iptables-1.8.3-3
- Change URL to point at iptables project, not netfilter overview page - Reuse URL value in tarball source - Reduce globbing of library file names to expose future SONAME changes - Add bootstrapping for libip*tc SONAME bump
This commit is contained in:
parent
28d2f32245
commit
972fb0a368
@ -1,486 +0,0 @@
|
||||
From 1d0089550ab9882ac90d0fc673f213c51e133552 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Wed, 13 Mar 2019 20:46:12 +0100
|
||||
Subject: [PATCH] doc: Add arptables-nft man pages
|
||||
|
||||
These are 1:1 copies from legacy arptables repository.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
||||
(cherry picked from commit 4dbb6b9118e32a9b748ead893106de59579424f5)
|
||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||||
---
|
||||
iptables/Makefile.am | 3 +
|
||||
iptables/arptables-nft-restore.8 | 41 ++++
|
||||
iptables/arptables-nft-save.8 | 37 ++++
|
||||
iptables/arptables-nft.8 | 352 +++++++++++++++++++++++++++++++
|
||||
4 files changed, 433 insertions(+)
|
||||
create mode 100644 iptables/arptables-nft-restore.8
|
||||
create mode 100644 iptables/arptables-nft-save.8
|
||||
create mode 100644 iptables/arptables-nft.8
|
||||
|
||||
diff --git a/iptables/Makefile.am b/iptables/Makefile.am
|
||||
index 581dc32ba846b..52309679d390c 100644
|
||||
--- a/iptables/Makefile.am
|
||||
+++ b/iptables/Makefile.am
|
||||
@@ -63,6 +63,9 @@ man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \
|
||||
ip6tables-save.8 iptables-extensions.8 \
|
||||
xtables-nft.8 xtables-translate.8 xtables-legacy.8 \
|
||||
xtables-monitor.8
|
||||
+if ENABLE_NFTABLES
|
||||
+man_MANS += arptables-nft.8 arptables-nft-restore.8 arptables-nft-save.8
|
||||
+endif
|
||||
CLEANFILES = iptables.8 xtables-monitor.8 \
|
||||
xtables-config-parser.c xtables-config-syntax.c
|
||||
|
||||
diff --git a/iptables/arptables-nft-restore.8 b/iptables/arptables-nft-restore.8
|
||||
new file mode 100644
|
||||
index 0000000000000..4f2f623673415
|
||||
--- /dev/null
|
||||
+++ b/iptables/arptables-nft-restore.8
|
||||
@@ -0,0 +1,41 @@
|
||||
+.TH ARPTABLES-RESTORE 8 "Nov 07, 2013" "" ""
|
||||
+.\"
|
||||
+.\" Man page written by Jesper Dangaard Brouer <brouer@redhat.com> based on a
|
||||
+.\" Man page written by Harald Welte <laforge@gnumonks.org>
|
||||
+.\" It is based on the iptables-restore man page.
|
||||
+.\"
|
||||
+.\" This program is free software; you can redistribute it and/or modify
|
||||
+.\" it under the terms of the GNU General Public License as published by
|
||||
+.\" the Free Software Foundation; either version 2 of the License, or
|
||||
+.\" (at your option) any later version.
|
||||
+.\"
|
||||
+.\" This program is distributed in the hope that it will be useful,
|
||||
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+.\" GNU General Public License for more details.
|
||||
+.\"
|
||||
+.\" You should have received a copy of the GNU General Public License
|
||||
+.\" along with this program; if not, write to the Free Software
|
||||
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
||||
+.\"
|
||||
+.\"
|
||||
+.SH NAME
|
||||
+arptables-restore \(em Restore ARP Tables
|
||||
+.SH SYNOPSIS
|
||||
+\fBarptables\-restore
|
||||
+.SH DESCRIPTION
|
||||
+.PP
|
||||
+.B arptables-restore
|
||||
+is used to restore ARP Tables from data specified on STDIN or
|
||||
+via a file as first argument.
|
||||
+Use I/O redirection provided by your shell to read from a file
|
||||
+.TP
|
||||
+.B arptables-restore
|
||||
+flushes (deletes) all previous contents of the respective ARP Table.
|
||||
+.SH BUGS
|
||||
+None known as of arptables-0.0.4 release
|
||||
+.SH AUTHOR
|
||||
+Jesper Dangaard Brouer <brouer@redhat.com>
|
||||
+.SH SEE ALSO
|
||||
+\fBarptables\-save\fP(8), \fBarptables\fP(8)
|
||||
+.PP
|
||||
diff --git a/iptables/arptables-nft-save.8 b/iptables/arptables-nft-save.8
|
||||
new file mode 100644
|
||||
index 0000000000000..34791a9c087f0
|
||||
--- /dev/null
|
||||
+++ b/iptables/arptables-nft-save.8
|
||||
@@ -0,0 +1,37 @@
|
||||
+.TH ARPTABLES-SAVE 8 "Nov 07, 2013" "" ""
|
||||
+.\"
|
||||
+.\" Man page written by Jesper Dangaard Brouer <brouer@redhat.com> based on a
|
||||
+.\" Man page written by Harald Welte <laforge@gnumonks.org>
|
||||
+.\" It is based on the iptables-save man page.
|
||||
+.\"
|
||||
+.\" This program is free software; you can redistribute it and/or modify
|
||||
+.\" it under the terms of the GNU General Public License as published by
|
||||
+.\" the Free Software Foundation; either version 2 of the License, or
|
||||
+.\" (at your option) any later version.
|
||||
+.\"
|
||||
+.\" This program is distributed in the hope that it will be useful,
|
||||
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+.\" GNU General Public License for more details.
|
||||
+.\"
|
||||
+.\" You should have received a copy of the GNU General Public License
|
||||
+.\" along with this program; if not, write to the Free Software
|
||||
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
||||
+.\"
|
||||
+.\"
|
||||
+.SH NAME
|
||||
+arptables-save \(em dump arptables rules to stdout
|
||||
+.SH SYNOPSIS
|
||||
+\fBarptables\-save
|
||||
+.SH DESCRIPTION
|
||||
+.PP
|
||||
+.B arptables-save
|
||||
+is used to dump the contents of an ARP Table in easily parseable format
|
||||
+to STDOUT. Use I/O-redirection provided by your shell to write to a file.
|
||||
+.SH BUGS
|
||||
+None known as of arptables-0.0.4 release
|
||||
+.SH AUTHOR
|
||||
+Jesper Dangaard Brouer <brouer@redhat.com>
|
||||
+.SH SEE ALSO
|
||||
+\fBarptables\-restore\fP(8), \fBarptables\fP(8)
|
||||
+.PP
|
||||
diff --git a/iptables/arptables-nft.8 b/iptables/arptables-nft.8
|
||||
new file mode 100644
|
||||
index 0000000000000..3ce99e3757004
|
||||
--- /dev/null
|
||||
+++ b/iptables/arptables-nft.8
|
||||
@@ -0,0 +1,352 @@
|
||||
+.TH ARPTABLES 8 "June 2018"
|
||||
+.\"
|
||||
+.\" Man page originally written by Jochen Friedrich <jochen@scram.de>,
|
||||
+.\" maintained by Bart De Schuymer.
