author darrenr <darrenr@FreeBSD.org> 2003-02-15 06:27:40 +0000
committer darrenr <darrenr@FreeBSD.org> 2003-02-15 06:27:40 +0000
commit bb1b56a0d0298883a2ab7c9a86a66dedb7a42c0b
tree 29f4be4986706d6bd410350a9d79520c171b297f /contrib/ipfilter/man
parent 3aab5fb9fd5d3200009207f552a48b8100b853b2
Import userland tools for IPFilter 3.4.31 into -current
Diffstat (limited to 'contrib/ipfilter/man')
-rw-r--r-- contrib/ipfilter/man/ipf.4 | 2
-rw-r--r-- contrib/ipfilter/man/ipf.5 | 2
-rw-r--r-- contrib/ipfilter/man/ipf.8 | 2
-rw-r--r-- contrib/ipfilter/man/ipfs.8 | 4
-rw-r--r-- contrib/ipfilter/man/ipfstat.8 | 4
-rw-r--r-- contrib/ipfilter/man/ipftest.1 | 8
-rw-r--r-- contrib/ipfilter/man/ipmon.8 | 4
-rw-r--r-- contrib/ipfilter/man/ipnat.5 | 39
-rw-r--r-- contrib/ipfilter/man/ipnat.8 | 2
9 files changed, 50 insertions, 17 deletions
diff --git a/contrib/ipfilter/man/ipf.4 b/contrib/ipfilter/man/ipf.4
index 1bd1503..7d6436a 100644
--- a/contrib/ipfilter/man/ipf.4
+++ b/contrib/ipfilter/man/ipf.4
@@ -162,7 +162,7 @@ and FR_OUTQUE (see above). This ioctl is also implemented for
or just all those which are not established if passed 1.
.IP "\fBGeneral Logging Flags\fP" 0
-There are two flags which can be set to log packets independantly of the
+There are two flags which can be set to log packets independently of the
rules used. These allow for packets which are either passed or blocked
to be logged. To set (and clear)/get these flags, two ioctls are
provided:
diff --git a/contrib/ipfilter/man/ipf.5 b/contrib/ipfilter/man/ipf.5
index c359703..8c7dac0 100644
--- a/contrib/ipfilter/man/ipf.5
+++ b/contrib/ipfilter/man/ipf.5
@@ -61,7 +61,7 @@ host-num = digit [ digit [ digit ] ] .
port-num = service-name | decnumber .
withopt = [ "not" | "no" ] opttype [ withopt ] .
-opttype = "ipopts" | "short" | "frag" | "opt" ipopts .
+opttype = "ipopts" | "short" | "frag" | "opt" optname .
optname = ipopts [ "," optname ] .
ipopts = optlist | "sec-class" [ secname ] .
secname = seclvl [ "," secname ] .
diff --git a/contrib/ipfilter/man/ipf.8 b/contrib/ipfilter/man/ipf.8
index ea92e80..8688566 100644
--- a/contrib/ipfilter/man/ipf.8
+++ b/contrib/ipfilter/man/ipf.8
@@ -55,7 +55,7 @@ the order on the command line being that used to execute options.
.TP
.BR \-F \0<s|S>
To flush entries from the state table, the \fB-F\fP option is used in
-conjuction with either "s" (removes state information about any non-fully
+conjunction with either "s" (removes state information about any non-fully
established connections) or "S" (deletes the entire state table). Only
one of the two options may be given. A fully established connection
will show up in \fBipfstat -s\fP output as 4/4, with deviations either
diff --git a/contrib/ipfilter/man/ipfs.8 b/contrib/ipfilter/man/ipfs.8
index 04b8863..b07935a 100644
--- a/contrib/ipfilter/man/ipfs.8
+++ b/contrib/ipfilter/man/ipfs.8
@@ -80,12 +80,12 @@ Lock state tables in the kernel.
.B \-r
Read information in from the specified file and load it into the
kernel. This requires the state tables to have already been locked
-and does not change the lock once comlete.
+and does not change the lock once complete.
.TP
.B \-w
Write information out to the specified file and from the kernel.
This requires the state tables to have already been locked
-and does not change the lock once comlete.
+and does not change the lock once complete.
.TP
.B \-R
Restores all saved state information, if any, from two files,
diff --git a/contrib/ipfilter/man/ipfstat.8 b/contrib/ipfilter/man/ipfstat.8
index a5909d0..f641d59 100644
--- a/contrib/ipfilter/man/ipfstat.8
+++ b/contrib/ipfilter/man/ipfstat.8
@@ -122,7 +122,7 @@ be used while ipfstat is in top mode.
.BR \-T \0<refreshtime>
This option is only valid in combination with \fB\-t\fP. Specifies how often
the state top display should be updated. The refresh time is the number of
-seconds between an update. Any postive integer can be used. The default (and
+seconds between an update. Any positive integer can be used. The default (and
minimal update time) is 1.
.TP
.B \-v
@@ -162,7 +162,7 @@ the number of bytes. States are sorted in descending order, but you can use
the \fBr\fP key to sort them in ascending order.
.SH STATE TOP LIMITATIONS
It is currently not possible to interactively change the source, destination
-and protocol filters or the refreh frequency. This must be done from the
+and protocol filters or the refresh frequency. This must be done from the
command line.
.PP
The screen must have at least 80 columns. This is however not checked.
diff --git a/contrib/ipfilter/man/ipftest.1 b/contrib/ipfilter/man/ipftest.1
index 9f7f2e3..e7cc13a 100644
--- a/contrib/ipfilter/man/ipftest.1
+++ b/contrib/ipfilter/man/ipftest.1
@@ -14,6 +14,9 @@ interface
[
.B \-i
<filename>
+] [
+.B \-s
+<ipaddress>
]
.SH DESCRIPTION
.PP
@@ -128,6 +131,11 @@ Specify the filename from which to take input. Default is stdin.
.TP
.BR \-r \0<filename>
Specify the filename from which to read filter rules.
+.TP
+.BR \-s \0<ipaddress>
+Where the input format is incapable of telling \fBipftest\fP whther a packet is
+going in or out, setting this option to an IP address results in the direction
+being set to out if the source matches or in if the destination matches.
.SH SEE ALSO
ipf(5), ipf(8), snoop(1m), tcpdump(8), etherfind(8c)
.SH BUGS
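Review bot: The new \-s description misspells "whether" as "whther" in its first line. It also leaves two cases undefined: a packet where neither the source nor the destination equals the given address, and a packet where both do. State which direction is assigned in each case, since a wrong direction in a rule test silently changes which rules are evaluated.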
diff --git a/contrib/ipfilter/man/ipmon.8 b/contrib/ipfilter/man/ipmon.8
index 0030c74..6a40802 100644
--- a/contrib/ipfilter/man/ipmon.8
+++ b/contrib/ipfilter/man/ipmon.8
@@ -54,7 +54,7 @@ setting, not a particular rule.
.LP
6. The addresses.
This is actually three fields: the source address and port
-(separted by a comma), the \fB->\fP symbol, and the destination address
+(separated by a comma), the \fB->\fP symbol, and the destination address
and port. E.g.: \fB209.53.17.22,80 -> 198.73.220.17,1722\fP.
.LP
7. \fBPR\fP followed by the protocol name or number, e.g., \fBPR tcp\fP.
@@ -110,7 +110,7 @@ equivalent to using \fB-o NSI\fP.
.TP
.B \-O
Specify which log files you do not wish to read from. This is most sensibly
-used with the \fB-a\fP. Letters available as paramters to this are the same
+used with the \fB-a\fP. Letters available as parameters to this are the same
as for \fB-o\fP.
.TP
.B \-p
diff --git a/contrib/ipfilter/man/ipnat.5 b/contrib/ipfilter/man/ipnat.5
index f0a4ac9..fe45464 100644
--- a/contrib/ipfilter/man/ipnat.5
+++ b/contrib/ipfilter/man/ipnat.5
@@ -7,10 +7,10 @@ The format for files accepted by ipnat is described by the following grammar:
.nf
ipmap :: = mapblock | redir | map .
-map ::= mapit ifname ipmask "->" dstipmask [ mapport ] .
-map ::= mapit ifname fromto "->" dstipmask [ mapport ] .
-mapblock ::= "map-block" ifname ipmask "->" ipmask [ ports ] .
-redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] rdrport options .
+map ::= mapit ifname ipmask "->" dstipmask [ mapport ] mapoptions.
+map ::= mapit ifname fromto "->" dstipmask [ mapport ] mapoptions.
+mapblock ::= "map-block" ifname ipmask "->" ipmask [ ports ] mapoptions.
+redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] rdrport rdroptions .
dport ::= "port" portnum [ "-" portnum ] .
ports ::= "ports" numports | "auto" .
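Review bot: The three rewritten map and map-block productions end in "mapoptions." with no space before the terminating period, while the redir line in the same hunk ends in "rdroptions ." and the surrounding productions also separate the terminator with a space. Add the space so the period is not read as part of the nonterminal name. The untouched first line still uses ":: =" where the changed lines use "::=", which could be normalised in the same pass.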
@@ -20,7 +20,8 @@ fromto ::= "from" object "to" object .
ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask .
dstipmask ::= ipmask | "range" ip "-" ip .
mapport ::= "portmap" tcpudp portspec .
-options ::= [ tcpudp ] [ rr ] .
+mapoptions ::= [ tcpudp ] [ "frag" ] [ age ] [ clamp ] .
+rdroptions ::= [ tcpudp ] [ rr ] [ "frag" ] [ age ] [ clamp ] .
object :: = addr [ port-comp | port-range ] .
addr :: = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
@@ -28,8 +29,12 @@ port-comp :: = "port" compare port-num .
port-range :: = "port" port-num range port-num .
rr ::= "round-robin" .
-nummask = host-name [ "/" decnumber ] .
-tcpudp ::= "tcp" | "udp" | "tcp/udp" .
+age ::= "age" decnumber [ "/" decnumber ] .
+clamp ::= "mssclamp" decnumber .
+tcpudp ::= "tcp/udp" | protocol .
+
+protocol ::= protocol-name | decnumber .
+nummask ::= host-name [ "/" decnumber ] .
portspec ::= "auto" | portnumber ":" portnumber .
portnumber ::= number { numbers } .
ifname ::= 'A' - 'Z' { 'A' - 'Z' } numbers .
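Review bot: After this change tcpudp expands to "tcp/udp" | protocol, so the nonterminal accepts any protocol name or number and its name no longer describes what it matches; renaming it (for example to proto) would make mapoptions and rdroptions easier to read. The new protocol production refers to protocol-name, which has no production in the lines shown; define it or note that it is a name from /etc/protocols. The nummask line is corrected to "::=", but the neighbouring port-comp and port-range lines keep ":: =".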
@@ -107,6 +112,26 @@ rule. Such a rule might look like the following:
.PP
Only IP address and port numbers can be compared against. This is available
with all NAT rules.
+.SH COMMAND QUALIFIERS
+At the end of each rule, a number of qualifiers can be used to change how
+the rule works. They are as follows:
+.TP
+protocol
+A specific protocol may be given either by its name (as found in
+/etc/protocols) or its number. A special case for supporting both
+TCP and UDP is allowed with the name \fBtcp/udp\fP.
+.TP
+.B round-robin
+Once a rule with this term has been successfully used, it is put at the
+bottom of the list of those available so that each one will get used, in
+turn, in a list of matching left hand sides.
+.TP
+.B frag
+This qualifier is currently has no impact on NAT operation.
+.TP
+.B age
+If more refined timeouts are required than those available globally for
+NAT settings, this allows you to set them for \fBnon-TCP\fP use.
.SH TRANSLATION
.PP
To the right of the "->" is the address and port specificaton which will be
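Review bot: In the frag entry, "This qualifier is currently has no impact" carries a stray "is" and should read "This qualifier currently has no impact". The new section documents protocol, round-robin, frag and age but has no entry for mssclamp, although the grammar in this same file now includes clamp ::= "mssclamp" decnumber. The age entry should also say what the two numbers in "age" decnumber [ "/" decnumber ] mean and their unit, and the protocol entry lacks the .B markup the other entries use.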
diff --git a/contrib/ipfilter/man/ipnat.8 b/contrib/ipfilter/man/ipnat.8
index 760e0af..3b365ed 100644
--- a/contrib/ipfilter/man/ipnat.8
+++ b/contrib/ipfilter/man/ipnat.8
@@ -29,7 +29,7 @@ active NAT mappings)
Show the list of current NAT table entry mappings.
.TP
.B \-n
-This flag (no-change) prevents \fBipf\fP from actually making any ioctl
+This flag (no-change) prevents \fBipnat\fP from actually making any ioctl
calls or doing anything which would alter the currently running kernel.
.TP
.B \-s