the policy for the chain to the given target. See the section \fBTARGETS\fP
-for the legal targets. Only built-in (non-user-defined) chains can have
-policies, and neither built-in nor user-defined chains can be policy
-targets.
+Set the policy for the built-in (non-user-defined) chain to the given target.
+The policy target must be either \fBACCEPT\fP or \fBDROP\fP.
.TP
\fB\-E\fP, \fB\-\-rename\-chain\fP \fIold\-chain new\-chain\fP
Rename the user specified chain to the user supplied name. This is
detailed information on the rule or rules to be printed. \fB\-v\fP may be
specified multiple times to possibly emit more detailed debug statements.
.TP
-\fB\-w\fP, \fB\-\-wait\fP
+\fB\-w\fP, \fB\-\-wait\fP [\fIseconds\fP]
Wait for the xtables lock.
To prevent multiple instances of the program from running concurrently,
an attempt will be made to obtain an exclusive lock at launch. By default,
the program will exit if the lock cannot be obtained. This option will
-make the program wait until the exclusive lock can be obtained.
+make the program wait (indefinitely or for optional \fIseconds\fP) until
+the exclusive lock can be obtained.
+.TP
+\fB\-W\fP, \fB\-\-wait-interval\fP \fImicroseconds\fP
+Interval to wait per each iteration.
+When running latency sensitive applications, waiting for the xtables lock
+for extended durations may not be acceptable. This option will make each
+iteration take the amount of time specified. The default interval is
+1 second. This option only works with \fB\-w\fP.
.TP
\fB\-n\fP, \fB\-\-numeric\fP
Numeric output.
.PP
Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, as well as the TTL, DSCP, ECN matches and targets.
.PP
-The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Yasuyuki Kozakai,
-Jozsef Kadlecsik, Patrick McHardy, James Morris, Pablo Neira Ayuso,
-Harald Welte and Rusty Russell.
+The Netfilter Core Team is: Jozsef Kadlecsik, Pablo Neira Ayuso,
+Eric Leblond, Florian Westphal and Arturo Borrero Gonzalez.
+Emeritus Core Team members are: Marc
+Boucher, Martin Josefsson, Yasuyuki Kozakai, James Morris, Harald Welte and
+Rusty Russell.
.PP
Man page originally written by Herve Eychenne <rv@wallfire.org>.
.\" .. and did I mention that we are incredibly cool people?
.\" .. and most of all, modest ..
.SH VERSION
.PP
-This manual page applies to iptables/ip6tables 1.4.21.
+This manual page applies to iptables/ip6tables 1.8.4.
--- /dev/null
+.TH NFBPF_COMPILE 8 "" "iptables 1.8.4" "iptables 1.8.4"
+
+.SH NAME
+nfbpf_compile \- generate bytecode for use with xt_bpf
+.SH SYNOPSIS
+
+.ad l
+.in +8
+.ti -8
+.B nfbpf_compile
+[
+.I LLTYPE
+]
+.I PROGRAM
+
+.ti -8
+.I LLTYPE
+:= {
+.BR EN10MB " | " RAW " | " SLIP " | "
+.I ...
+}
+
+.SH DESCRIPTION
+The
+.B nfbpf_compile
+utility aids in generating BPF byte code suitable for passing to
+the iptables
+.B bpf
+match.
+
+.SH OPTIONS
+
+.TP
+.I LLTYPE
+Link-layer header type to operate on. This is a name as defined in
+.RB < pcap/dlt.h >
+but with the leading
+.B DLT_
+prefix stripped. For use with iptables,
+.B RAW
+should be the right choice (it's also the default if not specified).
+
+.TP
+.I PROGRAM
+The BPF expression to compile, see
+.BR pcap-filter (7)
+for a description of the language.
+
+.SH EXIT STATUS
+The program returns 0 on success, 1 otherwise.
+
+.SH EXAMPLE
+Match incoming TCP packets with size bigger than 100 bytes:
+.P
+.in +8
+.EE
+bpf=$(nfbpf_compile 'tcp and greater 100')
+.br
+iptables -A INPUT -m bpf --bytecode "$bpf" -j ACCEPT
+.RE
+.P
+The description of
+.B bpf
+match in
+.BR iptables-extensions (8)
+lists a few more examples.
+
+.SH SEE ALSO
+.BR iptables-extensions (8),
+.BR pcap-filter (7)
--- /dev/null
+.TH NFNL_OSF 8 "" "iptables 1.8.4" "iptables 1.8.4"
+
+.SH NAME
+nfnl_osf \- OS fingerprint loader utility
+.SH SYNOPSIS
+
+.ad l
+.in +8
+.ti -8
+.B nfnl_osf
+.BI -f " fingerprints"
+[
+.B -d
+]
+
+.SH DESCRIPTION
+The
+.B nfnl_osf
+utility allows to load a set of operating system signatures into the kernel for
+later matching against using iptables'
+.B osf
+match.
+
+.SH OPTIONS
+
+.TP
+.BI -f " fingerprints"
+Read signatures from file
+.IR fingerprints .
+
+.TP
+.B -d
+Instead of adding the signatures from
+.I fingerprints
+into the kernel, remove them.
+
+.SH EXIT STATUS
+Exit status is 0 if command succeeded, otherwise a negative return code
+indicates the type of error which happened:
+
+.TP
+.B -1
+Illegal arguments passed, fingerprints file not readable or failure in netlink
+communication.
+
+.TP
+.B -ENOENT
+Fingerprints file not specified.
+
+.TP
+.B -EINVAL
+Netlink handle initialization failed or fingerprints file format invalid.
+
+.SH FILES
+
+An up to date set of operating system signatures can be downloaded from
+http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os .
+
+.SH SEE ALSO
+
+The description of
+.B osf
+match in
+.BR iptables-extensions (8)
+contains further information about the topic as well as example
+.B nfnl_osf
+invocations.
--- /dev/null
+.\"
+.\" (C) Copyright 2016-2017, Arturo Borrero Gonzalez <arturo@netfilter.org>
+.\"
+.\" %%%LICENSE_START(GPLv2+_DOC_FULL)
+.\" This is free documentation; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License as
+.\" published by the Free Software Foundation; either version 2 of
+.\" the License, or (at your option) any later version.
+.\"
+.\" The GNU General Public License's references to "object code"
+.\" and "executables" are to be interpreted as the output of any
+.\" document formatting or typesetting system, including
+.\" intermediate and printed output.
+.\"
+.\" This manual is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public
+.\" License along with this manual; if not, see
+.\" <http://www.gnu.org/licenses/>.
+.\" %%%LICENSE_END
+.\"
+.TH XTABLES-LEGACY 8 "June 2018"
+
+.SH NAME
+xtables-legacy \(em iptables using old getsockopt/setsockopt-based kernel api
+
+.SH DESCRIPTION
+\fBxtables-legacy\fP are the original versions of iptables that use
+old getsockopt/setsockopt-based kernel interface.
+This kernel interface has some limitations, therefore iptables can also
+be used with the newer nf_tables based API.
+See
+.B xtables\-nft(8)
+for information about the xtables-nft variants of iptables.
+
+.SH USAGE
+The xtables-legacy-multi binary can be linked to the traditional names:
+
+.nf
+ /sbin/iptables -> /sbin/iptables\-legacy\-multi
+ /sbin/ip6tables -> /sbin/ip6tables\-legacy\-multi
+ /sbin/iptables\-save -> /sbin/ip6tables\-legacy\-multi
+ /sbin/iptables\-restore -> /sbin/ip6tables\-legacy\-multi
+.fi
+
+The iptables version string will indicate whether the legacy API (get/setsockopt) or
+the new nf_tables API is used:
+.nf
+ iptables \-V
+ iptables v1.7 (legacy)
+.fi
+
+.SH LIMITATIONS
+
+When inserting a rule using
+iptables \-A or iptables \-I, iptables first needs to retrieve the current active
+ruleset, change it to include the new rule, and then commit back the result.
+This means that if two instances of iptables are running concurrently, one of the
+updates might be lost. This can be worked around partially with the \-\-wait option.
+
+There is also no method to monitor changes to the ruleset, except periodically calling
+iptables-legacy-save and checking for any differences in output.
+
+.B xtables\-monitor(8)
+will need the
+.B xtables\-nft(8)
+versions to work, it cannot display changes made using the
+.B iptables-legacy
+tools.
+
+.SH SEE ALSO
+\fBxtables\-nft(8)\fP, \fBxtables\-translate(8)\fP
+
+.SH AUTHORS
+Rusty Russell originally wrote iptables, in early consultation with Michael Neuling.
--- /dev/null
+.TH XTABLES\-MONITOR 8 "" "iptables 1.8.4" "iptables 1.8.4"
+.SH NAME
+xtables-monitor \(em show changes to rule set and trace-events
+.SH SYNOPSIS
+\fBxtables\-monitor\fP [\fB\-t\fP] [\fB\-e\fP] [\fB\-4\fP|\fB|\-6\fB]
+.PP
+\
+.SH DESCRIPTION
+.PP
+.B xtables-monitor
+is used to monitor changes to the ruleset or to show rule evaluation events
+for packets tagged using the TRACE target.
+.B xtables-monitor
+will run until the user aborts execution, typically by using CTRL-C.
+.RE
+.SH OPTIONS
+\fB\-e\fP, \fB\-\-event\fP
+.TP
+Watch for updates to the rule set.
+Updates include creation of new tables, chains and rules and
+the name of the program that caused the rule update.
+.TP
+\fB\-t\fP, \fB\-\-trace\fP
+Watch for trace events generated by packets that have been tagged
+using the TRACE target.
+.TP
+\fB\-4\fP
+Restrict output to IPv4.
+.TP
+\fB\-6\fP
+Restrict output to IPv6.
+.SH EXAMPLE OUTPUT
+.TP
+.B xtables-monitor \-\-trace
+
+ 1 TRACE: 2 fc475095 raw:PREROUTING:rule:0x3:CONTINUE \-4 \-t raw \-A PREROUTING \-p icmp \-j TRACE
+ 2 PACKET: 0 fc475095 IN=lo LL=0x304 0000000000000000000000000800 SRC=127.0.0.1 DST=127.0.0.1 LEN=84 TOS=0x0 TTL=64 ID=38349DF
+ 3 TRACE: 2 fc475095 raw:PREROUTING:return:
+ 4 TRACE: 2 fc475095 raw:PREROUTING:policy:ACCEPT
+ 5 TRACE: 2 fc475095 filter:INPUT:return:
+ 6 TRACE: 2 fc475095 filter:INPUT:policy:DROP
+ 7 TRACE: 2 0df9d3d8 raw:PREROUTING:rule:0x3:CONTINUE \-4 \-t raw \-A PREROUTING \-p icmp \-j TRACE
+.PP
+The first line shows a packet entering rule set evaluation.
+The protocol number is shown (AF_INET in this case), then a packet
+identifier number that allows to correlate messages coming from rule set evaluation of
+this packet. After this, the rule that was matched by the packet is shown.
+This is the TRACE rule that turns on tracing events for this packet.
+
+The second line dumps information about the packet. Incoming interface
+and packet headers such as source and destination addresses are shown.
+
+The third line shows that the packet completed traversal of the raw table
+PREROUTING chain, and is returning, followed by use the chain policy to make accept/drop
+decision (the example shows accept being applied).
+The fifth line shows that the packet leaves the filter INPUT chain, i.e., no rules in the filter tables
+INPUT chain matched the packet.
+It then got DROPPED by the policy of the INPUT table, as shown by line six.
+The last line shows another packet arriving \-\- the packet id is different.
+
+When using the TRACE target, it is usually a good idea to only select packets
+that are relevant, for example via
+.nf
+iptables \-t raw \-A PREROUTING \-p tcp \-\-dport 80 \-\-syn \-m limit \-\-limit 1/s \-j TRACE
+.fi
+.TP
+.B xtables-monitor \-\-event
+ 1 EVENT: nft: NEW table: table filter ip flags 0 use 4 handle 444
+ 2 EVENT: # nft: ip filter INPUT use 2 type filter hook input prio 0 policy drop packets 0 bytes 0
+ 3 EVENT: # nft: ip filter FORWARD use 0 type filter hook forward prio 0 policy accept packets 0 bytes 0
+ 4 EVENT: # nft: ip filter OUTPUT use 0 type filter hook output prio 0 policy accept packets 0 bytes 0
+ 5 EVENT: \-4 \-t filter \-N TCP
+ 6 EVENT: \-4 \-t filter \-A TCP \-s 192.168.0.0/16 \-p tcp \-m tcp \-\-dport 22 \-j ACCEPT
+ 7 EVENT: \-4 \-t filter \-A TCP \-p tcp \-m multiport \-\-dports 80,443 \-j ACCEPT
+ 8 EVENT: \-4 \-t filter \-A INPUT \-p tcp \-j TCP
+ 9 EVENT: \-4 \-t filter \-A INPUT \-m conntrack \-\-ctstate RELATED,ESTABLISHED \-j ACCEPT
+ 10 NEWGEN: GENID=13904 PID=25167 NAME=iptables-nftables-restore
+.PP
+This example shows event monitoring. Line one shows creation of a table (filter in this case), followed
+by three base hooks INPUT, FORWARD and OUTPUT. The iptables-nftables tools all create tables and base
+chains automatically when needed, so this is expected when a table was not yet initialized or when it is
+re-created from scratch by iptables-nftables-restore. Line five shows a new user-defined chain (TCP)
+being added, followed by addition a few rules. the last line shows that a new ruleset generation has
+become active, i.e., the rule set changes are now active. This also lists the process id and the programs name.
+.SH LIMITATIONS
+.B xtables-monitor
+only works with rules added using iptables-nftables, rules added using
+iptables-legacy cannot be monitored.
+.SH BUGS
+Should be reported or by sending email to netfilter-devel@vger.kernel.org or
+by filing a report on https://bugzilla.netfilter.org/.
+.SH SEE ALSO
+\fBiptables\fP(8), \fBxtables\fP(8), \fBnft\fP(8)
--- /dev/null
+.\"
+.\" (C) Copyright 2016-2017, Arturo Borrero Gonzalez <arturo@netfilter.org>
+.\"
+.\" %%%LICENSE_START(GPLv2+_DOC_FULL)
+.\" This is free documentation; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License as
+.\" published by the Free Software Foundation; either version 2 of
+.\" the License, or (at your option) any later version.
+.\"
+.\" The GNU General Public License's references to "object code"
+.\" and "executables" are to be interpreted as the output of any
+.\" document formatting or typesetting system, including
+.\" intermediate and printed output.
+.\"
+.\" This manual is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public
+.\" License along with this manual; if not, see
+.\" <http://www.gnu.org/licenses/>.
+.\" %%%LICENSE_END
+.\"
+.TH XTABLES-NFT 8 "June 2018"
+
+.SH NAME
+xtables-nft \(em iptables using nftables kernel api
+
+.SH DESCRIPTION
+\fBxtables-nft\fP are versions of iptables that use the nftables API.
+This is a set of tools to help the system administrator migrate the
+ruleset from \fBiptables(8)\fP, \fBip6tables(8)\fP, \fBarptables(8)\fP, and
+\fBebtables(8)\fP to \fBnftables(8)\fP.
+
+The \fBxtables-nft\fP set is composed of several commands:
+.IP \[bu] 2
+iptables\-nft
+.IP \[bu]
+iptables\-nft\-save
+.IP \[bu]
+iptables\-nft\-restore
+.IP \[bu]
+ip6tables\-nft
+.IP \[bu]
+ip6tables\-nft\-save
+.IP \[bu]
+ip6tables\-nft\-restore
+.IP \[bu]
+arptables\-nft
+.IP \[bu]
+ebtables\-nft
+
+These tools use the libxtables framework extensions and hook to the nf_tables
+kernel subsystem using the \fBnft_compat\fP module.
+
+.SH USAGE
+The xtables-nft tools allow you to manage the nf_tables backend using the
+native syntax of \fBiptables(8)\fP, \fBip6tables(8)\fP, \fBarptables(8)\fP, and
+\fBebtables(8)\fP.
+
+You should use the xtables-nft tools exactly the same way as you would use the
+corresponding original tools.
+
+Adding a rule will result in that rule being added to the nf_tables kernel
+subsystem instead.
+Listing the ruleset will use the nf_tables backend as well.
+
+When these tools were designed, the main idea was to replace each legacy binary
+with a symlink to the xtables-nft program, for example:
+
+.nf
+ /sbin/iptables -> /usr/sbin/iptables\-nft\-multi
+ /sbin/ip6tables -> /usr/sbin/ip6tables\-nft\-multi
+ /sbin/arptables -> /usr/sbin/arptables\-nft\-multi
+ /sbin/ebtables -> /usr/sbin/ebtables\-nft\-multi
+.fi
+
+The iptables version string will indicate whether the legacy API (get/setsockopt) or
+the new nf_tables api is used:
+.nf
+ iptables \-V
+ iptables v1.7 (nf_tables)
+.fi
+
+.SH DIFFERENCES TO LEGACY IPTABLES
+
+Because the xtables-nft tools use the nf_tables kernel API, rule additions
+and deletions are always atomic. Unlike iptables-legacy, iptables-nft \-A ..
+will NOT need to retrieve the current ruleset from the kernel, change it, and
+re-load the altered ruleset. Instead, iptables-nft will tell the kernel to add
+one rule. For this reason, the iptables-legacy \-\-wait option is a no-op in
+iptables-nft.
+
+Use of the xtables-nft tools allow monitoring ruleset changes using the
+.B xtables\-monitor(8)
+command.
+
+When using \-j TRACE to debug packet traversal to the ruleset, note that you will need to use
+.B xtables\-monitor(8)
+in \-\-trace mode to obtain monitoring trace events.
+
+.SH EXAMPLES
+One basic example is creating the skeleton ruleset in nf_tables from the
+xtables-nft tools, in a fresh machine:
+
+.nf
+ root@machine:~# iptables\-nft \-L
+ [...]
+ root@machine:~# ip6tables\-nft \-L
+ [...]
+ root@machine:~# arptables\-nft \-L
+ [...]
+ root@machine:~# ebtables\-nft \-L
+ [...]
+ root@machine:~# nft list ruleset
+ table ip filter {
+ chain INPUT {
+ type filter hook input priority 0; policy accept;
+ }
+
+ chain FORWARD {
+ type filter hook forward priority 0; policy accept;
+ }
+
+ chain OUTPUT {
+ type filter hook output priority 0; policy accept;
+ }
+ }
+ table ip6 filter {
+ chain INPUT {
+ type filter hook input priority 0; policy accept;
+ }
+
+ chain FORWARD {
+ type filter hook forward priority 0; policy accept;
+ }
+
+ chain OUTPUT {
+ type filter hook output priority 0; policy accept;
+ }
+ }
+ table bridge filter {
+ chain INPUT {
+ type filter hook input priority \-200; policy accept;
+ }
+
+ chain FORWARD {
+ type filter hook forward priority \-200; policy accept;
+ }
+
+ chain OUTPUT {
+ type filter hook output priority \-200; policy accept;
+ }
+ }
+ table arp filter {
+ chain INPUT {
+ type filter hook input priority 0; policy accept;
+ }
+
+ chain FORWARD {
+ type filter hook forward priority 0; policy accept;
+ }
+
+ chain OUTPUT {
+ type filter hook output priority 0; policy accept;
+ }
+ }
+.fi
+
+(please note that in fresh machines, listing the ruleset for the first time
+results in all tables an chain being created).
+
+To migrate your complete filter ruleset, in the case of \fBiptables(8)\fP,
+you would use:
+
+.nf
+ root@machine:~# iptables\-legacy\-save > myruleset # reads from x_tables
+ root@machine:~# iptables\-nft\-restore myruleset # writes to nf_tables
+.fi
+or
+.nf
+ root@machine:~# iptables\-legacy\-save | iptables-translate-restore | less
+.fi
+
+to see how rules would look like in the nft
+\fBnft(8)\fP
+syntax.
+
+.SH LIMITATIONS
+You should use \fBLinux kernel >= 4.17\fP.
+
+The CLUSTERIP target is not supported.
+
+To get up-to-date information about this, please head to
+\fBhttp://wiki.nftables.org/\fP.
+
+.SH SEE ALSO
+\fBnft(8)\fP, \fBxtables\-translate(8)\fP, \fBxtables\-monitor(8)\fP
+
+.SH AUTHORS
+The nftables framework is written by the Netfilter project
+(https://www.netfilter.org).
+
+This manual page was written by Arturo Borrero Gonzalez
+<arturo@debian.org> for the Debian project, but may be used by others.
+
+This documentation is free/libre under the terms of the GPLv2+.
--- /dev/null
+.\"
+.\" (C) Copyright 2018, Arturo Borrero Gonzalez <arturo@netfilter.org>
+.\"
+.\" %%%LICENSE_START(GPLv2+_DOC_FULL)
+.\" This is free documentation; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License as
+.\" published by the Free Software Foundation; either version 2 of
+.\" the License, or (at your option) any later version.
+.\"
+.\" The GNU General Public License's references to "object code"
+.\" and "executables" are to be interpreted as the output of any
+.\" document formatting or typesetting system, including
+.\" intermediate and printed output.
+.\"
+.\" This manual is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public
+.\" License along with this manual; if not, see
+.\" <http://www.gnu.org/licenses/>.
+.\" %%%LICENSE_END
+.\"
+.TH IPTABLES-TRANSLATE 8 "May 14, 2019"
+
+.SH NAME
+iptables-translate \(em translation tool to migrate from iptables to nftables
+.P
+ip6tables-translate \(em translation tool to migrate from ip6tables to nftables
+.SH DESCRIPTION
+There is a set of tools to help the system administrator translate a given
+ruleset from \fBiptables(8)\fP and \fBip6tables(8)\fP to \fBnftables(8)\fP.
+
+The available commands are:
+
+.IP \[bu] 2
+iptables-translate
+.IP \[bu]
+iptables-restore-translate
+.IP \[bu] 2
+ip6tables-translate
+.IP \[bu]
+ip6tables-restore-translate
+
+.SH USAGE
+They take as input the original \fBiptables(8)\fP/\fBip6tables(8)\fP syntax and
+output the native \fBnftables(8)\fP syntax.
+
+The \fBiptables-restore-translate\fP tool reads a ruleset in the syntax
+produced by \fBiptables-save(8)\fP. Likewise, the
+\fBip6tables-restore-translate\fP tool reads one produced by
+\fBip6tables-save(8)\fP. No ruleset modifications occur, these tools are
+text converters only.
+
+The \fBiptables-translate\fP reads a command line as if it was entered to
+\fBiptables(8)\fP, and \fBip6tables-translate\fP reads a command like as if it
+was entered to \fBip6tables(8)\fP.
+
+.SH EXAMPLES
+Basic operation examples.
+
+Single command translation:
+
+.nf
+root@machine:~# iptables-translate -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
+nft add rule ip filter INPUT tcp dport 22 ct state new counter accept
+
+root@machine:~# ip6tables-translate -A FORWARD -i eth0 -o eth3 -p udp -m multiport --dports 111,222 -j ACCEPT
+nft add rule ip6 filter FORWARD iifname eth0 oifname eth3 meta l4proto udp udp dport { 111,222} counter accept
+.fi
+
+Whole ruleset translation:
+
+.nf
+root@machine:~# iptables-save > save.txt
+root@machine:~# cat save.txt
+# Generated by iptables-save v1.6.0 on Sat Dec 24 14:26:40 2016
+*filter
+:INPUT ACCEPT [5166:1752111]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [5058:628693]
+-A FORWARD -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
+COMMIT
+# Completed on Sat Dec 24 14:26:40 2016
+
+root@machine:~# iptables-restore-translate -f save.txt
+# Translated by iptables-restore-translate v1.6.0 on Sat Dec 24 14:26:59 2016
+add table ip filter
+add chain ip filter INPUT { type filter hook input priority 0; }
+add chain ip filter FORWARD { type filter hook forward priority 0; }
+add chain ip filter OUTPUT { type filter hook output priority 0; }
+add rule ip filter FORWARD tcp dport 22 ct state new counter accept
+
+root@machine:~# iptables-restore-translate -f save.txt > ruleset.nft
+root@machine:~# nft -f ruleset.nft
+root@machine:~# nft list ruleset
+table ip filter {
+ chain INPUT {
+ type filter hook input priority 0; policy accept;
+ }
+
+ chain FORWARD {
+ type filter hook forward priority 0; policy accept;
+ tcp dport ssh ct state new counter packets 0 bytes 0 accept
+ }
+
+ chain OUTPUT {
+ type filter hook output priority 0; policy accept;
+ }
+}
+.fi
+
+
+.SH LIMITATIONS
+Some (few) extensions may be not supported (or fully-supported) for whatever
+reason (for example, they were considered obsolete, or we didn't have the time
+to work on them).
