@ iptables top directory
grep -r @PACKAGE_VERSION@ original/
-sed -i -e 's/@PACKAGE_VERSION@/1.4.18/' original/man8/iptables.8
-sed -i -e 's/@PACKAGE_VERSION@/1.4.18/' original/man8/ip6tables.8
+sed -i -e 's/@PACKAGE_AND_VERSION@/1.4.21/' original/man8/iptables.8
+patch -p3 < patch.original
git add -u
git add original
-.TH IPTABLES-XML 8 "Jul 16, 2007" "" ""
+.TH IPTABLES-XML 1 "" "iptables 1.4.21" "iptables 1.4.21"
.\"
.\" Man page written by Sam Liddicott <azez@ufomechanic.net>
.\" It is based on the iptables-save man page.
-.TH IP6TABLES-RESTORE 8 "Jan 30, 2002" "" ""
-.\"
-.\" Man page written by Harald Welte <laforge@gnumonks.org>
-.\" It is based on the iptables man page.
-.\"
-.\" This program is free software; you can redistribute it and/or modify
-.\" it under the terms of the GNU General Public License as published by
-.\" the Free Software Foundation; either version 2 of the License, or
-.\" (at your option) any later version.
-.\"
-.\" This program is distributed in the hope that it will be useful,
-.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
-.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-.\" GNU General Public License for more details.
-.\"
-.\" You should have received a copy of the GNU General Public License
-.\" along with this program; if not, write to the Free Software
-.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-.\"
-.\"
-.SH NAME
-ip6tables-restore \(em Restore IPv6 Tables
-.SH SYNOPSIS
-\fBip6tables\-restore\fP [\fB\-chntv\fP] [\fB\-M\fP \fImodprobe\fP]
-[\fB\-T\fP \fIname\fP]
-.SH DESCRIPTION
-.PP
-.B ip6tables-restore
-is used to restore IPv6 Tables from data specified on STDIN. Use
-I/O redirection provided by your shell to read from a file
-.TP
-\fB\-c\fR, \fB\-\-counters\fR
-restore the values of all packet and byte counters
-.TP
-\fB\-h\fP, \fB\-\-help\fP
-Print a short option summary.
-.TP
-\fB\-n\fR, \fB\-\-noflush\fR
-don't flush the previous contents of the table. If not specified,
-\fBip6tables-restore\fP flushes (deletes) all previous contents of the
-respective table.
-.TP
-\fB\-t\fP, \fB\-\-test\fP
-Only parse and construct the ruleset, but do not commit it.
-.TP
-\fB\-v\fP, \fB\-\-verbose\fP
-Print additional debug info during ruleset processing.
-.TP
-\fB\-M\fP, \fB\-\-modprobe\fP \fImodprobe_program\fP
-Specify the path to the modprobe program. By default, ip6tables-restore will
-inspect /proc/sys/kernel/modprobe to determine the executable's path.
-.TP
-\fB\-T\fP, \fB\-\-table\fP \fIname\fP
-Restore only the named table even if the input stream contains other ones.
-.B ip6tables-restore
-flushes (deletes) all previous contents of the respective IPv6 Table.
-.SH BUGS
-None known as of iptables-1.2.1 release
-.SH AUTHORS
-Harald Welte <laforge@gnumonks.org>
-.br
-Andras Kis-Szabo <kisza@sch.bme.hu>
-.SH SEE ALSO
-\fBip6tables\-save\fP(8), \fBip6tables\fP(8)
-.PP
-The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
-which details NAT, and the netfilter-hacking-HOWTO which details the
-internals.
+.so man8/iptables-restore.8
-.TH IP6TABLES-SAVE 8 "Jan 30, 2002" "" ""
-.\"
-.\" Man page written by Harald Welte <laforge@gnumonks.org>
-.\" It is based on the iptables man page.
-.\"
-.\" This program is free software; you can redistribute it and/or modify
-.\" it under the terms of the GNU General Public License as published by
-.\" the Free Software Foundation; either version 2 of the License, or
-.\" (at your option) any later version.
-.\"
-.\" This program is distributed in the hope that it will be useful,
-.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
-.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-.\" GNU General Public License for more details.
-.\"
-.\" You should have received a copy of the GNU General Public License
-.\" along with this program; if not, write to the Free Software
-.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-.\"
-.\"
-.SH NAME
-ip6tables-save \(em dump iptables rules to stdout
-.SH SYNOPSIS
-\fBip6tables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
-[\fB\-t\fP \fItable\fP
-.SH DESCRIPTION
-.PP
-.B ip6tables-save
-is used to dump the contents of an IPv6 Table in easily parseable format
-to STDOUT. Use I/O-redirection provided by your shell to write to a file.
-.TP
-\fB\-M\fP \fImodprobe_program\fP
-Specify the path to the modprobe program. By default, iptables-save will
-inspect /proc/sys/kernel/modprobe to determine the executable's path.
-.TP
-\fB\-c\fR, \fB\-\-counters\fR
-include the current values of all packet and byte counters in the output
-.TP
-\fB\-t\fR, \fB\-\-table\fR \fItablename\fP
-restrict output to only one table. If not specified, output includes all
-available tables.
-.SH BUGS
-None known as of iptables-1.2.1 release
-.SH AUTHORS
-Harald Welte <laforge@gnumonks.org>
-.br
-Andras Kis-Szabo <kisza@sch.bme.hu>
-.SH SEE ALSO
-\fBip6tables\-restore\fP(8), \fBip6tables\fP(8)
-.PP
-The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
-which details NAT, and the netfilter-hacking-HOWTO which details the
-internals.
+.so man8/iptables-save.8
-.TH IP6TABLES 8 "" "iptables 1.4.18" "iptables 1.4.18"
-.\"
-.\" Man page written by Andras Kis-Szabo <kisza@sch.bme.hu>
-.\" It is based on iptables man page.
-.\"
-.\" iptables page by Herve Eychenne <rv@wallfire.org>
-.\" It is based on ipchains man page.
-.\"
-.\" ipchains page by Paul ``Rusty'' Russell March 1997
-.\" Based on the original ipfwadm man page by Jos Vos <jos@xos.nl>
-.\"
-.\" This program is free software; you can redistribute it and/or modify
-.\" it under the terms of the GNU General Public License as published by
-.\" the Free Software Foundation; either version 2 of the License, or
-.\" (at your option) any later version.
-.\"
-.\" This program is distributed in the hope that it will be useful,
-.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
-.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-.\" GNU General Public License for more details.
-.\"
-.\" You should have received a copy of the GNU General Public License
-.\" along with this program; if not, write to the Free Software
-.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-.\"
-.\"
-.SH NAME
-ip6tables \(em IPv6 packet filter administration
-.SH SYNOPSIS
-\fBip6tables\fP [\fB\-t\fP \fItable\fP] {\fB\-A\fP|\fB\-C\fP|\fB\-D\fP}
-\fIchain rule-specification\fP [\fIoptions...\fP]
-.PP
-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-I\fP \fIchain\fP [\fIrulenum\fP]
-\fIrule-specification\fP [\fIoptions...\fP]
-.PP
-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-R\fP \fIchain rulenum
-rule-specification\fP [\fIoptions...\fP]
-.PP
-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-D\fP \fIchain rulenum\fP
-[\fIoptions...\fP]
-.PP
-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-S\fP [\fIchain\fP [\fIrulenum\fP]]
-.PP
-\fBip6tables\fP [\fB\-t\fP \fItable\fP] {\fB\-F\fP|\fB\-L\fP|\fB\-Z\fP}
-[\fIchain\fP [\fIrulenum\fP]] [\fIoptions...\fP]
-.PP
-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-N\fP \fIchain\fP
-.PP
-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-X\fP [\fIchain\fP]
-.PP
-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-P\fP \fIchain target\fP
-[\fIoptions...\fP]
-.PP
-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-E\fP \fIold-chain-name new-chain-name\fP
-.SH DESCRIPTION
-\fBIp6tables\fP is used to set up, maintain, and inspect the
-tables of IPv6 packet
-filter rules in the Linux kernel. Several different tables
-may be defined. Each table contains a number of built-in
-chains and may also contain user-defined chains.
-.PP
-Each chain is a list of rules which can match a set of packets. Each
-rule specifies what to do with a packet that matches. This is called
-a `target', which may be a jump to a user-defined chain in the same
-table.
-.SH TARGETS
-A firewall rule specifies criteria for a packet and a target. If the
-packet does not match, the next rule in the chain is the examined; if
-it does match, then the next rule is specified by the value of the
-target, which can be the name of a user-defined chain or one of the
-special values \fBACCEPT\fP, \fBDROP\fP, \fBQUEUE\fP or \fBRETURN\fP.
-.PP
-\fBACCEPT\fP means to let the packet through.
-\fBDROP\fP means to drop the packet on the floor.
-\fBQUEUE\fP means to pass the packet to userspace.
-(How the packet can be received
-by a userspace process differs by the particular queue handler. 2.4.x
-and 2.6.x kernels up to 2.6.13 include the \fBip_queue\fP
-queue handler. Kernels 2.6.14 and later additionally include the
-\fBnfnetlink_queue\fP queue handler. Packets with a target of QUEUE will be
-sent to queue number '0' in this case. Please also see the \fBNFQUEUE\fP
-target as described later in this man page.)
-\fBRETURN\fP means stop traversing this chain and resume at the next
-rule in the
-previous (calling) chain. If the end of a built-in chain is reached
-or a rule in a built-in chain with target \fBRETURN\fP
-is matched, the target specified by the chain policy determines the
-fate of the packet.
-.SH TABLES
-There are currently five independent tables (which tables are present
-at any time depends on the kernel configuration options and which
-modules are present).
-.TP
-\fB\-t\fP, \fB\-\-table\fP \fItable\fP
-This option specifies the packet matching table which the command
-should operate on. If the kernel is configured with automatic module
-loading, an attempt will be made to load the appropriate module for
-that table if it is not already there.
-
-The tables are as follows:
-.RS
-.TP .4i
-\fBfilter\fP:
-This is the default table (if no \-t option is passed). It contains
-the built-in chains \fBINPUT\fP (for packets destined to local sockets),
-\fBFORWARD\fP (for packets being routed through the box), and
-\fBOUTPUT\fP (for locally-generated packets).
-.TP
-\fBnat\fP:
-This table is consulted when a packet that creates a new
-connection is encountered. It consists of three built-ins: \fBPREROUTING\fP
-(for altering packets as soon as they come in), \fBOUTPUT\fP
-(for altering locally-generated packets before routing), and \fBPOSTROUTING\fP
-(for altering packets as they are about to go out). Available since kernel 3.7.
-.TP
-\fBmangle\fP:
-This table is used for specialized packet alteration. Until kernel
-2.4.17 it had two built-in chains: \fBPREROUTING\fP
-(for altering incoming packets before routing) and \fBOUTPUT\fP
-(for altering locally-generated packets before routing).
-Since kernel 2.4.18, three other built-in chains are also supported:
-\fBINPUT\fP (for packets coming into the box itself), \fBFORWARD\fP
-(for altering packets being routed through the box), and \fBPOSTROUTING\fP
-(for altering packets as they are about to go out).
-.TP
-\fBraw\fP:
-This table is used mainly for configuring exemptions from connection
-tracking in combination with the NOTRACK target. It registers at the netfilter
-hooks with higher priority and is thus called before ip_conntrack, or any other
-IP tables. It provides the following built-in chains: \fBPREROUTING\fP
-(for packets arriving via any network interface) \fBOUTPUT\fP
-(for packets generated by local processes)
-.TP
-\fBsecurity\fP:
-This table is used for Mandatory Access Control (MAC) networking rules, such
-as those enabled by the \fBSECMARK\fP and \fBCONNSECMARK\fP targets.
-Mandatory Access Control is implemented by Linux Security Modules such as
-SELinux. The security table is called after the filter table, allowing any
-Discretionary Access Control (DAC) rules in the filter table to take effect
-before MAC rules. This table provides the following built-in chains:
-\fBINPUT\fP (for packets coming into the box itself),
-\fBOUTPUT\fP (for altering locally-generated packets before routing), and
-\fBFORWARD\fP (for altering packets being routed through the box).
-.RE
-.SH OPTIONS
-The options that are recognized by
-\fBip6tables\fP can be divided into several different groups.
-.SS COMMANDS
-These options specify the specific action to perform. Only one of them
-can be specified on the command line unless otherwise specified
-below. For all the long versions of the command and option names, you
-need to use only enough letters to ensure that
-\fBip6tables\fP can differentiate it from all other options.
-.TP
-\fB\-A\fP, \fB\-\-append\fP \fIchain rule-specification\fP
-Append one or more rules to the end of the selected chain.
-When the source and/or destination names resolve to more than one
-address, a rule will be added for each possible address combination.
-.TP
-\fB\-C\fP, \fB\-\-check\fP \fIchain rule-specification\fP
-Check whether a rule matching the specification does exist in the
-selected chain. This command uses the same logic as \fB\-D\fP to
-find a matching entry, but does not alter the existing iptables
-configuration and uses its exit code to indicate success or failure.
-.TP
-\fB\-D\fP, \fB\-\-delete\fP \fIchain rule-specification\fP
-.ns
-.TP
-\fB\-D\fP, \fB\-\-delete\fP \fIchain rulenum\fP
-Delete one or more rules from the selected chain. There are two
-versions of this command: the rule can be specified as a number in the
-chain (starting at 1 for the first rule) or a rule to match.
-.TP
-\fB\-I\fP, \fB\-\-insert\fP \fIchain\fP [\fIrulenum\fP] \fIrule-specification\fP
-Insert one or more rules in the selected chain as the given rule
-number. So, if the rule number is 1, the rule or rules are inserted
-at the head of the chain. This is also the default if no rule number
-is specified.
-.TP
-\fB\-R\fP, \fB\-\-replace\fP \fIchain rulenum rule-specification\fP
-Replace a rule in the selected chain. If the source and/or
-destination names resolve to multiple addresses, the command will
-fail. Rules are numbered starting at 1.
-.TP
-\fB\-L\fP, \fB\-\-list\fP [\fIchain\fP]
-List all rules in the selected chain. If no chain is selected, all
-chains are listed. Like every other ip6tables command, it applies to the
-specified table (filter is the default).
-.IP ""
-Please note that it is often used with the \fB\-n\fP
-option, in order to avoid long reverse DNS lookups.
-It is legal to specify the \fB\-Z\fP
-(zero) option as well, in which case the chain(s) will be atomically
-listed and zeroed. The exact output is affected by the other
-arguments given. The exact rules are suppressed until you use
-.nf
- ip6tables \-L \-v
-.fi
-.TP
-\fB\-S\fP, \fB\-\-list\-rules\fP [\fIchain\fP]
-Print all rules in the selected chain. If no chain is selected, all
-chains are printed like ip6tables-save. Like every other ip6tables command,
-it applies to the specified table (filter is the default).
-.TP
-\fB\-F\fP, \fB\-\-flush\fP [\fIchain\fP]
-Flush the selected chain (all the chains in the table if none is given).
-This is equivalent to deleting all the rules one by one.
-.TP
-\fB\-Z\fP, \fB\-\-zero\fP [\fIchain\fP [\fIrulenum\fP]]
-Zero the packet and byte counters in all chains, or only the given chain,
-or only the given rule in a chain. It is legal to
-specify the
-\fB\-L\fP, \fB\-\-list\fP
-(list) option as well, to see the counters immediately before they are
-cleared. (See above.)
-.TP
-\fB\-N\fP, \fB\-\-new\-chain\fP \fIchain\fP
-Create a new user-defined chain by the given name. There must be no
-target of that name already.
-.TP
-\fB\-X\fP, \fB\-\-delete\-chain\fP [\fIchain\fP]
-Delete the optional user-defined chain specified. There must be no references
-to the chain. If there are, you must delete or replace the referring rules
-before the chain can be deleted. The chain must be empty, i.e. not contain
-any rules. If no argument is given, it will attempt to delete every
-non-builtin chain in the table.
-.TP
-\fB\-P\fP, \fB\-\-policy\fP \fIchain target\fP
-Set the policy for the chain to the given target. See the section \fBTARGETS\fP
-for the legal targets. Only built-in (non-user-defined) chains can have
-policies, and neither built-in nor user-defined chains can be policy
-targets.
-.TP
-\fB\-E\fP, \fB\-\-rename\-chain\fP \fIold\-chain new\-chain\fP
-Rename the user specified chain to the user supplied name. This is
-cosmetic, and has no effect on the structure of the table.
-.TP
-\fB\-A\fP, \fB\-\-append\fP \fIchain rule-specification\fP
-Append one or more rules to the end of the selected chain.
-When the source and/or destination names resolve to more than one
-address, a rule will be added for each possible address combination.
-.TP
-\fB\-h\fP
-Help.
-Give a (currently very brief) description of the command syntax.
-.SS PARAMETERS
-The following parameters make up a rule specification (as used in the
-add, delete, insert, replace and append commands).
-.TP
-\fB\-4\fP, \fB\-\-ipv4\fP
-If a rule using the \fB\-4\fP option is inserted with (and only with)
-ip6tables-restore, it will be silently ignored. Any other uses will throw an
-error. This option allows to put both IPv4 and IPv6 rules in a single rule file
-for use with both iptables-restore and ip6tables-restore.
-.TP
-\fB\-6\fP, \fB\-\-ipv6\fP
-This option has no effect in ip6tables and ip6tables-restore.
-.TP
-[\fB!\fP] \fB\-p\fP, \fB\-\-protocol\fP \fIprotocol\fP
-The protocol of the rule or of the packet to check.
-The specified protocol can be one of \fBtcp\fP, \fBudp\fP, \fBudplite\fP,
-\fBicmpv6\fP, \fBesp\fP, \fBmh\fP or the special keyword "\fBall\fP",
-or it can be a numeric value, representing one of these protocols or a
-different one. A protocol name from /etc/protocols is also allowed.
-But IPv6 extension headers except \fBesp\fP are not allowed.
-\fBesp\fP and \fBipv6\-nonext\fP
-can be used with Kernel version 2.6.11 or later.
-A "!" argument before the protocol inverts the
-test. The number zero is equivalent to \fBall\fP, which means that you cannot
-test the protocol field for the value 0 directly. To match on a HBH header,
-even if it were the last, you cannot use \fB\-p 0\fP, but always need
-\fB\-m hbh\fP.
-"\fBall\fP"
-will match with all protocols and is taken as default when this
-option is omitted.
-.TP
-[\fB!\fP] \fB\-s\fP, \fB\-\-source\fP \fIaddress\fP[\fB/\fP\fImask\fP]
-Source specification.
-\fIAddress\fP can be either be a hostname,
-a network IP address (with \fB/\fP\fImask\fP), or a plain IP address.
-Names will be resolved once only, before the rule is submitted to the kernel.
-Please note that specifying any name to be resolved with a remote query such as
-DNS is a really bad idea.
-(Resolving network names is not supported at this time.)
-The \fImask\fP is a plain number,
-specifying the number of 1's at the left side of the network mask.