|
||||
+.\" It is based on the iptables man page.
|
||||
+.\"
|
||||
+.\" Iptables page by Herve Eychenne March 2000.
|
||||
+.\"
|
||||
+.\" This program is free software; you can redistribute it and/or modify
|
||||
+.\" it under the terms of the GNU General Public License as published by
|
||||
+.\" the Free Software Foundation; either version 2 of the License, or
|
||||
+.\" (at your option) any later version.
|
||||
+.\"
|
||||
+.\" This program is distributed in the hope that it will be useful,
|
||||
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+.\" GNU General Public License for more details.
|
||||
+.\"
|
||||
+.\" You should have received a copy of the GNU General Public License
|
||||
+.\" along with this program; if not, write to the Free Software
|
||||
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
||||
+.\"
|
||||
+.\"
|
||||
+.SH NAME
|
||||
+arptables \- ARP table administration (legacy)
|
||||
+.SH SYNOPSIS
|
||||
+.BR "arptables " [ "-t table" ] " -" [ AD ] " chain rule-specification " [ options ]
|
||||
+.br
|
||||
+.BR "arptables " [ "-t table" ] " -" [ RI ] " chain rulenum rule-specification " [ options ]
|
||||
+.br
|
||||
+.BR "arptables " [ "-t table" ] " -D chain rulenum " [ options ]
|
||||
+.br
|
||||
+.BR "arptables " [ "-t table" ] " -" [ "LFZ" ] " " [ chain ] " " [ options ]
|
||||
+.br
|
||||
+.BR "arptables " [ "-t table" ] " -" [ "NX" ] " chain"
|
||||
+.br
|
||||
+.BR "arptables " [ "-t table" ] " -E old-chain-name new-chain-name"
|
||||
+.br
|
||||
+.BR "arptables " [ "-t table" ] " -P chain target " [ options ]
|
||||
+
|
||||
+.SH LEGACY
|
||||
+This tool uses the old xtables/setsockopt framework, and is a legacy version
|
||||
+of arptables. That means that a new, more modern tool exists with the same
|
||||
+functionality using the nf_tables framework and you are encouraged to migrate now.
|
||||
+The new binaries (formerly known as -compat) uses the same syntax and
|
||||
+semantics than this legacy one.
|
||||
+
|
||||
+You can still use this legacy tool. You should probably get some specific
|
||||
+information from your Linux distribution or vendor.
|
||||
+More docs are available at https://wiki.nftables.org
|
||||
+
|
||||
+.SH DESCRIPTION
|
||||
+.B arptables
|
||||
+is a user space tool, it is used to set up and maintain the
|
||||
+tables of ARP rules in the Linux kernel. These rules inspect
|
||||
+the ARP frames which they see.
|
||||
+.B arptables
|
||||
+is analogous to the
|
||||
+.B iptables
|
||||
+user space tool, but
|
||||
+.B arptables
|
||||
+is less complicated.
|
||||
+
|
||||
+.SS CHAINS
|
||||
+The kernel table is used to divide functionality into
|
||||
+different sets of rules. Each set of rules is called a chain.
|
||||
+Each chain is an ordered list of rules that can match ARP frames. If a
|
||||
+rule matches an ARP frame, then a processing specification tells
|
||||
+what to do with that matching frame. The processing specification is
|
||||
+called a 'target'. However, if the frame does not match the current
|
||||
+rule in the chain, then the next rule in the chain is examined and so forth.
|
||||
+The user can create new (user-defined) chains which can be used as the 'target' of a rule.
|
||||
+
|
||||
+.SS TARGETS
|
||||
+A firewall rule specifies criteria for an ARP frame and a frame
|
||||
+processing specification called a target. When a frame matches a rule,
|
||||
+then the next action performed by the kernel is specified by the target.
|
||||
+The target can be one of these values:
|
||||
+.IR ACCEPT ,
|
||||
+.IR DROP ,
|
||||
+.IR CONTINUE ,
|
||||
+.IR RETURN ,
|
||||
+an 'extension' (see below) or a user-defined chain.
|
||||
+.PP
|
||||
+.I ACCEPT
|
||||
+means to let the frame through.
|
||||
+.I DROP
|
||||
+means the frame has to be dropped.
|
||||
+.I CONTINUE
|
||||
+means the next rule has to be checked. This can be handy to know how many
|
||||
+frames pass a certain point in the chain or to log those frames.
|
||||
+.I RETURN
|
||||
+means stop traversing this chain and resume at the next rule in the
|
||||
+previous (calling) chain.
|
||||
+For the extension targets please see the
|
||||
+.B "TARGET EXTENSIONS"
|
||||
+section of this man page.
|
||||
+.SS TABLES
|
||||
+There is only one ARP table in the Linux
|
||||
+kernel. The table is
|
||||
+.BR filter.
|
||||
+You can drop the '-t filter' argument to the arptables command.
|
||||
+The -t argument must be the
|
||||
+first argument on the arptables command line, if used.
|
||||
+.TP
|
||||
+.B "-t, --table"
|
||||
+.br
|
||||
+.BR filter ,
|
||||
+is the only table and contains two (Linux kernels 2.4.X) or three (Linux kernels 2.6.0 and later) built-in chains:
|
||||
+.B INPUT
|
||||
+(for frames destined for the host),
|
||||
+.B OUTPUT
|
||||
+(for locally-generated frames) and
|
||||
+.B FORWARD
|
||||
+(for frames being forwarded by the bridge code). The
|
||||
+.B FORWARD
|
||||
+chain doesn't exist in Linux 2.4.X kernels.
|
||||
+.br
|
||||
+.br
|
||||
+.SH ARPTABLES COMMAND LINE ARGUMENTS
|
||||
+After the initial arptables command line argument, the remaining
|
||||
+arguments can be divided into several different groups. These groups
|
||||
+are commands, miscellaneous commands, rule-specifications, match-extensions,
|
||||
+and watcher-extensions.
|
||||
+.SS COMMANDS
|
||||
+The arptables command arguments specify the actions to perform on the table
|
||||
+defined with the -t argument. If you do not use the -t argument to name
|
||||
+a table, the commands apply to the default filter table.
|
||||
+With the exception of the
|
||||
+.B "-Z"
|
||||
+command, only one command may be used on the command line at a time.
