anonfunc/xtables-addons
1
0
Fork 0
mirror of git://git.code.sf.net/p/xtables-addons/xtables-addons synced 2025-12-06 16:13:54 +01:00
Code Issues Releases Wiki Activity

doc: markup paragraphs

Browse Source
This commit is contained in:
Jan Engelhardt
2013-06-02 16:53:56 +02:00
parent fe7a30c746
commit e027089782
23 changed files with 48 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
extensions/libxt_CHAOS.man
View File

@@ -1,3 +1,4 @@
.PP
Causes confusion on the other end by doing odd things with incoming packets. Causes confusion on the other end by doing odd things with incoming packets.
CHAOS will randomly reply (or not) with one of its configurable subtargets: CHAOS will randomly reply (or not) with one of its configurable subtargets:
.TP .TP

1
extensions/libxt_DELUDE.man
View File

@@ -1,3 +1,4 @@
.PP
The DELUDE target will reply to a SYN packet with SYN-ACK, and to all other The DELUDE target will reply to a SYN packet with SYN-ACK, and to all other
packets with an RST. This will terminate the connection much like REJECT, but packets with an RST. This will terminate the connection much like REJECT, but
network scanners doing TCP half-open discovery can be spoofed to make them network scanners doing TCP half-open discovery can be spoofed to make them

1
extensions/libxt_DHCPMAC.man
View File

@@ -1,3 +1,4 @@
.PP
In conjunction with ebtables, DHCPMAC can be used to completely change all MAC In conjunction with ebtables, DHCPMAC can be used to completely change all MAC
addresses from and to a VMware-based virtual machine. This is needed because addresses from and to a VMware-based virtual machine. This is needed because
VMware does not allow to set a non-VMware MAC address before an operating VMware does not allow to set a non-VMware MAC address before an operating