+
+There are no translations available for \fBebtables(8)\fP and
+\fBarptables(8)\fP.
+
+To get up-to-date information about this, please head to
+\fBhttps://wiki.nftables.org/\fP.
+
+.SH SEE ALSO
+\fBnft(8)\fP, \fBiptables(8)\fP
+
+.SH AUTHORS
+The nftables framework is written by the Netfilter project
+(https://www.netfilter.org).
+
+This manual page was written by Arturo Borrero Gonzalez
+<arturo@netfilter.org>.
+
+This documentation is free/libre under the terms of the GPLv2+.
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2014-05-07 04:08+0900\n"
-"PO-Revision-Date: 2014-05-07 04:12+0900\n"
+"POT-Creation-Date: 2021-03-24 13:11+0900\n"
+"PO-Revision-Date: 2021-03-24 16:13+0900\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
"Language: \n"
#. type: TH
#, no-wrap
-msgid "iptables 1.4.21"
-msgstr "iptables 1.4.21"
+msgid "iptables 1.8.4"
+msgstr "iptables 1.8.4"
#. Man page written by Sam Liddicott <azez@ufomechanic.net>
#. It is based on the iptables-save man page.
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2013-04-08 14:07+0900\n"
+"POT-Creation-Date: 2021-03-24 13:11+0900\n"
"PO-Revision-Date: 2013-04-08 14:12+0900\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2013-04-08 14:07+0900\n"
+"POT-Creation-Date: 2021-03-24 13:11+0900\n"
"PO-Revision-Date: 2013-04-08 14:13+0900\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2013-04-08 14:07+0900\n"
+"POT-Creation-Date: 2021-03-24 13:11+0900\n"
"PO-Revision-Date: 2013-04-08 14:29+0900\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2013-04-08 14:07+0900\n"
+"POT-Creation-Date: 2021-03-24 13:11+0900\n"
"PO-Revision-Date: 2013-04-08 14:29+0900\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2013-04-08 14:07+0900\n"
+"POT-Creation-Date: 2021-03-24 13:11+0900\n"
"PO-Revision-Date: 2013-04-08 14:29+0900\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2013-04-08 14:07+0900\n"
+"POT-Creation-Date: 2021-03-24 13:11+0900\n"
"PO-Revision-Date: 2013-04-08 14:29+0900\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2013-04-08 14:07+0900\n"
+"POT-Creation-Date: 2021-03-24 13:11+0900\n"
"PO-Revision-Date: 2013-04-08 14:30+0900\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
--- /dev/null
+# SOME DESCRIPTIVE TITLE
+# Copyright (C) YEAR Free Software Foundation, Inc.
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"POT-Creation-Date: 2021-03-24 13:11+0900\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. type: TH
+#, no-wrap
+msgid "ARPTABLES-RESTORE"
+msgstr ""
+
+#. type: TH
+#, no-wrap
+msgid "March 2019"
+msgstr ""
+
+#
+#
+#
+#
+#. Man page written by Jesper Dangaard Brouer <brouer@redhat.com> based on a
+#. Man page written by Harald Welte <laforge@gnumonks.org>
+#. It is based on the iptables-restore man page.
+#. This program is free software; you can redistribute it and/or modify
+#. it under the terms of the GNU General Public License as published by
+#. the Free Software Foundation; either version 2 of the License, or
+#. (at your option) any later version.
+#. This program is distributed in the hope that it will be useful,
+#. but WITHOUT ANY WARRANTY; without even the implied warranty of
+#. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#. GNU General Public License for more details.
+#. You should have received a copy of the GNU General Public License
+#. along with this program; if not, write to the Free Software
+#. Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#. type: SH
+#, no-wrap
+msgid "NAME"
+msgstr ""
+
+#. type: Plain text
+msgid "arptables-restore - Restore ARP Tables (nft-based)"
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "SYNOPSIS"
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<arptables-restore>"
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "DESCRIPTION"
+msgstr ""
+
+#. type: Plain text
+msgid "B<arptables-restore> is used to restore ARP Tables from data specified on STDIN or via a file as first argument. Use I/O redirection provided by your shell to read from a file"
+msgstr ""
+
+#. type: Plain text
+msgid "flushes (deletes) all previous contents of the respective ARP Table."
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "AUTHOR"
+msgstr ""
+
+#. type: Plain text
+msgid "Jesper Dangaard Brouer E<lt>brouer@redhat.comE<gt>"
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "SEE ALSO"
+msgstr ""
+
+#. type: Plain text
+msgid "B<arptables-save>(8), B<arptables>(8)"
+msgstr ""
--- /dev/null
+# SOME DESCRIPTIVE TITLE
+# Copyright (C) YEAR Free Software Foundation, Inc.
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"POT-Creation-Date: 2021-03-24 13:11+0900\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. type: TH
+#, no-wrap
+msgid "ARPTABLES-SAVE"
+msgstr ""
+
+#. type: TH
+#, no-wrap
+msgid "March 2019"
+msgstr ""
+
+#
+#
+#
+#
+#. Man page written by Jesper Dangaard Brouer <brouer@redhat.com> based on a
+#. Man page written by Harald Welte <laforge@gnumonks.org>
+#. It is based on the iptables-save man page.
+#. This program is free software; you can redistribute it and/or modify
+#. it under the terms of the GNU General Public License as published by
+#. the Free Software Foundation; either version 2 of the License, or
+#. (at your option) any later version.
+#. This program is distributed in the hope that it will be useful,
+#. but WITHOUT ANY WARRANTY; without even the implied warranty of
+#. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#. GNU General Public License for more details.
+#. You should have received a copy of the GNU General Public License
+#. along with this program; if not, write to the Free Software
+#. Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#. type: SH
+#, no-wrap
+msgid "NAME"
+msgstr ""
+
+#. type: Plain text
+msgid "arptables-save - dump arptables rules to stdout (nft-based)"
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "SYNOPSIS"
+msgstr ""
+
+#. type: Plain text
+msgid "B<arptables-save> [B<-M> I<modprobe>] [B<-c>]"
+msgstr ""
+
+#. type: Plain text
+msgid "B<arptables-save> [B<-V>]"
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "DESCRIPTION"
+msgstr ""
+
+#. type: Plain text
+msgid "B<arptables-save> is used to dump the contents of an ARP Table in easily parseable format to STDOUT. Use I/O-redirection provided by your shell to write to a file."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-M>, B<--modprobe> I<modprobe_program>"
+msgstr ""
+
+#. type: Plain text
+msgid "Specify the path to the modprobe program. By default, arptables-save will inspect /proc/sys/kernel/modprobe to determine the executable's path."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-c>, B<--counters>"
+msgstr ""
+
+#. type: Plain text
+msgid "Include the current values of all packet and byte counters in the output."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-V>, B<--version>"
+msgstr ""
+
+#. type: Plain text
+msgid "Print version information and exit."
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "AUTHOR"
+msgstr ""
+
+#. type: Plain text
+msgid "Jesper Dangaard Brouer E<lt>brouer@redhat.comE<gt>"
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "SEE ALSO"
+msgstr ""
+
+#. type: Plain text
+msgid "B<arptables-restore>(8), B<arptables>(8)"
+msgstr ""
--- /dev/null
+# SOME DESCRIPTIVE TITLE
+# Copyright (C) YEAR Free Software Foundation, Inc.
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"POT-Creation-Date: 2021-03-24 13:11+0900\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. type: TH
+#, no-wrap
+msgid "ARPTABLES"
+msgstr ""
+
+#. type: TH
+#, no-wrap
+msgid "March 2019"
+msgstr ""
+
+#
+#
+#
+#
+#
+#. Man page originally written by Jochen Friedrich <jochen@scram.de>,
+#. maintained by Bart De Schuymer.
+#. It is based on the iptables man page.
+#. Iptables page by Herve Eychenne March 2000.
+#. This program is free software; you can redistribute it and/or modify
+#. it under the terms of the GNU General Public License as published by
+#. the Free Software Foundation; either version 2 of the License, or
+#. (at your option) any later version.
+#. This program is distributed in the hope that it will be useful,
+#. but WITHOUT ANY WARRANTY; without even the implied warranty of
+#. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#. GNU General Public License for more details.
+#. You should have received a copy of the GNU General Public License
+#. along with this program; if not, write to the Free Software
+#. Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#. type: SH
+#, no-wrap
+msgid "NAME"
+msgstr ""
+
+#. type: Plain text
+msgid "arptables - ARP table administration (nft-based)"
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "SYNOPSIS"
+msgstr ""
+
+#. type: Plain text
+msgid "B<arptables >[B<-t table>]B< ->[B<AD>]B< chain rule-specification >[B<options>]"
+msgstr ""
+
+#. type: Plain text
+msgid "B<arptables >[B<-t table>]B< ->[B<RI>]B< chain rulenum rule-specification >[B<options>]"
+msgstr ""
+
+#. type: Plain text
+msgid "B<arptables >[B<-t table>]B< -D chain rulenum >[B<options>]"
+msgstr ""
+
+#. type: Plain text
+msgid "B<arptables >[B<-t table>]B< ->[B<LFZ>]B< >[B<chain>]B< >[B<options>]"
+msgstr ""
+
+#. type: Plain text
+msgid "B<arptables >[B<-t table>]B< ->[B<NX>]B< chain>"
+msgstr ""
+
+#. type: Plain text
+msgid "B<arptables >[B<-t table>]B< -E old-chain-name new-chain-name>"
+msgstr ""
+
+#. type: Plain text
+msgid "B<arptables >[B<-t table>]B< -P chain target >[B<options>]"
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "DESCRIPTION"
+msgstr ""
+
+#. type: Plain text
+msgid "B<arptables> is a user space tool, it is used to set up and maintain the tables of ARP rules in the Linux kernel. These rules inspect the ARP frames which they see. B<arptables> is analogous to the B<iptables> user space tool, but B<arptables> is less complicated."
+msgstr ""
+
+#. type: SS
+#, no-wrap
+msgid "CHAINS"
+msgstr ""
+
+#. type: Plain text
+msgid "The kernel table is used to divide functionality into different sets of rules. Each set of rules is called a chain. Each chain is an ordered list of rules that can match ARP frames. If a rule matches an ARP frame, then a processing specification tells what to do with that matching frame. The processing specification is called a 'target'. However, if the frame does not match the current rule in the chain, then the next rule in the chain is examined and so forth. The user can create new (user-defined) chains which can be used as the 'target' of a rule."
+msgstr ""
+
+#. type: SS
+#, no-wrap
+msgid "TARGETS"
+msgstr ""
+
+#. type: Plain text
+msgid "A firewall rule specifies criteria for an ARP frame and a frame processing specification called a target. When a frame matches a rule, then the next action performed by the kernel is specified by the target. The target can be one of these values: I<ACCEPT>, I<DROP>, I<CONTINUE>, I<RETURN>, an 'extension' (see below) or a user-defined chain."
+msgstr ""
+
+#. type: Plain text
+msgid "I<ACCEPT> means to let the frame through. I<DROP> means the frame has to be dropped. I<CONTINUE> means the next rule has to be checked. This can be handy to know how many frames pass a certain point in the chain or to log those frames. I<RETURN> means stop traversing this chain and resume at the next rule in the previous (calling) chain. For the extension targets please see the B<TARGET EXTENSIONS> section of this man page."
+msgstr ""
+
+#. type: SS
+#, no-wrap
+msgid "TABLES"
+msgstr ""
+
+#. type: Plain text
+msgid "There is only one ARP table in the Linux kernel. The table is B<filter.> You can drop the '-t filter' argument to the arptables command. The -t argument must be the first argument on the arptables command line, if used."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-t, --table>"
+msgstr ""
+
+#. type: Plain text
+msgid "B<filter>, is the only table and contains two built-in chains: B<INPUT> (for frames destined for the host) and B<OUTPUT> (for locally-generated frames)."
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "ARPTABLES COMMAND LINE ARGUMENTS"
+msgstr ""
+
+#. type: Plain text
+msgid "After the initial arptables command line argument, the remaining arguments can be divided into several different groups. These groups are commands, miscellaneous commands, rule-specifications, match-extensions, and watcher-extensions."
+msgstr ""
+
+#. type: SS
+#, no-wrap
+msgid "COMMANDS"
+msgstr ""
+
+#. type: Plain text
+msgid "The arptables command arguments specify the actions to perform on the table defined with the -t argument. If you do not use the -t argument to name a table, the commands apply to the default filter table. With the exception of the B<-Z> command, only one command may be used on the command line at a time."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-A, --append>"
+msgstr ""
+
+#. type: Plain text
+msgid "Append a rule to the end of the selected chain."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-D, --delete>"
+msgstr ""
+
+#. type: Plain text
+msgid "Delete the specified rule from the selected chain. There are two ways to use this command. The first is by specifying an interval of rule numbers to delete, syntax: start_nr[:end_nr]. Using negative numbers is allowed, for more details about using negative numbers, see the -I command. The second usage is by specifying the complete rule as it would have been specified when it was added."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-I, --insert>"
+msgstr ""
+
+#. type: Plain text
+msgid "Insert the specified rule into the selected chain at the specified rule number. If the current number of rules equals N, then the specified number can be between -N and N+1. For a positive number i, it holds that i and i-N-1 specify the same place in the chain where the rule should be inserted. The number 0 specifies the place past the last rule in the chain and using this number is therefore equivalent with using the -A command."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-R, --replace>"
+msgstr ""
+
+#. type: Plain text
+msgid "Replaces the specified rule into the selected chain at the specified rule number. If the current number of rules equals N, then the specified number can be between 1 and N. i specifies the place in the chain where the rule should be replaced."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-P, --policy>"
+msgstr ""
+
+#. type: Plain text
+msgid "Set the policy for the chain to the given target. The policy can be B<ACCEPT>, B<DROP> or B<RETURN>."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-F, --flush>"
+msgstr ""
+
+#. type: Plain text
+msgid "Flush the selected chain. If no chain is selected, then every chain will be flushed. Flushing the chain does not change the policy of the chain, however."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-Z, --zero>"
+msgstr ""
+
+#. type: Plain text
+msgid "Set the counters of the selected chain to zero. If no chain is selected, all the counters are set to zero. The B<-Z> command can be used in conjunction with the B<-L> command. When both the B<-Z> and B<-L> commands are used together in this way, the rule counters are printed on the screen before they are set to zero."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-L, --list>"
+msgstr ""
+
+#. type: Plain text
+msgid "List all rules in the selected chain. If no chain is selected, all chains are listed."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-N, --new-chain>"
+msgstr ""
+
+#. type: Plain text
+msgid "Create a new user-defined chain with the given name. The number of user-defined chains is unlimited. A user-defined chain name has maximum length of 31 characters."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-X, --delete-chain>"
+msgstr ""
+
+#. type: Plain text
+msgid "Delete the specified user-defined chain. There must be no remaining references to the specified chain, otherwise B<arptables> will refuse to delete it. If no chain is specified, all user-defined chains that aren't referenced will be removed."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-E, --rename-chain>"
+msgstr ""
+
+#. type: Plain text
+msgid "Rename the specified chain to a new name. Besides renaming a user-defined chain, you may rename a standard chain name to a name that suits your taste. For example, if you like PREBRIDGING more than PREROUTING, then you can use the -E command to rename the PREROUTING chain. If you do rename one of the standard B<arptables> chain names, please be sure to mention this fact should you post a question on the B<arptables> mailing lists. It would be wise to use the standard name in your post. Renaming a standard B<arptables> chain in this fashion has no effect on the structure or function of the B<arptables> kernel table."
+msgstr ""
+
+#. type: SS
+#, no-wrap
+msgid "MISCELLANOUS COMMANDS"
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-V, --version>"
+msgstr ""
+
+#. type: Plain text
+msgid "Show the version of the arptables userspace program."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-h, --help>"
+msgstr ""
+
+#. type: Plain text
+msgid "Give a brief description of the command syntax."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-j, --jump >I<target>"
+msgstr ""
+
+#. type: Plain text
+msgid "The target of the rule. This is one of the following values: B<ACCEPT>, B<DROP>, B<CONTINUE>, B<RETURN>, a target extension (see B<TARGET EXTENSIONS>) or a user-defined chain name."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-c, --set-counters >I<PKTS BYTES>"
+msgstr ""
+
+#. type: Plain text
+msgid "This enables the administrator to initialize the packet and byte counters of a rule (during B<INSERT,> B<APPEND,> B<REPLACE> operations)."
+msgstr ""
+
+#. type: SS
+#, no-wrap
+msgid "RULE-SPECIFICATIONS"
+msgstr ""
+
+#. type: Plain text
+msgid "The following command line arguments make up a rule specification (as used in the add and delete commands). A \"!\" option before the specification inverts the test for that specification. Apart from these standard rule specifications there are some other command line arguments of interest."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-s, --source-ip >[!] I<address>[/I<mask]>"
+msgstr ""
+
+#. type: Plain text
+msgid "The Source IP specification."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-d, --destination-ip >[!] I<address>[/I<mask]>"
+msgstr ""
+
+#. type: Plain text
+msgid "The Destination IP specification."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--source-mac >[!] I<address>[/I<mask>]"
+msgstr ""
+
+#. type: Plain text
+msgid "The source mac address. Both mask and address are written as 6 hexadecimal numbers separated by colons."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--destination-mac >[!] I<address>[/I<mask>]"
+msgstr ""
+
+#. type: Plain text
+msgid "The destination mac address. Both mask and address are written as 6 hexadecimal numbers separated by colons."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-i, --in-interface >[!] I<name>"
+msgstr ""
+
+#. type: Plain text
+msgid "The interface via which a frame is received (for the B<INPUT> chain). The flag B<--in-if> is an alias for this option."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-o, --out-interface >[!] I<name>"
+msgstr ""
+
+#. type: Plain text
+msgid "The interface via which a frame is going to be sent (for the B<OUTPUT> chain). The flag B<--out-if> is an alias for this option."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-l, --h-length >I<length>[/I<mask>]"
+msgstr ""
+
+#. type: Plain text
+msgid "The hardware length (nr of bytes)"
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--opcode >I<code>[/I<mask>]"
+msgstr ""
+
+#. type: Plain text
+msgid "The operation code (2 bytes). Available values are: B<1>=B<Request> B<2>=B<Reply> B<3>=B<Request_Reverse> B<4>=B<Reply_Reverse> B<5>=B<DRARP_Request> B<6>=B<DRARP_Reply> B<7>=B<DRARP_Error> B<8>=B<InARP_Request> B<9>=B<ARP_NAK>."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--h-type >I<type>[/I<mask>]"
+msgstr ""
+
+#. type: Plain text
+msgid "The hardware type (2 bytes, hexadecimal). Available values are: B<1>=B<Ethernet>."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--proto-type >I<type>[/I<mask>]"
+msgstr ""
+
+#. type: Plain text
+msgid "The protocol type (2 bytes). Available values are: B<0x800>=B<IPv4>."
+msgstr ""
+
+#. type: SS
+#, no-wrap
+msgid "TARGET-EXTENSIONS"
+msgstr ""
+
+#. type: Plain text
+msgid "B<arptables> extensions are precompiled into the userspace tool. So there is no need to explicitly load them with a -m option like in B<iptables>. However, these extensions deal with functionality supported by supplemental kernel modules."
+msgstr ""
+
+#. type: SS
+#, no-wrap
+msgid "mangle"
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--mangle-ip-s IP address>"
+msgstr ""
+
+#. type: Plain text
+msgid "Mangles Source IP Address to given value."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--mangle-ip-d IP address>"
+msgstr ""
+
+#. type: Plain text
+msgid "Mangles Destination IP Address to given value."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--mangle-mac-s MAC address>"
+msgstr ""
+
+#. type: Plain text
+msgid "Mangles Source MAC Address to given value."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--mangle-mac-d MAC address>"
+msgstr ""
+
+#. type: Plain text
+msgid "Mangles Destination MAC Address to given value."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--mangle-target target >"
+msgstr ""
+
+#. type: Plain text
+msgid "Target of ARP mangle operation (B<DROP>, B<CONTINUE> or B<ACCEPT> -- default is B<ACCEPT>)."
+msgstr ""
+
+#. type: SS
+#, no-wrap
+msgid "CLASSIFY"
+msgstr ""
+
+#. type: Plain text
+msgid "This module allows you to set the skb-E<gt>priority value (and thus clas- sify the packet into a specific CBQ class)."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--set-class major:minor>"
+msgstr ""
+
+#. type: Plain text
+msgid "Set the major and minor class value. The values are always interpreted as hexadecimal even if no 0x prefix is given."
+msgstr ""
+
+#. type: SS
+#, no-wrap
+msgid "MARK"
+msgstr ""
+
+#. type: Plain text
+msgid "This module allows you to set the skb-E<gt>mark value (and thus classify the packet by the mark in u32)"
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--set-mark mark>"
+msgstr ""
+
+#. type: Plain text
+msgid "Set the mark value. The values are always interpreted as hexadecimal even if no 0x prefix is given"
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--and-mark mark>"
+msgstr ""
+
+#. type: Plain text
+msgid "Binary AND the mark with bits."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--or-mark mark>"
+msgstr ""
+
+#. type: Plain text
+msgid "Binary OR the mark with bits."
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "NOTES"
+msgstr ""
+
+#. type: Plain text
+msgid "In this nft-based version of B<arptables>, support for B<FORWARD> chain has not been implemented. Since ARP packets are \"forwarded\" only by Linux bridges, the same may be achieved using B<FORWARD> chain in B<ebtables>."
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "MAILINGLISTS"
+msgstr ""
+
+#. type: Plain text
+msgid "See B<http://netfilter.org/mailinglists.html>"
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "SEE ALSO"
+msgstr ""
+
+#. type: Plain text
+msgid "B<xtables-nft>(8), B<iptables>(8), B<ebtables>(8), B<ip>(8)"
+msgstr ""
+
+#. type: Plain text
+msgid "See B<https://wiki.nftables.org>"
+msgstr ""
--- /dev/null
+# SOME DESCRIPTIVE TITLE
+# Copyright (C) YEAR Free Software Foundation, Inc.
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"POT-Creation-Date: 2021-03-24 13:11+0900\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. type: TH
+#, no-wrap
+msgid "EBTABLES"
+msgstr ""
+
+#. type: TH
+#, no-wrap
+msgid "December 2011"
+msgstr ""
+
+#
+#
+#
+#
+#
+#
+#. Man page written by Bart De Schuymer <bdschuym@pandora.be>
+#. It is based on the iptables man page.
+#. The man page was edited, February 25th 2003, by
+#. Greg Morgan <" dr_kludge_at_users_sourceforge_net >
+#. Iptables page by Herve Eychenne March 2000.
+#. This program is free software; you can redistribute it and/or modify
+#. it under the terms of the GNU General Public License as published by
+#. the Free Software Foundation; either version 2 of the License, or
+#. (at your option) any later version.
+#. This program is distributed in the hope that it will be useful,
+#. but WITHOUT ANY WARRANTY; without even the implied warranty of
+#. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#. GNU General Public License for more details.