|
||||
+.TP
|
||||
+.B "-A, --append"
|
||||
+Append a rule to the end of the selected chain.
|
||||
+.TP
|
||||
+.B "-D, --delete"
|
||||
+Delete the specified rule from the selected chain. There are two ways to
|
||||
+use this command. The first is by specifying an interval of rule numbers
|
||||
+to delete, syntax: start_nr[:end_nr]. Using negative numbers is allowed, for more
|
||||
+details about using negative numbers, see the -I command. The second usage is by
|
||||
+specifying the complete rule as it would have been specified when it was added.
|
||||
+.TP
|
||||
+.B "-I, --insert"
|
||||
+Insert the specified rule into the selected chain at the specified rule number.
|
||||
+If the current number of rules equals N, then the specified number can be
|
||||
+between -N and N+1. For a positive number i, it holds that i and i-N-1 specify the
|
||||
+same place in the chain where the rule should be inserted. The number 0 specifies
|
||||
+the place past the last rule in the chain and using this number is therefore
|
||||
+equivalent with using the -A command.
|
||||
+.TP
|
||||
+.B "-R, --replace"
|
||||
+Replaces the specified rule into the selected chain at the specified rule number.
|
||||
+If the current number of rules equals N, then the specified number can be
|
||||
+between 1 and N. i specifies the place in the chain where the rule should be replaced.
|
||||
+.TP
|
||||
+.B "-P, --policy"
|
||||
+Set the policy for the chain to the given target. The policy can be
|
||||
+.BR ACCEPT ", " DROP " or " RETURN .
|
||||
+.TP
|
||||
+.B "-F, --flush"
|
||||
+Flush the selected chain. If no chain is selected, then every chain will be
|
||||
+flushed. Flushing the chain does not change the policy of the
|
||||
+chain, however.
|
||||
+.TP
|
||||
+.B "-Z, --zero"
|
||||
+Set the counters of the selected chain to zero. If no chain is selected, all the counters
|
||||
+are set to zero. The
|
||||
+.B "-Z"
|
||||
+command can be used in conjunction with the
|
||||
+.B "-L"
|
||||
+command.
|
||||
+When both the
|
||||
+.B "-Z"
|
||||
+and
|
||||
+.B "-L"
|
||||
+commands are used together in this way, the rule counters are printed on the screen
|
||||
+before they are set to zero.
|
||||
+.TP
|
||||
+.B "-L, --list"
|
||||
+List all rules in the selected chain. If no chain is selected, all chains
|
||||
+are listed.
|
||||
+.TP
|
||||
+.B "-N, --new-chain"
|
||||
+Create a new user-defined chain with the given name. The number of
|
||||
+user-defined chains is unlimited. A user-defined chain name has maximum
|
||||
+length of 31 characters.
|
||||
+.TP
|
||||
+.B "-X, --delete-chain"
|
||||
+Delete the specified user-defined chain. There must be no remaining references
|
||||
+to the specified chain, otherwise
|
||||
+.B arptables
|
||||
+will refuse to delete it. If no chain is specified, all user-defined
|
||||
+chains that aren't referenced will be removed.
|
||||
+.TP
|
||||
+.B "-E, --rename-chain"
|
||||
+Rename the specified chain to a new name. Besides renaming a user-defined
|
||||
+chain, you may rename a standard chain name to a name that suits your
|
||||
+taste. For example, if you like PREBRIDGING more than PREROUTING,
|
||||
+then you can use the -E command to rename the PREROUTING chain. If you do
|
||||
+rename one of the standard
|
||||
+.B arptables
|
||||
+chain names, please be sure to mention
|
||||
+this fact should you post a question on the
|
||||
+.B arptables
|
||||
+mailing lists.
|
||||
+It would be wise to use the standard name in your post. Renaming a standard
|
||||
+.B arptables
|
||||
+chain in this fashion has no effect on the structure or function
|
||||
+of the
|
||||
+.B arptables
|
||||
+kernel table.
|
||||
+
|
||||
+.SS MISCELLANOUS COMMANDS
|
||||
+.TP
|
||||
+.B "-V, --version"
|
||||
+Show the version of the arptables userspace program.
|
||||
+.TP
|
||||
+.B "-h, --help"
|
||||
+Give a brief description of the command syntax.
|
||||
+.TP
|
||||
+.BR "-j, --jump " "\fItarget\fP"
|
||||
+The target of the rule. This is one of the following values:
|
||||
+.BR ACCEPT ,
|
||||
+.BR DROP ,
|
||||
+.BR CONTINUE ,
|
||||
+.BR RETURN ,
|
||||
+a target extension (see
|
||||
+.BR "TARGET EXTENSIONS" ")"
|
||||
+or a user-defined chain name.
|
||||
+.TP
|
||||
+.BI "-c, --set-counters " "PKTS BYTES"
|
||||
+This enables the administrator to initialize the packet and byte
|
||||
+counters of a rule (during
|
||||
+.B INSERT,
|
||||
+.B APPEND,
|
||||
+.B REPLACE
|
||||
+operations).
|
||||
+
|
||||
+.SS RULE-SPECIFICATIONS
|
||||
+The following command line arguments make up a rule specification (as used
|
||||
+in the add and delete commands). A "!" option before the specification
|
||||
+inverts the test for that specification. Apart from these standard rule
|
||||
+specifications there are some other command line arguments of interest.
|
||||
+.TP
|
||||
+.BR "-s, --source-ip " "[!] \fIaddress\fP[/\fImask]\fP"
|
||||
+The Source IP specification.
|
||||
+.TP
|
||||
+.BR "-d, --destination-ip " "[!] \fIaddress\fP[/\fImask]\fP"
|
||||
+The Destination IP specification.
|
||||
+.TP
|
||||
+.BR "--source-mac " "[!] \fIaddress\fP[/\fImask\fP]"
|
||||
+The source mac address. Both mask and address are written as 6 hexadecimal
|
||||
+numbers separated by colons.
|
||||
+.TP
|
||||
+.BR "--destination-mac " "[!] \fIaddress\fP[/\fImask\fP]"
|
||||
+The destination mac address. Both mask and address are written as 6 hexadecimal
|
||||
+numbers separated by colons.
|
||||
+.TP
|
||||
+.BR "-i, --in-interface " "[!] \fIname\fP"
|
||||
+The interface via which a frame is received (for the
|
||||
+.BR INPUT " and " FORWARD
|
||||
+chains). The flag
|
||||
+.B --in-if
|
||||
+is an alias for this option.
|
||||
+.TP
|
||||
+.BR "-o, --out-interface " "[!] \fIname\fP"
|
||||
+The interface via which a frame is going to be sent (for the
|
||||
+.BR OUTPUT " and " FORWARD
|
||||
+chains). The flag
|
||||
+.B --out-if
|
||||
+is an alias for this option.