51
extensions/libxt_DNETMAP.man
View File

@@ -1,16 +1,16 @@
.PP
The \fBDNETMAP\fR target allows dynamic two-way 1:1 mapping of IPv4 subnets. The \fBDNETMAP\fR target allows dynamic two-way 1:1 mapping of IPv4 subnets.
Single rule can map private subnet to shorter public subnet creating and Single rule can map private subnet to shorter public subnet creating and
maintaining unambigeous private-public ip bindings. Second rule can be used to maintaining unambigeous private-public ip bindings. Second rule can be used to
map new flows to private subnet according to maintained bindings. Target allows map new flows to private subnet according to maintained bindings. Target allows
efficient public IPv4 space usage and unambigeous NAT at the same time. efficient public IPv4 space usage and unambigeous NAT at the same time.
.PP
Target can be used only in \fBnat\fR table in \fBPOSTROUTING\fR or \fBOUTPUT\fR Target can be used only in \fBnat\fR table in \fBPOSTROUTING\fR or \fBOUTPUT\fR
chains for SNAT and in \fBPREROUTING\fR for DNAT. Only flows directed to bound chains for SNAT and in \fBPREROUTING\fR for DNAT. Only flows directed to bound
IPs will be DNATed. Packet continues chain traversal if there is no free IPs will be DNATed. Packet continues chain traversal if there is no free
postnat-ip to be assigned to prenat-ip. Default binding \fBttl\fR is \fI10 postnat-ip to be assigned to prenat-ip. Default binding \fBttl\fR is \fI10
minutes\fR and can be changed using \fBdefault_ttl\fR module option. Default ip minutes\fR and can be changed using \fBdefault_ttl\fR module option. Default ip
hash size is 256 and can be changed using \fBhash_size\fR module option. hash size is 256 and can be changed using \fBhash_size\fR module option.
.TP .TP
\fB\-\-prefix\fR \fIaddr\fR\fB/\fR\fImask\fR \fB\-\-prefix\fR \fIaddr\fR\fB/\fR\fImask\fR
Network subnet to map to. If not specified, all existing prefixes are used. Network subnet to map to. If not specified, all existing prefixes are used.
@@ -35,7 +35,7 @@ bindings ttl is kept unchanged. If not specified then default ttl value (600s)
is used. is used.
.PP .PP
\fB* /proc interface\fR \fB* /proc interface\fR
.PP
Module creates following entries for each new specified subnet: Module creates following entries for each new specified subnet:
.TP .TP
\fB/proc/net/xt_DNETMAP/\fR\fIsubnet\fR\fB_\fR\fImask\fR \fB/proc/net/xt_DNETMAP/\fR\fIsubnet\fR\fB_\fR\fImask\fR
@@ -80,71 +80,70 @@ and are available for dynamic bindings.
Note! Entries are removed if the last iptables rule for a specific prefix is Note! Entries are removed if the last iptables rule for a specific prefix is
deleted unless there's persistent flag set. deleted unless there's persistent flag set.
.PP .PP
\fB* Logging\fR \fB* Logging\fR
.PP
Module logs binding add/timeout events to klog. This behaviour can be disabled Module logs binding add/timeout events to klog. This behaviour can be disabled
using \fBdisable_log\fR module parameter. using \fBdisable_log\fR module parameter.
.PP
\fB* Examples\fR \fB* Examples\fR
.PP
\fB1.\fR Map subnet 192.168.0.0/24 to subnets 20.0.0.0/26. SNAT only: \fB1.\fR Map subnet 192.168.0.0/24 to subnets 20.0.0.0/26. SNAT only:
.PP
iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0.0.0/26 iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0.0.0/26
.PP
Active hosts from 192.168.0.0/24 subnet are mapped to 20.0.0.0/26. If packet Active hosts from 192.168.0.0/24 subnet are mapped to 20.0.0.0/26. If packet
from not yet bound prenat-ip hits the rule and there are no free or timed-out from not yet bound prenat-ip hits the rule and there are no free or timed-out
(ttl<0) entries in prefix 20.0.0.0/28, then notice is logged to klog and chain (ttl<0) entries in prefix 20.0.0.0/28, then notice is logged to klog and chain
traversal continues. If packet from already bound prenat-ip hits the rule, traversal continues. If packet from already bound prenat-ip hits the rule,
bindings ttl value is regenerated to default_ttl and SNAT is performed. bindings ttl value is regenerated to default_ttl and SNAT is performed.
.PP
\fB2.\fR Use of \fB\-\-reuse\fR and \fB\-\-ttl\fR switches, multiple rule \fB2.\fR Use of \fB\-\-reuse\fR and \fB\-\-ttl\fR switches, multiple rule
interaction: interaction:
.PP
iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix
20.0.0.0/26 \-\-reuse \-\-ttl 200 20.0.0.0/26 \-\-reuse \-\-ttl 200
.PP
iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 30.0.0.0/26 iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 30.0.0.0/26
.PP
Active hosts from 192.168.0.0/24 subnet are mapped to 20.0.0.0/26 with ttl = Active hosts from 192.168.0.0/24 subnet are mapped to 20.0.0.0/26 with ttl =
200 seconds. If there are no free addresses in first prefix the next one 200 seconds. If there are no free addresses in first prefix the next one
(30.0.0.0/26) is used with default ttl. It's important to note that the first (30.0.0.0/26) is used with default ttl. It's important to note that the first
rule SNATs all flows whose source IP is already actively (ttl>0) bound to ANY rule SNATs all flows whose source IP is already actively (ttl>0) bound to ANY
prefix. Parameter \fB\-\-reuse\fR makes this functionality work even for prefix. Parameter \fB\-\-reuse\fR makes this functionality work even for
inactive (ttl<0) entries. inactive (ttl<0) entries.
.PP
If both subnets are exhaused, then chain traversal continues. If both subnets are exhaused, then chain traversal continues.
.PP
\fB3.\fR Map 192.168.0.0/24 to subnets 20.0.0.0/26 bidirectional way: \fB3.\fR Map 192.168.0.0/24 to subnets 20.0.0.0/26 bidirectional way:
.PP
iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0.0.0/26 iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0.0.0/26
.PP
iptables \-t nat \-A PREROUTING \-j DNETMAP iptables \-t nat \-A PREROUTING \-j DNETMAP
.PP
If host 192.168.0.10 generates some traffic, it gets bound to first free IP in If host 192.168.0.10 generates some traffic, it gets bound to first free IP in
subnet - 20.0.0.0. Now any traffic directed to 20.0.0.0 gets DNATed to subnet - 20.0.0.0. Now any traffic directed to 20.0.0.0 gets DNATed to
192.168.0.10 as long as there's an active (ttl>0) binding. There's no need to 192.168.0.10 as long as there's an active (ttl>0) binding. There's no need to
specify \fB\-\-prefix\fR parameter in PREROUTING rule, because this way it DNATs specify \fB\-\-prefix\fR parameter in PREROUTING rule, because this way it DNATs
traffic to all active prefixes. You could specify prefix it you'd like to make traffic to all active prefixes. You could specify prefix it you'd like to make
DNAT work for specific prefix only. DNAT work for specific prefix only.
.PP
\fB4.\fR Map 192.168.0.0/24 to subnets 20.0.0.0/26 with static assignments only: \fB4.\fR Map 192.168.0.0/24 to subnets 20.0.0.0/26 with static assignments only:
.PP
iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0.0.0/26 iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0.0.0/26
\-\-static \-\-static
.PP
echo "+192.168.0.10:20.0.0.1" > /proc/net/xt_DNETMAP/20.0.0.0_26 echo "+192.168.0.10:20.0.0.1" > /proc/net/xt_DNETMAP/20.0.0.0_26
.br .br
echo "+192.168.0.11:20.0.0.2" > /proc/net/xt_DNETMAP/20.0.0.0_26 echo "+192.168.0.11:20.0.0.2" > /proc/net/xt_DNETMAP/20.0.0.0_26
.br .br
echo "+192.168.0.51:20.0.0.3" > /proc/net/xt_DNETMAP/20.0.0.0_26 echo "+192.168.0.51:20.0.0.3" > /proc/net/xt_DNETMAP/20.0.0.0_26
.PP
This configuration will allow only preconfigured static bindings to work due to This configuration will allow only preconfigured static bindings to work due to
\fBstatic\fR rule option. Without this flag dynamic bindings would be created \fBstatic\fR rule option. Without this flag dynamic bindings would be created
using non-static entries. using non-static entries.
.PP
\fB5.\fR Persistent prefix: \fB5.\fR Persistent prefix:
.PP
iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0.0.0/26 iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0.0.0/26
\-\-persistent \-\-persistent
.br .br
@@ -153,13 +152,13 @@ iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0.
iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0.0.0/26 iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0.0.0/26
.br .br
echo "+persistent" > /proc/net/xt_DNETMAP/20.0.0.0_26 echo "+persistent" > /proc/net/xt_DNETMAP/20.0.0.0_26
.PP
Now we can check persistent flag of the prefix: Now we can check persistent flag of the prefix:
.br .br
cat /proc/net/xt_DNETMAP/20.0.0.0_26 cat /proc/net/xt_DNETMAP/20.0.0.0_26
.br .br
0 0 64 0 \fBpersistent\fR 0 0 64 0 \fBpersistent\fR
.PP
Flush iptables nat table and see that prefix is still in existence: Flush iptables nat table and see that prefix is still in existence:
.br .br
iptables \-F \-t nat iptables \-F \-t nat