+#. You should have received a copy of the GNU General Public License
+#. along with this program; if not, write to the Free Software
+#. Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#. type: SH
+#, no-wrap
+msgid "NAME"
+msgstr ""
+
+#. type: Plain text
+msgid "ebtables - Ethernet bridge frame table administration (nft-based)"
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "SYNOPSIS"
+msgstr ""
+
+#. type: Plain text
+msgid "B<ebtables >[B<-t> table ] B<->[B<ACDI>] chain rule specification [match extensions] [watcher extensions] target"
+msgstr ""
+
+#. type: Plain text
+msgid "B<ebtables >[B<-t> table ] B<-P> chain B<ACCEPT> | B<DROP> | B<RETURN>"
+msgstr ""
+
+#. type: Plain text
+msgid "B<ebtables >[B<-t> table ] B<-F> [chain]"
+msgstr ""
+
+#. type: Plain text
+msgid "B<ebtables >[B<-t> table ] B<-Z> [chain]"
+msgstr ""
+
+#. type: Plain text
+msgid "B<ebtables >[B<-t> table ] B<-L> [B<-Z>] [chain] [ [B<--Ln>] | [B<--Lx>] ] [B<--Lc>] [B<--Lmac2>]"
+msgstr ""
+
+#. type: Plain text
+msgid "B<ebtables >[B<-t> table ] B<-N> chain [B<-P ACCEPT >|B< DROP >|B< RETURN>]"
+msgstr ""
+
+#. type: Plain text
+msgid "B<ebtables >[B<-t> table ] B<-X> [chain]"
+msgstr ""
+
+#. type: Plain text
+msgid "B<ebtables >[B<-t> table ] B<-E> old-chain-name new-chain-name"
+msgstr ""
+
+#. type: Plain text
+msgid "B<ebtables >[B<-t> table ] B<--init-table>"
+msgstr ""
+
+#. type: Plain text
+msgid "B<ebtables >[B<-t> table ] [B<--atomic-file> file] B<--atomic-commit>"
+msgstr ""
+
+#. type: Plain text
+msgid "B<ebtables >[B<-t> table ] [B<--atomic-file> file] B<--atomic-init>"
+msgstr ""
+
+#. type: Plain text
+msgid "B<ebtables >[B<-t> table ] [B<--atomic-file> file] B<--atomic-save>"
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "DESCRIPTION"
+msgstr ""
+
+#. type: Plain text
+msgid "B<ebtables> is an application program used to set up and maintain the tables of rules (inside the Linux kernel) that inspect Ethernet frames. It is analogous to the B<iptables> application, but less complicated, due to the fact that the Ethernet protocol is much simpler than the IP protocol."
+msgstr ""
+
+#. type: SS
+#, no-wrap
+msgid "CHAINS"
+msgstr ""
+
+#. type: Plain text
+msgid "There are two ebtables tables with built-in chains in the Linux kernel. These tables are used to divide functionality into different sets of rules. Each set of rules is called a chain. Each chain is an ordered list of rules that can match Ethernet frames. If a rule matches an Ethernet frame, then a processing specification tells what to do with that matching frame. The processing specification is called a 'target'. However, if the frame does not match the current rule in the chain, then the next rule in the chain is examined and so forth. The user can create new (user-defined) chains that can be used as the 'target' of a rule. User-defined chains are very useful to get better performance over the linear traversal of the rules and are also essential for structuring the filtering rules into well-organized and maintainable sets of rules."
+msgstr ""
+
+#. type: SS
+#, no-wrap
+msgid "TARGETS"
+msgstr ""
+
+#. type: Plain text
+msgid "A firewall rule specifies criteria for an Ethernet frame and a frame processing specification called a target. When a frame matches a rule, then the next action performed by the kernel is specified by the target. The target can be one of these values: B<ACCEPT>, B<DROP>, B<CONTINUE>, B<RETURN>, an 'extension' (see below) or a jump to a user-defined chain."
+msgstr ""
+
+#. type: Plain text
+msgid "B<ACCEPT> means to let the frame through. B<DROP> means the frame has to be dropped. B<CONTINUE> means the next rule has to be checked. This can be handy, f.e., to know how many frames pass a certain point in the chain, to log those frames or to apply multiple targets on a frame. B<RETURN> means stop traversing this chain and resume at the next rule in the previous (calling) chain. For the extension targets please refer to the B<TARGET EXTENSIONS> section of this man page."
+msgstr ""
+
+#. type: SS
+#, no-wrap
+msgid "TABLES"
+msgstr ""
+
+#. type: Plain text
+msgid "As stated earlier, there are two ebtables tables in the Linux kernel. The table names are B<filter> and B<nat>. Of these two tables, the filter table is the default table that the command operates on. If you are working with the filter table, then you can drop the '-t filter' argument to the ebtables command. However, you will need to provide the -t argument for B<nat> table. Moreover, the -t argument must be the first argument on the ebtables command line, if used."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-t, --table>"
+msgstr ""
+
+#. type: Plain text
+msgid "B<filter> is the default table and contains three built-in chains: B<INPUT> (for frames destined for the bridge itself, on the level of the MAC destination address), B<OUTPUT> (for locally-generated or (b)routed frames) and B<FORWARD> (for frames being forwarded by the bridge)."
+msgstr ""
+
+#. type: Plain text
+msgid "B<nat> is mostly used to change the mac addresses and contains three built-in chains: B<PREROUTING> (for altering frames as soon as they come in), B<OUTPUT> (for altering locally generated or (b)routed frames before they are bridged) and B<POSTROUTING> (for altering frames as they are about to go out). A small note on the naming of chains PREROUTING and POSTROUTING: it would be more accurate to call them PREFORWARDING and POSTFORWARDING, but for all those who come from the iptables world to ebtables it is easier to have the same names. Note that you can change the name (B<-E>) if you don't like the default."
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "EBTABLES COMMAND LINE ARGUMENTS"
+msgstr ""
+
+#. type: Plain text
+msgid "After the initial ebtables '-t table' command line argument, the remaining arguments can be divided into several groups. These groups are commands, miscellaneous commands, rule specifications, match extensions, watcher extensions and target extensions."
+msgstr ""
+
+#. type: SS
+#, no-wrap
+msgid "COMMANDS"
+msgstr ""
+
+#. type: Plain text
+msgid "The ebtables command arguments specify the actions to perform on the table defined with the -t argument. If you do not use the -t argument to name a table, the commands apply to the default filter table. Only one command may be used on the command line at a time, except when the commands B<-L> and B<-Z> are combined, the commands B<-N> and B<-P> are combined, or when B<--atomic-file> is used."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-A, --append>"
+msgstr ""
+
+#. type: Plain text
+msgid "Append a rule to the end of the selected chain."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-D, --delete>"
+msgstr ""
+
+#. type: Plain text
+msgid "Delete the specified rule or rules from the selected chain. There are two ways to use this command. The first is by specifying an interval of rule numbers to delete (directly after B<-D>). Syntax: I<start_nr>[I<:end_nr>] (use B<-L --Ln> to list the rules with their rule number). When I<end_nr> is omitted, all rules starting from I<start_nr> are deleted. Using negative numbers is allowed, for more details about using negative numbers, see the B<-I> command. The second usage is by specifying the complete rule as it would have been specified when it was added. Only the first encountered rule that is the same as this specified rule, in other words the matching rule with the lowest (positive) rule number, is deleted."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-C, --change-counters>"
+msgstr ""
+
+#. type: Plain text
+msgid "Change the counters of the specified rule or rules from the selected chain. There are two ways to use this command. The first is by specifying an interval of rule numbers to do the changes on (directly after B<-C>). Syntax: I<start_nr>[I<:end_nr>] (use B<-L --Ln> to list the rules with their rule number). The details are the same as for the B<-D> command. The second usage is by specifying the complete rule as it would have been specified when it was added. Only the counters of the first encountered rule that is the same as this specified rule, in other words the matching rule with the lowest (positive) rule number, are changed. In the first usage, the counters are specified directly after the interval specification, in the second usage directly after B<-C>. First the packet counter is specified, then the byte counter. If the specified counters start with a '+', the counter values are added to the respective current counter values. If the specified counters start with a '-', the counter values are decreased from the respective current counter values. No bounds checking is done. If the counters don't start with '+' or '-', the current counters are changed to the specified counters."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-I, --insert>"
+msgstr ""
+
+#. type: Plain text
+msgid "Insert the specified rule into the selected chain at the specified rule number. If the rule number is not specified, the rule is added at the head of the chain. If the current number of rules equals I<N>, then the specified number can be between I<-N> and I<N+1>. For a positive number I<i>, it holds that I<i> and I<i-N-1> specify the same place in the chain where the rule should be inserted. The rule number 0 specifies the place past the last rule in the chain and using this number is therefore equivalent to using the B<-A> command. Rule numbers structly smaller than 0 can be useful when more than one rule needs to be inserted in a chain."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-P, --policy>"
+msgstr ""
+
+#. type: Plain text
+msgid "Set the policy for the chain to the given target. The policy can be B<ACCEPT>, B<DROP> or B<RETURN>."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-F, --flush>"
+msgstr ""
+
+#. type: Plain text
+msgid "Flush the selected chain. If no chain is selected, then every chain will be flushed. Flushing a chain does not change the policy of the chain, however."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-Z, --zero>"
+msgstr ""
+
+#. type: Plain text
+msgid "Set the counters of the selected chain to zero. If no chain is selected, all the counters are set to zero. The B<-Z> command can be used in conjunction with the B<-L> command. When both the B<-Z> and B<-L> commands are used together in this way, the rule counters are printed on the screen before they are set to zero."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-L, --list>"
+msgstr ""
+
+#. type: Plain text
+msgid "List all rules in the selected chain. If no chain is selected, all chains are listed."
+msgstr ""
+
+#. type: Plain text
+msgid "The following options change the output of the B<-L> command."
+msgstr ""
+
+#. type: Plain text
+msgid "B<--Ln>"
+msgstr ""
+
+#. type: Plain text
+msgid "Places the rule number in front of every rule. This option is incompatible with the B<--Lx> option."
+msgstr ""
+
+#. type: Plain text
+msgid "B<--Lc>"
+msgstr ""
+
+#. type: Plain text
+msgid "Shows the counters at the end of each rule displayed by the B<-L> command. Both a frame counter (pcnt) and a byte counter (bcnt) are displayed. The frame counter shows how many frames have matched the specific rule, the byte counter shows the sum of the frame sizes of these matching frames. Using this option in combination with the B<--Lx> option causes the counters to be written out in the 'B<-c> E<lt>pcntE<gt> E<lt>bcntE<gt>' option format."
+msgstr ""
+
+#. type: Plain text
+msgid "B<--Lx>"
+msgstr ""
+
+#. type: Plain text
+msgid "Changes the output so that it produces a set of ebtables commands that construct the contents of the chain, when specified. If no chain is specified, ebtables commands to construct the contents of the table are given, including commands for creating the user-defined chains (if any). You can use this set of commands in an ebtables boot or reload script. For example the output could be used at system startup. The B<--Lx> option is incompatible with the B<--Ln> listing option. Using the B<--Lx> option together with the B<--Lc> option will cause the counters to be written out in the 'B<-c> E<lt>pcntE<gt> E<lt>bcntE<gt>' option format."
+msgstr ""
+
+#. type: Plain text
+msgid "B<--Lmac2>"
+msgstr ""
+
+#. type: Plain text
+msgid "Shows all MAC addresses with the same length, adding leading zeroes if necessary. The default representation omits leading zeroes in the addresses."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-N, --new-chain>"
+msgstr ""
+
+#. type: Plain text
+msgid "Create a new user-defined chain with the given name. The number of user-defined chains is limited only by the number of possible chain names. A user-defined chain name has a maximum length of 31 characters. The standard policy of the user-defined chain is ACCEPT. The policy of the new chain can be initialized to a different standard target by using the B<-P> command together with the B<-N> command. In this case, the chain name does not have to be specified for the B<-P> command."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-X, --delete-chain>"
+msgstr ""
+
+#. type: Plain text
+msgid "Delete the specified user-defined chain. There must be no remaining references (jumps) to the specified chain, otherwise ebtables will refuse to delete it. If no chain is specified, all user-defined chains that aren't referenced will be removed."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-E, --rename-chain>"
+msgstr ""
+
+#. type: Plain text
+msgid "Rename the specified chain to a new name. Besides renaming a user-defined chain, you can rename a standard chain to a name that suits your taste. For example, if you like PREFORWARDING more than PREROUTING, then you can use the -E command to rename the PREROUTING chain. If you do rename one of the standard ebtables chain names, please be sure to mention this fact should you post a question on the ebtables mailing lists. It would be wise to use the standard name in your post. Renaming a standard ebtables chain in this fashion has no effect on the structure or functioning of the ebtables kernel table."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--init-table>"
+msgstr ""
+
+#. type: Plain text
+msgid "Replace the current table data by the initial table data."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--atomic-init>"
+msgstr ""
+
+#. type: Plain text
+msgid "Copy the kernel's initial data of the table to the specified file. This can be used as the first action, after which rules are added to the file. The file can be specified using the B<--atomic-file> command or through the I<EBTABLES_ATOMIC_FILE> environment variable."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--atomic-save>"
+msgstr ""
+
+#. type: Plain text
+msgid "Copy the kernel's current data of the table to the specified file. This can be used as the first action, after which rules are added to the file. The file can be specified using the B<--atomic-file> command or through the I<EBTABLES_ATOMIC_FILE> environment variable."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--atomic-commit>"
+msgstr ""
+
+#. type: Plain text
+msgid "Replace the kernel table data with the data contained in the specified file. This is a useful command that allows you to load all your rules of a certain table into the kernel at once, saving the kernel a lot of precious time and allowing atomic updates of the tables. The file which contains the table data is constructed by using either the B<--atomic-init> or the B<--atomic-save> command to generate a starting file. After that, using the B<--atomic-file> command when constructing rules or setting the I<EBTABLES_ATOMIC_FILE> environment variable allows you to extend the file and build the complete table before committing it to the kernel. This command can be very useful in boot scripts to populate the ebtables tables in a fast way."
+msgstr ""
+
+#. type: SS
+#, no-wrap
+msgid "MISCELLANOUS COMMANDS"
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-V, --version>"
+msgstr ""
+
+#. type: Plain text
+msgid "Show the version of the ebtables userspace program."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-h, --help >[I<list of module names>]"
+msgstr ""
+
+#. type: Plain text
+msgid "Give a brief description of the command syntax. Here you can also specify names of extensions and ebtables will try to write help about those extensions. E.g. I<ebtables -h snat log ip arp>. Specify I<list_extensions> to list all extensions supported by the userspace utility."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-j, --jump >I<target>"
+msgstr ""
+
+#. type: Plain text
+msgid "The target of the rule. This is one of the following values: B<ACCEPT>, B<DROP>, B<CONTINUE>, B<RETURN>, a target extension (see B<TARGET EXTENSIONS>) or a user-defined chain name."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--atomic-file >I<file>"
+msgstr ""
+
+#. type: Plain text
+msgid "Let the command operate on the specified I<file>. The data of the table to operate on will be extracted from the file and the result of the operation will be saved back into the file. If specified, this option should come before the command specification. An alternative that should be preferred, is setting the I<EBTABLES_ATOMIC_FILE> environment variable."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-M, --modprobe >I<program>"
+msgstr ""
+
+#. type: Plain text
+msgid "When talking to the kernel, use this I<program> to try to automatically load missing kernel modules."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--concurrent>"
+msgstr ""
+
+#. type: Plain text
+msgid "Use a file lock to support concurrent scripts updating the ebtables kernel tables."
+msgstr ""
+
+#. type: SS
+#, no-wrap
+msgid "RULE SPECIFICATIONS"
+msgstr ""
+
+#. type: Plain text
+msgid "The following command line arguments make up a rule specification (as used in the add and delete commands). A \"!\" option before the specification inverts the test for that specification. Apart from these standard rule specifications there are some other command line arguments of interest. See both the B<MATCH EXTENSIONS> and the B<WATCHER EXTENSIONS> below."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-p, --protocol >[!] I<protocol>"
+msgstr ""
+
+#. type: Plain text
+msgid "The protocol that was responsible for creating the frame. This can be a hexadecimal number, above I<0x0600>, a name (e.g. I<ARP> ) or B<LENGTH>. The protocol field of the Ethernet frame can be used to denote the length of the header (802.2/802.3 networks). When the value of that field is below or equals I<0x0600>, the value equals the size of the header and shouldn't be used as a protocol number. Instead, all frames where the protocol field is used as the length field are assumed to be of the same 'protocol'. The protocol name used in ebtables for these frames is B<LENGTH>."
+msgstr ""
+
+#. type: Plain text
+msgid "The file B</etc/ethertypes> can be used to show readable characters instead of hexadecimal numbers for the protocols. For example, I<0x0800> will be represented by I<IPV4>. The use of this file is not case sensitive. See that file for more information. The flag B<--proto> is an alias for this option."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-i, --in-interface >[!] I<name>"
+msgstr ""
+
+#. type: Plain text
+msgid "The interface (bridge port) via which a frame is received (this option is useful in the B<INPUT>, B<FORWARD>, B<PREROUTING> and B<BROUTING> chains). If the interface name ends with '+', then any interface name that begins with this name (disregarding '+') will match. The flag B<--in-if> is an alias for this option."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--logical-in >[!] I<name>"
+msgstr ""
+
+#. type: Plain text
+msgid "The (logical) bridge interface via which a frame is received (this option is useful in the B<INPUT>, B<FORWARD>, B<PREROUTING> and B<BROUTING> chains). If the interface name ends with '+', then any interface name that begins with this name (disregarding '+') will match."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-o, --out-interface >[!] I<name>"
+msgstr ""
+
+#. type: Plain text
+msgid "The interface (bridge port) via which a frame is going to be sent (this option is useful in the B<OUTPUT>, B<FORWARD> and B<POSTROUTING> chains). If the interface name ends with '+', then any interface name that begins with this name (disregarding '+') will match. The flag B<--out-if> is an alias for this option."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--logical-out >[!] I<name>"
+msgstr ""
+
+#. type: Plain text
+msgid "The (logical) bridge interface via which a frame is going to be sent (this option is useful in the B<OUTPUT>, B<FORWARD> and B<POSTROUTING> chains). If the interface name ends with '+', then any interface name that begins with this name (disregarding '+') will match."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-s, --source >[!] I<address>[/I<mask>]"
+msgstr ""
+
+#. type: Plain text
+msgid "The source MAC address. Both mask and address are written as 6 hexadecimal numbers separated by colons. Alternatively one can specify Unicast, Multicast, Broadcast or BGA (Bridge Group Address):"
+msgstr ""
+
+#. type: Plain text
+msgid "I<Unicast>=00:00:00:00:00:00/01:00:00:00:00:00, I<Multicast>=01:00:00:00:00:00/01:00:00:00:00:00, I<Broadcast>=ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff or I<BGA>=01:80:c2:00:00:00/ff:ff:ff:ff:ff:ff. Note that a broadcast address will also match the multicast specification. The flag B<--src> is an alias for this option."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-d, --destination >[!] I<address>[/I<mask>]"
+msgstr ""
+
+#. type: Plain text
+msgid "The destination MAC address. See B<-s> (above) for more details on MAC addresses. The flag B<--dst> is an alias for this option."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-c, --set-counter >I<pcnt bcnt>"
+msgstr ""
+
+#. type: Plain text
+msgid "If used with B<-A> or B<-I>, then the packet and byte counters of the new rule will be set to I<pcnt>, resp. I<bcnt>. If used with the B<-C> or B<-D> commands, only rules with a packet and byte count equal to I<pcnt>, resp. I<bcnt> will match."
+msgstr ""
+
+#. type: SS
+#, no-wrap
+msgid "MATCH EXTENSIONS"
+msgstr ""
+
+#. type: Plain text
+msgid "Ebtables extensions are dynamically loaded into the userspace tool, there is therefore no need to explicitly load them with a -m option like is done in iptables. These extensions deal with functionality supported by kernel modules supplemental to the core ebtables code."
+msgstr ""
+
+#. type: SS
+#, no-wrap
+msgid "802_3"
+msgstr ""
+
+#. type: Plain text
+msgid "Specify 802.3 DSAP/SSAP fields or SNAP type. The protocol must be specified as I<LENGTH >(see the option I< -p >above)."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--802_3-sap >[!] I<sap>"
+msgstr ""
+
+#. type: Plain text
+msgid "DSAP and SSAP are two one byte 802.3 fields. The bytes are always equal, so only one byte (hexadecimal) is needed as an argument."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--802_3-type >[!] I<type>"
+msgstr ""
+
+#. type: Plain text
+msgid "If the 802.3 DSAP and SSAP values are 0xaa then the SNAP type field must be consulted to determine the payload protocol. This is a two byte (hexadecimal) argument. Only 802.3 frames with DSAP/SSAP 0xaa are checked for type."
+msgstr ""
+
+#. type: SS
+#, no-wrap
+msgid "among"
+msgstr ""
+
+#. type: Plain text
+msgid "Match a MAC address or MAC/IP address pair versus a list of MAC addresses and MAC/IP address pairs. A list entry has the following format: I<xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,]>. Multiple list entries are separated by a comma, specifying an IP address corresponding to the MAC address is optional. Multiple MAC/IP address pairs with the same MAC address but different IP address (and vice versa) can be specified. If the MAC address doesn't match any entry from the list, the frame doesn't match the rule (unless \"!\" was used)."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--among-dst >[!] I<list>"
+msgstr ""
+
+#. type: Plain text
+msgid "Compare the MAC destination to the given list. If the Ethernet frame has type I<IPv4> or I<ARP>, then comparison with MAC/IP destination address pairs from the list is possible."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--among-src >[!] I<list>"
+msgstr ""
+
+#. type: Plain text
+msgid "Compare the MAC source to the given list. If the Ethernet frame has type I<IPv4> or I<ARP>, then comparison with MAC/IP source address pairs from the list is possible."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--among-dst-file >[!] I<file>"
+msgstr ""
+
+#. type: Plain text
+msgid "Same as B<--among-dst> but the list is read in from the specified file."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--among-src-file >[!] I<file>"
+msgstr ""
+
+#. type: Plain text
+msgid "Same as B<--among-src> but the list is read in from the specified file."
+msgstr ""
+
+#. type: Plain text
+msgid "Note that in this implementation of ebtables, among lists uses must be internally homogeneous regarding whether IP addresses are present or not. Mixed use of MAC addresses and MAC/IP address pairs is not supported yet."
+msgstr ""
+
+#. type: SS
+#, no-wrap
+msgid "arp"
+msgstr ""
+
+#. type: Plain text
+msgid "Specify (R)ARP fields. The protocol must be specified as I<ARP> or I<RARP>."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--arp-opcode >[!] I<opcode>"
+msgstr ""
+
+#. type: Plain text
+msgid "The (R)ARP opcode (decimal or a string, for more details see B<ebtables -h arp>)."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--arp-htype >[!] I<hardware type>"
+msgstr ""
+
+#. type: Plain text
+msgid "The hardware type, this can be a decimal or the string I<Ethernet> (which sets I<type> to 1). Most (R)ARP packets have Eternet as hardware type."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--arp-ptype >[!] I<protocol type>"
+msgstr ""
+
+#. type: Plain text
+msgid "The protocol type for which the (r)arp is used (hexadecimal or the string I<IPv4>, denoting 0x0800). Most (R)ARP packets have protocol type IPv4."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--arp-ip-src >[!] I<address>[/I<mask>]"
+msgstr ""
+
+#. type: Plain text
+msgid "The (R)ARP IP source address specification."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--arp-ip-dst >[!] I<address>[/I<mask>]"
+msgstr ""
+
+#. type: Plain text
+msgid "The (R)ARP IP destination address specification."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--arp-mac-src >[!] I<address>[/I<mask>]"
+msgstr ""
+
+#. type: Plain text
+msgid "The (R)ARP MAC source address specification."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--arp-mac-dst >[!] I<address>[/I<mask>]"
+msgstr ""
+
+#. type: Plain text
+msgid "The (R)ARP MAC destination address specification."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "[!]B< --arp-gratuitous>"
+msgstr ""
+
+#. type: Plain text
+msgid "Checks for ARP gratuitous packets: checks equality of IPv4 source address and IPv4 destination address inside the ARP header."
