msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2012-05-10 06:40+0900\n"
+"POT-Creation-Date: 2013-04-03 12:30+0900\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
#. along with this program; if not, write to the Free Software
#. Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#. type: SH
-#: original/man8/ip6tables-restore.8:21 original/man8/ip6tables-save.8:21 original/man8/ip6tables.8:27 original/man8/iptables-restore.8:21 original/man8/iptables-save.8:21 original/man8/iptables.8:25 original/man8/iptables-apply.8:8 original/man1/iptables-xml.1:21
+#: original/man8/ip6tables-restore.8:21 original/man8/ip6tables-save.8:21 original/man8/ip6tables.8:27 original/man8/iptables-restore.8:21 original/man8/iptables-save.8:21 original/man8/iptables.8:25 original/man8/iptables-extensions.8:2 original/man8/iptables-apply.8:8 original/man1/iptables-xml.1:21
#, no-wrap
msgid "NAME"
msgstr ""
msgstr ""
#. type: SH
-#: original/man8/ip6tables-restore.8:23 original/man8/ip6tables-save.8:23 original/man8/ip6tables.8:29 original/man8/iptables-restore.8:23 original/man8/iptables-save.8:23 original/man8/iptables.8:27 original/man8/iptables-apply.8:10 original/man1/iptables-xml.1:23
+#: original/man8/ip6tables-restore.8:23 original/man8/ip6tables-save.8:23 original/man8/ip6tables.8:29 original/man8/iptables-restore.8:23 original/man8/iptables-save.8:23 original/man8/iptables.8:27 original/man8/iptables-extensions.8:4 original/man8/iptables-apply.8:10 original/man1/iptables-xml.1:23
#, no-wrap
msgid "SYNOPSIS"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables-restore.8:25
-msgid "B<ip6tables-restore> [B<-c>] [B<-n>]"
+#: original/man8/ip6tables-restore.8:26
+msgid "B<ip6tables-restore> [B<-chntv>] [B<-M> I<modprobe>] [B<-T> I<name>]"
msgstr ""
#. type: SH
-#: original/man8/ip6tables-restore.8:25 original/man8/ip6tables-save.8:26 original/man8/ip6tables.8:55 original/man8/iptables-restore.8:25 original/man8/iptables-save.8:26 original/man8/iptables.8:54 original/man8/iptables-apply.8:12 original/man1/iptables-xml.1:25
+#: original/man8/ip6tables-restore.8:26 original/man8/ip6tables-save.8:26 original/man8/ip6tables.8:55 original/man8/iptables-restore.8:26 original/man8/iptables-save.8:26 original/man8/iptables.8:54 original/man8/iptables-apply.8:12 original/man1/iptables-xml.1:25
#, no-wrap
msgid "DESCRIPTION"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables-restore.8:30
+#: original/man8/ip6tables-restore.8:31
msgid ""
"B<ip6tables-restore> is used to restore IPv6 Tables from data specified on "
"STDIN. Use I/O redirection provided by your shell to read from a file"
msgstr ""
#. type: TP
-#: original/man8/ip6tables-restore.8:30 original/man8/ip6tables-save.8:35 original/man8/iptables-restore.8:30 original/man8/iptables-save.8:35
+#: original/man8/ip6tables-restore.8:31 original/man8/ip6tables-save.8:35 original/man8/iptables-restore.8:31 original/man8/iptables-save.8:35
#, no-wrap
msgid "B<-c>, B<--counters>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables-restore.8:33 original/man8/iptables-restore.8:33
+#: original/man8/ip6tables-restore.8:34 original/man8/iptables-restore.8:34
msgid "restore the values of all packet and byte counters"
msgstr ""
#. type: TP
-#: original/man8/ip6tables-restore.8:33 original/man8/iptables-restore.8:33
+#: original/man8/ip6tables-restore.8:34 original/man8/iptables-restore.8:34 original/man8/iptables-apply.8:28
+#, no-wrap
+msgid "B<-h>, B<--help>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/ip6tables-restore.8:37 original/man8/iptables-restore.8:37
+msgid "Print a short option summary."
+msgstr ""
+
+#. type: TP
+#: original/man8/ip6tables-restore.8:37 original/man8/iptables-restore.8:37
#, no-wrap
msgid "B<-n>, B<--noflush> "
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables-restore.8:36
-msgid "don't flush the previous contents of the table. If not specified,"
+#: original/man8/ip6tables-restore.8:42
+msgid ""
+"don't flush the previous contents of the table. If not specified, "
+"B<ip6tables-restore> flushes (deletes) all previous contents of the "
+"respective table."
+msgstr ""
+
+#. type: TP
+#: original/man8/ip6tables-restore.8:42 original/man8/iptables-restore.8:42
+#, no-wrap
+msgid "B<-t>, B<--test>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/ip6tables-restore.8:45 original/man8/iptables-restore.8:45
+msgid "Only parse and construct the ruleset, but do not commit it."
+msgstr ""
+
+#. type: TP
+#: original/man8/ip6tables-restore.8:45 original/man8/ip6tables.8:355 original/man8/iptables-restore.8:45 original/man8/iptables.8:343 original/man1/iptables-xml.1:38
+#, no-wrap
+msgid "B<-v>, B<--verbose>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/ip6tables-restore.8:48 original/man8/iptables-restore.8:48
+msgid "Print additional debug info during ruleset processing."
+msgstr ""
+
+#. type: TP
+#: original/man8/ip6tables-restore.8:48 original/man8/iptables-restore.8:48
+#, no-wrap
+msgid "B<-M>, B<--modprobe> I<modprobe_program>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/ip6tables-restore.8:52
+msgid ""
+"Specify the path to the modprobe program. By default, ip6tables-restore will "
+"inspect /proc/sys/kernel/modprobe to determine the executable's path."
msgstr ""
#. type: TP
-#: original/man8/ip6tables-restore.8:36 original/man8/iptables-restore.8:38
+#: original/man8/ip6tables-restore.8:52 original/man8/iptables-restore.8:52
#, no-wrap
msgid "B<-T>, B<--table> I<name>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables-restore.8:41
+#: original/man8/ip6tables-restore.8:57
msgid ""
"Restore only the named table even if the input stream contains other ones. "
"B<ip6tables-restore> flushes (deletes) all previous contents of the "
msgstr ""
#. type: SH
-#: original/man8/ip6tables-restore.8:41 original/man8/ip6tables-save.8:42 original/man8/ip6tables.8:2447 original/man8/iptables-restore.8:41 original/man8/iptables-save.8:42 original/man8/iptables.8:2606 original/man1/iptables-xml.1:82
+#: original/man8/ip6tables-restore.8:57 original/man8/ip6tables-save.8:42 original/man8/ip6tables.8:395 original/man8/iptables-restore.8:55 original/man8/iptables-save.8:42 original/man8/iptables.8:383 original/man1/iptables-xml.1:82
#, no-wrap
msgid "BUGS"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables-restore.8:43 original/man8/ip6tables-save.8:44 original/man8/iptables-restore.8:43 original/man8/iptables-save.8:44
+#: original/man8/ip6tables-restore.8:59 original/man8/ip6tables-save.8:44 original/man8/iptables-restore.8:57 original/man8/iptables-save.8:44
msgid "None known as of iptables-1.2.1 release"
msgstr ""
#. type: SH
-#: original/man8/ip6tables-restore.8:43 original/man8/ip6tables-save.8:44 original/man8/ip6tables.8:2480 original/man8/iptables.8:2650
+#: original/man8/ip6tables-restore.8:59 original/man8/ip6tables-save.8:44 original/man8/ip6tables.8:430 original/man8/iptables.8:429
#, no-wrap
msgid "AUTHORS"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables-restore.8:45 original/man8/ip6tables-save.8:46 original/man8/iptables-restore.8:45 original/man8/iptables-save.8:46
+#: original/man8/ip6tables-restore.8:61 original/man8/ip6tables-save.8:46 original/man8/iptables-restore.8:59 original/man8/iptables-save.8:46
msgid "Harald Welte E<lt>laforge@gnumonks.orgE<gt>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables-restore.8:47 original/man8/ip6tables-save.8:48
+#: original/man8/ip6tables-restore.8:63 original/man8/ip6tables-save.8:48
msgid "Andras Kis-Szabo E<lt>kisza@sch.bme.huE<gt>"
msgstr ""
#. type: SH
-#: original/man8/ip6tables-restore.8:47 original/man8/ip6tables-save.8:48 original/man8/ip6tables.8:2464 original/man8/iptables-restore.8:45 original/man8/iptables-save.8:46 original/man8/iptables.8:2634 original/man8/iptables-apply.8:34 original/man1/iptables-xml.1:86
+#: original/man8/ip6tables-restore.8:63 original/man8/ip6tables-save.8:48 original/man8/ip6tables.8:412 original/man8/iptables-restore.8:59 original/man8/iptables-save.8:46 original/man8/iptables.8:411 original/man8/iptables-apply.8:34 original/man1/iptables-xml.1:86
#, no-wrap
msgid "SEE ALSO"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables-restore.8:49
+#: original/man8/ip6tables-restore.8:65
msgid "B<ip6tables-save>(8), B<ip6tables>(8)"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables-restore.8:52 original/man8/ip6tables-save.8:53 original/man8/iptables-restore.8:50 original/man8/iptables-save.8:51
+#: original/man8/ip6tables-restore.8:68 original/man8/ip6tables-save.8:53 original/man8/iptables-restore.8:64 original/man8/iptables-save.8:51
msgid ""
"The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO, which "
"details NAT, and the netfilter-hacking-HOWTO which details the internals."
msgstr ""
#. type: TH
-#: original/man8/ip6tables.8:1 original/man8/ip6tables.8:1 original/man8/iptables.8:1 original/man8/iptables.8:1
+#: original/man8/ip6tables.8:1 original/man8/ip6tables.8:1 original/man8/iptables.8:1 original/man8/iptables.8:1 original/man8/iptables-extensions.8:1 original/man8/iptables-extensions.8:1
#, no-wrap
-msgid "iptables 1.4.13"
+msgid "iptables 1.4.18"
msgstr ""
#. type: Plain text
#. type: Plain text
#: original/man8/ip6tables.8:93 original/man8/iptables.8:92
msgid ""
-"There are currently three independent tables (which tables are present at "
-"any time depends on the kernel configuration options and which modules are "
+"There are currently five independent tables (which tables are present at any "
+"time depends on the kernel configuration options and which modules are "
"present)."
msgstr ""
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:108 original/man8/iptables.8:114
+#: original/man8/ip6tables.8:108 original/man8/iptables.8:107
+#, no-wrap
+msgid "B<nat>:"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/ip6tables.8:115
+msgid ""
+"This table is consulted when a packet that creates a new connection is "
+"encountered. It consists of three built-ins: B<PREROUTING> (for altering "
+"packets as soon as they come in), B<OUTPUT> (for altering locally-generated "
+"packets before routing), and B<POSTROUTING> (for altering packets as they "
+"are about to go out). Available since kernel 3.7."
+msgstr ""
+
+#. type: TP
+#: original/man8/ip6tables.8:115 original/man8/iptables.8:114
#, no-wrap
msgid "B<mangle>:"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:118 original/man8/iptables.8:124
+#: original/man8/ip6tables.8:125 original/man8/iptables.8:124
msgid ""
"This table is used for specialized packet alteration. Until kernel 2.4.17 "
"it had two built-in chains: B<PREROUTING> (for altering incoming packets "
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:118 original/man8/iptables.8:124
+#: original/man8/ip6tables.8:125 original/man8/iptables.8:124
#, no-wrap
msgid "B<raw>:"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:126 original/man8/iptables.8:132
+#: original/man8/ip6tables.8:133 original/man8/iptables.8:132
msgid ""
"This table is used mainly for configuring exemptions from connection "
"tracking in combination with the NOTRACK target. It registers at the "
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:126 original/man8/iptables.8:132
+#: original/man8/ip6tables.8:133 original/man8/iptables.8:132
#, no-wrap
msgid "B<security>:"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:137 original/man8/iptables.8:143
+#: original/man8/ip6tables.8:144 original/man8/iptables.8:143
msgid ""
"This table is used for Mandatory Access Control (MAC) networking rules, such "
"as those enabled by the B<SECMARK> and B<CONNSECMARK> targets. Mandatory "
msgstr ""
#. type: SH
-#: original/man8/ip6tables.8:138 original/man8/iptables.8:144 original/man8/iptables-apply.8:23
+#: original/man8/ip6tables.8:145 original/man8/iptables.8:144 original/man8/iptables-apply.8:23
#, no-wrap
msgid "OPTIONS"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:141
+#: original/man8/ip6tables.8:148
msgid ""
"The options that are recognized by B<ip6tables> can be divided into several "
"different groups."
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:141 original/man8/iptables.8:147
+#: original/man8/ip6tables.8:148 original/man8/iptables.8:147
#, no-wrap
msgid "COMMANDS"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:147
+#: original/man8/ip6tables.8:154
msgid ""
"These options specify the specific action to perform. Only one of them can "
"be specified on the command line unless otherwise specified below. For all "
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:147 original/man8/ip6tables.8:230 original/man8/iptables.8:153
+#: original/man8/ip6tables.8:154 original/man8/ip6tables.8:237 original/man8/iptables.8:153
#, no-wrap
msgid "B<-A>, B<--append> I<chain rule-specification>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:152 original/man8/ip6tables.8:235 original/man8/iptables.8:158
+#: original/man8/ip6tables.8:159 original/man8/ip6tables.8:242 original/man8/iptables.8:158
msgid ""
"Append one or more rules to the end of the selected chain. When the source "
"and/or destination names resolve to more than one address, a rule will be "
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:152 original/man8/iptables.8:158
+#: original/man8/ip6tables.8:159 original/man8/iptables.8:158
#, no-wrap
msgid "B<-C>, B<--check> I<chain rule-specification>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:158 original/man8/iptables.8:164
+#: original/man8/ip6tables.8:165 original/man8/iptables.8:164
msgid ""
"Check whether a rule matching the specification does exist in the selected "
"chain. This command uses the same logic as B<-D> to find a matching entry, "
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:158 original/man8/iptables.8:164
+#: original/man8/ip6tables.8:165 original/man8/iptables.8:164
#, no-wrap
msgid "B<-D>, B<--delete> I<chain rule-specification>"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:161 original/man8/iptables.8:167
+#: original/man8/ip6tables.8:168 original/man8/iptables.8:167
#, no-wrap
msgid "B<-D>, B<--delete> I<chain rulenum>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:166 original/man8/iptables.8:172
+#: original/man8/ip6tables.8:173 original/man8/iptables.8:172
msgid ""
"Delete one or more rules from the selected chain. There are two versions of "
"this command: the rule can be specified as a number in the chain (starting "
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:166 original/man8/iptables.8:172
+#: original/man8/ip6tables.8:173 original/man8/iptables.8:172
#, no-wrap
msgid "B<-I>, B<--insert> I<chain> [I<rulenum>] I<rule-specification>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:172 original/man8/iptables.8:178
+#: original/man8/ip6tables.8:179 original/man8/iptables.8:178
msgid ""
"Insert one or more rules in the selected chain as the given rule number. "
"So, if the rule number is 1, the rule or rules are inserted at the head of "
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:172 original/man8/iptables.8:178
+#: original/man8/ip6tables.8:179 original/man8/iptables.8:178
#, no-wrap
msgid "B<-R>, B<--replace> I<chain rulenum rule-specification>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:177 original/man8/iptables.8:183
+#: original/man8/ip6tables.8:184 original/man8/iptables.8:183
msgid ""
"Replace a rule in the selected chain. If the source and/or destination "
"names resolve to multiple addresses, the command will fail. Rules are "
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:177 original/man8/iptables.8:183
+#: original/man8/ip6tables.8:184 original/man8/iptables.8:183
#, no-wrap
msgid "B<-L>, B<--list> [I<chain>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:182
+#: original/man8/ip6tables.8:189
msgid ""
"List all rules in the selected chain. If no chain is selected, all chains "
"are listed. Like every other ip6tables command, it applies to the specified "
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:189 original/man8/iptables.8:197
+#: original/man8/ip6tables.8:196 original/man8/iptables.8:197
msgid ""
"Please note that it is often used with the B<-n> option, in order to avoid "
"long reverse DNS lookups. It is legal to specify the B<-Z> (zero) option as "
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:191
+#: original/man8/ip6tables.8:198
#, no-wrap
msgid " ip6tables -L -v\n"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:192 original/man8/iptables.8:200
+#: original/man8/ip6tables.8:199 original/man8/iptables.8:200
#, no-wrap
msgid "B<-S>, B<--list-rules> [I<chain>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:197
+#: original/man8/ip6tables.8:204
msgid ""
"Print all rules in the selected chain. If no chain is selected, all chains "
"are printed like ip6tables-save. Like every other ip6tables command, it "
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:197 original/man8/iptables.8:205
+#: original/man8/ip6tables.8:204 original/man8/iptables.8:205
#, no-wrap
msgid "B<-F>, B<--flush> [I<chain>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:201 original/man8/iptables.8:209
+#: original/man8/ip6tables.8:208 original/man8/iptables.8:209
msgid ""
"Flush the selected chain (all the chains in the table if none is given). "
"This is equivalent to deleting all the rules one by one."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:201 original/man8/iptables.8:209
+#: original/man8/ip6tables.8:208 original/man8/iptables.8:209
#, no-wrap
msgid "B<-Z>, B<--zero> [I<chain> [I<rulenum>]]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:209 original/man8/iptables.8:217
+#: original/man8/ip6tables.8:216 original/man8/iptables.8:217
msgid ""
"Zero the packet and byte counters in all chains, or only the given chain, or "
"only the given rule in a chain. It is legal to specify the B<-L>, B<--list> "
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:209 original/man8/iptables.8:217
+#: original/man8/ip6tables.8:216 original/man8/iptables.8:217
#, no-wrap
msgid "B<-N>, B<--new-chain> I<chain>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:213 original/man8/iptables.8:221
+#: original/man8/ip6tables.8:220 original/man8/iptables.8:221
msgid ""
"Create a new user-defined chain by the given name. There must be no target "
"of that name already."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:213 original/man8/iptables.8:221
+#: original/man8/ip6tables.8:220 original/man8/iptables.8:221
#, no-wrap
msgid "B<-X>, B<--delete-chain> [I<chain>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:220 original/man8/iptables.8:228
+#: original/man8/ip6tables.8:227 original/man8/iptables.8:228
msgid ""
"Delete the optional user-defined chain specified. There must be no "
"references to the chain. If there are, you must delete or replace the "
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:220 original/man8/iptables.8:228
+#: original/man8/ip6tables.8:227 original/man8/iptables.8:228
#, no-wrap
msgid "B<-P>, B<--policy> I<chain target>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:226 original/man8/iptables.8:234
+#: original/man8/ip6tables.8:233 original/man8/iptables.8:234
msgid ""
"Set the policy for the chain to the given target. See the section "
"B<TARGETS> for the legal targets. Only built-in (non-user-defined) chains "
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:226 original/man8/iptables.8:234
+#: original/man8/ip6tables.8:233 original/man8/iptables.8:234
#, no-wrap
msgid "B<-E>, B<--rename-chain> I<old-chain new-chain>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:230 original/man8/iptables.8:238
+#: original/man8/ip6tables.8:237 original/man8/iptables.8:238
msgid ""
"Rename the user specified chain to the user supplied name. This is "
"cosmetic, and has no effect on the structure of the table."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:235 original/man8/iptables.8:238
+#: original/man8/ip6tables.8:242 original/man8/iptables.8:238
#, no-wrap
msgid "B<-h>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:239 original/man8/iptables.8:242
+#: original/man8/ip6tables.8:246 original/man8/iptables.8:242
msgid "Help. Give a (currently very brief) description of the command syntax."
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:239 original/man8/iptables.8:242
+#: original/man8/ip6tables.8:246 original/man8/iptables.8:242
#, no-wrap
msgid "PARAMETERS"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:242 original/man8/iptables.8:245
+#: original/man8/ip6tables.8:249 original/man8/iptables.8:245
msgid ""
"The following parameters make up a rule specification (as used in the add, "
"delete, insert, replace and append commands)."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:242 original/man8/iptables.8:245
+#: original/man8/ip6tables.8:249 original/man8/iptables.8:245
+#, no-wrap
+msgid "B<-4>, B<--ipv4>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/ip6tables.8:255
+msgid ""
+"If a rule using the B<-4> option is inserted with (and only with) "
+"ip6tables-restore, it will be silently ignored. Any other uses will throw an "
+"error. This option allows to put both IPv4 and IPv6 rules in a single rule "
+"file for use with both iptables-restore and ip6tables-restore."
+msgstr ""
+
+#. type: TP
+#: original/man8/ip6tables.8:255 original/man8/iptables.8:248
+#, no-wrap
+msgid "B<-6>, B<--ipv6>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/ip6tables.8:258
+msgid "This option has no effect in ip6tables and ip6tables-restore."
+msgstr ""
+
+#. type: TP
+#: original/man8/ip6tables.8:258 original/man8/iptables.8:254
#, no-wrap
msgid "[B<!>] B<-p>, B<--protocol> I<protocol>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:260
+#: original/man8/ip6tables.8:276
msgid ""
"The protocol of the rule or of the packet to check. The specified protocol "
"can be one of B<tcp>, B<udp>, B<udplite>, B<icmpv6>, B<esp>, B<mh> or the "
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:260
+#: original/man8/ip6tables.8:276
#, no-wrap
msgid "[B<!>] B<-s>, B<--source> I<address>[B</>I<mask>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:277
+#: original/man8/ip6tables.8:293
msgid ""
"Source specification. I<Address> can be either be a hostname, a network IP "
"address (with B</>I<mask>), or a plain IP address. Names will be resolved "
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:277
+#: original/man8/ip6tables.8:293
#, no-wrap
msgid "[B<!>] B<-d>, B<--destination> I<address>[B</>I<mask>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:283 original/man8/iptables.8:279
+#: original/man8/ip6tables.8:299 original/man8/iptables.8:288
msgid ""
"Destination specification. See the description of the B<-s> (source) flag "
"for a detailed description of the syntax. The flag B<--dst> is an alias for "
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:283 original/man8/iptables.8:279
+#: original/man8/ip6tables.8:299 original/man8/iptables.8:288
+#, no-wrap
+msgid "B<-m>, B<--match> I<match>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/ip6tables.8:306 original/man8/iptables.8:295
+msgid ""
+"Specifies a match to use, that is, an extension module that tests for a "
+"specific property. The set of matches make up the condition under which a "
+"target is invoked. Matches are evaluated first to last as specified on the "
+"command line and work in short-circuit fashion, i.e. if one extension yields "
+"false, evaluation will stop."
+msgstr ""
+
+#. type: TP
+#: original/man8/ip6tables.8:306 original/man8/iptables.8:295
#, no-wrap
msgid "B<-j>, B<--jump> I<target>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:294 original/man8/iptables.8:290
+#: original/man8/ip6tables.8:317 original/man8/iptables.8:306
msgid ""
"This specifies the target of the rule; i.e., what to do if the packet "
"matches it. The target can be a user-defined chain (other than the one this "
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:294 original/man8/iptables.8:290
+#: original/man8/ip6tables.8:317 original/man8/iptables.8:306
#, no-wrap
msgid "B<-g>, B<--goto> I<chain>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:300 original/man8/iptables.8:296
+#: original/man8/ip6tables.8:323 original/man8/iptables.8:312
msgid ""
"This specifies that the processing should continue in a user specified "
"chain. Unlike the --jump option return will not continue processing in this "
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:300 original/man8/iptables.8:296
+#: original/man8/ip6tables.8:323 original/man8/iptables.8:312
#, no-wrap
msgid "[B<!>] B<-i>, B<--in-interface> I<name>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:308 original/man8/iptables.8:304
+#: original/man8/ip6tables.8:331 original/man8/iptables.8:320
msgid ""
"Name of an interface via which a packet was received (only for packets "
"entering the B<INPUT>, B<FORWARD> and B<PREROUTING> chains). When the \"!\" "
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:308 original/man8/iptables.8:304
+#: original/man8/ip6tables.8:331 original/man8/iptables.8:320
#, no-wrap
msgid "[B<!>] B<-o>, B<--out-interface> I<name>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:325 original/man8/iptables.8:312
+#: original/man8/ip6tables.8:348 original/man8/iptables.8:328
msgid ""
"Name of an interface via which a packet is going to be sent (for packets "
"entering the B<FORWARD>, B<OUTPUT> and B<POSTROUTING> chains). When the "
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:325 original/man8/iptables.8:320
+#: original/man8/ip6tables.8:348 original/man8/iptables.8:336
#, no-wrap
msgid "B<-c>, B<--set-counters> I<packets bytes>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:330 original/man8/iptables.8:325
+#: original/man8/ip6tables.8:353 original/man8/iptables.8:341
msgid ""
"This enables the administrator to initialize the packet and byte counters of "
"a rule (during B<INSERT>, B<APPEND>, B<REPLACE> operations)."
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:330 original/man8/iptables.8:325
+#: original/man8/ip6tables.8:353 original/man8/iptables.8:341
#, no-wrap
msgid "OTHER OPTIONS"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:332 original/man8/iptables.8:327
+#: original/man8/ip6tables.8:355 original/man8/iptables.8:343
msgid "The following additional options can be specified:"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:332 original/man8/iptables.8:327 original/man1/iptables-xml.1:38
-#, no-wrap
-msgid "B<-v>, B<--verbose>"
-msgstr ""
-
#. type: Plain text
-#: original/man8/ip6tables.8:342 original/man8/iptables.8:337
+#: original/man8/ip6tables.8:365 original/man8/iptables.8:353
msgid ""
"Verbose output. This option makes the list command show the interface name, "
"the rule options (if any), and the TOS masks. The packet and byte counters "
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:342 original/man8/iptables.8:337
+#: original/man8/ip6tables.8:365 original/man8/iptables.8:353
#, no-wrap
msgid "B<-n>, B<--numeric>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:348 original/man8/iptables.8:343
+#: original/man8/ip6tables.8:371 original/man8/iptables.8:359
msgid ""
"Numeric output. IP addresses and port numbers will be printed in numeric "
"format. By default, the program will try to display them as host names, "
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:348 original/man8/iptables.8:343
+#: original/man8/ip6tables.8:371 original/man8/iptables.8:359
#, no-wrap
msgid "B<-x>, B<--exact>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:355 original/man8/iptables.8:350
+#: original/man8/ip6tables.8:378 original/man8/iptables.8:366
msgid ""
"Expand numbers. Display the exact value of the packet and byte counters, "
"instead of only the rounded number in K's (multiples of 1000) M's "
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:355 original/man8/iptables.8:350
+#: original/man8/ip6tables.8:378 original/man8/iptables.8:366
#, no-wrap
msgid "B<--line-numbers>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:359 original/man8/iptables.8:354
+#: original/man8/ip6tables.8:382 original/man8/iptables.8:370
msgid ""
"When listing rules, add line numbers to the beginning of each rule, "
"corresponding to that rule's position in the chain."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:359 original/man8/iptables.8:354
+#: original/man8/ip6tables.8:382 original/man8/iptables.8:370
#, no-wrap
msgid "B<--modprobe=>I<command>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:363 original/man8/iptables.8:358
+#: original/man8/ip6tables.8:386 original/man8/iptables.8:374
msgid ""
"When adding or inserting rules into a chain, use I<command> to load any "
"necessary modules (targets, match extensions, etc)."
msgstr ""
#. type: SH
-#: original/man8/ip6tables.8:363 original/man8/iptables.8:358
+#: original/man8/ip6tables.8:386 original/man8/iptables-extensions.8:10
#, no-wrap
msgid "MATCH EXTENSIONS"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:373
-msgid ""
-"ip6tables can use extended packet matching modules with the B<-m> or "
-"B<--match> options, followed by the matching module name; after these, "
-"various extra command line options become available, depending on the "
-"specific module. You can specify multiple extended match modules in one "
-"line, and you can use the B<-h> or B<--help> options after the module has "
-"been specified to receive help specific to that module."
-msgstr ""
-
-#. @MATCH@
-#. type: Plain text
-#: original/man8/ip6tables.8:378
+#: original/man8/ip6tables.8:390 original/man8/iptables.8:378
msgid ""
-"If the B<-p> or B<--protocol> was specified and if and only if an unknown "
-"option is encountered, ip6tables will try load a match module of the same "
-"name as the protocol, to try making the option available."
+"iptables can use extended packet matching and target modules. A list of "
+"these is available in the B<iptables-extensions>(8) manpage."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:378 original/man8/iptables.8:373
+#. type: SH
+#: original/man8/ip6tables.8:390 original/man8/iptables.8:378
#, no-wrap
-msgid "addrtype"
+msgid "DIAGNOSTICS"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:383 original/man8/iptables.8:378
+#: original/man8/ip6tables.8:395 original/man8/iptables.8:383
msgid ""
-"This module matches packets based on their B<address type.> Address types "
-"are used within the kernel networking stack and categorize addresses into "
-"various groups. The exact definition of that group depends on the specific "
-"layer three protocol."
+"Various error messages are printed to standard error. The exit code is 0 "
+"for correct functioning. Errors which appear to be caused by invalid or "
+"abused command line parameters cause an exit code of 2, and other errors "
+"cause an exit code of 1."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:385 original/man8/iptables.8:380
-msgid "The following address types are possible:"
+#: original/man8/ip6tables.8:398
+msgid "Bugs? What's this? ;-) Well... the counters are not reliable on sparc64."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:385 original/man8/iptables.8:380
+#. type: SH
+#: original/man8/ip6tables.8:398 original/man8/iptables.8:386
#, no-wrap
-msgid "B<UNSPEC>"
+msgid "COMPATIBILITY WITH IPCHAINS"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:388 original/man8/iptables.8:383
-msgid "an unspecified address (i.e. 0.0.0.0)"
-msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:388 original/man8/iptables.8:383
-#, no-wrap
-msgid "B<UNICAST>"
+#: original/man8/ip6tables.8:407
+msgid ""
+"This B<ip6tables> is very similar to ipchains by Rusty Russell. The main "
+"difference is that the chains B<INPUT> and B<OUTPUT> are only traversed for "
+"packets coming into the local host and originating from the local host "
+"respectively. Hence every packet only passes through one of the three "
+"chains (except loopback traffic, which involves both INPUT and OUTPUT "
+"chains); previously a forwarded packet would pass through all three."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:391 original/man8/iptables.8:386
-msgid "an unicast address"
+#: original/man8/ip6tables.8:412
+msgid ""
+"The other main difference is that B<-i> refers to the input interface; B<-o> "
+"refers to the output interface, and both are available for packets entering "
+"the B<FORWARD> chain. There are several other changes in ip6tables."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:391 original/man8/iptables.8:386
-#, no-wrap
-msgid "B<LOCAL>"
+#. type: Plain text
+#: original/man8/ip6tables.8:421
+msgid ""
+"B<ip6tables-save>(8), B<ip6tables-restore>(8), B<iptables>(8), "
+"B<iptables-apply>(8), B<iptables-extensions>(8), B<iptables-save>(8), "
+"B<iptables-restore>(8), B<libipq>(3)."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:394 original/man8/iptables.8:389
-msgid "a local address"
+#: original/man8/ip6tables.8:427
+msgid ""
+"The packet-filtering-HOWTO details iptables usage for packet filtering, the "
+"netfilter-extensions-HOWTO details the extensions that are not in the "
+"standard distribution, and the netfilter-hacking-HOWTO details the netfilter "
+"internals."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:394 original/man8/iptables.8:389
-#, no-wrap
-msgid "B<BROADCAST>"
+#. type: Plain text
+#: original/man8/ip6tables.8:430 original/man8/iptables.8:429
+msgid "See B<http://www.netfilter.org/>."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:397 original/man8/iptables.8:392
-msgid "a broadcast address"
+#: original/man8/ip6tables.8:433
+msgid "Rusty Russell wrote iptables, in early consultation with Michael Neuling."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:397 original/man8/iptables.8:392
-#, no-wrap
-msgid "B<ANYCAST>"
+#. type: Plain text
+#: original/man8/ip6tables.8:437 original/man8/iptables.8:436
+msgid ""
+"Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet "
+"selection framework in iptables, then wrote the mangle table, the owner "
+"match, the mark stuff, and ran around doing cool stuff everywhere."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:400 original/man8/iptables.8:395
-msgid "an anycast packet"
+#: original/man8/ip6tables.8:439 original/man8/iptables.8:438
+msgid "James Morris wrote the TOS target, and tos match."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:400 original/man8/iptables.8:395
-#, no-wrap
-msgid "B<MULTICAST>"
+#. type: Plain text
+#: original/man8/ip6tables.8:441 original/man8/iptables.8:440
+msgid "Jozsef Kadlecsik wrote the REJECT target."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:403 original/man8/iptables.8:398
-msgid "a multicast address"
+#: original/man8/ip6tables.8:443
+msgid ""
+"Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, as well as "
+"TTL match+target and libipulog."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:403 original/man8/iptables.8:398
-#, no-wrap
-msgid "B<BLACKHOLE>"
+#. type: Plain text
+#: original/man8/ip6tables.8:447 original/man8/iptables.8:446
+msgid ""
+"The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Yasuyuki "
+"Kozakai, Jozsef Kadlecsik, Patrick McHardy, James Morris, Pablo Neira Ayuso, "
+"Harald Welte and Rusty Russell."
msgstr ""
+#. .. and did I mention that we are incredibly cool people?
+#. .. sexy, too ..
+#. .. witty, charming, powerful ..
+#. .. and most of all, modest ..
#. type: Plain text
-#: original/man8/ip6tables.8:406 original/man8/iptables.8:401
-msgid "a blackhole address"
+#: original/man8/ip6tables.8:454
+msgid ""
+"ip6tables man page created by Andras Kis-Szabo, based on iptables man page "
+"written by Herve Eychenne E<lt>rv@wallfire.orgE<gt>."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:406 original/man8/iptables.8:401
+#. type: SH
+#: original/man8/ip6tables.8:454 original/man8/iptables.8:452
#, no-wrap
-msgid "B<UNREACHABLE>"
+msgid "VERSION"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:409 original/man8/iptables.8:404
-msgid "an unreachable address"
+#: original/man8/ip6tables.8:456
+msgid "This manual page applies to ip6tables 1.4.18."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:409 original/man8/iptables.8:404
+#. type: TH
+#: original/man8/iptables-restore.8:1
#, no-wrap
-msgid "B<PROHIBIT>"
+msgid "IPTABLES-RESTORE"
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:412 original/man8/iptables.8:407
-msgid "a prohibited address"
+#. type: TH
+#: original/man8/iptables-restore.8:1 original/man8/iptables-save.8:1
+#, no-wrap
+msgid "Jan 04, 2001"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:412 original/man8/iptables.8:407
-#, no-wrap
-msgid "B<THROW>"
+#. type: Plain text
+#: original/man8/iptables-restore.8:23
+msgid "iptables-restore \\(em Restore IP Tables"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:415 original/man8/ip6tables.8:418 original/man8/iptables.8:410 original/man8/iptables.8:413
-msgid "FIXME"
+#: original/man8/iptables-restore.8:26
+msgid "B<iptables-restore> [B<-chntv>] [B<-M> I<modprobe>] [B<-T> I<name>]"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:415 original/man8/iptables.8:410
-#, no-wrap
-msgid "B<NAT>"
+#. type: Plain text
+#: original/man8/iptables-restore.8:31
+msgid ""
+"B<iptables-restore> is used to restore IP Tables from data specified on "
+"STDIN. Use I/O redirection provided by your shell to read from a file"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:418 original/man8/iptables.8:413
-#, no-wrap
-msgid "B<XRESOLVE>"
+#. type: Plain text
+#: original/man8/iptables-restore.8:42
+msgid ""
+"don't flush the previous contents of the table. If not specified, "
+"B<iptables-restore> flushes (deletes) all previous contents of the "
+"respective table."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:420 original/man8/iptables.8:415
-#, no-wrap
-msgid "[B<!>] B<--src-type> I<type>"
+#. type: Plain text
+#: original/man8/iptables-restore.8:52
+msgid ""
+"Specify the path to the modprobe program. By default, iptables-restore will "
+"inspect /proc/sys/kernel/modprobe to determine the executable's path."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:423 original/man8/iptables.8:418
-msgid "Matches if the source address is of given type"
+#: original/man8/iptables-restore.8:55
+msgid "Restore only the named table even if the input stream contains other ones."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:423 original/man8/iptables.8:418
+#. type: SH
+#: original/man8/iptables-restore.8:57 original/man8/iptables-save.8:44 original/man1/iptables-xml.1:84
#, no-wrap
-msgid "[B<!>] B<--dst-type> I<type>"
+msgid "AUTHOR"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:426 original/man8/iptables.8:421
-msgid "Matches if the destination address is of given type"
+#: original/man8/iptables-restore.8:61
+msgid "B<iptables-save>(8), B<iptables>(8)"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:426 original/man8/iptables.8:421
+#. type: TH
+#: original/man8/iptables-save.8:1
#, no-wrap
-msgid "B<--limit-iface-in>"
+msgid "IPTABLES-SAVE"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:437 original/man8/iptables.8:432
-msgid ""
-"The address type checking can be limited to the interface the packet is "
-"coming in. This option is only valid in the B<PREROUTING>, B<INPUT> and "
-"B<FORWARD> chains. It cannot be specified with the B<--limit-iface-out> "
-"option."
+#: original/man8/iptables-save.8:23
+msgid "iptables-save \\(em dump iptables rules to stdout"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:437 original/man8/iptables.8:432
-#, no-wrap
-msgid "B<--limit-iface-out>"
+#. type: Plain text
+#: original/man8/iptables-save.8:26
+msgid "B<iptables-save> [B<-M> I<modprobe>] [B<-c>] [B<-t> I<table>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:448 original/man8/iptables.8:443
+#: original/man8/iptables-save.8:31
msgid ""
-"The address type checking can be limited to the interface the packet is "
-"going out. This option is only valid in the B<POSTROUTING>, B<OUTPUT> and "
-"B<FORWARD> chains. It cannot be specified with the B<--limit-iface-in> "
-"option."
-msgstr ""
-
-#. type: SS
-#: original/man8/ip6tables.8:448 original/man8/iptables.8:443
-#, no-wrap
-msgid "ah"
+"B<iptables-save> is used to dump the contents of an IP Table in easily "
+"parseable format to STDOUT. Use I/O-redirection provided by your shell to "
+"write to a file."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:450
-msgid ""
-"This module matches the parameters in Authentication header of IPsec "
-"packets."
+#: original/man8/iptables-save.8:48
+msgid "B<iptables-restore>(8), B<iptables>(8)"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:450 original/man8/iptables.8:445
+#. type: TH
+#: original/man8/iptables.8:1
#, no-wrap
-msgid "[B<!>] B<--ahspi> I<spi>[B<:>I<spi>]"
+msgid "IPTABLES"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:453
-msgid "Matches SPI."
-msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:453
-#, no-wrap
-msgid "[B<!>] B<--ahlen> I<length>"
+#: original/man8/iptables.8:27
+msgid "iptables \\(em administration tool for IPv4 packet filtering and NAT"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:456 original/man8/ip6tables.8:748 original/man8/ip6tables.8:870
-msgid "Total length of this header in octets."
+#: original/man8/iptables.8:30
+msgid ""
+"B<iptables> [B<-t> I<table>] {B<-A>|B<-C>|B<-D>} I<chain> "
+"I<rule-specification>"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:456
-#, no-wrap
-msgid "B<--ahres>"
+#. type: Plain text
+#: original/man8/iptables.8:32
+msgid ""
+"B<iptables> [B<-t> I<table>] B<-I> I<chain> [I<rulenum>] "
+"I<rule-specification>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:459
-msgid "Matches if the reserved field is filled with zero."
+#: original/man8/iptables.8:34
+msgid "B<iptables> [B<-t> I<table>] B<-R> I<chain rulenum rule-specification>"
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:459 original/man8/iptables.8:447
-#, no-wrap
-msgid "cluster"
+#. type: Plain text
+#: original/man8/iptables.8:36
+msgid "B<iptables> [B<-t> I<table>] B<-D> I<chain rulenum>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:462 original/man8/iptables.8:450
-msgid ""
-"Allows you to deploy gateway and back-end load-sharing clusters without the "
-"need of load-balancers."
+#: original/man8/iptables.8:38
+msgid "B<iptables> [B<-t> I<table>] B<-S> [I<chain> [I<rulenum>]]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:465 original/man8/iptables.8:453
+#: original/man8/iptables.8:40
msgid ""
-"This match requires that all the nodes see the same packets. Thus, the "
-"cluster match decides if this node has to handle a packet given the "
-"following options:"
-msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:465 original/man8/iptables.8:453
-#, no-wrap
-msgid "B<--cluster-total-nodes> I<num>"
+"B<iptables> [B<-t> I<table>] {B<-F>|B<-L>|B<-Z>} [I<chain> [I<rulenum>]] "
+"[I<options...>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:468 original/man8/iptables.8:456
-msgid "Set number of total nodes in cluster."
-msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:468 original/man8/iptables.8:456
-#, no-wrap
-msgid "[B<!>] B<--cluster-local-node> I<num>"
+#: original/man8/iptables.8:42
+msgid "B<iptables> [B<-t> I<table>] B<-N> I<chain>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:471 original/man8/iptables.8:459
-msgid "Set the local node number ID."
+#: original/man8/iptables.8:44
+msgid "B<iptables> [B<-t> I<table>] B<-X> [I<chain>]"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:471 original/man8/iptables.8:459
-#, no-wrap
-msgid "[B<!>] B<--cluster-local-nodemask> I<mask>"
+#. type: Plain text
+#: original/man8/iptables.8:46
+msgid "B<iptables> [B<-t> I<table>] B<-P> I<chain target>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:475 original/man8/iptables.8:463
-msgid ""
-"Set the local node number ID mask. You can use this option instead of "
-"B<--cluster-local-node>."
+#: original/man8/iptables.8:48
+msgid "B<iptables> [B<-t> I<table>] B<-E> I<old-chain-name new-chain-name>"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:475 original/man8/iptables.8:463
-#, no-wrap
-msgid "B<--cluster-hash-seed> I<value>"
+#. type: Plain text
+#: original/man8/iptables.8:50
+msgid "rule-specification = [I<matches...>] [I<target>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:478 original/man8/iptables.8:466
-msgid "Set seed value of the Jenkins hash."
+#: original/man8/iptables.8:52
+msgid "match = B<-m> I<matchname> [I<per-match-options>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:480 original/man8/ip6tables.8:526 original/man8/ip6tables.8:563 original/man8/ip6tables.8:711 original/man8/ip6tables.8:1837 original/man8/ip6tables.8:1885 original/man8/ip6tables.8:1931 original/man8/iptables.8:468 original/man8/iptables.8:514 original/man8/iptables.8:551 original/man8/iptables.8:699 original/man8/iptables.8:1755 original/man8/iptables.8:1803 original/man8/iptables.8:1852
-#, no-wrap
-msgid "Example:"
+#: original/man8/iptables.8:54
+msgid "target = B<-j> I<targetname> [I<per-target-options>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:485 original/man8/iptables.8:473
+#: original/man8/iptables.8:60
msgid ""
-"iptables -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 2 "
-"--cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark "
-"0xffff"
+"B<Iptables> is used to set up, maintain, and inspect the tables of IPv4 "
+"packet filter rules in the Linux kernel. Several different tables may be "
+"defined. Each table contains a number of built-in chains and may also "
+"contain user-defined chains."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:490 original/man8/iptables.8:478
+#: original/man8/iptables.8:114
msgid ""
-"iptables -A PREROUTING -t mangle -i eth2 -m cluster --cluster-total-nodes 2 "
-"--cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark "
-"0xffff"
+"This table is consulted when a packet that creates a new connection is "
+"encountered. It consists of three built-ins: B<PREROUTING> (for altering "
+"packets as soon as they come in), B<OUTPUT> (for altering locally-generated "
+"packets before routing), and B<POSTROUTING> (for altering packets as they "
+"are about to go out)."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:493 original/man8/iptables.8:481
-msgid "iptables -A PREROUTING -t mangle -i eth1 -m mark ! --mark 0xffff -j DROP"
+#: original/man8/iptables.8:147
+msgid ""
+"The options that are recognized by B<iptables> can be divided into several "
+"different groups."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:496 original/man8/iptables.8:484
-msgid "iptables -A PREROUTING -t mangle -i eth2 -m mark ! --mark 0xffff -j DROP"
+#: original/man8/iptables.8:153
+msgid ""
+"These options specify the desired action to perform. Only one of them can be "
+"specified on the command line unless otherwise stated below. For long "
+"versions of the command and option names, you need to use only enough "
+"letters to ensure that B<iptables> can differentiate it from all other "
+"options."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:498 original/man8/iptables.8:486
-msgid "And the following commands to make all nodes see the same packets:"
+#: original/man8/iptables.8:188
+msgid ""
+"List all rules in the selected chain. If no chain is selected, all chains "
+"are listed. Like every other iptables command, it applies to the specified "
+"table (filter is the default), so NAT rules get listed by"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:500 original/man8/iptables.8:488
-msgid "ip maddr add 01:00:5e:00:01:01 dev eth1"
+#: original/man8/iptables.8:190
+#, no-wrap
+msgid " iptables -t nat -n -L\n"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:502 original/man8/iptables.8:490
-msgid "ip maddr add 01:00:5e:00:01:02 dev eth2"
+#: original/man8/iptables.8:199
+#, no-wrap
+msgid " iptables -L -v\n"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:505 original/man8/iptables.8:493
+#: original/man8/iptables.8:205
msgid ""
-"arptables -A OUTPUT -o eth1 --h-length 6 -j mangle --mangle-mac-s "
-"01:00:5e:00:01:01"
+"Print all rules in the selected chain. If no chain is selected, all chains "
+"are printed like iptables-save. Like every other iptables command, it "
+"applies to the specified table (filter is the default)."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:509 original/man8/iptables.8:497
-msgid ""
-"arptables -A INPUT -i eth1 --h-length 6 --destination-mac 01:00:5e:00:01:01 "
-"-j mangle --mangle-mac-d 00:zz:yy:xx:5a:27"
+#: original/man8/iptables.8:248
+msgid "This option has no effect in iptables and iptables-restore."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:512 original/man8/iptables.8:500
+#: original/man8/iptables.8:254
msgid ""
-"arptables -A OUTPUT -o eth2 --h-length 6 -j mangle --mangle-mac-s "
-"01:00:5e:00:01:02"
+"If a rule using the B<-6> option is inserted with (and only with) "
+"iptables-restore, it will be silently ignored. Any other uses will throw an "
+"error. This option allows to put both IPv4 and IPv6 rules in a single rule "
+"file for use with both iptables-restore and ip6tables-restore."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:516 original/man8/iptables.8:504
+#: original/man8/iptables.8:265
msgid ""
-"arptables -A INPUT -i eth2 --h-length 6 --destination-mac 01:00:5e:00:01:02 "
-"-j mangle --mangle-mac-d 00:zz:yy:xx:5a:27"
+"The protocol of the rule or of the packet to check. The specified protocol "
+"can be one of B<tcp>, B<udp>, B<udplite>, B<icmp>, B<esp>, B<ah>, B<sctp> or "
+"the special keyword \"B<all>\", or it can be a numeric value, representing "
+"one of these protocols or a different one. A protocol name from "
+"/etc/protocols is also allowed. A \"!\" argument before the protocol "
+"inverts the test. The number zero is equivalent to B<all>. \"B<all>\" will "
+"match with all protocols and is taken as default when this option is "
+"omitted."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:520 original/man8/iptables.8:508
-msgid ""
-"In the case of TCP connections, pickup facility has to be disabled to avoid "
-"marking TCP ACK packets coming in the reply direction as valid."
+#. type: TP
+#: original/man8/iptables.8:265
+#, no-wrap
+msgid "[B<!>] B<-s>, B<--source> I<address>[B</>I<mask>][B<,>I<...>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:522 original/man8/iptables.8:510
-msgid "echo 0 E<gt> /proc/sys/net/netfilter/nf_conntrack_tcp_loose"
+#: original/man8/iptables.8:282
+msgid ""
+"Source specification. I<Address> can be either a network name, a hostname, a "
+"network IP address (with B</>I<mask>), or a plain IP address. Hostnames will "
+"be resolved once only, before the rule is submitted to the kernel. Please "
+"note that specifying any name to be resolved with a remote query such as DNS "
+"is a really bad idea. The I<mask> can be either a network mask or a plain "
+"number, specifying the number of 1's at the left side of the network mask. "
+"Thus, a mask of I<24> is equivalent to I<255.255.255.0>. A \"!\" argument "
+"before the address specification inverts the sense of the address. The flag "
+"B<--src> is an alias for this option. Multiple addresses can be specified, "
+"but this will B<expand to multiple rules> (when adding with -A), or will "
+"cause multiple rules to be deleted (with -D)."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:522 original/man8/iptables.8:510
+#. type: TP
+#: original/man8/iptables.8:282
#, no-wrap
-msgid "comment"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:524 original/man8/iptables.8:512
-msgid "Allows you to add comments (up to 256 characters) to any rule."
+msgid "[B<!>] B<-d>, B<--destination> I<address>[B</>I<mask>][B<,>I<...>]"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:524 original/man8/iptables.8:512
+#: original/man8/iptables.8:328
#, no-wrap
-msgid "B<--comment> I<comment>"
+msgid "[B<!>] B<-f>, B<--fragment>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:529 original/man8/iptables.8:517
-msgid "iptables -A INPUT -i eth1 -m comment --comment \"my local LAN\""
+#: original/man8/iptables.8:336
+msgid ""
+"This means that the rule only refers to second and further fragments of "
+"fragmented packets. Since there is no way to tell the source or destination "
+"ports of such a packet (or ICMP type), such a packet will not match any "
+"rules which specify them. When the \"!\" argument precedes the \"-f\" flag, "
+"the rule will only match head fragments, or unfragmented packets."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:529 original/man8/iptables.8:517
+#. type: SH
+#: original/man8/iptables.8:374
#, no-wrap
-msgid "connbytes"
+msgid "MATCH AND TARGET EXTENSIONS"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:533 original/man8/iptables.8:521
+#: original/man8/iptables.8:386
msgid ""
-"Match by how many bytes or packets a connection (or one of the two flows "
-"constituting the connection) has transferred so far, or by average bytes per "
-"packet."
+"Bugs? What's this? ;-) Well, you might want to have a look at "
+"http://bugzilla.netfilter.org/"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:535 original/man8/iptables.8:523
-msgid "The counters are 64-bit and are thus not expected to overflow ;)"
+#: original/man8/iptables.8:395
+msgid ""
+"This B<iptables> is very similar to ipchains by Rusty Russell. The main "
+"difference is that the chains B<INPUT> and B<OUTPUT> are only traversed for "
+"packets coming into the local host and originating from the local host "
+"respectively. Hence every packet only passes through one of the three "
+"chains (except loopback traffic, which involves both INPUT and OUTPUT "
+"chains); previously a forwarded packet would pass through all three."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:538 original/man8/iptables.8:526
+#: original/man8/iptables.8:399
msgid ""
-"The primary use is to detect long-lived downloads and mark them to be "
-"scheduled using a lower priority band in traffic control."
+"The other main difference is that B<-i> refers to the input interface; B<-o> "
+"refers to the output interface, and both are available for packets entering "
+"the B<FORWARD> chain."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:541 original/man8/iptables.8:529
+#: original/man8/iptables.8:405
msgid ""
-"The transferred bytes per connection can also be viewed through `conntrack "
-"-L` and accessed via ctnetlink."
+"The various forms of NAT have been separated out; B<iptables> is a pure "
+"packet filter when using the default `filter' table, with optional extension "
+"modules. This should simplify much of the previous confusion over the "
+"combination of IP masquerading and packet filtering seen previously. So the "
+"following options are handled differently:"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:547 original/man8/iptables.8:535
+#: original/man8/iptables.8:409
+#, no-wrap
msgid ""
-"NOTE that for connections which have no accounting information, the match "
-"will always return false. The \"net.netfilter.nf_conntrack_acct\" sysctl "
-"flag controls whether B<new> connections will be byte/packet "
-"counted. Existing connection flows will not be gaining/losing a/the "
-"accounting structure when be sysctl flag is flipped."
+" -j MASQ\n"
+" -M -S\n"
+" -M -L\n"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:547 original/man8/iptables.8:535
-#, no-wrap
-msgid "[B<!>] B<--connbytes> I<from>[B<:>I<to>]"
+#. type: Plain text
+#: original/man8/iptables.8:411
+msgid "There are several other changes in iptables."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:553 original/man8/iptables.8:541
+#: original/man8/iptables.8:420
msgid ""
-"match packets from a connection whose packets/bytes/average packet size is "
-"more than FROM and less than TO bytes/packets. if TO is omitted only FROM "
-"check is done. \"!\" is used to match packets not falling in the range."
+"B<iptables-apply>(8), B<iptables-save>(8), B<iptables-restore>(8), "
+"B<iptables-extensions>(8), B<ip6tables>(8), B<ip6tables-save>(8), "
+"B<ip6tables-restore>(8), B<libipq>(3)."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:553 original/man8/iptables.8:541
-#, no-wrap
-msgid "B<--connbytes-dir> {B<original>|B<reply>|B<both>}"
+#. type: Plain text
+#: original/man8/iptables.8:426
+msgid ""
+"The packet-filtering-HOWTO details iptables usage for packet filtering, the "
+"NAT-HOWTO details NAT, the netfilter-extensions-HOWTO details the extensions "
+"that are not in the standard distribution, and the netfilter-hacking-HOWTO "
+"details the netfilter internals."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:556 original/man8/iptables.8:544
-msgid "which packets to consider"
-msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:556 original/man8/iptables.8:544
-#, no-wrap
-msgid "B<--connbytes-mode> {B<packets>|B<bytes>|B<avgpkt>}"
+#: original/man8/iptables.8:432
+msgid ""
+"Rusty Russell originally wrote iptables, in early consultation with Michael "
+"Neuling."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:563 original/man8/iptables.8:551
+#: original/man8/iptables.8:442
msgid ""
-"whether to check the amount of packets, number of bytes transferred or the "
-"average size (in bytes) of all packets received so far. Note that when "
-"\"both\" is used together with \"avgpkt\", and data is going (mainly) only "
-"in one direction (for example HTTP), the average packet size will be about "
-"half of the actual data packets."
+"Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, as well as "
+"the TTL, DSCP, ECN matches and targets."
msgstr ""
+#. .. and did I mention that we are incredibly cool people?
+#. .. sexy, too ..
+#. .. witty, charming, powerful ..
+#. .. and most of all, modest ..
#. type: Plain text
-#: original/man8/ip6tables.8:566 original/man8/iptables.8:554
-msgid ""
-"iptables .. -m connbytes --connbytes 10000:100000 --connbytes-dir both "
-"--connbytes-mode bytes ..."
-msgstr ""
-
-#. type: SS
-#: original/man8/ip6tables.8:566 original/man8/iptables.8:554
-#, no-wrap
-msgid "connlimit"
+#: original/man8/iptables.8:452
+msgid "Man page originally written by Herve Eychenne E<lt>rv@wallfire.orgE<gt>."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:569 original/man8/iptables.8:557
-msgid ""
-"Allows you to restrict the number of parallel connections to a server per "
-"client IP address (or client address block)."
+#: original/man8/iptables.8:454
+msgid "This manual page applies to iptables 1.4.18."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:569 original/man8/iptables.8:557
+#. type: TH
+#: original/man8/iptables-extensions.8:1
#, no-wrap
-msgid "B<--connlimit-upto> I<n>"
+msgid "iptables-extensions"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:572 original/man8/iptables.8:560
-msgid "Match if the number of existing connections is below or equal I<n>."
-msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:572 original/man8/iptables.8:560
-#, no-wrap
-msgid "B<--connlimit-above> I<n>"
+#: original/man8/iptables-extensions.8:4
+msgid ""
+"iptables-extensions \\(em list of extensions in the standard iptables "
+"distribution"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:575 original/man8/iptables.8:563
-msgid "Match if the number of existing connections is above I<n>."
-msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:575 original/man8/iptables.8:563
-#, no-wrap
-msgid "B<--connlimit-mask> I<prefix_length>"
+#: original/man8/iptables-extensions.8:7
+msgid ""
+"B<ip6tables> [B<-m> I<name> [I<module-options>...]] [B<-j> I<target-name> "
+"[I<target-options>...]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:580 original/man8/iptables.8:568
+#: original/man8/iptables-extensions.8:10
msgid ""
-"Group hosts using the prefix length. For IPv4, this must be a number between "
-"(including) 0 and 32. For IPv6, between 0 and 128. If not specified, the "
-"maximum prefix length for the applicable protocol is used."
+"B<iptables> [B<-m> I<name> [I<module-options>...]] [B<-j> I<target-name> "
+"[I<target-options>...]"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:580 original/man8/iptables.8:568
-#, no-wrap
-msgid "B<--connlimit-saddr>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:20
+msgid ""
+"iptables can use extended packet matching modules with the B<-m> or "
+"B<--match> options, followed by the matching module name; after these, "
+"various extra command line options become available, depending on the "
+"specific module. You can specify multiple extended match modules in one "
+"line, and you can use the B<-h> or B<--help> options after the module has "
+"been specified to receive help specific to that module. The extended match "
+"modules are evaluated in the order they are specified in the rule."
msgstr ""
+#. @MATCH@
#. type: Plain text
-#: original/man8/ip6tables.8:584 original/man8/iptables.8:572
+#: original/man8/iptables-extensions.8:25
msgid ""
-"Apply the limit onto the source group. This is the default if "
-"--connlimit-daddr is not specified."
+"If the B<-p> or B<--protocol> was specified and if and only if an unknown "
+"option is encountered, iptables will try load a match module of the same "
+"name as the protocol, to try making the option available."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:584 original/man8/iptables.8:572
+#. type: SS
+#: original/man8/iptables-extensions.8:25
#, no-wrap
-msgid "B<--connlimit-daddr>"
+msgid "addrtype"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:587 original/man8/iptables.8:575
-msgid "Apply the limit onto the destination group."
+#: original/man8/iptables-extensions.8:30
+msgid ""
+"This module matches packets based on their B<address type.> Address types "
+"are used within the kernel networking stack and categorize addresses into "
+"various groups. The exact definition of that group depends on the specific "
+"layer three protocol."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:589 original/man8/ip6tables.8:852 original/man8/ip6tables.8:1390 original/man8/ip6tables.8:1514 original/man8/iptables.8:577 original/man8/iptables.8:800 original/man8/iptables.8:1317 original/man8/iptables.8:1421
-msgid "Examples:"
+#: original/man8/iptables-extensions.8:32
+msgid "The following address types are possible:"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:589 original/man8/iptables.8:577
+#: original/man8/iptables-extensions.8:32
#, no-wrap
-msgid "# allow 2 telnet connections per client host"
+msgid "B<UNSPEC>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:592 original/man8/iptables.8:580
-msgid ""
-"iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 "
-"-j REJECT"
+#: original/man8/iptables-extensions.8:35
+msgid "an unspecified address (i.e. 0.0.0.0)"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:592 original/man8/iptables.8:580
+#: original/man8/iptables-extensions.8:35
#, no-wrap
-msgid "# you can also match the other way around:"
+msgid "B<UNICAST>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:595 original/man8/iptables.8:583
-msgid ""
-"iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-upto 2 -j "
-"ACCEPT"
+#: original/man8/iptables-extensions.8:38
+msgid "an unicast address"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:595 original/man8/iptables.8:583
+#: original/man8/iptables-extensions.8:38
#, no-wrap
-msgid ""
-"# limit the number of parallel HTTP requests to 16 per class C sized source "
-"network (24 bit netmask)"
+msgid "B<LOCAL>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:600 original/man8/iptables.8:588
-msgid ""
-"iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 "
-"--connlimit-mask 24 -j REJECT"
+#: original/man8/iptables-extensions.8:41
+msgid "a local address"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:600 original/man8/iptables.8:588
+#: original/man8/iptables-extensions.8:41
#, no-wrap
-msgid ""
-"# limit the number of parallel HTTP requests to 16 for the link local "
-"network"
+msgid "B<BROADCAST>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:605 original/man8/iptables.8:593
-msgid ""
-"(ipv6) ip6tables -p tcp --syn --dport 80 -s fe80::/64 -m connlimit "
-"--connlimit-above 16 --connlimit-mask 64 -j REJECT"
+#: original/man8/iptables-extensions.8:44
+msgid "a broadcast address"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:605 original/man8/iptables.8:593
+#: original/man8/iptables-extensions.8:44
#, no-wrap
-msgid "# Limit the number of connections to a particular host:"
+msgid "B<ANYCAST>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:609 original/man8/iptables.8:597
-msgid ""
-"ip6tables -p tcp --syn --dport 49152:65535 -d 2001:db8::1 -m connlimit "
-"--connlimit-above 100 -j REJECT"
+#: original/man8/iptables-extensions.8:47
+msgid "an anycast packet"
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:609 original/man8/iptables.8:597
+#. type: TP
+#: original/man8/iptables-extensions.8:47
#, no-wrap
-msgid "connmark"
+msgid "B<MULTICAST>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:612 original/man8/iptables.8:600
-msgid ""
-"This module matches the netfilter mark field associated with a connection "
-"(which can be set using the B<CONNMARK> target below)."
+#: original/man8/iptables-extensions.8:50
+msgid "a multicast address"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:612 original/man8/ip6tables.8:1023 original/man8/iptables.8:600 original/man8/iptables.8:909
+#: original/man8/iptables-extensions.8:50
#, no-wrap
-msgid "[B<!>] B<--mark> I<value>[B</>I<mask>]"
+msgid "B<BLACKHOLE>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:616 original/man8/iptables.8:604
-msgid ""
-"Matches packets in connections with the given mark value (if a mask is "
-"specified, this is logically ANDed with the mark before the comparison)."
+#: original/man8/iptables-extensions.8:53
+msgid "a blackhole address"
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:616 original/man8/iptables.8:604
+#. type: TP
+#: original/man8/iptables-extensions.8:53
#, no-wrap
-msgid "conntrack"
+msgid "B<UNREACHABLE>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:619 original/man8/iptables.8:607
-msgid ""
-"This module, when combined with connection tracking, allows access to the "
-"connection tracking state for this packet/connection."
+#: original/man8/iptables-extensions.8:56
+msgid "an unreachable address"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:619 original/man8/iptables.8:607
+#: original/man8/iptables-extensions.8:56
#, no-wrap
-msgid "[B<!>] B<--ctstate> I<statelist>"
+msgid "B<PROHIBIT>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:623 original/man8/iptables.8:611
-msgid ""
-"I<statelist> is a comma separated list of the connection states to match. "
-"Possible states are listed below."
+#: original/man8/iptables-extensions.8:59
+msgid "a prohibited address"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:623 original/man8/iptables.8:611
+#: original/man8/iptables-extensions.8:59
#, no-wrap
-msgid "[B<!>] B<--ctproto> I<l4proto>"
+msgid "B<THROW>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:626 original/man8/iptables.8:614
-msgid "Layer-4 protocol to match (by number or name)"
-msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:626 original/man8/iptables.8:614
-#, no-wrap
-msgid "[B<!>] B<--ctorigsrc> I<address>[B</>I<mask>]"
+#: original/man8/iptables-extensions.8:62 original/man8/iptables-extensions.8:65
+msgid "FIXME"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:628 original/man8/iptables.8:616
+#: original/man8/iptables-extensions.8:62
#, no-wrap
-msgid "[B<!>] B<--ctorigdst> I<address>[B</>I<mask>]"
+msgid "B<NAT>"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:630 original/man8/iptables.8:618
+#: original/man8/iptables-extensions.8:65
#, no-wrap
-msgid "[B<!>] B<--ctreplsrc> I<address>[B</>I<mask>]"
+msgid "B<XRESOLVE>"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:632 original/man8/iptables.8:620
+#: original/man8/iptables-extensions.8:67
#, no-wrap
-msgid "[B<!>] B<--ctrepldst> I<address>[B</>I<mask>]"
+msgid "[B<!>] B<--src-type> I<type>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:635 original/man8/iptables.8:623
-msgid "Match against original/reply source/destination address"
-msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:635 original/man8/iptables.8:623
-#, no-wrap
-msgid "[B<!>] B<--ctorigsrcport> I<port>[B<:>I<port>]"
+#: original/man8/iptables-extensions.8:70
+msgid "Matches if the source address is of given type"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:637 original/man8/iptables.8:625
+#: original/man8/iptables-extensions.8:70
#, no-wrap
-msgid "[B<!>] B<--ctorigdstport> I<port>[B<:>I<port>]"
+msgid "[B<!>] B<--dst-type> I<type>"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:639 original/man8/iptables.8:627
-#, no-wrap
-msgid "[B<!>] B<--ctreplsrcport> I<port>[B<:>I<port>]"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:73
+msgid "Matches if the destination address is of given type"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:641 original/man8/iptables.8:629
+#: original/man8/iptables-extensions.8:73
#, no-wrap
-msgid "[B<!>] B<--ctrepldstport> I<port>[B<:>I<port>]"
+msgid "B<--limit-iface-in>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:645 original/man8/iptables.8:633
+#: original/man8/iptables-extensions.8:84
msgid ""
-"Match against original/reply source/destination port (TCP/UDP/etc.) or GRE "
-"key. Matching against port ranges is only supported in kernel versions "
-"above 2.6.38."
+"The address type checking can be limited to the interface the packet is "
+"coming in. This option is only valid in the B<PREROUTING>, B<INPUT> and "
+"B<FORWARD> chains. It cannot be specified with the B<--limit-iface-out> "
+"option."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:645 original/man8/iptables.8:633
+#: original/man8/iptables-extensions.8:84
#, no-wrap
-msgid "[B<!>] B<--ctstatus> I<statelist>"
+msgid "B<--limit-iface-out>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:649 original/man8/iptables.8:637
+#: original/man8/iptables-extensions.8:95
msgid ""
-"I<statuslist> is a comma separated list of the connection statuses to "
-"match. Possible statuses are listed below."
+"The address type checking can be limited to the interface the packet is "
+"going out. This option is only valid in the B<POSTROUTING>, B<OUTPUT> and "
+"B<FORWARD> chains. It cannot be specified with the B<--limit-iface-in> "
+"option."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:649 original/man8/iptables.8:637
+#. type: SS
+#: original/man8/iptables-extensions.8:95
#, no-wrap
-msgid "[B<!>] B<--ctexpire> I<time>[B<:>I<time>]"
+msgid "ah (IPv6-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:653 original/man8/iptables.8:641
+#: original/man8/iptables-extensions.8:97
msgid ""
-"Match remaining lifetime in seconds against given value or range of values "
-"(inclusive)"
+"This module matches the parameters in Authentication header of IPsec "
+"packets."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:653 original/man8/iptables.8:641
+#: original/man8/iptables-extensions.8:97 original/man8/iptables-extensions.8:108
#, no-wrap
-msgid "B<--ctdir> {B<ORIGINAL>|B<REPLY>}"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:657 original/man8/iptables.8:645
-msgid ""
-"Match packets that are flowing in the specified direction. If this flag is "
-"not specified at all, matches packets in both directions."
+msgid "[B<!>] B<--ahspi> I<spi>[B<:>I<spi>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:659 original/man8/iptables.8:647
-msgid "States for B<--ctstate>:"
+#: original/man8/iptables-extensions.8:100
+msgid "Matches SPI."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:659 original/man8/iptables.8:647
+#: original/man8/iptables-extensions.8:100
#, no-wrap
-msgid "B<INVALID>"
+msgid "[B<!>] B<--ahlen> I<length>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:662 original/man8/iptables.8:650
-msgid "meaning that the packet is associated with no known connection"
+#: original/man8/iptables-extensions.8:103 original/man8/iptables-extensions.8:407 original/man8/iptables-extensions.8:540
+msgid "Total length of this header in octets."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:662 original/man8/iptables.8:650
+#: original/man8/iptables-extensions.8:103
#, no-wrap
-msgid "B<NEW>"
+msgid "B<--ahres>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:666 original/man8/iptables.8:654
-msgid ""
-"meaning that the packet has started a new connection, or otherwise "
-"associated with a connection which has not seen packets in both directions, "
-"and"
+#: original/man8/iptables-extensions.8:106
+msgid "Matches if the reserved field is filled with zero."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:666 original/man8/iptables.8:654
+#. type: SS
+#: original/man8/iptables-extensions.8:106
#, no-wrap
-msgid "B<ESTABLISHED>"
+msgid "ah (IPv4-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:670 original/man8/iptables.8:658
-msgid ""
-"meaning that the packet is associated with a connection which has seen "
-"packets in both directions,"
+#: original/man8/iptables-extensions.8:108
+msgid "This module matches the SPIs in Authentication header of IPsec packets."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:670 original/man8/iptables.8:658
+#. type: SS
+#: original/man8/iptables-extensions.8:110
#, no-wrap
-msgid "B<RELATED>"
+msgid "cluster"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:674 original/man8/iptables.8:662
+#: original/man8/iptables-extensions.8:113
msgid ""
-"meaning that the packet is starting a new connection, but is associated with "
-"an existing connection, such as an FTP data transfer, or an ICMP error."
-msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:674 original/man8/iptables.8:662
-#, no-wrap
-msgid "B<UNTRACKED>"
+"Allows you to deploy gateway and back-end load-sharing clusters without the "
+"need of load-balancers."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:678 original/man8/iptables.8:666
+#: original/man8/iptables-extensions.8:116
msgid ""
-"meaning that the packet is not tracked at all, which happens if you use the "
-"NOTRACK target in raw table."
+"This match requires that all the nodes see the same packets. Thus, the "
+"cluster match decides if this node has to handle a packet given the "
+"following options:"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:678 original/man8/iptables.8:666
+#: original/man8/iptables-extensions.8:116
#, no-wrap
-msgid "B<SNAT>"
+msgid "B<--cluster-total-nodes> I<num>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:682 original/man8/iptables.8:670
-msgid ""
-"A virtual state, matching if the original source address differs from the "
-"reply destination."
+#: original/man8/iptables-extensions.8:119
+msgid "Set number of total nodes in cluster."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:682 original/man8/iptables.8:670
+#: original/man8/iptables-extensions.8:119
#, no-wrap
-msgid "B<DNAT>"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:686 original/man8/iptables.8:674
-msgid ""
-"A virtual state, matching if the original destination differs from the reply "
-"source."
+msgid "[B<!>] B<--cluster-local-node> I<num>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:688 original/man8/iptables.8:676
-msgid "Statuses for B<--ctstatus>:"
+#: original/man8/iptables-extensions.8:122
+msgid "Set the local node number ID."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:688 original/man8/iptables.8:676
+#: original/man8/iptables-extensions.8:122
#, no-wrap
-msgid "B<NONE>"
+msgid "[B<!>] B<--cluster-local-nodemask> I<mask>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:691 original/man8/iptables.8:679
-msgid "None of the below."
+#: original/man8/iptables-extensions.8:126
+msgid ""
+"Set the local node number ID mask. You can use this option instead of "
+"B<--cluster-local-node>."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:691 original/man8/iptables.8:679
+#: original/man8/iptables-extensions.8:126
#, no-wrap
-msgid "B<EXPECTED>"
+msgid "B<--cluster-hash-seed> I<value>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:694 original/man8/iptables.8:682
-msgid "This is an expected connection (i.e. a conntrack helper set it up)"
+#: original/man8/iptables-extensions.8:129
+msgid "Set seed value of the Jenkins hash."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:694 original/man8/iptables.8:682
+#: original/man8/iptables-extensions.8:131 original/man8/iptables-extensions.8:177 original/man8/iptables-extensions.8:214 original/man8/iptables-extensions.8:362 original/man8/iptables-extensions.8:1588 original/man8/iptables-extensions.8:1636 original/man8/iptables-extensions.8:1685 original/man8/iptables-extensions.8:2016
#, no-wrap
-msgid "B<SEEN_REPLY>"
+msgid "Example:"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:697 original/man8/iptables.8:685
-msgid "Conntrack has seen packets in both directions."
-msgstr ""
+#: original/man8/iptables-extensions.8:136
+msgid ""
+"iptables -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 2 "
+"--cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark "
+"0xffff"
+msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:697 original/man8/iptables.8:685
-#, no-wrap
-msgid "B<ASSURED>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:141
+msgid ""
+"iptables -A PREROUTING -t mangle -i eth2 -m cluster --cluster-total-nodes 2 "
+"--cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark "
+"0xffff"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:700 original/man8/iptables.8:688
-msgid "Conntrack entry should never be early-expired."
+#: original/man8/iptables-extensions.8:144
+msgid "iptables -A PREROUTING -t mangle -i eth1 -m mark ! --mark 0xffff -j DROP"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:700 original/man8/iptables.8:688
-#, no-wrap
-msgid "B<CONFIRMED>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:147
+msgid "iptables -A PREROUTING -t mangle -i eth2 -m mark ! --mark 0xffff -j DROP"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:703 original/man8/iptables.8:691
-msgid "Connection is confirmed: originating packet has left box."
+#: original/man8/iptables-extensions.8:149
+msgid "And the following commands to make all nodes see the same packets:"
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:703 original/man8/iptables.8:691
-#, no-wrap
-msgid "cpu"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:151
+msgid "ip maddr add 01:00:5e:00:01:01 dev eth1"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:704 original/man8/iptables.8:692
-#, no-wrap
-msgid "[B<!>] B<--cpu> I<number>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:153
+msgid "ip maddr add 01:00:5e:00:01:02 dev eth2"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:709 original/man8/iptables.8:697
+#: original/man8/iptables-extensions.8:156
msgid ""
-"Match cpu handling this packet. cpus are numbered from 0 to NR_CPUS-1 Can be "
-"used in combination with RPS (Remote Packet Steering) or multiqueue NICs to "
-"spread network traffic on different queues."
+"arptables -A OUTPUT -o eth1 --h-length 6 -j mangle --mangle-mac-s "
+"01:00:5e:00:01:01"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:714 original/man8/iptables.8:702
+#: original/man8/iptables-extensions.8:160
msgid ""
-"iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 0 -j REDIRECT "
-"--to-port 8080"
+"arptables -A INPUT -i eth1 --h-length 6 --destination-mac 01:00:5e:00:01:01 "
+"-j mangle --mangle-mac-d 00:zz:yy:xx:5a:27"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:717 original/man8/iptables.8:705
+#: original/man8/iptables-extensions.8:163
msgid ""
-"iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 1 -j REDIRECT "
-"--to-port 8081"
+"arptables -A OUTPUT -o eth2 --h-length 6 -j mangle --mangle-mac-s "
+"01:00:5e:00:01:02"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:719 original/man8/iptables.8:707
-msgid "Available since Linux 2.6.36."
+#: original/man8/iptables-extensions.8:167
+msgid ""
+"arptables -A INPUT -i eth2 --h-length 6 --destination-mac 01:00:5e:00:01:02 "
+"-j mangle --mangle-mac-d 00:zz:yy:xx:5a:27"
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:719 original/man8/iptables.8:707
-#, no-wrap
-msgid "dccp"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:171
+msgid ""
+"In the case of TCP connections, pickup facility has to be disabled to avoid "
+"marking TCP ACK packets coming in the reply direction as valid."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:720 original/man8/ip6tables.8:1492 original/man8/ip6tables.8:1626 original/man8/ip6tables.8:1906 original/man8/iptables.8:708 original/man8/iptables.8:1399 original/man8/iptables.8:1533 original/man8/iptables.8:1824
-#, no-wrap
-msgid "[B<!>] B<--source-port>,B<--sport> I<port>[B<:>I<port>]"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:173
+msgid "echo 0 E<gt> /proc/sys/net/netfilter/nf_conntrack_tcp_loose"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:722 original/man8/ip6tables.8:1494 original/man8/ip6tables.8:1637 original/man8/ip6tables.8:1912 original/man8/iptables.8:710 original/man8/iptables.8:1401 original/man8/iptables.8:1544 original/man8/iptables.8:1830
+#. type: SS
+#: original/man8/iptables-extensions.8:173
#, no-wrap
-msgid "[B<!>] B<--destination-port>,B<--dport> I<port>[B<:>I<port>]"
+msgid "comment"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:175
+msgid "Allows you to add comments (up to 256 characters) to any rule."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:724 original/man8/iptables.8:712
+#: original/man8/iptables-extensions.8:175
#, no-wrap
-msgid "[B<!>] B<--dccp-types> I<mask>"
+msgid "B<--comment> I<comment>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:729 original/man8/iptables.8:717
-msgid ""
-"Match when the DCCP packet type is one of 'mask'. 'mask' is a "
-"comma-separated list of packet types. Packet types are: B<REQUEST RESPONSE "
-"DATA ACK DATAACK CLOSEREQ CLOSE RESET SYNC SYNCACK INVALID>."
+#: original/man8/iptables-extensions.8:180
+msgid "iptables -A INPUT -i eth1 -m comment --comment \"my local LAN\""
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:729 original/man8/iptables.8:717
+#. type: SS
+#: original/man8/iptables-extensions.8:180
#, no-wrap
-msgid "[B<!>] B<--dccp-option> I<number>"
+msgid "connbytes"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:732 original/man8/iptables.8:720
-msgid "Match if DCCP option set."
+#: original/man8/iptables-extensions.8:184
+msgid ""
+"Match by how many bytes or packets a connection (or one of the two flows "
+"constituting the connection) has transferred so far, or by average bytes per "
+"packet."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:732 original/man8/iptables.8:720
-#, no-wrap
-msgid "dscp"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:186
+msgid "The counters are 64-bit and are thus not expected to overflow ;)"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:735 original/man8/iptables.8:723
+#: original/man8/iptables-extensions.8:189
msgid ""
-"This module matches the 6 bit DSCP field within the TOS field in the IP "
-"header. DSCP has superseded TOS within the IETF."
+"The primary use is to detect long-lived downloads and mark them to be "
+"scheduled using a lower priority band in traffic control."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:735 original/man8/iptables.8:723
-#, no-wrap
-msgid "[B<!>] B<--dscp> I<value>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:192
+msgid ""
+"The transferred bytes per connection can also be viewed through `conntrack "
+"-L` and accessed via ctnetlink."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:738 original/man8/iptables.8:726
-msgid "Match against a numeric (decimal or hex) value [0-63]."
+#: original/man8/iptables-extensions.8:198
+msgid ""
+"NOTE that for connections which have no accounting information, the match "
+"will always return false. The \"net.netfilter.nf_conntrack_acct\" sysctl "
+"flag controls whether B<new> connections will be byte/packet "
+"counted. Existing connection flows will not be gaining/losing a/the "
+"accounting structure when be sysctl flag is flipped."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:738 original/man8/iptables.8:726
+#: original/man8/iptables-extensions.8:198
#, no-wrap
-msgid "[B<!>] B<--dscp-class> I<class>"
+msgid "[B<!>] B<--connbytes> I<from>[B<:>I<to>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:743 original/man8/iptables.8:731
+#: original/man8/iptables-extensions.8:204
msgid ""
-"Match the DiffServ class. This value may be any of the BE, EF, AFxx or CSx "
-"classes. It will then be converted into its according numeric value."
+"match packets from a connection whose packets/bytes/average packet size is "
+"more than FROM and less than TO bytes/packets. if TO is omitted only FROM "
+"check is done. \"!\" is used to match packets not falling in the range."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:743
+#. type: TP
+#: original/man8/iptables-extensions.8:204
#, no-wrap
-msgid "dst"
+msgid "B<--connbytes-dir> {B<original>|B<reply>|B<both>}"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:745
-msgid "This module matches the parameters in Destination Options header"
+#: original/man8/iptables-extensions.8:207
+msgid "which packets to consider"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:745
+#: original/man8/iptables-extensions.8:207
#, no-wrap
-msgid "[B<!>] B<--dst-len> I<length>"
+msgid "B<--connbytes-mode> {B<packets>|B<bytes>|B<avgpkt>}"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:748
-#, no-wrap
-msgid "B<--dst-opts> I<type>[B<:>I<length>][B<,>I<type>[B<:>I<length>]...]"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:214
+msgid ""
+"whether to check the amount of packets, number of bytes transferred or the "
+"average size (in bytes) of all packets received so far. Note that when "
+"\"both\" is used together with \"avgpkt\", and data is going (mainly) only "
+"in one direction (for example HTTP), the average packet size will be about "
+"half of the actual data packets."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:751 original/man8/ip6tables.8:873
-msgid "numeric type of option and the length of the option data in octets."
+#: original/man8/iptables-extensions.8:217
+msgid ""
+"iptables .. -m connbytes --connbytes 10000:100000 --connbytes-dir both "
+"--connbytes-mode bytes ..."
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:751 original/man8/iptables.8:731
+#: original/man8/iptables-extensions.8:217
#, no-wrap
-msgid "ecn"
+msgid "connlimit"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:753 original/man8/iptables.8:733
+#: original/man8/iptables-extensions.8:220
msgid ""
-"This allows you to match the ECN bits of the IPv4/IPv6 and TCP header. ECN "
-"is the Explicit Congestion Notification mechanism as specified in RFC3168"
+"Allows you to restrict the number of parallel connections to a server per "
+"client IP address (or client address block)."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:753 original/man8/iptables.8:733
+#: original/man8/iptables-extensions.8:220
#, no-wrap
-msgid "[B<!>] B<--ecn-tcp-cwr>"
+msgid "B<--connlimit-upto> I<n>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:756 original/man8/iptables.8:736
-msgid "This matches if the TCP ECN CWR (Congestion Window Received) bit is set."
+#: original/man8/iptables-extensions.8:223
+msgid "Match if the number of existing connections is below or equal I<n>."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:756 original/man8/iptables.8:736
+#: original/man8/iptables-extensions.8:223
#, no-wrap
-msgid "[B<!>] B<--ecn-tcp-ece>"
+msgid "B<--connlimit-above> I<n>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:759 original/man8/iptables.8:739
-msgid "This matches if the TCP ECN ECE (ECN Echo) bit is set."
+#: original/man8/iptables-extensions.8:226
+msgid "Match if the number of existing connections is above I<n>."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:759 original/man8/iptables.8:739
+#: original/man8/iptables-extensions.8:226
#, no-wrap
-msgid "[B<!>] B<--ecn-ip-ect> I<num>"
+msgid "B<--connlimit-mask> I<prefix_length>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:763 original/man8/iptables.8:743
+#: original/man8/iptables-extensions.8:231
msgid ""
-"This matches a particular IPv4/IPv6 ECT (ECN-Capable Transport). You have to "
-"specify a number between `0' and `3'."
+"Group hosts using the prefix length. For IPv4, this must be a number between "
+"(including) 0 and 32. For IPv6, between 0 and 128. If not specified, the "
+"maximum prefix length for the applicable protocol is used."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:763 original/man8/iptables.8:743
+#. type: TP
+#: original/man8/iptables-extensions.8:231
#, no-wrap
-msgid "esp"
+msgid "B<--connlimit-saddr>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:765 original/man8/iptables.8:745
-msgid "This module matches the SPIs in ESP header of IPsec packets."
+#: original/man8/iptables-extensions.8:235
+msgid ""
+"Apply the limit onto the source group. This is the default if "
+"--connlimit-daddr is not specified."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:765 original/man8/iptables.8:745
+#: original/man8/iptables-extensions.8:235
#, no-wrap
-msgid "[B<!>] B<--espspi> I<spi>[B<:>I<spi>]"
+msgid "B<--connlimit-daddr>"
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:767
-#, no-wrap
-msgid "eui64"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:238
+msgid "Apply the limit onto the destination group."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:778
-msgid ""
-"This module matches the EUI-64 part of a stateless autoconfigured IPv6 "
-"address. It compares the EUI-64 derived from the source MAC address in "
-"Ethernet frame with the lower 64 bits of the IPv6 source address. But "
-"\"Universal/Local\" bit is not compared. This module doesn't match other "
-"link layer frame, and is only valid in the B<PREROUTING>, B<INPUT> and "
-"B<FORWARD> chains."
+#: original/man8/iptables-extensions.8:240 original/man8/iptables-extensions.8:514 original/man8/iptables-extensions.8:1127 original/man8/iptables-extensions.8:1252
+msgid "Examples:"
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:778
+#. type: TP
+#: original/man8/iptables-extensions.8:240
#, no-wrap
-msgid "frag"
+msgid "# allow 2 telnet connections per client host"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:780
-msgid "This module matches the parameters in Fragment header."
+#: original/man8/iptables-extensions.8:243
+msgid ""
+"iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 "
+"-j REJECT"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:780
+#: original/man8/iptables-extensions.8:243
#, no-wrap
-msgid "[B<!>] B<--fragid> I<id>[B<:>I<id>]"
+msgid "# you can also match the other way around:"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:783
-msgid "Matches the given Identification or range of it."
+#: original/man8/iptables-extensions.8:246
+msgid ""
+"iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-upto 2 -j "
+"ACCEPT"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:783
+#: original/man8/iptables-extensions.8:246
#, no-wrap
-msgid "[B<!>] B<--fraglen> I<length>"
+msgid ""
+"# limit the number of parallel HTTP requests to 16 per class C sized source "
+"network (24 bit netmask)"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:787
+#: original/man8/iptables-extensions.8:251
msgid ""
-"This option cannot be used with kernel version 2.6.10 or later. The length "
-"of Fragment header is static and this option doesn't make sense."
+"iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 "
+"--connlimit-mask 24 -j REJECT"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:787
+#: original/man8/iptables-extensions.8:251
#, no-wrap
-msgid "B<--fragres>"
+msgid ""
+"# limit the number of parallel HTTP requests to 16 for the link local "
+"network"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:790
-msgid "Matches if the reserved fields are filled with zero."
+#: original/man8/iptables-extensions.8:256
+msgid ""
+"(ipv6) ip6tables -p tcp --syn --dport 80 -s fe80::/64 -m connlimit "
+"--connlimit-above 16 --connlimit-mask 64 -j REJECT"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:790
+#: original/man8/iptables-extensions.8:256
#, no-wrap
-msgid "B<--fragfirst>"
+msgid "# Limit the number of connections to a particular host:"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:793
-msgid "Matches on the first fragment."
+#: original/man8/iptables-extensions.8:260
+msgid ""
+"ip6tables -p tcp --syn --dport 49152:65535 -d 2001:db8::1 -m connlimit "
+"--connlimit-above 100 -j REJECT"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:793
+#. type: SS
+#: original/man8/iptables-extensions.8:260
#, no-wrap
-msgid "B<--fragmore>"
+msgid "connmark"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:796
-msgid "Matches if there are more fragments."
+#: original/man8/iptables-extensions.8:263
+msgid ""
+"This module matches the netfilter mark field associated with a connection "
+"(which can be set using the B<CONNMARK> target below)."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:796
+#: original/man8/iptables-extensions.8:263 original/man8/iptables-extensions.8:703
#, no-wrap
-msgid "B<--fraglast>"
+msgid "[B<!>] B<--mark> I<value>[B</>I<mask>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:799
-msgid "Matches if this is the last fragment."
+#: original/man8/iptables-extensions.8:267
+msgid ""
+"Matches packets in connections with the given mark value (if a mask is "
+"specified, this is logically ANDed with the mark before the comparison)."
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:799 original/man8/iptables.8:747
+#: original/man8/iptables-extensions.8:267
#, no-wrap
-msgid "hashlimit"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:805 original/man8/iptables.8:753
-msgid ""
-"B<hashlimit> uses hash buckets to express a rate limiting match (like the "
-"B<limit> match) for a group of connections using a B<single> iptables "
-"rule. Grouping can be done per-hostgroup (source and/or destination address) "
-"and/or per-port. It gives you the ability to express \"I<N> packets per time "
-"quantum per group\" (see below for some examples)."
+msgid "conntrack"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:808 original/man8/iptables.8:756
+#: original/man8/iptables-extensions.8:270
msgid ""
-"A hash limit option (B<--hashlimit-upto>, B<--hashlimit-above>) and "
-"B<--hashlimit-name> are required."
+"This module, when combined with connection tracking, allows access to the "
+"connection tracking state for this packet/connection."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:808 original/man8/iptables.8:756
+#: original/man8/iptables-extensions.8:270
#, no-wrap
-msgid "B<--hashlimit-upto> I<amount>[B</second>|B</minute>|B</hour>|B</day>]"
+msgid "[B<!>] B<--ctstate> I<statelist>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:812 original/man8/iptables.8:760
+#: original/man8/iptables-extensions.8:274
msgid ""
-"Match if the rate is below or equal to I<amount>/quantum. It is specified as "
-"a number, with an optional time quantum suffix; the default is 3/hour."
+"I<statelist> is a comma separated list of the connection states to match. "
+"Possible states are listed below."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:812 original/man8/iptables.8:760
+#: original/man8/iptables-extensions.8:274
#, no-wrap
-msgid "B<--hashlimit-above> I<amount>[B</second>|B</minute>|B</hour>|B</day>]"
+msgid "[B<!>] B<--ctproto> I<l4proto>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:815 original/man8/iptables.8:763
-msgid "Match if the rate is above I<amount>/quantum."
+#: original/man8/iptables-extensions.8:277
+msgid "Layer-4 protocol to match (by number or name)"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:815 original/man8/iptables.8:763
+#: original/man8/iptables-extensions.8:277
#, no-wrap
-msgid "B<--hashlimit-burst> I<amount>"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:820 original/man8/ip6tables.8:1007 original/man8/iptables.8:768 original/man8/iptables.8:893
-msgid ""
-"Maximum initial number of packets to match: this number gets recharged by "
-"one every time the limit specified above is not reached, up to this number; "
-"the default is 5."
+msgid "[B<!>] B<--ctorigsrc> I<address>[B</>I<mask>]"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:820 original/man8/iptables.8:768
+#: original/man8/iptables-extensions.8:279
#, no-wrap
-msgid "B<--hashlimit-mode> {B<srcip>|B<srcport>|B<dstip>|B<dstport>}B<,>..."
+msgid "[B<!>] B<--ctorigdst> I<address>[B</>I<mask>]"
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:825 original/man8/iptables.8:773
-msgid ""
-"A comma-separated list of objects to take into consideration. If no "
-"--hashlimit-mode option is given, hashlimit acts like limit, but at the "
-"expensive of doing the hash housekeeping."
+#. type: TP
+#: original/man8/iptables-extensions.8:281
+#, no-wrap
+msgid "[B<!>] B<--ctreplsrc> I<address>[B</>I<mask>]"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:825 original/man8/iptables.8:773
+#: original/man8/iptables-extensions.8:283
#, no-wrap
-msgid "B<--hashlimit-srcmask> I<prefix>"
+msgid "[B<!>] B<--ctrepldst> I<address>[B</>I<mask>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:832 original/man8/iptables.8:780
-msgid ""
-"When --hashlimit-mode srcip is used, all source addresses encountered will "
-"be grouped according to the given prefix length and the so-created subnet "
-"will be subject to hashlimit. I<prefix> must be between (inclusive) 0 and "
-"32. Note that --hashlimit-srcmask 0 is basically doing the same thing as not "
-"specifying srcip for --hashlimit-mode, but is technically more expensive."
+#: original/man8/iptables-extensions.8:286
+msgid "Match against original/reply source/destination address"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:832 original/man8/iptables.8:780
+#: original/man8/iptables-extensions.8:286
#, no-wrap
-msgid "B<--hashlimit-dstmask> I<prefix>"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:835 original/man8/iptables.8:783
-msgid "Like --hashlimit-srcmask, but for destination addresses."
+msgid "[B<!>] B<--ctorigsrcport> I<port>[B<:>I<port>]"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:835 original/man8/iptables.8:783
+#: original/man8/iptables-extensions.8:288
#, no-wrap
-msgid "B<--hashlimit-name> I<foo>"
+msgid "[B<!>] B<--ctorigdstport> I<port>[B<:>I<port>]"
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:838 original/man8/iptables.8:786
-msgid "The name for the /proc/net/ipt_hashlimit/foo entry."
+#. type: TP
+#: original/man8/iptables-extensions.8:290
+#, no-wrap
+msgid "[B<!>] B<--ctreplsrcport> I<port>[B<:>I<port>]"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:838 original/man8/iptables.8:786
+#: original/man8/iptables-extensions.8:292
#, no-wrap
-msgid "B<--hashlimit-htable-size> I<buckets>"
+msgid "[B<!>] B<--ctrepldstport> I<port>[B<:>I<port>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:841 original/man8/iptables.8:789
-msgid "The number of buckets of the hash table"
+#: original/man8/iptables-extensions.8:296
+msgid ""
+"Match against original/reply source/destination port (TCP/UDP/etc.) or GRE "
+"key. Matching against port ranges is only supported in kernel versions "
+"above 2.6.38."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:841 original/man8/iptables.8:789
+#: original/man8/iptables-extensions.8:296
#, no-wrap
-msgid "B<--hashlimit-htable-max> I<entries>"
+msgid "[B<!>] B<--ctstatus> I<statelist>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:844 original/man8/iptables.8:792
-msgid "Maximum entries in the hash."
+#: original/man8/iptables-extensions.8:300
+msgid ""
+"I<statuslist> is a comma separated list of the connection statuses to "
+"match. Possible statuses are listed below."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:844 original/man8/iptables.8:792
+#: original/man8/iptables-extensions.8:300
#, no-wrap
-msgid "B<--hashlimit-htable-expire> I<msec>"
+msgid "[B<!>] B<--ctexpire> I<time>[B<:>I<time>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:847 original/man8/iptables.8:795
-msgid "After how many milliseconds do hash entries expire."
+#: original/man8/iptables-extensions.8:304
+msgid ""
+"Match remaining lifetime in seconds against given value or range of values "
+"(inclusive)"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:847 original/man8/iptables.8:795
+#: original/man8/iptables-extensions.8:304
#, no-wrap
-msgid "B<--hashlimit-htable-gcinterval> I<msec>"
+msgid "B<--ctdir> {B<ORIGINAL>|B<REPLY>}"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:850 original/man8/iptables.8:798
-msgid "How many milliseconds between garbage collection intervals."
+#: original/man8/iptables-extensions.8:308
+msgid ""
+"Match packets that are flowing in the specified direction. If this flag is "
+"not specified at all, matches packets in both directions."
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:310
+msgid "States for B<--ctstate>:"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:852 original/man8/iptables.8:800
+#: original/man8/iptables-extensions.8:310
#, no-wrap
-msgid "matching on source host"
+msgid "B<INVALID>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:856 original/man8/iptables.8:804
-msgid ""
-"\"1000 packets per second for every host in 192.168.0.0/16\" =E<gt> -s "
-"192.168.0.0/16 --hashlimit-mode srcip --hashlimit-upto 1000/sec"
+#: original/man8/iptables-extensions.8:313
+msgid "The packet is associated with no known connection."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:856 original/man8/iptables.8:804
+#: original/man8/iptables-extensions.8:313
#, no-wrap
-msgid "matching on source port"
+msgid "B<NEW>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:860 original/man8/iptables.8:808
+#: original/man8/iptables-extensions.8:317
msgid ""
-"\"100 packets per second for every service of 192.168.1.1\" =E<gt> -s "
-"192.168.1.1 --hashlimit-mode srcport --hashlimit-upto 100/sec"
+"The packet has started a new connection, or otherwise associated with a "
+"connection which has not seen packets in both directions."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:860 original/man8/iptables.8:808
+#: original/man8/iptables-extensions.8:317
#, no-wrap
-msgid "matching on subnet"
+msgid "B<ESTABLISHED>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:865 original/man8/iptables.8:813
+#: original/man8/iptables-extensions.8:321
msgid ""
-"\"10000 packets per minute for every /28 subnet (groups of 8 addresses) in "
-"10.0.0.0/8\" =E<gt> -s 10.0.0.8 --hashlimit-mask 28 --hashlimit-upto "
-"10000/min"
+"The packet is associated with a connection which has seen packets in both "
+"directions."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:865
+#. type: TP
+#: original/man8/iptables-extensions.8:321
#, no-wrap
-msgid "hbh"
+msgid "B<RELATED>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:867
-msgid "This module matches the parameters in Hop-by-Hop Options header"
+#: original/man8/iptables-extensions.8:325
+msgid ""
+"The packet is starting a new connection, but is associated with an existing "
+"connection, such as an FTP data transfer, or an ICMP error."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:867
+#: original/man8/iptables-extensions.8:325
#, no-wrap
-msgid "[B<!>] B<--hbh-len> I<length>"
+msgid "B<UNTRACKED>"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:870
-#, no-wrap
-msgid "B<--hbh-opts> I<type>[B<:>I<length>][B<,>I<type>[B<:>I<length>]...]"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:329
+msgid ""
+"The packet is not tracked at all, which happens if you explicitly untrack it "
+"by using -j CT --notrack in the raw table."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:873 original/man8/iptables.8:813
+#. type: TP
+#: original/man8/iptables-extensions.8:329
#, no-wrap
-msgid "helper"
+msgid "B<SNAT>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:875 original/man8/iptables.8:815
-msgid "This module matches packets related to a specific conntrack-helper."
+#: original/man8/iptables-extensions.8:333
+msgid ""
+"A virtual state, matching if the original source address differs from the "
+"reply destination."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:875 original/man8/iptables.8:815
+#: original/man8/iptables-extensions.8:333
#, no-wrap
-msgid "[B<!>] B<--helper> I<string>"
+msgid "B<DNAT>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:878 original/man8/iptables.8:818
-msgid "Matches packets related to the specified conntrack-helper."
+#: original/man8/iptables-extensions.8:337
+msgid ""
+"A virtual state, matching if the original destination differs from the reply "
+"source."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:882 original/man8/iptables.8:822
-msgid ""
-"string can be \"ftp\" for packets related to a ftp-session on default port. "
-"For other ports append -portnr to the value, ie. \"ftp-2121\"."
+#: original/man8/iptables-extensions.8:339
+msgid "Statuses for B<--ctstatus>:"
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:339
+#, no-wrap
+msgid "B<NONE>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:884 original/man8/iptables.8:824
-msgid "Same rules apply for other conntrack-helpers."
+#: original/man8/iptables-extensions.8:342
+msgid "None of the below."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:885
+#. type: TP
+#: original/man8/iptables-extensions.8:342
#, no-wrap
-msgid "hl"
+msgid "B<EXPECTED>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:887
-msgid "This module matches the Hop Limit field in the IPv6 header."
+#: original/man8/iptables-extensions.8:345
+msgid "This is an expected connection (i.e. a conntrack helper set it up)."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:887
+#: original/man8/iptables-extensions.8:345
#, no-wrap
-msgid "[B<!>] B<--hl-eq> I<value>"
+msgid "B<SEEN_REPLY>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:890
-msgid "Matches if Hop Limit equals I<value>."
+#: original/man8/iptables-extensions.8:348
+msgid "Conntrack has seen packets in both directions."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:890
+#: original/man8/iptables-extensions.8:348
#, no-wrap
-msgid "B<--hl-lt> I<value>"
+msgid "B<ASSURED>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:893
-msgid "Matches if Hop Limit is less than I<value>."
+#: original/man8/iptables-extensions.8:351
+msgid "Conntrack entry should never be early-expired."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:893
+#: original/man8/iptables-extensions.8:351
#, no-wrap
-msgid "B<--hl-gt> I<value>"
+msgid "B<CONFIRMED>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:896
-msgid "Matches if Hop Limit is greater than I<value>."
+#: original/man8/iptables-extensions.8:354
+msgid "Connection is confirmed: originating packet has left box."
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:896
+#: original/man8/iptables-extensions.8:354
+#, no-wrap
+msgid "cpu"
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:355
#, no-wrap
-msgid "icmp6"
+msgid "[B<!>] B<--cpu> I<number>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:899
+#: original/man8/iptables-extensions.8:360
msgid ""
-"This extension can be used if `--protocol ipv6-icmp' or `--protocol icmpv6' "
-"is specified. It provides the following option:"
+"Match cpu handling this packet. cpus are numbered from 0 to NR_CPUS-1 Can be "
+"used in combination with RPS (Remote Packet Steering) or multiqueue NICs to "
+"spread network traffic on different queues."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:899
-#, no-wrap
-msgid "[B<!>] B<--icmpv6-type> I<type>[B</>I<code>]|I<typename>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:365
+msgid ""
+"iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 0 -j REDIRECT "
+"--to-port 8080"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:908
+#: original/man8/iptables-extensions.8:368
msgid ""
-"This allows specification of the ICMPv6 type, which can be a numeric ICMPv6 "
-"I<type>, I<type> and I<code>, or one of the ICMPv6 type names shown by the "
-"command"
+"iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 1 -j REDIRECT "
+"--to-port 8081"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:910
-#, no-wrap
-msgid " ip6tables -p ipv6-icmp -h\n"
+#: original/man8/iptables-extensions.8:370
+msgid "Available since Linux 2.6.36."
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:911 original/man8/iptables.8:835
+#: original/man8/iptables-extensions.8:370
#, no-wrap
-msgid "iprange"
+msgid "dccp"
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:913 original/man8/iptables.8:837
-msgid "This matches on a given arbitrary range of IP addresses."
+#. type: TP
+#: original/man8/iptables-extensions.8:371 original/man8/iptables-extensions.8:1230 original/man8/iptables-extensions.8:1354 original/man8/iptables-extensions.8:1657
+#, no-wrap
+msgid "[B<!>] B<--source-port>,B<--sport> I<port>[B<:>I<port>]"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:913 original/man8/iptables.8:837
+#: original/man8/iptables-extensions.8:373 original/man8/iptables-extensions.8:1232 original/man8/iptables-extensions.8:1365 original/man8/iptables-extensions.8:1663
#, no-wrap
-msgid "[B<!>] B<--src-range> I<from>[B<->I<to>]"
+msgid "[B<!>] B<--destination-port>,B<--dport> I<port>[B<:>I<port>]"
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:375
+#, no-wrap
+msgid "[B<!>] B<--dccp-types> I<mask>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:916 original/man8/iptables.8:840
-msgid "Match source IP in the specified range."
+#: original/man8/iptables-extensions.8:380
+msgid ""
+"Match when the DCCP packet type is one of 'mask'. 'mask' is a "
+"comma-separated list of packet types. Packet types are: B<REQUEST RESPONSE "
+"DATA ACK DATAACK CLOSEREQ CLOSE RESET SYNC SYNCACK INVALID>."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:916 original/man8/iptables.8:840
+#: original/man8/iptables-extensions.8:380
#, no-wrap
-msgid "[B<!>] B<--dst-range> I<from>[B<->I<to>]"
+msgid "[B<!>] B<--dccp-option> I<number>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:919 original/man8/iptables.8:843
-msgid "Match destination IP in the specified range."
+#: original/man8/iptables-extensions.8:383
+msgid "Match if DCCP option set."
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:919
+#: original/man8/iptables-extensions.8:383
#, no-wrap
-msgid "ipv6header"
+msgid "devgroup"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:921
-msgid "This module matches IPv6 extension headers and/or upper layer header."
+#: original/man8/iptables-extensions.8:385
+msgid "Match device group of a packets incoming/outgoing interface."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:921
+#: original/man8/iptables-extensions.8:385
#, no-wrap
-msgid "B<--soft>"
+msgid "[B<!>] B<--src-group> I<name>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:925
-msgid ""
-"Matches if the packet includes B<any> of the headers specified with "
-"B<--header>."
+#: original/man8/iptables-extensions.8:388
+msgid "Match device group of incoming device"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:925
+#: original/man8/iptables-extensions.8:388
#, no-wrap
-msgid "[B<!>] B<--header> I<header>[B<,>I<header>...]"
+msgid "[B<!>] B<--dst-group> I<name>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:930
-msgid ""
-"Matches the packet which EXACTLY includes all specified headers. The headers "
-"encapsulated with ESP header are out of scope. Possible I<header> types can "
-"be:"
+#: original/man8/iptables-extensions.8:391
+msgid "Match device group of outgoing device"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:930
+#. type: SS
+#: original/man8/iptables-extensions.8:391
#, no-wrap
-msgid "B<hop>|B<hop-by-hop>"
+msgid "dscp"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:933
-msgid "Hop-by-Hop Options header"
+#: original/man8/iptables-extensions.8:394
+msgid ""
+"This module matches the 6 bit DSCP field within the TOS field in the IP "
+"header. DSCP has superseded TOS within the IETF."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:933
+#: original/man8/iptables-extensions.8:394
#, no-wrap
-msgid "B<dst>"
+msgid "[B<!>] B<--dscp> I<value>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:936
-msgid "Destination Options header"
+#: original/man8/iptables-extensions.8:397
+msgid "Match against a numeric (decimal or hex) value [0-63]."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:936
+#: original/man8/iptables-extensions.8:397
#, no-wrap
-msgid "B<route>"
+msgid "[B<!>] B<--dscp-class> I<class>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:939
-msgid "Routing header"
+#: original/man8/iptables-extensions.8:402
+msgid ""
+"Match the DiffServ class. This value may be any of the BE, EF, AFxx or CSx "
+"classes. It will then be converted into its according numeric value."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:939
+#. type: SS
+#: original/man8/iptables-extensions.8:402
#, no-wrap
-msgid "B<frag>"
+msgid "dst (IPv6-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:942
-msgid "Fragment header"
+#: original/man8/iptables-extensions.8:404
+msgid "This module matches the parameters in Destination Options header"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:942
+#: original/man8/iptables-extensions.8:404
#, no-wrap
-msgid "B<auth>"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:945
-msgid "Authentication header"
+msgid "[B<!>] B<--dst-len> I<length>"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:945
+#: original/man8/iptables-extensions.8:407
#, no-wrap
-msgid "B<esp>"
+msgid "B<--dst-opts> I<type>[B<:>I<length>][B<,>I<type>[B<:>I<length>]...]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:948
-msgid "Encapsulating Security Payload header"
+#: original/man8/iptables-extensions.8:410 original/man8/iptables-extensions.8:543
+msgid "numeric type of option and the length of the option data in octets."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:948
+#. type: SS
+#: original/man8/iptables-extensions.8:410
#, no-wrap
-msgid "B<none>"
+msgid "ecn"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:952
+#: original/man8/iptables-extensions.8:412
msgid ""
-"No Next header which matches 59 in the 'Next Header field' of IPv6 header or "
-"any IPv6 extension headers"
+"This allows you to match the ECN bits of the IPv4/IPv6 and TCP header. ECN "
+"is the Explicit Congestion Notification mechanism as specified in RFC3168"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:952
+#: original/man8/iptables-extensions.8:412
#, no-wrap
-msgid "B<proto>"
+msgid "[B<!>] B<--ecn-tcp-cwr>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:957
-msgid ""
-"which matches any upper layer protocol header. A protocol name from "
-"/etc/protocols and numeric value also allowed. The number 255 is equivalent "
-"to B<proto>."
+#: original/man8/iptables-extensions.8:415
+msgid "This matches if the TCP ECN CWR (Congestion Window Received) bit is set."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:957 original/man8/iptables.8:843
+#. type: TP
+#: original/man8/iptables-extensions.8:415
#, no-wrap
-msgid "ipvs"
+msgid "[B<!>] B<--ecn-tcp-ece>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:959 original/man8/iptables.8:845
-msgid "Match IPVS connection properties."
+#: original/man8/iptables-extensions.8:418
+msgid "This matches if the TCP ECN ECE (ECN Echo) bit is set."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:959 original/man8/iptables.8:845
+#: original/man8/iptables-extensions.8:418
#, no-wrap
-msgid "[B<!>] B<--ipvs>"
+msgid "[B<!>] B<--ecn-ip-ect> I<num>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:962 original/man8/iptables.8:848
-msgid "packet belongs to an IPVS connection"
+#: original/man8/iptables-extensions.8:422
+msgid ""
+"This matches a particular IPv4/IPv6 ECT (ECN-Capable Transport). You have to "
+"specify a number between `0' and `3'."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:962 original/man8/iptables.8:848
+#. type: SS
+#: original/man8/iptables-extensions.8:422
#, no-wrap
-msgid "Any of the following options implies --ipvs (even negated)"
+msgid "esp"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:964 original/man8/iptables.8:850
-#, no-wrap
-msgid "[B<!>] B<--vproto> I<protocol>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:424
+msgid "This module matches the SPIs in ESP header of IPsec packets."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:424
+#, no-wrap
+msgid "[B<!>] B<--espspi> I<spi>[B<:>I<spi>]"
+msgstr ""
+
+#. type: SS
+#: original/man8/iptables-extensions.8:426
+#, no-wrap
+msgid "eui64 (IPv6-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:967 original/man8/iptables.8:853
-msgid "VIP protocol to match; by number or name, e.g. \"tcp\""
+#: original/man8/iptables-extensions.8:437
+msgid ""
+"This module matches the EUI-64 part of a stateless autoconfigured IPv6 "
+"address. It compares the EUI-64 derived from the source MAC address in "
+"Ethernet frame with the lower 64 bits of the IPv6 source address. But "
+"\"Universal/Local\" bit is not compared. This module doesn't match other "
+"link layer frame, and is only valid in the B<PREROUTING>, B<INPUT> and "
+"B<FORWARD> chains."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:967 original/man8/iptables.8:853
+#. type: SS
+#: original/man8/iptables-extensions.8:437
#, no-wrap
-msgid "[B<!>] B<--vaddr> I<address>[B</>I<mask>]"
+msgid "frag (IPv6-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:970 original/man8/iptables.8:856
-msgid "VIP address to match"
+#: original/man8/iptables-extensions.8:439
+msgid "This module matches the parameters in Fragment header."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:970 original/man8/iptables.8:856
+#: original/man8/iptables-extensions.8:439
#, no-wrap
-msgid "[B<!>] B<--vport> I<port>"
+msgid "[B<!>] B<--fragid> I<id>[B<:>I<id>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:973 original/man8/iptables.8:859
-msgid "VIP port to match; by number or name, e.g. \"http\""
+#: original/man8/iptables-extensions.8:442
+msgid "Matches the given Identification or range of it."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:973 original/man8/iptables.8:859
+#: original/man8/iptables-extensions.8:442
#, no-wrap
-msgid "B<--vdir> {B<ORIGINAL>|B<REPLY>}"
+msgid "[B<!>] B<--fraglen> I<length>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:976 original/man8/iptables.8:862
-msgid "flow direction of packet"
+#: original/man8/iptables-extensions.8:446
+msgid ""
+"This option cannot be used with kernel version 2.6.10 or later. The length "
+"of Fragment header is static and this option doesn't make sense."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:976 original/man8/iptables.8:862
+#: original/man8/iptables-extensions.8:446
#, no-wrap
-msgid "[B<!>] B<--vmethod> {B<GATE>|B<IPIP>|B<MASQ>}"
+msgid "B<--fragres>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:979 original/man8/iptables.8:865
-msgid "IPVS forwarding method used"
+#: original/man8/iptables-extensions.8:449
+msgid "Matches if the reserved fields are filled with zero."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:979 original/man8/iptables.8:865
+#: original/man8/iptables-extensions.8:449
#, no-wrap
-msgid "[B<!>] B<--vportctl> I<port>"
+msgid "B<--fragfirst>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:982 original/man8/iptables.8:868
-msgid "VIP port of the controlling connection to match, e.g. 21 for FTP"
+#: original/man8/iptables-extensions.8:452
+msgid "Matches on the first fragment."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:982 original/man8/iptables.8:868
+#. type: TP
+#: original/man8/iptables-extensions.8:452
#, no-wrap
-msgid "length"
+msgid "B<--fragmore>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:986 original/man8/iptables.8:872
-msgid ""
-"This module matches the length of the layer-3 payload (e.g. layer-4 packet) "
-"of a packet against a specific value or range of values."
+#: original/man8/iptables-extensions.8:455
+msgid "Matches if there are more fragments."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:986 original/man8/iptables.8:872
+#: original/man8/iptables-extensions.8:455
#, no-wrap
-msgid "[B<!>] B<--length> I<length>[B<:>I<length>]"
+msgid "B<--fraglast>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:458
+msgid "Matches if this is the last fragment."
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:988 original/man8/iptables.8:874
+#: original/man8/iptables-extensions.8:458
#, no-wrap
-msgid "limit"
+msgid "hashlimit"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:994 original/man8/iptables.8:880
+#: original/man8/iptables-extensions.8:464
msgid ""
-"This module matches at a limited rate using a token bucket filter. A rule "
-"using this extension will match until this limit is reached. It can be used "
-"in combination with the B<LOG> target to give limited logging, for example."
+"B<hashlimit> uses hash buckets to express a rate limiting match (like the "
+"B<limit> match) for a group of connections using a B<single> iptables "
+"rule. Grouping can be done per-hostgroup (source and/or destination address) "
+"and/or per-port. It gives you the ability to express \"I<N> packets per time "
+"quantum per group\" or \"I<N> bytes per seconds\" (see below for some "
+"examples)."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:997 original/man8/iptables.8:883
+#: original/man8/iptables-extensions.8:467
msgid ""
-"xt_limit has no negation support - you will have to use -m hashlimit ! "
-"--hashlimit I<rate> in this case whilst omitting --hashlimit-mode."
+"A hash limit option (B<--hashlimit-upto>, B<--hashlimit-above>) and "
+"B<--hashlimit-name> are required."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:997 original/man8/iptables.8:883
+#: original/man8/iptables-extensions.8:467
#, no-wrap
-msgid "B<--limit> I<rate>[B</second>|B</minute>|B</hour>|B</day>]"
+msgid "B<--hashlimit-upto> I<amount>[B</second>|B</minute>|B</hour>|B</day>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1002 original/man8/iptables.8:888
+#: original/man8/iptables-extensions.8:472
msgid ""
-"Maximum average matching rate: specified as a number, with an optional "
-"`/second', `/minute', `/hour', or `/day' suffix; the default is 3/hour."
+"Match if the rate is below or equal to I<amount>/quantum. It is specified "
+"either as a number, with an optional time quantum suffix (the default is "
+"3/hour), or as I<amount>b/second (number of bytes per second)."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1002 original/man8/iptables.8:888
+#: original/man8/iptables-extensions.8:472
#, no-wrap
-msgid "B<--limit-burst> I<number>"
+msgid "B<--hashlimit-above> I<amount>[B</second>|B</minute>|B</hour>|B</day>]"
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:1007 original/man8/iptables.8:893
-#, no-wrap
-msgid "mac"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:475
+msgid "Match if the rate is above I<amount>/quantum."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1008 original/man8/iptables.8:894
+#: original/man8/iptables-extensions.8:475
#, no-wrap
-msgid "[B<!>] B<--mac-source> I<address>"
+msgid "B<--hashlimit-burst> I<amount>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1018 original/man8/iptables.8:904
+#: original/man8/iptables-extensions.8:482
msgid ""
-"Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note "
-"that this only makes sense for packets coming from an Ethernet device and "
-"entering the B<PREROUTING>, B<FORWARD> or B<INPUT> chains."
+"Maximum initial number of packets to match: this number gets recharged by "
+"one every time the limit specified above is not reached, up to this number; "
+"the default is 5. When byte-based rate matching is requested, this option "
+"specifies the amount of bytes that can exceed the given rate. This option "
+"should be used with caution -- if the entry expires, the burst value is "
+"reset too."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:1018 original/man8/iptables.8:904
+#. type: TP
+#: original/man8/iptables-extensions.8:482
#, no-wrap
-msgid "mark"
+msgid "B<--hashlimit-mode> {B<srcip>|B<srcport>|B<dstip>|B<dstport>}B<,>..."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1023 original/man8/iptables.8:909
+#: original/man8/iptables-extensions.8:487
msgid ""
-"This module matches the netfilter mark field associated with a packet (which "
-"can be set using the B<MARK> target below)."
+"A comma-separated list of objects to take into consideration. If no "
+"--hashlimit-mode option is given, hashlimit acts like limit, but at the "
+"expensive of doing the hash housekeeping."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:487
+#, no-wrap
+msgid "B<--hashlimit-srcmask> I<prefix>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1028 original/man8/iptables.8:914
+#: original/man8/iptables-extensions.8:494
msgid ""
-"Matches packets with the given unsigned mark value (if a I<mask> is "
-"specified, this is logically ANDed with the I<mask> before the comparison)."
+"When --hashlimit-mode srcip is used, all source addresses encountered will "
+"be grouped according to the given prefix length and the so-created subnet "
+"will be subject to hashlimit. I<prefix> must be between (inclusive) 0 and "
+"32. Note that --hashlimit-srcmask 0 is basically doing the same thing as not "
+"specifying srcip for --hashlimit-mode, but is technically more expensive."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:1028
+#. type: TP
+#: original/man8/iptables-extensions.8:494
#, no-wrap
-msgid "mh"
+msgid "B<--hashlimit-dstmask> I<prefix>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1031
-msgid ""
-"This extension is loaded if `--protocol ipv6-mh' or `--protocol mh' is "
-"specified. It provides the following option:"
+#: original/man8/iptables-extensions.8:497
+msgid "Like --hashlimit-srcmask, but for destination addresses."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1031
+#: original/man8/iptables-extensions.8:497
#, no-wrap
-msgid "[B<!>] B<--mh-type> I<type>[B<:>I<type>]"
+msgid "B<--hashlimit-name> I<foo>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1038
-msgid ""
-"This allows specification of the Mobility Header(MH) type, which can be a "
-"numeric MH I<type>, I<type> or one of the MH type names shown by the command"
+#: original/man8/iptables-extensions.8:500
+msgid "The name for the /proc/net/ipt_hashlimit/foo entry."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1040
+#. type: TP
+#: original/man8/iptables-extensions.8:500
#, no-wrap
-msgid " ip6tables -p ipv6-mh -h\n"
+msgid "B<--hashlimit-htable-size> I<buckets>"
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:1041 original/man8/iptables.8:914
+#. type: Plain text
+#: original/man8/iptables-extensions.8:503
+msgid "The number of buckets of the hash table"
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:503
#, no-wrap
-msgid "multiport"
+msgid "B<--hashlimit-htable-max> I<entries>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1048 original/man8/iptables.8:921
-msgid ""
-"This module matches a set of source or destination ports. Up to 15 ports "
-"can be specified. A port range (port:port) counts as two ports. It can "
-"only be used in conjunction with B<-p tcp> or B<-p udp>."
+#: original/man8/iptables-extensions.8:506
+msgid "Maximum entries in the hash."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1048 original/man8/iptables.8:921
+#: original/man8/iptables-extensions.8:506
#, no-wrap
-msgid ""
-"[B<!>] B<--source-ports>,B<--sports> "
-"I<port>[B<,>I<port>|B<,>I<port>B<:>I<port>]..."
+msgid "B<--hashlimit-htable-expire> I<msec>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1056 original/man8/iptables.8:929
-msgid ""
-"Match if the source port is one of the given ports. The flag B<--sports> is "
-"a convenient alias for this option. Multiple ports or port ranges are "
-"separated using a comma, and a port range is specified using a colon. "
-"B<53,1024:65535> would therefore match ports 53 and all from 1024 through "
-"65535."
+#: original/man8/iptables-extensions.8:509
+msgid "After how many milliseconds do hash entries expire."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1056 original/man8/iptables.8:929
+#: original/man8/iptables-extensions.8:509
#, no-wrap
-msgid ""
-"[B<!>] B<--destination-ports>,B<--dports> "
-"I<port>[B<,>I<port>|B<,>I<port>B<:>I<port>]..."
+msgid "B<--hashlimit-htable-gcinterval> I<msec>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1061 original/man8/iptables.8:934
-msgid ""
-"Match if the destination port is one of the given ports. The flag "
-"B<--dports> is a convenient alias for this option."
+#: original/man8/iptables-extensions.8:512
+msgid "How many milliseconds between garbage collection intervals."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1061 original/man8/iptables.8:934
+#: original/man8/iptables-extensions.8:514
#, no-wrap
-msgid "[B<!>] B<--ports> I<port>[B<,>I<port>|B<,>I<port>B<:>I<port>]..."
+msgid "matching on source host"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1065 original/man8/iptables.8:938
+#: original/man8/iptables-extensions.8:518
msgid ""
-"Match if either the source or destination ports are equal to one of the "
-"given ports."