|
||||
+.TP
|
||||
+.BR "-l, --h-length " "\fIlength\fP[/\fImask\fP]"
|
||||
+The hardware length (nr of bytes)
|
||||
+.TP
|
||||
+.BR "--opcode " "\fIcode\fP[/\fImask\fP]
|
||||
+The operation code (2 bytes). Available values are:
|
||||
+.BR 1 = Request
|
||||
+.BR 2 = Reply
|
||||
+.BR 3 = Request_Reverse
|
||||
+.BR 4 = Reply_Reverse
|
||||
+.BR 5 = DRARP_Request
|
||||
+.BR 6 = DRARP_Reply
|
||||
+.BR 7 = DRARP_Error
|
||||
+.BR 8 = InARP_Request
|
||||
+.BR 9 = ARP_NAK .
|
||||
+.TP
|
||||
+.BR "--h-type " "\fItype\fP[/\fImask\fP]"
|
||||
+The hardware type (2 bytes, hexadecimal). Available values are:
|
||||
+.BR 1 = Ethernet .
|
||||
+.TP
|
||||
+.BR "--proto-type " "\fItype\fP[/\fImask\fP]"
|
||||
+The protocol type (2 bytes). Available values are:
|
||||
+.BR 0x800 = IPv4 .
|
||||
+
|
||||
+.SS TARGET-EXTENSIONS
|
||||
+.B arptables
|
||||
+extensions are precompiled into the userspace tool. So there is no need
|
||||
+to explicitly load them with a -m option like in
|
||||
+.BR iptables .
|
||||
+However, these
|
||||
+extensions deal with functionality supported by supplemental kernel modules.
|
||||
+.SS mangle
|
||||
+.TP
|
||||
+.BR "--mangle-ip-s IP address"
|
||||
+Mangles Source IP Address to given value.
|
||||
+.TP
|
||||
+.BR "--mangle-ip-d IP address"
|
||||
+Mangles Destination IP Address to given value.
|
||||
+.TP
|
||||
+.BR "--mangle-mac-s MAC address"
|
||||
+Mangles Source MAC Address to given value.
|
||||
+.TP
|
||||
+.BR "--mangle-mac-d MAC address"
|
||||
+Mangles Destination MAC Address to given value.
|
||||
+.TP
|
||||
+.BR "--mangle-target target "
|
||||
+Target of ARP mangle operation
|
||||
+.BR "" ( DROP ", " CONTINUE " or " ACCEPT " -- default is " ACCEPT ).
|
||||
+.SS CLASSIFY
|
||||
+This module allows you to set the skb->priority value (and thus clas-
|
||||
+sify the packet into a specific CBQ class).
|
||||
+
|
||||
+.TP
|
||||
+.BR "--set-class major:minor"
|
||||
+
|
||||
+Set the major and minor class value. The values are always
|
||||
+interpreted as hexadecimal even if no 0x prefix is given.
|
||||
+
|
||||
+.SS MARK
|
||||
+This module allows you to set the skb->mark value (and thus classify
|
||||
+the packet by the mark in u32)
|
||||
+
|
||||
+.TP
|
||||
+.BR "--set-mark mark"
|
||||
+Set the mark value. The values are always
|
||||
+interpreted as hexadecimal even if no 0x prefix is given
|
||||
+
|
||||
+.TP
|
||||
+.BR "--and-mark mark"
|
||||
+Binary AND the mark with bits.
|
||||
+
|
||||
+.TP
|
||||
+.BR "--or-mark mark"
|
||||
+Binary OR the mark with bits.
|
||||
+
|
||||
+.SH MAILINGLISTS
|
||||
+.BR "" "See " http://netfilter.org/mailinglists.html
|
||||
+.SH SEE ALSO
|
||||
+.BR iptables "(8), " ebtables "(8), " arp "(8), " rarp "(8), " ifconfig "(8), " route (8)
|
||||
+.PP
|
||||
+.BR "" "See " http://ebtables.sf.net
|
||||
--
|
||||
2.21.0
|
||||
|
@ -1,192 +0,0 @@
|
||||
From 2efbd30ed9f1db90b32b556d0e3df16d05281bc7 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Wed, 13 Mar 2019 20:46:13 +0100
|
||||
Subject: [PATCH] doc: Adjust arptables man pages
|
||||
|
||||
Change content to suit the shipped nft-based variant. Most relevant
|
||||
changes:
|
||||
|
||||
* FORWARD chain is not supported
|
||||
* arptables-nft-save supports a few parameters
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
||||
(cherry picked from commit 1a0cd997d601794c7031346063b8b77f4af2a13e)
|
||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||||
---
|
||||
iptables/arptables-nft-restore.8 | 6 ++--
|
||||
iptables/arptables-nft-save.8 | 20 +++++++++----
|
||||
iptables/arptables-nft.8 | 48 +++++++++++++++-----------------
|
||||
3 files changed, 39 insertions(+), 35 deletions(-)
|
||||
|
||||
diff --git a/iptables/arptables-nft-restore.8 b/iptables/arptables-nft-restore.8
|
||||
index 4f2f623673415..09d9082cf9fd3 100644
|
||||
--- a/iptables/arptables-nft-restore.8
|
||||
+++ b/iptables/arptables-nft-restore.8
|
||||
@@ -1,4 +1,4 @@
|
||||
-.TH ARPTABLES-RESTORE 8 "Nov 07, 2013" "" ""
|
||||
+.TH ARPTABLES-RESTORE 8 "March 2019" "" ""
|
||||
.\"
|
||||
.\" Man page written by Jesper Dangaard Brouer <brouer@redhat.com> based on a
|
||||
.\" Man page written by Harald Welte <laforge@gnumonks.org>
|
||||
@@ -20,7 +20,7 @@
|
||||
.\"
|
||||
.\"
|
||||
.SH NAME
|
||||
-arptables-restore \(em Restore ARP Tables
|
||||
+arptables-restore \- Restore ARP Tables (nft-based)
|
||||
.SH SYNOPSIS
|
||||
\fBarptables\-restore
|
||||
.SH DESCRIPTION
|
||||
@@ -32,8 +32,6 @@ Use I/O redirection provided by your shell to read from a file
|
||||
.TP
|
||||
.B arptables-restore
|
||||
flushes (deletes) all previous contents of the respective ARP Table.