+msgstr ""
+
+#. type: SS
+#, no-wrap
+msgid "ip"
+msgstr ""
+
+#. type: Plain text
+msgid "Specify IPv4 fields. The protocol must be specified as I<IPv4>."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--ip-source >[!] I<address>[/I<mask>]"
+msgstr ""
+
+#. type: Plain text
+msgid "The source IP address. The flag B<--ip-src> is an alias for this option."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--ip-destination >[!] I<address>[/I<mask>]"
+msgstr ""
+
+#. type: Plain text
+msgid "The destination IP address. The flag B<--ip-dst> is an alias for this option."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--ip-tos >[!] I<tos>"
+msgstr ""
+
+#. type: Plain text
+msgid "The IP type of service, in hexadecimal numbers. B<IPv4>."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--ip-protocol >[!] I<protocol>"
+msgstr ""
+
+#. type: Plain text
+msgid "The IP protocol. The flag B<--ip-proto> is an alias for this option."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--ip-source-port >[!] I<port1>[:I<port2>]"
+msgstr ""
+
+#. type: Plain text
+msgid "The source port or port range for the IP protocols 6 (TCP), 17 (UDP), 33 (DCCP) or 132 (SCTP). The B<--ip-protocol> option must be specified as I<TCP>, I<UDP>, I<DCCP> or I<SCTP>. If I<port1> is omitted, I<0:port2> is used; if I<port2> is omitted but a colon is specified, I<port1:65535> is used. The flag B<--ip-sport> is an alias for this option."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--ip-destination-port >[!] I<port1>[:I<port2>]"
+msgstr ""
+
+#. type: Plain text
+msgid "The destination port or port range for ip protocols 6 (TCP), 17 (UDP), 33 (DCCP) or 132 (SCTP). The B<--ip-protocol> option must be specified as I<TCP>, I<UDP>, I<DCCP> or I<SCTP>. If I<port1> is omitted, I<0:port2> is used; if I<port2> is omitted but a colon is specified, I<port1:65535> is used. The flag B<--ip-dport> is an alias for this option."
+msgstr ""
+
+#. type: SS
+#, no-wrap
+msgid "ip6"
+msgstr ""
+
+#. type: Plain text
+msgid "Specify IPv6 fields. The protocol must be specified as I<IPv6>."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--ip6-source >[!] I<address>[/I<mask>]"
+msgstr ""
+
+#. type: Plain text
+msgid "The source IPv6 address. The flag B<--ip6-src> is an alias for this option."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--ip6-destination >[!] I<address>[/I<mask>]"
+msgstr ""
+
+#. type: Plain text
+msgid "The destination IPv6 address. The flag B<--ip6-dst> is an alias for this option."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--ip6-tclass >[!] I<tclass>"
+msgstr ""
+
+#. type: Plain text
+msgid "The IPv6 traffic class, in hexadecimal numbers."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--ip6-protocol >[!] I<protocol>"
+msgstr ""
+
+#. type: Plain text
+msgid "The IP protocol. The flag B<--ip6-proto> is an alias for this option."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--ip6-source-port >[!] I<port1>[:I<port2>]"
+msgstr ""
+
+#. type: Plain text
+msgid "The source port or port range for the IPv6 protocols 6 (TCP), 17 (UDP), 33 (DCCP) or 132 (SCTP). The B<--ip6-protocol> option must be specified as I<TCP>, I<UDP>, I<DCCP> or I<SCTP>. If I<port1> is omitted, I<0:port2> is used; if I<port2> is omitted but a colon is specified, I<port1:65535> is used. The flag B<--ip6-sport> is an alias for this option."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--ip6-destination-port >[!] I<port1>[:I<port2>]"
+msgstr ""
+
+#. type: Plain text
+msgid "The destination port or port range for IPv6 protocols 6 (TCP), 17 (UDP), 33 (DCCP) or 132 (SCTP). The B<--ip6-protocol> option must be specified as I<TCP>, I<UDP>, I<DCCP> or I<SCTP>. If I<port1> is omitted, I<0:port2> is used; if I<port2> is omitted but a colon is specified, I<port1:65535> is used. The flag B<--ip6-dport> is an alias for this option."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--ip6-icmp-type >[!] {I<type>[:I<type>]/I<code>[:I<code>]|I<typename>}"
+msgstr ""
+
+#. type: Plain text
+msgid "Specify ipv6-icmp type and code to match. Ranges for both type and code are supported. Type and code are separated by a slash. Valid numbers for type and range are 0 to 255. To match a single type including all valid codes, symbolic names can be used instead of numbers. The list of known type names is shown by the command"
+msgstr ""
+
+#. type: Plain text
+#, no-wrap
+msgid " ebtables --help ip6\n"
+msgstr ""
+
+#. type: Plain text
+msgid "This option is only valid for --ip6-prococol ipv6-icmp."
+msgstr ""
+
+#. type: SS
+#, no-wrap
+msgid "limit"
+msgstr ""
+
+#. type: Plain text
+msgid "This module matches at a limited rate using a token bucket filter. A rule using this extension will match until this limit is reached. It can be used with the B<--log> watcher to give limited logging, for example. Its use is the same as the limit match of iptables."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--limit >[I<value>]"
+msgstr ""
+
+#. type: Plain text
+msgid "Maximum average matching rate: specified as a number, with an optional I</second>, I</minute>, I</hour>, or I</day> suffix; the default is I<3/hour>."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--limit-burst >[I<number>]"
+msgstr ""
+
+#. type: Plain text
+msgid "Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is I<5>."
+msgstr ""
+
+#. type: SS
+#, no-wrap
+msgid "mark_m"
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--mark >[!] [I<value>][/I<mask>]"
+msgstr ""
+
+#. type: Plain text
+msgid "Matches frames with the given unsigned mark value. If a I<value> and I<mask> are specified, the logical AND of the mark value of the frame and the user-specified I<mask> is taken before comparing it with the user-specified mark I<value>. When only a mark I<value> is specified, the packet only matches when the mark value of the frame equals the user-specified mark I<value>. If only a I<mask> is specified, the logical AND of the mark value of the frame and the user-specified I<mask> is taken and the frame matches when the result of this logical AND is non-zero. Only specifying a I<mask> is useful to match multiple mark values."
+msgstr ""
+
+#. type: SS
+#, no-wrap
+msgid "pkttype"
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--pkttype-type >[!] I<type>"
+msgstr ""
+
+#. type: Plain text
+msgid "Matches on the Ethernet \"class\" of the frame, which is determined by the generic networking code. Possible values: I<broadcast> (MAC destination is the broadcast address), I<multicast> (MAC destination is a multicast address), I<host> (MAC destination is the receiving network device), or I<otherhost> (none of the above)."
+msgstr ""
+
+#. type: SS
+#, no-wrap
+msgid "stp"
+msgstr ""
+
+#. type: Plain text
+msgid "Specify stp BPDU (bridge protocol data unit) fields. The destination address (B<-d>) must be specified as the bridge group address (I<BGA>). For all options for which a range of values can be specified, it holds that if the lower bound is omitted (but the colon is not), then the lowest possible lower bound for that option is used, while if the upper bound is omitted (but the colon again is not), the highest possible upper bound for that option is used."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--stp-type >[!] I<type>"
+msgstr ""
+
+#. type: Plain text
+msgid "The BPDU type (0-255), recognized non-numerical types are I<config>, denoting a configuration BPDU (=0), and I<tcn>, denothing a topology change notification BPDU (=128)."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--stp-flags >[!] I<flag>"
+msgstr ""
+
+#. type: Plain text
+msgid "The BPDU flag (0-255), recognized non-numerical flags are I<topology-change>, denoting the topology change flag (=1), and I<topology-change-ack>, denoting the topology change acknowledgement flag (=128)."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--stp-root-prio >[!] [I<prio>][:I<prio>]"
+msgstr ""
+
+#. type: Plain text
+msgid "The root priority (0-65535) range."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--stp-root-addr >[!] [I<address>][/I<mask>]"
+msgstr ""
+
+#. type: Plain text
+msgid "The root mac address, see the option B<-s> for more details."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--stp-root-cost >[!] [I<cost>][:I<cost>]"
+msgstr ""
+
+#. type: Plain text
+msgid "The root path cost (0-4294967295) range."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--stp-sender-prio >[!] [I<prio>][:I<prio>]"
+msgstr ""
+
+#. type: Plain text
+msgid "The BPDU's sender priority (0-65535) range."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--stp-sender-addr >[!] [I<address>][/I<mask>]"
+msgstr ""
+
+#. type: Plain text
+msgid "The BPDU's sender mac address, see the option B<-s> for more details."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--stp-port >[!] [I<port>][:I<port>]"
+msgstr ""
+
+#. type: Plain text
+msgid "The port identifier (0-65535) range."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--stp-msg-age >[!] [I<age>][:I<age>]"
+msgstr ""
+
+#. type: Plain text
+msgid "The message age timer (0-65535) range."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--stp-max-age >[!] [I<age>][:I<age>]"
+msgstr ""
+
+#. type: Plain text
+msgid "The max age timer (0-65535) range."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--stp-hello-time >[!] [I<time>][:I<time>]"
+msgstr ""
+
+#. type: Plain text
+msgid "The hello time timer (0-65535) range."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--stp-forward-delay >[!] [I<delay>][:I<delay>]"
+msgstr ""
+
+#. .SS string
+#. This module matches on a given string using some pattern matching strategy.
+#. .TP
+#. .BR "--string-algo " "\fIalgorithm\fP"
+#. The pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris)
+#. .TP
+#. .BR "--string-from " "\fIoffset\fP"
+#. The lowest offset from which a match can start. (default: 0)
+#. .TP
+#. .BR "--string-to " "\fIoffset\fP"
+#. The highest offset from which a match can start. (default: size of frame)
+#. .TP
+#. .BR "--string " "[!] \fIpattern\fP"
+#. Matches the given pattern.
+#. .TP
+#. .BR "--string-hex " "[!] \fIpattern\fP"
+#. Matches the given pattern in hex notation, e.g. '|0D 0A|', '|0D0A|', 'www|09|netfilter|03|org|00|'
+#. .TP
+#. .BR "--string-icase"
+#. Ignore case when searching.
+#. type: Plain text
+msgid "The forward delay timer (0-65535) range."
+msgstr ""
+
+#. type: SS
+#, no-wrap
+msgid "vlan"
+msgstr ""
+
+#. type: Plain text
+msgid "Specify 802.1Q Tag Control Information fields. The protocol must be specified as I<802_1Q> (0x8100)."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--vlan-id >[!] I<id>"
+msgstr ""
+
+#. type: Plain text
+msgid "The VLAN identifier field (VID). Decimal number from 0 to 4095."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--vlan-prio >[!] I<prio>"
+msgstr ""
+
+#. type: Plain text
+msgid "The user priority field, a decimal number from 0 to 7. The VID should be set to 0 (\"null VID\") or unspecified (in the latter case the VID is deliberately set to 0)."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--vlan-encap >[!] I<type>"
+msgstr ""
+
+#. type: Plain text
+msgid "The encapsulated Ethernet frame type/length. Specified as a hexadecimal number from 0x0000 to 0xFFFF or as a symbolic name from B</etc/ethertypes>."
+msgstr ""
+
+#. type: SS
+#, no-wrap
+msgid "WATCHER EXTENSIONS"
+msgstr ""
+
+#. type: Plain text
+msgid "Watchers only look at frames passing by, they don't modify them nor decide to accept the frames or not. These watchers only see the frame if the frame matches the rule, and they see it before the target is executed."
+msgstr ""
+
+#. type: SS
+#, no-wrap
+msgid "log"
+msgstr ""
+
+#. type: Plain text
+msgid "The log watcher writes descriptive data about a frame to the syslog."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--log>"
+msgstr ""
+
+#. type: Plain text
+msgid "Log with the default loggin options: log-level= I<info>, log-prefix=\"\", no ip logging, no arp logging."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--log-level >I<level>"
+msgstr ""
+
+#. type: Plain text
+msgid "Defines the logging level. For the possible values, see B<ebtables -h log>. The default level is I<info>."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--log-prefix> I<text>"
+msgstr ""
+
+#. type: Plain text
+msgid "Defines the prefix I<text> to be printed at the beginning of the line with the logging information."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--log-ip>"
+msgstr ""
+
+#. type: Plain text
+msgid "Will log the ip information when a frame made by the ip protocol matches the rule. The default is no ip information logging."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--log-ip6>"
+msgstr ""
+
+#. type: Plain text
+msgid "Will log the ipv6 information when a frame made by the ipv6 protocol matches the rule. The default is no ipv6 information logging."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--log-arp>"
+msgstr ""
+
+#. type: Plain text
+msgid "Will log the (r)arp information when a frame made by the (r)arp protocols matches the rule. The default is no (r)arp information logging."
+msgstr ""
+
+#. type: SS
+#, no-wrap
+msgid "nflog"
+msgstr ""
+
+#. type: Plain text
+msgid "The nflog watcher passes the packet to the loaded logging backend in order to log the packet. This is usually used in combination with nfnetlink_log as logging backend, which will multicast the packet through a I<netlink> socket to the specified multicast group. One or more userspace processes may subscribe to the group to receive the packets."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--nflog>"
+msgstr ""
+
+#. type: Plain text
+msgid "Log with the default logging options"
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--nflog-group >I<nlgroup>"
+msgstr ""
+
+#. type: Plain text
+msgid "The netlink group (1 - 2^32-1) to which packets are (only applicable for nfnetlink_log). The default value is 1."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--nflog-prefix >I<prefix>"
+msgstr ""
+
+#. type: Plain text
+msgid "A prefix string to include in the log message, up to 30 characters long, useful for distinguishing messages in the logs."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--nflog-range >I<size>"
+msgstr ""
+
+#. type: Plain text
+msgid "The number of bytes to be copied to userspace (only applicable for nfnetlink_log). nfnetlink_log instances may specify their own range, this option overrides it."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--nflog-threshold >I<size>"
+msgstr ""
+
+#. type: Plain text
+msgid "Number of packets to queue inside the kernel before sending them to userspace (only applicable for nfnetlink_log). Higher values result in less overhead per packet, but increase delay until the packets reach userspace. The default value is 1."
+msgstr ""
+
+#. type: SS
+#, no-wrap
+msgid "ulog"
+msgstr ""
+
+#. type: Plain text
+msgid "The ulog watcher passes the packet to a userspace logging daemon using netlink multicast sockets. This differs from the log watcher in the sense that the complete packet is sent to userspace instead of a descriptive text and that netlink multicast sockets are used instead of the syslog. This watcher enables parsing of packets with userspace programs, the physical bridge in and out ports are also included in the netlink messages. The ulog watcher module accepts 2 parameters when the module is loaded into the kernel (e.g. with modprobe): B<nlbufsiz> specifies how big the buffer for each netlink multicast group is. If you say I<nlbufsiz=8192>, for example, up to eight kB of packets will get accumulated in the kernel until they are sent to userspace. It is not possible to allocate more than 128kB. Please also keep in mind that this buffer size is allocated for each nlgroup you are using, so the total kernel memory usage increases by that factor. The default is 4096. B<flushtimeout> specifies after how many hundredths of a second the queue should be flushed, even if it is not full yet. The default is 10 (one tenth of a second)."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--ulog>"
+msgstr ""
+
+#. type: Plain text
+msgid "Use the default settings: ulog-prefix=\"\", ulog-nlgroup=1, ulog-cprange=4096, ulog-qthreshold=1."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--ulog-prefix >I<text>"
+msgstr ""
+
+#. type: Plain text
+msgid "Defines the prefix included with the packets sent to userspace."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--ulog-nlgroup> I<group>"
+msgstr ""
+
+#. type: Plain text
+msgid "Defines which netlink group number to use (a number from 1 to 32). Make sure the netlink group numbers used for the iptables ULOG target differ from those used for the ebtables ulog watcher. The default group number is 1."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--ulog-cprange> I<range>"
+msgstr ""
+
+#. type: Plain text
+msgid "Defines the maximum copy range to userspace, for packets matching the rule. The default range is 0, which means the maximum copy range is given by B<nlbufsiz>. A maximum copy range larger than 128*1024 is meaningless as the packets sent to userspace have an upper size limit of 128*1024."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--ulog-qthreshold> I<threshold>"
+msgstr ""
+
+#. type: Plain text
+msgid "Queue at most I<threshold> number of packets before sending them to userspace with a netlink socket. Note that packets can be sent to userspace before the queue is full, this happens when the ulog kernel timer goes off (the frequency of this timer depends on B<flushtimeout>)."
+msgstr ""
+
+#. type: SS
+#, no-wrap
+msgid "TARGET EXTENSIONS"
+msgstr ""
+
+#. type: SS
+#, no-wrap
+msgid "arpreply"
+msgstr ""
+
+#. type: Plain text
+msgid "The B<arpreply> target can be used in the B<PREROUTING> chain of the B<nat> table. If this target sees an ARP request it will automatically reply with an ARP reply. The used MAC address for the reply can be specified. The protocol must be specified as I<ARP>. When the ARP message is not an ARP request or when the ARP request isn't for an IP address on an Ethernet network, it is ignored by this target (B<CONTINUE>). When the ARP request is malformed, it is dropped (B<DROP>)."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--arpreply-mac >I<address>"
+msgstr ""
+
+#. type: Plain text
+msgid "Specifies the MAC address to reply with: the Ethernet source MAC and the ARP payload source MAC will be filled in with this address."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--arpreply-target >I<target>"
+msgstr ""
+
+#. type: Plain text
+msgid "Specifies the standard target. After sending the ARP reply, the rule still has to give a standard target so ebtables knows what to do with the ARP request. The default target is B<DROP>."
+msgstr ""
+
+#. type: SS
+#, no-wrap
+msgid "dnat"
+msgstr ""
+
+#. type: Plain text
+msgid "The B<dnat> target can only be used in the B<PREROUTING> and B<OUTPUT> chains of the B<nat> table. It specifies that the destination MAC address has to be changed."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--to-destination >I<address>"
+msgstr ""
+
+#. type: Plain text
+msgid "Change the destination MAC address to the specified I<address>. The flag B<--to-dst> is an alias for this option."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--dnat-target >I<target>"
+msgstr ""
+
+#. type: Plain text
+msgid "Specifies the standard target. After doing the dnat, the rule still has to give a standard target so ebtables knows what to do with the dnated frame. The default target is B<ACCEPT>. Making it B<CONTINUE> could let you use multiple target extensions on the same frame. Making it B<DROP> only makes sense in the B<BROUTING> chain but using the B<redirect> target is more logical there. B<RETURN> is also allowed. Note that using B<RETURN> in a base chain is not allowed (for obvious reasons)."
+msgstr ""
+
+#. type: SS
+#, no-wrap
+msgid "mark"
+msgstr ""
+
+#. type: Plain text
+msgid "The B<mark> target can be used in every chain of every table. It is possible to use the marking of a frame/packet in both ebtables and iptables, if the bridge-nf code is compiled into the kernel. Both put the marking at the same place. This allows for a form of communication between ebtables and iptables."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--mark-set >I<value>"
+msgstr ""
+
+#. type: Plain text
+msgid "Mark the frame with the specified non-negative I<value>."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--mark-or >I<value>"
+msgstr ""
+
+#. type: Plain text
+msgid "Or the frame with the specified non-negative I<value>."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--mark-and >I<value>"
+msgstr ""
+
+#. type: Plain text
+msgid "And the frame with the specified non-negative I<value>."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--mark-xor >I<value>"
+msgstr ""
+
+#. type: Plain text
+msgid "Xor the frame with the specified non-negative I<value>."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--mark-target >I<target>"
+msgstr ""
+
+#. type: Plain text
+msgid "Specifies the standard target. After marking the frame, the rule still has to give a standard target so ebtables knows what to do. The default target is B<ACCEPT>. Making it B<CONTINUE> can let you do other things with the frame in subsequent rules of the chain."
+msgstr ""
+
+#. type: SS
+#, no-wrap
+msgid "redirect"
+msgstr ""
+
+#. type: Plain text
+msgid "The B<redirect> target will change the MAC target address to that of the bridge device the frame arrived on. This target can only be used in the B<PREROUTING> chain of the B<nat> table. The MAC address of the bridge is used as destination address.\""
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--redirect-target >I<target>"
+msgstr ""
+
+#. type: Plain text
+msgid "Specifies the standard target. After doing the MAC redirect, the rule still has to give a standard target so ebtables knows what to do. The default target is B<ACCEPT>. Making it B<CONTINUE> could let you use multiple target extensions on the same frame. Making it B<DROP> in the B<BROUTING> chain will let the frames be routed. B<RETURN> is also allowed. Note that using B<RETURN> in a base chain is not allowed."
+msgstr ""
+
+#. type: SS
+#, no-wrap
+msgid "snat"
+msgstr ""
+
+#. type: Plain text
+msgid "The B<snat> target can only be used in the B<POSTROUTING> chain of the B<nat> table. It specifies that the source MAC address has to be changed."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--to-source >I<address>"
+msgstr ""
+
+#. type: Plain text
+msgid "Changes the source MAC address to the specified I<address>. The flag B<--to-src> is an alias for this option."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--snat-target >I<target>"
+msgstr ""
+
+#. type: Plain text
+msgid "Specifies the standard target. After doing the snat, the rule still has to give a standard target so ebtables knows what to do. The default target is B<ACCEPT>. Making it B<CONTINUE> could let you use multiple target extensions on the same frame. Making it B<DROP> doesn't make sense, but you could do that too. B<RETURN> is also allowed. Note that using B<RETURN> in a base chain is not allowed."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--snat-arp >"
+msgstr ""
+
+#. type: Plain text
+msgid "Also change the hardware source address inside the arp header if the packet is an arp message and the hardware address length in the arp header is 6 bytes."
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "FILES"
+msgstr ""
+
+#. type: Plain text
+msgid "I</etc/ethertypes>"
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "ENVIRONMENT VARIABLES"
+msgstr ""
+
+#. type: Plain text
+msgid "I<EBTABLES_ATOMIC_FILE>"
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "MAILINGLISTS"
+msgstr ""
+
+#. type: Plain text
+msgid "See B<http://netfilter.org/mailinglists.html>"
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "BUGS"
+msgstr ""
+
+#. type: Plain text
+msgid "The version of ebtables this man page ships with does not support the B<broute> table. Also there is no support for B<string> match. And finally, this list is probably not complete."
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "SEE ALSO"
+msgstr ""
+
+#. type: Plain text
+msgid "B<xtables-nft>(8), B<iptables>(8), B<ip>(8)"
+msgstr ""
+
+#. type: Plain text
+msgid "See B<https://wiki.nftables.org>"
+msgstr ""
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2014-05-07 04:08+0900\n"
-"PO-Revision-Date: 2014-05-07 04:12+0900\n"
+"POT-Creation-Date: 2021-03-24 13:11+0900\n"
+"PO-Revision-Date: 2021-03-24 17:18+0900\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
"Language: \n"
#. type: TH
#, no-wrap
-msgid "iptables 1.4.21"
-msgstr "iptables 1.4.21"
+msgid "iptables 1.8.4"
+msgstr "iptables 1.8.4"
#. type: SH
#, no-wrap
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2014-05-07 04:08+0900\n"
-"PO-Revision-Date: 2014-05-09 02:44+0900\n"
+"POT-Creation-Date: 2021-03-24 13:11+0900\n"
+"PO-Revision-Date: 2021-03-24 17:17+0900\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
"Language: \n"
#. type: TH
#, no-wrap
-msgid "iptables 1.4.21"
-msgstr "iptables 1.4.21"
+msgid "iptables 1.8.4"
+msgstr "iptables 1.8.4"
#. type: SH
#, no-wrap
msgstr "bpf"
#. type: Plain text
-msgid "Match using Linux Socket Filter. Expects a BPF program in decimal format. This is the format generated by the B<nfbpf_compile> utility."
-msgstr "Linux Socket Filter を使ってマッチを行う。 BPF プログラムを 10 進数形式で指定する。 これは B<nfbpf_compile> ユーティリティにより生成されるフォーマットである。"
+msgid "Match using Linux Socket Filter. Expects a path to an eBPF object or a cBPF program in decimal format."
+msgstr "Linux Socket Filter を使ってマッチを行う。 eBPF オブジェクトへのパスもしくは、 10 進数形式の cBPF プログラムを指定する。"
+
+#. type: TP
+#, no-wrap
+msgid "B<--object-pinned> I<path>"
+msgstr "B<--object-pinned> I<path>"
+
+#. type: Plain text
+msgid "Pass a path to a pinned eBPF object."