+"\"1000 packets per second for every host in 192.168.0.0/16\" =E<gt> -s "
+"192.168.0.0/16 --hashlimit-mode srcip --hashlimit-upto 1000/sec"
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:1065 original/man8/iptables.8:938
+#. type: TP
+#: original/man8/iptables-extensions.8:518
#, no-wrap
-msgid "nfacct"
+msgid "matching on source port"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1069 original/man8/iptables.8:942
+#: original/man8/iptables-extensions.8:522
msgid ""
-"The nfacct match provides the extended accounting infrastructure for "
-"iptables. You have to use this match together with the standalone "
-"user-space utility B<nfacct(8)>"
+"\"100 packets per second for every service of 192.168.1.1\" =E<gt> -s "
+"192.168.1.1 --hashlimit-mode srcport --hashlimit-upto 100/sec"
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:522
+#, no-wrap
+msgid "matching on subnet"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1071 original/man8/iptables.8:944
-msgid "The only option available for this match is the following:"
+#: original/man8/iptables-extensions.8:527
+msgid ""
+"\"10000 packets per minute for every /28 subnet (groups of 8 addresses) in "
+"10.0.0.0/8\" =E<gt> -s 10.0.0.8 --hashlimit-mask 28 --hashlimit-upto "
+"10000/min"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1071 original/man8/iptables.8:944
+#: original/man8/iptables-extensions.8:527 original/man8/iptables-extensions.8:531
#, no-wrap
-msgid "B<--nfacct-name> I<name>"
+msgid "matching bytes per second"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1075 original/man8/iptables.8:948
+#: original/man8/iptables-extensions.8:531
msgid ""
-"This allows you to specify the existing object name that will be use for "
-"accounting the traffic that this rule-set is matching."
+"\"flows exceeding 512kbyte/s\" =E<gt> --hashlimit-mode "
+"srcip,dstip,srcport,dstport --hashlimit-above 512kb/s"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1077 original/man8/iptables.8:950
-msgid "To use this extension, you have to create an accounting object:"
+#: original/man8/iptables-extensions.8:535
+msgid ""
+"\"hosts that exceed 512kbyte/s, but permit up to 1Megabytes without "
+"matching\" --hashlimit-mode dstip --hashlimit-above 512kb/s "
+"--hashlimit-burst 1mb"
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1079 original/man8/iptables.8:952
-msgid "nfacct add http-traffic"
+#. type: SS
+#: original/man8/iptables-extensions.8:535
+#, no-wrap
+msgid "hbh (IPv6-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1081 original/man8/iptables.8:954
-msgid "Then, you have to attach it to the accounting object via iptables:"
+#: original/man8/iptables-extensions.8:537
+msgid "This module matches the parameters in Hop-by-Hop Options header"
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1083 original/man8/iptables.8:956
-msgid "iptables -I INPUT -p tcp --sport 80 -m nfacct --nfacct-name http-traffic"
+#. type: TP
+#: original/man8/iptables-extensions.8:537
+#, no-wrap
+msgid "[B<!>] B<--hbh-len> I<length>"
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1085 original/man8/iptables.8:958
-msgid "iptables -I OUTPUT -p tcp --dport 80 -m nfacct --nfacct-name http-traffic"
+#. type: TP
+#: original/man8/iptables-extensions.8:540
+#, no-wrap
+msgid "B<--hbh-opts> I<type>[B<:>I<length>][B<,>I<type>[B<:>I<length>]...]"
+msgstr ""
+
+#. type: SS
+#: original/man8/iptables-extensions.8:543
+#, no-wrap
+msgid "helper"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1087 original/man8/iptables.8:960
-msgid "Then, you can check for the amount of traffic that the rules match:"
+#: original/man8/iptables-extensions.8:545
+msgid "This module matches packets related to a specific conntrack-helper."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:545
+#, no-wrap
+msgid "[B<!>] B<--helper> I<string>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1089 original/man8/iptables.8:962
-msgid "nfacct get http-traffic"
+#: original/man8/iptables-extensions.8:548
+msgid "Matches packets related to the specified conntrack-helper."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1091 original/man8/iptables.8:964
+#: original/man8/iptables-extensions.8:552
msgid ""
-"{ pkts = 00000000000000000156, bytes = 00000000000000151786 } = "
-"http-traffic;"
+"string can be \"ftp\" for packets related to a ftp-session on default port. "
+"For other ports append -portnr to the value, ie. \"ftp-2121\"."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1096 original/man8/iptables.8:969
-msgid ""
-"You can obtain B<nfacct(8)> from http://www.netfilter.org or, alternatively, "
-"from the git.netfilter.org repository."
+#: original/man8/iptables-extensions.8:554
+msgid "Same rules apply for other conntrack-helpers."
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:1096 original/man8/iptables.8:1015
+#: original/man8/iptables-extensions.8:555
#, no-wrap
-msgid "owner"
+msgid "hl (IPv6-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1101 original/man8/iptables.8:1020
-msgid ""
-"This module attempts to match various characteristics of the packet creator, "
-"for locally generated packets. This match is only valid in the OUTPUT and "
-"POSTROUTING chains. Forwarded packets do not have any socket associated with "
-"them. Packets from kernel threads do have a socket, but usually no owner."
+#: original/man8/iptables-extensions.8:557
+msgid "This module matches the Hop Limit field in the IPv6 header."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1101 original/man8/iptables.8:1020
+#: original/man8/iptables-extensions.8:557
#, no-wrap
-msgid "[B<!>] B<--uid-owner> I<username>"
+msgid "[B<!>] B<--hl-eq> I<value>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:560
+msgid "Matches if Hop Limit equals I<value>."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1103 original/man8/iptables.8:1022
+#: original/man8/iptables-extensions.8:560
#, no-wrap
-msgid "[B<!>] B<--uid-owner> I<userid>[B<->I<userid>]"
+msgid "B<--hl-lt> I<value>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1107 original/man8/iptables.8:1026
-msgid ""
-"Matches if the packet socket's file structure (if it has one) is owned by "
-"the given user. You may also specify a numerical UID, or an UID range."
+#: original/man8/iptables-extensions.8:563
+msgid "Matches if Hop Limit is less than I<value>."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1107 original/man8/iptables.8:1026
+#: original/man8/iptables-extensions.8:563
#, no-wrap
-msgid "[B<!>] B<--gid-owner> I<groupname>"
+msgid "B<--hl-gt> I<value>"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1109 original/man8/iptables.8:1028
+#. type: Plain text
+#: original/man8/iptables-extensions.8:566
+msgid "Matches if Hop Limit is greater than I<value>."
+msgstr ""
+
+#. type: SS
+#: original/man8/iptables-extensions.8:566
#, no-wrap
-msgid "[B<!>] B<--gid-owner> I<groupid>[B<->I<groupid>]"
+msgid "icmp (IPv4-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1113 original/man8/iptables.8:1032
+#: original/man8/iptables-extensions.8:569
msgid ""
-"Matches if the packet socket's file structure is owned by the given group. "
-"You may also specify a numerical GID, or a GID range."
+"This extension can be used if `--protocol icmp' is specified. It provides "
+"the following option:"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1113 original/man8/iptables.8:1032
+#: original/man8/iptables-extensions.8:569
#, no-wrap
-msgid "[B<!>] B<--socket-exists>"
+msgid "[B<!>] B<--icmp-type> {I<type>[B</>I<code>]|I<typename>}"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1116 original/man8/iptables.8:1035
-msgid "Matches if the packet is associated with a socket."
-msgstr ""
-
-#. type: SS
-#: original/man8/ip6tables.8:1116 original/man8/iptables.8:1035
-#, no-wrap
-msgid "physdev"
+#: original/man8/iptables-extensions.8:573
+msgid ""
+"This allows specification of the ICMP type, which can be a numeric ICMP "
+"type, type/code pair, or one of the ICMP type names shown by the command"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1121 original/man8/iptables.8:1040
-msgid ""
-"This module matches on the bridge port input and output devices enslaved to "
-"a bridge device. This module is a part of the infrastructure that enables a "
-"transparent bridging IP firewall and is only useful for kernel versions "
-"above version 2.5.44."
+#: original/man8/iptables-extensions.8:575
+#, no-wrap
+msgid " iptables -p icmp -h\n"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1121 original/man8/iptables.8:1040
+#. type: SS
+#: original/man8/iptables-extensions.8:576
#, no-wrap
-msgid "[B<!>] B<--physdev-in> I<name>"
+msgid "icmp6 (IPv6-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1132 original/man8/iptables.8:1051
+#: original/man8/iptables-extensions.8:579
msgid ""
-"Name of a bridge port via which a packet is received (only for packets "
-"entering the B<INPUT>, B<FORWARD> and B<PREROUTING> chains). If the "
-"interface name ends in a \"+\", then any interface which begins with this "
-"name will match. If the packet didn't arrive through a bridge device, this "
-"packet won't match this option, unless '!' is used."
+"This extension can be used if `--protocol ipv6-icmp' or `--protocol icmpv6' "
+"is specified. It provides the following option:"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1132 original/man8/iptables.8:1051
+#: original/man8/iptables-extensions.8:579
#, no-wrap
-msgid "[B<!>] B<--physdev-out> I<name>"
+msgid "[B<!>] B<--icmpv6-type> I<type>[B</>I<code>]|I<typename>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1149 original/man8/iptables.8:1068
+#: original/man8/iptables-extensions.8:588
msgid ""
-"Name of a bridge port via which a packet is going to be sent (for packets "
-"entering the B<FORWARD>, B<OUTPUT> and B<POSTROUTING> chains). If the "
-"interface name ends in a \"+\", then any interface which begins with this "
-"name will match. Note that in the B<nat> and B<mangle> B<OUTPUT> chains one "
-"cannot match on the bridge output port, however one can in the B<filter "
-"OUTPUT> chain. If the packet won't leave by a bridge device or if it is yet "
-"unknown what the output device will be, then the packet won't match this "
-"option, unless '!' is used."
-msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:1149 original/man8/iptables.8:1068
-#, no-wrap
-msgid "[B<!>] B<--physdev-is-in>"
+"This allows specification of the ICMPv6 type, which can be a numeric ICMPv6 "
+"I<type>, I<type> and I<code>, or one of the ICMPv6 type names shown by the "
+"command"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1152 original/man8/iptables.8:1071
-msgid "Matches if the packet has entered through a bridge interface."
+#: original/man8/iptables-extensions.8:590
+#, no-wrap
+msgid " ip6tables -p ipv6-icmp -h\n"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1152 original/man8/iptables.8:1071
+#. type: SS
+#: original/man8/iptables-extensions.8:591
#, no-wrap
-msgid "[B<!>] B<--physdev-is-out>"
+msgid "iprange"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1155 original/man8/iptables.8:1074
-msgid "Matches if the packet will leave through a bridge interface."
+#: original/man8/iptables-extensions.8:593
+msgid "This matches on a given arbitrary range of IP addresses."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1155 original/man8/iptables.8:1074
+#: original/man8/iptables-extensions.8:593
#, no-wrap
-msgid "[B<!>] B<--physdev-is-bridged>"
+msgid "[B<!>] B<--src-range> I<from>[B<->I<to>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1159 original/man8/iptables.8:1078
-msgid ""
-"Matches if the packet is being bridged and therefore is not being routed. "
-"This is only useful in the FORWARD and POSTROUTING chains."
+#: original/man8/iptables-extensions.8:596
+msgid "Match source IP in the specified range."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:1159 original/man8/iptables.8:1078
+#. type: TP
+#: original/man8/iptables-extensions.8:596
#, no-wrap
-msgid "pkttype"
+msgid "[B<!>] B<--dst-range> I<from>[B<->I<to>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1161 original/man8/iptables.8:1080
-msgid "This module matches the link-layer packet type."
-msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:1161 original/man8/iptables.8:1080
-#, no-wrap
-msgid "[B<!>] B<--pkt-type> {B<unicast>|B<broadcast>|B<multicast>}"
+#: original/man8/iptables-extensions.8:599
+msgid "Match destination IP in the specified range."
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:1163 original/man8/iptables.8:1082
+#: original/man8/iptables-extensions.8:599
#, no-wrap
-msgid "policy"
+msgid "ipv6header (IPv6-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1165 original/man8/iptables.8:1084
-msgid "This modules matches the policy used by IPsec for handling a packet."
+#: original/man8/iptables-extensions.8:601
+msgid "This module matches IPv6 extension headers and/or upper layer header."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1165 original/man8/iptables.8:1084
+#: original/man8/iptables-extensions.8:601
#, no-wrap
-msgid "B<--dir> {B<in>|B<out>}"
+msgid "B<--soft>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1177 original/man8/iptables.8:1096
+#: original/man8/iptables-extensions.8:605
msgid ""
-"Used to select whether to match the policy used for decapsulation or the "
-"policy that will be used for encapsulation. B<in> is valid in the "
-"B<PREROUTING, INPUT and FORWARD> chains, B<out> is valid in the "
-"B<POSTROUTING, OUTPUT and FORWARD> chains."
+"Matches if the packet includes B<any> of the headers specified with "
+"B<--header>."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1177 original/man8/iptables.8:1096
+#: original/man8/iptables-extensions.8:605
#, no-wrap
-msgid "B<--pol> {B<none>|B<ipsec>}"
+msgid "[B<!>] B<--header> I<header>[B<,>I<header>...]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1181 original/man8/iptables.8:1100
+#: original/man8/iptables-extensions.8:610
msgid ""
-"Matches if the packet is subject to IPsec processing. B<--pol none> cannot "
-"be combined with B<--strict>."
+"Matches the packet which EXACTLY includes all specified headers. The headers "
+"encapsulated with ESP header are out of scope. Possible I<header> types can "
+"be:"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1181 original/man8/iptables.8:1100
+#: original/man8/iptables-extensions.8:610
#, no-wrap
-msgid "B<--strict>"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:1185 original/man8/iptables.8:1104
-msgid ""
-"Selects whether to match the exact policy or match if any rule of the policy "
-"matches the given policy."
+msgid "B<hop>|B<hop-by-hop>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1189 original/man8/iptables.8:1108
-msgid ""
-"For each policy element that is to be described, one can use one or more of "
-"the following options. When B<--strict> is in effect, at least one must be "
-"used per element."
+#: original/man8/iptables-extensions.8:613
+msgid "Hop-by-Hop Options header"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1189 original/man8/iptables.8:1108
+#: original/man8/iptables-extensions.8:613
#, no-wrap
-msgid "[B<!>] B<--reqid> I<id>"
+msgid "B<dst>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1196 original/man8/iptables.8:1115
-msgid ""
-"Matches the reqid of the policy rule. The reqid can be specified with "
-"B<setkey(8)> using B<unique:id> as level."
+#: original/man8/iptables-extensions.8:616
+msgid "Destination Options header"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1196 original/man8/iptables.8:1115
+#: original/man8/iptables-extensions.8:616
#, no-wrap
-msgid "[B<!>] B<--spi> I<spi>"
+msgid "B<route>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1199 original/man8/iptables.8:1118
-msgid "Matches the SPI of the SA."
+#: original/man8/iptables-extensions.8:619
+msgid "Routing header"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1199 original/man8/iptables.8:1118
+#: original/man8/iptables-extensions.8:619
#, no-wrap
-msgid "[B<!>] B<--proto> {B<ah>|B<esp>|B<ipcomp>}"
+msgid "B<frag>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1202 original/man8/iptables.8:1121
-msgid "Matches the encapsulation protocol."
+#: original/man8/iptables-extensions.8:622
+msgid "Fragment header"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1202 original/man8/iptables.8:1121
+#: original/man8/iptables-extensions.8:622
#, no-wrap
-msgid "[B<!>] B<--mode> {B<tunnel>|B<transport>}"
+msgid "B<auth>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1205 original/man8/iptables.8:1124
-msgid "Matches the encapsulation mode."
+#: original/man8/iptables-extensions.8:625
+msgid "Authentication header"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1205 original/man8/iptables.8:1124
+#: original/man8/iptables-extensions.8:625
#, no-wrap
-msgid "[B<!>] B<--tunnel-src> I<addr>[B</>I<mask>]"
+msgid "B<esp>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1209 original/man8/iptables.8:1128
-msgid ""
-"Matches the source end-point address of a tunnel mode SA. Only valid with "
-"B<--mode tunnel>."
+#: original/man8/iptables-extensions.8:628
+msgid "Encapsulating Security Payload header"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1209 original/man8/iptables.8:1128
+#: original/man8/iptables-extensions.8:628
#, no-wrap
-msgid "[B<!>] B<--tunnel-dst> I<addr>[B</>I<mask>]"
+msgid "B<none>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1213 original/man8/iptables.8:1132
+#: original/man8/iptables-extensions.8:632
msgid ""
-"Matches the destination end-point address of a tunnel mode SA. Only valid "
-"with B<--mode tunnel>."
+"No Next header which matches 59 in the 'Next Header field' of IPv6 header or "
+"any IPv6 extension headers"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1213 original/man8/iptables.8:1132
+#: original/man8/iptables-extensions.8:632
#, no-wrap
-msgid "B<--next>"
+msgid "B<proto>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1217 original/man8/iptables.8:1136
+#: original/man8/iptables-extensions.8:637
msgid ""
-"Start the next element in the policy specification. Can only be used with "
-"B<--strict>."
+"which matches any upper layer protocol header. A protocol name from "
+"/etc/protocols and numeric value also allowed. The number 255 is equivalent "
+"to B<proto>."
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:1217 original/man8/iptables.8:1136
+#: original/man8/iptables-extensions.8:637
#, no-wrap
-msgid "quota"
+msgid "ipvs"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1222 original/man8/iptables.8:1141
-msgid ""
-"Implements network quotas by decrementing a byte counter with each "
-"packet. The condition matches until the byte counter reaches zero. Behavior "
-"is reversed with negation (i.e. the condition does not match until the byte "
-"counter reaches zero)."
+#: original/man8/iptables-extensions.8:639
+msgid "Match IPVS connection properties."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1222 original/man8/iptables.8:1141
+#: original/man8/iptables-extensions.8:639
#, no-wrap
-msgid "[B<!>] B<--quota> I<bytes>"
+msgid "[B<!>] B<--ipvs>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1225 original/man8/iptables.8:1144
-msgid "The quota in bytes."
+#: original/man8/iptables-extensions.8:642
+msgid "packet belongs to an IPVS connection"
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:1225 original/man8/iptables.8:1144
+#. type: TP
+#: original/man8/iptables-extensions.8:642
#, no-wrap
-msgid "rateest"
+msgid "Any of the following options implies --ipvs (even negated)"
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1229 original/man8/iptables.8:1148
-msgid ""
-"The rate estimator can match on estimated rates as collected by the RATEEST "
-"target. It supports matching on absolute bps/pps values, comparing two rate "
-"estimators and matching on the difference between two rate estimators."
+#. type: TP
+#: original/man8/iptables-extensions.8:644
+#, no-wrap
+msgid "[B<!>] B<--vproto> I<protocol>"
msgstr ""
-#. * Absolute:
#. type: Plain text
-#: original/man8/ip6tables.8:1233 original/man8/iptables.8:1152
-msgid ""
-"For a better understanding of the available options, these are all possible "
-"combinations:"
+#: original/man8/iptables-extensions.8:647
+msgid "VIP protocol to match; by number or name, e.g. \"tcp\""
msgstr ""
-#. type: IP
-#: original/man8/ip6tables.8:1233 original/man8/ip6tables.8:1235 original/man8/ip6tables.8:1238 original/man8/ip6tables.8:1240 original/man8/ip6tables.8:1243 original/man8/ip6tables.8:1245 original/man8/ip6tables.8:1248 original/man8/ip6tables.8:1251 original/man8/iptables.8:980 original/man8/iptables.8:983 original/man8/iptables.8:986 original/man8/iptables.8:992 original/man8/iptables.8:994 original/man8/iptables.8:996 original/man8/iptables.8:1152 original/man8/iptables.8:1154 original/man8/iptables.8:1157 original/man8/iptables.8:1159 original/man8/iptables.8:1162 original/man8/iptables.8:1164 original/man8/iptables.8:1167 original/man8/iptables.8:1170
+#. type: TP
+#: original/man8/iptables-extensions.8:647
#, no-wrap
-msgid "\\(bu"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:1235 original/man8/iptables.8:1154
-msgid "B<rateest> I<operator> B<rateest-bps>"
+msgid "[B<!>] B<--vaddr> I<address>[B</>I<mask>]"
msgstr ""
-#. * Absolute + Delta:
#. type: Plain text
-#: original/man8/ip6tables.8:1238 original/man8/iptables.8:1157
-msgid "B<rateest> I<operator> B<rateest-pps>"
+#: original/man8/iptables-extensions.8:650
+msgid "VIP address to match"
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1240 original/man8/iptables.8:1159
-msgid "(B<rateest> minus B<rateest-bps1>) I<operator> B<rateest-bps2>"
+#. type: TP
+#: original/man8/iptables-extensions.8:650
+#, no-wrap
+msgid "[B<!>] B<--vport> I<port>"
msgstr ""
-#. * Relative:
#. type: Plain text
-#: original/man8/ip6tables.8:1243 original/man8/iptables.8:1162
-msgid "(B<rateest> minus B<rateest-pps1>) I<operator> B<rateest-pps2>"
+#: original/man8/iptables-extensions.8:653
+msgid "VIP port to match; by number or name, e.g. \"http\""
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1245 original/man8/iptables.8:1164
-msgid "B<rateest1> I<operator> B<rateest2> B<rateest-bps>(without rate!)"
+#. type: TP
+#: original/man8/iptables-extensions.8:653
+#, no-wrap
+msgid "B<--vdir> {B<ORIGINAL>|B<REPLY>}"
msgstr ""
-#. * Relative + Delta:
#. type: Plain text
-#: original/man8/ip6tables.8:1248 original/man8/iptables.8:1167
-msgid "B<rateest1> I<operator> B<rateest2> B<rateest-pps>(without rate!)"
+#: original/man8/iptables-extensions.8:656
+msgid "flow direction of packet"
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1251 original/man8/iptables.8:1170
-msgid ""
-"(B<rateest1> minus B<rateest-bps1>) I<operator> (B<rateest2> minus "
-"B<rateest-bps2>)"
+#. type: TP
+#: original/man8/iptables-extensions.8:656
+#, no-wrap
+msgid "[B<!>] B<--vmethod> {B<GATE>|B<IPIP>|B<MASQ>}"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1254 original/man8/iptables.8:1173
-msgid ""
-"(B<rateest1> minus B<rateest-pps1>) I<operator> (B<rateest2> minus "
-"B<rateest-pps2>)"
+#: original/man8/iptables-extensions.8:659
+msgid "IPVS forwarding method used"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1254 original/man8/iptables.8:1173
+#: original/man8/iptables-extensions.8:659
#, no-wrap
-msgid "B<--rateest-delta>"
+msgid "[B<!>] B<--vportctl> I<port>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1261 original/man8/iptables.8:1180
-msgid ""
-"For each estimator (either absolute or relative mode), calculate the "
-"difference between the estimator-determined flow rate and the static value "
-"chosen with the BPS/PPS options. If the flow rate is higher than the "
-"specified BPS/PPS, 0 will be used instead of a negative value. In other "
-"words, \"max(0, rateest#_rate - rateest#_bps)\" is used."
+#: original/man8/iptables-extensions.8:662
+msgid "VIP port of the controlling connection to match, e.g. 21 for FTP"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1261 original/man8/iptables.8:1180
+#. type: SS
+#: original/man8/iptables-extensions.8:662
#, no-wrap
-msgid "[B<!>] B<--rateest-lt>"
+msgid "length"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1264 original/man8/iptables.8:1183
-msgid "Match if rate is less than given rate/estimator."
+#: original/man8/iptables-extensions.8:666
+msgid ""
+"This module matches the length of the layer-3 payload (e.g. layer-4 packet) "
+"of a packet against a specific value or range of values."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1264 original/man8/iptables.8:1183
+#: original/man8/iptables-extensions.8:666
#, no-wrap
-msgid "[B<!>] B<--rateest-gt>"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:1267 original/man8/iptables.8:1186
-msgid "Match if rate is greater than given rate/estimator."
+msgid "[B<!>] B<--length> I<length>[B<:>I<length>]"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1267 original/man8/iptables.8:1186
+#. type: SS
+#: original/man8/iptables-extensions.8:668
#, no-wrap
-msgid "[B<!>] B<--rateest-eq>"
+msgid "limit"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1270 original/man8/iptables.8:1189
-msgid "Match if rate is equal to given rate/estimator."
+#: original/man8/iptables-extensions.8:674
+msgid ""
+"This module matches at a limited rate using a token bucket filter. A rule "
+"using this extension will match until this limit is reached. It can be used "
+"in combination with the B<LOG> target to give limited logging, for example."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1274 original/man8/iptables.8:1193
+#: original/man8/iptables-extensions.8:677
msgid ""
-"In the so-called \"absolute mode\", only one rate estimator is used and "
-"compared against a static value, while in \"relative mode\", two rate "
-"estimators are compared against another."
+"xt_limit has no negation support - you will have to use -m hashlimit ! "
+"--hashlimit I<rate> in this case whilst omitting --hashlimit-mode."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1274 original/man8/iptables.8:1193
+#: original/man8/iptables-extensions.8:677
#, no-wrap
-msgid "B<--rateest> I<name>"
+msgid "B<--limit> I<rate>[B</second>|B</minute>|B</hour>|B</day>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1277 original/man8/iptables.8:1196
-msgid "Name of the one rate estimator for absolute mode."
+#: original/man8/iptables-extensions.8:682
+msgid ""
+"Maximum average matching rate: specified as a number, with an optional "
+"`/second', `/minute', `/hour', or `/day' suffix; the default is 3/hour."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1277 original/man8/iptables.8:1196
+#: original/man8/iptables-extensions.8:682
#, no-wrap
-msgid "B<--rateest1> I<name>"
-msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:1279 original/man8/iptables.8:1198
-#, no-wrap
-msgid "B<--rateest2> I<name>"
+msgid "B<--limit-burst> I<number>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1282 original/man8/iptables.8:1201
-msgid "The names of the two rate estimators for relative mode."
-msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:1282 original/man8/iptables.8:1201
-#, no-wrap
-msgid "B<--rateest-bps> [I<value>]"
-msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:1284 original/man8/iptables.8:1203
-#, no-wrap
-msgid "B<--rateest-pps> [I<value>]"
+#: original/man8/iptables-extensions.8:687
+msgid ""
+"Maximum initial number of packets to match: this number gets recharged by "
+"one every time the limit specified above is not reached, up to this number; "
+"the default is 5."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1286 original/man8/iptables.8:1205
+#. type: SS
+#: original/man8/iptables-extensions.8:687
#, no-wrap
-msgid "B<--rateest-bps1> [I<value>]"
+msgid "mac"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1288 original/man8/iptables.8:1207
+#: original/man8/iptables-extensions.8:688
#, no-wrap
-msgid "B<--rateest-bps2> [I<value>]"
+msgid "[B<!>] B<--mac-source> I<address>"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1290 original/man8/iptables.8:1209
-#, no-wrap
-msgid "B<--rateest-pps1> [I<value>]"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:698
+msgid ""
+"Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note "
+"that this only makes sense for packets coming from an Ethernet device and "
+"entering the B<PREROUTING>, B<FORWARD> or B<INPUT> chains."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1292 original/man8/iptables.8:1211
+#. type: SS
+#: original/man8/iptables-extensions.8:698
#, no-wrap
-msgid "B<--rateest-pps2> [I<value>]"
+msgid "mark"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1298 original/man8/iptables.8:1217
+#: original/man8/iptables-extensions.8:703
msgid ""
-"Compare the estimator(s) by bytes or packets per second, and compare against "
-"the chosen value. See the above bullet list for which option is to be used "
-"in which case. A unit suffix may be used - available ones are: bit, "
-"[kmgt]bit, [KMGT]ibit, Bps, [KMGT]Bps, [KMGT]iBps."
+"This module matches the netfilter mark field associated with a packet (which "
+"can be set using the B<MARK> target below)."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1302 original/man8/iptables.8:1221
+#: original/man8/iptables-extensions.8:708
msgid ""
-"Example: This is what can be used to route outgoing data connections from an "
-"FTP server over two lines based on the available bandwidth at the time the "
-"data connection was started:"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:1304 original/man8/iptables.8:1223
-msgid "# Estimate outgoing rates"
+"Matches packets with the given unsigned mark value (if a I<mask> is "
+"specified, this is logically ANDed with the I<mask> before the comparison)."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1307 original/man8/iptables.8:1226
-msgid ""
-"iptables -t mangle -A POSTROUTING -o eth0 -j RATEEST --rateest-name eth0 "
-"--rateest-interval 250ms --rateest-ewma 0.5s"
+#. type: SS
+#: original/man8/iptables-extensions.8:708
+#, no-wrap
+msgid "mh (IPv6-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1310 original/man8/iptables.8:1229
+#: original/man8/iptables-extensions.8:711
msgid ""
-"iptables -t mangle -A POSTROUTING -o ppp0 -j RATEEST --rateest-name ppp0 "
-"--rateest-interval 250ms --rateest-ewma 0.5s"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:1312 original/man8/iptables.8:1231
-msgid "# Mark based on available bandwidth"
+"This extension is loaded if `--protocol ipv6-mh' or `--protocol mh' is "
+"specified. It provides the following option:"
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1316 original/man8/iptables.8:1235
-msgid ""
-"iptables -t mangle -A balance -m conntrack --ctstate NEW -m helper --helper "
-"ftp -m rateest --rateest-delta --rateest1 eth0 --rateest-bps1 2.5mbit "
-"--rateest-gt --rateest2 ppp0 --rateest-bps2 2mbit -j CONNMARK --set-mark 1"
+#. type: TP
+#: original/man8/iptables-extensions.8:711
+#, no-wrap
+msgid "[B<!>] B<--mh-type> I<type>[B<:>I<type>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1320 original/man8/iptables.8:1239
+#: original/man8/iptables-extensions.8:718
msgid ""
-"iptables -t mangle -A balance -m conntrack --ctstate NEW -m helper --helper "
-"ftp -m rateest --rateest-delta --rateest1 ppp0 --rateest-bps1 2mbit "
-"--rateest-gt --rateest2 eth0 --rateest-bps2 2.5mbit -j CONNMARK --set-mark 2"
+"This allows specification of the Mobility Header(MH) type, which can be a "
+"numeric MH I<type>, I<type> or one of the MH type names shown by the command"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1322 original/man8/iptables.8:1241
-msgid "iptables -t mangle -A balance -j CONNMARK --restore-mark"
+#: original/man8/iptables-extensions.8:720
+#, no-wrap
+msgid " ip6tables -p ipv6-mh -h\n"
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:1322 original/man8/iptables.8:1249
+#: original/man8/iptables-extensions.8:721
#, no-wrap
-msgid "recent"
+msgid "multiport"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1325 original/man8/iptables.8:1252
+#: original/man8/iptables-extensions.8:728
msgid ""
-"Allows you to dynamically create a list of IP addresses and then match "
-"against that list in a few different ways."
+"This module matches a set of source or destination ports. Up to 15 ports "
+"can be specified. A port range (port:port) counts as two ports. It can "
+"only be used in conjunction with B<-p tcp> or B<-p udp>."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1329 original/man8/iptables.8:1256
+#. type: TP
+#: original/man8/iptables-extensions.8:728
+#, no-wrap
msgid ""
-"For example, you can create a \"badguy\" list out of people attempting to "
-"connect to port 139 on your firewall and then DROP all future packets from "
-"them without considering them."
+"[B<!>] B<--source-ports>,B<--sports> "
+"I<port>[B<,>I<port>|B<,>I<port>B<:>I<port>]..."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1332 original/man8/iptables.8:1259
-msgid "B<--set>, B<--rcheck>, B<--update> and B<--remove> are mutually exclusive."
+#: original/man8/iptables-extensions.8:736
+msgid ""
+"Match if the source port is one of the given ports. The flag B<--sports> is "
+"a convenient alias for this option. Multiple ports or port ranges are "
+"separated using a comma, and a port range is specified using a colon. "
+"B<53,1024:65535> would therefore match ports 53 and all from 1024 through "
+"65535."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1332 original/man8/iptables.8:1259
+#: original/man8/iptables-extensions.8:736
#, no-wrap
-msgid "B<--name> I<name>"
+msgid ""
+"[B<!>] B<--destination-ports>,B<--dports> "
+"I<port>[B<,>I<port>|B<,>I<port>B<:>I<port>]..."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1336 original/man8/iptables.8:1263
+#: original/man8/iptables-extensions.8:741
msgid ""
-"Specify the list to use for the commands. If no name is given then "
-"B<DEFAULT> will be used."
+"Match if the destination port is one of the given ports. The flag "
+"B<--dports> is a convenient alias for this option."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1336 original/man8/iptables.8:1263
+#: original/man8/iptables-extensions.8:741
#, no-wrap
-msgid "[B<!>] B<--set>"
+msgid "[B<!>] B<--ports> I<port>[B<,>I<port>|B<,>I<port>B<:>I<port>]..."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1341 original/man8/iptables.8:1268
+#: original/man8/iptables-extensions.8:745
msgid ""
-"This will add the source address of the packet to the list. If the source "
-"address is already in the list, this will update the existing entry. This "
-"will always return success (or failure if B<!> is passed in)."
+"Match if either the source or destination ports are equal to one of the "
+"given ports."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1341 original/man8/iptables.8:1268
+#. type: SS
+#: original/man8/iptables-extensions.8:745
#, no-wrap
-msgid "B<--rsource>"
+msgid "nfacct"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1345 original/man8/iptables.8:1272
+#: original/man8/iptables-extensions.8:749
msgid ""
-"Match/save the source address of each packet in the recent list table. This "
-"is the default."
+"The nfacct match provides the extended accounting infrastructure for "
+"iptables. You have to use this match together with the standalone "
+"user-space utility B<nfacct(8)>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:751
+msgid "The only option available for this match is the following:"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1345 original/man8/iptables.8:1272
+#: original/man8/iptables-extensions.8:751
#, no-wrap
-msgid "B<--rdest>"
+msgid "B<--nfacct-name> I<name>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1348 original/man8/iptables.8:1275
-msgid "Match/save the destination address of each packet in the recent list table."
+#: original/man8/iptables-extensions.8:755
+msgid ""
+"This allows you to specify the existing object name that will be use for "
+"accounting the traffic that this rule-set is matching."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1348 original/man8/iptables.8:1275
-#, no-wrap
-msgid "[B<!>] B<--rcheck>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:757
+msgid "To use this extension, you have to create an accounting object:"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1351 original/man8/iptables.8:1278
-msgid "Check if the source address of the packet is currently in the list."
+#: original/man8/iptables-extensions.8:759
+msgid "nfacct add http-traffic"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1351 original/man8/iptables.8:1278
-#, no-wrap
-msgid "[B<!>] B<--update>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:761
+msgid "Then, you have to attach it to the accounting object via iptables:"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1355 original/man8/iptables.8:1282
-msgid ""
-"Like B<--rcheck>, except it will update the \"last seen\" timestamp if it "
-"matches."
+#: original/man8/iptables-extensions.8:763
+msgid "iptables -I INPUT -p tcp --sport 80 -m nfacct --nfacct-name http-traffic"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1355 original/man8/iptables.8:1282
-#, no-wrap
-msgid "[B<!>] B<--remove>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:765
+msgid "iptables -I OUTPUT -p tcp --dport 80 -m nfacct --nfacct-name http-traffic"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1360 original/man8/iptables.8:1287
-msgid ""
-"Check if the source address of the packet is currently in the list and if so "
-"that address will be removed from the list and the rule will return true. If "
-"the address is not found, false is returned."
+#: original/man8/iptables-extensions.8:767
+msgid "Then, you can check for the amount of traffic that the rules match:"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1360 original/man8/iptables.8:1287
-#, no-wrap
-msgid "B<--seconds> I<seconds>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:769
+msgid "nfacct get http-traffic"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1365 original/man8/iptables.8:1292
+#: original/man8/iptables-extensions.8:771
msgid ""
-"This option must be used in conjunction with one of B<--rcheck> or "
-"B<--update>. When used, this will narrow the match to only happen when the "
-"address is in the list and was seen within the last given number of seconds."
-msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:1365 original/man8/iptables.8:1292
-#, no-wrap
-msgid "B<--reap>"
+"{ pkts = 00000000000000000156, bytes = 00000000000000151786 } = "
+"http-traffic;"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1370 original/man8/iptables.8:1297
+#: original/man8/iptables-extensions.8:776
msgid ""
-"This option can only be used in conjunction with B<--seconds>. When used, "
-"this will cause entries older than the last given number of seconds to be "
-"purged."
+"You can obtain B<nfacct(8)> from http://www.netfilter.org or, alternatively, "
+"from the git.netfilter.org repository."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1370 original/man8/iptables.8:1297
+#. type: SS
+#: original/man8/iptables-extensions.8:776
#, no-wrap
-msgid "B<--hitcount> I<hits>"
+msgid "osf"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1380 original/man8/iptables.8:1307
+#: original/man8/iptables-extensions.8:780
msgid ""
-"This option must be used in conjunction with one of B<--rcheck> or "
-"B<--update>. When used, this will narrow the match to only happen when the "
-"address is in the list and packets had been received greater than or equal "
-"to the given value. This option may be used along with B<--seconds> to "
-"create an even narrower match requiring a certain number of hits within a "
-"specific time frame. The maximum value for the hitcount parameter is given "
-"by the \"ip_pkt_list_tot\" parameter of the xt_recent kernel "
-"module. Exceeding this value on the command line will cause the rule to be "
-"rejected."
+"The osf module does passive operating system fingerprinting. This modules "
+"compares some data (Window Size, MSS, options and their order, TTL, DF, and "
+"others) from packets with the SYN bit set."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1380 original/man8/iptables.8:1307
+#: original/man8/iptables-extensions.8:780
#, no-wrap
-msgid "B<--rttl>"
+msgid "[B<!>] B<--genre> I<string>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1388 original/man8/iptables.8:1315
-msgid ""
-"This option may only be used in conjunction with one of B<--rcheck> or "
-"B<--update>. When used, this will narrow the match to only happen when the "
-"address is in the list and the TTL of the current packet matches that of the "
-"packet which hit the B<--set> rule. This may be useful if you have problems "
-"with people faking their source address in order to DoS you via this module "
-"by disallowing others access to your site by sending bogus packets to you."
+#: original/man8/iptables-extensions.8:783
+msgid "Match an operating system genre by using a passive fingerprinting."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1392 original/man8/iptables.8:1319
-msgid "iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP"
+#. type: TP
+#: original/man8/iptables-extensions.8:783
+#, no-wrap
+msgid "B<--ttl> I<level>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1394 original/man8/iptables.8:1321
+#: original/man8/iptables-extensions.8:787
msgid ""
-"iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set "
-"-j DROP"
+"Do additional TTL checks on the packet to determine the operating system. "
+"I<level> can be one of the following values:"
+msgstr ""
+
+#. type: IP
+#: original/man8/iptables-extensions.8:787 original/man8/iptables-extensions.8:790 original/man8/iptables-extensions.8:793 original/man8/iptables-extensions.8:799 original/man8/iptables-extensions.8:801 original/man8/iptables-extensions.8:803 original/man8/iptables-extensions.8:959 original/man8/iptables-extensions.8:961 original/man8/iptables-extensions.8:964 original/man8/iptables-extensions.8:966 original/man8/iptables-extensions.8:969 original/man8/iptables-extensions.8:971 original/man8/iptables-extensions.8:974 original/man8/iptables-extensions.8:977
+#, no-wrap
+msgid "\\(bu"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1397 original/man8/iptables.8:1324
+#: original/man8/iptables-extensions.8:790
msgid ""
-"Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/) also "
-"has some examples of usage."
+"0 - True IP address and fingerprint TTL comparison. This generally works for "
+"LANs."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1400 original/man8/iptables.8:1327
+#: original/man8/iptables-extensions.8:793
msgid ""
-"B</proc/net/xt_recent/*> are the current lists of addresses and information "
-"about each entry of each list."
+"1 - Check if the IP header's TTL is less than the fingerprint one. Works for "
+"globally-routable addresses."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1403 original/man8/iptables.8:1330
-msgid ""
-"Each file in B</proc/net/xt_recent/> can be read from to see the current "
-"list or written two using the following commands to modify the list:"
+#: original/man8/iptables-extensions.8:795
+msgid "2 - Do not compare the TTL at all."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1403 original/man8/iptables.8:1330
+#: original/man8/iptables-extensions.8:795
#, no-wrap
-msgid "B<echo +>I<addr>B< E<gt>/proc/net/xt_recent/DEFAULT>"
+msgid "B<--log> I<level>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1406 original/man8/iptables.8:1333
-msgid "to add I<addr> to the DEFAULT list"
+#: original/man8/iptables-extensions.8:799
+msgid ""
+"Log determined genres into dmesg even if they do not match the desired one. "
+"I<level> can be one of the following values:"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1406 original/man8/iptables.8:1333
-#, no-wrap
-msgid "B<echo ->I<addr>B< E<gt>/proc/net/xt_recent/DEFAULT>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:801
+msgid "0 - Log all matched or unknown signatures"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1409 original/man8/iptables.8:1336
-msgid "to remove I<addr> from the DEFAULT list"
+#: original/man8/iptables-extensions.8:803
+msgid "1 - Log only the first one"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1409 original/man8/iptables.8:1336
-#, no-wrap
-msgid "B<echo / E<gt>/proc/net/xt_recent/DEFAULT>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:805
+msgid "2 - Log all known matched signatures"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1412 original/man8/iptables.8:1339
-msgid "to flush the DEFAULT list (remove all entries)."
+#: original/man8/iptables-extensions.8:807
+msgid "You may find something like this in syslog:"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1414 original/man8/iptables.8:1341
-msgid "The module itself accepts parameters, defaults shown:"
+#: original/man8/iptables-extensions.8:810
+msgid ""
+"Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -E<gt> "
+"11.22.33.44:139 hops=3 Linux [2.5-2.6:] : 1.2.3.4:42624 -E<gt> 1.2.3.5:22 "
+"hops=4"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1414 original/man8/iptables.8:1341
-#, no-wrap
-msgid "B<ip_list_tot>=I<100>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:813
+msgid ""
+"OS fingerprints are loadable using the B<nfnl_osf> program. To load "
+"fingerprints from a file, use:"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1417 original/man8/iptables.8:1344
-msgid "Number of addresses remembered per table."
+#: original/man8/iptables-extensions.8:815
+msgid "B<nfnl_osf -f /usr/share/xtables/pf.os>"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1417 original/man8/iptables.8:1344
-#, no-wrap
-msgid "B<ip_pkt_list_tot>=I<20>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:817
+msgid "To remove them again,"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1420 original/man8/iptables.8:1347
-msgid "Number of packets per address remembered."
+#: original/man8/iptables-extensions.8:819
+msgid "B<nfnl_osf -f /usr/share/xtables/pf.os -d>"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1420 original/man8/iptables.8:1347
+#. type: Plain text
+#: original/man8/iptables-extensions.8:822
+msgid ""
+"The fingerprint database can be downlaoded from "
+"http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os ."
+msgstr ""
+
+#. type: SS
+#: original/man8/iptables-extensions.8:822
#, no-wrap
-msgid "B<ip_list_hash_size>=I<0>"
+msgid "owner"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1423 original/man8/iptables.8:1350
-msgid "Hash table size. 0 means to calculate it based on ip_list_tot, default: 512."
+#: original/man8/iptables-extensions.8:827
+msgid ""
+"This module attempts to match various characteristics of the packet creator, "
+"for locally generated packets. This match is only valid in the OUTPUT and "
+"POSTROUTING chains. Forwarded packets do not have any socket associated with "
+"them. Packets from kernel threads do have a socket, but usually no owner."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1423 original/man8/iptables.8:1350
+#: original/man8/iptables-extensions.8:827
#, no-wrap
-msgid "B<ip_list_perms>=I<0644>"
+msgid "[B<!>] B<--uid-owner> I<username>"
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:829
+#, no-wrap
+msgid "[B<!>] B<--uid-owner> I<userid>[B<->I<userid>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1426 original/man8/iptables.8:1353
-msgid "Permissions for /proc/net/xt_recent/* files."
+#: original/man8/iptables-extensions.8:833
+msgid ""
+"Matches if the packet socket's file structure (if it has one) is owned by "
+"the given user. You may also specify a numerical UID, or an UID range."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1426 original/man8/iptables.8:1353
+#: original/man8/iptables-extensions.8:833
#, no-wrap
-msgid "B<ip_list_uid>=I<0>"
+msgid "[B<!>] B<--gid-owner> I<groupname>"
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:835
+#, no-wrap
+msgid "[B<!>] B<--gid-owner> I<groupid>[B<->I<groupid>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1429 original/man8/iptables.8:1356
-msgid "Numerical UID for ownership of /proc/net/xt_recent/* files."
+#: original/man8/iptables-extensions.8:839
+msgid ""
+"Matches if the packet socket's file structure is owned by the given group. "
+"You may also specify a numerical GID, or a GID range."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1429 original/man8/iptables.8:1356
+#: original/man8/iptables-extensions.8:839
#, no-wrap
-msgid "B<ip_list_gid>=I<0>"
+msgid "[B<!>] B<--socket-exists>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1432 original/man8/iptables.8:1359
-msgid "Numerical GID for ownership of /proc/net/xt_recent/* files."
+#: original/man8/iptables-extensions.8:842
+msgid "Matches if the packet is associated with a socket."
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:1432 original/man8/iptables.8:1359
+#: original/man8/iptables-extensions.8:842
#, no-wrap
-msgid "rpfilter"
+msgid "physdev"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1441 original/man8/iptables.8:1368
+#: original/man8/iptables-extensions.8:847
msgid ""
-"Performs a reverse path filter test on a packet. If a reply to the packet "
-"would be sent via the same interface that the packet arrived on, the packet "
-"will match. Note that, unlike the in-kernel rp_filter, packets protected by "
-"IPSec are not treated specially. Combine this match with the policy match "
-"if you want this. Also, packets arriving via the loopback interface are "
-"always permitted. This match can only be used in the PREROUTING chain of "
-"the raw or mangle table."
+"This module matches on the bridge port input and output devices enslaved to "
+"a bridge device. This module is a part of the infrastructure that enables a "
+"transparent bridging IP firewall and is only useful for kernel versions "
+"above version 2.5.44."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1441 original/man8/iptables.8:1368
+#: original/man8/iptables-extensions.8:847
#, no-wrap
-msgid "B<--loose>"
+msgid "[B<!>] B<--physdev-in> I<name>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1445 original/man8/iptables.8:1372
+#: original/man8/iptables-extensions.8:858
msgid ""
-"Used to specifiy that the reverse path filter test should match even if the "
-"selected output device is not the expected one."
+"Name of a bridge port via which a packet is received (only for packets "
+"entering the B<INPUT>, B<FORWARD> and B<PREROUTING> chains). If the "
+"interface name ends in a \"+\", then any interface which begins with this "
+"name will match. If the packet didn't arrive through a bridge device, this "
+"packet won't match this option, unless '!' is used."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1445 original/man8/iptables.8:1372
+#: original/man8/iptables-extensions.8:858
#, no-wrap
-msgid "B<--validmark>"
+msgid "[B<!>] B<--physdev-out> I<name>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1448 original/man8/iptables.8:1375
+#: original/man8/iptables-extensions.8:875
msgid ""
-"Also use the packets' nfmark value when performing the reverse path route "
-"lookup."
+"Name of a bridge port via which a packet is going to be sent (for packets "
+"entering the B<FORWARD>, B<OUTPUT> and B<POSTROUTING> chains). If the "
+"interface name ends in a \"+\", then any interface which begins with this "
+"name will match. Note that in the B<nat> and B<mangle> B<OUTPUT> chains one "
+"cannot match on the bridge output port, however one can in the B<filter "
+"OUTPUT> chain. If the packet won't leave by a bridge device or if it is yet "
+"unknown what the output device will be, then the packet won't match this "
+"option, unless '!' is used."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1448 original/man8/iptables.8:1375
+#: original/man8/iptables-extensions.8:875
#, no-wrap
-msgid "B<--accept-local>"
+msgid "[B<!>] B<--physdev-is-in>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1455 original/man8/iptables.8:1382
-msgid ""
-"This will permit packets arriving from the network with a source address "
-"that is also assigned to the local machine. B<--invert> This will invert "
-"the sense of the match. Instead of matching packets that passed the reverse "
-"path filter test, match those that have failed it."
+#: original/man8/iptables-extensions.8:878
+msgid "Matches if the packet has entered through a bridge interface."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1457 original/man8/iptables.8:1384
-msgid "Example to log and drop packets failing the reverse path filter test:"
+#. type: TP
+#: original/man8/iptables-extensions.8:878
+#, no-wrap
+msgid "[B<!>] B<--physdev-is-out>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1459 original/man8/iptables.8:1386
-msgid "iptables -t raw -N RPFILTER"
+#: original/man8/iptables-extensions.8:881
+msgid "Matches if the packet will leave through a bridge interface."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1461 original/man8/iptables.8:1388
-msgid "iptables -t raw -A RPFILTER -m rpfilter -j RETURN"
+#. type: TP
+#: original/man8/iptables-extensions.8:881
+#, no-wrap
+msgid "[B<!>] B<--physdev-is-bridged>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1463 original/man8/iptables.8:1390
+#: original/man8/iptables-extensions.8:885
msgid ""
-"iptables -t raw -A RPFILTER -m limit --limit 10/minute -j NFLOG "
-"--nflog-prefix \"rpfilter drop\""
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:1465 original/man8/iptables.8:1392
-msgid "iptables -t raw -A RPFILTER -j DROP"
+"Matches if the packet is being bridged and therefore is not being routed. "
+"This is only useful in the FORWARD and POSTROUTING chains."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1467 original/man8/iptables.8:1394
-msgid "iptables -t raw -A PREROUTING -j RPFILTER"
+#. type: SS
+#: original/man8/iptables-extensions.8:885
+#, no-wrap
+msgid "pkttype"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1469 original/man8/iptables.8:1396
-msgid "Example to drop failed packets, without logging:"
+#: original/man8/iptables-extensions.8:887
+msgid "This module matches the link-layer packet type."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1471 original/man8/iptables.8:1398
-msgid "iptables -t raw -A RPFILTER -m rpfilter --invert -j DROP"
+#. type: TP
+#: original/man8/iptables-extensions.8:887
+#, no-wrap
+msgid "[B<!>] B<--pkt-type> {B<unicast>|B<broadcast>|B<multicast>}"
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:1471
+#: original/man8/iptables-extensions.8:889
#, no-wrap
-msgid "rt"
+msgid "policy"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1473
-msgid "Match on IPv6 routing header"
+#: original/man8/iptables-extensions.8:891
+msgid "This modules matches the policy used by IPsec for handling a packet."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1473
+#: original/man8/iptables-extensions.8:891
#, no-wrap
-msgid "[B<!>] B<--rt-type> I<type>"
+msgid "B<--dir> {B<in>|B<out>}"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1476
-msgid "Match the type (numeric)."
+#: original/man8/iptables-extensions.8:903
+msgid ""
+"Used to select whether to match the policy used for decapsulation or the "
+"policy that will be used for encapsulation. B<in> is valid in the "
+"B<PREROUTING, INPUT and FORWARD> chains, B<out> is valid in the "
+"B<POSTROUTING, OUTPUT and FORWARD> chains."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1476
+#: original/man8/iptables-extensions.8:903
#, no-wrap
-msgid "[B<!>] B<--rt-segsleft> I<num>[B<:>I<num>]"
+msgid "B<--pol> {B<none>|B<ipsec>}"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1479
-msgid "Match the `segments left' field (range)."
+#: original/man8/iptables-extensions.8:907
+msgid ""
+"Matches if the packet is subject to IPsec processing. B<--pol none> cannot "
+"be combined with B<--strict>."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1479
+#: original/man8/iptables-extensions.8:907
#, no-wrap
-msgid "[B<!>] B<--rt-len> I<length>"
+msgid "B<--strict>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1482
-msgid "Match the length of this header."
+#: original/man8/iptables-extensions.8:911
+msgid ""
+"Selects whether to match the exact policy or match if any rule of the policy "
+"matches the given policy."
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:915
+msgid ""
+"For each policy element that is to be described, one can use one or more of "
+"the following options. When B<--strict> is in effect, at least one must be "
+"used per element."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1482
+#: original/man8/iptables-extensions.8:915
#, no-wrap
-msgid "B<--rt-0-res>"
+msgid "[B<!>] B<--reqid> I<id>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1485
-msgid "Match the reserved field, too (type=0)"
+#: original/man8/iptables-extensions.8:922
+msgid ""
+"Matches the reqid of the policy rule. The reqid can be specified with "
+"B<setkey(8)> using B<unique:id> as level."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1485
+#: original/man8/iptables-extensions.8:922
#, no-wrap
-msgid "B<--rt-0-addrs> I<addr>[B<,>I<addr>...]"
+msgid "[B<!>] B<--spi> I<spi>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1488
-msgid "Match type=0 addresses (list)."
+#: original/man8/iptables-extensions.8:925
+msgid "Matches the SPI of the SA."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1488
+#: original/man8/iptables-extensions.8:925
#, no-wrap
-msgid "B<--rt-0-not-strict>"
+msgid "[B<!>] B<--proto> {B<ah>|B<esp>|B<ipcomp>}"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1491
-msgid "List of type=0 addresses is not a strict list."
-msgstr ""
-
-#. type: SS
-#: original/man8/ip6tables.8:1491 original/man8/iptables.8:1398
-#, no-wrap
-msgid "sctp"
+#: original/man8/iptables-extensions.8:928
+msgid "Matches the encapsulation protocol."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1496 original/man8/iptables.8:1403
+#: original/man8/iptables-extensions.8:928
#, no-wrap
-msgid ""
-"[B<!>] B<--chunk-types> {B<all>|B<any>|B<only>} I<chunktype>[B<:>I<flags>] "
-"[...]"
+msgid "[B<!>] B<--mode> {B<tunnel>|B<transport>}"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1500 original/man8/iptables.8:1407
-msgid ""
-"The flag letter in upper case indicates that the flag is to match if set, in "
-"the lower case indicates to match if unset."
+#: original/man8/iptables-extensions.8:931
+msgid "Matches the encapsulation mode."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:931
+#, no-wrap
+msgid "[B<!>] B<--tunnel-src> I<addr>[B</>I<mask>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1502 original/man8/iptables.8:1409
+#: original/man8/iptables-extensions.8:935
msgid ""
-"Chunk types: DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN "
-"SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE "
-"ASCONF ASCONF_ACK FORWARD_TSN"
+"Matches the source end-point address of a tunnel mode SA. Only valid with "
+"B<--mode tunnel>."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1504 original/man8/iptables.8:1411
-msgid "chunk type available flags"
+#. type: TP
+#: original/man8/iptables-extensions.8:935
+#, no-wrap
+msgid "[B<!>] B<--tunnel-dst> I<addr>[B</>I<mask>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1506 original/man8/iptables.8:1413
-msgid "DATA I U B E i u b e"
+#: original/man8/iptables-extensions.8:939
+msgid ""
+"Matches the destination end-point address of a tunnel mode SA. Only valid "
+"with B<--mode tunnel>."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1508 original/man8/iptables.8:1415
-msgid "ABORT T t"
+#. type: TP
+#: original/man8/iptables-extensions.8:939
+#, no-wrap
+msgid "B<--next>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1510 original/man8/iptables.8:1417
-msgid "SHUTDOWN_COMPLETE T t"
+#: original/man8/iptables-extensions.8:943
+msgid ""
+"Start the next element in the policy specification. Can only be used with "
+"B<--strict>."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1512 original/man8/iptables.8:1419
-msgid "(lowercase means flag should be \"off\", uppercase means \"on\")"
+#. type: SS
+#: original/man8/iptables-extensions.8:943
+#, no-wrap
+msgid "quota"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1516 original/man8/iptables.8:1423
-msgid "iptables -A INPUT -p sctp --dport 80 -j DROP"
+#: original/man8/iptables-extensions.8:948
+msgid ""
+"Implements network quotas by decrementing a byte counter with each "
+"packet. The condition matches until the byte counter reaches zero. Behavior "
+"is reversed with negation (i.e. the condition does not match until the byte "
+"counter reaches zero)."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1518 original/man8/iptables.8:1425
-msgid "iptables -A INPUT -p sctp --chunk-types any DATA,INIT -j DROP"
+#. type: TP
+#: original/man8/iptables-extensions.8:948
+#, no-wrap
+msgid "[B<!>] B<--quota> I<bytes>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1520 original/man8/iptables.8:1427
-msgid "iptables -A INPUT -p sctp --chunk-types any DATA:Be -j ACCEPT"
+#: original/man8/iptables-extensions.8:951
+msgid "The quota in bytes."
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:1520 original/man8/iptables.8:1427
+#: original/man8/iptables-extensions.8:951
#, no-wrap
-msgid "set"
+msgid "rateest"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1522 original/man8/iptables.8:1429
-msgid "This module matches IP sets which can be defined by ipset(8)."
-msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:1522 original/man8/iptables.8:1429
-#, no-wrap
-msgid "[B<!>] B<--match-set> I<setname> I<flag>[B<,>I<flag>]..."
+#: original/man8/iptables-extensions.8:955
+msgid ""
+"The rate estimator can match on estimated rates as collected by the RATEEST "
+"target. It supports matching on absolute bps/pps values, comparing two rate "
+"estimators and matching on the difference between two rate estimators."
msgstr ""
+#. * Absolute:
#. type: Plain text
-#: original/man8/ip6tables.8:1529 original/man8/iptables.8:1436
+#: original/man8/iptables-extensions.8:959
msgid ""
-"where flags are the comma separated list of B<src> and/or B<dst> "
-"specifications and there can be no more than six of them. Hence the command"
+"For a better understanding of the available options, these are all possible "
+"combinations:"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1531 original/man8/iptables.8:1438
-#, no-wrap
-msgid " iptables -A FORWARD -m set --match-set test src,dst\n"
+#: original/man8/iptables-extensions.8:961
+msgid "B<rateest> I<operator> B<rateest-bps>"
msgstr ""
+#. * Absolute + Delta:
#. type: Plain text
-#: original/man8/ip6tables.8:1537 original/man8/iptables.8:1444
-msgid ""
-"will match packets, for which (if the set type is ipportmap) the source "
-"address and destination port pair can be found in the specified set. If the "
-"set type of the specified set is single dimension (for example ipmap), then "
-"the command will match packets for which the source address can be found in "
-"the specified set."
+#: original/man8/iptables-extensions.8:964
+msgid "B<rateest> I<operator> B<rateest-pps>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:966
+msgid "(B<rateest> minus B<rateest-bps1>) I<operator> B<rateest-bps2>"
+msgstr ""
+
+#. * Relative:
+#. type: Plain text
+#: original/man8/iptables-extensions.8:969
+msgid "(B<rateest> minus B<rateest-pps1>) I<operator> B<rateest-pps2>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:971
+msgid "B<rateest1> I<operator> B<rateest2> B<rateest-bps>(without rate!)"
+msgstr ""
+
+#. * Relative + Delta:
+#. type: Plain text
+#: original/man8/iptables-extensions.8:974
+msgid "B<rateest1> I<operator> B<rateest2> B<rateest-pps>(without rate!)"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1540 original/man8/iptables.8:1447
+#: original/man8/iptables-extensions.8:977
msgid ""
-"The option B<--match-set> can be replaced by B<--set> if that does not clash "
-"with an option of other extensions."
+"(B<rateest1> minus B<rateest-bps1>) I<operator> (B<rateest2> minus "
+"B<rateest-bps2>)"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1543 original/man8/iptables.8:1450
+#: original/man8/iptables-extensions.8:980
msgid ""
-"Use of -m set requires that ipset kernel support is provided, which, for "
-"standard kernels, is the case since Linux 2.6.39."
+"(B<rateest1> minus B<rateest-pps1>) I<operator> (B<rateest2> minus "
+"B<rateest-pps2>)"
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:1543 original/man8/iptables.8:1450
+#. type: TP
+#: original/man8/iptables-extensions.8:980
#, no-wrap
-msgid "socket"
+msgid "B<--rateest-delta>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1546 original/man8/iptables.8:1453
+#: original/man8/iptables-extensions.8:987
msgid ""
-"This matches if an open socket can be found by doing a socket lookup on the "
-"packet."
+"For each estimator (either absolute or relative mode), calculate the "
+"difference between the estimator-determined flow rate and the static value "
+"chosen with the BPS/PPS options. If the flow rate is higher than the "
+"specified BPS/PPS, 0 will be used instead of a negative value. In other "
+"words, \"max(0, rateest#_rate - rateest#_bps)\" is used."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1546 original/man8/iptables.8:1453
+#: original/man8/iptables-extensions.8:987
#, no-wrap
-msgid "B<--transparent>"
+msgid "[B<!>] B<--rateest-lt>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1549 original/man8/iptables.8:1456
-msgid "Ignore non-transparent sockets."
+#: original/man8/iptables-extensions.8:990
+msgid "Match if rate is less than given rate/estimator."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:1549 original/man8/iptables.8:1456
+#. type: TP
+#: original/man8/iptables-extensions.8:990
#, no-wrap
-msgid "state"
+msgid "[B<!>] B<--rateest-gt>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1552 original/man8/iptables.8:1459
-msgid ""
-"This module, when combined with connection tracking, allows access to the "
-"connection tracking state for this packet."
+#: original/man8/iptables-extensions.8:993
+msgid "Match if rate is greater than given rate/estimator."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1552 original/man8/iptables.8:1459
+#: original/man8/iptables-extensions.8:993
#, no-wrap
-msgid "[B<!>] B<--state> I<state>"
+msgid "[B<!>] B<--rateest-eq>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:996
+msgid "Match if rate is equal to given rate/estimator."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1574 original/man8/iptables.8:1481
+#: original/man8/iptables-extensions.8:1000
msgid ""
-"Where state is a comma separated list of the connection states to match. "
-"Possible states are B<INVALID> meaning that the packet could not be "
-"identified for some reason which includes running out of memory and ICMP "
-"errors which don't correspond to any known connection, B<ESTABLISHED> "
-"meaning that the packet is associated with a connection which has seen "
-"packets in both directions, B<NEW> meaning that the packet has started a new "
-"connection, or otherwise associated with a connection which has not seen "
-"packets in both directions, and B<RELATED> meaning that the packet is "
-"starting a new connection, but is associated with an existing connection, "
-"such as an FTP data transfer, or an ICMP error. B<UNTRACKED> meaning that "
-"the packet is not tracked at all, which happens if you use the NOTRACK "
-"target in raw table."
+"In the so-called \"absolute mode\", only one rate estimator is used and "
+"compared against a static value, while in \"relative mode\", two rate "
+"estimators are compared against another."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:1574 original/man8/iptables.8:1481
+#. type: TP
+#: original/man8/iptables-extensions.8:1000
#, no-wrap
-msgid "statistic"
+msgid "B<--rateest> I<name>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1579 original/man8/iptables.8:1486
-msgid ""
-"This module matches packets based on some statistic condition. It supports "
-"two distinct modes settable with the B<--mode> option."
+#: original/man8/iptables-extensions.8:1003
+msgid "Name of the one rate estimator for absolute mode."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1581 original/man8/iptables.8:1488
-msgid "Supported options:"
+#. type: TP
+#: original/man8/iptables-extensions.8:1003
+#, no-wrap
+msgid "B<--rateest1> I<name>"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1581 original/man8/iptables.8:1488
+#: original/man8/iptables-extensions.8:1005
#, no-wrap
-msgid "B<--mode> I<mode>"
+msgid "B<--rateest2> I<name>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1587 original/man8/iptables.8:1494
-msgid ""
-"Set the matching mode of the matching rule, supported modes are B<random> "
-"and B<nth.>"
+#: original/man8/iptables-extensions.8:1008
+msgid "The names of the two rate estimators for relative mode."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1587 original/man8/iptables.8:1494
+#: original/man8/iptables-extensions.8:1008
#, no-wrap
-msgid "[B<!>] B<--probability> I<p>"
+msgid "B<--rateest-bps> [I<value>]"
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1592 original/man8/iptables.8:1499
-msgid ""
-"Set the probability for a packet to be randomly matched. It only works with "
-"the B<random> mode. I<p> must be within 0.0 and 1.0. The supported "
-"granularity is in 1/2147483648th increments."
+#. type: TP
+#: original/man8/iptables-extensions.8:1010
+#, no-wrap
+msgid "B<--rateest-pps> [I<value>]"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1592 original/man8/iptables.8:1499
+#: original/man8/iptables-extensions.8:1012
#, no-wrap
-msgid "[B<!>] B<--every> I<n>"
+msgid "B<--rateest-bps1> [I<value>]"
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1599 original/man8/iptables.8:1506
-msgid ""
-"Match one packet every nth packet. It works only with the B<nth> mode (see "
-"also the B<--packet> option)."
+#. type: TP
+#: original/man8/iptables-extensions.8:1014
+#, no-wrap
+msgid "B<--rateest-bps2> [I<value>]"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1599 original/man8/iptables.8:1506
+#: original/man8/iptables-extensions.8:1016
#, no-wrap
-msgid "B<--packet> I<p>"
+msgid "B<--rateest-pps1> [I<value>]"
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1018
+#, no-wrap
+msgid "B<--rateest-pps2> [I<value>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1604 original/man8/iptables.8:1511
+#: original/man8/iptables-extensions.8:1024
msgid ""
-"Set the initial counter value (0 E<lt>= p E<lt>= n-1, default 0) for the "
-"B<nth> mode."
+"Compare the estimator(s) by bytes or packets per second, and compare against "
+"the chosen value. See the above bullet list for which option is to be used "
+"in which case. A unit suffix may be used - available ones are: bit, "
+"[kmgt]bit, [KMGT]ibit, Bps, [KMGT]Bps, [KMGT]iBps."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:1604 original/man8/iptables.8:1511
-#, no-wrap
-msgid "string"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1028
+msgid ""
+"Example: This is what can be used to route outgoing data connections from an "
+"FTP server over two lines based on the available bandwidth at the time the "
+"data connection was started:"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1606 original/man8/iptables.8:1513
-msgid ""
-"This modules matches a given string by using some pattern matching "
-"strategy. It requires a linux kernel E<gt>= 2.6.14."
+#: original/man8/iptables-extensions.8:1030
+msgid "# Estimate outgoing rates"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1606 original/man8/iptables.8:1513
-#, no-wrap
-msgid "B<--algo> {B<bm>|B<kmp>}"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1033
+msgid ""
+"iptables -t mangle -A POSTROUTING -o eth0 -j RATEEST --rateest-name eth0 "
+"--rateest-interval 250ms --rateest-ewma 0.5s"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1609 original/man8/iptables.8:1516
+#: original/man8/iptables-extensions.8:1036
msgid ""
-"Select the pattern matching strategy. (bm = Boyer-Moore, kmp = "
-"Knuth-Pratt-Morris)"
+"iptables -t mangle -A POSTROUTING -o ppp0 -j RATEEST --rateest-name ppp0 "
+"--rateest-interval 250ms --rateest-ewma 0.5s"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1609 original/man8/iptables.8:1516
-#, no-wrap
-msgid "B<--from> I<offset>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1038
+msgid "# Mark based on available bandwidth"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1612 original/man8/iptables.8:1519
+#: original/man8/iptables-extensions.8:1042
msgid ""
-"Set the offset from which it starts looking for any matching. If not passed, "
-"default is 0."
+"iptables -t mangle -A balance -m conntrack --ctstate NEW -m helper --helper "
+"ftp -m rateest --rateest-delta --rateest1 eth0 --rateest-bps1 2.5mbit "
+"--rateest-gt --rateest2 ppp0 --rateest-bps2 2mbit -j CONNMARK --set-mark 1"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1612 original/man8/iptables.8:1519
-#, no-wrap
-msgid "B<--to> I<offset>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1046
+msgid ""
+"iptables -t mangle -A balance -m conntrack --ctstate NEW -m helper --helper "
+"ftp -m rateest --rateest-delta --rateest1 ppp0 --rateest-bps1 2mbit "
+"--rateest-gt --rateest2 eth0 --rateest-bps2 2.5mbit -j CONNMARK --set-mark 2"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1617 original/man8/iptables.8:1524
-msgid ""
-"Set the offset up to which should be scanned. That is, byte I<offset>-1 "
-"(counting from 0) is the last one that is scanned. If not passed, default "
-"is the packet size."
+#: original/man8/iptables-extensions.8:1048
+msgid "iptables -t mangle -A balance -j CONNMARK --restore-mark"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1617 original/man8/iptables.8:1524
+#. type: SS
+#: original/man8/iptables-extensions.8:1048
#, no-wrap
-msgid "[B<!>] B<--string> I<pattern>"
+msgid "realm (IPv4-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1620 original/man8/iptables.8:1527
-msgid "Matches the given pattern."
+#: original/man8/iptables-extensions.8:1051
+msgid ""
+"This matches the routing realm. Routing realms are used in complex routing "
+"setups involving dynamic routing protocols like BGP."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1620 original/man8/iptables.8:1527
+#: original/man8/iptables-extensions.8:1051
#, no-wrap
-msgid "[B<!>] B<--hex-string> I<pattern>"
+msgid "[B<!>] B<--realm> I<value>[B</>I<mask>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1623 original/man8/iptables.8:1530
-msgid "Matches the given pattern in hex notation."
+#: original/man8/iptables-extensions.8:1056
+msgid ""
+"Matches a given realm number (and optionally mask). If not a number, value "
+"can be a named realm from /etc/iproute2/rt_realms (mask can not be used in "
+"that case)."
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:1623 original/man8/iptables.8:1530
+#: original/man8/iptables-extensions.8:1056
#, no-wrap
-msgid "tcp"
+msgid "recent"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1626 original/man8/iptables.8:1533
+#: original/man8/iptables-extensions.8:1059
msgid ""
-"These extensions can be used if `--protocol tcp' is specified. It provides "
-"the following options:"
+"Allows you to dynamically create a list of IP addresses and then match "
+"against that list in a few different ways."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1637 original/man8/iptables.8:1544
+#: original/man8/iptables-extensions.8:1063
msgid ""
-"Source port or port range specification. This can either be a service name "
-"or a port number. An inclusive range can also be specified, using the format "
-"I<first>B<:>I<last>. If the first port is omitted, \"0\" is assumed; if the "
-"last is omitted, \"65535\" is assumed. If the first port is greater than "
-"the second one they will be swapped. The flag B<--sport> is a convenient "
-"alias for this option."
+"For example, you can create a \"badguy\" list out of people attempting to "
+"connect to port 139 on your firewall and then DROP all future packets from "
+"them without considering them."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1642 original/man8/iptables.8:1549
-msgid ""
-"Destination port or port range specification. The flag B<--dport> is a "
-"convenient alias for this option."
+#: original/man8/iptables-extensions.8:1066
+msgid "B<--set>, B<--rcheck>, B<--update> and B<--remove> are mutually exclusive."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1642 original/man8/iptables.8:1549
+#: original/man8/iptables-extensions.8:1066
#, no-wrap
-msgid "[B<!>] B<--tcp-flags> I<mask> I<comp>"
+msgid "B<--name> I<name>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1650 original/man8/iptables.8:1557
+#: original/man8/iptables-extensions.8:1070
msgid ""
-"Match when the TCP flags are as specified. The first argument I<mask> is "
-"the flags which we should examine, written as a comma-separated list, and "
-"the second argument I<comp> is a comma-separated list of flags which must be "
-"set. Flags are: B<SYN ACK FIN RST URG PSH ALL NONE>. Hence the command"
+"Specify the list to use for the commands. If no name is given then "
+"B<DEFAULT> will be used."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1652 original/man8/iptables.8:1559
+#. type: TP
+#: original/man8/iptables-extensions.8:1070
#, no-wrap
-msgid " iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN\n"
+msgid "[B<!>] B<--set>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1655 original/man8/iptables.8:1562
+#: original/man8/iptables-extensions.8:1075
msgid ""
-"will only match packets with the SYN flag set, and the ACK, FIN and RST "
-"flags unset."
+"This will add the source address of the packet to the list. If the source "
+"address is already in the list, this will update the existing entry. This "
+"will always return success (or failure if B<!> is passed in)."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1655 original/man8/iptables.8:1562
+#: original/man8/iptables-extensions.8:1075
#, no-wrap
-msgid "[B<!>] B<--syn>"
+msgid "B<--rsource>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1665 original/man8/iptables.8:1572
+#: original/man8/iptables-extensions.8:1079
msgid ""
-"Only match TCP packets with the SYN bit set and the ACK,RST and FIN bits "
-"cleared. Such packets are used to request TCP connection initiation; for "
-"example, blocking such packets coming in an interface will prevent incoming "
-"TCP connections, but outgoing TCP connections will be unaffected. It is "
-"equivalent to B<--tcp-flags SYN,RST,ACK,FIN SYN>. If the \"!\" flag "
-"precedes the \"--syn\", the sense of the option is inverted."
+"Match/save the source address of each packet in the recent list table. This "
+"is the default."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1665 original/man8/iptables.8:1572
+#: original/man8/iptables-extensions.8:1079
#, no-wrap
-msgid "[B<!>] B<--tcp-option> I<number>"
+msgid "B<--rdest>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1668 original/man8/iptables.8:1575
-msgid "Match if TCP option set."
+#: original/man8/iptables-extensions.8:1082
+msgid "Match/save the destination address of each packet in the recent list table."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:1668 original/man8/iptables.8:1575
+#. type: TP
+#: original/man8/iptables-extensions.8:1082
#, no-wrap
-msgid "tcpmss"
+msgid "B<--mask>netmask"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1670 original/man8/iptables.8:1577
-msgid ""
-"This matches the TCP MSS (maximum segment size) field of the TCP header. "
-"You can only use this on TCP SYN or SYN/ACK packets, since the MSS is only "
-"negotiated during the TCP handshake at connection startup time."
+#: original/man8/iptables-extensions.8:1085
+msgid "Netmask that will be applied to this recent list."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1670 original/man8/iptables.8:1577
+#: original/man8/iptables-extensions.8:1085
#, no-wrap
-msgid "[B<!>] B<--mss> I<value>[B<:>I<value>]"
+msgid "[B<!>] B<--rcheck>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1673 original/man8/iptables.8:1580
-msgid "Match a given TCP MSS value or range."
+#: original/man8/iptables-extensions.8:1088
+msgid "Check if the source address of the packet is currently in the list."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:1673 original/man8/iptables.8:1580
+#. type: TP
+#: original/man8/iptables-extensions.8:1088
#, no-wrap
-msgid "time"
+msgid "[B<!>] B<--update>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1677 original/man8/iptables.8:1584
+#: original/man8/iptables-extensions.8:1092
msgid ""
-"This matches if the packet arrival time/date is within a given range. All "
-"options are optional, but are ANDed when specified. All times are "
-"interpreted as UTC by default."
+"Like B<--rcheck>, except it will update the \"last seen\" timestamp if it "
+"matches."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1677 original/man8/iptables.8:1584
+#: original/man8/iptables-extensions.8:1092
#, no-wrap
+msgid "[B<!>] B<--remove>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1097
msgid ""
-"B<--datestart> "
-"I<YYYY>[B<->I<MM>[B<->I<DD>[B<T>I<hh>[B<:>I<mm>[B<:>I<ss>]]]]]"
+"Check if the source address of the packet is currently in the list and if so "
+"that address will be removed from the list and the rule will return true. If "
+"the address is not found, false is returned."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1679 original/man8/iptables.8:1586
+#: original/man8/iptables-extensions.8:1097
#, no-wrap
-msgid "B<--datestop> I<YYYY>[B<->I<MM>[B<->I<DD>[B<T>I<hh>[B<:>I<mm>[B<:>I<ss>]]]]]"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:1683 original/man8/iptables.8:1590
-msgid ""
-"Only match during the given time, which must be in ISO 8601 \"T\" notation. "
-"The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07."
+msgid "B<--seconds> I<seconds>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1686 original/man8/iptables.8:1593
+#: original/man8/iptables-extensions.8:1102
msgid ""
-"If --datestart or --datestop are not specified, it will default to "
-"1970-01-01 and 2038-01-19, respectively."
-msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:1686 original/man8/iptables.8:1593
-#, no-wrap
-msgid "B<--timestart> I<hh>B<:>I<mm>[B<:>I<ss>]"
+"This option must be used in conjunction with one of B<--rcheck> or "
+"B<--update>. When used, this will narrow the match to only happen when the "
+"address is in the list and was seen within the last given number of seconds."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1688 original/man8/iptables.8:1595
+#: original/man8/iptables-extensions.8:1102
#, no-wrap
-msgid "B<--timestop> I<hh>B<:>I<mm>[B<:>I<ss>]"
+msgid "B<--reap>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1693 original/man8/iptables.8:1600
+#: original/man8/iptables-extensions.8:1107
msgid ""
-"Only match during the given daytime. The possible time range is 00:00:00 to "
-"23:59:59. Leading zeroes are allowed (e.g. \"06:03\") and correctly "
-"interpreted as base-10."
+"This option can only be used in conjunction with B<--seconds>. When used, "
+"this will cause entries older than the last given number of seconds to be "
+"purged."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1693 original/man8/iptables.8:1600
+#: original/man8/iptables-extensions.8:1107
#, no-wrap
-msgid "[B<!>] B<--monthdays> I<day>[B<,>I<day>...]"
+msgid "B<--hitcount> I<hits>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1699 original/man8/iptables.8:1606
+#: original/man8/iptables-extensions.8:1117
msgid ""
-"Only match on the given days of the month. Possible values are B<1> to "
-"B<31>. Note that specifying B<31> will of course not match on months which "
-"do not have a 31st day; the same goes for 28- or 29-day February."
+"This option must be used in conjunction with one of B<--rcheck> or "
+"B<--update>. When used, this will narrow the match to only happen when the "
+"address is in the list and packets had been received greater than or equal "
+"to the given value. This option may be used along with B<--seconds> to "
+"create an even narrower match requiring a certain number of hits within a "
+"specific time frame. The maximum value for the hitcount parameter is given "
+"by the \"ip_pkt_list_tot\" parameter of the xt_recent kernel "
+"module. Exceeding this value on the command line will cause the rule to be "
+"rejected."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1699 original/man8/iptables.8:1606
+#: original/man8/iptables-extensions.8:1117
#, no-wrap
-msgid "[B<!>] B<--weekdays> I<day>[B<,>I<day>...]"
+msgid "B<--rttl>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1705 original/man8/iptables.8:1612
+#: original/man8/iptables-extensions.8:1125
msgid ""
-"Only match on the given weekdays. Possible values are B<Mon>, B<Tue>, "
-"B<Wed>, B<Thu>, B<Fri>, B<Sat>, B<Sun>, or values from B<1> to B<7>, "
-"respectively. You may also use two-character variants (B<Mo>, B<Tu>, etc.)."
+"This option may only be used in conjunction with one of B<--rcheck> or "
+"B<--update>. When used, this will narrow the match to only happen when the "
+"address is in the list and the TTL of the current packet matches that of the "
+"packet which hit the B<--set> rule. This may be useful if you have problems "
+"with people faking their source address in order to DoS you via this module "
+"by disallowing others access to your site by sending bogus packets to you."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1705 original/man8/iptables.8:1612
-#, no-wrap
-msgid "B<--kerneltz>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1129
+msgid "iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1709 original/man8/iptables.8:1616
+#: original/man8/iptables-extensions.8:1131
msgid ""
-"Use the kernel timezone instead of UTC to determine whether a packet meets "
-"the time regulations."
+"iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set "
+"-j DROP"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1715 original/man8/iptables.8:1622
+#: original/man8/iptables-extensions.8:1134
msgid ""
-"About kernel timezones: Linux keeps the system time in UTC, and always does "
-"so. On boot, system time is initialized from a referential time "
-"source. Where this time source has no timezone information, such as the x86 "
-"CMOS RTC, UTC will be assumed. If the time source is however not in UTC, "
-"userspace should provide the correct system time and timezone to the kernel "
-"once it has the information."
+"Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/) also "
+"has some examples of usage."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1726 original/man8/iptables.8:1633
+#: original/man8/iptables-extensions.8:1137
msgid ""
-"Local time is a feature on top of the (timezone independent) system "
-"time. Each process has its own idea of local time, specified via the TZ "
-"environment variable. The kernel also has its own timezone offset "
-"variable. The TZ userspace environment variable specifies how the UTC-based "
-"system time is displayed, e.g. when you run date(1), or what you see on your "
-"desktop clock. The TZ string may resolve to different offsets at different "
-"dates, which is what enables the automatic time-jumping in userspace. when "
-"DST changes. The kernel's timezone offset variable is used when it has to "
-"convert between non-UTC sources, such as FAT filesystems, to UTC (since the "
-"latter is what the rest of the system uses)."
+"B</proc/net/xt_recent/*> are the current lists of addresses and information "
+"about each entry of each list."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1735 original/man8/iptables.8:1642
+#: original/man8/iptables-extensions.8:1140
msgid ""
-"The caveat with the kernel timezone is that Linux distributions may ignore "
-"to set the kernel timezone, and instead only set the system time. Even if a "
-"particular distribution does set the timezone at boot, it is usually does "
-"not keep the kernel timezone offset - which is what changes on DST - up to "
-"date. ntpd will not touch the kernel timezone, so running it will not "
-"resolve the issue. As such, one may encounter a timezone that is always "
-"+0000, or one that is wrong half of the time of the year. As such, B<using "
-"--kerneltz is highly discouraged.>"
+"Each file in B</proc/net/xt_recent/> can be read from to see the current "
+"list or written two using the following commands to modify the list:"
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1737 original/man8/iptables.8:1644
-msgid "EXAMPLES. To match on weekends, use:"
+#. type: TP
+#: original/man8/iptables-extensions.8:1140
+#, no-wrap
+msgid "B<echo +>I<addr>B< E<gt>/proc/net/xt_recent/DEFAULT>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1739 original/man8/iptables.8:1646
-msgid "-m time --weekdays Sa,Su"
+#: original/man8/iptables-extensions.8:1143
+msgid "to add I<addr> to the DEFAULT list"
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1143
+#, no-wrap
+msgid "B<echo ->I<addr>B< E<gt>/proc/net/xt_recent/DEFAULT>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1741 original/man8/iptables.8:1648
-msgid "Or, to match (once) on a national holiday block:"
+#: original/man8/iptables-extensions.8:1146
+msgid "to remove I<addr> from the DEFAULT list"
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1146
+#, no-wrap
+msgid "B<echo / E<gt>/proc/net/xt_recent/DEFAULT>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1743 original/man8/iptables.8:1650
-msgid "-m time --datestart 2007-12-24 --datestop 2007-12-27"
+#: original/man8/iptables-extensions.8:1149
+msgid "to flush the DEFAULT list (remove all entries)."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1746 original/man8/iptables.8:1653
-msgid ""
-"Since the stop time is actually inclusive, you would need the following stop "
-"time to not match the first second of the new day:"
+#: original/man8/iptables-extensions.8:1151
+msgid "The module itself accepts parameters, defaults shown:"
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1151
+#, no-wrap
+msgid "B<ip_list_tot>=I<100>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1748 original/man8/iptables.8:1655
-msgid "-m time --datestart 2007-01-01T17:00 --datestop 2007-01-01T23:59:59"
+#: original/man8/iptables-extensions.8:1154
+msgid "Number of addresses remembered per table."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1154
+#, no-wrap
+msgid "B<ip_pkt_list_tot>=I<20>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1750 original/man8/iptables.8:1657
-msgid "During lunch hour:"
+#: original/man8/iptables-extensions.8:1157
+msgid "Number of packets per address remembered."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1157
+#, no-wrap
+msgid "B<ip_list_hash_size>=I<0>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1752 original/man8/iptables.8:1659
-msgid "-m time --timestart 12:30 --timestop 13:30"
+#: original/man8/iptables-extensions.8:1160
+msgid "Hash table size. 0 means to calculate it based on ip_list_tot, default: 512."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1160
+#, no-wrap
+msgid "B<ip_list_perms>=I<0644>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1754 original/man8/iptables.8:1661
-msgid "The fourth Friday in the month:"
+#: original/man8/iptables-extensions.8:1163
+msgid "Permissions for /proc/net/xt_recent/* files."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1163
+#, no-wrap
+msgid "B<ip_list_uid>=I<0>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1756 original/man8/iptables.8:1663
-msgid "-m time --weekdays Fr --monthdays 22,23,24,25,26,27,28"
+#: original/man8/iptables-extensions.8:1166
+msgid "Numerical UID for ownership of /proc/net/xt_recent/* files."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1166
+#, no-wrap
+msgid "B<ip_list_gid>=I<0>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1760 original/man8/iptables.8:1667
-msgid ""
-"(Note that this exploits a certain mathematical property. It is not possible "
-"to say \"fourth Thursday OR fourth Friday\" in one rule. It is possible with "
-"multiple rules, though.)"
+#: original/man8/iptables-extensions.8:1169
+msgid "Numerical GID for ownership of /proc/net/xt_recent/* files."
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:1760 original/man8/iptables.8:1667
+#: original/man8/iptables-extensions.8:1169
#, no-wrap
-msgid "tos"
+msgid "rpfilter"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1764 original/man8/iptables.8:1671
+#: original/man8/iptables-extensions.8:1178
msgid ""
-"This module matches the 8-bit Type of Service field in the IPv4 header "
-"(i.e. including the \"Precedence\" bits) or the (also 8-bit) Priority field "
-"in the IPv6 header."
+"Performs a reverse path filter test on a packet. If a reply to the packet "
+"would be sent via the same interface that the packet arrived on, the packet "
+"will match. Note that, unlike the in-kernel rp_filter, packets protected by "
+"IPSec are not treated specially. Combine this match with the policy match "
+"if you want this. Also, packets arriving via the loopback interface are "
+"always permitted. This match can only be used in the PREROUTING chain of "
+"the raw or mangle table."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1764 original/man8/iptables.8:1671
+#: original/man8/iptables-extensions.8:1178
#, no-wrap
-msgid "[B<!>] B<--tos> I<value>[B</>I<mask>]"
+msgid "B<--loose>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1768 original/man8/iptables.8:1675
+#: original/man8/iptables-extensions.8:1182
msgid ""
-"Matches packets with the given TOS mark value. If a mask is specified, it is "
-"logically ANDed with the TOS mark before the comparison."
+"Used to specifiy that the reverse path filter test should match even if the "
+"selected output device is not the expected one."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1768 original/man8/iptables.8:1675
+#: original/man8/iptables-extensions.8:1182
#, no-wrap
-msgid "[B<!>] B<--tos> I<symbol>"
+msgid "B<--validmark>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1773 original/man8/iptables.8:1680
+#: original/man8/iptables-extensions.8:1185
msgid ""
-"You can specify a symbolic name when using the tos match for IPv4. The list "
-"of recognized TOS names can be obtained by calling iptables with B<-m tos "
-"-h>. Note that this implies a mask of 0x3F, i.e. all but the ECN bits."
+"Also use the packets' nfmark value when performing the reverse path route "
+"lookup."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:1773 original/man8/iptables.8:1691
+#. type: TP
+#: original/man8/iptables-extensions.8:1185
#, no-wrap
-msgid "u32"
+msgid "B<--accept-local>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1777 original/man8/iptables.8:1695
+#: original/man8/iptables-extensions.8:1189
msgid ""
-"U32 tests whether quantities of up to 4 bytes extracted from a packet have "
-"specified values. The specification of what to extract is general enough to "
-"find data at given offsets from tcp headers or payloads."
+"This will permit packets arriving from the network with a source address "
+"that is also assigned to the local machine."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1777 original/man8/iptables.8:1695
+#: original/man8/iptables-extensions.8:1189
#, no-wrap
-msgid "[B<!>] B<--u32> I<tests>"
+msgid "B<--invert>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1780 original/man8/iptables.8:1698
-msgid "The argument amounts to a program in a small language described below."
+#: original/man8/iptables-extensions.8:1193
+msgid ""
+"This will invert the sense of the match. Instead of matching packets that "
+"passed the reverse path filter test, match those that have failed it."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1782 original/man8/iptables.8:1700
-msgid "tests := location \"=\" value | tests \"&&\" location \"=\" value"
+#: original/man8/iptables-extensions.8:1195
+msgid "Example to log and drop packets failing the reverse path filter test:"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1784 original/man8/iptables.8:1702
-msgid "value := range | value \",\" range"
+#: original/man8/iptables-extensions.8:1197
+msgid "iptables -t raw -N RPFILTER"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1786 original/man8/iptables.8:1704
-msgid "range := number | number \":\" number"
+#: original/man8/iptables-extensions.8:1199
+msgid "iptables -t raw -A RPFILTER -m rpfilter -j RETURN"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1789 original/man8/iptables.8:1707
+#: original/man8/iptables-extensions.8:1201
msgid ""
-"a single number, I<n>, is interpreted the same as I<n:n>. I<n:m> is "
-"interpreted as the range of numbers B<E<gt>=n> and B<E<lt>=m>."
+"iptables -t raw -A RPFILTER -m limit --limit 10/minute -j NFLOG "
+"--nflog-prefix \"rpfilter drop\""
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1791 original/man8/iptables.8:1709
-msgid "location := number | location operator number"
+#: original/man8/iptables-extensions.8:1203
+msgid "iptables -t raw -A RPFILTER -j DROP"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1793 original/man8/iptables.8:1711
-msgid "operator := \"&\" | \"E<lt>E<lt>\" | \"E<gt>E<gt>\" | \"@\""
+#: original/man8/iptables-extensions.8:1205
+msgid "iptables -t raw -A PREROUTING -j RPFILTER"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1798 original/man8/iptables.8:1716
-msgid ""
-"The operators B<&>, B<E<lt>E<lt>>, B<E<gt>E<gt>> and B<&&> mean the same as "
-"in C. The B<=> is really a set membership operator and the value syntax "
-"describes a set. The B<@> operator is what allows moving to the next header "
-"and is described further below."
+#: original/man8/iptables-extensions.8:1207
+msgid "Example to drop failed packets, without logging:"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1801 original/man8/iptables.8:1719
-msgid ""
-"There are currently some artificial implementation limits on the size of the "
-"tests:"
+#: original/man8/iptables-extensions.8:1209
+msgid "iptables -t raw -A RPFILTER -m rpfilter --invert -j DROP"
msgstr ""
-#. type: IP
-#: original/man8/ip6tables.8:1801 original/man8/ip6tables.8:1803 original/man8/ip6tables.8:1805 original/man8/iptables.8:1719 original/man8/iptables.8:1721 original/man8/iptables.8:1723
+#. type: SS
+#: original/man8/iptables-extensions.8:1209
#, no-wrap
-msgid " *"
+msgid "rt (IPv6-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1803 original/man8/iptables.8:1721
-msgid "no more than 10 of \"B<=>\" (and 9 \"B<&&>\"s) in the u32 argument"
+#: original/man8/iptables-extensions.8:1211
+msgid "Match on IPv6 routing header"
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1805 original/man8/iptables.8:1723
-msgid "no more than 10 ranges (and 9 commas) per value"
+#. type: TP
+#: original/man8/iptables-extensions.8:1211
+#, no-wrap
+msgid "[B<!>] B<--rt-type> I<type>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1807 original/man8/iptables.8:1725
-msgid "no more than 10 numbers (and 9 operators) per location"
+#: original/man8/iptables-extensions.8:1214
+msgid "Match the type (numeric)."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1810 original/man8/iptables.8:1728
-msgid ""
-"To describe the meaning of location, imagine the following machine that "
-"interprets it. There are three registers:"
+#. type: TP
+#: original/man8/iptables-extensions.8:1214
+#, no-wrap
+msgid "[B<!>] B<--rt-segsleft> I<num>[B<:>I<num>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1812 original/man8/iptables.8:1730
-msgid "A is of type B<char *>, initially the address of the IP header"
+#: original/man8/iptables-extensions.8:1217
+msgid "Match the `segments left' field (range)."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1814 original/man8/iptables.8:1732
-msgid "B and C are unsigned 32 bit integers, initially zero"
+#. type: TP
+#: original/man8/iptables-extensions.8:1217
+#, no-wrap
+msgid "[B<!>] B<--rt-len> I<length>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1816 original/man8/iptables.8:1734
-msgid "The instructions are:"
+#: original/man8/iptables-extensions.8:1220
+msgid "Match the length of this header."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1818 original/man8/iptables.8:1736
-msgid "number B = number;"
+#. type: TP
+#: original/man8/iptables-extensions.8:1220
+#, no-wrap
+msgid "B<--rt-0-res>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1820 original/man8/iptables.8:1738
-msgid ""
-"C = (*(A+B)E<lt>E<lt>24) + (*(A+B+1)E<lt>E<lt>16) + (*(A+B+2)E<lt>E<lt>8) + "
-"*(A+B+3)"
+#: original/man8/iptables-extensions.8:1223
+msgid "Match the reserved field, too (type=0)"
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1822 original/man8/iptables.8:1740
-msgid "&number C = C & number"
+#. type: TP
+#: original/man8/iptables-extensions.8:1223
+#, no-wrap
+msgid "B<--rt-0-addrs> I<addr>[B<,>I<addr>...]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1824 original/man8/iptables.8:1742
-msgid "E<lt>E<lt> number C = C E<lt>E<lt> number"
+#: original/man8/iptables-extensions.8:1226
+msgid "Match type=0 addresses (list)."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1826 original/man8/iptables.8:1744
-msgid "E<gt>E<gt> number C = C E<gt>E<gt> number"
+#. type: TP
+#: original/man8/iptables-extensions.8:1226
+#, no-wrap
+msgid "B<--rt-0-not-strict>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1828 original/man8/iptables.8:1746
-msgid "@number A = A + C; then do the instruction number"
+#: original/man8/iptables-extensions.8:1229
+msgid "List of type=0 addresses is not a strict list."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1831 original/man8/iptables.8:1749
-msgid ""
-"Any access of memory outside [skb-E<gt>data,skb-E<gt>end] causes the match "
-"to fail. Otherwise the result of the computation is the final value of C."
+#. type: SS
+#: original/man8/iptables-extensions.8:1229
+#, no-wrap
+msgid "sctp"
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1835 original/man8/iptables.8:1753
+#. type: TP
+#: original/man8/iptables-extensions.8:1234
+#, no-wrap
msgid ""
-"Whitespace is allowed but not required in the tests. However, the characters "
-"that do occur there are likely to require shell quoting, so it is a good "
-"idea to enclose the arguments in quotes."
+"[B<!>] B<--chunk-types> {B<all>|B<any>|B<only>} I<chunktype>[B<:>I<flags>] "
+"[...]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1839 original/man8/iptables.8:1757
-msgid "match IP packets with total length E<gt>= 256"
+#: original/man8/iptables-extensions.8:1238
+msgid ""
+"The flag letter in upper case indicates that the flag is to match if set, in "
+"the lower case indicates to match if unset."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1841 original/man8/iptables.8:1759
-msgid "The IP header contains a total length field in bytes 2-3."
+#: original/man8/iptables-extensions.8:1240
+msgid ""
+"Chunk types: DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN "
+"SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE "
+"ASCONF ASCONF_ACK FORWARD_TSN"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1843 original/man8/iptables.8:1761
-msgid "--u32 \"B<0 & 0xFFFF = 0x100:0xFFFF>\""
+#: original/man8/iptables-extensions.8:1242
+msgid "chunk type available flags"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1845 original/man8/iptables.8:1763
-msgid "read bytes 0-3"
+#: original/man8/iptables-extensions.8:1244
+msgid "DATA I U B E i u b e"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1848 original/man8/iptables.8:1766
-msgid ""
-"AND that with 0xFFFF (giving bytes 2-3), and test whether that is in the "
-"range [0x100:0xFFFF]"
+#: original/man8/iptables-extensions.8:1246
+msgid "ABORT T t"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1850 original/man8/iptables.8:1768
-msgid "Example: (more realistic, hence more complicated)"
+#: original/man8/iptables-extensions.8:1248
+msgid "SHUTDOWN_COMPLETE T t"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1852 original/man8/iptables.8:1770
-msgid "match ICMP packets with icmp type 0"
+#: original/man8/iptables-extensions.8:1250
+msgid "(lowercase means flag should be \"off\", uppercase means \"on\")"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1854 original/man8/iptables.8:1772
-msgid "First test that it is an ICMP packet, true iff byte 9 (protocol) = 1"
+#: original/man8/iptables-extensions.8:1254
+msgid "iptables -A INPUT -p sctp --dport 80 -j DROP"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1856 original/man8/iptables.8:1774
-msgid "--u32 \"B<6 & 0xFF = 1 &&> ..."
+#: original/man8/iptables-extensions.8:1256
+msgid "iptables -A INPUT -p sctp --chunk-types any DATA,INIT -j DROP"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1863 original/man8/iptables.8:1781
-msgid ""
-"read bytes 6-9, use B<&> to throw away bytes 6-8 and compare the result to "
-"1. Next test that it is not a fragment. (If so, it might be part of such a "
-"packet but we cannot always tell.) N.B.: This test is generally needed if "
-"you want to match anything beyond the IP header. The last 6 bits of byte 6 "
-"and all of byte 7 are 0 iff this is a complete packet (not a "
-"fragment). Alternatively, you can allow first fragments by only testing the "
-"last 5 bits of byte 6."
+#: original/man8/iptables-extensions.8:1258
+msgid "iptables -A INPUT -p sctp --chunk-types any DATA:Be -j ACCEPT"
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1865 original/man8/iptables.8:1783
-msgid "... B<4 & 0x3FFF = 0 &&> ..."
+#. type: SS
+#: original/man8/iptables-extensions.8:1258
+#, no-wrap
+msgid "set"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1869 original/man8/iptables.8:1787
-msgid ""
-"Last test: the first byte past the IP header (the type) is 0. This is where "
-"we have to use the @syntax. The length of the IP header (IHL) in 32 bit "
-"words is stored in the right half of byte 0 of the IP header itself."
+#: original/man8/iptables-extensions.8:1260
+msgid "This module matches IP sets which can be defined by ipset(8)."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1871 original/man8/iptables.8:1789
-msgid "... B<0 E<gt>E<gt> 22 & 0x3C @ 0 E<gt>E<gt> 24 = 0>\""
+#. type: TP
+#: original/man8/iptables-extensions.8:1260
+#, no-wrap
+msgid "[B<!>] B<--match-set> I<setname> I<flag>[B<,>I<flag>]..."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1883 original/man8/iptables.8:1801
+#: original/man8/iptables-extensions.8:1267
msgid ""
-"The first 0 means read bytes 0-3, B<E<gt>E<gt>22> means shift that 22 bits "
-"to the right. Shifting 24 bits would give the first byte, so only 22 bits is "
-"four times that plus a few more bits. B<&3C> then eliminates the two extra "
-"bits on the right and the first four bits of the first byte. For instance, "
-"if IHL=5, then the IP header is 20 (4 x 5) bytes long. In this case, bytes "
-"0-1 are (in binary) xxxx0101 yyzzzzzz, B<E<gt>E<gt>22> gives the 10 bit "
-"value xxxx0101yy and B<&3C> gives 010100. B<@> means to use this number as a "
-"new offset into the packet, and read four bytes starting from there. This is "
-"the first 4 bytes of the ICMP payload, of which byte 0 is the ICMP "
-"type. Therefore, we simply shift the value 24 to the right to throw out all "
-"but the first byte and compare the result with 0."
+"where flags are the comma separated list of B<src> and/or B<dst> "
+"specifications and there can be no more than six of them. Hence the command"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1887 original/man8/iptables.8:1805
-msgid "TCP payload bytes 8-12 is any of 1, 2, 5 or 8"
+#: original/man8/iptables-extensions.8:1269
+#, no-wrap
+msgid " iptables -A FORWARD -m set --match-set test src,dst\n"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1889 original/man8/iptables.8:1807
-msgid "First we test that the packet is a tcp packet (similar to ICMP)."
+#: original/man8/iptables-extensions.8:1275
+msgid ""
+"will match packets, for which (if the set type is ipportmap) the source "
+"address and destination port pair can be found in the specified set. If the "
+"set type of the specified set is single dimension (for example ipmap), then "
+"the command will match packets for which the source address can be found in "
+"the specified set."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1891 original/man8/iptables.8:1809
-msgid "--u32 \"B<6 & 0xFF = 6 &&> ..."
+#. type: TP
+#: original/man8/iptables-extensions.8:1275
+#, no-wrap
+msgid "B<--return--nomatch>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1893 original/man8/iptables.8:1811
-msgid "Next, test that it is not a fragment (same as above)."
+#: original/man8/iptables-extensions.8:1281
+msgid ""
+"If the B<--return--nomatch> option is specified and the set type supports "
+"the B<nomatch> flag, then the matching is reversed: a match with an element "
+"flagged with B<nomatch> returns B<true>, while a match with a plain element "
+"returns B<false>."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1895 original/man8/iptables.8:1813
-msgid "... B<0 E<gt>E<gt> 22 & 0x3C @ 12 E<gt>E<gt> 26 & 0x3C @ 8 = 1,2,5,8>\""
+#: original/man8/iptables-extensions.8:1284
+msgid ""
+"The option B<--match-set> can be replaced by B<--set> if that does not clash "
+"with an option of other extensions."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1903 original/man8/iptables.8:1821
+#: original/man8/iptables-extensions.8:1287
msgid ""
-"B<0E<gt>E<gt>22&3C> as above computes the number of bytes in the IP "
-"header. B<@> makes this the new offset into the packet, which is the start "
-"of the TCP header. The length of the TCP header (again in 32 bit words) is "
-"the left half of byte 12 of the TCP header. The B<12E<gt>E<gt>26&3C> "
-"computes this length in bytes (similar to the IP header before). \"@\" makes "
-"this the new offset, which is the start of the TCP payload. Finally, 8 reads "
-"bytes 8-12 of the payload and B<=> checks whether the result is any of 1, 2, "
-"5 or 8."
+"Use of -m set requires that ipset kernel support is provided, which, for "
+"standard kernels, is the case since Linux 2.6.39."
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:1903 original/man8/iptables.8:1821
+#: original/man8/iptables-extensions.8:1287
#, no-wrap
-msgid "udp"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:1906 original/man8/iptables.8:1824
-msgid ""
-"These extensions can be used if `--protocol udp' is specified. It provides "
-"the following options:"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:1912 original/man8/iptables.8:1830
-msgid ""
-"Source port or port range specification. See the description of the "
-"B<--source-port> option of the TCP extension for details."
+msgid "socket"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1918 original/man8/iptables.8:1836
+#: original/man8/iptables-extensions.8:1290
msgid ""
-"Destination port or port range specification. See the description of the "
-"B<--destination-port> option of the TCP extension for details."
+"This matches if an open socket can be found by doing a socket lookup on the "
+"packet."
msgstr ""
-#. type: SH
-#: original/man8/ip6tables.8:1918 original/man8/iptables.8:1839
+#. type: TP
+#: original/man8/iptables-extensions.8:1290
#, no-wrap
-msgid "TARGET EXTENSIONS"
+msgid "B<--transparent>"
msgstr ""
-#. @TARGET@
#. type: Plain text
-#: original/man8/ip6tables.8:1922
-msgid ""
-"ip6tables can use extended target modules: the following are included in the "
-"standard distribution."
+#: original/man8/iptables-extensions.8:1293
+msgid "Ignore non-transparent sockets."
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:1922 original/man8/iptables.8:1843
+#: original/man8/iptables-extensions.8:1293
#, no-wrap
-msgid "AUDIT"
+msgid "state"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1926 original/man8/iptables.8:1847
+#: original/man8/iptables-extensions.8:1296
msgid ""
-"This target allows to create audit records for packets hitting the target. "
-"It can be used to record accepted, dropped, and rejected packets. See "
-"auditd(8) for additional details."
+"The \"state\" extension is a subset of the \"conntrack\" module. \"state\" "
+"allows access to the connection tracking state for this packet."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1926 original/man8/iptables.8:1847
+#: original/man8/iptables-extensions.8:1296
#, no-wrap
-msgid "B<--type> {B<accept>|B<drop>|B<reject>}"
+msgid "[B<!>] B<--state> I<state>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1929 original/man8/iptables.8:1850
-msgid "Set type of audit record."
+#: original/man8/iptables-extensions.8:1302
+msgid ""
+"Where state is a comma separated list of the connection states to "
+"match. Only a subset of the states unterstood by \"conntrack\" are "
+"recognized: B<INVALID>, B<ESTABLISHED>, B<NEW>, B<RELATED> or "
+"B<UNTRACKED>. For their description, see the \"conntrack\" heading in this "
+"manpage."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1933 original/man8/iptables.8:1854
-msgid "iptables -N AUDIT_DROP"
+#. type: SS
+#: original/man8/iptables-extensions.8:1302
+#, no-wrap
+msgid "statistic"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1935 original/man8/iptables.8:1856
-msgid "iptables -A AUDIT_DROP -j AUDIT --type drop"
+#: original/man8/iptables-extensions.8:1307
+msgid ""
+"This module matches packets based on some statistic condition. It supports "
+"two distinct modes settable with the B<--mode> option."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1937 original/man8/iptables.8:1858
-msgid "iptables -A AUDIT_DROP -j DROP"
+#: original/man8/iptables-extensions.8:1309
+msgid "Supported options:"
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:1937 original/man8/iptables.8:1858
+#. type: TP
+#: original/man8/iptables-extensions.8:1309
#, no-wrap
-msgid "CHECKSUM"
+msgid "B<--mode> I<mode>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1940 original/man8/iptables.8:1861
+#: original/man8/iptables-extensions.8:1315
msgid ""
-"This target allows to selectively work around broken/old applications. It "
-"can only be used in the mangle table."
+"Set the matching mode of the matching rule, supported modes are B<random> "
+"and B<nth.>"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1940 original/man8/iptables.8:1861
+#: original/man8/iptables-extensions.8:1315
#, no-wrap
-msgid "B<--checksum-fill>"
+msgid "[B<!>] B<--probability> I<p>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1946 original/man8/iptables.8:1867
+#: original/man8/iptables-extensions.8:1320
msgid ""
-"Compute and fill in the checksum in a packet that lacks a checksum. This is "
-"particularly useful, if you need to work around old applications such as "
-"dhcp clients, that do not work well with checksum offloads, but don't want "
-"to disable checksum offload in your device."
+"Set the probability for a packet to be randomly matched. It only works with "
+"the B<random> mode. I<p> must be within 0.0 and 1.0. The supported "
+"granularity is in 1/2147483648th increments."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:1946 original/man8/iptables.8:1867
+#. type: TP
+#: original/man8/iptables-extensions.8:1320
#, no-wrap
-msgid "CLASSIFY"
+msgid "[B<!>] B<--every> I<n>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1948 original/man8/iptables.8:1869
+#: original/man8/iptables-extensions.8:1327
msgid ""
-"This module allows you to set the skb-E<gt>priority value (and thus classify "
-"the packet into a specific CBQ class)."
+"Match one packet every nth packet. It works only with the B<nth> mode (see "
+"also the B<--packet> option)."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1948 original/man8/iptables.8:1869
+#: original/man8/iptables-extensions.8:1327
#, no-wrap
-msgid "B<--set-class> I<major>B<:>I<minor>"
+msgid "B<--packet> I<p>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1952 original/man8/iptables.8:1873
+#: original/man8/iptables-extensions.8:1332
msgid ""
-"Set the major and minor class value. The values are always interpreted as "
-"hexadecimal even if no 0x prefix is given."
+"Set the initial counter value (0 E<lt>= p E<lt>= n-1, default 0) for the "
+"B<nth> mode."
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:1952 original/man8/iptables.8:1898
+#: original/man8/iptables-extensions.8:1332
#, no-wrap
-msgid "CONNMARK"
+msgid "string"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1955 original/man8/iptables.8:1901
+#: original/man8/iptables-extensions.8:1334
msgid ""
-"This module sets the netfilter mark value associated with a connection. The "
-"mark is 32 bits wide."
+"This modules matches a given string by using some pattern matching "
+"strategy. It requires a linux kernel E<gt>= 2.6.14."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1955 original/man8/ip6tables.8:2138 original/man8/iptables.8:1901 original/man8/iptables.8:2114
+#: original/man8/iptables-extensions.8:1334
#, no-wrap
-msgid "B<--set-xmark> I<value>[B</>I<mask>]"
+msgid "B<--algo> {B<bm>|B<kmp>}"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1958 original/man8/iptables.8:1904
-msgid "Zero out the bits given by I<mask> and XOR I<value> into the ctmark."
+#: original/man8/iptables-extensions.8:1337
+msgid ""
+"Select the pattern matching strategy. (bm = Boyer-Moore, kmp = "
+"Knuth-Pratt-Morris)"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1958 original/man8/iptables.8:1904
+#: original/man8/iptables-extensions.8:1337
#, no-wrap
-msgid "B<--save-mark> [B<--nfmask> I<nfmask>] [B<--ctmask> I<ctmask>]"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:1962 original/man8/iptables.8:1908
-msgid ""
-"Copy the packet mark (nfmark) to the connection mark (ctmark) using the "
-"given masks. The new nfmark value is determined as follows:"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:1964 original/man8/iptables.8:1910
-msgid "ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)"
+msgid "B<--from> I<offset>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1968 original/man8/iptables.8:1914
+#: original/man8/iptables-extensions.8:1340
msgid ""
-"i.e. I<ctmask> defines what bits to clear and I<nfmask> what bits of the "
-"nfmark to XOR into the ctmark. I<ctmask> and I<nfmask> default to "
-"0xFFFFFFFF."
+"Set the offset from which it starts looking for any matching. If not passed, "
+"default is 0."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1968 original/man8/iptables.8:1914
+#: original/man8/iptables-extensions.8:1340
#, no-wrap
-msgid "B<--restore-mark> [B<--nfmask> I<nfmask>] [B<--ctmask> I<ctmask>]"
+msgid "B<--to> I<offset>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1972 original/man8/iptables.8:1918
+#: original/man8/iptables-extensions.8:1345
msgid ""
-"Copy the connection mark (ctmark) to the packet mark (nfmark) using the "
-"given masks. The new ctmark value is determined as follows:"
+"Set the offset up to which should be scanned. That is, byte I<offset>-1 "
+"(counting from 0) is the last one that is scanned. If not passed, default "
+"is the packet size."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1974 original/man8/iptables.8:1920
-msgid "nfmark = (nfmark & ~I<nfmask>) ^ (ctmark & I<ctmask>);"
+#. type: TP
+#: original/man8/iptables-extensions.8:1345
+#, no-wrap
+msgid "[B<!>] B<--string> I<pattern>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1978 original/man8/iptables.8:1924
-msgid ""
-"i.e. I<nfmask> defines what bits to clear and I<ctmask> what bits of the "
-"ctmark to XOR into the nfmark. I<ctmask> and I<nfmask> default to "
-"0xFFFFFFFF."
+#: original/man8/iptables-extensions.8:1348
+msgid "Matches the given pattern."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1980 original/man8/iptables.8:1926
-msgid "B<--restore-mark> is only valid in the B<mangle> table."
+#. type: TP
+#: original/man8/iptables-extensions.8:1348
+#, no-wrap
+msgid "[B<!>] B<--hex-string> I<pattern>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1982 original/man8/iptables.8:1928
-msgid "The following mnemonics are available for B<--set-xmark>:"
+#: original/man8/iptables-extensions.8:1351
+msgid "Matches the given pattern in hex notation."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1982 original/man8/ip6tables.8:2148 original/man8/iptables.8:1928 original/man8/iptables.8:2124
+#. type: SS
+#: original/man8/iptables-extensions.8:1351
#, no-wrap
-msgid "B<--and-mark> I<bits>"
+msgid "tcp"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1986 original/man8/iptables.8:1932
+#: original/man8/iptables-extensions.8:1354
msgid ""
-"Binary AND the ctmark with I<bits>. (Mnemonic for B<--set-xmark "
-"0/>I<invbits>, where I<invbits> is the binary negation of I<bits>.)"
+"These extensions can be used if `--protocol tcp' is specified. It provides "
+"the following options:"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1986 original/man8/ip6tables.8:2152 original/man8/iptables.8:1932 original/man8/iptables.8:2128
-#, no-wrap
-msgid "B<--or-mark> I<bits>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1365
+msgid ""
+"Source port or port range specification. This can either be a service name "
+"or a port number. An inclusive range can also be specified, using the format "
+"I<first>B<:>I<last>. If the first port is omitted, \"0\" is assumed; if the "
+"last is omitted, \"65535\" is assumed. If the first port is greater than "
+"the second one they will be swapped. The flag B<--sport> is a convenient "
+"alias for this option."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1990 original/man8/iptables.8:1936
+#: original/man8/iptables-extensions.8:1370
msgid ""
-"Binary OR the ctmark with I<bits>. (Mnemonic for B<--set-xmark> "
-"I<bits>B</>I<bits>.)"
+"Destination port or port range specification. The flag B<--dport> is a "
+"convenient alias for this option."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1990 original/man8/ip6tables.8:2156 original/man8/iptables.8:1936 original/man8/iptables.8:2132
+#: original/man8/iptables-extensions.8:1370
#, no-wrap
-msgid "B<--xor-mark> I<bits>"
+msgid "[B<!>] B<--tcp-flags> I<mask> I<comp>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1994 original/man8/iptables.8:1940
+#: original/man8/iptables-extensions.8:1378
msgid ""
-"Binary XOR the ctmark with I<bits>. (Mnemonic for B<--set-xmark> "
-"I<bits>B</0>.)"
+"Match when the TCP flags are as specified. The first argument I<mask> is "
+"the flags which we should examine, written as a comma-separated list, and "
+"the second argument I<comp> is a comma-separated list of flags which must be "
+"set. Flags are: B<SYN ACK FIN RST URG PSH ALL NONE>. Hence the command"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1994 original/man8/ip6tables.8:2142 original/man8/iptables.8:1940 original/man8/iptables.8:2118
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1380
#, no-wrap
-msgid "B<--set-mark> I<value>[B</>I<mask>]"
+msgid " iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN\n"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1998 original/man8/iptables.8:1944
+#: original/man8/iptables-extensions.8:1383
msgid ""
-"Set the connection mark. If a mask is specified then only those bits set in "
-"the mask are modified."
+"will only match packets with the SYN flag set, and the ACK, FIN and RST "
+"flags unset."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1998 original/man8/iptables.8:1944
+#: original/man8/iptables-extensions.8:1383
#, no-wrap
-msgid "B<--save-mark> [B<--mask> I<mask>]"
+msgid "[B<!>] B<--syn>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2002 original/man8/iptables.8:1948
+#: original/man8/iptables-extensions.8:1393
msgid ""
-"Copy the nfmark to the ctmark. If a mask is specified, only those bits are "
-"copied."
+"Only match TCP packets with the SYN bit set and the ACK,RST and FIN bits "
+"cleared. Such packets are used to request TCP connection initiation; for "
+"example, blocking such packets coming in an interface will prevent incoming "
+"TCP connections, but outgoing TCP connections will be unaffected. It is "
+"equivalent to B<--tcp-flags SYN,RST,ACK,FIN SYN>. If the \"!\" flag "
+"precedes the \"--syn\", the sense of the option is inverted."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:2002 original/man8/iptables.8:1948
+#: original/man8/iptables-extensions.8:1393
#, no-wrap
-msgid "B<--restore-mark> [B<--mask> I<mask>]"
+msgid "[B<!>] B<--tcp-option> I<number>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2006 original/man8/iptables.8:1952
-msgid ""
-"Copy the ctmark to the nfmark. If a mask is specified, only those bits are "
-"copied. This is only valid in the B<mangle> table."
+#: original/man8/iptables-extensions.8:1396
+msgid "Match if TCP option set."
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:2006 original/man8/iptables.8:1952
+#: original/man8/iptables-extensions.8:1396
#, no-wrap
-msgid "CONNSECMARK"
+msgid "tcpmss"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2016 original/man8/iptables.8:1962
+#: original/man8/iptables-extensions.8:1398
msgid ""
-"This module copies security markings from packets to connections (if "
-"unlabeled), and from connections back to packets (also only if unlabeled). "
-"Typically used in conjunction with SECMARK, it is valid in the B<security> "
-"table (for backwards compatibility with older kernels, it is also valid in "
-"the B<mangle> table)."
+"This matches the TCP MSS (maximum segment size) field of the TCP header. "
+"You can only use this on TCP SYN or SYN/ACK packets, since the MSS is only "
+"negotiated during the TCP handshake at connection startup time."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:2016 original/man8/iptables.8:1962
+#: original/man8/iptables-extensions.8:1398
#, no-wrap
-msgid "B<--save>"
+msgid "[B<!>] B<--mss> I<value>[B<:>I<value>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2020 original/man8/iptables.8:1966
-msgid ""
-"If the packet has a security marking, copy it to the connection if the "
-"connection is not marked."
+#: original/man8/iptables-extensions.8:1401
+msgid "Match a given TCP MSS value or range."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2020 original/man8/iptables.8:1966
+#. type: SS
+#: original/man8/iptables-extensions.8:1401
#, no-wrap
-msgid "B<--restore>"
+msgid "time"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2024 original/man8/iptables.8:1970
+#: original/man8/iptables-extensions.8:1405
msgid ""
-"If the packet does not have a security marking, and the connection does, "
-"copy the security marking from the connection to the packet."
+"This matches if the packet arrival time/date is within a given range. All "
+"options are optional, but are ANDed when specified. All times are "
+"interpreted as UTC by default."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:2025 original/man8/iptables.8:1971
+#. type: TP
+#: original/man8/iptables-extensions.8:1405
#, no-wrap
-msgid "CT"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:2030 original/man8/iptables.8:1976
msgid ""
-"The CT target allows to set parameters for a packet or its associated "
-"connection. The target attaches a \"template\" connection tracking entry to "
-"the packet, which is then used by the conntrack core when initializing a new "
-"ct entry. This target is thus only valid in the \"raw\" table."
+"B<--datestart> "
+"I<YYYY>[B<->I<MM>[B<->I<DD>[B<T>I<hh>[B<:>I<mm>[B<:>I<ss>]]]]]"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:2030 original/man8/iptables.8:1976
+#: original/man8/iptables-extensions.8:1407
#, no-wrap
-msgid "B<--notrack>"
+msgid "B<--datestop> I<YYYY>[B<->I<MM>[B<->I<DD>[B<T>I<hh>[B<:>I<mm>[B<:>I<ss>]]]]]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2033 original/man8/iptables.8:1979
-msgid "Disables connection tracking for this packet."
-msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:2033 original/man8/iptables.8:1979
-#, no-wrap
-msgid "B<--helper> I<name>"
+#: original/man8/iptables-extensions.8:1411
+msgid ""
+"Only match during the given time, which must be in ISO 8601 \"T\" notation. "
+"The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2037 original/man8/iptables.8:1983
+#: original/man8/iptables-extensions.8:1414
msgid ""
-"Use the helper identified by I<name> for the connection. This is more "
-"flexible than loading the conntrack helper modules with preset ports."
+"If --datestart or --datestop are not specified, it will default to "
+"1970-01-01 and 2038-01-19, respectively."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:2037 original/man8/iptables.8:1983
+#: original/man8/iptables-extensions.8:1414
#, no-wrap
-msgid "B<--ctevents> I<event>[B<,>...]"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:2043 original/man8/iptables.8:1989
-msgid ""
-"Only generate the specified conntrack events for this connection. Possible "
-"event types are: B<new>, B<related>, B<destroy>, B<reply>, B<assured>, "
-"B<protoinfo>, B<helper>, B<mark> (this refers to the ctmark, not nfmark), "
-"B<natseqinfo>, B<secmark> (ctsecmark)."
+msgid "B<--timestart> I<hh>B<:>I<mm>[B<:>I<ss>]"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:2043 original/man8/iptables.8:1989
+#: original/man8/iptables-extensions.8:1416
#, no-wrap
-msgid "B<--expevents> I<event>[B<,>...]"
+msgid "B<--timestop> I<hh>B<:>I<mm>[B<:>I<ss>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2047 original/man8/iptables.8:1993
+#: original/man8/iptables-extensions.8:1421
msgid ""
-"Only generate the specified expectation events for this connection. "
-"Possible event types are: B<new>."
+"Only match during the given daytime. The possible time range is 00:00:00 to "
+"23:59:59. Leading zeroes are allowed (e.g. \"06:03\") and correctly "
+"interpreted as base-10."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:2047 original/man8/iptables.8:1993
+#: original/man8/iptables-extensions.8:1421
#, no-wrap
-msgid "B<--zone> I<id>"
+msgid "[B<!>] B<--monthdays> I<day>[B<,>I<day>...]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2051 original/man8/iptables.8:1997
+#: original/man8/iptables-extensions.8:1427
msgid ""
-"Assign this packet to zone I<id> and only have lookups done in that zone. "
-"By default, packets have zone 0."