|
||||
-.SH BUGS
|
||||
-None known as of arptables-0.0.4 release
|
||||
.SH AUTHOR
|
||||
Jesper Dangaard Brouer <brouer@redhat.com>
|
||||
.SH SEE ALSO
|
||||
diff --git a/iptables/arptables-nft-save.8 b/iptables/arptables-nft-save.8
|
||||
index 34791a9c087f0..905e59854cc28 100644
|
||||
--- a/iptables/arptables-nft-save.8
|
||||
+++ b/iptables/arptables-nft-save.8
|
||||
@@ -1,4 +1,4 @@
|
||||
-.TH ARPTABLES-SAVE 8 "Nov 07, 2013" "" ""
|
||||
+.TH ARPTABLES-SAVE 8 "March 2019" "" ""
|
||||
.\"
|
||||
.\" Man page written by Jesper Dangaard Brouer <brouer@redhat.com> based on a
|
||||
.\" Man page written by Harald Welte <laforge@gnumonks.org>
|
||||
@@ -20,16 +20,26 @@
|
||||
.\"
|
||||
.\"
|
||||
.SH NAME
|
||||
-arptables-save \(em dump arptables rules to stdout
|
||||
+arptables-save \- dump arptables rules to stdout (nft-based)
|
||||
.SH SYNOPSIS
|
||||
-\fBarptables\-save
|
||||
+\fBarptables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
|
||||
+.P
|
||||
+\fBarptables\-save\fP [\fB\-V\fP]
|
||||
.SH DESCRIPTION
|
||||
.PP
|
||||
.B arptables-save
|
||||
is used to dump the contents of an ARP Table in easily parseable format
|
||||
to STDOUT. Use I/O-redirection provided by your shell to write to a file.
|
||||
-.SH BUGS
|
||||
-None known as of arptables-0.0.4 release
|
||||
+.TP
|
||||
+\fB\-M\fR, \fB\-\-modprobe\fR \fImodprobe_program\fP
|
||||
+Specify the path to the modprobe program. By default, arptables-save will
|
||||
+inspect /proc/sys/kernel/modprobe to determine the executable's path.
|
||||
+.TP
|
||||
+\fB\-c\fR, \fB\-\-counters\fR
|
||||
+Include the current values of all packet and byte counters in the output.
|
||||
+.TP
|
||||
+\fB\-V\fR, \fB\-\-version\fR
|
||||
+Print version information and exit.
|
||||
.SH AUTHOR
|
||||
Jesper Dangaard Brouer <brouer@redhat.com>
|
||||
.SH SEE ALSO
|
||||
diff --git a/iptables/arptables-nft.8 b/iptables/arptables-nft.8
|
||||
index 3ce99e3757004..ea31e0842acd4 100644
|
||||
--- a/iptables/arptables-nft.8
|
||||
+++ b/iptables/arptables-nft.8
|
||||
@@ -1,4 +1,4 @@
|
||||
-.TH ARPTABLES 8 "June 2018"
|
||||
+.TH ARPTABLES 8 "March 2019"
|
||||
.\"
|
||||
.\" Man page originally written by Jochen Friedrich <jochen@scram.de>,
|
||||
.\" maintained by Bart De Schuymer.
|
||||
@@ -22,7 +22,7 @@
|
||||
.\"
|
||||
.\"
|
||||
.SH NAME
|
||||
-arptables \- ARP table administration (legacy)
|
||||
+arptables \- ARP table administration (nft-based)
|
||||
.SH SYNOPSIS
|
||||
.BR "arptables " [ "-t table" ] " -" [ AD ] " chain rule-specification " [ options ]
|
||||
.br
|
||||
@@ -38,17 +38,6 @@ arptables \- ARP table administration (legacy)
|
||||
.br
|
||||
.BR "arptables " [ "-t table" ] " -P chain target " [ options ]
|
||||
|
||||
-.SH LEGACY
|
||||
-This tool uses the old xtables/setsockopt framework, and is a legacy version
|
||||
-of arptables. That means that a new, more modern tool exists with the same
|
||||
-functionality using the nf_tables framework and you are encouraged to migrate now.
|
||||
-The new binaries (formerly known as -compat) uses the same syntax and
|
||||
-semantics than this legacy one.
|
||||
-
|
||||
-You can still use this legacy tool. You should probably get some specific
|
||||
-information from your Linux distribution or vendor.
|
||||
-More docs are available at https://wiki.nftables.org
|
||||
-
|
||||
.SH DESCRIPTION
|
||||
.B arptables
|
||||
is a user space tool, it is used to set up and maintain the
|
||||
@@ -106,15 +95,11 @@ first argument on the arptables command line, if used.
|
||||
.B "-t, --table"
|
||||
.br
|
||||
.BR filter ,
|
||||
-is the only table and contains two (Linux kernels 2.4.X) or three (Linux kernels 2.6.0 and later) built-in chains:
|
||||
+is the only table and contains two built-in chains:
|
||||
.B INPUT
|
||||
-(for frames destined for the host),
|
||||
+(for frames destined for the host) and
|
||||
.B OUTPUT
|
||||
-(for locally-generated frames) and
|
||||
-.B FORWARD
|
||||
-(for frames being forwarded by the bridge code). The
|
||||
-.B FORWARD
|
||||
-chain doesn't exist in Linux 2.4.X kernels.
|
||||
+(for locally-generated frames).
|
||||
.br
|
||||
.br
|
||||
.SH ARPTABLES COMMAND LINE ARGUMENTS
|
||||
@@ -258,15 +243,15 @@ numbers separated by colons.
|
||||
.TP
|
||||
.BR "-i, --in-interface " "[!] \fIname\fP"
|
||||
The interface via which a frame is received (for the
|
||||
-.BR INPUT " and " FORWARD
|
||||
-chains). The flag
|
||||
+.B INPUT
|
||||
+chain). The flag
|
||||
.B --in-if
|
||||
is an alias for this option.
|
||||
.TP
|
||||
.BR "-o, --out-interface " "[!] \fIname\fP"
|
||||
The interface via which a frame is going to be sent (for the
|
||||
-.BR OUTPUT " and " FORWARD
|
||||
-chains). The flag
|
||||
+.B OUTPUT
|
||||
+chain). The flag
|
||||
.B --out-if
|
||||
is an alias for this option.
|
||||
.TP
|
||||
@@ -344,9 +329,20 @@ Binary AND the mark with bits.
|
||||
.BR "--or-mark mark"
|
||||
Binary OR the mark with bits.
|
||||
|
||||
+.SH NOTES
|
||||
+In this nft-based version of
|
||||
+.BR arptables ,
|
||||
+support for
|
||||
+.B FORWARD
|
||||
+chain has not been implemented. Since ARP packets are "forwarded" only by Linux
|
||||
+bridges, the same may be achieved using
|
||||
+.B FORWARD
|
||||
+chain in
|
||||
+.BR ebtables .