1
extensions/libxt_ECHO.man
View File

@@ -1,3 +1,4 @@
.PP
The \fBECHO\fP target will send back all packets it received. It serves as an The \fBECHO\fP target will send back all packets it received. It serves as an
examples for an Xtables target. examples for an Xtables target.
.PP .PP

3
extensions/libxt_IPMARK.man
View File

@@ -1,7 +1,8 @@
.PP
Allows you to mark a received packet basing on its IP address. This Allows you to mark a received packet basing on its IP address. This
can replace many mangle/mark entries with only one, if you use can replace many mangle/mark entries with only one, if you use
firewall based classifier. firewall based classifier.
.PP
This target is to be used inside the \fBmangle\fP table. This target is to be used inside the \fBmangle\fP table.
.TP .TP
\fB\-\-addr\fP {\fBsrc\fP|\fBdst\fP} \fB\-\-addr\fP {\fBsrc\fP|\fBdst\fP}

1
extensions/libxt_LOGMARK.man
View File

@@ -1,3 +1,4 @@
.PP
The LOGMARK target will log packet and connection marks to syslog. The LOGMARK target will log packet and connection marks to syslog.
.TP .TP
\fB\-\-log\-level\fR \fIlevel\fR \fB\-\-log\-level\fR \fIlevel\fR

1
extensions/libxt_RAWDNAT.man
View File

@@ -1,3 +1,4 @@
.PP
The \fBRAWDNAT\fR target will rewrite the destination address in the IP header, The \fBRAWDNAT\fR target will rewrite the destination address in the IP header,
much like the \fBNETMAP\fR target. much like the \fBNETMAP\fR target.
.TP .TP

1
extensions/libxt_RAWSNAT.man
View File

@@ -1,3 +1,4 @@
.PP
The \fBRAWSNAT\fR and \fBRAWDNAT\fP targets provide stateless network address The \fBRAWSNAT\fR and \fBRAWDNAT\fP targets provide stateless network address
translation. translation.
.PP .PP

1
extensions/libxt_STEAL.man
View File

@@ -1,2 +1,3 @@
.PP
Like the DROP target, but does not throw an error like DROP when used in the Like the DROP target, but does not throw an error like DROP when used in the
\fBOUTPUT\fP chain. \fBOUTPUT\fP chain.