-A "!" argument before the address specification inverts the sense of
-the address. The flag \fB\-\-src\fP
-is an alias for this option.
-Multiple addresses can be specified, but this will \fBexpand to multiple
-rules\fP (when adding with \-A), or will cause multiple rules to be
-deleted (with \-D).
-.TP
-[\fB!\fP] \fB\-d\fP, \fB\-\-destination\fP \fIaddress\fP[\fB/\fP\fImask\fP]
-Destination specification.
-See the description of the \fB\-s\fP
-(source) flag for a detailed description of the syntax. The flag
-\fB\-\-dst\fP is an alias for this option.
-.TP
-\fB\-m\fP, \fB\-\-match\fP \fImatch\fP
-Specifies a match to use, that is, an extension module that tests for a
-specific property. The set of matches make up the condition under which a
-target is invoked. Matches are evaluated first to last as specified on the
-command line and work in short-circuit fashion, i.e. if one extension yields
-false, evaluation will stop.
-.TP
-\fB\-j\fP, \fB\-\-jump\fP \fItarget\fP
-This specifies the target of the rule; i.e., what to do if the packet
-matches it. The target can be a user-defined chain (other than the
-one this rule is in), one of the special builtin targets which decide
-the fate of the packet immediately, or an extension (see \fBEXTENSIONS\fP
-below). If this
-option is omitted in a rule (and \fB\-g\fP
-is not used), then matching the rule will have no
-effect on the packet's fate, but the counters on the rule will be
-incremented.
-.TP
-\fB\-g\fP, \fB\-\-goto\fP \fIchain\fP
-This specifies that the processing should continue in a user
-specified chain. Unlike the \-\-jump option return will not continue
-processing in this chain but instead in the chain that called us via
-\-\-jump.
-.TP
-[\fB!\fP] \fB\-i\fP, \fB\-\-in\-interface\fP \fIname\fP
-Name of an interface via which a packet was received (only for
-packets entering the \fBINPUT\fP, \fBFORWARD\fP and \fBPREROUTING\fP
-chains). When the "!" argument is used before the interface name, the
-sense is inverted. If the interface name ends in a "+", then any
-interface which begins with this name will match. If this option is
-omitted, any interface name will match.
-.TP
-[\fB!\fP] \fB\-o\fP, \fB\-\-out\-interface\fP \fIname\fP
-Name of an interface via which a packet is going to be sent (for packets
-entering the \fBFORWARD\fP, \fBOUTPUT\fP and \fBPOSTROUTING\fP
-chains). When the "!" argument is used before the interface name, the
-sense is inverted. If the interface name ends in a "+", then any
-interface which begins with this name will match. If this option is
-omitted, any interface name will match.
-.\" Currently not supported (header-based)
-.\" .TP
-.\" [\fB!\fP] \fB\-f\fP, \fB\-\-fragment\fP
-.\" This means that the rule only refers to second and further fragments
-.\" of fragmented packets. Since there is no way to tell the source or
-.\" destination ports of such a packet (or ICMP type), such a packet will
-.\" not match any rules which specify them. When the "!" argument
-.\" precedes the "\-f" flag, the rule will only match head fragments, or
-.\" unfragmented packets.
-.TP
-\fB\-c\fP, \fB\-\-set\-counters\fP \fIpackets bytes\fP
-This enables the administrator to initialize the packet and byte
-counters of a rule (during \fBINSERT\fP, \fBAPPEND\fP, \fBREPLACE\fP
-operations).
-.SS "OTHER OPTIONS"
-The following additional options can be specified:
-.TP
-\fB\-v\fP, \fB\-\-verbose\fP
-Verbose output. This option makes the list command show the interface
-name, the rule options (if any), and the TOS masks. The packet and
-byte counters are also listed, with the suffix 'K', 'M' or 'G' for
-1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see
-the \fB\-x\fP flag to change this).
-For appending, insertion, deletion and replacement, this causes
-detailed information on the rule or rules to be printed. \fB\-v\fP may be
-specified multiple times to possibly emit more detailed debug statements.
-.TP
-\fB\-n\fP, \fB\-\-numeric\fP
-Numeric output.
-IP addresses and port numbers will be printed in numeric format.
-By default, the program will try to display them as host names,
-network names, or services (whenever applicable).
-.TP
-\fB\-x\fP, \fB\-\-exact\fP
-Expand numbers.
-Display the exact value of the packet and byte counters,
-instead of only the rounded number in K's (multiples of 1000)
-M's (multiples of 1000K) or G's (multiples of 1000M). This option is
-only relevant for the \fB\-L\fP command.
-.TP
-\fB\-\-line\-numbers\fP
-When listing rules, add line numbers to the beginning of each rule,
-corresponding to that rule's position in the chain.
-.TP
-\fB\-\-modprobe=\fP\fIcommand\fP
-When adding or inserting rules into a chain, use \fIcommand\fP
-to load any necessary modules (targets, match extensions, etc).
-.SH MATCH EXTENSIONS
-.PP
-iptables can use extended packet matching and target modules.
-A list of these is available in the \fBiptables\-extensions\fP(8) manpage.
-.SH DIAGNOSTICS
-Various error messages are printed to standard error. The exit code
-is 0 for correct functioning. Errors which appear to be caused by
-invalid or abused command line parameters cause an exit code of 2, and
-other errors cause an exit code of 1.
-.SH BUGS
-Bugs? What's this? ;-)
-Well... the counters are not reliable on sparc64.
-.SH COMPATIBILITY WITH IPCHAINS
-This \fBip6tables\fP
-is very similar to ipchains by Rusty Russell. The main difference is
-that the chains \fBINPUT\fP and \fBOUTPUT\fP
-are only traversed for packets coming into the local host and
-originating from the local host respectively. Hence every packet only
-passes through one of the three chains (except loopback traffic, which
-involves both INPUT and OUTPUT chains); previously a forwarded packet
-would pass through all three.
-.PP
-The other main difference is that \fB\-i\fP refers to the input interface;
-\fB\-o\fP refers to the output interface, and both are available for packets
-entering the \fBFORWARD\fP chain.
-There are several other changes in ip6tables.
-.SH SEE ALSO
-\fBip6tables\-save\fP(8),
-\fBip6tables\-restore\fP(8),
-\fBiptables\fP(8),
-\fBiptables\-apply\fP(8),
-\fBiptables\-extensions\fP(8),
-\fBiptables\-save\fP(8),
-\fBiptables\-restore\fP(8),
-\fBlibipq\fP(3).
-.PP
-The packet-filtering-HOWTO details iptables usage for
-packet filtering,
-the netfilter-extensions-HOWTO details the extensions that are
-not in the standard distribution,
-and the netfilter-hacking-HOWTO details the netfilter internals.
-.br
-See
-.BR "http://www.netfilter.org/" .
-.SH AUTHORS
-Rusty Russell wrote iptables, in early consultation with Michael
-Neuling.
-.PP
-Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet
-selection framework in iptables, then wrote the mangle table, the owner match,
-the mark stuff, and ran around doing cool stuff everywhere.
-.PP
-James Morris wrote the TOS target, and tos match.
-.PP
-Jozsef Kadlecsik wrote the REJECT target.
-.PP
-Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, as well as TTL match+target and libipulog.
-.PP
-The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Yasuyuki Kozakai,
-Jozsef Kadlecsik, Patrick McHardy, James Morris, Pablo Neira Ayuso,
-Harald Welte and Rusty Russell.
-.PP
-ip6tables man page created by Andras Kis-Szabo, based on
-iptables man page written by Herve Eychenne <rv@wallfire.org>.
-.\" .. and did I mention that we are incredibly cool people?
-.\" .. sexy, too ..
-.\" .. witty, charming, powerful ..
-.\" .. and most of all, modest ..
-.SH VERSION
-.PP
-This manual page applies to ip6tables 1.4.18.
+.so man8/iptables.8
.\" Author: Martin F. Krafft
.\" Date: Jun 04, 2006
.\"
-.TH iptables\-apply 8 2006-06-04
+.TH IPTABLES\-APPLY 8 "" "iptables 1.4.21" "iptables 1.4.21"
.\" disable hyphenation
.nh
.SH NAME
-.TH iptables-extensions 8 "" "iptables 1.4.18" "iptables 1.4.18"
+.TH iptables-extensions 8 "" "iptables 1.4.21" "iptables 1.4.21"
.SH NAME
iptables-extensions \(em list of extensions in the standard iptables distribution
.SH SYNOPSIS
This module matches the SPIs in Authentication header of IPsec packets.
.TP
[\fB!\fP] \fB\-\-ahspi\fP \fIspi\fP[\fB:\fP\fIspi\fP]
+.SS bpf
+Match using Linux Socket Filter. Expects a BPF program in decimal format. This
+is the format generated by the \fBnfbpf_compile\fP utility.
+.TP
+\fB\-\-bytecode\fP \fIcode\fP
+Pass the BPF byte code format (described in the example below).
+.PP
+The code format is similar to the output of the tcpdump -ddd command: one line
+that stores the number of instructions, followed by one line for each
+instruction. Instruction lines follow the pattern 'u16 u8 u8 u32' in decimal
+notation. Fields encode the operation, jump offset if true, jump offset if
+false and generic multiuse field 'K'. Comments are not supported.
+.PP
+For example, to read only packets matching 'ip proto 6', insert the following,
+without the comments or trailing whitespace:
+.IP
+4 # number of instructions
+.br
+48 0 0 9 # load byte ip->proto
+.br
+21 0 1 6 # jump equal IPPROTO_TCP
+.br
+6 0 0 1 # return pass (non-zero)
+.br
+6 0 0 0 # return fail (zero)
+.PP
+You can pass this filter to the bpf match with the following command:
+.IP
+iptables \-A OUTPUT \-m bpf \-\-bytecode '4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0' \-j ACCEPT
+.PP
+Or instead, you can invoke the nfbpf_compile utility.
+.IP
+iptables \-A OUTPUT \-m bpf \-\-bytecode "`nfbpf_compile RAW 'ip proto 6'`" \-j ACCEPT
+.PP
+You may want to learn more about BPF from FreeBSD's bpf(4) manpage.
.SS cluster
Allows you to deploy gateway and back-end load-sharing clusters without the
need of load-balancers.
\-\-destination\-mac 01:00:5e:00:01:02
\-j mangle \-\-mangle\-mac\-d 00:zz:yy:xx:5a:27
.PP
+\fBNOTE\fP: the arptables commands above use mainstream syntax. If you
+are using arptables-jf included in some RedHat, CentOS and Fedora
+versions, you will hit syntax errors. Therefore, you'll have to adapt
+these to the arptables-jf syntax to get them working.
+.PP
In the case of TCP connections, pickup facility has to be disabled
to avoid marking TCP ACK packets coming in the reply direction as
valid.
The packet is associated with no known connection.
.TP
\fBNEW\fP
-The packet has started a new connection, or otherwise associated
+The packet has started a new connection or otherwise associated
with a connection which has not seen packets in both directions.
.TP
\fBESTABLISHED\fP
.TP
\fBRELATED\fP
The packet is starting a new connection, but is associated with an
-existing connection, such as an FTP data transfer, or an ICMP error.
+existing connection, such as an FTP data transfer or an ICMP error.
.TP
\fBUNTRACKED\fP
The packet is not tracked at all, which happens if you explicitly untrack it
matching on subnet
"10000 packets per minute for every /28 subnet (groups of 8 addresses)
in 10.0.0.0/8" =>
-\-s 10.0.0.8 \-\-hashlimit\-mask 28 \-\-hashlimit\-upto 10000/min
+\-s 10.0.0.0/8 \-\-hashlimit\-mask 28 \-\-hashlimit\-upto 10000/min
.TP
matching bytes per second
"flows exceeding 512kbyte/s" =>
.IR type
or one of the MH type names shown by the command
.nf
- ip6tables \-p ipv6\-mh \-h
+ ip6tables \-p mh \-h
.fi
.SS multiport
This module matches a set of source or destination ports. Up to 15
ports can be specified. A port range (port:port) counts as two
-ports. It can only be used in conjunction with
-\fB\-p tcp\fP
-or
-\fB\-p udp\fP.
+ports. It can only be used in conjunction with one of the
+following protocols:
+\fBtcp\fP, \fBudp\fP, \fBudplite\fP, \fBdccp\fP and \fBsctp\fP.
.TP
[\fB!\fP] \fB\-\-source\-ports\fP,\fB\-\-sports\fP \fIport\fP[\fB,\fP\fIport\fP|\fB,\fP\fIport\fP\fB:\fP\fIport\fP]...
Match if the source port is one of the given ports. The flag
\fB\-\-rdest\fP
Match/save the destination address of each packet in the recent list table.
.TP
-\fB\-\-mask\fPnetmask
+\fB\-\-mask\fP \fInetmask\fP
Netmask that will be applied to this recent list.
.TP
[\fB!\fP] \fB\-\-rcheck\fP
.IP
iptables \-A FORWARD \-p tcp \-i eth0 \-\-dport 139 \-m recent \-\-name badguy \-\-set \-j DROP
.PP
-Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/) also has
-some examples of usage.
-.PP
\fB/proc/net/xt_recent/*\fP are the current lists of addresses and information
about each entry of each list.
.PP
then the command will match packets for which the source address can be
found in the specified set.
.TP
-\fB\-\-return\-\-nomatch\fP
-If the \fB\-\-return\-\-nomatch\fP option is specified and the set type
+\fB\-\-return\-nomatch\fP
+If the \fB\-\-return\-nomatch\fP option is specified and the set type
supports the \fBnomatch\fP flag, then the matching is reversed: a match
with an element flagged with \fBnomatch\fP returns \fBtrue\fP, while a
match with a plain element returns \fBfalse\fP.
+.TP
+\fB!\fP \fB\-\-update\-counters\fP
+If the \fB\-\-update\-counters\fP flag is negated, then the packet and
+byte counters of the matching element in the set won't be updated. Default
+the packet and byte counters are updated.
+.TP
+\fB!\fP \fB\-\-update\-subcounters\fP
+If the \fB\-\-update\-subcounters\fP flag is negated, then the packet and
+byte counters of the matching element in the member set of a list type of
+set won't be updated. Default the packet and byte counters are updated.
+.TP
+[\fB!\fP] \fB\-\-packets\-eq\fP \fIvalue\fP
+If the packet is matched an element in the set, match only if the
+packet counter of the element matches the given value too.
+.TP
+\fB\-\-packets\-lt\fP \fIvalue\fP
+If the packet is matched an element in the set, match only if the
+packet counter of the element is less than the given value as well.
+.TP
+\fB\-\-packets\-gt\fP \fIvalue\fP
+If the packet is matched an element in the set, match only if the
+packet counter of the element is greater than the given value as well.
+.TP
+[\fB!\fP] \fB\-bytes\-eq\fP \fIvalue\fP
+If the packet is matched an element in the set, match only if the
+byte counter of the element matches the given value too.
+.TP
+\fB\-\-bytes\-lt\fP \fIvalue\fP
+If the packet is matched an element in the set, match only if the
+byte counter of the element is less than the given value as well.
+.TP
+\fB\-\-bytes\-gt\fP \fIvalue\fP
+If the packet is matched an element in the set, match only if the
+byte counter of the element is greater than the given value as well.
+.PP
+The packet and byte counters related options and flags are ignored
+when the set was defined without counter support.
.PP
The option \fB\-\-match\-set\fP can be replaced by \fB\-\-set\fP if that does
not clash with an option of other extensions.
Use of -m set requires that ipset kernel support is provided, which, for
standard kernels, is the case since Linux 2.6.39.
.SS socket
-This matches if an open socket can be found by doing a socket lookup on the
-packet.
+This matches if an open TCP/UDP socket can be found by doing a socket lookup on the
+packet. It matches if there is an established or non\-zero bound listening
+socket (possibly with a non\-local address). The lookup is performed using
+the \fBpacket\fP tuple of TCP/UDP packets, or the original TCP/UDP header
+\fBembedded\fP in an ICMP/ICPMv6 error packet.
.TP
\fB\-\-transparent\fP
Ignore non-transparent sockets.
+.TP
+\fB\-\-nowildcard\fP
+Do not ignore sockets bound to 'any' address.
+The socket match won't accept zero\-bound listeners by default, since
+then local services could intercept traffic that would otherwise be forwarded.
+This option therefore has security implications when used to match traffic being
+forwarded to redirect such packets to local machine with policy routing.
+When using the socket match to implement fully transparent
+proxies bound to non\-local addresses it is recommended to use the \-\-transparent
+option instead.
+.PP
+Example (assuming packets with mark 1 are delivered locally):
+.IP
+\-t mangle \-A PREROUTING \-m socket \-\-transparent \-j MARK \-\-set\-mark 1
.SS state
The "state" extension is a subset of the "conntrack" module.
"state" allows access to the connection tracking state for this packet.
.TP
[\fB!\fP] \fB\-\-hex\-string\fP \fIpattern\fP
Matches the given pattern in hex notation.
+.TP
+Examples:
+.IP
+# The string pattern can be used for simple text characters.
+.br
+iptables \-A INPUT \-p tcp \-\-dport 80 \-m string \-\-algo bm \-\-string 'GET /index.html' \-j LOG
+.IP
+# The hex string pattern can be used for non-printable characters, like |0D 0A| or |0D0A|.
+.br
+iptables \-p udp \-\-dport 53 \-m string \-\-algo bm \-\-from 40 \-\-to 57 \-\-hex\-string '|03|www|09|netfilter|03|org|00|'
.SS tcp
These extensions can be used if `\-\-protocol tcp' is specified. It
provides the following options:
Use the timeout policy identified by \fIname\fP for the connection. This is
provides more flexible timeout policy definition than global timeout values
available at /proc/sys/net/netfilter/nf_conntrack_*_timeout_*.
-.SS DNAT (IPv4-specific)
+.SS DNAT
This target is only valid in the
.B nat
table, in the
chains, and user-defined chains which are only called from those
chains. It specifies that the destination address of the packet
should be modified (and all future packets in this connection will
-also be mangled), and rules should cease being examined. It takes one
-type of option:
+also be mangled), and rules should cease being examined. It takes the
+following options:
.TP
\fB\-\-to\-destination\fP [\fIipaddr\fP[\fB\-\fP\fIipaddr\fP]][\fB:\fP\fIport\fP[\fB\-\fP\fIport\fP]]
which can specify a single new destination IP address, an inclusive
-range of IP addresses, and optionally, a port range (which is only
-valid if the rule also specifies
-\fB\-p tcp\fP
-or
-\fB\-p udp\fP).
+range of IP addresses. Optionally a port range,
+if the rule also specifies one of the following protocols:
+\fBtcp\fP, \fBudp\fP, \fBdccp\fP or \fBsctp\fP.
If no port range is specified, then the destination port will never be
modified. If no IP address is specified then only the destination port
will be modified.
-
In Kernels up to 2.6.10 you can add several \-\-to\-destination options. For
those kernels, if you specify more than one destination address, either via an
address range or multiple \-\-to\-destination options, a simple round-robin (one
Gives a client the same source-/destination-address for each connection.