|
||||
+
|
||||
.SH MAILINGLISTS
|
||||
.BR "" "See " http://netfilter.org/mailinglists.html
|
||||
.SH SEE ALSO
|
||||
-.BR iptables "(8), " ebtables "(8), " arp "(8), " rarp "(8), " ifconfig "(8), " route (8)
|
||||
+.BR xtables-nft "(8), " iptables "(8), " ebtables "(8), " ip (8)
|
||||
.PP
|
||||
-.BR "" "See " http://ebtables.sf.net
|
||||
+.BR "" "See " https://wiki.nftables.org
|
||||
--
|
||||
2.21.0
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -1,275 +0,0 @@
|
||||
From a3310b304ca75f45505b89071b1537a6fcc97228 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Wed, 13 Mar 2019 20:46:15 +0100
|
||||
Subject: [PATCH] doc: Adjust ebtables man page
|
||||
|
||||
Change content to match nft-variant, most notably:
|
||||
|
||||
* There is no broute table, drop all references to it
|
||||
* Comment out description of among and string matches, we don't support
|
||||
them (yet)
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
||||
(cherry picked from commit 1939cbc25e6f51cebaa7a2d71c45bb312bab8668)
|
||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||||
---
|
||||
iptables/ebtables-nft.8 | 164 ++++++++++++++++------------------------
|
||||
1 file changed, 67 insertions(+), 97 deletions(-)
|
||||
|
||||
diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8
|
||||
index 55204ab91e8a4..db8b2ab28cca5 100644
|
||||
--- a/iptables/ebtables-nft.8
|
||||
+++ b/iptables/ebtables-nft.8
|
||||
@@ -24,7 +24,7 @@
|
||||
.\"
|
||||
.\"
|
||||
.SH NAME
|
||||
-ebtables-legacy (2.0.10.4@) \- Ethernet bridge frame table administration (legacy)
|
||||
+ebtables \- Ethernet bridge frame table administration (nft-based)
|
||||
.SH SYNOPSIS
|
||||
.BR "ebtables " [ -t " table ] " - [ ACDI "] chain rule specification [match extensions] [watcher extensions] target"
|
||||
.br
|
||||
@@ -51,17 +51,6 @@ ebtables-legacy (2.0.10.4@) \- Ethernet bridge frame table administration (legac
|
||||
.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-save
|
||||
.br
|
||||
|
||||
-.SH LEGACY
|
||||
-This tool uses the old xtables/setsockopt framework, and is a legacy version
|
||||
-of ebtables. That means that a new, more modern tool exists with the same
|
||||
-functionality using the nf_tables framework and you are encouraged to migrate now.
|
||||
-The new binaries (known as ebtables-nft and formerly known as ebtables-compat)
|
||||
-uses the same syntax and semantics than this legacy one.
|
||||
-
|
||||
-You can still use this legacy tool. You should probably get some specific
|
||||
-information from your Linux distribution or vendor.
|
||||
-More docs are available at https://wiki.nftables.org
|
||||
-
|
||||
.SH DESCRIPTION
|
||||
.B ebtables
|
||||
is an application program used to set up and maintain the
|
||||
@@ -72,7 +61,7 @@ It is analogous to the
|
||||
application, but less complicated, due to the fact that the Ethernet protocol
|
||||
is much simpler than the IP protocol.
|
||||
.SS CHAINS
|
||||
-There are three ebtables tables with built-in chains in the
|
||||
+There are two ebtables tables with built-in chains in the
|
||||
Linux kernel. These tables are used to divide functionality into
|
||||
different sets of rules. Each set of rules is called a chain.
|
||||
Each chain is an ordered list of rules that can match Ethernet frames. If a
|
||||
@@ -98,10 +87,7 @@ an 'extension' (see below) or a jump to a user-defined chain.
|
||||
.B ACCEPT
|
||||
means to let the frame through.
|
||||
.B DROP
|
||||
-means the frame has to be dropped. In the
|
||||
-.BR BROUTING " chain however, the " ACCEPT " and " DROP " target have different"
|
||||
-meanings (see the info provided for the
|
||||
-.BR -t " option)."
|
||||
+means the frame has to be dropped.
|
||||
.B CONTINUE
|
||||
means the next rule has to be checked. This can be handy, f.e., to know how many
|
||||
frames pass a certain point in the chain, to log those frames or to apply multiple
|
||||
@@ -113,14 +99,16 @@ For the extension targets please refer to the
|
||||
.B "TARGET EXTENSIONS"
|
||||
section of this man page.
|
||||
.SS TABLES
|
||||
-As stated earlier, there are three ebtables tables in the Linux
|
||||
+As stated earlier, there are two ebtables tables in the Linux
|
||||
kernel. The table names are
|
||||
-.BR filter ", " nat " and " broute .
|
||||
-Of these three tables,
|
||||
+.BR filter " and " nat .
|
||||
+Of these two tables,
|
||||
the filter table is the default table that the command operates on.
|
||||
If you are working with the filter table, then you can drop the '-t filter'
|
||||
argument to the ebtables command. However, you will need to provide
|
||||
-the -t argument for the other two tables. Moreover, the -t argument must be the
|
||||
+the -t argument for
|
||||
+.B nat
|
||||
+table. Moreover, the -t argument must be the
|
||||
first argument on the ebtables command line, if used.
|
||||
.TP
|
||||
.B "-t, --table"
|
||||
@@ -149,25 +137,6 @@ iptables world to ebtables it is easier to have the same names. Note that you
|
||||
can change the name
|
||||
.BR "" ( -E )
|
||||
if you don't like the default.
|
||||
-.br
|
||||
-.br
|
||||
-.B broute
|
||||
-is used to make a brouter, it has one built-in chain:
|
||||
-.BR BROUTING .
|
||||
-The targets
|
||||
-.BR DROP " and " ACCEPT
|
||||
-have a special meaning in the broute table (these names are used instead of
|
||||
-more descriptive names to keep the implementation generic).
|
||||
-.B DROP
|
||||
-actually means the frame has to be routed, while
|
||||
-.B ACCEPT
|
||||
-means the frame has to be bridged. The
|
||||
-.B BROUTING
|
||||
-chain is traversed very early. However, it is only traversed by frames entering on
|
||||
-a bridge port that is in forwarding state. Normally those frames
|
||||
-would be bridged, but you can decide otherwise here. The
|
||||
-.B redirect
|
||||
-target is very handy here.
|
||||
.SH EBTABLES COMMAND LINE ARGUMENTS
|
||||
After the initial ebtables '-t table' command line argument, the remaining
|
||||
arguments can be divided into several groups. These groups
|
||||
@@ -553,35 +522,35 @@ If the 802.3 DSAP and SSAP values are 0xaa then the SNAP type field must
|
||||
be consulted to determine the payload protocol. This is a two byte
|
||||
(hexadecimal) argument. Only 802.3 frames with DSAP/SSAP 0xaa are
|
||||
checked for type.
|
||||
-.SS among
|
||||
-Match a MAC address or MAC/IP address pair versus a list of MAC addresses
|
||||
-and MAC/IP address pairs.