+"Only match on the given days of the month. Possible values are B<1> to "
+"B<31>. Note that specifying B<31> will of course not match on months which "
+"do not have a 31st day; the same goes for 28- or 29-day February."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:2051 original/man8/iptables.8:2037
+#. type: TP
+#: original/man8/iptables-extensions.8:1427
#, no-wrap
-msgid "DSCP"
+msgid "[B<!>] B<--weekdays> I<day>[B<,>I<day>...]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2055 original/man8/iptables.8:2041
+#: original/man8/iptables-extensions.8:1433
msgid ""
-"This target allows to alter the value of the DSCP bits within the TOS header "
-"of the IPv4 packet. As this manipulates a packet, it can only be used in "
-"the mangle table."
+"Only match on the given weekdays. Possible values are B<Mon>, B<Tue>, "
+"B<Wed>, B<Thu>, B<Fri>, B<Sat>, B<Sun>, or values from B<1> to B<7>, "
+"respectively. You may also use two-character variants (B<Mo>, B<Tu>, etc.)."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:2055 original/man8/iptables.8:2041
+#: original/man8/iptables-extensions.8:1433
#, no-wrap
-msgid "B<--set-dscp> I<value>"
+msgid "B<--contiguous>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2058 original/man8/iptables.8:2044
-msgid "Set the DSCP field to a numerical value (can be decimal or hex)"
+#: original/man8/iptables-extensions.8:1437
+msgid ""
+"When B<--timestop> is smaller than B<--timestart> value, match this as a "
+"single time period instead distinct intervals. See EXAMPLES."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:2058 original/man8/iptables.8:2044
+#: original/man8/iptables-extensions.8:1437
#, no-wrap
-msgid "B<--set-dscp-class> I<class>"
+msgid "B<--kerneltz>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2061 original/man8/iptables.8:2047
-msgid "Set the DSCP field to a DiffServ class."
-msgstr ""
-
-#. type: SS
-#: original/man8/ip6tables.8:2061
-#, no-wrap
-msgid "HL"
+#: original/man8/iptables-extensions.8:1441
+msgid ""
+"Use the kernel timezone instead of UTC to determine whether a packet meets "
+"the time regulations."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2068
+#: original/man8/iptables-extensions.8:1447
msgid ""
-"This is used to modify the Hop Limit field in IPv6 header. The Hop Limit "
-"field is similar to what is known as TTL value in IPv4. Setting or "
-"incrementing the Hop Limit field can potentially be very dangerous, so it "
-"should be avoided at any cost. This target is only valid in B<mangle> table."
+"About kernel timezones: Linux keeps the system time in UTC, and always does "
+"so. On boot, system time is initialized from a referential time "
+"source. Where this time source has no timezone information, such as the x86 "
+"CMOS RTC, UTC will be assumed. If the time source is however not in UTC, "
+"userspace should provide the correct system time and timezone to the kernel "
+"once it has the information."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2070 original/man8/iptables.8:2564
+#: original/man8/iptables-extensions.8:1458
msgid ""
-"B<Don't ever set or increment the value on packets that leave your local "
-"network!>"
+"Local time is a feature on top of the (timezone independent) system "
+"time. Each process has its own idea of local time, specified via the TZ "
+"environment variable. The kernel also has its own timezone offset "
+"variable. The TZ userspace environment variable specifies how the UTC-based "
+"system time is displayed, e.g. when you run date(1), or what you see on your "
+"desktop clock. The TZ string may resolve to different offsets at different "
+"dates, which is what enables the automatic time-jumping in userspace. when "
+"DST changes. The kernel's timezone offset variable is used when it has to "
+"convert between non-UTC sources, such as FAT filesystems, to UTC (since the "
+"latter is what the rest of the system uses)."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2070
-#, no-wrap
-msgid "B<--hl-set> I<value>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1467
+msgid ""
+"The caveat with the kernel timezone is that Linux distributions may ignore "
+"to set the kernel timezone, and instead only set the system time. Even if a "
+"particular distribution does set the timezone at boot, it is usually does "
+"not keep the kernel timezone offset - which is what changes on DST - up to "
+"date. ntpd will not touch the kernel timezone, so running it will not "
+"resolve the issue. As such, one may encounter a timezone that is always "
+"+0000, or one that is wrong half of the time of the year. As such, B<using "
+"--kerneltz is highly discouraged.>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2073
-msgid "Set the Hop Limit to `value'."
+#: original/man8/iptables-extensions.8:1469
+msgid "EXAMPLES. To match on weekends, use:"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2073
-#, no-wrap
-msgid "B<--hl-dec> I<value>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1471
+msgid "-m time --weekdays Sa,Su"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2076
-msgid "Decrement the Hop Limit `value' times."
+#: original/man8/iptables-extensions.8:1473
+msgid "Or, to match (once) on a national holiday block:"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2076
-#, no-wrap
-msgid "B<--hl-inc> I<value>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1475
+msgid "-m time --datestart 2007-12-24 --datestop 2007-12-27"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2079
-msgid "Increment the Hop Limit `value' times."
+#: original/man8/iptables-extensions.8:1478
+msgid ""
+"Since the stop time is actually inclusive, you would need the following stop "
+"time to not match the first second of the new day:"
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:2079 original/man8/iptables.8:2055
-#, no-wrap
-msgid "IDLETIMER"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1480
+msgid "-m time --datestart 2007-01-01T17:00 --datestop 2007-01-01T23:59:59"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2088 original/man8/iptables.8:2064
-msgid ""
-"This target can be used to identify when interfaces have been idle for a "
-"certain period of time. Timers are identified by labels and are created "
-"when a rule is set with a new label. The rules also take a timeout value "
-"(in seconds) as an option. If more than one rule uses the same timer label, "
-"the timer will be restarted whenever any of the rules get a hit. One entry "
-"for each timer is created in sysfs. This attribute contains the timer "
-"remaining for the timer to expire. The attributes are located under the "
-"xt_idletimer class:"
+#: original/man8/iptables-extensions.8:1482
+msgid "During lunch hour:"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2090 original/man8/iptables.8:2066
-msgid "/sys/class/xt_idletimer/timers/E<lt>labelE<gt>"
+#: original/man8/iptables-extensions.8:1484
+msgid "-m time --timestart 12:30 --timestop 13:30"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2093 original/man8/iptables.8:2069
-msgid ""
-"When the timer expires, the target module sends a sysfs notification to the "
-"userspace, which can then decide what to do (eg. disconnect to save power)."
+#: original/man8/iptables-extensions.8:1486
+msgid "The fourth Friday in the month:"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2093 original/man8/iptables.8:2069
-#, no-wrap
-msgid "B<--timeout> I<amount>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1488
+msgid "-m time --weekdays Fr --monthdays 22,23,24,25,26,27,28"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2096 original/man8/iptables.8:2072
-msgid "This is the time in seconds that will trigger the notification."
+#: original/man8/iptables-extensions.8:1492
+msgid ""
+"(Note that this exploits a certain mathematical property. It is not possible "
+"to say \"fourth Thursday OR fourth Friday\" in one rule. It is possible with "
+"multiple rules, though.)"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2096 original/man8/iptables.8:2072
-#, no-wrap
-msgid "B<--label> I<string>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1494
+msgid "Matching across days might not do what is expected. For instance,"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2100 original/man8/iptables.8:2076
+#: original/man8/iptables-extensions.8:1500
msgid ""
-"This is a unique identifier for the timer. The maximum length for the label "
-"string is 27 characters."
+"-m time --weekdays Mo --timestart 23:00 --timestop 01:00 Will match Monday, "
+"for one hour from midnight to 1 a.m., and then again for another hour from "
+"23:00 onwards. If this is unwanted, e.g. if you would like 'match for two "
+"hours from Montay 23:00 onwards' you need to also specify the --contiguous "
+"option in the example above."
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:2100 original/man8/iptables.8:2076
+#: original/man8/iptables-extensions.8:1500
#, no-wrap
-msgid "LOG"
+msgid "tos"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2112
+#: original/man8/iptables-extensions.8:1504
msgid ""
-"Turn on kernel logging of matching packets. When this option is set for a "
-"rule, the Linux kernel will print some information on all matching packets "
-"(like most IPv6 IPv6-header fields) via the kernel log (where it can be read "
-"with I<dmesg> or I<syslogd>(8)). This is a \"non-terminating target\", "
-"i.e. rule traversal continues at the next rule. So if you want to LOG the "
-"packets you refuse, use two separate rules with the same matching criteria, "
-"first using target LOG then DROP (or REJECT)."
+"This module matches the 8-bit Type of Service field in the IPv4 header "
+"(i.e. including the \"Precedence\" bits) or the (also 8-bit) Priority field "
+"in the IPv6 header."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:2112 original/man8/iptables.8:2088
+#: original/man8/iptables-extensions.8:1504
#, no-wrap
-msgid "B<--log-level> I<level>"
+msgid "[B<!>] B<--tos> I<value>[B</>I<mask>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2115 original/man8/iptables.8:2091
-msgid "Level of logging (numeric or see I<syslog.conf>(5))."
+#: original/man8/iptables-extensions.8:1508
+msgid ""
+"Matches packets with the given TOS mark value. If a mask is specified, it is "
+"logically ANDed with the TOS mark before the comparison."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:2115 original/man8/iptables.8:2091
+#: original/man8/iptables-extensions.8:1508
#, no-wrap
-msgid "B<--log-prefix> I<prefix>"
+msgid "[B<!>] B<--tos> I<symbol>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2119 original/man8/iptables.8:2095
+#: original/man8/iptables-extensions.8:1513
msgid ""
-"Prefix log messages with the specified prefix; up to 29 letters long, and "
-"useful for distinguishing messages in the logs."
+"You can specify a symbolic name when using the tos match for IPv4. The list "
+"of recognized TOS names can be obtained by calling iptables with B<-m tos "
+"-h>. Note that this implies a mask of 0x3F, i.e. all but the ECN bits."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2119 original/man8/iptables.8:2095
+#. type: SS
+#: original/man8/iptables-extensions.8:1513
#, no-wrap
-msgid "B<--log-tcp-sequence>"
+msgid "ttl (IPv4-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2123 original/man8/iptables.8:2099
-msgid ""
-"Log TCP sequence numbers. This is a security risk if the log is readable by "
-"users."
+#: original/man8/iptables-extensions.8:1515
+msgid "This module matches the time to live field in the IP header."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:2123 original/man8/iptables.8:2099
+#: original/man8/iptables-extensions.8:1515
#, no-wrap
-msgid "B<--log-tcp-options>"
+msgid "[B<!>] B<--ttl-eq> I<ttl>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2126 original/man8/iptables.8:2102
-msgid "Log options from the TCP packet header."
+#: original/man8/iptables-extensions.8:1518
+msgid "Matches the given TTL value."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:2126 original/man8/iptables.8:2102
+#: original/man8/iptables-extensions.8:1518
#, no-wrap
-msgid "B<--log-ip-options>"
+msgid "B<--ttl-gt> I<ttl>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2129
-msgid "Log options from the IPv6 packet header."
+#: original/man8/iptables-extensions.8:1521
+msgid "Matches if TTL is greater than the given TTL value."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:2129 original/man8/iptables.8:2105
+#: original/man8/iptables-extensions.8:1521
#, no-wrap
-msgid "B<--log-uid>"
+msgid "B<--ttl-lt> I<ttl>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2132 original/man8/iptables.8:2108
-msgid "Log the userid of the process which generated the packet."
+#: original/man8/iptables-extensions.8:1524
+msgid "Matches if TTL is less than the given TTL value."
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:2132 original/man8/iptables.8:2108
+#: original/man8/iptables-extensions.8:1524
#, no-wrap
-msgid "MARK"
+msgid "u32"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2138 original/man8/iptables.8:2114
+#: original/man8/iptables-extensions.8:1528
msgid ""
-"This target is used to set the Netfilter mark value associated with the "
-"packet. It can, for example, be used in conjunction with routing based on "
-"fwmark (needs iproute2). If you plan on doing so, note that the mark needs "
-"to be set in the PREROUTING chain of the mangle table to affect routing. "
-"The mark field is 32 bits wide."
+"U32 tests whether quantities of up to 4 bytes extracted from a packet have "
+"specified values. The specification of what to extract is general enough to "
+"find data at given offsets from tcp headers or payloads."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:2142 original/man8/iptables.8:2118
-msgid ""
-"Zeroes out the bits given by I<mask> and XORs I<value> into the packet mark "
-"(\"nfmark\"). If I<mask> is omitted, 0xFFFFFFFF is assumed."
+#. type: TP
+#: original/man8/iptables-extensions.8:1528
+#, no-wrap
+msgid "[B<!>] B<--u32> I<tests>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2146 original/man8/iptables.8:2122
-msgid ""
-"Zeroes out the bits given by I<mask> and ORs I<value> into the packet "
-"mark. If I<mask> is omitted, 0xFFFFFFFF is assumed."
+#: original/man8/iptables-extensions.8:1531
+msgid "The argument amounts to a program in a small language described below."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2148 original/man8/ip6tables.8:2385 original/man8/iptables.8:2124 original/man8/iptables.8:2496
-msgid "The following mnemonics are available:"
+#: original/man8/iptables-extensions.8:1533
+msgid "tests := location \"=\" value | tests \"&&\" location \"=\" value"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2152 original/man8/iptables.8:2128
-msgid ""
-"Binary AND the nfmark with I<bits>. (Mnemonic for B<--set-xmark "
-"0/>I<invbits>, where I<invbits> is the binary negation of I<bits>.)"
+#: original/man8/iptables-extensions.8:1535
+msgid "value := range | value \",\" range"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2156 original/man8/iptables.8:2132
-msgid ""
-"Binary OR the nfmark with I<bits>. (Mnemonic for B<--set-xmark> "
-"I<bits>B</>I<bits>.)"
+#: original/man8/iptables-extensions.8:1537
+msgid "range := number | number \":\" number"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2160 original/man8/iptables.8:2136
+#: original/man8/iptables-extensions.8:1540
msgid ""
-"Binary XOR the nfmark with I<bits>. (Mnemonic for B<--set-xmark> "
-"I<bits>B</0>.)"
+"a single number, I<n>, is interpreted the same as I<n:n>. I<n:m> is "
+"interpreted as the range of numbers B<E<gt>=n> and B<E<lt>=m>."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:2160 original/man8/iptables.8:2190
-#, no-wrap
-msgid "NFLOG"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1542
+msgid "location := number | location operator number"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2170 original/man8/iptables.8:2200
-msgid ""
-"This target provides logging of matching packets. When this target is set "
-"for a rule, the Linux kernel will pass the packet to the loaded logging "
-"backend to log the packet. This is usually used in combination with "
-"nfnetlink_log as logging backend, which will multicast the packet through a "
-"I<netlink> socket to the specified multicast group. One or more userspace "
-"processes may subscribe to the group to receive the packets. Like LOG, this "
-"is a non-terminating target, i.e. rule traversal continues at the next rule."
+#: original/man8/iptables-extensions.8:1544
+msgid "operator := \"&\" | \"E<lt>E<lt>\" | \"E<gt>E<gt>\" | \"@\""
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2170 original/man8/iptables.8:2200
-#, no-wrap
-msgid "B<--nflog-group> I<nlgroup>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1549
+msgid ""
+"The operators B<&>, B<E<lt>E<lt>>, B<E<gt>E<gt>> and B<&&> mean the same as "
+"in C. The B<=> is really a set membership operator and the value syntax "
+"describes a set. The B<@> operator is what allows moving to the next header "
+"and is described further below."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2174 original/man8/iptables.8:2204
+#: original/man8/iptables-extensions.8:1552
msgid ""
-"The netlink group (0 - 2^16-1) to which packets are (only applicable for "
-"nfnetlink_log). The default value is 0."
+"There are currently some artificial implementation limits on the size of the "
+"tests:"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2174 original/man8/iptables.8:2204
+#. type: IP
+#: original/man8/iptables-extensions.8:1552 original/man8/iptables-extensions.8:1554 original/man8/iptables-extensions.8:1556
#, no-wrap
-msgid "B<--nflog-prefix> I<prefix>"
+msgid " *"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2178 original/man8/iptables.8:2208
-msgid ""
-"A prefix string to include in the log message, up to 64 characters long, "
-"useful for distinguishing messages in the logs."
+#: original/man8/iptables-extensions.8:1554
+msgid "no more than 10 of \"B<=>\" (and 9 \"B<&&>\"s) in the u32 argument"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2178 original/man8/iptables.8:2208
-#, no-wrap
-msgid "B<--nflog-range> I<size>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1556
+msgid "no more than 10 ranges (and 9 commas) per value"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2183 original/man8/iptables.8:2213
-msgid ""
-"The number of bytes to be copied to userspace (only applicable for "
-"nfnetlink_log). nfnetlink_log instances may specify their own range, this "
-"option overrides it."
+#: original/man8/iptables-extensions.8:1558
+msgid "no more than 10 numbers (and 9 operators) per location"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2183 original/man8/iptables.8:2213
-#, no-wrap
-msgid "B<--nflog-threshold> I<size>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1561
+msgid ""
+"To describe the meaning of location, imagine the following machine that "
+"interprets it. There are three registers:"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2190 original/man8/iptables.8:2220
-msgid ""
-"Number of packets to queue inside the kernel before sending them to "
-"userspace (only applicable for nfnetlink_log). Higher values result in less "
-"overhead per packet, but increase delay until the packets reach "
-"userspace. The default value is 1."
+#: original/man8/iptables-extensions.8:1563
+msgid "A is of type B<char *>, initially the address of the IP header"
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:2190 original/man8/iptables.8:2220
-#, no-wrap
-msgid "NFQUEUE"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1565
+msgid "B and C are unsigned 32 bit integers, initially zero"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2200 original/man8/iptables.8:2230
-msgid ""
-"This target is an extension of the QUEUE target. As opposed to QUEUE, it "
-"allows you to put a packet into any specific queue, identified by its 16-bit "
-"queue number. It can only be used with Kernel versions 2.6.14 or later, "
-"since it requires the B<nfnetlink_queue> kernel support. The "
-"B<queue-balance> option was added in Linux 2.6.31, B<queue-bypass> in "
-"2.6.39."
+#: original/man8/iptables-extensions.8:1567
+msgid "The instructions are:"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2200 original/man8/iptables.8:2230
-#, no-wrap
-msgid "B<--queue-num> I<value>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1569
+msgid "number B = number;"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2203 original/man8/iptables.8:2233
+#: original/man8/iptables-extensions.8:1571
msgid ""
-"This specifies the QUEUE number to use. Valid queue numbers are 0 to "
-"65535. The default value is 0."
+"C = (*(A+B)E<lt>E<lt>24) + (*(A+B+1)E<lt>E<lt>16) + (*(A+B+2)E<lt>E<lt>8) + "
+"*(A+B+3)"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2204 original/man8/iptables.8:2234
-#, no-wrap
-msgid "B<--queue-balance> I<value>B<:>I<value>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1573
+msgid "&number C = C & number"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2210 original/man8/iptables.8:2240
-msgid ""
-"This specifies a range of queues to use. Packets are then balanced across "
-"the given queues. This is useful for multicore systems: start multiple "
-"instances of the userspace program on queues x, x+1, .. x+n and use "
-"\"--queue-balance I<x>B<:>I<x+n>\". Packets belonging to the same "
-"connection are put into the same nfqueue."
+#: original/man8/iptables-extensions.8:1575
+msgid "E<lt>E<lt> number C = C E<lt>E<lt> number"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2211 original/man8/iptables.8:2241
-#, no-wrap
-msgid "B<--queue-bypass>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1577
+msgid "E<gt>E<gt> number C = C E<gt>E<gt> number"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2216 original/man8/iptables.8:2246
-msgid ""
-"By default, if no userspace program is listening on an NFQUEUE, then all "
-"packets that are to be queued are dropped. When this option is used, the "
-"NFQUEUE rule is silently bypassed instead. The packet will move on to the "
-"next rule."
+#: original/man8/iptables-extensions.8:1579
+msgid "@number A = A + C; then do the instruction number"
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:2216 original/man8/iptables.8:2246
-#, no-wrap
-msgid "NOTRACK"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1582
+msgid ""
+"Any access of memory outside [skb-E<gt>data,skb-E<gt>end] causes the match "
+"to fail. Otherwise the result of the computation is the final value of C."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2218 original/man8/iptables.8:2248
-msgid "This target disables connection tracking for all packets matching that rule."
+#: original/man8/iptables-extensions.8:1586
+msgid ""
+"Whitespace is allowed but not required in the tests. However, the characters "
+"that do occur there are likely to require shell quoting, so it is a good "
+"idea to enclose the arguments in quotes."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2222 original/man8/ip6tables.8:2442 original/man8/iptables.8:2252 original/man8/iptables.8:2553
-msgid "It can only be used in the B<raw> table."
+#: original/man8/iptables-extensions.8:1590
+msgid "match IP packets with total length E<gt>= 256"
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:2222 original/man8/iptables.8:2252
-#, no-wrap
-msgid "RATEEST"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1592
+msgid "The IP header contains a total length field in bytes 2-3."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2225 original/man8/iptables.8:2255
-msgid ""
-"The RATEEST target collects statistics, performs rate estimation calculation "
-"and saves the results for later evaluation using the B<rateest> match."
+#: original/man8/iptables-extensions.8:1594
+msgid "--u32 \"B<0 & 0xFFFF = 0x100:0xFFFF>\""
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2225 original/man8/iptables.8:2255
-#, no-wrap
-msgid "B<--rateest-name> I<name>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1596
+msgid "read bytes 0-3"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2229 original/man8/iptables.8:2259
+#: original/man8/iptables-extensions.8:1599
msgid ""
-"Count matched packets into the pool referred to by I<name>, which is freely "
-"choosable."
-msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:2229 original/man8/iptables.8:2259
-#, no-wrap
-msgid "B<--rateest-interval> I<amount>{B<s>|B<ms>|B<us>}"
+"AND that with 0xFFFF (giving bytes 2-3), and test whether that is in the "
+"range [0x100:0xFFFF]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2232 original/man8/iptables.8:2262
-msgid "Rate measurement interval, in seconds, milliseconds or microseconds."
+#: original/man8/iptables-extensions.8:1601
+msgid "Example: (more realistic, hence more complicated)"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2232 original/man8/iptables.8:2262
-#, no-wrap
-msgid "B<--rateest-ewmalog> I<value>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1603
+msgid "match ICMP packets with icmp type 0"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2235 original/man8/iptables.8:2265
-msgid "Rate measurement averaging time constant."
+#: original/man8/iptables-extensions.8:1605
+msgid "First test that it is an ICMP packet, true iff byte 9 (protocol) = 1"
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:2235 original/man8/iptables.8:2291
-#, no-wrap
-msgid "REJECT"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1607
+msgid "--u32 \"B<6 & 0xFF = 1 &&> ..."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2248 original/man8/iptables.8:2304
+#: original/man8/iptables-extensions.8:1614
msgid ""
-"This is used to send back an error packet in response to the matched packet: "
-"otherwise it is equivalent to B<DROP> so it is a terminating TARGET, ending "
-"rule traversal. This target is only valid in the B<INPUT>, B<FORWARD> and "
-"B<OUTPUT> chains, and user-defined chains which are only called from those "
-"chains. The following option controls the nature of the error packet "
-"returned:"
+"read bytes 6-9, use B<&> to throw away bytes 6-8 and compare the result to "
+"1. Next test that it is not a fragment. (If so, it might be part of such a "
+"packet but we cannot always tell.) N.B.: This test is generally needed if "
+"you want to match anything beyond the IP header. The last 6 bits of byte 6 "
+"and all of byte 7 are 0 iff this is a complete packet (not a "
+"fragment). Alternatively, you can allow first fragments by only testing the "
+"last 5 bits of byte 6."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2248 original/man8/iptables.8:2304
-#, no-wrap
-msgid "B<--reject-with> I<type>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1616
+msgid "... B<4 & 0x3FFF = 0 &&> ..."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2269
+#: original/man8/iptables-extensions.8:1620
msgid ""
-"The type given can be B<icmp6-no-route>, B<no-route>, "
-"B<icmp6-adm-prohibited>, B<adm-prohibited>, B<icmp6-addr-unreachable>, "
-"B<addr-unreach>, B<icmp6-port-unreachable> or B<port-unreach> which return "
-"the appropriate ICMPv6 error message (B<port-unreach> is the "
-"default). Finally, the option B<tcp-reset> can be used on rules which only "
-"match the TCP protocol: this causes a TCP RST packet to be sent back. This "
-"is mainly useful for blocking I<ident> (113/tcp) probes which frequently "
-"occur when sending mail to broken mail hosts (which won't accept your mail "
-"otherwise). B<tcp-reset> can only be used with kernel versions 2.6.14 or "
-"later."
+"Last test: the first byte past the IP header (the type) is 0. This is where "
+"we have to use the @syntax. The length of the IP header (IHL) in 32 bit "
+"words is stored in the right half of byte 0 of the IP header itself."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:2269 original/man8/iptables.8:2342
-#, no-wrap
-msgid "SECMARK"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1622
+msgid "... B<0 E<gt>E<gt> 22 & 0x3C @ 0 E<gt>E<gt> 24 = 0>\""
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2278 original/man8/iptables.8:2351
+#: original/man8/iptables-extensions.8:1634
msgid ""
-"This is used to set the security mark value associated with the packet for "
-"use by security subsystems such as SELinux. It is valid in the B<security> "
-"table (for backwards compatibility with older kernels, it is also valid in "
-"the B<mangle> table). The mark is 32 bits wide."
-msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:2278 original/man8/iptables.8:2351
-#, no-wrap
-msgid "B<--selctx> I<security_context>"
-msgstr ""
-
-#. type: SS
-#: original/man8/ip6tables.8:2280 original/man8/iptables.8:2353
-#, no-wrap
-msgid "SET"
+"The first 0 means read bytes 0-3, B<E<gt>E<gt>22> means shift that 22 bits "
+"to the right. Shifting 24 bits would give the first byte, so only 22 bits is "
+"four times that plus a few more bits. B<&3C> then eliminates the two extra "
+"bits on the right and the first four bits of the first byte. For instance, "
+"if IHL=5, then the IP header is 20 (4 x 5) bytes long. In this case, bytes "
+"0-1 are (in binary) xxxx0101 yyzzzzzz, B<E<gt>E<gt>22> gives the 10 bit "
+"value xxxx0101yy and B<&3C> gives 010100. B<@> means to use this number as a "
+"new offset into the packet, and read four bytes starting from there. This is "
+"the first 4 bytes of the ICMP payload, of which byte 0 is the ICMP "
+"type. Therefore, we simply shift the value 24 to the right to throw out all "
+"but the first byte and compare the result with 0."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2283 original/man8/iptables.8:2356
-msgid ""
-"This modules adds and/or deletes entries from IP sets which can be defined "
-"by ipset(8)."
+#: original/man8/iptables-extensions.8:1638
+msgid "TCP payload bytes 8-12 is any of 1, 2, 5 or 8"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2283 original/man8/iptables.8:2356
-#, no-wrap
-msgid "B<--add-set> I<setname> I<flag>[B<,>I<flag>...]"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1640
+msgid "First we test that the packet is a tcp packet (similar to ICMP)."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2286 original/man8/iptables.8:2359
-msgid "add the address(es)/port(s) of the packet to the sets"
+#: original/man8/iptables-extensions.8:1642
+msgid "--u32 \"B<6 & 0xFF = 6 &&> ..."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2286 original/man8/iptables.8:2359
-#, no-wrap
-msgid "B<--del-set> I<setname> I<flag>[B<,>I<flag>...]"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1644
+msgid "Next, test that it is not a fragment (same as above)."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2289 original/man8/iptables.8:2362
-msgid "delete the address(es)/port(s) of the packet from the sets"
+#: original/man8/iptables-extensions.8:1646
+msgid "... B<0 E<gt>E<gt> 22 & 0x3C @ 12 E<gt>E<gt> 26 & 0x3C @ 8 = 1,2,5,8>\""
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2295 original/man8/iptables.8:2368
+#: original/man8/iptables-extensions.8:1654
msgid ""
-"where flags are B<src> and/or B<dst> specifications and there can be no more "
-"than six of them."
+"B<0E<gt>E<gt>22&3C> as above computes the number of bytes in the IP "
+"header. B<@> makes this the new offset into the packet, which is the start "
+"of the TCP header. The length of the TCP header (again in 32 bit words) is "
+"the left half of byte 12 of the TCP header. The B<12E<gt>E<gt>26&3C> "
+"computes this length in bytes (similar to the IP header before). \"@\" makes "
+"this the new offset, which is the start of the TCP payload. Finally, 8 reads "
+"bytes 8-12 of the payload and B<=> checks whether the result is any of 1, 2, "
+"5 or 8."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2295 original/man8/iptables.8:2368
+#. type: SS
+#: original/man8/iptables-extensions.8:1654
#, no-wrap
-msgid "B<--timeout> I<value>"
+msgid "udp"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2299 original/man8/iptables.8:2372
+#: original/man8/iptables-extensions.8:1657
msgid ""
-"when adding entry, the timeout value to use instead of the default one from "
-"the set definition"
-msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:2299 original/man8/iptables.8:2372
-#, no-wrap
-msgid "B<--exist>"
+"These extensions can be used if `--protocol udp' is specified. It provides "
+"the following options:"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2303 original/man8/iptables.8:2376
+#: original/man8/iptables-extensions.8:1663
msgid ""
-"when adding entry if it already exists, reset the timeout value to the "
-"specified one or to the default from the set definition"
+"Source port or port range specification. See the description of the "
+"B<--source-port> option of the TCP extension for details."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2306 original/man8/iptables.8:2379
+#: original/man8/iptables-extensions.8:1669
msgid ""
-"Use of -j SET requires that ipset kernel support is provided, which, for "
-"standard kernels, is the case since Linux 2.6.39."
+"Destination port or port range specification. See the description of the "
+"B<--destination-port> option of the TCP extension for details."
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:2306 original/man8/iptables.8:2417
+#: original/man8/iptables-extensions.8:1669
#, no-wrap
-msgid "TCPMSS"
+msgid "unclean (IPv4-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2313 original/man8/iptables.8:2424
+#: original/man8/iptables-extensions.8:1672
msgid ""
-"This target allows to alter the MSS value of TCP SYN packets, to control the "
-"maximum size for that connection (usually limiting it to your outgoing "
-"interface's MTU minus 40 for IPv4 or 60 for IPv6, respectively). Of course, "
-"it can only be used in conjunction with B<-p tcp>."
+"This module takes no options, but attempts to match packets which seem "
+"malformed or unusual. This is regarded as experimental."
msgstr ""
+#. type: SH
+#: original/man8/iptables-extensions.8:1672
+#, no-wrap
+msgid "TARGET EXTENSIONS"
+msgstr ""
+
+#. @TARGET@
#. type: Plain text
-#: original/man8/ip6tables.8:2320 original/man8/iptables.8:2431
+#: original/man8/iptables-extensions.8:1676
msgid ""
-"This target is used to overcome criminally braindead ISPs or servers which "
-"block \"ICMP Fragmentation Needed\" or \"ICMPv6 Packet Too Big\" packets. "
-"The symptoms of this problem are that everything works fine from your Linux "
-"firewall/router, but machines behind it can never exchange large packets:"
+"iptables can use extended target modules: the following are included in the "
+"standard distribution."
msgstr ""
-#. type: IP
-#: original/man8/ip6tables.8:2320 original/man8/iptables.8:2431
+#. type: SS
+#: original/man8/iptables-extensions.8:1676
#, no-wrap
-msgid "1."
+msgid "AUDIT"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2322 original/man8/iptables.8:2433
-msgid "Web browsers connect, then hang with no data received."
+#: original/man8/iptables-extensions.8:1680
+msgid ""
+"This target allows to create audit records for packets hitting the target. "
+"It can be used to record accepted, dropped, and rejected packets. See "
+"auditd(8) for additional details."
msgstr ""
-#. type: IP
-#: original/man8/ip6tables.8:2322 original/man8/iptables.8:2433
+#. type: TP
+#: original/man8/iptables-extensions.8:1680
#, no-wrap
-msgid "2."
+msgid "B<--type> {B<accept>|B<drop>|B<reject>}"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2324 original/man8/iptables.8:2435
-msgid "Small mail works fine, but large emails hang."
-msgstr ""
-
-#. type: IP
-#: original/man8/ip6tables.8:2324 original/man8/iptables.8:2435
-#, no-wrap
-msgid "3."
+#: original/man8/iptables-extensions.8:1683
+msgid "Set type of audit record."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2326 original/man8/iptables.8:2437
-msgid "ssh works fine, but scp hangs after initial handshaking."
+#: original/man8/iptables-extensions.8:1687
+msgid "iptables -N AUDIT_DROP"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2329 original/man8/iptables.8:2440
-msgid ""
-"Workaround: activate this option and add a rule to your firewall "
-"configuration like:"
+#: original/man8/iptables-extensions.8:1689
+msgid "iptables -A AUDIT_DROP -j AUDIT --type drop"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2332 original/man8/iptables.8:2443
-#, no-wrap
-msgid ""
-" iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN\n"
-" -j TCPMSS --clamp-mss-to-pmtu\n"
+#: original/man8/iptables-extensions.8:1691
+msgid "iptables -A AUDIT_DROP -j DROP"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2332 original/man8/iptables.8:2443
+#. type: SS
+#: original/man8/iptables-extensions.8:1691
#, no-wrap
-msgid "B<--set-mss> I<value>"
+msgid "CHECKSUM"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2337 original/man8/iptables.8:2448
+#: original/man8/iptables-extensions.8:1694
msgid ""
-"Explicitly sets MSS option to specified value. If the MSS of the packet is "
-"already lower than I<value>, it will B<not> be increased (from Linux 2.6.25 "
-"onwards) to avoid more problems with hosts relying on a proper MSS."
+"This target allows to selectively work around broken/old applications. It "
+"can only be used in the mangle table."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:2337 original/man8/iptables.8:2448
+#: original/man8/iptables-extensions.8:1694
#, no-wrap
-msgid "B<--clamp-mss-to-pmtu>"
+msgid "B<--checksum-fill>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2346 original/man8/iptables.8:2457
+#: original/man8/iptables-extensions.8:1700
msgid ""
-"Automatically clamp MSS value to (path_MTU - 40 for IPv4; -60 for IPv6). "
-"This may not function as desired where asymmetric routes with differing path "
-"MTU exist \\(em the kernel uses the path MTU which it would use to send "
-"packets from itself to the source and destination IP addresses. Prior to "
-"Linux 2.6.25, only the path MTU to the destination IP address was considered "
-"by this option; subsequent kernels also consider the path MTU to the source "
-"IP address."
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:2348 original/man8/iptables.8:2459
-msgid "These options are mutually exclusive."
+"Compute and fill in the checksum in a packet that lacks a checksum. This is "
+"particularly useful, if you need to work around old applications such as "
+"dhcp clients, that do not work well with checksum offloads, but don't want "
+"to disable checksum offload in your device."
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:2348 original/man8/iptables.8:2459
+#: original/man8/iptables-extensions.8:1700
#, no-wrap
-msgid "TCPOPTSTRIP"
+msgid "CLASSIFY"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2351 original/man8/iptables.8:2462
+#: original/man8/iptables-extensions.8:1702
msgid ""
-"This target will strip TCP options off a TCP packet. (It will actually "
-"replace them by NO-OPs.) As such, you will need to add the B<-p tcp> "
-"parameters."
+"This module allows you to set the skb-E<gt>priority value (and thus classify "
+"the packet into a specific CBQ class)."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:2351 original/man8/iptables.8:2462
+#: original/man8/iptables-extensions.8:1702
#, no-wrap
-msgid "B<--strip-options> I<option>[B<,>I<option>...]"
+msgid "B<--set-class> I<major>B<:>I<minor>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2356 original/man8/iptables.8:2467
+#: original/man8/iptables-extensions.8:1706
msgid ""
-"Strip the given option(s). The options may be specified by TCP option number "
-"or by symbolic name. The list of recognized options can be obtained by "
-"calling iptables with B<-j TCPOPTSTRIP -h>."
+"Set the major and minor class value. The values are always interpreted as "
+"hexadecimal even if no 0x prefix is given."
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:2356 original/man8/iptables.8:2467
+#: original/man8/iptables-extensions.8:1706
#, no-wrap
-msgid "TEE"
+msgid "CLUSTERIP (IPv4-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2361 original/man8/iptables.8:2472
+#: original/man8/iptables-extensions.8:1711
msgid ""
-"The B<TEE> target will clone a packet and redirect this clone to another "
-"machine on the B<local> network segment. In other words, the nexthop must be "
-"the target, or you will have to configure the nexthop to forward it further "
-"if so desired."
+"This module allows you to configure a simple cluster of nodes that share a "
+"certain IP and MAC address without an explicit load balancer in front of "
+"them. Connections are statically distributed between the nodes in this "
+"cluster."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:2361 original/man8/iptables.8:2472
+#: original/man8/iptables-extensions.8:1711
#, no-wrap
-msgid "B<--gateway> I<ipaddr>"
+msgid "B<--new>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2365 original/man8/iptables.8:2476
+#: original/man8/iptables-extensions.8:1715
msgid ""
-"Send the cloned packet to the host reachable at the given IP address. Use "
-"of 0.0.0.0 (for IPv4 packets) or :: (IPv6) is invalid."
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:2367 original/man8/iptables.8:2478
-msgid "To forward all incoming traffic on eth0 to an Network Layer logging box:"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:2369 original/man8/iptables.8:2480
-msgid "-t mangle -A PREROUTING -i eth0 -j TEE --gateway 2001:db8::1"
+"Create a new ClusterIP. You always have to set this on the first rule for a "
+"given ClusterIP."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:2369 original/man8/iptables.8:2480
+#. type: TP
+#: original/man8/iptables-extensions.8:1715
#, no-wrap
-msgid "TOS"
+msgid "B<--hashmode> I<mode>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2374 original/man8/iptables.8:2485
+#: original/man8/iptables-extensions.8:1719
msgid ""
-"This module sets the Type of Service field in the IPv4 header (including the "
-"\"precedence\" bits) or the Priority field in the IPv6 header. Note that TOS "
-"shares the same bits as DSCP and ECN. The TOS target is only valid in the "
-"B<mangle> table."
+"Specify the hashing mode. Has to be one of B<sourceip>, "
+"B<sourceip-sourceport>, B<sourceip-sourceport-destport>."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:2374 original/man8/iptables.8:2485
+#: original/man8/iptables-extensions.8:1719
#, no-wrap
-msgid "B<--set-tos> I<value>[B</>I<mask>]"
+msgid "B<--clustermac> I<mac>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2378 original/man8/iptables.8:2489
-msgid ""
-"Zeroes out the bits given by I<mask> (see NOTE below) and XORs I<value> into "
-"the TOS/Priority field. If I<mask> is omitted, 0xFF is assumed."
+#: original/man8/iptables-extensions.8:1722
+msgid "Specify the ClusterIP MAC address. Has to be a link-layer multicast address"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:2378 original/man8/iptables.8:2489
+#: original/man8/iptables-extensions.8:1722
#, no-wrap
-msgid "B<--set-tos> I<symbol>"
+msgid "B<--total-nodes> I<num>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2383 original/man8/iptables.8:2494
-msgid ""
-"You can specify a symbolic name when using the TOS target for IPv4. It "
-"implies a mask of 0xFF (see NOTE below). The list of recognized TOS names "
-"can be obtained by calling iptables with B<-j TOS -h>."
+#: original/man8/iptables-extensions.8:1725
+msgid "Number of total nodes within this cluster."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:2385 original/man8/iptables.8:2496
+#: original/man8/iptables-extensions.8:1725
#, no-wrap
-msgid "B<--and-tos> I<bits>"
+msgid "B<--local-node> I<num>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2390 original/man8/iptables.8:2501
-msgid ""
-"Binary AND the TOS value with I<bits>. (Mnemonic for B<--set-tos "
-"0/>I<invbits>, where I<invbits> is the binary negation of I<bits>. See NOTE "
-"below.)"
+#: original/man8/iptables-extensions.8:1728
+msgid "Local node number within this cluster."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:2390 original/man8/iptables.8:2501
+#: original/man8/iptables-extensions.8:1728
#, no-wrap
-msgid "B<--or-tos> I<bits>"
+msgid "B<--hash-init> I<rnd>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2394 original/man8/iptables.8:2505
-msgid ""
-"Binary OR the TOS value with I<bits>. (Mnemonic for B<--set-tos> "
-"I<bits>B</>I<bits>. See NOTE below.)"
+#: original/man8/iptables-extensions.8:1731
+msgid "Specify the random seed used for hash initialization."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2394 original/man8/iptables.8:2505
+#. type: SS
+#: original/man8/iptables-extensions.8:1731
#, no-wrap
-msgid "B<--xor-tos> I<bits>"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:2398 original/man8/iptables.8:2509
-msgid ""
-"Binary XOR the TOS value with I<bits>. (Mnemonic for B<--set-tos> "
-"I<bits>B</0>. See NOTE below.)"
+msgid "CONNMARK"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2406 original/man8/iptables.8:2517
+#: original/man8/iptables-extensions.8:1734
msgid ""
-"NOTE: In Linux kernels up to and including 2.6.38, with the exception of "
-"longterm releases 2.6.32 (E<gt>=.42), 2.6.33 (E<gt>=.15), and 2.6.35 "
-"(E<gt>=.14), there is a bug whereby IPv6 TOS mangling does not behave as "
-"documented and differs from the IPv4 version. The TOS mask indicates the "
-"bits one wants to zero out, so it needs to be inverted before applying it to "
-"the original TOS field. However, the aformentioned kernels forgo the "
-"inversion which breaks --set-tos and its mnemonics."
+"This module sets the netfilter mark value associated with a connection. The "
+"mark is 32 bits wide."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:2406 original/man8/iptables.8:2517
+#. type: TP
+#: original/man8/iptables-extensions.8:1734 original/man8/iptables-extensions.8:2100
#, no-wrap
-msgid "TPROXY"
+msgid "B<--set-xmark> I<value>[B</>I<mask>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2413 original/man8/iptables.8:2524
-msgid ""
-"This target is only valid in the B<mangle> table, in the B<PREROUTING> chain "
-"and user-defined chains which are only called from this chain. It redirects "
-"the packet to a local socket without changing the packet header in any "
-"way. It can also change the mark value which can then be used in advanced "
-"routing rules. It takes three options:"
+#: original/man8/iptables-extensions.8:1737
+msgid "Zero out the bits given by I<mask> and XOR I<value> into the ctmark."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:2413 original/man8/iptables.8:2524
+#: original/man8/iptables-extensions.8:1737
#, no-wrap
-msgid "B<--on-port> I<port>"
+msgid "B<--save-mark> [B<--nfmask> I<nfmask>] [B<--ctmask> I<ctmask>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2418 original/man8/iptables.8:2529
+#: original/man8/iptables-extensions.8:1741
msgid ""
-"This specifies a destination port to use. It is a required option, 0 means "
-"the new destination port is the same as the original. This is only valid if "
-"the rule also specifies B<-p tcp> or B<-p udp>."
+"Copy the packet mark (nfmark) to the connection mark (ctmark) using the "
+"given masks. The new nfmark value is determined as follows:"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2418 original/man8/iptables.8:2529
-#, no-wrap
-msgid "B<--on-ip> I<address>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1743
+msgid "ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2423 original/man8/iptables.8:2534
+#: original/man8/iptables-extensions.8:1747
msgid ""
-"This specifies a destination address to use. By default the address is the "
-"IP address of the incoming interface. This is only valid if the rule also "
-"specifies B<-p tcp> or B<-p udp>."
+"i.e. I<ctmask> defines what bits to clear and I<nfmask> what bits of the "
+"nfmark to XOR into the ctmark. I<ctmask> and I<nfmask> default to "
+"0xFFFFFFFF."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:2423 original/man8/iptables.8:2534
+#: original/man8/iptables-extensions.8:1747
#, no-wrap
-msgid "B<--tproxy-mark> I<value>[B</>I<mask>]"
+msgid "B<--restore-mark> [B<--nfmask> I<nfmask>] [B<--ctmask> I<ctmask>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2428 original/man8/iptables.8:2539
+#: original/man8/iptables-extensions.8:1751
msgid ""
-"Marks packets with the given value/mask. The fwmark value set here can be "
-"used by advanced routing. (Required for transparent proxying to work: "
-"otherwise these packets will get forwarded, which is probably not what you "
-"want.)"
+"Copy the connection mark (ctmark) to the packet mark (nfmark) using the "
+"given masks. The new ctmark value is determined as follows:"
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:2428 original/man8/iptables.8:2539
-#, no-wrap
-msgid "TRACE"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1753
+msgid "nfmark = (nfmark & ~I<nfmask>) ^ (ctmark & I<ctmask>);"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2431 original/man8/iptables.8:2542
+#: original/man8/iptables-extensions.8:1757
msgid ""
-"This target marks packets so that the kernel will log every rule which match "
-"the packets as those traverse the tables, chains, rules."
+"i.e. I<nfmask> defines what bits to clear and I<ctmask> what bits of the "
+"ctmark to XOR into the nfmark. I<ctmask> and I<nfmask> default to "
+"0xFFFFFFFF."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2438 original/man8/iptables.8:2549
-msgid ""
-"A logging backend, such as ip(6)t_LOG or nfnetlink_log, must be loaded for "
-"this to be visible. The packets are logged with the string prefix: \"TRACE: "
-"tablename:chainname:type:rulenum \" where type can be \"rule\" for plain "
-"rule, \"return\" for implicit rule at the end of a user defined chain and "
-"\"policy\" for the policy of the built in chains."
+#: original/man8/iptables-extensions.8:1759
+msgid "B<--restore-mark> is only valid in the B<mangle> table."
msgstr ""
-#. type: SH
-#: original/man8/ip6tables.8:2442 original/man8/iptables.8:2601
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1761
+msgid "The following mnemonics are available for B<--set-xmark>:"
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1761 original/man8/iptables-extensions.8:2110
#, no-wrap
-msgid "DIAGNOSTICS"
+msgid "B<--and-mark> I<bits>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2447 original/man8/iptables.8:2606
+#: original/man8/iptables-extensions.8:1765
msgid ""
-"Various error messages are printed to standard error. The exit code is 0 "
-"for correct functioning. Errors which appear to be caused by invalid or "
-"abused command line parameters cause an exit code of 2, and other errors "
-"cause an exit code of 1."
+"Binary AND the ctmark with I<bits>. (Mnemonic for B<--set-xmark "
+"0/>I<invbits>, where I<invbits> is the binary negation of I<bits>.)"
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1765 original/man8/iptables-extensions.8:2114
+#, no-wrap
+msgid "B<--or-mark> I<bits>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2450
-msgid "Bugs? What's this? ;-) Well... the counters are not reliable on sparc64."
+#: original/man8/iptables-extensions.8:1769
+msgid ""
+"Binary OR the ctmark with I<bits>. (Mnemonic for B<--set-xmark> "
+"I<bits>B</>I<bits>.)"
msgstr ""
-#. type: SH
-#: original/man8/ip6tables.8:2450 original/man8/iptables.8:2609
+#. type: TP
+#: original/man8/iptables-extensions.8:1769 original/man8/iptables-extensions.8:2118
#, no-wrap
-msgid "COMPATIBILITY WITH IPCHAINS"
+msgid "B<--xor-mark> I<bits>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2459
+#: original/man8/iptables-extensions.8:1773
msgid ""
-"This B<ip6tables> is very similar to ipchains by Rusty Russell. The main "
-"difference is that the chains B<INPUT> and B<OUTPUT> are only traversed for "
-"packets coming into the local host and originating from the local host "
-"respectively. Hence every packet only passes through one of the three "
-"chains (except loopback traffic, which involves both INPUT and OUTPUT "
-"chains); previously a forwarded packet would pass through all three."
+"Binary XOR the ctmark with I<bits>. (Mnemonic for B<--set-xmark> "
+"I<bits>B</0>.)"
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:2464
-msgid ""
-"The other main difference is that B<-i> refers to the input interface; B<-o> "
-"refers to the output interface, and both are available for packets entering "
-"the B<FORWARD> chain. There are several other changes in ip6tables."
+#. type: TP
+#: original/man8/iptables-extensions.8:1773 original/man8/iptables-extensions.8:2104
+#, no-wrap
+msgid "B<--set-mark> I<value>[B</>I<mask>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2471
+#: original/man8/iptables-extensions.8:1777
msgid ""
-"B<ip6tables-save>(8), B<ip6tables-restore>(8), B<iptables>(8), "
-"B<iptables-save>(8), B<iptables-restore>(8), B<libipq>(3)."
+"Set the connection mark. If a mask is specified then only those bits set in "
+"the mask are modified."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:2477
-msgid ""
-"The packet-filtering-HOWTO details iptables usage for packet filtering, the "
-"netfilter-extensions-HOWTO details the extensions that are not in the "
-"standard distribution, and the netfilter-hacking-HOWTO details the netfilter "
-"internals."
+#. type: TP
+#: original/man8/iptables-extensions.8:1777
+#, no-wrap
+msgid "B<--save-mark> [B<--mask> I<mask>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2480 original/man8/iptables.8:2650
-msgid "See B<http://www.netfilter.org/>."
+#: original/man8/iptables-extensions.8:1781
+msgid ""
+"Copy the nfmark to the ctmark. If a mask is specified, only those bits are "
+"copied."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:2483
-msgid "Rusty Russell wrote iptables, in early consultation with Michael Neuling."
+#. type: TP
+#: original/man8/iptables-extensions.8:1781
+#, no-wrap
+msgid "B<--restore-mark> [B<--mask> I<mask>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2487 original/man8/iptables.8:2657
+#: original/man8/iptables-extensions.8:1785
msgid ""
-"Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet "
-"selection framework in iptables, then wrote the mangle table, the owner "
-"match, the mark stuff, and ran around doing cool stuff everywhere."
+"Copy the ctmark to the nfmark. If a mask is specified, only those bits are "
+"copied. This is only valid in the B<mangle> table."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:2489 original/man8/iptables.8:2659
-msgid "James Morris wrote the TOS target, and tos match."
+#. type: SS
+#: original/man8/iptables-extensions.8:1785
+#, no-wrap
+msgid "CONNSECMARK"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2491 original/man8/iptables.8:2661
-msgid "Jozsef Kadlecsik wrote the REJECT target."
+#: original/man8/iptables-extensions.8:1795
+msgid ""
+"This module copies security markings from packets to connections (if "
+"unlabeled), and from connections back to packets (also only if unlabeled). "
+"Typically used in conjunction with SECMARK, it is valid in the B<security> "
+"table (for backwards compatibility with older kernels, it is also valid in "
+"the B<mangle> table)."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:2493
-msgid ""
-"Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, as well as "
-"TTL match+target and libipulog."
+#. type: TP
+#: original/man8/iptables-extensions.8:1795
+#, no-wrap
+msgid "B<--save>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2497 original/man8/iptables.8:2667
+#: original/man8/iptables-extensions.8:1799
msgid ""
-"The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Yasuyuki "
-"Kozakai, Jozsef Kadlecsik, Patrick McHardy, James Morris, Pablo Neira Ayuso, "
-"Harald Welte and Rusty Russell."
+"If the packet has a security marking, copy it to the connection if the "
+"connection is not marked."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1799
+#, no-wrap
+msgid "B<--restore>"
msgstr ""
-#. .. and did I mention that we are incredibly cool people?
-#. .. sexy, too ..
-#. .. witty, charming, powerful ..
-#. .. and most of all, modest ..
#. type: Plain text
-#: original/man8/ip6tables.8:2504
+#: original/man8/iptables-extensions.8:1803
msgid ""
-"ip6tables man page created by Andras Kis-Szabo, based on iptables man page "
-"written by Herve Eychenne E<lt>rv@wallfire.orgE<gt>."
+"If the packet does not have a security marking, and the connection does, "
+"copy the security marking from the connection to the packet."
msgstr ""
-#. type: SH
-#: original/man8/ip6tables.8:2504 original/man8/iptables.8:2673
+#. type: SS
+#: original/man8/iptables-extensions.8:1804
#, no-wrap
-msgid "VERSION"
+msgid "CT"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2506
-msgid "This manual page applies to ip6tables @PACKAGE_VERSION@."
+#: original/man8/iptables-extensions.8:1809
+msgid ""
+"The CT target allows to set parameters for a packet or its associated "
+"connection. The target attaches a \"template\" connection tracking entry to "
+"the packet, which is then used by the conntrack core when initializing a new "
+"ct entry. This target is thus only valid in the \"raw\" table."
msgstr ""
-#. type: TH
-#: original/man8/iptables-restore.8:1
+#. type: TP
+#: original/man8/iptables-extensions.8:1809
#, no-wrap
-msgid "IPTABLES-RESTORE"
+msgid "B<--notrack>"
msgstr ""
-#. type: TH
-#: original/man8/iptables-restore.8:1 original/man8/iptables-save.8:1
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1812
+msgid "Disables connection tracking for this packet."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1812
#, no-wrap
-msgid "Jan 04, 2001"
+msgid "B<--helper> I<name>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables-restore.8:23
-msgid "iptables-restore \\(em Restore IP Tables"
+#: original/man8/iptables-extensions.8:1816
+msgid ""
+"Use the helper identified by I<name> for the connection. This is more "
+"flexible than loading the conntrack helper modules with preset ports."
msgstr ""
-#. type: Plain text
-#: original/man8/iptables-restore.8:25
-msgid "B<iptables-restore> [B<-c>] [B<-n>] [B<-T> I<name>]"
+#. type: TP
+#: original/man8/iptables-extensions.8:1816
+#, no-wrap
+msgid "B<--ctevents> I<event>[B<,>...]"
msgstr ""
#. type: Plain text
-#: original/man8/iptables-restore.8:30
+#: original/man8/iptables-extensions.8:1822
msgid ""
-"B<iptables-restore> is used to restore IP Tables from data specified on "
-"STDIN. Use I/O redirection provided by your shell to read from a file"
+"Only generate the specified conntrack events for this connection. Possible "
+"event types are: B<new>, B<related>, B<destroy>, B<reply>, B<assured>, "
+"B<protoinfo>, B<helper>, B<mark> (this refers to the ctmark, not nfmark), "
+"B<natseqinfo>, B<secmark> (ctsecmark)."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1822
+#, no-wrap
+msgid "B<--expevents> I<event>[B<,>...]"
msgstr ""
#. type: Plain text
-#: original/man8/iptables-restore.8:38
+#: original/man8/iptables-extensions.8:1826
msgid ""
-"don't flush the previous contents of the table. If not specified, "
-"B<iptables-restore> flushes (deletes) all previous contents of the "
-"respective IP Table."
+"Only generate the specified expectation events for this connection. "
+"Possible event types are: B<new>."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1826
+#, no-wrap
+msgid "B<--zone> I<id>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables-restore.8:41
-msgid "Restore only the named table even if the input stream contains other ones."
+#: original/man8/iptables-extensions.8:1830
+msgid ""
+"Assign this packet to zone I<id> and only have lookups done in that zone. "
+"By default, packets have zone 0."
msgstr ""
-#. type: SH
-#: original/man8/iptables-restore.8:43 original/man8/iptables-save.8:44 original/man1/iptables-xml.1:84
+#. type: TP
+#: original/man8/iptables-extensions.8:1830
#, no-wrap
-msgid "AUTHOR"
+msgid "B<--timeout> I<name>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables-restore.8:47
-msgid "B<iptables-save>(8), B<iptables>(8)"
+#: original/man8/iptables-extensions.8:1835
+msgid ""
+"Use the timeout policy identified by I<name> for the connection. This is "
+"provides more flexible timeout policy definition than global timeout values "
+"available at /proc/sys/net/netfilter/nf_conntrack_*_timeout_*."
msgstr ""
-#. type: TH
-#: original/man8/iptables-save.8:1
+#. type: SS
+#: original/man8/iptables-extensions.8:1835
#, no-wrap
-msgid "IPTABLES-SAVE"
+msgid "DNAT (IPv4-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/iptables-save.8:23
-msgid "iptables-save \\(em dump iptables rules to stdout"
+#: original/man8/iptables-extensions.8:1847
+msgid ""
+"This target is only valid in the B<nat> table, in the B<PREROUTING> and "
+"B<OUTPUT> chains, and user-defined chains which are only called from those "
+"chains. It specifies that the destination address of the packet should be "
+"modified (and all future packets in this connection will also be mangled), "
+"and rules should cease being examined. It takes one type of option:"
msgstr ""
-#. type: Plain text
-#: original/man8/iptables-save.8:26
-msgid "B<iptables-save> [B<-M> I<modprobe>] [B<-c>] [B<-t> I<table>]"
+#. type: TP
+#: original/man8/iptables-extensions.8:1847
+#, no-wrap
+msgid "B<--to-destination> [I<ipaddr>[B<->I<ipaddr>]][B<:>I<port>[B<->I<port>]]"
msgstr ""
#. type: Plain text
-#: original/man8/iptables-save.8:31
+#: original/man8/iptables-extensions.8:1858
msgid ""
-"B<iptables-save> is used to dump the contents of an IP Table in easily "
-"parseable format to STDOUT. Use I/O-redirection provided by your shell to "
-"write to a file."
+"which can specify a single new destination IP address, an inclusive range of "
+"IP addresses, and optionally, a port range (which is only valid if the rule "
+"also specifies B<-p tcp> or B<-p udp>). If no port range is specified, then "
+"the destination port will never be modified. If no IP address is specified "
+"then only the destination port will be modified."
msgstr ""
#. type: Plain text
-#: original/man8/iptables-save.8:48
-msgid "B<iptables-restore>(8), B<iptables>(8)"
+#: original/man8/iptables-extensions.8:1865
+msgid ""
+"In Kernels up to 2.6.10 you can add several --to-destination options. For "
+"those kernels, if you specify more than one destination address, either via "
+"an address range or multiple --to-destination options, a simple round-robin "
+"(one after another in cycle) load balancing takes place between these "
+"addresses. Later Kernels (E<gt>= 2.6.11-rc1) don't have the ability to NAT "
+"to multiple ranges anymore."
msgstr ""
-#. type: TH
-#: original/man8/iptables.8:1
+#. type: TP
+#: original/man8/iptables-extensions.8:1865 original/man8/iptables-extensions.8:2145 original/man8/iptables-extensions.8:2176 original/man8/iptables-extensions.8:2299 original/man8/iptables-extensions.8:2387 original/man8/iptables-extensions.8:2456
#, no-wrap
-msgid "IPTABLES"
+msgid "B<--random>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:27
-msgid "iptables \\(em administration tool for IPv4 packet filtering and NAT"
+#: original/man8/iptables-extensions.8:1870 original/man8/iptables-extensions.8:2304
+msgid ""
+"If option B<--random> is used then port mapping will be randomized (kernel "
+"E<gt>= 2.6.22)."
msgstr ""
-#. type: Plain text
-#: original/man8/iptables.8:30
-msgid ""
-"B<iptables> [B<-t> I<table>] {B<-A>|B<-C>|B<-D>} I<chain> "
-"I<rule-specification>"
+#. type: TP
+#: original/man8/iptables-extensions.8:1870 original/man8/iptables-extensions.8:2461
+#, no-wrap
+msgid "B<--persistent>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:32
+#: original/man8/iptables-extensions.8:1875 original/man8/iptables-extensions.8:2466
msgid ""
-"B<iptables> [B<-t> I<table>] B<-I> I<chain> [I<rulenum>] "
-"I<rule-specification>"
+"Gives a client the same source-/destination-address for each connection. "
+"This supersedes the SAME target. Support for persistent mappings is "
+"available from 2.6.29-rc2."
msgstr ""
-#. type: Plain text
-#: original/man8/iptables.8:34
-msgid "B<iptables> [B<-t> I<table>] B<-R> I<chain rulenum rule-specification>"
+#. type: SS
+#: original/man8/iptables-extensions.8:1875
+#, no-wrap
+msgid "DSCP"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:36
-msgid "B<iptables> [B<-t> I<table>] B<-D> I<chain rulenum>"
+#: original/man8/iptables-extensions.8:1879
+msgid ""
+"This target allows to alter the value of the DSCP bits within the TOS header "
+"of the IPv4 packet. As this manipulates a packet, it can only be used in "
+"the mangle table."
msgstr ""
-#. type: Plain text
-#: original/man8/iptables.8:38
-msgid "B<iptables> [B<-t> I<table>] B<-S> [I<chain> [I<rulenum>]]"
+#. type: TP
+#: original/man8/iptables-extensions.8:1879
+#, no-wrap
+msgid "B<--set-dscp> I<value>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:40
-msgid ""
-"B<iptables> [B<-t> I<table>] {B<-F>|B<-L>|B<-Z>} [I<chain> [I<rulenum>]] "
-"[I<options...>]"
+#: original/man8/iptables-extensions.8:1882
+msgid "Set the DSCP field to a numerical value (can be decimal or hex)"
msgstr ""
-#. type: Plain text
-#: original/man8/iptables.8:42
-msgid "B<iptables> [B<-t> I<table>] B<-N> I<chain>"
+#. type: TP
+#: original/man8/iptables-extensions.8:1882
+#, no-wrap
+msgid "B<--set-dscp-class> I<class>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:44
-msgid "B<iptables> [B<-t> I<table>] B<-X> [I<chain>]"
+#: original/man8/iptables-extensions.8:1885
+msgid "Set the DSCP field to a DiffServ class."
msgstr ""
-#. type: Plain text
-#: original/man8/iptables.8:46
-msgid "B<iptables> [B<-t> I<table>] B<-P> I<chain target>"
+#. type: SS
+#: original/man8/iptables-extensions.8:1885
+#, no-wrap
+msgid "ECN (IPv4-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:48
-msgid "B<iptables> [B<-t> I<table>] B<-E> I<old-chain-name new-chain-name>"
+#: original/man8/iptables-extensions.8:1888
+msgid ""
+"This target allows to selectively work around known ECN blackholes. It can "
+"only be used in the mangle table."
msgstr ""
-#. type: Plain text
-#: original/man8/iptables.8:50
-msgid "rule-specification = [I<matches...>] [I<target>]"
+#. type: TP
+#: original/man8/iptables-extensions.8:1888
+#, no-wrap
+msgid "B<--ecn-tcp-remove>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:52
-msgid "match = B<-m> I<matchname> [I<per-match-options>]"
+#: original/man8/iptables-extensions.8:1893
+msgid ""
+"Remove all ECN bits from the TCP header. Of course, it can only be used in "
+"conjunction with B<-p tcp>."
+msgstr ""
+
+#. type: SS
+#: original/man8/iptables-extensions.8:1893
+#, no-wrap
+msgid "HL (IPv6-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:54
-msgid "target = B<-j> I<targetname> [I<per-target-options>]"
+#: original/man8/iptables-extensions.8:1900
+msgid ""
+"This is used to modify the Hop Limit field in IPv6 header. The Hop Limit "
+"field is similar to what is known as TTL value in IPv4. Setting or "
+"incrementing the Hop Limit field can potentially be very dangerous, so it "
+"should be avoided at any cost. This target is only valid in B<mangle> table."
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:60
+#: original/man8/iptables-extensions.8:1902 original/man8/iptables-extensions.8:2613
msgid ""
-"B<Iptables> is used to set up, maintain, and inspect the tables of IPv4 "
-"packet filter rules in the Linux kernel. Several different tables may be "
-"defined. Each table contains a number of built-in chains and may also "
-"contain user-defined chains."
+"B<Don't ever set or increment the value on packets that leave your local "
+"network!>"
msgstr ""
#. type: TP
-#: original/man8/iptables.8:107
+#: original/man8/iptables-extensions.8:1902
#, no-wrap
-msgid "B<nat>:"
+msgid "B<--hl-set> I<value>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:114
-msgid ""
-"This table is consulted when a packet that creates a new connection is "
-"encountered. It consists of three built-ins: B<PREROUTING> (for altering "
-"packets as soon as they come in), B<OUTPUT> (for altering locally-generated "
-"packets before routing), and B<POSTROUTING> (for altering packets as they "
-"are about to go out)."
+#: original/man8/iptables-extensions.8:1905
+msgid "Set the Hop Limit to `value'."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1905
+#, no-wrap
+msgid "B<--hl-dec> I<value>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:147
-msgid ""
-"The options that are recognized by B<iptables> can be divided into several "
-"different groups."
+#: original/man8/iptables-extensions.8:1908
+msgid "Decrement the Hop Limit `value' times."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1908
+#, no-wrap
+msgid "B<--hl-inc> I<value>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:153
-msgid ""
-"These options specify the desired action to perform. Only one of them can be "
-"specified on the command line unless otherwise stated below. For long "
-"versions of the command and option names, you need to use only enough "
-"letters to ensure that B<iptables> can differentiate it from all other "
-"options."
+#: original/man8/iptables-extensions.8:1911
+msgid "Increment the Hop Limit `value' times."
+msgstr ""
+
+#. type: SS
+#: original/man8/iptables-extensions.8:1911
+#, no-wrap
+msgid "HMARK"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:188
+#: original/man8/iptables-extensions.8:1916
msgid ""
-"List all rules in the selected chain. If no chain is selected, all chains "
-"are listed. Like every other iptables command, it applies to the specified "
-"table (filter is the default), so NAT rules get listed by"
+"Like MARK, i.e. set the fwmark, but the mark is calculated from hashing "
+"packet selector at choice. You have also to specify the mark range and, "
+"optionally, the offset to start from. ICMP error messages are inspected and "
+"used to calculate the hashing."
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:190
+#: original/man8/iptables-extensions.8:1918
+msgid "Existing options are:"
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1918
#, no-wrap
-msgid " iptables -t nat -n -L\n"
+msgid "B<--hmark-tuple> tuple"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:199
+#: original/man8/iptables-extensions.8:1933
+msgid ""
+"Possible tuple members are: B<src> meaning source address (IPv4, IPv6 "
+"address), B<dst> meaning destination address (IPv4, IPv6 address), B<sport> "
+"meaning source port (TCP, UDP, UDPlite, SCTP, DCCP), B<dport> meaning "
+"destination port (TCP, UDP, UDPlite, SCTP, DCCP), B<spi> meaning Security "
+"Parameter Index (AH, ESP), and B<ct> meaning the usage of the conntrack "
+"tuple instead of the packet selectors."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1933
#, no-wrap
-msgid " iptables -L -v\n"
+msgid "B<--hmark-mod> I<value (must be E<gt> 0)>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:205
-msgid ""
-"Print all rules in the selected chain. If no chain is selected, all chains "
-"are printed like iptables-save. Like every other iptables command, it "
-"applies to the specified table (filter is the default)."
+#: original/man8/iptables-extensions.8:1936
+msgid "Modulus for hash calculation (to limit the range of possible marks)"
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1936
+#, no-wrap
+msgid "B<--hmark-offset> I<value>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:256
-msgid ""
-"The protocol of the rule or of the packet to check. The specified protocol "
-"can be one of B<tcp>, B<udp>, B<udplite>, B<icmp>, B<esp>, B<ah>, B<sctp> or "
-"the special keyword \"B<all>\", or it can be a numeric value, representing "
-"one of these protocols or a different one. A protocol name from "
-"/etc/protocols is also allowed. A \"!\" argument before the protocol "
-"inverts the test. The number zero is equivalent to B<all>. \"B<all>\" will "
-"match with all protocols and is taken as default when this option is "
-"omitted."
+#: original/man8/iptables-extensions.8:1939
+msgid "Offset to start marks from."
msgstr ""
#. type: TP
-#: original/man8/iptables.8:256
+#: original/man8/iptables-extensions.8:1939
#, no-wrap
-msgid "[B<!>] B<-s>, B<--source> I<address>[B</>I<mask>][B<,>I<...>]"
+msgid "For advanced usage, instead of using --hmark-tuple, you can specify custom"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:273
-msgid ""
-"Source specification. I<Address> can be either a network name, a hostname, a "
-"network IP address (with B</>I<mask>), or a plain IP address. Hostnames will "
-"be resolved once only, before the rule is submitted to the kernel. Please "
-"note that specifying any name to be resolved with a remote query such as DNS "
-"is a really bad idea. The I<mask> can be either a network mask or a plain "
-"number, specifying the number of 1's at the left side of the network mask. "
-"Thus, a mask of I<24> is equivalent to I<255.255.255.0>. A \"!\" argument "
-"before the address specification inverts the sense of the address. The flag "
-"B<--src> is an alias for this option. Multiple addresses can be specified, "
-"but this will B<expand to multiple rules> (when adding with -A), or will "
-"cause multiple rules to be deleted (with -D)."
+#: original/man8/iptables-extensions.8:1942
+msgid "prefixes and masks:"
msgstr ""
#. type: TP
-#: original/man8/iptables.8:273
+#: original/man8/iptables-extensions.8:1942
#, no-wrap
-msgid "[B<!>] B<-d>, B<--destination> I<address>[B</>I<mask>][B<,>I<...>]"
+msgid "B<--hmark-src-prefix> I<cidr>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1945
+msgid "The source address mask in CIDR notation."
msgstr ""
#. type: TP
-#: original/man8/iptables.8:312
+#: original/man8/iptables-extensions.8:1945
#, no-wrap
-msgid "[B<!>] B<-f>, B<--fragment>"
+msgid "B<--hmark-dst-prefix> I<cidr>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:320
-msgid ""
-"This means that the rule only refers to second and further fragments of "
-"fragmented packets. Since there is no way to tell the source or destination "
-"ports of such a packet (or ICMP type), such a packet will not match any "
-"rules which specify them. When the \"!\" argument precedes the \"-f\" flag, "
-"the rule will only match head fragments, or unfragmented packets."
+#: original/man8/iptables-extensions.8:1948
+msgid "The destination address mask in CIDR notation."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1948
+#, no-wrap
+msgid "B<--hmark-sport-mask> I<value>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:368
-msgid ""
-"iptables can use extended packet matching modules with the B<-m> or "
-"B<--match> options, followed by the matching module name; after these, "
-"various extra command line options become available, depending on the "
-"specific module. You can specify multiple extended match modules in one "
-"line, and you can use the B<-h> or B<--help> options after the module has "
-"been specified to receive help specific to that module."
+#: original/man8/iptables-extensions.8:1951
+msgid "A 16 bit source port mask in hexadecimal."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1951
+#, no-wrap
+msgid "B<--hmark-dport-mask> I<value>"
msgstr ""
-#. @MATCH@
#. type: Plain text
-#: original/man8/iptables.8:373
-msgid ""
-"If the B<-p> or B<--protocol> was specified and if and only if an unknown "
-"option is encountered, iptables will try load a match module of the same "
-"name as the protocol, to try making the option available."
+#: original/man8/iptables-extensions.8:1954
+msgid "A 16 bit destination port mask in hexadecimal."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1954
+#, no-wrap
+msgid "B<--hmark-spi-mask> I<value>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:445
-msgid "This module matches the SPIs in Authentication header of IPsec packets."
+#: original/man8/iptables-extensions.8:1957
+msgid "A 32 bit field with spi mask."
msgstr ""
-#. type: SS
-#: original/man8/iptables.8:825
+#. type: TP
+#: original/man8/iptables-extensions.8:1957
#, no-wrap
-msgid "icmp"
+msgid "B<--hmark-proto-mask> I<value>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:828
-msgid ""
-"This extension can be used if `--protocol icmp' is specified. It provides "
-"the following option:"
+#: original/man8/iptables-extensions.8:1960
+msgid "An 8 bit field with layer 4 protocol number."
msgstr ""
#. type: TP
-#: original/man8/iptables.8:828
+#: original/man8/iptables-extensions.8:1960
#, no-wrap
-msgid "[B<!>] B<--icmp-type> {I<type>[B</>I<code>]|I<typename>}"
+msgid "B<--hmark-rnd> I<value>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:832
-msgid ""
-"This allows specification of the ICMP type, which can be a numeric ICMP "
-"type, type/code pair, or one of the ICMP type names shown by the command"
+#: original/man8/iptables-extensions.8:1963
+msgid "A 32 bit random custom value to feed hash calculation."
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:834
+#: original/man8/iptables-extensions.8:1965
+msgid "I<Examples:>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1969
#, no-wrap
-msgid " iptables -p icmp -h\n"
+msgid ""
+"iptables -t mangle -A PREROUTING -m conntrack --ctstate NEW\n"
+" -j HMARK --hmark-tuple ct,src,dst,proto --hmark-offset 10000\n"
+"--hmark-mod 10 --hmark-rnd 0xfeedcafe\n"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1972
+msgid ""
+"iptables -t mangle -A PREROUTING -j HMARK --hmark-offset 10000 --hmark-tuple "
+"src,dst,proto --hmark-mod 10 --hmark-rnd 0xdeafbeef"
msgstr ""
#. type: SS
-#: original/man8/iptables.8:969
+#: original/man8/iptables-extensions.8:1972
#, no-wrap
-msgid "osf"
+msgid "IDLETIMER"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:973
+#: original/man8/iptables-extensions.8:1981
msgid ""
-"The osf module does passive operating system fingerprinting. This modules "
-"compares some data (Window Size, MSS, options and their order, TTL, DF, and "
-"others) from packets with the SYN bit set."
+"This target can be used to identify when interfaces have been idle for a "
+"certain period of time. Timers are identified by labels and are created "
+"when a rule is set with a new label. The rules also take a timeout value "
+"(in seconds) as an option. If more than one rule uses the same timer label, "
+"the timer will be restarted whenever any of the rules get a hit. One entry "
+"for each timer is created in sysfs. This attribute contains the timer "
+"remaining for the timer to expire. The attributes are located under the "
+"xt_idletimer class:"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1983
+msgid "/sys/class/xt_idletimer/timers/E<lt>labelE<gt>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1986
+msgid ""
+"When the timer expires, the target module sends a sysfs notification to the "
+"userspace, which can then decide what to do (eg. disconnect to save power)."
msgstr ""
#. type: TP
-#: original/man8/iptables.8:973
+#: original/man8/iptables-extensions.8:1986
#, no-wrap
-msgid "[B<!>] B<--genre> I<string>"
+msgid "B<--timeout> I<amount>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:976
-msgid "Match an operating system genre by using a passive fingerprinting."
+#: original/man8/iptables-extensions.8:1989
+msgid "This is the time in seconds that will trigger the notification."
msgstr ""
#. type: TP
-#: original/man8/iptables.8:976
+#: original/man8/iptables-extensions.8:1989
#, no-wrap
-msgid "B<--ttl> I<level>"
+msgid "B<--label> I<string>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:980
+#: original/man8/iptables-extensions.8:1993
msgid ""
-"Do additional TTL checks on the packet to determine the operating system. "
-"I<level> can be one of the following values:"
+"This is a unique identifier for the timer. The maximum length for the label "
+"string is 27 characters."
+msgstr ""
+
+#. type: SS
+#: original/man8/iptables-extensions.8:1993
+#, no-wrap
+msgid "LED"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:983
+#: original/man8/iptables-extensions.8:1999
msgid ""
-"0 - True IP address and fingerprint TTL comparison. This generally works for "
-"LANs."
+"This creates an LED-trigger that can then be attached to system indicator "
+"lights, to blink or illuminate them when certain packets pass through the "
+"system. One example might be to light up an LED for a few minutes every time "
+"an SSH connection is made to the local machine. The following options "
+"control the trigger behavior:"
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1999
+#, no-wrap
+msgid "B<--led-trigger-id> I<name>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:986
+#: original/man8/iptables-extensions.8:2003
msgid ""
-"1 - Check if the IP header's TTL is less than the fingerprint one. Works for "
-"globally-routable addresses."
+"This is the name given to the LED trigger. The actual name of the trigger "
+"will be prefixed with \"netfilter-\"."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2003
+#, no-wrap
+msgid "B<--led-delay> I<ms>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:988
-msgid "2 - Do not compare the TTL at all."
+#: original/man8/iptables-extensions.8:2011
+msgid ""
+"This indicates how long (in milliseconds) the LED should be left illuminated "
+"when a packet arrives before being switched off again. The default is 0 "
+"(blink as fast as possible.) The special value I<inf> can be given to leave "
+"the LED on permanently once activated. (In this case the trigger will need "
+"to be manually detached and reattached to the LED device to switch it off "
+"again.)"
msgstr ""
#. type: TP
-#: original/man8/iptables.8:988
+#: original/man8/iptables-extensions.8:2011
#, no-wrap
-msgid "B<--log> I<level>"
+msgid "B<--led-always-blink>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2016
+msgid ""
+"Always make the LED blink on packet arrival, even if the LED is already on. "
+"This allows notification of new packets even with long delay values (which "
+"otherwise would result in a silent prolonging of the delay time.)"
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2018
+#, no-wrap
+msgid "Create an LED trigger for incoming SSH traffic:"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2021
+msgid "iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh"
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2021
+#, no-wrap
+msgid "Then attach the new trigger to an LED:"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2024
+msgid "echo netfilter-ssh E<gt>/sys/class/leds/I<ledname>/trigger"
+msgstr ""
+
+#. type: SS
+#: original/man8/iptables-extensions.8:2024
+#, no-wrap
+msgid "LOG (IPv6-specific)"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2036
+msgid ""
+"Turn on kernel logging of matching packets. When this option is set for a "
+"rule, the Linux kernel will print some information on all matching packets "
+"(like most IPv6 IPv6-header fields) via the kernel log (where it can be read "
+"with I<dmesg> or I<syslogd>(8)). This is a \"non-terminating target\", "
+"i.e. rule traversal continues at the next rule. So if you want to LOG the "
+"packets you refuse, use two separate rules with the same matching criteria, "
+"first using target LOG then DROP (or REJECT)."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2036 original/man8/iptables-extensions.8:2071
+#, no-wrap
+msgid "B<--log-level> I<level>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2042 original/man8/iptables-extensions.8:2077
+msgid ""
+"Level of logging, which can be (system-specific) numeric or a mnemonic. "
+"Possible values are (in decreasing order of priority): B<emerg>, B<alert>, "
+"B<crit>, B<error>, B<warning>, B<notice>, B<info> or B<debug>."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2042 original/man8/iptables-extensions.8:2077
+#, no-wrap
+msgid "B<--log-prefix> I<prefix>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2046 original/man8/iptables-extensions.8:2081
+msgid ""
+"Prefix log messages with the specified prefix; up to 29 letters long, and "
+"useful for distinguishing messages in the logs."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2046 original/man8/iptables-extensions.8:2081
+#, no-wrap
+msgid "B<--log-tcp-sequence>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2050 original/man8/iptables-extensions.8:2085
+msgid ""
+"Log TCP sequence numbers. This is a security risk if the log is readable by "
+"users."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2050 original/man8/iptables-extensions.8:2085
+#, no-wrap
+msgid "B<--log-tcp-options>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2053 original/man8/iptables-extensions.8:2088
+msgid "Log options from the TCP packet header."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2053 original/man8/iptables-extensions.8:2088
+#, no-wrap
+msgid "B<--log-ip-options>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2056
+msgid "Log options from the IPv6 packet header."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2056 original/man8/iptables-extensions.8:2091
+#, no-wrap
+msgid "B<--log-uid>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2059 original/man8/iptables-extensions.8:2094
+msgid "Log the userid of the process which generated the packet."
+msgstr ""
+
+#. type: SS
+#: original/man8/iptables-extensions.8:2059
+#, no-wrap
+msgid "LOG (IPv4-specific)"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2071
+msgid ""
+"Turn on kernel logging of matching packets. When this option is set for a "
+"rule, the Linux kernel will print some information on all matching packets "
+"(like most IP header fields) via the kernel log (where it can be read with "
+"I<dmesg> or I<syslogd>(8)). This is a \"non-terminating target\", i.e. rule "
+"traversal continues at the next rule. So if you want to LOG the packets you "
+"refuse, use two separate rules with the same matching criteria, first using "
+"target LOG then DROP (or REJECT)."
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2091
+msgid "Log options from the IP packet header."
+msgstr ""
+
+#. type: SS
+#: original/man8/iptables-extensions.8:2094
+#, no-wrap
+msgid "MARK"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2100
+msgid ""
+"This target is used to set the Netfilter mark value associated with the "
+"packet. It can, for example, be used in conjunction with routing based on "
+"fwmark (needs iproute2). If you plan on doing so, note that the mark needs "
+"to be set in the PREROUTING chain of the mangle table to affect routing. "
+"The mark field is 32 bits wide."
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2104
+msgid ""
+"Zeroes out the bits given by I<mask> and XORs I<value> into the packet mark "
+"(\"nfmark\"). If I<mask> is omitted, 0xFFFFFFFF is assumed."
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2108
+msgid ""
+"Zeroes out the bits given by I<mask> and ORs I<value> into the packet "
+"mark. If I<mask> is omitted, 0xFFFFFFFF is assumed."
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2110 original/man8/iptables-extensions.8:2545
+msgid "The following mnemonics are available:"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2114
+msgid ""
+"Binary AND the nfmark with I<bits>. (Mnemonic for B<--set-xmark "
+"0/>I<invbits>, where I<invbits> is the binary negation of I<bits>.)"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2118
+msgid ""
+"Binary OR the nfmark with I<bits>. (Mnemonic for B<--set-xmark> "
+"I<bits>B</>I<bits>.)"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2122
+msgid ""
+"Binary XOR the nfmark with I<bits>. (Mnemonic for B<--set-xmark> "
+"I<bits>B</0>.)"
+msgstr ""
+
+#. type: SS
+#: original/man8/iptables-extensions.8:2122
+#, no-wrap
+msgid "MASQUERADE (IPv6-specific)"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2136
+msgid ""
+"This target is only valid in the B<nat> table, in the B<POSTROUTING> chain. "
+"It should only be used with dynamically assigned IPv6 (dialup) connections: "
+"if you have a static IP address, you should use the SNAT target. "
+"Masquerading is equivalent to specifying a mapping to the IP address of the "
+"interface the packet is going out, but also has the effect that connections "
+"are I<forgotten> when the interface goes down. This is the correct behavior "
+"when the next dialup is unlikely to have the same interface address (and "
+"hence any established connections are lost anyway)."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2136 original/man8/iptables-extensions.8:2167 original/man8/iptables-extensions.8:2291
+#, no-wrap
+msgid "B<--to-ports> I<port>[B<->I<port>]"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2145 original/man8/iptables-extensions.8:2176
+msgid ""
+"This specifies a range of source ports to use, overriding the default "
+"B<SNAT> source port-selection heuristics (see above). This is only valid if "
+"the rule also specifies B<-p tcp> or B<-p udp>."
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2151
+msgid ""
+"Randomize source port mapping If option B<--random> is used then port "
+"mapping will be randomized."
+msgstr ""
+
+#. type: SS
+#: original/man8/iptables-extensions.8:2153
+#, no-wrap
+msgid "MASQUERADE (IPv4-specific)"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2167
+msgid ""
+"This target is only valid in the B<nat> table, in the B<POSTROUTING> chain. "
+"It should only be used with dynamically assigned IP (dialup) connections: "
+"if you have a static IP address, you should use the SNAT target. "
+"Masquerading is equivalent to specifying a mapping to the IP address of the "
+"interface the packet is going out, but also has the effect that connections "
+"are I<forgotten> when the interface goes down. This is the correct behavior "
+"when the next dialup is unlikely to have the same interface address (and "
+"hence any established connections are lost anyway)."
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2182
+msgid ""
+"Randomize source port mapping If option B<--random> is used then port "
+"mapping will be randomized (kernel E<gt>= 2.6.21)."
+msgstr ""
+
+#. type: SS
+#: original/man8/iptables-extensions.8:2184
+#, no-wrap
+msgid "MIRROR (IPv4-specific)"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2197
+msgid ""
+"This is an experimental demonstration target which inverts the source and "
+"destination fields in the IP header and retransmits the packet. It is only "
+"valid in the B<INPUT>, B<FORWARD> and B<PREROUTING> chains, and user-defined "
+"chains which are only called from those chains. Note that the outgoing "
+"packets are B<NOT> seen by any packet filtering chains, connection tracking "
+"or NAT, to avoid loops and other problems."
+msgstr ""
+
+#. type: SS
+#: original/man8/iptables-extensions.8:2197
+#, no-wrap
+msgid "NETMAP (IPv4-specific)"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2202
+msgid ""
+"This target allows you to statically map a whole network of addresses onto "
+"another network of addresses. It can only be used from rules in the B<nat> "
+"table."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2202
+#, no-wrap
+msgid "B<--to> I<address>[B</>I<mask>]"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2207
+msgid ""
+"Network address to map to. The resulting address will be constructed in the "
+"following way: All 'one' bits in the mask are filled in from the new "
+"`address'. All bits that are zero in the mask are filled in from the "
+"original address."
+msgstr ""
+
+#. type: SS
+#: original/man8/iptables-extensions.8:2207
+#, no-wrap
+msgid "NFLOG"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2217
+msgid ""
+"This target provides logging of matching packets. When this target is set "
+"for a rule, the Linux kernel will pass the packet to the loaded logging "
+"backend to log the packet. This is usually used in combination with "
+"nfnetlink_log as logging backend, which will multicast the packet through a "
+"I<netlink> socket to the specified multicast group. One or more userspace "
+"processes may subscribe to the group to receive the packets. Like LOG, this "
+"is a non-terminating target, i.e. rule traversal continues at the next rule."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2217
+#, no-wrap
+msgid "B<--nflog-group> I<nlgroup>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2221
+msgid ""
+"The netlink group (0 - 2^16-1) to which packets are (only applicable for "
+"nfnetlink_log). The default value is 0."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2221
+#, no-wrap
+msgid "B<--nflog-prefix> I<prefix>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2225
+msgid ""
+"A prefix string to include in the log message, up to 64 characters long, "
+"useful for distinguishing messages in the logs."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2225
+#, no-wrap
+msgid "B<--nflog-range> I<size>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2230
+msgid ""
+"The number of bytes to be copied to userspace (only applicable for "
+"nfnetlink_log). nfnetlink_log instances may specify their own range, this "
+"option overrides it."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2230
+#, no-wrap
+msgid "B<--nflog-threshold> I<size>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2237
+msgid ""
+"Number of packets to queue inside the kernel before sending them to "
+"userspace (only applicable for nfnetlink_log). Higher values result in less "
+"overhead per packet, but increase delay until the packets reach "
+"userspace. The default value is 1."
+msgstr ""
+
+#. type: SS
+#: original/man8/iptables-extensions.8:2237
+#, no-wrap
+msgid "NFQUEUE"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2247
+msgid ""
+"This target is an extension of the QUEUE target. As opposed to QUEUE, it "
+"allows you to put a packet into any specific queue, identified by its 16-bit "
+"queue number. It can only be used with Kernel versions 2.6.14 or later, "
+"since it requires the B<nfnetlink_queue> kernel support. The "
+"B<queue-balance> option was added in Linux 2.6.31, B<queue-bypass> in "
+"2.6.39."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2247
+#, no-wrap
+msgid "B<--queue-num> I<value>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2250
+msgid ""
+"This specifies the QUEUE number to use. Valid queue numbers are 0 to "
+"65535. The default value is 0."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2251
+#, no-wrap
+msgid "B<--queue-balance> I<value>B<:>I<value>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2257
+msgid ""
+"This specifies a range of queues to use. Packets are then balanced across "
+"the given queues. This is useful for multicore systems: start multiple "
+"instances of the userspace program on queues x, x+1, .. x+n and use "
+"\"--queue-balance I<x>B<:>I<x+n>\". Packets belonging to the same "
+"connection are put into the same nfqueue."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2258
+#, no-wrap
+msgid "B<--queue-bypass>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2263
+msgid ""
+"By default, if no userspace program is listening on an NFQUEUE, then all "
+"packets that are to be queued are dropped. When this option is used, the "
+"NFQUEUE rule is silently bypassed instead. The packet will move on to the "
+"next rule."
+msgstr ""
+
+#. type: SS
+#: original/man8/iptables-extensions.8:2263
+#, no-wrap
+msgid "NOTRACK"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2267
+msgid ""
+"This target disables connection tracking for all packets matching that "
+"rule. It is obsoleted by -j CT --notrack. Like CT, NOTRACK can only be used "
+"in the B<raw> table."
+msgstr ""
+
+#. type: SS
+#: original/man8/iptables-extensions.8:2267
+#, no-wrap
+msgid "RATEEST"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2270
+msgid ""
+"The RATEEST target collects statistics, performs rate estimation calculation "
+"and saves the results for later evaluation using the B<rateest> match."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2270
+#, no-wrap
+msgid "B<--rateest-name> I<name>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2274
+msgid ""
+"Count matched packets into the pool referred to by I<name>, which is freely "
+"choosable."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2274
+#, no-wrap
+msgid "B<--rateest-interval> I<amount>{B<s>|B<ms>|B<us>}"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2277
+msgid "Rate measurement interval, in seconds, milliseconds or microseconds."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2277
+#, no-wrap
+msgid "B<--rateest-ewmalog> I<value>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2280
+msgid "Rate measurement averaging time constant."
+msgstr ""
+
+#. type: SS
+#: original/man8/iptables-extensions.8:2280
+#, no-wrap
+msgid "REDIRECT (IPv4-specific)"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2291
+msgid ""
+"This target is only valid in the B<nat> table, in the B<PREROUTING> and "
+"B<OUTPUT> chains, and user-defined chains which are only called from those "
+"chains. It redirects the packet to the machine itself by changing the "
+"destination IP to the primary address of the incoming interface "
+"(locally-generated packets are mapped to the 127.0.0.1 address)."
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2299
+msgid ""
+"This specifies a destination port or range of ports to use: without this, "
+"the destination port is never altered. This is only valid if the rule also "
+"specifies B<-p tcp> or B<-p udp>."
+msgstr ""
+
+#. type: SS
+#: original/man8/iptables-extensions.8:2306
+#, no-wrap
+msgid "REJECT (IPv6-specific)"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2319 original/man8/iptables-extensions.8:2353
+msgid ""
+"This is used to send back an error packet in response to the matched packet: "
+"otherwise it is equivalent to B<DROP> so it is a terminating TARGET, ending "
+"rule traversal. This target is only valid in the B<INPUT>, B<FORWARD> and "
+"B<OUTPUT> chains, and user-defined chains which are only called from those "
+"chains. The following option controls the nature of the error packet "
+"returned:"
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2319 original/man8/iptables-extensions.8:2353
+#, no-wrap
+msgid "B<--reject-with> I<type>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2340
+msgid ""
+"The type given can be B<icmp6-no-route>, B<no-route>, "
+"B<icmp6-adm-prohibited>, B<adm-prohibited>, B<icmp6-addr-unreachable>, "
+"B<addr-unreach>, B<icmp6-port-unreachable> or B<port-unreach> which return "
+"the appropriate ICMPv6 error message (B<port-unreach> is the "
+"default). Finally, the option B<tcp-reset> can be used on rules which only "
+"match the TCP protocol: this causes a TCP RST packet to be sent back. This "
+"is mainly useful for blocking I<ident> (113/tcp) probes which frequently "
+"occur when sending mail to broken mail hosts (which won't accept your mail "
+"otherwise). B<tcp-reset> can only be used with kernel versions 2.6.14 or "
+"later."
+msgstr ""
+
+#. type: SS
+#: original/man8/iptables-extensions.8:2340
+#, no-wrap
+msgid "REJECT (IPv4-specific)"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2371
+msgid ""
+"The type given can be B<icmp-net-unreachable>, B<icmp-host-unreachable>, "
+"B<icmp-port-unreachable>, B<icmp-proto-unreachable>, B<icmp-net-prohibited>, "
+"B<icmp-host-prohibited> or B<icmp-admin-prohibited> (*) which return the "
+"appropriate ICMP error message (B<port-unreachable> is the default). The "
+"option B<tcp-reset> can be used on rules which only match the TCP protocol: "
+"this causes a TCP RST packet to be sent back. This is mainly useful for "
+"blocking I<ident> (113/tcp) probes which frequently occur when sending mail "
+"to broken mail hosts (which won't accept your mail otherwise)."
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:992
+#: original/man8/iptables-extensions.8:2373
msgid ""
-"Log determined genres into dmesg even if they do not match the desired one. "
-"I<level> can be one of the following values:"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/iptables.8:994
-msgid "0 - Log all matched or unknown signatures"
+"(*) Using icmp-admin-prohibited with kernels that do not support it will "
+"result in a plain DROP instead of REJECT"
msgstr ""
-#. type: Plain text
-#: original/man8/iptables.8:996
-msgid "1 - Log only the first one"
+#. type: SS
+#: original/man8/iptables-extensions.8:2373
+#, no-wrap
+msgid "SAME (IPv4-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:998
-msgid "2 - Log all known matched signatures"
+#: original/man8/iptables-extensions.8:2377
+msgid ""
+"Similar to SNAT/DNAT depending on chain: it takes a range of addresses "
+"(`--to 1.2.3.4-1.2.3.7') and gives a client the same "
+"source-/destination-address for each connection."
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:1000
-msgid "You may find something like this in syslog:"
+#: original/man8/iptables-extensions.8:2379
+msgid "N.B.: The DNAT target's B<--persistent> option replaced the SAME target."
msgstr ""
-#. type: Plain text
-#: original/man8/iptables.8:1003
-msgid ""
-"Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -E<gt> "
-"11.22.33.44:139 hops=3 Linux [2.5-2.6:] : 1.2.3.4:42624 -E<gt> 1.2.3.5:22 "
-"hops=4"
+#. type: TP
+#: original/man8/iptables-extensions.8:2379
+#, no-wrap
+msgid "B<--to> I<ipaddr>[B<->I<ipaddr>]"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:1006
+#: original/man8/iptables-extensions.8:2383
msgid ""
-"OS fingerprints are loadable using the B<nfnl_osf> program. To load "
-"fingerprints from a file, use:"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/iptables.8:1008
-msgid "B<nfnl_osf -f /usr/share/xtables/pf.os>"
+"Addresses to map source to. May be specified more than once for multiple "
+"ranges."
msgstr ""
-#. type: Plain text
-#: original/man8/iptables.8:1010
-msgid "To remove them again,"
+#. type: TP
+#: original/man8/iptables-extensions.8:2383
+#, no-wrap
+msgid "B<--nodst>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:1012
-msgid "B<nfnl_osf -f /usr/share/xtables/pf.os -d>"
+#: original/man8/iptables-extensions.8:2387
+msgid ""
+"Don't use the destination-ip in the calculations when selecting the new "
+"source-ip"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:1015
+#: original/man8/iptables-extensions.8:2391
msgid ""
-"The fingerprint database can be downlaoded from "
-"http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os ."
+"Port mapping will be forcibly randomized to avoid attacks based on port "
+"prediction (kernel E<gt>= 2.6.21)."
msgstr ""
#. type: SS
-#: original/man8/iptables.8:1241
+#: original/man8/iptables-extensions.8:2391
#, no-wrap
-msgid "realm"
+msgid "SECMARK"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:1244
+#: original/man8/iptables-extensions.8:2400
msgid ""
-"This matches the routing realm. Routing realms are used in complex routing "
-"setups involving dynamic routing protocols like BGP."
+"This is used to set the security mark value associated with the packet for "
+"use by security subsystems such as SELinux. It is valid in the B<security> "
+"table (for backwards compatibility with older kernels, it is also valid in "
+"the B<mangle> table). The mark is 32 bits wide."
msgstr ""
#. type: TP
-#: original/man8/iptables.8:1244
+#: original/man8/iptables-extensions.8:2400
#, no-wrap
-msgid "[B<!>] B<--realm> I<value>[B</>I<mask>]"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/iptables.8:1249
-msgid ""
-"Matches a given realm number (and optionally mask). If not a number, value "
-"can be a named realm from /etc/iproute2/rt_realms (mask can not be used in "
-"that case)."
+msgid "B<--selctx> I<security_context>"
msgstr ""
#. type: SS
-#: original/man8/iptables.8:1680
+#: original/man8/iptables-extensions.8:2402
#, no-wrap
-msgid "ttl"
+msgid "SET"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:1682
-msgid "This module matches the time to live field in the IP header."
+#: original/man8/iptables-extensions.8:2405
+msgid ""
+"This module adds and/or deletes entries from IP sets which can be defined by "
+"ipset(8)."
msgstr ""
#. type: TP
-#: original/man8/iptables.8:1682
+#: original/man8/iptables-extensions.8:2405
#, no-wrap
-msgid "[B<!>] B<--ttl-eq> I<ttl>"
+msgid "B<--add-set> I<setname> I<flag>[B<,>I<flag>...]"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:1685
-msgid "Matches the given TTL value."
+#: original/man8/iptables-extensions.8:2408
+msgid "add the address(es)/port(s) of the packet to the set"
msgstr ""
#. type: TP
-#: original/man8/iptables.8:1685
+#: original/man8/iptables-extensions.8:2408
#, no-wrap
-msgid "B<--ttl-gt> I<ttl>"
+msgid "B<--del-set> I<setname> I<flag>[B<,>I<flag>...]"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:1688
-msgid "Matches if TTL is greater than the given TTL value."
+#: original/man8/iptables-extensions.8:2411
+msgid "delete the address(es)/port(s) of the packet from the set"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2417
+msgid ""
+"where I<flag>(s) are B<src> and/or B<dst> specifications and there can be no "
+"more than six of them."
msgstr ""
#. type: TP
-#: original/man8/iptables.8:1688
+#: original/man8/iptables-extensions.8:2417
#, no-wrap
-msgid "B<--ttl-lt> I<ttl>"
+msgid "B<--timeout> I<value>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:1691
-msgid "Matches if TTL is less than the given TTL value."
+#: original/man8/iptables-extensions.8:2421
+msgid ""
+"when adding an entry, the timeout value to use instead of the default one "
+"from the set definition"
msgstr ""
-#. type: SS
-#: original/man8/iptables.8:1836
+#. type: TP
+#: original/man8/iptables-extensions.8:2421
#, no-wrap
-msgid "unclean"
+msgid "B<--exist>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:1839
+#: original/man8/iptables-extensions.8:2425
msgid ""
-"This module takes no options, but attempts to match packets which seem "
-"malformed or unusual. This is regarded as experimental."
+"when adding an entry if it already exists, reset the timeout value to the "
+"specified one or to the default from the set definition"
msgstr ""
-#. @TARGET@
#. type: Plain text
-#: original/man8/iptables.8:1843
+#: original/man8/iptables-extensions.8:2428
msgid ""
-"iptables can use extended target modules: the following are included in the "
-"standard distribution."
+"Use of -j SET requires that ipset kernel support is provided, which, for "
+"standard kernels, is the case since Linux 2.6.39."
msgstr ""
#. type: SS
-#: original/man8/iptables.8:1873
+#: original/man8/iptables-extensions.8:2428
#, no-wrap
-msgid "CLUSTERIP"
+msgid "SNAT (IPv4-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:1878
+#: original/man8/iptables-extensions.8:2437
msgid ""
-"This module allows you to configure a simple cluster of nodes that share a "
-"certain IP and MAC address without an explicit load balancer in front of "
-"them. Connections are statically distributed between the nodes in this "
-"cluster."
+"This target is only valid in the B<nat> table, in the B<POSTROUTING> chain. "
+"It specifies that the source address of the packet should be modified (and "
+"all future packets in this connection will also be mangled), and rules "
+"should cease being examined. It takes one type of option:"
msgstr ""
#. type: TP
-#: original/man8/iptables.8:1878
+#: original/man8/iptables-extensions.8:2437
#, no-wrap
-msgid "B<--new>"
+msgid "B<--to-source> [I<ipaddr>[B<->I<ipaddr>]][B<:>I<port>[B<->I<port>]]"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:1882
+#: original/man8/iptables-extensions.8:2449
msgid ""
-"Create a new ClusterIP. You always have to set this on the first rule for a "
-"given ClusterIP."
+"which can specify a single new source IP address, an inclusive range of IP "
+"addresses, and optionally, a port range (which is only valid if the rule "
+"also specifies B<-p tcp> or B<-p udp>). If no port range is specified, then "
+"source ports below 512 will be mapped to other ports below 512: those "
+"between 512 and 1023 inclusive will be mapped to ports below 1024, and other "
+"ports will be mapped to 1024 or above. Where possible, no port alteration "
+"will occur."
msgstr ""
-#. type: TP
-#: original/man8/iptables.8:1882
-#, no-wrap
-msgid "B<--hashmode> I<mode>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2456
+msgid ""
+"In Kernels up to 2.6.10, you can add several --to-source options. For those "
+"kernels, if you specify more than one source address, either via an address "
+"range or multiple --to-source options, a simple round-robin (one after "
+"another in cycle) takes place between these addresses. Later Kernels "
+"(E<gt>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges "
+"anymore."
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:1886
+#: original/man8/iptables-extensions.8:2461
msgid ""
-"Specify the hashing mode. Has to be one of B<sourceip>, "
-"B<sourceip-sourceport>, B<sourceip-sourceport-destport>."
+"If option B<--random> is used then port mapping will be randomized (kernel "
+"E<gt>= 2.6.21)."
msgstr ""
-#. type: TP
-#: original/man8/iptables.8:1886
+#. type: SS
+#: original/man8/iptables-extensions.8:2466
#, no-wrap
-msgid "B<--clustermac> I<mac>"
+msgid "TCPMSS"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:1889
-msgid "Specify the ClusterIP MAC address. Has to be a link-layer multicast address"
-msgstr ""
-
-#. type: TP
-#: original/man8/iptables.8:1889
-#, no-wrap
-msgid "B<--total-nodes> I<num>"
+#: original/man8/iptables-extensions.8:2473
+msgid ""
+"This target allows to alter the MSS value of TCP SYN packets, to control the "
+"maximum size for that connection (usually limiting it to your outgoing "
+"interface's MTU minus 40 for IPv4 or 60 for IPv6, respectively). Of course, "
+"it can only be used in conjunction with B<-p tcp>."
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:1892
-msgid "Number of total nodes within this cluster."
+#: original/man8/iptables-extensions.8:2480
+msgid ""
+"This target is used to overcome criminally braindead ISPs or servers which "
+"block \"ICMP Fragmentation Needed\" or \"ICMPv6 Packet Too Big\" packets. "
+"The symptoms of this problem are that everything works fine from your Linux "
+"firewall/router, but machines behind it can never exchange large packets:"
msgstr ""
-#. type: TP
-#: original/man8/iptables.8:1892
+#. type: IP
+#: original/man8/iptables-extensions.8:2480
#, no-wrap
-msgid "B<--local-node> I<num>"
+msgid "1."
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:1895
-msgid "Local node number within this cluster."
+#: original/man8/iptables-extensions.8:2482
+msgid "Web browsers connect, then hang with no data received."
msgstr ""
-#. type: TP
-#: original/man8/iptables.8:1895
+#. type: IP
+#: original/man8/iptables-extensions.8:2482
#, no-wrap
-msgid "B<--hash-init> I<rnd>"
+msgid "2."
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:1898
-msgid "Specify the random seed used for hash initialization."
+#: original/man8/iptables-extensions.8:2484
+msgid "Small mail works fine, but large emails hang."
msgstr ""
-#. type: SS
-#: original/man8/iptables.8:1997
+#. type: IP
+#: original/man8/iptables-extensions.8:2484
#, no-wrap
-msgid "DNAT"
+msgid "3."
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2009
-msgid ""
-"This target is only valid in the B<nat> table, in the B<PREROUTING> and "
-"B<OUTPUT> chains, and user-defined chains which are only called from those "
-"chains. It specifies that the destination address of the packet should be "
-"modified (and all future packets in this connection will also be mangled), "
-"and rules should cease being examined. It takes one type of option:"
-msgstr ""
-
-#. type: TP
-#: original/man8/iptables.8:2009
-#, no-wrap
-msgid "B<--to-destination> [I<ipaddr>[B<->I<ipaddr>]][B<:>I<port>[B<->I<port>]]"
+#: original/man8/iptables-extensions.8:2486
+msgid "ssh works fine, but scp hangs after initial handshaking."
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2020
+#: original/man8/iptables-extensions.8:2489
msgid ""
-"which can specify a single new destination IP address, an inclusive range of "
-"IP addresses, and optionally, a port range (which is only valid if the rule "
-"also specifies B<-p tcp> or B<-p udp>). If no port range is specified, then "
-"the destination port will never be modified. If no IP address is specified "
-"then only the destination port will be modified."
+"Workaround: activate this option and add a rule to your firewall "
+"configuration like:"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2027
+#: original/man8/iptables-extensions.8:2492
+#, no-wrap
msgid ""
-"In Kernels up to 2.6.10 you can add several --to-destination options. For "
-"those kernels, if you specify more than one destination address, either via "
-"an address range or multiple --to-destination options, a simple round-robin "
-"(one after another in cycle) load balancing takes place between these "
-"addresses. Later Kernels (E<gt>= 2.6.11-rc1) don't have the ability to NAT "
-"to multiple ranges anymore."
+" iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN\n"
+" -j TCPMSS --clamp-mss-to-pmtu\n"
msgstr ""
#. type: TP
-#: original/man8/iptables.8:2027 original/man8/iptables.8:2159 original/man8/iptables.8:2284 original/man8/iptables.8:2338 original/man8/iptables.8:2407
+#: original/man8/iptables-extensions.8:2492
#, no-wrap
-msgid "B<--random>"
+msgid "B<--set-mss> I<value>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2032 original/man8/iptables.8:2289
+#: original/man8/iptables-extensions.8:2497
msgid ""
-"If option B<--random> is used then port mapping will be randomized (kernel "
-"E<gt>= 2.6.22)."
+"Explicitly sets MSS option to specified value. If the MSS of the packet is "
+"already lower than I<value>, it will B<not> be increased (from Linux 2.6.25 "
+"onwards) to avoid more problems with hosts relying on a proper MSS."
msgstr ""
#. type: TP
-#: original/man8/iptables.8:2032 original/man8/iptables.8:2412
+#: original/man8/iptables-extensions.8:2497
#, no-wrap
-msgid "B<--persistent>"
+msgid "B<--clamp-mss-to-pmtu>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2037 original/man8/iptables.8:2417
+#: original/man8/iptables-extensions.8:2506
msgid ""
-"Gives a client the same source-/destination-address for each connection. "
-"This supersedes the SAME target. Support for persistent mappings is "
-"available from 2.6.29-rc2."
-msgstr ""
-
-#. type: SS
-#: original/man8/iptables.8:2047
-#, no-wrap
-msgid "ECN"
+"Automatically clamp MSS value to (path_MTU - 40 for IPv4; -60 for IPv6). "
+"This may not function as desired where asymmetric routes with differing path "
+"MTU exist \\(em the kernel uses the path MTU which it would use to send "
+"packets from itself to the source and destination IP addresses. Prior to "
+"Linux 2.6.25, only the path MTU to the destination IP address was considered "
+"by this option; subsequent kernels also consider the path MTU to the source "
+"IP address."
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2050
-msgid ""
-"This target allows to selectively work around known ECN blackholes. It can "
-"only be used in the mangle table."
+#: original/man8/iptables-extensions.8:2508
+msgid "These options are mutually exclusive."
msgstr ""
-#. type: TP
-#: original/man8/iptables.8:2050
+#. type: SS
+#: original/man8/iptables-extensions.8:2508
#, no-wrap
-msgid "B<--ecn-tcp-remove>"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/iptables.8:2055
-msgid ""
-"Remove all ECN bits from the TCP header. Of course, it can only be used in "
-"conjunction with B<-p tcp>."
+msgid "TCPOPTSTRIP"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2088
+#: original/man8/iptables-extensions.8:2511
msgid ""
-"Turn on kernel logging of matching packets. When this option is set for a "
-"rule, the Linux kernel will print some information on all matching packets "
-"(like most IP header fields) via the kernel log (where it can be read with "
-"I<dmesg> or I<syslogd>(8)). This is a \"non-terminating target\", i.e. rule "
-"traversal continues at the next rule. So if you want to LOG the packets you "
-"refuse, use two separate rules with the same matching criteria, first using "
-"target LOG then DROP (or REJECT)."
-msgstr ""
-
-#. type: Plain text
-#: original/man8/iptables.8:2105
-msgid "Log options from the IP packet header."
+"This target will strip TCP options off a TCP packet. (It will actually "
+"replace them by NO-OPs.) As such, you will need to add the B<-p tcp> "
+"parameters."
msgstr ""
-#. type: SS
-#: original/man8/iptables.8:2136
+#. type: TP
+#: original/man8/iptables-extensions.8:2511
#, no-wrap
-msgid "MASQUERADE"
+msgid "B<--strip-options> I<option>[B<,>I<option>...]"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2150
+#: original/man8/iptables-extensions.8:2516
msgid ""
-"This target is only valid in the B<nat> table, in the B<POSTROUTING> chain. "
-"It should only be used with dynamically assigned IP (dialup) connections: "
-"if you have a static IP address, you should use the SNAT target. "
-"Masquerading is equivalent to specifying a mapping to the IP address of the "
-"interface the packet is going out, but also has the effect that connections "
-"are I<forgotten> when the interface goes down. This is the correct behavior "
-"when the next dialup is unlikely to have the same interface address (and "
-"hence any established connections are lost anyway)."
+"Strip the given option(s). The options may be specified by TCP option number "
+"or by symbolic name. The list of recognized options can be obtained by "
+"calling iptables with B<-j TCPOPTSTRIP -h>."
msgstr ""
-#. type: TP
-#: original/man8/iptables.8:2150 original/man8/iptables.8:2276
+#. type: SS
+#: original/man8/iptables-extensions.8:2516
#, no-wrap
-msgid "B<--to-ports> I<port>[B<->I<port>]"
+msgid "TEE"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2159
+#: original/man8/iptables-extensions.8:2521
msgid ""
-"This specifies a range of source ports to use, overriding the default "
-"B<SNAT> source port-selection heuristics (see above). This is only valid if "
-"the rule also specifies B<-p tcp> or B<-p udp>."
+"The B<TEE> target will clone a packet and redirect this clone to another "
+"machine on the B<local> network segment. In other words, the nexthop must be "
+"the target, or you will have to configure the nexthop to forward it further "
+"if so desired."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2521
+#, no-wrap
+msgid "B<--gateway> I<ipaddr>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2165
+#: original/man8/iptables-extensions.8:2525
msgid ""
-"Randomize source port mapping If option B<--random> is used then port "
-"mapping will be randomized (kernel E<gt>= 2.6.21)."
+"Send the cloned packet to the host reachable at the given IP address. Use "
+"of 0.0.0.0 (for IPv4 packets) or :: (IPv6) is invalid."
msgstr ""
-#. type: SS
-#: original/man8/iptables.8:2167
-#, no-wrap
-msgid "MIRROR"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2527
+msgid "To forward all incoming traffic on eth0 to an Network Layer logging box:"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2180
-msgid ""
-"This is an experimental demonstration target which inverts the source and "
-"destination fields in the IP header and retransmits the packet. It is only "
-"valid in the B<INPUT>, B<FORWARD> and B<PREROUTING> chains, and user-defined "
-"chains which are only called from those chains. Note that the outgoing "
-"packets are B<NOT> seen by any packet filtering chains, connection tracking "
-"or NAT, to avoid loops and other problems."
+#: original/man8/iptables-extensions.8:2529
+msgid "-t mangle -A PREROUTING -i eth0 -j TEE --gateway 2001:db8::1"
msgstr ""
#. type: SS
-#: original/man8/iptables.8:2180
+#: original/man8/iptables-extensions.8:2529
#, no-wrap
-msgid "NETMAP"
+msgid "TOS"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2185
+#: original/man8/iptables-extensions.8:2534
msgid ""
-"This target allows you to statically map a whole network of addresses onto "
-"another network of addresses. It can only be used from rules in the B<nat> "
-"table."
+"This module sets the Type of Service field in the IPv4 header (including the "
+"\"precedence\" bits) or the Priority field in the IPv6 header. Note that TOS "
+"shares the same bits as DSCP and ECN. The TOS target is only valid in the "
+"B<mangle> table."
msgstr ""
#. type: TP
-#: original/man8/iptables.8:2185
+#: original/man8/iptables-extensions.8:2534
#, no-wrap
-msgid "B<--to> I<address>[B</>I<mask>]"
+msgid "B<--set-tos> I<value>[B</>I<mask>]"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2190
+#: original/man8/iptables-extensions.8:2538
msgid ""
-"Network address to map to. The resulting address will be constructed in the "
-"following way: All 'one' bits in the mask are filled in from the new "
-"`address'. All bits that are zero in the mask are filled in from the "
-"original address."
+"Zeroes out the bits given by I<mask> (see NOTE below) and XORs I<value> into "
+"the TOS/Priority field. If I<mask> is omitted, 0xFF is assumed."
msgstr ""
-#. type: SS
-#: original/man8/iptables.8:2265
+#. type: TP
+#: original/man8/iptables-extensions.8:2538
#, no-wrap
-msgid "REDIRECT"
+msgid "B<--set-tos> I<symbol>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2276
+#: original/man8/iptables-extensions.8:2543
msgid ""
-"This target is only valid in the B<nat> table, in the B<PREROUTING> and "
-"B<OUTPUT> chains, and user-defined chains which are only called from those "
-"chains. It redirects the packet to the machine itself by changing the "
-"destination IP to the primary address of the incoming interface "
-"(locally-generated packets are mapped to the 127.0.0.1 address)."
+"You can specify a symbolic name when using the TOS target for IPv4. It "
+"implies a mask of 0xFF (see NOTE below). The list of recognized TOS names "
+"can be obtained by calling iptables with B<-j TOS -h>."
msgstr ""
-#. type: Plain text
-#: original/man8/iptables.8:2284
-msgid ""
-"This specifies a destination port or range of ports to use: without this, "
-"the destination port is never altered. This is only valid if the rule also "
-"specifies B<-p tcp> or B<-p udp>."
+#. type: TP
+#: original/man8/iptables-extensions.8:2545
+#, no-wrap
+msgid "B<--and-tos> I<bits>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2322
+#: original/man8/iptables-extensions.8:2550
msgid ""
-"The type given can be B<icmp-net-unreachable>, B<icmp-host-unreachable>, "
-"B<icmp-port-unreachable>, B<icmp-proto-unreachable>, B<icmp-net-prohibited>, "
-"B<icmp-host-prohibited> or B<icmp-admin-prohibited> (*) which return the "
-"appropriate ICMP error message (B<port-unreachable> is the default). The "
-"option B<tcp-reset> can be used on rules which only match the TCP protocol: "
-"this causes a TCP RST packet to be sent back. This is mainly useful for "
-"blocking I<ident> (113/tcp) probes which frequently occur when sending mail "
-"to broken mail hosts (which won't accept your mail otherwise)."
+"Binary AND the TOS value with I<bits>. (Mnemonic for B<--set-tos "
+"0/>I<invbits>, where I<invbits> is the binary negation of I<bits>. See NOTE "
+"below.)"
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2550
+#, no-wrap
+msgid "B<--or-tos> I<bits>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2324
+#: original/man8/iptables-extensions.8:2554
msgid ""
-"(*) Using icmp-admin-prohibited with kernels that do not support it will "
-"result in a plain DROP instead of REJECT"
+"Binary OR the TOS value with I<bits>. (Mnemonic for B<--set-tos> "
+"I<bits>B</>I<bits>. See NOTE below.)"
msgstr ""
-#. type: SS
-#: original/man8/iptables.8:2324
+#. type: TP
+#: original/man8/iptables-extensions.8:2554
#, no-wrap
-msgid "SAME"
+msgid "B<--xor-tos> I<bits>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2328
+#: original/man8/iptables-extensions.8:2558
msgid ""
-"Similar to SNAT/DNAT depending on chain: it takes a range of addresses "
-"(`--to 1.2.3.4-1.2.3.7') and gives a client the same "
-"source-/destination-address for each connection."
+"Binary XOR the TOS value with I<bits>. (Mnemonic for B<--set-tos> "
+"I<bits>B</0>. See NOTE below.)"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2330
-msgid "N.B.: The DNAT target's B<--persistent> option replaced the SAME target."
+#: original/man8/iptables-extensions.8:2566
+msgid ""
+"NOTE: In Linux kernels up to and including 2.6.38, with the exception of "
+"longterm releases 2.6.32 (E<gt>=.42), 2.6.33 (E<gt>=.15), and 2.6.35 "
+"(E<gt>=.14), there is a bug whereby IPv6 TOS mangling does not behave as "
+"documented and differs from the IPv4 version. The TOS mask indicates the "
+"bits one wants to zero out, so it needs to be inverted before applying it to "
+"the original TOS field. However, the aformentioned kernels forgo the "
+"inversion which breaks --set-tos and its mnemonics."
msgstr ""
-#. type: TP
-#: original/man8/iptables.8:2330
+#. type: SS
+#: original/man8/iptables-extensions.8:2566
#, no-wrap
-msgid "B<--to> I<ipaddr>[B<->I<ipaddr>]"
+msgid "TPROXY"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2334
+#: original/man8/iptables-extensions.8:2573
msgid ""
-"Addresses to map source to. May be specified more than once for multiple "
-"ranges."
+"This target is only valid in the B<mangle> table, in the B<PREROUTING> chain "
+"and user-defined chains which are only called from this chain. It redirects "
+"the packet to a local socket without changing the packet header in any "
+"way. It can also change the mark value which can then be used in advanced "
+"routing rules. It takes three options:"
msgstr ""
#. type: TP
-#: original/man8/iptables.8:2334
+#: original/man8/iptables-extensions.8:2573
#, no-wrap
-msgid "B<--nodst>"
+msgid "B<--on-port> I<port>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2338
+#: original/man8/iptables-extensions.8:2578
msgid ""
-"Don't use the destination-ip in the calculations when selecting the new "
-"source-ip"
+"This specifies a destination port to use. It is a required option, 0 means "
+"the new destination port is the same as the original. This is only valid if "
+"the rule also specifies B<-p tcp> or B<-p udp>."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2578
+#, no-wrap
+msgid "B<--on-ip> I<address>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2342
+#: original/man8/iptables-extensions.8:2583
msgid ""
-"Port mapping will be forcibly randomized to avoid attacks based on port "
-"prediction (kernel E<gt>= 2.6.21)."
+"This specifies a destination address to use. By default the address is the "
+"IP address of the incoming interface. This is only valid if the rule also "
+"specifies B<-p tcp> or B<-p udp>."
msgstr ""
-#. type: SS
-#: original/man8/iptables.8:2379
+#. type: TP
+#: original/man8/iptables-extensions.8:2583
#, no-wrap
-msgid "SNAT"
+msgid "B<--tproxy-mark> I<value>[B</>I<mask>]"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2388
+#: original/man8/iptables-extensions.8:2588
msgid ""
-"This target is only valid in the B<nat> table, in the B<POSTROUTING> chain. "
-"It specifies that the source address of the packet should be modified (and "
-"all future packets in this connection will also be mangled), and rules "
-"should cease being examined. It takes one type of option:"
+"Marks packets with the given value/mask. The fwmark value set here can be "
+"used by advanced routing. (Required for transparent proxying to work: "
+"otherwise these packets will get forwarded, which is probably not what you "
+"want.)"
msgstr ""
-#. type: TP
-#: original/man8/iptables.8:2388
+#. type: SS
+#: original/man8/iptables-extensions.8:2588
#, no-wrap
-msgid "B<--to-source> [I<ipaddr>[B<->I<ipaddr>]][B<:>I<port>[B<->I<port>]]"
+msgid "TRACE"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2400
+#: original/man8/iptables-extensions.8:2591
msgid ""
-"which can specify a single new source IP address, an inclusive range of IP "
-"addresses, and optionally, a port range (which is only valid if the rule "
-"also specifies B<-p tcp> or B<-p udp>). If no port range is specified, then "
-"source ports below 512 will be mapped to other ports below 512: those "
-"between 512 and 1023 inclusive will be mapped to ports below 1024, and other "
-"ports will be mapped to 1024 or above. Where possible, no port alteration "
-"will occur."
+"This target marks packets so that the kernel will log every rule which match "
+"the packets as those traverse the tables, chains, rules."
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2407
+#: original/man8/iptables-extensions.8:2598
msgid ""
-"In Kernels up to 2.6.10, you can add several --to-source options. For those "
-"kernels, if you specify more than one source address, either via an address "
-"range or multiple --to-source options, a simple round-robin (one after "
-"another in cycle) takes place between these addresses. Later Kernels "
-"(E<gt>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges "
-"anymore."