This supersedes the SAME target. Support for persistent mappings is available
from 2.6.29-rc2.
+.TP
+IPv6 support available since Linux kernels >= 3.7.
+.SS DNPT (IPv6-specific)
+Provides stateless destination IPv6-to-IPv6 Network Prefix Translation (as
+described by RFC 6296).
+.PP
+You have to use this target in the
+.B mangle
+table, not in the
+.B nat
+table. It takes the following options:
+.TP
+\fB\-\-src\-pfx\fP [\fIprefix/\fP\fIlength]
+Set source prefix that you want to translate and length
+.TP
+\fB\-\-dst\-pfx\fP [\fIprefix/\fP\fIlength]
+Set destination prefix that you want to use in the translation and length
+.PP
+You have to use the SNPT target to undo the translation. Example:
+.IP
+ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 \! \-o vboxnet0
+\-j SNPT \-\-src-pfx fd00::/64 \-\-dst-pfx 2001:e20:2000:40f::/64
+.IP
+ip6tables \-t mangle \-I PREROUTING \-i wlan0 \-d 2001:e20:2000:40f::/64
+\-j DNPT \-\-src-pfx 2001:e20:2000:40f::/64 \-\-dst-pfx fd00::/64
+.PP
+You may need to enable IPv6 neighbor proxy:
+.IP
+sysctl -w net.ipv6.conf.all.proxy_ndp=1
+.PP
+You also have to use the
+.B NOTRACK
+target to disable connection tracking for translated flows.
.SS DSCP
This target allows to alter the value of the DSCP bits within the TOS
header of the IPv4 packet. As this manipulates a packet, it can only
.TP
Then attach the new trigger to an LED:
echo netfilter\-ssh >/sys/class/leds/\fIledname\fP/trigger
-.SS LOG (IPv6-specific)
+.SS LOG
Turn on kernel logging of matching packets. When this option is set
for a rule, the Linux kernel will print some information on all
-matching packets (like most IPv6 IPv6-header fields) via the kernel log
-(where it can be read with
-.I dmesg
-or
-.IR syslogd (8)).
-This is a "non-terminating target", i.e. rule traversal continues at
-the next rule. So if you want to LOG the packets you refuse, use two
-separate rules with the same matching criteria, first using target LOG
-then DROP (or REJECT).
-.TP
-\fB\-\-log\-level\fP \fIlevel\fP
-Level of logging, which can be (system-specific) numeric or a mnemonic.
-Possible values are (in decreasing order of priority): \fBemerg\fP,
-\fBalert\fP, \fBcrit\fP, \fBerror\fP, \fBwarning\fP, \fBnotice\fP, \fBinfo\fP
-or \fBdebug\fP.
-.TP
-\fB\-\-log\-prefix\fP \fIprefix\fP
-Prefix log messages with the specified prefix; up to 29 letters long,
-and useful for distinguishing messages in the logs.
-.TP
-\fB\-\-log\-tcp\-sequence\fP
-Log TCP sequence numbers. This is a security risk if the log is
-readable by users.
-.TP
-\fB\-\-log\-tcp\-options\fP
-Log options from the TCP packet header.
-.TP
-\fB\-\-log\-ip\-options\fP
-Log options from the IPv6 packet header.
-.TP
-\fB\-\-log\-uid\fP
-Log the userid of the process which generated the packet.
-.SS LOG (IPv4-specific)
-Turn on kernel logging of matching packets. When this option is set
-for a rule, the Linux kernel will print some information on all
-matching packets (like most IP header fields) via the kernel log
-(where it can be read with
-.I dmesg
-or
-.IR syslogd (8)).
+matching packets (like most IP/IPv6 header fields) via the kernel log
+(where it can be read with \fIdmesg(1)\fP or read in the syslog).
+.PP
This is a "non-terminating target", i.e. rule traversal continues at
the next rule. So if you want to LOG the packets you refuse, use two
separate rules with the same matching criteria, first using target LOG
Log options from the TCP packet header.
.TP
\fB\-\-log\-ip\-options\fP
-Log options from the IP packet header.
+Log options from the IP/IPv6 packet header.
.TP
\fB\-\-log\-uid\fP
Log the userid of the process which generated the packet.
\fB\-\-xor\-mark\fP \fIbits\fP
Binary XOR the nfmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP
\fIbits\fP\fB/0\fP.)
-.SS MASQUERADE (IPv6-specific)
-This target is only valid in the
-.B nat
-table, in the
-.B POSTROUTING
-chain. It should only be used with dynamically assigned IPv6 (dialup)
-connections: if you have a static IP address, you should use the SNAT
-target. Masquerading is equivalent to specifying a mapping to the IP
-address of the interface the packet is going out, but also has the
-effect that connections are
-.I forgotten
-when the interface goes down. This is the correct behavior when the
-next dialup is unlikely to have the same interface address (and hence
-any established connections are lost anyway).
-.TP
-\fB\-\-to\-ports\fP \fIport\fP[\fB\-\fP\fIport\fP]
-This specifies a range of source ports to use, overriding the default
-.B SNAT
-source port-selection heuristics (see above). This is only valid
-if the rule also specifies
-\fB\-p tcp\fP
-or
-\fB\-p udp\fP.
-.TP
-\fB\-\-random\fP
-Randomize source port mapping
-If option
-\fB\-\-random\fP
-is used then port mapping will be randomized.
-.RS
-.PP
-.SS MASQUERADE (IPv4-specific)
+.SS MASQUERADE
This target is only valid in the
.B nat
table, in the
This specifies a range of source ports to use, overriding the default
.B SNAT
source port-selection heuristics (see above). This is only valid
-if the rule also specifies
-\fB\-p tcp\fP
-or
-\fB\-p udp\fP.
+if the rule also specifies one of the following protocols:
+\fBtcp\fP, \fBudp\fP, \fBdccp\fP or \fBsctp\fP.
.TP
\fB\-\-random\fP
Randomize source port mapping
If option
\fB\-\-random\fP
is used then port mapping will be randomized (kernel >= 2.6.21).
-.RS
-.PP
+.TP
+IPv6 support available since Linux kernels >= 3.7.
.SS MIRROR (IPv4-specific)
This is an experimental demonstration target which inverts the source
and destination fields in the IP header and retransmits the packet.
.B NOT
seen by any packet filtering chains, connection tracking or NAT, to
avoid loops and other problems.
-.SS NETMAP (IPv4-specific)
+.SS NETMAP
This target allows you to statically map a whole network of addresses onto
another network of addresses. It can only be used from rules in the
.B nat
Network address to map to. The resulting address will be constructed in the
following way: All 'one' bits in the mask are filled in from the new `address'.
All bits that are zero in the mask are filled in from the original address.
+.TP
+IPv6 support available since Linux kernels >= 3.7.
.SS NFLOG
This target provides logging of matching packets. When this target is
set for a rule, the Linux kernel will pass the packet to the loaded
packets reach userspace. The default value is 1.
.BR
.SS NFQUEUE
-This target is an extension of the QUEUE target. As opposed to QUEUE, it allows
-you to put a packet into any specific queue, identified by its 16-bit queue
-number.
-It can only be used with Kernel versions 2.6.14 or later, since it requires
-the
+This target passes the packet to userspace using the
+\fBnfnetlink_queue\fP handler. The packet is put into the queue
+identified by its 16-bit queue number. Userspace can inspect
+and modify the packet if desired. Userspace must then drop or
+reinject the packet into the kernel. Please see libnetfilter_queue
+for details.
.B
nfnetlink_queue
-kernel support. The \fBqueue-balance\fP option was added in Linux 2.6.31,
+was added in Linux 2.6.14. The \fBqueue-balance\fP option was added in Linux 2.6.31,
\fBqueue-bypass\fP in 2.6.39.
.TP
\fB\-\-queue\-num\fP \fIvalue\fP
.TP
\fB\-\-queue\-bypass\fP
By default, if no userspace program is listening on an NFQUEUE, then all packets that are to be queued
-are dropped. When this option is used, the NFQUEUE rule is silently bypassed instead. The packet
-will move on to the next rule.
+are dropped. When this option is used, the NFQUEUE rule behaves like ACCEPT instead, and the packet
+will move on to the next table.
+.PP
+.TP
+\fB\-\-queue\-cpu-fanout\fP
+Available starting Linux kernel 3.10. When used together with
+\fB--queue-balance\fP this will use the CPU ID as an index to map packets to
+the queues. The idea is that you can improve performance if there's a queue
+per CPU. This requires \fB--queue-balance\fP to be specified.
.SS NOTRACK
-This target disables connection tracking for all packets matching that rule.
-It is obsoleted by \-j CT \-\-notrack. Like CT, NOTRACK can only be used in
+This extension disables connection tracking for all packets matching that rule.
+It is equivalent with \-j CT \-\-notrack. Like CT, NOTRACK can only be used in
the \fBraw\fP table.
.SS RATEEST
The RATEEST target collects statistics, performs rate estimation calculation
.TP
\fB\-\-rateest\-ewmalog\fP \fIvalue\fP
Rate measurement averaging time constant.
-.SS REDIRECT (IPv4-specific)
+.SS REDIRECT
This target is only valid in the
.B nat
table, in the
chains, and user-defined chains which are only called from those
chains. It redirects the packet to the machine itself by changing the
destination IP to the primary address of the incoming interface
-(locally-generated packets are mapped to the 127.0.0.1 address).
+(locally-generated packets are mapped to the localhost address,
+127.0.0.1 for IPv4 and ::1 for IPv6).
.TP
\fB\-\-to\-ports\fP \fIport\fP[\fB\-\fP\fIport\fP]
This specifies a destination port or range of ports to use: without
this, the destination port is never altered. This is only valid
-if the rule also specifies
-\fB\-p tcp\fP
-or
-\fB\-p udp\fP.
+if the rule also specifies one of the following protocols:
+\fBtcp\fP, \fBudp\fP, \fBdccp\fP or \fBsctp\fP.
.TP
\fB\-\-random\fP
If option
\fB\-\-random\fP
is used then port mapping will be randomized (kernel >= 2.6.22).
-.RS
-.PP
+.TP
+IPv6 support available starting Linux kernels >= 3.7.
.SS REJECT (IPv6-specific)
This is used to send back an error packet in response to the matched
packet: otherwise it is equivalent to
\fBicmp6\-adm\-prohibited\fP,
\fBadm\-prohibited\fP,
\fBicmp6\-addr\-unreachable\fP,
-\fBaddr\-unreach\fP,
-\fBicmp6\-port\-unreachable\fP or
-\fBport\-unreach\fP
-which return the appropriate ICMPv6 error message (\fBport\-unreach\fP is
+\fBaddr\-unreach\fP, or
+\fBicmp6\-port\-unreachable\fP,
+which return the appropriate ICMPv6 error message (\fBicmp6\-port\-unreachable\fP is
the default). Finally, the option
\fBtcp\-reset\fP
can be used on rules which only match the TCP protocol: this causes a
\fBicmp\-port\-unreachable\fP,
\fBicmp\-proto\-unreachable\fP,
\fBicmp\-net\-prohibited\fP,
-\fBicmp\-host\-prohibited\fP or
-\fBicmp\-admin\-prohibited\fP (*)
-which return the appropriate ICMP error message (\fBport\-unreachable\fP is
+\fBicmp\-host\-prohibited\fP, or
+\fBicmp\-admin\-prohibited\fP (*),
+which return the appropriate ICMP error message (\fBicmp\-port\-unreachable\fP is
the default). The option
\fBtcp\-reset\fP
can be used on rules which only match the TCP protocol: this causes a
.PP
Use of -j SET requires that ipset kernel support is provided, which, for
standard kernels, is the case since Linux 2.6.39.
-.SS SNAT (IPv4-specific)
+.SS SNAT
This target is only valid in the
.B nat
table, in the
.B POSTROUTING
-chain. It specifies that the source address of the packet should be
+and
+.B INPUT
+chains, and user-defined chains which are only called from those
+chains. It specifies that the source address of the packet should be
modified (and all future packets in this connection will also be
-mangled), and rules should cease being examined. It takes one type
-of option:
+mangled), and rules should cease being examined. It takes the
+following options:
.TP
\fB\-\-to\-source\fP [\fIipaddr\fP[\fB\-\fP\fIipaddr\fP]][\fB:\fP\fIport\fP[\fB\-\fP\fIport\fP]]
which can specify a single new source IP address, an inclusive range
-of IP addresses, and optionally, a port range (which is only valid if
-the rule also specifies
-\fB\-p tcp\fP
-or
-\fB\-p udp\fP).
+of IP addresses. Optionally a port range,
+if the rule also specifies one of the following protocols:
+\fBtcp\fP, \fBudp\fP, \fBdccp\fP or \fBsctp\fP.
If no port range is specified, then source ports below 512 will be
mapped to other ports below 512: those between 512 and 1023 inclusive
will be mapped to ports below 1024, and other ports will be mapped to
1024 or above. Where possible, no port alteration will occur.
-
In Kernels up to 2.6.10, you can add several \-\-to\-source options. For those
kernels, if you specify more than one source address, either via an address
range or multiple \-\-to\-source options, a simple round-robin (one after another
Gives a client the same source-/destination-address for each connection.
This supersedes the SAME target. Support for persistent mappings is available
from 2.6.29-rc2.
+.PP
+Kernels prior to 2.6.36-rc1 don't have the ability to
+.B SNAT
+in the
+.B INPUT
+chain.
+.TP
+IPv6 support available since Linux kernels >= 3.7.
+.SS SNPT (IPv6-specific)
+Provides stateless source IPv6-to-IPv6 Network Prefix Translation (as described
+by RFC 6296).
+.PP
+You have to use this target in the
+.B mangle
+table, not in the
+.B nat
+table. It takes the following options:
+.TP
+\fB\-\-src\-pfx\fP [\fIprefix/\fP\fIlength]
+Set source prefix that you want to translate and length
+.TP
+\fB\-\-dst\-pfx\fP [\fIprefix/\fP\fIlength]
+Set destination prefix that you want to use in the translation and length
+.PP
+You have to use the DNPT target to undo the translation. Example:
+.IP
+ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 \! \-o vboxnet0
+\-j SNPT \-\-src-pfx fd00::/64 \-\-dst-pfx 2001:e20:2000:40f::/64
+.IP
+ip6tables \-t mangle \-I PREROUTING \-i wlan0 \-d 2001:e20:2000:40f::/64
+\-j DNPT \-\-src-pfx 2001:e20:2000:40f::/64 \-\-dst-pfx fd00::/64
+.PP
+You may need to enable IPv6 neighbor proxy:
+.IP
+sysctl -w net.ipv6.conf.all.proxy_ndp=1
+.PP
+You also have to use the
+.B NOTRACK
+target to disable connection tracking for translated flows.
.SS TCPMSS
This target allows to alter the MSS value of TCP SYN packets, to control
the maximum size for that connection (usually limiting it to your
\fB\-\-ttl\-inc\fP \fIvalue\fP
Increment the TTL value `value' times.
.SS ULOG (IPv4-specific)
-This target provides userspace logging of matching packets. When this
+This is the deprecated ipv4-only predecessor of the NFLOG target.
+It provides userspace logging of matching packets. When this
target is set for a rule, the Linux kernel will multicast this packet
through a
.IR netlink
-.TH IPTABLES-RESTORE 8 "Jan 04, 2001" "" ""
+.TH IPTABLES-RESTORE 8 "" "iptables 1.4.21" "iptables 1.4.21"
.\"
.\" Man page written by Harald Welte <laforge@gnumonks.org>
.\" It is based on the iptables man page.
.\"
.SH NAME
iptables-restore \(em Restore IP Tables
+.P
+ip6tables-restore \(em Restore IPv6 Tables
.SH SYNOPSIS
\fBiptables\-restore\fP [\fB\-chntv\fP] [\fB\-M\fP \fImodprobe\fP]
+.P
+\fBip6tables\-restore\fP [\fB\-chntv\fP] [\fB\-M\fP \fImodprobe\fP]
[\fB\-T\fP \fIname\fP]
.SH DESCRIPTION
.PP
.B iptables-restore
-is used to restore IP Tables from data specified on STDIN. Use
+and
+.B ip6tables-restore
+are used to restore IP and IPv6 Tables from data specified on STDIN. Use
I/O redirection provided by your shell to read from a file
.TP
\fB\-c\fR, \fB\-\-counters\fR
\fB\-h\fP, \fB\-\-help\fP
Print a short option summary.
.TP
-\fB\-n\fR, \fB\-\-noflush\fR
-don't flush the previous contents of the table. If not specified,
-.B iptables-restore
-flushes (deletes) all previous contents of the respective table.
+\fB\-n\fR, \fB\-\-noflush\fR
+don't flush the previous contents of the table. If not specified,
+both commands flush (delete) all previous contents of the respective table.
.TP
\fB\-t\fP, \fB\-\-test\fP
Only parse and construct the ruleset, but do not commit it.
Restore only the named table even if the input stream contains other ones.
.SH BUGS
None known as of iptables-1.2.1 release
-.SH AUTHOR
-Harald Welte <laforge@gnumonks.org>
+.SH AUTHORS
+Harald Welte <laforge@gnumonks.org> wrote iptables-restore based on code
+from Rusty Russell.
+.br
+Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-restore.
.SH SEE ALSO
\fBiptables\-save\fP(8), \fBiptables\fP(8)
.PP
-.TH IPTABLES-SAVE 8 "Jan 04, 2001" "" ""
+.TH IPTABLES-SAVE 8 "" "iptables 1.4.21" "iptables 1.4.21"
.\"
.\" Man page written by Harald Welte <laforge@gnumonks.org>
.\" It is based on the iptables man page.
.\"
.SH NAME
iptables-save \(em dump iptables rules to stdout
+.P
+ip6tables-save \(em dump iptables rules to stdout
.SH SYNOPSIS
\fBiptables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
[\fB\-t\fP \fItable\fP]
+.P
+\fBip6tables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
+[\fB\-t\fP \fItable\fP
.SH DESCRIPTION
.PP
.B iptables-save
-is used to dump the contents of an IP Table in easily parseable format
+and
+.B ip6tables-save
+are used to dump the contents of IP or IPv6 Table in easily parseable format
to STDOUT. Use I/O-redirection provided by your shell to write to a file.
.TP
\fB\-M\fP \fImodprobe_program\fP
available tables.
.SH BUGS
None known as of iptables-1.2.1 release
-.SH AUTHOR
+.SH AUTHORS
Harald Welte <laforge@gnumonks.org>
+.br
+Rusty Russell <rusty@rustcorp.com.au>
+.br
+Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-save.
.SH SEE ALSO
\fBiptables\-restore\fP(8), \fBiptables\fP(8)
.PP
-.TH IPTABLES 8 "" "iptables 1.4.18" "iptables 1.4.18"
+.TH IPTABLES 8 "" "iptables 1.4.21" "iptables 1.4.21"
.\"
.\" Man page written by Herve Eychenne <rv@wallfire.org> (May 1999)
.\" It is based on ipchains page.