+msgstr ""
+
+#. type: Plain text
+msgid "Applications load eBPF programs into the kernel with the bpf() system call and BPF_PROG_LOAD command and can pin them in a virtual filesystem with BPF_OBJ_PIN. To use a pinned object in iptables, mount the bpf filesystem using"
+msgstr ""
+
+#. type: Plain text
+msgid "mount -t bpf bpf ${BPF_MOUNT}"
+msgstr ""
+
+#. type: Plain text
+msgid "then insert the filter in iptables by path:"
+msgstr ""
+
+#. type: Plain text
+msgid "iptables -A OUTPUT -m bpf --object-pinned ${BPF_MOUNT}/{PINNED_PATH} -j ACCEPT"
+msgstr ""
#. type: TP
#, no-wrap
msgstr "B<--bytecode> I<code>"
#. type: Plain text
-msgid "Pass the BPF byte code format (described in the example below)."
-msgstr "BPF バイトコードフォーマットを渡す (フォーマットについては下記の例で説明)。"
+msgid "Pass the BPF byte code format as generated by the B<nfbpf_compile> utility."
+msgstr "BPF バイトコードフォーマットを渡す。 B<nfbpf_compile> ユーティリティにより生成されるフォーマットである。"
#. type: Plain text
msgid "The code format is similar to the output of the tcpdump -ddd command: one line that stores the number of instructions, followed by one line for each instruction. Instruction lines follow the pattern 'u16 u8 u8 u32' in decimal notation. Fields encode the operation, jump offset if true, jump offset if false and generic multiuse field 'K'. Comments are not supported."
msgstr "iptables -A OUTPUT -m bpf --bytecode \"`nfbpf_compile RAW 'ip proto 6'`\" -j ACCEPT"
#. type: Plain text
+msgid "Or use tcpdump -ddd. In that case, generate BPF targeting a device with the same data link type as the xtables match. Iptables passes packets from the network layer up, without mac layer. Select a device with data link type RAW, such as a tun device:"
+msgstr ""
+
+#. type: Plain text
+msgid "ip tuntap add tun0 mode tun"
+msgstr "ip tuntap add tun0 mode tun"
+
+#. type: Plain text
+msgid "ip link set tun0 up"
+msgstr "ip link set tun0 up"
+
+#. type: Plain text
+msgid "tcpdump -ddd -i tun0 ip proto 6"
+msgstr "tcpdump -ddd -i tun0 ip proto 6"
+
+#. type: Plain text
+msgid "See tcpdump -L -i $dev for a list of known data link types for a given device."
+msgstr ""
+
+#. type: Plain text
msgid "You may want to learn more about BPF from FreeBSD's bpf(4) manpage."
msgstr "BPF についてもっと詳しく知るには FreeBSD の bpf(4) manpage を見るといいだろう。"
#. type: SS
#, no-wrap
+msgid "cgroup"
+msgstr "cgroup"
+
+#. type: TP
+#, no-wrap
+msgid "[B<!>] B<--path> I<path>"
+msgstr "[B<!>] B<--path> I<path>"
+
+#. type: Plain text
+msgid "Match cgroup2 membership."
+msgstr ""
+
+#. type: Plain text
+msgid "Each socket is associated with the v2 cgroup of the creating process. This matches packets coming from or going to all sockets in the sub-hierarchy of the specified path. The path should be relative to the root of the cgroup2 hierarchy."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "[B<!>] B<--cgroup> I<classid>"
+msgstr "[B<!>] B<--cgroup> I<classid>"
+
+#. type: Plain text
+msgid "Match cgroup net_cls classid."
+msgstr ""
+
+#. type: Plain text
+msgid "classid is the marker set through the cgroup net_cls controller. This option and --path can't be used together."
+msgstr ""
+
+#. type: Plain text
+#, no-wrap
+msgid "Example:"
+msgstr "例:"
+
+#. type: Plain text
+msgid "iptables -A OUTPUT -p tcp --sport 80 -m cgroup ! --path service/http-server -j DROP"
+msgstr "iptables -A OUTPUT -p tcp --sport 80 -m cgroup ! --path service/http-server -j DROP"
+
+#. type: Plain text
+msgid "iptables -A OUTPUT -p tcp --sport 80 -m cgroup ! --cgroup 1 -j DROP"
+msgstr "iptables -A OUTPUT -p tcp --sport 80 -m cgroup ! --cgroup 1 -j DROP"
+
+#. type: Plain text
+msgid "B<IMPORTANT>: when being used in the INPUT chain, the cgroup matcher is currently only of limited functionality, meaning it will only match on packets that are processed for local sockets through early socket demuxing. Therefore, general usage on the INPUT chain is not advised unless the implications are well understood."
+msgstr ""
+
+#. type: Plain text
+msgid "Available since Linux 3.14."
+msgstr "Linux 3.14 以降で利用可能。"
+
+#. type: SS
+#, no-wrap
msgid "cluster"
msgstr "cluster"
msgid "Set seed value of the Jenkins hash."
msgstr "Jenkins ハッシュのシード値を設定する。"
-#. type: TP
-#, no-wrap
-msgid "Example:"
-msgstr "例:"
-
#. type: Plain text
msgid "iptables -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 2 --cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff"
msgstr "iptables -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 2 --cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff"
#. type: SS
#, no-wrap
+msgid "connlabel"
+msgstr "connlabel"
+
+#. type: Plain text
+msgid "Module matches or adds connlabels to a connection. connlabels are similar to connmarks, except labels are bit-based; i.e. all labels may be attached to a flow at the same time. Up to 128 unique labels are currently supported."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "[B<!>] B<--label> B<name>"
+msgstr "[B<!>] B<--label> B<name>"
+
+#. type: Plain text
+msgid "matches if label B<name> has been set on a connection. Instead of a name (which will be translated to a number, see EXAMPLE below), a number may be used instead. Using a number always overrides connlabel.conf."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--set>"
+msgstr "B<--set>"
+
+#. type: Plain text
+msgid "if the label has not been set on the connection, set it. Note that setting a label can fail. This is because the kernel allocates the conntrack label storage area when the connection is created, and it only reserves the amount of memory required by the ruleset that exists at the time the connection is created. In this case, the match will fail (or succeed, in case B<--label> option was negated)."
+msgstr ""
+
+#. type: Plain text
+msgid "This match depends on libnetfilter_conntrack 1.0.4 or later. Label translation is done via the B</etc/xtables/connlabel.conf> configuration file."
+msgstr ""
+
+#. type: Plain text
+#, no-wrap
+msgid ""
+"0\teth0-in\n"
+"1\teth0-out\n"
+"2\tppp-in\n"
+"3\tppp-out\n"
+"4\tbulk-traffic\n"
+"5\tinteractive\n"
+msgstr ""
+
+#. type: SS
+#, no-wrap
msgid "connlimit"
msgstr "connlimit"
#. type: TP
#, no-wrap
+msgid "B<--hashlimit-rate-match>"
+msgstr "B<--hashlimit-rate-match>"
+
+#. type: Plain text
+msgid "Classify the flow instead of rate-limiting it. This acts like a true/false match on whether the rate is above/below a certain number"
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--hashlimit-rate-interval> I<sec>"
+msgstr "B<--hashlimit-rate-interval> I<sec>"
+
+#. type: Plain text
+msgid "Can be used with --hashlimit-rate-match to specify the interval at which the rate should be sampled"
+msgstr ""
+
+#. type: TP
+#, no-wrap
msgid "matching on source host"
msgstr "送信元ホストに対するマッチ"
#. type: TP
#, no-wrap
-msgid "B<proto>"
-msgstr "B<proto>"
+msgid "B<prot>"
+msgstr "B<prot>"
#. type: Plain text
-msgid "which matches any upper layer protocol header. A protocol name from /etc/protocols and numeric value also allowed. The number 255 is equivalent to B<proto>."
+msgid "which matches any upper layer protocol header. A protocol name from /etc/protocols and numeric value also allowed. The number 255 is equivalent to B<prot>."
msgstr ""
#. type: SS
msgstr "B<nfnl_osf -f /usr/share/xtables/pf.os -d>"
#. type: Plain text
-msgid "The fingerprint database can be downlaoded from http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os ."
+msgid "The fingerprint database can be downloaded from http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os ."
msgstr "フィンガープリントデータベースは http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os からダウンロードできる。"
#. type: SS
#. type: TP
#, no-wrap
+msgid "B<--suppl-groups>"
+msgstr ""
+
+#. type: Plain text
+msgid "Causes group(s) specified with B<--gid-owner> to be also checked in the supplementary groups of a process."
+msgstr ""
+
+#. type: TP
+#, no-wrap
msgid "[B<!>] B<--socket-exists>"
msgstr "[B<!>] B<--socket-exists>"
msgstr "[B<!>] B<--physdev-out> I<name>"
#. type: Plain text
-msgid "Name of a bridge port via which a packet is going to be sent (for packets entering the B<FORWARD>, B<OUTPUT> and B<POSTROUTING> chains). If the interface name ends in a \"+\", then any interface which begins with this name will match. Note that in the B<nat> and B<mangle> B<OUTPUT> chains one cannot match on the bridge output port, however one can in the B<filter OUTPUT> chain. If the packet won't leave by a bridge device or if it is yet unknown what the output device will be, then the packet won't match this option, unless '!' is used."
-msgstr "ã\83\91ã\82±ã\83\83ã\83\88ã\82\92é\80\81ä¿¡ã\81\99ã\82\8bã\81\93ã\81¨ã\81«ã\81ªã\82\8bã\83\96ã\83ªã\83\83ã\82¸ã\81®ã\83\9dã\83¼ã\83\88å\90\8d (B<FORWARD>, B<OUTPUT>, B<POSTROUTING> ã\83\81ã\82§ã\82¤ã\83³ã\81«å\85¥ã\82\8bã\83\91ã\82±ã\83\83ã\83\88ã\81®ã\81¿)ã\80\82 ã\82¤ã\83³ã\82¿ã\83¼ã\83\95ã\82§ã\83¼ã\82¹å\90\8dã\81\8c \"+\" ã\81§çµ\82ã\81£ã\81¦ã\81\84ã\82\8bå ´å\90\88ã\80\81 ã\81\9dã\81®å\90\8då\89\8dã\81§å§\8bã\81¾ã\82\8bä»»æ\84\8fã\81®ã\82¤ã\83³ã\82¿ã\83¼ã\83\95ã\82§ã\83¼ã\82¹å\90\8dã\81«ã\83\9eã\83\83ã\83\81ã\81\99ã\82\8bã\80\82 B<nat> ã\81¨ B<mangle> ã\83\86ã\83¼ã\83\96ã\83«ã\81® B<OUTPUT> ã\83\81ã\82§ã\82¤ã\83³ã\81§ã\81¯ã\83\96ã\83ªã\83\83ã\82¸ã\81®å\87ºå\8a\9bã\83\9dã\83¼ã\83\88ã\81«ã\83\9eã\83\83ã\83\81ã\81\95ã\81\9bã\82\8bã\81\93ã\81¨ã\81\8cã\81§ã\81\8dã\81ªã\81\84ã\81\8cã\80\81 B<filter> ã\83\86ã\83¼ã\83\96ã\83«ã\81® B<OUPUT> ã\83\81ã\82§ã\82¤ã\83³ã\81§ã\81¯ã\83\9eã\83\83ã\83\81å\8f¯è\83½ã\81§ã\81\82ã\82\8bã\80\82 ã\83\91ã\82±ã\83\83ã\83\88ã\81\8cã\83\96ã\83ªã\83\83ã\82¸ã\83\87ã\83\90ã\82¤ã\82¹ã\81\8bã\82\89é\80\81ã\82\89ã\82\8cã\81ªã\81\8bã\81£ã\81\9få ´å\90\88ã\80\81 ã\81¾ã\81\9fã\81¯ã\83\91ã\82±ã\83\83ã\83\88ã\81®å\87ºå\8a\9bã\83\87ã\83\90ã\82¤ã\82¹ã\81\8cä¸\8dæ\98\8eã\81§ã\81\82ã\81£ã\81\9få ´å\90\88ã\81¯ã\80\81 \\&'!' ã\81\8cæ\8c\87å®\9aã\81\95ã\82\8cã\81¦ã\81\84ã\81ªã\81\84é\99\90ã\82\8aã\80\81 ã\83\91ã\82±ã\83\83ã\83\88ã\81¯ã\81\93ã\81®ã\82ªã\83\97ã\82·ã\83§ã\83³ã\81«ã\83\9eã\83\83ã\83\81ã\81\97ã\81ªã\81\84。"
+msgid "Name of a bridge port via which a packet is going to be sent (for bridged packets entering the B<FORWARD> and B<POSTROUTING> chains). If the interface name ends in a \"+\", then any interface which begins with this name will match."
+msgstr "ã\83\91ã\82±ã\83\83ã\83\88ã\81\8cé\80\81ä¿¡ã\81\95ã\82\8cã\82\8bã\83\96ã\83ªã\83\83ã\82¸ã\81®ã\83\9dã\83¼ã\83\88å\90\8d (B<FORWARD>, B<POSTROUTING> ã\83\81ã\82§ã\82¤ã\83³ã\81«å\85¥ã\82\8bã\83\91ã\82±ã\83\83ã\83\88ã\81«å¯¾ã\81\97ã\81¦)ã\80\82 ã\82¤ã\83³ã\82¿ã\83¼ã\83\95ã\82§ã\83¼ã\82¹å\90\8dã\81\8c \"+\" ã\81§çµ\82ã\81£ã\81¦ã\81\84ã\82\8bå ´å\90\88ã\80\81 ã\81\9dã\81®å\90\8då\89\8dã\81§å§\8bã\81¾ã\82\8bä»»æ\84\8fã\81®ã\82¤ã\83³ã\82¿ã\83¼ã\83\95ã\82§ã\83¼ã\82¹å\90\8dã\81«ã\83\9eã\83\83ã\83\81ã\81\99ã\82\8b。"
#. type: TP
#, no-wrap
msgstr "[B<!>] B<--realm> I<value>[B</>I<mask>]"
#. type: Plain text
-msgid "Matches a given realm number (and optionally mask). If not a number, value can be a named realm from /etc/iproute2/rt_realms (mask can not be used in that case)."
+msgid "Matches a given realm number (and optionally mask). If not a number, value can be a named realm from /etc/iproute2/rt_realms (mask can not be used in that case). Both value and mask are four byte unsigned integers and may be specified in decimal, hex (by prefixing with \"0x\") or octal (if a leading zero is given)."
msgstr ""
#. type: SS
msgstr "B<--loose>"
#. type: Plain text
-msgid "Used to specifiy that the reverse path filter test should match even if the selected output device is not the expected one."
+msgid "Used to specify that the reverse path filter test should match even if the selected output device is not the expected one."
msgstr "選択された出力デバイスが期待されたものではない場合であっても、 reverse path フィルターテストのマッチを行うことを指示する。"
#. type: TP
#. type: TP
#, no-wrap
-msgid "[B<!>] B<-bytes-eq> I<value>"
-msgstr "[B<!>] B<-bytes-eq> I<value>"
+msgid "[B<!>] B<--bytes-eq> I<value>"
+msgstr "[B<!>] B<--bytes-eq> I<value>"
#. type: Plain text
msgid "If the packet is matched an element in the set, match only if the byte counter of the element matches the given value too."
msgid "-t mangle -A PREROUTING -m socket --transparent -j MARK --set-mark 1"
msgstr "-t mangle -A PREROUTING -m socket --transparent -j MARK --set-mark 1"
+#. type: TP
+#, no-wrap
+msgid "B<--restore-skmark>"
+msgstr "B<--restore-skmark>"
+
+#. type: Plain text
+msgid "Set the packet mark to the matching socket's mark. Can be combined with the B<--transparent> and B<--nowildcard> options to restrict the sockets to be matched when restoring the packet mark."
+msgstr ""
+
+#. type: Plain text
+msgid "Example: An application opens 2 transparent (B<IP_TRANSPARENT>) sockets and sets a mark on them with B<SO_MARK> socket option. We can filter matching packets:"
+msgstr ""
+
+#. type: Plain text
+msgid "-t mangle -I PREROUTING -m socket --transparent --restore-skmark -j action"
+msgstr "-t mangle -I PREROUTING -m socket --transparent --restore-skmark -j action"
+
+#. type: Plain text
+msgid "-t mangle -A action -m mark --mark 10 -j action2"
+msgstr ""
+
+#. type: Plain text
+msgid "-t mangle -A action -m mark --mark 11 -j action3"
+msgstr ""
+
#. type: SS
#, no-wrap
msgid "state"
msgid "Matches the given pattern in hex notation."
msgstr "指定された 16 進表記のパターンにマッチする。"
+#. type: TP
+#, no-wrap
+msgid "B<--icase>"
+msgstr "B<--icase>"
+
+#. type: Plain text
+msgid "Ignore case when searching."
+msgstr ""
+
#. type: Plain text
msgid "# The string pattern can be used for simple text characters."
msgstr "# 文字列パターンは単純なテキスト文字を探すのに使用できる。"
msgstr "これらの拡張は `--protocol tcp' が指定され場合に使用できる。 以下のオプションが提供される:"
#. type: Plain text
-msgid "Source port or port range specification. This can either be a service name or a port number. An inclusive range can also be specified, using the format I<first>B<:>I<last>. If the first port is omitted, \"0\" is assumed; if the last is omitted, \"65535\" is assumed. If the first port is greater than the second one they will be swapped. The flag B<--sport> is a convenient alias for this option."
-msgstr "送信元ポートまたはポート範囲の指定。 サービス名またはポート番号を指定できる。 I<first>B<:>I<last> という形式で、 2 つの番号を含む範囲を指定することもできる。 最初のポートを省略した場合、 \"0\" を仮定する。 最後のポートを省略した場合、 \"65535\" を仮定する。 最初のポートが最後のポートより大きい場合、 2 つは入れ換えられる。 フラグ B<--sport> は、 このオプションの便利な別名である。"
+msgid "Source port or port range specification. This can either be a service name or a port number. An inclusive range can also be specified, using the format I<first>B<:>I<last>. If the first port is omitted, \"0\" is assumed; if the last is omitted, \"65535\" is assumed. The flag B<--sport> is a convenient alias for this option."
+msgstr "送信元ポートまたはポート範囲の指定。 サービス名またはポート番号を指定できる。 I<first>B<:>I<last> という形式で、 2 つの番号を含む範囲を指定することもできる。 最初のポートを省略した場合、 \"0\" を仮定する。 最後のポートを省略した場合、 \"65535\" を仮定する。 フラグ B<--sport> は、 このオプションの便利な別名である。"
#. type: Plain text
msgid "Destination port or port range specification. The flag B<--dport> is a convenient alias for this option."
msgstr "[B<!>] B<--mss> I<value>[B<:>I<value>]"
#. type: Plain text
-msgid "Match a given TCP MSS value or range."
-msgstr "指定された TCP MSS 値か範囲にマッチする。"
+msgid "Match a given TCP MSS value or range. If a range is given, the second I<value> must be greater than or equal to the first I<value>."
+msgstr ""
#. type: SS
#, no-wrap
msgid "The instructions are:"
msgstr "命令は以下の通り。"
+#. type: TP
+#, no-wrap
+msgid "B<number>"
+msgstr "B<number>"
+
#. type: Plain text
-msgid "number B = number;"
-msgstr "number B = number;"
+msgid "B = number;"
+msgstr "B = number;"
#. type: Plain text
msgid "C = (*(A+B)E<lt>E<lt>24) + (*(A+B+1)E<lt>E<lt>16) + (*(A+B+2)E<lt>E<lt>8) + *(A+B+3)"
msgstr "C = (*(A+B)E<lt>E<lt>24) + (*(A+B+1)E<lt>E<lt>16) + (*(A+B+2)E<lt>E<lt>8) + *(A+B+3)"
+#. type: TP
+#, no-wrap
+msgid "B<&number>"
+msgstr "B<&number>"
+
#. type: Plain text
-msgid "&number C = C & number"
-msgstr "&number C = C & number"
+msgid "C = C & number"
+msgstr "C = C & number"
+
+#. type: TP
+#, no-wrap
+msgid "B<E<lt>E<lt> number>"
+msgstr "B<E<lt>E<lt> number>"
#. type: Plain text
-msgid "E<lt>E<lt> number C = C E<lt>E<lt> number"
-msgstr "E<lt>E<lt> number C = C E<lt>E<lt> number"
+msgid "C = C E<lt>E<lt> number"
+msgstr "C = C E<lt>E<lt> number"
+
+#. type: TP
+#, no-wrap
+msgid "B<E<gt>E<gt> number>"
+msgstr "B<E<gt>E<gt> number>"
#. type: Plain text
-msgid "E<gt>E<gt> number C = C E<gt>E<gt> number"
-msgstr "E<gt>E<gt> number C = C E<gt>E<gt> number"
+msgid "C = C E<gt>E<gt> number"
+msgstr "C = C E<gt>E<gt> number"
+
+#. type: TP
+#, no-wrap
+msgid "B<@number>"
+msgstr "B<@number>"
#. type: Plain text
-msgid "@number A = A + C; then do the instruction number"
-msgstr "@number A = A + C; この後、命令の数字を実行する"
+msgid "A = A + C; then do the instruction number"
+msgstr "A = A + C; then do the instruction number"
#. type: Plain text
msgid "Any access of memory outside [skb-E<gt>data,skb-E<gt>end] causes the match to fail. Otherwise the result of the computation is the final value of C."
msgid "Destination port or port range specification. See the description of the B<--destination-port> option of the TCP extension for details."
msgstr "宛先ポートまたはポート範囲の指定。 詳細は TCP 拡張の B<--destination-port> オプションの説明を参照すること。"
-#. type: SS
-#, no-wrap
-msgid "unclean (IPv4-specific)"
-msgstr "unclean (IPv4 の場合)"
-
-#. type: Plain text
-msgid "This module takes no options, but attempts to match packets which seem malformed or unusual. This is regarded as experimental."
-msgstr "このモジュールにはオプションがないが、 おかしく正常でないように見えるパケットにマッチする。 これは実験的なものとして扱われている。"
-
#. type: SH
#, no-wrap
msgid "TARGET EXTENSIONS"
msgstr "B<--type> {B<accept>|B<drop>|B<reject>}"
#. type: Plain text
-msgid "Set type of audit record."
-msgstr "監査レコード種別を設定する。"
+msgid "Set type of audit record. Starting with linux-4.12, this option has no effect on generated audit messages anymore. It is still accepted by iptables for compatibility reasons, but ignored."
+msgstr ""
#. type: Plain text
msgid "iptables -N AUDIT_DROP"
msgstr "iptables -N AUDIT_DROP"
#. type: Plain text
-msgid "iptables -A AUDIT_DROP -j AUDIT --type drop"
-msgstr "iptables -A AUDIT_DROP -j AUDIT --type drop"
+msgid "iptables -A AUDIT_DROP -j AUDIT"
+msgstr "iptables -A AUDIT_DROP -j AUDIT"
#. type: Plain text
msgid "iptables -A AUDIT_DROP -j DROP"
#. type: TP
#, no-wrap
-msgid "B<--zone> I<id>"
-msgstr "B<--zone> I<id>"
+msgid "B<--zone-orig> {I<id>|B<mark>}"
+msgstr "B<--zone-orig> {I<id>|B<mark>}"
+
+#. type: Plain text
+msgid "For traffic coming from ORIGINAL direction, assign this packet to zone I<id> and only have lookups done in that zone. If B<mark> is used instead of I<id>, the zone is derived from the packet nfmark."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--zone-reply> {I<id>|B<mark>}"
+msgstr "B<--zone-reply> {I<id>|B<mark>}"
+
+#. type: Plain text
+msgid "For traffic coming from REPLY direction, assign this packet to zone I<id> and only have lookups done in that zone. If B<mark> is used instead of I<id>, the zone is derived from the packet nfmark."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--zone> {I<id>|B<mark>}"
+msgstr "B<--zone> {I<id>|B<mark>}"
#. type: Plain text
-msgid "Assign this packet to zone I<id> and only have lookups done in that zone. By default, packets have zone 0."
+msgid "Assign this packet to zone I<id> and only have lookups done in that zone. If B<mark> is used instead of I<id>, the zone is derived from the packet nfmark. By default, packets have zone 0. This option applies to both directions."
msgstr ""
#. type: TP
msgstr "このオプションは、 使用する送信元ポートの範囲を指定し、 デフォルトの B<SNAT> 送信元ポートの選択方法 (上記) よりも優先される。 ルールがプロトコルとして B<tcp>, B<udp>, B<dccp>, B<sctp> を指定している場合にのみ有効である。"
#. type: Plain text
-msgid "Randomize source port mapping If option B<--random> is used then port mapping will be randomized (kernel E<gt>= 2.6.21)."