+"A logging backend, such as ip(6)t_LOG or nfnetlink_log, must be loaded for "
+"this to be visible. The packets are logged with the string prefix: \"TRACE: "
+"tablename:chainname:type:rulenum \" where type can be \"rule\" for plain "
+"rule, \"return\" for implicit rule at the end of a user defined chain and "
+"\"policy\" for the policy of the built in chains."
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2412
-msgid ""
-"If option B<--random> is used then port mapping will be randomized (kernel "
-"E<gt>= 2.6.21)."
+#: original/man8/iptables-extensions.8:2602
+msgid "It can only be used in the B<raw> table."
msgstr ""
#. type: SS
-#: original/man8/iptables.8:2553
+#: original/man8/iptables-extensions.8:2602
#, no-wrap
-msgid "TTL"
+msgid "TTL (IPv4-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2557
+#: original/man8/iptables-extensions.8:2606
msgid ""
"This is used to modify the IPv4 TTL header field. The TTL field determines "
"how many hops (routers) a packet can traverse until it's time to live is "
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2562
+#: original/man8/iptables-extensions.8:2611
msgid ""
"Setting or incrementing the TTL field can potentially be very dangerous, so "
"it should be avoided at any cost. This target is only valid in B<mangle> "
msgstr ""
#. type: TP
-#: original/man8/iptables.8:2564
+#: original/man8/iptables-extensions.8:2613
#, no-wrap
msgid "B<--ttl-set> I<value>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2567
+#: original/man8/iptables-extensions.8:2616
msgid "Set the TTL value to `value'."
msgstr ""
#. type: TP
-#: original/man8/iptables.8:2567
+#: original/man8/iptables-extensions.8:2616
#, no-wrap
msgid "B<--ttl-dec> I<value>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2570
+#: original/man8/iptables-extensions.8:2619
msgid "Decrement the TTL value `value' times."
msgstr ""
#. type: TP
-#: original/man8/iptables.8:2570
+#: original/man8/iptables-extensions.8:2619
#, no-wrap
msgid "B<--ttl-inc> I<value>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2573
+#: original/man8/iptables-extensions.8:2622
msgid "Increment the TTL value `value' times."
msgstr ""
#. type: SS
-#: original/man8/iptables.8:2573
+#: original/man8/iptables-extensions.8:2622
#, no-wrap
-msgid "ULOG"
+msgid "ULOG (IPv4-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2582
+#: original/man8/iptables-extensions.8:2631
msgid ""
"This target provides userspace logging of matching packets. When this "
"target is set for a rule, the Linux kernel will multicast this packet "
msgstr ""
#. type: TP
-#: original/man8/iptables.8:2582
+#: original/man8/iptables-extensions.8:2631
#, no-wrap
msgid "B<--ulog-nlgroup> I<nlgroup>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2586
+#: original/man8/iptables-extensions.8:2635
msgid ""
"This specifies the netlink group (1-32) to which the packet is sent. "
"Default value is 1."
msgstr ""
#. type: TP
-#: original/man8/iptables.8:2586
+#: original/man8/iptables-extensions.8:2635
#, no-wrap
msgid "B<--ulog-prefix> I<prefix>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2590
+#: original/man8/iptables-extensions.8:2639
msgid ""
"Prefix log messages with the specified prefix; up to 32 characters long, and "
"useful for distinguishing messages in the logs."
msgstr ""
#. type: TP
-#: original/man8/iptables.8:2590
+#: original/man8/iptables-extensions.8:2639
#, no-wrap
msgid "B<--ulog-cprange> I<size>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2594
+#: original/man8/iptables-extensions.8:2643
msgid ""
"Number of bytes to be copied to userspace. A value of 0 always copies the "
"entire packet, regardless of its size. Default is 0."
msgstr ""
#. type: TP
-#: original/man8/iptables.8:2594
+#: original/man8/iptables-extensions.8:2643
#, no-wrap
msgid "B<--ulog-qthreshold> I<size>"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2600
+#: original/man8/iptables-extensions.8:2649
msgid ""
"Number of packet to queue inside kernel. Setting this value to, e.g. 10 "
"accumulates ten packets inside the kernel and transmits them as one netlink "
"multipart message to userspace. Default is 1 (for backwards compatibility)."
msgstr ""
-#. type: Plain text
-#: original/man8/iptables.8:2609
-msgid ""
-"Bugs? What's this? ;-) Well, you might want to have a look at "
-"http://bugzilla.netfilter.org/"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/iptables.8:2618
-msgid ""
-"This B<iptables> is very similar to ipchains by Rusty Russell. The main "
-"difference is that the chains B<INPUT> and B<OUTPUT> are only traversed for "
-"packets coming into the local host and originating from the local host "
-"respectively. Hence every packet only passes through one of the three "
-"chains (except loopback traffic, which involves both INPUT and OUTPUT "
-"chains); previously a forwarded packet would pass through all three."
-msgstr ""
-
-#. type: Plain text
-#: original/man8/iptables.8:2622
-msgid ""
-"The other main difference is that B<-i> refers to the input interface; B<-o> "
-"refers to the output interface, and both are available for packets entering "
-"the B<FORWARD> chain."
-msgstr ""
-
-#. type: Plain text
-#: original/man8/iptables.8:2628
-msgid ""
-"The various forms of NAT have been separated out; B<iptables> is a pure "
-"packet filter when using the default `filter' table, with optional extension "
-"modules. This should simplify much of the previous confusion over the "
-"combination of IP masquerading and packet filtering seen previously. So the "
-"following options are handled differently:"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/iptables.8:2632
-#, no-wrap
-msgid ""
-" -j MASQ\n"
-" -M -S\n"
-" -M -L\n"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/iptables.8:2634
-msgid "There are several other changes in iptables."
-msgstr ""
-
-#. type: Plain text
-#: original/man8/iptables.8:2641
-msgid ""
-"B<iptables-save>(8), B<iptables-restore>(8), B<ip6tables>(8), "
-"B<ip6tables-save>(8), B<ip6tables-restore>(8), B<libipq>(3)."
-msgstr ""
-
-#. type: Plain text
-#: original/man8/iptables.8:2647
-msgid ""
-"The packet-filtering-HOWTO details iptables usage for packet filtering, the "
-"NAT-HOWTO details NAT, the netfilter-extensions-HOWTO details the extensions "
-"that are not in the standard distribution, and the netfilter-hacking-HOWTO "
-"details the netfilter internals."
-msgstr ""
-
-#. type: Plain text
-#: original/man8/iptables.8:2653
-msgid ""
-"Rusty Russell originally wrote iptables, in early consultation with Michael "
-"Neuling."
-msgstr ""
-
-#. type: Plain text
-#: original/man8/iptables.8:2663
-msgid ""
-"Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, as well as "
-"the TTL, DSCP, ECN matches and targets."
-msgstr ""
-
-#. .. and did I mention that we are incredibly cool people?
-#. .. sexy, too ..
-#. .. witty, charming, powerful ..
-#. .. and most of all, modest ..
-#. type: Plain text
-#: original/man8/iptables.8:2673
-msgid "Man page originally written by Herve Eychenne E<lt>rv@wallfire.orgE<gt>."
-msgstr ""
-
-#. type: Plain text
-#: original/man8/iptables.8:2675
-msgid "This manual page applies to iptables @PACKAGE_VERSION@."
-msgstr ""
-
#. type: TH
#: original/man8/iptables-apply.8:5
#, no-wrap
#. type: Plain text
#: original/man8/iptables-apply.8:23
msgid ""
-"When called as ip6tables-apply, the script will use ip6tables-save/-restore "
-"instead."
+"When called as B<ip6tables-apply>, the script will use "
+"ip6tables-save/-restore instead."
msgstr ""
#. type: TP
"ruleset."
msgstr ""
-#. type: TP
-#: original/man8/iptables-apply.8:28
-#, no-wrap
-msgid "B<-h>, B<--help>"
-msgstr ""
-
#. type: Plain text
#: original/man8/iptables-apply.8:31
msgid "Display usage information."
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2012-05-10 06:40+0900\n"
-"PO-Revision-Date: 2012-05-09 03:09+0900\n"
+"POT-Creation-Date: 2013-04-03 12:09+0900\n"
+"PO-Revision-Date: 2013-04-03 12:35+0900\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
"Language: \n"
#: original/man8/ip6tables-restore.8:21 original/man8/ip6tables-save.8:21
#: original/man8/ip6tables.8:27 original/man8/iptables-restore.8:21
#: original/man8/iptables-save.8:21 original/man8/iptables.8:25
-#: original/man8/iptables-apply.8:8 original/man1/iptables-xml.1:21
+#: original/man8/iptables-extensions.8:2 original/man8/iptables-apply.8:8
+#: original/man1/iptables-xml.1:21
#, no-wrap
msgid "NAME"
msgstr "名前"
#: original/man8/ip6tables-restore.8:23 original/man8/ip6tables-save.8:23
#: original/man8/ip6tables.8:29 original/man8/iptables-restore.8:23
#: original/man8/iptables-save.8:23 original/man8/iptables.8:27
-#: original/man8/iptables-apply.8:10 original/man1/iptables-xml.1:23
+#: original/man8/iptables-extensions.8:4 original/man8/iptables-apply.8:10
+#: original/man1/iptables-xml.1:23
#, no-wrap
msgid "SYNOPSIS"
msgstr "書式"
#. type: Plain text
-#: original/man8/ip6tables-restore.8:25
+#: original/man8/ip6tables-restore.8:26
#, fuzzy
-#| msgid "B<ip6tables-restore >[-c] [-n]"
-msgid "B<ip6tables-restore> [B<-c>] [B<-n>]"
-msgstr "B<ip6tables-restore >[-c] [-n]"
+#| msgid "B<iptables-restore >[-c] [-n]"
+msgid "B<ip6tables-restore> [B<-chntv>] [B<-M> I<modprobe>] [B<-T> I<name>]"
+msgstr "B<iptables-restore >[-c] [-n]"
#. type: SH
-#: original/man8/ip6tables-restore.8:25 original/man8/ip6tables-save.8:26
-#: original/man8/ip6tables.8:55 original/man8/iptables-restore.8:25
+#: original/man8/ip6tables-restore.8:26 original/man8/ip6tables-save.8:26
+#: original/man8/ip6tables.8:55 original/man8/iptables-restore.8:26
#: original/man8/iptables-save.8:26 original/man8/iptables.8:54
#: original/man8/iptables-apply.8:12 original/man1/iptables-xml.1:25
#, no-wrap
msgstr "説明"
#. type: Plain text
-#: original/man8/ip6tables-restore.8:30
+#: original/man8/ip6tables-restore.8:31
msgid ""
"B<ip6tables-restore> is used to restore IPv6 Tables from data specified on "
"STDIN. Use I/O redirection provided by your shell to read from a file"
"ダイレクションを使うこと。"
#. type: TP
-#: original/man8/ip6tables-restore.8:30 original/man8/ip6tables-save.8:35
-#: original/man8/iptables-restore.8:30 original/man8/iptables-save.8:35
+#: original/man8/ip6tables-restore.8:31 original/man8/ip6tables-save.8:35
+#: original/man8/iptables-restore.8:31 original/man8/iptables-save.8:35
#, no-wrap
msgid "B<-c>, B<--counters>"
msgstr "B<-c>, B<--counters>"
#. type: Plain text
-#: original/man8/ip6tables-restore.8:33 original/man8/iptables-restore.8:33
+#: original/man8/ip6tables-restore.8:34 original/man8/iptables-restore.8:34
msgid "restore the values of all packet and byte counters"
msgstr "全てのパケットカウンタとバイトカウンタの値を復元する。"
#. type: TP
-#: original/man8/ip6tables-restore.8:33 original/man8/iptables-restore.8:33
+#: original/man8/ip6tables-restore.8:34 original/man8/iptables-restore.8:34
+#: original/man8/iptables-apply.8:28
+#, no-wrap
+msgid "B<-h>, B<--help>"
+msgstr "B<-h>, B<--help>"
+
+#. type: Plain text
+#: original/man8/ip6tables-restore.8:37 original/man8/iptables-restore.8:37
+msgid "Print a short option summary."
+msgstr ""
+
+#. type: TP
+#: original/man8/ip6tables-restore.8:37 original/man8/iptables-restore.8:37
#, no-wrap
msgid "B<-n>, B<--noflush> "
msgstr "B<-n>, B<--noflush> "
#. type: Plain text
-#: original/man8/ip6tables-restore.8:36
-msgid "don't flush the previous contents of the table. If not specified,"
+#: original/man8/ip6tables-restore.8:42
+msgid ""
+"don't flush the previous contents of the table. If not specified, "
+"B<ip6tables-restore> flushes (deletes) all previous contents of the "
+"respective table."
+msgstr "これまでのテーブルの内容をフラッシュしない。 指定されない場合、 B<ip6tables-restore> は、これまでの各テーブルの内容を全てフラッシュ (削除) する。"
+
+#. type: TP
+#: original/man8/ip6tables-restore.8:42 original/man8/iptables-restore.8:42
+#, no-wrap
+msgid "B<-t>, B<--test>"
+msgstr "B<-t>, B<--test>"
+
+#. type: Plain text
+#: original/man8/ip6tables-restore.8:45 original/man8/iptables-restore.8:45
+msgid "Only parse and construct the ruleset, but do not commit it."
msgstr ""
#. type: TP
-#: original/man8/ip6tables-restore.8:36 original/man8/iptables-restore.8:38
-#, fuzzy, no-wrap
-#| msgid "B<-t>, B<--table> B<tablename>"
+#: original/man8/ip6tables-restore.8:45 original/man8/ip6tables.8:355
+#: original/man8/iptables-restore.8:45 original/man8/iptables.8:343
+#: original/man1/iptables-xml.1:38
+#, no-wrap
+msgid "B<-v>, B<--verbose>"
+msgstr "B<-v>, B<--verbose>"
+
+#. type: Plain text
+#: original/man8/ip6tables-restore.8:48 original/man8/iptables-restore.8:48
+msgid "Print additional debug info during ruleset processing."
+msgstr ""
+
+#. type: TP
+#: original/man8/ip6tables-restore.8:48 original/man8/iptables-restore.8:48
+#, no-wrap
+msgid "B<-M>, B<--modprobe> I<modprobe_program>"
+msgstr "B<-M>, B<--modprobe> I<modprobe_program>"
+
+#. type: Plain text
+#: original/man8/ip6tables-restore.8:52
+msgid ""
+"Specify the path to the modprobe program. By default, ip6tables-restore will "
+"inspect /proc/sys/kernel/modprobe to determine the executable's path."
+msgstr ""
+
+#. type: TP
+#: original/man8/ip6tables-restore.8:52 original/man8/iptables-restore.8:52
+#, no-wrap
msgid "B<-T>, B<--table> I<name>"
-msgstr "B<-t>, B<--table> B<tablename>"
+msgstr "B<-T>, B<--table> I<name>"
#. type: Plain text
-#: original/man8/ip6tables-restore.8:41
+#: original/man8/ip6tables-restore.8:57
#, fuzzy
#| msgid ""
#| "don't flush the previous contents of the table. If not specified, "
"restore> は、これまでの各 IPv6 テーブルの内容を全てフラッシュ (削除) する。"
#. type: SH
-#: original/man8/ip6tables-restore.8:41 original/man8/ip6tables-save.8:42
-#: original/man8/ip6tables.8:2447 original/man8/iptables-restore.8:41
-#: original/man8/iptables-save.8:42 original/man8/iptables.8:2606
+#: original/man8/ip6tables-restore.8:57 original/man8/ip6tables-save.8:42
+#: original/man8/ip6tables.8:395 original/man8/iptables-restore.8:55
+#: original/man8/iptables-save.8:42 original/man8/iptables.8:383
#: original/man1/iptables-xml.1:82
#, no-wrap
msgid "BUGS"
msgstr "バグ"
#. type: Plain text
-#: original/man8/ip6tables-restore.8:43 original/man8/ip6tables-save.8:44
-#: original/man8/iptables-restore.8:43 original/man8/iptables-save.8:44
+#: original/man8/ip6tables-restore.8:59 original/man8/ip6tables-save.8:44
+#: original/man8/iptables-restore.8:57 original/man8/iptables-save.8:44
msgid "None known as of iptables-1.2.1 release"
msgstr "iptables-1.2.1 リリースでは知られていない。"
#. type: SH
-#: original/man8/ip6tables-restore.8:43 original/man8/ip6tables-save.8:44
-#: original/man8/ip6tables.8:2480 original/man8/iptables.8:2650
+#: original/man8/ip6tables-restore.8:59 original/man8/ip6tables-save.8:44
+#: original/man8/ip6tables.8:430 original/man8/iptables.8:429
#, no-wrap
msgid "AUTHORS"
msgstr "作者"
#. type: Plain text
-#: original/man8/ip6tables-restore.8:45 original/man8/ip6tables-save.8:46
-#: original/man8/iptables-restore.8:45 original/man8/iptables-save.8:46
+#: original/man8/ip6tables-restore.8:61 original/man8/ip6tables-save.8:46
+#: original/man8/iptables-restore.8:59 original/man8/iptables-save.8:46
msgid "Harald Welte E<lt>laforge@gnumonks.orgE<gt>"
msgstr "Harald Welte E<lt>laforge@gnumonks.orgE<gt>"
#. type: Plain text
-#: original/man8/ip6tables-restore.8:47 original/man8/ip6tables-save.8:48
+#: original/man8/ip6tables-restore.8:63 original/man8/ip6tables-save.8:48
msgid "Andras Kis-Szabo E<lt>kisza@sch.bme.huE<gt>"
msgstr "Andras Kis-Szabo E<lt>kisza@sch.bme.huE<gt>"
#. type: SH
-#: original/man8/ip6tables-restore.8:47 original/man8/ip6tables-save.8:48
-#: original/man8/ip6tables.8:2464 original/man8/iptables-restore.8:45
-#: original/man8/iptables-save.8:46 original/man8/iptables.8:2634
+#: original/man8/ip6tables-restore.8:63 original/man8/ip6tables-save.8:48
+#: original/man8/ip6tables.8:412 original/man8/iptables-restore.8:59
+#: original/man8/iptables-save.8:46 original/man8/iptables.8:411
#: original/man8/iptables-apply.8:34 original/man1/iptables-xml.1:86
#, no-wrap
msgid "SEE ALSO"
msgstr "関連項目"
#. type: Plain text
-#: original/man8/ip6tables-restore.8:49
+#: original/man8/ip6tables-restore.8:65
msgid "B<ip6tables-save>(8), B<ip6tables>(8)"
msgstr "B<ip6tables-save>(8), B<ip6tables>(8)"
#. type: Plain text
-#: original/man8/ip6tables-restore.8:52 original/man8/ip6tables-save.8:53
-#: original/man8/iptables-restore.8:50 original/man8/iptables-save.8:51
+#: original/man8/ip6tables-restore.8:68 original/man8/ip6tables-save.8:53
+#: original/man8/iptables-restore.8:64 original/man8/iptables-save.8:51
msgid ""
"The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO, which "
"details NAT, and the netfilter-hacking-HOWTO which details the internals."
#. type: Plain text
#: original/man8/ip6tables-save.8:26
-#, fuzzy
-#| msgid "B<ip6tables-save >[-c] [-t table]"
msgid "B<ip6tables-save> [B<-M> I<modprobe>] [B<-c>] [B<-t> I<table>"
-msgstr "B<ip6tables-save >[-c] [-t table]"
+msgstr "B<ip6tables-save> [B<-M> I<modprobe>] [B<-c>] [B<-t> I<table>"
#. type: Plain text
#: original/man8/ip6tables-save.8:31
#. type: TP
#: original/man8/ip6tables-save.8:31 original/man8/iptables-save.8:31
-#, fuzzy, no-wrap
-#| msgid "B<--modprobe=command>"
+#, no-wrap
msgid "B<-M> I<modprobe_program>"
-msgstr "B<--modprobe=command>"
+msgstr "B<-M> I<modprobe_program>"
#. type: Plain text
#: original/man8/ip6tables-save.8:35 original/man8/iptables-save.8:35
#. type: TP
#: original/man8/ip6tables-save.8:38 original/man8/iptables-save.8:38
-#, fuzzy, no-wrap
-#| msgid "B<-t>, B<--table> B<tablename>"
+#, no-wrap
msgid "B<-t>, B<--table> I<tablename>"
-msgstr "B<-t>, B<--table>
B<tablename>"
+msgstr "B<-t>, B<--table>
I<tablename>"
#. type: Plain text
#: original/man8/ip6tables-save.8:42 original/man8/iptables-save.8:42
#. type: TH
#: original/man8/ip6tables.8:1 original/man8/iptables.8:1
+#: original/man8/iptables-extensions.8:1
#, no-wrap
-msgid "iptables 1.4.13"
+msgid "iptables 1.4.18"
msgstr ""
#. type: Plain text
#: original/man8/ip6tables.8:29
-#, fuzzy
-#| msgid "ip6tables - IPv6 packet filter administration"
msgid "ip6tables \\(em IPv6 packet filter administration"
-msgstr "ip6tables - IPv6 パケットフィルタを管理する"
+msgstr "ip6tables \\(em IPv6 パケットフィルタを管理する"
#. type: Plain text
#: original/man8/ip6tables.8:32
-#, fuzzy
-#| msgid "B<ip6tables [-t table] -[AD] >chain rule-specification [options]"
msgid ""
"B<ip6tables> [B<-t> I<table>] {B<-A>|B<-C>|B<-D>} I<chain rule-"
"specification> [I<options...>]"
-msgstr "B<ip6tables [-t テーブル] -[AD] >チェイン ルールの詳細 [オプション]"
+msgstr "B<ip6tables> [B<-t> I<テーブル>] {B<-A>|B<-C>|B<-D>} I<チェイン ルールの詳細> [I<オプション...>]"
#. type: Plain text
#: original/man8/ip6tables.8:35
-#, fuzzy
-#| msgid ""
-#| "B<ip6tables [-t table] -I >chain [rulenum] rule-specification [options]"
msgid ""
"B<ip6tables> [B<-t> I<table>] B<-I> I<chain> [I<rulenum>] I<rule-"
"specification> [I<options...>]"
-msgstr ""
-"B<ip6tables [-t テーブル] -I >チェイン [ルール番号] ルールの詳細 [オプション]"
+msgstr "B<ip6tables> [B<-t> I<テーブル>] B<-I> I<チェイン> [I<ルール番号>] I<ルールの詳細> [I<オプション...>]"
#. type: Plain text
#: original/man8/ip6tables.8:38
-#, fuzzy
-#| msgid ""
-#| "B<ip6tables [-t table] -R >chain rulenum rule-specification [options]"
msgid ""
"B<ip6tables> [B<-t> I<table>] B<-R> I<chain rulenum rule-specification> "
"[I<options...>]"
-msgstr ""
-"B<ip6tables [-t テーブル] -R >チェイン ルール番号 ルールの詳細 [オプション]"
+msgstr "B<ip6tables> [B<-t> I<テーブル>] B<-R> I<チェイン ルール番号 ルールの詳細> [I<オプション...>]"
#. type: Plain text
#: original/man8/ip6tables.8:41
-#, fuzzy
-#| msgid "B<ip6tables [-t table] -D >chain rulenum [options]"
msgid "B<ip6tables> [B<-t> I<table>] B<-D> I<chain rulenum> [I<options...>]"
-msgstr "B<ip6tables [-t テーブル] -D >チェイン ルール番号 [オプション]"
+msgstr "B<ip6tables> [B<-t> I<テーブル>] B<-D> I<チェイン ルール番号> [I<オプション...>]"
#. type: Plain text
#: original/man8/ip6tables.8:43
-#, fuzzy
-#| msgid "B<ip6tables [-t table] -D >chain rulenum [options]"
msgid "B<ip6tables> [B<-t> I<table>] B<-S> [I<chain> [I<rulenum>]]"
-msgstr "B<ip6tables [-t テーブル] -D >チェイン ルール番号 [オプション]"
+msgstr "B<ip6tables> [B<-t> I<テーブル>] B<-S> [I<チェイン> [I<ルール番号>]]"
#. type: Plain text
#: original/man8/ip6tables.8:46
-#, fuzzy
-#| msgid "B<ip6tables [-t table] -D >chain rulenum [options]"
msgid ""
"B<ip6tables> [B<-t> I<table>] {B<-F>|B<-L>|B<-Z>} [I<chain> [I<rulenum>]] "
"[I<options...>]"
-msgstr "B<ip6tables [-t テーブル] -D >チェイン ルール番号 [オプション]"
+msgstr "B<ip6tables> [B<-t> I<テーブル>] {B<-F>|B<-L>|B<-Z>} [I<チェイン> [I<ルール番号>]] [I<オプション...>]"
#. type: Plain text
#: original/man8/ip6tables.8:48
-#, fuzzy
-#| msgid "B<ip6tables [-t table] -N >chain"
msgid "B<ip6tables> [B<-t> I<table>] B<-N> I<chain>"
-msgstr "B<ip6tables [-t テーブル] -N >チェイン"
+msgstr "B<ip6tables> [B<-t> I<テーブル>] B<-N> I<チェイン>"
#. type: Plain text
#: original/man8/ip6tables.8:50
-#, fuzzy
-#| msgid "B<ip6tables [-t table] -X >[chain]"
msgid "B<ip6tables> [B<-t> I<table>] B<-X> [I<chain>]"
-msgstr "B<ip6tables [-t テーブル] -X >[チェイン]"
+msgstr "B<ip6tables> [B<-t> I<テーブル>] B<-X> [I<チェイン>]"
#. type: Plain text
#: original/man8/ip6tables.8:53
-#, fuzzy
-#| msgid "B<ip6tables [-t table] -P >chain target [options]"
msgid "B<ip6tables> [B<-t> I<table>] B<-P> I<chain target> [I<options...>]"
-msgstr "B<ip6tables [-t テーブル] -P >チェイン ターゲット [オプション]"
+msgstr "B<ip6tables> [B<-t> I<テーブル>] B<-P> I<チェイン ターゲット> [I<オプション...>]"
#. type: Plain text
#: original/man8/ip6tables.8:55
-#, fuzzy
-#| msgid "B<ip6tables [-t table] -E >old-chain-name new-chain-name"
msgid "B<ip6tables> [B<-t> I<table>] B<-E> I<old-chain-name new-chain-name>"
-msgstr "B<ip6tables [-t テーブル] -E >旧チェイン名 新チェイン名"
+msgstr "B<ip6tables> [B<-t> I<テーブル>] B<-E> I<旧チェイン名 新チェイン名>"
#. type: Plain text
#: original/man8/ip6tables.8:61
#. type: Plain text
#: original/man8/ip6tables.8:93 original/man8/iptables.8:92
+#, fuzzy
+#| msgid ""
+#| "There are currently three independent tables (which tables are present at "
+#| "any time depends on the kernel configuration options and which modules "
+#| "are present)."
msgid ""
-"There are currently three independent tables (which tables are present at "
-"any time depends on the kernel configuration options and which modules are "
+"There are currently five independent tables (which tables are present at any "
+"time depends on the kernel configuration options and which modules are "
"present)."
msgstr ""
"現在のところ 3 つの独立なテーブルが存在する (ある時点でどのテーブルが存在する"
"組み込み済みチェインが含まれる。"
#. type: TP
-#: original/man8/ip6tables.8:108 original/man8/iptables.8:114
+#: original/man8/ip6tables.8:108 original/man8/iptables.8:107
+#, no-wrap
+msgid "B<nat>:"
+msgstr "B<nat>:"
+
+#. type: Plain text
+#: original/man8/ip6tables.8:115
+#, fuzzy
+#| msgid ""
+#| "This table is consulted when a packet that creates a new connection is "
+#| "encountered. It consists of three built-ins: B<PREROUTING> (for altering "
+#| "packets as soon as they come in), B<OUTPUT> (for altering locally-"
+#| "generated packets before routing), and B<POSTROUTING> (for altering "
+#| "packets as they are about to go out)."
+msgid ""
+"This table is consulted when a packet that creates a new connection is "
+"encountered. It consists of three built-ins: B<PREROUTING> (for altering "
+"packets as soon as they come in), B<OUTPUT> (for altering locally-generated "
+"packets before routing), and B<POSTROUTING> (for altering packets as they "
+"are about to go out). Available since kernel 3.7."
+msgstr ""
+"このテーブルは新しい接続を開くようなパケットに対して参照される。 これには "
+"B<PREROUTING> (パケットが入ってきた場合、すぐにそのパケットを変換するための"
+"チェイン)・ B<OUTPUT> (ローカルで生成されたパケットをルーティングの前に変換す"
+"るためのチェイン)・ B<POSTROUTING> (パケットが出て行くときに変換するための"
+"チェイン) という 3 つの組み込み済みチェインが含まれる。"
+
+#. type: TP
+#: original/man8/ip6tables.8:115 original/man8/iptables.8:114
#, no-wrap
msgid "B<mangle>:"
msgstr "B<mangle>:"
#. type: Plain text
-#: original/man8/ip6tables.8:118 original/man8/iptables.8:124
+#: original/man8/ip6tables.8:125 original/man8/iptables.8:124
msgid ""
"This table is used for specialized packet alteration. Until kernel 2.4.17 "
"it had two built-in chains: B<PREROUTING> (for altering incoming packets "
"ためのチェイン)・ という 3 つの組み込み済みチェインもサポートされる。"
#. type: TP
-#: original/man8/ip6tables.8:118 original/man8/iptables.8:124
+#: original/man8/ip6tables.8:125 original/man8/iptables.8:124
#, no-wrap
msgid "B<raw>:"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:126 original/man8/iptables.8:132
+#: original/man8/ip6tables.8:133 original/man8/iptables.8:132
msgid ""
"This table is used mainly for configuring exemptions from connection "
"tracking in combination with the NOTRACK target. It registers at the "
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:126 original/man8/iptables.8:132
+#: original/man8/ip6tables.8:133 original/man8/iptables.8:132
#, no-wrap
msgid "B<security>:"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:137 original/man8/iptables.8:143
+#: original/man8/ip6tables.8:144 original/man8/iptables.8:143
msgid ""
"This table is used for Mandatory Access Control (MAC) networking rules, such "
"as those enabled by the B<SECMARK> and B<CONNSECMARK> targets. Mandatory "
msgstr ""
#. type: SH
-#: original/man8/ip6tables.8:138 original/man8/iptables.8:144
+#: original/man8/ip6tables.8:145 original/man8/iptables.8:144
#: original/man8/iptables-apply.8:23
#, no-wrap
msgid "OPTIONS"
msgstr "オプション"
#. type: Plain text
-#: original/man8/ip6tables.8:141
+#: original/man8/ip6tables.8:148
msgid ""
"The options that are recognized by B<ip6tables> can be divided into several "
"different groups."
msgstr "B<ip6tables> で使えるオプションは、いくつかのグループに分けられる。"
#. type: SS
-#: original/man8/ip6tables.8:141 original/man8/iptables.8:147
+#: original/man8/ip6tables.8:148 original/man8/iptables.8:147
#, no-wrap
msgid "COMMANDS"
msgstr "コマンド"
#. type: Plain text
-#: original/man8/ip6tables.8:147
+#: original/man8/ip6tables.8:154
msgid ""
"These options specify the specific action to perform. Only one of them can "
"be specified on the command line unless otherwise specified below. For all "
"ン名と区別できる範囲で (文字を省略して) 指定することもできる。"
#. type: TP
-#: original/man8/ip6tables.8:147 original/man8/ip6tables.8:230
+#: original/man8/ip6tables.8:154 original/man8/ip6tables.8:237
#: original/man8/iptables.8:153
#, fuzzy, no-wrap
#| msgid "B<-A, --append >I<chain rule-specification>"
msgstr "B<-A, --append >I<chain rule-specification>"
#. type: Plain text
-#: original/man8/ip6tables.8:152 original/man8/ip6tables.8:235
+#: original/man8/ip6tables.8:159 original/man8/ip6tables.8:242
#: original/man8/iptables.8:158
msgid ""
"Append one or more rules to the end of the selected chain. When the source "
"場合は、可能なアドレスの組合せそれぞれに対してルールが追加される。"
#. type: TP
-#: original/man8/ip6tables.8:152 original/man8/iptables.8:158
+#: original/man8/ip6tables.8:159 original/man8/iptables.8:158
#, fuzzy, no-wrap
#| msgid "B<-A, --append >I<chain rule-specification>"
msgid "B<-C>, B<--check> I<chain rule-specification>"
msgstr "B<-A, --append >I<chain rule-specification>"
#. type: Plain text
-#: original/man8/ip6tables.8:158 original/man8/iptables.8:164
+#: original/man8/ip6tables.8:165 original/man8/iptables.8:164
msgid ""
"Check whether a rule matching the specification does exist in the selected "
"chain. This command uses the same logic as B<-D> to find a matching entry, "
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:158 original/man8/iptables.8:164
+#: original/man8/ip6tables.8:165 original/man8/iptables.8:164
#, fuzzy, no-wrap
#| msgid "B<-D, --delete >I<chain rule-specification>"
msgid "B<-D>, B<--delete> I<chain rule-specification>"
msgstr "B<-D, --delete >I<chain rule-specification>"
#. type: TP
-#: original/man8/ip6tables.8:161 original/man8/iptables.8:167
+#: original/man8/ip6tables.8:168 original/man8/iptables.8:167
#, fuzzy, no-wrap
#| msgid "B<-D, --delete >I<chain rulenum>"
msgid "B<-D>, B<--delete> I<chain rulenum>"
msgstr "B<-D, --delete >I<chain rulenum>"
#. type: Plain text
-#: original/man8/ip6tables.8:166 original/man8/iptables.8:172
+#: original/man8/ip6tables.8:173 original/man8/iptables.8:172
msgid ""
"Delete one or more rules from the selected chain. There are two versions of "
"this command: the rule can be specified as a number in the chain (starting "
"マッチするルールを指定する場合である。"
#. type: TP
-#: original/man8/ip6tables.8:166 original/man8/iptables.8:172
+#: original/man8/ip6tables.8:173 original/man8/iptables.8:172
#, fuzzy, no-wrap
#| msgid "B<-I, --insert >I<chain> [I<rulenum>] I<rule-specification>"
msgid "B<-I>, B<--insert> I<chain> [I<rulenum>] I<rule-specification>"
msgstr "B<-I, --insert >I<チェイン> [I<ルール番号>] I<ルールの詳細>"
#. type: Plain text
-#: original/man8/ip6tables.8:172 original/man8/iptables.8:178
+#: original/man8/ip6tables.8:179 original/man8/iptables.8:178
msgid ""
"Insert one or more rules in the selected chain as the given rule number. "
"So, if the rule number is 1, the rule or rules are inserted at the head of "
"されない場合のデフォルトでもある。"
#. type: TP
-#: original/man8/ip6tables.8:172 original/man8/iptables.8:178
+#: original/man8/ip6tables.8:179 original/man8/iptables.8:178
#, fuzzy, no-wrap
#| msgid "B<-R, --replace >I<chain rulenum rule-specification>"
msgid "B<-R>, B<--replace> I<chain rulenum rule-specification>"
msgstr "B<-R, --replace >I<chain rulenum rule-specification>"
#. type: Plain text
-#: original/man8/ip6tables.8:177 original/man8/iptables.8:183
+#: original/man8/ip6tables.8:184 original/man8/iptables.8:183
msgid ""
"Replace a rule in the selected chain. If the source and/or destination "
"names resolve to multiple addresses, the command will fail. Rules are "
"このコマンドは失敗する。ルール番号は 1 からはじまる。"
#. type: TP
-#: original/man8/ip6tables.8:177 original/man8/iptables.8:183
+#: original/man8/ip6tables.8:184 original/man8/iptables.8:183
#, fuzzy, no-wrap
#| msgid "B<-L, --list >[I<chain>]"
msgid "B<-L>, B<--list> [I<chain>]"
msgstr "B<-L, --list >[I<chain>]"
#. type: Plain text
-#: original/man8/ip6tables.8:182
+#: original/man8/ip6tables.8:189
#, fuzzy
#| msgid ""
#| "List all rules in the selected chain. If no chain is selected, all "
"ルールを表示するには以下のようにする。"
#. type: Plain text
-#: original/man8/ip6tables.8:189 original/man8/iptables.8:197
+#: original/man8/ip6tables.8:196 original/man8/iptables.8:197
msgid ""
"Please note that it is often used with the B<-n> option, in order to avoid "
"long reverse DNS lookups. It is legal to specify the B<-Z> (zero) option as "
"実際のルールそのものは表示されない。"
#. type: Plain text
-#: original/man8/ip6tables.8:191
+#: original/man8/ip6tables.8:198
#, no-wrap
msgid " ip6tables -L -v\n"
msgstr " ip6tables -L -v\n"
#. type: TP
-#: original/man8/ip6tables.8:192 original/man8/iptables.8:200
+#: original/man8/ip6tables.8:199 original/man8/iptables.8:200
#, fuzzy, no-wrap
#| msgid "B<-L, --list >[I<chain>]"
msgid "B<-S>, B<--list-rules> [I<chain>]"
msgstr "B<-L, --list >[I<chain>]"
#. type: Plain text
-#: original/man8/ip6tables.8:197
+#: original/man8/ip6tables.8:204
#, fuzzy
#| msgid ""
#| "List all rules in the selected chain. If no chain is selected, all "
"ルールを表示するには以下のようにする。"
#. type: TP
-#: original/man8/ip6tables.8:197 original/man8/iptables.8:205
+#: original/man8/ip6tables.8:204 original/man8/iptables.8:205
#, fuzzy, no-wrap
#| msgid "B<-F, --flush >[I<chain>]"
msgid "B<-F>, B<--flush> [I<chain>]"
msgstr "B<-F, --flush >[I<chain>]"
#. type: Plain text
-#: original/man8/ip6tables.8:201 original/man8/iptables.8:209
+#: original/man8/ip6tables.8:208 original/man8/iptables.8:209
msgid ""
"Flush the selected chain (all the chains in the table if none is given). "
"This is equivalent to deleting all the rules one by one."
"同じである。"
#. type: TP
-#: original/man8/ip6tables.8:201 original/man8/iptables.8:209
+#: original/man8/ip6tables.8:208 original/man8/iptables.8:209
#, fuzzy, no-wrap
#| msgid "B<-Z, --zero >[I<chain>]"
msgid "B<-Z>, B<--zero> [I<chain> [I<rulenum>]]"
msgstr "B<-Z, --zero >[I<chain>]"
#. type: Plain text
-#: original/man8/ip6tables.8:209 original/man8/iptables.8:217
+#: original/man8/ip6tables.8:216 original/man8/iptables.8:217
#, fuzzy
#| msgid ""
#| "Zero the packet and byte counters in all chains. It is legal to specify "
"することもできる (上記を参照)。"
#. type: TP
-#: original/man8/ip6tables.8:209 original/man8/iptables.8:217
+#: original/man8/ip6tables.8:216 original/man8/iptables.8:217
#, fuzzy, no-wrap
#| msgid "B<-N, --new-chain >I<chain>"
msgid "B<-N>, B<--new-chain> I<chain>"
msgstr "B<-N, --new-chain >I<chain>"
#. type: Plain text
-#: original/man8/ip6tables.8:213 original/man8/iptables.8:221
+#: original/man8/ip6tables.8:220 original/man8/iptables.8:221
msgid ""
"Create a new user-defined chain by the given name. There must be no target "
"of that name already."
"してはならない。"
#. type: TP
-#: original/man8/ip6tables.8:213 original/man8/iptables.8:221
+#: original/man8/ip6tables.8:220 original/man8/iptables.8:221
#, fuzzy, no-wrap
#| msgid "B<-X, --delete-chain >[I<chain>]"
msgid "B<-X>, B<--delete-chain> [I<chain>]"
msgstr "B<-X, --delete-chain >[I<chain>]"
#. type: Plain text
-#: original/man8/ip6tables.8:220 original/man8/iptables.8:228
+#: original/man8/ip6tables.8:227 original/man8/iptables.8:228
#, fuzzy
#| msgid ""
#| "Delete the optional user-defined chain specified. There must be no "
"ブルにあるチェインのうち 組み込み済みチェインでないものを全て削除する。"
#. type: TP
-#: original/man8/ip6tables.8:220 original/man8/iptables.8:228
+#: original/man8/ip6tables.8:227 original/man8/iptables.8:228
#, fuzzy, no-wrap
#| msgid "B<-P, --policy >I<chain target>"
msgid "B<-P>, B<--policy> I<chain target>"
msgstr "B<-P, --policy >I<chain target>"
#. type: Plain text
-#: original/man8/ip6tables.8:226 original/man8/iptables.8:234
+#: original/man8/ip6tables.8:233 original/man8/iptables.8:234
msgid ""
"Set the policy for the chain to the given target. See the section "
"B<TARGETS> for the legal targets. Only built-in (non-user-defined) chains "
"ユーザー定義チェインも ポリシーのターゲットに設定することはできない。"
#. type: TP
-#: original/man8/ip6tables.8:226 original/man8/iptables.8:234
+#: original/man8/ip6tables.8:233 original/man8/iptables.8:234
#, fuzzy, no-wrap
#| msgid "B<-E, --rename-chain >I<old-chain new-chain>"
msgid "B<-E>, B<--rename-chain> I<old-chain new-chain>"
msgstr "B<-E, --rename-chain >I<old-chain new-chain>"
#. type: Plain text
-#: original/man8/ip6tables.8:230 original/man8/iptables.8:238
+#: original/man8/ip6tables.8:237 original/man8/iptables.8:238
msgid ""
"Rename the user specified chain to the user supplied name. This is "
"cosmetic, and has no effect on the structure of the table."
"テーブルの構造には何も影響しない。"
#. type: TP
-#: original/man8/ip6tables.8:235 original/man8/iptables.8:238
+#: original/man8/ip6tables.8:242 original/man8/iptables.8:238
#, no-wrap
msgid "B<-h>"
msgstr "B<-h>"
#. type: Plain text
-#: original/man8/ip6tables.8:239 original/man8/iptables.8:242
+#: original/man8/ip6tables.8:246 original/man8/iptables.8:242
msgid "Help. Give a (currently very brief) description of the command syntax."
msgstr "ヘルプ。 (今のところはとても簡単な) コマンド書式の説明を表示する。"
#. type: SS
-#: original/man8/ip6tables.8:239 original/man8/iptables.8:242
+#: original/man8/ip6tables.8:246 original/man8/iptables.8:242
#, no-wrap
msgid "PARAMETERS"
msgstr "パラメータ"
#. type: Plain text
-#: original/man8/ip6tables.8:242 original/man8/iptables.8:245
+#: original/man8/ip6tables.8:249 original/man8/iptables.8:245
msgid ""
"The following parameters make up a rule specification (as used in the add, "
"delete, insert, replace and append commands)."
"て) ルールの仕様を決める。"
#. type: TP
-#: original/man8/ip6tables.8:242 original/man8/iptables.8:245
+#: original/man8/ip6tables.8:249 original/man8/iptables.8:245
+#, fuzzy, no-wrap
+#| msgid "B<-c>, B<--counters>"
+msgid "B<-4>, B<--ipv4>"
+msgstr "B<-c>, B<--counters>"
+
+#. type: Plain text
+#: original/man8/ip6tables.8:255
+msgid ""
+"If a rule using the B<-4> option is inserted with (and only with) ip6tables-"
+"restore, it will be silently ignored. Any other uses will throw an error. "
+"This option allows to put both IPv4 and IPv6 rules in a single rule file for "
+"use with both iptables-restore and ip6tables-restore."
+msgstr ""
+
+#. type: TP
+#: original/man8/ip6tables.8:255 original/man8/iptables.8:248
+#, fuzzy, no-wrap
+#| msgid "B<-c>, B<--counters>"
+msgid "B<-6>, B<--ipv6>"
+msgstr "B<-c>, B<--counters>"
+
+#. type: Plain text
+#: original/man8/ip6tables.8:258
+msgid "This option has no effect in ip6tables and ip6tables-restore."
+msgstr ""
+
+#. type: TP
+#: original/man8/ip6tables.8:258 original/man8/iptables.8:254
#, fuzzy, no-wrap
#| msgid "B<-p, --protocol >[!] I<protocol>"
msgid "[B<!>] B<-p>, B<--protocol> I<protocol>"
msgstr "B<-p, --protocol >[!] I<protocol>"
#. type: Plain text
-#: original/man8/ip6tables.8:260
+#: original/man8/ip6tables.8:276
#, fuzzy
#| msgid ""
#| "The protocol of the rule or of the packet to check. The specified "
"プションが省略された際のデフォルトである。"
#. type: TP
-#: original/man8/ip6tables.8:260
+#: original/man8/ip6tables.8:276
#, fuzzy, no-wrap
#| msgid "B<-s, --source >[!] I<address>[/I<mask>]"
msgid "[B<!>] B<-s>, B<--source> I<address>[B</>I<mask>]"
msgstr "B<-s, --source >[!] I<address>[/I<mask>]"
#. type: Plain text
-#: original/man8/ip6tables.8:277
+#: original/man8/ip6tables.8:293
#, fuzzy
#| msgid ""
#| "Source specification. I<Address> can be either a network name, a "
"ションの別名である。"
#. type: TP
-#: original/man8/ip6tables.8:277
+#: original/man8/ip6tables.8:293
#, fuzzy, no-wrap
#| msgid "B<-d, --destination >[!] I<address>[/I<mask>]"
msgid "[B<!>] B<-d>, B<--destination> I<address>[B</>I<mask>]"
msgstr "B<-d, --destination >[!] I<address>[/I<mask>]"
#. type: Plain text
-#: original/man8/ip6tables.8:283 original/man8/iptables.8:279
+#: original/man8/ip6tables.8:299 original/man8/iptables.8:288
msgid ""
"Destination specification. See the description of the B<-s> (source) flag "
"for a detailed description of the syntax. The flag B<--dst> is an alias for "
"すること。 フラグ B<--dst> は、このオプションの別名である。"
#. type: TP
-#: original/man8/ip6tables.8:283 original/man8/iptables.8:279
+#: original/man8/ip6tables.8:299 original/man8/iptables.8:288
+#, fuzzy, no-wrap
+#| msgid "B<-L, --list >[I<chain>]"
+msgid "B<-m>, B<--match> I<match>"
+msgstr "B<-L, --list >[I<chain>]"
+
+#. type: Plain text
+#: original/man8/ip6tables.8:306 original/man8/iptables.8:295
+msgid ""
+"Specifies a match to use, that is, an extension module that tests for a "
+"specific property. The set of matches make up the condition under which a "
+"target is invoked. Matches are evaluated first to last as specified on the "
+"command line and work in short-circuit fashion, i.e. if one extension yields "
+"false, evaluation will stop."
+msgstr ""
+
+#. type: TP
+#: original/man8/ip6tables.8:306 original/man8/iptables.8:295
#, fuzzy, no-wrap
#| msgid "B<-j, --jump >I<target>"
msgid "B<-j>, B<--jump> I<target>"
msgstr "B<-j, --jump >I<target>"
#. type: Plain text
-#: original/man8/ip6tables.8:294 original/man8/iptables.8:290
+#: original/man8/ip6tables.8:317 original/man8/iptables.8:306
#, fuzzy
#| msgid ""
#| "This specifies the target of the rule; i.e., what to do if the packet "
"加算される。"
#. type: TP
-#: original/man8/ip6tables.8:294 original/man8/iptables.8:290
+#: original/man8/ip6tables.8:317 original/man8/iptables.8:306
#, fuzzy, no-wrap
#| msgid "B<-L, --list >[I<chain>]"
msgid "B<-g>, B<--goto> I<chain>"
msgstr "B<-L, --list >[I<chain>]"
#. type: Plain text
-#: original/man8/ip6tables.8:300 original/man8/iptables.8:296
+#: original/man8/ip6tables.8:323 original/man8/iptables.8:312
msgid ""
"This specifies that the processing should continue in a user specified "
"chain. Unlike the --jump option return will not continue processing in this "
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:300 original/man8/iptables.8:296
+#: original/man8/ip6tables.8:323 original/man8/iptables.8:312
#, fuzzy, no-wrap
#| msgid "B<-i, --in-interface >[!] I<name>"
msgid "[B<!>] B<-i>, B<--in-interface> I<name>"
msgstr "B<-i, --in-interface >[!] I<name>"
#. type: Plain text
-#: original/man8/ip6tables.8:308 original/man8/iptables.8:304
+#: original/man8/ip6tables.8:331 original/man8/iptables.8:320
#, fuzzy
#| msgid ""
#| "Name of an interface via which a packet is going to be received (only for "
"任意のインターフェース名にマッチする。"
#. type: TP
-#: original/man8/ip6tables.8:308 original/man8/iptables.8:304
+#: original/man8/ip6tables.8:331 original/man8/iptables.8:320
#, fuzzy, no-wrap
#| msgid "B<-o, --out-interface >[!] I<name>"
msgid "[B<!>] B<-o>, B<--out-interface> I<name>"
msgstr "B<-o, --out-interface >[!] I<name>"
#. type: Plain text
-#: original/man8/ip6tables.8:325 original/man8/iptables.8:312
+#: original/man8/ip6tables.8:348 original/man8/iptables.8:328
msgid ""
"Name of an interface via which a packet is going to be sent (for packets "
"entering the B<FORWARD>, B<OUTPUT> and B<POSTROUTING> chains). When the \"!"
"る。"
#. type: TP
-#: original/man8/ip6tables.8:325 original/man8/iptables.8:320
+#: original/man8/ip6tables.8:348 original/man8/iptables.8:336
#, fuzzy, no-wrap
#| msgid "B<-c, --set-counters >I<PKTS BYTES>"
msgid "B<-c>, B<--set-counters> I<packets bytes>"
msgstr "B<-c, --set-counters >I<PKTS BYTES>"
#. type: Plain text
-#: original/man8/ip6tables.8:330 original/man8/iptables.8:325
+#: original/man8/ip6tables.8:353 original/man8/iptables.8:341
#, fuzzy
#| msgid ""
#| "This enables the administrator to initialize the packet and byte counters "
"者はパケットカウンタとバイトカウンタを 初期化することができる。"
#. type: SS
-#: original/man8/ip6tables.8:330 original/man8/iptables.8:325
+#: original/man8/ip6tables.8:353 original/man8/iptables.8:341
#, no-wrap
msgid "OTHER OPTIONS"
msgstr "その他のオプション"
#. type: Plain text
-#: original/man8/ip6tables.8:332 original/man8/iptables.8:327
+#: original/man8/ip6tables.8:355 original/man8/iptables.8:343
msgid "The following additional options can be specified:"
msgstr "その他に以下のオプションを指定することができる:"
-#. type: TP
-#: original/man8/ip6tables.8:332 original/man8/iptables.8:327
-#: original/man1/iptables-xml.1:38
-#, fuzzy, no-wrap
-#| msgid "B<-v, --verbose>"
-msgid "B<-v>, B<--verbose>"
-msgstr "B<-v, --verbose>"
-
#. type: Plain text
-#: original/man8/ip6tables.8:342 original/man8/iptables.8:337
+#: original/man8/ip6tables.8:365 original/man8/iptables.8:353
#, fuzzy
#| msgid ""
#| "Verbose output. This option makes the list command show the interface "
"delete, replace コマンドに適用すると、 ルールについての詳細な情報を表示する。"
#. type: TP
-#: original/man8/ip6tables.8:342 original/man8/iptables.8:337
+#: original/man8/ip6tables.8:365 original/man8/iptables.8:353
#, fuzzy, no-wrap
#| msgid "B<-n, --numeric>"
msgid "B<-n>, B<--numeric>"
msgstr "B<-n, --numeric>"
#. type: Plain text
-#: original/man8/ip6tables.8:348 original/man8/iptables.8:343
+#: original/man8/ip6tables.8:371 original/man8/iptables.8:359
msgid ""
"Numeric output. IP addresses and port numbers will be printed in numeric "
"format. By default, the program will try to display them as host names, "
"ホスト名・ネットワーク名・サービス名で表示しようとする。"
#. type: TP
-#: original/man8/ip6tables.8:348 original/man8/iptables.8:343
+#: original/man8/ip6tables.8:371 original/man8/iptables.8:359
#, fuzzy, no-wrap
#| msgid "B<-x, --exact>"
msgid "B<-x>, B<--exact>"
msgstr "B<-x, --exact>"
#. type: Plain text
-#: original/man8/ip6tables.8:355 original/man8/iptables.8:350
+#: original/man8/ip6tables.8:378 original/man8/iptables.8:366
msgid ""
"Expand numbers. Display the exact value of the packet and byte counters, "
"instead of only the rounded number in K's (multiples of 1000) M's "
"このオプションは、 B<-L> コマンドとしか関係しない。"
#. type: TP
-#: original/man8/ip6tables.8:355 original/man8/iptables.8:350
+#: original/man8/ip6tables.8:378 original/man8/iptables.8:366
#, no-wrap
msgid "B<--line-numbers>"
msgstr "B<--line-numbers>"
#. type: Plain text
-#: original/man8/ip6tables.8:359 original/man8/iptables.8:354
+#: original/man8/ip6tables.8:382 original/man8/iptables.8:370
msgid ""
"When listing rules, add line numbers to the beginning of each rule, "
"corresponding to that rule's position in the chain."
"各行の始めに付加する。"
#. type: TP
-#: original/man8/ip6tables.8:359 original/man8/iptables.8:354
+#: original/man8/ip6tables.8:382 original/man8/iptables.8:370
#, fuzzy, no-wrap
#| msgid "B<--modprobe=command>"
msgid "B<--modprobe=>I<command>"
msgstr "B<--modprobe=command>"
#. type: Plain text
-#: original/man8/ip6tables.8:363 original/man8/iptables.8:358
+#: original/man8/ip6tables.8:386 original/man8/iptables.8:374
#, fuzzy
#| msgid ""
#| "When adding or inserting rules into a chain, use B<command> to load any "
"で) 必要なモジュールをロードするために使う B<command> を指定する。"
#. type: SH
-#: original/man8/ip6tables.8:363 original/man8/iptables.8:358
+#: original/man8/ip6tables.8:386 original/man8/iptables-extensions.8:10
#, no-wrap
msgid "MATCH EXTENSIONS"
msgstr "マッチングの拡張"
#. type: Plain text
-#: original/man8/ip6tables.8:373
-#, fuzzy
-#| msgid ""
-#| "ip6tables can use extended packet matching modules. These are loaded in "
-#| "two ways: implicitly, when B<-p> or B<--protocol> is specified, or with "
-#| "the B<-m> or B<--match> options, followed by the matching module name; "
-#| "after these, various extra command line options become available, "
-#| "depending on the specific module. You can specify multiple extended "
-#| "match modules in one line, and you can use the B<-h> or B<--help> options "
-#| "after the module has been specified to receive help specific to that "
-#| "module."
-msgid ""
-"ip6tables can use extended packet matching modules with the B<-m> or B<--"
-"match> options, followed by the matching module name; after these, various "
-"extra command line options become available, depending on the specific "
-"module. You can specify multiple extended match modules in one line, and "
-"you can use the B<-h> or B<--help> options after the module has been "
-"specified to receive help specific to that module."
-msgstr ""
-"ip6tables は拡張されたパケットマッチングモジュールを使うことができる。 これら"
-"のモジュールは 2 種類の方法でロードされる: モジュールは、 B<-p> または B<--"
-"protocol> で暗黙のうちに指定されるか、 B<-m> または B<--match> の後にモジュー"
-"ル名を続けて指定される。 これらのモジュールの後ろには、モジュールに応じて 他"
-"のいろいろなコマンドラインオプションを指定することができる。 複数の拡張マッチ"
-"ングモジュールを 1 行で指定することができる。 また、モジュールに特有のヘルプ"
-"を表示させるためには、 モジュールを指定した後で B<-h> または B<--help> を指定"
-"すればよい。"
-
-#. @MATCH@
-#. type: Plain text
-#: original/man8/ip6tables.8:378
+#: original/man8/ip6tables.8:390 original/man8/iptables.8:378
msgid ""
-"If the B<-p> or B<--protocol> was specified and if and only if an unknown "
-"option is encountered, ip6tables will try load a match module of the same "
-"name as the protocol, to try making the option available."
+"iptables can use extended packet matching and target modules. A list of "
+"these is available in the B<iptables-extensions>(8) manpage."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:378 original/man8/iptables.8:373
+#. type: SH
+#: original/man8/ip6tables.8:390 original/man8/iptables.8:378
#, no-wrap
-msgid "addrtype"
-msgstr ""
+msgid "DIAGNOSTICS"
+msgstr "返り値"
#. type: Plain text
-#: original/man8/ip6tables.8:383 original/man8/iptables.8:378
+#: original/man8/ip6tables.8:395 original/man8/iptables.8:383
msgid ""
-"This module matches packets based on their B<address type.> Address types "
-"are used within the kernel networking stack and categorize addresses into "
-"various groups. The exact definition of that group depends on the specific "
-"layer three protocol."
+"Various error messages are printed to standard error. The exit code is 0 "
+"for correct functioning. Errors which appear to be caused by invalid or "
+"abused command line parameters cause an exit code of 2, and other errors "
+"cause an exit code of 1."
msgstr ""
+"いろいろなエラーメッセージが標準エラーに表示される。 正しく機能した場合、終了"
+"コードは 0 である。 不正なコマンドラインパラメータによりエラーが発生した場合"
+"は、 終了コード 2 が返される。 その他のエラーの場合は、終了コード 1 が返され"
+"る。"
#. type: Plain text
-#: original/man8/ip6tables.8:385 original/man8/iptables.8:380
-#, fuzzy
-#| msgid "The following additional options can be specified:"
-msgid "The following address types are possible:"
-msgstr "その他に以下のオプションを指定することができる:"
+#: original/man8/ip6tables.8:398
+msgid ""
+"Bugs? What's this? ;-) Well... the counters are not reliable on sparc64."
+msgstr ""
+"バグ? バグって何? ;-) えーと…、sparc64 ではカウンター値が信頼できない。"
-#. type: TP
-#: original/man8/ip6tables.8:385 original/man8/iptables.8:380
+#. type: SH
+#: original/man8/ip6tables.8:398 original/man8/iptables.8:386
#, no-wrap
-msgid "B<UNSPEC>"
-msgstr ""
+msgid "COMPATIBILITY WITH IPCHAINS"
+msgstr "IPCHAINS との互換性"
#. type: Plain text
-#: original/man8/ip6tables.8:388 original/man8/iptables.8:383
-msgid "an unspecified address (i.e. 0.0.0.0)"
-msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:388 original/man8/iptables.8:383
-#, no-wrap
-msgid "B<UNICAST>"
+#: original/man8/ip6tables.8:407
+msgid ""
+"This B<ip6tables> is very similar to ipchains by Rusty Russell. The main "
+"difference is that the chains B<INPUT> and B<OUTPUT> are only traversed for "
+"packets coming into the local host and originating from the local host "
+"respectively. Hence every packet only passes through one of the three "
+"chains (except loopback traffic, which involves both INPUT and OUTPUT "
+"chains); previously a forwarded packet would pass through all three."
msgstr ""
+"B<ip6tables> は、Rusty Russell の ipchains と非常によく似ている。 大きな違い"
+"は、チェイン B<INPUT> と B<OUTPUT> が、それぞれローカルホストに入ってくるパ"
+"ケットと、 ローカルホストから出されるパケットのみしか調べないという点であ"
+"る。 よって、全てのパケットは 3 つあるチェインのうち 1 つしか通らない (ループ"
+"バックトラフィックは例外で、INPUT と OUTPUT チェインの両方を通る)。 以前は "
+"(ipchains では)、 フォワードされるパケットが 3 つのチェイン全てを通っていた。"
#. type: Plain text
-#: original/man8/ip6tables.8:391 original/man8/iptables.8:386
-msgid "an unicast address"
+#: original/man8/ip6tables.8:412
+msgid ""
+"The other main difference is that B<-i> refers to the input interface; B<-o> "
+"refers to the output interface, and both are available for packets entering "
+"the B<FORWARD> chain. There are several other changes in ip6tables."
msgstr ""
+"その他の大きな違いは、 B<-i> で入力インターフェース、 B<-o> で出力インター"
+"フェースを指定し、 ともに B<FORWARD> チェインに入るパケットに対して指定可能な"
+"点である。 ip6tables では、その他にもいくつかの変更がある。"
-#. type: TP
-#: original/man8/ip6tables.8:391 original/man8/iptables.8:386
-#, no-wrap
-msgid "B<LOCAL>"
+#. type: Plain text
+#: original/man8/ip6tables.8:421
+#, fuzzy
+#| msgid ""
+#| "B<ip6tables-save>(8), B<ip6tables-restore(8),> B<iptables>(8), B<iptables-"
+#| "save>(8), B<iptables-restore>(8)."
+msgid ""
+"B<ip6tables-save>(8), B<ip6tables-restore>(8), B<iptables>(8), B<iptables-"
+"apply>(8), B<iptables-extensions>(8), B<iptables-save>(8), B<iptables-"
+"restore>(8), B<libipq>(3)."
msgstr ""
+"B<ip6tables-save>(8), B<ip6tables-restore(8),> B<iptables>(8), B<iptables-"
+"save>(8), B<iptables-restore>(8)."
#. type: Plain text
-#: original/man8/ip6tables.8:394 original/man8/iptables.8:389
-msgid "a local address"
+#: original/man8/ip6tables.8:427
+#, fuzzy
+#| msgid ""
+#| "The packet-filtering-HOWTO details iptables usage for packet filtering, "
+#| "the NAT-HOWTO details NAT, the netfilter-extensions-HOWTO details the "
+#| "extensions that are not in the standard distribution, and the netfilter-"
+#| "hacking-HOWTO details the netfilter internals."
+msgid ""
+"The packet-filtering-HOWTO details iptables usage for packet filtering, the "
+"netfilter-extensions-HOWTO details the extensions that are not in the "
+"standard distribution, and the netfilter-hacking-HOWTO details the netfilter "
+"internals."
msgstr ""
+"パケットフィルタリングについての詳細な iptables の使用法を\n"
+"説明している packet-filtering-HOWTO。\n"
+"NAT について詳細に説明している NAT-HOWTO。\n"
+"標準的な配布には含まれない拡張の詳細を 説明している \n"
+"netfilter-extensions-HOWTO。\n"
+"内部構造について詳細に説明している netfilter-hacking-HOWTO。"
-#. type: TP
-#: original/man8/ip6tables.8:394 original/man8/iptables.8:389
-#, no-wrap
-msgid "B<BROADCAST>"
-msgstr ""
+#. type: Plain text
+#: original/man8/ip6tables.8:430 original/man8/iptables.8:429
+msgid "See B<http://www.netfilter.org/>."
+msgstr "B<http://www.netfilter.org/> を参照。"
#. type: Plain text
-#: original/man8/ip6tables.8:397 original/man8/iptables.8:392
-msgid "a broadcast address"
+#: original/man8/ip6tables.8:433
+msgid ""
+"Rusty Russell wrote iptables, in early consultation with Michael Neuling."
msgstr ""
+"Rusty Russell は、初期の段階で Michael Neuling に相談して iptables を書いた。"
-#. type: TP
-#: original/man8/ip6tables.8:397 original/man8/iptables.8:392
-#, no-wrap
-msgid "B<ANYCAST>"
+#. type: Plain text
+#: original/man8/ip6tables.8:437 original/man8/iptables.8:436
+msgid ""
+"Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet "
+"selection framework in iptables, then wrote the mangle table, the owner "
+"match, the mark stuff, and ran around doing cool stuff everywhere."
msgstr ""
+"Marc Boucher は Rusty に iptables の一般的なパケット選択の考え方を勧めて、 "
+"ipnatctl を止めさせた。 そして、mangle テーブル・所有者マッチング・ mark 機能"
+"を書き、いたるところで使われている素晴らしいコードを書いた。"
#. type: Plain text
-#: original/man8/ip6tables.8:400 original/man8/iptables.8:395
-msgid "an anycast packet"
-msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:400 original/man8/iptables.8:395
-#, no-wrap
-msgid "B<MULTICAST>"
-msgstr ""
+#: original/man8/ip6tables.8:439 original/man8/iptables.8:438
+msgid "James Morris wrote the TOS target, and tos match."
+msgstr "James Morris が TOS ターゲットと tos マッチングを書いた。"
#. type: Plain text
-#: original/man8/ip6tables.8:403 original/man8/iptables.8:398
-msgid "a multicast address"
-msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:403 original/man8/iptables.8:398
-#, no-wrap
-msgid "B<BLACKHOLE>"
-msgstr ""
+#: original/man8/ip6tables.8:441 original/man8/iptables.8:440
+msgid "Jozsef Kadlecsik wrote the REJECT target."
+msgstr "Jozsef Kadlecsik が REJECT ターゲットを書いた。"
#. type: Plain text
-#: original/man8/ip6tables.8:406 original/man8/iptables.8:401
-msgid "a blackhole address"
-msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:406 original/man8/iptables.8:401
-#, no-wrap
-msgid "B<UNREACHABLE>"
+#: original/man8/ip6tables.8:443
+#, fuzzy
+#| msgid "Harald Welte wrote the ULOG target, TTL match+target and libipulog."
+msgid ""
+"Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, as well as "
+"TTL match+target and libipulog."
msgstr ""
+"Harald Welte が ULOG ターゲット・TTL マッチングと TTL ターゲット・ libipulog "
+"を書いた。"
#. type: Plain text
-#: original/man8/ip6tables.8:409 original/man8/iptables.8:404
-msgid "an unreachable address"
-msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:409 original/man8/iptables.8:404
-#, no-wrap
-msgid "B<PROHIBIT>"
+#: original/man8/ip6tables.8:447 original/man8/iptables.8:446
+#, fuzzy
+#| msgid ""
+#| "The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Jozsef "
+#| "Kadlecsik, James Morris, Harald Welte and Rusty Russell."
+msgid ""
+"The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Yasuyuki "
+"Kozakai, Jozsef Kadlecsik, Patrick McHardy, James Morris, Pablo Neira Ayuso, "
+"Harald Welte and Rusty Russell."
msgstr ""
+"Netfilter コアチームは、Marc Boucher, Martin Josefsson, Jozsef Kadlecsik, "
+"James Morris, Harald Welte, Rusty Russell である。"
+#. .. and did I mention that we are incredibly cool people?
+#. .. sexy, too ..
+#. .. witty, charming, powerful ..
+#. .. and most of all, modest ..
#. type: Plain text
-#: original/man8/ip6tables.8:412 original/man8/iptables.8:407
-msgid "a prohibited address"
+#: original/man8/ip6tables.8:454
+msgid ""
+"ip6tables man page created by Andras Kis-Szabo, based on iptables man page "
+"written by Herve Eychenne E<lt>rv@wallfire.orgE<gt>."
msgstr ""
+"ip6tables の man ページは、Andras Kis-Szabo によって作成された。 これは "
+"Herve Eychenne E<lt>rv@wallfire.orgE<gt> によって書かれた iptables の man "
+"ページを元にしている。"
-#. type: TP
-#: original/man8/ip6tables.8:412 original/man8/iptables.8:407
+#. type: SH
+#: original/man8/ip6tables.8:454 original/man8/iptables.8:452
#, no-wrap
-msgid "B<THROW>"
+msgid "VERSION"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:415 original/man8/ip6tables.8:418
-#: original/man8/iptables.8:410 original/man8/iptables.8:413
-msgid "FIXME"
+#: original/man8/ip6tables.8:456
+msgid "This manual page applies to ip6tables 1.4.18."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:415 original/man8/iptables.8:410
+#. type: TH
+#: original/man8/iptables-restore.8:1
#, no-wrap
-msgid "B<NAT>"
-msgstr ""
+msgid "IPTABLES-RESTORE"
+msgstr "IPTABLES-RESTORE"
-#. type: TP
-#: original/man8/ip6tables.8:418 original/man8/iptables.8:413
+#. type: TH
+#: original/man8/iptables-restore.8:1 original/man8/iptables-save.8:1
#, no-wrap
-msgid "B<XRESOLVE>"
-msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:420 original/man8/iptables.8:415
-#, fuzzy, no-wrap
-#| msgid "B<--icmp-type >[!] I<typename>"
-msgid "[B<!>] B<--src-type> I<type>"
-msgstr "B<--icmp-type >[!] I<typename>"
+msgid "Jan 04, 2001"
+msgstr "Jan 04, 2001"
#. type: Plain text
-#: original/man8/ip6tables.8:423 original/man8/iptables.8:418
+#: original/man8/iptables-restore.8:23
#, fuzzy
-#| msgid ""
-#| "Matches if the packet was created by a process with the given process id."
-msgid "Matches if the source address is of given type"
-msgstr ""
-"指定されたプロセス ID のプロセスにより パケットが生成されている場合にマッチす"
-"る。"
-
-#. type: TP
-#: original/man8/ip6tables.8:423 original/man8/iptables.8:418
-#, fuzzy, no-wrap
-#| msgid "B<--icmp-type >[!] I<typename>"
-msgid "[B<!>] B<--dst-type> I<type>"
-msgstr "B<--icmp-type >[!] I<typename>"
+#| msgid "iptables-restore - Restore IP Tables"
+msgid "iptables-restore \\(em Restore IP Tables"
+msgstr "iptables-restore - IP テーブルを復元する"
#. type: Plain text
-#: original/man8/ip6tables.8:426 original/man8/iptables.8:421
+#: original/man8/iptables-restore.8:26
#, fuzzy
-#| msgid "Match against reply destination address"
-msgid "Matches if the destination address is of given type"
-msgstr "応答の宛先アドレスにマッチする。"
-
-#. type: TP
-#: original/man8/ip6tables.8:426 original/man8/iptables.8:421
-#, fuzzy, no-wrap
-#| msgid "B<--limit >I<rate>"
-msgid "B<--limit-iface-in>"
-msgstr "B<--limit >I<rate>"
+#| msgid "B<iptables-restore >[-c] [-n]"
+msgid "B<iptables-restore> [B<-chntv>] [B<-M> I<modprobe>] [B<-T> I<name>]"
+msgstr "B<iptables-restore >[-c] [-n]"
#. type: Plain text
-#: original/man8/ip6tables.8:437 original/man8/iptables.8:432
+#: original/man8/iptables-restore.8:31
msgid ""
-"The address type checking can be limited to the interface the packet is "
-"coming in. This option is only valid in the B<PREROUTING>, B<INPUT> and "
-"B<FORWARD> chains. It cannot be specified with the B<--limit-iface-out> "
-"option."
+"B<iptables-restore> is used to restore IP Tables from data specified on "
+"STDIN. Use I/O redirection provided by your shell to read from a file"
msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:437 original/man8/iptables.8:432
-#, fuzzy, no-wrap
-#| msgid "B<--limit >I<rate>"
-msgid "B<--limit-iface-out>"
-msgstr "B<--limit >I<rate>"
+"B<iptables-restore> は標準入力で指定されたデータから IP テーブルを復元するた"
+"めに使われる。 ファイルから読み込むためには、 シェルで提供されている I/O リダ"
+"イレクションを使うこと。"
#. type: Plain text
-#: original/man8/ip6tables.8:448 original/man8/iptables.8:443
+#: original/man8/iptables-restore.8:42
+#, fuzzy
+#| msgid ""
+#| "don't flush the previous contents of the table. If not specified, "
+#| "B<iptables-restore> flushes (deletes) all previous contents of the "
+#| "respective IP Table."
msgid ""
-"The address type checking can be limited to the interface the packet is "
-"going out. This option is only valid in the B<POSTROUTING>, B<OUTPUT> and "
-"B<FORWARD> chains. It cannot be specified with the B<--limit-iface-in> "
-"option."
+"don't flush the previous contents of the table. If not specified, B<iptables-"
+"restore> flushes (deletes) all previous contents of the respective table."
msgstr ""
-
-#. type: SS
-#: original/man8/ip6tables.8:448 original/man8/iptables.8:443
-#, no-wrap
-msgid "ah"
-msgstr "ah"
+"これまでのテーブルの内容をフラッシュしない。 指定されない場合、 B<iptables-"
+"restore> は、これまでの各 IP テーブルの内容を全てフラッシュ (削除) する。"
#. type: Plain text
-#: original/man8/ip6tables.8:450
-#, fuzzy
-#| msgid "This module matches the SPIs in AH header of IPSec packets."
+#: original/man8/iptables-restore.8:52
msgid ""
-"This module matches the parameters in Authentication header of IPsec packets."
-msgstr "このモジュールは IPSec パケットの AH ヘッダーの SPI 値にマッチする。"
-
-#. type: TP
-#: original/man8/ip6tables.8:450 original/man8/iptables.8:445
-#, fuzzy, no-wrap
-#| msgid "B<--ahspi >[!] I<spi>[:I<spi>]"
-msgid "[B<!>] B<--ahspi> I<spi>[B<:>I<spi>]"
-msgstr "B<--ahspi >[!] I<spi>[:I<spi>]"
+"Specify the path to the modprobe program. By default, iptables-restore will "
+"inspect /proc/sys/kernel/modprobe to determine the executable's path."
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:453
-msgid "Matches SPI."
+#: original/man8/iptables-restore.8:55
+msgid ""
+"Restore only the named table even if the input stream contains other ones."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:453
-#, fuzzy, no-wrap
-#| msgid "B<-t>, B<--table> B<tablename>"
-msgid "[B<!>] B<--ahlen> I<length>"
-msgstr "B<-t>, B<--table> B<tablename>"
+#. type: SH
+#: original/man8/iptables-restore.8:57 original/man8/iptables-save.8:44
+#: original/man1/iptables-xml.1:84
+#, no-wrap
+msgid "AUTHOR"
+msgstr "作者"
#. type: Plain text
-#: original/man8/ip6tables.8:456 original/man8/ip6tables.8:748
-#: original/man8/ip6tables.8:870
-msgid "Total length of this header in octets."
-msgstr ""
+#: original/man8/iptables-restore.8:61
+msgid "B<iptables-save>(8), B<iptables>(8)"
+msgstr "B<iptables-save>(8), B<iptables>(8)"
-#. type: TP
-#: original/man8/ip6tables.8:456
+#. type: TH
+#: original/man8/iptables-save.8:1
#, no-wrap
-msgid "B<--ahres>"
-msgstr ""
+msgid "IPTABLES-SAVE"
+msgstr "IPTABLES-SAVE"
#. type: Plain text
-#: original/man8/ip6tables.8:459
-msgid "Matches if the reserved field is filled with zero."
+#: original/man8/iptables-save.8:23
+msgid "iptables-save \\(em dump iptables rules to stdout"
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:459 original/man8/iptables.8:447
-#, no-wrap
-msgid "cluster"
-msgstr ""
+#. type: Plain text
+#: original/man8/iptables-save.8:26
+#, fuzzy
+#| msgid "B<iptables-save >[-c] [-t table]"
+msgid "B<iptables-save> [B<-M> I<modprobe>] [B<-c>] [B<-t> I<table>]"
+msgstr "B<iptables-save >[-c] [-t table]"
#. type: Plain text
-#: original/man8/ip6tables.8:462 original/man8/iptables.8:450
+#: original/man8/iptables-save.8:31
msgid ""
-"Allows you to deploy gateway and back-end load-sharing clusters without the "
-"need of load-balancers."
+"B<iptables-save> is used to dump the contents of an IP Table in easily "
+"parseable format to STDOUT. Use I/O-redirection provided by your shell to "
+"write to a file."
msgstr ""
+"B<iptables-save> は IP テーブルの内容を簡単に解析できる形式で 標準出力にダン"
+"プするために使われる。 ファイルに書き出すためには、 シェルで提供されている I/"
+"O リダイレクションを使うこと。"
#. type: Plain text
-#: original/man8/ip6tables.8:465 original/man8/iptables.8:453
-msgid ""
-"This match requires that all the nodes see the same packets. Thus, the "
-"cluster match decides if this node has to handle a packet given the "
-"following options:"
-msgstr ""
+#: original/man8/iptables-save.8:48
+msgid "B<iptables-restore>(8), B<iptables>(8)"
+msgstr "B<iptables-restore>(8), B<iptables>(8)"
-#. type: TP
-#: original/man8/ip6tables.8:465 original/man8/iptables.8:453
+#. type: TH
+#: original/man8/iptables.8:1
#, no-wrap
-msgid "B<--cluster-total-nodes> I<num>"
-msgstr ""
+msgid "IPTABLES"
+msgstr "IPTABLES"
#. type: Plain text
-#: original/man8/ip6tables.8:468 original/man8/iptables.8:456
-msgid "Set number of total nodes in cluster."
-msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:468 original/man8/iptables.8:456
-#, fuzzy, no-wrap
-#| msgid "B<-t>, B<--table> B<tablename>"
-msgid "[B<!>] B<--cluster-local-node> I<num>"
-msgstr "B<-t>, B<--table> B<tablename>"
+#: original/man8/iptables.8:27
+#, fuzzy
+#| msgid "iptables - administration tool for IPv4 packet filtering and NAT"
+msgid "iptables \\(em administration tool for IPv4 packet filtering and NAT"
+msgstr "iptables - IPv4 のパケットフィルタと NAT を管理するツール"
#. type: Plain text
-#: original/man8/ip6tables.8:471 original/man8/iptables.8:459
-msgid "Set the local node number ID."
-msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:471 original/man8/iptables.8:459
-#, no-wrap
-msgid "[B<!>] B<--cluster-local-nodemask> I<mask>"
-msgstr ""
+#: original/man8/iptables.8:30
+#, fuzzy
+#| msgid "B<iptables [-t table] -[AD] >chain rule-specification [options]"
+msgid ""
+"B<iptables> [B<-t> I<table>] {B<-A>|B<-C>|B<-D>} I<chain> I<rule-"
+"specification>"
+msgstr "B<iptables [-t table] -[AD] >チェイン ルールの詳細 [オプション]"
#. type: Plain text
-#: original/man8/ip6tables.8:475 original/man8/iptables.8:463
+#: original/man8/iptables.8:32
+#, fuzzy
+#| msgid ""
+#| "B<iptables [-t table] -I >chain [rulenum] rule-specification [options]"
msgid ""
-"Set the local node number ID mask. You can use this option instead of B<--"
-"cluster-local-node>."
+"B<iptables> [B<-t> I<table>] B<-I> I<chain> [I<rulenum>] I<rule-"
+"specification>"
msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:475 original/man8/iptables.8:463
-#, fuzzy, no-wrap
-#| msgid "B<--set-mss >I<value>"
-msgid "B<--cluster-hash-seed> I<value>"
-msgstr "B<--set-mss >I<value>"
+"B<iptables [-t table] -I >チェイン [ルール番号] ルールの詳細 [オプション]"
#. type: Plain text
-#: original/man8/ip6tables.8:478 original/man8/iptables.8:466
-msgid "Set seed value of the Jenkins hash."
-msgstr ""
+#: original/man8/iptables.8:34
+#, fuzzy
+#| msgid "B<iptables [-t table] -R >chain rulenum rule-specification [options]"
+msgid "B<iptables> [B<-t> I<table>] B<-R> I<chain rulenum rule-specification>"
+msgstr ""
+"B<iptables [-t table] -R >チェイン ルール番号 ルールの詳細 [オプション]"
#. type: Plain text
-#: original/man8/ip6tables.8:480 original/man8/ip6tables.8:526
-#: original/man8/ip6tables.8:563 original/man8/ip6tables.8:711
-#: original/man8/ip6tables.8:1837 original/man8/ip6tables.8:1885
-#: original/man8/ip6tables.8:1931 original/man8/iptables.8:468
-#: original/man8/iptables.8:514 original/man8/iptables.8:551
-#: original/man8/iptables.8:699 original/man8/iptables.8:1755
-#: original/man8/iptables.8:1803 original/man8/iptables.8:1852
-#, no-wrap
-msgid "Example:"
-msgstr ""
+#: original/man8/iptables.8:36
+#, fuzzy
+#| msgid "B<iptables [-t table] -D >chain rulenum [options]"
+msgid "B<iptables> [B<-t> I<table>] B<-D> I<chain rulenum>"
+msgstr "B<iptables [-t table] -D >チェイン ルール番号 [オプション]"
#. type: Plain text
-#: original/man8/ip6tables.8:485 original/man8/iptables.8:473
-msgid ""
-"iptables -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 2 "
-"--cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark "
-"0xffff"
-msgstr ""
+#: original/man8/iptables.8:38
+#, fuzzy
+#| msgid "B<iptables [-t table] -D >chain rulenum [options]"
+msgid "B<iptables> [B<-t> I<table>] B<-S> [I<chain> [I<rulenum>]]"
+msgstr "B<iptables [-t table] -D >チェイン ルール番号 [オプション]"
#. type: Plain text
-#: original/man8/ip6tables.8:490 original/man8/iptables.8:478
+#: original/man8/iptables.8:40
+#, fuzzy
+#| msgid "B<iptables [-t table] -D >chain rulenum [options]"
msgid ""
-"iptables -A PREROUTING -t mangle -i eth2 -m cluster --cluster-total-nodes 2 "
-"--cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark "
-"0xffff"
-msgstr ""
+"B<iptables> [B<-t> I<table>] {B<-F>|B<-L>|B<-Z>} [I<chain> [I<rulenum>]] "
+"[I<options...>]"
+msgstr "B<iptables [-t table] -D >チェイン ルール番号 [オプション]"
#. type: Plain text
-#: original/man8/ip6tables.8:493 original/man8/iptables.8:481
-msgid ""
-"iptables -A PREROUTING -t mangle -i eth1 -m mark ! --mark 0xffff -j DROP"
-msgstr ""
+#: original/man8/iptables.8:42
+#, fuzzy
+#| msgid "B<iptables [-t table] -N >chain"
+msgid "B<iptables> [B<-t> I<table>] B<-N> I<chain>"
+msgstr "B<iptables [-t table] -N >チェイン"
#. type: Plain text
-#: original/man8/ip6tables.8:496 original/man8/iptables.8:484
-msgid ""
-"iptables -A PREROUTING -t mangle -i eth2 -m mark ! --mark 0xffff -j DROP"
-msgstr ""
+#: original/man8/iptables.8:44
+#, fuzzy
+#| msgid "B<iptables [-t table] -X >[chain]"
+msgid "B<iptables> [B<-t> I<table>] B<-X> [I<chain>]"
+msgstr "B<iptables [-t table] -X >[チェイン]"
#. type: Plain text
-#: original/man8/ip6tables.8:498 original/man8/iptables.8:486
-msgid "And the following commands to make all nodes see the same packets:"
-msgstr ""
+#: original/man8/iptables.8:46
+#, fuzzy
+#| msgid "B<iptables [-t table] -P >chain target [options]"
+msgid "B<iptables> [B<-t> I<table>] B<-P> I<chain target>"
+msgstr "B<iptables [-t table] -P >チェイン ターゲット [オプション]"
#. type: Plain text
-#: original/man8/ip6tables.8:500 original/man8/iptables.8:488
-msgid "ip maddr add 01:00:5e:00:01:01 dev eth1"
-msgstr ""
+#: original/man8/iptables.8:48
+#, fuzzy
+#| msgid "B<iptables [-t table] -E >old-chain-name new-chain-name"
+msgid "B<iptables> [B<-t> I<table>] B<-E> I<old-chain-name new-chain-name>"
+msgstr "B<iptables [-t table] -E >旧チェイン名 新チェイン名"
#. type: Plain text
-#: original/man8/ip6tables.8:502 original/man8/iptables.8:490
-msgid "ip maddr add 01:00:5e:00:01:02 dev eth2"
+#: original/man8/iptables.8:50
+msgid "rule-specification = [I<matches...>] [I<target>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:505 original/man8/iptables.8:493
-msgid ""
-"arptables -A OUTPUT -o eth1 --h-length 6 -j mangle --mangle-mac-s "
-"01:00:5e:00:01:01"
+#: original/man8/iptables.8:52
+msgid "match = B<-m> I<matchname> [I<per-match-options>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:509 original/man8/iptables.8:497
-msgid ""
-"arptables -A INPUT -i eth1 --h-length 6 --destination-mac 01:00:5e:00:01:01 -"
-"j mangle --mangle-mac-d 00:zz:yy:xx:5a:27"
+#: original/man8/iptables.8:54
+msgid "target = B<-j> I<targetname> [I<per-target-options>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:512 original/man8/iptables.8:500
+#: original/man8/iptables.8:60
+#, fuzzy
+#| msgid ""
+#| "B<Iptables> is used to set up, maintain, and inspect the tables of IP "
+#| "packet filter rules in the Linux kernel. Several different tables may be "
+#| "defined. Each table contains a number of built-in chains and may also "
+#| "contain user-defined chains."
msgid ""
-"arptables -A OUTPUT -o eth2 --h-length 6 -j mangle --mangle-mac-s "
-"01:00:5e:00:01:02"
+"B<Iptables> is used to set up, maintain, and inspect the tables of IPv4 "
+"packet filter rules in the Linux kernel. Several different tables may be "
+"defined. Each table contains a number of built-in chains and may also "
+"contain user-defined chains."
msgstr ""
+"B<iptables> は Linux カーネルの IP パケットフィルタルールのテーブルを 設定・"
+"管理・検査するために使われる。 複数の異なるテーブルを定義できる。 各テーブル"
+"にはたくさんの組み込み済みチェインが含まれており、 さらにユーザー定義のチェイ"
+"ンを加えることもできる。"
#. type: Plain text
-#: original/man8/ip6tables.8:516 original/man8/iptables.8:504
+#: original/man8/iptables.8:114
msgid ""
-"arptables -A INPUT -i eth2 --h-length 6 --destination-mac 01:00:5e:00:01:02 -"
-"j mangle --mangle-mac-d 00:zz:yy:xx:5a:27"
+"This table is consulted when a packet that creates a new connection is "
+"encountered. It consists of three built-ins: B<PREROUTING> (for altering "
+"packets as soon as they come in), B<OUTPUT> (for altering locally-generated "
+"packets before routing), and B<POSTROUTING> (for altering packets as they "
+"are about to go out)."
msgstr ""
+"このテーブルは新しい接続を開くようなパケットに対して参照される。 これには "
+"B<PREROUTING> (パケットが入ってきた場合、すぐにそのパケットを変換するための"
+"チェイン)・ B<OUTPUT> (ローカルで生成されたパケットをルーティングの前に変換す"
+"るためのチェイン)・ B<POSTROUTING> (パケットが出て行くときに変換するための"
+"チェイン) という 3 つの組み込み済みチェインが含まれる。"
#. type: Plain text
-#: original/man8/ip6tables.8:520 original/man8/iptables.8:508
+#: original/man8/iptables.8:147
msgid ""
-"In the case of TCP connections, pickup facility has to be disabled to avoid "
-"marking TCP ACK packets coming in the reply direction as valid."
-msgstr ""
+"The options that are recognized by B<iptables> can be divided into several "
+"different groups."
+msgstr "B<iptables> で使えるオプションは、いくつかのグループに分けられる。"
#. type: Plain text
-#: original/man8/ip6tables.8:522 original/man8/iptables.8:510
-msgid "echo 0 E<gt> /proc/sys/net/netfilter/nf_conntrack_tcp_loose"
-msgstr ""
-
-#. type: SS
-#: original/man8/ip6tables.8:522 original/man8/iptables.8:510
-#, no-wrap
-msgid "comment"
+#: original/man8/iptables.8:153
+#, fuzzy
+#| msgid ""
+#| "These options specify the specific action to perform. Only one of them "
+#| "can be specified on the command line unless otherwise specified below. "
+#| "For all the long versions of the command and option names, you need to "
+#| "use only enough letters to ensure that B<iptables> can differentiate it "
+#| "from all other options."
+msgid ""
+"These options specify the desired action to perform. Only one of them can be "
+"specified on the command line unless otherwise stated below. For long "
+"versions of the command and option names, you need to use only enough "
+"letters to ensure that B<iptables> can differentiate it from all other "
+"options."
msgstr ""
+"これらのオプションは、実行する特定の動作を指定する。 以下の説明で注記されてい"
+"ない限り、 コマンドラインで指定できるのはこの中の 1 つだけである。 長いバー"
+"ジョンのコマンド名とオプション名は、 B<iptables> が他のコマンド名やオプション"
+"名と区別できる範囲で (文字を省略して) 指定することもできる。"
#. type: Plain text
-#: original/man8/ip6tables.8:524 original/man8/iptables.8:512
-msgid "Allows you to add comments (up to 256 characters) to any rule."
+#: original/man8/iptables.8:188
+#, fuzzy
+#| msgid ""
+#| "List all rules in the selected chain. If no chain is selected, all "
+#| "chains are listed. As every other iptables command, it applies to the "
+#| "specified table (filter is the default), so NAT rules get listed by"
+msgid ""
+"List all rules in the selected chain. If no chain is selected, all chains "
+"are listed. Like every other iptables command, it applies to the specified "
+"table (filter is the default), so NAT rules get listed by"
msgstr ""
+"選択されたチェインにある全てのルールを一覧表示する。 チェインが指定されない場"
+"合、全てのチェインにあるリストが一覧表示される。 他の各 iptables コマンドと同"
+"様に、指定されたテーブル (デフォルトは filter) に対して作用する。 よって NAT "
+"ルールを表示するには以下のようにする。"
-#. type: TP
-#: original/man8/ip6tables.8:524 original/man8/iptables.8:512
+#. type: Plain text
+#: original/man8/iptables.8:190
#, no-wrap
-msgid "B<--comment> I<comment>"
-msgstr ""
+msgid " iptables -t nat -n -L\n"
+msgstr " iptables -t nat -n -L\n"
#. type: Plain text
-#: original/man8/ip6tables.8:529 original/man8/iptables.8:517
-msgid "iptables -A INPUT -i eth1 -m comment --comment \"my local LAN\""
-msgstr ""
-
-#. type: SS
-#: original/man8/ip6tables.8:529 original/man8/iptables.8:517
+#: original/man8/iptables.8:199
#, no-wrap
-msgid "connbytes"
-msgstr ""
+msgid " iptables -L -v\n"
+msgstr " iptables -L -v\n"
#. type: Plain text
-#: original/man8/ip6tables.8:533 original/man8/iptables.8:521
+#: original/man8/iptables.8:205
+#, fuzzy
+#| msgid ""
+#| "List all rules in the selected chain. If no chain is selected, all "
+#| "chains are listed. As every other iptables command, it applies to the "
+#| "specified table (filter is the default), so NAT rules get listed by"
msgid ""
-"Match by how many bytes or packets a connection (or one of the two flows "
-"constituting the connection) has transferred so far, or by average bytes per "
-"packet."
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:535 original/man8/iptables.8:523
-msgid "The counters are 64-bit and are thus not expected to overflow ;)"
+"Print all rules in the selected chain. If no chain is selected, all chains "
+"are printed like iptables-save. Like every other iptables command, it "
+"applies to the specified table (filter is the default)."
msgstr ""
+"選択されたチェインにある全てのルールを一覧表示する。 チェインが指定されない場"
+"合、全てのチェインにあるリストが一覧表示される。 他の各 iptables コマンドと同"
+"様に、指定されたテーブル (デフォルトは filter) に対して作用する。 よって NAT "
+"ルールを表示するには以下のようにする。"
#. type: Plain text
-#: original/man8/ip6tables.8:538 original/man8/iptables.8:526
-msgid ""
-"The primary use is to detect long-lived downloads and mark them to be "
-"scheduled using a lower priority band in traffic control."
+#: original/man8/iptables.8:248
+msgid "This option has no effect in iptables and iptables-restore."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:541 original/man8/iptables.8:529
+#: original/man8/iptables.8:254
msgid ""
-"The transferred bytes per connection can also be viewed through `conntrack -"
-"L` and accessed via ctnetlink."
+"If a rule using the B<-6> option is inserted with (and only with) iptables-"
+"restore, it will be silently ignored. Any other uses will throw an error. "
+"This option allows to put both IPv4 and IPv6 rules in a single rule file for "
+"use with both iptables-restore and ip6tables-restore."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:547 original/man8/iptables.8:535
+#: original/man8/iptables.8:265
+#, fuzzy
+#| msgid ""
+#| "The protocol of the rule or of the packet to check. The specified "
+#| "protocol can be one of I<tcp>, I<udp>, I<icmp>, or I<all>, or it can be a "
+#| "numeric value, representing one of these protocols or a different one. A "
+#| "protocol name from /etc/protocols is also allowed. A \"!\" argument "
+#| "before the protocol inverts the test. The number zero is equivalent to "
+#| "I<all>. Protocol I<all> will match with all protocols and is taken as "
+#| "default when this option is omitted."
msgid ""
-"NOTE that for connections which have no accounting information, the match "
-"will always return false. The \"net.netfilter.nf_conntrack_acct\" sysctl "
-"flag controls whether B<new> connections will be byte/packet counted. "
-"Existing connection flows will not be gaining/losing a/the accounting "
-"structure when be sysctl flag is flipped."
+"The protocol of the rule or of the packet to check. The specified protocol "
+"can be one of B<tcp>, B<udp>, B<udplite>, B<icmp>, B<esp>, B<ah>, B<sctp> or "
+"the special keyword \"B<all>\", or it can be a numeric value, representing "
+"one of these protocols or a different one. A protocol name from /etc/"
+"protocols is also allowed. A \"!\" argument before the protocol inverts the "
+"test. The number zero is equivalent to B<all>. \"B<all>\" will match with "
+"all protocols and is taken as default when this option is omitted."
msgstr ""
+"ルールで使われるプロトコル、またはチェックされるパケットのプロトコル。 指定で"
+"きるプロトコルは、 I<tcp>, I<udp>, I<icmp>, I<all> のいずれか 1 つか、数値で"
+"ある。 数値には、これらのプロトコルのどれかないし別のプロトコルを表す 数値を"
+"指定することができる。 /etc/protocols にあるプロトコル名も指定できる。 プロト"
+"コルの前に \"!\" を置くと、そのプロトコルを除外するという意味になる。 数値 0 "
+"は I<all> と等しい。 プロトコル I<all> は全てのプロトコルとマッチし、 このオ"
+"プションが省略された際のデフォルトである。"
#. type: TP
-#: original/man8/ip6tables.8:547 original/man8/iptables.8:535
-#, no-wrap
-msgid "[B<!>] B<--connbytes> I<from>[B<:>I<to>]"
-msgstr ""
+#: original/man8/iptables.8:265
+#, fuzzy, no-wrap
+#| msgid "B<-s, --source >[!] I<address>[/I<mask>]"
+msgid "[B<!>] B<-s>, B<--source> I<address>[B</>I<mask>][B<,>I<...>]"
+msgstr "B<-s, --source >[!] I<address>[/I<mask>]"
#. type: Plain text
-#: original/man8/ip6tables.8:553 original/man8/iptables.8:541
+#: original/man8/iptables.8:282
+#, fuzzy
+#| msgid ""
+#| "Source specification. I<Address> can be either a network name, a "
+#| "hostname (please note that specifying any name to be resolved with a "
+#| "remote query such as DNS is a really bad idea), a network IP address "
+#| "(with /mask), or a plain IP address. The I<mask> can be either a network "
+#| "mask or a plain number, specifying the number of 1's at the left side of "
+#| "the network mask. Thus, a mask of I<24> is equivalent to "
+#| "I<255.255.255.0>. A \"!\" argument before the address specification "
+#| "inverts the sense of the address. The flag B<--src> is an alias for this "
+#| "option."
msgid ""
-"match packets from a connection whose packets/bytes/average packet size is "
-"more than FROM and less than TO bytes/packets. if TO is omitted only FROM "
-"check is done. \"!\" is used to match packets not falling in the range."
-msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:553 original/man8/iptables.8:541
-#, no-wrap
-msgid "B<--connbytes-dir> {B<original>|B<reply>|B<both>}"
+"Source specification. I<Address> can be either a network name, a hostname, a "
+"network IP address (with B</>I<mask>), or a plain IP address. Hostnames will "
+"be resolved once only, before the rule is submitted to the kernel. Please "
+"note that specifying any name to be resolved with a remote query such as DNS "
+"is a really bad idea. The I<mask> can be either a network mask or a plain "
+"number, specifying the number of 1's at the left side of the network mask. "
+"Thus, a mask of I<24> is equivalent to I<255.255.255.0>. A \"!\" argument "
+"before the address specification inverts the sense of the address. The flag "
+"B<--src> is an alias for this option. Multiple addresses can be specified, "
+"but this will B<expand to multiple rules> (when adding with -A), or will "
+"cause multiple rules to be deleted (with -D)."
msgstr ""
+"送信元の指定。 I<address> はホスト名 (DNS のようなリモートへの問い合わせで解"
+"決する名前を指定するのは非常に良くない) ・ネットワーク IP アドレス (/mask を"
+"指定する)・ 通常の IP アドレス、のいずれかである。 I<mask> はネットワークマス"
+"クか、 ネットワークマスクの左側にある 1 の数を指定する数値である。 つまり、 "
+"I<24> という mask は I<255.255.255.0> に等しい。 アドレス指定の前に \"!\" を"
+"置くと、そのアドレスを除外するという意味になる。 フラグ B<--src> は、このオプ"
+"ションの別名である。"
-#. type: Plain text
-#: original/man8/ip6tables.8:556 original/man8/iptables.8:544
-msgid "which packets to consider"
-msgstr ""
+#. type: TP
+#: original/man8/iptables.8:282
+#, fuzzy, no-wrap
+#| msgid "B<-d, --destination >[!] I<address>[/I<mask>]"
+msgid "[B<!>] B<-d>, B<--destination> I<address>[B</>I<mask>][B<,>I<...>]"
+msgstr "B<-d, --destination >[!] I<address>[/I<mask>]"
#. type: TP
-#: original/man8/ip6tables.8:556 original/man8/iptables.8:544
-#, no-wrap
-msgid "B<--connbytes-mode> {B<packets>|B<bytes>|B<avgpkt>}"
-msgstr ""
+#: original/man8/iptables.8:328
+#, fuzzy, no-wrap
+#| msgid "B<[!] -f, --fragment>"
+msgid "[B<!>] B<-f>, B<--fragment>"
+msgstr "B<[!] -f, --fragment>"
#. type: Plain text
-#: original/man8/ip6tables.8:563 original/man8/iptables.8:551
+#: original/man8/iptables.8:336
msgid ""
-"whether to check the amount of packets, number of bytes transferred or the "
-"average size (in bytes) of all packets received so far. Note that when \"both"
-"\" is used together with \"avgpkt\", and data is going (mainly) only in one "
-"direction (for example HTTP), the average packet size will be about half of "
-"the actual data packets."
+"This means that the rule only refers to second and further fragments of "
+"fragmented packets. Since there is no way to tell the source or destination "
+"ports of such a packet (or ICMP type), such a packet will not match any "
+"rules which specify them. When the \"!\" argument precedes the \"-f\" flag, "
+"the rule will only match head fragments, or unfragmented packets."
msgstr ""
+"このオプションは、分割されたパケット (fragmented packet) のうち 2 番目以降の"
+"パケットだけを参照するルールであることを意味する。 このようなパケット (また"
+"は ICMP タイプのパケット) は 送信元・送信先ポートを知る方法がないので、 送信"
+"元や送信先を指定するようなルールにはマッチしない。 \"-f\" フラグの前に \"!\" "
+"を置くと、 分割されたパケットのうち最初のものか、 分割されていないパケットだ"
+"けにマッチする。"
+
+#. type: SH
+#: original/man8/iptables.8:374
+#, fuzzy, no-wrap
+#| msgid "TARGET EXTENSIONS"
+msgid "MATCH AND TARGET EXTENSIONS"
+msgstr "ターゲットの拡張"
#. type: Plain text
-#: original/man8/ip6tables.8:566 original/man8/iptables.8:554
+#: original/man8/iptables.8:386
msgid ""
-"iptables .. -m connbytes --connbytes 10000:100000 --connbytes-dir both --"
-"connbytes-mode bytes ..."
+"Bugs? What's this? ;-) Well, you might want to have a look at http://"
+"bugzilla.netfilter.org/"
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:566 original/man8/iptables.8:554
-#, fuzzy, no-wrap
-#| msgid "limit"
-msgid "connlimit"
-msgstr "limit"
-
#. type: Plain text
-#: original/man8/ip6tables.8:569 original/man8/iptables.8:557
+#: original/man8/iptables.8:395
msgid ""
-"Allows you to restrict the number of parallel connections to a server per "
-"client IP address (or client address block)."
+"This B<iptables> is very similar to ipchains by Rusty Russell. The main "
+"difference is that the chains B<INPUT> and B<OUTPUT> are only traversed for "
+"packets coming into the local host and originating from the local host "
+"respectively. Hence every packet only passes through one of the three "
+"chains (except loopback traffic, which involves both INPUT and OUTPUT "
+"chains); previously a forwarded packet would pass through all three."
msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:569 original/man8/iptables.8:557
-#, fuzzy, no-wrap
-#| msgid "B<--limit-burst >I<number>"
-msgid "B<--connlimit-upto> I<n>"
-msgstr "B<--limit-burst >I<number>"
+"B<iptables> は、Rusty Russell の ipchains と非常によく似ている。 大きな違い"
+"は、チェイン B<INPUT> と B<OUTPUT> が、それぞれローカルホストに入ってくるパ"
+"ケットと、 ローカルホストから出されるパケットのみしか調べないという点であ"
+"る。 よって、(INPUT と OUTPUT の両方のチェインを起動する ループバックトラ"
+"フィックを除く) 全てのパケットは 3 つあるチェインのうち 1 しか通らない。 以"
+"前は (ipchains では)、 フォワードされるパケットは 3 つのチェイン全てを通って"
+"いた。"
#. type: Plain text
-#: original/man8/ip6tables.8:572 original/man8/iptables.8:560
-msgid "Match if the number of existing connections is below or equal I<n>."
+#: original/man8/iptables.8:399
+msgid ""
+"The other main difference is that B<-i> refers to the input interface; B<-o> "
+"refers to the output interface, and both are available for packets entering "
+"the B<FORWARD> chain."
msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:572 original/man8/iptables.8:560
-#, fuzzy, no-wrap
-#| msgid "B<--limit-burst >I<number>"
-msgid "B<--connlimit-above> I<n>"
-msgstr "B<--limit-burst >I<number>"
+"その他の大きな違いは、 B<-i> で入力インターフェース、 B<-o> で出力インター"
+"フェースを参照すること、 そしてともに B<FORWARD> チェインに入るパケットに対し"
+"て指定可能な点である。"
#. type: Plain text
-#: original/man8/ip6tables.8:575 original/man8/iptables.8:563
-msgid "Match if the number of existing connections is above I<n>."
+#: original/man8/iptables.8:405
+msgid ""
+"The various forms of NAT have been separated out; B<iptables> is a pure "
+"packet filter when using the default `filter' table, with optional extension "
+"modules. This should simplify much of the previous confusion over the "
+"combination of IP masquerading and packet filtering seen previously. So the "
+"following options are handled differently:"
msgstr ""
+"NAT のいろいろな形式が分割された。 オプションの拡張モジュールとともに デフォ"
+"ルトの「フィルタ」テーブルを用いた場合、 B<iptables> は純粋なパケットフィルタ"
+"となる。 これは、以前みられた IP マスカレーディングとパケットフィルタリング"
+"の 組合せによる混乱を簡略化する。 よって、オプション"
-#. type: TP
-#: original/man8/ip6tables.8:575 original/man8/iptables.8:563
+#. type: Plain text
+#: original/man8/iptables.8:409
#, no-wrap
-msgid "B<--connlimit-mask> I<prefix_length>"
+msgid ""
+" -j MASQ\n"
+" -M -S\n"
+" -M -L\n"
msgstr ""
+" -j MASQ\n"
+" -M -S\n"
+" -M -L\n"
#. type: Plain text
-#: original/man8/ip6tables.8:580 original/man8/iptables.8:568
-msgid ""
-"Group hosts using the prefix length. For IPv4, this must be a number between "
-"(including) 0 and 32. For IPv6, between 0 and 128. If not specified, the "
-"maximum prefix length for the applicable protocol is used."
+#: original/man8/iptables.8:411
+msgid "There are several other changes in iptables."
msgstr ""
+"は別のものとして扱われる。 iptables では、その他にもいくつかの変更がある。"
-#. type: TP
-#: original/man8/ip6tables.8:580 original/man8/iptables.8:568
-#, no-wrap
-msgid "B<--connlimit-saddr>"
+#. type: Plain text
+#: original/man8/iptables.8:420
+#, fuzzy
+#| msgid ""
+#| "B<iptables-save>(8), B<iptables-restore>(8), B<ip6tables>(8), B<ip6tables-"
+#| "save>(8), B<ip6tables-restore>(8)."
+msgid ""
+"B<iptables-apply>(8), B<iptables-save>(8), B<iptables-restore>(8), "
+"B<iptables-extensions>(8), B<ip6tables>(8), B<ip6tables-save>(8), "
+"B<ip6tables-restore>(8), B<libipq>(3)."
msgstr ""
+"B<iptables-save>(8), B<iptables-restore>(8), B<ip6tables>(8), B<ip6tables-"
+"save>(8), B<ip6tables-restore>(8)."
#. type: Plain text
-#: original/man8/ip6tables.8:584 original/man8/iptables.8:572
+#: original/man8/iptables.8:426
msgid ""
-"Apply the limit onto the source group. This is the default if --connlimit-"
-"daddr is not specified."
+"The packet-filtering-HOWTO details iptables usage for packet filtering, the "
+"NAT-HOWTO details NAT, the netfilter-extensions-HOWTO details the extensions "
+"that are not in the standard distribution, and the netfilter-hacking-HOWTO "
+"details the netfilter internals."
msgstr ""
+"パケットフィルタリングについての詳細な iptables の使用法を\n"
+"説明している packet-filtering-HOWTO。\n"
+"NAT について詳細に説明している NAT-HOWTO。\n"
+"標準的な配布には含まれない拡張の詳細を 説明している \n"
+"netfilter-extensions-HOWTO。\n"
+"内部構造について詳細に説明している netfilter-hacking-HOWTO。"
-#. type: TP
-#: original/man8/ip6tables.8:584 original/man8/iptables.8:572
-#, no-wrap
-msgid "B<--connlimit-daddr>"
+#. type: Plain text
+#: original/man8/iptables.8:432
+#, fuzzy
+#| msgid ""
+#| "Rusty Russell wrote iptables, in early consultation with Michael Neuling."
+msgid ""
+"Rusty Russell originally wrote iptables, in early consultation with Michael "
+"Neuling."
msgstr ""
+"Rusty Russell は、初期の段階で Michael Neuling に相談して iptables を書いた。"
#. type: Plain text
-#: original/man8/ip6tables.8:587 original/man8/iptables.8:575
-msgid "Apply the limit onto the destination group."
+#: original/man8/iptables.8:442
+#, fuzzy
+#| msgid ""
+#| "Harald Welte wrote the ULOG target, TTL, DSCP, ECN matches and targets."
+msgid ""
+"Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, as well as "
+"the TTL, DSCP, ECN matches and targets."
msgstr ""
+"Harald Welte が ULOG ターゲットと、 TTL, DSCP, ECN のマッチ・ターゲットを書い"
+"た。"
+#. .. and did I mention that we are incredibly cool people?
+#. .. sexy, too ..
+#. .. witty, charming, powerful ..
+#. .. and most of all, modest ..
#. type: Plain text
-#: original/man8/ip6tables.8:589 original/man8/ip6tables.8:852
-#: original/man8/ip6tables.8:1390 original/man8/ip6tables.8:1514
-#: original/man8/iptables.8:577 original/man8/iptables.8:800
-#: original/man8/iptables.8:1317 original/man8/iptables.8:1421
-msgid "Examples:"
-msgstr ""
+#: original/man8/iptables.8:452
+#, fuzzy
+#| msgid "Man page written by Herve Eychenne E<lt>rv@wallfire.orgE<gt>."
+msgid ""
+"Man page originally written by Herve Eychenne E<lt>rv@wallfire.orgE<gt>."
+msgstr "man ページは Herve Eychenne E<lt>rv@wallfire.orgE<gt> が書いた。"
-#. type: TP
-#: original/man8/ip6tables.8:589 original/man8/iptables.8:577
-#, no-wrap
-msgid "# allow 2 telnet connections per client host"
+#. type: Plain text
+#: original/man8/iptables.8:454
+msgid "This manual page applies to iptables 1.4.18."
msgstr ""
+#. type: TH
+#: original/man8/iptables-extensions.8:1
+#, fuzzy, no-wrap
+#| msgid " iptables -m tos -h\n"
+msgid "iptables-extensions"
+msgstr " iptables -m tos -h\n"
+
#. type: Plain text
-#: original/man8/ip6tables.8:592 original/man8/iptables.8:580
+#: original/man8/iptables-extensions.8:4
+#, fuzzy
+#| msgid ""
+#| "iptables can use extended target modules: the following are included in "
+#| "the standard distribution."
msgid ""
-"iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -"
-"j REJECT"
+"iptables-extensions \\(em list of extensions in the standard iptables "
+"distribution"
msgstr ""
+"iptables は拡張ターゲットモジュールを使うことができる: 以下のものが、標準的な"
+"ディストリビューションに含まれている。"
-#. type: TP
-#: original/man8/ip6tables.8:592 original/man8/iptables.8:580
-#, no-wrap
-msgid "# you can also match the other way around:"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:7
+#, fuzzy
+#| msgid "B<ip6tables [-t table] -P >chain target [options]"
+msgid ""
+"B<ip6tables> [B<-m> I<name> [I<module-options>...]] [B<-j> I<target-name> "
+"[I<target-options>...]"
+msgstr "B<ip6tables [-t テーブル] -P >チェイン ターゲット [オプション]"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:10
+#, fuzzy
+#| msgid "B<ip6tables [-t table] -P >chain target [options]"
+msgid ""
+"B<iptables> [B<-m> I<name> [I<module-options>...]] [B<-j> I<target-name> "
+"[I<target-options>...]"
+msgstr "B<ip6tables [-t テーブル] -P >チェイン ターゲット [オプション]"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:20
+#, fuzzy
+#| msgid ""
+#| "iptables can use extended packet matching modules. These are loaded in "
+#| "two ways: implicitly, when B<-p> or B<--protocol> is specified, or with "
+#| "the B<-m> or B<--match> options, followed by the matching module name; "
+#| "after these, various extra command line options become available, "
+#| "depending on the specific module. You can specify multiple extended "
+#| "match modules in one line, and you can use the B<-h> or B<--help> options "
+#| "after the module has been specified to receive help specific to that "
+#| "module."
+msgid ""
+"iptables can use extended packet matching modules with the B<-m> or B<--"
+"match> options, followed by the matching module name; after these, various "
+"extra command line options become available, depending on the specific "
+"module. You can specify multiple extended match modules in one line, and "
+"you can use the B<-h> or B<--help> options after the module has been "
+"specified to receive help specific to that module. The extended match "
+"modules are evaluated in the order they are specified in the rule."
msgstr ""
+"iptables は拡張されたパケットマッチングモジュールを使うことができる。 これら"
+"のモジュールは 2 種類の方法でロードされる: モジュールは、 B<-p> または B<--"
+"protocol> で暗黙のうちに指定されるか、 B<-m> または B<--match> の後にモジュー"
+"ル名を続けて指定される。 これらのモジュールの後ろには、モジュールに応じて 他"
+"のいろいろなコマンドラインオプションを指定することができる。 複数の拡張マッチ"
+"ングモジュールを一行で指定することができる。 また、モジュールに特有のヘルプを"
+"表示させるためには、 モジュールを指定した後で B<-h> または B<--help> を指定す"
+"ればよい。"
+#. @MATCH@
#. type: Plain text
-#: original/man8/ip6tables.8:595 original/man8/iptables.8:583
+#: original/man8/iptables-extensions.8:25
msgid ""
-"iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-upto 2 -j "
-"ACCEPT"
+"If the B<-p> or B<--protocol> was specified and if and only if an unknown "
+"option is encountered, iptables will try load a match module of the same "
+"name as the protocol, to try making the option available."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:595 original/man8/iptables.8:583
+#. type: SS
+#: original/man8/iptables-extensions.8:25
#, no-wrap
-msgid "# limit the number of parallel HTTP requests to 16 per class C sized source network (24 bit netmask)"
+msgid "addrtype"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:600 original/man8/iptables.8:588
+#: original/man8/iptables-extensions.8:30
msgid ""
-"iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --"
-"connlimit-mask 24 -j REJECT"
+"This module matches packets based on their B<address type.> Address types "
+"are used within the kernel networking stack and categorize addresses into "
+"various groups. The exact definition of that group depends on the specific "
+"layer three protocol."
msgstr ""
+#. type: Plain text
+#: original/man8/iptables-extensions.8:32
+#, fuzzy
+#| msgid "The following additional options can be specified:"
+msgid "The following address types are possible:"
+msgstr "その他に以下のオプションを指定することができる:"
+
#. type: TP
-#: original/man8/ip6tables.8:600 original/man8/iptables.8:588
+#: original/man8/iptables-extensions.8:32
#, no-wrap
-msgid "# limit the number of parallel HTTP requests to 16 for the link local network"
+msgid "B<UNSPEC>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:605 original/man8/iptables.8:593
-msgid ""
-"(ipv6) ip6tables -p tcp --syn --dport 80 -s fe80::/64 -m connlimit --"
-"connlimit-above 16 --connlimit-mask 64 -j REJECT"
+#: original/man8/iptables-extensions.8:35
+msgid "an unspecified address (i.e. 0.0.0.0)"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:605 original/man8/iptables.8:593
+#: original/man8/iptables-extensions.8:35
#, no-wrap
-msgid "# Limit the number of connections to a particular host:"
+msgid "B<UNICAST>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:609 original/man8/iptables.8:597
-msgid ""
-"ip6tables -p tcp --syn --dport 49152:65535 -d 2001:db8::1 -m connlimit --"
-"connlimit-above 100 -j REJECT"
+#: original/man8/iptables-extensions.8:38
+msgid "an unicast address"
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:609 original/man8/iptables.8:597
-#, fuzzy, no-wrap
-#| msgid "conntrack"
-msgid "connmark"
-msgstr "conntrack"
+#. type: TP
+#: original/man8/iptables-extensions.8:38
+#, no-wrap
+msgid "B<LOCAL>"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:612 original/man8/iptables.8:600
-#, fuzzy
-#| msgid ""
-#| "This module matches the netfilter mark field associated with a packet "
-#| "(which can be set using the B<MARK> target below)."
-msgid ""
-"This module matches the netfilter mark field associated with a connection "
-"(which can be set using the B<CONNMARK> target below)."
+#: original/man8/iptables-extensions.8:41
+msgid "a local address"
msgstr ""
-"このモジュールはパケットに関連づけられた netfilter の mark フィールドにマッチ"
-"する (このフィールドは、以下の B<MARK> ターゲットで設定される)。"
#. type: TP
-#: original/man8/ip6tables.8:612 original/man8/ip6tables.8:1023
-#: original/man8/iptables.8:600 original/man8/iptables.8:909
-#, fuzzy, no-wrap
-#| msgid "B<--mark >I<value>[/I<mask>]"
-msgid "[B<!>] B<--mark> I<value>[B</>I<mask>]"
-msgstr "B<--mark >I<value>[/I<mask>]"
+#: original/man8/iptables-extensions.8:41
+#, no-wrap
+msgid "B<BROADCAST>"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:616 original/man8/iptables.8:604
-#, fuzzy
-#| msgid ""
-#| "Matches packets with the given unsigned mark value (if a mask is "
-#| "specified, this is logically ANDed with the mask before the comparison)."
-msgid ""
-"Matches packets in connections with the given mark value (if a mask is "
-"specified, this is logically ANDed with the mark before the comparison)."
+#: original/man8/iptables-extensions.8:44
+msgid "a broadcast address"
msgstr ""
-"指定された符号なし mark 値のパケットにマッチする (mask が指定されると、比較の"
-"前に mask との論理積 (AND) がとられる)。"
-#. type: SS
-#: original/man8/ip6tables.8:616 original/man8/iptables.8:604
+#. type: TP
+#: original/man8/iptables-extensions.8:44
#, no-wrap
-msgid "conntrack"
-msgstr "conntrack"
+msgid "B<ANYCAST>"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:619 original/man8/iptables.8:607
-#, fuzzy
-#| msgid ""
-#| "This module, when combined with connection tracking, allows access to the "
-#| "connection tracking state for this packet."
-msgid ""
-"This module, when combined with connection tracking, allows access to the "
-"connection tracking state for this packet/connection."
+#: original/man8/iptables-extensions.8:47
+msgid "an anycast packet"
msgstr ""
-"このモジュールは、接続追跡 (connection tracking) と組み合わせて用いると、 パ"
-"ケットについての接続追跡状態を知ることができる。"
#. type: TP
-#: original/man8/ip6tables.8:619 original/man8/iptables.8:607
-#, fuzzy, no-wrap
-#| msgid "B<--ctstate >I<state>"
-msgid "[B<!>] B<--ctstate> I<statelist>"
-msgstr "B<--ctstate >I<state>"
+#: original/man8/iptables-extensions.8:47
+#, no-wrap
+msgid "B<MULTICAST>"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:623 original/man8/iptables.8:611
-msgid ""
-"I<statelist> is a comma separated list of the connection states to match. "
-"Possible states are listed below."
+#: original/man8/iptables-extensions.8:50
+msgid "a multicast address"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:623 original/man8/iptables.8:611
-#, fuzzy, no-wrap
-#| msgid "B<--ctproto >I<proto>"
-msgid "[B<!>] B<--ctproto> I<l4proto>"
-msgstr "B<--ctproto >I<proto>"
+#: original/man8/iptables-extensions.8:50
+#, no-wrap
+msgid "B<BLACKHOLE>"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:626 original/man8/iptables.8:614
-#, fuzzy
-#| msgid "Protocol to match (by number or name)"
-msgid "Layer-4 protocol to match (by number or name)"
-msgstr "(名前または数値で) 指定されたプロトコルにマッチする。"
+#: original/man8/iptables-extensions.8:53
+msgid "a blackhole address"
+msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:626 original/man8/iptables.8:614
-#, fuzzy, no-wrap
-#| msgid "B<--ctorigsrc >I<[!] address[/mask]>"
-msgid "[B<!>] B<--ctorigsrc> I<address>[B</>I<mask>]"
-msgstr "B<--ctorigsrc >I<[!] address[/mask]>"
+#: original/man8/iptables-extensions.8:53
+#, no-wrap
+msgid "B<UNREACHABLE>"
+msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:628 original/man8/iptables.8:616
-#, fuzzy, no-wrap
-#| msgid "B<--ctorigdst >I<[!] address[/mask]>"
-msgid "[B<!>] B<--ctorigdst> I<address>[B</>I<mask>]"
-msgstr "B<--ctorigdst >I<[!] address[/mask]>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:56
+msgid "an unreachable address"
+msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:630 original/man8/iptables.8:618
-#, fuzzy, no-wrap
-#| msgid "B<--ctrepldst >I<[!] address>B<[/>I<mask>B<]>"
-msgid "[B<!>] B<--ctreplsrc> I<address>[B</>I<mask>]"
-msgstr "B<--ctrepldst >I<[!] address>B<[/>I<mask>B<]>"
+#: original/man8/iptables-extensions.8:56
+#, no-wrap
+msgid "B<PROHIBIT>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:59
+msgid "a prohibited address"
+msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:632 original/man8/iptables.8:620
-#, fuzzy, no-wrap
-#| msgid "B<--ctrepldst >I<[!] address>B<[/>I<mask>B<]>"
-msgid "[B<!>] B<--ctrepldst> I<address>[B</>I<mask>]"
-msgstr "B<--ctrepldst >I<[!] address>B<[/>I<mask>B<]>"
+#: original/man8/iptables-extensions.8:59
+#, no-wrap
+msgid "B<THROW>"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:635 original/man8/iptables.8:623
-#, fuzzy
-#| msgid "Match against original destination address"
-msgid "Match against original/reply source/destination address"
-msgstr "書き換え前の宛先アドレスにマッチする。"
+#: original/man8/iptables-extensions.8:62
+#: original/man8/iptables-extensions.8:65
+msgid "FIXME"
+msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:635 original/man8/iptables.8:623
-#, fuzzy, no-wrap
-#| msgid "B<--source-port >[!] I<port>[:I<port>]"
-msgid "[B<!>] B<--ctorigsrcport> I<port>[B<:>I<port>]"
-msgstr "B<--source-port >[!] I<port>[:I<port>]"
+#: original/man8/iptables-extensions.8:62
+#, no-wrap
+msgid "B<NAT>"
+msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:637 original/man8/iptables.8:625
-#, fuzzy, no-wrap
-#| msgid "B<--to-ports >I<port>[-I<port>]"
-msgid "[B<!>] B<--ctorigdstport> I<port>[B<:>I<port>]"
-msgstr "B<--to-ports >I<port>[-I<port>]"
+#: original/man8/iptables-extensions.8:65
+#, no-wrap
+msgid "B<XRESOLVE>"
+msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:639 original/man8/iptables.8:627
+#: original/man8/iptables-extensions.8:67
#, fuzzy, no-wrap
-#| msgid "B<--source-port >[!] I<port>[:I<port>]"
-msgid "[B<!>] B<--ctreplsrcport> I<port>[B<:>I<port>]"
-msgstr "B<--source-port >[!] I<port>[:I<port>]"
+#| msgid "B<--icmp-type >[!] I<typename>"
+msgid "[B<!>] B<--src-type> I<type>"
+msgstr "B<--icmp-type >[!] I<typename>"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:70
+#, fuzzy
+#| msgid ""
+#| "Matches if the packet was created by a process with the given process id."