.\"
.\"
.SH NAME
-iptables \(em administration tool for IPv4 packet filtering and NAT
+iptables/ip6tables \(em administration tool for IPv4/IPv6 packet filtering and NAT
.SH SYNOPSIS
\fBiptables\fP [\fB\-t\fP \fItable\fP] {\fB\-A\fP|\fB\-C\fP|\fB\-D\fP}
\fIchain\fP \fIrule-specification\fP
+.P
+\fBip6tables\fP [\fB\-t\fP \fItable\fP] {\fB\-A\fP|\fB\-C\fP|\fB\-D\fP}
+\fIchain rule-specification\fP
.PP
\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-I\fP \fIchain\fP [\fIrulenum\fP] \fIrule-specification\fP
.PP
.PP
target = \fB\-j\fP \fItargetname\fP [\fIper\-target\-options\fP]
.SH DESCRIPTION
-\fBIptables\fP is used to set up, maintain, and inspect the
-tables of IPv4 packet
+\fBIptables\fP and \fBip6tables\fP are used to set up, maintain, and inspect the
+tables of IPv4 and IPv6 packet
filter rules in the Linux kernel. Several different tables
may be defined. Each table contains a number of built-in
chains and may also contain user-defined chains.
table.
.SH TARGETS
A firewall rule specifies criteria for a packet and a target. If the
-packet does not match, the next rule in the chain is the examined; if
+packet does not match, the next rule in the chain is examined; if
it does match, then the next rule is specified by the value of the
-target, which can be the name of a user-defined chain or one of the
-special values \fBACCEPT\fP, \fBDROP\fP, \fBQUEUE\fP or \fBRETURN\fP.
+target, which can be the name of a user-defined chain, one of the targets
+described in \fBiptables\-extensions\fP(8), or one of the
+special values \fBACCEPT\fP, \fBDROP\fP or \fBRETURN\fP.
.PP
\fBACCEPT\fP means to let the packet through.
\fBDROP\fP means to drop the packet on the floor.
-\fBQUEUE\fP means to pass the packet to userspace.
-(How the packet can be received
-by a userspace process differs by the particular queue handler. 2.4.x
-and 2.6.x kernels up to 2.6.13 include the \fBip_queue\fP
-queue handler. Kernels 2.6.14 and later additionally include the
-\fBnfnetlink_queue\fP queue handler. Packets with a target of QUEUE will be
-sent to queue number '0' in this case. Please also see the \fBNFQUEUE\fP
-target as described later in this man page.)
\fBRETURN\fP means stop traversing this chain and resume at the next
rule in the
previous (calling) chain. If the end of a built-in chain is reached
(for altering packets as soon as they come in), \fBOUTPUT\fP
(for altering locally-generated packets before routing), and \fBPOSTROUTING\fP
(for altering packets as they are about to go out).
+IPv6 NAT support is available since kernel 3.7.
.TP
\fBmangle\fP:
This table is used for specialized packet alteration. Until kernel
.RE
.SH OPTIONS
The options that are recognized by
-\fBiptables\fP can be divided into several different groups.
+\fBiptables\fP and \fBip6tables\fP can be divided into several different groups.
.SS COMMANDS
These options specify the desired action to perform. Only one of them
can be specified on the command line unless otherwise stated
.TP
\fB\-4\fP, \fB\-\-ipv4\fP
This option has no effect in iptables and iptables-restore.
+If a rule using the \fB\-4\fP option is inserted with (and only with)
+ip6tables-restore, it will be silently ignored. Any other uses will throw an
+error. This option allows to put both IPv4 and IPv6 rules in a single rule file
+for use with both iptables-restore and ip6tables-restore.
.TP
\fB\-6\fP, \fB\-\-ipv6\fP
If a rule using the \fB\-6\fP option is inserted with (and only with)
iptables-restore, it will be silently ignored. Any other uses will throw an
error. This option allows to put both IPv4 and IPv6 rules in a single rule file
for use with both iptables-restore and ip6tables-restore.
+This option has no effect in ip6tables and ip6tables-restore.
.TP
[\fB!\fP] \fB\-p\fP, \fB\-\-protocol\fP \fIprotocol\fP
The protocol of the rule or of the packet to check.
The specified protocol can be one of \fBtcp\fP, \fBudp\fP, \fBudplite\fP,
-\fBicmp\fP, \fBesp\fP, \fBah\fP, \fBsctp\fP or the special keyword "\fBall\fP",
+\fBicmp\fP, \fBicmpv6\fP,\fBesp\fP, \fBah\fP, \fBsctp\fP, \fBmh\fP or the special keyword "\fBall\fP",
or it can be a numeric value, representing one of these protocols or a
different one. A protocol name from /etc/protocols is also allowed.
A "!" argument before the protocol inverts the
test. The number zero is equivalent to \fBall\fP. "\fBall\fP"
will match with all protocols and is taken as default when this
option is omitted.
+Note that, in ip6tables, IPv6 extension headers except \fBesp\fP are not allowed.
+\fBesp\fP and \fBipv6\-nonext\fP
+can be used with Kernel version 2.6.11 or later.
+The number zero is equivalent to \fBall\fP, which means that you cannot
+test the protocol field for the value 0 directly. To match on a HBH header,
+even if it were the last, you cannot use \fB\-p 0\fP, but always need
+\fB\-m hbh\fP.
.TP
[\fB!\fP] \fB\-s\fP, \fB\-\-source\fP \fIaddress\fP[\fB/\fP\fImask\fP][\fB,\fP\fI...\fP]
Source specification. \fIAddress\fP
Please note that specifying any name to be resolved with a remote query such as
DNS is a really bad idea.
The \fImask\fP
-can be either a network mask or a plain number,
+can be either an ipv4 network mask (for iptables) or a plain number,
specifying the number of 1's at the left side of the network mask.
-Thus, a mask of \fI24\fP is equivalent to \fI255.255.255.0\fP.
+Thus, an iptables mask of \fI24\fP is equivalent to \fI255.255.255.0\fP.
A "!" argument before the address specification inverts the sense of
the address. The flag \fB\-\-src\fP is an alias for this option.
Multiple addresses can be specified, but this will \fBexpand to multiple
omitted, any interface name will match.
.TP
[\fB!\fP] \fB\-f\fP, \fB\-\-fragment\fP
-This means that the rule only refers to second and further fragments
+This means that the rule only refers to second and further IPv4 fragments
of fragmented packets. Since there is no way to tell the source or
destination ports of such a packet (or ICMP type), such a packet will
not match any rules which specify them. When the "!" argument
precedes the "\-f" flag, the rule will only match head fragments, or
-unfragmented packets.
+unfragmented packets. This option is IPv4 specific, it is not available
+in ip6tables.
.TP
\fB\-c\fP, \fB\-\-set\-counters\fP \fIpackets bytes\fP
This enables the administrator to initialize the packet and byte
detailed information on the rule or rules to be printed. \fB\-v\fP may be
specified multiple times to possibly emit more detailed debug statements.
.TP
+\fB\-w\fP, \fB\-\-wait\fP
+Wait for the xtables lock.
+To prevent multiple instances of the program from running concurrently,
+an attempt will be made to obtain an exclusive lock at launch. By default,
+the program will exit if the lock cannot be obtained. This option will
+make the program wait until the exclusive lock can be obtained.
+.TP
\fB\-n\fP, \fB\-\-numeric\fP
Numeric output.
IP addresses and port numbers will be printed in numeric format.
\fBiptables\-save\fP(8),
\fBiptables\-restore\fP(8),
\fBiptables\-extensions\fP(8),
-\fBip6tables\fP(8),
-\fBip6tables\-save\fP(8),
-\fBip6tables\-restore\fP(8),
-\fBlibipq\fP(3).
.PP
The packet-filtering-HOWTO details iptables usage for
packet filtering, the NAT-HOWTO details NAT,
.\" .. and most of all, modest ..
.SH VERSION
.PP
-This manual page applies to iptables 1.4.18.
+This manual page applies to iptables/ip6tables 1.4.21.
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2013-04-08 14:07+0900\n"
+"POT-Creation-Date: 2014-05-07 04:08+0900\n"
"PO-Revision-Date: 2013-04-09 00:09+0900\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
#. type: TH
#, no-wrap
-msgid "Jul 16, 2007"
-msgstr "Jul 16, 2007"
+msgid "iptables 1.4.21"
+msgstr ""
#. Man page written by Sam Liddicott <azez@ufomechanic.net>
#. It is based on the iptables-save man page.
#. type: Plain text
msgid "B<iptables-save>(8), B<iptables-restore>(8), B<iptables>(8)"
msgstr "B<iptables-save>(8), B<iptables-restore>(8), B<iptables>(8)"
+
+#~ msgid "Jul 16, 2007"
+#~ msgstr "Jul 16, 2007"
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2013-04-08 14:07+0900\n"
+"POT-Creation-Date: 2014-05-07 04:08+0900\n"
"PO-Revision-Date: 2013-04-08 16:11+0900\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
#. type: TH
#, no-wrap
-msgid "iptables-apply"
-msgstr "iptables-apply"
+msgid "IPTABLES-APPLY"
+msgstr ""
#. type: TH
#, no-wrap
-msgid "2006-06-04"
-msgstr "2006-06-04"
+msgid "iptables 1.4.21"
+msgstr ""
#. type: SH
#, no-wrap
#. type: Plain text
msgid "Permission is granted to copy, distribute and/or modify this document under the terms of the Artistic License 2.0."
msgstr "この文書のコピー、配布、修正は Artistic License 2.0 の下で行うことができる。"
+
+#~ msgid "iptables-apply"
+#~ msgstr "iptables-apply"
+
+#~ msgid "2006-06-04"
+#~ msgstr "2006-06-04"
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2013-04-08 14:07+0900\n"
+"POT-Creation-Date: 2014-05-07 04:08+0900\n"
"PO-Revision-Date: 2014-05-07 03:36+0900\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
msgstr "iptables-extensions"
#. type: TH
-#, no-wrap
-msgid "iptables 1.4.18"
+#, fuzzy, no-wrap
+#| msgid "iptables 1.4.18"
+msgid "iptables 1.4.21"
msgstr "iptables 1.4.18"
#. type: SH
#. type: SS
#, no-wrap
+msgid "bpf"
+msgstr ""
+
+#. type: Plain text
+msgid "Match using Linux Socket Filter. Expects a BPF program in decimal format. This is the format generated by the B<nfbpf_compile> utility."
+msgstr ""
+
+#. type: TP
+#, fuzzy, no-wrap
+#| msgid "B<--mode> I<mode>"
+msgid "B<--bytecode> I<code>"
+msgstr "B<--mode> I<mode>"
+
+#. type: Plain text
+msgid "Pass the BPF byte code format (described in the example below)."
+msgstr ""
+
+#. type: Plain text
+msgid "The code format is similar to the output of the tcpdump -ddd command: one line that stores the number of instructions, followed by one line for each instruction. Instruction lines follow the pattern 'u16 u8 u8 u32' in decimal notation. Fields encode the operation, jump offset if true, jump offset if false and generic multiuse field 'K'. Comments are not supported."
+msgstr ""
+
+#. type: Plain text
+msgid "For example, to read only packets matching 'ip proto 6', insert the following, without the comments or trailing whitespace:"
+msgstr ""
+
+#. type: Plain text
+msgid "4 # number of instructions"
+msgstr ""
+
+#. type: Plain text
+msgid "48 0 0 9 # load byte ip-E<gt>proto"
+msgstr ""
+
+#. type: Plain text
+msgid "21 0 1 6 # jump equal IPPROTO_TCP"
+msgstr ""
+
+#. type: Plain text
+msgid "6 0 0 1 # return pass (non-zero)"
+msgstr ""
+
+#. type: Plain text
+msgid "6 0 0 0 # return fail (zero)"
+msgstr ""
+
+#. type: Plain text
+msgid "You can pass this filter to the bpf match with the following command:"
+msgstr ""
+
+#. type: Plain text
+msgid "iptables -A OUTPUT -m bpf --bytecode '4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0' -j ACCEPT"
+msgstr ""
+
+#. type: Plain text
+msgid "Or instead, you can invoke the nfbpf_compile utility."
+msgstr ""
+
+#. type: Plain text
+msgid "iptables -A OUTPUT -m bpf --bytecode \"`nfbpf_compile RAW 'ip proto 6'`\" -j ACCEPT"
+msgstr ""
+
+#. type: Plain text
+msgid "You may want to learn more about BPF from FreeBSD's bpf(4) manpage."
+msgstr ""
+
+#. type: SS
+#, no-wrap
msgid "cluster"
msgstr "cluster"
msgstr "arptables -A INPUT -i eth2 --h-length 6 --destination-mac 01:00:5e:00:01:02 -j mangle --mangle-mac-d 00:zz:yy:xx:5a:27"
#. type: Plain text
+msgid "B<NOTE>: the arptables commands above use mainstream syntax. If you are using arptables-jf included in some RedHat, CentOS and Fedora versions, you will hit syntax errors. Therefore, you'll have to adapt these to the arptables-jf syntax to get them working."
+msgstr ""
+
+#. type: Plain text
msgid "In the case of TCP connections, pickup facility has to be disabled to avoid marking TCP ACK packets coming in the reply direction as valid."
msgstr "TCP 接続の場合には、応答方向で受信した TCP ACK パケットが有効とマークされないようにするため、ピックアップ (pickup) 機能を無効する必要がある。"
msgid "Apply the limit onto the destination group."
msgstr "宛先グループに対して制限を適用する。"
-#. type: Plain text
+#. type: TP
+#, no-wrap
msgid "Examples:"
msgstr "例:"
msgstr "B<NEW>"
#. type: Plain text
-msgid "The packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions."
+#, fuzzy
+#| msgid "The packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions."
+msgid "The packet has started a new connection or otherwise associated with a connection which has not seen packets in both directions."
msgstr "そのパケットが新しいコネクションを開始しようとしている。 もしくは、 両方の方向でパケットが観測されていないコネクションに関連付けられる。"
#. type: TP
msgstr "B<RELATED>"
#. type: Plain text
-msgid "The packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error."
+#, fuzzy
+#| msgid "The packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error."
+msgid "The packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer or an ICMP error."
msgstr "そのパケットは、新しいコネクションを開始しようとしているが、 既存のコネクションと関連付けられる。 FTP データ転送や ICMP エラーなどが該当する。"
#. type: TP
msgstr "サブネットに対するマッチ"
#. type: Plain text
-msgid "\"10000 packets per minute for every /28 subnet (groups of 8 addresses) in 10.0.0.0/8\" =E<gt> -s 10.0.0.8 --hashlimit-mask 28 --hashlimit-upto 10000/min"
+#, fuzzy
+#| msgid "\"10000 packets per minute for every /28 subnet (groups of 8 addresses) in 10.0.0.0/8\" =E<gt> -s 10.0.0.8 --hashlimit-mask 28 --hashlimit-upto 10000/min"
+msgid "\"10000 packets per minute for every /28 subnet (groups of 8 addresses) in 10.0.0.0/8\" =E<gt> -s 10.0.0.0/8 --hashlimit-mask 28 --hashlimit-upto 10000/min"
msgstr "\"10.0.0.0/8 内の /28 サブネット (アドレス 8 個のグループ) それぞれに対して 10000 パケット/秒\" =E<gt> -s 10.0.0.8 --hashlimit-mask 28 --hashlimit-upto 10000/min"
#. type: TP
msgstr "Mobility Header (MH) タイプを指定できる。 タイプ指定には、 数値の MH タイプか、 以下のコマンドで表示される MH タイプ名を指定できる。"
#. type: Plain text
-#, no-wrap
-msgid " ip6tables -p ipv6-mh -h\n"
+#, fuzzy, no-wrap
+#| msgid " ip6tables -p ipv6-mh -h\n"
+msgid " ip6tables -p mh -h\n"
msgstr " ip6tables -p ipv6-mh -h\n"
#. type: SS
msgstr "multiport"
#. type: Plain text
-msgid "This module matches a set of source or destination ports. Up to 15 ports can be specified. A port range (port:port) counts as two ports. It can only be used in conjunction with B<-p tcp> or B<-p udp>."
+#, fuzzy
+#| msgid "This module matches a set of source or destination ports. Up to 15 ports can be specified. A port range (port:port) counts as two ports. It can only be used in conjunction with B<-p tcp> or B<-p udp>."
+msgid "This module matches a set of source or destination ports. Up to 15 ports can be specified. A port range (port:port) counts as two ports. It can only be used in conjunction with one of the following protocols: B<tcp>, B<udp>, B<udplite>, B<dccp> and B<sctp>."
msgstr "このモジュールは送信元ポートや宛先ポートの集合にマッチする。 ポートは 15 個まで指定できる。 ポートの範囲指定 (port:port) は 2 ポートとカウントされる。 このモジュールが使用できるのは B<-p tcp> か B<-p udp> と組み合わせた場合だけである。"
#. type: TP
msgstr "recent リストのテーブルの照合/保存で、各パケットの宛先アドレスを使う。"
#. type: TP
-#, no-wrap
-msgid "B<--mask>netmask"
+#, fuzzy, no-wrap
+#| msgid "B<--mask>netmask"
+msgid "B<--mask> I<netmask>"
msgstr "B<--mask>netmask"
#. type: Plain text
msgstr "iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP"
#. type: Plain text
-msgid "Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/) also has some examples of usage."
-msgstr "Steve の ipt_recent ウェブサイト (http://snowman.net/projects/ipt_recent/) にも使用例がいくつかある。"
-
-#. type: Plain text
msgid "B</proc/net/xt_recent/*> are the current lists of addresses and information about each entry of each list."
msgstr "B</proc/net/xt_recent/*> は現在のアドレスのリストと各リストの各エントリーの情報である。"
msgstr ""
#. type: TP
-#, no-wrap
-msgid "B<--return--nomatch>"
+#, fuzzy, no-wrap
+#| msgid "B<--return--nomatch>"
+msgid "B<--return-nomatch>"
msgstr "B<--return--nomatch>"
#. type: Plain text
-msgid "If the B<--return--nomatch> option is specified and the set type supports the B<nomatch> flag, then the matching is reversed: a match with an element flagged with B<nomatch> returns B<true>, while a match with a plain element returns B<false>."
+msgid "If the B<--return-nomatch> option is specified and the set type supports the B<nomatch> flag, then the matching is reversed: a match with an element flagged with B<nomatch> returns B<true>, while a match with a plain element returns B<false>."
+msgstr ""
+
+#. type: TP
+#, fuzzy, no-wrap
+#| msgid "[B<!>] B<--update>"
+msgid "B<!> B<--update-counters>"
+msgstr "[B<!>] B<--update>"
+
+#. type: Plain text
+msgid "If the B<--update-counters> flag is negated, then the packet and byte counters of the matching element in the set won't be updated. Default the packet and byte counters are updated."