-msgstr "送信元ポートのマッピングをランダム化する。 B<--random> オプションを使用すると、 ポートマッピングがランダム化される (カーネル 2.6.21 以降)。"
+msgid "Randomize source port mapping If option B<--random> is used then port mapping will be randomized (kernel E<gt>= 2.6.21). Since kernel 5.0, B<--random> is identical to B<--random-fully>."
+msgstr "送信元ポートのマッピングをランダム化する。 B<--random> オプションを使用すると、 ポートマッピングがランダム化される (カーネル 2.6.21 以降)。カーネル 5.0 以降では、 B<--random> は B<--random-fully> と等価である。"
-#. type: SS
+#. type: TP
#, no-wrap
-msgid "MIRROR (IPv4-specific)"
-msgstr "MIRROR (IPv4 の場合)"
+msgid "B<--random-fully>"
+msgstr "B<--random-fully>"
#. type: Plain text
-msgid "This is an experimental demonstration target which inverts the source and destination fields in the IP header and retransmits the packet. It is only valid in the B<INPUT>, B<FORWARD> and B<PREROUTING> chains, and user-defined chains which are only called from those chains. Note that the outgoing packets are B<NOT> seen by any packet filtering chains, connection tracking or NAT, to avoid loops and other problems."
-msgstr "実験的なデモンストレーション用のターゲットであり、 IP ヘッダーの送信元と宛先フィールドを入れ換え、 パケットを再送信するものである。 これは B<INPUT>, B<FORWARD>, B<PREROUTING> チェインと、 これらのチェインから呼び出される ユーザー定義チェインだけで有効である。 ループ等の問題を回避するため、 外部に送られるパケットは いかなるパケットフィルタリングチェイン・コネクション追跡・NAT からも 監視B<されない>。"
+msgid "Full randomize source port mapping If option B<--random-fully> is used then port mapping will be fully randomized (kernel E<gt>= 3.13)."
+msgstr "送信元ポートのマッピングを完全にランダム化する。 B<--random-fully> オプションを使用すると、 ポートマッピングが完全にランダム化される (カーネル 3.13 以降)。"
#. type: SS
#, no-wrap
msgstr "B<--nflog-range> I<size>"
#. type: Plain text
+msgid "This option has never worked, use --nflog-size instead"
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--nflog-size> I<size>"
+msgstr "B<--nflog-size> I<size>"
+
+#. type: Plain text
msgid "The number of bytes to be copied to userspace (only applicable for nfnetlink_log). nfnetlink_log instances may specify their own range, this option overrides it."
msgstr "ユーザー空間にコピーするバイト数 (nfnetlink_log の場合のみ利用できる)。 nfnetlink_log のインスタンスは自身でコピーする範囲を指定できるが、 このオプションはそれを上書きする。"
msgstr "REDIRECT"
#. type: Plain text
-msgid "This target is only valid in the B<nat> table, in the B<PREROUTING> and B<OUTPUT> chains, and user-defined chains which are only called from those chains. It redirects the packet to the machine itself by changing the destination IP to the primary address of the incoming interface (locally-generated packets are mapped to the localhost address, 127.0.0.1 for IPv4 and ::1 for IPv6)."
-msgstr "このターゲットは、 B<nat> テーブルの B<PREROUTING> チェインと B<OUTPUT> チェイン、 およびこれらチェインから呼び出されるユーザー定義チェインでのみ有効である。 このターゲットは、 宛先 IP をパケットを受信したインタフェースの最初のアドレスに変更することで、 パケットをそのマシン自身にリダイレクトする (ローカルで生成されたパケットはローカルホストのアドレス、 IPv4 では 127.0.0.1、 IPv6 では ::1 にマップされる)。"
+msgid "This target is only valid in the B<nat> table, in the B<PREROUTING> and B<OUTPUT> chains, and user-defined chains which are only called from those chains. It redirects the packet to the machine itself by changing the destination IP to the primary address of the incoming interface (locally-generated packets are mapped to the localhost address, 127.0.0.1 for IPv4 and ::1 for IPv6, and packets arriving on interfaces that don't have an IP address configured are dropped)."
+msgstr "このターゲットは、 B<nat> テーブルの B<PREROUTING> チェインと B<OUTPUT> チェイン、 およびこれらチェインから呼び出されるユーザー定義チェインでのみ有効である。 このターゲットは、 宛先 IP をパケットを受信したインタフェースの最初のアドレスに変更することで、 パケットをそのマシン自身にリダイレクトする (ローカルで生成されたパケットはローカルホストのアドレス、 IPv4 では 127.0.0.1、 IPv6 では ::1 にマップされる。 IP アドレスを設定されていないインタフェースに到着したパケットは破棄される)。"
#. type: Plain text
msgid "This specifies a destination port or range of ports to use: without this, the destination port is never altered. This is only valid if the rule also specifies one of the following protocols: B<tcp>, B<udp>, B<dccp> or B<sctp>."
#. type: SS
#, no-wrap
-msgid "SAME (IPv4-specific)"
-msgstr "SAME (IPv4 の場合)"
-
-#. type: Plain text
-msgid "Similar to SNAT/DNAT depending on chain: it takes a range of addresses (`--to 1.2.3.4-1.2.3.7') and gives a client the same source-/destination-address for each connection."
-msgstr ""
-
-#. type: Plain text
-msgid "N.B.: The DNAT target's B<--persistent> option replaced the SAME target."
-msgstr ""
-
-#. type: TP
-#, no-wrap
-msgid "B<--to> I<ipaddr>[B<->I<ipaddr>]"
-msgstr "B<--to> I<ipaddr>[B<->I<ipaddr>]"
-
-#. type: Plain text
-msgid "Addresses to map source to. May be specified more than once for multiple ranges."
-msgstr ""
-
-#. type: TP
-#, no-wrap
-msgid "B<--nodst>"
-msgstr "B<--nodst>"
-
-#. type: Plain text
-msgid "Don't use the destination-ip in the calculations when selecting the new source-ip"
-msgstr ""
-
-#. type: Plain text
-msgid "Port mapping will be forcibly randomized to avoid attacks based on port prediction (kernel E<gt>= 2.6.21)."
-msgstr ""
-
-#. type: SS
-#, no-wrap
msgid "SECMARK"
msgstr "SECMARK"
msgid "delete the address(es)/port(s) of the packet from the set"
msgstr "集合から指定されたアドレス/ポート (複数可) を削除する"
+#. type: TP
+#, no-wrap
+msgid "B<--map-set> I<setname> I<flag>[B<,>I<flag>...] "
+msgstr "B<--map-set> I<setname> I<flag>[B<,>I<flag>...] "
+
+#. type: Plain text
+msgid "[--map-mark] [--map-prio] [--map-queue] map packet properties (firewall mark, tc priority, hardware queue)"
+msgstr ""
+
#. type: Plain text
msgid "where I<flag>(s) are B<src> and/or B<dst> specifications and there can be no more than six of them."
msgstr "I<flag> は B<src> や B<dst> の指定であり、 指定できるのは 6 個までである。"
msgid "when adding an entry if it already exists, reset the timeout value to the specified one or to the default from the set definition"
msgstr "エントリを追加する際に、 エントリが存在する場合、 タイムアウト値を、 指定された値か集合定義のデフォルト値にリセットする"
+#. type: TP
+#, no-wrap
+msgid "B<--map-set> I<set-name>"
+msgstr "B<--map-set> I<set-name>"
+
+#. type: Plain text
+msgid "the set-name should be created with --skbinfo option B<--map-mark> map firewall mark to packet by lookup of value in the set B<--map-prio> map traffic control priority to packet by lookup of value in the set B<--map-queue> map hardware NIC queue to packet by lookup of value in the set"
+msgstr ""
+
+#. type: Plain text
+msgid "The B<--map-set> option can be used from the mangle table only. The B<--map-prio> and B<--map-queue> flags can be used in the OUTPUT, FORWARD and POSTROUTING chains."
+msgstr ""
+
#. type: Plain text
msgid "Use of -j SET requires that ipset kernel support is provided, which, for standard kernels, is the case since Linux 2.6.39."
msgstr "-j SET を使用するには ipset のカーネルサポートが必要である。 標準のカーネルでは、 Linux 2.6.39 以降で提供されている。"
msgstr "1 つの新しい送信元 IP アドレス、 または IP アドレスの範囲が指定できる。 ルールでプロトコルとして B<tcp>, B<udp>, B<dccp>, B<sctp> が指定されている場合、 ポートの範囲を指定することもできる。 ポートの範囲が指定されていない場合、 512 未満の送信元ポートは、 他の 512 未満のポートにマッピングされる。 512 〜 1023 までのポートは、 1024 未満のポートにマッピングされる。 それ以外のポートは、 1024 以上のポートにマッピングされる。 可能であれば、 ポートの変換は起こらない。 2.6.10 以前のカーネルでは、 複数の --to-source オプションを指定することができる。 これらのカーネルでは、 アドレスの範囲指定や --to-source オプションの複数回指定により 2 つ以上の送信元アドレスを指定した場合、 それらのアドレスを使った単純なラウンド・ロビンが行われる。 それ以降のカーネル (E<gt>= 2.6.11-rc1) には複数の範囲を NAT する機能は存在しない。"
#. type: Plain text
-msgid "If option B<--random> is used then port mapping will be randomized (kernel E<gt>= 2.6.21)."
-msgstr "B<--random> オプションが使用されると、ポートマッピングはランダム化される (カーネル 2.6.21 以降)。"
+msgid "If option B<--random> is used then port mapping will be randomized through a hash-based algorithm (kernel E<gt>= 2.6.21)."
+msgstr "B<--random> オプションが使用されると、ポートマッピングは、ハッシュを使ったアルゴリズムでランダム化される (カーネル 2.6.21 以降)。"
+
+#. type: Plain text
+msgid "If option B<--random-fully> is used then port mapping will be fully randomized through a PRNG (kernel E<gt>= 3.14)."
+msgstr "B<--random> オプションが使用されると、ポートマッピングは PRNG でランダム化される (カーネル 2.6.21 以降)。"
#. type: Plain text
msgid "Kernels prior to 2.6.36-rc1 don't have the ability to B<SNAT> in the B<INPUT> chain."
#. type: SS
#, no-wrap
+msgid "SYNPROXY"
+msgstr "SYNPROXY"
+
+#. type: Plain text
+msgid "This target will process TCP three-way-handshake parallel in netfilter context to protect either local or backend system. This target requires connection tracking because sequence numbers need to be translated. The kernels ability to absorb SYNFLOOD was greatly improved starting with Linux 4.4, so this target should not be needed anymore to protect Linux servers."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--mss> I<maximum segment size>"
+msgstr ""
+
+#. type: Plain text
+msgid "Maximum segment size announced to clients. This must match the backend."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--wscale> I<window scale>"
+msgstr "B<--wscale> I<window scale>"
+
+#. type: Plain text
+msgid "Window scale announced to clients. This must match the backend."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--sack-perm>"
+msgstr "B<--sack-perm>"
+
+#. type: Plain text
+msgid "Pass client selective acknowledgement option to backend (will be disabled if not present)."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<--timestamps>"
+msgstr "B<--timestamps>"
+
+#. type: Plain text
+msgid "Pass client timestamp option to backend (will be disabled if not present, also needed for selective acknowledgement and window scaling)."
+msgstr ""
+
+#. type: Plain text
+msgid "Determine tcp options used by backend, from an external system"
+msgstr ""
+
+#. type: Plain text
+msgid "tcpdump -pni eth0 -c 1 'tcp[tcpflags] == (tcp-syn|tcp-ack)'"
+msgstr ""
+
+#. type: Plain text
+#, no-wrap
+msgid " port 80 &\n"
+msgstr ""
+
+#. type: Plain text
+msgid "telnet 192.0.2.42 80"
+msgstr ""
+
+#. type: Plain text
+msgid "18:57:24.693307 IP 192.0.2.42.80 E<gt> 192.0.2.43.48757:"
+msgstr ""
+
+#. type: Plain text
+#, no-wrap
+msgid " Flags [S.], seq 360414582, ack 788841994, win 14480,\n"
+msgstr ""
+
+#. type: Plain text
+#, no-wrap
+msgid " options [mss 1460,sackOK,\n"
+msgstr ""
+
+#. type: Plain text
+#, no-wrap
+msgid " TS val 1409056151 ecr 9690221,\n"
+msgstr ""
+
+#. type: Plain text
+#, no-wrap
+msgid " nop,wscale 9],\n"
+msgstr ""
+
+#. type: Plain text
+#, no-wrap
+msgid " length 0\n"
+msgstr " length 0\n"
+
+#. type: Plain text
+msgid "Switch tcp_loose mode off, so conntrack will mark out-of-flow packets as state INVALID."
+msgstr ""
+
+#. type: Plain text
+msgid "Make SYN packets untracked"
+msgstr ""
+
+#. type: Plain text
+#, no-wrap
+msgid ""
+"iptables -t raw -A PREROUTING -i eth0 -p tcp --dport 80\n"
+" --syn -j CT --notrack\n"
+msgstr ""
+"iptables -t raw -A PREROUTING -i eth0 -p tcp --dport 80\n"
+" --syn -j CT --notrack\n"
+
+#. type: Plain text
+msgid "Catch UNTRACKED (SYN packets) and INVALID (3WHS ACK packets) states and send them to SYNPROXY. This rule will respond to SYN packets with SYN+ACK syncookies, create ESTABLISHED for valid client response (3WHS ACK packets) and drop incorrect cookies. Flags combinations not expected during 3WHS will not match and continue (e.g. SYN+FIN, SYN+ACK)."
+msgstr ""
+
+#. type: Plain text
+#, no-wrap
+msgid ""
+"iptables -A INPUT -i eth0 -p tcp --dport 80\n"
+" -m state --state UNTRACKED,INVALID -j SYNPROXY\n"
+" --sack-perm --timestamp --mss 1460 --wscale 9\n"
+msgstr ""
+
+#. type: Plain text
+msgid "Drop invalid packets, this will be out-of-flow packets that were not matched by SYNPROXY."
+msgstr ""
+
+#. type: Plain text
+msgid "iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state INVALID -j DROP"
+msgstr "iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state INVALID -j DROP"
+
+#. type: SS
+#, no-wrap
msgid "TCPMSS"
msgstr "TCPMSS"
msgstr "TRACE"
#. type: Plain text
-msgid "This target marks packets so that the kernel will log every rule which match the packets as those traverse the tables, chains, rules."
+msgid "This target marks packets so that the kernel will log every rule which match the packets as those traverse the tables, chains, rules. It can only be used in the B<raw> table."
msgstr ""
#. type: Plain text
-msgid "A logging backend, such as ip(6)t_LOG or nfnetlink_log, must be loaded for this to be visible. The packets are logged with the string prefix: \"TRACE: tablename:chainname:type:rulenum \" where type can be \"rule\" for plain rule, \"return\" for implicit rule at the end of a user defined chain and \"policy\" for the policy of the built in chains."
+msgid "With iptables-legacy, a logging backend, such as ip(6)t_LOG or nfnetlink_log, must be loaded for this to be visible. The packets are logged with the string prefix: \"TRACE: tablename:chainname:type:rulenum \" where type can be \"rule\" for plain rule, \"return\" for implicit rule at the end of a user defined chain and \"policy\" for the policy of the built in chains."
msgstr ""
#. type: Plain text
-msgid "It can only be used in the B<raw> table."
+msgid "With iptables-nft, the target is translated into nftables' B<meta nftrace> expression. Hence the kernel sends trace events via netlink to userspace where they may be displayed using B<xtables-monitor --trace> command. For details, refer to B<xtables-monitor>(8)."
msgstr ""
#. type: SS
#. type: Plain text
msgid "Number of packet to queue inside kernel. Setting this value to, e.g. 10 accumulates ten packets inside the kernel and transmits them as one netlink multipart message to userspace. Default is 1 (for backwards compatibility)."
msgstr "カーネル内部のキューに入れられるパケットの数。 例えば、 この値を 10 にした場合、 カーネル内部で 10 個のパケットをまとめ、 1 つの netlink マルチパートメッセージとしてユーザー空間に送る。 (過去のものとの互換性のため) デフォルトは 1 である。"
+
+#~ msgid "Name of a bridge port via which a packet is going to be sent (for packets entering the B<FORWARD>, B<OUTPUT> and B<POSTROUTING> chains). If the interface name ends in a \"+\", then any interface which begins with this name will match. Note that in the B<nat> and B<mangle> B<OUTPUT> chains one cannot match on the bridge output port, however one can in the B<filter OUTPUT> chain. If the packet won't leave by a bridge device or if it is yet unknown what the output device will be, then the packet won't match this option, unless '!' is used."
+#~ msgstr "パケットを送信することになるブリッジのポート名 (B<FORWARD>, B<OUTPUT>, B<POSTROUTING> チェインに入るパケットのみ)。 インターフェース名が \"+\" で終っている場合、 その名前で始まる任意のインターフェース名にマッチする。 B<nat> と B<mangle> テーブルの B<OUTPUT> チェインではブリッジの出力ポートにマッチさせることができないが、 B<filter> テーブルの B<OUPUT> チェインではマッチ可能である。 パケットがブリッジデバイスから送られなかった場合、 またはパケットの出力デバイスが不明であった場合は、 \\&'!' が指定されていない限り、 パケットはこのオプションにマッチしない。"
+
+#~ msgid "Match a given TCP MSS value or range."
+#~ msgstr "指定された TCP MSS 値か範囲にマッチする。"
+
+#~ msgid "unclean (IPv4-specific)"
+#~ msgstr "unclean (IPv4 の場合)"
+
+#~ msgid "This module takes no options, but attempts to match packets which seem malformed or unusual. This is regarded as experimental."
+#~ msgstr "このモジュールにはオプションがないが、 おかしく正常でないように見えるパケットにマッチする。 これは実験的なものとして扱われている。"
+
+#~ msgid "Set type of audit record."
+#~ msgstr "監査レコード種別を設定する。"
+
+#~ msgid "iptables -A AUDIT_DROP -j AUDIT --type drop"
+#~ msgstr "iptables -A AUDIT_DROP -j AUDIT --type drop"
+
+#~ msgid "MIRROR (IPv4-specific)"
+#~ msgstr "MIRROR (IPv4 の場合)"
+
+#~ msgid "This is an experimental demonstration target which inverts the source and destination fields in the IP header and retransmits the packet. It is only valid in the B<INPUT>, B<FORWARD> and B<PREROUTING> chains, and user-defined chains which are only called from those chains. Note that the outgoing packets are B<NOT> seen by any packet filtering chains, connection tracking or NAT, to avoid loops and other problems."
+#~ msgstr "実験的なデモンストレーション用のターゲットであり、 IP ヘッダーの送信元と宛先フィールドを入れ換え、 パケットを再送信するものである。 これは B<INPUT>, B<FORWARD>, B<PREROUTING> チェインと、 これらのチェインから呼び出される ユーザー定義チェインだけで有効である。 ループ等の問題を回避するため、 外部に送られるパケットは いかなるパケットフィルタリングチェイン・コネクション追跡・NAT からも 監視B<されない>。"
+
+#~ msgid "SAME (IPv4-specific)"
+#~ msgstr "SAME (IPv4 の場合)"
+
+#~ msgid "B<--to> I<ipaddr>[B<->I<ipaddr>]"
+#~ msgstr "B<--to> I<ipaddr>[B<->I<ipaddr>]"
+
+#~ msgid "B<--nodst>"
+#~ msgstr "B<--nodst>"
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2014-05-07 04:08+0900\n"
-"PO-Revision-Date: 2014-05-07 04:21+0900\n"
+"POT-Creation-Date: 2021-03-24 13:11+0900\n"
+"PO-Revision-Date: 2021-03-24 16:11+0900\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
"Language: \n"
#. type: TH
#, no-wrap
-msgid "iptables 1.4.21"
-msgstr "iptables 1.4.21"
+msgid "iptables 1.8.4"
+msgstr "iptables 1.8.4"
#. Man page written by Harald Welte <laforge@gnumonks.org>
#. It is based on the iptables man page.
msgstr "書式"
#. type: Plain text
-msgid "B<iptables-restore> [B<-chntv>] [B<-M> I<modprobe>]"
-msgstr "B<iptables-restore> [B<-chntv>] [B<-M> I<modprobe>]"
+msgid "B<iptables-restore> [B<-chntvV>] [B<-w> I<secs>] [B<-W> I<usecs>] [B<-M> I<modprobe>] [B<-T> I<name>] [B<file>]"
+msgstr "B<iptables-restore> [B<-chntvV>] [B<-w> I<secs>] [B<-W> I<usecs>] [B<-M> I<modprobe>] [B<-T> I<name>] [B<file>]"
#. type: Plain text
-msgid "B<ip6tables-restore> [B<-chntv>] [B<-M> I<modprobe>] [B<-T> I<name>]"
-msgstr "B<ip6tables-restore> [B<-chntv>] [B<-M> I<modprobe>] [B<-T> I<name>]"
+msgid "B<ip6tables-restore> [B<-chntvV>] [B<-w> I<secs>] [B<-W> I<usecs>] [B<-M> I<modprobe>] [B<-T> I<name>] [B<file>]"
+msgstr "B<ip6tables-restore> [B<-chntvV>] [B<-w> I<secs>] [B<-W> I<usecs>] [B<-M> I<modprobe>] [B<-T> I<name>] [B<file>]"
#. type: SH
#, no-wrap
msgstr "説明"
#. type: Plain text
-msgid "B<iptables-restore> and B<ip6tables-restore> are used to restore IP and IPv6 Tables from data specified on STDIN. Use I/O redirection provided by your shell to read from a file"
-msgstr "B<iptables-restore> と B<ip6tables-restore> は標準入力で指定されたデータから IP/IPv6 テーブルを復元するために使われる。 ファイルから読み込むためには、 シェルで提供されている I/O リダイレクションを使うこと。"
+msgid "B<iptables-restore> and B<ip6tables-restore> are used to restore IP and IPv6 Tables from data specified on STDIN or in I<file>. Use I/O redirection provided by your shell to read from a file or specify I<file> as an argument."
+msgstr "B<iptables-restore> と B<ip6tables-restore> は、標準入力または I<file> で指定されたデータから IP/IPv6 テーブルを復元するために使われる。ファイルから読み込むためには、シェルで提供されている I/O リダイレクションを使うか、引き数で I<file> を指定すること。"
#. type: TP
#, no-wrap
#. type: TP
#, no-wrap
+msgid "B<-V>, B<--version>"
+msgstr "B<-V>, B<--version>"
+
+#. type: Plain text
+msgid "Print the program version number."
+msgstr "プログラムのバージョン番号を表示する。"
+
+#. type: TP
+#, no-wrap
+msgid "B<-w>, B<--wait> [I<seconds>]"
+msgstr "B<-w>, B<--wait> [I<seconds>]"
+
+#. type: Plain text
+msgid "Wait for the xtables lock. To prevent multiple instances of the program from running concurrently, an attempt will be made to obtain an exclusive lock at launch. By default, the program will exit if the lock cannot be obtained. This option will make the program wait (indefinitely or for optional I<seconds>) until the exclusive lock can be obtained."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-W>, B<--wait-interval> I<microseconds>"
+msgstr "B<-W>, B<--wait-interval> I<microseconds>"
+
+#. type: Plain text
+msgid "Interval to wait per each iteration. When running latency sensitive applications, waiting for the xtables lock for extended durations may not be acceptable. This option will make each iteration take the amount of time specified. The default interval is 1 second. This option only works with B<-w>."