+msgid "Matches if the source address is of given type"
+msgstr ""
+"指定されたプロセス ID のプロセスにより パケットが生成されている場合にマッチす"
+"る。"
#. type: TP
-#: original/man8/ip6tables.8:641 original/man8/iptables.8:629
+#: original/man8/iptables-extensions.8:70
#, fuzzy, no-wrap
-#| msgid "B<--source-port >[!] I<port>[:I<port>]"
-msgid "[B<!>] B<--ctrepldstport> I<port>[B<:>I<port>]"
-msgstr "B<--source-port >[!] I<port>[:I<port>]"
+#| msgid "B<--icmp-type >[!] I<typename>"
+msgid "[B<!>] B<--dst-type> I<type>"
+msgstr "B<--icmp-type >[!] I<typename>"
#. type: Plain text
-#: original/man8/ip6tables.8:645 original/man8/iptables.8:633
-msgid ""
-"Match against original/reply source/destination port (TCP/UDP/etc.) or GRE "
-"key. Matching against port ranges is only supported in kernel versions "
-"above 2.6.38."
-msgstr ""
+#: original/man8/iptables-extensions.8:73
+#, fuzzy
+#| msgid "Match against reply destination address"
+msgid "Matches if the destination address is of given type"
+msgstr "応答の宛先アドレスにマッチする。"
#. type: TP
-#: original/man8/ip6tables.8:645 original/man8/iptables.8:633
+#: original/man8/iptables-extensions.8:73
#, fuzzy, no-wrap
-#| msgid "B<--ctstate >I<state>"
-msgid "[B<!>] B<--ctstatus> I<statelist>"
-msgstr "B<--ctstate >I<state>"
+#| msgid "B<--limit >I<rate>"
+msgid "B<--limit-iface-in>"
+msgstr "B<--limit >I<rate>"
#. type: Plain text
-#: original/man8/ip6tables.8:649 original/man8/iptables.8:637
+#: original/man8/iptables-extensions.8:84
msgid ""
-"I<statuslist> is a comma separated list of the connection statuses to "
-"match. Possible statuses are listed below."
+"The address type checking can be limited to the interface the packet is "
+"coming in. This option is only valid in the B<PREROUTING>, B<INPUT> and "
+"B<FORWARD> chains. It cannot be specified with the B<--limit-iface-out> "
+"option."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:649 original/man8/iptables.8:637
+#: original/man8/iptables-extensions.8:84
#, fuzzy, no-wrap
-#| msgid "B<--ctexpire >I<time[:time]>"
-msgid "[B<!>] B<--ctexpire> I<time>[B<:>I<time>]"
-msgstr "B<--ctexpire >I<time[:time]>"
+#| msgid "B<--limit >I<rate>"
+msgid "B<--limit-iface-out>"
+msgstr "B<--limit >I<rate>"
#. type: Plain text
-#: original/man8/ip6tables.8:653 original/man8/iptables.8:641
+#: original/man8/iptables-extensions.8:95
msgid ""
-"Match remaining lifetime in seconds against given value or range of values "
-"(inclusive)"
-msgstr "有効期間の残り秒数、またはその範囲(両端を含む)にマッチする。"
+"The address type checking can be limited to the interface the packet is "
+"going out. This option is only valid in the B<POSTROUTING>, B<OUTPUT> and "
+"B<FORWARD> chains. It cannot be specified with the B<--limit-iface-in> "
+"option."
+msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:653 original/man8/iptables.8:641
+#. type: SS
+#: original/man8/iptables-extensions.8:95
#, no-wrap
-msgid "B<--ctdir> {B<ORIGINAL>|B<REPLY>}"
+msgid "ah (IPv6-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:657 original/man8/iptables.8:645
+#: original/man8/iptables-extensions.8:97
+#, fuzzy
+#| msgid "This module matches the SPIs in AH header of IPSec packets."
msgid ""
-"Match packets that are flowing in the specified direction. If this flag is "
-"not specified at all, matches packets in both directions."
-msgstr ""
+"This module matches the parameters in Authentication header of IPsec packets."
+msgstr "このモジュールは IPSec パケットの AH ヘッダーの SPI 値にマッチする。"
+
+#. type: TP
+#: original/man8/iptables-extensions.8:97
+#: original/man8/iptables-extensions.8:108
+#, fuzzy, no-wrap
+#| msgid "B<--ahspi >[!] I<spi>[:I<spi>]"
+msgid "[B<!>] B<--ahspi> I<spi>[B<:>I<spi>]"
+msgstr "B<--ahspi >[!] I<spi>[:I<spi>]"
#. type: Plain text
-#: original/man8/ip6tables.8:659 original/man8/iptables.8:647
-msgid "States for B<--ctstate>:"
+#: original/man8/iptables-extensions.8:100
+msgid "Matches SPI."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:659 original/man8/iptables.8:647
-#, no-wrap
-msgid "B<INVALID>"
-msgstr ""
+#: original/man8/iptables-extensions.8:100
+#, fuzzy, no-wrap
+#| msgid "B<-t>, B<--table> B<tablename>"
+msgid "[B<!>] B<--ahlen> I<length>"
+msgstr "B<-t>, B<--table> B<tablename>"
#. type: Plain text
-#: original/man8/ip6tables.8:662 original/man8/iptables.8:650
-msgid "meaning that the packet is associated with no known connection"
+#: original/man8/iptables-extensions.8:103
+#: original/man8/iptables-extensions.8:407
+#: original/man8/iptables-extensions.8:540
+msgid "Total length of this header in octets."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:662 original/man8/iptables.8:650
+#: original/man8/iptables-extensions.8:103
#, no-wrap
-msgid "B<NEW>"
+msgid "B<--ahres>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:666 original/man8/iptables.8:654
-msgid ""
-"meaning that the packet has started a new connection, or otherwise "
-"associated with a connection which has not seen packets in both directions, "
-"and"
+#: original/man8/iptables-extensions.8:106
+msgid "Matches if the reserved field is filled with zero."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:666 original/man8/iptables.8:654
+#. type: SS
+#: original/man8/iptables-extensions.8:106
#, no-wrap
-msgid "B<ESTABLISHED>"
+msgid "ah (IPv4-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:670 original/man8/iptables.8:658
-msgid ""
-"meaning that the packet is associated with a connection which has seen "
-"packets in both directions,"
-msgstr ""
+#: original/man8/iptables-extensions.8:108
+#, fuzzy
+#| msgid "This module matches the SPIs in AH header of IPSec packets."
+msgid "This module matches the SPIs in Authentication header of IPsec packets."
+msgstr "このモジュールは IPSec パケットの AH ヘッダーの SPI 値にマッチする。"
-#. type: TP
-#: original/man8/ip6tables.8:670 original/man8/iptables.8:658
+#. type: SS
+#: original/man8/iptables-extensions.8:110
#, no-wrap
-msgid "B<RELATED>"
+msgid "cluster"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:113
+msgid ""
+"Allows you to deploy gateway and back-end load-sharing clusters without the "
+"need of load-balancers."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:674 original/man8/iptables.8:662
+#: original/man8/iptables-extensions.8:116
msgid ""
-"meaning that the packet is starting a new connection, but is associated with "
-"an existing connection, such as an FTP data transfer, or an ICMP error."
+"This match requires that all the nodes see the same packets. Thus, the "
+"cluster match decides if this node has to handle a packet given the "
+"following options:"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:674 original/man8/iptables.8:662
+#: original/man8/iptables-extensions.8:116
#, no-wrap
-msgid "B<UNTRACKED>"
+msgid "B<--cluster-total-nodes> I<num>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:678 original/man8/iptables.8:666
-msgid ""
-"meaning that the packet is not tracked at all, which happens if you use the "
-"NOTRACK target in raw table."
+#: original/man8/iptables-extensions.8:119
+msgid "Set number of total nodes in cluster."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:678 original/man8/iptables.8:666
+#: original/man8/iptables-extensions.8:119
#, fuzzy, no-wrap
-#| msgid "SNAT"
-msgid "B<SNAT>"
-msgstr "SNAT"
+#| msgid "B<-t>, B<--table> B<tablename>"
+msgid "[B<!>] B<--cluster-local-node> I<num>"
+msgstr "B<-t>, B<--table> B<tablename>"
#. type: Plain text
-#: original/man8/ip6tables.8:682 original/man8/iptables.8:670
-msgid ""
-"A virtual state, matching if the original source address differs from the "
-"reply destination."
+#: original/man8/iptables-extensions.8:122
+msgid "Set the local node number ID."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:682 original/man8/iptables.8:670
-#, fuzzy, no-wrap
-#| msgid "DNAT"
-msgid "B<DNAT>"
-msgstr "DNAT"
+#: original/man8/iptables-extensions.8:122
+#, no-wrap
+msgid "[B<!>] B<--cluster-local-nodemask> I<mask>"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:686 original/man8/iptables.8:674
+#: original/man8/iptables-extensions.8:126
msgid ""
-"A virtual state, matching if the original destination differs from the reply "
-"source."
+"Set the local node number ID mask. You can use this option instead of B<--"
+"cluster-local-node>."
msgstr ""
+#. type: TP
+#: original/man8/iptables-extensions.8:126
+#, fuzzy, no-wrap
+#| msgid "B<--set-mss >I<value>"
+msgid "B<--cluster-hash-seed> I<value>"
+msgstr "B<--set-mss >I<value>"
+
#. type: Plain text
-#: original/man8/ip6tables.8:688 original/man8/iptables.8:676
-msgid "Statuses for B<--ctstatus>:"
+#: original/man8/iptables-extensions.8:129
+msgid "Set seed value of the Jenkins hash."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:688 original/man8/iptables.8:676
+#: original/man8/iptables-extensions.8:131
+#: original/man8/iptables-extensions.8:177
+#: original/man8/iptables-extensions.8:214
+#: original/man8/iptables-extensions.8:362
+#: original/man8/iptables-extensions.8:1588
+#: original/man8/iptables-extensions.8:1636
+#: original/man8/iptables-extensions.8:1685
+#: original/man8/iptables-extensions.8:2016
#, no-wrap
-msgid "B<NONE>"
+msgid "Example:"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:691 original/man8/iptables.8:679
-msgid "None of the below."
+#: original/man8/iptables-extensions.8:136
+msgid ""
+"iptables -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 2 "
+"--cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark "
+"0xffff"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:691 original/man8/iptables.8:679
-#, no-wrap
-msgid "B<EXPECTED>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:141
+msgid ""
+"iptables -A PREROUTING -t mangle -i eth2 -m cluster --cluster-total-nodes 2 "
+"--cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark "
+"0xffff"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:694 original/man8/iptables.8:682
-msgid "This is an expected connection (i.e. a conntrack helper set it up)"
+#: original/man8/iptables-extensions.8:144
+msgid ""
+"iptables -A PREROUTING -t mangle -i eth1 -m mark ! --mark 0xffff -j DROP"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:694 original/man8/iptables.8:682
-#, no-wrap
-msgid "B<SEEN_REPLY>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:147
+msgid ""
+"iptables -A PREROUTING -t mangle -i eth2 -m mark ! --mark 0xffff -j DROP"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:697 original/man8/iptables.8:685
-msgid "Conntrack has seen packets in both directions."
+#: original/man8/iptables-extensions.8:149
+msgid "And the following commands to make all nodes see the same packets:"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:697 original/man8/iptables.8:685
-#, no-wrap
-msgid "B<ASSURED>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:151
+msgid "ip maddr add 01:00:5e:00:01:01 dev eth1"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:700 original/man8/iptables.8:688
-msgid "Conntrack entry should never be early-expired."
+#: original/man8/iptables-extensions.8:153
+msgid "ip maddr add 01:00:5e:00:01:02 dev eth2"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:700 original/man8/iptables.8:688
-#, no-wrap
-msgid "B<CONFIRMED>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:156
+msgid ""
+"arptables -A OUTPUT -o eth1 --h-length 6 -j mangle --mangle-mac-s "
+"01:00:5e:00:01:01"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:703 original/man8/iptables.8:691
-msgid "Connection is confirmed: originating packet has left box."
+#: original/man8/iptables-extensions.8:160
+msgid ""
+"arptables -A INPUT -i eth1 --h-length 6 --destination-mac 01:00:5e:00:01:01 -"
+"j mangle --mangle-mac-d 00:zz:yy:xx:5a:27"
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:703 original/man8/iptables.8:691
-#, fuzzy, no-wrap
-#| msgid "tcp"
-msgid "cpu"
-msgstr "tcp"
-
-#. type: TP
-#: original/man8/ip6tables.8:704 original/man8/iptables.8:692
-#, fuzzy, no-wrap
-#| msgid "B<-t>, B<--table> B<tablename>"
-msgid "[B<!>] B<--cpu> I<number>"
-msgstr "B<-t>, B<--table> B<tablename>"
-
#. type: Plain text
-#: original/man8/ip6tables.8:709 original/man8/iptables.8:697
+#: original/man8/iptables-extensions.8:163
msgid ""
-"Match cpu handling this packet. cpus are numbered from 0 to NR_CPUS-1 Can be "
-"used in combination with RPS (Remote Packet Steering) or multiqueue NICs to "
-"spread network traffic on different queues."
+"arptables -A OUTPUT -o eth2 --h-length 6 -j mangle --mangle-mac-s "
+"01:00:5e:00:01:02"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:714 original/man8/iptables.8:702
+#: original/man8/iptables-extensions.8:167
msgid ""
-"iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 0 -j REDIRECT --"
-"to-port 8080"
+"arptables -A INPUT -i eth2 --h-length 6 --destination-mac 01:00:5e:00:01:02 -"
+"j mangle --mangle-mac-d 00:zz:yy:xx:5a:27"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:717 original/man8/iptables.8:705
+#: original/man8/iptables-extensions.8:171
msgid ""
-"iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 1 -j REDIRECT --"
-"to-port 8081"
+"In the case of TCP connections, pickup facility has to be disabled to avoid "
+"marking TCP ACK packets coming in the reply direction as valid."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:719 original/man8/iptables.8:707
-msgid "Available since Linux 2.6.36."
+#: original/man8/iptables-extensions.8:173
+msgid "echo 0 E<gt> /proc/sys/net/netfilter/nf_conntrack_tcp_loose"
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:719 original/man8/iptables.8:707
+#: original/man8/iptables-extensions.8:173
#, no-wrap
-msgid "dccp"
+msgid "comment"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:720 original/man8/ip6tables.8:1492
-#: original/man8/ip6tables.8:1626 original/man8/ip6tables.8:1906
-#: original/man8/iptables.8:708 original/man8/iptables.8:1399
-#: original/man8/iptables.8:1533 original/man8/iptables.8:1824
-#, fuzzy, no-wrap
-#| msgid "B<--source-ports >I<port>[,I<port>[,I<port>...]]"
-msgid "[B<!>] B<--source-port>,B<--sport> I<port>[B<:>I<port>]"
-msgstr "B<--source-ports >I<port>[,I<port>[,I<port>...]]"
-
-#. type: TP
-#: original/man8/ip6tables.8:722 original/man8/ip6tables.8:1494
-#: original/man8/ip6tables.8:1637 original/man8/ip6tables.8:1912
-#: original/man8/iptables.8:710 original/man8/iptables.8:1401
-#: original/man8/iptables.8:1544 original/man8/iptables.8:1830
-#, fuzzy, no-wrap
-#| msgid "B<--destination-ports >I<port>[,I<port>[,I<port>...]]"
-msgid "[B<!>] B<--destination-port>,B<--dport> I<port>[B<:>I<port>]"
-msgstr "B<--destination-ports >I<port>[,I<port>[,I<port>...]]"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:175
+msgid "Allows you to add comments (up to 256 characters) to any rule."
+msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:724 original/man8/iptables.8:712
+#: original/man8/iptables-extensions.8:175
#, no-wrap
-msgid "[B<!>] B<--dccp-types> I<mask>"
+msgid "B<--comment> I<comment>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:729 original/man8/iptables.8:717
-msgid ""
-"Match when the DCCP packet type is one of 'mask'. 'mask' is a comma-"
-"separated list of packet types. Packet types are: B<REQUEST RESPONSE DATA "
-"ACK DATAACK CLOSEREQ CLOSE RESET SYNC SYNCACK INVALID>."
+#: original/man8/iptables-extensions.8:180
+msgid "iptables -A INPUT -i eth1 -m comment --comment \"my local LAN\""
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:729 original/man8/iptables.8:717
-#, fuzzy, no-wrap
-#| msgid "B<--tcp-option >[!] I<number>"
-msgid "[B<!>] B<--dccp-option> I<number>"
-msgstr "B<--tcp-option >[!] I<number>"
-
-#. type: Plain text
-#: original/man8/ip6tables.8:732 original/man8/iptables.8:720
-#, fuzzy
-#| msgid "Match if TCP option set."
-msgid "Match if DCCP option set."
-msgstr "TCP オプションが設定されている場合にマッチする。"
-
#. type: SS
-#: original/man8/ip6tables.8:732 original/man8/iptables.8:720
+#: original/man8/iptables-extensions.8:180
#, no-wrap
-msgid "dscp"
-msgstr "dscp"
+msgid "connbytes"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:735 original/man8/iptables.8:723
+#: original/man8/iptables-extensions.8:184
msgid ""
-"This module matches the 6 bit DSCP field within the TOS field in the IP "
-"header. DSCP has superseded TOS within the IETF."
+"Match by how many bytes or packets a connection (or one of the two flows "
+"constituting the connection) has transferred so far, or by average bytes per "
+"packet."
msgstr ""
-"このモジュールは、IP ヘッダーの TOS フィールド内にある、 6 bit の DSCP フィー"
-"ルドにマッチする。 IETF では DSCP が TOS に取って代わった。"
-#. type: TP
-#: original/man8/ip6tables.8:735 original/man8/iptables.8:723
-#, fuzzy, no-wrap
-#| msgid "B<--dscp >I<value>"
-msgid "[B<!>] B<--dscp> I<value>"
-msgstr "B<--dscp >I<value>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:186
+msgid "The counters are 64-bit and are thus not expected to overflow ;)"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:738 original/man8/iptables.8:726
-#, fuzzy
-#| msgid "Match against a numeric (decimal or hex) value [0-32]."
-msgid "Match against a numeric (decimal or hex) value [0-63]."
-msgstr "(10 進または 16 進の) 数値 [0-63] にマッチする。"
+#: original/man8/iptables-extensions.8:189
+msgid ""
+"The primary use is to detect long-lived downloads and mark them to be "
+"scheduled using a lower priority band in traffic control."
+msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:738 original/man8/iptables.8:726
-#, fuzzy, no-wrap
-#| msgid "B<--set-dscp-class >I<class>"
-msgid "[B<!>] B<--dscp-class> I<class>"
-msgstr "B<--set-dscp-class >I<class>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:192
+msgid ""
+"The transferred bytes per connection can also be viewed through `conntrack -"
+"L` and accessed via ctnetlink."
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:743 original/man8/iptables.8:731
-#, fuzzy
-#| msgid ""
-#| "Match the DiffServ class. This value may be any of the BE, EF, AFxx or "
-#| "CSx classes. It will then be converted into it's according numeric value."
+#: original/man8/iptables-extensions.8:198
msgid ""
-"Match the DiffServ class. This value may be any of the BE, EF, AFxx or CSx "
-"classes. It will then be converted into its according numeric value."
+"NOTE that for connections which have no accounting information, the match "
+"will always return false. The \"net.netfilter.nf_conntrack_acct\" sysctl "
+"flag controls whether B<new> connections will be byte/packet counted. "
+"Existing connection flows will not be gaining/losing a/the accounting "
+"structure when be sysctl flag is flipped."
msgstr ""
-"DiffServ クラスにマッチする。 値は BE, EF, AFxx, CSx クラスのいずれかであ"
-"る。 これらは、対応する数値で指定するのと同じである。"
-#. type: SS
-#: original/man8/ip6tables.8:743
+#. type: TP
+#: original/man8/iptables-extensions.8:198
#, no-wrap
-msgid "dst"
+msgid "[B<!>] B<--connbytes> I<from>[B<:>I<to>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:745
-#, fuzzy
-#| msgid "This module matches the time to live field in the IP header."
-msgid "This module matches the parameters in Destination Options header"
-msgstr "このモジュールは IP ヘッダーの time to live フィールドにマッチする。"
+#: original/man8/iptables-extensions.8:204
+msgid ""
+"match packets from a connection whose packets/bytes/average packet size is "
+"more than FROM and less than TO bytes/packets. if TO is omitted only FROM "
+"check is done. \"!\" is used to match packets not falling in the range."
+msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:745
-#, fuzzy, no-wrap
-#| msgid "B<-t>, B<--table> B<tablename>"
-msgid "[B<!>] B<--dst-len> I<length>"
-msgstr "B<-t>, B<--table> B<tablename>"
+#: original/man8/iptables-extensions.8:204
+#, no-wrap
+msgid "B<--connbytes-dir> {B<original>|B<reply>|B<both>}"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:207
+msgid "which packets to consider"
+msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:748
+#: original/man8/iptables-extensions.8:207
#, no-wrap
-msgid "B<--dst-opts> I<type>[B<:>I<length>][B<,>I<type>[B<:>I<length>]...]"
+msgid "B<--connbytes-mode> {B<packets>|B<bytes>|B<avgpkt>}"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:751 original/man8/ip6tables.8:873
-msgid "numeric type of option and the length of the option data in octets."
+#: original/man8/iptables-extensions.8:214
+msgid ""
+"whether to check the amount of packets, number of bytes transferred or the "
+"average size (in bytes) of all packets received so far. Note that when \"both"
+"\" is used together with \"avgpkt\", and data is going (mainly) only in one "
+"direction (for example HTTP), the average packet size will be about half of "
+"the actual data packets."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:751 original/man8/iptables.8:731
-#, no-wrap
-msgid "ecn"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:217
+msgid ""
+"iptables .. -m connbytes --connbytes 10000:100000 --connbytes-dir both --"
+"connbytes-mode bytes ..."
msgstr ""
+#. type: SS
+#: original/man8/iptables-extensions.8:217
+#, fuzzy, no-wrap
+#| msgid "limit"
+msgid "connlimit"
+msgstr "limit"
+
#. type: Plain text
-#: original/man8/ip6tables.8:753 original/man8/iptables.8:733
+#: original/man8/iptables-extensions.8:220
msgid ""
-"This allows you to match the ECN bits of the IPv4/IPv6 and TCP header. ECN "
-"is the Explicit Congestion Notification mechanism as specified in RFC3168"
+"Allows you to restrict the number of parallel connections to a server per "
+"client IP address (or client address block)."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:753 original/man8/iptables.8:733
+#: original/man8/iptables-extensions.8:220
#, fuzzy, no-wrap
-#| msgid "B<--ecn-tcp-remove>"
-msgid "[B<!>] B<--ecn-tcp-cwr>"
-msgstr "B<--ecn-tcp-remove>"
+#| msgid "B<--limit-burst >I<number>"
+msgid "B<--connlimit-upto> I<n>"
+msgstr "B<--limit-burst >I<number>"
#. type: Plain text
-#: original/man8/ip6tables.8:756 original/man8/iptables.8:736
-msgid ""
-"This matches if the TCP ECN CWR (Congestion Window Received) bit is set."
+#: original/man8/iptables-extensions.8:223
+msgid "Match if the number of existing connections is below or equal I<n>."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:756 original/man8/iptables.8:736
+#: original/man8/iptables-extensions.8:223
#, fuzzy, no-wrap
-#| msgid "B<--ecn-tcp-remove>"
-msgid "[B<!>] B<--ecn-tcp-ece>"
-msgstr "B<--ecn-tcp-remove>"
+#| msgid "B<--limit-burst >I<number>"
+msgid "B<--connlimit-above> I<n>"
+msgstr "B<--limit-burst >I<number>"
#. type: Plain text
-#: original/man8/ip6tables.8:759 original/man8/iptables.8:739
-msgid "This matches if the TCP ECN ECE (ECN Echo) bit is set."
+#: original/man8/iptables-extensions.8:226
+msgid "Match if the number of existing connections is above I<n>."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:759 original/man8/iptables.8:739
+#: original/man8/iptables-extensions.8:226
#, no-wrap
-msgid "[B<!>] B<--ecn-ip-ect> I<num>"
+msgid "B<--connlimit-mask> I<prefix_length>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:763 original/man8/iptables.8:743
+#: original/man8/iptables-extensions.8:231
msgid ""
-"This matches a particular IPv4/IPv6 ECT (ECN-Capable Transport). You have to "
-"specify a number between `0' and `3'."
+"Group hosts using the prefix length. For IPv4, this must be a number between "
+"(including) 0 and 32. For IPv6, between 0 and 128. If not specified, the "
+"maximum prefix length for the applicable protocol is used."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:763 original/man8/iptables.8:743
+#. type: TP
+#: original/man8/iptables-extensions.8:231
#, no-wrap
-msgid "esp"
-msgstr "esp"
+msgid "B<--connlimit-saddr>"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:765 original/man8/iptables.8:745
-#, fuzzy
-#| msgid "This module matches the SPIs in ESP header of IPSec packets."
-msgid "This module matches the SPIs in ESP header of IPsec packets."
-msgstr "このモジュールは IPSec パケットの ESP ヘッダーの SPI 値にマッチする。"
-
-#. type: TP
-#: original/man8/ip6tables.8:765 original/man8/iptables.8:745
-#, fuzzy, no-wrap
-#| msgid "B<--espspi >[!] I<spi>[:I<spi>]"
-msgid "[B<!>] B<--espspi> I<spi>[B<:>I<spi>]"
-msgstr "B<--espspi >[!] I<spi>[:I<spi>]"
-
-#. type: SS
-#: original/man8/ip6tables.8:767
-#, no-wrap
-msgid "eui64"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:778
+#: original/man8/iptables-extensions.8:235
msgid ""
-"This module matches the EUI-64 part of a stateless autoconfigured IPv6 "
-"address. It compares the EUI-64 derived from the source MAC address in "
-"Ethernet frame with the lower 64 bits of the IPv6 source address. But "
-"\"Universal/Local\" bit is not compared. This module doesn't match other "
-"link layer frame, and is only valid in the B<PREROUTING>, B<INPUT> and "
-"B<FORWARD> chains."
+"Apply the limit onto the source group. This is the default if --connlimit-"
+"daddr is not specified."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:778
+#. type: TP
+#: original/man8/iptables-extensions.8:235
#, no-wrap
-msgid "frag"
+msgid "B<--connlimit-daddr>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:780
-#, fuzzy
-#| msgid "This module matches the time to live field in the IP header."
-msgid "This module matches the parameters in Fragment header."
-msgstr "このモジュールは IP ヘッダーの time to live フィールドにマッチする。"
-
-#. type: TP
-#: original/man8/ip6tables.8:780
-#, no-wrap
-msgid "[B<!>] B<--fragid> I<id>[B<:>I<id>]"
+#: original/man8/iptables-extensions.8:238
+msgid "Apply the limit onto the destination group."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:783
-msgid "Matches the given Identification or range of it."
+#: original/man8/iptables-extensions.8:240
+#: original/man8/iptables-extensions.8:514
+#: original/man8/iptables-extensions.8:1127
+#: original/man8/iptables-extensions.8:1252
+msgid "Examples:"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:783
-#, fuzzy, no-wrap
-#| msgid "B<-t>, B<--table> B<tablename>"
-msgid "[B<!>] B<--fraglen> I<length>"
-msgstr "B<-t>, B<--table> B<tablename>"
+#: original/man8/iptables-extensions.8:240
+#, no-wrap
+msgid "# allow 2 telnet connections per client host"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:787
+#: original/man8/iptables-extensions.8:243
msgid ""
-"This option cannot be used with kernel version 2.6.10 or later. The length "
-"of Fragment header is static and this option doesn't make sense."
+"iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -"
+"j REJECT"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:787
+#: original/man8/iptables-extensions.8:243
#, no-wrap
-msgid "B<--fragres>"
+msgid "# you can also match the other way around:"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:790
-msgid "Matches if the reserved fields are filled with zero."
+#: original/man8/iptables-extensions.8:246
+msgid ""
+"iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-upto 2 -j "
+"ACCEPT"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:790
+#: original/man8/iptables-extensions.8:246
#, no-wrap
-msgid "B<--fragfirst>"
+msgid "# limit the number of parallel HTTP requests to 16 per class C sized source network (24 bit netmask)"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:793
-msgid "Matches on the first fragment."
+#: original/man8/iptables-extensions.8:251
+msgid ""
+"iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --"
+"connlimit-mask 24 -j REJECT"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:793
-#, fuzzy, no-wrap
-#| msgid "B<[!] -f, --fragment>"
-msgid "B<--fragmore>"
-msgstr "B<[!] -f, --fragment>"
+#: original/man8/iptables-extensions.8:251
+#, no-wrap
+msgid "# limit the number of parallel HTTP requests to 16 for the link local network"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:796
-msgid "Matches if there are more fragments."
+#: original/man8/iptables-extensions.8:256
+msgid ""
+"(ipv6) ip6tables -p tcp --syn --dport 80 -s fe80::/64 -m connlimit --"
+"connlimit-above 16 --connlimit-mask 64 -j REJECT"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:796
+#: original/man8/iptables-extensions.8:256
#, no-wrap
-msgid "B<--fraglast>"
+msgid "# Limit the number of connections to a particular host:"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:799
-msgid "Matches if this is the last fragment."
+#: original/man8/iptables-extensions.8:260
+msgid ""
+"ip6tables -p tcp --syn --dport 49152:65535 -d 2001:db8::1 -m connlimit --"
+"connlimit-above 100 -j REJECT"
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:799 original/man8/iptables.8:747
+#: original/man8/iptables-extensions.8:260
#, fuzzy, no-wrap
-#| msgid "limit"
-msgid "hashlimit"
-msgstr "limit"
+#| msgid "conntrack"
+msgid "connmark"
+msgstr "conntrack"
#. type: Plain text
-#: original/man8/ip6tables.8:805 original/man8/iptables.8:753
+#: original/man8/iptables-extensions.8:263
+#, fuzzy
+#| msgid ""
+#| "This module matches the netfilter mark field associated with a packet "
+#| "(which can be set using the B<MARK> target below)."
msgid ""
-"B<hashlimit> uses hash buckets to express a rate limiting match (like the "
-"B<limit> match) for a group of connections using a B<single> iptables rule. "
-"Grouping can be done per-hostgroup (source and/or destination address) and/"
-"or per-port. It gives you the ability to express \"I<N> packets per time "
-"quantum per group\" (see below for some examples)."
+"This module matches the netfilter mark field associated with a connection "
+"(which can be set using the B<CONNMARK> target below)."
msgstr ""
+"このモジュールはパケットに関連づけられた netfilter の mark フィールドにマッチ"
+"する (このフィールドは、以下の B<MARK> ターゲットで設定される)。"
+
+#. type: TP
+#: original/man8/iptables-extensions.8:263
+#: original/man8/iptables-extensions.8:703
+#, fuzzy, no-wrap
+#| msgid "B<--mark >I<value>[/I<mask>]"
+msgid "[B<!>] B<--mark> I<value>[B</>I<mask>]"
+msgstr "B<--mark >I<value>[/I<mask>]"
#. type: Plain text
-#: original/man8/ip6tables.8:808 original/man8/iptables.8:756
+#: original/man8/iptables-extensions.8:267
+#, fuzzy
+#| msgid ""
+#| "Matches packets with the given unsigned mark value (if a mask is "
+#| "specified, this is logically ANDed with the mask before the comparison)."
msgid ""
-"A hash limit option (B<--hashlimit-upto>, B<--hashlimit-above>) and B<--"
-"hashlimit-name> are required."
+"Matches packets in connections with the given mark value (if a mask is "
+"specified, this is logically ANDed with the mark before the comparison)."
msgstr ""
+"指定された符号なし mark 値のパケットにマッチする (mask が指定されると、比較の"
+"前に mask との論理積 (AND) がとられる)。"
-#. type: TP
-#: original/man8/ip6tables.8:808 original/man8/iptables.8:756
+#. type: SS
+#: original/man8/iptables-extensions.8:267
#, no-wrap
-msgid "B<--hashlimit-upto> I<amount>[B</second>|B</minute>|B</hour>|B</day>]"
-msgstr ""
+msgid "conntrack"
+msgstr "conntrack"
#. type: Plain text
-#: original/man8/ip6tables.8:812 original/man8/iptables.8:760
+#: original/man8/iptables-extensions.8:270
#, fuzzy
#| msgid ""
-#| "Maximum average matching rate: specified as a number, with an optional `/"
-#| "second', `/minute', `/hour', or `/day' suffix; the default is 3/hour."
+#| "This module, when combined with connection tracking, allows access to the "
+#| "connection tracking state for this packet."
msgid ""
-"Match if the rate is below or equal to I<amount>/quantum. It is specified as "
-"a number, with an optional time quantum suffix; the default is 3/hour."
+"This module, when combined with connection tracking, allows access to the "
+"connection tracking state for this packet/connection."
msgstr ""
-"単位時間あたりの平均マッチ回数の最大値。 数値で指定され、添字 `/second', `/"
-"minute', `/hour', `/day' を付けることもできる。 デフォルトは 3/hour である。"
+"このモジュールは、接続追跡 (connection tracking) と組み合わせて用いると、 パ"
+"ケットについての接続追跡状態を知ることができる。"
#. type: TP
-#: original/man8/ip6tables.8:812 original/man8/iptables.8:760
-#, no-wrap
-msgid "B<--hashlimit-above> I<amount>[B</second>|B</minute>|B</hour>|B</day>]"
-msgstr ""
+#: original/man8/iptables-extensions.8:270
+#, fuzzy, no-wrap
+#| msgid "B<--ctstate >I<state>"
+msgid "[B<!>] B<--ctstate> I<statelist>"
+msgstr "B<--ctstate >I<state>"
#. type: Plain text
-#: original/man8/ip6tables.8:815 original/man8/iptables.8:763
-msgid "Match if the rate is above I<amount>/quantum."
+#: original/man8/iptables-extensions.8:274
+msgid ""
+"I<statelist> is a comma separated list of the connection states to match. "
+"Possible states are listed below."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:815 original/man8/iptables.8:763
+#: original/man8/iptables-extensions.8:274
#, fuzzy, no-wrap
-#| msgid "B<--limit-burst >I<number>"
-msgid "B<--hashlimit-burst> I<amount>"
-msgstr "B<--limit-burst >I<number>"
+#| msgid "B<--ctproto >I<proto>"
+msgid "[B<!>] B<--ctproto> I<l4proto>"
+msgstr "B<--ctproto >I<proto>"
#. type: Plain text
-#: original/man8/ip6tables.8:820 original/man8/ip6tables.8:1007
-#: original/man8/iptables.8:768 original/man8/iptables.8:893
-msgid ""
-"Maximum initial number of packets to match: this number gets recharged by "
-"one every time the limit specified above is not reached, up to this number; "
-"the default is 5."
-msgstr ""
-"パケットがマッチする回数の最大初期値: 上のオプションで指定した制限に\n"
-"達しなければ、 その度ごとに、この数値になるまで 1 個ずつ増やされる。\n"
-"デフォルトは 5 である。"
+#: original/man8/iptables-extensions.8:277
+#, fuzzy
+#| msgid "Protocol to match (by number or name)"
+msgid "Layer-4 protocol to match (by number or name)"
+msgstr "(名前または数値で) 指定されたプロトコルにマッチする。"
#. type: TP
-#: original/man8/ip6tables.8:820 original/man8/iptables.8:768
-#, no-wrap
-msgid "B<--hashlimit-mode> {B<srcip>|B<srcport>|B<dstip>|B<dstport>}B<,>..."
-msgstr ""
+#: original/man8/iptables-extensions.8:277
+#, fuzzy, no-wrap
+#| msgid "B<--ctorigsrc >I<[!] address[/mask]>"
+msgid "[B<!>] B<--ctorigsrc> I<address>[B</>I<mask>]"
+msgstr "B<--ctorigsrc >I<[!] address[/mask]>"
+
+#. type: TP
+#: original/man8/iptables-extensions.8:279
+#, fuzzy, no-wrap
+#| msgid "B<--ctorigdst >I<[!] address[/mask]>"
+msgid "[B<!>] B<--ctorigdst> I<address>[B</>I<mask>]"
+msgstr "B<--ctorigdst >I<[!] address[/mask]>"
+
+#. type: TP
+#: original/man8/iptables-extensions.8:281
+#, fuzzy, no-wrap
+#| msgid "B<--ctrepldst >I<[!] address>B<[/>I<mask>B<]>"
+msgid "[B<!>] B<--ctreplsrc> I<address>[B</>I<mask>]"
+msgstr "B<--ctrepldst >I<[!] address>B<[/>I<mask>B<]>"
+
+#. type: TP
+#: original/man8/iptables-extensions.8:283
+#, fuzzy, no-wrap
+#| msgid "B<--ctrepldst >I<[!] address>B<[/>I<mask>B<]>"
+msgid "[B<!>] B<--ctrepldst> I<address>[B</>I<mask>]"
+msgstr "B<--ctrepldst >I<[!] address>B<[/>I<mask>B<]>"
#. type: Plain text
-#: original/man8/ip6tables.8:825 original/man8/iptables.8:773
-msgid ""
-"A comma-separated list of objects to take into consideration. If no --"
-"hashlimit-mode option is given, hashlimit acts like limit, but at the "
-"expensive of doing the hash housekeeping."
-msgstr ""
+#: original/man8/iptables-extensions.8:286
+#, fuzzy
+#| msgid "Match against original destination address"
+msgid "Match against original/reply source/destination address"
+msgstr "書き換え前の宛先アドレスにマッチする。"
#. type: TP
-#: original/man8/ip6tables.8:825 original/man8/iptables.8:773
+#: original/man8/iptables-extensions.8:286
#, fuzzy, no-wrap
-#| msgid "B<--limit >I<rate>"
-msgid "B<--hashlimit-srcmask> I<prefix>"
-msgstr "B<--limit >I<rate>"
+#| msgid "B<--source-port >[!] I<port>[:I<port>]"
+msgid "[B<!>] B<--ctorigsrcport> I<port>[B<:>I<port>]"
+msgstr "B<--source-port >[!] I<port>[:I<port>]"
+
+#. type: TP
+#: original/man8/iptables-extensions.8:288
+#, fuzzy, no-wrap
+#| msgid "B<--to-ports >I<port>[-I<port>]"
+msgid "[B<!>] B<--ctorigdstport> I<port>[B<:>I<port>]"
+msgstr "B<--to-ports >I<port>[-I<port>]"
+
+#. type: TP
+#: original/man8/iptables-extensions.8:290
+#, fuzzy, no-wrap
+#| msgid "B<--source-port >[!] I<port>[:I<port>]"
+msgid "[B<!>] B<--ctreplsrcport> I<port>[B<:>I<port>]"
+msgstr "B<--source-port >[!] I<port>[:I<port>]"
+
+#. type: TP
+#: original/man8/iptables-extensions.8:292
+#, fuzzy, no-wrap
+#| msgid "B<--source-port >[!] I<port>[:I<port>]"
+msgid "[B<!>] B<--ctrepldstport> I<port>[B<:>I<port>]"
+msgstr "B<--source-port >[!] I<port>[:I<port>]"
#. type: Plain text
-#: original/man8/ip6tables.8:832 original/man8/iptables.8:780
+#: original/man8/iptables-extensions.8:296
msgid ""
-"When --hashlimit-mode srcip is used, all source addresses encountered will "
-"be grouped according to the given prefix length and the so-created subnet "
-"will be subject to hashlimit. I<prefix> must be between (inclusive) 0 and "
-"32. Note that --hashlimit-srcmask 0 is basically doing the same thing as not "
-"specifying srcip for --hashlimit-mode, but is technically more expensive."
+"Match against original/reply source/destination port (TCP/UDP/etc.) or GRE "
+"key. Matching against port ranges is only supported in kernel versions "
+"above 2.6.38."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:832 original/man8/iptables.8:780
+#: original/man8/iptables-extensions.8:296
#, fuzzy, no-wrap
-#| msgid "B<--limit >I<rate>"
-msgid "B<--hashlimit-dstmask> I<prefix>"
-msgstr "B<--limit >I<rate>"
+#| msgid "B<--ctstate >I<state>"
+msgid "[B<!>] B<--ctstatus> I<statelist>"
+msgstr "B<--ctstate >I<state>"
#. type: Plain text
-#: original/man8/ip6tables.8:835 original/man8/iptables.8:783
-msgid "Like --hashlimit-srcmask, but for destination addresses."
+#: original/man8/iptables-extensions.8:300
+msgid ""
+"I<statuslist> is a comma separated list of the connection statuses to "
+"match. Possible statuses are listed below."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:835 original/man8/iptables.8:783
-#, no-wrap
-msgid "B<--hashlimit-name> I<foo>"
-msgstr ""
+#: original/man8/iptables-extensions.8:300
+#, fuzzy, no-wrap
+#| msgid "B<--ctexpire >I<time[:time]>"
+msgid "[B<!>] B<--ctexpire> I<time>[B<:>I<time>]"
+msgstr "B<--ctexpire >I<time[:time]>"
#. type: Plain text
-#: original/man8/ip6tables.8:838 original/man8/iptables.8:786
-msgid "The name for the /proc/net/ipt_hashlimit/foo entry."
-msgstr ""
+#: original/man8/iptables-extensions.8:304
+msgid ""
+"Match remaining lifetime in seconds against given value or range of values "
+"(inclusive)"
+msgstr "有効期間の残り秒数、またはその範囲(両端を含む)にマッチする。"
#. type: TP
-#: original/man8/ip6tables.8:838 original/man8/iptables.8:786
+#: original/man8/iptables-extensions.8:304
#, no-wrap
-msgid "B<--hashlimit-htable-size> I<buckets>"
+msgid "B<--ctdir> {B<ORIGINAL>|B<REPLY>}"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:841 original/man8/iptables.8:789
-msgid "The number of buckets of the hash table"
-msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:841 original/man8/iptables.8:789
-#, no-wrap
-msgid "B<--hashlimit-htable-max> I<entries>"
+#: original/man8/iptables-extensions.8:308
+msgid ""
+"Match packets that are flowing in the specified direction. If this flag is "
+"not specified at all, matches packets in both directions."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:844 original/man8/iptables.8:792
-msgid "Maximum entries in the hash."
+#: original/man8/iptables-extensions.8:310
+msgid "States for B<--ctstate>:"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:844 original/man8/iptables.8:792
+#: original/man8/iptables-extensions.8:310
#, no-wrap
-msgid "B<--hashlimit-htable-expire> I<msec>"
+msgid "B<INVALID>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:847 original/man8/iptables.8:795
-msgid "After how many milliseconds do hash entries expire."
+#: original/man8/iptables-extensions.8:313
+#, fuzzy
+#| msgid ""
+#| "Matches if the packet was created by a process with the given process id."
+msgid "The packet is associated with no known connection."
msgstr ""
+"指定されたプロセス ID のプロセスにより パケットが生成されている場合にマッチす"
+"る。"
#. type: TP
-#: original/man8/ip6tables.8:847 original/man8/iptables.8:795
+#: original/man8/iptables-extensions.8:313
#, no-wrap
-msgid "B<--hashlimit-htable-gcinterval> I<msec>"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:850 original/man8/iptables.8:798
-msgid "How many milliseconds between garbage collection intervals."
+msgid "B<NEW>"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:852 original/man8/iptables.8:800
-#, fuzzy, no-wrap
-#| msgid "Match against original source address"
-msgid "matching on source host"
-msgstr "書き換え前の送信元アドレスにマッチする。"
-
#. type: Plain text
-#: original/man8/ip6tables.8:856 original/man8/iptables.8:804
+#: original/man8/iptables-extensions.8:317
msgid ""
-"\"1000 packets per second for every host in 192.168.0.0/16\" =E<gt> -s "
-"192.168.0.0/16 --hashlimit-mode srcip --hashlimit-upto 1000/sec"
+"The packet has started a new connection, or otherwise associated with a "
+"connection which has not seen packets in both directions."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:856 original/man8/iptables.8:804
-#, fuzzy, no-wrap
-#| msgid "Match against original source address"
-msgid "matching on source port"
-msgstr "書き換え前の送信元アドレスにマッチする。"
+#: original/man8/iptables-extensions.8:317
+#, no-wrap
+msgid "B<ESTABLISHED>"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:860 original/man8/iptables.8:808
+#: original/man8/iptables-extensions.8:321
+#, fuzzy
+#| msgid ""
+#| "This module matches the netfilter mark field associated with a packet "
+#| "(which can be set using the B<MARK> target below)."
msgid ""
-"\"100 packets per second for every service of 192.168.1.1\" =E<gt> -s "
-"192.168.1.1 --hashlimit-mode srcport --hashlimit-upto 100/sec"
+"The packet is associated with a connection which has seen packets in both "
+"directions."
msgstr ""
+"このモジュールはパケットに関連づけられた netfilter の mark フィールドにマッチ"
+"する (このフィールドは、以下の B<MARK> ターゲットで設定される)。"
#. type: TP
-#: original/man8/ip6tables.8:860 original/man8/iptables.8:808
+#: original/man8/iptables-extensions.8:321
#, no-wrap
-msgid "matching on subnet"
+msgid "B<RELATED>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:865 original/man8/iptables.8:813
+#: original/man8/iptables-extensions.8:325
msgid ""
-"\"10000 packets per minute for every /28 subnet (groups of 8 addresses) in "
-"10.0.0.0/8\" =E<gt> -s 10.0.0.8 --hashlimit-mask 28 --hashlimit-upto 10000/"
-"min"
+"The packet is starting a new connection, but is associated with an existing "
+"connection, such as an FTP data transfer, or an ICMP error."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:865
+#. type: TP
+#: original/man8/iptables-extensions.8:325
#, no-wrap
-msgid "hbh"
+msgid "B<UNTRACKED>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:867
-#, fuzzy
-#| msgid "This module matches the time to live field in the IP header."
-msgid "This module matches the parameters in Hop-by-Hop Options header"
-msgstr "このモジュールは IP ヘッダーの time to live フィールドにマッチする。"
+#: original/man8/iptables-extensions.8:329
+msgid ""
+"The packet is not tracked at all, which happens if you explicitly untrack it "
+"by using -j CT --notrack in the raw table."
+msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:867
+#: original/man8/iptables-extensions.8:329
#, fuzzy, no-wrap
-#| msgid "B<-t>, B<--table> B<tablename>"
-msgid "[B<!>] B<--hbh-len> I<length>"
-msgstr "B<-t>, B<--table> B<tablename>"
-
-#. type: TP
-#: original/man8/ip6tables.8:870
-#, no-wrap
-msgid "B<--hbh-opts> I<type>[B<:>I<length>][B<,>I<type>[B<:>I<length>]...]"
-msgstr ""
-
-#. type: SS
-#: original/man8/ip6tables.8:873 original/man8/iptables.8:813
-#, no-wrap
-msgid "helper"
-msgstr "helper"
+#| msgid "SNAT"
+msgid "B<SNAT>"
+msgstr "SNAT"
#. type: Plain text
-#: original/man8/ip6tables.8:875 original/man8/iptables.8:815
-msgid "This module matches packets related to a specific conntrack-helper."
+#: original/man8/iptables-extensions.8:333
+msgid ""
+"A virtual state, matching if the original source address differs from the "
+"reply destination."
msgstr ""
-"このモジュールは、指定された接続追跡ヘルパーモジュールに 関連するパケットに"
-"マッチする。"
#. type: TP
-#: original/man8/ip6tables.8:875 original/man8/iptables.8:815
+#: original/man8/iptables-extensions.8:333
#, fuzzy, no-wrap
-#| msgid "B<--helper >I<string>"
-msgid "[B<!>] B<--helper> I<string>"
-msgstr "B<--helper >I<string>"
-
-#. type: Plain text
-#: original/man8/ip6tables.8:878 original/man8/iptables.8:818
-msgid "Matches packets related to the specified conntrack-helper."
-msgstr "指定された接続追跡ヘルパーモジュールに 関連するパケットにマッチする。"
+#| msgid "DNAT"
+msgid "B<DNAT>"
+msgstr "DNAT"
#. type: Plain text
-#: original/man8/ip6tables.8:882 original/man8/iptables.8:822
+#: original/man8/iptables-extensions.8:337
msgid ""
-"string can be \"ftp\" for packets related to a ftp-session on default port. "
-"For other ports append -portnr to the value, ie. \"ftp-2121\"."
+"A virtual state, matching if the original destination differs from the reply "
+"source."
msgstr ""
-"デフォルトのポートを使った ftp-セッションに関連するパケットでは、 string に "
-"\"ftp\" と書ける。 他のポートでは \"-ポート番号\" を値に付け加える。 すなわ"
-"ち \"ftp-2121\" となる。"
#. type: Plain text
-#: original/man8/ip6tables.8:884 original/man8/iptables.8:824
-msgid "Same rules apply for other conntrack-helpers."
-msgstr "他の接続追跡ヘルパーでも同じルールが適用される。"
+#: original/man8/iptables-extensions.8:339
+msgid "Statuses for B<--ctstatus>:"
+msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:885
+#. type: TP
+#: original/man8/iptables-extensions.8:339
#, no-wrap
-msgid "hl"
+msgid "B<NONE>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:887
-#, fuzzy
-#| msgid "This module matches the time to live field in the IP header."
-msgid "This module matches the Hop Limit field in the IPv6 header."
-msgstr "このモジュールは IP ヘッダーの time to live フィールドにマッチする。"
+#: original/man8/iptables-extensions.8:342
+msgid "None of the below."
+msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:887
-#, fuzzy, no-wrap
-#| msgid "B<-t>, B<--table> B<tablename>"
-msgid "[B<!>] B<--hl-eq> I<value>"
-msgstr "B<-t>, B<--table> B<tablename>"
+#: original/man8/iptables-extensions.8:342
+#, no-wrap
+msgid "B<EXPECTED>"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:890
-msgid "Matches if Hop Limit equals I<value>."
+#: original/man8/iptables-extensions.8:345
+msgid "This is an expected connection (i.e. a conntrack helper set it up)."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:890
-#, fuzzy, no-wrap
-#| msgid "B<--dscp >I<value>"
-msgid "B<--hl-lt> I<value>"
-msgstr "B<--dscp >I<value>"
+#: original/man8/iptables-extensions.8:345
+#, no-wrap
+msgid "B<SEEN_REPLY>"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:893
-msgid "Matches if Hop Limit is less than I<value>."
+#: original/man8/iptables-extensions.8:348
+msgid "Conntrack has seen packets in both directions."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:893
-#, fuzzy, no-wrap
-#| msgid "B<--dscp >I<value>"
-msgid "B<--hl-gt> I<value>"
-msgstr "B<--dscp >I<value>"
+#: original/man8/iptables-extensions.8:348
+#, no-wrap
+msgid "B<ASSURED>"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:896
-msgid "Matches if Hop Limit is greater than I<value>."
+#: original/man8/iptables-extensions.8:351
+msgid "Conntrack entry should never be early-expired."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:896
-#, fuzzy, no-wrap
-#| msgid "icmp"
-msgid "icmp6"
-msgstr "icmp"
+#. type: TP
+#: original/man8/iptables-extensions.8:351
+#, no-wrap
+msgid "B<CONFIRMED>"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:899
-#, fuzzy
-#| msgid ""
-#| "This extension is loaded if `--protocol ipv6-icmp' or `--protocol icmpv6' "
-#| "is specified. It provides the following option:"
-msgid ""
-"This extension can be used if `--protocol ipv6-icmp' or `--protocol icmpv6' "
-"is specified. It provides the following option:"
+#: original/man8/iptables-extensions.8:354
+msgid "Connection is confirmed: originating packet has left box."
msgstr ""
-"これらの拡張は `--protocol ipv6-icmp' または `--protocol icmpv6' が指定された"
-"場合にロードされ、 以下のオプションが提供される:"
+
+#. type: SS
+#: original/man8/iptables-extensions.8:354
+#, fuzzy, no-wrap
+#| msgid "tcp"
+msgid "cpu"
+msgstr "tcp"
#. type: TP
-#: original/man8/ip6tables.8:899
+#: original/man8/iptables-extensions.8:355
#, fuzzy, no-wrap
-#| msgid "B<--icmpv6-type >[!] I<typename>"
-msgid "[B<!>] B<--icmpv6-type> I<type>[B</>I<code>]|I<typename>"
-msgstr "B<--icmpv6-type >[!] I<typename>"
+#| msgid "B<-t>, B<--table> B<tablename>"
+msgid "[B<!>] B<--cpu> I<number>"
+msgstr "B<-t>, B<--table> B<tablename>"
#. type: Plain text
-#: original/man8/ip6tables.8:908
-#, fuzzy
-#| msgid ""
-#| "This allows specification of the ICMP type, which can be a numeric ICMP "
-#| "type, or one of the ICMP type names shown by the command"
+#: original/man8/iptables-extensions.8:360
msgid ""
-"This allows specification of the ICMPv6 type, which can be a numeric ICMPv6 "
-"I<type>, I<type> and I<code>, or one of the ICMPv6 type names shown by the "
-"command"
+"Match cpu handling this packet. cpus are numbered from 0 to NR_CPUS-1 Can be "
+"used in combination with RPS (Remote Packet Steering) or multiqueue NICs to "
+"spread network traffic on different queues."
msgstr ""
-"ICMP タイプを指定できる。タイプ指定には、 数値の ICMP タイプ、または以下のコ"
-"マンド で表示される ICMP タイプ名を指定できる。"
#. type: Plain text
-#: original/man8/ip6tables.8:910
-#, no-wrap
-msgid " ip6tables -p ipv6-icmp -h\n"
-msgstr " ip6tables -p ipv6-icmp -h\n"
+#: original/man8/iptables-extensions.8:365
+msgid ""
+"iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 0 -j REDIRECT --"
+"to-port 8080"
+msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:911 original/man8/iptables.8:835
-#, no-wrap
-msgid "iprange"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:368
+msgid ""
+"iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 1 -j REDIRECT --"
+"to-port 8081"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:913 original/man8/iptables.8:837
-msgid "This matches on a given arbitrary range of IP addresses."
+#: original/man8/iptables-extensions.8:370
+msgid "Available since Linux 2.6.36."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:913 original/man8/iptables.8:837
+#. type: SS
+#: original/man8/iptables-extensions.8:370
#, no-wrap
-msgid "[B<!>] B<--src-range> I<from>[B<->I<to>]"
+msgid "dccp"
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:916 original/man8/iptables.8:840
-msgid "Match source IP in the specified range."
-msgstr ""
+#. type: TP
+#: original/man8/iptables-extensions.8:371
+#: original/man8/iptables-extensions.8:1230
+#: original/man8/iptables-extensions.8:1354
+#: original/man8/iptables-extensions.8:1657
+#, fuzzy, no-wrap
+#| msgid "B<--source-ports >I<port>[,I<port>[,I<port>...]]"
+msgid "[B<!>] B<--source-port>,B<--sport> I<port>[B<:>I<port>]"
+msgstr "B<--source-ports >I<port>[,I<port>[,I<port>...]]"
+
+#. type: TP
+#: original/man8/iptables-extensions.8:373
+#: original/man8/iptables-extensions.8:1232
+#: original/man8/iptables-extensions.8:1365
+#: original/man8/iptables-extensions.8:1663
+#, fuzzy, no-wrap
+#| msgid "B<--destination-ports >I<port>[,I<port>[,I<port>...]]"
+msgid "[B<!>] B<--destination-port>,B<--dport> I<port>[B<:>I<port>]"
+msgstr "B<--destination-ports >I<port>[,I<port>[,I<port>...]]"
#. type: TP
-#: original/man8/ip6tables.8:916 original/man8/iptables.8:840
+#: original/man8/iptables-extensions.8:375
#, no-wrap
-msgid "[B<!>] B<--dst-range> I<from>[B<->I<to>]"
+msgid "[B<!>] B<--dccp-types> I<mask>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:919 original/man8/iptables.8:843
-msgid "Match destination IP in the specified range."
+#: original/man8/iptables-extensions.8:380
+msgid ""
+"Match when the DCCP packet type is one of 'mask'. 'mask' is a comma-"
+"separated list of packet types. Packet types are: B<REQUEST RESPONSE DATA "
+"ACK DATAACK CLOSEREQ CLOSE RESET SYNC SYNCACK INVALID>."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:919
-#, no-wrap
-msgid "ipv6header"
-msgstr ""
+#. type: TP
+#: original/man8/iptables-extensions.8:380
+#, fuzzy, no-wrap
+#| msgid "B<--tcp-option >[!] I<number>"
+msgid "[B<!>] B<--dccp-option> I<number>"
+msgstr "B<--tcp-option >[!] I<number>"
#. type: Plain text
-#: original/man8/ip6tables.8:921
+#: original/man8/iptables-extensions.8:383
#, fuzzy
-#| msgid "This module matches the SPIs in AH header of IPSec packets."
-msgid "This module matches IPv6 extension headers and/or upper layer header."
-msgstr "このモジュールは IPSec パケットの AH ヘッダーの SPI 値にマッチする。"
+#| msgid "Match if TCP option set."
+msgid "Match if DCCP option set."
+msgstr "TCP オプションが設定されている場合にマッチする。"
-#. type: TP
-#: original/man8/ip6tables.8:921
+#. type: SS
+#: original/man8/iptables-extensions.8:383
#, no-wrap
-msgid "B<--soft>"
+msgid "devgroup"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:925
-msgid ""
-"Matches if the packet includes B<any> of the headers specified with B<--"
-"header>."
+#: original/man8/iptables-extensions.8:385
+msgid "Match device group of a packets incoming/outgoing interface."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:925
-#, no-wrap
-msgid "[B<!>] B<--header> I<header>[B<,>I<header>...]"
-msgstr ""
+#: original/man8/iptables-extensions.8:385
+#, fuzzy, no-wrap
+#| msgid "B<--physdev-out name>"
+msgid "[B<!>] B<--src-group> I<name>"
+msgstr "B<--physdev-out name>"
#. type: Plain text
-#: original/man8/ip6tables.8:930
-msgid ""
-"Matches the packet which EXACTLY includes all specified headers. The headers "
-"encapsulated with ESP header are out of scope. Possible I<header> types can "
-"be:"
+#: original/man8/iptables-extensions.8:388
+msgid "Match device group of incoming device"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:930
-#, no-wrap
-msgid "B<hop>|B<hop-by-hop>"
-msgstr ""
+#: original/man8/iptables-extensions.8:388
+#, fuzzy, no-wrap
+#| msgid "B<--physdev-out name>"
+msgid "[B<!>] B<--dst-group> I<name>"
+msgstr "B<--physdev-out name>"
#. type: Plain text
-#: original/man8/ip6tables.8:933
-msgid "Hop-by-Hop Options header"
+#: original/man8/iptables-extensions.8:391
+msgid "Match device group of outgoing device"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:933
+#. type: SS
+#: original/man8/iptables-extensions.8:391
#, no-wrap
-msgid "B<dst>"
-msgstr ""
+msgid "dscp"
+msgstr "dscp"
#. type: Plain text
-#: original/man8/ip6tables.8:936
-msgid "Destination Options header"
+#: original/man8/iptables-extensions.8:394
+msgid ""
+"This module matches the 6 bit DSCP field within the TOS field in the IP "
+"header. DSCP has superseded TOS within the IETF."
msgstr ""
+"このモジュールは、IP ヘッダーの TOS フィールド内にある、 6 bit の DSCP フィー"
+"ルドにマッチする。 IETF では DSCP が TOS に取って代わった。"
#. type: TP
-#: original/man8/ip6tables.8:936
-#, no-wrap
-msgid "B<route>"
-msgstr ""
+#: original/man8/iptables-extensions.8:394
+#, fuzzy, no-wrap
+#| msgid "B<--dscp >I<value>"
+msgid "[B<!>] B<--dscp> I<value>"
+msgstr "B<--dscp >I<value>"
#. type: Plain text
-#: original/man8/ip6tables.8:939
-msgid "Routing header"
-msgstr ""
+#: original/man8/iptables-extensions.8:397
+#, fuzzy
+#| msgid "Match against a numeric (decimal or hex) value [0-32]."
+msgid "Match against a numeric (decimal or hex) value [0-63]."
+msgstr "(10 進または 16 進の) 数値 [0-63] にマッチする。"
#. type: TP
-#: original/man8/ip6tables.8:939
+#: original/man8/iptables-extensions.8:397
+#, fuzzy, no-wrap
+#| msgid "B<--set-dscp-class >I<class>"
+msgid "[B<!>] B<--dscp-class> I<class>"
+msgstr "B<--set-dscp-class >I<class>"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:402
+#, fuzzy
+#| msgid ""
+#| "Match the DiffServ class. This value may be any of the BE, EF, AFxx or "
+#| "CSx classes. It will then be converted into it's according numeric value."
+msgid ""
+"Match the DiffServ class. This value may be any of the BE, EF, AFxx or CSx "
+"classes. It will then be converted into its according numeric value."
+msgstr ""
+"DiffServ クラスにマッチする。 値は BE, EF, AFxx, CSx クラスのいずれかであ"
+"る。 これらは、対応する数値で指定するのと同じである。"
+
+#. type: SS
+#: original/man8/iptables-extensions.8:402
#, no-wrap
-msgid "B<frag>"
+msgid "dst (IPv6-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:942
-msgid "Fragment header"
-msgstr ""
+#: original/man8/iptables-extensions.8:404
+#, fuzzy
+#| msgid "This module matches the time to live field in the IP header."
+msgid "This module matches the parameters in Destination Options header"
+msgstr "このモジュールは IP ヘッダーの time to live フィールドにマッチする。"
+
+#. type: TP
+#: original/man8/iptables-extensions.8:404
+#, fuzzy, no-wrap
+#| msgid "B<-t>, B<--table> B<tablename>"
+msgid "[B<!>] B<--dst-len> I<length>"
+msgstr "B<-t>, B<--table> B<tablename>"
#. type: TP
-#: original/man8/ip6tables.8:942
+#: original/man8/iptables-extensions.8:407
#, no-wrap
-msgid "B<auth>"
+msgid "B<--dst-opts> I<type>[B<:>I<length>][B<,>I<type>[B<:>I<length>]...]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:945
-msgid "Authentication header"
+#: original/man8/iptables-extensions.8:410
+#: original/man8/iptables-extensions.8:543
+msgid "numeric type of option and the length of the option data in octets."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:945
+#. type: SS
+#: original/man8/iptables-extensions.8:410
#, no-wrap
-msgid "B<esp>"
+msgid "ecn"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:948
-msgid "Encapsulating Security Payload header"
+#: original/man8/iptables-extensions.8:412
+msgid ""
+"This allows you to match the ECN bits of the IPv4/IPv6 and TCP header. ECN "
+"is the Explicit Congestion Notification mechanism as specified in RFC3168"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:948
-#, no-wrap
-msgid "B<none>"
-msgstr ""
+#: original/man8/iptables-extensions.8:412
+#, fuzzy, no-wrap
+#| msgid "B<--ecn-tcp-remove>"
+msgid "[B<!>] B<--ecn-tcp-cwr>"
+msgstr "B<--ecn-tcp-remove>"
#. type: Plain text
-#: original/man8/ip6tables.8:952
+#: original/man8/iptables-extensions.8:415
msgid ""
-"No Next header which matches 59 in the 'Next Header field' of IPv6 header or "
-"any IPv6 extension headers"
+"This matches if the TCP ECN CWR (Congestion Window Received) bit is set."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:415
+#, fuzzy, no-wrap
+#| msgid "B<--ecn-tcp-remove>"
+msgid "[B<!>] B<--ecn-tcp-ece>"
+msgstr "B<--ecn-tcp-remove>"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:418
+msgid "This matches if the TCP ECN ECE (ECN Echo) bit is set."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:952
+#: original/man8/iptables-extensions.8:418
#, no-wrap
-msgid "B<proto>"
+msgid "[B<!>] B<--ecn-ip-ect> I<num>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:957
+#: original/man8/iptables-extensions.8:422
msgid ""
-"which matches any upper layer protocol header. A protocol name from /etc/"
-"protocols and numeric value also allowed. The number 255 is equivalent to "
-"B<proto>."
+"This matches a particular IPv4/IPv6 ECT (ECN-Capable Transport). You have to "
+"specify a number between `0' and `3'."
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:957 original/man8/iptables.8:843
+#: original/man8/iptables-extensions.8:422
#, no-wrap
-msgid "ipvs"
-msgstr ""
+msgid "esp"
+msgstr "esp"
#. type: Plain text
-#: original/man8/ip6tables.8:959 original/man8/iptables.8:845
-msgid "Match IPVS connection properties."
-msgstr ""
+#: original/man8/iptables-extensions.8:424
+#, fuzzy
+#| msgid "This module matches the SPIs in ESP header of IPSec packets."
+msgid "This module matches the SPIs in ESP header of IPsec packets."
+msgstr "このモジュールは IPSec パケットの ESP ヘッダーの SPI 値にマッチする。"
#. type: TP
-#: original/man8/ip6tables.8:959 original/man8/iptables.8:845
+#: original/man8/iptables-extensions.8:424
#, fuzzy, no-wrap
-#| msgid "B<-c>, B<--counters>"
-msgid "[B<!>] B<--ipvs>"
-msgstr "B<-c>, B<--counters>"
+#| msgid "B<--espspi >[!] I<spi>[:I<spi>]"
+msgid "[B<!>] B<--espspi> I<spi>[B<:>I<spi>]"
+msgstr "B<--espspi >[!] I<spi>[:I<spi>]"
+
+#. type: SS
+#: original/man8/iptables-extensions.8:426
+#, no-wrap
+msgid "eui64 (IPv6-specific)"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:962 original/man8/iptables.8:848
-msgid "packet belongs to an IPVS connection"
+#: original/man8/iptables-extensions.8:437
+msgid ""
+"This module matches the EUI-64 part of a stateless autoconfigured IPv6 "
+"address. It compares the EUI-64 derived from the source MAC address in "
+"Ethernet frame with the lower 64 bits of the IPv6 source address. But "
+"\"Universal/Local\" bit is not compared. This module doesn't match other "
+"link layer frame, and is only valid in the B<PREROUTING>, B<INPUT> and "
+"B<FORWARD> chains."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:962 original/man8/iptables.8:848
+#. type: SS
+#: original/man8/iptables-extensions.8:437
#, no-wrap
-msgid "Any of the following options implies --ipvs (even negated)"
+msgid "frag (IPv6-specific)"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:964 original/man8/iptables.8:850
-#, fuzzy, no-wrap
-#| msgid "B<-p, --protocol >[!] I<protocol>"
-msgid "[B<!>] B<--vproto> I<protocol>"
-msgstr "B<-p, --protocol >[!] I<protocol>"
-
#. type: Plain text
-#: original/man8/ip6tables.8:967 original/man8/iptables.8:853
+#: original/man8/iptables-extensions.8:439
#, fuzzy
-#| msgid "Protocol to match (by number or name)"
-msgid "VIP protocol to match; by number or name, e.g. \"tcp\""
-msgstr "(名前または数値で) 指定されたプロトコルにマッチする。"
+#| msgid "This module matches the time to live field in the IP header."
+msgid "This module matches the parameters in Fragment header."
+msgstr "このモジュールは IP ヘッダーの time to live フィールドにマッチする。"
#. type: TP
-#: original/man8/ip6tables.8:967 original/man8/iptables.8:853
-#, fuzzy, no-wrap
-#| msgid "B<-s, --source >[!] I<address>[/I<mask>]"
-msgid "[B<!>] B<--vaddr> I<address>[B</>I<mask>]"
-msgstr "B<-s, --source >[!] I<address>[/I<mask>]"
+#: original/man8/iptables-extensions.8:439
+#, no-wrap
+msgid "[B<!>] B<--fragid> I<id>[B<:>I<id>]"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:970 original/man8/iptables.8:856
-msgid "VIP address to match"
+#: original/man8/iptables-extensions.8:442
+msgid "Matches the given Identification or range of it."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:970 original/man8/iptables.8:856
+#: original/man8/iptables-extensions.8:442
#, fuzzy, no-wrap
-#| msgid "B<--ctproto >I<proto>"
-msgid "[B<!>] B<--vport> I<port>"
-msgstr "B<--ctproto >I<proto>"
+#| msgid "B<-t>, B<--table> B<tablename>"
+msgid "[B<!>] B<--fraglen> I<length>"
+msgstr "B<-t>, B<--table> B<tablename>"
#. type: Plain text
-#: original/man8/ip6tables.8:973 original/man8/iptables.8:859
-#, fuzzy
-#| msgid "Protocol to match (by number or name)"
-msgid "VIP port to match; by number or name, e.g. \"http\""
-msgstr "(名前または数値で) 指定されたプロトコルにマッチする。"
+#: original/man8/iptables-extensions.8:446
+msgid ""
+"This option cannot be used with kernel version 2.6.10 or later. The length "
+"of Fragment header is static and this option doesn't make sense."
+msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:973 original/man8/iptables.8:859
+#: original/man8/iptables-extensions.8:446
#, no-wrap
-msgid "B<--vdir> {B<ORIGINAL>|B<REPLY>}"
+msgid "B<--fragres>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:976 original/man8/iptables.8:862
-msgid "flow direction of packet"
+#: original/man8/iptables-extensions.8:449
+msgid "Matches if the reserved fields are filled with zero."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:976 original/man8/iptables.8:862
+#: original/man8/iptables-extensions.8:449
#, no-wrap
-msgid "[B<!>] B<--vmethod> {B<GATE>|B<IPIP>|B<MASQ>}"
+msgid "B<--fragfirst>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:979 original/man8/iptables.8:865
-msgid "IPVS forwarding method used"
+#: original/man8/iptables-extensions.8:452
+msgid "Matches on the first fragment."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:979 original/man8/iptables.8:865
-#, no-wrap
-msgid "[B<!>] B<--vportctl> I<port>"
-msgstr ""
+#: original/man8/iptables-extensions.8:452
+#, fuzzy, no-wrap
+#| msgid "B<[!] -f, --fragment>"
+msgid "B<--fragmore>"
+msgstr "B<[!] -f, --fragment>"
#. type: Plain text
-#: original/man8/ip6tables.8:982 original/man8/iptables.8:868
-msgid "VIP port of the controlling connection to match, e.g. 21 for FTP"
+#: original/man8/iptables-extensions.8:455
+msgid "Matches if there are more fragments."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:982 original/man8/iptables.8:868
+#. type: TP
+#: original/man8/iptables-extensions.8:455
#, no-wrap
-msgid "length"
-msgstr "length"
+msgid "B<--fraglast>"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:986 original/man8/iptables.8:872
-#, fuzzy
-#| msgid ""
-#| "This module matches the length of a packet against a specific value or "
-#| "range of values."
-msgid ""
-"This module matches the length of the layer-3 payload (e.g. layer-4 packet) "
-"of a packet against a specific value or range of values."
-msgstr "このモジュールは、指定されたパケット長、またはその範囲にマッチする。"
-
-#. type: TP
-#: original/man8/ip6tables.8:986 original/man8/iptables.8:872
-#, fuzzy, no-wrap
-#| msgid "B<--length >I<length>[:I<length>]"
-msgid "[B<!>] B<--length> I<length>[B<:>I<length>]"
-msgstr "B<--length >I<length>[:I<length>]"
+#: original/man8/iptables-extensions.8:458
+msgid "Matches if this is the last fragment."
+msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:988 original/man8/iptables.8:874
-#, no-wrap
-msgid "limit"
+#: original/man8/iptables-extensions.8:458
+#, fuzzy, no-wrap
+#| msgid "limit"
+msgid "hashlimit"
msgstr "limit"
#. type: Plain text
-#: original/man8/ip6tables.8:994 original/man8/iptables.8:880
-#, fuzzy
-#| msgid ""
-#| "This module matches at a limited rate using a token bucket filter. A "
-#| "rule using this extension will match until this limit is reached (unless "
-#| "the `!' flag is used). It can be used in combination with the B<LOG> "
-#| "target to give limited logging, for example."
+#: original/man8/iptables-extensions.8:464
msgid ""
-"This module matches at a limited rate using a token bucket filter. A rule "
-"using this extension will match until this limit is reached. It can be used "
-"in combination with the B<LOG> target to give limited logging, for example."
+"B<hashlimit> uses hash buckets to express a rate limiting match (like the "
+"B<limit> match) for a group of connections using a B<single> iptables rule. "
+"Grouping can be done per-hostgroup (source and/or destination address) and/"
+"or per-port. It gives you the ability to express \"I<N> packets per time "
+"quantum per group\" or \"I<N> bytes per seconds\" (see below for some "
+"examples)."
msgstr ""
-"このモジュールは、トークンバケツフィルタを使い、 単位時間あたり制限され\n"
-"た回数だけマッチする。 この拡張を使ったルールは、(`!' フラグが指定され\n"
-"ない限り) 制限に達するまでマッチする。 例えば、このモジュールはログ記録\n"
-"を制限するために B<LOG> ターゲットと組み合わせて使うことができる。"
#. type: Plain text
-#: original/man8/ip6tables.8:997 original/man8/iptables.8:883
+#: original/man8/iptables-extensions.8:467
msgid ""
-"xt_limit has no negation support - you will have to use -m hashlimit ! --"
-"hashlimit I<rate> in this case whilst omitting --hashlimit-mode."
+"A hash limit option (B<--hashlimit-upto>, B<--hashlimit-above>) and B<--"
+"hashlimit-name> are required."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:997 original/man8/iptables.8:883
+#: original/man8/iptables-extensions.8:467
#, no-wrap
-msgid "B<--limit> I<rate>[B</second>|B</minute>|B</hour>|B</day>]"
+msgid "B<--hashlimit-upto> I<amount>[B</second>|B</minute>|B</hour>|B</day>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1002 original/man8/iptables.8:888
+#: original/man8/iptables-extensions.8:472
+#, fuzzy
+#| msgid ""
+#| "Maximum average matching rate: specified as a number, with an optional `/"
+#| "second', `/minute', `/hour', or `/day' suffix; the default is 3/hour."
msgid ""
-"Maximum average matching rate: specified as a number, with an optional `/"
-"second', `/minute', `/hour', or `/day' suffix; the default is 3/hour."
+"Match if the rate is below or equal to I<amount>/quantum. It is specified "
+"either as a number, with an optional time quantum suffix (the default is 3/"
+"hour), or as I<amount>b/second (number of bytes per second)."
msgstr ""
"単位時間あたりの平均マッチ回数の最大値。 数値で指定され、添字 `/second', `/"
"minute', `/hour', `/day' を付けることもできる。 デフォルトは 3/hour である。"
#. type: TP
-#: original/man8/ip6tables.8:1002 original/man8/iptables.8:888
-#, fuzzy, no-wrap
-#| msgid "B<--limit-burst >I<number>"
-msgid "B<--limit-burst> I<number>"
-msgstr "B<--limit-burst >I<number>"
-
-#. type: SS
-#: original/man8/ip6tables.8:1007 original/man8/iptables.8:893
+#: original/man8/iptables-extensions.8:472
#, no-wrap
-msgid "mac"
-msgstr "mac"
+msgid "B<--hashlimit-above> I<amount>[B</second>|B</minute>|B</hour>|B</day>]"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:475
+msgid "Match if the rate is above I<amount>/quantum."
+msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1008 original/man8/iptables.8:894
+#: original/man8/iptables-extensions.8:475
#, fuzzy, no-wrap
-#| msgid "B<--mac-source >[!] I<address>"
-msgid "[B<!>] B<--mac-source> I<address>"
-msgstr "B<--mac-source >[!] I<address>"
+#| msgid "B<--limit-burst >I<number>"
+msgid "B<--hashlimit-burst> I<amount>"
+msgstr "B<--limit-burst >I<number>"
#. type: Plain text
-#: original/man8/ip6tables.8:1018 original/man8/iptables.8:904
+#: original/man8/iptables-extensions.8:482
+#, fuzzy
+#| msgid ""
+#| "Maximum initial number of packets to match: this number gets recharged by "
+#| "one every time the limit specified above is not reached, up to this "
+#| "number; the default is 5."
msgid ""
-"Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note "
-"that this only makes sense for packets coming from an Ethernet device and "
-"entering the B<PREROUTING>, B<FORWARD> or B<INPUT> chains."
+"Maximum initial number of packets to match: this number gets recharged by "
+"one every time the limit specified above is not reached, up to this number; "
+"the default is 5. When byte-based rate matching is requested, this option "
+"specifies the amount of bytes that can exceed the given rate. This option "
+"should be used with caution -- if the entry expires, the burst value is "
+"reset too."
msgstr ""
-"送信元 MAC アドレスにマッチする。 I<address> は XX:XX:XX:XX:XX:XX と\n"
-"いう形式でなければならない。イーサーネットデバイスから入ってくるパケッ\n"
-"トで、 B<PREROUTING>, B<FORWARD>, B<INPUT> チェインに入るパケットにしか\n"
-"意味がない。"
+"パケットがマッチする回数の最大初期値: 上のオプションで指定した制限に\n"
+"達しなければ、 その度ごとに、この数値になるまで 1 個ずつ増やされる。\n"
+"デフォルトは 5 である。"
-#. type: SS
-#: original/man8/ip6tables.8:1018 original/man8/iptables.8:904
+#. type: TP
+#: original/man8/iptables-extensions.8:482
#, no-wrap
-msgid "mark"
-msgstr "mark"
+msgid "B<--hashlimit-mode> {B<srcip>|B<srcport>|B<dstip>|B<dstport>}B<,>..."
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1023 original/man8/iptables.8:909
+#: original/man8/iptables-extensions.8:487
msgid ""
-"This module matches the netfilter mark field associated with a packet (which "
-"can be set using the B<MARK> target below)."
+"A comma-separated list of objects to take into consideration. If no --"
+"hashlimit-mode option is given, hashlimit acts like limit, but at the "
+"expensive of doing the hash housekeeping."
msgstr ""
-"このモジュールはパケットに関連づけられた netfilter の mark フィールドにマッチ"
-"する (このフィールドは、以下の B<MARK> ターゲットで設定される)。"
+
+#. type: TP
+#: original/man8/iptables-extensions.8:487
+#, fuzzy, no-wrap
+#| msgid "B<--limit >I<rate>"
+msgid "B<--hashlimit-srcmask> I<prefix>"
+msgstr "B<--limit >I<rate>"
#. type: Plain text
-#: original/man8/ip6tables.8:1028 original/man8/iptables.8:914
-#, fuzzy
-#| msgid ""
-#| "Matches packets with the given unsigned mark value (if a mask is "
-#| "specified, this is logically ANDed with the mask before the comparison)."
+#: original/man8/iptables-extensions.8:494
msgid ""
-"Matches packets with the given unsigned mark value (if a I<mask> is "
-"specified, this is logically ANDed with the I<mask> before the comparison)."
+"When --hashlimit-mode srcip is used, all source addresses encountered will "
+"be grouped according to the given prefix length and the so-created subnet "
+"will be subject to hashlimit. I<prefix> must be between (inclusive) 0 and "
+"32. Note that --hashlimit-srcmask 0 is basically doing the same thing as not "
+"specifying srcip for --hashlimit-mode, but is technically more expensive."
msgstr ""
-"指定された符号なし mark 値のパケットにマッチする (mask が指定されると、比較の"
-"前に mask との論理積 (AND) がとられる)。"
-#. type: SS
-#: original/man8/ip6tables.8:1028
+#. type: TP
+#: original/man8/iptables-extensions.8:494
+#, fuzzy, no-wrap
+#| msgid "B<--limit >I<rate>"
+msgid "B<--hashlimit-dstmask> I<prefix>"
+msgstr "B<--limit >I<rate>"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:497
+msgid "Like --hashlimit-srcmask, but for destination addresses."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:497
#, no-wrap
-msgid "mh"
+msgid "B<--hashlimit-name> I<foo>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1031
-#, fuzzy
-#| msgid ""
-#| "This extension is loaded if `--protocol ipv6-icmp' or `--protocol icmpv6' "
-#| "is specified. It provides the following option:"
-msgid ""
-"This extension is loaded if `--protocol ipv6-mh' or `--protocol mh' is "
-"specified. It provides the following option:"
+#: original/man8/iptables-extensions.8:500
+msgid "The name for the /proc/net/ipt_hashlimit/foo entry."
msgstr ""
-"これらの拡張は `--protocol ipv6-icmp' または `--protocol icmpv6' が指定された"
-"場合にロードされ、 以下のオプションが提供される:"
#. type: TP
-#: original/man8/ip6tables.8:1031
+#: original/man8/iptables-extensions.8:500
#, no-wrap
-msgid "[B<!>] B<--mh-type> I<type>[B<:>I<type>]"
+msgid "B<--hashlimit-htable-size> I<buckets>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1038
-#, fuzzy
-#| msgid ""
-#| "This allows specification of the ICMP type, which can be a numeric ICMP "
-#| "type, or one of the ICMP type names shown by the command"
-msgid ""
-"This allows specification of the Mobility Header(MH) type, which can be a "
-"numeric MH I<type>, I<type> or one of the MH type names shown by the command"
+#: original/man8/iptables-extensions.8:503
+msgid "The number of buckets of the hash table"
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:503
+#, no-wrap
+msgid "B<--hashlimit-htable-max> I<entries>"
msgstr ""
-"ICMP タイプを指定できる。タイプ指定には、 数値の ICMP タイプ、または以下のコ"
-"マンド で表示される ICMP タイプ名を指定できる。"
#. type: Plain text
-#: original/man8/ip6tables.8:1040
-#, fuzzy, no-wrap
-#| msgid " ip6tables -p ipv6-icmp -h\n"
-msgid " ip6tables -p ipv6-mh -h\n"
-msgstr " ip6tables -p ipv6-icmp -h\n"
+#: original/man8/iptables-extensions.8:506
+msgid "Maximum entries in the hash."
+msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:1041 original/man8/iptables.8:914
+#. type: TP
+#: original/man8/iptables-extensions.8:506
#, no-wrap
-msgid "multiport"
-msgstr "multiport"
+msgid "B<--hashlimit-htable-expire> I<msec>"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1048 original/man8/iptables.8:921
-#, fuzzy
-#| msgid ""
-#| "This module matches a set of source or destination ports. Up to 15 ports "
-#| "can be specified. It can only be used in conjunction with B<-p tcp> or "
-#| "B<-p udp>."
-msgid ""
-"This module matches a set of source or destination ports. Up to 15 ports "
-"can be specified. A port range (port:port) counts as two ports. It can "
-"only be used in conjunction with B<-p tcp> or B<-p udp>."
+#: original/man8/iptables-extensions.8:509
+msgid "After how many milliseconds do hash entries expire."
msgstr ""
-"このモジュールは送信元や送信先のポートの集合にマッチする。 ポートは 15 個まで"
-"指定できる。 このモジュールは B<-p tcp> または B<-p udp> と組み合わせて使うこ"
-"としかできない。"
#. type: TP
-#: original/man8/ip6tables.8:1048 original/man8/iptables.8:921
-#, fuzzy, no-wrap
-#| msgid "B<--source-ports >I<port>[,I<port>[,I<port>...]]"
-msgid "[B<!>] B<--source-ports>,B<--sports> I<port>[B<,>I<port>|B<,>I<port>B<:>I<port>]..."
-msgstr "B<--source-ports >I<port>[,I<port>[,I<port>...]]"
+#: original/man8/iptables-extensions.8:509
+#, no-wrap
+msgid "B<--hashlimit-htable-gcinterval> I<msec>"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1056 original/man8/iptables.8:929
-msgid ""
-"Match if the source port is one of the given ports. The flag B<--sports> is "
-"a convenient alias for this option. Multiple ports or port ranges are "
-"separated using a comma, and a port range is specified using a colon. "
-"B<53,1024:65535> would therefore match ports 53 and all from 1024 through "
-"65535."
+#: original/man8/iptables-extensions.8:512
+msgid "How many milliseconds between garbage collection intervals."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1056 original/man8/iptables.8:929
+#: original/man8/iptables-extensions.8:514
#, fuzzy, no-wrap
-#| msgid "B<--destination-ports >I<port>[,I<port>[,I<port>...]]"
-msgid "[B<!>] B<--destination-ports>,B<--dports> I<port>[B<,>I<port>|B<,>I<port>B<:>I<port>]..."
-msgstr "B<--destination-ports >I<port>[,I<port>[,I<port>...]]"
+#| msgid "Match against original source address"
+msgid "matching on source host"
+msgstr "書き換え前の送信元アドレスにマッチする。"
#. type: Plain text
-#: original/man8/ip6tables.8:1061 original/man8/iptables.8:934
+#: original/man8/iptables-extensions.8:518
msgid ""
-"Match if the destination port is one of the given ports. The flag B<--"
-"dports> is a convenient alias for this option."
+"\"1000 packets per second for every host in 192.168.0.0/16\" =E<gt> -s "
+"192.168.0.0/16 --hashlimit-mode srcip --hashlimit-upto 1000/sec"
msgstr ""
-"宛先ポートが指定されたポートのうちのいずれかであればマッチする。\n"
-"フラグ B<--dports> は、このオプションの便利な別名である。"
#. type: TP
-#: original/man8/ip6tables.8:1061 original/man8/iptables.8:934
+#: original/man8/iptables-extensions.8:518
#, fuzzy, no-wrap
-#| msgid "B<--ports >I<port>[,I<port>[,I<port>...]]"
-msgid "[B<!>] B<--ports> I<port>[B<,>I<port>|B<,>I<port>B<:>I<port>]..."
-msgstr "B<--ports >I<port>[,I<port>[,I<port>...]]"
+#| msgid "Match against original source address"
+msgid "matching on source port"
+msgstr "書き換え前の送信元アドレスにマッチする。"
#. type: Plain text
-#: original/man8/ip6tables.8:1065 original/man8/iptables.8:938
-#, fuzzy
-#| msgid ""
-#| "Match if the both the source and destination ports are equal to each "
-#| "other and to one of the given ports."
+#: original/man8/iptables-extensions.8:522
msgid ""
-"Match if either the source or destination ports are equal to one of the "
-"given ports."
+"\"100 packets per second for every service of 192.168.1.1\" =E<gt> -s "
+"192.168.1.1 --hashlimit-mode srcport --hashlimit-upto 100/sec"
msgstr ""
-"送信元ポートと宛先ポートが等しく、 かつそのポートが指定されたポートの\n"
-"うちのいずれかであればマッチする。"
-#. type: SS
-#: original/man8/ip6tables.8:1065 original/man8/iptables.8:938
+#. type: TP
+#: original/man8/iptables-extensions.8:522
#, no-wrap
-msgid "nfacct"
+msgid "matching on subnet"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1069 original/man8/iptables.8:942
+#: original/man8/iptables-extensions.8:527
msgid ""
-"The nfacct match provides the extended accounting infrastructure for "
-"iptables. You have to use this match together with the standalone user-"
-"space utility B<nfacct(8)>"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:1071 original/man8/iptables.8:944
-msgid "The only option available for this match is the following:"
+"\"10000 packets per minute for every /28 subnet (groups of 8 addresses) in "
+"10.0.0.0/8\" =E<gt> -s 10.0.0.8 --hashlimit-mask 28 --hashlimit-upto 10000/"
+"min"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1071 original/man8/iptables.8:944
-#, fuzzy, no-wrap
-#| msgid "B<--cmd-owner >I<name>"
-msgid "B<--nfacct-name> I<name>"
-msgstr "B<--cmd-owner >I<name>"
+#: original/man8/iptables-extensions.8:527
+#: original/man8/iptables-extensions.8:531
+#, no-wrap
+msgid "matching bytes per second"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1075 original/man8/iptables.8:948
+#: original/man8/iptables-extensions.8:531
msgid ""
-"This allows you to specify the existing object name that will be use for "
-"accounting the traffic that this rule-set is matching."
+"\"flows exceeding 512kbyte/s\" =E<gt> --hashlimit-mode srcip,dstip,srcport,"
+"dstport --hashlimit-above 512kb/s"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1077 original/man8/iptables.8:950
-msgid "To use this extension, you have to create an accounting object:"
+#: original/man8/iptables-extensions.8:535
+msgid ""
+"\"hosts that exceed 512kbyte/s, but permit up to 1Megabytes without matching"
+"\" --hashlimit-mode dstip --hashlimit-above 512kb/s --hashlimit-burst 1mb"
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1079 original/man8/iptables.8:952
-msgid "nfacct add http-traffic"
+#. type: SS
+#: original/man8/iptables-extensions.8:535
+#, no-wrap
+msgid "hbh (IPv6-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1081 original/man8/iptables.8:954
-msgid "Then, you have to attach it to the accounting object via iptables:"
-msgstr ""
+#: original/man8/iptables-extensions.8:537
+#, fuzzy
+#| msgid "This module matches the time to live field in the IP header."
+msgid "This module matches the parameters in Hop-by-Hop Options header"
+msgstr "このモジュールは IP ヘッダーの time to live フィールドにマッチする。"
-#. type: Plain text
-#: original/man8/ip6tables.8:1083 original/man8/iptables.8:956
-msgid ""
-"iptables -I INPUT -p tcp --sport 80 -m nfacct --nfacct-name http-traffic"
-msgstr ""
+#. type: TP
+#: original/man8/iptables-extensions.8:537
+#, fuzzy, no-wrap
+#| msgid "B<-t>, B<--table> B<tablename>"
+msgid "[B<!>] B<--hbh-len> I<length>"
+msgstr "B<-t>, B<--table> B<tablename>"
-#. type: Plain text
-#: original/man8/ip6tables.8:1085 original/man8/iptables.8:958
-msgid ""
-"iptables -I OUTPUT -p tcp --dport 80 -m nfacct --nfacct-name http-traffic"
+#. type: TP
+#: original/man8/iptables-extensions.8:540
+#, no-wrap
+msgid "B<--hbh-opts> I<type>[B<:>I<length>][B<,>I<type>[B<:>I<length>]...]"
msgstr ""
+#. type: SS
+#: original/man8/iptables-extensions.8:543
+#, no-wrap
+msgid "helper"
+msgstr "helper"
+
#. type: Plain text
-#: original/man8/ip6tables.8:1087 original/man8/iptables.8:960
-msgid "Then, you can check for the amount of traffic that the rules match:"
+#: original/man8/iptables-extensions.8:545
+msgid "This module matches packets related to a specific conntrack-helper."
msgstr ""
+"このモジュールは、指定された接続追跡ヘルパーモジュールに 関連するパケットに"
+"マッチする。"
+
+#. type: TP
+#: original/man8/iptables-extensions.8:545
+#, fuzzy, no-wrap
+#| msgid "B<--helper >I<string>"
+msgid "[B<!>] B<--helper> I<string>"
+msgstr "B<--helper >I<string>"
#. type: Plain text
-#: original/man8/ip6tables.8:1089 original/man8/iptables.8:962
-msgid "nfacct get http-traffic"
-msgstr ""
+#: original/man8/iptables-extensions.8:548
+msgid "Matches packets related to the specified conntrack-helper."
+msgstr "指定された接続追跡ヘルパーモジュールに 関連するパケットにマッチする。"
#. type: Plain text
-#: original/man8/ip6tables.8:1091 original/man8/iptables.8:964
+#: original/man8/iptables-extensions.8:552
msgid ""
-"{ pkts = 00000000000000000156, bytes = 00000000000000151786 } = http-traffic;"
+"string can be \"ftp\" for packets related to a ftp-session on default port. "
+"For other ports append -portnr to the value, ie. \"ftp-2121\"."
msgstr ""
+"デフォルトのポートを使った ftp-セッションに関連するパケットでは、 string に "
+"\"ftp\" と書ける。 他のポートでは \"-ポート番号\" を値に付け加える。 すなわ"
+"ち \"ftp-2121\" となる。"
#. type: Plain text
-#: original/man8/ip6tables.8:1096 original/man8/iptables.8:969
-msgid ""
-"You can obtain B<nfacct(8)> from http://www.netfilter.org or, alternatively, "
-"from the git.netfilter.org repository."
-msgstr ""
+#: original/man8/iptables-extensions.8:554
+msgid "Same rules apply for other conntrack-helpers."
+msgstr "他の接続追跡ヘルパーでも同じルールが適用される。"
#. type: SS
-#: original/man8/ip6tables.8:1096 original/man8/iptables.8:1015
+#: original/man8/iptables-extensions.8:555
#, no-wrap
-msgid "owner"
-msgstr "owner"
+msgid "hl (IPv6-specific)"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1101 original/man8/iptables.8:1020
+#: original/man8/iptables-extensions.8:557
#, fuzzy
-#| msgid ""
-#| "This module attempts to match various characteristics of the packet "
-#| "creator, for locally-generated packets. It is only valid in the "
-#| "B<OUTPUT> chain, and even this some packets (such as ICMP ping responses) "
-#| "may have no owner, and hence never match."
-msgid ""
-"This module attempts to match various characteristics of the packet creator, "
-"for locally generated packets. This match is only valid in the OUTPUT and "
-"POSTROUTING chains. Forwarded packets do not have any socket associated with "
-"them. Packets from kernel threads do have a socket, but usually no owner."
-msgstr ""
-"このモジュールは、ローカルで生成されたパケットに付いて、 パケット生成者のいろ"
-"いろな特性に対してマッチを行う。 これは B<OUTPUT> チェインのみでしか有効でな"
-"い。 また、(ICMP ping 応答のような) パケットは、 所有者がいないので絶対にマッ"
-"チしない。"
-
-#. type: TP
-#: original/man8/ip6tables.8:1101 original/man8/iptables.8:1020
-#, fuzzy, no-wrap
-#| msgid "B<--uid-owner >I<userid>"
-msgid "[B<!>] B<--uid-owner> I<username>"
-msgstr "B<--uid-owner >I<userid>"
+#| msgid "This module matches the time to live field in the IP header."
+msgid "This module matches the Hop Limit field in the IPv6 header."
+msgstr "このモジュールは IP ヘッダーの time to live フィールドにマッチする。"
#. type: TP
-#: original/man8/ip6tables.8:1103 original/man8/iptables.8:1022
+#: original/man8/iptables-extensions.8:557
#, fuzzy, no-wrap
-#| msgid "B<--uid-owner >I<userid>"
-msgid "[B<!>] B<--uid-owner> I<userid>[B<->I<userid>]"
-msgstr "B<--uid-owner >I<userid>"
+#| msgid "B<-t>, B<--table> B<tablename>"
+msgid "[B<!>] B<--hl-eq> I<value>"
+msgstr "B<-t>, B<--table> B<tablename>"
#. type: Plain text
-#: original/man8/ip6tables.8:1107 original/man8/iptables.8:1026
-msgid ""
-"Matches if the packet socket's file structure (if it has one) is owned by "
-"the given user. You may also specify a numerical UID, or an UID range."
+#: original/man8/iptables-extensions.8:560
+msgid "Matches if Hop Limit equals I<value>."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1107 original/man8/iptables.8:1026
+#: original/man8/iptables-extensions.8:560
#, fuzzy, no-wrap
-#| msgid "B<--gid-owner >I<groupid>"
-msgid "[B<!>] B<--gid-owner> I<groupname>"
-msgstr "B<--gid-owner >I<groupid>"
+#| msgid "B<--dscp >I<value>"
+msgid "B<--hl-lt> I<value>"
+msgstr "B<--dscp >I<value>"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:563
+msgid "Matches if Hop Limit is less than I<value>."
+msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1109 original/man8/iptables.8:1028
+#: original/man8/iptables-extensions.8:563
#, fuzzy, no-wrap
-#| msgid "B<--gid-owner >I<groupid>"
-msgid "[B<!>] B<--gid-owner> I<groupid>[B<->I<groupid>]"
-msgstr "B<--gid-owner >I<groupid>"
+#| msgid "B<--dscp >I<value>"
+msgid "B<--hl-gt> I<value>"
+msgstr "B<--dscp >I<value>"
#. type: Plain text
-#: original/man8/ip6tables.8:1113 original/man8/iptables.8:1032
-msgid ""
-"Matches if the packet socket's file structure is owned by the given group. "
-"You may also specify a numerical GID, or a GID range."
+#: original/man8/iptables-extensions.8:566
+msgid "Matches if Hop Limit is greater than I<value>."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1113 original/man8/iptables.8:1032
+#. type: SS
+#: original/man8/iptables-extensions.8:566
#, no-wrap
-msgid "[B<!>] B<--socket-exists>"
+msgid "icmp (IPv4-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1116 original/man8/iptables.8:1035
+#: original/man8/iptables-extensions.8:569
#, fuzzy
#| msgid ""
-#| "Matches if the packet was created by a process with the given process id."
-msgid "Matches if the packet is associated with a socket."
+#| "This extension is loaded if `--protocol icmp' is specified. It provides "
+#| "the following option:"
+msgid ""
+"This extension can be used if `--protocol icmp' is specified. It provides "
+"the following option:"
msgstr ""
-"指定されたプロセス ID のプロセスにより パケットが生成されている場合にマッチす"
-"ã\82\8bã\80\82"
+"この拡張は `--protocol icmp' が指定された場合にロードされ、 以下のオプション"
+"ã\81\8cæ\8f\90ä¾\9bã\81\95ã\82\8cã\82\8b:"
-#. type: SS
-#: original/man8/ip6tables.8:1116 original/man8/iptables.8:1035
-#, no-wrap
-msgid "physdev"
-msgstr "physdev"
+#. type: TP
+#: original/man8/iptables-extensions.8:569
+#, fuzzy, no-wrap
+#| msgid "B<--icmp-type >[!] I<typename>"
+msgid "[B<!>] B<--icmp-type> {I<type>[B</>I<code>]|I<typename>}"
+msgstr "B<--icmp-type >[!] I<typename>"
#. type: Plain text
-#: original/man8/ip6tables.8:1121 original/man8/iptables.8:1040
+#: original/man8/iptables-extensions.8:573
+#, fuzzy
+#| msgid ""
+#| "This allows specification of the ICMP type, which can be a numeric ICMP "
+#| "type, or one of the ICMP type names shown by the command"
msgid ""
-"This module matches on the bridge port input and output devices enslaved to "
-"a bridge device. This module is a part of the infrastructure that enables a "
-"transparent bridging IP firewall and is only useful for kernel versions "
-"above version 2.5.44."
+"This allows specification of the ICMP type, which can be a numeric ICMP "
+"type, type/code pair, or one of the ICMP type names shown by the command"
msgstr ""
-"このモジュールは、ブリッジデバイスのスレーブにされた、 ブリッジポートの入出力"
-"デバイスにマッチする。 このモジュールは、ブリッジによる透過的な IP ファイア"
-"ウォールの基盤の一部であり、 カーネルバージョン 2.5.44 以降でのみ有効である。"
+"ICMP タイプを指定できる。タイプ指定には、 数値の ICMP タイプ、または以下のコ"
+"マンド で表示される ICMP タイプ名を指定できる。"
-#. type: TP
-#: original/man8/ip6tables.8:1121 original/man8/iptables.8:1040
-#, fuzzy, no-wrap
-#| msgid "B<--physdev-in name>"
-msgid "[B<!>] B<--physdev-in> I<name>"
-msgstr "B<--physdev-in name>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:575
+#, no-wrap
+msgid " iptables -p icmp -h\n"
+msgstr " iptables -p icmp -h\n"
+
+#. type: SS
+#: original/man8/iptables-extensions.8:576
+#, no-wrap
+msgid "icmp6 (IPv6-specific)"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1132 original/man8/iptables.8:1051
+#: original/man8/iptables-extensions.8:579
+#, fuzzy
+#| msgid ""
+#| "This extension is loaded if `--protocol ipv6-icmp' or `--protocol icmpv6' "
+#| "is specified. It provides the following option:"
msgid ""
-"Name of a bridge port via which a packet is received (only for packets "
-"entering the B<INPUT>, B<FORWARD> and B<PREROUTING> chains). If the "
-"interface name ends in a \"+\", then any interface which begins with this "
-"name will match. If the packet didn't arrive through a bridge device, this "
-"packet won't match this option, unless '!' is used."
+"This extension can be used if `--protocol ipv6-icmp' or `--protocol icmpv6' "
+"is specified. It provides the following option:"
msgstr ""
-"パケットが受信されるブリッジのポート名 (B<INPUT>, B<FORWARD>, B<PREROUTING> "
-"チェインに入るパケットのみ)。 インターフェース名が \"+\" で終っている場合、 "
-"その名前で始まる任意のインターフェース名にマッチする。 ブリッジデバイスを通し"
-"て受け取られなかったパケットは、 \\&'!' が指定されていない限り、このオプショ"
-"ンにマッチしない。"
+"これらの拡張は `--protocol ipv6-icmp' または `--protocol icmpv6' が指定された"
+"場合にロードされ、 以下のオプションが提供される:"
#. type: TP
-#: original/man8/ip6tables.8:1132 original/man8/iptables.8:1051
+#: original/man8/iptables-extensions.8:579
#, fuzzy, no-wrap
-#| msgid "B<--physdev-out name>"
-msgid "[B<!>] B<--physdev-out> I<name>"
-msgstr "B<--physdev-out name>"
+#| msgid "B<--icmpv6-type >[!] I<typename>"
+msgid "[B<!>] B<--icmpv6-type> I<type>[B</>I<code>]|I<typename>"
+msgstr "B<--icmpv6-type >[!] I<typename>"
#. type: Plain text
-#: original/man8/ip6tables.8:1149 original/man8/iptables.8:1068
+#: original/man8/iptables-extensions.8:588
#, fuzzy
#| msgid ""
-#| "Name of a bridge port via which a packet is going to be sent (for packets "
-#| "entering the B<FORWARD>, B<OUTPUT> and B<POSTROUTING> chains). If the "
-#| "interface name ends in a \"+\", then any interface which begins with this "
-#| "name will match. Note that in the B<nat> and B<mangle> B<OUTPUT> chains "
-#| "one cannot match on the bridge output port, however one can in the "
-#| "B<filter OUTPUT> chain. If the packet won't leave by a bridge device or "
-#| "it is yet unknown what the output device will be, then the packet won't "
-#| "match this option, unless '!' is used."
+#| "This allows specification of the ICMP type, which can be a numeric ICMP "
+#| "type, or one of the ICMP type names shown by the command"
msgid ""
-"Name of a bridge port via which a packet is going to be sent (for packets "
-"entering the B<FORWARD>, B<OUTPUT> and B<POSTROUTING> chains). If the "
-"interface name ends in a \"+\", then any interface which begins with this "
-"name will match. Note that in the B<nat> and B<mangle> B<OUTPUT> chains one "
-"cannot match on the bridge output port, however one can in the B<filter "
-"OUTPUT> chain. If the packet won't leave by a bridge device or if it is yet "
-"unknown what the output device will be, then the packet won't match this "
-"option, unless '!' is used."
+"This allows specification of the ICMPv6 type, which can be a numeric ICMPv6 "
+"I<type>, I<type> and I<code>, or one of the ICMPv6 type names shown by the "
+"command"
msgstr ""
-"パケットを送信することになるブリッジのポート名 (B<FORWARD>, B<OUTPUT>, "
-"B<POSTROUTING> チェインに入るパケットのみ)。 インターフェース名が \"+\" で"
-"終っている場合、 その名前で始まる任意のインターフェース名にマッチする。 "
-"B<nat> と B<mangle> テーブルの B<OUTPUT> チェインではブリッジの出力ポートに"
-"マッチさせることができないが、 B<filter> テーブルの B<OUPUT> チェインではマッ"
-"チ可能である。 パケットがブリッジデバイスから送られなかった場合、 またはパ"
-"ケットの出力デバイスが不明であった場合は、 \\&'!' が指定されていない限り、パ"
-"ケットはこのオプションにマッチしない。"
-
-#. type: TP
-#: original/man8/ip6tables.8:1149 original/man8/iptables.8:1068
-#, fuzzy, no-wrap
-#| msgid "B<--physdev-is-in>"
-msgid "[B<!>] B<--physdev-is-in>"
-msgstr "B<--physdev-is-in>"
+"ICMP タイプを指定できる。タイプ指定には、 数値の ICMP タイプ、または以下のコ"
+"マンド で表示される ICMP タイプ名を指定できる。"
#. type: Plain text
-#: original/man8/ip6tables.8:1152 original/man8/iptables.8:1071
-msgid "Matches if the packet has entered through a bridge interface."
-msgstr "パケットがブリッジインターフェースに入った場合にマッチする。"
+#: original/man8/iptables-extensions.8:590
+#, no-wrap
+msgid " ip6tables -p ipv6-icmp -h\n"
+msgstr " ip6tables -p ipv6-icmp -h\n"
-#. type: TP
-#: original/man8/ip6tables.8:1152 original/man8/iptables.8:1071
-#, fuzzy, no-wrap
-#| msgid "B<--physdev-is-out>"
-msgid "[B<!>] B<--physdev-is-out>"
-msgstr "B<--physdev-is-out>"
+#. type: SS
+#: original/man8/iptables-extensions.8:591
+#, no-wrap
+msgid "iprange"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1155 original/man8/iptables.8:1074
-msgid "Matches if the packet will leave through a bridge interface."
-msgstr "パケットがブリッジインターフェースから出ようとした場合にマッチする。"
+#: original/man8/iptables-extensions.8:593
+msgid "This matches on a given arbitrary range of IP addresses."
+msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1155 original/man8/iptables.8:1074
-#, fuzzy, no-wrap
-#| msgid "B<--physdev-is-bridged>"
-msgid "[B<!>] B<--physdev-is-bridged>"
-msgstr "B<--physdev-is-bridged>"
+#: original/man8/iptables-extensions.8:593
+#, no-wrap
+msgid "[B<!>] B<--src-range> I<from>[B<->I<to>]"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1159 original/man8/iptables.8:1078
-msgid ""
-"Matches if the packet is being bridged and therefore is not being routed. "
-"This is only useful in the FORWARD and POSTROUTING chains."
+#: original/man8/iptables-extensions.8:596
+msgid "Match source IP in the specified range."
msgstr ""
-"パケットがブリッジされることにより、 ルーティングされなかった場合にマッチす"
-"る。 これは FORWARD, POSTROUTING チェインにおいてのみ役立つ。"
-#. type: SS
-#: original/man8/ip6tables.8:1159 original/man8/iptables.8:1078
+#. type: TP
+#: original/man8/iptables-extensions.8:596
#, no-wrap
-msgid "pkttype"
-msgstr "pkttype"
+msgid "[B<!>] B<--dst-range> I<from>[B<->I<to>]"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1161 original/man8/iptables.8:1080
-msgid "This module matches the link-layer packet type."
-msgstr "このモジュールは、リンク層のパケットタイプにマッチする。"
-
-#. type: TP
-#: original/man8/ip6tables.8:1161 original/man8/iptables.8:1080
-#, fuzzy, no-wrap
-#| msgid "B<--pkt-type >I<[unicast|broadcast|multicast]>"
-msgid "[B<!>] B<--pkt-type> {B<unicast>|B<broadcast>|B<multicast>}"
-msgstr "B<--pkt-type >I<[unicast|broadcast|multicast]>"
+#: original/man8/iptables-extensions.8:599
+msgid "Match destination IP in the specified range."
+msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:1163 original/man8/iptables.8:1082
+#: original/man8/iptables-extensions.8:599
#, no-wrap
-msgid "policy"
+msgid "ipv6header (IPv6-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1165 original/man8/iptables.8:1084
+#: original/man8/iptables-extensions.8:601
#, fuzzy
#| msgid "This module matches the SPIs in AH header of IPSec packets."
-msgid "This modules matches the policy used by IPsec for handling a packet."
+msgid "This module matches IPv6 extension headers and/or upper layer header."
msgstr "このモジュールは IPSec パケットの AH ヘッダーの SPI 値にマッチする。"
#. type: TP
-#: original/man8/ip6tables.8:1165 original/man8/iptables.8:1084
+#: original/man8/iptables-extensions.8:601
#, no-wrap
-msgid "B<--dir> {B<in>|B<out>}"
+msgid "B<--soft>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1177 original/man8/iptables.8:1096
+#: original/man8/iptables-extensions.8:605
msgid ""
-"Used to select whether to match the policy used for decapsulation or the "
-"policy that will be used for encapsulation. B<in> is valid in the "
-"B<PREROUTING, INPUT and FORWARD> chains, B<out> is valid in the "
-"B<POSTROUTING, OUTPUT and FORWARD> chains."
+"Matches if the packet includes B<any> of the headers specified with B<--"
+"header>."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1177 original/man8/iptables.8:1096
+#: original/man8/iptables-extensions.8:605
#, no-wrap
-msgid "B<--pol> {B<none>|B<ipsec>}"
+msgid "[B<!>] B<--header> I<header>[B<,>I<header>...]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1181 original/man8/iptables.8:1100
+#: original/man8/iptables-extensions.8:610
msgid ""
-"Matches if the packet is subject to IPsec processing. B<--pol none> cannot "
-"be combined with B<--strict>."
+"Matches the packet which EXACTLY includes all specified headers. The headers "
+"encapsulated with ESP header are out of scope. Possible I<header> types can "
+"be:"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1181 original/man8/iptables.8:1100
+#: original/man8/iptables-extensions.8:610
#, no-wrap
-msgid "B<--strict>"
+msgid "B<hop>|B<hop-by-hop>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1185 original/man8/iptables.8:1104
-msgid ""
-"Selects whether to match the exact policy or match if any rule of the policy "
-"matches the given policy."
+#: original/man8/iptables-extensions.8:613
+msgid "Hop-by-Hop Options header"
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:613
+#, no-wrap
+msgid "B<dst>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1189 original/man8/iptables.8:1108
-msgid ""
-"For each policy element that is to be described, one can use one or more of "
-"the following options. When B<--strict> is in effect, at least one must be "
-"used per element."
+#: original/man8/iptables-extensions.8:616
+msgid "Destination Options header"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1189 original/man8/iptables.8:1108
+#: original/man8/iptables-extensions.8:616
#, no-wrap
-msgid "[B<!>] B<--reqid> I<id>"
+msgid "B<route>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1196 original/man8/iptables.8:1115
-msgid ""
-"Matches the reqid of the policy rule. The reqid can be specified with "
-"B<setkey(8)> using B<unique:id> as level."
+#: original/man8/iptables-extensions.8:619
+msgid "Routing header"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1196 original/man8/iptables.8:1115
-#, fuzzy, no-wrap
-#| msgid "B<--ahspi >[!] I<spi>[:I<spi>]"
-msgid "[B<!>] B<--spi> I<spi>"
-msgstr "B<--ahspi >[!] I<spi>[:I<spi>]"
+#: original/man8/iptables-extensions.8:619
+#, no-wrap
+msgid "B<frag>"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1199 original/man8/iptables.8:1118
-msgid "Matches the SPI of the SA."
+#: original/man8/iptables-extensions.8:622
+msgid "Fragment header"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1199 original/man8/iptables.8:1118
+#: original/man8/iptables-extensions.8:622
#, no-wrap
-msgid "[B<!>] B<--proto> {B<ah>|B<esp>|B<ipcomp>}"
+msgid "B<auth>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1202 original/man8/iptables.8:1121
-msgid "Matches the encapsulation protocol."
+#: original/man8/iptables-extensions.8:625
+msgid "Authentication header"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1202 original/man8/iptables.8:1121
+#: original/man8/iptables-extensions.8:625
#, no-wrap
-msgid "[B<!>] B<--mode> {B<tunnel>|B<transport>}"
+msgid "B<esp>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1205 original/man8/iptables.8:1124
-#, fuzzy
-#| msgid "Matches the given TTL value."
-msgid "Matches the encapsulation mode."
-msgstr "指定された TTL 値にマッチする。"
+#: original/man8/iptables-extensions.8:628
+msgid "Encapsulating Security Payload header"
+msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1205 original/man8/iptables.8:1124
-#, fuzzy, no-wrap
-#| msgid "B<-s, --source >[!] I<address>[/I<mask>]"
-msgid "[B<!>] B<--tunnel-src> I<addr>[B</>I<mask>]"
-msgstr "B<-s, --source >[!] I<address>[/I<mask>]"
+#: original/man8/iptables-extensions.8:628
+#, no-wrap
+msgid "B<none>"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1209 original/man8/iptables.8:1128
+#: original/man8/iptables-extensions.8:632
msgid ""
-"Matches the source end-point address of a tunnel mode SA. Only valid with "
-"B<--mode tunnel>."
+"No Next header which matches 59 in the 'Next Header field' of IPv6 header or "
+"any IPv6 extension headers"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1209 original/man8/iptables.8:1128
-#, fuzzy, no-wrap
-#| msgid "B<--ctrepldst >I<[!] address>B<[/>I<mask>B<]>"
-msgid "[B<!>] B<--tunnel-dst> I<addr>[B</>I<mask>]"
-msgstr "B<--ctrepldst >I<[!] address>B<[/>I<mask>B<]>"
-
-#. type: Plain text
-#: original/man8/ip6tables.8:1213 original/man8/iptables.8:1132
-msgid ""
-"Matches the destination end-point address of a tunnel mode SA. Only valid "
-"with B<--mode tunnel>."
-msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:1213 original/man8/iptables.8:1132
+#: original/man8/iptables-extensions.8:632
#, no-wrap
-msgid "B<--next>"
+msgid "B<proto>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1217 original/man8/iptables.8:1136
+#: original/man8/iptables-extensions.8:637
msgid ""
-"Start the next element in the policy specification. Can only be used with "
-"B<--strict>."
+"which matches any upper layer protocol header. A protocol name from /etc/"
+"protocols and numeric value also allowed. The number 255 is equivalent to "
+"B<proto>."
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:1217 original/man8/iptables.8:1136
+#: original/man8/iptables-extensions.8:637
#, no-wrap
-msgid "quota"
+msgid "ipvs"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1222 original/man8/iptables.8:1141
-msgid ""
-"Implements network quotas by decrementing a byte counter with each packet. "
-"The condition matches until the byte counter reaches zero. Behavior is "
-"reversed with negation (i.e. the condition does not match until the byte "
-"counter reaches zero)."
+#: original/man8/iptables-extensions.8:639
+msgid "Match IPVS connection properties."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1222 original/man8/iptables.8:1141
+#: original/man8/iptables-extensions.8:639
#, fuzzy, no-wrap
-#| msgid "B<-t>, B<--table> B<tablename>"
-msgid "[B<!>] B<--quota> I<bytes>"
-msgstr "B<-t>, B<--table> B<tablename>"
+#| msgid "B<-c>, B<--counters>"
+msgid "[B<!>] B<--ipvs>"
+msgstr "B<-c>, B<--counters>"
#. type: Plain text
-#: original/man8/ip6tables.8:1225 original/man8/iptables.8:1144
-msgid "The quota in bytes."
+#: original/man8/iptables-extensions.8:642
+msgid "packet belongs to an IPVS connection"
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:1225 original/man8/iptables.8:1144
+#. type: TP
+#: original/man8/iptables-extensions.8:642
#, no-wrap
-msgid "rateest"
+msgid "Any of the following options implies --ipvs (even negated)"
msgstr ""
+#. type: TP
+#: original/man8/iptables-extensions.8:644
+#, fuzzy, no-wrap
+#| msgid "B<-p, --protocol >[!] I<protocol>"
+msgid "[B<!>] B<--vproto> I<protocol>"
+msgstr "B<-p, --protocol >[!] I<protocol>"
+
#. type: Plain text
-#: original/man8/ip6tables.8:1229 original/man8/iptables.8:1148
-msgid ""
-"The rate estimator can match on estimated rates as collected by the RATEEST "
-"target. It supports matching on absolute bps/pps values, comparing two rate "
-"estimators and matching on the difference between two rate estimators."
-msgstr ""
+#: original/man8/iptables-extensions.8:647
+#, fuzzy
+#| msgid "Protocol to match (by number or name)"
+msgid "VIP protocol to match; by number or name, e.g. \"tcp\""
+msgstr "(名前または数値で) 指定されたプロトコルにマッチする。"
+
+#. type: TP
+#: original/man8/iptables-extensions.8:647
+#, fuzzy, no-wrap
+#| msgid "B<-s, --source >[!] I<address>[/I<mask>]"
+msgid "[B<!>] B<--vaddr> I<address>[B</>I<mask>]"
+msgstr "B<-s, --source >[!] I<address>[/I<mask>]"
-#. * Absolute:
#. type: Plain text
-#: original/man8/ip6tables.8:1233 original/man8/iptables.8:1152
-msgid ""
-"For a better understanding of the available options, these are all possible "
-"combinations:"
+#: original/man8/iptables-extensions.8:650
+msgid "VIP address to match"
msgstr ""
-#. type: IP
-#: original/man8/ip6tables.8:1233 original/man8/ip6tables.8:1235
-#: original/man8/ip6tables.8:1238 original/man8/ip6tables.8:1240
-#: original/man8/ip6tables.8:1243 original/man8/ip6tables.8:1245
-#: original/man8/ip6tables.8:1248 original/man8/ip6tables.8:1251
-#: original/man8/iptables.8:980 original/man8/iptables.8:983
-#: original/man8/iptables.8:986 original/man8/iptables.8:992
-#: original/man8/iptables.8:994 original/man8/iptables.8:996
-#: original/man8/iptables.8:1152 original/man8/iptables.8:1154
-#: original/man8/iptables.8:1157 original/man8/iptables.8:1159
-#: original/man8/iptables.8:1162 original/man8/iptables.8:1164
-#: original/man8/iptables.8:1167 original/man8/iptables.8:1170
+#. type: TP
+#: original/man8/iptables-extensions.8:650
+#, fuzzy, no-wrap
+#| msgid "B<--ctproto >I<proto>"
+msgid "[B<!>] B<--vport> I<port>"
+msgstr "B<--ctproto >I<proto>"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:653
+#, fuzzy
+#| msgid "Protocol to match (by number or name)"
+msgid "VIP port to match; by number or name, e.g. \"http\""
+msgstr "(名前または数値で) 指定されたプロトコルにマッチする。"
+
+#. type: TP
+#: original/man8/iptables-extensions.8:653
#, no-wrap
-msgid "\\(bu"
+msgid "B<--vdir> {B<ORIGINAL>|B<REPLY>}"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1235 original/man8/iptables.8:1154
-msgid "B<rateest> I<operator> B<rateest-bps>"
+#: original/man8/iptables-extensions.8:656
+msgid "flow direction of packet"
msgstr ""
-#. * Absolute + Delta:
-#. type: Plain text
-#: original/man8/ip6tables.8:1238 original/man8/iptables.8:1157
-msgid "B<rateest> I<operator> B<rateest-pps>"
+#. type: TP
+#: original/man8/iptables-extensions.8:656
+#, no-wrap
+msgid "[B<!>] B<--vmethod> {B<GATE>|B<IPIP>|B<MASQ>}"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1240 original/man8/iptables.8:1159
-msgid "(B<rateest> minus B<rateest-bps1>) I<operator> B<rateest-bps2>"
+#: original/man8/iptables-extensions.8:659
+msgid "IPVS forwarding method used"
msgstr ""
-#. * Relative:
-#. type: Plain text
-#: original/man8/ip6tables.8:1243 original/man8/iptables.8:1162
-msgid "(B<rateest> minus B<rateest-pps1>) I<operator> B<rateest-pps2>"
+#. type: TP
+#: original/man8/iptables-extensions.8:659
+#, no-wrap
+msgid "[B<!>] B<--vportctl> I<port>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1245 original/man8/iptables.8:1164
-msgid "B<rateest1> I<operator> B<rateest2> B<rateest-bps>(without rate!)"