|
||||
-A list entry has the following format:
|
||||
-.IR xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,] ". Multiple"
|
||||
-list entries are separated by a comma, specifying an IP address corresponding to
|
||||
-the MAC address is optional. Multiple MAC/IP address pairs with the same MAC address
|
||||
-but different IP address (and vice versa) can be specified. If the MAC address doesn't
|
||||
-match any entry from the list, the frame doesn't match the rule (unless "!" was used).
|
||||
-.TP
|
||||
-.BR "--among-dst " "[!] \fIlist\fP"
|
||||
-Compare the MAC destination to the given list. If the Ethernet frame has type
|
||||
-.IR IPv4 " or " ARP ,
|
||||
-then comparison with MAC/IP destination address pairs from the
|
||||
-list is possible.
|
||||
-.TP
|
||||
-.BR "--among-src " "[!] \fIlist\fP"
|
||||
-Compare the MAC source to the given list. If the Ethernet frame has type
|
||||
-.IR IPv4 " or " ARP ,
|
||||
-then comparison with MAC/IP source address pairs from the list
|
||||
-is possible.
|
||||
-.TP
|
||||
-.BR "--among-dst-file " "[!] \fIfile\fP"
|
||||
-Same as
|
||||
-.BR --among-dst " but the list is read in from the specified file."
|
||||
-.TP
|
||||
-.BR "--among-src-file " "[!] \fIfile\fP"
|
||||
-Same as
|
||||
-.BR --among-src " but the list is read in from the specified file."
|
||||
+.\" .SS among
|
||||
+.\" Match a MAC address or MAC/IP address pair versus a list of MAC addresses
|
||||
+.\" and MAC/IP address pairs.
|
||||
+.\" A list entry has the following format:
|
||||
+.\" .IR xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,] ". Multiple"
|
||||
+.\" list entries are separated by a comma, specifying an IP address corresponding to
|
||||
+.\" the MAC address is optional. Multiple MAC/IP address pairs with the same MAC address
|
||||
+.\" but different IP address (and vice versa) can be specified. If the MAC address doesn't
|
||||
+.\" match any entry from the list, the frame doesn't match the rule (unless "!" was used).
|
||||
+.\" .TP
|
||||
+.\" .BR "--among-dst " "[!] \fIlist\fP"
|
||||
+.\" Compare the MAC destination to the given list. If the Ethernet frame has type
|
||||
+.\" .IR IPv4 " or " ARP ,
|
||||
+.\" then comparison with MAC/IP destination address pairs from the
|
||||
+.\" list is possible.
|
||||
+.\" .TP
|
||||
+.\" .BR "--among-src " "[!] \fIlist\fP"
|
||||
+.\" Compare the MAC source to the given list. If the Ethernet frame has type
|
||||
+.\" .IR IPv4 " or " ARP ,
|
||||
+.\" then comparison with MAC/IP source address pairs from the list
|
||||
+.\" is possible.
|
||||
+.\" .TP
|
||||
+.\" .BR "--among-dst-file " "[!] \fIfile\fP"
|
||||
+.\" Same as
|
||||
+.\" .BR --among-dst " but the list is read in from the specified file."
|
||||
+.\" .TP
|
||||
+.\" .BR "--among-src-file " "[!] \fIfile\fP"
|
||||
+.\" Same as
|
||||
+.\" .BR --among-src " but the list is read in from the specified file."
|
||||
.SS arp
|
||||
Specify (R)ARP fields. The protocol must be specified as
|
||||
.IR ARP " or " RARP .
|
||||
@@ -822,26 +791,26 @@ The hello time timer (0-65535) range.
|
||||
.TP
|
||||
.BR "--stp-forward-delay " "[!] [\fIdelay\fP][:\fIdelay\fP]"
|
||||
The forward delay timer (0-65535) range.
|
||||
-.SS string
|
||||
-This module matches on a given string using some pattern matching strategy.
|
||||
-.TP
|
||||
-.BR "--string-algo " "\fIalgorithm\fP"
|
||||
-The pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris)
|
||||
-.TP
|
||||
-.BR "--string-from " "\fIoffset\fP"
|
||||
-The lowest offset from which a match can start. (default: 0)
|
||||
-.TP
|
||||
-.BR "--string-to " "\fIoffset\fP"
|
||||
-The highest offset from which a match can start. (default: size of frame)
|
||||
-.TP
|
||||
-.BR "--string " "[!] \fIpattern\fP"
|
||||
-Matches the given pattern.
|
||||
-.TP
|
||||
-.BR "--string-hex " "[!] \fIpattern\fP"
|
||||
-Matches the given pattern in hex notation, e.g. '|0D 0A|', '|0D0A|', 'www|09|netfilter|03|org|00|'
|
||||
-.TP
|
||||
-.BR "--string-icase"
|
||||
-Ignore case when searching.
|
||||
+.\" .SS string
|
||||
+.\" This module matches on a given string using some pattern matching strategy.
|
||||
+.\" .TP
|
||||
+.\" .BR "--string-algo " "\fIalgorithm\fP"
|
||||
+.\" The pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris)
|
||||
+.\" .TP
|
||||
+.\" .BR "--string-from " "\fIoffset\fP"
|
||||
+.\" The lowest offset from which a match can start. (default: 0)
|
||||
+.\" .TP
|
||||
+.\" .BR "--string-to " "\fIoffset\fP"
|
||||
+.\" The highest offset from which a match can start. (default: size of frame)
|
||||
+.\" .TP
|
||||
+.\" .BR "--string " "[!] \fIpattern\fP"
|
||||
+.\" Matches the given pattern.
|
||||
+.\" .TP
|
||||
+.\" .BR "--string-hex " "[!] \fIpattern\fP"
|
||||
+.\" Matches the given pattern in hex notation, e.g. '|0D 0A|', '|0D0A|', 'www|09|netfilter|03|org|00|'
|
||||
+.\" .TP
|
||||
+.\" .BR "--string-icase"
|
||||
+.\" Ignore case when searching.
|
||||
.SS vlan
|
||||
Specify 802.1Q Tag Control Information fields.
|
||||
The protocol must be specified as
|
||||
@@ -1026,7 +995,6 @@ The default target
|
||||
The
|
||||
.B dnat
|
||||
target can only be used in the
|
||||
-.BR BROUTING " chain of the " broute " table and the "
|
||||
.BR PREROUTING " and " OUTPUT " chains of the " nat " table."
|
||||
It specifies that the destination MAC address has to be changed.
|
||||
.TP
|
||||
@@ -1089,11 +1057,8 @@ The
|
||||
.B redirect
|
||||
target will change the MAC target address to that of the bridge device the
|
||||
frame arrived on. This target can only be used in the
|
||||
-.BR BROUTING " chain of the " broute " table and the "
|
||||
.BR PREROUTING " chain of the " nat " table."