+msgstr ""
+
+#. type: TP
+#, fuzzy, no-wrap
+#| msgid "[B<!>] B<--update>"
+msgid "B<!> B<--update-subcounters>"
+msgstr "[B<!>] B<--update>"
+
+#. type: Plain text
+msgid "If the B<--update-subcounters> flag is negated, then the packet and byte counters of the matching element in the member set of a list type of set won't be updated. Default the packet and byte counters are updated."
+msgstr ""
+
+#. type: TP
+#, fuzzy, no-wrap
+#| msgid "[B<!>] B<--hl-eq> I<value>"
+msgid "[B<!>] B<--packets-eq> I<value>"
+msgstr "[B<!>] B<--hl-eq> I<value>"
+
+#. type: Plain text
+msgid "If the packet is matched an element in the set, match only if the packet counter of the element matches the given value too."
+msgstr ""
+
+#. type: TP
+#, fuzzy, no-wrap
+#| msgid "B<--hl-lt> I<value>"
+msgid "B<--packets-lt> I<value>"
+msgstr "B<--hl-lt> I<value>"
+
+#. type: Plain text
+msgid "If the packet is matched an element in the set, match only if the packet counter of the element is less than the given value as well."
+msgstr ""
+
+#. type: TP
+#, fuzzy, no-wrap
+#| msgid "B<--hl-gt> I<value>"
+msgid "B<--packets-gt> I<value>"
+msgstr "B<--hl-gt> I<value>"
+
+#. type: Plain text
+msgid "If the packet is matched an element in the set, match only if the packet counter of the element is greater than the given value as well."
+msgstr ""
+
+#. type: TP
+#, fuzzy, no-wrap
+#| msgid "[B<!>] B<--hl-eq> I<value>"
+msgid "[B<!>] B<-bytes-eq> I<value>"
+msgstr "[B<!>] B<--hl-eq> I<value>"
+
+#. type: Plain text
+msgid "If the packet is matched an element in the set, match only if the byte counter of the element matches the given value too."
+msgstr ""
+
+#. type: TP
+#, fuzzy, no-wrap
+#| msgid "B<--hl-lt> I<value>"
+msgid "B<--bytes-lt> I<value>"
+msgstr "B<--hl-lt> I<value>"
+
+#. type: Plain text
+msgid "If the packet is matched an element in the set, match only if the byte counter of the element is less than the given value as well."
+msgstr ""
+
+#. type: TP
+#, fuzzy, no-wrap
+#| msgid "B<--hl-gt> I<value>"
+msgid "B<--bytes-gt> I<value>"
+msgstr "B<--hl-gt> I<value>"
+
+#. type: Plain text
+msgid "If the packet is matched an element in the set, match only if the byte counter of the element is greater than the given value as well."
+msgstr ""
+
+#. type: Plain text
+msgid "The packet and byte counters related options and flags are ignored when the set was defined without counter support."
msgstr ""
#. type: Plain text
msgstr "socket"
#. type: Plain text
-msgid "This matches if an open socket can be found by doing a socket lookup on the packet."
+msgid "This matches if an open TCP/UDP socket can be found by doing a socket lookup on the packet. It matches if there is an established or non-zero bound listening socket (possibly with a non-local address). The lookup is performed using the B<packet> tuple of TCP/UDP packets, or the original TCP/UDP header B<embedded> in an ICMP/ICPMv6 error packet."
msgstr ""
#. type: TP
msgid "Ignore non-transparent sockets."
msgstr "非透過 (non-transparent) ソケットを無視する。"
+#. type: TP
+#, fuzzy, no-wrap
+#| msgid "B<--nodst>"
+msgid "B<--nowildcard>"
+msgstr "B<--nodst>"
+
+#. type: Plain text
+msgid "Do not ignore sockets bound to 'any' address. The socket match won't accept zero-bound listeners by default, since then local services could intercept traffic that would otherwise be forwarded. This option therefore has security implications when used to match traffic being forwarded to redirect such packets to local machine with policy routing. When using the socket match to implement fully transparent proxies bound to non-local addresses it is recommended to use the --transparent option instead."
+msgstr ""
+
+#. type: Plain text
+msgid "Example (assuming packets with mark 1 are delivered locally):"
+msgstr ""
+
+#. type: Plain text
+#, fuzzy
+#| msgid "-t mangle -A PREROUTING -i eth0 -j TEE --gateway 2001:db8::1"
+msgid "-t mangle -A PREROUTING -m socket --transparent -j MARK --set-mark 1"
+msgstr "-t mangle -A PREROUTING -i eth0 -j TEE --gateway 2001:db8::1"
+
#. type: SS
#, no-wrap
msgid "state"
msgid "Matches the given pattern in hex notation."
msgstr "指定された 16 進表記のパターンにマッチする。"
+#. type: Plain text
+msgid "# The string pattern can be used for simple text characters."
+msgstr ""
+
+#. type: Plain text
+#, fuzzy
+#| msgid "iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh"
+msgid "iptables -A INPUT -p tcp --dport 80 -m string --algo bm --string 'GET /index.html' -j LOG"
+msgstr "iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh"
+
+#. type: Plain text
+msgid "# The hex string pattern can be used for non-printable characters, like |0D 0A| or |0D0A|."
+msgstr ""
+
+#. type: Plain text
+msgid "iptables -p udp --dport 53 -m string --algo bm --from 40 --to 57 --hex-string '|03|www|09|netfilter|03|org|00|'"
+msgstr ""
+
#. type: SS
#, no-wrap
msgid "tcp"
msgstr ""
#. type: SS
-#, no-wrap
-msgid "DNAT (IPv4-specific)"
-msgstr "DNAT (IPv4 の場合)"
+#, fuzzy, no-wrap
+#| msgid "B<DNAT>"
+msgid "DNAT"
+msgstr "B<DNAT>"
#. type: Plain text
-msgid "This target is only valid in the B<nat> table, in the B<PREROUTING> and B<OUTPUT> chains, and user-defined chains which are only called from those chains. It specifies that the destination address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one type of option:"
+#, fuzzy
+#| msgid "This target is only valid in the B<nat> table, in the B<PREROUTING> and B<OUTPUT> chains, and user-defined chains which are only called from those chains. It specifies that the destination address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one type of option:"
+msgid "This target is only valid in the B<nat> table, in the B<PREROUTING> and B<OUTPUT> chains, and user-defined chains which are only called from those chains. It specifies that the destination address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes the following options:"
msgstr "このターゲットは B<nat> テーブルの B<PREROUTING>, B<OUTPUT> チェイン、 これらのチェインから呼び出される ユーザー定義チェインのみで有効である。 このターゲットはパケットの宛先アドレスを修正する (このコネクションの以降のパケットも修正して分からなく (mangle) する)。 さらに、 ルールによるチェックを止めさせる。 このターゲットにはオプションが 1 種類ある:"
#. type: TP
msgstr "B<--to-destination> [I<ipaddr>[B<->I<ipaddr>]][B<:>I<port>[B<->I<port>]]"
#. type: Plain text
-msgid "which can specify a single new destination IP address, an inclusive range of IP addresses, and optionally, a port range (which is only valid if the rule also specifies B<-p tcp> or B<-p udp>). If no port range is specified, then the destination port will never be modified. If no IP address is specified then only the destination port will be modified."
-msgstr "1 つの新しい宛先 IP アドレス、 または IP アドレスの範囲が指定できる。 ポートの範囲を指定することもできる (これはルールで B<-p tcp> または B<-p udp> を指定している場合にのみ有効)。 ポートの範囲が指定されていない場合、 宛先ポートは変更されない。 IP アドレスが指定されなかった場合は、 宛先ポートだけが変更される。"
-
-#. type: Plain text
-msgid "In Kernels up to 2.6.10 you can add several --to-destination options. For those kernels, if you specify more than one destination address, either via an address range or multiple --to-destination options, a simple round-robin (one after another in cycle) load balancing takes place between these addresses. Later Kernels (E<gt>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore."
+#, fuzzy
+#| msgid "In Kernels up to 2.6.10 you can add several --to-destination options. For those kernels, if you specify more than one destination address, either via an address range or multiple --to-destination options, a simple round-robin (one after another in cycle) load balancing takes place between these addresses. Later Kernels (E<gt>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore."
+msgid "which can specify a single new destination IP address, an inclusive range of IP addresses. Optionally a port range, if the rule also specifies one of the following protocols: B<tcp>, B<udp>, B<dccp> or B<sctp>. If no port range is specified, then the destination port will never be modified. If no IP address is specified then only the destination port will be modified. In Kernels up to 2.6.10 you can add several --to-destination options. For those kernels, if you specify more than one destination address, either via an address range or multiple --to-destination options, a simple round-robin (one after another in cycle) load balancing takes place between these addresses. Later Kernels (E<gt>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore."
msgstr "2.6.10 以前のカーネルでは、 複数の --to-destination オプションを指定することができる。 これらのカーネルでは、 アドレスの範囲指定や --to-destination オプションの複数回指定により 2 つ以上の宛先アドレスを指定した場合、 それらのアドレスを使った単純なラウンドロビンによる負荷分散が行われる。 それ以降のカーネル (E<gt>= 2.6.11-rc1) には複数の範囲を NAT する機能は存在しない。"
#. type: TP
msgid "Gives a client the same source-/destination-address for each connection. This supersedes the SAME target. Support for persistent mappings is available from 2.6.29-rc2."
msgstr ""
+#. type: TP
+#, no-wrap
+msgid "IPv6 support available since Linux kernels E<gt>= 3.7."
+msgstr ""
+
+#. type: SS
+#, fuzzy, no-wrap
+#| msgid "DNAT (IPv4-specific)"
+msgid "DNPT (IPv6-specific)"
+msgstr "DNAT (IPv4 の場合)"
+
+#. type: Plain text
+msgid "Provides stateless destination IPv6-to-IPv6 Network Prefix Translation (as described by RFC 6296)."
+msgstr ""
+
+#. type: Plain text
+msgid "You have to use this target in the B<mangle> table, not in the B<nat> table. It takes the following options:"
+msgstr ""
+
+#. type: TP
+#, fuzzy, no-wrap
+#| msgid "B<--connlimit-mask> I<prefix_length>"
+msgid "B<--src-pfx> [I<prefix/>I<length]>"
+msgstr "B<--connlimit-mask> I<prefix_length>"
+
+#. type: Plain text
+msgid "Set source prefix that you want to translate and length"
+msgstr ""
+
+#. type: TP
+#, fuzzy, no-wrap
+#| msgid "B<--connlimit-mask> I<prefix_length>"
+msgid "B<--dst-pfx> [I<prefix/>I<length]>"
+msgstr "B<--connlimit-mask> I<prefix_length>"
+
+#. type: Plain text
+msgid "Set destination prefix that you want to use in the translation and length"
+msgstr ""
+
+#. type: Plain text
+msgid "You have to use the SNPT target to undo the translation. Example:"
+msgstr ""
+
+#. type: Plain text
+msgid "ip6tables -t mangle -I POSTROUTING -s fd00::/64 \\! -o vboxnet0 -j SNPT --src-pfx fd00::/64 --dst-pfx 2001:e20:2000:40f::/64"
+msgstr ""
+
+#. type: Plain text
+msgid "ip6tables -t mangle -I PREROUTING -i wlan0 -d 2001:e20:2000:40f::/64 -j DNPT --src-pfx 2001:e20:2000:40f::/64 --dst-pfx fd00::/64"
+msgstr ""
+
+#. type: Plain text
+msgid "You may need to enable IPv6 neighbor proxy:"
+msgstr ""
+
+#. type: Plain text
+msgid "sysctl -w net.ipv6.conf.all.proxy_ndp=1"
+msgstr ""
+
+#. type: Plain text
+msgid "You also have to use the B<NOTRACK> target to disable connection tracking for translated flows."
+msgstr ""
+
#. type: SS
#, no-wrap
msgid "DSCP"
msgstr "echo netfilter-ssh E<gt>/sys/class/leds/I<ledname>/trigger"
#. type: SS
-#, no-wrap
-msgid "LOG (IPv6-specific)"
-msgstr "LOG (IPv6 の場合)"
+#, fuzzy, no-wrap
+#| msgid "NFLOG"
+msgid "LOG"
+msgstr "NFLOG"
#. type: Plain text
-msgid "Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will print some information on all matching packets (like most IPv6 IPv6-header fields) via the kernel log (where it can be read with I<dmesg> or I<syslogd>(8)). This is a \"non-terminating target\", i.e. rule traversal continues at the next rule. So if you want to LOG the packets you refuse, use two separate rules with the same matching criteria, first using target LOG then DROP (or REJECT)."
+#, fuzzy
+#| msgid "Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will print some information on all matching packets (like most IPv6 IPv6-header fields) via the kernel log (where it can be read with I<dmesg> or I<syslogd>(8)). This is a \"non-terminating target\", i.e. rule traversal continues at the next rule. So if you want to LOG the packets you refuse, use two separate rules with the same matching criteria, first using target LOG then DROP (or REJECT)."
+msgid "Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will print some information on all matching packets (like most IP/IPv6 header fields) via the kernel log (where it can be read with I<dmesg(1)> or read in the syslog)."
msgstr "マッチしたパケットをカーネルログに記録する。 このオプションがルールに対して設定されると、 Linux カーネルはマッチしたパケットについての (IPv6 における大部分の IPv6 ヘッダーフィールドのような) 何らかの情報を カーネルログに表示する (カーネルログは I<dmesg> または I<syslogd>(8) で見ることができる)。 これは「非終了タ ーゲット」である。 すなわち、 ルールの探索は、 次のルールへと継続される。 よって、 拒否するパケットをログ記録したければ、 同じマッチング判断基準を持つ 2 つのルールを使用し、 最初のルールで LOG ターゲットを、 次のルールで DROP (または REJECT) ターゲットを指定する。"
+#. type: Plain text
+#, fuzzy
+#| msgid "Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will print some information on all matching packets (like most IP header fields) via the kernel log (where it can be read with I<dmesg> or I<syslogd>(8)). This is a \"non-terminating target\", i.e. rule traversal continues at the next rule. So if you want to LOG the packets you refuse, use two separate rules with the same matching criteria, first using target LOG then DROP (or REJECT)."
+msgid "This is a \"non-terminating target\", i.e. rule traversal continues at the next rule. So if you want to LOG the packets you refuse, use two separate rules with the same matching criteria, first using target LOG then DROP (or REJECT)."
+msgstr "マッチしたパケットをカーネルログに記録する。 このオプションがルールに対して設定されると、 Linux カーネルはマッチしたパケットについての (大部分の IP ヘッダーフィールドのような) 何らかの情報を カーネルログに表示する (カーネルログは I<dmesg> または I<syslogd>(8) で見ることができる)。 これは \"非終了ターゲット\" である。 すなわち、 ルールの探索は次のルールへと継続される。 よって、 拒否するパケットをログ記録したければ、 同じマッチング判断基準を持つ 2 つのルールを使用し、 最初のルールで LOG ターゲットを、 次のルールで DROP (または REJECT) ターゲットを指定する。"
+
#. type: TP
#, no-wrap
msgid "B<--log-level> I<level>"
msgstr "B<--log-ip-options>"
#. type: Plain text
-msgid "Log options from the IPv6 packet header."
+#, fuzzy
+#| msgid "Log options from the IPv6 packet header."
+msgid "Log options from the IP/IPv6 packet header."
msgstr "IPv6 パケットヘッダーのオプションをログに記録する。"
#. type: TP
#. type: SS
#, no-wrap
-msgid "LOG (IPv4-specific)"
-msgstr "LOG (IPv4 の場合)"
-
-#. type: Plain text
-msgid "Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will print some information on all matching packets (like most IP header fields) via the kernel log (where it can be read with I<dmesg> or I<syslogd>(8)). This is a \"non-terminating target\", i.e. rule traversal continues at the next rule. So if you want to LOG the packets you refuse, use two separate rules with the same matching criteria, first using target LOG then DROP (or REJECT)."
-msgstr "マッチしたパケットをカーネルログに記録する。 このオプションがルールに対して設定されると、 Linux カーネルはマッチしたパケットについての (大部分の IP ヘッダーフィールドのような) 何らかの情報を カーネルログに表示する (カーネルログは I<dmesg> または I<syslogd>(8) で見ることができる)。 これは \"非終了ターゲット\" である。 すなわち、 ルールの探索は次のルールへと継続される。 よって、 拒否するパケットをログ記録したければ、 同じマッチング判断基準を持つ 2 つのルールを使用し、 最初のルールで LOG ターゲットを、 次のルールで DROP (または REJECT) ターゲットを指定する。"
-
-#. type: Plain text
-msgid "Log options from the IP packet header."
-msgstr "IP パケットヘッダーのオプションをログに記録する。"
-
-#. type: SS
-#, no-wrap
msgid "MARK"
msgstr "MARK"
#. type: SS
#, no-wrap
-msgid "MASQUERADE (IPv6-specific)"
-msgstr "MASQUERADE (IPv6 の場合)"
+msgid "MASQUERADE"
+msgstr ""
#. type: Plain text
-msgid "This target is only valid in the B<nat> table, in the B<POSTROUTING> chain. It should only be used with dynamically assigned IPv6 (dialup) connections: if you have a static IP address, you should use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out, but also has the effect that connections are I<forgotten> when the interface goes down. This is the correct behavior when the next dialup is unlikely to have the same interface address (and hence any established connections are lost anyway)."
-msgstr "このターゲットは B<nat> テーブルの B<POSTROUTING> チェインのみで有効である。 動的割り当て IPv6 (ダイヤルアップ) コネクションの場合にのみ使うべきである。 固定 IP アドレスならば、 SNAT ターゲットを使うべきである。 マスカレーディングは、 パケットが送信されるインターフェースの IP アドレスへのマッピングを指定するのと同じであるが、 インターフェースが停止した場合にコネクションをI<忘れる>という効果がある。 次のダイヤルアップでは同じインターフェースアドレスになる可能性が低い (そのため、 前回確立されたコネクションは失われる) 場合、 この動作は正しい。"
+msgid "This target is only valid in the B<nat> table, in the B<POSTROUTING> chain. It should only be used with dynamically assigned IP (dialup) connections: if you have a static IP address, you should use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out, but also has the effect that connections are I<forgotten> when the interface goes down. This is the correct behavior when the next dialup is unlikely to have the same interface address (and hence any established connections are lost anyway)."
+msgstr "このターゲットは B<nat> テーブルの B<POSTROUTING> チェインのみで有効である。 動的割り当て IP (ダイヤルアップ) コネクションの場合にのみ使うべきである。 固定 IP アドレスならば、 SNAT ターゲットを使うべきである。 マスカレーディングは、 パケットが送信されるインターフェースの IP アドレスへのマッピングを指定するのと同じであるが、 インターフェースが停止した場合にコネクションをI<忘れる>という効果がある。 次のダイヤルアップでは同じインターフェースアドレスになる可能性が低い (そのため、 前回確立されたコネクションは失われる) 場合、 この動作は正しい。"
#. type: TP
#, no-wrap
msgstr "B<--to-ports> I<port>[B<->I<port>]"
#. type: Plain text
-msgid "This specifies a range of source ports to use, overriding the default B<SNAT> source port-selection heuristics (see above). This is only valid if the rule also specifies B<-p tcp> or B<-p udp>."