1
extensions/libxt_SYSRQ.man
View File

@@ -1,3 +1,4 @@
.PP
The SYSRQ target allows to remotely trigger sysrq on the local machine over the The SYSRQ target allows to remotely trigger sysrq on the local machine over the
network. This can be useful when vital parts of the machine hang, for example network. This can be useful when vital parts of the machine hang, for example
an oops in a filesystem causing locks to be not released and processes to get an oops in a filesystem causing locks to be not released and processes to get

1
extensions/libxt_TARPIT.man
View File

@@ -1,3 +1,4 @@
.PP
Captures and holds incoming TCP connections using no local per-connection Captures and holds incoming TCP connections using no local per-connection
resources. resources.
.PP .PP

1
extensions/libxt_condition.man
View File

@@ -1,3 +1,4 @@
.PP
This matches if a specific condition variable is (un)set. This matches if a specific condition variable is (un)set.
.TP .TP
[\fB!\fP] \fB\-\-condition\fP \fIname\fP [\fB!\fP] \fB\-\-condition\fP \fIname\fP

1
extensions/libxt_fuzzy.man
View File

@@ -1,3 +1,4 @@
.PP
This module matches a rate limit based on a fuzzy logic controller (FLC). This module matches a rate limit based on a fuzzy logic controller (FLC).
.TP .TP
\fB\-\-lower\-limit\fP \fInumber\fP \fB\-\-lower\-limit\fP \fInumber\fP

1
extensions/libxt_geoip.man
View File

@@ -1,3 +1,4 @@
.PP
Match a packet by its source or destination country. Match a packet by its source or destination country.
.TP .TP
[\fB!\fP] \fB\-\-src\-cc\fP, \fB\-\-source\-country\fP \fIcountry\fP[\fB,\fP\fIcountry\fP\fB...\fP] [\fB!\fP] \fB\-\-src\-cc\fP, \fB\-\-source\-country\fP \fIcountry\fP[\fB,\fP\fIcountry\fP\fB...\fP]

1
extensions/libxt_gradm.man
View File

@@ -1,3 +1,4 @@
.PP
This module matches packets based on grsecurity RBAC status. This module matches packets based on grsecurity RBAC status.
.TP .TP
[\fB!\fP] \fB\-\-enabled\fP [\fB!\fP] \fB\-\-enabled\fP

1
extensions/libxt_iface.man
View File

@@ -1,3 +1,4 @@
.PP
Allows you to check interface states. First, an interface needs to be selected Allows you to check interface states. First, an interface needs to be selected
for comparison. Exactly one option of the following three must be specified: for comparison. Exactly one option of the following three must be specified:
.TP .TP

1
extensions/libxt_ipp2p.man
View File

@@ -1,3 +1,4 @@
.PP
This module matches certain packets in P2P flows. It is not This module matches certain packets in P2P flows. It is not
designed to match all packets belonging to a P2P connection \(em designed to match all packets belonging to a P2P connection \(em
use IPP2P together with CONNMARK for this purpose. use IPP2P together with CONNMARK for this purpose.

1
extensions/libxt_ipv4options.man
View File

@@ -1,3 +1,4 @@
.PP
The "ipv4options" module allows to match against a set of IPv4 header options. The "ipv4options" module allows to match against a set of IPv4 header options.
.TP .TP
\fB\-\-flags\fP [\fB!\fP]\fIsymbol\fP[\fB,\fP[\fB!\fP]\fIsymbol...\fP] \fB\-\-flags\fP [\fB!\fP]\fIsymbol\fP[\fB,\fP[\fB!\fP]\fIsymbol...\fP]

1
extensions/libxt_length2.man
View File

@@ -1,3 +1,4 @@
.PP
This module matches the length of a packet against a specific value or range of This module matches the length of a packet against a specific value or range of
values. values.
.TP .TP

1
extensions/libxt_lscan.man
View File

@@ -1,3 +1,4 @@
.PP
Detects simple low-level scan attempts based upon the packet's contents. Detects simple low-level scan attempts based upon the packet's contents.
(This is (This is
different from other implementations, which also try to match the rate of new different from other implementations, which also try to match the rate of new

1
extensions/libxt_psd.man
View File

@@ -1,3 +1,4 @@
.PP
Attempt to detect TCP and UDP port scans. This match was derived from Attempt to detect TCP and UDP port scans. This match was derived from
Solar Designer's scanlogd. Solar Designer's scanlogd.
.TP .TP

1
extensions/libxt_quota2.man
View File

@@ -1,3 +1,4 @@
.PP
The "quota2" implements a named counter which can be increased or decreased The "quota2" implements a named counter which can be increased or decreased
on a per-match basis. Available modes are packet counting or byte counting. on a per-match basis. Available modes are packet counting or byte counting.
The value of the counter can be read and reset through procfs, thereby making The value of the counter can be read and reset through procfs, thereby making