|
||||
-In the
|
||||
-.BR BROUTING " chain, the MAC address of the bridge port is used as destination address,"
|
||||
-.BR "" "in the " PREROUTING " chain, the MAC address of the bridge is used."
|
||||
+The MAC address of the bridge is used as destination address."
|
||||
.TP
|
||||
.BR "--redirect-target " "\fItarget\fP"
|
||||
.br
|
||||
@@ -1135,12 +1100,17 @@ arp message and the hardware address length in the arp header is 6 bytes.
|
||||
.br
|
||||
.SH FILES
|
||||
.I /etc/ethertypes
|
||||
-.I /var/lib/ebtables/lock
|
||||
.SH ENVIRONMENT VARIABLES
|
||||
.I EBTABLES_ATOMIC_FILE
|
||||
.SH MAILINGLISTS
|
||||
.BR "" "See " http://netfilter.org/mailinglists.html
|
||||
+.SH BUGS
|
||||
+The version of ebtables this man page ships with does not support the
|
||||
+.B broute
|
||||
+table. Also there is no support for
|
||||
+.BR among " and " string
|
||||
+matches. And finally, this list is probably not complete.
|
||||
.SH SEE ALSO
|
||||
-.BR iptables "(8), " brctl "(8), " ifconfig "(8), " route (8)
|
||||
+.BR xtables-nft "(8), " iptables "(8), " ip (8)
|
||||
.PP
|
||||
-.BR "" "See " http://ebtables.sf.net
|
||||
+.BR "" "See " https://wiki.nftables.org
|
||||
--
|
||||
2.21.0
|
||||
|
@ -4,19 +4,33 @@
|
||||
# service legacy actions (RHBZ#748134)
|
||||
%global legacy_actions %{_libexecdir}/initscripts/legacy-actions
|
||||
|
||||
# Bootstrap mode providing old and new versions of libip{4,6}tc in parallel
|
||||
%global bootstrap 1
|
||||
|
||||
%if 0%{?bootstrap}
|
||||
%global version_old 1.8.2
|
||||
%global iptc_so_ver_old 0
|
||||
%endif
|
||||
%global iptc_so_ver 2
|
||||
|
||||
Name: iptables
|
||||
Summary: Tools for managing Linux kernel packet filtering capabilities
|
||||
URL: http://www.netfilter.org/projects/iptables
|
||||
Version: 1.8.3
|
||||
Release: 2%{?dist}
|
||||
Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
|
||||
Release: 3%{?dist}
|
||||
Source: %{url}/files/%{name}-%{version}.tar.bz2
|
||||
Source1: iptables.init
|
||||
Source2: iptables-config
|
||||
Source3: iptables.service
|
||||
Source4: sysconfig_iptables
|
||||
Source5: sysconfig_ip6tables
|
||||
Source6: arptables-nft-helper
|
||||
%if 0%{?bootstrap}
|
||||
Source7: %{url}/files/%{name}-%{version_old}.tar.bz2
|
||||
Source8: 0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch
|
||||
%endif
|
||||
|
||||
Patch1: 0001-iptables-apply-Use-mktemp-instead-of-tempfile.patch
|
||||
URL: http://www.netfilter.org/
|
||||
# pf.os: ISC license
|
||||
# iptables-apply: Artistic Licence 2.0
|
||||
License: GPLv2 and Artistic Licence 2.0 and ISC
|
||||
@ -115,6 +129,14 @@ nftables compatibility for iptables, arptables and ebtables.
|
||||
%prep
|
||||
%autosetup -p1
|
||||
|
||||
%if 0%{?bootstrap}
|
||||
%{__mkdir} -p bootstrap_ver
|
||||
pushd bootstrap_ver
|
||||
%{__tar} --strip-components=1 -xf %{SOURCE7}
|
||||
%{__patch} -p1 <%{SOURCE8}
|
||||
popd
|
||||
%endif
|
||||
|
||||
%build
|
||||
./autogen.sh
|
||||
CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing " \
|
||||
@ -128,7 +150,31 @@ rm -f include/linux/types.h
|
||||
|
||||
make %{?_smp_mflags}
|
||||
|
||||
%if 0%{?bootstrap}
|
||||
pushd bootstrap_ver
|
||||
./autogen.sh
|
||||
CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing " \
|
||||
%configure --enable-devel --enable-bpf-compiler --with-kernel=/usr --with-kbuild=/usr --with-ksource=/usr
|
||||
|
||||
# do not use rpath
|
||||
sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
|
||||
sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
|
||||
|
||||
rm -f include/linux/types.h
|
||||
|
||||
make %{?_smp_mflags}
|
||||
popd
|
||||
%endif
|
||||
|
||||
%install
|
||||
%if 0%{?bootstrap}
|
||||
%make_install -C bootstrap_ver
|
||||
%{_bindir}/find %{buildroot} -xtype f -not \
|
||||
-name 'libip*tc.so.%{iptc_so_ver_old}*' -delete -print
|
||||
%{_bindir}/find %{buildroot} -type l -not \
|
||||
-name 'libip*tc.so.%{iptc_so_ver_old}*' -delete -print
|
||||
%endif
|
||||
|
||||
make install DESTDIR=%{buildroot}
|
||||
# remove la file(s)
|
||||
rm -f %{buildroot}/%{_libdir}/*.la
|
||||
@ -315,8 +361,11 @@ fi
|
||||
%ghost %{_sbindir}/ip6tables-save
|
||||
|
||||
%files libs
|
||||
%{_libdir}/libip*tc.so.*
|
||||
%{_libdir}/libxtables.so.*
|
||||
%{_libdir}/libip*tc.so.%{iptc_so_ver}*
|
||||
%if 0%{?bootstrap}
|
||||
%{_libdir}/libip*tc.so.%{iptc_so_ver_old}*
|
||||
%endif
|
||||
%{_libdir}/libxtables.so.12*
|
||||
|
||||
%files devel
|
||||
%dir %{_includedir}/iptables
|
||||
@ -393,6 +442,12 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Tue Jun 25 2019 Phil Sutter <psutter@redhat.com> - 1.8.3-3
|
||||
- Change URL to point at iptables project, not netfilter overview page
|
||||
- Reuse URL value in tarball source
|
||||
- Reduce globbing of library file names to expose future SONAME changes
|
||||
- Add bootstrapping for libip*tc SONAME bump
|
||||
|
||||
* Tue Jun 25 2019 Phil Sutter <psutter@redhat.com> - 1.8.3-2
|
||||
- Install new man page for nfbpf_compile utility
|
||||
- Move nfnl_osf man page to utils subpackage
|
||||
|
Loading…
Reference in New Issue
Block a user