+msgstr ""
+
+#. type: TP
+#, no-wrap
msgid "B<-M>, B<--modprobe> I<modprobe_program>"
msgstr "B<-M>, B<--modprobe> I<modprobe_program>"
#. type: Plain text
msgid "The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO, which details NAT, and the netfilter-hacking-HOWTO which details the internals."
msgstr "より多くの iptables の使用法について 詳細に説明している iptables-HOWTO。 NAT について詳細に説明している NAT-HOWTO。 内部構造について詳細に説明している netfilter-hacking-HOWTO。"
+
+#~ msgid "B<iptables-restore> [B<-chntv>] [B<-M> I<modprobe>]"
+#~ msgstr "B<iptables-restore> [B<-chntv>] [B<-M> I<modprobe>]"
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2014-05-07 04:08+0900\n"
-"PO-Revision-Date: 2014-05-07 04:18+0900\n"
+"POT-Creation-Date: 2021-03-24 13:11+0900\n"
+"PO-Revision-Date: 2021-03-24 16:06+0900\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
"Language: \n"
#. type: TH
#, no-wrap
-msgid "iptables 1.4.21"
-msgstr "iptables 1.4.21"
+msgid "iptables 1.8.4"
+msgstr "iptables 1.8.4"
#. Man page written by Harald Welte <laforge@gnumonks.org>
#. It is based on the iptables man page.
msgstr "名前"
#. type: Plain text
-msgid "iptables-save \\(em dump iptables rules to stdout"
-msgstr "iptables-save \\(em iptables ルールを標準出力にダンプする"
+msgid "iptables-save \\(em dump iptables rules"
+msgstr "iptables-save \\(em iptables ルールをダンプする"
#. type: Plain text
-msgid "ip6tables-save \\(em dump iptables rules to stdout"
-msgstr "ip6tables-save \\(em iptables ルールを標準出力にダンプする"
+msgid "ip6tables-save \\(em dump iptables rules"
+msgstr "ip6tables-save \\(em iptables ルールをダンプする"
#. type: SH
#, no-wrap
msgstr "書式"
#. type: Plain text
-msgid "B<iptables-save> [B<-M> I<modprobe>] [B<-c>] [B<-t> I<table>]"
-msgstr "B<iptables-save> [B<-M> I<modprobe>] [B<-c>] [B<-t> I<table>]"
+msgid "B<iptables-save> [B<-M> I<modprobe>] [B<-c>] [B<-t> I<table>] [B<-f> I<filename>]"
+msgstr "B<iptables-save> [B<-M> I<modprobe>] [B<-c>] [B<-t> I<table>] [B<-f> I<filename>]"
#. type: Plain text
-msgid "B<ip6tables-save> [B<-M> I<modprobe>] [B<-c>] [B<-t> I<table>"
-msgstr "B<ip6tables-save> [B<-M> I<modprobe>] [B<-c>] [B<-t> I<table>]"
+msgid "B<ip6tables-save> [B<-M> I<modprobe>] [B<-c>] [B<-t> I<table>] [B<-f> I<filename>]"
+msgstr "B<ip6tables-save> [B<-M> I<modprobe>] [B<-c>] [B<-t> I<table>] [B<-f> I<filename>]"
#. type: SH
#, no-wrap
msgstr "説明"
#. type: Plain text
-msgid "B<iptables-save> and B<ip6tables-save> are used to dump the contents of IP or IPv6 Table in easily parseable format to STDOUT. Use I/O-redirection provided by your shell to write to a file."
-msgstr "B<iptables-save> と B<ip6tables-save> は IP/IPv6 テーブルの内容を簡単に解析できる形式で 標準出力にダンプするために使われる。 ファイルに書き出すためには、 シェルで提供されている I/O リダイレクションを使うこと。"
+msgid "B<iptables-save> and B<ip6tables-save> are used to dump the contents of IP or IPv6 Table in easily parseable format either to STDOUT or to a specified file."
+msgstr "B<iptables-save> と B<ip6tables-save> は、 IP/IPv6 テーブルの内容を簡単に解析できる形式で標準出力か指定されたフィアルのいずれかにダンプするために使われる。"
#. type: TP
#, no-wrap
-msgid "B<-M> I<modprobe_program>"
-msgstr "B<-M> I<modprobe_program>"
+msgid "B<-M>, B<--modprobe> I<modprobe_program>"
+msgstr "B<-M>, B<--modprobe> I<modprobe_program>"
#. type: Plain text
msgid "Specify the path to the modprobe program. By default, iptables-save will inspect /proc/sys/kernel/modprobe to determine the executable's path."
#. type: TP
#, no-wrap
+msgid "B<-f>, B<--file> I<filename>"
+msgstr "B<-f>, B<--file> I<filename>"
+
+#. type: Plain text
+msgid "Specify a filename to log the output to. If not specified, iptables-save will log to STDOUT."
+msgstr "出力を書き込むファイル名を指定する。指定されなかった場合、 iptables-save は出力を標準出力に書き出す。"
+
+#. type: TP
+#, no-wrap
msgid "B<-c>, B<--counters>"
msgstr "B<-c>, B<--counters>"
msgstr "B<-t>, B<--table> I<tablename>"
#. type: Plain text
-msgid "restrict output to only one table. If not specified, output includes all available tables."
-msgstr "出力を 1 つのテーブルのみに制限する。 指定されない場合、得られた全てのテーブルを出力する。"
+msgid "restrict output to only one table. If the kernel is configured with automatic module loading, an attempt will be made to load the appropriate module for that table if it is not already there."
+msgstr ""
+
+#. type: Plain text
+msgid "If not specified, output includes all available tables."
+msgstr "指定されない場合、得られた全てのテーブルを出力する。"
#. type: SH
#, no-wrap
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2014-05-07 04:08+0900\n"
-"PO-Revision-Date: 2014-05-07 04:42+0900\n"
+"POT-Creation-Date: 2021-03-24 13:11+0900\n"
+"PO-Revision-Date: 2021-03-24 16:45+0900\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
"Language: \n"
#. type: TH
#, no-wrap
-msgid "iptables 1.4.21"
-msgstr "iptables 1.4.21"
+msgid "iptables 1.8.4"
+msgstr "iptables 1.8.4"
#. Man page written by Herve Eychenne <rv@wallfire.org> (May 1999)
#. It is based on ipchains page.
msgstr "B<nat>:"
#. type: Plain text
-msgid "This table is consulted when a packet that creates a new connection is encountered. It consists of
three built-ins: B<PREROUTING> (for altering packets as soon as they come in), B<OUTPUT> (for altering locally-generated packets before routing), and B<POSTROUTING> (for altering packets as they are about to go out). IPv6 NAT support is available since kernel 3.7."
-msgstr "このテーブルは新しい接続を開くパケットの場合に参照される。 B<PREROUTING> (パケットが入ってきた場合、すぐにそのパケットを変換するためのチェイン)、 B<OUTPUT> (ローカルで生成されたパケットをルーティングの前に変換するためのチェイン)、 B<POSTROUTING> (パケットが出て行くときに変換するためのチェイン) という 3 つの組み込みチェインがある。 IPv6 NAT サポートはカーネル 3.7 以降で利用できる。"
+msgid "This table is consulted when a packet that creates a new connection is encountered. It consists of
four built-ins: B<PREROUTING> (for altering packets as soon as they come in), B<INPUT> (for altering packets destined for local sockets), B<OUTPUT> (for altering locally-generated packets before routing), and B<POSTROUTING> (for altering packets as they are about to go out). IPv6 NAT support is available since kernel 3.7."
+msgstr "このテーブルは新しい接続を開くパケットの場合に参照される。 B<PREROUTING> (パケットが入ってきた場合、すぐにそのパケットを変換するためのチェイン)、 B<OUTPUT> (ローカルで生成されたパケットをルーティングの前に変換するためのチェイン)、 B<INPUT> (ローカルソケット宛てのパケットを変更するためのチェイン)、 B<POSTROUTING> (パケットが出て行くときに変換するためのチェイン) という 4 つの組み込みチェインがある。 IPv6 NAT サポートはカーネル 3.7 以降で利用できる。"
#. type: TP
#, no-wrap
#. type: Plain text
msgid "Please note that it is often used with the B<-n> option, in order to avoid long reverse DNS lookups. It is legal to specify the B<-Z> (zero) option as well, in which case the chain(s) will be atomically listed and zeroed. The exact output is affected by the other arguments given. The exact rules are suppressed until you use"
-msgstr "DNS の逆引きを避けるために、 B<-n> オプションと共に使用されることがよくある。 B<-Z> (ゼロクリア) オプションを同時に指定することもできる。 この場合、各チェインの表示とゼロクリアは同時に行われ、カウンタ値に抜けが発生することはない。 細かな出力内容は同時に指定された他の引き数により変化する。 以下のように B<-v> オプションを指定しない限り、 ルールの表示は一部省略されたものとなる。"
+msgstr "DNS の逆引きを避けるために、 B<-n> オプションと共に使用されることがよくある。 B<-Z> (ゼロクリア) オプションを同時に指定することもできる。 この場合、各チェインの表示とゼロクリアは同時に行われ、カウンタ値に抜けが発生することはない。 細かな出力内容は同時に指定された他の引き数により変化する。デフォルトでは、ルールの表示は一部省略されたものとなる。完全なルールを表示するには、"
#. type: Plain text
#, no-wrap
msgid " iptables -L -v\n"
msgstr " iptables -L -v\n"
+#. type: Plain text
+msgid "or B<iptables-save>(8)."
+msgstr "のように B<-v> オプションを指定するか B<iptables-save>(8) を使うこと。"
+
#. type: TP
#, no-wrap
msgid "B<-S>, B<--list-rules> [I<chain>]"
msgstr "B<-P>, B<--policy> I<chain target>"
#. type: Plain text
-msgid "Set the policy for the chain to the given target. See the section B<TARGETS> for the legal targets. Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined chains can be policy targets."
-msgstr "チェインのポリシーを指定したターゲットに設定する。指定可能なターゲットは「B<ターゲット>」の章を参照すること。 (ユーザー定義ではない) 組み込みチェインにしかポリシーは設定できない。 また、ポリシーのターゲットに、 組み込みチェインやユーザー定義チェインを設定することはできない。"
+msgid "Set the policy for the built-in (non-user-defined) chain to the given target. The policy target must be either B<ACCEPT> or B<DROP>."
+msgstr "組み込みチェイン (ユーザー定義ではないチェイン) のポリシーを指定したターゲットに設定する。ポリシーのターゲットは B<ACCEPT> か B<DROP> でなければならない。"
#. type: TP
#, no-wrap
#. type: TP
#, no-wrap
-msgid "B<-w>, B<--wait>"
-msgstr "B<-w>, B<--wait>"
+msgid "B<-w>, B<--wait> [I<seconds>]"
+msgstr "B<-w>, B<--wait> [I<seconds>]"
#. type: Plain text
-msgid "Wait for the xtables lock. To prevent multiple instances of the program from running concurrently, an attempt will be made to obtain an exclusive lock at launch. By default, the program will exit if the lock cannot be obtained. This option will make the program wait until the exclusive lock can be obtained."
+msgid "Wait for the xtables lock. To prevent multiple instances of the program from running concurrently, an attempt will be made to obtain an exclusive lock at launch. By default, the program will exit if the lock cannot be obtained. This option will make the program wait (indefinitely or for optional I<seconds>) until the exclusive lock can be obtained."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-W>, B<--wait-interval> I<microseconds>"
+msgstr "B<-W>, B<--wait-interval> I<microseconds>"
+
+#. type: Plain text
+msgid "Interval to wait per each iteration. When running latency sensitive applications, waiting for the xtables lock for extended durations may not be acceptable. This option will make each iteration take the amount of time specified. The default interval is 1 second. This option only works with B<-w>."
msgstr ""
#. type: TP
msgstr "Harald Welte は ULOG ターゲット、NFQUEUE ターゲット、新しい libiptc や TTL, DSCP, ECN のマッチ・ターゲットを書いた。"
#. type: Plain text
-msgid "The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Yasuyuki Kozakai, Jozsef Kadlecsik, Patrick McHardy, James Morris, Pablo Neira Ayuso, Harald Welte and Rusty Russell."
-msgstr "Netfilter コアチームは、Martin Josefsson, Yasuyuki Kozakai, Jozsef Kadlecsik, Patrick McHardy, James Morris, Pablo Neira Ayuso, Harald Welte, Rusty Russell である。"
+msgid "The Netfilter Core Team is: Jozsef Kadlecsik, Pablo Neira Ayuso, Eric Leblond, Florian Westphal and Arturo Borrero Gonzalez. Emeritus Core Team members are: Marc Boucher, Martin Josefsson, Yasuyuki Kozakai, James Morris, Harald Welte and Rusty Russell."
+msgstr "Netfilter コアチームは、 Jozsef Kadlecsik, Pablo Neira Ayuso, Eric Leblond, Florian Westphal, Arturo Borrero Gonzalez である。名誉コアメンバーは Marc Boucher, Martin Josefsson, Yasuyuki Kozakai, James Morris, Harald Welte, Rusty Russell である。"
#. .. and did I mention that we are incredibly cool people?
#. .. sexy, too ..
msgstr "バージョン"
#. type: Plain text
-msgid "This manual page applies to iptables/ip6tables 1.4.21."
-msgstr "この man ページは iptables/ip6tables 1.4.21 について説明している。"
+msgid "This manual page applies to iptables/ip6tables 1.8.4."
+msgstr "この man ページは iptables/ip6tables 1.8.4 について説明している。"
+
+#~ msgid "Set the policy for the chain to the given target. See the section B<TARGETS> for the legal targets. Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined chains can be policy targets."
+#~ msgstr "チェインのポリシーを指定したターゲットに設定する。指定可能なターゲットは「B<ターゲット>」の章を参照すること。 (ユーザー定義ではない) 組み込みチェインにしかポリシーは設定できない。 また、ポリシーのターゲットに、 組み込みチェインやユーザー定義チェインを設定することはできない。"
--- /dev/null
+# SOME DESCRIPTIVE TITLE
+# Copyright (C) YEAR Free Software Foundation, Inc.
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"POT-Creation-Date: 2021-03-24 13:11+0900\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. type: TH
+#, no-wrap
+msgid "NFBPF_COMPILE"
+msgstr ""
+
+#. type: TH
+#, no-wrap
+msgid "iptables 1.8.4"
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "NAME"
+msgstr ""
+
+#. type: Plain text
+msgid "nfbpf_compile - generate bytecode for use with xt_bpf"
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "SYNOPSIS"
+msgstr ""
+
+#. type: Plain text
+msgid "B<nfbpf_compile> [ I<LLTYPE> ] I<PROGRAM>"
+msgstr ""
+
+#. type: Plain text
+msgid "I<LLTYPE> := { B<EN10MB> | B<RAW> | B<SLIP> | I<...> }"
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "DESCRIPTION"
+msgstr ""
+
+#. type: Plain text
+msgid "The B<nfbpf_compile> utility aids in generating BPF byte code suitable for passing to the iptables B<bpf> match."
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "OPTIONS"
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "I<LLTYPE>"
+msgstr ""
+
+#. type: Plain text
+msgid "Link-layer header type to operate on. This is a name as defined in E<lt>B<pcap/dlt.h>E<gt> but with the leading B<DLT_> prefix stripped. For use with iptables, B<RAW> should be the right choice (it's also the default if not specified)."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "I<PROGRAM>"
+msgstr ""
+
+#. type: Plain text
+msgid "The BPF expression to compile, see B<pcap-filter>(7) for a description of the language."
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "EXIT STATUS"
+msgstr ""
+
+#. type: Plain text
+msgid "The program returns 0 on success, 1 otherwise."
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "EXAMPLE"
+msgstr ""
+
+#. type: Plain text
+msgid "Match incoming TCP packets with size bigger than 100 bytes:"
+msgstr ""
+
+#. type: Plain text
+msgid "bpf=$(nfbpf_compile 'tcp and greater 100')"
+msgstr ""
+
+#. type: Plain text
+msgid "iptables -A INPUT -m bpf --bytecode \"$bpf\" -j ACCEPT"
+msgstr ""
+
+#. type: Plain text
+msgid "The description of B<bpf> match in B<iptables-extensions>(8) lists a few more examples."
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "SEE ALSO"
+msgstr ""
+
+#. type: Plain text
+msgid "B<iptables-extensions>(8), B<pcap-filter>(7)"
+msgstr ""
--- /dev/null
+# SOME DESCRIPTIVE TITLE
+# Copyright (C) YEAR Free Software Foundation, Inc.
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"POT-Creation-Date: 2021-03-24 13:11+0900\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. type: TH
+#, no-wrap
+msgid "NFNL_OSF"
+msgstr ""
+
+#. type: TH
+#, no-wrap
+msgid "iptables 1.8.4"
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "NAME"
+msgstr ""
+
+#. type: Plain text
+msgid "nfnl_osf - OS fingerprint loader utility"
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "SYNOPSIS"
+msgstr ""
+
+#. type: Plain text
+msgid "B<nfnl_osf> B<-f>I< fingerprints> [ B<-d> ]"
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "DESCRIPTION"
+msgstr ""
+
+#. type: Plain text
+msgid "The B<nfnl_osf> utility allows to load a set of operating system signatures into the kernel for later matching against using iptables' B<osf> match."
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "OPTIONS"
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-f>I< fingerprints>"
+msgstr ""
+
+#. type: Plain text
+msgid "Read signatures from file I<fingerprints>."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-d>"
+msgstr ""
+
+#. type: Plain text
+msgid "Instead of adding the signatures from I<fingerprints> into the kernel, remove them."
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "EXIT STATUS"
+msgstr ""
+
+#. type: Plain text
+msgid "Exit status is 0 if command succeeded, otherwise a negative return code indicates the type of error which happened:"
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-1>"
+msgstr ""
+
+#. type: Plain text
+msgid "Illegal arguments passed, fingerprints file not readable or failure in netlink communication."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-ENOENT>"
+msgstr ""
+
+#. type: Plain text
+msgid "Fingerprints file not specified."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-EINVAL>"
+msgstr ""
+
+#. type: Plain text
+msgid "Netlink handle initialization failed or fingerprints file format invalid."
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "FILES"
+msgstr ""
+
+#. type: Plain text
+msgid "An up to date set of operating system signatures can be downloaded from http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os ."
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "SEE ALSO"
+msgstr ""
+
+#. type: Plain text
+msgid "The description of B<osf> match in B<iptables-extensions>(8) contains further information about the topic as well as example B<nfnl_osf> invocations."
+msgstr ""
--- /dev/null
+# SOME DESCRIPTIVE TITLE
+# Copyright (C) YEAR Free Software Foundation, Inc.
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"POT-Creation-Date: 2021-03-24 13:11+0900\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. type: TH
+#, no-wrap
+msgid "XTABLES-LEGACY"
+msgstr ""
+
+#. type: TH
+#, no-wrap
+msgid "June 2018"
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "NAME"
+msgstr ""
+
+#. type: Plain text
+msgid "xtables-legacy \\(em iptables using old getsockopt/setsockopt-based kernel api"
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "DESCRIPTION"
+msgstr ""
+
+#. type: Plain text
+msgid "B<xtables-legacy> are the original versions of iptables that use old getsockopt/setsockopt-based kernel interface. This kernel interface has some limitations, therefore iptables can also be used with the newer nf_tables based API. See B<xtables-nft(8)> for information about the xtables-nft variants of iptables."
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "USAGE"
+msgstr ""
+
+#. type: Plain text
+msgid "The xtables-legacy-multi binary can be linked to the traditional names:"
+msgstr ""
+
+#. type: Plain text
+#, no-wrap
+msgid ""
+"\t/sbin/iptables -E<gt> /sbin/iptables-legacy-multi\n"
+"\t/sbin/ip6tables -E<gt> /sbin/ip6tables-legacy-multi\n"
+"\t/sbin/iptables-save -E<gt> /sbin/ip6tables-legacy-multi\n"
+"\t/sbin/iptables-restore -E<gt> /sbin/ip6tables-legacy-multi\n"
+msgstr ""
+
+#. type: Plain text
+msgid "The iptables version string will indicate whether the legacy API (get/setsockopt) or the new nf_tables API is used:"
+msgstr ""
+
+#. type: Plain text
+#, no-wrap
+msgid ""
+"\tiptables -V\n"
+"\tiptables v1.7 (legacy)\n"
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "LIMITATIONS"
+msgstr ""
+
+#. type: Plain text
+msgid "When inserting a rule using iptables -A or iptables -I, iptables first needs to retrieve the current active ruleset, change it to include the new rule, and then commit back the result. This means that if two instances of iptables are running concurrently, one of the updates might be lost. This can be worked around partially with the --wait option."
+msgstr ""
+
+#. type: Plain text
+msgid "There is also no method to monitor changes to the ruleset, except periodically calling iptables-legacy-save and checking for any differences in output."
+msgstr ""
+
+#. type: Plain text
+msgid "B<xtables-monitor(8)> will need the B<xtables-nft(8)> versions to work, it cannot display changes made using the B<iptables-legacy> tools."
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "SEE ALSO"
+msgstr ""
+
+#. type: Plain text
+msgid "B<xtables-nft(8)>, B<xtables-translate(8)>"
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "AUTHORS"
+msgstr ""
+
+#. type: Plain text
+msgid "Rusty Russell originally wrote iptables, in early consultation with Michael Neuling."
+msgstr ""
--- /dev/null
+# SOME DESCRIPTIVE TITLE
+# Copyright (C) YEAR Free Software Foundation, Inc.
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"POT-Creation-Date: 2021-03-24 13:11+0900\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. type: TH
+#, no-wrap
+msgid "XTABLES-MONITOR"
+msgstr ""
+
+#. type: TH
+#, no-wrap
+msgid "iptables 1.8.4"
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "NAME"
+msgstr ""
+
+#. type: Plain text
+msgid "xtables-monitor \\(em show changes to rule set and trace-events"
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "SYNOPSIS"
+msgstr ""
+
+#. type: Plain text
+msgid "B<xtables-monitor> [B<-t>] [B<-e>] [B<-4>|B<|-6]>"
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "DESCRIPTION"
+msgstr ""
+
+#. type: Plain text
+msgid "B<xtables-monitor> is used to monitor changes to the ruleset or to show rule evaluation events for packets tagged using the TRACE target. B<xtables-monitor> will run until the user aborts execution, typically by using CTRL-C."
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "OPTIONS"
+msgstr ""
+
+#. type: Plain text
+msgid "B<-e>, B<--event>"
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "Watch for updates to the rule set."
+msgstr ""
+
+#. type: Plain text
+msgid "Updates include creation of new tables, chains and rules and the name of the program that caused the rule update."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-t>, B<--trace>"
+msgstr ""
+
+#. type: Plain text
+msgid "Watch for trace events generated by packets that have been tagged using the TRACE target."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-4>"
+msgstr ""
+
+#. type: Plain text
+msgid "Restrict output to IPv4."
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<-6>"
+msgstr ""
+
+#. type: Plain text
+msgid "Restrict output to IPv6."
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "EXAMPLE OUTPUT"
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<xtables-monitor --trace>"
+msgstr ""
+
+#. type: Plain text
+#, no-wrap
+msgid ""
+" 1 TRACE: 2 fc475095 raw:PREROUTING:rule:0x3:CONTINUE -4 -t raw -A PREROUTING -p icmp -j TRACE\n"
+" 2 PACKET: 0 fc475095 IN=lo LL=0x304 0000000000000000000000000800 SRC=127.0.0.1 DST=127.0.0.1 LEN=84 TOS=0x0 TTL=64 ID=38349DF\n"
+" 3 TRACE: 2 fc475095 raw:PREROUTING:return:\n"
+" 4 TRACE: 2 fc475095 raw:PREROUTING:policy:ACCEPT\n"
+" 5 TRACE: 2 fc475095 filter:INPUT:return:\n"
+" 6 TRACE: 2 fc475095 filter:INPUT:policy:DROP\n"
+" 7 TRACE: 2 0df9d3d8 raw:PREROUTING:rule:0x3:CONTINUE -4 -t raw -A PREROUTING -p icmp -j TRACE\n"
+msgstr ""
+
+#. type: Plain text
+msgid "The first line shows a packet entering rule set evaluation. The protocol number is shown (AF_INET in this case), then a packet identifier number that allows to correlate messages coming from rule set evaluation of this packet. After this, the rule that was matched by the packet is shown. This is the TRACE rule that turns on tracing events for this packet."
+msgstr ""
+
+#. type: Plain text
+msgid "The second line dumps information about the packet. Incoming interface and packet headers such as source and destination addresses are shown."