+#: original/man8/iptables-extensions.8:662
+msgid "VIP port of the controlling connection to match, e.g. 21 for FTP"
msgstr ""
-#. * Relative + Delta:
+#. type: SS
+#: original/man8/iptables-extensions.8:662
+#, no-wrap
+msgid "length"
+msgstr "length"
+
#. type: Plain text
-#: original/man8/ip6tables.8:1248 original/man8/iptables.8:1167
-msgid "B<rateest1> I<operator> B<rateest2> B<rateest-pps>(without rate!)"
-msgstr ""
+#: original/man8/iptables-extensions.8:666
+#, fuzzy
+#| msgid ""
+#| "This module matches the length of a packet against a specific value or "
+#| "range of values."
+msgid ""
+"This module matches the length of the layer-3 payload (e.g. layer-4 packet) "
+"of a packet against a specific value or range of values."
+msgstr "このモジュールは、指定されたパケット長、またはその範囲にマッチする。"
+
+#. type: TP
+#: original/man8/iptables-extensions.8:666
+#, fuzzy, no-wrap
+#| msgid "B<--length >I<length>[:I<length>]"
+msgid "[B<!>] B<--length> I<length>[B<:>I<length>]"
+msgstr "B<--length >I<length>[:I<length>]"
+
+#. type: SS
+#: original/man8/iptables-extensions.8:668
+#, no-wrap
+msgid "limit"
+msgstr "limit"
#. type: Plain text
-#: original/man8/ip6tables.8:1251 original/man8/iptables.8:1170
+#: original/man8/iptables-extensions.8:674
+#, fuzzy
+#| msgid ""
+#| "This module matches at a limited rate using a token bucket filter. A "
+#| "rule using this extension will match until this limit is reached (unless "
+#| "the `!' flag is used). It can be used in combination with the B<LOG> "
+#| "target to give limited logging, for example."
msgid ""
-"(B<rateest1> minus B<rateest-bps1>) I<operator> (B<rateest2> minus B<rateest-"
-"bps2>)"
+"This module matches at a limited rate using a token bucket filter. A rule "
+"using this extension will match until this limit is reached. It can be used "
+"in combination with the B<LOG> target to give limited logging, for example."
msgstr ""
+"このモジュールは、トークンバケツフィルタを使い、 単位時間あたり制限され\n"
+"た回数だけマッチする。 この拡張を使ったルールは、(`!' フラグが指定され\n"
+"ない限り) 制限に達するまでマッチする。 例えば、このモジュールはログ記録\n"
+"を制限するために B<LOG> ターゲットと組み合わせて使うことができる。"
#. type: Plain text
-#: original/man8/ip6tables.8:1254 original/man8/iptables.8:1173
+#: original/man8/iptables-extensions.8:677
msgid ""
-"(B<rateest1> minus B<rateest-pps1>) I<operator> (B<rateest2> minus B<rateest-"
-"pps2>)"
+"xt_limit has no negation support - you will have to use -m hashlimit ! --"
+"hashlimit I<rate> in this case whilst omitting --hashlimit-mode."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1254 original/man8/iptables.8:1173
+#: original/man8/iptables-extensions.8:677
#, no-wrap
-msgid "B<--rateest-delta>"
+msgid "B<--limit> I<rate>[B</second>|B</minute>|B</hour>|B</day>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1261 original/man8/iptables.8:1180
+#: original/man8/iptables-extensions.8:682
msgid ""
-"For each estimator (either absolute or relative mode), calculate the "
-"difference between the estimator-determined flow rate and the static value "
-"chosen with the BPS/PPS options. If the flow rate is higher than the "
-"specified BPS/PPS, 0 will be used instead of a negative value. In other "
-"words, \"max(0, rateest#_rate - rateest#_bps)\" is used."
+"Maximum average matching rate: specified as a number, with an optional `/"
+"second', `/minute', `/hour', or `/day' suffix; the default is 3/hour."
msgstr ""
+"単位時間あたりの平均マッチ回数の最大値。 数値で指定され、添字 `/second', `/"
+"minute', `/hour', `/day' を付けることもできる。 デフォルトは 3/hour である。"
#. type: TP
-#: original/man8/ip6tables.8:1261 original/man8/iptables.8:1180
-#, no-wrap
-msgid "[B<!>] B<--rateest-lt>"
-msgstr ""
+#: original/man8/iptables-extensions.8:682
+#, fuzzy, no-wrap
+#| msgid "B<--limit-burst >I<number>"
+msgid "B<--limit-burst> I<number>"
+msgstr "B<--limit-burst >I<number>"
#. type: Plain text
-#: original/man8/ip6tables.8:1264 original/man8/iptables.8:1183
-msgid "Match if rate is less than given rate/estimator."
+#: original/man8/iptables-extensions.8:687
+msgid ""
+"Maximum initial number of packets to match: this number gets recharged by "
+"one every time the limit specified above is not reached, up to this number; "
+"the default is 5."
msgstr ""
+"パケットがマッチする回数の最大初期値: 上のオプションで指定した制限に\n"
+"達しなければ、 その度ごとに、この数値になるまで 1 個ずつ増やされる。\n"
+"デフォルトは 5 である。"
-#. type: TP
-#: original/man8/ip6tables.8:1264 original/man8/iptables.8:1183
+#. type: SS
+#: original/man8/iptables-extensions.8:687
#, no-wrap
-msgid "[B<!>] B<--rateest-gt>"
-msgstr ""
+msgid "mac"
+msgstr "mac"
+
+#. type: TP
+#: original/man8/iptables-extensions.8:688
+#, fuzzy, no-wrap
+#| msgid "B<--mac-source >[!] I<address>"
+msgid "[B<!>] B<--mac-source> I<address>"
+msgstr "B<--mac-source >[!] I<address>"
#. type: Plain text
-#: original/man8/ip6tables.8:1267 original/man8/iptables.8:1186
-msgid "Match if rate is greater than given rate/estimator."
+#: original/man8/iptables-extensions.8:698
+msgid ""
+"Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note "
+"that this only makes sense for packets coming from an Ethernet device and "
+"entering the B<PREROUTING>, B<FORWARD> or B<INPUT> chains."
msgstr ""
+"送信元 MAC アドレスにマッチする。 I<address> は XX:XX:XX:XX:XX:XX と\n"
+"いう形式でなければならない。イーサーネットデバイスから入ってくるパケッ\n"
+"トで、 B<PREROUTING>, B<FORWARD>, B<INPUT> チェインに入るパケットにしか\n"
+"意味がない。"
-#. type: TP
-#: original/man8/ip6tables.8:1267 original/man8/iptables.8:1186
+#. type: SS
+#: original/man8/iptables-extensions.8:698
#, no-wrap
-msgid "[B<!>] B<--rateest-eq>"
-msgstr ""
+msgid "mark"
+msgstr "mark"
#. type: Plain text
-#: original/man8/ip6tables.8:1270 original/man8/iptables.8:1189
-msgid "Match if rate is equal to given rate/estimator."
+#: original/man8/iptables-extensions.8:703
+msgid ""
+"This module matches the netfilter mark field associated with a packet (which "
+"can be set using the B<MARK> target below)."
msgstr ""
+"このモジュールはパケットに関連づけられた netfilter の mark フィールドにマッチ"
+"する (このフィールドは、以下の B<MARK> ターゲットで設定される)。"
#. type: Plain text
-#: original/man8/ip6tables.8:1274 original/man8/iptables.8:1193
+#: original/man8/iptables-extensions.8:708
+#, fuzzy
+#| msgid ""
+#| "Matches packets with the given unsigned mark value (if a mask is "
+#| "specified, this is logically ANDed with the mask before the comparison)."
msgid ""
-"In the so-called \"absolute mode\", only one rate estimator is used and "
-"compared against a static value, while in \"relative mode\", two rate "
-"estimators are compared against another."
+"Matches packets with the given unsigned mark value (if a I<mask> is "
+"specified, this is logically ANDed with the I<mask> before the comparison)."
msgstr ""
+"指定された符号なし mark 値のパケットにマッチする (mask が指定されると、比較の"
+"前に mask との論理積 (AND) がとられる)。"
-#. type: TP
-#: original/man8/ip6tables.8:1274 original/man8/iptables.8:1193
-#, fuzzy, no-wrap
-#| msgid "B<-t>, B<--table> B<tablename>"
-msgid "B<--rateest> I<name>"
-msgstr "B<-t>, B<--table> B<tablename>"
+#. type: SS
+#: original/man8/iptables-extensions.8:708
+#, no-wrap
+msgid "mh (IPv6-specific)"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1277 original/man8/iptables.8:1196
-msgid "Name of the one rate estimator for absolute mode."
+#: original/man8/iptables-extensions.8:711
+#, fuzzy
+#| msgid ""
+#| "This extension is loaded if `--protocol ipv6-icmp' or `--protocol icmpv6' "
+#| "is specified. It provides the following option:"
+msgid ""
+"This extension is loaded if `--protocol ipv6-mh' or `--protocol mh' is "
+"specified. It provides the following option:"
msgstr ""
+"これらの拡張は `--protocol ipv6-icmp' または `--protocol icmpv6' が指定された"
+"場合にロードされ、 以下のオプションが提供される:"
#. type: TP
-#: original/man8/ip6tables.8:1277 original/man8/iptables.8:1196
-#, fuzzy, no-wrap
-#| msgid "B<-t>, B<--table> B<tablename>"
-msgid "B<--rateest1> I<name>"
-msgstr "B<-t>, B<--table> B<tablename>"
-
-#. type: TP
-#: original/man8/ip6tables.8:1279 original/man8/iptables.8:1198
-#, fuzzy, no-wrap
-#| msgid "B<-t>, B<--table> B<tablename>"
-msgid "B<--rateest2> I<name>"
-msgstr "B<-t>, B<--table> B<tablename>"
+#: original/man8/iptables-extensions.8:711
+#, no-wrap
+msgid "[B<!>] B<--mh-type> I<type>[B<:>I<type>]"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1282 original/man8/iptables.8:1201
-msgid "The names of the two rate estimators for relative mode."
+#: original/man8/iptables-extensions.8:718
+#, fuzzy
+#| msgid ""
+#| "This allows specification of the ICMP type, which can be a numeric ICMP "
+#| "type, or one of the ICMP type names shown by the command"
+msgid ""
+"This allows specification of the Mobility Header(MH) type, which can be a "
+"numeric MH I<type>, I<type> or one of the MH type names shown by the command"
msgstr ""
+"ICMP タイプを指定できる。タイプ指定には、 数値の ICMP タイプ、または以下のコ"
+"マンド で表示される ICMP タイプ名を指定できる。"
-#. type: TP
-#: original/man8/ip6tables.8:1282 original/man8/iptables.8:1201
+#. type: Plain text
+#: original/man8/iptables-extensions.8:720
#, fuzzy, no-wrap
-#| msgid "B<--set-mss >I<value>"
-msgid "B<--rateest-bps> [I<value>]"
-msgstr "B<--set-mss >I<value>"
+#| msgid " ip6tables -p ipv6-icmp -h\n"
+msgid " ip6tables -p ipv6-mh -h\n"
+msgstr " ip6tables -p ipv6-icmp -h\n"
-#. type: TP
-#: original/man8/ip6tables.8:1284 original/man8/iptables.8:1203
-#, fuzzy, no-wrap
-#| msgid "B<--set-mss >I<value>"
-msgid "B<--rateest-pps> [I<value>]"
-msgstr "B<--set-mss >I<value>"
+#. type: SS
+#: original/man8/iptables-extensions.8:721
+#, no-wrap
+msgid "multiport"
+msgstr "multiport"
-#. type: TP
-#: original/man8/ip6tables.8:1286 original/man8/iptables.8:1205
-#, fuzzy, no-wrap
-#| msgid "B<--set-mss >I<value>"
-msgid "B<--rateest-bps1> [I<value>]"
-msgstr "B<--set-mss >I<value>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:728
+#, fuzzy
+#| msgid ""
+#| "This module matches a set of source or destination ports. Up to 15 ports "
+#| "can be specified. It can only be used in conjunction with B<-p tcp> or "
+#| "B<-p udp>."
+msgid ""
+"This module matches a set of source or destination ports. Up to 15 ports "
+"can be specified. A port range (port:port) counts as two ports. It can "
+"only be used in conjunction with B<-p tcp> or B<-p udp>."
+msgstr ""
+"このモジュールは送信元や送信先のポートの集合にマッチする。 ポートは 15 個まで"
+"指定できる。 このモジュールは B<-p tcp> または B<-p udp> と組み合わせて使うこ"
+"としかできない。"
#. type: TP
-#: original/man8/ip6tables.8:1288 original/man8/iptables.8:1207
+#: original/man8/iptables-extensions.8:728
#, fuzzy, no-wrap
-#| msgid "B<--set-mss >I<value>"
-msgid "B<--rateest-bps2> [I<value>]"
-msgstr "B<--set-mss >I<value>"
+#| msgid "B<--source-ports >I<port>[,I<port>[,I<port>...]]"
+msgid "[B<!>] B<--source-ports>,B<--sports> I<port>[B<,>I<port>|B<,>I<port>B<:>I<port>]..."
+msgstr "B<--source-ports >I<port>[,I<port>[,I<port>...]]"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:736
+msgid ""
+"Match if the source port is one of the given ports. The flag B<--sports> is "
+"a convenient alias for this option. Multiple ports or port ranges are "
+"separated using a comma, and a port range is specified using a colon. "
+"B<53,1024:65535> would therefore match ports 53 and all from 1024 through "
+"65535."
+msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1290 original/man8/iptables.8:1209
+#: original/man8/iptables-extensions.8:736
#, fuzzy, no-wrap
-#| msgid "B<--set-mss >I<value>"
-msgid "B<--rateest-pps1> [I<value>]"
-msgstr "B<--set-mss >I<value>"
+#| msgid "B<--destination-ports >I<port>[,I<port>[,I<port>...]]"
+msgid "[B<!>] B<--destination-ports>,B<--dports> I<port>[B<,>I<port>|B<,>I<port>B<:>I<port>]..."
+msgstr "B<--destination-ports >I<port>[,I<port>[,I<port>...]]"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:741
+msgid ""
+"Match if the destination port is one of the given ports. The flag B<--"
+"dports> is a convenient alias for this option."
+msgstr ""
+"宛先ポートが指定されたポートのうちのいずれかであればマッチする。\n"
+"フラグ B<--dports> は、このオプションの便利な別名である。"
#. type: TP
-#: original/man8/ip6tables.8:1292 original/man8/iptables.8:1211
+#: original/man8/iptables-extensions.8:741
#, fuzzy, no-wrap
-#| msgid "B<--set-mss >I<value>"
-msgid "B<--rateest-pps2> [I<value>]"
-msgstr "B<--set-mss >I<value>"
+#| msgid "B<--ports >I<port>[,I<port>[,I<port>...]]"
+msgid "[B<!>] B<--ports> I<port>[B<,>I<port>|B<,>I<port>B<:>I<port>]..."
+msgstr "B<--ports >I<port>[,I<port>[,I<port>...]]"
#. type: Plain text
-#: original/man8/ip6tables.8:1298 original/man8/iptables.8:1217
+#: original/man8/iptables-extensions.8:745
+#, fuzzy
+#| msgid ""
+#| "Match if the both the source and destination ports are equal to each "
+#| "other and to one of the given ports."
msgid ""
-"Compare the estimator(s) by bytes or packets per second, and compare against "
-"the chosen value. See the above bullet list for which option is to be used "
-"in which case. A unit suffix may be used - available ones are: bit, [kmgt]"
-"bit, [KMGT]ibit, Bps, [KMGT]Bps, [KMGT]iBps."
+"Match if either the source or destination ports are equal to one of the "
+"given ports."
+msgstr ""
+"送信元ポートと宛先ポートが等しく、 かつそのポートが指定されたポートの\n"
+"うちのいずれかであればマッチする。"
+
+#. type: SS
+#: original/man8/iptables-extensions.8:745
+#, no-wrap
+msgid "nfacct"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1302 original/man8/iptables.8:1221
+#: original/man8/iptables-extensions.8:749
msgid ""
-"Example: This is what can be used to route outgoing data connections from an "
-"FTP server over two lines based on the available bandwidth at the time the "
-"data connection was started:"
+"The nfacct match provides the extended accounting infrastructure for "
+"iptables. You have to use this match together with the standalone user-"
+"space utility B<nfacct(8)>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1304 original/man8/iptables.8:1223
-msgid "# Estimate outgoing rates"
+#: original/man8/iptables-extensions.8:751
+msgid "The only option available for this match is the following:"
msgstr ""
+#. type: TP
+#: original/man8/iptables-extensions.8:751
+#, fuzzy, no-wrap
+#| msgid "B<--cmd-owner >I<name>"
+msgid "B<--nfacct-name> I<name>"
+msgstr "B<--cmd-owner >I<name>"
+
#. type: Plain text
-#: original/man8/ip6tables.8:1307 original/man8/iptables.8:1226
+#: original/man8/iptables-extensions.8:755
msgid ""
-"iptables -t mangle -A POSTROUTING -o eth0 -j RATEEST --rateest-name eth0 --"
-"rateest-interval 250ms --rateest-ewma 0.5s"
+"This allows you to specify the existing object name that will be use for "
+"accounting the traffic that this rule-set is matching."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1310 original/man8/iptables.8:1229
-msgid ""
-"iptables -t mangle -A POSTROUTING -o ppp0 -j RATEEST --rateest-name ppp0 --"
-"rateest-interval 250ms --rateest-ewma 0.5s"
+#: original/man8/iptables-extensions.8:757
+msgid "To use this extension, you have to create an accounting object:"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1312 original/man8/iptables.8:1231
-msgid "# Mark based on available bandwidth"
+#: original/man8/iptables-extensions.8:759
+msgid "nfacct add http-traffic"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:761
+msgid "Then, you have to attach it to the accounting object via iptables:"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1316 original/man8/iptables.8:1235
+#: original/man8/iptables-extensions.8:763
msgid ""
-"iptables -t mangle -A balance -m conntrack --ctstate NEW -m helper --helper "
-"ftp -m rateest --rateest-delta --rateest1 eth0 --rateest-bps1 2.5mbit --"
-"rateest-gt --rateest2 ppp0 --rateest-bps2 2mbit -j CONNMARK --set-mark 1"
+"iptables -I INPUT -p tcp --sport 80 -m nfacct --nfacct-name http-traffic"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1320 original/man8/iptables.8:1239
+#: original/man8/iptables-extensions.8:765
msgid ""
-"iptables -t mangle -A balance -m conntrack --ctstate NEW -m helper --helper "
-"ftp -m rateest --rateest-delta --rateest1 ppp0 --rateest-bps1 2mbit --"
-"rateest-gt --rateest2 eth0 --rateest-bps2 2.5mbit -j CONNMARK --set-mark 2"
+"iptables -I OUTPUT -p tcp --dport 80 -m nfacct --nfacct-name http-traffic"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1322 original/man8/iptables.8:1241
-msgid "iptables -t mangle -A balance -j CONNMARK --restore-mark"
+#: original/man8/iptables-extensions.8:767
+msgid "Then, you can check for the amount of traffic that the rules match:"
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:1322 original/man8/iptables.8:1249
-#, no-wrap
-msgid "recent"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:769
+msgid "nfacct get http-traffic"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1325 original/man8/iptables.8:1252
+#: original/man8/iptables-extensions.8:771
msgid ""
-"Allows you to dynamically create a list of IP addresses and then match "
-"against that list in a few different ways."
+"{ pkts = 00000000000000000156, bytes = 00000000000000151786 } = http-traffic;"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1329 original/man8/iptables.8:1256
+#: original/man8/iptables-extensions.8:776
msgid ""
-"For example, you can create a \"badguy\" list out of people attempting to "
-"connect to port 139 on your firewall and then DROP all future packets from "
-"them without considering them."
+"You can obtain B<nfacct(8)> from http://www.netfilter.org or, alternatively, "
+"from the git.netfilter.org repository."
msgstr ""
+#. type: SS
+#: original/man8/iptables-extensions.8:776
+#, fuzzy, no-wrap
+#| msgid "tos"
+msgid "osf"
+msgstr "tos"
+
#. type: Plain text
-#: original/man8/ip6tables.8:1332 original/man8/iptables.8:1259
+#: original/man8/iptables-extensions.8:780
msgid ""
-"B<--set>, B<--rcheck>, B<--update> and B<--remove> are mutually exclusive."
+"The osf module does passive operating system fingerprinting. This modules "
+"compares some data (Window Size, MSS, options and their order, TTL, DF, and "
+"others) from packets with the SYN bit set."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1332 original/man8/iptables.8:1259
+#: original/man8/iptables-extensions.8:780
#, fuzzy, no-wrap
-#| msgid "B<--cmd-owner >I<name>"
-msgid "B<--name> I<name>"
-msgstr "B<--cmd-owner >I<name>"
+#| msgid "B<--helper >I<string>"
+msgid "[B<!>] B<--genre> I<string>"
+msgstr "B<--helper >I<string>"
#. type: Plain text
-#: original/man8/ip6tables.8:1336 original/man8/iptables.8:1263
-msgid ""
-"Specify the list to use for the commands. If no name is given then "
-"B<DEFAULT> will be used."
+#: original/man8/iptables-extensions.8:783
+msgid "Match an operating system genre by using a passive fingerprinting."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1336 original/man8/iptables.8:1263
+#: original/man8/iptables-extensions.8:783
#, fuzzy, no-wrap
-#| msgid "B<-v, --verbose>"
-msgid "[B<!>] B<--set>"
-msgstr "B<-v, --verbose>"
+#| msgid "B<--ttl >I<ttl>"
+msgid "B<--ttl> I<level>"
+msgstr "B<--ttl >I<ttl>"
#. type: Plain text
-#: original/man8/ip6tables.8:1341 original/man8/iptables.8:1268
+#: original/man8/iptables-extensions.8:787
msgid ""
-"This will add the source address of the packet to the list. If the source "
-"address is already in the list, this will update the existing entry. This "
-"will always return success (or failure if B<!> is passed in)."
+"Do additional TTL checks on the packet to determine the operating system. "
+"I<level> can be one of the following values:"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1341 original/man8/iptables.8:1268
+#. type: IP
+#: original/man8/iptables-extensions.8:787
+#: original/man8/iptables-extensions.8:790
+#: original/man8/iptables-extensions.8:793
+#: original/man8/iptables-extensions.8:799
+#: original/man8/iptables-extensions.8:801
+#: original/man8/iptables-extensions.8:803
+#: original/man8/iptables-extensions.8:959
+#: original/man8/iptables-extensions.8:961
+#: original/man8/iptables-extensions.8:964
+#: original/man8/iptables-extensions.8:966
+#: original/man8/iptables-extensions.8:969
+#: original/man8/iptables-extensions.8:971
+#: original/man8/iptables-extensions.8:974
+#: original/man8/iptables-extensions.8:977
#, no-wrap
-msgid "B<--rsource>"
+msgid "\\(bu"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1345 original/man8/iptables.8:1272
+#: original/man8/iptables-extensions.8:790
msgid ""
-"Match/save the source address of each packet in the recent list table. This "
-"is the default."
+"0 - True IP address and fingerprint TTL comparison. This generally works for "
+"LANs."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1345 original/man8/iptables.8:1272
-#, fuzzy, no-wrap
-#| msgid "B<--physdev-is-out>"
-msgid "B<--rdest>"
-msgstr "B<--physdev-is-out>"
-
#. type: Plain text
-#: original/man8/ip6tables.8:1348 original/man8/iptables.8:1275
+#: original/man8/iptables-extensions.8:793
msgid ""
-"Match/save the destination address of each packet in the recent list table."
+"1 - Check if the IP header's TTL is less than the fingerprint one. Works for "
+"globally-routable addresses."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1348 original/man8/iptables.8:1275
-#, fuzzy, no-wrap
-#| msgid "B<-c>, B<--counters>"
-msgid "[B<!>] B<--rcheck>"
-msgstr "B<-c>, B<--counters>"
-
#. type: Plain text
-#: original/man8/ip6tables.8:1351 original/man8/iptables.8:1278
-msgid "Check if the source address of the packet is currently in the list."
+#: original/man8/iptables-extensions.8:795
+msgid "2 - Do not compare the TTL at all."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1351 original/man8/iptables.8:1278
+#: original/man8/iptables-extensions.8:795
#, fuzzy, no-wrap
-#| msgid "B<-c>, B<--counters>"
-msgid "[B<!>] B<--update>"
-msgstr "B<-c>, B<--counters>"
+#| msgid "B<--log-level >I<level>"
+msgid "B<--log> I<level>"
+msgstr "B<--log-level >I<level>"
#. type: Plain text
-#: original/man8/ip6tables.8:1355 original/man8/iptables.8:1282
+#: original/man8/iptables-extensions.8:799
msgid ""
-"Like B<--rcheck>, except it will update the \"last seen\" timestamp if it "
-"matches."
+"Log determined genres into dmesg even if they do not match the desired one. "
+"I<level> can be one of the following values:"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1355 original/man8/iptables.8:1282
-#, fuzzy, no-wrap
-#| msgid "B<-v, --verbose>"
-msgid "[B<!>] B<--remove>"
-msgstr "B<-v, --verbose>"
-
#. type: Plain text
-#: original/man8/ip6tables.8:1360 original/man8/iptables.8:1287
-msgid ""
-"Check if the source address of the packet is currently in the list and if so "
-"that address will be removed from the list and the rule will return true. If "
-"the address is not found, false is returned."
+#: original/man8/iptables-extensions.8:801
+msgid "0 - Log all matched or unknown signatures"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1360 original/man8/iptables.8:1287
-#, fuzzy, no-wrap
-#| msgid "B<--set-tos >I<tos>"
-msgid "B<--seconds> I<seconds>"
-msgstr "B<--set-tos >I<tos>"
-
#. type: Plain text
-#: original/man8/ip6tables.8:1365 original/man8/iptables.8:1292
-msgid ""
-"This option must be used in conjunction with one of B<--rcheck> or B<--"
-"update>. When used, this will narrow the match to only happen when the "
-"address is in the list and was seen within the last given number of seconds."
+#: original/man8/iptables-extensions.8:803
+msgid "1 - Log only the first one"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1365 original/man8/iptables.8:1292
-#, no-wrap
-msgid "B<--reap>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:805
+msgid "2 - Log all known matched signatures"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1370 original/man8/iptables.8:1297
-msgid ""
-"This option can only be used in conjunction with B<--seconds>. When used, "
-"this will cause entries older than the last given number of seconds to be "
-"purged."
+#: original/man8/iptables-extensions.8:807
+msgid "You may find something like this in syslog:"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1370 original/man8/iptables.8:1297
-#, fuzzy, no-wrap
-#| msgid "B<--tos >I<tos>"
-msgid "B<--hitcount> I<hits>"
-msgstr "B<--tos >I<tos>"
-
#. type: Plain text
-#: original/man8/ip6tables.8:1380 original/man8/iptables.8:1307
+#: original/man8/iptables-extensions.8:810
msgid ""
-"This option must be used in conjunction with one of B<--rcheck> or B<--"
-"update>. When used, this will narrow the match to only happen when the "
-"address is in the list and packets had been received greater than or equal "
-"to the given value. This option may be used along with B<--seconds> to "
-"create an even narrower match requiring a certain number of hits within a "
-"specific time frame. The maximum value for the hitcount parameter is given "
-"by the \"ip_pkt_list_tot\" parameter of the xt_recent kernel module. "
-"Exceeding this value on the command line will cause the rule to be rejected."
+"Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -E<gt> "
+"11.22.33.44:139 hops=3 Linux [2.5-2.6:] : 1.2.3.4:42624 -E<gt> 1.2.3.5:22 "
+"hops=4"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1380 original/man8/iptables.8:1307
-#, fuzzy, no-wrap
-#| msgid "B<--ttl >I<ttl>"
-msgid "B<--rttl>"
-msgstr "B<--ttl >I<ttl>"
-
#. type: Plain text
-#: original/man8/ip6tables.8:1388 original/man8/iptables.8:1315
+#: original/man8/iptables-extensions.8:813
msgid ""
-"This option may only be used in conjunction with one of B<--rcheck> or B<--"
-"update>. When used, this will narrow the match to only happen when the "
-"address is in the list and the TTL of the current packet matches that of the "
-"packet which hit the B<--set> rule. This may be useful if you have problems "
-"with people faking their source address in order to DoS you via this module "
-"by disallowing others access to your site by sending bogus packets to you."
+"OS fingerprints are loadable using the B<nfnl_osf> program. To load "
+"fingerprints from a file, use:"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1392 original/man8/iptables.8:1319
-msgid ""
-"iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP"
+#: original/man8/iptables-extensions.8:815
+msgid "B<nfnl_osf -f /usr/share/xtables/pf.os>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1394 original/man8/iptables.8:1321
-msgid ""
-"iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set "
-"-j DROP"
+#: original/man8/iptables-extensions.8:817
+msgid "To remove them again,"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1397 original/man8/iptables.8:1324
-msgid ""
-"Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/) also "
-"has some examples of usage."
+#: original/man8/iptables-extensions.8:819
+msgid "B<nfnl_osf -f /usr/share/xtables/pf.os -d>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1400 original/man8/iptables.8:1327
+#: original/man8/iptables-extensions.8:822
msgid ""
-"B</proc/net/xt_recent/*> are the current lists of addresses and information "
-"about each entry of each list."
+"The fingerprint database can be downlaoded from http://www.openbsd.org/cgi-"
+"bin/cvsweb/src/etc/pf.os ."
msgstr ""
+#. type: SS
+#: original/man8/iptables-extensions.8:822
+#, no-wrap
+msgid "owner"
+msgstr "owner"
+
#. type: Plain text
-#: original/man8/ip6tables.8:1403 original/man8/iptables.8:1330
+#: original/man8/iptables-extensions.8:827
+#, fuzzy
+#| msgid ""
+#| "This module attempts to match various characteristics of the packet "
+#| "creator, for locally-generated packets. It is only valid in the "
+#| "B<OUTPUT> chain, and even this some packets (such as ICMP ping responses) "
+#| "may have no owner, and hence never match."
msgid ""
-"Each file in B</proc/net/xt_recent/> can be read from to see the current "
-"list or written two using the following commands to modify the list:"
+"This module attempts to match various characteristics of the packet creator, "
+"for locally generated packets. This match is only valid in the OUTPUT and "
+"POSTROUTING chains. Forwarded packets do not have any socket associated with "
+"them. Packets from kernel threads do have a socket, but usually no owner."
msgstr ""
+"このモジュールは、ローカルで生成されたパケットに付いて、 パケット生成者のいろ"
+"いろな特性に対してマッチを行う。 これは B<OUTPUT> チェインのみでしか有効でな"
+"い。 また、(ICMP ping 応答のような) パケットは、 所有者がいないので絶対にマッ"
+"チしない。"
#. type: TP
-#: original/man8/ip6tables.8:1403 original/man8/iptables.8:1330
-#, no-wrap
-msgid "B<echo +>I<addr>B< E<gt>/proc/net/xt_recent/DEFAULT>"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:1406 original/man8/iptables.8:1333
-msgid "to add I<addr> to the DEFAULT list"
-msgstr ""
+#: original/man8/iptables-extensions.8:827
+#, fuzzy, no-wrap
+#| msgid "B<--uid-owner >I<userid>"
+msgid "[B<!>] B<--uid-owner> I<username>"
+msgstr "B<--uid-owner >I<userid>"
#. type: TP
-#: original/man8/ip6tables.8:1406 original/man8/iptables.8:1333
-#, no-wrap
-msgid "B<echo ->I<addr>B< E<gt>/proc/net/xt_recent/DEFAULT>"
-msgstr ""
+#: original/man8/iptables-extensions.8:829
+#, fuzzy, no-wrap
+#| msgid "B<--uid-owner >I<userid>"
+msgid "[B<!>] B<--uid-owner> I<userid>[B<->I<userid>]"
+msgstr "B<--uid-owner >I<userid>"
#. type: Plain text
-#: original/man8/ip6tables.8:1409 original/man8/iptables.8:1336
-msgid "to remove I<addr> from the DEFAULT list"
+#: original/man8/iptables-extensions.8:833
+msgid ""
+"Matches if the packet socket's file structure (if it has one) is owned by "
+"the given user. You may also specify a numerical UID, or an UID range."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1409 original/man8/iptables.8:1336
-#, no-wrap
-msgid "B<echo / E<gt>/proc/net/xt_recent/DEFAULT>"
-msgstr ""
+#: original/man8/iptables-extensions.8:833
+#, fuzzy, no-wrap
+#| msgid "B<--gid-owner >I<groupid>"
+msgid "[B<!>] B<--gid-owner> I<groupname>"
+msgstr "B<--gid-owner >I<groupid>"
-#. type: Plain text
-#: original/man8/ip6tables.8:1412 original/man8/iptables.8:1339
-msgid "to flush the DEFAULT list (remove all entries)."
-msgstr ""
+#. type: TP
+#: original/man8/iptables-extensions.8:835
+#, fuzzy, no-wrap
+#| msgid "B<--gid-owner >I<groupid>"
+msgid "[B<!>] B<--gid-owner> I<groupid>[B<->I<groupid>]"
+msgstr "B<--gid-owner >I<groupid>"
#. type: Plain text
-#: original/man8/ip6tables.8:1414 original/man8/iptables.8:1341
-msgid "The module itself accepts parameters, defaults shown:"
+#: original/man8/iptables-extensions.8:839
+msgid ""
+"Matches if the packet socket's file structure is owned by the given group. "
+"You may also specify a numerical GID, or a GID range."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1414 original/man8/iptables.8:1341
+#: original/man8/iptables-extensions.8:839
#, no-wrap
-msgid "B<ip_list_tot>=I<100>"
+msgid "[B<!>] B<--socket-exists>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1417 original/man8/iptables.8:1344
-msgid "Number of addresses remembered per table."
+#: original/man8/iptables-extensions.8:842
+#, fuzzy
+#| msgid ""
+#| "Matches if the packet was created by a process with the given process id."
+msgid "Matches if the packet is associated with a socket."
msgstr ""
+"指定されたプロセス ID のプロセスにより パケットが生成されている場合にマッチす"
+"る。"
-#. type: TP
-#: original/man8/ip6tables.8:1417 original/man8/iptables.8:1344
+#. type: SS
+#: original/man8/iptables-extensions.8:842
#, no-wrap
-msgid "B<ip_pkt_list_tot>=I<20>"
-msgstr ""
+msgid "physdev"
+msgstr "physdev"
#. type: Plain text
-#: original/man8/ip6tables.8:1420 original/man8/iptables.8:1347
-msgid "Number of packets per address remembered."
+#: original/man8/iptables-extensions.8:847
+msgid ""
+"This module matches on the bridge port input and output devices enslaved to "
+"a bridge device. This module is a part of the infrastructure that enables a "
+"transparent bridging IP firewall and is only useful for kernel versions "
+"above version 2.5.44."
msgstr ""
+"このモジュールは、ブリッジデバイスのスレーブにされた、 ブリッジポートの入出力"
+"デバイスにマッチする。 このモジュールは、ブリッジによる透過的な IP ファイア"
+"ウォールの基盤の一部であり、 カーネルバージョン 2.5.44 以降でのみ有効である。"
#. type: TP
-#: original/man8/ip6tables.8:1420 original/man8/iptables.8:1347
-#, no-wrap
-msgid "B<ip_list_hash_size>=I<0>"
-msgstr ""
+#: original/man8/iptables-extensions.8:847
+#, fuzzy, no-wrap
+#| msgid "B<--physdev-in name>"
+msgid "[B<!>] B<--physdev-in> I<name>"
+msgstr "B<--physdev-in name>"
#. type: Plain text
-#: original/man8/ip6tables.8:1423 original/man8/iptables.8:1350
+#: original/man8/iptables-extensions.8:858
msgid ""
-"Hash table size. 0 means to calculate it based on ip_list_tot, default: 512."
+"Name of a bridge port via which a packet is received (only for packets "
+"entering the B<INPUT>, B<FORWARD> and B<PREROUTING> chains). If the "
+"interface name ends in a \"+\", then any interface which begins with this "
+"name will match. If the packet didn't arrive through a bridge device, this "
+"packet won't match this option, unless '!' is used."
msgstr ""
+"パケットが受信されるブリッジのポート名 (B<INPUT>, B<FORWARD>, B<PREROUTING> "
+"チェインに入るパケットのみ)。 インターフェース名が \"+\" で終っている場合、 "
+"その名前で始まる任意のインターフェース名にマッチする。 ブリッジデバイスを通し"
+"て受け取られなかったパケットは、 \\&'!' が指定されていない限り、このオプショ"
+"ンにマッチしない。"
#. type: TP
-#: original/man8/ip6tables.8:1423 original/man8/iptables.8:1350
-#, no-wrap
-msgid "B<ip_list_perms>=I<0644>"
-msgstr ""
+#: original/man8/iptables-extensions.8:858
+#, fuzzy, no-wrap
+#| msgid "B<--physdev-out name>"
+msgid "[B<!>] B<--physdev-out> I<name>"
+msgstr "B<--physdev-out name>"
#. type: Plain text
-#: original/man8/ip6tables.8:1426 original/man8/iptables.8:1353
-msgid "Permissions for /proc/net/xt_recent/* files."
+#: original/man8/iptables-extensions.8:875
+#, fuzzy
+#| msgid ""
+#| "Name of a bridge port via which a packet is going to be sent (for packets "
+#| "entering the B<FORWARD>, B<OUTPUT> and B<POSTROUTING> chains). If the "
+#| "interface name ends in a \"+\", then any interface which begins with this "
+#| "name will match. Note that in the B<nat> and B<mangle> B<OUTPUT> chains "
+#| "one cannot match on the bridge output port, however one can in the "
+#| "B<filter OUTPUT> chain. If the packet won't leave by a bridge device or "
+#| "it is yet unknown what the output device will be, then the packet won't "
+#| "match this option, unless '!' is used."
+msgid ""
+"Name of a bridge port via which a packet is going to be sent (for packets "
+"entering the B<FORWARD>, B<OUTPUT> and B<POSTROUTING> chains). If the "
+"interface name ends in a \"+\", then any interface which begins with this "
+"name will match. Note that in the B<nat> and B<mangle> B<OUTPUT> chains one "
+"cannot match on the bridge output port, however one can in the B<filter "
+"OUTPUT> chain. If the packet won't leave by a bridge device or if it is yet "
+"unknown what the output device will be, then the packet won't match this "
+"option, unless '!' is used."
msgstr ""
+"パケットを送信することになるブリッジのポート名 (B<FORWARD>, B<OUTPUT>, "
+"B<POSTROUTING> チェインに入るパケットのみ)。 インターフェース名が \"+\" で"
+"終っている場合、 その名前で始まる任意のインターフェース名にマッチする。 "
+"B<nat> と B<mangle> テーブルの B<OUTPUT> チェインではブリッジの出力ポートに"
+"マッチさせることができないが、 B<filter> テーブルの B<OUPUT> チェインではマッ"
+"チ可能である。 パケットがブリッジデバイスから送られなかった場合、 またはパ"
+"ケットの出力デバイスが不明であった場合は、 \\&'!' が指定されていない限り、パ"
+"ケットはこのオプションにマッチしない。"
#. type: TP
-#: original/man8/ip6tables.8:1426 original/man8/iptables.8:1353
-#, no-wrap
-msgid "B<ip_list_uid>=I<0>"
-msgstr ""
+#: original/man8/iptables-extensions.8:875
+#, fuzzy, no-wrap
+#| msgid "B<--physdev-is-in>"
+msgid "[B<!>] B<--physdev-is-in>"
+msgstr "B<--physdev-is-in>"
#. type: Plain text
-#: original/man8/ip6tables.8:1429 original/man8/iptables.8:1356
-msgid "Numerical UID for ownership of /proc/net/xt_recent/* files."
-msgstr ""
+#: original/man8/iptables-extensions.8:878
+msgid "Matches if the packet has entered through a bridge interface."
+msgstr "パケットがブリッジインターフェースに入った場合にマッチする。"
#. type: TP
-#: original/man8/ip6tables.8:1429 original/man8/iptables.8:1356
-#, no-wrap
-msgid "B<ip_list_gid>=I<0>"
-msgstr ""
+#: original/man8/iptables-extensions.8:878
+#, fuzzy, no-wrap
+#| msgid "B<--physdev-is-out>"
+msgid "[B<!>] B<--physdev-is-out>"
+msgstr "B<--physdev-is-out>"
#. type: Plain text
-#: original/man8/ip6tables.8:1432 original/man8/iptables.8:1359
-msgid "Numerical GID for ownership of /proc/net/xt_recent/* files."
-msgstr ""
+#: original/man8/iptables-extensions.8:881
+msgid "Matches if the packet will leave through a bridge interface."
+msgstr "パケットがブリッジインターフェースから出ようとした場合にマッチする。"
-#. type: SS
-#: original/man8/ip6tables.8:1432 original/man8/iptables.8:1359
+#. type: TP
+#: original/man8/iptables-extensions.8:881
#, fuzzy, no-wrap
-#| msgid "B<filter>:"
-msgid "rpfilter"
-msgstr "B<filter>:"
+#| msgid "B<--physdev-is-bridged>"
+msgid "[B<!>] B<--physdev-is-bridged>"
+msgstr "B<--physdev-is-bridged>"
#. type: Plain text
-#: original/man8/ip6tables.8:1441 original/man8/iptables.8:1368
+#: original/man8/iptables-extensions.8:885
msgid ""
-"Performs a reverse path filter test on a packet. If a reply to the packet "
-"would be sent via the same interface that the packet arrived on, the packet "
-"will match. Note that, unlike the in-kernel rp_filter, packets protected by "
-"IPSec are not treated specially. Combine this match with the policy match "
-"if you want this. Also, packets arriving via the loopback interface are "
-"always permitted. This match can only be used in the PREROUTING chain of "
-"the raw or mangle table."
+"Matches if the packet is being bridged and therefore is not being routed. "
+"This is only useful in the FORWARD and POSTROUTING chains."
msgstr ""
+"パケットがブリッジされることにより、 ルーティングされなかった場合にマッチす"
+"る。 これは FORWARD, POSTROUTING チェインにおいてのみ役立つ。"
+
+#. type: SS
+#: original/man8/iptables-extensions.8:885
+#, no-wrap
+msgid "pkttype"
+msgstr "pkttype"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:887
+msgid "This module matches the link-layer packet type."
+msgstr "このモジュールは、リンク層のパケットタイプにマッチする。"
#. type: TP
-#: original/man8/ip6tables.8:1441 original/man8/iptables.8:1368
+#: original/man8/iptables-extensions.8:887
#, fuzzy, no-wrap
-#| msgid "B<--tos >I<tos>"
-msgid "B<--loose>"
-msgstr "B<--tos >I<tos>"
+#| msgid "B<--pkt-type >I<[unicast|broadcast|multicast]>"
+msgid "[B<!>] B<--pkt-type> {B<unicast>|B<broadcast>|B<multicast>}"
+msgstr "B<--pkt-type >I<[unicast|broadcast|multicast]>"
-#. type: Plain text
-#: original/man8/ip6tables.8:1445 original/man8/iptables.8:1372
-msgid ""
-"Used to specifiy that the reverse path filter test should match even if the "
-"selected output device is not the expected one."
+#. type: SS
+#: original/man8/iptables-extensions.8:889
+#, no-wrap
+msgid "policy"
msgstr ""
+#. type: Plain text
+#: original/man8/iptables-extensions.8:891
+#, fuzzy
+#| msgid "This module matches the SPIs in AH header of IPSec packets."
+msgid "This modules matches the policy used by IPsec for handling a packet."
+msgstr "このモジュールは IPSec パケットの AH ヘッダーの SPI 値にマッチする。"
+
#. type: TP
-#: original/man8/ip6tables.8:1445 original/man8/iptables.8:1372
+#: original/man8/iptables-extensions.8:891
#, no-wrap
-msgid "B<--validmark>"
+msgid "B<--dir> {B<in>|B<out>}"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1448 original/man8/iptables.8:1375
+#: original/man8/iptables-extensions.8:903
msgid ""
-"Also use the packets' nfmark value when performing the reverse path route "
-"lookup."
+"Used to select whether to match the policy used for decapsulation or the "
+"policy that will be used for encapsulation. B<in> is valid in the "
+"B<PREROUTING, INPUT and FORWARD> chains, B<out> is valid in the "
+"B<POSTROUTING, OUTPUT and FORWARD> chains."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1448 original/man8/iptables.8:1375
+#: original/man8/iptables-extensions.8:903
#, no-wrap
-msgid "B<--accept-local>"
+msgid "B<--pol> {B<none>|B<ipsec>}"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1455 original/man8/iptables.8:1382
+#: original/man8/iptables-extensions.8:907
msgid ""
-"This will permit packets arriving from the network with a source address "
-"that is also assigned to the local machine. B<--invert> This will invert "
-"the sense of the match. Instead of matching packets that passed the reverse "
-"path filter test, match those that have failed it."
+"Matches if the packet is subject to IPsec processing. B<--pol none> cannot "
+"be combined with B<--strict>."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1457 original/man8/iptables.8:1384
-msgid "Example to log and drop packets failing the reverse path filter test:"
+#. type: TP
+#: original/man8/iptables-extensions.8:907
+#, no-wrap
+msgid "B<--strict>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1459 original/man8/iptables.8:1386
-#, fuzzy
-#| msgid " iptables -t nat -n -L\n"
-msgid "iptables -t raw -N RPFILTER"
-msgstr " iptables -t nat -n -L\n"
+#: original/man8/iptables-extensions.8:911
+msgid ""
+"Selects whether to match the exact policy or match if any rule of the policy "
+"matches the given policy."
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1461 original/man8/iptables.8:1388
-msgid "iptables -t raw -A RPFILTER -m rpfilter -j RETURN"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:1463 original/man8/iptables.8:1390
+#: original/man8/iptables-extensions.8:915
msgid ""
-"iptables -t raw -A RPFILTER -m limit --limit 10/minute -j NFLOG --nflog-"
-"prefix \"rpfilter drop\""
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:1465 original/man8/iptables.8:1392
-msgid "iptables -t raw -A RPFILTER -j DROP"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:1467 original/man8/iptables.8:1394
-msgid "iptables -t raw -A PREROUTING -j RPFILTER"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:1469 original/man8/iptables.8:1396
-msgid "Example to drop failed packets, without logging:"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:1471 original/man8/iptables.8:1398
-msgid "iptables -t raw -A RPFILTER -m rpfilter --invert -j DROP"
+"For each policy element that is to be described, one can use one or more of "
+"the following options. When B<--strict> is in effect, at least one must be "
+"used per element."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:1471
+#. type: TP
+#: original/man8/iptables-extensions.8:915
#, no-wrap
-msgid "rt"
+msgid "[B<!>] B<--reqid> I<id>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1473
-msgid "Match on IPv6 routing header"
+#: original/man8/iptables-extensions.8:922
+msgid ""
+"Matches the reqid of the policy rule. The reqid can be specified with "
+"B<setkey(8)> using B<unique:id> as level."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1473
+#: original/man8/iptables-extensions.8:922
#, fuzzy, no-wrap
-#| msgid "B<--icmp-type >[!] I<typename>"
-msgid "[B<!>] B<--rt-type> I<type>"
-msgstr "B<--icmp-type >[!] I<typename>"
+#| msgid "B<--ahspi >[!] I<spi>[:I<spi>]"
+msgid "[B<!>] B<--spi> I<spi>"
+msgstr "B<--ahspi >[!] I<spi>[:I<spi>]"
#. type: Plain text
-#: original/man8/ip6tables.8:1476
-msgid "Match the type (numeric)."
+#: original/man8/iptables-extensions.8:925
+msgid "Matches the SPI of the SA."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1476
+#: original/man8/iptables-extensions.8:925
#, no-wrap
-msgid "[B<!>] B<--rt-segsleft> I<num>[B<:>I<num>]"
+msgid "[B<!>] B<--proto> {B<ah>|B<esp>|B<ipcomp>}"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1479
-msgid "Match the `segments left' field (range)."
+#: original/man8/iptables-extensions.8:928
+msgid "Matches the encapsulation protocol."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1479
-#, fuzzy, no-wrap
-#| msgid "B<-t>, B<--table> B<tablename>"
-msgid "[B<!>] B<--rt-len> I<length>"
-msgstr "B<-t>, B<--table> B<tablename>"
+#: original/man8/iptables-extensions.8:928
+#, no-wrap
+msgid "[B<!>] B<--mode> {B<tunnel>|B<transport>}"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1482
-msgid "Match the length of this header."
-msgstr ""
+#: original/man8/iptables-extensions.8:931
+#, fuzzy
+#| msgid "Matches the given TTL value."
+msgid "Matches the encapsulation mode."
+msgstr "指定された TTL 値にマッチする。"
#. type: TP
-#: original/man8/ip6tables.8:1482
-#, no-wrap
-msgid "B<--rt-0-res>"
-msgstr ""
+#: original/man8/iptables-extensions.8:931
+#, fuzzy, no-wrap
+#| msgid "B<-s, --source >[!] I<address>[/I<mask>]"
+msgid "[B<!>] B<--tunnel-src> I<addr>[B</>I<mask>]"
+msgstr "B<-s, --source >[!] I<address>[/I<mask>]"
#. type: Plain text
-#: original/man8/ip6tables.8:1485
-msgid "Match the reserved field, too (type=0)"
+#: original/man8/iptables-extensions.8:935
+msgid ""
+"Matches the source end-point address of a tunnel mode SA. Only valid with "
+"B<--mode tunnel>."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1485
-#, no-wrap
-msgid "B<--rt-0-addrs> I<addr>[B<,>I<addr>...]"
-msgstr ""
+#: original/man8/iptables-extensions.8:935
+#, fuzzy, no-wrap
+#| msgid "B<--ctrepldst >I<[!] address>B<[/>I<mask>B<]>"
+msgid "[B<!>] B<--tunnel-dst> I<addr>[B</>I<mask>]"
+msgstr "B<--ctrepldst >I<[!] address>B<[/>I<mask>B<]>"
#. type: Plain text
-#: original/man8/ip6tables.8:1488
-msgid "Match type=0 addresses (list)."
+#: original/man8/iptables-extensions.8:939
+msgid ""
+"Matches the destination end-point address of a tunnel mode SA. Only valid "
+"with B<--mode tunnel>."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1488
+#: original/man8/iptables-extensions.8:939
#, no-wrap
-msgid "B<--rt-0-not-strict>"
+msgid "B<--next>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1491
-msgid "List of type=0 addresses is not a strict list."
+#: original/man8/iptables-extensions.8:943
+msgid ""
+"Start the next element in the policy specification. Can only be used with "
+"B<--strict>."
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:1491 original/man8/iptables.8:1398
-#, no-wrap
-msgid "sctp"
-msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:1496 original/man8/iptables.8:1403
+#: original/man8/iptables-extensions.8:943
#, no-wrap
-msgid "[B<!>] B<--chunk-types> {B<all>|B<any>|B<only>} I<chunktype>[B<:>I<flags>] [...]"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:1500 original/man8/iptables.8:1407
-msgid ""
-"The flag letter in upper case indicates that the flag is to match if set, in "
-"the lower case indicates to match if unset."
+msgid "quota"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1502 original/man8/iptables.8:1409
+#: original/man8/iptables-extensions.8:948
msgid ""
-"Chunk types: DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN "
-"SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE "
-"ASCONF ASCONF_ACK FORWARD_TSN"
+"Implements network quotas by decrementing a byte counter with each packet. "
+"The condition matches until the byte counter reaches zero. Behavior is "
+"reversed with negation (i.e. the condition does not match until the byte "
+"counter reaches zero)."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1504 original/man8/iptables.8:1411
-msgid "chunk type available flags"
-msgstr ""
+#. type: TP
+#: original/man8/iptables-extensions.8:948
+#, fuzzy, no-wrap
+#| msgid "B<-t>, B<--table> B<tablename>"
+msgid "[B<!>] B<--quota> I<bytes>"
+msgstr "B<-t>, B<--table> B<tablename>"
#. type: Plain text
-#: original/man8/ip6tables.8:1506 original/man8/iptables.8:1413
-msgid "DATA I U B E i u b e"
+#: original/man8/iptables-extensions.8:951
+msgid "The quota in bytes."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1508 original/man8/iptables.8:1415
-msgid "ABORT T t"
+#. type: SS
+#: original/man8/iptables-extensions.8:951
+#, no-wrap
+msgid "rateest"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1510 original/man8/iptables.8:1417
-msgid "SHUTDOWN_COMPLETE T t"
+#: original/man8/iptables-extensions.8:955
+msgid ""
+"The rate estimator can match on estimated rates as collected by the RATEEST "
+"target. It supports matching on absolute bps/pps values, comparing two rate "
+"estimators and matching on the difference between two rate estimators."
msgstr ""
+#. * Absolute:
#. type: Plain text
-#: original/man8/ip6tables.8:1512 original/man8/iptables.8:1419
-msgid "(lowercase means flag should be \"off\", uppercase means \"on\")"
+#: original/man8/iptables-extensions.8:959
+msgid ""
+"For a better understanding of the available options, these are all possible "
+"combinations:"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1516 original/man8/iptables.8:1423
-msgid "iptables -A INPUT -p sctp --dport 80 -j DROP"
+#: original/man8/iptables-extensions.8:961
+msgid "B<rateest> I<operator> B<rateest-bps>"
msgstr ""
+#. * Absolute + Delta:
#. type: Plain text
-#: original/man8/ip6tables.8:1518 original/man8/iptables.8:1425
-msgid "iptables -A INPUT -p sctp --chunk-types any DATA,INIT -j DROP"
+#: original/man8/iptables-extensions.8:964
+msgid "B<rateest> I<operator> B<rateest-pps>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1520 original/man8/iptables.8:1427
-msgid "iptables -A INPUT -p sctp --chunk-types any DATA:Be -j ACCEPT"
-msgstr ""
-
-#. type: SS
-#: original/man8/ip6tables.8:1520 original/man8/iptables.8:1427
-#, no-wrap
-msgid "set"
+#: original/man8/iptables-extensions.8:966
+msgid "(B<rateest> minus B<rateest-bps1>) I<operator> B<rateest-bps2>"
msgstr ""
+#. * Relative:
#. type: Plain text
-#: original/man8/ip6tables.8:1522 original/man8/iptables.8:1429
-#, fuzzy
-#| msgid "This module matches the SPIs in AH header of IPSec packets."
-msgid "This module matches IP sets which can be defined by ipset(8)."
-msgstr "このモジュールは IPSec パケットの AH ヘッダーの SPI 値にマッチする。"
-
-#. type: TP
-#: original/man8/ip6tables.8:1522 original/man8/iptables.8:1429
-#, no-wrap
-msgid "[B<!>] B<--match-set> I<setname> I<flag>[B<,>I<flag>]..."
+#: original/man8/iptables-extensions.8:969
+msgid "(B<rateest> minus B<rateest-pps1>) I<operator> B<rateest-pps2>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1529 original/man8/iptables.8:1436
-msgid ""
-"where flags are the comma separated list of B<src> and/or B<dst> "
-"specifications and there can be no more than six of them. Hence the command"
+#: original/man8/iptables-extensions.8:971
+msgid "B<rateest1> I<operator> B<rateest2> B<rateest-bps>(without rate!)"
msgstr ""
+#. * Relative + Delta:
#. type: Plain text
-#: original/man8/ip6tables.8:1531 original/man8/iptables.8:1438
-#, fuzzy, no-wrap
-#| msgid " iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN\n"
-msgid " iptables -A FORWARD -m set --match-set test src,dst\n"
-msgstr " iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN\n"
-
-#. type: Plain text
-#: original/man8/ip6tables.8:1537 original/man8/iptables.8:1444
-msgid ""
-"will match packets, for which (if the set type is ipportmap) the source "
-"address and destination port pair can be found in the specified set. If the "
-"set type of the specified set is single dimension (for example ipmap), then "
-"the command will match packets for which the source address can be found in "
-"the specified set."
+#: original/man8/iptables-extensions.8:974
+msgid "B<rateest1> I<operator> B<rateest2> B<rateest-pps>(without rate!)"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1540 original/man8/iptables.8:1447
+#: original/man8/iptables-extensions.8:977
msgid ""
-"The option B<--match-set> can be replaced by B<--set> if that does not clash "
-"with an option of other extensions."
+"(B<rateest1> minus B<rateest-bps1>) I<operator> (B<rateest2> minus B<rateest-"
+"bps2>)"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1543 original/man8/iptables.8:1450
+#: original/man8/iptables-extensions.8:980
msgid ""
-"Use of -m set requires that ipset kernel support is provided, which, for "
-"standard kernels, is the case since Linux 2.6.39."
+"(B<rateest1> minus B<rateest-pps1>) I<operator> (B<rateest2> minus B<rateest-"
+"pps2>)"
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:1543 original/man8/iptables.8:1450
+#. type: TP
+#: original/man8/iptables-extensions.8:980
#, no-wrap
-msgid "socket"
+msgid "B<--rateest-delta>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1546 original/man8/iptables.8:1453
+#: original/man8/iptables-extensions.8:987
msgid ""
-"This matches if an open socket can be found by doing a socket lookup on the "
-"packet."
+"For each estimator (either absolute or relative mode), calculate the "
+"difference between the estimator-determined flow rate and the static value "
+"chosen with the BPS/PPS options. If the flow rate is higher than the "
+"specified BPS/PPS, 0 will be used instead of a negative value. In other "
+"words, \"max(0, rateest#_rate - rateest#_bps)\" is used."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1546 original/man8/iptables.8:1453
+#: original/man8/iptables-extensions.8:987
#, no-wrap
-msgid "B<--transparent>"
+msgid "[B<!>] B<--rateest-lt>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1549 original/man8/iptables.8:1456
-msgid "Ignore non-transparent sockets."
+#: original/man8/iptables-extensions.8:990
+msgid "Match if rate is less than given rate/estimator."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:1549 original/man8/iptables.8:1456
+#. type: TP
+#: original/man8/iptables-extensions.8:990
#, no-wrap
-msgid "state"
-msgstr "state"
+msgid "[B<!>] B<--rateest-gt>"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1552 original/man8/iptables.8:1459
-msgid ""
-"This module, when combined with connection tracking, allows access to the "
-"connection tracking state for this packet."
+#: original/man8/iptables-extensions.8:993
+msgid "Match if rate is greater than given rate/estimator."
msgstr ""
-"このモジュールは、接続追跡 (connection tracking) と組み合わせて用いると、 パ"
-"ケットについての接続追跡状態を知ることができる。"
#. type: TP
-#: original/man8/ip6tables.8:1552 original/man8/iptables.8:1459
-#, fuzzy, no-wrap
-#| msgid "B<--state >I<state>"
-msgid "[B<!>] B<--state> I<state>"
-msgstr "B<--state >I<state>"
-
-#. type: Plain text
-#: original/man8/ip6tables.8:1574 original/man8/iptables.8:1481
-#, fuzzy
-#| msgid ""
-#| "Where state is a comma separated list of the connection states to match. "
-#| "Possible states are B<INVALID> meaning that the packet could not be "
-#| "identified for some reason which includes running out of memory and ICMP "
-#| "errors which don't correspond to any known connection, B<ESTABLISHED> "
-#| "meaning that the packet is associated with a connection which has seen "
-#| "packets in both directions, B<NEW> meaning that the packet has started a "
-#| "new connection, or otherwise associated with a connection which has not "
-#| "seen packets in both directions, and B<RELATED> meaning that the packet "
-#| "is starting a new connection, but is associated with an existing "
-#| "connection, such as an FTP data transfer, or an ICMP error."
-msgid ""
-"Where state is a comma separated list of the connection states to match. "
-"Possible states are B<INVALID> meaning that the packet could not be "
-"identified for some reason which includes running out of memory and ICMP "
-"errors which don't correspond to any known connection, B<ESTABLISHED> "
-"meaning that the packet is associated with a connection which has seen "
-"packets in both directions, B<NEW> meaning that the packet has started a new "
-"connection, or otherwise associated with a connection which has not seen "
-"packets in both directions, and B<RELATED> meaning that the packet is "
-"starting a new connection, but is associated with an existing connection, "
-"such as an FTP data transfer, or an ICMP error. B<UNTRACKED> meaning that "
-"the packet is not tracked at all, which happens if you use the NOTRACK "
-"target in raw table."
-msgstr ""
-"state は、マッチングを行うための、コンマで区切られた接続状態のリストである。 "
-"指定可能な state は以下の通り。 B<INVALID>: このパケットは既知の接続と関係し"
-"ていない。 B<ESTABLISHED>: このパケットは、過去双方向にパケットがやり取りされ"
-"た接続に属するパケットである。 B<NEW>: このパケットが新しい接続を開始した"
-"か、 双方向にはパケットがやり取りされていない接続に属するパケットである。 "
-"B<RELATED>: このパケットが新しい接続を開始しているが、 FTP データ転送や ICMP "
-"エラーのように、既存の接続に関係している。"
-
-#. type: SS
-#: original/man8/ip6tables.8:1574 original/man8/iptables.8:1481
+#: original/man8/iptables-extensions.8:993
#, no-wrap
-msgid "statistic"
+msgid "[B<!>] B<--rateest-eq>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1579 original/man8/iptables.8:1486
-msgid ""
-"This module matches packets based on some statistic condition. It supports "
-"two distinct modes settable with the B<--mode> option."
+#: original/man8/iptables-extensions.8:996
+msgid "Match if rate is equal to given rate/estimator."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1581 original/man8/iptables.8:1488
-msgid "Supported options:"
+#: original/man8/iptables-extensions.8:1000
+msgid ""
+"In the so-called \"absolute mode\", only one rate estimator is used and "
+"compared against a static value, while in \"relative mode\", two rate "
+"estimators are compared against another."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1581 original/man8/iptables.8:1488
+#: original/man8/iptables-extensions.8:1000
#, fuzzy, no-wrap
-#| msgid "B<--cmd-owner >I<name>"
-msgid "B<--mode> I<mode>"
-msgstr "B<--cmd-owner >I<name>"
+#| msgid "B<-t>, B<--table> B<tablename>"
+msgid "B<--rateest> I<name>"
+msgstr "B<-t>, B<--table> B<tablename>"
#. type: Plain text
-#: original/man8/ip6tables.8:1587 original/man8/iptables.8:1494
-msgid ""
-"Set the matching mode of the matching rule, supported modes are B<random> "
-"and B<nth.>"
+#: original/man8/iptables-extensions.8:1003
+msgid "Name of the one rate estimator for absolute mode."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1587 original/man8/iptables.8:1494
+#: original/man8/iptables-extensions.8:1003
#, fuzzy, no-wrap
#| msgid "B<-t>, B<--table> B<tablename>"
-msgid "[B<!>] B<--probability> I<p>"
+msgid "B<--rateest1> I<name>"
msgstr "B<-t>, B<--table> B<tablename>"
-#. type: Plain text
-#: original/man8/ip6tables.8:1592 original/man8/iptables.8:1499
-msgid ""
-"Set the probability for a packet to be randomly matched. It only works with "
-"the B<random> mode. I<p> must be within 0.0 and 1.0. The supported "
-"granularity is in 1/2147483648th increments."
-msgstr ""
-
#. type: TP
-#: original/man8/ip6tables.8:1592 original/man8/iptables.8:1499
+#: original/man8/iptables-extensions.8:1005
#, fuzzy, no-wrap
#| msgid "B<-t>, B<--table> B<tablename>"
-msgid "[B<!>] B<--every> I<n>"
+msgid "B<--rateest2> I<name>"
msgstr "B<-t>, B<--table> B<tablename>"
#. type: Plain text
-#: original/man8/ip6tables.8:1599 original/man8/iptables.8:1506
-msgid ""
-"Match one packet every nth packet. It works only with the B<nth> mode (see "
-"also the B<--packet> option)."
+#: original/man8/iptables-extensions.8:1008
+msgid "The names of the two rate estimators for relative mode."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1599 original/man8/iptables.8:1506
-#, no-wrap
-msgid "B<--packet> I<p>"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:1604 original/man8/iptables.8:1511
-msgid ""
-"Set the initial counter value (0 E<lt>= p E<lt>= n-1, default 0) for the "
-"B<nth> mode."
-msgstr ""
+#: original/man8/iptables-extensions.8:1008
+#, fuzzy, no-wrap
+#| msgid "B<--set-mss >I<value>"
+msgid "B<--rateest-bps> [I<value>]"
+msgstr "B<--set-mss >I<value>"
-#. type: SS
-#: original/man8/ip6tables.8:1604 original/man8/iptables.8:1511
-#, no-wrap
-msgid "string"
+#. type: TP
+#: original/man8/iptables-extensions.8:1010
+#, fuzzy, no-wrap
+#| msgid "B<--set-mss >I<value>"
+msgid "B<--rateest-pps> [I<value>]"
+msgstr "B<--set-mss >I<value>"
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1012
+#, fuzzy, no-wrap
+#| msgid "B<--set-mss >I<value>"
+msgid "B<--rateest-bps1> [I<value>]"
+msgstr "B<--set-mss >I<value>"
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1014
+#, fuzzy, no-wrap
+#| msgid "B<--set-mss >I<value>"
+msgid "B<--rateest-bps2> [I<value>]"
+msgstr "B<--set-mss >I<value>"
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1016
+#, fuzzy, no-wrap
+#| msgid "B<--set-mss >I<value>"
+msgid "B<--rateest-pps1> [I<value>]"
+msgstr "B<--set-mss >I<value>"
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1018
+#, fuzzy, no-wrap
+#| msgid "B<--set-mss >I<value>"
+msgid "B<--rateest-pps2> [I<value>]"
+msgstr "B<--set-mss >I<value>"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1024
+msgid ""
+"Compare the estimator(s) by bytes or packets per second, and compare against "
+"the chosen value. See the above bullet list for which option is to be used "
+"in which case. A unit suffix may be used - available ones are: bit, [kmgt]"
+"bit, [KMGT]ibit, Bps, [KMGT]Bps, [KMGT]iBps."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1606 original/man8/iptables.8:1513
+#: original/man8/iptables-extensions.8:1028
msgid ""
-"This modules matches a given string by using some pattern matching strategy. "
-"It requires a linux kernel E<gt>= 2.6.14."
+"Example: This is what can be used to route outgoing data connections from an "
+"FTP server over two lines based on the available bandwidth at the time the "
+"data connection was started:"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1606 original/man8/iptables.8:1513
-#, no-wrap
-msgid "B<--algo> {B<bm>|B<kmp>}"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1030
+msgid "# Estimate outgoing rates"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1609 original/man8/iptables.8:1516
+#: original/man8/iptables-extensions.8:1033
msgid ""
-"Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-"
-"Morris)"
+"iptables -t mangle -A POSTROUTING -o eth0 -j RATEEST --rateest-name eth0 --"
+"rateest-interval 250ms --rateest-ewma 0.5s"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1609 original/man8/iptables.8:1516
-#, fuzzy, no-wrap
-#| msgid "B<--tos >I<tos>"
-msgid "B<--from> I<offset>"
-msgstr "B<--tos >I<tos>"
-
#. type: Plain text
-#: original/man8/ip6tables.8:1612 original/man8/iptables.8:1519
+#: original/man8/iptables-extensions.8:1036
msgid ""
-"Set the offset from which it starts looking for any matching. If not passed, "
-"default is 0."
+"iptables -t mangle -A POSTROUTING -o ppp0 -j RATEEST --rateest-name ppp0 --"
+"rateest-interval 250ms --rateest-ewma 0.5s"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1612 original/man8/iptables.8:1519
-#, fuzzy, no-wrap
-#| msgid "B<--tos >I<tos>"
-msgid "B<--to> I<offset>"
-msgstr "B<--tos >I<tos>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1038
+msgid "# Mark based on available bandwidth"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1617 original/man8/iptables.8:1524
+#: original/man8/iptables-extensions.8:1042
msgid ""
-"Set the offset up to which should be scanned. That is, byte I<offset>-1 "
-"(counting from 0) is the last one that is scanned. If not passed, default "
-"is the packet size."
+"iptables -t mangle -A balance -m conntrack --ctstate NEW -m helper --helper "
+"ftp -m rateest --rateest-delta --rateest1 eth0 --rateest-bps1 2.5mbit --"
+"rateest-gt --rateest2 ppp0 --rateest-bps2 2mbit -j CONNMARK --set-mark 1"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1617 original/man8/iptables.8:1524
-#, no-wrap
-msgid "[B<!>] B<--string> I<pattern>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1046
+msgid ""
+"iptables -t mangle -A balance -m conntrack --ctstate NEW -m helper --helper "
+"ftp -m rateest --rateest-delta --rateest1 ppp0 --rateest-bps1 2mbit --"
+"rateest-gt --rateest2 eth0 --rateest-bps2 2.5mbit -j CONNMARK --set-mark 2"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1620 original/man8/iptables.8:1527
-#, fuzzy
-#| msgid "Matches the given TTL value."
-msgid "Matches the given pattern."
-msgstr "指定された TTL 値にマッチする。"
+#: original/man8/iptables-extensions.8:1048
+msgid "iptables -t mangle -A balance -j CONNMARK --restore-mark"
+msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:1620 original/man8/iptables.8:1527
+#. type: SS
+#: original/man8/iptables-extensions.8:1048
#, no-wrap
-msgid "[B<!>] B<--hex-string> I<pattern>"
+msgid "realm (IPv4-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1623 original/man8/iptables.8:1530
-#, fuzzy
-#| msgid "Matches the given TTL value."
-msgid "Matches the given pattern in hex notation."
-msgstr "指定された TTL 値にマッチする。"
+#: original/man8/iptables-extensions.8:1051
+msgid ""
+"This matches the routing realm. Routing realms are used in complex routing "
+"setups involving dynamic routing protocols like BGP."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1051
+#, fuzzy, no-wrap
+#| msgid "B<--mark >I<value>[/I<mask>]"
+msgid "[B<!>] B<--realm> I<value>[B</>I<mask>]"
+msgstr "B<--mark >I<value>[/I<mask>]"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1056
+msgid ""
+"Matches a given realm number (and optionally mask). If not a number, value "
+"can be a named realm from /etc/iproute2/rt_realms (mask can not be used in "
+"that case)."
+msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:1623 original/man8/iptables.8:1530
+#: original/man8/iptables-extensions.8:1056
#, no-wrap
-msgid "tcp"
-msgstr "tcp"
+msgid "recent"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1626 original/man8/iptables.8:1533
-#, fuzzy
-#| msgid ""
-#| "These extensions are loaded if `--protocol tcp' is specified. It provides "
-#| "the following options:"
+#: original/man8/iptables-extensions.8:1059
msgid ""
-"These extensions can be used if `--protocol tcp' is specified. It provides "
-"the following options:"
+"Allows you to dynamically create a list of IP addresses and then match "
+"against that list in a few different ways."
msgstr ""
-"これらの拡張は `--protocol tcp' が指定され場合にロードされ、 以下のオプション"
-"が提供される:"
#. type: Plain text
-#: original/man8/ip6tables.8:1637 original/man8/iptables.8:1544
-#, fuzzy
-#| msgid ""
-#| "Source port or port range specification. This can either be a service "
-#| "name or a port number. An inclusive range can also be specified, using "
-#| "the format I<port>:I<port>. If the first port is omitted, \"0\" is "
-#| "assumed; if the last is omitted, \"65535\" is assumed. If the second "
-#| "port greater then the first they will be swapped. The flag B<--sport> is "
-#| "a convenient alias for this option."
+#: original/man8/iptables-extensions.8:1063
msgid ""
-"Source port or port range specification. This can either be a service name "
-"or a port number. An inclusive range can also be specified, using the format "
-"I<first>B<:>I<last>. If the first port is omitted, \"0\" is assumed; if the "
-"last is omitted, \"65535\" is assumed. If the first port is greater than "
-"the second one they will be swapped. The flag B<--sport> is a convenient "
-"alias for this option."
+"For example, you can create a \"badguy\" list out of people attempting to "
+"connect to port 139 on your firewall and then DROP all future packets from "
+"them without considering them."
msgstr ""
-"送信元ポートまたはポート範囲の指定。 サービス名またはポート番号を指定で\n"
-"きる。 I<port>:I<port> という形式で、2 つの番号を含む範囲を指定すること\n"
-"もできる。 最初のポートを省略した場合、\"0\" を仮定する。 最後のポートを\n"
-"省略した場合、\"65535\" を仮定する。 最初のポートが最後のポートより大きい\n"
-"場合、2 つは入れ換えられる。 フラグ B<--sport> は、このオプションの便利\n"
-"な別名である。"
#. type: Plain text
-#: original/man8/ip6tables.8:1642 original/man8/iptables.8:1549
+#: original/man8/iptables-extensions.8:1066
msgid ""
-"Destination port or port range specification. The flag B<--dport> is a "
-"convenient alias for this option."
+"B<--set>, B<--rcheck>, B<--update> and B<--remove> are mutually exclusive."
msgstr ""
-"送信先ポートまたはポート範囲の指定。 フラグ B<--dport> は、このオプションの便"
-"利な別名である。"
#. type: TP
-#: original/man8/ip6tables.8:1642 original/man8/iptables.8:1549
+#: original/man8/iptables-extensions.8:1066
#, fuzzy, no-wrap
-#| msgid "B<--tcp-flags >[!] I<mask> I<comp>"
-msgid "[B<!>] B<--tcp-flags> I<mask> I<comp>"
-msgstr "B<--tcp-flags >[!] I<mask> I<comp>"
+#| msgid "B<--cmd-owner >I<name>"
+msgid "B<--name> I<name>"
+msgstr "B<--cmd-owner >I<name>"
#. type: Plain text
-#: original/man8/ip6tables.8:1650 original/man8/iptables.8:1557
-#, fuzzy
-#| msgid ""
-#| "Match when the TCP flags are as specified. The first argument is the "
-#| "flags which we should examine, written as a comma-separated list, and the "
-#| "second argument is a comma-separated list of flags which must be set. "
-#| "Flags are: B<SYN ACK FIN RST URG PSH ALL NONE>. Hence the command"
+#: original/man8/iptables-extensions.8:1070
msgid ""
-"Match when the TCP flags are as specified. The first argument I<mask> is "
-"the flags which we should examine, written as a comma-separated list, and "
-"the second argument I<comp> is a comma-separated list of flags which must be "
-"set. Flags are: B<SYN ACK FIN RST URG PSH ALL NONE>. Hence the command"
+"Specify the list to use for the commands. If no name is given then "
+"B<DEFAULT> will be used."
msgstr ""
-"TCP フラグが指定されたものと等しい場合にマッチする。 第 1 引き数は評価\n"
-"対象とするフラグで、コンマ区切りのリストである。 第 2 引き数は必ず設定\n"
-"しなければならないフラグで、コンマ区切りのリストである。 指定できるフラ\n"
-"グは B<SYN ACK FIN RST URG PSH ALL NONE> である。 よって、コマンド"
-#. type: Plain text
-#: original/man8/ip6tables.8:1652 original/man8/iptables.8:1559
-#, no-wrap
-msgid " iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN\n"
-msgstr " iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN\n"
+#. type: TP
+#: original/man8/iptables-extensions.8:1070
+#, fuzzy, no-wrap
+#| msgid "B<-v, --verbose>"
+msgid "[B<!>] B<--set>"
+msgstr "B<-v, --verbose>"
#. type: Plain text
-#: original/man8/ip6tables.8:1655 original/man8/iptables.8:1562
+#: original/man8/iptables-extensions.8:1075
msgid ""
-"will only match packets with the SYN flag set, and the ACK, FIN and RST "
-"flags unset."
+"This will add the source address of the packet to the list. If the source "
+"address is already in the list, this will update the existing entry. This "
+"will always return success (or failure if B<!> is passed in)."
msgstr ""
-"は、SYN フラグが設定され ACK, FIN, RST フラグが設定されていない パケットにの"
-"みマッチする。"
#. type: TP
-#: original/man8/ip6tables.8:1655 original/man8/iptables.8:1562
-#, fuzzy, no-wrap
-#| msgid "B<[!] --syn>"
-msgid "[B<!>] B<--syn>"
-msgstr "B<[!] --syn>"
+#: original/man8/iptables-extensions.8:1075
+#, no-wrap
+msgid "B<--rsource>"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1665 original/man8/iptables.8:1572
-#, fuzzy
-#| msgid ""
-#| "Only match TCP packets with the SYN bit set and the ACK and RST bits "
-#| "cleared. Such packets are used to request TCP connection initiation; for "
-#| "example, blocking such packets coming in an interface will prevent "
-#| "incoming TCP connections, but outgoing TCP connections will be "
-#| "unaffected. It is equivalent to B<--tcp-flags SYN,RST,ACK SYN>. If the "
-#| "\"!\" flag precedes the \"--syn\", the sense of the option is inverted."
+#: original/man8/iptables-extensions.8:1079
msgid ""
-"Only match TCP packets with the SYN bit set and the ACK,RST and FIN bits "
-"cleared. Such packets are used to request TCP connection initiation; for "
-"example, blocking such packets coming in an interface will prevent incoming "
-"TCP connections, but outgoing TCP connections will be unaffected. It is "
-"equivalent to B<--tcp-flags SYN,RST,ACK,FIN SYN>. If the \"!\" flag "
-"precedes the \"--syn\", the sense of the option is inverted."
+"Match/save the source address of each packet in the recent list table. This "
+"is the default."
msgstr ""
-"SYN ビットが設定され ACK と RST ビットがクリアされている TCP パケットに\n"
-"のみマッチする。このようなパケットは TCP 接続の開始要求に使われる。例え\n"
-"ば、あるインターフェースに入ってくるこのようなパケットをブロックすれば、\n"
-"内側への TCP 接続は禁止されるが、外側への TCP 接続には影響しない。 これ\n"
-"は B<--tcp-flags SYN,RST,ACK SYN> と等しい。 \"--syn\" の前に \"!\" フラグ\n"
-"を置くと、 SYN ビットがクリアされ ACK と RST ビットが設定されている\n"
-"TCP パケットにのみマッチする。"
#. type: TP
-#: original/man8/ip6tables.8:1665 original/man8/iptables.8:1572
+#: original/man8/iptables-extensions.8:1079
#, fuzzy, no-wrap
-#| msgid "B<--tcp-option >[!] I<number>"
-msgid "[B<!>] B<--tcp-option> I<number>"
-msgstr "B<--tcp-option >[!] I<number>"
+#| msgid "B<--physdev-is-out>"
+msgid "B<--rdest>"
+msgstr "B<--physdev-is-out>"
#. type: Plain text
-#: original/man8/ip6tables.8:1668 original/man8/iptables.8:1575
-msgid "Match if TCP option set."
-msgstr "TCP オプションが設定されている場合にマッチする。"
+#: original/man8/iptables-extensions.8:1082
+msgid ""
+"Match/save the destination address of each packet in the recent list table."
+msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:1668 original/man8/iptables.8:1575
+#. type: TP
+#: original/man8/iptables-extensions.8:1082
#, no-wrap
-msgid "tcpmss"
+msgid "B<--mask>netmask"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1670 original/man8/iptables.8:1577
-msgid ""
-"This matches the TCP MSS (maximum segment size) field of the TCP header. "
-"You can only use this on TCP SYN or SYN/ACK packets, since the MSS is only "
-"negotiated during the TCP handshake at connection startup time."
+#: original/man8/iptables-extensions.8:1085
+msgid "Netmask that will be applied to this recent list."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1670 original/man8/iptables.8:1577
+#: original/man8/iptables-extensions.8:1085
#, fuzzy, no-wrap
-#| msgid "B<--mss >I<value>[:I<value>]"
-msgid "[B<!>] B<--mss> I<value>[B<:>I<value>]"
-msgstr "B<--mss >I<value>[:I<value>]"
+#| msgid "B<-c>, B<--counters>"
+msgid "[B<!>] B<--rcheck>"
+msgstr "B<-c>, B<--counters>"
#. type: Plain text
-#: original/man8/ip6tables.8:1673 original/man8/iptables.8:1580
-#, fuzzy
-#| msgid "Matches the given TTL value."
-msgid "Match a given TCP MSS value or range."
-msgstr "指定された TTL 値にマッチする。"
-
-#. type: SS
-#: original/man8/ip6tables.8:1673 original/man8/iptables.8:1580
-#, no-wrap
-msgid "time"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:1677 original/man8/iptables.8:1584
-msgid ""
-"This matches if the packet arrival time/date is within a given range. All "
-"options are optional, but are ANDed when specified. All times are "
-"interpreted as UTC by default."
-msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:1677 original/man8/iptables.8:1584
-#, no-wrap
-msgid "B<--datestart> I<YYYY>[B<->I<MM>[B<->I<DD>[B<T>I<hh>[B<:>I<mm>[B<:>I<ss>]]]]]"
+#: original/man8/iptables-extensions.8:1088
+msgid "Check if the source address of the packet is currently in the list."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1679 original/man8/iptables.8:1586
-#, no-wrap
-msgid "B<--datestop> I<YYYY>[B<->I<MM>[B<->I<DD>[B<T>I<hh>[B<:>I<mm>[B<:>I<ss>]]]]]"
-msgstr ""
+#: original/man8/iptables-extensions.8:1088
+#, fuzzy, no-wrap
+#| msgid "B<-c>, B<--counters>"
+msgid "[B<!>] B<--update>"
+msgstr "B<-c>, B<--counters>"
#. type: Plain text
-#: original/man8/ip6tables.8:1683 original/man8/iptables.8:1590
+#: original/man8/iptables-extensions.8:1092
msgid ""
-"Only match during the given time, which must be in ISO 8601 \"T\" notation. "
-"The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07."
+"Like B<--rcheck>, except it will update the \"last seen\" timestamp if it "
+"matches."
msgstr ""
+#. type: TP
+#: original/man8/iptables-extensions.8:1092
+#, fuzzy, no-wrap
+#| msgid "B<-v, --verbose>"
+msgid "[B<!>] B<--remove>"
+msgstr "B<-v, --verbose>"
+
#. type: Plain text
-#: original/man8/ip6tables.8:1686 original/man8/iptables.8:1593
+#: original/man8/iptables-extensions.8:1097
msgid ""
-"If --datestart or --datestop are not specified, it will default to "
-"1970-01-01 and 2038-01-19, respectively."
-msgstr ""
-
-#. type: TP
-#: original/man8/ip6tables.8:1686 original/man8/iptables.8:1593
-#, no-wrap
-msgid "B<--timestart> I<hh>B<:>I<mm>[B<:>I<ss>]"
+"Check if the source address of the packet is currently in the list and if so "
+"that address will be removed from the list and the rule will return true. If "
+"the address is not found, false is returned."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1688 original/man8/iptables.8:1595
-#, no-wrap
-msgid "B<--timestop> I<hh>B<:>I<mm>[B<:>I<ss>]"
-msgstr ""
+#: original/man8/iptables-extensions.8:1097
+#, fuzzy, no-wrap
+#| msgid "B<--set-tos >I<tos>"
+msgid "B<--seconds> I<seconds>"
+msgstr "B<--set-tos >I<tos>"
#. type: Plain text
-#: original/man8/ip6tables.8:1693 original/man8/iptables.8:1600
+#: original/man8/iptables-extensions.8:1102
msgid ""
-"Only match during the given daytime. The possible time range is 00:00:00 to "
-"23:59:59. Leading zeroes are allowed (e.g. \"06:03\") and correctly "
-"interpreted as base-10."
+"This option must be used in conjunction with one of B<--rcheck> or B<--"
+"update>. When used, this will narrow the match to only happen when the "
+"address is in the list and was seen within the last given number of seconds."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1693 original/man8/iptables.8:1600
+#: original/man8/iptables-extensions.8:1102
#, no-wrap
-msgid "[B<!>] B<--monthdays> I<day>[B<,>I<day>...]"
+msgid "B<--reap>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1699 original/man8/iptables.8:1606
+#: original/man8/iptables-extensions.8:1107
msgid ""
-"Only match on the given days of the month. Possible values are B<1> to "
-"B<31>. Note that specifying B<31> will of course not match on months which "
-"do not have a 31st day; the same goes for 28- or 29-day February."
+"This option can only be used in conjunction with B<--seconds>. When used, "
+"this will cause entries older than the last given number of seconds to be "
+"purged."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1699 original/man8/iptables.8:1606
-#, no-wrap
-msgid "[B<!>] B<--weekdays> I<day>[B<,>I<day>...]"
-msgstr ""
+#: original/man8/iptables-extensions.8:1107
+#, fuzzy, no-wrap
+#| msgid "B<--tos >I<tos>"
+msgid "B<--hitcount> I<hits>"
+msgstr "B<--tos >I<tos>"
#. type: Plain text
-#: original/man8/ip6tables.8:1705 original/man8/iptables.8:1612
+#: original/man8/iptables-extensions.8:1117
msgid ""
-"Only match on the given weekdays. Possible values are B<Mon>, B<Tue>, "
-"B<Wed>, B<Thu>, B<Fri>, B<Sat>, B<Sun>, or values from B<1> to B<7>, "
-"respectively. You may also use two-character variants (B<Mo>, B<Tu>, etc.)."
+"This option must be used in conjunction with one of B<--rcheck> or B<--"
+"update>. When used, this will narrow the match to only happen when the "
+"address is in the list and packets had been received greater than or equal "
+"to the given value. This option may be used along with B<--seconds> to "
+"create an even narrower match requiring a certain number of hits within a "
+"specific time frame. The maximum value for the hitcount parameter is given "
+"by the \"ip_pkt_list_tot\" parameter of the xt_recent kernel module. "
+"Exceeding this value on the command line will cause the rule to be rejected."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1705 original/man8/iptables.8:1612
-#, no-wrap
-msgid "B<--kerneltz>"
-msgstr ""
+#: original/man8/iptables-extensions.8:1117
+#, fuzzy, no-wrap
+#| msgid "B<--ttl >I<ttl>"
+msgid "B<--rttl>"
+msgstr "B<--ttl >I<ttl>"
#. type: Plain text
-#: original/man8/ip6tables.8:1709 original/man8/iptables.8:1616
+#: original/man8/iptables-extensions.8:1125
msgid ""
-"Use the kernel timezone instead of UTC to determine whether a packet meets "
-"the time regulations."
+"This option may only be used in conjunction with one of B<--rcheck> or B<--"
+"update>. When used, this will narrow the match to only happen when the "
+"address is in the list and the TTL of the current packet matches that of the "
+"packet which hit the B<--set> rule. This may be useful if you have problems "
+"with people faking their source address in order to DoS you via this module "
+"by disallowing others access to your site by sending bogus packets to you."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1715 original/man8/iptables.8:1622
+#: original/man8/iptables-extensions.8:1129
msgid ""
-"About kernel timezones: Linux keeps the system time in UTC, and always does "
-"so. On boot, system time is initialized from a referential time source. "
-"Where this time source has no timezone information, such as the x86 CMOS "
-"RTC, UTC will be assumed. If the time source is however not in UTC, "
-"userspace should provide the correct system time and timezone to the kernel "
-"once it has the information."
+"iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1726 original/man8/iptables.8:1633
+#: original/man8/iptables-extensions.8:1131
msgid ""
-"Local time is a feature on top of the (timezone independent) system time. "
-"Each process has its own idea of local time, specified via the TZ "
-"environment variable. The kernel also has its own timezone offset variable. "
-"The TZ userspace environment variable specifies how the UTC-based system "
-"time is displayed, e.g. when you run date(1), or what you see on your "
-"desktop clock. The TZ string may resolve to different offsets at different "
-"dates, which is what enables the automatic time-jumping in userspace. when "
-"DST changes. The kernel's timezone offset variable is used when it has to "
-"convert between non-UTC sources, such as FAT filesystems, to UTC (since the "
-"latter is what the rest of the system uses)."
+"iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set "
+"-j DROP"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1735 original/man8/iptables.8:1642
+#: original/man8/iptables-extensions.8:1134
msgid ""
-"The caveat with the kernel timezone is that Linux distributions may ignore "
-"to set the kernel timezone, and instead only set the system time. Even if a "
-"particular distribution does set the timezone at boot, it is usually does "
-"not keep the kernel timezone offset - which is what changes on DST - up to "
-"date. ntpd will not touch the kernel timezone, so running it will not "
-"resolve the issue. As such, one may encounter a timezone that is always "
-"+0000, or one that is wrong half of the time of the year. As such, B<using --"
-"kerneltz is highly discouraged.>"
+"Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/) also "
+"has some examples of usage."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1737 original/man8/iptables.8:1644
-msgid "EXAMPLES. To match on weekends, use:"
+#: original/man8/iptables-extensions.8:1137
+msgid ""
+"B</proc/net/xt_recent/*> are the current lists of addresses and information "
+"about each entry of each list."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1739 original/man8/iptables.8:1646
-msgid "-m time --weekdays Sa,Su"
+#: original/man8/iptables-extensions.8:1140
+msgid ""
+"Each file in B</proc/net/xt_recent/> can be read from to see the current "
+"list or written two using the following commands to modify the list:"
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1741 original/man8/iptables.8:1648
-msgid "Or, to match (once) on a national holiday block:"
+#. type: TP
+#: original/man8/iptables-extensions.8:1140
+#, no-wrap
+msgid "B<echo +>I<addr>B< E<gt>/proc/net/xt_recent/DEFAULT>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1743 original/man8/iptables.8:1650
-msgid "-m time --datestart 2007-12-24 --datestop 2007-12-27"
+#: original/man8/iptables-extensions.8:1143
+msgid "to add I<addr> to the DEFAULT list"
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1746 original/man8/iptables.8:1653
-msgid ""
-"Since the stop time is actually inclusive, you would need the following stop "
-"time to not match the first second of the new day:"
+#. type: TP
+#: original/man8/iptables-extensions.8:1143
+#, no-wrap
+msgid "B<echo ->I<addr>B< E<gt>/proc/net/xt_recent/DEFAULT>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1748 original/man8/iptables.8:1655
-msgid "-m time --datestart 2007-01-01T17:00 --datestop 2007-01-01T23:59:59"
+#: original/man8/iptables-extensions.8:1146
+msgid "to remove I<addr> from the DEFAULT list"
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1750 original/man8/iptables.8:1657
-msgid "During lunch hour:"
+#. type: TP
+#: original/man8/iptables-extensions.8:1146
+#, no-wrap
+msgid "B<echo / E<gt>/proc/net/xt_recent/DEFAULT>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1752 original/man8/iptables.8:1659
-msgid "-m time --timestart 12:30 --timestop 13:30"
+#: original/man8/iptables-extensions.8:1149
+msgid "to flush the DEFAULT list (remove all entries)."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1754 original/man8/iptables.8:1661
-msgid "The fourth Friday in the month:"
+#: original/man8/iptables-extensions.8:1151
+msgid "The module itself accepts parameters, defaults shown:"
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1756 original/man8/iptables.8:1663
-msgid "-m time --weekdays Fr --monthdays 22,23,24,25,26,27,28"
+#. type: TP
+#: original/man8/iptables-extensions.8:1151
+#, no-wrap
+msgid "B<ip_list_tot>=I<100>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1760 original/man8/iptables.8:1667
-msgid ""
-"(Note that this exploits a certain mathematical property. It is not possible "
-"to say \"fourth Thursday OR fourth Friday\" in one rule. It is possible with "
-"multiple rules, though.)"
+#: original/man8/iptables-extensions.8:1154
+msgid "Number of addresses remembered per table."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:1760 original/man8/iptables.8:1667
+#. type: TP
+#: original/man8/iptables-extensions.8:1154
#, no-wrap
-msgid "tos"
-msgstr "tos"
-
-#. type: Plain text
-#: original/man8/ip6tables.8:1764 original/man8/iptables.8:1671
-#, fuzzy
-#| msgid ""
-#| "This module matches the 8 bits of Type of Service field in the IP header "
-#| "(ie. including the precedence bits)."
-msgid ""
-"This module matches the 8-bit Type of Service field in the IPv4 header (i."
-"e. including the \"Precedence\" bits) or the (also 8-bit) Priority field in "
-"the IPv6 header."
+msgid "B<ip_pkt_list_tot>=I<20>"
msgstr ""
-"このモジュールは IP ヘッダーの 8 ビットの (つまり上位ビットを含む) Type of "
-"Service フィールドにマッチする。"
-
-#. type: TP
-#: original/man8/ip6tables.8:1764 original/man8/iptables.8:1671
-#, fuzzy, no-wrap
-#| msgid "B<--mark >I<value>[/I<mask>]"
-msgid "[B<!>] B<--tos> I<value>[B</>I<mask>]"
-msgstr "B<--mark >I<value>[/I<mask>]"
#. type: Plain text
-#: original/man8/ip6tables.8:1768 original/man8/iptables.8:1675
-#, fuzzy
-#| msgid ""
-#| "Matches packets with the given unsigned mark value (if a mask is "
-#| "specified, this is logically ANDed with the mask before the comparison)."
-msgid ""
-"Matches packets with the given TOS mark value. If a mask is specified, it is "
-"logically ANDed with the TOS mark before the comparison."
+#: original/man8/iptables-extensions.8:1157
+msgid "Number of packets per address remembered."
msgstr ""
-"指定された符号なし mark 値のパケットにマッチする (mask が指定されると、比較の"
-"前に mask との論理積 (AND) がとられる)。"
#. type: TP
-#: original/man8/ip6tables.8:1768 original/man8/iptables.8:1675
-#, fuzzy, no-wrap
-#| msgid "B<--tos >I<tos>"
-msgid "[B<!>] B<--tos> I<symbol>"
-msgstr "B<--tos >I<tos>"
+#: original/man8/iptables-extensions.8:1157
+#, no-wrap
+msgid "B<ip_list_hash_size>=I<0>"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1773 original/man8/iptables.8:1680
+#: original/man8/iptables-extensions.8:1160
msgid ""
-"You can specify a symbolic name when using the tos match for IPv4. The list "
-"of recognized TOS names can be obtained by calling iptables with B<-m tos -"
-"h>. Note that this implies a mask of 0x3F, i.e. all but the ECN bits."
+"Hash table size. 0 means to calculate it based on ip_list_tot, default: 512."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:1773 original/man8/iptables.8:1691
+#. type: TP
+#: original/man8/iptables-extensions.8:1160
#, no-wrap
-msgid "u32"
+msgid "B<ip_list_perms>=I<0644>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1777 original/man8/iptables.8:1695
-msgid ""
-"U32 tests whether quantities of up to 4 bytes extracted from a packet have "
-"specified values. The specification of what to extract is general enough to "
-"find data at given offsets from tcp headers or payloads."
+#: original/man8/iptables-extensions.8:1163
+msgid "Permissions for /proc/net/xt_recent/* files."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1777 original/man8/iptables.8:1695
+#: original/man8/iptables-extensions.8:1163
#, no-wrap
-msgid "[B<!>] B<--u32> I<tests>"
+msgid "B<ip_list_uid>=I<0>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1780 original/man8/iptables.8:1698
-msgid "The argument amounts to a program in a small language described below."
+#: original/man8/iptables-extensions.8:1166
+msgid "Numerical UID for ownership of /proc/net/xt_recent/* files."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1782 original/man8/iptables.8:1700
-msgid "tests := location \"=\" value | tests \"&&\" location \"=\" value"
+#. type: TP
+#: original/man8/iptables-extensions.8:1166
+#, no-wrap
+msgid "B<ip_list_gid>=I<0>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1784 original/man8/iptables.8:1702
-msgid "value := range | value \",\" range"
+#: original/man8/iptables-extensions.8:1169
+msgid "Numerical GID for ownership of /proc/net/xt_recent/* files."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1786 original/man8/iptables.8:1704
-msgid "range := number | number \":\" number"
-msgstr ""
+#. type: SS
+#: original/man8/iptables-extensions.8:1169
+#, fuzzy, no-wrap
+#| msgid "B<filter>:"
+msgid "rpfilter"
+msgstr "B<filter>:"
#. type: Plain text
-#: original/man8/ip6tables.8:1789 original/man8/iptables.8:1707
+#: original/man8/iptables-extensions.8:1178
msgid ""
-"a single number, I<n>, is interpreted the same as I<n:n>. I<n:m> is "
-"interpreted as the range of numbers B<E<gt>=n> and B<E<lt>=m>."
+"Performs a reverse path filter test on a packet. If a reply to the packet "
+"would be sent via the same interface that the packet arrived on, the packet "
+"will match. Note that, unlike the in-kernel rp_filter, packets protected by "
+"IPSec are not treated specially. Combine this match with the policy match "
+"if you want this. Also, packets arriving via the loopback interface are "
+"always permitted. This match can only be used in the PREROUTING chain of "
+"the raw or mangle table."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1791 original/man8/iptables.8:1709
-msgid "location := number | location operator number"
-msgstr ""
+#. type: TP
+#: original/man8/iptables-extensions.8:1178
+#, fuzzy, no-wrap
+#| msgid "B<--tos >I<tos>"
+msgid "B<--loose>"
+msgstr "B<--tos >I<tos>"
#. type: Plain text
-#: original/man8/ip6tables.8:1793 original/man8/iptables.8:1711
-msgid "operator := \"&\" | \"E<lt>E<lt>\" | \"E<gt>E<gt>\" | \"@\""
+#: original/man8/iptables-extensions.8:1182
+msgid ""
+"Used to specifiy that the reverse path filter test should match even if the "
+"selected output device is not the expected one."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1798 original/man8/iptables.8:1716
-msgid ""
-"The operators B<&>, B<E<lt>E<lt>>, B<E<gt>E<gt>> and B<&&> mean the same as "
-"in C. The B<=> is really a set membership operator and the value syntax "
-"describes a set. The B<@> operator is what allows moving to the next header "
-"and is described further below."
+#. type: TP
+#: original/man8/iptables-extensions.8:1182
+#, no-wrap
+msgid "B<--validmark>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1801 original/man8/iptables.8:1719
+#: original/man8/iptables-extensions.8:1185
msgid ""
-"There are currently some artificial implementation limits on the size of the "
-"tests:"
+"Also use the packets' nfmark value when performing the reverse path route "
+"lookup."
msgstr ""
-#. type: IP
-#: original/man8/ip6tables.8:1801 original/man8/ip6tables.8:1803
-#: original/man8/ip6tables.8:1805 original/man8/iptables.8:1719
-#: original/man8/iptables.8:1721 original/man8/iptables.8:1723
+#. type: TP
+#: original/man8/iptables-extensions.8:1185
#, no-wrap
-msgid " *"
+msgid "B<--accept-local>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1803 original/man8/iptables.8:1721
-msgid "no more than 10 of \"B<=>\" (and 9 \"B<&&>\"s) in the u32 argument"
+#: original/man8/iptables-extensions.8:1189
+msgid ""
+"This will permit packets arriving from the network with a source address "
+"that is also assigned to the local machine."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1805 original/man8/iptables.8:1723
-msgid "no more than 10 ranges (and 9 commas) per value"
-msgstr ""
+#. type: TP
+#: original/man8/iptables-extensions.8:1189
+#, fuzzy, no-wrap
+#| msgid "B<-I, --insert>"
+msgid "B<--invert>"
+msgstr "B<-I, --insert>"
#. type: Plain text
-#: original/man8/ip6tables.8:1807 original/man8/iptables.8:1725
-msgid "no more than 10 numbers (and 9 operators) per location"
+#: original/man8/iptables-extensions.8:1193
+msgid ""
+"This will invert the sense of the match. Instead of matching packets that "
+"passed the reverse path filter test, match those that have failed it."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1810 original/man8/iptables.8:1728
-msgid ""
-"To describe the meaning of location, imagine the following machine that "
-"interprets it. There are three registers:"
+#: original/man8/iptables-extensions.8:1195
+msgid "Example to log and drop packets failing the reverse path filter test:"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1812 original/man8/iptables.8:1730
-msgid "A is of type B<char *>, initially the address of the IP header"
-msgstr ""
+#: original/man8/iptables-extensions.8:1197
+#, fuzzy
+#| msgid " iptables -t nat -n -L\n"
+msgid "iptables -t raw -N RPFILTER"
+msgstr " iptables -t nat -n -L\n"
#. type: Plain text
-#: original/man8/ip6tables.8:1814 original/man8/iptables.8:1732
-msgid "B and C are unsigned 32 bit integers, initially zero"
+#: original/man8/iptables-extensions.8:1199
+msgid "iptables -t raw -A RPFILTER -m rpfilter -j RETURN"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1816 original/man8/iptables.8:1734
-msgid "The instructions are:"
+#: original/man8/iptables-extensions.8:1201
+msgid ""
+"iptables -t raw -A RPFILTER -m limit --limit 10/minute -j NFLOG --nflog-"
+"prefix \"rpfilter drop\""
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1818 original/man8/iptables.8:1736
-msgid "number B = number;"
+#: original/man8/iptables-extensions.8:1203
+msgid "iptables -t raw -A RPFILTER -j DROP"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1820 original/man8/iptables.8:1738
-msgid ""
-"C = (*(A+B)E<lt>E<lt>24) + (*(A+B+1)E<lt>E<lt>16) + (*(A+B+2)E<lt>E<lt>8) + *"
-"(A+B+3)"
+#: original/man8/iptables-extensions.8:1205
+msgid "iptables -t raw -A PREROUTING -j RPFILTER"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1822 original/man8/iptables.8:1740
-msgid "&number C = C & number"
+#: original/man8/iptables-extensions.8:1207
+msgid "Example to drop failed packets, without logging:"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1824 original/man8/iptables.8:1742
-msgid "E<lt>E<lt> number C = C E<lt>E<lt> number"
+#: original/man8/iptables-extensions.8:1209
+msgid "iptables -t raw -A RPFILTER -m rpfilter --invert -j DROP"
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1826 original/man8/iptables.8:1744
-msgid "E<gt>E<gt> number C = C E<gt>E<gt> number"
+#. type: SS
+#: original/man8/iptables-extensions.8:1209
+#, no-wrap
+msgid "rt (IPv6-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1828 original/man8/iptables.8:1746
-msgid "@number A = A + C; then do the instruction number"
+#: original/man8/iptables-extensions.8:1211
+msgid "Match on IPv6 routing header"
msgstr ""
+#. type: TP
+#: original/man8/iptables-extensions.8:1211
+#, fuzzy, no-wrap
+#| msgid "B<--icmp-type >[!] I<typename>"
+msgid "[B<!>] B<--rt-type> I<type>"
+msgstr "B<--icmp-type >[!] I<typename>"
+
#. type: Plain text
-#: original/man8/ip6tables.8:1831 original/man8/iptables.8:1749
-msgid ""
-"Any access of memory outside [skb-E<gt>data,skb-E<gt>end] causes the match "
-"to fail. Otherwise the result of the computation is the final value of C."
+#: original/man8/iptables-extensions.8:1214
+msgid "Match the type (numeric)."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1835 original/man8/iptables.8:1753
-msgid ""
-"Whitespace is allowed but not required in the tests. However, the characters "
-"that do occur there are likely to require shell quoting, so it is a good "
-"idea to enclose the arguments in quotes."
+#. type: TP
+#: original/man8/iptables-extensions.8:1214
+#, no-wrap
+msgid "[B<!>] B<--rt-segsleft> I<num>[B<:>I<num>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1839 original/man8/iptables.8:1757
-msgid "match IP packets with total length E<gt>= 256"
+#: original/man8/iptables-extensions.8:1217
+msgid "Match the `segments left' field (range)."
msgstr ""
+#. type: TP
+#: original/man8/iptables-extensions.8:1217
+#, fuzzy, no-wrap
+#| msgid "B<-t>, B<--table> B<tablename>"
+msgid "[B<!>] B<--rt-len> I<length>"
+msgstr "B<-t>, B<--table> B<tablename>"
+
#. type: Plain text
-#: original/man8/ip6tables.8:1841 original/man8/iptables.8:1759
-msgid "The IP header contains a total length field in bytes 2-3."
+#: original/man8/iptables-extensions.8:1220
+msgid "Match the length of this header."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1843 original/man8/iptables.8:1761
-msgid "--u32 \"B<0 & 0xFFFF = 0x100:0xFFFF>\""
+#. type: TP
+#: original/man8/iptables-extensions.8:1220
+#, no-wrap
+msgid "B<--rt-0-res>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1845 original/man8/iptables.8:1763
-msgid "read bytes 0-3"
+#: original/man8/iptables-extensions.8:1223
+msgid "Match the reserved field, too (type=0)"
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1848 original/man8/iptables.8:1766
-msgid ""
-"AND that with 0xFFFF (giving bytes 2-3), and test whether that is in the "
-"range [0x100:0xFFFF]"
+#. type: TP
+#: original/man8/iptables-extensions.8:1223
+#, no-wrap
+msgid "B<--rt-0-addrs> I<addr>[B<,>I<addr>...]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1850 original/man8/iptables.8:1768
-msgid "Example: (more realistic, hence more complicated)"
+#: original/man8/iptables-extensions.8:1226
+msgid "Match type=0 addresses (list)."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1852 original/man8/iptables.8:1770
-msgid "match ICMP packets with icmp type 0"
+#. type: TP
+#: original/man8/iptables-extensions.8:1226
+#, no-wrap
+msgid "B<--rt-0-not-strict>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1854 original/man8/iptables.8:1772
-msgid "First test that it is an ICMP packet, true iff byte 9 (protocol) = 1"
+#: original/man8/iptables-extensions.8:1229
+msgid "List of type=0 addresses is not a strict list."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1856 original/man8/iptables.8:1774
-msgid "--u32 \"B<6 & 0xFF = 1 &&> ..."
+#. type: SS
+#: original/man8/iptables-extensions.8:1229
+#, no-wrap
+msgid "sctp"
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1863 original/man8/iptables.8:1781
-msgid ""
-"read bytes 6-9, use B<&> to throw away bytes 6-8 and compare the result to "
-"1. Next test that it is not a fragment. (If so, it might be part of such a "
-"packet but we cannot always tell.) N.B.: This test is generally needed if "
-"you want to match anything beyond the IP header. The last 6 bits of byte 6 "
-"and all of byte 7 are 0 iff this is a complete packet (not a fragment). "
-"Alternatively, you can allow first fragments by only testing the last 5 bits "
-"of byte 6."
+#. type: TP
+#: original/man8/iptables-extensions.8:1234
+#, no-wrap
+msgid "[B<!>] B<--chunk-types> {B<all>|B<any>|B<only>} I<chunktype>[B<:>I<flags>] [...]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1865 original/man8/iptables.8:1783
-msgid "... B<4 & 0x3FFF = 0 &&> ..."
+#: original/man8/iptables-extensions.8:1238
+msgid ""
+"The flag letter in upper case indicates that the flag is to match if set, in "
+"the lower case indicates to match if unset."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1869 original/man8/iptables.8:1787
+#: original/man8/iptables-extensions.8:1240
msgid ""
-"Last test: the first byte past the IP header (the type) is 0. This is where "
-"we have to use the @syntax. The length of the IP header (IHL) in 32 bit "
-"words is stored in the right half of byte 0 of the IP header itself."
+"Chunk types: DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN "
+"SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE "
+"ASCONF ASCONF_ACK FORWARD_TSN"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1871 original/man8/iptables.8:1789
-msgid "... B<0 E<gt>E<gt> 22 & 0x3C @ 0 E<gt>E<gt> 24 = 0>\""
+#: original/man8/iptables-extensions.8:1242
+msgid "chunk type available flags"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1883 original/man8/iptables.8:1801
-msgid ""
-"The first 0 means read bytes 0-3, B<E<gt>E<gt>22> means shift that 22 bits "
-"to the right. Shifting 24 bits would give the first byte, so only 22 bits is "
-"four times that plus a few more bits. B<&3C> then eliminates the two extra "
-"bits on the right and the first four bits of the first byte. For instance, "
-"if IHL=5, then the IP header is 20 (4 x 5) bytes long. In this case, bytes "
-"0-1 are (in binary) xxxx0101 yyzzzzzz, B<E<gt>E<gt>22> gives the 10 bit "
-"value xxxx0101yy and B<&3C> gives 010100. B<@> means to use this number as a "
-"new offset into the packet, and read four bytes starting from there. This is "
-"the first 4 bytes of the ICMP payload, of which byte 0 is the ICMP type. "
-"Therefore, we simply shift the value 24 to the right to throw out all but "
-"the first byte and compare the result with 0."
+#: original/man8/iptables-extensions.8:1244
+msgid "DATA I U B E i u b e"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1887 original/man8/iptables.8:1805
-msgid "TCP payload bytes 8-12 is any of 1, 2, 5 or 8"
+#: original/man8/iptables-extensions.8:1246
+msgid "ABORT T t"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1889 original/man8/iptables.8:1807
-msgid "First we test that the packet is a tcp packet (similar to ICMP)."
+#: original/man8/iptables-extensions.8:1248
+msgid "SHUTDOWN_COMPLETE T t"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1891 original/man8/iptables.8:1809
-msgid "--u32 \"B<6 & 0xFF = 6 &&> ..."
+#: original/man8/iptables-extensions.8:1250
+msgid "(lowercase means flag should be \"off\", uppercase means \"on\")"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1893 original/man8/iptables.8:1811
-msgid "Next, test that it is not a fragment (same as above)."
+#: original/man8/iptables-extensions.8:1254
+msgid "iptables -A INPUT -p sctp --dport 80 -j DROP"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1895 original/man8/iptables.8:1813
-msgid "... B<0 E<gt>E<gt> 22 & 0x3C @ 12 E<gt>E<gt> 26 & 0x3C @ 8 = 1,2,5,8>\""
+#: original/man8/iptables-extensions.8:1256
+msgid "iptables -A INPUT -p sctp --chunk-types any DATA,INIT -j DROP"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1903 original/man8/iptables.8:1821
-msgid ""
-"B<0E<gt>E<gt>22&3C> as above computes the number of bytes in the IP header. "
-"B<@> makes this the new offset into the packet, which is the start of the "
-"TCP header. The length of the TCP header (again in 32 bit words) is the left "
-"half of byte 12 of the TCP header. The B<12E<gt>E<gt>26&3C> computes this "
-"length in bytes (similar to the IP header before). \"@\" makes this the new "
-"offset, which is the start of the TCP payload. Finally, 8 reads bytes 8-12 "
-"of the payload and B<=> checks whether the result is any of 1, 2, 5 or 8."
+#: original/man8/iptables-extensions.8:1258
+msgid "iptables -A INPUT -p sctp --chunk-types any DATA:Be -j ACCEPT"
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:1903 original/man8/iptables.8:1821
+#: original/man8/iptables-extensions.8:1258
#, no-wrap
-msgid "udp"
-msgstr "udp"
+msgid "set"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1906 original/man8/iptables.8:1824
+#: original/man8/iptables-extensions.8:1260
#, fuzzy
-#| msgid ""
-#| "These extensions are loaded if `--protocol udp' is specified. It "
-#| "provides the following options:"
-msgid ""
-"These extensions can be used if `--protocol udp' is specified. It provides "
-"the following options:"
+#| msgid "This module matches the SPIs in AH header of IPSec packets."
+msgid "This module matches IP sets which can be defined by ipset(8)."
+msgstr "このモジュールは IPSec パケットの AH ヘッダーの SPI 値にマッチする。"
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1260
+#, no-wrap
+msgid "[B<!>] B<--match-set> I<setname> I<flag>[B<,>I<flag>]..."
msgstr ""
-"これらの拡張は `--protocol udp' が指定された場合にロードされ、 以下のオプショ"
-"ンが提供される:"
#. type: Plain text
-#: original/man8/ip6tables.8:1912 original/man8/iptables.8:1830
+#: original/man8/iptables-extensions.8:1267
msgid ""
-"Source port or port range specification. See the description of the B<--"
-"source-port> option of the TCP extension for details."
+"where flags are the comma separated list of B<src> and/or B<dst> "
+"specifications and there can be no more than six of them. Hence the command"
msgstr ""
-"送信元ポートまたはポート範囲の指定。 詳細は TCP 拡張の B<--source-port> オプ"
-"ションの説明を参照すること。"
#. type: Plain text
-#: original/man8/ip6tables.8:1918 original/man8/iptables.8:1836
+#: original/man8/iptables-extensions.8:1269
+#, fuzzy, no-wrap
+#| msgid " iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN\n"
+msgid " iptables -A FORWARD -m set --match-set test src,dst\n"
+msgstr " iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN\n"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1275
msgid ""
-"Destination port or port range specification. See the description of the "
-"B<--destination-port> option of the TCP extension for details."
+"will match packets, for which (if the set type is ipportmap) the source "
+"address and destination port pair can be found in the specified set. If the "
+"set type of the specified set is single dimension (for example ipmap), then "
+"the command will match packets for which the source address can be found in "
+"the specified set."
msgstr ""
-"送信先ポートまたはポート範囲の指定。 詳細は TCP 拡張の B<--destination-port> "
-"オプションの説明を参照すること。"
-#. type: SH
-#: original/man8/ip6tables.8:1918 original/man8/iptables.8:1839
+#. type: TP
+#: original/man8/iptables-extensions.8:1275
#, no-wrap
-msgid "TARGET EXTENSIONS"
-msgstr "ターゲットの拡張"
+msgid "B<--return--nomatch>"
+msgstr ""
-#. @TARGET@
#. type: Plain text
-#: original/man8/ip6tables.8:1922
+#: original/man8/iptables-extensions.8:1281
msgid ""
-"ip6tables can use extended target modules: the following are included in the "
-"standard distribution."
+"If the B<--return--nomatch> option is specified and the set type supports "
+"the B<nomatch> flag, then the matching is reversed: a match with an element "
+"flagged with B<nomatch> returns B<true>, while a match with a plain element "
+"returns B<false>."
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1284
+msgid ""
+"The option B<--match-set> can be replaced by B<--set> if that does not clash "
+"with an option of other extensions."
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1287
+msgid ""
+"Use of -m set requires that ipset kernel support is provided, which, for "
+"standard kernels, is the case since Linux 2.6.39."
msgstr ""
-"iptables は拡張ターゲットモジュールを使うことができる: 以下のものが、標準的な"
-"ディストリビューションに含まれている。"
#. type: SS
-#: original/man8/ip6tables.8:1922 original/man8/iptables.8:1843
+#: original/man8/iptables-extensions.8:1287
#, no-wrap
-msgid "AUDIT"
+msgid "socket"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1926 original/man8/iptables.8:1847
+#: original/man8/iptables-extensions.8:1290
msgid ""
-"This target allows to create audit records for packets hitting the target. "
-"It can be used to record accepted, dropped, and rejected packets. See auditd"
-"(8) for additional details."
+"This matches if an open socket can be found by doing a socket lookup on the "
+"packet."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1926 original/man8/iptables.8:1847
+#: original/man8/iptables-extensions.8:1290
#, no-wrap
-msgid "B<--type> {B<accept>|B<drop>|B<reject>}"
+msgid "B<--transparent>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1929 original/man8/iptables.8:1850
-msgid "Set type of audit record."
+#: original/man8/iptables-extensions.8:1293
+msgid "Ignore non-transparent sockets."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1933 original/man8/iptables.8:1854
-#, fuzzy
-#| msgid " iptables -j TOS -h\n"
-msgid "iptables -N AUDIT_DROP"
-msgstr " iptables -j TOS -h\n"
-
-#. type: Plain text
-#: original/man8/ip6tables.8:1935 original/man8/iptables.8:1856
-msgid "iptables -A AUDIT_DROP -j AUDIT --type drop"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:1937 original/man8/iptables.8:1858
-#, fuzzy
-#| msgid " iptables -j TOS -h\n"
-msgid "iptables -A AUDIT_DROP -j DROP"
-msgstr " iptables -j TOS -h\n"
-
#. type: SS
-#: original/man8/ip6tables.8:1937 original/man8/iptables.8:1858
+#: original/man8/iptables-extensions.8:1293
#, no-wrap
-msgid "CHECKSUM"
-msgstr ""
+msgid "state"
+msgstr "state"
#. type: Plain text
-#: original/man8/ip6tables.8:1940 original/man8/iptables.8:1861
+#: original/man8/iptables-extensions.8:1296
#, fuzzy
#| msgid ""
-#| "This target allows to selectively work around known ECN blackholes. It "
-#| "can only be used in the mangle table."
+#| "This module, when combined with connection tracking, allows access to the "
+#| "connection tracking state for this packet."
msgid ""
-"This target allows to selectively work around broken/old applications. It "
-"can only be used in the mangle table."
+"The \"state\" extension is a subset of the \"conntrack\" module. \"state\" "
+"allows access to the connection tracking state for this packet."
msgstr ""
-"ã\81\93ã\81®ã\82¿ã\83¼ã\82²ã\83\83ã\83\88ã\81¯ ECN ã\83\96ã\83©ã\83\83ã\82¯ã\83\9bã\83¼ã\83«å\95\8fé¡\8cã\81¸ã\81®å¯¾å\87¦ã\82\92å\8f¯è\83½ã\81«ã\81\99ã\82\8bã\80\82 mangle ã\83\86ã\83¼ã\83\96ã\83«"
-"ã\81§ã\81®ã\81¿ä½¿ç\94¨できる。"
+"ã\81\93ã\81®ã\83¢ã\82¸ã\83¥ã\83¼ã\83«ã\81¯ã\80\81æ\8e¥ç¶\9a追跡 (connection tracking) ã\81¨çµ\84ã\81¿å\90\88ã\82\8fã\81\9bã\81¦ç\94¨ã\81\84ã\82\8bã\81¨ã\80\81 ã\83\91"
+"ã\82±ã\83\83ã\83\88ã\81«ã\81¤ã\81\84ã\81¦ã\81®æ\8e¥ç¶\9a追跡ç\8a¶æ\85\8bã\82\92ç\9f¥ã\82\8bã\81\93ã\81¨ã\81\8cできる。"
#. type: TP
-#: original/man8/ip6tables.8:1940 original/man8/iptables.8:1861
-#, no-wrap
-msgid "B<--checksum-fill>"
-msgstr ""
+#: original/man8/iptables-extensions.8:1296
+#, fuzzy, no-wrap
+#| msgid "B<--state >I<state>"
+msgid "[B<!>] B<--state> I<state>"
+msgstr "B<--state >I<state>"
#. type: Plain text
-#: original/man8/ip6tables.8:1946 original/man8/iptables.8:1867
+#: original/man8/iptables-extensions.8:1302
msgid ""
-"Compute and fill in the checksum in a packet that lacks a checksum. This is "
-"particularly useful, if you need to work around old applications such as "
-"dhcp clients, that do not work well with checksum offloads, but don't want "
-"to disable checksum offload in your device."
+"Where state is a comma separated list of the connection states to match. "
+"Only a subset of the states unterstood by \"conntrack\" are recognized: "
+"B<INVALID>, B<ESTABLISHED>, B<NEW>, B<RELATED> or B<UNTRACKED>. For their "
+"description, see the \"conntrack\" heading in this manpage."
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:1946 original/man8/iptables.8:1867
+#: original/man8/iptables-extensions.8:1302
#, no-wrap
-msgid "CLASSIFY"
+msgid "statistic"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1948 original/man8/iptables.8:1869
+#: original/man8/iptables-extensions.8:1307
msgid ""
-"This module allows you to set the skb-E<gt>priority value (and thus classify "
-"the packet into a specific CBQ class)."
+"This module matches packets based on some statistic condition. It supports "
+"two distinct modes settable with the B<--mode> option."
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1309
+msgid "Supported options:"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1948 original/man8/iptables.8:1869
+#: original/man8/iptables-extensions.8:1309
#, fuzzy, no-wrap
-#| msgid "B<--set-mark >I<mark>"
-msgid "B<--set-class> I<major>B<:>I<minor>"
-msgstr "B<--set-mark >I<mark>"
+#| msgid "B<--cmd-owner >I<name>"
+msgid "B<--mode> I<mode>"
+msgstr "B<--cmd-owner >I<name>"
#. type: Plain text
-#: original/man8/ip6tables.8:1952 original/man8/iptables.8:1873
+#: original/man8/iptables-extensions.8:1315
msgid ""
-"Set the major and minor class value. The values are always interpreted as "
-"hexadecimal even if no 0x prefix is given."
