From 0541154a5e8ff7b282b787efe2294f128ec6ffc1 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sat, 3 Oct 2009 21:41:29 +0200 Subject: [PATCH] doc: properly escape non-hyphens --- extensions/ACCOUNT/libxt_ACCOUNT.man | 4 ++-- extensions/libxt_CHAOS.man | 4 ++-- extensions/libxt_DHCPMAC.man | 14 +++++------ extensions/libxt_IPMARK.man | 24 +++++++++---------- extensions/libxt_LOGMARK.man | 10 ++++---- extensions/libxt_RAWDNAT.man | 2 +- extensions/libxt_RAWSNAT.man | 10 ++++---- extensions/libxt_SYSRQ.man | 36 ++++++++++++++-------------- extensions/libxt_TARPIT.man | 12 +++++----- extensions/libxt_TEE.man | 2 +- extensions/libxt_condition.man | 2 +- extensions/libxt_dhcpmac.man | 2 +- extensions/libxt_fuzzy.man | 4 ++-- extensions/libxt_geoip.man | 4 ++-- extensions/libxt_iface.man | 2 +- extensions/libxt_ipp2p.man | 32 ++++++++++++------------- extensions/libxt_ipv4options.man | 20 ++++++++-------- extensions/libxt_length.man | 15 ++++++------ extensions/libxt_lscan.man | 8 +++---- extensions/libxt_psd.man | 8 +++---- extensions/libxt_quota2.man | 14 +++++------ 21 files changed, 115 insertions(+), 114 deletions(-) diff --git a/extensions/ACCOUNT/libxt_ACCOUNT.man b/extensions/ACCOUNT/libxt_ACCOUNT.man index 14b9fee..2a26c67 100644 --- a/extensions/ACCOUNT/libxt_ACCOUNT.man +++ b/extensions/ACCOUNT/libxt_ACCOUNT.man @@ -56,8 +56,8 @@ the \fBiptaccount\fP(8) tool, which features following options: .PP Here is an example of use: .PP -iptables \-A FORWARD \-j ACCOUNT \-\-addr 0.0.0.0/0 \-\-tname all_outgoing -iptables \-A FORWARD \-j ACCOUNT \-\-addr 192.168.1.0/24 \-\-tname sales +iptables \-A FORWARD \-j ACCOUNT \-\-addr 0.0.0.0/0 \-\-tname all_outgoing; +iptables \-A FORWARD \-j ACCOUNT \-\-addr 192.168.1.0/24 \-\-tname sales; .PP This creates two tables called "all_outgoing" and "sales" which can be queried using the userspace library/iptaccount tool. diff --git a/extensions/libxt_CHAOS.man b/extensions/libxt_CHAOS.man index d698c1b..c7d6d1f 100644 
--- a/extensions/libxt_CHAOS.man +++ b/extensions/libxt_CHAOS.man @@ -1,13 +1,13 @@ Causes confusion on the other end by doing odd things with incoming packets. CHAOS will randomly reply (or not) with one of its configurable subtargets: .TP -\fB--delude\fP +\fB\-\-delude\fP Use the REJECT and DELUDE targets as a base to do a sudden or deferred connection reset, fooling some network scanners to return non-deterministic (randomly open/closed) results, and in case it is deemed open, it is actually closed/filtered. .TP -\fB--tarpit\fP +\fB\-\-tarpit\fP Use the REJECT and TARPIT target as a base to hold the connection until it times out. This consumes conntrack entries when connection tracking is loaded (which usually is on most machines), and routers inbetween you and the Internet diff --git a/extensions/libxt_DHCPMAC.man b/extensions/libxt_DHCPMAC.man index 757e20f..f69a5c8 100644 --- a/extensions/libxt_DHCPMAC.man +++ b/extensions/libxt_DHCPMAC.man @@ -4,7 +4,7 @@ VMware does not allow to set a non-VMware MAC address before an operating system is booted (and the MAC be changed with `ip link set eth0 address aa:bb..`). .TP -\fB--set-mac\fP \fIaa:bb:cc:dd:ee:ff\fP[\fB/\fP\fImask\fP] +\fB\-\-set\-mac\fP \fIaa:bb:cc:dd:ee:ff\fP[\fB/\fP\fImask\fP] Replace the client host MAC address field in the DHCP message with the given MAC address. This option is mandatory. The \fImask\fP parameter specifies the prefix length of bits to change. 
@@ -12,13 +12,13 @@ prefix length of bits to change. EXAMPLE, replacing all addresses from one of VMware's assigned vendor IDs (00:50:56) addresses with something else: .PP -iptables -t mangle -A FORWARD -p udp --dport 67 -m physdev --physdev-in vmnet1 --m dhcpmac --mac 00:50:56:00:00:00/24 -j DHCPMAC --set-mac -ab:cd:ef:00:00:00/24 +iptables \-t mangle \-A FORWARD \-p udp \-\-dport 67 \-m physdev +\-\-physdev\-in vmnet1 \-m dhcpmac \-\-mac 00:50:56:00:00:00/24 \-j DHCPMAC +\-\-set\-mac ab:cd:ef:00:00:00/24 .PP -iptables -t mangle -A FORWARD -p udp --dport 68 -m physdev --physdev-out vmnet1 --m dhcpmac --mac ab:cd:ef:00:00:00/24 -j DHCPMAC --set-mac -00:50:56:00:00:00/24 +iptables \-t mangle \-A FORWARD \-p udp \-\-dport 68 \-m physdev +\-\-physdev\-out vmnet1 \-m dhcpmac \-\-mac ab:cd:ef:00:00:00/24 \-j DHCPMAC +\-\-set\-mac 00:50:56:00:00:00/24 .PP (This assumes there is a bridge interface that has vmnet1 as a port. You will also need to add appropriate ebtables rules to change the MAC address of the diff --git a/extensions/libxt_IPMARK.man b/extensions/libxt_IPMARK.man index ac4a532..cac330c 100644 --- a/extensions/libxt_IPMARK.man +++ b/extensions/libxt_IPMARK.man @@ -4,16 +4,16 @@ firewall based classifier. This target is to be used inside the \fBmangle\fP table. .TP -\fB--addr\fP {\fBsrc\fP|\fBdst\fP} +\fB\-\-addr\fP {\fBsrc\fP|\fBdst\fP} Select source or destination IP address as a basis for the mark. .TP -\fB--and-mask\fP \fImask\fP +\fB\-\-and\-mask\fP \fImask\fP Perform bitwise AND on the IP address and this bitmask. .TP -\fB--or-mask\fP \fImask\fP +\fB\-\-or\-mask\fP \fImask\fP Perform bitwise OR on the IP address and this bitmask. .TP -\fB--shift\fP \fIvalue\fP +\fB\-\-shift\fP \fIvalue\fP Shift addresses to the right by the given number of bits before taking it as a mark. (This is done before ANDing or ORing it.) This option is needed to select part of an IPv6 address, because marks are only 32 bits in size. 
@@ -34,16 +34,16 @@ tc filter add dev eth3 parent 1:0 protocol ip fw .PP Earlier we had many rules just like below: .IP -iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.2 -j MARK ---set-mark 0x10502 +iptables \-t mangle \-A POSTROUTING \-o eth3 \-d 192.168.5.2 \-j MARK +\-\-set\-mark 0x10502 .IP -iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.3 -j MARK ---set-mark 0x10503 +iptables \-t mangle \-A POSTROUTING \-o eth3 \-d 192.168.5.3 \-j MARK +\-\-set\-mark 0x10503 .PP Using IPMARK target we can replace all the mangle/mark rules with only one: .IP -iptables -t mangle -A POSTROUTING -o eth3 -j IPMARK --addr dst ---and-mask 0xffff --or-mask 0x10000 +iptables \-t mangle \-A POSTROUTING \-o eth3 \-j IPMARK \-\-addr dst +\-\-and\-mask 0xffff \-\-or\-mask 0x10000 .PP On the routers with hundreds of users there should be significant load decrease (e.g. twice). @@ -52,5 +52,5 @@ decrease (e.g. twice). 2001:db8:45:1d:20d:93ff:fe9b:e443 and the resulting mark should be 0x93ff, then a right-shift of 16 is needed first: .IP --t mangle -A PREROUTING -s 2001:db8::/32 -j IPMARK --addr src --shift 16 ---and-mask 0xFFFF +\-t mangle \-A PREROUTING \-s 2001:db8::/32 \-j IPMARK \-\-addr src \-\-shift +16 \-\-and\-mask 0xFFFF diff --git a/extensions/libxt_LOGMARK.man b/extensions/libxt_LOGMARK.man index e954aa4..1d810ae 100644 --- a/extensions/libxt_LOGMARK.man +++ b/extensions/libxt_LOGMARK.man 
@@ -1,17 +1,17 @@ The LOGMARK target will log packet and connection marks to syslog. .TP -\fB--log-level\fR \fIlevel\fR +\fB\-\-log\-level\fR \fIlevel\fR A logging level between 0 and 8 (inclusive). .TP -\fB--log-prefix\fR \fIstring\fR +\fB\-\-log\-prefix\fR \fIstring\fR Prefix log messages with the specified prefix; up to 29 bytes long, and useful for distinguishing messages in the logs. .TP -\fB--log-nfmark\fR +\fB\-\-log\-nfmark\fR Include the packet mark in the log. .TP -\fB--log-ctmark\fR +\fB\-\-log\-ctmark\fR Include the connection mark in the log. .TP -\fB--log-secmark\fR +\fB\-\-log\-secmark\fR Include the packet secmark in the log. diff --git a/extensions/libxt_RAWDNAT.man b/extensions/libxt_RAWDNAT.man index 8ba2473..062ca55 100644 --- a/extensions/libxt_RAWDNAT.man +++ b/extensions/libxt_RAWDNAT.man @@ -1,7 +1,7 @@ The \fBRAWDNAT\fR target will rewrite the destination address in the IP header, much like the \fBNETMAP\fR target. .TP -\fB--to-destination\fR \fIaddr\fR[\fB/\fR\fImask\fR] +\fB\-\-to\-destination\fR \fIaddr\fR[\fB/\fR\fImask\fR] Network address to map to. The resulting address will be constructed the following way: All 'one' bits in the \fImask\fR are filled in from the new \fIaddress\fR. All bits that are zero in the mask are filled in from the diff --git a/extensions/libxt_RAWSNAT.man b/extensions/libxt_RAWSNAT.man index d7f68b8..aa2dca3 100644 --- a/extensions/libxt_RAWSNAT.man +++ b/extensions/libxt_RAWSNAT.man 
@@ -8,7 +8,7 @@ which makes it possible to change the source address either when the packet enters the machine or when it leaves it. The reason for this table constraint is that RAWNAT must happen outside of connection tracking. .TP -\fB--to-source\fR \fIaddr\fR[\fB/\fR\fImask\fR] +\fB\-\-to\-source\fR \fIaddr\fR[\fB/\fR\fImask\fR] Network address to map to. The resulting address will be constructed the following way: All 'one' bits in the \fImask\fR are filled in from the new \fIaddress\fR. All bits that are zero in the mask are filled in from the @@ -17,13 +17,13 @@ original address. As an example, changing the destination for packets forwarded from an internal LAN to the internet: .IP --t raw -A PREROUTING -i lan0 -d 212.201.100.135 -j RAWDNAT --to-destination 199.181.132.250 --t rawpost -A POSTROUTING -o lan0 -s 199.181.132.250 -j RAWSNAT --to-source 212.201.100.135 +\-t raw \-A PREROUTING \-i lan0 \-d 212.201.100.135 \-j RAWDNAT \-\-to\-destination 199.181.132.250; +\-t rawpost \-A POSTROUTING \-o lan0 \-s 199.181.132.250 \-j RAWSNAT \-\-to\-source 212.201.100.135; .PP Note that changing addresses may influence the route selection! Specifically, it statically NATs packets, not connections, like the normal DNAT/SNAT targets -would do. Also note that it can transform already-NATed connections -- as said, -it is completely external to Netfilter's connection tracking/NAT. +would do. Also note that it can transform already-NATed connections \(em as +said, it is completely external to Netfilter's connection tracking/NAT. .PP If the machine itself generates packets that are to be rawnat'ed, you need a rule in the OUTPUT chain instead, just like you would with the stateful NAT diff --git a/extensions/libxt_SYSRQ.man b/extensions/libxt_SYSRQ.man index 4f0241d..89878e0 100644 --- a/extensions/libxt_SYSRQ.man +++ b/extensions/libxt_SYSRQ.man 
@@ -1,7 +1,7 @@ The SYSRQ target allows to remotely trigger sysrq on the local machine over the network. This can be useful when vital parts of the machine hang, for example an oops in a filesystem causing locks to be not released and processes to get -stuck as a result - if still possible, use /proc/sysrq-trigger. Even when +stuck as a result \(em if still possible, use /proc/sysrq-trigger. Even when processes are stuck, interrupts are likely to be still processed, and as such, sysrq can be triggered through incoming network packets. .PP 
@@ -11,30 +11,30 @@ requests. The initial sequence number comes from the time of day so you will have a small window of vulnerability should time go backwards at a reboot. However, the file /sys/module/xt_SYSREQ/seqno can be used to both query and update the current sequence number. Also, you should limit as to who can issue -commands using \fB-s\fP and/or \fB-m mac\fP, and also that the destination is -correct using \fB-d\fP (to protect against potential broadcast packets), noting -that it is still short of MAC/IP spoofing: +commands using \fB\-s\fP and/or \fB\-m mac\fP, and also that the destination is +correct using \fB\-d\fP (to protect against potential broadcast packets), +noting that it is still short of MAC/IP spoofing: .IP --A INPUT -s 10.10.25.1 -m mac --mac-source aa:bb:cc:dd:ee:ff -d 10.10.25.7 --p udp --dport 9 -j SYSRQ +\-A INPUT \-s 10.10.25.1 \-m mac \-\-mac\-source aa:bb:cc:dd:ee:ff \-d +10.10.25.7 \-p udp \-\-dport 9 \-j SYSRQ .IP -(with IPsec) -A INPUT -s 10.10.25.1 -d 10.10.25.7 -m policy --dir in --pol -ipsec --proto esp --tunnel-src 10.10.25.1 --tunnel-dst 10.10.25.7 --p udp --dport 9 -j SYSRQ +(with IPsec) \-A INPUT \-s 10.10.25.1 \-d 10.10.25.7 \-m policy \-\-dir in +\-\-pol ipsec \-\-proto esp \-\-tunnel\-src 10.10.25.1 \-\-tunnel\-dst +10.10.25.7 \-p udp \-\-dport 9 \-j SYSRQ .PP You should also limit the rate at which connections can be received to limit the CPU time taken by illegal requests, for example: .IP --A INPUT -s 10.10.25.1 -m mac --mac-source aa:bb:cc:dd:ee:ff -d 10.10.25.7 --p udp --dport 9 -m limit --limit 5/minute -j SYSRQ +\-A INPUT \-s 10.10.25.1 \-m mac \-\-mac\-source aa:bb:cc:dd:ee:ff \-d +10.10.25.7 \-p udp \-\-dport 9 \-m limit \-\-limit 5/minute \-j SYSRQ .PP -This extension does not take any options. The \fB-p udp\fP options are +This extension does not take any options. The \fB\-p udp\fP options are required. 
.PP The SYSRQ password can be changed through /sys/module/xt_SYSRQ/parameters/password, for example: .IP -echo -n "password" >/sys/module/xt_SYSRQ/parameters/password +echo \-n "password" >/sys/module/xt_SYSRQ/parameters/password .PP Alternatively, the password may be specified at modprobe time, but this is insecure as people can possible see it through ps(1). You can use an option @@ -59,17 +59,17 @@ sysrq_key="s" # the SysRq key(s) password="password" seqno="$(date +%s)" salt="$(dd bs=12 count=1 if=/dev/urandom 2>/dev/null | - openssl enc -base64)" + openssl enc \-base64)" req="$sysrq_key,$seqno,$salt" -req="$req,$(echo -n "$req,$password" | sha1sum | cut -c1-40)" +req="$req,$(echo \-n "$req,$password" | sha1sum | cut \-c1\-40)" -echo "$req" | socat stdin udp-sendto:10.10.25.7:9 +echo "$req" | socat stdin udp\-sendto:10.10.25.7:9 # or -echo "$req" | netcat -uw1 10.10.25.7 9 +echo "$req" | netcat \-uw1 10.10.25.7 9 .fi .PP See the Linux docs for possible sysrq keys. Important ones are: re(b)oot, -power(o)ff, (s)ync filesystems, (u)mount and remount readonly. More than one +power(o)ff, (s)ync filesystems, (u)mount and remount readonly. More than one sysrq key can be used at once, but bear in mind that, for example, a sync may not complete before a subsequent reboot or poweroff. .PP diff --git a/extensions/libxt_TARPIT.man b/extensions/libxt_TARPIT.man index 891aeb3..2a760d5 100644 --- a/extensions/libxt_TARPIT.man +++ b/extensions/libxt_TARPIT.man 
@@ -11,16 +11,16 @@ tarpit. To tarpit connections to TCP port 80 destined for the current machine: .IP --A INPUT -p tcp -m tcp --dport 80 -j TARPIT -.P +\-A INPUT \-p tcp \-m tcp \-\-dport 80 \-j TARPIT +.PP To significantly slow down Code Red/Nimda-style scans of unused address space, forward unused ip addresses to a Linux box not acting as a router (e.g. "ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP forwarding on the Linux box, and add: .IP --A FORWARD -p tcp -j TARPIT +\-A FORWARD \-p tcp \-j TARPIT .IP --A FORWARD -j DROP +\-A FORWARD \-j DROP .PP NOTE: If you use the conntrack module while you are using TARPIT, you should also use @@ -28,6 +28,6 @@ the NOTRACK target, or the kernel will unnecessarily allocate resources for each TARPITted connection. To TARPIT incoming connections to the standard IRC port while using conntrack, you could: .IP --t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK +\-t raw \-A PREROUTING \-p tcp \-\-dport 6667 \-j NOTRACK .IP --A INPUT -p tcp --dport 6667 -j TARPIT +\-A INPUT \-p tcp \-\-dport 6667 \-j TARPIT diff --git a/extensions/libxt_TEE.man b/extensions/libxt_TEE.man index 3fe6aca..8cff7b0 100644 --- a/extensions/libxt_TEE.man +++ b/extensions/libxt_TEE.man @@ -3,6 +3,6 @@ machine on the \fBlocal\fP network segment. In other words, the nexthop must be the target, or you will have to configure the nexthop to forward it further if so desired. .TP -\fB--gw\fP \fIipaddr\fP +\fB\-\-gw\fP \fIipaddr\fP Send the cloned packet to the host reachable at the given IP address. Use of 0.0.0.0 (for IPv4 packets) or :: (IPv6) is invalid. diff --git a/extensions/libxt_condition.man b/extensions/libxt_condition.man index c5939ed..769e295 100644 --- a/extensions/libxt_condition.man +++ b/extensions/libxt_condition.man 
@@ -1,4 +1,4 @@
 This matches if a specific condition variable is (un)set.
 .TP
-[\fB!\fP] \fB--condition\fP \fIname\fP
+[\fB!\fP] \fB\-\-condition\fP \fIname\fP
 Match on boolean value stored in /proc/net/nf_condition/\fIname\fP.
diff --git a/extensions/libxt_dhcpmac.man b/extensions/libxt_dhcpmac.man
index 05d4ce8..a77bf33 100644
--- a/extensions/libxt_dhcpmac.man
+++ b/extensions/libxt_dhcpmac.man
@@ -1,4 +1,4 @@
 .TP
-\fB--mac\fP \fIaa:bb:cc:dd:ee:ff\fP[\fB/\fP\fImask\fP]
+\fB\-\-mac\fP \fIaa:bb:cc:dd:ee:ff\fP[\fB/\fP\fImask\fP]
 Matches the DHCP "Client Host" address (a MAC address) in a DHCP message.
 \fImask\fP specifies the prefix length of the initial portion to match.
diff --git a/extensions/libxt_fuzzy.man b/extensions/libxt_fuzzy.man
index c2bed1e..28f3d08 100644
--- a/extensions/libxt_fuzzy.man
+++ b/extensions/libxt_fuzzy.man
@@ -1,7 +1,7 @@
 This module matches a rate limit based on a fuzzy logic controller (FLC).
 .TP
-\fB--lower-limit\fP \fInumber\fP
+\fB\-\-lower\-limit\fP \fInumber\fP
 Specifies the lower limit, in packets per second.
 .TP
-\fB--upper-limit\fP \fInumber\fP
+\fB\-\-upper\-limit\fP \fInumber\fP
 Specifies the upper limit, also in packets per second.
diff --git a/extensions/libxt_geoip.man b/extensions/libxt_geoip.man
index 5f7ca04..acb4ab6 100644
--- a/extensions/libxt_geoip.man
+++ b/extensions/libxt_geoip.man
@@ -1,9 +1,9 @@
 Match a packet by its source or destination country.
 .TP
-[\fB!\fP] \fB--src-cc\fP, \fB--source-country\fP \fIcountry\fP[\fB,\fP\fIcountry\fP\fB...\fP]
+[\fB!\fP] \fB\-\-src\-cc\fP, \fB\-\-source\-country\fP \fIcountry\fP[\fB,\fP\fIcountry\fP\fB...\fP]
 Match packet coming from (one of) the specified country(ies)
 .TP
-[\fB!\fP] \fB--dst-cc\fP, \fB--destination-country\fP \fIcountry\fP[\fB,\fP\fIcountry\fP\fB...\fP]
+[\fB!\fP] \fB\-\-dst\-cc\fP, \fB\-\-destination\-country\fP \fIcountry\fP[\fB,\fP\fIcountry\fP\fB...\fP]
 Match packet going to (one of) the specified country(ies)
 .TP
 NOTE:
diff --git a/extensions/libxt_iface.man b/extensions/libxt_iface.man
index 7dc6820..fb9c04e 100644
--- a/extensions/libxt_iface.man
+++ b/extensions/libxt_iface.man
@@ -30,7 +30,7 @@ Check the MULTICAST flag.
 [\fB!\fP] \fB\-\-dynamic\fP
 Check the DYNAMIC flag.
 .TP
-[\fB!\fP] \fB\-\-lower-up\fP
+[\fB!\fP] \fB\-\-lower\-up\fP
 Check the LOWER_UP flag.
 .TP
 [\fB!\fP] \fB\-\-dormant\fP
diff --git a/extensions/libxt_ipp2p.man b/extensions/libxt_ipp2p.man
index 9a76451..21253d2 100644
--- a/extensions/libxt_ipp2p.man
+++ b/extensions/libxt_ipp2p.man
@@ -1,41 +1,41 @@ This module matches certain packets in P2P flows. It is not -designed to match all packets belonging to a P2P connection - +designed to match all packets belonging to a P2P connection \(em use IPP2P together with CONNMARK for this purpose. .PP -Use it together with -p tcp or -p udp to search these protocols -only or without -p switch to search packets of both protocols. +Use it together with \-p tcp or \-p udp to search these protocols +only or without \-p switch to search packets of both protocols. .PP IPP2P provides the following options, of which one or more may be specified on the command line: .TP -.B "--edk " +\fB\-\-edk\fP Matches as many eDonkey/eMule packets as possible. .TP -.B "--kazaa " +\fB\-\-kazaa\fP Matches as many KaZaA packets as possible. .TP -.B "--gnu " +\fB\-\-gnu\fP Matches as many Gnutella packets as possible. .TP -.B "--dc " +\fB\-\-dc\fP Matches as many Direct Connect packets as possible. .TP -.B "--bit " +\fB\-\-bit\fP Matches BitTorrent packets. .TP -.B "--apple " +\fB\-\-apple\fP Matches AppleJuice packets. .TP -.B "--soul " +\fB\-\-soul\fP Matches some SoulSeek packets. Considered as beta, use careful! .TP -.B "--winmx " +\fB\-\-winmx\fP Matches some WinMX packets. Considered as beta, use careful! .TP -.B "--ares " -Matches Ares and AresLite packets. Use together with -j DROP only. +\fB\-\-ares\fP +Matches Ares and AresLite packets. Use together with \-j DROP only. .TP -.B "--debug " +\fB\-\-debug\fP Prints some information about each hit into kernel logfile. May produce huge logfiles so beware! .PP 
@@ -44,5 +44,5 @@ exchanged as a result of running filesharing programs. .PP There is more information on http://ipp2p.org/ , but it has not been updated since September 2006, and the syntax there is different from the ipp2p.c -provided in Xtables-addons; most importantly, the --ipp2p flag was removed due -to its ambiguity to match "all known" protocols. +provided in Xtables-addons; most importantly, the \-\-ipp2p flag was removed +due to its ambiguity to match "all known" protocols. diff --git a/extensions/libxt_ipv4options.man b/extensions/libxt_ipv4options.man index 0628804..6676280 100644 --- a/extensions/libxt_ipv4options.man +++ b/extensions/libxt_ipv4options.man @@ -13,25 +13,25 @@ where only at least one symbol spec must be true. .PP Known symbol names (and their number): .PP -1 - \fBnop\fP +1 \(em \fBnop\fP .PP -2 - \fBsecurity\fP - RFC 1108 +2 \(em \fBsecurity\fP \(em RFC 1108 .PP -3 - \fBlsrr\fP - Loose Source Routing, RFC 791 +3 \(em \fBlsrr\fP \(em Loose Source Routing, RFC 791 .PP -4 - \fBtimestamp\fP - RFC 781, 791 +4 \(em \fBtimestamp\fP \(em RFC 781, 791 .PP -7 - \fBrecord\-route\fP - RFC 791 +7 \(em \fBrecord\-route\fP \em RFC 791 .PP -9 - \fBssrr\fP - Strict Source Routing, RFC 791 +9 \(em \fBssrr\fP \(em Strict Source Routing, RFC 791 .PP -11 - \fBmtu\-probe\fP - RFC 1063 +11 \(em \fBmtu\-probe\fP \(em RFC 1063 .PP -12 - \fBmtu\-reply\fP - RFC 1063 +12 \(em \fBmtu\-reply\fP \(em RFC 1063 .PP -18 - \fBtraceroute\fP - RFC 1393 +18 \(em \fBtraceroute\fP \(em RFC 1393 .PP -20 - \fBrouter-alert\fP - RFC 2113 +20 \(em \fBrouter-alert\fP \(em RFC 2113 .PP Examples: .PP diff --git a/extensions/libxt_length.man b/extensions/libxt_length.man index 235504e..8da040b 100644 --- a/extensions/libxt_length.man +++ b/extensions/libxt_length.man 
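Review bot: The record-route entry in the libxt_ipv4options.man hunk uses `\em` where every other entry in the list uses `\(em`; in groff `\e` is the escape that prints the escape character itself, so this line would come out as a literal backslash followed by `m` instead of an em dash. It should read `7 \(em \fBrecord\-route\fP \(em RFC 791`. The last changed line of the same hunk also keeps a bare hyphen in `\fBrouter-alert\fP` while `record\-route`, `mtu\-probe` and `mtu\-reply` just above it are escaped, which is what this commit sets out to fix; `\fBrouter\-alert\fP` would keep the list consistent.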
@@ -1,18 +1,19 @@ This module matches the length of a packet against a specific value or range of values. .TP -[\fB!\fR] \fB--length\fR \fIlength\fR[\fB:\fR\fIlength\fR] +[\fB!\fR] \fB\-\-length\fR \fIlength\fR[\fB:\fR\fIlength\fR] Match exact length or length range. .TP -\fB--layer3\fR +\fB\-\-layer3\fR Match the layer3 frame size (e.g. IPv4/v6 header plus payload). .TP -\fB--layer4\fR +\fB\-\-layer4\fR Match the layer4 frame size (e.g. TCP/UDP header plus payload). .TP -\fB--layer5\fR +\fB\-\-layer5\fR Match the layer5 frame size (e.g. TCP/UDP payload, often called layer7). .PP -If no --layer* option is given, --layer3 is assumed by default. Note that using ---layer5 may not match a packet if it is not one of the recognized types -(currently TCP, UDP, UDPLite, ICMP, AH and ESP) or which has no 5th layer. +If no \-\-layer* option is given, \-\-layer3 is assumed by default. Note that +using \-\-layer5 may not match a packet if it is not one of the recognized +types (currently TCP, UDP, UDPLite, ICMP, AH and ESP) or which has no 5th +layer. diff --git a/extensions/libxt_lscan.man b/extensions/libxt_lscan.man index a39867a..4ec6ec0 100644 --- a/extensions/libxt_lscan.man +++ b/extensions/libxt_lscan.man 
@@ -6,19 +6,19 @@ out, but this information can be used in conjunction with other rules to block the remote host's future connections. So this match module will match on the (probably) last packet the remote side will send to your machine. .TP -\fB--stealth\fR +\fB\-\-stealth\fR Match if the packet did not belong to any known TCP connection (Stealth/FIN/XMAS/NULL scan). .TP -\fB--synscan\fR +\fB\-\-synscan\fR Match if the connection was a TCP half-open discovery (SYN scan), i.e. the connection was torn down after the 2nd packet in the 3-way handshake. .TP -\fB--cnscan\fR +\fB\-\-cnscan\fR Match if the connection was a TCP full open discovery (connect scan), i.e. the connection was torn down after completion of the 3-way handshake. .TP -\fB--grscan\fR +\fB\-\-grscan\fR Match if data in the connection only flew in the direction of the remote side, e.g. if the connection was terminated after a locally running daemon sent its identification. (E.g. openssh, smtp, ftpd.) This may falsely trigger on diff --git a/extensions/libxt_psd.man b/extensions/libxt_psd.man index b73fffc..25975fa 100644 --- a/extensions/libxt_psd.man +++ b/extensions/libxt_psd.man 
@@ -1,18 +1,18 @@ Attempt to detect TCP and UDP port scans. This match was derived from Solar Designer's scanlogd. .TP -.BI "--psd-weight-threshold " "threshold" +\fB\-\-psd\-weight\-threshold\fP \fIthreshold\fP Total weight of the latest TCP/UDP packets with different destination ports coming from the same host to be treated as port scan sequence. .TP -.BI "--psd-delay-threshold " "delay" +\fB\-\-psd\-delay\-threshold\fP \fIdelay\fP Delay (in hundredths of second) for the packets with different destination ports coming from the same host to be treated as possible port scan subsequence. .TP -.BI "--psd-lo-ports-weight " "weight" +\fB\-\-psd\-lo\-ports\-weight\fP \fIweight\fP Weight of the packet with privileged (<=1024) destination port. .TP -.BI "--psd-hi-ports-weight " "weight" +\fB\-\-psd\-hi\-ports\-weight\fP \fIweight\fP Weight of the packet with non-priviliged destination port. diff --git a/extensions/libxt_quota2.man b/extensions/libxt_quota2.man index e18c681..affa32f 100644 --- a/extensions/libxt_quota2.man +++ b/extensions/libxt_quota2.man 
@@ -7,25 +7,25 @@ When counting down from the initial quota, the counter will stop at 0 and the match will return false, just like the original "quota" match. In growing (upcounting) mode, it will always return true. .TP -\fB--grow\fP +\fB\-\-grow\fP Count upwards instead of downwards. .TP -\fB--name\fP \fIname\fP +\fB\-\-name\fP \fIname\fP Assign the counter a specific name. This option must be present, as an empty name is not allowed. Names starting with a dot or names containing a slash are prohibited. .TP -[\fB!\fP] \fB--quota\fP \fIiq\fP +[\fB!\fP] \fB\-\-quota\fP \fIiq\fP Specify the initial quota for this counter. If the counter already exists, it is not reset. An "!" may be used to invert the result of the match. The -negation has no effect when \fB--grow\fP is used. +negation has no effect when \fB\-\-grow\fP is used. .TP -\fB--packets\fP +\fB\-\-packets\fP Count packets instead of bytes that passed the quota2 match. .PP Because counters in quota2 can be shared, you can combine them for various purposes, for example, a bytebucket filter that only lets as much traffic go out as has come in: .PP --A INPUT -p tcp --dport 6881 -m quota --name bt --grow --A OUTPUT -p tcp --sport 6881 -m quota --name bt +\-A INPUT \-p tcp \-\-dport 6881 \-m quota \-\-name bt \-\-grow; +\-A OUTPUT \-p tcp \-\-sport 6881 \-m quota \-\-name bt;