+#, fuzzy
+#| msgid "This specifies a range of source ports to use, overriding the default B<SNAT> source port-selection heuristics (see above). This is only valid if the rule also specifies B<-p tcp> or B<-p udp>."
+msgid "This specifies a range of source ports to use, overriding the default B<SNAT> source port-selection heuristics (see above). This is only valid if the rule also specifies one of the following protocols: B<tcp>, B<udp>, B<dccp> or B<sctp>."
msgstr "このオプションは、 使用する送信元ポートの範囲を指定し、 デフォルトの B<SNAT> 送信元ポートの選択方法 (上記) よりも優先される。 ルールが B<-p tcp> または B<-p udp> を指定している場合にのみ有効である。"
#. type: Plain text
-msgid "Randomize source port mapping If option B<--random> is used then port mapping will be randomized."
-msgstr ""
-
-#. type: SS
-#, no-wrap
-msgid "MASQUERADE (IPv4-specific)"
-msgstr "MASQUERADE (IPv4 の場合)"
-
-#. type: Plain text
-msgid "This target is only valid in the B<nat> table, in the B<POSTROUTING> chain. It should only be used with dynamically assigned IP (dialup) connections: if you have a static IP address, you should use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out, but also has the effect that connections are I<forgotten> when the interface goes down. This is the correct behavior when the next dialup is unlikely to have the same interface address (and hence any established connections are lost anyway)."
-msgstr "このターゲットは B<nat> テーブルの B<POSTROUTING> チェインのみで有効である。 動的割り当て IP (ダイヤルアップ) コネクションの場合にのみ使うべきである。 固定 IP アドレスならば、 SNAT ターゲットを使うべきである。 マスカレーディングは、 パケットが送信されるインターフェースの IP アドレスへのマッピングを指定するのと同じであるが、 インターフェースが停止した場合にコネクションをI<忘れる>という効果がある。 次のダイヤルアップでは同じインターフェースアドレスになる可能性が低い (そのため、 前回確立されたコネクションは失われる) 場合、 この動作は正しい。"
-
-#. type: Plain text
msgid "Randomize source port mapping If option B<--random> is used then port mapping will be randomized (kernel E<gt>= 2.6.21)."
msgstr ""
#. type: SS
#, no-wrap
-msgid "NETMAP (IPv4-specific)"
-msgstr "NETMAP (IPv4 の場合)"
+msgid "NETMAP"
+msgstr ""
#. type: Plain text
msgid "This target allows you to statically map a whole network of addresses onto another network of addresses. It can only be used from rules in the B<nat> table."
msgstr "NFQUEUE"
#. type: Plain text
-msgid "This target is an extension of the QUEUE target. As opposed to QUEUE, it allows you to put a packet into any specific queue, identified by its 16-bit queue number. It can only be used with Kernel versions 2.6.14 or later, since it requires the B<nfnetlink_queue> kernel support. The B<queue-balance> option was added in Linux 2.6.31, B<queue-bypass> in 2.6.39."
+msgid "This target passes the packet to userspace using the B<nfnetlink_queue> handler. The packet is put into the queue identified by its 16-bit queue number. Userspace can inspect and modify the packet if desired. Userspace must then drop or reinject the packet into the kernel. Please see libnetfilter_queue for details. B<nfnetlink_queue> was added in Linux 2.6.14. The B<queue-balance> option was added in Linux 2.6.31, B<queue-bypass> in 2.6.39."
msgstr ""
#. type: TP
msgstr "B<--queue-bypass>"
#. type: Plain text
-msgid "By default, if no userspace program is listening on an NFQUEUE, then all packets that are to be queued are dropped. When this option is used, the NFQUEUE rule is silently bypassed instead. The packet will move on to the next rule."
+msgid "By default, if no userspace program is listening on an NFQUEUE, then all packets that are to be queued are dropped. When this option is used, the NFQUEUE rule behaves like ACCEPT instead, and the packet will move on to the next table."
+msgstr ""
+
+#. type: TP
+#, fuzzy, no-wrap
+#| msgid "B<--queue-bypass>"
+msgid "B<--queue-cpu-fanout>"
+msgstr "B<--queue-bypass>"
+
+#. type: Plain text
+msgid "Available starting Linux kernel 3.10. When used together with B<--queue-balance> this will use the CPU ID as an index to map packets to the queues. The idea is that you can improve performance if there's a queue per CPU. This requires B<--queue-balance> to be specified."
msgstr ""
#. type: SS
msgstr "NOTRACK"
#. type: Plain text
-msgid "This target disables connection tracking for all packets matching that rule. It is obsoleted by -j CT --notrack. Like CT, NOTRACK can only be used in the B<raw> table."
+msgid "This extension disables connection tracking for all packets matching that rule. It is equivalent with -j CT --notrack. Like CT, NOTRACK can only be used in the B<raw> table."
msgstr ""
#. type: SS
#. type: SS
#, no-wrap
-msgid "REDIRECT (IPv4-specific)"
-msgstr "REDIRECT (IPv4 の場合)"
+msgid "REDIRECT"
+msgstr ""
#. type: Plain text
-msgid "This target is only valid in the B<nat> table, in the B<PREROUTING> and B<OUTPUT> chains, and user-defined chains which are only called from those chains. It redirects the packet to the machine itself by changing the destination IP to the primary address of the incoming interface (locally-generated packets are mapped to the 127.0.0.1 address)."
+#, fuzzy
+#| msgid "This target is only valid in the B<nat> table, in the B<PREROUTING> and B<OUTPUT> chains, and user-defined chains which are only called from those chains. It redirects the packet to the machine itself by changing the destination IP to the primary address of the incoming interface (locally-generated packets are mapped to the 127.0.0.1 address)."
+msgid "This target is only valid in the B<nat> table, in the B<PREROUTING> and B<OUTPUT> chains, and user-defined chains which are only called from those chains. It redirects the packet to the machine itself by changing the destination IP to the primary address of the incoming interface (locally-generated packets are mapped to the localhost address, 127.0.0.1 for IPv4 and ::1 for IPv6)."
msgstr "このターゲットは、 B<nat> テーブルの B<PREROUTING> チェインと B<OUTPUT> チェイン、 およびこれらチェインから呼び出されるユーザー定義チェインでのみ有効である。 このターゲットは、 宛先 IP をパケットを受信したインタフェースの最初のアドレスに変更することで、 パケットをそのマシン自身にリダイレクトする (ローカルで生成されたパケットは、 アドレス 127.0.0.1 にマップされる)。"
#. type: Plain text
-msgid "This specifies a destination port or range of ports to use: without this, the destination port is never altered. This is only valid if the rule also specifies B<-p tcp> or B<-p udp>."
+#, fuzzy
+#| msgid "This specifies a destination port or range of ports to use: without this, the destination port is never altered. This is only valid if the rule also specifies B<-p tcp> or B<-p udp>."
+msgid "This specifies a destination port or range of ports to use: without this, the destination port is never altered. This is only valid if the rule also specifies one of the following protocols: B<tcp>, B<udp>, B<dccp> or B<sctp>."
msgstr "このオプションは使用される宛先ポート・ポート範囲・複数ポートを指定する。 このオプションが指定されない場合、 宛先ポートは変更されない。 ルールが B<-p tcp> または B<-p udp> を指定している場合にのみ有効である。"
+#. type: TP
+#, no-wrap
+msgid "IPv6 support available starting Linux kernels E<gt>= 3.7."
+msgstr ""
+
#. type: SS
#, no-wrap
msgid "REJECT (IPv6-specific)"
msgstr "B<--reject-with> I<type>"
#. type: Plain text
-msgid "The type given can be B<icmp6-no-route>, B<no-route>, B<icmp6-adm-prohibited>, B<adm-prohibited>, B<icmp6-addr-unreachable>, B<addr-unreach>, B<icmp6-port-unreachable> or B<port-unreach> which return the appropriate ICMPv6 error message (B<port-unreach> is the default). Finally, the option B<tcp-reset> can be used on rules which only match the TCP protocol: this causes a TCP RST packet to be sent back. This is mainly useful for blocking I<ident> (113/tcp) probes which frequently occur when sending mail to broken mail hosts (which won't accept your mail otherwise). B<tcp-reset> can only be used with kernel versions 2.6.14 or later."
+#, fuzzy
+#| msgid "The type given can be B<icmp6-no-route>, B<no-route>, B<icmp6-adm-prohibited>, B<adm-prohibited>, B<icmp6-addr-unreachable>, B<addr-unreach>, B<icmp6-port-unreachable> or B<port-unreach> which return the appropriate ICMPv6 error message (B<port-unreach> is the default). Finally, the option B<tcp-reset> can be used on rules which only match the TCP protocol: this causes a TCP RST packet to be sent back. This is mainly useful for blocking I<ident> (113/tcp) probes which frequently occur when sending mail to broken mail hosts (which won't accept your mail otherwise). B<tcp-reset> can only be used with kernel versions 2.6.14 or later."
+msgid "The type given can be B<icmp6-no-route>, B<no-route>, B<icmp6-adm-prohibited>, B<adm-prohibited>, B<icmp6-addr-unreachable>, B<addr-unreach>, or B<icmp6-port-unreachable>, which return the appropriate ICMPv6 error message (B<icmp6-port-unreachable> is the default). Finally, the option B<tcp-reset> can be used on rules which only match the TCP protocol: this causes a TCP RST packet to be sent back. This is mainly useful for blocking I<ident> (113/tcp) probes which frequently occur when sending mail to broken mail hosts (which won't accept your mail otherwise). B<tcp-reset> can only be used with kernel versions 2.6.14 or later."
msgstr "指定できるタイプは B<icmp6-no-route>, B<no-route>, B<icmp6-adm-prohibited>, B<adm-prohibited>, B<icmp6-addr-unreachable>, B<addr-unreach>, B<icmp6-port-unreachable>, B<port-unreach> である。 指定したタイプの適切な IPv6 エラーメッセージが返される (B<port-unreach> がデフォルトである)。 さらに、 TCP プロトコルにのみマッチするルールに対して、 オプション B<tcp-reset> を使うことができる。 このオプションを使うと、 TCP RST パケットが送り返される。 主として I<ident> (113/tcp) による探査を阻止するのに役立つ。 I<ident> による探査は、 壊れている (メールを受け取らない) メールホストに メールが送られる場合に頻繁に起こる。 B<tcp-reset> はバージョン 2.6.14 以降のカーネルでのみ使用できる。"
#. type: SS
msgstr "REJECT (IPv4 の場合)"
#. type: Plain text
-msgid "The type given can be B<icmp-net-unreachable>, B<icmp-host-unreachable>, B<icmp-port-unreachable>, B<icmp-proto-unreachable>, B<icmp-net-prohibited>, B<icmp-host-prohibited> or B<icmp-admin-prohibited> (*) which return the appropriate ICMP error message (B<port-unreachable> is the default). The option B<tcp-reset> can be used on rules which only match the TCP protocol: this causes a TCP RST packet to be sent back. This is mainly useful for blocking I<ident> (113/tcp) probes which frequently occur when sending mail to broken mail hosts (which won't accept your mail otherwise)."
+#, fuzzy
+#| msgid "The type given can be B<icmp-net-unreachable>, B<icmp-host-unreachable>, B<icmp-port-unreachable>, B<icmp-proto-unreachable>, B<icmp-net-prohibited>, B<icmp-host-prohibited> or B<icmp-admin-prohibited> (*) which return the appropriate ICMP error message (B<port-unreachable> is the default). The option B<tcp-reset> can be used on rules which only match the TCP protocol: this causes a TCP RST packet to be sent back. This is mainly useful for blocking I<ident> (113/tcp) probes which frequently occur when sending mail to broken mail hosts (which won't accept your mail otherwise)."
+msgid "The type given can be B<icmp-net-unreachable>, B<icmp-host-unreachable>, B<icmp-port-unreachable>, B<icmp-proto-unreachable>, B<icmp-net-prohibited>, B<icmp-host-prohibited>, or B<icmp-admin-prohibited> (*), which return the appropriate ICMP error message (B<icmp-port-unreachable> is the default). The option B<tcp-reset> can be used on rules which only match the TCP protocol: this causes a TCP RST packet to be sent back. This is mainly useful for blocking I<ident> (113/tcp) probes which frequently occur when sending mail to broken mail hosts (which won't accept your mail otherwise)."
msgstr "指定できるタイプは B<icmp-net-unreachable>, B<icmp-host-unreachable>, B<icmp-port-unreachable>, B<icmp-proto-unreachable>, B<icmp-net-prohibited>, B<icmp-host-prohibited>, B<icmp-admin-prohibited> (*) である。指定したタイプの適切な ICMP エラーメッセージを返す (B<port-unreachable> がデフォルトである)。 TCP プロトコルにのみマッチするルールに対して、 オプション B<tcp-reset> を使うことができる。 このオプションを使うと、 TCP RST パケットが送り返される。 主として I<ident> (113/tcp) による探査を阻止するのに役立つ。 I<ident> による探査は、 壊れている (メールを受け取らない) メールホストに メールが送られる場合に頻繁に起こる。"
#. type: Plain text
msgstr "-j SET を使用するには ipset のカーネルサポートが必要である。 標準のカーネルでは、 Linux 2.6.39 以降で提供されている。"
#. type: SS
-#, no-wrap
-msgid "SNAT (IPv4-specific)"
-msgstr "SNAT (IPv4 の場合)"
+#, fuzzy, no-wrap
+#| msgid "B<SNAT>"
+msgid "SNAT"
+msgstr "B<SNAT>"
#. type: Plain text
-msgid "This target is only valid in the B<nat> table, in the B<POSTROUTING> chain. It specifies that the source address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one type of option:"
-msgstr "このターゲットは B<nat> テーブルの B<POSTROUTING> チェインのみで有効である。 このターゲットはパケットの送信元アドレスを修正させる (このコネクションの以降のパケットも修正して分からなく (mangle) する)。 さらに、 ルールが評価を中止するように指示する。 このターゲットにはオプションが 1 種類ある:"
+#, fuzzy
+#| msgid "This target is only valid in the B<nat> table, in the B<PREROUTING> and B<OUTPUT> chains, and user-defined chains which are only called from those chains. It specifies that the destination address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one type of option:"
+msgid "This target is only valid in the B<nat> table, in the B<POSTROUTING> and B<INPUT> chains, and user-defined chains which are only called from those chains. It specifies that the source address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes the following options:"
+msgstr "このターゲットは B<nat> テーブルの B<PREROUTING>, B<OUTPUT> チェイン、 これらのチェインから呼び出される ユーザー定義チェインのみで有効である。 このターゲットはパケットの宛先アドレスを修正する (このコネクションの以降のパケットも修正して分からなく (mangle) する)。 さらに、 ルールによるチェックを止めさせる。 このターゲットにはオプションが 1 種類ある:"
#. type: TP
#, no-wrap
msgstr "B<--to-source> [I<ipaddr>[B<->I<ipaddr>]][B<:>I<port>[B<->I<port>]]"
#. type: Plain text
-msgid "which can specify a single new source IP address, an inclusive range of IP addresses, and optionally, a port range (which is only valid if the rule also specifies B<-p tcp> or B<-p udp>). If no port range is specified, then source ports below 512 will be mapped to other ports below 512: those between 512 and 1023 inclusive will be mapped to ports below 1024, and other ports will be mapped to 1024 or above. Where possible, no port alteration will occur."
+#, fuzzy
+#| msgid "which can specify a single new source IP address, an inclusive range of IP addresses, and optionally, a port range (which is only valid if the rule also specifies B<-p tcp> or B<-p udp>). If no port range is specified, then source ports below 512 will be mapped to other ports below 512: those between 512 and 1023 inclusive will be mapped to ports below 1024, and other ports will be mapped to 1024 or above. Where possible, no port alteration will occur."
+msgid "which can specify a single new source IP address, an inclusive range of IP addresses. Optionally a port range, if the rule also specifies one of the following protocols: B<tcp>, B<udp>, B<dccp> or B<sctp>. If no port range is specified, then source ports below 512 will be mapped to other ports below 512: those between 512 and 1023 inclusive will be mapped to ports below 1024, and other ports will be mapped to 1024 or above. Where possible, no port alteration will occur. In Kernels up to 2.6.10, you can add several --to-source options. For those kernels, if you specify more than one source address, either via an address range or multiple --to-source options, a simple round-robin (one after another in cycle) takes place between these addresses. Later Kernels (E<gt>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore."
msgstr "1 つの新しい送信元 IP アドレス、 または IP アドレスの範囲が指定できる。 ポートの範囲を指定することもできる (ルールが B<-p tcp> または B<-p udp> を指定している場合にのみ有効)。 ポートの範囲が指定されていない場合、 512 未満の送信元ポートは、 他の 512 未満のポートにマッピングされる。 512 〜 1023 までのポートは、 1024 未満のポートにマッピングされる。 それ以外のポートは、 1024 以上のポートにマッピングされる。 可能であれば、 ポートの変換は起こらない。"
#. type: Plain text
-msgid "In Kernels up to 2.6.10, you can add several --to-source options. For those kernels, if you specify more than one source address, either via an address range or multiple --to-source options, a simple round-robin (one after another in cycle) takes place between these addresses. Later Kernels (E<gt>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore."
-msgstr "2.6.10 以前のカーネルでは、 複数の --to-source オプションを指定することができる。 これらのカーネルでは、 アドレスの範囲指定や --to-source オプションの複数回指定により 2 つ以上の送信元アドレスを指定した場合、 それらのアドレスを使った単純なラウンド・ロビンが行われる。 それ以降のカーネル (E<gt>= 2.6.11-rc1) には複数の範囲を NAT する機能は存在しない。"
+msgid "If option B<--random> is used then port mapping will be randomized (kernel E<gt>= 2.6.21)."
+msgstr ""
#. type: Plain text
-msgid "If option B<--random> is used then port mapping will be randomized (kernel E<gt>= 2.6.21)."
+msgid "Kernels prior to 2.6.36-rc1 don't have the ability to B<SNAT> in the B<INPUT> chain."
+msgstr ""
+
+#. type: SS
+#, fuzzy, no-wrap
+#| msgid "SNAT (IPv4-specific)"
+msgid "SNPT (IPv6-specific)"
+msgstr "SNAT (IPv4 の場合)"
+
+#. type: Plain text
+msgid "Provides stateless source IPv6-to-IPv6 Network Prefix Translation (as described by RFC 6296)."
+msgstr ""
+
+#. type: Plain text
+msgid "You have to use the DNPT target to undo the translation. Example:"
msgstr ""
#. type: SS
msgstr "ULOG (IPv4 の場合)"
#. type: Plain text
-msgid "This target provides userspace logging of matching packets. When this target is set for a rule, the Linux kernel will multicast this packet through a I<netlink> socket. One or more userspace processes may then subscribe to various multicast groups and receive the packets. Like LOG, this is a \"non-terminating target\", i.e. rule traversal continues at the next rule."