+"Set the matching mode of the matching rule, supported modes are B<random> "
+"and B<nth.>"
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:1952 original/man8/iptables.8:1898
+#. type: TP
+#: original/man8/iptables-extensions.8:1315
#, fuzzy, no-wrap
-#| msgid "MARK"
-msgid "CONNMARK"
-msgstr "MARK"
+#| msgid "B<-t>, B<--table> B<tablename>"
+msgid "[B<!>] B<--probability> I<p>"
+msgstr "B<-t>, B<--table> B<tablename>"
#. type: Plain text
-#: original/man8/ip6tables.8:1955 original/man8/iptables.8:1901
-#, fuzzy
-#| msgid ""
-#| "This is used to set the netfilter mark value associated with the packet. "
-#| "It is only valid in the B<mangle> table."
+#: original/man8/iptables-extensions.8:1320
msgid ""
-"This module sets the netfilter mark value associated with a connection. The "
-"mark is 32 bits wide."
+"Set the probability for a packet to be randomly matched. It only works with "
+"the B<random> mode. I<p> must be within 0.0 and 1.0. The supported "
+"granularity is in 1/2147483648th increments."
msgstr ""
-"パケットに関連づけられた netfilter の mark 値を指定する。 B<mangle> テーブル"
-"のみで有効である。"
#. type: TP
-#: original/man8/ip6tables.8:1955 original/man8/ip6tables.8:2138
-#: original/man8/iptables.8:1901 original/man8/iptables.8:2114
+#: original/man8/iptables-extensions.8:1320
#, fuzzy, no-wrap
-#| msgid "B<--mark >I<value>[/I<mask>]"
-msgid "B<--set-xmark> I<value>[B</>I<mask>]"
-msgstr "B<--mark >I<value>[/I<mask>]"
+#| msgid "B<-t>, B<--table> B<tablename>"
+msgid "[B<!>] B<--every> I<n>"
+msgstr "B<-t>, B<--table> B<tablename>"
#. type: Plain text
-#: original/man8/ip6tables.8:1958 original/man8/iptables.8:1904
-msgid "Zero out the bits given by I<mask> and XOR I<value> into the ctmark."
+#: original/man8/iptables-extensions.8:1327
+msgid ""
+"Match one packet every nth packet. It works only with the B<nth> mode (see "
+"also the B<--packet> option)."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1958 original/man8/iptables.8:1904
+#: original/man8/iptables-extensions.8:1327
#, no-wrap
-msgid "B<--save-mark> [B<--nfmask> I<nfmask>] [B<--ctmask> I<ctmask>]"
+msgid "B<--packet> I<p>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1962 original/man8/iptables.8:1908
+#: original/man8/iptables-extensions.8:1332
msgid ""
-"Copy the packet mark (nfmark) to the connection mark (ctmark) using the "
-"given masks. The new nfmark value is determined as follows:"
+"Set the initial counter value (0 E<lt>= p E<lt>= n-1, default 0) for the "
+"B<nth> mode."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1964 original/man8/iptables.8:1910
-msgid "ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)"
+#. type: SS
+#: original/man8/iptables-extensions.8:1332
+#, no-wrap
+msgid "string"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1968 original/man8/iptables.8:1914
+#: original/man8/iptables-extensions.8:1334
msgid ""
-"i.e. I<ctmask> defines what bits to clear and I<nfmask> what bits of the "
-"nfmark to XOR into the ctmark. I<ctmask> and I<nfmask> default to 0xFFFFFFFF."
+"This modules matches a given string by using some pattern matching strategy. "
+"It requires a linux kernel E<gt>= 2.6.14."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1968 original/man8/iptables.8:1914
+#: original/man8/iptables-extensions.8:1334
#, no-wrap
-msgid "B<--restore-mark> [B<--nfmask> I<nfmask>] [B<--ctmask> I<ctmask>]"
+msgid "B<--algo> {B<bm>|B<kmp>}"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1972 original/man8/iptables.8:1918
+#: original/man8/iptables-extensions.8:1337
msgid ""
-"Copy the connection mark (ctmark) to the packet mark (nfmark) using the "
-"given masks. The new ctmark value is determined as follows:"
+"Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-"
+"Morris)"
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:1974 original/man8/iptables.8:1920
-msgid "nfmark = (nfmark & ~I<nfmask>) ^ (ctmark & I<ctmask>);"
-msgstr ""
+#. type: TP
+#: original/man8/iptables-extensions.8:1337
+#, fuzzy, no-wrap
+#| msgid "B<--tos >I<tos>"
+msgid "B<--from> I<offset>"
+msgstr "B<--tos >I<tos>"
#. type: Plain text
-#: original/man8/ip6tables.8:1978 original/man8/iptables.8:1924
+#: original/man8/iptables-extensions.8:1340
msgid ""
-"i.e. I<nfmask> defines what bits to clear and I<ctmask> what bits of the "
-"ctmark to XOR into the nfmark. I<ctmask> and I<nfmask> default to 0xFFFFFFFF."
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:1980 original/man8/iptables.8:1926
-msgid "B<--restore-mark> is only valid in the B<mangle> table."
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:1982 original/man8/iptables.8:1928
-msgid "The following mnemonics are available for B<--set-xmark>:"
+"Set the offset from which it starts looking for any matching. If not passed, "
+"default is 0."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1982 original/man8/ip6tables.8:2148
-#: original/man8/iptables.8:1928 original/man8/iptables.8:2124
+#: original/man8/iptables-extensions.8:1340
#, fuzzy, no-wrap
-#| msgid "B<--set-mark >I<mark>"
-msgid "B<--and-mark> I<bits>"
-msgstr "B<--set-mark >I<mark>"
+#| msgid "B<--tos >I<tos>"
+msgid "B<--to> I<offset>"
+msgstr "B<--tos >I<tos>"
#. type: Plain text
-#: original/man8/ip6tables.8:1986 original/man8/iptables.8:1932
+#: original/man8/iptables-extensions.8:1345
msgid ""
-"Binary AND the ctmark with I<bits>. (Mnemonic for B<--set-xmark 0/"
-">I<invbits>, where I<invbits> is the binary negation of I<bits>.)"
+"Set the offset up to which should be scanned. That is, byte I<offset>-1 "
+"(counting from 0) is the last one that is scanned. If not passed, default "
+"is the packet size."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:1986 original/man8/ip6tables.8:2152
-#: original/man8/iptables.8:1932 original/man8/iptables.8:2128
-#, fuzzy, no-wrap
-#| msgid "B<--set-mark >I<mark>"
-msgid "B<--or-mark> I<bits>"
-msgstr "B<--set-mark >I<mark>"
+#: original/man8/iptables-extensions.8:1345
+#, no-wrap
+msgid "[B<!>] B<--string> I<pattern>"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1990 original/man8/iptables.8:1936
-msgid ""
-"Binary OR the ctmark with I<bits>. (Mnemonic for B<--set-xmark> I<bits>B</"
-">I<bits>.)"
-msgstr ""
+#: original/man8/iptables-extensions.8:1348
+#, fuzzy
+#| msgid "Matches the given TTL value."
+msgid "Matches the given pattern."
+msgstr "指定された TTL 値にマッチする。"
#. type: TP
-#: original/man8/ip6tables.8:1990 original/man8/ip6tables.8:2156
-#: original/man8/iptables.8:1936 original/man8/iptables.8:2132
-#, fuzzy, no-wrap
-#| msgid "B<--set-mark >I<mark>"
-msgid "B<--xor-mark> I<bits>"
-msgstr "B<--set-mark >I<mark>"
+#: original/man8/iptables-extensions.8:1348
+#, no-wrap
+msgid "[B<!>] B<--hex-string> I<pattern>"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:1994 original/man8/iptables.8:1940
-msgid ""
-"Binary XOR the ctmark with I<bits>. (Mnemonic for B<--set-xmark> "
-"I<bits>B</0>.)"
-msgstr ""
+#: original/man8/iptables-extensions.8:1351
+#, fuzzy
+#| msgid "Matches the given TTL value."
+msgid "Matches the given pattern in hex notation."
+msgstr "指定された TTL 値にマッチする。"
-#. type: TP
-#: original/man8/ip6tables.8:1994 original/man8/ip6tables.8:2142
-#: original/man8/iptables.8:1940 original/man8/iptables.8:2118
-#, fuzzy, no-wrap
-#| msgid "B<--mark >I<value>[/I<mask>]"
-msgid "B<--set-mark> I<value>[B</>I<mask>]"
-msgstr "B<--mark >I<value>[/I<mask>]"
+#. type: SS
+#: original/man8/iptables-extensions.8:1351
+#, no-wrap
+msgid "tcp"
+msgstr "tcp"
#. type: Plain text
-#: original/man8/ip6tables.8:1998 original/man8/iptables.8:1944
+#: original/man8/iptables-extensions.8:1354
+#, fuzzy
+#| msgid ""
+#| "These extensions are loaded if `--protocol tcp' is specified. It provides "
+#| "the following options:"
msgid ""
-"Set the connection mark. If a mask is specified then only those bits set in "
-"the mask are modified."
+"These extensions can be used if `--protocol tcp' is specified. It provides "
+"the following options:"
msgstr ""
+"これらの拡張は `--protocol tcp' が指定され場合にロードされ、 以下のオプション"
+"が提供される:"
-#. type: TP
-#: original/man8/ip6tables.8:1998 original/man8/iptables.8:1944
-#, fuzzy, no-wrap
-#| msgid "B<--set-mark >I<mark>"
-msgid "B<--save-mark> [B<--mask> I<mask>]"
-msgstr "B<--set-mark >I<mark>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1365
+#, fuzzy
+#| msgid ""
+#| "Source port or port range specification. This can either be a service "
+#| "name or a port number. An inclusive range can also be specified, using "
+#| "the format I<port>:I<port>. If the first port is omitted, \"0\" is "
+#| "assumed; if the last is omitted, \"65535\" is assumed. If the second "
+#| "port greater then the first they will be swapped. The flag B<--sport> is "
+#| "a convenient alias for this option."
+msgid ""
+"Source port or port range specification. This can either be a service name "
+"or a port number. An inclusive range can also be specified, using the format "
+"I<first>B<:>I<last>. If the first port is omitted, \"0\" is assumed; if the "
+"last is omitted, \"65535\" is assumed. If the first port is greater than "
+"the second one they will be swapped. The flag B<--sport> is a convenient "
+"alias for this option."
+msgstr ""
+"送信元ポートまたはポート範囲の指定。 サービス名またはポート番号を指定で\n"
+"きる。 I<port>:I<port> という形式で、2 つの番号を含む範囲を指定すること\n"
+"もできる。 最初のポートを省略した場合、\"0\" を仮定する。 最後のポートを\n"
+"省略した場合、\"65535\" を仮定する。 最初のポートが最後のポートより大きい\n"
+"場合、2 つは入れ換えられる。 フラグ B<--sport> は、このオプションの便利\n"
+"な別名である。"
#. type: Plain text
-#: original/man8/ip6tables.8:2002 original/man8/iptables.8:1948
+#: original/man8/iptables-extensions.8:1370
msgid ""
-"Copy the nfmark to the ctmark. If a mask is specified, only those bits are "
-"copied."
+"Destination port or port range specification. The flag B<--dport> is a "
+"convenient alias for this option."
msgstr ""
+"送信先ポートまたはポート範囲の指定。 フラグ B<--dport> は、このオプションの便"
+"利な別名である。"
#. type: TP
-#: original/man8/ip6tables.8:2002 original/man8/iptables.8:1948
+#: original/man8/iptables-extensions.8:1370
#, fuzzy, no-wrap
-#| msgid "B<--set-mark >I<mark>"
-msgid "B<--restore-mark> [B<--mask> I<mask>]"
-msgstr "B<--set-mark >I<mark>"
+#| msgid "B<--tcp-flags >[!] I<mask> I<comp>"
+msgid "[B<!>] B<--tcp-flags> I<mask> I<comp>"
+msgstr "B<--tcp-flags >[!] I<mask> I<comp>"
#. type: Plain text
-#: original/man8/ip6tables.8:2006 original/man8/iptables.8:1952
+#: original/man8/iptables-extensions.8:1378
#, fuzzy
#| msgid ""
-#| "This is used to set the netfilter mark value associated with the packet. "
-#| "It is only valid in the B<mangle> table."
+#| "Match when the TCP flags are as specified. The first argument is the "
+#| "flags which we should examine, written as a comma-separated list, and the "
+#| "second argument is a comma-separated list of flags which must be set. "
+#| "Flags are: B<SYN ACK FIN RST URG PSH ALL NONE>. Hence the command"
msgid ""
-"Copy the ctmark to the nfmark. If a mask is specified, only those bits are "
-"copied. This is only valid in the B<mangle> table."
+"Match when the TCP flags are as specified. The first argument I<mask> is "
+"the flags which we should examine, written as a comma-separated list, and "
+"the second argument I<comp> is a comma-separated list of flags which must be "
+"set. Flags are: B<SYN ACK FIN RST URG PSH ALL NONE>. Hence the command"
msgstr ""
-"パケットに関連づけられた netfilter の mark 値を指定する。 B<mangle> テーブル"
-"のみで有効である。"
+"TCP フラグが指定されたものと等しい場合にマッチする。 第 1 引き数は評価\n"
+"対象とするフラグで、コンマ区切りのリストである。 第 2 引き数は必ず設定\n"
+"しなければならないフラグで、コンマ区切りのリストである。 指定できるフラ\n"
+"グは B<SYN ACK FIN RST URG PSH ALL NONE> である。 よって、コマンド"
-#. type: SS
-#: original/man8/ip6tables.8:2006 original/man8/iptables.8:1952
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1380
#, no-wrap
-msgid "CONNSECMARK"
-msgstr ""
+msgid " iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN\n"
+msgstr " iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN\n"
#. type: Plain text
-#: original/man8/ip6tables.8:2016 original/man8/iptables.8:1962
+#: original/man8/iptables-extensions.8:1383
msgid ""
-"This module copies security markings from packets to connections (if "
-"unlabeled), and from connections back to packets (also only if unlabeled). "
-"Typically used in conjunction with SECMARK, it is valid in the B<security> "
-"table (for backwards compatibility with older kernels, it is also valid in "
-"the B<mangle> table)."
+"will only match packets with the SYN flag set, and the ACK, FIN and RST "
+"flags unset."
msgstr ""
+"は、SYN フラグが設定され ACK, FIN, RST フラグが設定されていない パケットにの"
+"みマッチする。"
#. type: TP
-#: original/man8/ip6tables.8:2016 original/man8/iptables.8:1962
-#, no-wrap
-msgid "B<--save>"
-msgstr ""
+#: original/man8/iptables-extensions.8:1383
+#, fuzzy, no-wrap
+#| msgid "B<[!] --syn>"
+msgid "[B<!>] B<--syn>"
+msgstr "B<[!] --syn>"
#. type: Plain text
-#: original/man8/ip6tables.8:2020 original/man8/iptables.8:1966
+#: original/man8/iptables-extensions.8:1393
+#, fuzzy
+#| msgid ""
+#| "Only match TCP packets with the SYN bit set and the ACK and RST bits "
+#| "cleared. Such packets are used to request TCP connection initiation; for "
+#| "example, blocking such packets coming in an interface will prevent "
+#| "incoming TCP connections, but outgoing TCP connections will be "
+#| "unaffected. It is equivalent to B<--tcp-flags SYN,RST,ACK SYN>. If the "
+#| "\"!\" flag precedes the \"--syn\", the sense of the option is inverted."
msgid ""
-"If the packet has a security marking, copy it to the connection if the "
-"connection is not marked."
+"Only match TCP packets with the SYN bit set and the ACK,RST and FIN bits "
+"cleared. Such packets are used to request TCP connection initiation; for "
+"example, blocking such packets coming in an interface will prevent incoming "
+"TCP connections, but outgoing TCP connections will be unaffected. It is "
+"equivalent to B<--tcp-flags SYN,RST,ACK,FIN SYN>. If the \"!\" flag "
+"precedes the \"--syn\", the sense of the option is inverted."
msgstr ""
+"SYN ビットが設定され ACK と RST ビットがクリアされている TCP パケットに\n"
+"のみマッチする。このようなパケットは TCP 接続の開始要求に使われる。例え\n"
+"ば、あるインターフェースに入ってくるこのようなパケットをブロックすれば、\n"
+"内側への TCP 接続は禁止されるが、外側への TCP 接続には影響しない。 これ\n"
+"は B<--tcp-flags SYN,RST,ACK SYN> と等しい。 \"--syn\" の前に \"!\" フラグ\n"
+"を置くと、 SYN ビットがクリアされ ACK と RST ビットが設定されている\n"
+"TCP パケットにのみマッチする。"
#. type: TP
-#: original/man8/ip6tables.8:2020 original/man8/iptables.8:1966
+#: original/man8/iptables-extensions.8:1393
+#, fuzzy, no-wrap
+#| msgid "B<--tcp-option >[!] I<number>"
+msgid "[B<!>] B<--tcp-option> I<number>"
+msgstr "B<--tcp-option >[!] I<number>"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1396
+msgid "Match if TCP option set."
+msgstr "TCP オプションが設定されている場合にマッチする。"
+
+#. type: SS
+#: original/man8/iptables-extensions.8:1396
#, no-wrap
-msgid "B<--restore>"
+msgid "tcpmss"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2024 original/man8/iptables.8:1970
+#: original/man8/iptables-extensions.8:1398
msgid ""
-"If the packet does not have a security marking, and the connection does, "
-"copy the security marking from the connection to the packet."
+"This matches the TCP MSS (maximum segment size) field of the TCP header. "
+"You can only use this on TCP SYN or SYN/ACK packets, since the MSS is only "
+"negotiated during the TCP handshake at connection startup time."
msgstr ""
+#. type: TP
+#: original/man8/iptables-extensions.8:1398
+#, fuzzy, no-wrap
+#| msgid "B<--mss >I<value>[:I<value>]"
+msgid "[B<!>] B<--mss> I<value>[B<:>I<value>]"
+msgstr "B<--mss >I<value>[:I<value>]"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1401
+#, fuzzy
+#| msgid "Matches the given TTL value."
+msgid "Match a given TCP MSS value or range."
+msgstr "指定された TTL 値にマッチする。"
+
#. type: SS
-#: original/man8/ip6tables.8:2025 original/man8/iptables.8:1971
+#: original/man8/iptables-extensions.8:1401
#, no-wrap
-msgid "CT"
+msgid "time"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2030 original/man8/iptables.8:1976
+#: original/man8/iptables-extensions.8:1405
msgid ""
-"The CT target allows to set parameters for a packet or its associated "
-"connection. The target attaches a \"template\" connection tracking entry to "
-"the packet, which is then used by the conntrack core when initializing a new "
-"ct entry. This target is thus only valid in the \"raw\" table."
+"This matches if the packet arrival time/date is within a given range. All "
+"options are optional, but are ANDed when specified. All times are "
+"interpreted as UTC by default."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:2030 original/man8/iptables.8:1976
+#: original/man8/iptables-extensions.8:1405
#, no-wrap
-msgid "B<--notrack>"
+msgid "B<--datestart> I<YYYY>[B<->I<MM>[B<->I<DD>[B<T>I<hh>[B<:>I<mm>[B<:>I<ss>]]]]]"
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:2033 original/man8/iptables.8:1979
-msgid "Disables connection tracking for this packet."
+#. type: TP
+#: original/man8/iptables-extensions.8:1407
+#, no-wrap
+msgid "B<--datestop> I<YYYY>[B<->I<MM>[B<->I<DD>[B<T>I<hh>[B<:>I<mm>[B<:>I<ss>]]]]]"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2033 original/man8/iptables.8:1979
-#, fuzzy, no-wrap
-#| msgid "B<--helper >I<string>"
-msgid "B<--helper> I<name>"
-msgstr "B<--helper >I<string>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1411
+msgid ""
+"Only match during the given time, which must be in ISO 8601 \"T\" notation. "
+"The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07."
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2037 original/man8/iptables.8:1983
+#: original/man8/iptables-extensions.8:1414
msgid ""
-"Use the helper identified by I<name> for the connection. This is more "
-"flexible than loading the conntrack helper modules with preset ports."
+"If --datestart or --datestop are not specified, it will default to "
+"1970-01-01 and 2038-01-19, respectively."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:2037 original/man8/iptables.8:1983
+#: original/man8/iptables-extensions.8:1414
#, no-wrap
-msgid "B<--ctevents> I<event>[B<,>...]"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/ip6tables.8:2043 original/man8/iptables.8:1989
-msgid ""
-"Only generate the specified conntrack events for this connection. Possible "
-"event types are: B<new>, B<related>, B<destroy>, B<reply>, B<assured>, "
-"B<protoinfo>, B<helper>, B<mark> (this refers to the ctmark, not nfmark), "
-"B<natseqinfo>, B<secmark> (ctsecmark)."
+msgid "B<--timestart> I<hh>B<:>I<mm>[B<:>I<ss>]"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:2043 original/man8/iptables.8:1989
+#: original/man8/iptables-extensions.8:1416
#, no-wrap
-msgid "B<--expevents> I<event>[B<,>...]"
+msgid "B<--timestop> I<hh>B<:>I<mm>[B<:>I<ss>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2047 original/man8/iptables.8:1993
+#: original/man8/iptables-extensions.8:1421
msgid ""
-"Only generate the specified expectation events for this connection. "
-"Possible event types are: B<new>."
+"Only match during the given daytime. The possible time range is 00:00:00 to "
+"23:59:59. Leading zeroes are allowed (e.g. \"06:03\") and correctly "
+"interpreted as base-10."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:2047 original/man8/iptables.8:1993
-#, fuzzy, no-wrap
-#| msgid "B<--uid-owner >I<userid>"
-msgid "B<--zone> I<id>"
-msgstr "B<--uid-owner >I<userid>"
+#: original/man8/iptables-extensions.8:1421
+#, no-wrap
+msgid "[B<!>] B<--monthdays> I<day>[B<,>I<day>...]"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2051 original/man8/iptables.8:1997
+#: original/man8/iptables-extensions.8:1427
msgid ""
-"Assign this packet to zone I<id> and only have lookups done in that zone. "
-"By default, packets have zone 0."
+"Only match on the given days of the month. Possible values are B<1> to "
+"B<31>. Note that specifying B<31> will of course not match on months which "
+"do not have a 31st day; the same goes for 28- or 29-day February."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:2051 original/man8/iptables.8:2037
+#. type: TP
+#: original/man8/iptables-extensions.8:1427
#, no-wrap
-msgid "DSCP"
-msgstr "DSCP"
+msgid "[B<!>] B<--weekdays> I<day>[B<,>I<day>...]"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2055 original/man8/iptables.8:2041
+#: original/man8/iptables-extensions.8:1433
msgid ""
-"This target allows to alter the value of the DSCP bits within the TOS header "
-"of the IPv4 packet. As this manipulates a packet, it can only be used in "
-"the mangle table."
+"Only match on the given weekdays. Possible values are B<Mon>, B<Tue>, "
+"B<Wed>, B<Thu>, B<Fri>, B<Sat>, B<Sun>, or values from B<1> to B<7>, "
+"respectively. You may also use two-character variants (B<Mo>, B<Tu>, etc.)."
msgstr ""
-"このターゲットは、IPv4 パケットの TOS ヘッダーにある DSCP ビットの値の書き換"
-"えを可能にする。 これはパケットを操作するので、mangle テーブルでのみ使用でき"
-"る。"
#. type: TP
-#: original/man8/ip6tables.8:2055 original/man8/iptables.8:2041
+#: original/man8/iptables-extensions.8:1433
#, fuzzy, no-wrap
-#| msgid "B<--set-dscp >I<value>"
-msgid "B<--set-dscp> I<value>"
-msgstr "B<--set-dscp >I<value>"
+#| msgid "B<--tos >I<tos>"
+msgid "B<--contiguous>"
+msgstr "B<--tos >I<tos>"
#. type: Plain text
-#: original/man8/ip6tables.8:2058 original/man8/iptables.8:2044
-msgid "Set the DSCP field to a numerical value (can be decimal or hex)"
-msgstr "DSCP フィールドの数値を設定する (10 進または 16 進)。"
+#: original/man8/iptables-extensions.8:1437
+msgid ""
+"When B<--timestop> is smaller than B<--timestart> value, match this as a "
+"single time period instead distinct intervals. See EXAMPLES."
+msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:2058 original/man8/iptables.8:2044
-#, fuzzy, no-wrap
-#| msgid "B<--set-dscp-class >I<class>"
-msgid "B<--set-dscp-class> I<class>"
-msgstr "B<--set-dscp-class >I<class>"
-
-#. type: Plain text
-#: original/man8/ip6tables.8:2061 original/man8/iptables.8:2047
-msgid "Set the DSCP field to a DiffServ class."
-msgstr "DSCP フィールドの DiffServ クラスを設定する。"
-
-#. type: SS
-#: original/man8/ip6tables.8:2061
+#: original/man8/iptables-extensions.8:1437
#, no-wrap
-msgid "HL"
+msgid "B<--kerneltz>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2068
+#: original/man8/iptables-extensions.8:1441
msgid ""
-"This is used to modify the Hop Limit field in IPv6 header. The Hop Limit "
-"field is similar to what is known as TTL value in IPv4. Setting or "
-"incrementing the Hop Limit field can potentially be very dangerous, so it "
-"should be avoided at any cost. This target is only valid in B<mangle> table."
+"Use the kernel timezone instead of UTC to determine whether a packet meets "
+"the time regulations."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2070 original/man8/iptables.8:2564
+#: original/man8/iptables-extensions.8:1447
msgid ""
-"B<Don't ever set or increment the value on packets that leave your local "
-"network!>"
+"About kernel timezones: Linux keeps the system time in UTC, and always does "
+"so. On boot, system time is initialized from a referential time source. "
+"Where this time source has no timezone information, such as the x86 CMOS "
+"RTC, UTC will be assumed. If the time source is however not in UTC, "
+"userspace should provide the correct system time and timezone to the kernel "
+"once it has the information."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2070
-#, fuzzy, no-wrap
-#| msgid "B<--set-mss >I<value>"
-msgid "B<--hl-set> I<value>"
-msgstr "B<--set-mss >I<value>"
-
#. type: Plain text
-#: original/man8/ip6tables.8:2073
-msgid "Set the Hop Limit to `value'."
+#: original/man8/iptables-extensions.8:1458
+msgid ""
+"Local time is a feature on top of the (timezone independent) system time. "
+"Each process has its own idea of local time, specified via the TZ "
+"environment variable. The kernel also has its own timezone offset variable. "
+"The TZ userspace environment variable specifies how the UTC-based system "
+"time is displayed, e.g. when you run date(1), or what you see on your "
+"desktop clock. The TZ string may resolve to different offsets at different "
+"dates, which is what enables the automatic time-jumping in userspace. when "
+"DST changes. The kernel's timezone offset variable is used when it has to "
+"convert between non-UTC sources, such as FAT filesystems, to UTC (since the "
+"latter is what the rest of the system uses)."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2073
-#, fuzzy, no-wrap
-#| msgid "B<--dscp >I<value>"
-msgid "B<--hl-dec> I<value>"
-msgstr "B<--dscp >I<value>"
-
#. type: Plain text
-#: original/man8/ip6tables.8:2076
-msgid "Decrement the Hop Limit `value' times."
+#: original/man8/iptables-extensions.8:1467
+msgid ""
+"The caveat with the kernel timezone is that Linux distributions may ignore "
+"to set the kernel timezone, and instead only set the system time. Even if a "
+"particular distribution does set the timezone at boot, it is usually does "
+"not keep the kernel timezone offset - which is what changes on DST - up to "
+"date. ntpd will not touch the kernel timezone, so running it will not "
+"resolve the issue. As such, one may encounter a timezone that is always "
+"+0000, or one that is wrong half of the time of the year. As such, B<using --"
+"kerneltz is highly discouraged.>"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2076
-#, fuzzy, no-wrap
-#| msgid "B<--dscp >I<value>"
-msgid "B<--hl-inc> I<value>"
-msgstr "B<--dscp >I<value>"
-
#. type: Plain text
-#: original/man8/ip6tables.8:2079
-msgid "Increment the Hop Limit `value' times."
+#: original/man8/iptables-extensions.8:1469
+msgid "EXAMPLES. To match on weekends, use:"
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:2079 original/man8/iptables.8:2055
-#, no-wrap
-msgid "IDLETIMER"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1471
+msgid "-m time --weekdays Sa,Su"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2088 original/man8/iptables.8:2064
-msgid ""
-"This target can be used to identify when interfaces have been idle for a "
-"certain period of time. Timers are identified by labels and are created "
-"when a rule is set with a new label. The rules also take a timeout value "
-"(in seconds) as an option. If more than one rule uses the same timer label, "
-"the timer will be restarted whenever any of the rules get a hit. One entry "
-"for each timer is created in sysfs. This attribute contains the timer "
-"remaining for the timer to expire. The attributes are located under the "
-"xt_idletimer class:"
+#: original/man8/iptables-extensions.8:1473
+msgid "Or, to match (once) on a national holiday block:"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2090 original/man8/iptables.8:2066
-msgid "/sys/class/xt_idletimer/timers/E<lt>labelE<gt>"
+#: original/man8/iptables-extensions.8:1475
+msgid "-m time --datestart 2007-12-24 --datestop 2007-12-27"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2093 original/man8/iptables.8:2069
+#: original/man8/iptables-extensions.8:1478
msgid ""
-"When the timer expires, the target module sends a sysfs notification to the "
-"userspace, which can then decide what to do (eg. disconnect to save power)."
+"Since the stop time is actually inclusive, you would need the following stop "
+"time to not match the first second of the new day:"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2093 original/man8/iptables.8:2069
-#, fuzzy, no-wrap
-#| msgid "B<--limit >I<rate>"
-msgid "B<--timeout> I<amount>"
-msgstr "B<--limit >I<rate>"
-
#. type: Plain text
-#: original/man8/ip6tables.8:2096 original/man8/iptables.8:2072
-msgid "This is the time in seconds that will trigger the notification."
+#: original/man8/iptables-extensions.8:1480
+msgid "-m time --datestart 2007-01-01T17:00 --datestop 2007-01-01T23:59:59"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2096 original/man8/iptables.8:2072
-#, fuzzy, no-wrap
-#| msgid "B<--helper >I<string>"
-msgid "B<--label> I<string>"
-msgstr "B<--helper >I<string>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1482
+msgid "During lunch hour:"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2100 original/man8/iptables.8:2076
-msgid ""
-"This is a unique identifier for the timer. The maximum length for the label "
-"string is 27 characters."
+#: original/man8/iptables-extensions.8:1484
+msgid "-m time --timestart 12:30 --timestop 13:30"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1486
+msgid "The fourth Friday in the month:"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1488
+msgid "-m time --weekdays Fr --monthdays 22,23,24,25,26,27,28"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1492
+msgid ""
+"(Note that this exploits a certain mathematical property. It is not possible "
+"to say \"fourth Thursday OR fourth Friday\" in one rule. It is possible with "
+"multiple rules, though.)"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1494
+msgid "Matching across days might not do what is expected. For instance,"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1500
+msgid ""
+"-m time --weekdays Mo --timestart 23:00 --timestop 01:00 Will match Monday, "
+"for one hour from midnight to 1 a.m., and then again for another hour from "
+"23:00 onwards. If this is unwanted, e.g. if you would like 'match for two "
+"hours from Montay 23:00 onwards' you need to also specify the --contiguous "
+"option in the example above."
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:2100 original/man8/iptables.8:2076
+#: original/man8/iptables-extensions.8:1500
#, no-wrap
-msgid "LOG"
-msgstr "LOG"
+msgid "tos"
+msgstr "tos"
#. type: Plain text
-#: original/man8/ip6tables.8:2112
+#: original/man8/iptables-extensions.8:1504
+#, fuzzy
+#| msgid ""
+#| "This module matches the 8 bits of Type of Service field in the IP header "
+#| "(ie. including the precedence bits)."
msgid ""
-"Turn on kernel logging of matching packets. When this option is set for a "
-"rule, the Linux kernel will print some information on all matching packets "
-"(like most IPv6 IPv6-header fields) via the kernel log (where it can be read "
-"with I<dmesg> or I<syslogd>(8)). This is a \"non-terminating target\", i.e. "
-"rule traversal continues at the next rule. So if you want to LOG the "
-"packets you refuse, use two separate rules with the same matching criteria, "
-"first using target LOG then DROP (or REJECT)."
+"This module matches the 8-bit Type of Service field in the IPv4 header (i."
+"e. including the \"Precedence\" bits) or the (also 8-bit) Priority field in "
+"the IPv6 header."
msgstr ""
-"マッチしたパケットをカーネルログに記録する。 このオプションがルールに対して設"
-"定されると、 Linux カーネルはマッチしたパケットについての (IPv6 における大部"
-"分の IPv6 ヘッダフィールドのような) 何らかの情報を カーネルログに表示する "
-"(カーネルログは I<dmesg> または I<syslogd>(8) で見ることができる)。 これは"
-"「非終了タ ーゲット」である。 すなわち、ルールの検討は、次のルールへと継続さ"
-"れる。 よって、拒否するパケットをログ記録したければ、 同じマッチング判断基準"
-"を持つ 2 つのルールを使用し、 最初のルールで LOG ターゲットを、 次のルールで "
-"DROP (または REJECT) ターゲットを指定する。"
+"このモジュールは IP ヘッダーの 8 ビットの (つまり上位ビットを含む) Type of "
+"Service フィールドにマッチする。"
#. type: TP
-#: original/man8/ip6tables.8:2112 original/man8/iptables.8:2088
+#: original/man8/iptables-extensions.8:1504
#, fuzzy, no-wrap
-#| msgid "B<--log-level >I<level>"
-msgid "B<--log-level> I<level>"
-msgstr "B<--log-level >I<level>"
+#| msgid "B<--mark >I<value>[/I<mask>]"
+msgid "[B<!>] B<--tos> I<value>[B</>I<mask>]"
+msgstr "B<--mark >I<value>[/I<mask>]"
#. type: Plain text
-#: original/man8/ip6tables.8:2115 original/man8/iptables.8:2091
-msgid "Level of logging (numeric or see I<syslog.conf>(5))."
+#: original/man8/iptables-extensions.8:1508
+#, fuzzy
+#| msgid ""
+#| "Matches packets with the given unsigned mark value (if a mask is "
+#| "specified, this is logically ANDed with the mask before the comparison)."
+msgid ""
+"Matches packets with the given TOS mark value. If a mask is specified, it is "
+"logically ANDed with the TOS mark before the comparison."
msgstr ""
-"ログ記録のレベル (数値て指定するか、(名前で指定する場合は)\n"
-"I<syslog.conf>(5) を参照すること)。"
+"指定された符号なし mark 値のパケットにマッチする (mask が指定されると、比較の"
+"前に mask との論理積 (AND) がとられる)。"
#. type: TP
-#: original/man8/ip6tables.8:2115 original/man8/iptables.8:2091
+#: original/man8/iptables-extensions.8:1508
#, fuzzy, no-wrap
-#| msgid "B<--log-prefix >I<prefix>"
-msgid "B<--log-prefix> I<prefix>"
-msgstr "B<--log-prefix >I<prefix>"
+#| msgid "B<--tos >I<tos>"
+msgid "[B<!>] B<--tos> I<symbol>"
+msgstr "B<--tos >I<tos>"
#. type: Plain text
-#: original/man8/ip6tables.8:2119 original/man8/iptables.8:2095
+#: original/man8/iptables-extensions.8:1513
msgid ""
-"Prefix log messages with the specified prefix; up to 29 letters long, and "
-"useful for distinguishing messages in the logs."
+"You can specify a symbolic name when using the tos match for IPv4. The list "
+"of recognized TOS names can be obtained by calling iptables with B<-m tos -"
+"h>. Note that this implies a mask of 0x3F, i.e. all but the ECN bits."
msgstr ""
-"指定したプレフィックスをログメッセージの前に付ける。\n"
-"プレフィックスは 29 文字までの長さで、\n"
-"ログの中でメッセージを区別するのに役立つ。"
-#. type: TP
-#: original/man8/ip6tables.8:2119 original/man8/iptables.8:2095
+#. type: SS
+#: original/man8/iptables-extensions.8:1513
#, no-wrap
-msgid "B<--log-tcp-sequence>"
-msgstr "B<--log-tcp-sequence>"
+msgid "ttl (IPv4-specific)"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2123 original/man8/iptables.8:2099
-msgid ""
-"Log TCP sequence numbers. This is a security risk if the log is readable by "
-"users."
-msgstr ""
-"TCP シーケンス番号をログに記録する。 ログがユーザーから読める場合、セキュリ"
-"ティ上の危険がある。"
+#: original/man8/iptables-extensions.8:1515
+msgid "This module matches the time to live field in the IP header."
+msgstr "このモジュールは IP ヘッダーの time to live フィールドにマッチする。"
#. type: TP
-#: original/man8/ip6tables.8:2123 original/man8/iptables.8:2099
-#, no-wrap
-msgid "B<--log-tcp-options>"
-msgstr "B<--log-tcp-options>"
+#: original/man8/iptables-extensions.8:1515
+#, fuzzy, no-wrap
+#| msgid "B<--ttl >I<ttl>"
+msgid "[B<!>] B<--ttl-eq> I<ttl>"
+msgstr "B<--ttl >I<ttl>"
#. type: Plain text
-#: original/man8/ip6tables.8:2126 original/man8/iptables.8:2102
-msgid "Log options from the TCP packet header."
-msgstr "TCP パケットヘッダのオプションをログに記録する。"
+#: original/man8/iptables-extensions.8:1518
+msgid "Matches the given TTL value."
+msgstr "指定された TTL 値にマッチする。"
#. type: TP
-#: original/man8/ip6tables.8:2126 original/man8/iptables.8:2102
-#, no-wrap
-msgid "B<--log-ip-options>"
-msgstr "B<--log-ip-options>"
+#: original/man8/iptables-extensions.8:1518
+#, fuzzy, no-wrap
+#| msgid "B<--ttl >I<ttl>"
+msgid "B<--ttl-gt> I<ttl>"
+msgstr "B<--ttl >I<ttl>"
#. type: Plain text
-#: original/man8/ip6tables.8:2129
-msgid "Log options from the IPv6 packet header."
-msgstr "IPv6 パケットヘッダのオプションをログに記録する。"
+#: original/man8/iptables-extensions.8:1521
+#, fuzzy
+#| msgid "Matches the given TTL value."
+msgid "Matches if TTL is greater than the given TTL value."
+msgstr "指定された TTL 値にマッチする。"
#. type: TP
-#: original/man8/ip6tables.8:2129 original/man8/iptables.8:2105
+#: original/man8/iptables-extensions.8:1521
#, fuzzy, no-wrap
-#| msgid "B<--log-ip-options>"
-msgid "B<--log-uid>"
-msgstr "B<--log-ip-options>"
+#| msgid "B<--ttl >I<ttl>"
+msgid "B<--ttl-lt> I<ttl>"
+msgstr "B<--ttl >I<ttl>"
#. type: Plain text
-#: original/man8/ip6tables.8:2132 original/man8/iptables.8:2108
-msgid "Log the userid of the process which generated the packet."
-msgstr ""
+#: original/man8/iptables-extensions.8:1524
+#, fuzzy
+#| msgid "Matches the given TTL value."
+msgid "Matches if TTL is less than the given TTL value."
+msgstr "指定された TTL 値にマッチする。"
#. type: SS
-#: original/man8/ip6tables.8:2132 original/man8/iptables.8:2108
+#: original/man8/iptables-extensions.8:1524
#, no-wrap
-msgid "MARK"
-msgstr "MARK"
+msgid "u32"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2138 original/man8/iptables.8:2114
+#: original/man8/iptables-extensions.8:1528
msgid ""
-"This target is used to set the Netfilter mark value associated with the "
-"packet. It can, for example, be used in conjunction with routing based on "
-"fwmark (needs iproute2). If you plan on doing so, note that the mark needs "
-"to be set in the PREROUTING chain of the mangle table to affect routing. "
-"The mark field is 32 bits wide."
+"U32 tests whether quantities of up to 4 bytes extracted from a packet have "
+"specified values. The specification of what to extract is general enough to "
+"find data at given offsets from tcp headers or payloads."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:2142 original/man8/iptables.8:2118
-msgid ""
-"Zeroes out the bits given by I<mask> and XORs I<value> into the packet mark "
-"(\"nfmark\"). If I<mask> is omitted, 0xFFFFFFFF is assumed."
+#. type: TP
+#: original/man8/iptables-extensions.8:1528
+#, no-wrap
+msgid "[B<!>] B<--u32> I<tests>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2146 original/man8/iptables.8:2122
-msgid ""
-"Zeroes out the bits given by I<mask> and ORs I<value> into the packet mark. "
-"If I<mask> is omitted, 0xFFFFFFFF is assumed."
+#: original/man8/iptables-extensions.8:1531
+msgid "The argument amounts to a program in a small language described below."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2148 original/man8/ip6tables.8:2385
-#: original/man8/iptables.8:2124 original/man8/iptables.8:2496
-msgid "The following mnemonics are available:"
+#: original/man8/iptables-extensions.8:1533
+msgid "tests := location \"=\" value | tests \"&&\" location \"=\" value"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2152 original/man8/iptables.8:2128
-msgid ""
-"Binary AND the nfmark with I<bits>. (Mnemonic for B<--set-xmark 0/"
-">I<invbits>, where I<invbits> is the binary negation of I<bits>.)"
+#: original/man8/iptables-extensions.8:1535
+msgid "value := range | value \",\" range"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2156 original/man8/iptables.8:2132
-msgid ""
-"Binary OR the nfmark with I<bits>. (Mnemonic for B<--set-xmark> I<bits>B</"
-">I<bits>.)"
+#: original/man8/iptables-extensions.8:1537
+msgid "range := number | number \":\" number"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2160 original/man8/iptables.8:2136
+#: original/man8/iptables-extensions.8:1540
msgid ""
-"Binary XOR the nfmark with I<bits>. (Mnemonic for B<--set-xmark> "
-"I<bits>B</0>.)"
+"a single number, I<n>, is interpreted the same as I<n:n>. I<n:m> is "
+"interpreted as the range of numbers B<E<gt>=n> and B<E<lt>=m>."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:2160 original/man8/iptables.8:2190
-#, no-wrap
-msgid "NFLOG"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1542
+msgid "location := number | location operator number"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2170 original/man8/iptables.8:2200
-#, fuzzy
-#| msgid ""
-#| "This target provides userspace logging of matching packets. When this "
-#| "target is set for a rule, the Linux kernel will multicast this packet "
-#| "through a I<netlink> socket. One or more userspace processes may then "
-#| "subscribe to various multicast groups and receive the packets. Like LOG, "
-#| "this is a \"non-terminating target\", i.e. rule traversal continues at "
-#| "the next rule."
-msgid ""
-"This target provides logging of matching packets. When this target is set "
-"for a rule, the Linux kernel will pass the packet to the loaded logging "
-"backend to log the packet. This is usually used in combination with "
-"nfnetlink_log as logging backend, which will multicast the packet through a "
-"I<netlink> socket to the specified multicast group. One or more userspace "
-"processes may subscribe to the group to receive the packets. Like LOG, this "
-"is a non-terminating target, i.e. rule traversal continues at the next rule."
+#: original/man8/iptables-extensions.8:1544
+msgid "operator := \"&\" | \"E<lt>E<lt>\" | \"E<gt>E<gt>\" | \"@\""
msgstr ""
-"このターゲットは、マッチしたパケットを ユーザー空間でログ記録する機能を提供す"
-"る。 このターゲットがルールに設定されると、 Linux カーネルは、そのパケットを "
-"I<netlink> ソケットを用いてマルチキャストする。 そして、1 つ以上のユーザー空"
-"間プロセスが いろいろなマルチキャストグループに登録をおこない、 パケットを受"
-"信する。 LOG と同様、これは \"非終了ターゲット\" であり、 ルールの検討は次の"
-"ルールへと継続される。"
-
-#. type: TP
-#: original/man8/ip6tables.8:2170 original/man8/iptables.8:2200
-#, fuzzy, no-wrap
-#| msgid "B<--ulog-nlgroup >I<nlgroup>"
-msgid "B<--nflog-group> I<nlgroup>"
-msgstr "B<--ulog-nlgroup >I<nlgroup>"
#. type: Plain text
-#: original/man8/ip6tables.8:2174 original/man8/iptables.8:2204
-#, fuzzy
-#| msgid ""
-#| "This specifies the netlink group (1-32) to which the packet is sent. "
-#| "Default value is 1."
+#: original/man8/iptables-extensions.8:1549
msgid ""
-"The netlink group (0 - 2^16-1) to which packets are (only applicable for "
-"nfnetlink_log). The default value is 0."
+"The operators B<&>, B<E<lt>E<lt>>, B<E<gt>E<gt>> and B<&&> mean the same as "
+"in C. The B<=> is really a set membership operator and the value syntax "
+"describes a set. The B<@> operator is what allows moving to the next header "
+"and is described further below."
msgstr ""
-"パケットを送信する netlink グループ (1-32) を指定する。 デフォルトの値は 1 で"
-"ある。"
-
-#. type: TP
-#: original/man8/ip6tables.8:2174 original/man8/iptables.8:2204
-#, fuzzy, no-wrap
-#| msgid "B<--log-prefix >I<prefix>"
-msgid "B<--nflog-prefix> I<prefix>"
-msgstr "B<--log-prefix >I<prefix>"
#. type: Plain text
-#: original/man8/ip6tables.8:2178 original/man8/iptables.8:2208
-#, fuzzy
-#| msgid ""
-#| "Prefix log messages with the specified prefix; up to 32 characters long, "
-#| "and useful for distinguishing messages in the logs."
+#: original/man8/iptables-extensions.8:1552
msgid ""
-"A prefix string to include in the log message, up to 64 characters long, "
-"useful for distinguishing messages in the logs."
+"There are currently some artificial implementation limits on the size of the "
+"tests:"
msgstr ""
-"指定したプレフィックスをログメッセージの前に付ける。 32 文字までの指定でき"
-"る。 ログの中でメッセージを区別するのに便利である。"
-#. type: TP
-#: original/man8/ip6tables.8:2178 original/man8/iptables.8:2208
-#, fuzzy, no-wrap
-#| msgid "B<--ulog-cprange >I<size>"
-msgid "B<--nflog-range> I<size>"
-msgstr "B<--ulog-cprange >I<size>"
+#. type: IP
+#: original/man8/iptables-extensions.8:1552
+#: original/man8/iptables-extensions.8:1554
+#: original/man8/iptables-extensions.8:1556
+#, no-wrap
+msgid " *"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2183 original/man8/iptables.8:2213
-msgid ""
-"The number of bytes to be copied to userspace (only applicable for "
-"nfnetlink_log). nfnetlink_log instances may specify their own range, this "
-"option overrides it."
+#: original/man8/iptables-extensions.8:1554
+msgid "no more than 10 of \"B<=>\" (and 9 \"B<&&>\"s) in the u32 argument"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2183 original/man8/iptables.8:2213
-#, fuzzy, no-wrap
-#| msgid "B<--ulog-qthreshold >I<size>"
-msgid "B<--nflog-threshold> I<size>"
-msgstr "B<--ulog-qthreshold >I<size>"
-
#. type: Plain text
-#: original/man8/ip6tables.8:2190 original/man8/iptables.8:2220
-msgid ""
-"Number of packets to queue inside the kernel before sending them to "
-"userspace (only applicable for nfnetlink_log). Higher values result in less "
-"overhead per packet, but increase delay until the packets reach userspace. "
-"The default value is 1."
+#: original/man8/iptables-extensions.8:1556
+msgid "no more than 10 ranges (and 9 commas) per value"
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:2190 original/man8/iptables.8:2220
-#, no-wrap
-msgid "NFQUEUE"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1558
+msgid "no more than 10 numbers (and 9 operators) per location"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2200 original/man8/iptables.8:2230
+#: original/man8/iptables-extensions.8:1561
msgid ""
-"This target is an extension of the QUEUE target. As opposed to QUEUE, it "
-"allows you to put a packet into any specific queue, identified by its 16-bit "
-"queue number. It can only be used with Kernel versions 2.6.14 or later, "
-"since it requires the B<nfnetlink_queue> kernel support. The B<queue-"
-"balance> option was added in Linux 2.6.31, B<queue-bypass> in 2.6.39."
+"To describe the meaning of location, imagine the following machine that "
+"interprets it. There are three registers:"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2200 original/man8/iptables.8:2230
-#, fuzzy, no-wrap
-#| msgid "B<--set-mss >I<value>"
-msgid "B<--queue-num> I<value>"
-msgstr "B<--set-mss >I<value>"
-
#. type: Plain text
-#: original/man8/ip6tables.8:2203 original/man8/iptables.8:2233
-msgid ""
-"This specifies the QUEUE number to use. Valid queue numbers are 0 to 65535. "
-"The default value is 0."
+#: original/man8/iptables-extensions.8:1563
+msgid "A is of type B<char *>, initially the address of the IP header"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2204 original/man8/iptables.8:2234
-#, fuzzy, no-wrap
-#| msgid "B<--mss >I<value>[:I<value>]"
-msgid "B<--queue-balance> I<value>B<:>I<value>"
-msgstr "B<--mss >I<value>[:I<value>]"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1565
+msgid "B and C are unsigned 32 bit integers, initially zero"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2210 original/man8/iptables.8:2240
-msgid ""
-"This specifies a range of queues to use. Packets are then balanced across "
-"the given queues. This is useful for multicore systems: start multiple "
-"instances of the userspace program on queues x, x+1, .. x+n and use \"--"
-"queue-balance I<x>B<:>I<x+n>\". Packets belonging to the same connection "
-"are put into the same nfqueue."
+#: original/man8/iptables-extensions.8:1567
+msgid "The instructions are:"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2211 original/man8/iptables.8:2241
-#, no-wrap
-msgid "B<--queue-bypass>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1569
+msgid "number B = number;"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2216 original/man8/iptables.8:2246
+#: original/man8/iptables-extensions.8:1571
msgid ""
-"By default, if no userspace program is listening on an NFQUEUE, then all "
-"packets that are to be queued are dropped. When this option is used, the "
-"NFQUEUE rule is silently bypassed instead. The packet will move on to the "
-"next rule."
+"C = (*(A+B)E<lt>E<lt>24) + (*(A+B+1)E<lt>E<lt>16) + (*(A+B+2)E<lt>E<lt>8) + *"
+"(A+B+3)"
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:2216 original/man8/iptables.8:2246
-#, no-wrap
-msgid "NOTRACK"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1573
+msgid "&number C = C & number"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2218 original/man8/iptables.8:2248
-msgid ""
-"This target disables connection tracking for all packets matching that rule."
+#: original/man8/iptables-extensions.8:1575
+msgid "E<lt>E<lt> number C = C E<lt>E<lt> number"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2222 original/man8/ip6tables.8:2442
-#: original/man8/iptables.8:2252 original/man8/iptables.8:2553
-msgid "It can only be used in the B<raw> table."
+#: original/man8/iptables-extensions.8:1577
+msgid "E<gt>E<gt> number C = C E<gt>E<gt> number"
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:2222 original/man8/iptables.8:2252
-#, no-wrap
-msgid "RATEEST"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1579
+msgid "@number A = A + C; then do the instruction number"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2225 original/man8/iptables.8:2255
+#: original/man8/iptables-extensions.8:1582
msgid ""
-"The RATEEST target collects statistics, performs rate estimation calculation "
-"and saves the results for later evaluation using the B<rateest> match."
+"Any access of memory outside [skb-E<gt>data,skb-E<gt>end] causes the match "
+"to fail. Otherwise the result of the computation is the final value of C."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2225 original/man8/iptables.8:2255
-#, fuzzy, no-wrap
-#| msgid "B<--ctstate >I<state>"
-msgid "B<--rateest-name> I<name>"
-msgstr "B<--ctstate >I<state>"
-
#. type: Plain text
-#: original/man8/ip6tables.8:2229 original/man8/iptables.8:2259
+#: original/man8/iptables-extensions.8:1586
msgid ""
-"Count matched packets into the pool referred to by I<name>, which is freely "
-"choosable."
+"Whitespace is allowed but not required in the tests. However, the characters "
+"that do occur there are likely to require shell quoting, so it is a good "
+"idea to enclose the arguments in quotes."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2229 original/man8/iptables.8:2259
-#, no-wrap
-msgid "B<--rateest-interval> I<amount>{B<s>|B<ms>|B<us>}"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1590
+msgid "match IP packets with total length E<gt>= 256"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2232 original/man8/iptables.8:2262
-msgid "Rate measurement interval, in seconds, milliseconds or microseconds."
+#: original/man8/iptables-extensions.8:1592
+msgid "The IP header contains a total length field in bytes 2-3."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2232 original/man8/iptables.8:2262
-#, fuzzy, no-wrap
-#| msgid "B<--set-mss >I<value>"
-msgid "B<--rateest-ewmalog> I<value>"
-msgstr "B<--set-mss >I<value>"
-
#. type: Plain text
-#: original/man8/ip6tables.8:2235 original/man8/iptables.8:2265
-msgid "Rate measurement averaging time constant."
+#: original/man8/iptables-extensions.8:1594
+msgid "--u32 \"B<0 & 0xFFFF = 0x100:0xFFFF>\""
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:2235 original/man8/iptables.8:2291
-#, no-wrap
-msgid "REJECT"
-msgstr "REJECT"
-
#. type: Plain text
-#: original/man8/ip6tables.8:2248 original/man8/iptables.8:2304
-msgid ""
-"This is used to send back an error packet in response to the matched packet: "
-"otherwise it is equivalent to B<DROP> so it is a terminating TARGET, ending "
-"rule traversal. This target is only valid in the B<INPUT>, B<FORWARD> and "
-"B<OUTPUT> chains, and user-defined chains which are only called from those "
-"chains. The following option controls the nature of the error packet "
-"returned:"
+#: original/man8/iptables-extensions.8:1596
+msgid "read bytes 0-3"
msgstr ""
-"マッチしたパケットの応答としてエラーパケットを送信するために使われる。\n"
-"エラーパケットを送らなければ、 B<DROP> と同じであり、TARGET を終了し、\n"
-"ルールの検討を終了する。 このターゲットは、 B<INPUT>, B<FORWARD>,\n"
-"B<OUTPUT> チェインと、これらのチェインから呼ばれる ユーザー定義チェイン\n"
-"だけで有効である。以下のオプションは、返されるエラーパケットの特性を\n"
-"制御する。"
-
-#. type: TP
-#: original/man8/ip6tables.8:2248 original/man8/iptables.8:2304
-#, fuzzy, no-wrap
-#| msgid "B<--reject-with >I<type>"
-msgid "B<--reject-with> I<type>"
-msgstr "B<--reject-with >I<type>"
#. type: Plain text
-#: original/man8/ip6tables.8:2269
-#, fuzzy
-#| msgid ""
-#| "which return the appropriate IPv6-ICMP error message (B<port-unreach> is "
-#| "the default). Finally, the option B<tcp-reset> can be used on rules which "
-#| "only match the TCP protocol: this causes a TCP RST packet to be sent "
-#| "back. This is mainly useful for blocking I<ident> (113/tcp) probes which "
-#| "frequently occur when sending mail to broken mail hosts (which won't "
-#| "accept your mail otherwise)."
+#: original/man8/iptables-extensions.8:1599
msgid ""
-"The type given can be B<icmp6-no-route>, B<no-route>, B<icmp6-adm-"
-"prohibited>, B<adm-prohibited>, B<icmp6-addr-unreachable>, B<addr-unreach>, "
-"B<icmp6-port-unreachable> or B<port-unreach> which return the appropriate "
-"ICMPv6 error message (B<port-unreach> is the default). Finally, the option "
-"B<tcp-reset> can be used on rules which only match the TCP protocol: this "
-"causes a TCP RST packet to be sent back. This is mainly useful for blocking "
-"I<ident> (113/tcp) probes which frequently occur when sending mail to broken "
-"mail hosts (which won't accept your mail otherwise). B<tcp-reset> can only "
-"be used with kernel versions 2.6.14 or later."
+"AND that with 0xFFFF (giving bytes 2-3), and test whether that is in the "
+"range [0x100:0xFFFF]"
msgstr ""
-"であり、適切な IPv6-ICMP エラーメッセージを返す (B<port-unreach> がデフォルト"
-"である)。 さらに、TCP プロトコルにのみマッチするルールに対して、オプション "
-"B<tcp-reset> を使うことができる。 このオプションを使うと、TCP RST パケットが"
-"送り返される。 主として I<ident> (113/tcp) による探査を阻止するのに役立つ。 "
-"I<ident> による探査は、壊れている (メールを受け取らない) メールホストに メー"
-"ルが送られる場合に頻繁に起こる。"
-#. type: SS
-#: original/man8/ip6tables.8:2269 original/man8/iptables.8:2342
-#, fuzzy, no-wrap
-#| msgid "MARK"
-msgid "SECMARK"
-msgstr "MARK"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1601
+msgid "Example: (more realistic, hence more complicated)"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2278 original/man8/iptables.8:2351
-msgid ""
-"This is used to set the security mark value associated with the packet for "
-"use by security subsystems such as SELinux. It is valid in the B<security> "
-"table (for backwards compatibility with older kernels, it is also valid in "
-"the B<mangle> table). The mark is 32 bits wide."
+#: original/man8/iptables-extensions.8:1603
+msgid "match ICMP packets with icmp type 0"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2278 original/man8/iptables.8:2351
-#, no-wrap
-msgid "B<--selctx> I<security_context>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1605
+msgid "First test that it is an ICMP packet, true iff byte 9 (protocol) = 1"
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:2280 original/man8/iptables.8:2353
-#, no-wrap
-msgid "SET"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1607
+msgid "--u32 \"B<6 & 0xFF = 1 &&> ..."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2283 original/man8/iptables.8:2356
+#: original/man8/iptables-extensions.8:1614
msgid ""
-"This modules adds and/or deletes entries from IP sets which can be defined "
-"by ipset(8)."
+"read bytes 6-9, use B<&> to throw away bytes 6-8 and compare the result to "
+"1. Next test that it is not a fragment. (If so, it might be part of such a "
+"packet but we cannot always tell.) N.B.: This test is generally needed if "
+"you want to match anything beyond the IP header. The last 6 bits of byte 6 "
+"and all of byte 7 are 0 iff this is a complete packet (not a fragment). "
+"Alternatively, you can allow first fragments by only testing the last 5 bits "
+"of byte 6."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2283 original/man8/iptables.8:2356
-#, no-wrap
-msgid "B<--add-set> I<setname> I<flag>[B<,>I<flag>...]"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1616
+msgid "... B<4 & 0x3FFF = 0 &&> ..."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2286 original/man8/iptables.8:2359
-msgid "add the address(es)/port(s) of the packet to the sets"
+#: original/man8/iptables-extensions.8:1620
+msgid ""
+"Last test: the first byte past the IP header (the type) is 0. This is where "
+"we have to use the @syntax. The length of the IP header (IHL) in 32 bit "
+"words is stored in the right half of byte 0 of the IP header itself."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2286 original/man8/iptables.8:2359
-#, no-wrap
-msgid "B<--del-set> I<setname> I<flag>[B<,>I<flag>...]"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1622
+msgid "... B<0 E<gt>E<gt> 22 & 0x3C @ 0 E<gt>E<gt> 24 = 0>\""
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2289 original/man8/iptables.8:2362
-msgid "delete the address(es)/port(s) of the packet from the sets"
+#: original/man8/iptables-extensions.8:1634
+msgid ""
+"The first 0 means read bytes 0-3, B<E<gt>E<gt>22> means shift that 22 bits "
+"to the right. Shifting 24 bits would give the first byte, so only 22 bits is "
+"four times that plus a few more bits. B<&3C> then eliminates the two extra "
+"bits on the right and the first four bits of the first byte. For instance, "
+"if IHL=5, then the IP header is 20 (4 x 5) bytes long. In this case, bytes "
+"0-1 are (in binary) xxxx0101 yyzzzzzz, B<E<gt>E<gt>22> gives the 10 bit "
+"value xxxx0101yy and B<&3C> gives 010100. B<@> means to use this number as a "
+"new offset into the packet, and read four bytes starting from there. This is "
+"the first 4 bytes of the ICMP payload, of which byte 0 is the ICMP type. "
+"Therefore, we simply shift the value 24 to the right to throw out all but "
+"the first byte and compare the result with 0."
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2295 original/man8/iptables.8:2368
-msgid ""
-"where flags are B<src> and/or B<dst> specifications and there can be no more "
-"than six of them."
+#: original/man8/iptables-extensions.8:1638
+msgid "TCP payload bytes 8-12 is any of 1, 2, 5 or 8"
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2295 original/man8/iptables.8:2368
-#, fuzzy, no-wrap
-#| msgid "B<--set-mss >I<value>"
-msgid "B<--timeout> I<value>"
-msgstr "B<--set-mss >I<value>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1640
+msgid "First we test that the packet is a tcp packet (similar to ICMP)."
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2299 original/man8/iptables.8:2372
-msgid ""
-"when adding entry, the timeout value to use instead of the default one from "
-"the set definition"
+#: original/man8/iptables-extensions.8:1642
+msgid "--u32 \"B<6 & 0xFF = 6 &&> ..."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2299 original/man8/iptables.8:2372
-#, fuzzy, no-wrap
-#| msgid "B<-x, --exact>"
-msgid "B<--exist>"
-msgstr "B<-x, --exact>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1644
+msgid "Next, test that it is not a fragment (same as above)."
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2303 original/man8/iptables.8:2376
-msgid ""
-"when adding entry if it already exists, reset the timeout value to the "
-"specified one or to the default from the set definition"
+#: original/man8/iptables-extensions.8:1646
+msgid "... B<0 E<gt>E<gt> 22 & 0x3C @ 12 E<gt>E<gt> 26 & 0x3C @ 8 = 1,2,5,8>\""
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2306 original/man8/iptables.8:2379
+#: original/man8/iptables-extensions.8:1654
msgid ""
-"Use of -j SET requires that ipset kernel support is provided, which, for "
-"standard kernels, is the case since Linux 2.6.39."
+"B<0E<gt>E<gt>22&3C> as above computes the number of bytes in the IP header. "
+"B<@> makes this the new offset into the packet, which is the start of the "
+"TCP header. The length of the TCP header (again in 32 bit words) is the left "
+"half of byte 12 of the TCP header. The B<12E<gt>E<gt>26&3C> computes this "
+"length in bytes (similar to the IP header before). \"@\" makes this the new "
+"offset, which is the start of the TCP payload. Finally, 8 reads bytes 8-12 "
+"of the payload and B<=> checks whether the result is any of 1, 2, 5 or 8."
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:2306 original/man8/iptables.8:2417
+#: original/man8/iptables-extensions.8:1654
#, no-wrap
-msgid "TCPMSS"
-msgstr "TCPMSS"
+msgid "udp"
+msgstr "udp"
#. type: Plain text
-#: original/man8/ip6tables.8:2313 original/man8/iptables.8:2424
+#: original/man8/iptables-extensions.8:1657
#, fuzzy
#| msgid ""
-#| "This target allows to alter the MSS value of TCP SYN packets, to control "
-#| "the maximum size for that connection (usually limiting it to your "
-#| "outgoing interface's MTU minus 40). Of course, it can only be used in "
-#| "conjunction with B<-p tcp>."
+#| "These extensions are loaded if `--protocol udp' is specified. It "
+#| "provides the following options:"
msgid ""
-"This target allows to alter the MSS value of TCP SYN packets, to control the "
-"maximum size for that connection (usually limiting it to your outgoing "
-"interface's MTU minus 40 for IPv4 or 60 for IPv6, respectively). Of course, "
-"it can only be used in conjunction with B<-p tcp>."
+"These extensions can be used if `--protocol udp' is specified. It provides "
+"the following options:"
msgstr ""
-"このターゲットを用いると、TCP の SYN パケットの MSS 値を書き換え、 そのコネク"
-"ションの最大サイズ (通常は、送信インターフェースの MTU から 40 引いた値) を"
-"制御できる。 もちろん B<-p tcp> と組み合わせてしか使えない。"
+"これらの拡張は `--protocol udp' が指定された場合にロードされ、 以下のオプショ"
+"ンが提供される:"
#. type: Plain text
-#: original/man8/ip6tables.8:2320 original/man8/iptables.8:2431
-#, fuzzy
-#| msgid ""
-#| "This target is used to overcome criminally braindead ISPs or servers "
-#| "which block ICMP Fragmentation Needed packets. The symptoms of this "
-#| "problem are that everything works fine from your Linux firewall/router, "
-#| "but machines behind it can never exchange large packets:"
+#: original/man8/iptables-extensions.8:1663
msgid ""
-"This target is used to overcome criminally braindead ISPs or servers which "
-"block \"ICMP Fragmentation Needed\" or \"ICMPv6 Packet Too Big\" packets. "
-"The symptoms of this problem are that everything works fine from your Linux "
-"firewall/router, but machines behind it can never exchange large packets:"
-msgstr ""
-"このターゲットは犯罪的に頭のいかれた ISP や ICMP Fragmentation Needed パケッ"
-"トをブロックしてしまうサーバーを 乗り越えるために使用する。 Linux ファイア"
-"ウォール/ルーターでは何も問題がないのに、 そこにぶら下がるマシンでは以下のよ"
-"うに大きなパケットを やりとりできないというのが、この問題の兆候である。"
-
-#. type: IP
-#: original/man8/ip6tables.8:2320 original/man8/iptables.8:2431
-#, no-wrap
-msgid "1."
+"Source port or port range specification. See the description of the B<--"
+"source-port> option of the TCP extension for details."
msgstr ""
+"送信元ポートまたはポート範囲の指定。 詳細は TCP 拡張の B<--source-port> オプ"
+"ションの説明を参照すること。"
#. type: Plain text
-#: original/man8/ip6tables.8:2322 original/man8/iptables.8:2433
-msgid "Web browsers connect, then hang with no data received."
-msgstr "ウェブ・ブラウザで接続が、何のデータも受け取らずにハングする"
+#: original/man8/iptables-extensions.8:1669
+msgid ""
+"Destination port or port range specification. See the description of the "
+"B<--destination-port> option of the TCP extension for details."
+msgstr ""
+"送信先ポートまたはポート範囲の指定。 詳細は TCP 拡張の B<--destination-port> "
+"オプションの説明を参照すること。"
-#. type: IP
-#: original/man8/ip6tables.8:2322 original/man8/iptables.8:2433
+#. type: SS
+#: original/man8/iptables-extensions.8:1669
#, no-wrap
-msgid "2."
+msgid "unclean (IPv4-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2324 original/man8/iptables.8:2435
-msgid "Small mail works fine, but large emails hang."
-msgstr "短いメールは問題ないが、長いメールがハングする"
-
-#. type: IP
-#: original/man8/ip6tables.8:2324 original/man8/iptables.8:2435
-#, no-wrap
-msgid "3."
+#: original/man8/iptables-extensions.8:1672
+msgid ""
+"This module takes no options, but attempts to match packets which seem "
+"malformed or unusual. This is regarded as experimental."
msgstr ""
+"このモジュールにはオプションがないが、 おかしく正常でないように見えるパケット"
+"にマッチする。 これは実験的なものとして扱われている。"
-#. type: Plain text
-#: original/man8/ip6tables.8:2326 original/man8/iptables.8:2437
-msgid "ssh works fine, but scp hangs after initial handshaking."
-msgstr "ssh は問題ないが、scp は最初のハンドシェーク後にハングする"
+#. type: SH
+#: original/man8/iptables-extensions.8:1672
+#, no-wrap
+msgid "TARGET EXTENSIONS"
+msgstr "ターゲットの拡張"
+#. @TARGET@
#. type: Plain text
-#: original/man8/ip6tables.8:2329 original/man8/iptables.8:2440
+#: original/man8/iptables-extensions.8:1676
msgid ""
-"Workaround: activate this option and add a rule to your firewall "
-"configuration like:"
+"iptables can use extended target modules: the following are included in the "
+"standard distribution."
+msgstr ""
+"iptables は拡張ターゲットモジュールを使うことができる: 以下のものが、標準的な"
+"ディストリビューションに含まれている。"
+
+#. type: SS
+#: original/man8/iptables-extensions.8:1676
+#, no-wrap
+msgid "AUDIT"
msgstr ""
-"回避方法: このオプションを有効にし、以下のようなルールを ファイアウォールの設"
-"定に追加する。"
#. type: Plain text
-#: original/man8/ip6tables.8:2332 original/man8/iptables.8:2443
-#, fuzzy, no-wrap
-#| msgid ""
-#| " iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \\e\n"
-#| " -j TCPMSS --clamp-mss-to-pmtu\n"
+#: original/man8/iptables-extensions.8:1680
msgid ""
-" iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN\n"
-" -j TCPMSS --clamp-mss-to-pmtu\n"
+"This target allows to create audit records for packets hitting the target. "
+"It can be used to record accepted, dropped, and rejected packets. See auditd"
+"(8) for additional details."
msgstr ""
-" iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \\e\n"
-" -j TCPMSS --clamp-mss-to-pmtu\n"
#. type: TP
-#: original/man8/ip6tables.8:2332 original/man8/iptables.8:2443
-#, fuzzy, no-wrap
-#| msgid "B<--set-mss >I<value>"
-msgid "B<--set-mss> I<value>"
-msgstr "B<--set-mss >I<value>"
+#: original/man8/iptables-extensions.8:1680
+#, no-wrap
+msgid "B<--type> {B<accept>|B<drop>|B<reject>}"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2337 original/man8/iptables.8:2448
-msgid ""
-"Explicitly sets MSS option to specified value. If the MSS of the packet is "
-"already lower than I<value>, it will B<not> be increased (from Linux 2.6.25 "
-"onwards) to avoid more problems with hosts relying on a proper MSS."
+#: original/man8/iptables-extensions.8:1683
+msgid "Set type of audit record."
msgstr ""
-#. type: TP
-#: original/man8/ip6tables.8:2337 original/man8/iptables.8:2448
-#, no-wrap
-msgid "B<--clamp-mss-to-pmtu>"
-msgstr "B<--clamp-mss-to-pmtu>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1687
+#, fuzzy
+#| msgid " iptables -j TOS -h\n"
+msgid "iptables -N AUDIT_DROP"
+msgstr " iptables -j TOS -h\n"
#. type: Plain text
-#: original/man8/ip6tables.8:2346 original/man8/iptables.8:2457
-msgid ""
-"Automatically clamp MSS value to (path_MTU - 40 for IPv4; -60 for IPv6). "
-"This may not function as desired where asymmetric routes with differing path "
-"MTU exist \\(em the kernel uses the path MTU which it would use to send "
-"packets from itself to the source and destination IP addresses. Prior to "
-"Linux 2.6.25, only the path MTU to the destination IP address was considered "
-"by this option; subsequent kernels also consider the path MTU to the source "
-"IP address."
+#: original/man8/iptables-extensions.8:1689
+msgid "iptables -A AUDIT_DROP -j AUDIT --type drop"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2348 original/man8/iptables.8:2459
-msgid "These options are mutually exclusive."
-msgstr "これらのオプションはどちらか 1 つしか指定できない。"
+#: original/man8/iptables-extensions.8:1691
+#, fuzzy
+#| msgid " iptables -j TOS -h\n"
+msgid "iptables -A AUDIT_DROP -j DROP"
+msgstr " iptables -j TOS -h\n"
#. type: SS
-#: original/man8/ip6tables.8:2348 original/man8/iptables.8:2459
+#: original/man8/iptables-extensions.8:1691
#, no-wrap
-msgid "TCPOPTSTRIP"
+msgid "CHECKSUM"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2351 original/man8/iptables.8:2462
+#: original/man8/iptables-extensions.8:1694
+#, fuzzy
+#| msgid ""
+#| "This target allows to selectively work around known ECN blackholes. It "
+#| "can only be used in the mangle table."
msgid ""
-"This target will strip TCP options off a TCP packet. (It will actually "
-"replace them by NO-OPs.) As such, you will need to add the B<-p tcp> "
-"parameters."
+"This target allows to selectively work around broken/old applications. It "
+"can only be used in the mangle table."
msgstr ""
+"このターゲットは ECN ブラックホール問題への対処を可能にする。 mangle テーブル"
+"でのみ使用できる。"
#. type: TP
-#: original/man8/ip6tables.8:2351 original/man8/iptables.8:2462
-#, fuzzy, no-wrap
-#| msgid "B<--destination-ports >I<port>[,I<port>[,I<port>...]]"
-msgid "B<--strip-options> I<option>[B<,>I<option>...]"
-msgstr "B<--destination-ports >I<port>[,I<port>[,I<port>...]]"
+#: original/man8/iptables-extensions.8:1694
+#, no-wrap
+msgid "B<--checksum-fill>"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2356 original/man8/iptables.8:2467
+#: original/man8/iptables-extensions.8:1700
msgid ""
-"Strip the given option(s). The options may be specified by TCP option number "
-"or by symbolic name. The list of recognized options can be obtained by "
-"calling iptables with B<-j TCPOPTSTRIP -h>."
+"Compute and fill in the checksum in a packet that lacks a checksum. This is "
+"particularly useful, if you need to work around old applications such as "
+"dhcp clients, that do not work well with checksum offloads, but don't want "
+"to disable checksum offload in your device."
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:2356 original/man8/iptables.8:2467
+#: original/man8/iptables-extensions.8:1700
#, no-wrap
-msgid "TEE"
+msgid "CLASSIFY"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2361 original/man8/iptables.8:2472
+#: original/man8/iptables-extensions.8:1702
msgid ""
-"The B<TEE> target will clone a packet and redirect this clone to another "
-"machine on the B<local> network segment. In other words, the nexthop must be "
-"the target, or you will have to configure the nexthop to forward it further "
-"if so desired."
+"This module allows you to set the skb-E<gt>priority value (and thus classify "
+"the packet into a specific CBQ class)."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:2361 original/man8/iptables.8:2472
-#, no-wrap
-msgid "B<--gateway> I<ipaddr>"
-msgstr ""
+#: original/man8/iptables-extensions.8:1702
+#, fuzzy, no-wrap
+#| msgid "B<--set-mark >I<mark>"
+msgid "B<--set-class> I<major>B<:>I<minor>"
+msgstr "B<--set-mark >I<mark>"
#. type: Plain text
-#: original/man8/ip6tables.8:2365 original/man8/iptables.8:2476
+#: original/man8/iptables-extensions.8:1706
msgid ""
-"Send the cloned packet to the host reachable at the given IP address. Use "
-"of 0.0.0.0 (for IPv4 packets) or :: (IPv6) is invalid."
+"Set the major and minor class value. The values are always interpreted as "
+"hexadecimal even if no 0x prefix is given."
msgstr ""
-#. type: Plain text
-#: original/man8/ip6tables.8:2367 original/man8/iptables.8:2478
-msgid ""
-"To forward all incoming traffic on eth0 to an Network Layer logging box:"
+#. type: SS
+#: original/man8/iptables-extensions.8:1706
+#, no-wrap
+msgid "CLUSTERIP (IPv4-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2369 original/man8/iptables.8:2480
-msgid "-t mangle -A PREROUTING -i eth0 -j TEE --gateway 2001:db8::1"
+#: original/man8/iptables-extensions.8:1711
+msgid ""
+"This module allows you to configure a simple cluster of nodes that share a "
+"certain IP and MAC address without an explicit load balancer in front of "
+"them. Connections are statically distributed between the nodes in this "
+"cluster."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:2369 original/man8/iptables.8:2480
+#. type: TP
+#: original/man8/iptables-extensions.8:1711
#, no-wrap
-msgid "TOS"
-msgstr "TOS"
+msgid "B<--new>"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2374 original/man8/iptables.8:2485
+#: original/man8/iptables-extensions.8:1715
msgid ""
-"This module sets the Type of Service field in the IPv4 header (including the "
-"\"precedence\" bits) or the Priority field in the IPv6 header. Note that TOS "
-"shares the same bits as DSCP and ECN. The TOS target is only valid in the "
-"B<mangle> table."
+"Create a new ClusterIP. You always have to set this on the first rule for a "
+"given ClusterIP."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:2374 original/man8/iptables.8:2485
+#: original/man8/iptables-extensions.8:1715
#, fuzzy, no-wrap
-#| msgid "B<--mark >I<value>[/I<mask>]"
-msgid "B<--set-tos> I<value>[B</>I<mask>]"
-msgstr "B<--mark >I<value>[/I<mask>]"
+#| msgid "B<--cmd-owner >I<name>"
+msgid "B<--hashmode> I<mode>"
+msgstr "B<--cmd-owner >I<name>"
#. type: Plain text
-#: original/man8/ip6tables.8:2378 original/man8/iptables.8:2489
+#: original/man8/iptables-extensions.8:1719
msgid ""
-"Zeroes out the bits given by I<mask> (see NOTE below) and XORs I<value> into "
-"the TOS/Priority field. If I<mask> is omitted, 0xFF is assumed."
+"Specify the hashing mode. Has to be one of B<sourceip>, B<sourceip-"
+"sourceport>, B<sourceip-sourceport-destport>."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:2378 original/man8/iptables.8:2489
+#: original/man8/iptables-extensions.8:1719
#, fuzzy, no-wrap
-#| msgid "B<--set-tos >I<tos>"
-msgid "B<--set-tos> I<symbol>"
-msgstr "B<--set-tos >I<tos>"
+#| msgid "B<--set-mark >I<mark>"
+msgid "B<--clustermac> I<mac>"
+msgstr "B<--set-mark >I<mark>"
#. type: Plain text
-#: original/man8/ip6tables.8:2383 original/man8/iptables.8:2494
+#: original/man8/iptables-extensions.8:1722
msgid ""
-"You can specify a symbolic name when using the TOS target for IPv4. It "
-"implies a mask of 0xFF (see NOTE below). The list of recognized TOS names "
-"can be obtained by calling iptables with B<-j TOS -h>."
+"Specify the ClusterIP MAC address. Has to be a link-layer multicast address"
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:2385 original/man8/iptables.8:2496
+#: original/man8/iptables-extensions.8:1722
#, fuzzy, no-wrap
-#| msgid "B<--tos >I<tos>"
-msgid "B<--and-tos> I<bits>"
-msgstr "B<--tos >I<tos>"
+#| msgid "B<-t>, B<--table> B<tablename>"
+msgid "B<--total-nodes> I<num>"
+msgstr "B<-t>, B<--table> B<tablename>"
#. type: Plain text
-#: original/man8/ip6tables.8:2390 original/man8/iptables.8:2501
-msgid ""
-"Binary AND the TOS value with I<bits>. (Mnemonic for B<--set-tos 0/"
-">I<invbits>, where I<invbits> is the binary negation of I<bits>. See NOTE "
-"below.)"
+#: original/man8/iptables-extensions.8:1725
+msgid "Number of total nodes within this cluster."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:2390 original/man8/iptables.8:2501
+#: original/man8/iptables-extensions.8:1725
#, fuzzy, no-wrap
-#| msgid "B<--tos >I<tos>"
-msgid "B<--or-tos> I<bits>"
-msgstr "B<--tos >I<tos>"
+#| msgid "B<--cmd-owner >I<name>"
+msgid "B<--local-node> I<num>"
+msgstr "B<--cmd-owner >I<name>"
#. type: Plain text
-#: original/man8/ip6tables.8:2394 original/man8/iptables.8:2505
-msgid ""
-"Binary OR the TOS value with I<bits>. (Mnemonic for B<--set-tos> I<bits>B</"
-">I<bits>. See NOTE below.)"
+#: original/man8/iptables-extensions.8:1728
+msgid "Local node number within this cluster."
msgstr ""
#. type: TP
-#: original/man8/ip6tables.8:2394 original/man8/iptables.8:2505
+#: original/man8/iptables-extensions.8:1728
#, fuzzy, no-wrap
-#| msgid "B<--tos >I<tos>"
-msgid "B<--xor-tos> I<bits>"
-msgstr "B<--tos >I<tos>"
-
-#. type: Plain text
-#: original/man8/ip6tables.8:2398 original/man8/iptables.8:2509
-msgid ""
-"Binary XOR the TOS value with I<bits>. (Mnemonic for B<--set-tos> "
-"I<bits>B</0>. See NOTE below.)"
-msgstr ""
+#| msgid "B<--limit >I<rate>"
+msgid "B<--hash-init> I<rnd>"
+msgstr "B<--limit >I<rate>"
#. type: Plain text
-#: original/man8/ip6tables.8:2406 original/man8/iptables.8:2517
-msgid ""
-"NOTE: In Linux kernels up to and including 2.6.38, with the exception of "
-"longterm releases 2.6.32 (E<gt>=.42), 2.6.33 (E<gt>=.15), and 2.6.35 "
-"(E<gt>=.14), there is a bug whereby IPv6 TOS mangling does not behave as "
-"documented and differs from the IPv4 version. The TOS mask indicates the "
-"bits one wants to zero out, so it needs to be inverted before applying it to "
-"the original TOS field. However, the aformentioned kernels forgo the "
-"inversion which breaks --set-tos and its mnemonics."
+#: original/man8/iptables-extensions.8:1731
+msgid "Specify the random seed used for hash initialization."
msgstr ""
#. type: SS
-#: original/man8/ip6tables.8:2406 original/man8/iptables.8:2517
-#, no-wrap
-msgid "TPROXY"
-msgstr ""
+#: original/man8/iptables-extensions.8:1731
+#, fuzzy, no-wrap
+#| msgid "MARK"
+msgid "CONNMARK"
+msgstr "MARK"
#. type: Plain text
-#: original/man8/ip6tables.8:2413 original/man8/iptables.8:2524
+#: original/man8/iptables-extensions.8:1734
#, fuzzy
#| msgid ""
-#| "This target is only valid in the B<nat> table, in the B<PREROUTING> and "
-#| "B<OUTPUT> chains, and user-defined chains which are only called from "
-#| "those chains. It alters the destination IP address to send the packet to "
-#| "the machine itself (locally-generated packets are mapped to the 127.0.0.1 "
-#| "address). It takes one option:"
+#| "This is used to set the netfilter mark value associated with the packet. "
+#| "It is only valid in the B<mangle> table."
msgid ""
-"This target is only valid in the B<mangle> table, in the B<PREROUTING> chain "
-"and user-defined chains which are only called from this chain. It redirects "
-"the packet to a local socket without changing the packet header in any way. "
-"It can also change the mark value which can then be used in advanced routing "
-"rules. It takes three options:"
+"This module sets the netfilter mark value associated with a connection. The "
+"mark is 32 bits wide."
msgstr ""
-"このターゲットは、 B<nat> テーブル内の B<PREROUTING> チェイン及び B<OUTPUT> "
-"チェイン、そしてこれらチェインから呼び出される ユーザー定義チェインでのみ有効"
-"である。 このターゲットはパケットの送信先 IP アドレスを マシン自身の IP アド"
-"レスに変換する。 (ローカルで生成されたパケットは、アドレス 127.0.0.1 にマップ"
-"される)。 このターゲットにはオプションが 1 つある:"
+"パケットに関連づけられた netfilter の mark 値を指定する。 B<mangle> テーブル"
+"のみで有効である。"
#. type: TP
-#: original/man8/ip6tables.8:2413 original/man8/iptables.8:2524
+#: original/man8/iptables-extensions.8:1734
+#: original/man8/iptables-extensions.8:2100
#, fuzzy, no-wrap
-#| msgid "B<--to-ports >I<port>[-I<port>]"
-msgid "B<--on-port> I<port>"
-msgstr "B<--to-ports >I<port>[-I<port>]"
+#| msgid "B<--mark >I<value>[/I<mask>]"
+msgid "B<--set-xmark> I<value>[B</>I<mask>]"
+msgstr "B<--mark >I<value>[/I<mask>]"
#. type: Plain text
-#: original/man8/ip6tables.8:2418 original/man8/iptables.8:2529
-#, fuzzy
-#| msgid ""
-#| "This specifies a destination port or range of ports to use: without this, "
-#| "the destination port is never altered. This is only valid if the rule "
-#| "also specifies B<-p tcp> or B<-p udp>."
-msgid ""
-"This specifies a destination port to use. It is a required option, 0 means "
-"the new destination port is the same as the original. This is only valid if "
-"the rule also specifies B<-p tcp> or B<-p udp>."
+#: original/man8/iptables-extensions.8:1737
+msgid "Zero out the bits given by I<mask> and XOR I<value> into the ctmark."
msgstr ""
-"このオプションは使用される送信先ポート・ポート範囲・複数ポートを指定する。 こ"
-"のオプションが指定されない場合、送信先ポートは変更されない。 ルールが B<-p "
-"tcp> または B<-p udp> を指定している場合にのみ有効である。"
#. type: TP
-#: original/man8/ip6tables.8:2418 original/man8/iptables.8:2529
-#, fuzzy, no-wrap
-#| msgid "B<--mac-source >[!] I<address>"
-msgid "B<--on-ip> I<address>"
-msgstr "B<--mac-source >[!] I<address>"
+#: original/man8/iptables-extensions.8:1737
+#, no-wrap
+msgid "B<--save-mark> [B<--nfmask> I<nfmask>] [B<--ctmask> I<ctmask>]"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2423 original/man8/iptables.8:2534
-#, fuzzy
-#| msgid ""
-#| "This specifies a destination port or range of ports to use: without this, "
-#| "the destination port is never altered. This is only valid if the rule "
-#| "also specifies B<-p tcp> or B<-p udp>."
+#: original/man8/iptables-extensions.8:1741
msgid ""
-"This specifies a destination address to use. By default the address is the "
-"IP address of the incoming interface. This is only valid if the rule also "
-"specifies B<-p tcp> or B<-p udp>."
+"Copy the packet mark (nfmark) to the connection mark (ctmark) using the "
+"given masks. The new nfmark value is determined as follows:"
msgstr ""
-"このオプションは使用される送信先ポート・ポート範囲・複数ポートを指定する。 こ"
-"のオプションが指定されない場合、送信先ポートは変更されない。 ルールが B<-p "
-"tcp> または B<-p udp> を指定している場合にのみ有効である。"
-#. type: TP
-#: original/man8/ip6tables.8:2423 original/man8/iptables.8:2534
-#, fuzzy, no-wrap
-#| msgid "B<--mark >I<value>[/I<mask>]"
-msgid "B<--tproxy-mark> I<value>[B</>I<mask>]"
-msgstr "B<--mark >I<value>[/I<mask>]"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1743
+msgid "ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)"
+msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2428 original/man8/iptables.8:2539
+#: original/man8/iptables-extensions.8:1747
msgid ""
-"Marks packets with the given value/mask. The fwmark value set here can be "
-"used by advanced routing. (Required for transparent proxying to work: "
-"otherwise these packets will get forwarded, which is probably not what you "
-"want.)"
+"i.e. I<ctmask> defines what bits to clear and I<nfmask> what bits of the "
+"nfmark to XOR into the ctmark. I<ctmask> and I<nfmask> default to 0xFFFFFFFF."
msgstr ""
-#. type: SS
-#: original/man8/ip6tables.8:2428 original/man8/iptables.8:2539
+#. type: TP
+#: original/man8/iptables-extensions.8:1747
#, no-wrap
-msgid "TRACE"
+msgid "B<--restore-mark> [B<--nfmask> I<nfmask>] [B<--ctmask> I<ctmask>]"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2431 original/man8/iptables.8:2542
+#: original/man8/iptables-extensions.8:1751
msgid ""
-"This target marks packets so that the kernel will log every rule which match "
-"the packets as those traverse the tables, chains, rules."
+"Copy the connection mark (ctmark) to the packet mark (nfmark) using the "
+"given masks. The new ctmark value is determined as follows:"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2438 original/man8/iptables.8:2549
-msgid ""
-"A logging backend, such as ip(6)t_LOG or nfnetlink_log, must be loaded for "
-"this to be visible. The packets are logged with the string prefix: \"TRACE: "
-"tablename:chainname:type:rulenum \" where type can be \"rule\" for plain "
-"rule, \"return\" for implicit rule at the end of a user defined chain and "
-"\"policy\" for the policy of the built in chains."
+#: original/man8/iptables-extensions.8:1753
+msgid "nfmark = (nfmark & ~I<nfmask>) ^ (ctmark & I<ctmask>);"
msgstr ""
-#. type: SH
-#: original/man8/ip6tables.8:2442 original/man8/iptables.8:2601
-#, no-wrap
-msgid "DIAGNOSTICS"
-msgstr "返り値"
-
#. type: Plain text
-#: original/man8/ip6tables.8:2447 original/man8/iptables.8:2606
+#: original/man8/iptables-extensions.8:1757
msgid ""
-"Various error messages are printed to standard error. The exit code is 0 "
-"for correct functioning. Errors which appear to be caused by invalid or "
-"abused command line parameters cause an exit code of 2, and other errors "
-"cause an exit code of 1."
+"i.e. I<nfmask> defines what bits to clear and I<ctmask> what bits of the "
+"ctmark to XOR into the nfmark. I<ctmask> and I<nfmask> default to 0xFFFFFFFF."
msgstr ""
-"いろいろなエラーメッセージが標準エラーに表示される。 正しく機能した場合、終了"
-"コードは 0 である。 不正なコマンドラインパラメータによりエラーが発生した場合"
-"は、 終了コード 2 が返される。 その他のエラーの場合は、終了コード 1 が返され"
-"る。"
#. type: Plain text
-#: original/man8/ip6tables.8:2450
-msgid ""
-"Bugs? What's this? ;-) Well... the counters are not reliable on sparc64."
+#: original/man8/iptables-extensions.8:1759
+msgid "B<--restore-mark> is only valid in the B<mangle> table."
msgstr ""
-"バグ? バグって何? ;-) えーと…、sparc64 ではカウンター値が信頼できない。"
-
-#. type: SH
-#: original/man8/ip6tables.8:2450 original/man8/iptables.8:2609
-#, no-wrap
-msgid "COMPATIBILITY WITH IPCHAINS"
-msgstr "IPCHAINS との互換性"
#. type: Plain text
-#: original/man8/ip6tables.8:2459
-msgid ""
-"This B<ip6tables> is very similar to ipchains by Rusty Russell. The main "
-"difference is that the chains B<INPUT> and B<OUTPUT> are only traversed for "
-"packets coming into the local host and originating from the local host "
-"respectively. Hence every packet only passes through one of the three "
-"chains (except loopback traffic, which involves both INPUT and OUTPUT "
-"chains); previously a forwarded packet would pass through all three."
+#: original/man8/iptables-extensions.8:1761
+msgid "The following mnemonics are available for B<--set-xmark>:"
msgstr ""
-"B<ip6tables> は、Rusty Russell の ipchains と非常によく似ている。 大きな違い"
-"は、チェイン B<INPUT> と B<OUTPUT> が、それぞれローカルホストに入ってくるパ"
-"ケットと、 ローカルホストから出されるパケットのみしか調べないという点であ"
-"る。 よって、全てのパケットは 3 つあるチェインのうち 1 つしか通らない (ループ"
-"バックトラフィックは例外で、INPUT と OUTPUT チェインの両方を通る)。 以前は "
-"(ipchains では)、 フォワードされるパケットが 3 つのチェイン全てを通っていた。"
-#. type: Plain text
-#: original/man8/ip6tables.8:2464
-msgid ""
-"The other main difference is that B<-i> refers to the input interface; B<-o> "
-"refers to the output interface, and both are available for packets entering "
-"the B<FORWARD> chain. There are several other changes in ip6tables."
-msgstr ""
-"その他の大きな違いは、 B<-i> で入力インターフェース、 B<-o> で出力インター"
-"フェースを指定し、 ともに B<FORWARD> チェインに入るパケットに対して指定可能な"
-"点である。 ip6tables では、その他にもいくつかの変更がある。"
+#. type: TP
+#: original/man8/iptables-extensions.8:1761
+#: original/man8/iptables-extensions.8:2110
+#, fuzzy, no-wrap
+#| msgid "B<--set-mark >I<mark>"
+msgid "B<--and-mark> I<bits>"
+msgstr "B<--set-mark >I<mark>"
#. type: Plain text
-#: original/man8/ip6tables.8:2471
-#, fuzzy
-#| msgid ""
-#| "B<ip6tables-save>(8), B<ip6tables-restore(8),> B<iptables>(8), B<iptables-"
-#| "save>(8), B<iptables-restore>(8)."
+#: original/man8/iptables-extensions.8:1765
msgid ""
-"B<ip6tables-save>(8), B<ip6tables-restore>(8), B<iptables>(8), B<iptables-"
-"save>(8), B<iptables-restore>(8), B<libipq>(3)."
+"Binary AND the ctmark with I<bits>. (Mnemonic for B<--set-xmark 0/"
+">I<invbits>, where I<invbits> is the binary negation of I<bits>.)"
msgstr ""
-"B<ip6tables-save>(8), B<ip6tables-restore(8),> B<iptables>(8), B<iptables-"
-"save>(8), B<iptables-restore>(8)."
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1765
+#: original/man8/iptables-extensions.8:2114
+#, fuzzy, no-wrap
+#| msgid "B<--set-mark >I<mark>"
+msgid "B<--or-mark> I<bits>"
+msgstr "B<--set-mark >I<mark>"
#. type: Plain text
-#: original/man8/ip6tables.8:2477
-#, fuzzy
-#| msgid ""
-#| "The packet-filtering-HOWTO details iptables usage for packet filtering, "
-#| "the NAT-HOWTO details NAT, the netfilter-extensions-HOWTO details the "
-#| "extensions that are not in the standard distribution, and the netfilter-"
-#| "hacking-HOWTO details the netfilter internals."
+#: original/man8/iptables-extensions.8:1769
msgid ""
-"The packet-filtering-HOWTO details iptables usage for packet filtering, the "
-"netfilter-extensions-HOWTO details the extensions that are not in the "
-"standard distribution, and the netfilter-hacking-HOWTO details the netfilter "
-"internals."
+"Binary OR the ctmark with I<bits>. (Mnemonic for B<--set-xmark> I<bits>B</"
+">I<bits>.)"
msgstr ""
-"パケットフィルタリングについての詳細な iptables の使用法を\n"
-"説明している packet-filtering-HOWTO。\n"
-"NAT について詳細に説明している NAT-HOWTO。\n"
-"標準的な配布には含まれない拡張の詳細を 説明している \n"
-"netfilter-extensions-HOWTO。\n"
-"内部構造について詳細に説明している netfilter-hacking-HOWTO。"
-#. type: Plain text
-#: original/man8/ip6tables.8:2480 original/man8/iptables.8:2650
-msgid "See B<http://www.netfilter.org/>."
-msgstr "B<http://www.netfilter.org/> を参照。"
+#. type: TP
+#: original/man8/iptables-extensions.8:1769
+#: original/man8/iptables-extensions.8:2118
+#, fuzzy, no-wrap
+#| msgid "B<--set-mark >I<mark>"
+msgid "B<--xor-mark> I<bits>"
+msgstr "B<--set-mark >I<mark>"
#. type: Plain text
-#: original/man8/ip6tables.8:2483
+#: original/man8/iptables-extensions.8:1773
msgid ""
-"Rusty Russell wrote iptables, in early consultation with Michael Neuling."
+"Binary XOR the ctmark with I<bits>. (Mnemonic for B<--set-xmark> "
+"I<bits>B</0>.)"
msgstr ""
-"Rusty Russell は、初期の段階で Michael Neuling に相談して iptables を書いた。"
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1773
+#: original/man8/iptables-extensions.8:2104
+#, fuzzy, no-wrap
+#| msgid "B<--mark >I<value>[/I<mask>]"
+msgid "B<--set-mark> I<value>[B</>I<mask>]"
+msgstr "B<--mark >I<value>[/I<mask>]"
#. type: Plain text
-#: original/man8/ip6tables.8:2487 original/man8/iptables.8:2657
+#: original/man8/iptables-extensions.8:1777
msgid ""
-"Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet "
-"selection framework in iptables, then wrote the mangle table, the owner "
-"match, the mark stuff, and ran around doing cool stuff everywhere."
+"Set the connection mark. If a mask is specified then only those bits set in "
+"the mask are modified."
msgstr ""
-"Marc Boucher は Rusty に iptables の一般的なパケット選択の考え方を勧めて、 "
-"ipnatctl を止めさせた。 そして、mangle テーブル・所有者マッチング・ mark 機能"
-"を書き、いたるところで使われている素晴らしいコードを書いた。"
-#. type: Plain text
-#: original/man8/ip6tables.8:2489 original/man8/iptables.8:2659
-msgid "James Morris wrote the TOS target, and tos match."
-msgstr "James Morris が TOS ターゲットと tos マッチングを書いた。"
-
-#. type: Plain text
-#: original/man8/ip6tables.8:2491 original/man8/iptables.8:2661
-msgid "Jozsef Kadlecsik wrote the REJECT target."
-msgstr "Jozsef Kadlecsik が REJECT ターゲットを書いた。"
+#. type: TP
+#: original/man8/iptables-extensions.8:1777
+#, fuzzy, no-wrap
+#| msgid "B<--set-mark >I<mark>"
+msgid "B<--save-mark> [B<--mask> I<mask>]"
+msgstr "B<--set-mark >I<mark>"
#. type: Plain text
-#: original/man8/ip6tables.8:2493
-#, fuzzy
-#| msgid "Harald Welte wrote the ULOG target, TTL match+target and libipulog."
+#: original/man8/iptables-extensions.8:1781
msgid ""
-"Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, as well as "
-"TTL match+target and libipulog."
+"Copy the nfmark to the ctmark. If a mask is specified, only those bits are "
+"copied."
msgstr ""
-"Harald Welte が ULOG ターゲット・TTL マッチングと TTL ターゲット・ libipulog "
-"を書いた。"
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1781
+#, fuzzy, no-wrap
+#| msgid "B<--set-mark >I<mark>"
+msgid "B<--restore-mark> [B<--mask> I<mask>]"
+msgstr "B<--set-mark >I<mark>"
#. type: Plain text
-#: original/man8/ip6tables.8:2497 original/man8/iptables.8:2667
+#: original/man8/iptables-extensions.8:1785
#, fuzzy
#| msgid ""
-#| "The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Jozsef "
-#| "Kadlecsik, James Morris, Harald Welte and Rusty Russell."
+#| "This is used to set the netfilter mark value associated with the packet. "
+#| "It is only valid in the B<mangle> table."
msgid ""
-"The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Yasuyuki "
-"Kozakai, Jozsef Kadlecsik, Patrick McHardy, James Morris, Pablo Neira Ayuso, "
-"Harald Welte and Rusty Russell."
+"Copy the ctmark to the nfmark. If a mask is specified, only those bits are "
+"copied. This is only valid in the B<mangle> table."
+msgstr ""
+"パケットに関連づけられた netfilter の mark 値を指定する。 B<mangle> テーブル"
+"のみで有効である。"
+
+#. type: SS
+#: original/man8/iptables-extensions.8:1785
+#, no-wrap
+msgid "CONNSECMARK"
msgstr ""
-"Netfilter コアチームは、Marc Boucher, Martin Josefsson, Jozsef Kadlecsik, "
-"James Morris, Harald Welte, Rusty Russell である。"
-#. .. and did I mention that we are incredibly cool people?
-#. .. sexy, too ..
-#. .. witty, charming, powerful ..
-#. .. and most of all, modest ..
#. type: Plain text
-#: original/man8/ip6tables.8:2504
+#: original/man8/iptables-extensions.8:1795
msgid ""
-"ip6tables man page created by Andras Kis-Szabo, based on iptables man page "
-"written by Herve Eychenne E<lt>rv@wallfire.orgE<gt>."
+"This module copies security markings from packets to connections (if "
+"unlabeled), and from connections back to packets (also only if unlabeled). "
+"Typically used in conjunction with SECMARK, it is valid in the B<security> "
+"table (for backwards compatibility with older kernels, it is also valid in "
+"the B<mangle> table)."
msgstr ""
-"ip6tables の man ページは、Andras Kis-Szabo によって作成された。 これは "
-"Herve Eychenne E<lt>rv@wallfire.orgE<gt> によって書かれた iptables の man "
-"ページを元にしている。"
-#. type: SH
-#: original/man8/ip6tables.8:2504 original/man8/iptables.8:2673
+#. type: TP
+#: original/man8/iptables-extensions.8:1795
#, no-wrap
-msgid "VERSION"
+msgid "B<--save>"
msgstr ""
#. type: Plain text
-#: original/man8/ip6tables.8:2506
-msgid "This manual page applies to ip6tables @PACKAGE_VERSION@."
+#: original/man8/iptables-extensions.8:1799
+msgid ""
+"If the packet has a security marking, copy it to the connection if the "
+"connection is not marked."
msgstr ""
-#. type: TH
-#: original/man8/iptables-restore.8:1
+#. type: TP
+#: original/man8/iptables-extensions.8:1799
#, no-wrap
-msgid "IPTABLES-RESTORE"
-msgstr "IPTABLES-RESTORE"
-
-#. type: TH
-#: original/man8/iptables-restore.8:1 original/man8/iptables-save.8:1
-#, no-wrap
-msgid "Jan 04, 2001"
-msgstr "Jan 04, 2001"
+msgid "B<--restore>"
+msgstr ""
#. type: Plain text
-#: original/man8/iptables-restore.8:23
-#, fuzzy
-#| msgid "iptables-restore - Restore IP Tables"
-msgid "iptables-restore \\(em Restore IP Tables"
-msgstr "iptables-restore - IP テーブルを復元する"
+#: original/man8/iptables-extensions.8:1803
+msgid ""
+"If the packet does not have a security marking, and the connection does, "
+"copy the security marking from the connection to the packet."
+msgstr ""
-#. type: Plain text
-#: original/man8/iptables-restore.8:25
-#, fuzzy
-#| msgid "B<iptables-restore >[-c] [-n]"
-msgid "B<iptables-restore> [B<-c>] [B<-n>] [B<-T> I<name>]"
-msgstr "B<iptables-restore >[-c] [-n]"
+#. type: SS
+#: original/man8/iptables-extensions.8:1804
+#, no-wrap
+msgid "CT"
+msgstr ""
#. type: Plain text
-#: original/man8/iptables-restore.8:30
+#: original/man8/iptables-extensions.8:1809
msgid ""
-"B<iptables-restore> is used to restore IP Tables from data specified on "
-"STDIN. Use I/O redirection provided by your shell to read from a file"
+"The CT target allows to set parameters for a packet or its associated "
+"connection. The target attaches a \"template\" connection tracking entry to "
+"the packet, which is then used by the conntrack core when initializing a new "
+"ct entry. This target is thus only valid in the \"raw\" table."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1809
+#, no-wrap
+msgid "B<--notrack>"
msgstr ""
-"B<iptables-restore> は標準入力で指定されたデータから IP テーブルを復元するた"
-"めに使われる。 ファイルから読み込むためには、 シェルで提供されている I/O リダ"
-"イレクションを使うこと。"
#. type: Plain text
-#: original/man8/iptables-restore.8:38
-msgid ""
-"don't flush the previous contents of the table. If not specified, B<iptables-"
-"restore> flushes (deletes) all previous contents of the respective IP Table."
+#: original/man8/iptables-extensions.8:1812
+msgid "Disables connection tracking for this packet."
msgstr ""
-"これまでのテーブルの内容をフラッシュしない。 指定されない場合、 B<iptables-"
-"restore> は、これまでの各 IP テーブルの内容を全てフラッシュ (削除) する。"
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1812
+#, fuzzy, no-wrap
+#| msgid "B<--helper >I<string>"
+msgid "B<--helper> I<name>"
+msgstr "B<--helper >I<string>"
#. type: Plain text
-#: original/man8/iptables-restore.8:41
+#: original/man8/iptables-extensions.8:1816
msgid ""
-"Restore only the named table even if the input stream contains other ones."
+"Use the helper identified by I<name> for the connection. This is more "
+"flexible than loading the conntrack helper modules with preset ports."
msgstr ""
-#. type: SH
-#: original/man8/iptables-restore.8:43 original/man8/iptables-save.8:44
-#: original/man1/iptables-xml.1:84
+#. type: TP
+#: original/man8/iptables-extensions.8:1816
#, no-wrap
-msgid "AUTHOR"
-msgstr "作者"
+msgid "B<--ctevents> I<event>[B<,>...]"
+msgstr ""
#. type: Plain text
-#: original/man8/iptables-restore.8:47
-msgid "B<iptables-save>(8), B<iptables>(8)"
-msgstr "B<iptables-save>(8), B<iptables>(8)"
+#: original/man8/iptables-extensions.8:1822
+msgid ""
+"Only generate the specified conntrack events for this connection. Possible "
+"event types are: B<new>, B<related>, B<destroy>, B<reply>, B<assured>, "
+"B<protoinfo>, B<helper>, B<mark> (this refers to the ctmark, not nfmark), "
+"B<natseqinfo>, B<secmark> (ctsecmark)."
+msgstr ""
-#. type: TH
-#: original/man8/iptables-save.8:1
+#. type: TP
+#: original/man8/iptables-extensions.8:1822
#, no-wrap
-msgid "IPTABLES-SAVE"
-msgstr "IPTABLES-SAVE"
+msgid "B<--expevents> I<event>[B<,>...]"
+msgstr ""
#. type: Plain text
-#: original/man8/iptables-save.8:23
-msgid "iptables-save \\(em dump iptables rules to stdout"
+#: original/man8/iptables-extensions.8:1826
+msgid ""
+"Only generate the specified expectation events for this connection. "
+"Possible event types are: B<new>."
msgstr ""
-#. type: Plain text
-#: original/man8/iptables-save.8:26
-#, fuzzy
-#| msgid "B<iptables-save >[-c] [-t table]"
-msgid "B<iptables-save> [B<-M> I<modprobe>] [B<-c>] [B<-t> I<table>]"
-msgstr "B<iptables-save >[-c] [-t table]"
+#. type: TP
+#: original/man8/iptables-extensions.8:1826
+#, fuzzy, no-wrap
+#| msgid "B<--uid-owner >I<userid>"
+msgid "B<--zone> I<id>"
+msgstr "B<--uid-owner >I<userid>"
#. type: Plain text
-#: original/man8/iptables-save.8:31
+#: original/man8/iptables-extensions.8:1830
msgid ""
-"B<iptables-save> is used to dump the contents of an IP Table in easily "
-"parseable format to STDOUT. Use I/O-redirection provided by your shell to "
-"write to a file."
+"Assign this packet to zone I<id> and only have lookups done in that zone. "
+"By default, packets have zone 0."
msgstr ""
-"B<iptables-save> は IP テーブルの内容を簡単に解析できる形式で 標準出力にダン"
-"プするために使われる。 ファイルに書き出すためには、 シェルで提供されている I/"
-"O リダイレクションを使うこと。"
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1830
+#, fuzzy, no-wrap
+#| msgid "B<--set-mss >I<value>"
+msgid "B<--timeout> I<name>"
+msgstr "B<--set-mss >I<value>"
#. type: Plain text
-#: original/man8/iptables-save.8:48
-msgid "B<iptables-restore>(8), B<iptables>(8)"
-msgstr "B<iptables-restore>(8), B<iptables>(8)"
+#: original/man8/iptables-extensions.8:1835
+msgid ""
+"Use the timeout policy identified by I<name> for the connection. This is "
+"provides more flexible timeout policy definition than global timeout values "
+"available at /proc/sys/net/netfilter/nf_conntrack_*_timeout_*."
+msgstr ""
-#. type: TH
-#: original/man8/iptables.8:1
+#. type: SS
+#: original/man8/iptables-extensions.8:1835
#, no-wrap
-msgid "IPTABLES"
-msgstr "IPTABLES"
+msgid "DNAT (IPv4-specific)"
+msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:27
-#, fuzzy
-#| msgid "iptables - administration tool for IPv4 packet filtering and NAT"
-msgid "iptables \\(em administration tool for IPv4 packet filtering and NAT"
-msgstr "iptables - IPv4 のパケットフィルタと NAT を管理するツール"
+#: original/man8/iptables-extensions.8:1847
+msgid ""
+"This target is only valid in the B<nat> table, in the B<PREROUTING> and "
+"B<OUTPUT> chains, and user-defined chains which are only called from those "
+"chains. It specifies that the destination address of the packet should be "
+"modified (and all future packets in this connection will also be mangled), "
+"and rules should cease being examined. It takes one type of option:"
+msgstr ""
+"このターゲットは B<nat> テーブルの B<PREROUTING>, B<OUTPUT> チェイン、これら"
+"のチェインから呼び出される ユーザー定義チェインのみで有効である。 このター"
+"ゲットはパケットの送信先アドレスを修正する (この接続の以降のパケットも修正し"
+"て分からなく (mangle) する)。 さらに、ルールによるチェックを止めさせる。 この"
+"ターゲットにはオプションが 1 種類ある:"
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1847
+#, fuzzy, no-wrap
+#| msgid "B<--to-destination >I<ipaddr>[-I<ipaddr>][:I<port>-I<port>]"
+msgid "B<--to-destination> [I<ipaddr>[B<->I<ipaddr>]][B<:>I<port>[B<->I<port>]]"
+msgstr "B<--to-destination >I<ipaddr>[-I<ipaddr>][:I<port>-I<port>]"
#. type: Plain text
-#: original/man8/iptables.8:30
+#: original/man8/iptables-extensions.8:1858
#, fuzzy
-#| msgid "B<iptables [-t table] -[AD] >chain rule-specification [options]"
+#| msgid ""
+#| "which can specify a single new destination IP address, an inclusive range "
+#| "of IP addresses, and optionally, a port range (which is only valid if the "
+#| "rule also specifies B<-p tcp> or B<-p udp>). If no port range is "
+#| "specified, then the destination port will never be modified."
msgid ""
-"B<iptables> [B<-t> I<table>] {B<-A>|B<-C>|B<-D>} I<chain> I<rule-"
-"specification>"
-msgstr "B<iptables [-t table] -[AD] >チェイン ルールの詳細 [オプション]"
+"which can specify a single new destination IP address, an inclusive range of "
+"IP addresses, and optionally, a port range (which is only valid if the rule "
+"also specifies B<-p tcp> or B<-p udp>). If no port range is specified, then "
+"the destination port will never be modified. If no IP address is specified "
+"then only the destination port will be modified."
+msgstr ""
+"1 つの新しい送信先 IP アドレス、または IP アドレスの範囲が指定できる。 ポート"
+"の範囲を指定することもできる (これはルールで B<-p tcp> または B<-p udp> を指"
+"定している場合にのみ有効)。 ポートの範囲が指定されていない場合、送信先ポート"
+"は変更されない。"
#. type: Plain text
-#: original/man8/iptables.8:32
+#: original/man8/iptables-extensions.8:1865
#, fuzzy
#| msgid ""
-#| "B<iptables [-t table] -I >chain [rulenum] rule-specification [options]"
+#| "You can add several --to-destination options. If you specify more than "
+#| "one destination address, either via an address range or multiple --to-"
+#| "destination options, a simple round-robin (one after another in cycle) "
+#| "load balancing takes place between these adresses."
msgid ""
-"B<iptables> [B<-t> I<table>] B<-I> I<chain> [I<rulenum>] I<rule-"
-"specification>"
+"In Kernels up to 2.6.10 you can add several --to-destination options. For "
+"those kernels, if you specify more than one destination address, either via "
+"an address range or multiple --to-destination options, a simple round-robin "
+"(one after another in cycle) load balancing takes place between these "
+"addresses. Later Kernels (E<gt>= 2.6.11-rc1) don't have the ability to NAT "
+"to multiple ranges anymore."
msgstr ""
-"B<iptables [-t table] -I >チェイン [ルール番号] ルールの詳細 [オプション]"
+"複数の --to-destination オプションを指定することができる。 アドレスの範囲に"
+"よって、 もしくは複数の --to-destination オプションによって 2 つ以上の送信先"
+"アドレスを指定した場合、 それらのアドレスを使った単純なラウンド・ロビン (順々"
+"に循環させる) がおこなわれる。"
-#. type: Plain text
-#: original/man8/iptables.8:34
-#, fuzzy
-#| msgid "B<iptables [-t table] -R >chain rulenum rule-specification [options]"
-msgid "B<iptables> [B<-t> I<table>] B<-R> I<chain rulenum rule-specification>"
+#. type: TP
+#: original/man8/iptables-extensions.8:1865
+#: original/man8/iptables-extensions.8:2145
+#: original/man8/iptables-extensions.8:2176
+#: original/man8/iptables-extensions.8:2299
+#: original/man8/iptables-extensions.8:2387
+#: original/man8/iptables-extensions.8:2456
+#, no-wrap
+msgid "B<--random>"
msgstr ""
-"B<iptables [-t table] -R >チェイン ルール番号 ルールの詳細 [オプション]"
#. type: Plain text
-#: original/man8/iptables.8:36
-#, fuzzy
-#| msgid "B<iptables [-t table] -D >chain rulenum [options]"
-msgid "B<iptables> [B<-t> I<table>] B<-D> I<chain rulenum>"
-msgstr "B<iptables [-t table] -D >チェイン ルール番号 [オプション]"
+#: original/man8/iptables-extensions.8:1870
+#: original/man8/iptables-extensions.8:2304
+msgid ""
+"If option B<--random> is used then port mapping will be randomized (kernel "
+"E<gt>= 2.6.22)."
+msgstr ""
-#. type: Plain text
-#: original/man8/iptables.8:38
-#, fuzzy
-#| msgid "B<iptables [-t table] -D >chain rulenum [options]"
-msgid "B<iptables> [B<-t> I<table>] B<-S> [I<chain> [I<rulenum>]]"
-msgstr "B<iptables [-t table] -D >チェイン ルール番号 [オプション]"
+#. type: TP
+#: original/man8/iptables-extensions.8:1870
+#: original/man8/iptables-extensions.8:2461
+#, fuzzy, no-wrap
+#| msgid "B<--helper >I<string>"
+msgid "B<--persistent>"
+msgstr "B<--helper >I<string>"
#. type: Plain text
-#: original/man8/iptables.8:40
-#, fuzzy
-#| msgid "B<iptables [-t table] -D >chain rulenum [options]"
+#: original/man8/iptables-extensions.8:1875
+#: original/man8/iptables-extensions.8:2466
msgid ""
-"B<iptables> [B<-t> I<table>] {B<-F>|B<-L>|B<-Z>} [I<chain> [I<rulenum>]] "
-"[I<options...>]"
-msgstr "B<iptables [-t table] -D >チェイン ルール番号 [オプション]"
+"Gives a client the same source-/destination-address for each connection. "
+"This supersedes the SAME target. Support for persistent mappings is "
+"available from 2.6.29-rc2."
+msgstr ""
-#. type: Plain text
-#: original/man8/iptables.8:42
-#, fuzzy
-#| msgid "B<iptables [-t table] -N >chain"
-msgid "B<iptables> [B<-t> I<table>] B<-N> I<chain>"
-msgstr "B<iptables [-t table] -N >チェイン"
+#. type: SS
+#: original/man8/iptables-extensions.8:1875
+#, no-wrap
+msgid "DSCP"
+msgstr "DSCP"
#. type: Plain text
-#: original/man8/iptables.8:44
-#, fuzzy
-#| msgid "B<iptables [-t table] -X >[chain]"
-msgid "B<iptables> [B<-t> I<table>] B<-X> [I<chain>]"
-msgstr "B<iptables [-t table] -X >[チェイン]"
+#: original/man8/iptables-extensions.8:1879
+msgid ""
+"This target allows to alter the value of the DSCP bits within the TOS header "
+"of the IPv4 packet. As this manipulates a packet, it can only be used in "
+"the mangle table."
+msgstr ""
+"このターゲットは、IPv4 パケットの TOS ヘッダーにある DSCP ビットの値の書き換"
+"えを可能にする。 これはパケットを操作するので、mangle テーブルでのみ使用でき"
+"る。"
-#. type: Plain text
-#: original/man8/iptables.8:46
-#, fuzzy
-#| msgid "B<iptables [-t table] -P >chain target [options]"
-msgid "B<iptables> [B<-t> I<table>] B<-P> I<chain target>"
-msgstr "B<iptables [-t table] -P >チェイン ターゲット [オプション]"
+#. type: TP
+#: original/man8/iptables-extensions.8:1879
+#, fuzzy, no-wrap
+#| msgid "B<--set-dscp >I<value>"
+msgid "B<--set-dscp> I<value>"
+msgstr "B<--set-dscp >I<value>"
#. type: Plain text
-#: original/man8/iptables.8:48
-#, fuzzy
-#| msgid "B<iptables [-t table] -E >old-chain-name new-chain-name"
-msgid "B<iptables> [B<-t> I<table>] B<-E> I<old-chain-name new-chain-name>"
-msgstr "B<iptables [-t table] -E >旧チェイン名 新チェイン名"
+#: original/man8/iptables-extensions.8:1882
+msgid "Set the DSCP field to a numerical value (can be decimal or hex)"
+msgstr "DSCP フィールドの数値を設定する (10 進または 16 進)。"
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1882
+#, fuzzy, no-wrap
+#| msgid "B<--set-dscp-class >I<class>"
+msgid "B<--set-dscp-class> I<class>"
+msgstr "B<--set-dscp-class >I<class>"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1885
+msgid "Set the DSCP field to a DiffServ class."
+msgstr "DSCP フィールドの DiffServ クラスを設定する。"
+
+#. type: SS
+#: original/man8/iptables-extensions.8:1885
+#, no-wrap
+msgid "ECN (IPv4-specific)"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1888
+msgid ""
+"This target allows to selectively work around known ECN blackholes. It can "
+"only be used in the mangle table."
+msgstr ""
+"このターゲットは ECN ブラックホール問題への対処を可能にする。 mangle テーブル"
+"でのみ使用できる。"
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1888
+#, no-wrap
+msgid "B<--ecn-tcp-remove>"
+msgstr "B<--ecn-tcp-remove>"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1893
+msgid ""
+"Remove all ECN bits from the TCP header. Of course, it can only be used in "
+"conjunction with B<-p tcp>."
+msgstr ""
+"TCP ヘッダーから全ての ECN ビット (訳注: ECE/CWR フラグ) を取り除く。 当然、 "
+"B<-p tcp> オプションとの組合わせでのみ使用できる。"
+
+#. type: SS
+#: original/man8/iptables-extensions.8:1893
+#, no-wrap
+msgid "HL (IPv6-specific)"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1900
+msgid ""
+"This is used to modify the Hop Limit field in IPv6 header. The Hop Limit "
+"field is similar to what is known as TTL value in IPv4. Setting or "
+"incrementing the Hop Limit field can potentially be very dangerous, so it "
+"should be avoided at any cost. This target is only valid in B<mangle> table."
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1902
+#: original/man8/iptables-extensions.8:2613
+msgid ""
+"B<Don't ever set or increment the value on packets that leave your local "
+"network!>"
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1902
+#, fuzzy, no-wrap
+#| msgid "B<--set-mss >I<value>"
+msgid "B<--hl-set> I<value>"
+msgstr "B<--set-mss >I<value>"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1905
+msgid "Set the Hop Limit to `value'."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1905
+#, fuzzy, no-wrap
+#| msgid "B<--dscp >I<value>"
+msgid "B<--hl-dec> I<value>"
+msgstr "B<--dscp >I<value>"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1908
+msgid "Decrement the Hop Limit `value' times."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1908
+#, fuzzy, no-wrap
+#| msgid "B<--dscp >I<value>"
+msgid "B<--hl-inc> I<value>"
+msgstr "B<--dscp >I<value>"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1911
+msgid "Increment the Hop Limit `value' times."
+msgstr ""
+
+#. type: SS
+#: original/man8/iptables-extensions.8:1911
+#, fuzzy, no-wrap
+#| msgid "MARK"
+msgid "HMARK"
+msgstr "MARK"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1916
+msgid ""
+"Like MARK, i.e. set the fwmark, but the mark is calculated from hashing "
+"packet selector at choice. You have also to specify the mark range and, "
+"optionally, the offset to start from. ICMP error messages are inspected and "
+"used to calculate the hashing."