+msgstr ""
+
+#. type: Plain text
+msgid "The third line shows that the packet completed traversal of the raw table PREROUTING chain, and is returning, followed by use the chain policy to make accept/drop decision (the example shows accept being applied). The fifth line shows that the packet leaves the filter INPUT chain, i.e., no rules in the filter tables INPUT chain matched the packet. It then got DROPPED by the policy of the INPUT table, as shown by line six. The last line shows another packet arriving -- the packet id is different."
+msgstr ""
+
+#. type: Plain text
+msgid "When using the TRACE target, it is usually a good idea to only select packets that are relevant, for example via"
+msgstr ""
+
+#. type: Plain text
+#, no-wrap
+msgid "iptables -t raw -A PREROUTING -p tcp --dport 80 --syn -m limit --limit 1/s -j TRACE\n"
+msgstr ""
+
+#. type: TP
+#, no-wrap
+msgid "B<xtables-monitor --event>"
+msgstr ""
+
+#. type: Plain text
+#, no-wrap
+msgid ""
+" 1 EVENT: nft: NEW table: table filter ip flags 0 use 4 handle 444\n"
+" 2 EVENT: # nft: ip filter INPUT use 2 type filter hook input prio 0 policy drop packets 0 bytes 0\n"
+" 3 EVENT: # nft: ip filter FORWARD use 0 type filter hook forward prio 0 policy accept packets 0 bytes 0\n"
+" 4 EVENT: # nft: ip filter OUTPUT use 0 type filter hook output prio 0 policy accept packets 0 bytes 0\n"
+" 5 EVENT: -4 -t filter -N TCP\n"
+" 6 EVENT: -4 -t filter -A TCP -s 192.168.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT\n"
+" 7 EVENT: -4 -t filter -A TCP -p tcp -m multiport --dports 80,443 -j ACCEPT\n"
+" 8 EVENT: -4 -t filter -A INPUT -p tcp -j TCP\n"
+" 9 EVENT: -4 -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n"
+" 10 NEWGEN: GENID=13904 PID=25167 NAME=iptables-nftables-restore\n"
+msgstr ""
+
+#. type: Plain text
+msgid "This example shows event monitoring. Line one shows creation of a table (filter in this case), followed by three base hooks INPUT, FORWARD and OUTPUT. The iptables-nftables tools all create tables and base chains automatically when needed, so this is expected when a table was not yet initialized or when it is re-created from scratch by iptables-nftables-restore. Line five shows a new user-defined chain (TCP) being added, followed by addition a few rules. the last line shows that a new ruleset generation has become active, i.e., the rule set changes are now active. This also lists the process id and the programs name."
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "LIMITATIONS"
+msgstr ""
+
+#. type: Plain text
+msgid "B<xtables-monitor> only works with rules added using iptables-nftables, rules added using iptables-legacy cannot be monitored."
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "BUGS"
+msgstr ""
+
+#. type: Plain text
+msgid "Should be reported or by sending email to netfilter-devel@vger.kernel.org or by filing a report on https://bugzilla.netfilter.org/."
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "SEE ALSO"
+msgstr ""
+
+#. type: Plain text
+msgid "B<iptables>(8), B<xtables>(8), B<nft>(8)"
+msgstr ""
--- /dev/null
+# SOME DESCRIPTIVE TITLE
+# Copyright (C) YEAR Free Software Foundation, Inc.
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"POT-Creation-Date: 2021-03-24 13:11+0900\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. type: TH
+#, no-wrap
+msgid "XTABLES-NFT"
+msgstr ""
+
+#. type: TH
+#, no-wrap
+msgid "June 2018"
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "NAME"
+msgstr ""
+
+#. type: Plain text
+msgid "xtables-nft \\(em iptables using nftables kernel api"
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "DESCRIPTION"
+msgstr ""
+
+#. type: Plain text
+msgid "B<xtables-nft> are versions of iptables that use the nftables API. This is a set of tools to help the system administrator migrate the ruleset from B<iptables(8)>, B<ip6tables(8)>, B<arptables(8)>, and B<ebtables(8)> to B<nftables(8)>."
+msgstr ""
+
+#. type: Plain text
+msgid "The B<xtables-nft> set is composed of several commands:"
+msgstr ""
+
+#. type: IP
+#, no-wrap
+msgid "\\[bu]"
+msgstr ""
+
+#. type: Plain text
+msgid "iptables-nft"
+msgstr ""
+
+#. type: Plain text
+msgid "iptables-nft-save"
+msgstr ""
+
+#. type: Plain text
+msgid "iptables-nft-restore"
+msgstr ""
+
+#. type: Plain text
+msgid "ip6tables-nft"
+msgstr ""
+
+#. type: Plain text
+msgid "ip6tables-nft-save"
+msgstr ""
+
+#. type: Plain text
+msgid "ip6tables-nft-restore"
+msgstr ""
+
+#. type: Plain text
+msgid "arptables-nft"
+msgstr ""
+
+#. type: Plain text
+msgid "ebtables-nft"
+msgstr ""
+
+#. type: Plain text
+msgid "These tools use the libxtables framework extensions and hook to the nf_tables kernel subsystem using the B<nft_compat> module."
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "USAGE"
+msgstr ""
+
+#. type: Plain text
+msgid "The xtables-nft tools allow you to manage the nf_tables backend using the native syntax of B<iptables(8)>, B<ip6tables(8)>, B<arptables(8)>, and B<ebtables(8)>."
+msgstr ""
+
+#. type: Plain text
+msgid "You should use the xtables-nft tools exactly the same way as you would use the corresponding original tools."
+msgstr ""
+
+#. type: Plain text
+msgid "Adding a rule will result in that rule being added to the nf_tables kernel subsystem instead. Listing the ruleset will use the nf_tables backend as well."
+msgstr ""
+
+#. type: Plain text
+msgid "When these tools were designed, the main idea was to replace each legacy binary with a symlink to the xtables-nft program, for example:"
+msgstr ""
+
+#. type: Plain text
+#, no-wrap
+msgid ""
+"\t/sbin/iptables -E<gt> /usr/sbin/iptables-nft-multi\n"
+"\t/sbin/ip6tables -E<gt> /usr/sbin/ip6tables-nft-multi\n"
+"\t/sbin/arptables -E<gt> /usr/sbin/arptables-nft-multi\n"
+"\t/sbin/ebtables -E<gt> /usr/sbin/ebtables-nft-multi\n"
+msgstr ""
+
+#. type: Plain text
+msgid "The iptables version string will indicate whether the legacy API (get/setsockopt) or the new nf_tables api is used:"
+msgstr ""
+
+#. type: Plain text
+#, no-wrap
+msgid ""
+"\tiptables -V\n"
+"\tiptables v1.7 (nf_tables)\n"
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "DIFFERENCES TO LEGACY IPTABLES"
+msgstr ""
+
+#. type: Plain text
+msgid "Because the xtables-nft tools use the nf_tables kernel API, rule additions and deletions are always atomic. Unlike iptables-legacy, iptables-nft -A .. will NOT need to retrieve the current ruleset from the kernel, change it, and re-load the altered ruleset. Instead, iptables-nft will tell the kernel to add one rule. For this reason, the iptables-legacy --wait option is a no-op in iptables-nft."
+msgstr ""
+
+#. type: Plain text
+msgid "Use of the xtables-nft tools allow monitoring ruleset changes using the B<xtables-monitor(8)> command."
+msgstr ""
+
+#. type: Plain text
+msgid "When using -j TRACE to debug packet traversal to the ruleset, note that you will need to use B<xtables-monitor(8)> in --trace mode to obtain monitoring trace events."
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "EXAMPLES"
+msgstr ""
+
+#. type: Plain text
+msgid "One basic example is creating the skeleton ruleset in nf_tables from the xtables-nft tools, in a fresh machine:"
+msgstr ""
+
+#. type: Plain text
+#, no-wrap
+msgid ""
+"\troot@machine:~# iptables-nft -L\n"
+"\t[...]\n"
+"\troot@machine:~# ip6tables-nft -L\n"
+"\t[...]\n"
+"\troot@machine:~# arptables-nft -L\n"
+"\t[...]\n"
+"\troot@machine:~# ebtables-nft -L\n"
+"\t[...]\n"
+"\troot@machine:~# nft list ruleset\n"
+"\ttable ip filter {\n"
+"\t\tchain INPUT {\n"
+"\t\t\ttype filter hook input priority 0; policy accept;\n"
+"\t\t}\n"
+msgstr ""
+
+#. type: Plain text
+#, no-wrap
+msgid ""
+"\t\tchain FORWARD {\n"
+"\t\t\ttype filter hook forward priority 0; policy accept;\n"
+"\t\t}\n"
+msgstr ""
+
+#. type: Plain text
+#, no-wrap
+msgid ""
+"\t\tchain OUTPUT {\n"
+"\t\t\ttype filter hook output priority 0; policy accept;\n"
+"\t\t}\n"
+"\t}\n"
+"\ttable ip6 filter {\n"
+"\t\tchain INPUT {\n"
+"\t\t\ttype filter hook input priority 0; policy accept;\n"
+"\t\t}\n"
+msgstr ""
+
+#. type: Plain text
+#, no-wrap
+msgid ""
+"\t\tchain OUTPUT {\n"
+"\t\t\ttype filter hook output priority 0; policy accept;\n"
+"\t\t}\n"
+"\t}\n"
+"\ttable bridge filter {\n"
+"\t\tchain INPUT {\n"
+"\t\t\ttype filter hook input priority -200; policy accept;\n"
+"\t\t}\n"
+msgstr ""
+
+#. type: Plain text
+#, no-wrap
+msgid ""
+"\t\tchain FORWARD {\n"
+"\t\t\ttype filter hook forward priority -200; policy accept;\n"
+"\t\t}\n"
+msgstr ""
+
+#. type: Plain text
+#, no-wrap
+msgid ""
+"\t\tchain OUTPUT {\n"
+"\t\t\ttype filter hook output priority -200; policy accept;\n"
+"\t\t}\n"
+"\t}\n"
+"\ttable arp filter {\n"
+"\t\tchain INPUT {\n"
+"\t\t\ttype filter hook input priority 0; policy accept;\n"
+"\t\t}\n"
+msgstr ""
+
+#. type: Plain text
+#, no-wrap
+msgid ""
+"\t\tchain OUTPUT {\n"
+"\t\t\ttype filter hook output priority 0; policy accept;\n"
+"\t\t}\n"
+"\t}\n"
+msgstr ""
+
+#. type: Plain text
+msgid "(please note that in fresh machines, listing the ruleset for the first time results in all tables an chain being created)."
+msgstr ""
+
+#. type: Plain text
+msgid "To migrate your complete filter ruleset, in the case of B<iptables(8)>, you would use:"
+msgstr ""
+
+#. type: Plain text
+#, no-wrap
+msgid ""
+"\troot@machine:~# iptables-legacy-save E<gt> myruleset # reads from x_tables\n"
+"\troot@machine:~# iptables-nft-restore myruleset # writes to nf_tables\n"
+msgstr ""
+
+#. type: Plain text
+msgid "or"
+msgstr ""
+
+#. type: Plain text
+#, no-wrap
+msgid "\troot@machine:~# iptables-legacy-save | iptables-translate-restore | less\n"
+msgstr ""
+
+#. type: Plain text
+msgid "to see how rules would look like in the nft B<nft(8)> syntax."
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "LIMITATIONS"
+msgstr ""
+
+#. type: Plain text
+msgid "You should use B<Linux kernel E<gt>= 4.17>."
+msgstr ""
+
+#. type: Plain text
+msgid "The CLUSTERIP target is not supported."
+msgstr ""
+
+#. type: Plain text
+msgid "To get up-to-date information about this, please head to B<http://wiki.nftables.org/>."
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "SEE ALSO"
+msgstr ""
+
+#. type: Plain text
+msgid "B<nft(8)>, B<xtables-translate(8)>, B<xtables-monitor(8)>"
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "AUTHORS"
+msgstr ""
+
+#. type: Plain text
+msgid "The nftables framework is written by the Netfilter project (https://www.netfilter.org)."
+msgstr ""
+
+#. type: Plain text
+msgid "This manual page was written by Arturo Borrero Gonzalez E<lt>arturo@debian.orgE<gt> for the Debian project, but may be used by others."
+msgstr ""
+
+#. type: Plain text
+msgid "This documentation is free/libre under the terms of the GPLv2+."
+msgstr ""
--- /dev/null
+# SOME DESCRIPTIVE TITLE
+# Copyright (C) YEAR Free Software Foundation, Inc.
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"POT-Creation-Date: 2021-03-24 13:11+0900\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. type: TH
+#, no-wrap
+msgid "IPTABLES-TRANSLATE"
+msgstr ""
+
+#. type: TH
+#, no-wrap
+msgid "May 14, 2019"
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "NAME"
+msgstr ""
+
+#. type: Plain text
+msgid "iptables-translate \\(em translation tool to migrate from iptables to nftables"
+msgstr ""
+
+#. type: Plain text
+msgid "ip6tables-translate \\(em translation tool to migrate from ip6tables to nftables"
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "DESCRIPTION"
+msgstr ""
+
+#. type: Plain text
+msgid "There is a set of tools to help the system administrator translate a given ruleset from B<iptables(8)> and B<ip6tables(8)> to B<nftables(8)>."
+msgstr ""
+
+#. type: Plain text
+msgid "The available commands are:"
+msgstr ""
+
+#. type: IP
+#, no-wrap
+msgid "\\[bu]"
+msgstr ""
+
+#. type: Plain text
+msgid "iptables-translate"
+msgstr ""
+
+#. type: Plain text
+msgid "iptables-restore-translate"
+msgstr ""
+
+#. type: Plain text
+msgid "ip6tables-translate"
+msgstr ""
+
+#. type: Plain text
+msgid "ip6tables-restore-translate"
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "USAGE"
+msgstr ""
+
+#. type: Plain text
+msgid "They take as input the original B<iptables(8)>/B<ip6tables(8)> syntax and output the native B<nftables(8)> syntax."
+msgstr ""
+
+#. type: Plain text
+msgid "The B<iptables-restore-translate> tool reads a ruleset in the syntax produced by B<iptables-save(8)>. Likewise, the B<ip6tables-restore-translate> tool reads one produced by B<ip6tables-save(8)>. No ruleset modifications occur, these tools are text converters only."
+msgstr ""
+
+#. type: Plain text
+msgid "The B<iptables-translate> reads a command line as if it was entered to B<iptables(8)>, and B<ip6tables-translate> reads a command like as if it was entered to B<ip6tables(8)>."
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "EXAMPLES"
+msgstr ""
+
+#. type: Plain text
+msgid "Basic operation examples."
+msgstr ""
+
+#. type: Plain text
+msgid "Single command translation:"
+msgstr ""
+
+#. type: Plain text
+#, no-wrap
+msgid ""
+"root@machine:~# iptables-translate -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT\n"
+"nft add rule ip filter INPUT tcp dport 22 ct state new counter accept\n"
+msgstr ""
+
+#. type: Plain text
+#, no-wrap
+msgid ""
+"root@machine:~# ip6tables-translate -A FORWARD -i eth0 -o eth3 -p udp -m multiport --dports 111,222 -j ACCEPT\n"
+"nft add rule ip6 filter FORWARD iifname eth0 oifname eth3 meta l4proto udp udp dport { 111,222} counter accept\n"
+msgstr ""
+
+#. type: Plain text
+msgid "Whole ruleset translation:"
+msgstr ""
+
+#. type: Plain text
+#, no-wrap
+msgid ""
+"root@machine:~# iptables-save E<gt> save.txt\n"
+"root@machine:~# cat save.txt\n"
+"# Generated by iptables-save v1.6.0 on Sat Dec 24 14:26:40 2016\n"
+"*filter\n"
+":INPUT ACCEPT [5166:1752111]\n"
+":FORWARD ACCEPT [0:0]\n"
+":OUTPUT ACCEPT [5058:628693]\n"
+"-A FORWARD -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT\n"
+"COMMIT\n"
+"# Completed on Sat Dec 24 14:26:40 2016\n"
+msgstr ""
+
+#. type: Plain text
+#, no-wrap
+msgid ""
+"root@machine:~# iptables-restore-translate -f save.txt\n"
+"# Translated by iptables-restore-translate v1.6.0 on Sat Dec 24 14:26:59 2016\n"
+"add table ip filter\n"
+"add chain ip filter INPUT { type filter hook input priority 0; }\n"
+"add chain ip filter FORWARD { type filter hook forward priority 0; }\n"
+"add chain ip filter OUTPUT { type filter hook output priority 0; }\n"
+"add rule ip filter FORWARD tcp dport 22 ct state new counter accept\n"
+msgstr ""
+
+#. type: Plain text
+#, no-wrap
+msgid ""
+"root@machine:~# iptables-restore-translate -f save.txt E<gt> ruleset.nft\n"
+"root@machine:~# nft -f ruleset.nft\n"
+"root@machine:~# nft list ruleset\n"
+"table ip filter {\n"
+"\tchain INPUT {\n"
+"\t\ttype filter hook input priority 0; policy accept;\n"
+"\t}\n"
+msgstr ""
+
+#. type: Plain text
+#, no-wrap
+msgid ""
+"\tchain FORWARD {\n"
+"\t\ttype filter hook forward priority 0; policy accept;\n"
+"\t\ttcp dport ssh ct state new counter packets 0 bytes 0 accept\n"
+"\t}\n"
+msgstr ""
+
+#. type: Plain text
+#, no-wrap
+msgid ""
+"\tchain OUTPUT {\n"
+"\t\ttype filter hook output priority 0; policy accept;\n"
+"\t}\n"
+"}\n"
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "LIMITATIONS"
+msgstr ""
+
+#. type: Plain text
+msgid "Some (few) extensions may be not supported (or fully-supported) for whatever reason (for example, they were considered obsolete, or we didn't have the time to work on them)."
+msgstr ""
+
+#. type: Plain text
+msgid "There are no translations available for B<ebtables(8)> and B<arptables(8)>."
+msgstr ""
+
+#. type: Plain text
+msgid "To get up-to-date information about this, please head to B<https://wiki.nftables.org/>."
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "SEE ALSO"
+msgstr ""
+
+#. type: Plain text
+msgid "B<nft(8)>, B<iptables(8)>"
+msgstr ""
+
+#. type: SH
+#, no-wrap
+msgid "AUTHORS"
+msgstr ""
+
+#. type: Plain text
+msgid "The nftables framework is written by the Netfilter project (https://www.netfilter.org)."
+msgstr ""
+
+#. type: Plain text
+msgid "This manual page was written by Arturo Borrero Gonzalez E<lt>arturo@netfilter.orgE<gt>."
+msgstr ""
+
+#. type: Plain text
+msgid "This documentation is free/libre under the terms of the GPLv2+."
+msgstr ""
-☆:iptables:1.4.18=>1.4.21:2013/11/22:iptables-xml:1:2014/05/07::amotoki@gmail.com:Akihiro Motoki:
-×:iptables:1.4.21:2012/03/27:ipq_create_handle:3:::::
-※:iptables:1.4.21:2012/03/27:ipq_destroy_handle:3:ipq_create_handle:3:
-×:iptables:1.4.21:2012/03/27:ipq_errstr:3:::::
-※:iptables:1.4.21:2012/03/27:ipq_get_msgerr:3:ipq_message_type:3:
-※:iptables:1.4.21:2012/03/27:ipq_get_packet:3:ipq_message_type:3:
-×:iptables:1.4.21:2012/03/27:ipq_message_type:3:::::
-※:iptables:1.4.21:2012/03/27:ipq_perror:3:ipq_errstr:3:
-×:iptables:1.4.21:2012/03/27:ipq_read:3:::::
-×:iptables:1.4.21:2012/03/27:ipq_set_mode:3:::::
-×:iptables:1.4.21:2012/03/27:ipq_set_verdict:3:::::
-×:iptables:1.4.21:2013/11/22:libipq:3:::::
-@:iptables:1.4.21:2013/11/22:ip6tables:8:iptables:8:
-@:iptables:1.4.21:2013/11/22:ip6tables-restore:8:iptables-restore:8:
-@:iptables:1.4.21:2013/11/22:ip6tables-save:8:iptables-save:8:
-○:iptables:1.4.21:2013/11/22:iptables:8:2014/05/07::amotoki@gmail.com:Akihiro Motoki:
-○:iptables:1.4.21:2013/11/22:iptables-apply:8:2014/05/07::amotoki@gmail.com:Akihiro Motoki:
-☆:iptables:1.4.18=>1.4.21:2013/11/22:iptables-extensions:8:2014/05/07::amotoki@gmail.com:Akihiro Motoki:
-○:iptables:1.4.21:2013/11/22:iptables-restore:8:2014/05/07::amotoki@gmail.com:Akihiro Motoki:
-○:iptables:1.4.21:2013/11/22:iptables-save:8:2014/05/07::amotoki@gmail.com:Akihiro Motoki:
+☆:iptables:1.4.18=>1.8.4:2013/03/03:iptables-xml:1:2014/05/07::amotoki@gmail.com:Akihiro Motoki:
+×:iptables:1.8.4:2012/03/27:ipq_create_handle:3:::::
+※:iptables:1.8.4:2012/03/27:ipq_destroy_handle:3:ipq_create_handle:3:
+×:iptables:1.8.4:2012/03/27:ipq_errstr:3:::::
+※:iptables:1.8.4:2012/03/27:ipq_get_msgerr:3:ipq_message_type:3:
+※:iptables:1.8.4:2012/03/27:ipq_get_packet:3:ipq_message_type:3:
+×:iptables:1.8.4:2012/03/27:ipq_message_type:3:::::
+※:iptables:1.8.4:2012/03/27:ipq_perror:3:ipq_errstr:3:
+×:iptables:1.8.4:2012/03/27:ipq_read:3:::::
+×:iptables:1.8.4:2012/03/27:ipq_set_mode:3:::::
+×:iptables:1.8.4:2012/03/27:ipq_set_verdict:3:::::
+×:iptables:1.8.4:2013/03/03:libipq:3:::::
+×:iptables:1.8.4:2013/03/03:arptables-nft:8:::::
+×:iptables:1.8.4:2013/03/03:arptables-nft-restore:8:::::
+×:iptables:1.8.4:2013/03/03:arptables-nft-save:8:::::
+×:iptables:1.8.4:2013/03/03:ebtables-nft:8:::::
+@:iptables:1.8.4:2013/03/03:ip6tables:8:iptables:8:
+@:iptables:1.8.4:2013/03/03:ip6tables-restore:8:iptables-restore:8:
+※:iptables:1.8.4:2013/03/03:ip6tables-restore-translate:8:xtables-translate:8:
+@:iptables:1.8.4:2013/03/03:ip6tables-save:8:iptables-save:8:
+※:iptables:1.8.4:2013/03/03:ip6tables-translate:8:xtables-translate:8:
+☆:iptables:1.4.21=>1.8.4:2013/03/03:iptables:8:2014/05/07::amotoki@gmail.com:Akihiro Motoki:
+☆:iptables:1.4.21=>1.8.4:2013/03/03:iptables-apply:8:2014/05/07::amotoki@gmail.com:Akihiro Motoki:
+☆:iptables:1.4.18=>1.8.4:2013/03/03:iptables-extensions:8:2014/05/07::amotoki@gmail.com:Akihiro Motoki:
+☆:iptables:1.4.21=>1.8.4:2013/03/03:iptables-restore:8:2014/05/07::amotoki@gmail.com:Akihiro Motoki:
+※:iptables:1.8.4:2013/03/03:iptables-restore-translate:8:xtables-translate:8:
+☆:iptables:1.4.21=>1.8.4:2013/03/03:iptables-save:8:2014/05/07::amotoki@gmail.com:Akihiro Motoki:
+※:iptables:1.8.4:2013/03/03:iptables-translate:8:xtables-translate:8:
+×:iptables:1.8.4:2013/03/03:nfbpf_compile:8:::::
+×:iptables:1.8.4:2013/03/03:nfnl_osf:8:::::
+×:iptables:1.8.4:2013/03/03:xtables-legacy:8:::::
+×:iptables:1.8.4:2013/03/03:xtables-monitor:8:::::
+×:iptables:1.8.4:2013/03/03:xtables-nft:8:::::
+×:iptables:1.8.4:2013/03/03:xtables-translate:8:::::
OSDN Git Service