+#, fuzzy
+#| msgid "This target provides userspace logging of matching packets. When this target is set for a rule, the Linux kernel will multicast this packet through a I<netlink> socket. One or more userspace processes may then subscribe to various multicast groups and receive the packets. Like LOG, this is a \"non-terminating target\", i.e. rule traversal continues at the next rule."
+msgid "This is the deprecated ipv4-only predecessor of the NFLOG target. It provides userspace logging of matching packets. When this target is set for a rule, the Linux kernel will multicast this packet through a I<netlink> socket. One or more userspace processes may then subscribe to various multicast groups and receive the packets. Like LOG, this is a \"non-terminating target\", i.e. rule traversal continues at the next rule."
msgstr "このターゲットは、 マッチしたパケットを ユーザー空間でログ記録する機能を提供する。 このターゲットがルールに設定されると、 Linux カーネルは、 そのパケットを I<netlink> ソケットを用いてマルチキャストする。 そして、 1 つ以上のユーザー空間プロセスが いろいろなマルチキャストグループに登録をおこない、 パケットを受信する。 LOG と同様、 これは \"非終了ターゲット\" であり、 ルールの探索は次のルールへと継続される。"
#. type: TP
#. type: Plain text
msgid "Number of packet to queue inside kernel. Setting this value to, e.g. 10 accumulates ten packets inside the kernel and transmits them as one netlink multipart message to userspace. Default is 1 (for backwards compatibility)."
msgstr "カーネル内部のキューに入れられるパケットの数。 例えば、 この値を 10 にした場合、 カーネル内部で 10 個のパケットをまとめ、 1 つの netlink マルチパートメッセージとしてユーザー空間に送る。 (過去のものとの互換性のため) デフォルトは 1 である。"
+
+#~ msgid "Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/) also has some examples of usage."
+#~ msgstr "Steve の ipt_recent ウェブサイト (http://snowman.net/projects/ipt_recent/) にも使用例がいくつかある。"
+
+#~ msgid "which can specify a single new destination IP address, an inclusive range of IP addresses, and optionally, a port range (which is only valid if the rule also specifies B<-p tcp> or B<-p udp>). If no port range is specified, then the destination port will never be modified. If no IP address is specified then only the destination port will be modified."
+#~ msgstr "1 つの新しい宛先 IP アドレス、 または IP アドレスの範囲が指定できる。 ポートの範囲を指定することもできる (これはルールで B<-p tcp> または B<-p udp> を指定している場合にのみ有効)。 ポートの範囲が指定されていない場合、 宛先ポートは変更されない。 IP アドレスが指定されなかった場合は、 宛先ポートだけが変更される。"
+
+#~ msgid "LOG (IPv6-specific)"
+#~ msgstr "LOG (IPv6 の場合)"
+
+#~ msgid "LOG (IPv4-specific)"
+#~ msgstr "LOG (IPv4 の場合)"
+
+#~ msgid "Log options from the IP packet header."
+#~ msgstr "IP パケットヘッダーのオプションをログに記録する。"
+
+#~ msgid "MASQUERADE (IPv6-specific)"
+#~ msgstr "MASQUERADE (IPv6 の場合)"
+
+#~ msgid "This target is only valid in the B<nat> table, in the B<POSTROUTING> chain. It should only be used with dynamically assigned IPv6 (dialup) connections: if you have a static IP address, you should use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out, but also has the effect that connections are I<forgotten> when the interface goes down. This is the correct behavior when the next dialup is unlikely to have the same interface address (and hence any established connections are lost anyway)."
+#~ msgstr "このターゲットは B<nat> テーブルの B<POSTROUTING> チェインのみで有効である。 動的割り当て IPv6 (ダイヤルアップ) コネクションの場合にのみ使うべきである。 固定 IP アドレスならば、 SNAT ターゲットを使うべきである。 マスカレーディングは、 パケットが送信されるインターフェースの IP アドレスへのマッピングを指定するのと同じであるが、 インターフェースが停止した場合にコネクションをI<忘れる>という効果がある。 次のダイヤルアップでは同じインターフェースアドレスになる可能性が低い (そのため、 前回確立されたコネクションは失われる) 場合、 この動作は正しい。"
+
+#~ msgid "MASQUERADE (IPv4-specific)"
+#~ msgstr "MASQUERADE (IPv4 の場合)"
+
+#~ msgid "NETMAP (IPv4-specific)"
+#~ msgstr "NETMAP (IPv4 の場合)"
+
+#~ msgid "REDIRECT (IPv4-specific)"
+#~ msgstr "REDIRECT (IPv4 の場合)"
+
+#~ msgid "This target is only valid in the B<nat> table, in the B<POSTROUTING> chain. It specifies that the source address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one type of option:"
+#~ msgstr "このターゲットは B<nat> テーブルの B<POSTROUTING> チェインのみで有効である。 このターゲットはパケットの送信元アドレスを修正させる (このコネクションの以降のパケットも修正して分からなく (mangle) する)。 さらに、 ルールが評価を中止するように指示する。 このターゲットにはオプションが 1 種類ある:"
+
+#~ msgid "In Kernels up to 2.6.10, you can add several --to-source options. For those kernels, if you specify more than one source address, either via an address range or multiple --to-source options, a simple round-robin (one after another in cycle) takes place between these addresses. Later Kernels (E<gt>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore."
+#~ msgstr "2.6.10 以前のカーネルでは、 複数の --to-source オプションを指定することができる。 これらのカーネルでは、 アドレスの範囲指定や --to-source オプションの複数回指定により 2 つ以上の送信元アドレスを指定した場合、 それらのアドレスを使った単純なラウンド・ロビンが行われる。 それ以降のカーネル (E<gt>= 2.6.11-rc1) には複数の範囲を NAT する機能は存在しない。"
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2013-04-08 14:07+0900\n"
+"POT-Creation-Date: 2014-05-07 04:08+0900\n"
"PO-Revision-Date: 2013-04-08 16:21+0900\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
#. type: TH
#, no-wrap
-msgid "Jan 04, 2001"
-msgstr "Jan 04, 2001"
+msgid "iptables 1.4.21"
+msgstr ""
#. Man page written by Harald Welte <laforge@gnumonks.org>
#. It is based on the iptables man page.
msgid "iptables-restore \\(em Restore IP Tables"
msgstr "iptables-restore \\(em IP テーブルを復元する"
+#. type: Plain text
+#, fuzzy
+#| msgid "iptables-restore \\(em Restore IP Tables"
+msgid "ip6tables-restore \\(em Restore IPv6 Tables"
+msgstr "iptables-restore \\(em IP テーブルを復元する"
+
#. type: SH
#, no-wrap
msgid "SYNOPSIS"
msgstr "書式"
#. type: Plain text
-msgid "B<iptables-restore> [B<-chntv>] [B<-M> I<modprobe>] [B<-T> I<name>]"
+#, fuzzy
+#| msgid "B<iptables-restore> [B<-chntv>] [B<-M> I<modprobe>] [B<-T> I<name>]"
+msgid "B<iptables-restore> [B<-chntv>] [B<-M> I<modprobe>]"
+msgstr "B<iptables-restore> [B<-chntv>] [B<-M> I<modprobe>] [B<-T> I<name>]"
+
+#. type: Plain text
+#, fuzzy
+#| msgid "B<iptables-restore> [B<-chntv>] [B<-M> I<modprobe>] [B<-T> I<name>]"
+msgid "B<ip6tables-restore> [B<-chntv>] [B<-M> I<modprobe>] [B<-T> I<name>]"
msgstr "B<iptables-restore> [B<-chntv>] [B<-M> I<modprobe>] [B<-T> I<name>]"
#. type: SH
msgstr "説明"
#. type: Plain text
-msgid "B<iptables-restore> is used to restore IP Tables from data specified on STDIN. Use I/O redirection provided by your shell to read from a file"
+#, fuzzy
+#| msgid "B<iptables-restore> is used to restore IP Tables from data specified on STDIN. Use I/O redirection provided by your shell to read from a file"
+msgid "B<iptables-restore> and B<ip6tables-restore> are used to restore IP and IPv6 Tables from data specified on STDIN. Use I/O redirection provided by your shell to read from a file"
msgstr "B<iptables-restore> は標準入力で指定されたデータから IP テーブルを復元するために使われる。 ファイルから読み込むためには、 シェルで提供されている I/O リダイレクションを使うこと。"
#. type: TP
msgstr "簡潔なオプション一覧を表示する。"
#. type: TP
-#, no-wrap
-msgid "B<-n>, B<--noflush> "
+#, fuzzy, no-wrap
+#| msgid "B<-n>, B<--noflush> "
+msgid "B<-n>, B<--noflush>"
msgstr "B<-n>, B<--noflush> "
#. type: Plain text
-msgid "don't flush the previous contents of the table. If not specified, B<iptables-restore> flushes (deletes) all previous contents of the respective table."
+#, fuzzy
+#| msgid "don't flush the previous contents of the table. If not specified, B<iptables-restore> flushes (deletes) all previous contents of the respective table."
+msgid "don't flush the previous contents of the table. If not specified, both commands flush (delete) all previous contents of the respective table."
msgstr "これまでのテーブルの内容をフラッシュしない。 指定されない場合、 B<iptables-restore> は、これまでの各テーブルの内容を全てフラッシュ (削除) する。"
#. type: TP
msgstr "iptables-1.2.1 リリースでは知られていない。"
#. type: SH
-#, no-wrap
-msgid "AUTHOR"
+#, fuzzy, no-wrap
+#| msgid "AUTHOR"
+msgid "AUTHORS"
msgstr "作者"
#. type: Plain text
-msgid "Harald Welte E<lt>laforge@gnumonks.orgE<gt>"
+#, fuzzy
+#| msgid "Harald Welte E<lt>laforge@gnumonks.orgE<gt>"
+msgid "Harald Welte E<lt>laforge@gnumonks.orgE<gt> wrote iptables-restore based on code from Rusty Russell."
msgstr "Harald Welte E<lt>laforge@gnumonks.orgE<gt>"
+#. type: Plain text
+msgid "Andras Kis-Szabo E<lt>kisza@sch.bme.huE<gt> contributed ip6tables-restore."
+msgstr ""
+
#. type: SH
#, no-wrap
msgid "SEE ALSO"
#. type: Plain text
msgid "The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO, which details NAT, and the netfilter-hacking-HOWTO which details the internals."
msgstr "より多くの iptables の使用法について 詳細に説明している iptables-HOWTO。 NAT について詳細に説明している NAT-HOWTO。 内部構造について詳細に説明している netfilter-hacking-HOWTO。"
+
+#~ msgid "Jan 04, 2001"
+#~ msgstr "Jan 04, 2001"
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2013-04-08 14:07+0900\n"
+"POT-Creation-Date: 2014-05-07 04:08+0900\n"
"PO-Revision-Date: 2013-04-08 14:54+0900\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
#. type: TH
#, no-wrap
-msgid "Jan 04, 2001"
-msgstr "Jan 04, 2001"
+msgid "iptables 1.4.21"
+msgstr ""
#. Man page written by Harald Welte <laforge@gnumonks.org>
#. It is based on the iptables man page.
msgid "iptables-save \\(em dump iptables rules to stdout"
msgstr "iptables-save \\(em iptables ルールを標準出力にダンプする"
+#. type: Plain text
+#, fuzzy
+#| msgid "iptables-save \\(em dump iptables rules to stdout"
+msgid "ip6tables-save \\(em dump iptables rules to stdout"
+msgstr "iptables-save \\(em iptables ルールを標準出力にダンプする"
+
#. type: SH
#, no-wrap
msgid "SYNOPSIS"
msgid "B<iptables-save> [B<-M> I<modprobe>] [B<-c>] [B<-t> I<table>]"
msgstr "B<iptables-save> [B<-M> I<modprobe>] [B<-c>] [B<-t> I<table>]"
+#. type: Plain text
+#, fuzzy
+#| msgid "B<iptables-save> [B<-M> I<modprobe>] [B<-c>] [B<-t> I<table>]"
+msgid "B<ip6tables-save> [B<-M> I<modprobe>] [B<-c>] [B<-t> I<table>"
+msgstr "B<iptables-save> [B<-M> I<modprobe>] [B<-c>] [B<-t> I<table>]"
+
#. type: SH
#, no-wrap
msgid "DESCRIPTION"
msgstr "説明"
#. type: Plain text
-msgid "B<iptables-save> is used to dump the contents of an IP Table in easily parseable format to STDOUT. Use I/O-redirection provided by your shell to write to a file."
+#, fuzzy
+#| msgid "B<iptables-save> is used to dump the contents of an IP Table in easily parseable format to STDOUT. Use I/O-redirection provided by your shell to write to a file."
+msgid "B<iptables-save> and B<ip6tables-save> are used to dump the contents of IP or IPv6 Table in easily parseable format to STDOUT. Use I/O-redirection provided by your shell to write to a file."
msgstr "B<iptables-save> は IP テーブルの内容を簡単に解析できる形式で 標準出力にダンプするために使われる。 ファイルに書き出すためには、 シェルで提供されている I/O リダイレクションを使うこと。"
#. type: TP
msgstr "iptables-1.2.1 リリースでは知られていない。"
#. type: SH
-#, no-wrap
-msgid "AUTHOR"
+#, fuzzy, no-wrap
+#| msgid "AUTHOR"
+msgid "AUTHORS"
msgstr "作者"
#. type: Plain text
msgid "Harald Welte E<lt>laforge@gnumonks.orgE<gt>"
msgstr "Harald Welte E<lt>laforge@gnumonks.orgE<gt>"
+#. type: Plain text
+msgid "Rusty Russell E<lt>rusty@rustcorp.com.auE<gt>"
+msgstr ""
+
+#. type: Plain text
+msgid "Andras Kis-Szabo E<lt>kisza@sch.bme.huE<gt> contributed ip6tables-save."
+msgstr ""
+
#. type: SH
#, no-wrap
msgid "SEE ALSO"
#. type: Plain text
msgid "The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO, which details NAT, and the netfilter-hacking-HOWTO which details the internals."
msgstr "より多くの iptables の使用法について 詳細に説明している iptables-HOWTO。 NAT について詳細に説明している NAT-HOWTO。 内部構造について詳細に説明している netfilter-hacking-HOWTO。"
+
+#~ msgid "Jan 04, 2001"
+#~ msgstr "Jan 04, 2001"
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2013-04-08 14:07+0900\n"
+"POT-Creation-Date: 2014-05-07 04:08+0900\n"
"PO-Revision-Date: 2013-05-24 16:53+0900\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
msgstr "IPTABLES"
#. type: TH
-#, no-wrap
-msgid "iptables 1.4.18"
+#, fuzzy, no-wrap
+#| msgid "iptables 1.4.18"
+msgid "iptables 1.4.21"
msgstr "iptables 1.4.18"
#. Man page written by Herve Eychenne <rv@wallfire.org> (May 1999)
msgstr "名前"
#. type: Plain text
-msgid "iptables \\(em administration tool for IPv4 packet filtering and NAT"
+#, fuzzy
+#| msgid "iptables \\(em administration tool for IPv4 packet filtering and NAT"
+msgid "iptables/ip6tables \\(em administration tool for IPv4/IPv6 packet filtering and NAT"
msgstr "iptables \\(em IPv4 のパケットフィルタと NAT の管理ツール"
#. type: SH
msgstr "B<iptables> [B<-t> I<table>] {B<-A>|B<-C>|B<-D>} I<chain> I<rule-specification>"
#. type: Plain text
+#, fuzzy
+#| msgid "B<iptables> [B<-t> I<table>] {B<-A>|B<-C>|B<-D>} I<chain> I<rule-specification>"
+msgid "B<ip6tables> [B<-t> I<table>] {B<-A>|B<-C>|B<-D>} I<chain rule-specification>"
+msgstr "B<iptables> [B<-t> I<table>] {B<-A>|B<-C>|B<-D>} I<chain> I<rule-specification>"
+
+#. type: Plain text
msgid "B<iptables> [B<-t> I<table>] B<-I> I<chain> [I<rulenum>] I<rule-specification>"
msgstr "B<iptables> [B<-t> I<table>] B<-I> I<chain> [I<rulenum>] I<rule-specification>"
msgstr "説明"
#. type: Plain text
-msgid "B<Iptables> is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains."
+#, fuzzy
+#| msgid "B<Iptables> is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains."
+msgid "B<Iptables> and B<ip6tables> are used to set up, maintain, and inspect the tables of IPv4 and IPv6 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains."
msgstr "B<iptables> は Linux カーネルの IPv4 パケットフィルタルールのテーブルの設定・管理・検査に使用される。 複数の異なるテーブルを定義できる。 各テーブルには数個の組み込みチェインがあり、 さらにユーザー定義のチェインを加えることもできる。"
#. type: Plain text
msgstr "ターゲット"
#. type: Plain text
-msgid "A firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is the examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values B<ACCEPT>, B<DROP>, B<QUEUE> or B<RETURN>."
+#, fuzzy
+#| msgid "A firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is the examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values B<ACCEPT>, B<DROP>, B<QUEUE> or B<RETURN>."
+msgid "A firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain, one of the targets described in B<iptables-extensions>(8), or one of the special values B<ACCEPT>, B<DROP> or B<RETURN>."
msgstr "ファイアウォールのルールでは、 パケットのマッチ条件とターゲットを指定する。 パケットがマッチしない場合、 チェイン内の次のルールが評価される。 パケットがマッチした場合、 ターゲットの値によって次のルールが指定される。 ターゲットの値には、 ユーザー定義チェインの名前、 もしくは特別な値 B<ACCEPT>, B<DROP>, B<QUEUE>, B<RETURN> のいずれか 1 つを指定する。"
#. type: Plain text
-msgid "B<ACCEPT> means to let the packet through. B<DROP> means to drop the packet on the floor. B<QUEUE> means to pass the packet to userspace. (How the packet can be received by a userspace process differs by the particular queue handler. 2.4.x and 2.6.x kernels up to 2.6.13 include the B<ip_queue> queue handler. Kernels 2.6.14 and later additionally include the B<nfnetlink_queue> queue handler. Packets with a target of QUEUE will be sent to queue number '0' in this case. Please also see the B<NFQUEUE> target as described later in this man page.) B<RETURN> means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target B<RETURN> is matched, the target specified by the chain policy determines the fate of the packet."
+#, fuzzy
+#| msgid "B<ACCEPT> means to let the packet through. B<DROP> means to drop the packet on the floor. B<QUEUE> means to pass the packet to userspace. (How the packet can be received by a userspace process differs by the particular queue handler. 2.4.x and 2.6.x kernels up to 2.6.13 include the B<ip_queue> queue handler. Kernels 2.6.14 and later additionally include the B<nfnetlink_queue> queue handler. Packets with a target of QUEUE will be sent to queue number '0' in this case. Please also see the B<NFQUEUE> target as described later in this man page.) B<RETURN> means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target B<RETURN> is matched, the target specified by the chain policy determines the fate of the packet."