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1918
+msgid "Existing options are:"
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1918
+#, no-wrap
+msgid "B<--hmark-tuple> tuple"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1933
+msgid ""
+"Possible tuple members are: B<src> meaning source address (IPv4, IPv6 "
+"address), B<dst> meaning destination address (IPv4, IPv6 address), B<sport> "
+"meaning source port (TCP, UDP, UDPlite, SCTP, DCCP), B<dport> meaning "
+"destination port (TCP, UDP, UDPlite, SCTP, DCCP), B<spi> meaning Security "
+"Parameter Index (AH, ESP), and B<ct> meaning the usage of the conntrack "
+"tuple instead of the packet selectors."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1933
+#, no-wrap
+msgid "B<--hmark-mod> I<value (must be E<gt> 0)>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1936
+msgid "Modulus for hash calculation (to limit the range of possible marks)"
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1936
+#, fuzzy, no-wrap
+#| msgid "B<--set-mss >I<value>"
+msgid "B<--hmark-offset> I<value>"
+msgstr "B<--set-mss >I<value>"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1939
+msgid "Offset to start marks from."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1939
+#, no-wrap
+msgid "For advanced usage, instead of using --hmark-tuple, you can specify custom"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1942
+msgid "prefixes and masks:"
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1942
+#, fuzzy, no-wrap
+#| msgid "B<--log-prefix >I<prefix>"
+msgid "B<--hmark-src-prefix> I<cidr>"
+msgstr "B<--log-prefix >I<prefix>"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1945
+msgid "The source address mask in CIDR notation."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1945
+#, fuzzy, no-wrap
+#| msgid "B<--log-prefix >I<prefix>"
+msgid "B<--hmark-dst-prefix> I<cidr>"
+msgstr "B<--log-prefix >I<prefix>"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1948
+msgid "The destination address mask in CIDR notation."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1948
+#, fuzzy, no-wrap
+#| msgid "B<--set-mss >I<value>"
+msgid "B<--hmark-sport-mask> I<value>"
+msgstr "B<--set-mss >I<value>"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1951
+msgid "A 16 bit source port mask in hexadecimal."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1951
+#, fuzzy, no-wrap
+#| msgid "B<--set-mss >I<value>"
+msgid "B<--hmark-dport-mask> I<value>"
+msgstr "B<--set-mss >I<value>"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1954
+msgid "A 16 bit destination port mask in hexadecimal."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1954
+#, fuzzy, no-wrap
+#| msgid "B<--set-mss >I<value>"
+msgid "B<--hmark-spi-mask> I<value>"
+msgstr "B<--set-mss >I<value>"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1957
+msgid "A 32 bit field with spi mask."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1957
+#, fuzzy, no-wrap
+#| msgid "B<--set-mss >I<value>"
+msgid "B<--hmark-proto-mask> I<value>"
+msgstr "B<--set-mss >I<value>"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1960
+msgid "An 8 bit field with layer 4 protocol number."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1960
+#, fuzzy, no-wrap
+#| msgid "B<--dscp >I<value>"
+msgid "B<--hmark-rnd> I<value>"
+msgstr "B<--dscp >I<value>"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1963
+msgid "A 32 bit random custom value to feed hash calculation."
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1965
+msgid "I<Examples:>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1969
+#, no-wrap
+msgid ""
+"iptables -t mangle -A PREROUTING -m conntrack --ctstate NEW\n"
+" -j HMARK --hmark-tuple ct,src,dst,proto --hmark-offset 10000\n"
+"--hmark-mod 10 --hmark-rnd 0xfeedcafe\n"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1972
+msgid ""
+"iptables -t mangle -A PREROUTING -j HMARK --hmark-offset 10000 --hmark-tuple "
+"src,dst,proto --hmark-mod 10 --hmark-rnd 0xdeafbeef"
+msgstr ""
+
+#. type: SS
+#: original/man8/iptables-extensions.8:1972
+#, no-wrap
+msgid "IDLETIMER"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1981
+msgid ""
+"This target can be used to identify when interfaces have been idle for a "
+"certain period of time. Timers are identified by labels and are created "
+"when a rule is set with a new label. The rules also take a timeout value "
+"(in seconds) as an option. If more than one rule uses the same timer label, "
+"the timer will be restarted whenever any of the rules get a hit. One entry "
+"for each timer is created in sysfs. This attribute contains the timer "
+"remaining for the timer to expire. The attributes are located under the "
+"xt_idletimer class:"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1983
+msgid "/sys/class/xt_idletimer/timers/E<lt>labelE<gt>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1986
+msgid ""
+"When the timer expires, the target module sends a sysfs notification to the "
+"userspace, which can then decide what to do (eg. disconnect to save power)."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1986
+#, fuzzy, no-wrap
+#| msgid "B<--limit >I<rate>"
+msgid "B<--timeout> I<amount>"
+msgstr "B<--limit >I<rate>"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1989
+msgid "This is the time in seconds that will trigger the notification."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1989
+#, fuzzy, no-wrap
+#| msgid "B<--helper >I<string>"
+msgid "B<--label> I<string>"
+msgstr "B<--helper >I<string>"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1993
+msgid ""
+"This is a unique identifier for the timer. The maximum length for the label "
+"string is 27 characters."
+msgstr ""
+
+#. type: SS
+#: original/man8/iptables-extensions.8:1993
+#, no-wrap
+msgid "LED"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:1999
+msgid ""
+"This creates an LED-trigger that can then be attached to system indicator "
+"lights, to blink or illuminate them when certain packets pass through the "
+"system. One example might be to light up an LED for a few minutes every time "
+"an SSH connection is made to the local machine. The following options "
+"control the trigger behavior:"
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:1999
+#, fuzzy, no-wrap
+#| msgid "B<--helper >I<string>"
+msgid "B<--led-trigger-id> I<name>"
+msgstr "B<--helper >I<string>"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2003
+msgid ""
+"This is the name given to the LED trigger. The actual name of the trigger "
+"will be prefixed with \"netfilter-\"."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2003
+#, fuzzy, no-wrap
+#| msgid "B<--cmd-owner >I<name>"
+msgid "B<--led-delay> I<ms>"
+msgstr "B<--cmd-owner >I<name>"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2011
+msgid ""
+"This indicates how long (in milliseconds) the LED should be left illuminated "
+"when a packet arrives before being switched off again. The default is 0 "
+"(blink as fast as possible.) The special value I<inf> can be given to leave "
+"the LED on permanently once activated. (In this case the trigger will need "
+"to be manually detached and reattached to the LED device to switch it off "
+"again.)"
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2011
+#, no-wrap
+msgid "B<--led-always-blink>"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2016
+msgid ""
+"Always make the LED blink on packet arrival, even if the LED is already on. "
+"This allows notification of new packets even with long delay values (which "
+"otherwise would result in a silent prolonging of the delay time.)"
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2018
+#, no-wrap
+msgid "Create an LED trigger for incoming SSH traffic:"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2021
+msgid "iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh"
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2021
+#, no-wrap
+msgid "Then attach the new trigger to an LED:"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2024
+msgid "echo netfilter-ssh E<gt>/sys/class/leds/I<ledname>/trigger"
+msgstr ""
+
+#. type: SS
+#: original/man8/iptables-extensions.8:2024
+#, no-wrap
+msgid "LOG (IPv6-specific)"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2036
+msgid ""
+"Turn on kernel logging of matching packets. When this option is set for a "
+"rule, the Linux kernel will print some information on all matching packets "
+"(like most IPv6 IPv6-header fields) via the kernel log (where it can be read "
+"with I<dmesg> or I<syslogd>(8)). This is a \"non-terminating target\", i.e. "
+"rule traversal continues at the next rule. So if you want to LOG the "
+"packets you refuse, use two separate rules with the same matching criteria, "
+"first using target LOG then DROP (or REJECT)."
+msgstr ""
+"マッチしたパケットをカーネルログに記録する。 このオプションがルールに対して設"
+"定されると、 Linux カーネルはマッチしたパケットについての (IPv6 における大部"
+"分の IPv6 ヘッダフィールドのような) 何らかの情報を カーネルログに表示する "
+"(カーネルログは I<dmesg> または I<syslogd>(8) で見ることができる)。 これは"
+"「非終了タ ーゲット」である。 すなわち、ルールの検討は、次のルールへと継続さ"
+"れる。 よって、拒否するパケットをログ記録したければ、 同じマッチング判断基準"
+"を持つ 2 つのルールを使用し、 最初のルールで LOG ターゲットを、 次のルールで "
+"DROP (または REJECT) ターゲットを指定する。"
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2036
+#: original/man8/iptables-extensions.8:2071
+#, fuzzy, no-wrap
+#| msgid "B<--log-level >I<level>"
+msgid "B<--log-level> I<level>"
+msgstr "B<--log-level >I<level>"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2042
+#: original/man8/iptables-extensions.8:2077
+msgid ""
+"Level of logging, which can be (system-specific) numeric or a mnemonic. "
+"Possible values are (in decreasing order of priority): B<emerg>, B<alert>, "
+"B<crit>, B<error>, B<warning>, B<notice>, B<info> or B<debug>."
+msgstr ""
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2042
+#: original/man8/iptables-extensions.8:2077
+#, fuzzy, no-wrap
+#| msgid "B<--log-prefix >I<prefix>"
+msgid "B<--log-prefix> I<prefix>"
+msgstr "B<--log-prefix >I<prefix>"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2046
+#: original/man8/iptables-extensions.8:2081
+msgid ""
+"Prefix log messages with the specified prefix; up to 29 letters long, and "
+"useful for distinguishing messages in the logs."
+msgstr ""
+"指定したプレフィックスをログメッセージの前に付ける。\n"
+"プレフィックスは 29 文字までの長さで、\n"
+"ログの中でメッセージを区別するのに役立つ。"
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2046
+#: original/man8/iptables-extensions.8:2081
+#, no-wrap
+msgid "B<--log-tcp-sequence>"
+msgstr "B<--log-tcp-sequence>"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2050
+#: original/man8/iptables-extensions.8:2085
+msgid ""
+"Log TCP sequence numbers. This is a security risk if the log is readable by "
+"users."
+msgstr ""
+"TCP シーケンス番号をログに記録する。 ログがユーザーから読める場合、セキュリ"
+"ティ上の危険がある。"
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2050
+#: original/man8/iptables-extensions.8:2085
+#, no-wrap
+msgid "B<--log-tcp-options>"
+msgstr "B<--log-tcp-options>"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2053
+#: original/man8/iptables-extensions.8:2088
+msgid "Log options from the TCP packet header."
+msgstr "TCP パケットヘッダのオプションをログに記録する。"
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2053
+#: original/man8/iptables-extensions.8:2088
+#, no-wrap
+msgid "B<--log-ip-options>"
+msgstr "B<--log-ip-options>"
#. type: Plain text
-#: original/man8/iptables.8:50
-msgid "rule-specification = [I<matches...>] [I<target>]"
+#: original/man8/iptables-extensions.8:2056
+msgid "Log options from the IPv6 packet header."
+msgstr "IPv6 パケットヘッダのオプションをログに記録する。"
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2056
+#: original/man8/iptables-extensions.8:2091
+#, fuzzy, no-wrap
+#| msgid "B<--log-ip-options>"
+msgid "B<--log-uid>"
+msgstr "B<--log-ip-options>"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2059
+#: original/man8/iptables-extensions.8:2094
+msgid "Log the userid of the process which generated the packet."
+msgstr ""
+
+#. type: SS
+#: original/man8/iptables-extensions.8:2059
+#, no-wrap
+msgid "LOG (IPv4-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:52
-msgid "match = B<-m> I<matchname> [I<per-match-options>]"
+#: original/man8/iptables-extensions.8:2071
+msgid ""
+"Turn on kernel logging of matching packets. When this option is set for a "
+"rule, the Linux kernel will print some information on all matching packets "
+"(like most IP header fields) via the kernel log (where it can be read with "
+"I<dmesg> or I<syslogd>(8)). This is a \"non-terminating target\", i.e. rule "
+"traversal continues at the next rule. So if you want to LOG the packets you "
+"refuse, use two separate rules with the same matching criteria, first using "
+"target LOG then DROP (or REJECT)."
+msgstr ""
+"マッチしたパケットをカーネルログに記録する。 このオプションがルールに対して設"
+"定されると、 Linux カーネルはマッチしたパケットについての (大部分の IP ヘッ"
+"ダーフィールドのような) 何らかの情報を カーネルログに表示する (カーネルログ"
+"は I<dmesg> または I<syslogd>(8) で見ることができる)。 これは \"非終了ター"
+"ゲット\" である。 すなわち、ルールの検討は、次のルールへと継続される。 よっ"
+"て、拒否するパケットをログ記録したければ、 同じマッチング判断基準を持つ 2 つ"
+"のルールを使用し、 最初のルールで LOG ターゲットを、 次のルールで DROP (また"
+"は REJECT) ターゲットを指定する。"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2091
+msgid "Log options from the IP packet header."
+msgstr "IP パケットヘッダーのオプションをログに記録する。"
+
+#. type: SS
+#: original/man8/iptables-extensions.8:2094
+#, no-wrap
+msgid "MARK"
+msgstr "MARK"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2100
+msgid ""
+"This target is used to set the Netfilter mark value associated with the "
+"packet. It can, for example, be used in conjunction with routing based on "
+"fwmark (needs iproute2). If you plan on doing so, note that the mark needs "
+"to be set in the PREROUTING chain of the mangle table to affect routing. "
+"The mark field is 32 bits wide."
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:54
-msgid "target = B<-j> I<targetname> [I<per-target-options>]"
+#: original/man8/iptables-extensions.8:2104
+msgid ""
+"Zeroes out the bits given by I<mask> and XORs I<value> into the packet mark "
+"(\"nfmark\"). If I<mask> is omitted, 0xFFFFFFFF is assumed."
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:60
+#: original/man8/iptables-extensions.8:2108
+msgid ""
+"Zeroes out the bits given by I<mask> and ORs I<value> into the packet mark. "
+"If I<mask> is omitted, 0xFFFFFFFF is assumed."
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2110
+#: original/man8/iptables-extensions.8:2545
+msgid "The following mnemonics are available:"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2114
+msgid ""
+"Binary AND the nfmark with I<bits>. (Mnemonic for B<--set-xmark 0/"
+">I<invbits>, where I<invbits> is the binary negation of I<bits>.)"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2118
+msgid ""
+"Binary OR the nfmark with I<bits>. (Mnemonic for B<--set-xmark> I<bits>B</"
+">I<bits>.)"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2122
+msgid ""
+"Binary XOR the nfmark with I<bits>. (Mnemonic for B<--set-xmark> "
+"I<bits>B</0>.)"
+msgstr ""
+
+#. type: SS
+#: original/man8/iptables-extensions.8:2122
+#, no-wrap
+msgid "MASQUERADE (IPv6-specific)"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2136
#, fuzzy
#| msgid ""
-#| "B<Iptables> is used to set up, maintain, and inspect the tables of IP "
-#| "packet filter rules in the Linux kernel. Several different tables may be "
-#| "defined. Each table contains a number of built-in chains and may also "
-#| "contain user-defined chains."
+#| "This target is only valid in the B<nat> table, in the B<POSTROUTING> "
+#| "chain. It should only be used with dynamically assigned IP (dialup) "
+#| "connections: if you have a static IP address, you should use the SNAT "
+#| "target. Masquerading is equivalent to specifying a mapping to the IP "
+#| "address of the interface the packet is going out, but also has the effect "
+#| "that connections are I<forgotten> when the interface goes down. This is "
+#| "the correct behavior when the next dialup is unlikely to have the same "
+#| "interface address (and hence any established connections are lost "
+#| "anyway). It takes one option:"
msgid ""
-"B<Iptables> is used to set up, maintain, and inspect the tables of IPv4 "
-"packet filter rules in the Linux kernel. Several different tables may be "
-"defined. Each table contains a number of built-in chains and may also "
-"contain user-defined chains."
+"This target is only valid in the B<nat> table, in the B<POSTROUTING> chain. "
+"It should only be used with dynamically assigned IPv6 (dialup) connections: "
+"if you have a static IP address, you should use the SNAT target. "
+"Masquerading is equivalent to specifying a mapping to the IP address of the "
+"interface the packet is going out, but also has the effect that connections "
+"are I<forgotten> when the interface goes down. This is the correct behavior "
+"when the next dialup is unlikely to have the same interface address (and "
+"hence any established connections are lost anyway)."
msgstr ""
-"B<iptables> は Linux カーネルの IP パケットフィルタルールのテーブルを 設定・"
-"管理・検査するために使われる。 複数の異なるテーブルを定義できる。 各テーブル"
-"にはたくさんの組み込み済みチェインが含まれており、 さらにユーザー定義のチェイ"
-"ンを加えることもできる。"
+"このターゲットは B<nat> テーブルの B<POSTROUTING> チェインのみで有効である。 "
+"動的割り当て IP (ダイヤルアップ) 接続の場合にのみ使うべきである。 固定 IP ア"
+"ドレスならば、SNAT ターゲットを使うべきである。 マスカレーディングは、パケッ"
+"トが送信されるインターフェースの IP アドレスへのマッピングを指定するのと同じ"
+"であるが、 インターフェースが停止した場合に接続をI<忘れる>という効果がある。 "
+"次のダイヤルアップでは同じインターフェースアドレスになる可能性が低い (そのた"
+"め、前回確立された接続は失われる) 場合、 この動作は正しい。 このターゲットに"
+"はオプションが 1 つある。"
#. type: TP
-#: original/man8/iptables.8:107
-#, no-wrap
-msgid "B<nat>:"
-msgstr "B<nat>:"
+#: original/man8/iptables-extensions.8:2136
+#: original/man8/iptables-extensions.8:2167
+#: original/man8/iptables-extensions.8:2291
+#, fuzzy, no-wrap
+#| msgid "B<--to-ports >I<port>[-I<port>]"
+msgid "B<--to-ports> I<port>[B<->I<port>]"
+msgstr "B<--to-ports >I<port>[-I<port>]"
#. type: Plain text
-#: original/man8/iptables.8:114
+#: original/man8/iptables-extensions.8:2145
+#: original/man8/iptables-extensions.8:2176
msgid ""
-"This table is consulted when a packet that creates a new connection is "
-"encountered. It consists of three built-ins: B<PREROUTING> (for altering "
-"packets as soon as they come in), B<OUTPUT> (for altering locally-generated "
-"packets before routing), and B<POSTROUTING> (for altering packets as they "
-"are about to go out)."
+"This specifies a range of source ports to use, overriding the default "
+"B<SNAT> source port-selection heuristics (see above). This is only valid if "
+"the rule also specifies B<-p tcp> or B<-p udp>."
msgstr ""
-"このテーブルは新しい接続を開くようなパケットに対して参照される。 これには "
-"B<PREROUTING> (パケットが入ってきた場合、すぐにそのパケットを変換するための"
-"チェイン)・ B<OUTPUT> (ローカルで生成されたパケットをルーティングの前に変換す"
-"るためのチェイン)・ B<POSTROUTING> (パケットが出て行くときに変換するための"
-"チェイン) という 3 つの組み込み済みチェインが含まれる。"
+"このオプションは、使用する送信元ポートの範囲を指定し、 デフォルトの B<SNAT> "
+"送信元ポートの選択方法 (上記) よりも優先される。 ルールが B<-p tcp> または "
+"B<-p udp> を指定している場合にのみ有効である。"
#. type: Plain text
-#: original/man8/iptables.8:147
+#: original/man8/iptables-extensions.8:2151
msgid ""
-"The options that are recognized by B<iptables> can be divided into several "
-"different groups."
-msgstr "B<iptables> で使えるオプションは、いくつかのグループに分けられる。"
+"Randomize source port mapping If option B<--random> is used then port "
+"mapping will be randomized."
+msgstr ""
+
+#. type: SS
+#: original/man8/iptables-extensions.8:2153
+#, no-wrap
+msgid "MASQUERADE (IPv4-specific)"
+msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:153
+#: original/man8/iptables-extensions.8:2167
#, fuzzy
#| msgid ""
-#| "These options specify the specific action to perform. Only one of them "
-#| "can be specified on the command line unless otherwise specified below. "
-#| "For all the long versions of the command and option names, you need to "
-#| "use only enough letters to ensure that B<iptables> can differentiate it "
-#| "from all other options."
+#| "This target is only valid in the B<nat> table, in the B<POSTROUTING> "
+#| "chain. It should only be used with dynamically assigned IP (dialup) "
+#| "connections: if you have a static IP address, you should use the SNAT "
+#| "target. Masquerading is equivalent to specifying a mapping to the IP "
+#| "address of the interface the packet is going out, but also has the effect "
+#| "that connections are I<forgotten> when the interface goes down. This is "
+#| "the correct behavior when the next dialup is unlikely to have the same "
+#| "interface address (and hence any established connections are lost "
+#| "anyway). It takes one option:"
msgid ""
-"These options specify the desired action to perform. Only one of them can be "
-"specified on the command line unless otherwise stated below. For long "
-"versions of the command and option names, you need to use only enough "
-"letters to ensure that B<iptables> can differentiate it from all other "
-"options."
+"This target is only valid in the B<nat> table, in the B<POSTROUTING> chain. "
+"It should only be used with dynamically assigned IP (dialup) connections: "
+"if you have a static IP address, you should use the SNAT target. "
+"Masquerading is equivalent to specifying a mapping to the IP address of the "
+"interface the packet is going out, but also has the effect that connections "
+"are I<forgotten> when the interface goes down. This is the correct behavior "
+"when the next dialup is unlikely to have the same interface address (and "
+"hence any established connections are lost anyway)."
msgstr ""
-"これらのオプションは、実行する特定の動作を指定する。 以下の説明で注記されてい"
-"ない限り、 コマンドラインで指定できるのはこの中の 1 つだけである。 長いバー"
-"ジョンのコマンド名とオプション名は、 B<iptables> が他のコマンド名やオプション"
-"名と区別できる範囲で (文字を省略して) 指定することもできる。"
+"このターゲットは B<nat> テーブルの B<POSTROUTING> チェインのみで有効である。 "
+"動的割り当て IP (ダイヤルアップ) 接続の場合にのみ使うべきである。 固定 IP ア"
+"ドレスならば、SNAT ターゲットを使うべきである。 マスカレーディングは、パケッ"
+"トが送信されるインターフェースの IP アドレスへのマッピングを指定するのと同じ"
+"であるが、 インターフェースが停止した場合に接続をI<忘れる>という効果がある。 "
+"次のダイヤルアップでは同じインターフェースアドレスになる可能性が低い (そのた"
+"め、前回確立された接続は失われる) 場合、 この動作は正しい。 このターゲットに"
+"はオプションが 1 つある。"
#. type: Plain text
-#: original/man8/iptables.8:188
+#: original/man8/iptables-extensions.8:2182
+msgid ""
+"Randomize source port mapping If option B<--random> is used then port "
+"mapping will be randomized (kernel E<gt>= 2.6.21)."
+msgstr ""
+
+#. type: SS
+#: original/man8/iptables-extensions.8:2184
+#, no-wrap
+msgid "MIRROR (IPv4-specific)"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2197
+msgid ""
+"This is an experimental demonstration target which inverts the source and "
+"destination fields in the IP header and retransmits the packet. It is only "
+"valid in the B<INPUT>, B<FORWARD> and B<PREROUTING> chains, and user-defined "
+"chains which are only called from those chains. Note that the outgoing "
+"packets are B<NOT> seen by any packet filtering chains, connection tracking "
+"or NAT, to avoid loops and other problems."
+msgstr ""
+"実験的なデモンストレーション用のターゲットであり、 IP ヘッダーの送信元と送信"
+"先フィールドを入れ換え、 パケットを再送信するものである。 これは B<INPUT>, "
+"B<FORWARD>, B<PREROUTING> チェインと、これらのチェインから呼び出される ユー"
+"ザー定義チェインだけで有効である。 ループ等の問題を回避するため、外部に送られ"
+"るパケットは いかなるパケットフィルタリングチェイン・接続追跡・NAT からも 監"
+"視B<されない>。"
+
+#. type: SS
+#: original/man8/iptables-extensions.8:2197
+#, no-wrap
+msgid "NETMAP (IPv4-specific)"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2202
#, fuzzy
#| msgid ""
-#| "List all rules in the selected chain. If no chain is selected, all "
-#| "chains are listed. As every other iptables command, it applies to the "
-#| "specified table (filter is the default), so NAT rules get listed by"
+#| "This target allows to selectively work around known ECN blackholes. It "
+#| "can only be used in the mangle table."
msgid ""
-"List all rules in the selected chain. If no chain is selected, all chains "
-"are listed. Like every other iptables command, it applies to the specified "
-"table (filter is the default), so NAT rules get listed by"
+"This target allows you to statically map a whole network of addresses onto "
+"another network of addresses. It can only be used from rules in the B<nat> "
+"table."
msgstr ""
-"選択されたチェインにある全てのルールを一覧表示する。 チェインが指定されない場"
-"合、全てのチェインにあるリストが一覧表示される。 他の各 iptables コマンドと同"
-"様に、指定されたテーブル (デフォルトは filter) に対して作用する。 よって NAT "
-"ルールを表示するには以下のようにする。"
+"このターゲットは ECN ブラックホール問題への対処を可能にする。 mangle テーブル"
+"でのみ使用できる。"
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2202
+#, fuzzy, no-wrap
+#| msgid "B<-s, --source >[!] I<address>[/I<mask>]"
+msgid "B<--to> I<address>[B</>I<mask>]"
+msgstr "B<-s, --source >[!] I<address>[/I<mask>]"
#. type: Plain text
-#: original/man8/iptables.8:190
-#, no-wrap
-msgid " iptables -t nat -n -L\n"
-msgstr " iptables -t nat -n -L\n"
+#: original/man8/iptables-extensions.8:2207
+msgid ""
+"Network address to map to. The resulting address will be constructed in the "
+"following way: All 'one' bits in the mask are filled in from the new "
+"`address'. All bits that are zero in the mask are filled in from the "
+"original address."
+msgstr ""
-#. type: Plain text
-#: original/man8/iptables.8:199
+#. type: SS
+#: original/man8/iptables-extensions.8:2207
#, no-wrap
-msgid " iptables -L -v\n"
-msgstr " iptables -L -v\n"
+msgid "NFLOG"
+msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:205
+#: original/man8/iptables-extensions.8:2217
#, fuzzy
#| msgid ""
-#| "List all rules in the selected chain. If no chain is selected, all "
-#| "chains are listed. As every other iptables command, it applies to the "
-#| "specified table (filter is the default), so NAT rules get listed by"
+#| "This target provides userspace logging of matching packets. When this "
+#| "target is set for a rule, the Linux kernel will multicast this packet "
+#| "through a I<netlink> socket. One or more userspace processes may then "
+#| "subscribe to various multicast groups and receive the packets. Like LOG, "
+#| "this is a \"non-terminating target\", i.e. rule traversal continues at "
+#| "the next rule."
msgid ""
-"Print all rules in the selected chain. If no chain is selected, all chains "
-"are printed like iptables-save. Like every other iptables command, it "
-"applies to the specified table (filter is the default)."
+"This target provides logging of matching packets. When this target is set "
+"for a rule, the Linux kernel will pass the packet to the loaded logging "
+"backend to log the packet. This is usually used in combination with "
+"nfnetlink_log as logging backend, which will multicast the packet through a "
+"I<netlink> socket to the specified multicast group. One or more userspace "
+"processes may subscribe to the group to receive the packets. Like LOG, this "
+"is a non-terminating target, i.e. rule traversal continues at the next rule."
msgstr ""
-"選択されたチェインにある全てのルールを一覧表示する。 チェインが指定されない場"
-"合、全てのチェインにあるリストが一覧表示される。 他の各 iptables コマンドと同"
-"様に、指定されたテーブル (デフォルトは filter) に対して作用する。 よって NAT "
-"ルールを表示するには以下のようにする。"
+"このターゲットは、マッチしたパケットを ユーザー空間でログ記録する機能を提供す"
+"る。 このターゲットがルールに設定されると、 Linux カーネルは、そのパケットを "
+"I<netlink> ソケットを用いてマルチキャストする。 そして、1 つ以上のユーザー空"
+"間プロセスが いろいろなマルチキャストグループに登録をおこない、 パケットを受"
+"信する。 LOG と同様、これは \"非終了ターゲット\" であり、 ルールの検討は次の"
+"ルールへと継続される。"
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2217
+#, fuzzy, no-wrap
+#| msgid "B<--ulog-nlgroup >I<nlgroup>"
+msgid "B<--nflog-group> I<nlgroup>"
+msgstr "B<--ulog-nlgroup >I<nlgroup>"
#. type: Plain text
-#: original/man8/iptables.8:256
+#: original/man8/iptables-extensions.8:2221
#, fuzzy
#| msgid ""
-#| "The protocol of the rule or of the packet to check. The specified "
-#| "protocol can be one of I<tcp>, I<udp>, I<icmp>, or I<all>, or it can be a "
-#| "numeric value, representing one of these protocols or a different one. A "
-#| "protocol name from /etc/protocols is also allowed. A \"!\" argument "
-#| "before the protocol inverts the test. The number zero is equivalent to "
-#| "I<all>. Protocol I<all> will match with all protocols and is taken as "
-#| "default when this option is omitted."
+#| "This specifies the netlink group (1-32) to which the packet is sent. "
+#| "Default value is 1."
msgid ""
-"The protocol of the rule or of the packet to check. The specified protocol "
-"can be one of B<tcp>, B<udp>, B<udplite>, B<icmp>, B<esp>, B<ah>, B<sctp> or "
-"the special keyword \"B<all>\", or it can be a numeric value, representing "
-"one of these protocols or a different one. A protocol name from /etc/"
-"protocols is also allowed. A \"!\" argument before the protocol inverts the "
-"test. The number zero is equivalent to B<all>. \"B<all>\" will match with "
-"all protocols and is taken as default when this option is omitted."
+"The netlink group (0 - 2^16-1) to which packets are (only applicable for "
+"nfnetlink_log). The default value is 0."
msgstr ""
-"ルールで使われるプロトコル、またはチェックされるパケットのプロトコル。 指定で"
-"きるプロトコルは、 I<tcp>, I<udp>, I<icmp>, I<all> のいずれか 1 つか、数値で"
-"ある。 数値には、これらのプロトコルのどれかないし別のプロトコルを表す 数値を"
-"指定することができる。 /etc/protocols にあるプロトコル名も指定できる。 プロト"
-"コルの前に \"!\" を置くと、そのプロトコルを除外するという意味になる。 数値 0 "
-"は I<all> と等しい。 プロトコル I<all> は全てのプロトコルとマッチし、 このオ"
-"プションが省略された際のデフォルトである。"
+"パケットを送信する netlink グループ (1-32) を指定する。 デフォルトの値は 1 で"
+"ある。"
#. type: TP
-#: original/man8/iptables.8:256
+#: original/man8/iptables-extensions.8:2221
#, fuzzy, no-wrap
-#| msgid "B<-s, --source >[!] I<address>[/I<mask>]"
-msgid "[B<!>] B<-s>, B<--source> I<address>[B</>I<mask>][B<,>I<...>]"
-msgstr "B<-s, --source >[!] I<address>[/I<mask>]"
+#| msgid "B<--log-prefix >I<prefix>"
+msgid "B<--nflog-prefix> I<prefix>"
+msgstr "B<--log-prefix >I<prefix>"
#. type: Plain text
-#: original/man8/iptables.8:273
+#: original/man8/iptables-extensions.8:2225
#, fuzzy
#| msgid ""
-#| "Source specification. I<Address> can be either a network name, a "
-#| "hostname (please note that specifying any name to be resolved with a "
-#| "remote query such as DNS is a really bad idea), a network IP address "
-#| "(with /mask), or a plain IP address. The I<mask> can be either a network "
-#| "mask or a plain number, specifying the number of 1's at the left side of "
-#| "the network mask. Thus, a mask of I<24> is equivalent to "
-#| "I<255.255.255.0>. A \"!\" argument before the address specification "
-#| "inverts the sense of the address. The flag B<--src> is an alias for this "
-#| "option."
+#| "Prefix log messages with the specified prefix; up to 32 characters long, "
+#| "and useful for distinguishing messages in the logs."
msgid ""
-"Source specification. I<Address> can be either a network name, a hostname, a "
-"network IP address (with B</>I<mask>), or a plain IP address. Hostnames will "
-"be resolved once only, before the rule is submitted to the kernel. Please "
-"note that specifying any name to be resolved with a remote query such as DNS "
-"is a really bad idea. The I<mask> can be either a network mask or a plain "
-"number, specifying the number of 1's at the left side of the network mask. "
-"Thus, a mask of I<24> is equivalent to I<255.255.255.0>. A \"!\" argument "
-"before the address specification inverts the sense of the address. The flag "
-"B<--src> is an alias for this option. Multiple addresses can be specified, "
-"but this will B<expand to multiple rules> (when adding with -A), or will "
-"cause multiple rules to be deleted (with -D)."
+"A prefix string to include in the log message, up to 64 characters long, "
+"useful for distinguishing messages in the logs."
msgstr ""
-"送信元の指定。 I<address> はホスト名 (DNS のようなリモートへの問い合わせで解"
-"決する名前を指定するのは非常に良くない) ・ネットワーク IP アドレス (/mask を"
-"指定する)・ 通常の IP アドレス、のいずれかである。 I<mask> はネットワークマス"
-"クか、 ネットワークマスクの左側にある 1 の数を指定する数値である。 つまり、 "
-"I<24> という mask は I<255.255.255.0> に等しい。 アドレス指定の前に \"!\" を"
-"置くと、そのアドレスを除外するという意味になる。 フラグ B<--src> は、このオプ"
-"ションの別名である。"
+"指定したプレフィックスをログメッセージの前に付ける。 32 文字までの指定でき"
+"る。 ログの中でメッセージを区別するのに便利である。"
#. type: TP
-#: original/man8/iptables.8:273
+#: original/man8/iptables-extensions.8:2225
#, fuzzy, no-wrap
-#| msgid "B<-d, --destination >[!] I<address>[/I<mask>]"
-msgid "[B<!>] B<-d>, B<--destination> I<address>[B</>I<mask>][B<,>I<...>]"
-msgstr "B<-d, --destination >[!] I<address>[/I<mask>]"
+#| msgid "B<--ulog-cprange >I<size>"
+msgid "B<--nflog-range> I<size>"
+msgstr "B<--ulog-cprange >I<size>"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2230
+msgid ""
+"The number of bytes to be copied to userspace (only applicable for "
+"nfnetlink_log). nfnetlink_log instances may specify their own range, this "
+"option overrides it."
+msgstr ""
#. type: TP
-#: original/man8/iptables.8:312
+#: original/man8/iptables-extensions.8:2230
#, fuzzy, no-wrap
-#| msgid "B<[!] -f, --fragment>"
-msgid "[B<!>] B<-f>, B<--fragment>"
-msgstr "B<[!] -f, --fragment>"
+#| msgid "B<--ulog-qthreshold >I<size>"
+msgid "B<--nflog-threshold> I<size>"
+msgstr "B<--ulog-qthreshold >I<size>"
#. type: Plain text
-#: original/man8/iptables.8:320
+#: original/man8/iptables-extensions.8:2237
msgid ""
-"This means that the rule only refers to second and further fragments of "
-"fragmented packets. Since there is no way to tell the source or destination "
-"ports of such a packet (or ICMP type), such a packet will not match any "
-"rules which specify them. When the \"!\" argument precedes the \"-f\" flag, "
-"the rule will only match head fragments, or unfragmented packets."
+"Number of packets to queue inside the kernel before sending them to "
+"userspace (only applicable for nfnetlink_log). Higher values result in less "
+"overhead per packet, but increase delay until the packets reach userspace. "
+"The default value is 1."
+msgstr ""
+
+#. type: SS
+#: original/man8/iptables-extensions.8:2237
+#, no-wrap
+msgid "NFQUEUE"
msgstr ""
-"このオプションは、分割されたパケット (fragmented packet) のうち 2 番目以降の"
-"パケットだけを参照するルールであることを意味する。 このようなパケット (また"
-"は ICMP タイプのパケット) は 送信元・送信先ポートを知る方法がないので、 送信"
-"元や送信先を指定するようなルールにはマッチしない。 \"-f\" フラグの前に \"!\" "
-"を置くと、 分割されたパケットのうち最初のものか、 分割されていないパケットだ"
-"けにマッチする。"
#. type: Plain text
-#: original/man8/iptables.8:368
-#, fuzzy
-#| msgid ""
-#| "iptables can use extended packet matching modules. These are loaded in "
-#| "two ways: implicitly, when B<-p> or B<--protocol> is specified, or with "
-#| "the B<-m> or B<--match> options, followed by the matching module name; "
-#| "after these, various extra command line options become available, "
-#| "depending on the specific module. You can specify multiple extended "
-#| "match modules in one line, and you can use the B<-h> or B<--help> options "
-#| "after the module has been specified to receive help specific to that "
-#| "module."
+#: original/man8/iptables-extensions.8:2247
msgid ""
-"iptables can use extended packet matching modules with the B<-m> or B<--"
-"match> options, followed by the matching module name; after these, various "
-"extra command line options become available, depending on the specific "
-"module. You can specify multiple extended match modules in one line, and "
-"you can use the B<-h> or B<--help> options after the module has been "
-"specified to receive help specific to that module."
+"This target is an extension of the QUEUE target. As opposed to QUEUE, it "
+"allows you to put a packet into any specific queue, identified by its 16-bit "
+"queue number. It can only be used with Kernel versions 2.6.14 or later, "
+"since it requires the B<nfnetlink_queue> kernel support. The B<queue-"
+"balance> option was added in Linux 2.6.31, B<queue-bypass> in 2.6.39."
msgstr ""
-"iptables は拡張されたパケットマッチングモジュールを使うことができる。 これら"
-"のモジュールは 2 種類の方法でロードされる: モジュールは、 B<-p> または B<--"
-"protocol> で暗黙のうちに指定されるか、 B<-m> または B<--match> の後にモジュー"
-"ル名を続けて指定される。 これらのモジュールの後ろには、モジュールに応じて 他"
-"のいろいろなコマンドラインオプションを指定することができる。 複数の拡張マッチ"
-"ングモジュールを一行で指定することができる。 また、モジュールに特有のヘルプを"
-"表示させるためには、 モジュールを指定した後で B<-h> または B<--help> を指定す"
-"ればよい。"
-#. @MATCH@
+#. type: TP
+#: original/man8/iptables-extensions.8:2247
+#, fuzzy, no-wrap
+#| msgid "B<--set-mss >I<value>"
+msgid "B<--queue-num> I<value>"
+msgstr "B<--set-mss >I<value>"
+
#. type: Plain text
-#: original/man8/iptables.8:373
+#: original/man8/iptables-extensions.8:2250
msgid ""
-"If the B<-p> or B<--protocol> was specified and if and only if an unknown "
-"option is encountered, iptables will try load a match module of the same "
-"name as the protocol, to try making the option available."
+"This specifies the QUEUE number to use. Valid queue numbers are 0 to 65535. "
+"The default value is 0."
msgstr ""
+#. type: TP
+#: original/man8/iptables-extensions.8:2251
+#, fuzzy, no-wrap
+#| msgid "B<--mss >I<value>[:I<value>]"
+msgid "B<--queue-balance> I<value>B<:>I<value>"
+msgstr "B<--mss >I<value>[:I<value>]"
+
#. type: Plain text
-#: original/man8/iptables.8:445
-#, fuzzy
-#| msgid "This module matches the SPIs in AH header of IPSec packets."
-msgid "This module matches the SPIs in Authentication header of IPsec packets."
-msgstr "このモジュールは IPSec パケットの AH ヘッダーの SPI 値にマッチする。"
+#: original/man8/iptables-extensions.8:2257
+msgid ""
+"This specifies a range of queues to use. Packets are then balanced across "
+"the given queues. This is useful for multicore systems: start multiple "
+"instances of the userspace program on queues x, x+1, .. x+n and use \"--"
+"queue-balance I<x>B<:>I<x+n>\". Packets belonging to the same connection "
+"are put into the same nfqueue."
+msgstr ""
-#. type: SS
-#: original/man8/iptables.8:825
+#. type: TP
+#: original/man8/iptables-extensions.8:2258
#, no-wrap
-msgid "icmp"
-msgstr "icmp"
+msgid "B<--queue-bypass>"
+msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:828
-#, fuzzy
-#| msgid ""
-#| "This extension is loaded if `--protocol icmp' is specified. It provides "
-#| "the following option:"
+#: original/man8/iptables-extensions.8:2263
msgid ""
-"This extension can be used if `--protocol icmp' is specified. It provides "
-"the following option:"
+"By default, if no userspace program is listening on an NFQUEUE, then all "
+"packets that are to be queued are dropped. When this option is used, the "
+"NFQUEUE rule is silently bypassed instead. The packet will move on to the "
+"next rule."
msgstr ""
-"この拡張は `--protocol icmp' が指定された場合にロードされ、 以下のオプション"
-"が提供される:"
-#. type: TP
-#: original/man8/iptables.8:828
-#, fuzzy, no-wrap
-#| msgid "B<--icmp-type >[!] I<typename>"
-msgid "[B<!>] B<--icmp-type> {I<type>[B</>I<code>]|I<typename>}"
-msgstr "B<--icmp-type >[!] I<typename>"
+#. type: SS
+#: original/man8/iptables-extensions.8:2263
+#, no-wrap
+msgid "NOTRACK"
+msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:832
-#, fuzzy
-#| msgid ""
-#| "This allows specification of the ICMP type, which can be a numeric ICMP "
-#| "type, or one of the ICMP type names shown by the command"
+#: original/man8/iptables-extensions.8:2267
msgid ""
-"This allows specification of the ICMP type, which can be a numeric ICMP "
-"type, type/code pair, or one of the ICMP type names shown by the command"
+"This target disables connection tracking for all packets matching that "
+"rule. It is obsoleted by -j CT --notrack. Like CT, NOTRACK can only be used "
+"in the B<raw> table."
msgstr ""
-"ICMP タイプを指定できる。タイプ指定には、 数値の ICMP タイプ、または以下のコ"
-"マンド で表示される ICMP タイプ名を指定できる。"
-#. type: Plain text
-#: original/man8/iptables.8:834
+#. type: SS
+#: original/man8/iptables-extensions.8:2267
#, no-wrap
-msgid " iptables -p icmp -h\n"
-msgstr " iptables -p icmp -h\n"
+msgid "RATEEST"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2270
+msgid ""
+"The RATEEST target collects statistics, performs rate estimation calculation "
+"and saves the results for later evaluation using the B<rateest> match."
+msgstr ""
-#. type: SS
-#: original/man8/iptables.8:969
+#. type: TP
+#: original/man8/iptables-extensions.8:2270
#, fuzzy, no-wrap
-#| msgid "tos"
-msgid "osf"
-msgstr "tos"
+#| msgid "B<--ctstate >I<state>"
+msgid "B<--rateest-name> I<name>"
+msgstr "B<--ctstate >I<state>"
#. type: Plain text
-#: original/man8/iptables.8:973
+#: original/man8/iptables-extensions.8:2274
msgid ""
-"The osf module does passive operating system fingerprinting. This modules "
-"compares some data (Window Size, MSS, options and their order, TTL, DF, and "
-"others) from packets with the SYN bit set."
+"Count matched packets into the pool referred to by I<name>, which is freely "
+"choosable."
msgstr ""
#. type: TP
-#: original/man8/iptables.8:973
-#, fuzzy, no-wrap
-#| msgid "B<--helper >I<string>"
-msgid "[B<!>] B<--genre> I<string>"
-msgstr "B<--helper >I<string>"
+#: original/man8/iptables-extensions.8:2274
+#, no-wrap
+msgid "B<--rateest-interval> I<amount>{B<s>|B<ms>|B<us>}"
+msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:976
-msgid "Match an operating system genre by using a passive fingerprinting."
+#: original/man8/iptables-extensions.8:2277
+msgid "Rate measurement interval, in seconds, milliseconds or microseconds."
msgstr ""
#. type: TP
-#: original/man8/iptables.8:976
+#: original/man8/iptables-extensions.8:2277
#, fuzzy, no-wrap
-#| msgid "B<--ttl >I<ttl>"
-msgid "B<--ttl> I<level>"
-msgstr "B<--ttl >I<ttl>"
+#| msgid "B<--set-mss >I<value>"
+msgid "B<--rateest-ewmalog> I<value>"
+msgstr "B<--set-mss >I<value>"
#. type: Plain text
-#: original/man8/iptables.8:980
-msgid ""
-"Do additional TTL checks on the packet to determine the operating system. "
-"I<level> can be one of the following values:"
+#: original/man8/iptables-extensions.8:2280
+msgid "Rate measurement averaging time constant."
+msgstr ""
+
+#. type: SS
+#: original/man8/iptables-extensions.8:2280
+#, no-wrap
+msgid "REDIRECT (IPv4-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:983
+#: original/man8/iptables-extensions.8:2291
+#, fuzzy
+#| msgid ""
+#| "This target is only valid in the B<nat> table, in the B<PREROUTING> and "
+#| "B<OUTPUT> chains, and user-defined chains which are only called from "
+#| "those chains. It alters the destination IP address to send the packet to "
+#| "the machine itself (locally-generated packets are mapped to the 127.0.0.1 "
+#| "address). It takes one option:"
msgid ""
-"0 - True IP address and fingerprint TTL comparison. This generally works for "
-"LANs."
+"This target is only valid in the B<nat> table, in the B<PREROUTING> and "
+"B<OUTPUT> chains, and user-defined chains which are only called from those "
+"chains. It redirects the packet to the machine itself by changing the "
+"destination IP to the primary address of the incoming interface (locally-"
+"generated packets are mapped to the 127.0.0.1 address)."
msgstr ""
+"このターゲットは、 B<nat> テーブル内の B<PREROUTING> チェイン及び B<OUTPUT> "
+"チェイン、そしてこれらチェインから呼び出される ユーザー定義チェインでのみ有効"
+"である。 このターゲットはパケットの送信先 IP アドレスを マシン自身の IP アド"
+"レスに変換する。 (ローカルで生成されたパケットは、アドレス 127.0.0.1 にマップ"
+"される)。 このターゲットにはオプションが 1 つある:"
#. type: Plain text
-#: original/man8/iptables.8:986
+#: original/man8/iptables-extensions.8:2299
msgid ""
-"1 - Check if the IP header's TTL is less than the fingerprint one. Works for "
-"globally-routable addresses."
+"This specifies a destination port or range of ports to use: without this, "
+"the destination port is never altered. This is only valid if the rule also "
+"specifies B<-p tcp> or B<-p udp>."
+msgstr ""
+"このオプションは使用される送信先ポート・ポート範囲・複数ポートを指定する。 こ"
+"のオプションが指定されない場合、送信先ポートは変更されない。 ルールが B<-p "
+"tcp> または B<-p udp> を指定している場合にのみ有効である。"
+
+#. type: SS
+#: original/man8/iptables-extensions.8:2306
+#, no-wrap
+msgid "REJECT (IPv6-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:988
-msgid "2 - Do not compare the TTL at all."
+#: original/man8/iptables-extensions.8:2319
+#: original/man8/iptables-extensions.8:2353
+msgid ""
+"This is used to send back an error packet in response to the matched packet: "
+"otherwise it is equivalent to B<DROP> so it is a terminating TARGET, ending "
+"rule traversal. This target is only valid in the B<INPUT>, B<FORWARD> and "
+"B<OUTPUT> chains, and user-defined chains which are only called from those "
+"chains. The following option controls the nature of the error packet "
+"returned:"
msgstr ""
+"マッチしたパケットの応答としてエラーパケットを送信するために使われる。\n"
+"エラーパケットを送らなければ、 B<DROP> と同じであり、TARGET を終了し、\n"
+"ルールの検討を終了する。 このターゲットは、 B<INPUT>, B<FORWARD>,\n"
+"B<OUTPUT> チェインと、これらのチェインから呼ばれる ユーザー定義チェイン\n"
+"だけで有効である。以下のオプションは、返されるエラーパケットの特性を\n"
+"制御する。"
#. type: TP
-#: original/man8/iptables.8:988
+#: original/man8/iptables-extensions.8:2319
+#: original/man8/iptables-extensions.8:2353
#, fuzzy, no-wrap
-#| msgid "B<--log-level >I<level>"
-msgid "B<--log> I<level>"
-msgstr "B<--log-level >I<level>"
+#| msgid "B<--reject-with >I<type>"
+msgid "B<--reject-with> I<type>"
+msgstr "B<--reject-with >I<type>"
#. type: Plain text
-#: original/man8/iptables.8:992
+#: original/man8/iptables-extensions.8:2340
+#, fuzzy
+#| msgid ""
+#| "which return the appropriate IPv6-ICMP error message (B<port-unreach> is "
+#| "the default). Finally, the option B<tcp-reset> can be used on rules which "
+#| "only match the TCP protocol: this causes a TCP RST packet to be sent "
+#| "back. This is mainly useful for blocking I<ident> (113/tcp) probes which "
+#| "frequently occur when sending mail to broken mail hosts (which won't "
+#| "accept your mail otherwise)."
msgid ""
-"Log determined genres into dmesg even if they do not match the desired one. "
-"I<level> can be one of the following values:"
+"The type given can be B<icmp6-no-route>, B<no-route>, B<icmp6-adm-"
+"prohibited>, B<adm-prohibited>, B<icmp6-addr-unreachable>, B<addr-unreach>, "
+"B<icmp6-port-unreachable> or B<port-unreach> which return the appropriate "
+"ICMPv6 error message (B<port-unreach> is the default). Finally, the option "
+"B<tcp-reset> can be used on rules which only match the TCP protocol: this "
+"causes a TCP RST packet to be sent back. This is mainly useful for blocking "
+"I<ident> (113/tcp) probes which frequently occur when sending mail to broken "
+"mail hosts (which won't accept your mail otherwise). B<tcp-reset> can only "
+"be used with kernel versions 2.6.14 or later."
msgstr ""
+"であり、適切な IPv6-ICMP エラーメッセージを返す (B<port-unreach> がデフォルト"
+"である)。 さらに、TCP プロトコルにのみマッチするルールに対して、オプション "
+"B<tcp-reset> を使うことができる。 このオプションを使うと、TCP RST パケットが"
+"送り返される。 主として I<ident> (113/tcp) による探査を阻止するのに役立つ。 "
+"I<ident> による探査は、壊れている (メールを受け取らない) メールホストに メー"
+"ルが送られる場合に頻繁に起こる。"
-#. type: Plain text
-#: original/man8/iptables.8:994
-msgid "0 - Log all matched or unknown signatures"
+#. type: SS
+#: original/man8/iptables-extensions.8:2340
+#, no-wrap
+msgid "REJECT (IPv4-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:996
-msgid "1 - Log only the first one"
+#: original/man8/iptables-extensions.8:2371
+#, fuzzy
+#| msgid ""
+#| "which return the appropriate ICMP error message (B<port-unreachable> is "
+#| "the default). The option B<tcp-reset> can be used on rules which only "
+#| "match the TCP protocol: this causes a TCP RST packet to be sent back. "
+#| "This is mainly useful for blocking I<ident> (113/tcp) probes which "
+#| "frequently occur when sending mail to broken mail hosts (which won't "
+#| "accept your mail otherwise)."
+msgid ""
+"The type given can be B<icmp-net-unreachable>, B<icmp-host-unreachable>, "
+"B<icmp-port-unreachable>, B<icmp-proto-unreachable>, B<icmp-net-prohibited>, "
+"B<icmp-host-prohibited> or B<icmp-admin-prohibited> (*) which return the "
+"appropriate ICMP error message (B<port-unreachable> is the default). The "
+"option B<tcp-reset> can be used on rules which only match the TCP protocol: "
+"this causes a TCP RST packet to be sent back. This is mainly useful for "
+"blocking I<ident> (113/tcp) probes which frequently occur when sending mail "
+"to broken mail hosts (which won't accept your mail otherwise)."
msgstr ""
+"であり、適切な ICMP エラーメッセージを返す (B<port-unreachable> がデフォルト"
+"である)。 TCP プロトコルにのみマッチするルールに対して、オプション B<tcp-"
+"reset> を使うことができる。 このオプションを使うと、TCP RST パケットが送り返"
+"される。 主として I<ident> (113/tcp) による探査を阻止するのに役立つ。 "
+"I<ident> による探査は、壊れている (メールを受け取らない) メールホストに メー"
+"ルが送られる場合に頻繁に起こる。"
#. type: Plain text
-#: original/man8/iptables.8:998
-msgid "2 - Log all known matched signatures"
+#: original/man8/iptables-extensions.8:2373
+msgid ""
+"(*) Using icmp-admin-prohibited with kernels that do not support it will "
+"result in a plain DROP instead of REJECT"
msgstr ""
+"(*) icmp-admin-prohibited をサポートしないカーネルで、 icmp-admin-prohibited "
+"を使用すると、 REJECT ではなく単なる DROP になる。"
-#. type: Plain text
-#: original/man8/iptables.8:1000
-msgid "You may find something like this in syslog:"
+#. type: SS
+#: original/man8/iptables-extensions.8:2373
+#, no-wrap
+msgid "SAME (IPv4-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:1003
+#: original/man8/iptables-extensions.8:2377
msgid ""
-"Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -E<gt> "
-"11.22.33.44:139 hops=3 Linux [2.5-2.6:] : 1.2.3.4:42624 -E<gt> 1.2.3.5:22 "
-"hops=4"
+"Similar to SNAT/DNAT depending on chain: it takes a range of addresses (`--"
+"to 1.2.3.4-1.2.3.7') and gives a client the same source-/destination-address "
+"for each connection."
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:1006
+#: original/man8/iptables-extensions.8:2379
msgid ""
-"OS fingerprints are loadable using the B<nfnl_osf> program. To load "
-"fingerprints from a file, use:"
+"N.B.: The DNAT target's B<--persistent> option replaced the SAME target."
msgstr ""
-#. type: Plain text
-#: original/man8/iptables.8:1008
-msgid "B<nfnl_osf -f /usr/share/xtables/pf.os>"
-msgstr ""
+#. type: TP
+#: original/man8/iptables-extensions.8:2379
+#, fuzzy, no-wrap
+#| msgid "B<--to-source >I<ipaddr>[-I<ipaddr>][:I<port>-I<port>]"
+msgid "B<--to> I<ipaddr>[B<->I<ipaddr>]"
+msgstr "B<--to-source >I<ipaddr>[-I<ipaddr>][:I<port>-I<port>]"
#. type: Plain text
-#: original/man8/iptables.8:1010
-msgid "To remove them again,"
+#: original/man8/iptables-extensions.8:2383
+msgid ""
+"Addresses to map source to. May be specified more than once for multiple "
+"ranges."
msgstr ""
+#. type: TP
+#: original/man8/iptables-extensions.8:2383
+#, fuzzy, no-wrap
+#| msgid "B<--tos >I<tos>"
+msgid "B<--nodst>"
+msgstr "B<--tos >I<tos>"
+
#. type: Plain text
-#: original/man8/iptables.8:1012
-msgid "B<nfnl_osf -f /usr/share/xtables/pf.os -d>"
+#: original/man8/iptables-extensions.8:2387
+msgid ""
+"Don't use the destination-ip in the calculations when selecting the new "
+"source-ip"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:1015
+#: original/man8/iptables-extensions.8:2391
msgid ""
-"The fingerprint database can be downlaoded from http://www.openbsd.org/cgi-"
-"bin/cvsweb/src/etc/pf.os ."
+"Port mapping will be forcibly randomized to avoid attacks based on port "
+"prediction (kernel E<gt>= 2.6.21)."
msgstr ""
#. type: SS
-#: original/man8/iptables.8:1241
-#, no-wrap
-msgid "realm"
-msgstr ""
+#: original/man8/iptables-extensions.8:2391
+#, fuzzy, no-wrap
+#| msgid "MARK"
+msgid "SECMARK"
+msgstr "MARK"
#. type: Plain text
-#: original/man8/iptables.8:1244
+#: original/man8/iptables-extensions.8:2400
msgid ""
-"This matches the routing realm. Routing realms are used in complex routing "
-"setups involving dynamic routing protocols like BGP."
+"This is used to set the security mark value associated with the packet for "
+"use by security subsystems such as SELinux. It is valid in the B<security> "
+"table (for backwards compatibility with older kernels, it is also valid in "
+"the B<mangle> table). The mark is 32 bits wide."
msgstr ""
#. type: TP
-#: original/man8/iptables.8:1244
-#, fuzzy, no-wrap
-#| msgid "B<--mark >I<value>[/I<mask>]"
-msgid "[B<!>] B<--realm> I<value>[B</>I<mask>]"
-msgstr "B<--mark >I<value>[/I<mask>]"
-
-#. type: Plain text
-#: original/man8/iptables.8:1249
-msgid ""
-"Matches a given realm number (and optionally mask). If not a number, value "
-"can be a named realm from /etc/iproute2/rt_realms (mask can not be used in "
-"that case)."
+#: original/man8/iptables-extensions.8:2400
+#, no-wrap
+msgid "B<--selctx> I<security_context>"
msgstr ""
#. type: SS
-#: original/man8/iptables.8:1680
+#: original/man8/iptables-extensions.8:2402
#, no-wrap
-msgid "ttl"
-msgstr "ttl"
-
-#. type: Plain text
-#: original/man8/iptables.8:1682
-msgid "This module matches the time to live field in the IP header."
-msgstr "このモジュールは IP ヘッダーの time to live フィールドにマッチする。"
-
-#. type: TP
-#: original/man8/iptables.8:1682
-#, fuzzy, no-wrap
-#| msgid "B<--ttl >I<ttl>"
-msgid "[B<!>] B<--ttl-eq> I<ttl>"
-msgstr "B<--ttl >I<ttl>"
+msgid "SET"
+msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:1685
-msgid "Matches the given TTL value."
-msgstr "指定された TTL 値にマッチする。"
+#: original/man8/iptables-extensions.8:2405
+#, fuzzy
+#| msgid "This module matches the SPIs in AH header of IPSec packets."
+msgid ""
+"This module adds and/or deletes entries from IP sets which can be defined by "
+"ipset(8)."
+msgstr "このモジュールは IPSec パケットの AH ヘッダーの SPI 値にマッチする。"
#. type: TP
-#: original/man8/iptables.8:1685
-#, fuzzy, no-wrap
-#| msgid "B<--ttl >I<ttl>"
-msgid "B<--ttl-gt> I<ttl>"
-msgstr "B<--ttl >I<ttl>"
+#: original/man8/iptables-extensions.8:2405
+#, no-wrap
+msgid "B<--add-set> I<setname> I<flag>[B<,>I<flag>...]"
+msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:1688
-#, fuzzy
-#| msgid "Matches the given TTL value."
-msgid "Matches if TTL is greater than the given TTL value."
-msgstr "指定された TTL 値にマッチする。"
+#: original/man8/iptables-extensions.8:2408
+msgid "add the address(es)/port(s) of the packet to the set"
+msgstr ""
#. type: TP
-#: original/man8/iptables.8:1688
-#, fuzzy, no-wrap
-#| msgid "B<--ttl >I<ttl>"
-msgid "B<--ttl-lt> I<ttl>"
-msgstr "B<--ttl >I<ttl>"
-
-#. type: Plain text
-#: original/man8/iptables.8:1691
-#, fuzzy
-#| msgid "Matches the given TTL value."
-msgid "Matches if TTL is less than the given TTL value."
-msgstr "指定された TTL 値にマッチする。"
+#: original/man8/iptables-extensions.8:2408
+#, no-wrap
+msgid "B<--del-set> I<setname> I<flag>[B<,>I<flag>...]"
+msgstr ""
-#. type: SS
-#: original/man8/iptables.8:1836
-#, no-wrap
-msgid "unclean"
-msgstr "unclean"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2411
+msgid "delete the address(es)/port(s) of the packet from the set"
+msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:1839
+#: original/man8/iptables-extensions.8:2417
msgid ""
-"This module takes no options, but attempts to match packets which seem "
-"malformed or unusual. This is regarded as experimental."
+"where I<flag>(s) are B<src> and/or B<dst> specifications and there can be no "
+"more than six of them."
msgstr ""
-"このモジュールにはオプションがないが、 おかしく正常でないように見えるパケット"
-"にマッチする。 これは実験的なものとして扱われている。"
-#. @TARGET@
+#. type: TP
+#: original/man8/iptables-extensions.8:2417
+#, fuzzy, no-wrap
+#| msgid "B<--set-mss >I<value>"
+msgid "B<--timeout> I<value>"
+msgstr "B<--set-mss >I<value>"
+
#. type: Plain text
-#: original/man8/iptables.8:1843
+#: original/man8/iptables-extensions.8:2421
msgid ""
-"iptables can use extended target modules: the following are included in the "
-"standard distribution."
+"when adding an entry, the timeout value to use instead of the default one "
+"from the set definition"
msgstr ""
-"iptables は拡張ターゲットモジュールを使うことができる: 以下のものが、標準的な"
-"ディストリビューションに含まれている。"
-#. type: SS
-#: original/man8/iptables.8:1873
-#, no-wrap
-msgid "CLUSTERIP"
+#. type: TP
+#: original/man8/iptables-extensions.8:2421
+#, fuzzy, no-wrap
+#| msgid "B<-x, --exact>"
+msgid "B<--exist>"
+msgstr "B<-x, --exact>"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2425
+msgid ""
+"when adding an entry if it already exists, reset the timeout value to the "
+"specified one or to the default from the set definition"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:1878
+#: original/man8/iptables-extensions.8:2428
msgid ""
-"This module allows you to configure a simple cluster of nodes that share a "
-"certain IP and MAC address without an explicit load balancer in front of "
-"them. Connections are statically distributed between the nodes in this "
-"cluster."
+"Use of -j SET requires that ipset kernel support is provided, which, for "
+"standard kernels, is the case since Linux 2.6.39."
msgstr ""
-#. type: TP
-#: original/man8/iptables.8:1878
+#. type: SS
+#: original/man8/iptables-extensions.8:2428
#, no-wrap
-msgid "B<--new>"
+msgid "SNAT (IPv4-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:1882
+#: original/man8/iptables-extensions.8:2437
msgid ""
-"Create a new ClusterIP. You always have to set this on the first rule for a "
-"given ClusterIP."
+"This target is only valid in the B<nat> table, in the B<POSTROUTING> chain. "
+"It specifies that the source address of the packet should be modified (and "
+"all future packets in this connection will also be mangled), and rules "
+"should cease being examined. It takes one type of option:"
msgstr ""
+"このターゲットは B<nat> テーブルの B<POSTROUTING> チェインのみで有効である。 "
+"このターゲットはパケットの送信元アドレスを修正させる (この接続の以降のパケッ"
+"トも修正して分からなく (mangle) する)。 さらに、ルールが評価を中止するように"
+"指示する。 このターゲットにはオプションが 1 種類ある:"
#. type: TP
-#: original/man8/iptables.8:1882
+#: original/man8/iptables-extensions.8:2437
#, fuzzy, no-wrap
-#| msgid "B<--cmd-owner >I<name>"
-msgid "B<--hashmode> I<mode>"
-msgstr "B<--cmd-owner >I<name>"
+#| msgid "B<--to-source >I<ipaddr>[-I<ipaddr>][:I<port>-I<port>]"
+msgid "B<--to-source> [I<ipaddr>[B<->I<ipaddr>]][B<:>I<port>[B<->I<port>]]"
+msgstr "B<--to-source >I<ipaddr>[-I<ipaddr>][:I<port>-I<port>]"
#. type: Plain text
-#: original/man8/iptables.8:1886
+#: original/man8/iptables-extensions.8:2449
msgid ""
-"Specify the hashing mode. Has to be one of B<sourceip>, B<sourceip-"
-"sourceport>, B<sourceip-sourceport-destport>."
+"which can specify a single new source IP address, an inclusive range of IP "
+"addresses, and optionally, a port range (which is only valid if the rule "
+"also specifies B<-p tcp> or B<-p udp>). If no port range is specified, then "
+"source ports below 512 will be mapped to other ports below 512: those "
+"between 512 and 1023 inclusive will be mapped to ports below 1024, and other "
+"ports will be mapped to 1024 or above. Where possible, no port alteration "
+"will occur."
msgstr ""
+"1 つの新しい送信元 IP アドレス、または IP アドレスの範囲が指定できる。 ポート"
+"の範囲を指定することもできる (ルールが B<-p tcp> または B<-p udp> を指定して"
+"いる場合にのみ有効)。 ポートの範囲が指定されていない場合、 512 未満の送信元"
+"ポートは、他の 512 未満のポートにマッピングされる。 512 〜 1023 までのポート"
+"は、1024 未満のポートにマッピングされる。 それ以外のポートは、1024 以上のポー"
+"トにマッピングされる。 可能であれば、ポートの変換は起こらない。"
-#. type: TP
-#: original/man8/iptables.8:1886
-#, fuzzy, no-wrap
-#| msgid "B<--set-mark >I<mark>"
-msgid "B<--clustermac> I<mac>"
-msgstr "B<--set-mark >I<mark>"
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2456
+#, fuzzy
+#| msgid ""
+#| "You can add several --to-source options. If you specify more than one "
+#| "source address, either via an address range or multiple --to-source "
+#| "options, a simple round-robin (one after another in cycle) takes place "
+#| "between these adresses."
+msgid ""
+"In Kernels up to 2.6.10, you can add several --to-source options. For those "
+"kernels, if you specify more than one source address, either via an address "
+"range or multiple --to-source options, a simple round-robin (one after "
+"another in cycle) takes place between these addresses. Later Kernels "
+"(E<gt>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore."
+msgstr ""
+"複数の --to-source オプションを指定することができる。 アドレスの範囲によっ"
+"て、 もしくは複数の --to-source オプションによって 2 つ以上の送信元アドレスを"
+"指定した場合、 それらのアドレスを使った単純なラウンド・ロビン (順々に循環させ"
+"る) がおこなわれる。"
#. type: Plain text
-#: original/man8/iptables.8:1889
+#: original/man8/iptables-extensions.8:2461
msgid ""
-"Specify the ClusterIP MAC address. Has to be a link-layer multicast address"
+"If option B<--random> is used then port mapping will be randomized (kernel "
+"E<gt>= 2.6.21)."
msgstr ""
-#. type: TP
-#: original/man8/iptables.8:1889
-#, fuzzy, no-wrap
-#| msgid "B<-t>, B<--table> B<tablename>"
-msgid "B<--total-nodes> I<num>"
-msgstr "B<-t>, B<--table> B<tablename>"
+#. type: SS
+#: original/man8/iptables-extensions.8:2466
+#, no-wrap
+msgid "TCPMSS"
+msgstr "TCPMSS"
#. type: Plain text
-#: original/man8/iptables.8:1892
-msgid "Number of total nodes within this cluster."
+#: original/man8/iptables-extensions.8:2473
+#, fuzzy
+#| msgid ""
+#| "This target allows to alter the MSS value of TCP SYN packets, to control "
+#| "the maximum size for that connection (usually limiting it to your "
+#| "outgoing interface's MTU minus 40). Of course, it can only be used in "
+#| "conjunction with B<-p tcp>."
+msgid ""
+"This target allows to alter the MSS value of TCP SYN packets, to control the "
+"maximum size for that connection (usually limiting it to your outgoing "
+"interface's MTU minus 40 for IPv4 or 60 for IPv6, respectively). Of course, "
+"it can only be used in conjunction with B<-p tcp>."
msgstr ""
-
-#. type: TP
-#: original/man8/iptables.8:1892
-#, fuzzy, no-wrap
-#| msgid "B<--cmd-owner >I<name>"
-msgid "B<--local-node> I<num>"
-msgstr "B<--cmd-owner >I<name>"
+"このターゲットを用いると、TCP の SYN パケットの MSS 値を書き換え、 そのコネク"
+"ションの最大サイズ (通常は、送信インターフェースの MTU から 40 引いた値) を"
+"制御できる。 もちろん B<-p tcp> と組み合わせてしか使えない。"
#. type: Plain text
-#: original/man8/iptables.8:1895
-msgid "Local node number within this cluster."
+#: original/man8/iptables-extensions.8:2480
+#, fuzzy
+#| msgid ""
+#| "This target is used to overcome criminally braindead ISPs or servers "
+#| "which block ICMP Fragmentation Needed packets. The symptoms of this "
+#| "problem are that everything works fine from your Linux firewall/router, "
+#| "but machines behind it can never exchange large packets:"
+msgid ""
+"This target is used to overcome criminally braindead ISPs or servers which "
+"block \"ICMP Fragmentation Needed\" or \"ICMPv6 Packet Too Big\" packets. "
+"The symptoms of this problem are that everything works fine from your Linux "
+"firewall/router, but machines behind it can never exchange large packets:"
msgstr ""
+"このターゲットは犯罪的に頭のいかれた ISP や ICMP Fragmentation Needed パケッ"
+"トをブロックしてしまうサーバーを 乗り越えるために使用する。 Linux ファイア"
+"ウォール/ルーターでは何も問題がないのに、 そこにぶら下がるマシンでは以下のよ"
+"うに大きなパケットを やりとりできないというのが、この問題の兆候である。"
-#. type: TP
-#: original/man8/iptables.8:1895
-#, fuzzy, no-wrap
-#| msgid "B<--limit >I<rate>"
-msgid "B<--hash-init> I<rnd>"
-msgstr "B<--limit >I<rate>"
+#. type: IP
+#: original/man8/iptables-extensions.8:2480
+#, no-wrap
+msgid "1."
+msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:1898
-msgid "Specify the random seed used for hash initialization."
+#: original/man8/iptables-extensions.8:2482
+msgid "Web browsers connect, then hang with no data received."
+msgstr "ウェブ・ブラウザで接続が、何のデータも受け取らずにハングする"
+
+#. type: IP
+#: original/man8/iptables-extensions.8:2482
+#, no-wrap
+msgid "2."
msgstr ""
-#. type: SS
-#: original/man8/iptables.8:1997
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2484
+msgid "Small mail works fine, but large emails hang."
+msgstr "短いメールは問題ないが、長いメールがハングする"
+
+#. type: IP
+#: original/man8/iptables-extensions.8:2484
#, no-wrap
-msgid "DNAT"
-msgstr "DNAT"
+msgid "3."
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2486
+msgid "ssh works fine, but scp hangs after initial handshaking."
+msgstr "ssh は問題ないが、scp は最初のハンドシェーク後にハングする"
#. type: Plain text
-#: original/man8/iptables.8:2009
+#: original/man8/iptables-extensions.8:2489
msgid ""
-"This target is only valid in the B<nat> table, in the B<PREROUTING> and "
-"B<OUTPUT> chains, and user-defined chains which are only called from those "
-"chains. It specifies that the destination address of the packet should be "
-"modified (and all future packets in this connection will also be mangled), "
-"and rules should cease being examined. It takes one type of option:"
+"Workaround: activate this option and add a rule to your firewall "
+"configuration like:"
msgstr ""
-"このターゲットは B<nat> テーブルの B<PREROUTING>, B<OUTPUT> チェイン、これら"
-"のチェインから呼び出される ユーザー定義チェインのみで有効である。 このター"
-"ゲットはパケットの送信先アドレスを修正する (この接続の以降のパケットも修正し"
-"て分からなく (mangle) する)。 さらに、ルールによるチェックを止めさせる。 この"
-"ターゲットにはオプションが 1 種類ある:"
+"回避方法: このオプションを有効にし、以下のようなルールを ファイアウォールの設"
+"定に追加する。"
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2492
+#, fuzzy, no-wrap
+#| msgid ""
+#| " iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \\e\n"
+#| " -j TCPMSS --clamp-mss-to-pmtu\n"
+msgid ""
+" iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN\n"
+" -j TCPMSS --clamp-mss-to-pmtu\n"
+msgstr ""
+" iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \\e\n"
+" -j TCPMSS --clamp-mss-to-pmtu\n"
#. type: TP
-#: original/man8/iptables.8:2009
+#: original/man8/iptables-extensions.8:2492
#, fuzzy, no-wrap
-#| msgid "B<--to-destination >I<ipaddr>[-I<ipaddr>][:I<port>-I<port>]"
-msgid "B<--to-destination> [I<ipaddr>[B<->I<ipaddr>]][B<:>I<port>[B<->I<port>]]"
-msgstr "B<--to-destination >I<ipaddr>[-I<ipaddr>][:I<port>-I<port>]"
+#| msgid "B<--set-mss >I<value>"
+msgid "B<--set-mss> I<value>"
+msgstr "B<--set-mss >I<value>"
#. type: Plain text
-#: original/man8/iptables.8:2020
-#, fuzzy
-#| msgid ""
-#| "which can specify a single new destination IP address, an inclusive range "
-#| "of IP addresses, and optionally, a port range (which is only valid if the "
-#| "rule also specifies B<-p tcp> or B<-p udp>). If no port range is "
-#| "specified, then the destination port will never be modified."
+#: original/man8/iptables-extensions.8:2497
msgid ""
-"which can specify a single new destination IP address, an inclusive range of "
-"IP addresses, and optionally, a port range (which is only valid if the rule "
-"also specifies B<-p tcp> or B<-p udp>). If no port range is specified, then "
-"the destination port will never be modified. If no IP address is specified "
-"then only the destination port will be modified."
+"Explicitly sets MSS option to specified value. If the MSS of the packet is "
+"already lower than I<value>, it will B<not> be increased (from Linux 2.6.25 "
+"onwards) to avoid more problems with hosts relying on a proper MSS."
msgstr ""
-"1 つの新しい送信先 IP アドレス、または IP アドレスの範囲が指定できる。 ポート"
-"の範囲を指定することもできる (これはルールで B<-p tcp> または B<-p udp> を指"
-"定している場合にのみ有効)。 ポートの範囲が指定されていない場合、送信先ポート"
-"は変更されない。"
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2497
+#, no-wrap
+msgid "B<--clamp-mss-to-pmtu>"
+msgstr "B<--clamp-mss-to-pmtu>"
#. type: Plain text
-#: original/man8/iptables.8:2027
-#, fuzzy
-#| msgid ""
-#| "You can add several --to-destination options. If you specify more than "
-#| "one destination address, either via an address range or multiple --to-"
-#| "destination options, a simple round-robin (one after another in cycle) "
-#| "load balancing takes place between these adresses."
+#: original/man8/iptables-extensions.8:2506
msgid ""
-"In Kernels up to 2.6.10 you can add several --to-destination options. For "
-"those kernels, if you specify more than one destination address, either via "
-"an address range or multiple --to-destination options, a simple round-robin "
-"(one after another in cycle) load balancing takes place between these "
-"addresses. Later Kernels (E<gt>= 2.6.11-rc1) don't have the ability to NAT "
-"to multiple ranges anymore."
+"Automatically clamp MSS value to (path_MTU - 40 for IPv4; -60 for IPv6). "
+"This may not function as desired where asymmetric routes with differing path "
+"MTU exist \\(em the kernel uses the path MTU which it would use to send "
+"packets from itself to the source and destination IP addresses. Prior to "
+"Linux 2.6.25, only the path MTU to the destination IP address was considered "
+"by this option; subsequent kernels also consider the path MTU to the source "
+"IP address."
msgstr ""
-"複数の --to-destination オプションを指定することができる。 アドレスの範囲に"
-"よって、 もしくは複数の --to-destination オプションによって 2 つ以上の送信先"
-"アドレスを指定した場合、 それらのアドレスを使った単純なラウンド・ロビン (順々"
-"に循環させる) がおこなわれる。"
-#. type: TP
-#: original/man8/iptables.8:2027 original/man8/iptables.8:2159
-#: original/man8/iptables.8:2284 original/man8/iptables.8:2338
-#: original/man8/iptables.8:2407
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2508
+msgid "These options are mutually exclusive."
+msgstr "これらのオプションはどちらか 1 つしか指定できない。"
+
+#. type: SS
+#: original/man8/iptables-extensions.8:2508
#, no-wrap
-msgid "B<--random>"
+msgid "TCPOPTSTRIP"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2032 original/man8/iptables.8:2289
+#: original/man8/iptables-extensions.8:2511
msgid ""
-"If option B<--random> is used then port mapping will be randomized (kernel "
-"E<gt>= 2.6.22)."
+"This target will strip TCP options off a TCP packet. (It will actually "
+"replace them by NO-OPs.) As such, you will need to add the B<-p tcp> "
+"parameters."
msgstr ""
#. type: TP
-#: original/man8/iptables.8:2032 original/man8/iptables.8:2412
+#: original/man8/iptables-extensions.8:2511
#, fuzzy, no-wrap
-#| msgid "B<--helper >I<string>"
-msgid "B<--persistent>"
-msgstr "B<--helper >I<string>"
+#| msgid "B<--destination-ports >I<port>[,I<port>[,I<port>...]]"
+msgid "B<--strip-options> I<option>[B<,>I<option>...]"
+msgstr "B<--destination-ports >I<port>[,I<port>[,I<port>...]]"
#. type: Plain text
-#: original/man8/iptables.8:2037 original/man8/iptables.8:2417
+#: original/man8/iptables-extensions.8:2516
msgid ""
-"Gives a client the same source-/destination-address for each connection. "
-"This supersedes the SAME target. Support for persistent mappings is "
-"available from 2.6.29-rc2."
+"Strip the given option(s). The options may be specified by TCP option number "
+"or by symbolic name. The list of recognized options can be obtained by "
+"calling iptables with B<-j TCPOPTSTRIP -h>."
msgstr ""
#. type: SS
-#: original/man8/iptables.8:2047
+#: original/man8/iptables-extensions.8:2516
#, no-wrap
-msgid "ECN"
-msgstr "ECN"
+msgid "TEE"
+msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2050
+#: original/man8/iptables-extensions.8:2521
msgid ""
-"This target allows to selectively work around known ECN blackholes. It can "
-"only be used in the mangle table."
+"The B<TEE> target will clone a packet and redirect this clone to another "
+"machine on the B<local> network segment. In other words, the nexthop must be "
+"the target, or you will have to configure the nexthop to forward it further "
+"if so desired."
msgstr ""
-"このターゲットは ECN ブラックホール問題への対処を可能にする。 mangle テーブル"
-"でのみ使用できる。"
#. type: TP
-#: original/man8/iptables.8:2050
+#: original/man8/iptables-extensions.8:2521
#, no-wrap
-msgid "B<--ecn-tcp-remove>"
-msgstr "B<--ecn-tcp-remove>"
+msgid "B<--gateway> I<ipaddr>"
+msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2055
+#: original/man8/iptables-extensions.8:2525
msgid ""
-"Remove all ECN bits from the TCP header. Of course, it can only be used in "
-"conjunction with B<-p tcp>."
+"Send the cloned packet to the host reachable at the given IP address. Use "
+"of 0.0.0.0 (for IPv4 packets) or :: (IPv6) is invalid."
msgstr ""
-"TCP ヘッダーから全ての ECN ビット (訳注: ECE/CWR フラグ) を取り除く。 当然、 "
-"B<-p tcp> オプションとの組合わせでのみ使用できる。"
#. type: Plain text
-#: original/man8/iptables.8:2088
+#: original/man8/iptables-extensions.8:2527
msgid ""
-"Turn on kernel logging of matching packets. When this option is set for a "
-"rule, the Linux kernel will print some information on all matching packets "
-"(like most IP header fields) via the kernel log (where it can be read with "
-"I<dmesg> or I<syslogd>(8)). This is a \"non-terminating target\", i.e. rule "
-"traversal continues at the next rule. So if you want to LOG the packets you "
-"refuse, use two separate rules with the same matching criteria, first using "
-"target LOG then DROP (or REJECT)."
+"To forward all incoming traffic on eth0 to an Network Layer logging box:"
msgstr ""
-"マッチしたパケットをカーネルログに記録する。 このオプションがルールに対して設"
-"定されると、 Linux カーネルはマッチしたパケットについての (大部分の IP ヘッ"
-"ダーフィールドのような) 何らかの情報を カーネルログに表示する (カーネルログ"
-"は I<dmesg> または I<syslogd>(8) で見ることができる)。 これは \"非終了ター"
-"ゲット\" である。 すなわち、ルールの検討は、次のルールへと継続される。 よっ"
-"て、拒否するパケットをログ記録したければ、 同じマッチング判断基準を持つ 2 つ"
-"のルールを使用し、 最初のルールで LOG ターゲットを、 次のルールで DROP (また"
-"は REJECT) ターゲットを指定する。"
#. type: Plain text
-#: original/man8/iptables.8:2105
-msgid "Log options from the IP packet header."
-msgstr "IP パケットヘッダーのオプションをログに記録する。"
+#: original/man8/iptables-extensions.8:2529
+msgid "-t mangle -A PREROUTING -i eth0 -j TEE --gateway 2001:db8::1"
+msgstr ""
#. type: SS
-#: original/man8/iptables.8:2136
+#: original/man8/iptables-extensions.8:2529
#, no-wrap
-msgid "MASQUERADE"
-msgstr "MASQUERADE"
+msgid "TOS"
+msgstr "TOS"
#. type: Plain text
-#: original/man8/iptables.8:2150
-#, fuzzy
-#| msgid ""
-#| "This target is only valid in the B<nat> table, in the B<POSTROUTING> "
-#| "chain. It should only be used with dynamically assigned IP (dialup) "
-#| "connections: if you have a static IP address, you should use the SNAT "
-#| "target. Masquerading is equivalent to specifying a mapping to the IP "
-#| "address of the interface the packet is going out, but also has the effect "
-#| "that connections are I<forgotten> when the interface goes down. This is "
-#| "the correct behavior when the next dialup is unlikely to have the same "
-#| "interface address (and hence any established connections are lost "
-#| "anyway). It takes one option:"
+#: original/man8/iptables-extensions.8:2534
msgid ""
-"This target is only valid in the B<nat> table, in the B<POSTROUTING> chain. "
-"It should only be used with dynamically assigned IP (dialup) connections: "
-"if you have a static IP address, you should use the SNAT target. "
-"Masquerading is equivalent to specifying a mapping to the IP address of the "
-"interface the packet is going out, but also has the effect that connections "
-"are I<forgotten> when the interface goes down. This is the correct behavior "
-"when the next dialup is unlikely to have the same interface address (and "
-"hence any established connections are lost anyway)."
+"This module sets the Type of Service field in the IPv4 header (including the "
+"\"precedence\" bits) or the Priority field in the IPv6 header. Note that TOS "
+"shares the same bits as DSCP and ECN. The TOS target is only valid in the "
+"B<mangle> table."
msgstr ""
-"このターゲットは B<nat> テーブルの B<POSTROUTING> チェインのみで有効である。 "
-"動的割り当て IP (ダイヤルアップ) 接続の場合にのみ使うべきである。 固定 IP ア"
-"ドレスならば、SNAT ターゲットを使うべきである。 マスカレーディングは、パケッ"
-"トが送信されるインターフェースの IP アドレスへのマッピングを指定するのと同じ"
-"であるが、 インターフェースが停止した場合に接続をI<忘れる>という効果がある。 "
-"次のダイヤルアップでは同じインターフェースアドレスになる可能性が低い (そのた"
-"め、前回確立された接続は失われる) 場合、 この動作は正しい。 このターゲットに"
-"はオプションが 1 つある。"
#. type: TP
-#: original/man8/iptables.8:2150 original/man8/iptables.8:2276
+#: original/man8/iptables-extensions.8:2534
#, fuzzy, no-wrap
-#| msgid "B<--to-ports >I<port>[-I<port>]"
-msgid "B<--to-ports> I<port>[B<->I<port>]"
-msgstr "B<--to-ports >I<port>[-I<port>]"
+#| msgid "B<--mark >I<value>[/I<mask>]"
+msgid "B<--set-tos> I<value>[B</>I<mask>]"
+msgstr "B<--mark >I<value>[/I<mask>]"
#. type: Plain text
-#: original/man8/iptables.8:2159
+#: original/man8/iptables-extensions.8:2538
msgid ""
-"This specifies a range of source ports to use, overriding the default "
-"B<SNAT> source port-selection heuristics (see above). This is only valid if "
-"the rule also specifies B<-p tcp> or B<-p udp>."
+"Zeroes out the bits given by I<mask> (see NOTE below) and XORs I<value> into "
+"the TOS/Priority field. If I<mask> is omitted, 0xFF is assumed."
msgstr ""
-"このオプションは、使用する送信元ポートの範囲を指定し、 デフォルトの B<SNAT> "
-"送信元ポートの選択方法 (上記) よりも優先される。 ルールが B<-p tcp> または "
-"B<-p udp> を指定している場合にのみ有効である。"
+
+#. type: TP
+#: original/man8/iptables-extensions.8:2538
+#, fuzzy, no-wrap
+#| msgid "B<--set-tos >I<tos>"
+msgid "B<--set-tos> I<symbol>"
+msgstr "B<--set-tos >I<tos>"
#. type: Plain text
-#: original/man8/iptables.8:2165
+#: original/man8/iptables-extensions.8:2543
msgid ""
-"Randomize source port mapping If option B<--random> is used then port "
-"mapping will be randomized (kernel E<gt>= 2.6.21)."
+"You can specify a symbolic name when using the TOS target for IPv4. It "
+"implies a mask of 0xFF (see NOTE below). The list of recognized TOS names "
+"can be obtained by calling iptables with B<-j TOS -h>."
msgstr ""
-#. type: SS
-#: original/man8/iptables.8:2167
-#, no-wrap
-msgid "MIRROR"
-msgstr "MIRROR"
+#. type: TP
+#: original/man8/iptables-extensions.8:2545
+#, fuzzy, no-wrap
+#| msgid "B<--tos >I<tos>"
+msgid "B<--and-tos> I<bits>"
+msgstr "B<--tos >I<tos>"
#. type: Plain text
-#: original/man8/iptables.8:2180
+#: original/man8/iptables-extensions.8:2550
msgid ""
-"This is an experimental demonstration target which inverts the source and "
-"destination fields in the IP header and retransmits the packet. It is only "
-"valid in the B<INPUT>, B<FORWARD> and B<PREROUTING> chains, and user-defined "
-"chains which are only called from those chains. Note that the outgoing "
-"packets are B<NOT> seen by any packet filtering chains, connection tracking "
-"or NAT, to avoid loops and other problems."
+"Binary AND the TOS value with I<bits>. (Mnemonic for B<--set-tos 0/"
+">I<invbits>, where I<invbits> is the binary negation of I<bits>. See NOTE "
+"below.)"
msgstr ""
-"実験的なデモンストレーション用のターゲットであり、 IP ヘッダーの送信元と送信"
-"先フィールドを入れ換え、 パケットを再送信するものである。 これは B<INPUT>, "
-"B<FORWARD>, B<PREROUTING> チェインと、これらのチェインから呼び出される ユー"
-"ザー定義チェインだけで有効である。 ループ等の問題を回避するため、外部に送られ"
-"るパケットは いかなるパケットフィルタリングチェイン・接続追跡・NAT からも 監"
-"視B<されない>。"
-#. type: SS
-#: original/man8/iptables.8:2180
-#, no-wrap
-msgid "NETMAP"
-msgstr ""
+#. type: TP
+#: original/man8/iptables-extensions.8:2550
+#, fuzzy, no-wrap
+#| msgid "B<--tos >I<tos>"
+msgid "B<--or-tos> I<bits>"
+msgstr "B<--tos >I<tos>"
#. type: Plain text
-#: original/man8/iptables.8:2185
-#, fuzzy
-#| msgid ""
-#| "This target allows to selectively work around known ECN blackholes. It "
-#| "can only be used in the mangle table."
+#: original/man8/iptables-extensions.8:2554
msgid ""
-"This target allows you to statically map a whole network of addresses onto "
-"another network of addresses. It can only be used from rules in the B<nat> "
-"table."
+"Binary OR the TOS value with I<bits>. (Mnemonic for B<--set-tos> I<bits>B</"
+">I<bits>. See NOTE below.)"
msgstr ""
-"このターゲットは ECN ブラックホール問題への対処を可能にする。 mangle テーブル"
-"でのみ使用できる。"
#. type: TP
-#: original/man8/iptables.8:2185
+#: original/man8/iptables-extensions.8:2554
#, fuzzy, no-wrap
-#| msgid "B<-s, --source >[!] I<address>[/I<mask>]"
-msgid "B<--to> I<address>[B</>I<mask>]"
-msgstr "B<-s, --source >[!] I<address>[/I<mask>]"
+#| msgid "B<--tos >I<tos>"
+msgid "B<--xor-tos> I<bits>"
+msgstr "B<--tos >I<tos>"
#. type: Plain text
-#: original/man8/iptables.8:2190
+#: original/man8/iptables-extensions.8:2558
msgid ""
-"Network address to map to. The resulting address will be constructed in the "
-"following way: All 'one' bits in the mask are filled in from the new "
-"`address'. All bits that are zero in the mask are filled in from the "
-"original address."
+"Binary XOR the TOS value with I<bits>. (Mnemonic for B<--set-tos> "
+"I<bits>B</0>. See NOTE below.)"
+msgstr ""
+
+#. type: Plain text
+#: original/man8/iptables-extensions.8:2566
+msgid ""
+"NOTE: In Linux kernels up to and including 2.6.38, with the exception of "
+"longterm releases 2.6.32 (E<gt>=.42), 2.6.33 (E<gt>=.15), and 2.6.35 "
+"(E<gt>=.14), there is a bug whereby IPv6 TOS mangling does not behave as "
+"documented and differs from the IPv4 version. The TOS mask indicates the "
+"bits one wants to zero out, so it needs to be inverted before applying it to "
+"the original TOS field. However, the aformentioned kernels forgo the "
+"inversion which breaks --set-tos and its mnemonics."
msgstr ""
#. type: SS
-#: original/man8/iptables.8:2265
+#: original/man8/iptables-extensions.8:2566
#, no-wrap
-msgid "REDIRECT"
-msgstr "REDIRECT"
+msgid "TPROXY"
+msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2276
+#: original/man8/iptables-extensions.8:2573
#, fuzzy
#| msgid ""
#| "This target is only valid in the B<nat> table, in the B<PREROUTING> and "
#| "the machine itself (locally-generated packets are mapped to the 127.0.0.1 "
#| "address). It takes one option:"
msgid ""
-"This target is only valid in the B<nat> table, in the B<PREROUTING> and "
-"B<OUTPUT> chains, and user-defined chains which are only called from those "
-"chains. It redirects the packet to the machine itself by changing the "
-"destination IP to the primary address of the incoming interface (locally-"
-"generated packets are mapped to the 127.0.0.1 address)."
+"This target is only valid in the B<mangle> table, in the B<PREROUTING> chain "
+"and user-defined chains which are only called from this chain. It redirects "
+"the packet to a local socket without changing the packet header in any way. "
+"It can also change the mark value which can then be used in advanced routing "
+"rules. It takes three options:"
msgstr ""
"このターゲットは、 B<nat> テーブル内の B<PREROUTING> チェイン及び B<OUTPUT> "
"チェイン、そしてこれらチェインから呼び出される ユーザー定義チェインでのみ有効"
"レスに変換する。 (ローカルで生成されたパケットは、アドレス 127.0.0.1 にマップ"
"される)。 このターゲットにはオプションが 1 つある:"
-#. type: Plain text
-#: original/man8/iptables.8:2284
-msgid ""
-"This specifies a destination port or range of ports to use: without this, "
-"the destination port is never altered. This is only valid if the rule also "
-"specifies B<-p tcp> or B<-p udp>."
-msgstr ""
-"このオプションは使用される送信先ポート・ポート範囲・複数ポートを指定する。 こ"
-"のオプションが指定されない場合、送信先ポートは変更されない。 ルールが B<-p "
-"tcp> または B<-p udp> を指定している場合にのみ有効である。"
+#. type: TP
+#: original/man8/iptables-extensions.8:2573
+#, fuzzy, no-wrap
+#| msgid "B<--to-ports >I<port>[-I<port>]"
+msgid "B<--on-port> I<port>"
+msgstr "B<--to-ports >I<port>[-I<port>]"
#. type: Plain text
-#: original/man8/iptables.8:2322
+#: original/man8/iptables-extensions.8:2578
#, fuzzy
#| msgid ""
-#| "which return the appropriate ICMP error message (B<port-unreachable> is "
-#| "the default). The option B<tcp-reset> can be used on rules which only "
-#| "match the TCP protocol: this causes a TCP RST packet to be sent back. "
-#| "This is mainly useful for blocking I<ident> (113/tcp) probes which "
-#| "frequently occur when sending mail to broken mail hosts (which won't "
-#| "accept your mail otherwise)."
-msgid ""
-"The type given can be B<icmp-net-unreachable>, B<icmp-host-unreachable>, "
-"B<icmp-port-unreachable>, B<icmp-proto-unreachable>, B<icmp-net-prohibited>, "
-"B<icmp-host-prohibited> or B<icmp-admin-prohibited> (*) which return the "
-"appropriate ICMP error message (B<port-unreachable> is the default). The "
-"option B<tcp-reset> can be used on rules which only match the TCP protocol: "
-"this causes a TCP RST packet to be sent back. This is mainly useful for "
-"blocking I<ident> (113/tcp) probes which frequently occur when sending mail "
-"to broken mail hosts (which won't accept your mail otherwise)."
-msgstr ""
-"であり、適切な ICMP エラーメッセージを返す (B<port-unreachable> がデフォルト"
-"である)。 TCP プロトコルにのみマッチするルールに対して、オプション B<tcp-"
-"reset> を使うことができる。 このオプションを使うと、TCP RST パケットが送り返"
-"される。 主として I<ident> (113/tcp) による探査を阻止するのに役立つ。 "
-"I<ident> による探査は、壊れている (メールを受け取らない) メールホストに メー"
-"ルが送られる場合に頻繁に起こる。"
-
-#. type: Plain text
-#: original/man8/iptables.8:2324
-msgid ""
-"(*) Using icmp-admin-prohibited with kernels that do not support it will "
-"result in a plain DROP instead of REJECT"
-msgstr ""
-"(*) icmp-admin-prohibited をサポートしないカーネルで、 icmp-admin-prohibited "
-"を使用すると、 REJECT ではなく単なる DROP になる。"
-
-#. type: SS
-#: original/man8/iptables.8:2324
-#, no-wrap
-msgid "SAME"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/iptables.8:2328
-msgid ""
-"Similar to SNAT/DNAT depending on chain: it takes a range of addresses (`--"
-"to 1.2.3.4-1.2.3.7') and gives a client the same source-/destination-address "
-"for each connection."
-msgstr ""
-
-#. type: Plain text
-#: original/man8/iptables.8:2330
+#| "This specifies a destination port or range of ports to use: without this, "
+#| "the destination port is never altered. This is only valid if the rule "
+#| "also specifies B<-p tcp> or B<-p udp>."
msgid ""
-"N.B.: The DNAT target's B<--persistent> option replaced the SAME target."
+"This specifies a destination port to use. It is a required option, 0 means "
+"the new destination port is the same as the original. This is only valid if "
+"the rule also specifies B<-p tcp> or B<-p udp>."
msgstr ""
+"このオプションは使用される送信先ポート・ポート範囲・複数ポートを指定する。 こ"
+"のオプションが指定されない場合、送信先ポートは変更されない。 ルールが B<-p "
+"tcp> または B<-p udp> を指定している場合にのみ有効である。"
#. type: TP
-#: original/man8/iptables.8:2330
+#: original/man8/iptables-extensions.8:2578
#, fuzzy, no-wrap
-#| msgid "B<--to-source >I<ipaddr>[-I<ipaddr>][:I<port>-I<port>]"
-msgid "B<--to> I<ipaddr>[B<->I<ipaddr>]"
-msgstr "B<--to-source >I<ipaddr>[-I<ipaddr>][:I<port>-I<port>]"
+#| msgid "B<--mac-source >[!] I<address>"
+msgid "B<--on-ip> I<address>"
+msgstr "B<--mac-source >[!] I<address>"
#. type: Plain text
-#: original/man8/iptables.8:2334
+#: original/man8/iptables-extensions.8:2583
+#, fuzzy
+#| msgid ""
+#| "This specifies a destination port or range of ports to use: without this, "
+#| "the destination port is never altered. This is only valid if the rule "
+#| "also specifies B<-p tcp> or B<-p udp>."
msgid ""
-"Addresses to map source to. May be specified more than once for multiple "
-"ranges."
+"This specifies a destination address to use. By default the address is the "
+"IP address of the incoming interface. This is only valid if the rule also "
+"specifies B<-p tcp> or B<-p udp>."
msgstr ""
+"このオプションは使用される送信先ポート・ポート範囲・複数ポートを指定する。 こ"
+"のオプションが指定されない場合、送信先ポートは変更されない。 ルールが B<-p "
+"tcp> または B<-p udp> を指定している場合にのみ有効である。"
#. type: TP
-#: original/man8/iptables.8:2334
+#: original/man8/iptables-extensions.8:2583
#, fuzzy, no-wrap
-#| msgid "B<--tos >I<tos>"
-msgid "B<--nodst>"
-msgstr "B<--tos >I<tos>"
-
-#. type: Plain text
-#: original/man8/iptables.8:2338
-msgid ""
-"Don't use the destination-ip in the calculations when selecting the new "
-"source-ip"
-msgstr ""
+#| msgid "B<--mark >I<value>[/I<mask>]"
+msgid "B<--tproxy-mark> I<value>[B</>I<mask>]"
+msgstr "B<--mark >I<value>[/I<mask>]"
#. type: Plain text
-#: original/man8/iptables.8:2342
+#: original/man8/iptables-extensions.8:2588
msgid ""
-"Port mapping will be forcibly randomized to avoid attacks based on port "
-"prediction (kernel E<gt>= 2.6.21)."
+"Marks packets with the given value/mask. The fwmark value set here can be "
+"used by advanced routing. (Required for transparent proxying to work: "
+"otherwise these packets will get forwarded, which is probably not what you "
+"want.)"
msgstr ""
#. type: SS
-#: original/man8/iptables.8:2379
+#: original/man8/iptables-extensions.8:2588
#, no-wrap
-msgid "SNAT"
-msgstr "SNAT"
-
-#. type: Plain text
-#: original/man8/iptables.8:2388
-msgid ""
-"This target is only valid in the B<nat> table, in the B<POSTROUTING> chain. "
-"It specifies that the source address of the packet should be modified (and "
-"all future packets in this connection will also be mangled), and rules "
-"should cease being examined. It takes one type of option:"
+msgid "TRACE"
msgstr ""
-"このターゲットは B<nat> テーブルの B<POSTROUTING> チェインのみで有効である。 "
-"このターゲットはパケットの送信元アドレスを修正させる (この接続の以降のパケッ"
-"トも修正して分からなく (mangle) する)。 さらに、ルールが評価を中止するように"
-"指示する。 このターゲットにはオプションが 1 種類ある:"
-
-#. type: TP
-#: original/man8/iptables.8:2388
-#, fuzzy, no-wrap
-#| msgid "B<--to-source >I<ipaddr>[-I<ipaddr>][:I<port>-I<port>]"
-msgid "B<--to-source> [I<ipaddr>[B<->I<ipaddr>]][B<:>I<port>[B<->I<port>]]"
-msgstr "B<--to-source >I<ipaddr>[-I<ipaddr>][:I<port>-I<port>]"
#. type: Plain text
-#: original/man8/iptables.8:2400
+#: original/man8/iptables-extensions.8:2591
msgid ""
-"which can specify a single new source IP address, an inclusive range of IP "
-"addresses, and optionally, a port range (which is only valid if the rule "
-"also specifies B<-p tcp> or B<-p udp>). If no port range is specified, then "
-"source ports below 512 will be mapped to other ports below 512: those "
-"between 512 and 1023 inclusive will be mapped to ports below 1024, and other "
-"ports will be mapped to 1024 or above. Where possible, no port alteration "
-"will occur."
+"This target marks packets so that the kernel will log every rule which match "
+"the packets as those traverse the tables, chains, rules."
msgstr ""
-"1 つの新しい送信元 IP アドレス、または IP アドレスの範囲が指定できる。 ポート"
-"の範囲を指定することもできる (ルールが B<-p tcp> または B<-p udp> を指定して"
-"いる場合にのみ有効)。 ポートの範囲が指定されていない場合、 512 未満の送信元"
-"ポートは、他の 512 未満のポートにマッピングされる。 512 〜 1023 までのポート"
-"は、1024 未満のポートにマッピングされる。 それ以外のポートは、1024 以上のポー"
-"トにマッピングされる。 可能であれば、ポートの変換は起こらない。"
#. type: Plain text
-#: original/man8/iptables.8:2407
-#, fuzzy
-#| msgid ""
-#| "You can add several --to-source options. If you specify more than one "
-#| "source address, either via an address range or multiple --to-source "
-#| "options, a simple round-robin (one after another in cycle) takes place "
-#| "between these adresses."
+#: original/man8/iptables-extensions.8:2598
msgid ""
-"In Kernels up to 2.6.10, you can add several --to-source options. For those "
-"kernels, if you specify more than one source address, either via an address "
-"range or multiple --to-source options, a simple round-robin (one after "
-"another in cycle) takes place between these addresses. Later Kernels "
-"(E<gt>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore."
+"A logging backend, such as ip(6)t_LOG or nfnetlink_log, must be loaded for "
+"this to be visible. The packets are logged with the string prefix: \"TRACE: "
+"tablename:chainname:type:rulenum \" where type can be \"rule\" for plain "
+"rule, \"return\" for implicit rule at the end of a user defined chain and "
+"\"policy\" for the policy of the built in chains."
msgstr ""
-"複数の --to-source オプションを指定することができる。 アドレスの範囲によっ"
-"て、 もしくは複数の --to-source オプションによって 2 つ以上の送信元アドレスを"
-"指定した場合、 それらのアドレスを使った単純なラウンド・ロビン (順々に循環させ"
-"る) がおこなわれる。"
#. type: Plain text
-#: original/man8/iptables.8:2412
-msgid ""
-"If option B<--random> is used then port mapping will be randomized (kernel "
-"E<gt>= 2.6.21)."
+#: original/man8/iptables-extensions.8:2602
+msgid "It can only be used in the B<raw> table."
msgstr ""
#. type: SS
-#: original/man8/iptables.8:2553
+#: original/man8/iptables-extensions.8:2602
#, no-wrap
-msgid "TTL"
+msgid "TTL (IPv4-specific)"
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2557
+#: original/man8/iptables-extensions.8:2606
msgid ""
"This is used to modify the IPv4 TTL header field. The TTL field determines "
"how many hops (routers) a packet can traverse until it's time to live is "
msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2562
+#: original/man8/iptables-extensions.8:2611
msgid ""
"Setting or incrementing the TTL field can potentially be very dangerous, so "
"it should be avoided at any cost. This target is only valid in B<mangle> "
msgstr ""
#. type: TP
-#: original/man8/iptables.8:2564
+#: original/man8/iptables-extensions.8:2613
#, fuzzy, no-wrap
#| msgid "B<--set-mss >I<value>"
msgid "B<--ttl-set> I<value>"
msgstr "B<--set-mss >I<value>"
#. type: Plain text
-#: original/man8/iptables.8:2567
+#: original/man8/iptables-extensions.8:2616
msgid "Set the TTL value to `value'."
msgstr ""
#. type: TP
-#: original/man8/iptables.8:2567
+#: original/man8/iptables-extensions.8:2616
#, fuzzy, no-wrap
#| msgid "B<--set-dscp >I<value>"
msgid "B<--ttl-dec> I<value>"
msgstr "B<--set-dscp >I<value>"
#. type: Plain text
-#: original/man8/iptables.8:2570
+#: original/man8/iptables-extensions.8:2619
msgid "Decrement the TTL value `value' times."
msgstr ""
#. type: TP
-#: original/man8/iptables.8:2570
+#: original/man8/iptables-extensions.8:2619
#, fuzzy, no-wrap
#| msgid "B<--set-dscp >I<value>"
msgid "B<--ttl-inc> I<value>"
msgstr "B<--set-dscp >I<value>"
#. type: Plain text
-#: original/man8/iptables.8:2573
+#: original/man8/iptables-extensions.8:2622
msgid "Increment the TTL value `value' times."
msgstr ""
#. type: SS
-#: original/man8/iptables.8:2573
+#: original/man8/iptables-extensions.8:2622
#, no-wrap
-msgid "ULOG"
-msgstr "ULOG"
+msgid "ULOG (IPv4-specific)"
+msgstr ""
#. type: Plain text
-#: original/man8/iptables.8:2582
+#: original/man8/iptables-extensions.8:2631
msgid ""
"This target provides userspace logging of matching packets. When this "
"target is set for a rule, the Linux kernel will multicast this packet "
"ルールへと継続される。"
#. type: TP
-#: original/man8/iptables.8:2582
+#: original/man8/iptables-extensions.8:2631
#, fuzzy, no-wrap
#| msgid "B<--ulog-nlgroup >I<nlgroup>"
msgid "B<--ulog-nlgroup> I<nlgroup>"
msgstr "B<--ulog-nlgroup >I<nlgroup>"
#. type: Plain text
-#: original/man8/iptables.8:2586
+#: original/man8/iptables-extensions.8:2635
msgid ""
"This specifies the netlink group (1-32) to which the packet is sent. "
"Default value is 1."
"ある。"
#. type: TP
-#: original/man8/iptables.8:2586
+#: original/man8/iptables-extensions.8:2635
#, fuzzy, no-wrap
#| msgid "B<--ulog-prefix >I<prefix>"
msgid "B<--ulog-prefix> I<prefix>"
msgstr "B<--ulog-prefix >I<prefix>"
#. type: Plain text
-#: original/man8/iptables.8:2590
+#: original/man8/iptables-extensions.8:2639
msgid ""
"Prefix log messages with the specified prefix; up to 32 characters long, and "
"useful for distinguishing messages in the logs."
"る。 ログの中でメッセージを区別するのに便利である。"
#. type: TP
-#: original/man8/iptables.8:2590
+#: original/man8/iptables-extensions.8:2639
#, fuzzy, no-wrap
#| msgid "B<--ulog-cprange >I<size>"
msgid "B<--ulog-cprange> I<size>"
msgstr "B<--ulog-cprange >I<size>"
#. type: Plain text
-#: original/man8/iptables.8:2594
+#: original/man8/iptables-extensions.8:2643
msgid ""
"Number of bytes to be copied to userspace. A value of 0 always copies the "
"entire packet, regardless of its size. Default is 0."
"全パケットをコピーする。 デフォルトは 0 である。"
#. type: TP
-#: original/man8/iptables.8:2594
+#: original/man8/iptables-extensions.8:2643
#, fuzzy, no-wrap
#| msgid "B<--ulog-qthreshold >I<size>"
msgid "B<--ulog-qthreshold> I<size>"
msgstr "B<--ulog-qthreshold >I<size>"
#. type: Plain text
-#: original/man8/iptables.8:2600
+#: original/man8/iptables-extensions.8:2649
msgid ""
"Number of packet to queue inside kernel. Setting this value to, e.g. 10 "
"accumulates ten packets inside the kernel and transmits them as one netlink "
"セージとしてユーザー空間に送る。 (過去のものとの互換性のため) デフォルトは 1 "
"である。"
-#. type: Plain text
-#: original/man8/iptables.8:2609
-msgid ""
-"Bugs? What's this? ;-) Well, you might want to have a look at http://"
-"bugzilla.netfilter.org/"
-msgstr ""
-
-#. type: Plain text
-#: original/man8/iptables.8:2618
-msgid ""
-"This B<iptables> is very similar to ipchains by Rusty Russell. The main "
-"difference is that the chains B<INPUT> and B<OUTPUT> are only traversed for "
-"packets coming into the local host and originating from the local host "
-"respectively. Hence every packet only passes through one of the three "
-"chains (except loopback traffic, which involves both INPUT and OUTPUT "
-"chains); previously a forwarded packet would pass through all three."
-msgstr ""
-"B<iptables> は、Rusty Russell の ipchains と非常によく似ている。 大きな違い"
-"は、チェイン B<INPUT> と B<OUTPUT> が、それぞれローカルホストに入ってくるパ"
-"ケットと、 ローカルホストから出されるパケットのみしか調べないという点であ"
-"る。 よって、(INPUT と OUTPUT の両方のチェインを起動する ループバックトラ"
-"フィックを除く) 全てのパケットは 3 つあるチェインのうち 1 しか通らない。 以"
-"前は (ipchains では)、 フォワードされるパケットは 3 つのチェイン全てを通って"
-"いた。"
-
-#. type: Plain text
-#: original/man8/iptables.8:2622
-msgid ""
-"The other main difference is that B<-i> refers to the input interface; B<-o> "
-"refers to the output interface, and both are available for packets entering "
-"the B<FORWARD> chain."
-msgstr ""
-"その他の大きな違いは、 B<-i> で入力インターフェース、 B<-o> で出力インター"
-"フェースを参照すること、 そしてともに B<FORWARD> チェインに入るパケットに対し"
-"て指定可能な点である。"
-
-#. type: Plain text
-#: original/man8/iptables.8:2628
-msgid ""
-"The various forms of NAT have been separated out; B<iptables> is a pure "
-"packet filter when using the default `filter' table, with optional extension "
-"modules. This should simplify much of the previous confusion over the "
-"combination of IP masquerading and packet filtering seen previously. So the "
-"following options are handled differently:"
-msgstr ""
-"NAT のいろいろな形式が分割された。 オプションの拡張モジュールとともに デフォ"
-"ルトの「フィルタ」テーブルを用いた場合、 B<iptables> は純粋なパケットフィルタ"
-"となる。 これは、以前みられた IP マスカレーディングとパケットフィルタリング"
-"の 組合せによる混乱を簡略化する。 よって、オプション"
-
-#. type: Plain text
-#: original/man8/iptables.8:2632
-#, no-wrap
-msgid ""
-" -j MASQ\n"
-" -M -S\n"
-" -M -L\n"
-msgstr ""
-" -j MASQ\n"
-" -M -S\n"
-" -M -L\n"
-
-#. type: Plain text
-#: original/man8/iptables.8:2634
-msgid "There are several other changes in iptables."
-msgstr ""
-"は別のものとして扱われる。 iptables では、その他にもいくつかの変更がある。"
-
-#. type: Plain text
-#: original/man8/iptables.8:2641
-#, fuzzy
-#| msgid ""
-#| "B<iptables-save>(8), B<iptables-restore>(8), B<ip6tables>(8), B<ip6tables-"
-#| "save>(8), B<ip6tables-restore>(8)."
-msgid ""
-"B<iptables-save>(8), B<iptables-restore>(8), B<ip6tables>(8), B<ip6tables-"
-"save>(8), B<ip6tables-restore>(8), B<libipq>(3)."
-msgstr ""
-"B<iptables-save>(8), B<iptables-restore>(8), B<ip6tables>(8), B<ip6tables-"
-"save>(8), B<ip6tables-restore>(8)."
-
-#. type: Plain text
-#: original/man8/iptables.8:2647
-msgid ""
-"The packet-filtering-HOWTO details iptables usage for packet filtering, the "
-"NAT-HOWTO details NAT, the netfilter-extensions-HOWTO details the extensions "
-"that are not in the standard distribution, and the netfilter-hacking-HOWTO "
-"details the netfilter internals."
-msgstr ""
-"パケットフィルタリングについての詳細な iptables の使用法を\n"
-"説明している packet-filtering-HOWTO。\n"
-"NAT について詳細に説明している NAT-HOWTO。\n"
-"標準的な配布には含まれない拡張の詳細を 説明している \n"
-"netfilter-extensions-HOWTO。\n"
-"内部構造について詳細に説明している netfilter-hacking-HOWTO。"
-
-#. type: Plain text
-#: original/man8/iptables.8:2653
-#, fuzzy
-#| msgid ""
-#| "Rusty Russell wrote iptables, in early consultation with Michael Neuling."
-msgid ""
-"Rusty Russell originally wrote iptables, in early consultation with Michael "
-"Neuling."
-msgstr ""
-"Rusty Russell は、初期の段階で Michael Neuling に相談して iptables を書いた。"
-
-#. type: Plain text
-#: original/man8/iptables.8:2663
-#, fuzzy
-#| msgid ""
-#| "Harald Welte wrote the ULOG target, TTL, DSCP, ECN matches and targets."
-msgid ""
-"Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, as well as "
-"the TTL, DSCP, ECN matches and targets."
-msgstr ""
-"Harald Welte が ULOG ターゲットと、 TTL, DSCP, ECN のマッチ・ターゲットを書い"
-"た。"
-
-#. .. and did I mention that we are incredibly cool people?
-#. .. sexy, too ..
-#. .. witty, charming, powerful ..
-#. .. and most of all, modest ..
-#. type: Plain text
-#: original/man8/iptables.8:2673
-#, fuzzy
-#| msgid "Man page written by Herve Eychenne E<lt>rv@wallfire.orgE<gt>."
-msgid ""
-"Man page originally written by Herve Eychenne E<lt>rv@wallfire.orgE<gt>."
-msgstr "man ページは Herve Eychenne E<lt>rv@wallfire.orgE<gt> が書いた。"
-
-#. type: Plain text
-#: original/man8/iptables.8:2675
-msgid "This manual page applies to iptables @PACKAGE_VERSION@."
-msgstr ""
-
#. type: TH
#: original/man8/iptables-apply.8:5
#, fuzzy, no-wrap
#. type: Plain text
#: original/man8/iptables-apply.8:23
msgid ""
-"When called as ip6tables-apply, the script will use ip6tables-save/-restore "
-"instead."
+"When called as B<ip6tables-apply>, the script will use ip6tables-save/-"
+"restore instead."
msgstr ""
#. type: TP
"ruleset."
msgstr ""
-#. type: TP
-#: original/man8/iptables-apply.8:28
-#, fuzzy, no-wrap
-#| msgid "B<-c>, B<--counters>"
-msgid "B<-h>, B<--help>"
-msgstr "B<-c>, B<--counters>"
-
#. type: Plain text
#: original/man8/iptables-apply.8:31
msgid "Display usage information."
msgid "B<iptables-save>(8), B<iptables-restore>(8), B<iptables>(8)"
msgstr "B<iptables-restore>(8), B<iptables>(8)"
+#, fuzzy
+#~| msgid "B<ip6tables-restore >[-c] [-n]"
+#~ msgid "B<ip6tables-restore> [B<-c>] [B<-n>]"
+#~ msgstr "B<ip6tables-restore >[-c] [-n]"
+
+#, fuzzy
+#~| msgid ""
+#~| "ip6tables can use extended packet matching modules. These are loaded in "
+#~| "two ways: implicitly, when B<-p> or B<--protocol> is specified, or with "
+#~| "the B<-m> or B<--match> options, followed by the matching module name; "
+#~| "after these, various extra command line options become available, "
+#~| "depending on the specific module. You can specify multiple extended "
+#~| "match modules in one line, and you can use the B<-h> or B<--help> "
+#~| "options after the module has been specified to receive help specific to "
+#~| "that module."
+#~ msgid ""
+#~ "ip6tables can use extended packet matching modules with the B<-m> or B<--"
+#~ "match> options, followed by the matching module name; after these, "
+#~ "various extra command line options become available, depending on the "
+#~ "specific module. You can specify multiple extended match modules in one "
+#~ "line, and you can use the B<-h> or B<--help> options after the module has "
+#~ "been specified to receive help specific to that module."
+#~ msgstr ""
+#~ "ip6tables は拡張されたパケットマッチングモジュールを使うことができる。 こ"
+#~ "れらのモジュールは 2 種類の方法でロードされる: モジュールは、 B<-p> また"
+#~ "は B<--protocol> で暗黙のうちに指定されるか、 B<-m> または B<--match> の後"
+#~ "にモジュール名を続けて指定される。 これらのモジュールの後ろには、モジュー"
+#~ "ルに応じて 他のいろいろなコマンドラインオプションを指定することができる。 "
+#~ "複数の拡張マッチングモジュールを 1 行で指定することができる。 また、モ"
+#~ "ジュールに特有のヘルプを表示させるためには、 モジュールを指定した後で B<-"
+#~ "h> または B<--help> を指定すればよい。"
+
+#~ msgid "ah"
+#~ msgstr "ah"
+
+#, fuzzy
+#~| msgid "icmp"
+#~ msgid "icmp6"
+#~ msgstr "icmp"
+
+#, fuzzy
+#~| msgid ""
+#~| "Where state is a comma separated list of the connection states to "
+#~| "match. Possible states are B<INVALID> meaning that the packet could not "
+#~| "be identified for some reason which includes running out of memory and "
+#~| "ICMP errors which don't correspond to any known connection, "
+#~| "B<ESTABLISHED> meaning that the packet is associated with a connection "
+#~| "which has seen packets in both directions, B<NEW> meaning that the "
+#~| "packet has started a new connection, or otherwise associated with a "
+#~| "connection which has not seen packets in both directions, and B<RELATED> "
+#~| "meaning that the packet is starting a new connection, but is associated "
+#~| "with an existing connection, such as an FTP data transfer, or an ICMP "
+#~| "error."
+#~ msgid ""
+#~ "Where state is a comma separated list of the connection states to match. "
+#~ "Possible states are B<INVALID> meaning that the packet could not be "
+#~ "identified for some reason which includes running out of memory and ICMP "
+#~ "errors which don't correspond to any known connection, B<ESTABLISHED> "
+#~ "meaning that the packet is associated with a connection which has seen "
+#~ "packets in both directions, B<NEW> meaning that the packet has started a "
+#~ "new connection, or otherwise associated with a connection which has not "
+#~ "seen packets in both directions, and B<RELATED> meaning that the packet "
+#~ "is starting a new connection, but is associated with an existing "
+#~ "connection, such as an FTP data transfer, or an ICMP error. B<UNTRACKED> "
+#~ "meaning that the packet is not tracked at all, which happens if you use "
+#~ "the NOTRACK target in raw table."
+#~ msgstr ""
+#~ "state は、マッチングを行うための、コンマで区切られた接続状態のリストであ"
+#~ "る。 指定可能な state は以下の通り。 B<INVALID>: このパケットは既知の接続"
+#~ "と関係していない。 B<ESTABLISHED>: このパケットは、過去双方向にパケットが"
+#~ "やり取りされた接続に属するパケットである。 B<NEW>: このパケットが新しい接"
+#~ "続を開始したか、 双方向にはパケットがやり取りされていない接続に属するパ"
+#~ "ケットである。 B<RELATED>: このパケットが新しい接続を開始しているが、 FTP "
+#~ "データ転送や ICMP エラーのように、既存の接続に関係している。"
+
+#~ msgid ""
+#~ "ip6tables can use extended target modules: the following are included in "
+#~ "the standard distribution."
+#~ msgstr ""
+#~ "iptables は拡張ターゲットモジュールを使うことができる: 以下のものが、標準"
+#~ "的なディストリビューションに含まれている。"
+
+#~ msgid "LOG"
+#~ msgstr "LOG"
+
+#~ msgid "Level of logging (numeric or see I<syslog.conf>(5))."
+#~ msgstr ""
+#~ "ログ記録のレベル (数値て指定するか、(名前で指定する場合は)\n"
+#~ "I<syslog.conf>(5) を参照すること)。"
+
+#~ msgid "REJECT"
+#~ msgstr "REJECT"
+
+#~ msgid "icmp"
+#~ msgstr "icmp"
+
+#~ msgid "ttl"
+#~ msgstr "ttl"
+
+#~ msgid "unclean"
+#~ msgstr "unclean"
+
+#~ msgid "DNAT"
+#~ msgstr "DNAT"
+
+#~ msgid "ECN"
+#~ msgstr "ECN"
+
+#~ msgid "MASQUERADE"
+#~ msgstr "MASQUERADE"
+
+#~ msgid "MIRROR"
+#~ msgstr "MIRROR"
+
+#~ msgid "REDIRECT"
+#~ msgstr "REDIRECT"
+
+#~ msgid "SNAT"
+#~ msgstr "SNAT"
+
+#~ msgid "ULOG"
+#~ msgstr "ULOG"
+
#~ msgid "Mar 09, 2002"
#~ msgstr "Mar 09, 2002"
#~ msgid "B<-t, --table >I<table>"
#~ msgstr "B<-t, --table >I<table>"
-#~ msgid "B<-I, --insert>"
-#~ msgstr "B<-I, --insert>"
-
#~ msgid ""
#~ "List all rules in the selected chain. If no chain is selected, all "
#~ "chains are listed. As every other iptables command, it applies to the "
#~ msgstr ""
#~ "引き数は、マッチを行う標準的な名前でも数値でもよい (名前のリストを見るには"
-#~ msgid " iptables -m tos -h\n"
-#~ msgstr " iptables -m tos -h\n"
-
#~ msgid "to see the list), or a numeric value to match."
#~ msgstr "を使うこと)。"
OSDN Git Service