+msgid "B<ACCEPT> means to let the packet through. B<DROP> means to drop the packet on the floor. B<RETURN> means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target B<RETURN> is matched, the target specified by the chain policy determines the fate of the packet."
msgstr "B<ACCEPT> はパケット通過、 B<DROP> はパケット廃棄を意味する。 B<QUEUE> はそのパケットをユーザー空間に渡すという意味である。 (ユーザー空間プロセスがパケットをどのように受信するかは、個々のキューハンドラにより異なる。バージョン 2.4.x および 2.6.13 までの 2.6.x のカーネルでは B<ip_queue> キューハンドラが読み込まれる。バージョン 2.6.14 以降のカーネルでは、これに加えて B<nfnetlink_queue> キューハンドラも利用できる。ターゲットが QUEUE のパケットは、キュー番号 '0' に送信される。この man ページの後ろの方で説明されている B<NFQUEUE> ターゲットについても参照のこと。) B<RETURN> は、このチェインを辿るのを中止して、 前の (呼び出し元) チェインの次のルールから再開するという意味である。 組み込みチェインの最後に到達した場合、 または組み込みチェインでターゲット B<RETURN> を持つルールにマッチした場合、 パケットをどのように処理するかは、そのチェインのポリシーで指定されたターゲットにより決まる。"
#. type: SH
msgstr "B<nat>:"
#. type: Plain text
-msgid "This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: B<PREROUTING> (for altering packets as soon as they come in), B<OUTPUT> (for altering locally-generated packets before routing), and B<POSTROUTING> (for altering packets as they are about to go out)."
+#, fuzzy
+#| msgid "This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: B<PREROUTING> (for altering packets as soon as they come in), B<OUTPUT> (for altering locally-generated packets before routing), and B<POSTROUTING> (for altering packets as they are about to go out)."
+msgid "This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: B<PREROUTING> (for altering packets as soon as they come in), B<OUTPUT> (for altering locally-generated packets before routing), and B<POSTROUTING> (for altering packets as they are about to go out). IPv6 NAT support is available since kernel 3.7."
msgstr "このテーブルは新しい接続を開くパケットの場合に参照される。 B<PREROUTING> (パケットが入ってきた場合、すぐにそのパケットを変換するためのチェイン)、 B<OUTPUT> (ローカルで生成されたパケットをルーティングの前に変換するためのチェイン)、 B<POSTROUTING> (パケットが出て行くときに変換するためのチェイン) という 3 つの組み込みチェインがある。"
#. type: TP
msgstr "オプション"
#. type: Plain text
-msgid "The options that are recognized by B<iptables> can be divided into several different groups."
+#, fuzzy
+#| msgid "The options that are recognized by B<iptables> can be divided into several different groups."
+msgid "The options that are recognized by B<iptables> and B<ip6tables> can be divided into several different groups."
msgstr "B<iptables> で使えるオプションは、いくつかのグループに分けられる。"
#. type: SS
msgstr "B<-4>, B<--ipv4>"
#. type: Plain text
-msgid "This option has no effect in iptables and iptables-restore."
-msgstr "このオプションは iptables と iptables-restore では効果を持たない。"
+#, fuzzy
+#| msgid "If a rule using the B<-6> option is inserted with (and only with) iptables-restore, it will be silently ignored. Any other uses will throw an error. This option allows to put both IPv4 and IPv6 rules in a single rule file for use with both iptables-restore and ip6tables-restore."
+msgid "This option has no effect in iptables and iptables-restore. If a rule using the B<-4> option is inserted with (and only with) ip6tables-restore, it will be silently ignored. Any other uses will throw an error. This option allows to put both IPv4 and IPv6 rules in a single rule file for use with both iptables-restore and ip6tables-restore."
+msgstr "B<-6> オプションを使ったルールを iptables-restore で挿入された場合、(この場合に限り) そのルールは黙って無視される。それ以外の使い方をした場合はエラーが発生する。このオプションを使うと、 IPv4 と IPv6 の両方のルールを一つのルールファイルに記述し、iptables-restore と ip6tables-restore の両方でそのファイルを使うことができる。"
#. type: TP
#, no-wrap
msgstr "B<-6>, B<--ipv6>"
#. type: Plain text
-msgid "If a rule using the B<-6> option is inserted with (and only with) iptables-restore, it will be silently ignored. Any other uses will throw an error. This option allows to put both IPv4 and IPv6 rules in a single rule file for use with both iptables-restore and ip6tables-restore."
+#, fuzzy
+#| msgid "If a rule using the B<-6> option is inserted with (and only with) iptables-restore, it will be silently ignored. Any other uses will throw an error. This option allows to put both IPv4 and IPv6 rules in a single rule file for use with both iptables-restore and ip6tables-restore."
+msgid "If a rule using the B<-6> option is inserted with (and only with) iptables-restore, it will be silently ignored. Any other uses will throw an error. This option allows to put both IPv4 and IPv6 rules in a single rule file for use with both iptables-restore and ip6tables-restore. This option has no effect in ip6tables and ip6tables-restore."
msgstr "B<-6> オプションを使ったルールを iptables-restore で挿入された場合、(この場合に限り) そのルールは黙って無視される。それ以外の使い方をした場合はエラーが発生する。このオプションを使うと、 IPv4 と IPv6 の両方のルールを一つのルールファイルに記述し、iptables-restore と ip6tables-restore の両方でそのファイルを使うことができる。"
#. type: TP
msgstr "[B<!>] B<-p>, B<--protocol> I<protocol>"
#. type: Plain text
-msgid "The protocol of the rule or of the packet to check. The specified protocol can be one of B<tcp>, B<udp>, B<udplite>, B<icmp>, B<esp>, B<ah>, B<sctp> or the special keyword \"B<all>\", or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A \"!\" argument before the protocol inverts the test. The number zero is equivalent to B<all>. \"B<all>\" will match with all protocols and is taken as default when this option is omitted."
+#, fuzzy
+#| msgid "The protocol of the rule or of the packet to check. The specified protocol can be one of B<tcp>, B<udp>, B<udplite>, B<icmp>, B<esp>, B<ah>, B<sctp> or the special keyword \"B<all>\", or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A \"!\" argument before the protocol inverts the test. The number zero is equivalent to B<all>. \"B<all>\" will match with all protocols and is taken as default when this option is omitted."
+msgid "The protocol of the rule or of the packet to check. The specified protocol can be one of B<tcp>, B<udp>, B<udplite>, B<icmp>, B<icmpv6>,B<esp>, B<ah>, B<sctp>, B<mh> or the special keyword \"B<all>\", or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A \"!\" argument before the protocol inverts the test. The number zero is equivalent to B<all>. \"B<all>\" will match with all protocols and is taken as default when this option is omitted. Note that, in ip6tables, IPv6 extension headers except B<esp> are not allowed. B<esp> and B<ipv6-nonext> can be used with Kernel version 2.6.11 or later. The number zero is equivalent to B<all>, which means that you cannot test the protocol field for the value 0 directly. To match on a HBH header, even if it were the last, you cannot use B<-p 0>, but always need B<-m hbh>."
msgstr "ルールで使われるプロトコル、またはチェックされるパケットのプロトコル。 指定できるプロトコルは、 B<tcp>, B<udp>, B<udplite>, B<icmp>, B<esp>, B<ah>, B<sctp> と特別なキーワード B<all> のいずれか 1 つか、または数値である。 数値には、これらのプロトコルのどれか、またはそれ以外のプロトコルを表す数値を指定することができる。 /etc/protocols にあるプロトコル名も指定できる。 プロトコルの前に \"!\" を置くと、そのプロトコルを除外するという意味になる。 数値 0 は B<all> と等しい。 \"B<all>\" は全てのプロトコルとマッチし、このオプションが省略された際のデフォルトである。"
#. type: TP
msgstr "[B<!>] B<-s>, B<--source> I<address>[B</>I<mask>][B<,>I<...>]"
#. type: Plain text
-msgid "Source specification. I<Address> can be either a network name, a hostname, a network IP address (with B</>I<mask>), or a plain IP address. Hostnames will be resolved once only, before the rule is submitted to the kernel. Please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea. The I<mask> can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of I<24> is equivalent to I<255.255.255.0>. A \"!\" argument before the address specification inverts the sense of the address. The flag B<--src> is an alias for this option. Multiple addresses can be specified, but this will B<expand to multiple rules> (when adding with -A), or will cause multiple rules to be deleted (with -D)."
+#, fuzzy
+#| msgid "Source specification. I<Address> can be either a network name, a hostname, a network IP address (with B</>I<mask>), or a plain IP address. Hostnames will be resolved once only, before the rule is submitted to the kernel. Please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea. The I<mask> can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of I<24> is equivalent to I<255.255.255.0>. A \"!\" argument before the address specification inverts the sense of the address. The flag B<--src> is an alias for this option. Multiple addresses can be specified, but this will B<expand to multiple rules> (when adding with -A), or will cause multiple rules to be deleted (with -D)."
+msgid "Source specification. I<Address> can be either a network name, a hostname, a network IP address (with B</>I<mask>), or a plain IP address. Hostnames will be resolved once only, before the rule is submitted to the kernel. Please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea. The I<mask> can be either an ipv4 network mask (for iptables) or a plain number, specifying the number of 1's at the left side of the network mask. Thus, an iptables mask of I<24> is equivalent to I<255.255.255.0>. A \"!\" argument before the address specification inverts the sense of the address. The flag B<--src> is an alias for this option. Multiple addresses can be specified, but this will B<expand to multiple rules> (when adding with -A), or will cause multiple rules to be deleted (with -D)."
msgstr "送信元の指定。 I<address> はホスト名、ネットワーク IP アドレス (B</>I<mask> を指定する)、通常の IP アドレスのいずれかである。ホスト名の解決は、カーネルにルールが登録される前に一度だけ行われる。 DNS のようなリモートへの問い合わせで解決する名前を指定するのは非常に良くないことである。 I<mask> には、ネットワークマスクか、ネットワークマスクの左側にある 1 の数を表す数値を指定する。つまり、 I<24> という mask は I<255.255.255.0> と同じである。 アドレス指定の前に \"!\" を置くと、そのアドレスを除外するという意味になる。 フラグ B<--src> は、このオプションの別名である。複数のアドレスを指定することができるが、その場合は (-A での追加であれば) B<複数のルールに展開され>、 (-D での削除であれば) 複数のルールが削除されることになる。"
#. type: TP
msgstr "[B<!>] B<-f>, B<--fragment>"
#. type: Plain text
-msgid "This means that the rule only refers to second and further fragments of fragmented packets. Since there is no way to tell the source or destination ports of such a packet (or ICMP type), such a packet will not match any rules which specify them. When the \"!\" argument precedes the \"-f\" flag, the rule will only match head fragments, or unfragmented packets."
+#, fuzzy
+#| msgid "This means that the rule only refers to second and further fragments of fragmented packets. Since there is no way to tell the source or destination ports of such a packet (or ICMP type), such a packet will not match any rules which specify them. When the \"!\" argument precedes the \"-f\" flag, the rule will only match head fragments, or unfragmented packets."
+msgid "This means that the rule only refers to second and further IPv4 fragments of fragmented packets. Since there is no way to tell the source or destination ports of such a packet (or ICMP type), such a packet will not match any rules which specify them. When the \"!\" argument precedes the \"-f\" flag, the rule will only match head fragments, or unfragmented packets. This option is IPv4 specific, it is not available in ip6tables."
msgstr "分割されたパケット (fragmented packet) のうち 2 番目以降のパケットだけを参照するルールであることを意味する。 このようなパケット (または ICMP タイプのパケット) は 送信元ポートと宛先ポートを知る方法がないので、 送信元ポートや宛先ポートを指定するようなルールにはマッチしない。 \"-f\" フラグの前に \"!\" を置くと、 分割されたパケットのうち最初のフラグメントか、 分割されていないパケットだけにマッチする。"
#. type: TP
msgstr "詳細な出力を行う。 list コマンドの際に、 インターフェース名、 ルールのオプション (ある場合のみ)、 TOS マスクを表示させる。 パケットとバイトカウンタも表示される。 添字 'K', 'M', 'G' は、 それぞれ 1000, 1,000,000, 1,000,000,000 倍を表す (これを変更する B<-x> フラグも見よ)。 このオプションを append, insert, delete, replace コマンドに適用すると、 ルールについての詳細な情報を表示する。 B<-v> は複数回指定することができ、 数が多くなるとより多くのデバッグ情報が出力される。"
#. type: TP
+#, fuzzy, no-wrap
+#| msgid "B<-x>, B<--exact>"
+msgid "B<-w>, B<--wait>"
+msgstr "B<-x>, B<--exact>"
+
+#. type: Plain text
+msgid "Wait for the xtables lock. To prevent multiple instances of the program from running concurrently, an attempt will be made to obtain an exclusive lock at launch. By default, the program will exit if the lock cannot be obtained. This option will make the program wait until the exclusive lock can be obtained."
+msgstr ""
+
+#. type: TP
#, no-wrap
msgid "B<-n>, B<--numeric>"
msgstr "B<-n>, B<--numeric>"
msgstr "関連項目"
#. type: Plain text
-msgid "B<iptables-apply>(8), B<iptables-save>(8), B<iptables-restore>(8), B<iptables-extensions>(8), B<ip6tables>(8), B<ip6tables-save>(8), B<ip6tables-restore>(8), B<libipq>(3)."
+#, fuzzy
+#| msgid "B<iptables-apply>(8), B<iptables-save>(8), B<iptables-restore>(8), B<iptables-extensions>(8), B<ip6tables>(8), B<ip6tables-save>(8), B<ip6tables-restore>(8), B<libipq>(3)."
+msgid "B<iptables-apply>(8), B<iptables-save>(8), B<iptables-restore>(8), B<iptables-extensions>(8),"
msgstr "B<iptables-apply>(8), B<iptables-save>(8), B<iptables-restore>(8), B<iptables-extensions>(8), B<ip6tables>(8), B<ip6tables-save>(8), B<ip6tables-restore>(8), B<libipq>(3)."
#. type: Plain text
msgstr "バージョン"
#. type: Plain text
-msgid "This manual page applies to iptables 1.4.18."
+#, fuzzy
+#| msgid "This manual page applies to iptables 1.4.18."
+msgid "This manual page applies to iptables/ip6tables 1.4.21."
msgstr "この man ページは iptables 1.4.18 について説明している。"
+
+#~ msgid "This option has no effect in iptables and iptables-restore."
+#~ msgstr "このオプションは iptables と iptables-restore では効果を持たない。"
-â\97\8b:iptables:1.4.18:2012/03/27:iptables-xml:1:2014/05/07::amotoki@gmail.com:Akihiro Motoki:
-×:iptables:1.4.18:2012/03/27:ipq_create_handle:3:::::
-※:iptables:1.4.18:2012/03/27:ipq_destroy_handle:3:ipq_create_handle:3:
-×:iptables:1.4.18:2012/03/27:ipq_errstr:3:::::
-※:iptables:1.4.18:2012/03/27:ipq_get_msgerr:3:ipq_message_type:3:
-※:iptables:1.4.18:2012/03/27:ipq_get_packet:3:ipq_message_type:3:
-×:iptables:1.4.18:2012/03/27:ipq_message_type:3:::::
-※:iptables:1.4.18:2012/03/27:ipq_perror:3:ipq_errstr:3:
-×:iptables:1.4.18:2012/03/27:ipq_read:3:::::
-×:iptables:1.4.18:2012/03/27:ipq_set_mode:3:::::
-×:iptables:1.4.18:2012/03/27:ipq_set_verdict:3:::::
-×:iptables:1.4.18:2012/03/27:libipq:3:::::
-○:iptables:1.4.18:2013/03/03:ip6tables:8:2014/05/06::amotoki@gmail.com:Akihiro Motoki:
-○:iptables:1.4.18:2013/03/03:ip6tables-restore:8:2014/05/06::amotoki@gmail.com:Akihiro Motoki:
-○:iptables:1.4.18:2012/03/27:ip6tables-save:8:2014/05/06::amotoki@gmail.com:Akihiro Motoki:
-â\97\8b:iptables:1.4.18:2013/03/03:iptables:8:2014/05/06::amotoki@gmail.com:Akihiro Motoki:
-â\97\8b:iptables:1.4.18:2013/03/03:iptables-apply:8:2014/05/06::amotoki@gmail.com:Akihiro Motoki:
-â\97\8b:iptables:1.4.18:2013/03/03:iptables-extensions:8:2014/05/07::amotoki@gmail.com:Akihiro Motoki:
-â\97\8b:iptables:1.4.18:2013/03/03:iptables-restore:8:2014/05/06::amotoki@gmail.com:Akihiro Motoki:
-â\97\8b:iptables:1.4.18:2012/03/27:iptables-save:8:2014/05/06::amotoki@gmail.com:Akihiro Motoki:
+â\98\86:iptables:1.4.18=>1.4.21:2013/11/22:iptables-xml:1:2014/05/07::amotoki@gmail.com:Akihiro Motoki:
+×:iptables:1.4.21:2012/03/27:ipq_create_handle:3:::::
+※:iptables:1.4.21:2012/03/27:ipq_destroy_handle:3:ipq_create_handle:3:
+×:iptables:1.4.21:2012/03/27:ipq_errstr:3:::::
+※:iptables:1.4.21:2012/03/27:ipq_get_msgerr:3:ipq_message_type:3:
+※:iptables:1.4.21:2012/03/27:ipq_get_packet:3:ipq_message_type:3:
+×:iptables:1.4.21:2012/03/27:ipq_message_type:3:::::
+※:iptables:1.4.21:2012/03/27:ipq_perror:3:ipq_errstr:3:
+×:iptables:1.4.21:2012/03/27:ipq_read:3:::::
+×:iptables:1.4.21:2012/03/27:ipq_set_mode:3:::::
+×:iptables:1.4.21:2012/03/27:ipq_set_verdict:3:::::
+×:iptables:1.4.21:2013/11/22:libipq:3:::::
+@:iptables:1.4.21:2013/11/22:ip6tables:8:iptables:8:
+@:iptables:1.4.21:2013/11/22:ip6tables-restore:8:iptables-restore:8:
+@:iptables:1.4.21:2013/11/22:ip6tables-save:8:iptables-save:8:
+â\98\86:iptables:1.4.18=>1.4.21:2013/11/22:iptables:8:2014/05/06::amotoki@gmail.com:Akihiro Motoki:
+â\98\86:iptables:1.4.18=>1.4.21:2013/11/22:iptables-apply:8:2014/05/06::amotoki@gmail.com:Akihiro Motoki:
+â\98\86:iptables:1.4.18=>1.4.21:2013/11/22:iptables-extensions:8:2014/05/07::amotoki@gmail.com:Akihiro Motoki:
+â\98\86:iptables:1.4.18=>1.4.21:2013/11/22:iptables-restore:8:2014/05/06::amotoki@gmail.com:Akihiro Motoki:
+â\98\86:iptables:1.4.18=>1.4.21:2013/11/22:iptables-save:8:2014/05/06::amotoki@gmail.com:Akihiro Motoki:
OSDN Git Service
