Diffstat (limited to 'contrib/ipfilter/man')
-rw-r--r-- | contrib/ipfilter/man/ipf.5 | 7 | ||||
-rw-r--r-- | contrib/ipfilter/man/ipftest.1 | 18 | ||||
-rw-r--r-- | contrib/ipfilter/man/ipmon.8 | 10 | ||||
-rw-r--r-- | contrib/ipfilter/man/ipnat.5 | 3 | ||||
-rw-r--r-- | contrib/ipfilter/man/ipnat.8 | 6 |
5 files changed, 36 insertions, 8 deletions
diff --git a/contrib/ipfilter/man/ipf.5 b/contrib/ipfilter/man/ipf.5 index d6b6ac1..8bdaedc 100644 --- a/contrib/ipfilter/man/ipf.5 +++ b/contrib/ipfilter/man/ipf.5 @@ -57,8 +57,8 @@ port-range = "port" port-num range port-num . flags = "flags" flag { flag } [ "/" flag { flag } ] . with = "with" | "and" . icmp = "icmp-type" icmp-type [ "code" decnumber ] . -return-code = "("icmp-code")" . -keep = "keep" "state" | "keep" "frags" . +return-code = "(" icmp-code ")" . +keep = "keep" "state" [ "(" state-options ")" ] | "keep" "frags" . loglevel = facility"."priority | priority . nummask = host-name [ "/" decnumber ] . @@ -66,7 +66,10 @@ host-name = ipaddr | hostname | "any" . ipaddr = host-num "." host-num "." host-num "." host-num . host-num = digit [ digit [ digit ] ] . port-num = service-name | decnumber . +state-options = state-opts [ "," state-options ] . +state-opts = "age" decnumber [ "/" decnumber ] | "strict" | + "no-icmp-err" | "limit" decnumber | "newisn" | "sync" . withopt = [ "not" | "no" ] opttype [ withopt ] . opttype = "ipopts" | "short" | "frag" | "opt" optname . optname = ipopts [ "," optname ] . diff --git a/contrib/ipfilter/man/ipftest.1 b/contrib/ipfilter/man/ipftest.1 index df8320a..402195f 100644 --- a/contrib/ipfilter/man/ipftest.1 +++ b/contrib/ipfilter/man/ipftest.1 @@ -5,7 +5,7 @@ ipftest \- test packet filter rules with arbitrary input. .SH SYNOPSIS .B ipftest [ -.B \-6bdDoRvx +.B \-6bCdDoRvx ] [ .B \-F input-format @@ -28,6 +28,9 @@ interface .B \-r <filename> ] [ +.B \-S +<ip_address> +] [ .B \-T <optionlist> ] 
@@ -57,6 +60,11 @@ Cause the output to be a brief summary (one-word) of the result of passing the packet through the filter; either "pass", "block" or "nomatch". This is used in the regression testing. .TP +.B \-C +Force the checksums to be (re)calculated for all packets being input into +\fBipftest\fP. This may be necessary if pcap files from tcpdump are being +fed in where there are partial checksums present due to hardware offloading. +.TP .B \-d Turn on filter rule debugging. Currently, this only shows you what caused the rule to not match in the IP header checking (addresses/netmasks, etc). @@ -168,6 +176,14 @@ Specify the filename from which to read filter rules in \fBipf\fP(5) format. .B \-R Don't attempt to convert IP addresses to hostnames. .TP +.BR \-S \0<ip_address> +The IP address specifived with this option is used by ipftest to determine +whether a packet should be treated as "input" or "output". If the source +address in an IP packet matches then it is considered to be inbound. If it +does not match then it is considered to be outbound. This is primarily +for use with tcpdump (pcap) files where there is no in/out information +saved with each packet. +.TP .BR \-T \0<optionlist> This option simulates the run-time changing of IPFilter kernel variables available with the \fB\-T\fP option of \fBipf\fP. diff --git a/contrib/ipfilter/man/ipmon.8 b/contrib/ipfilter/man/ipmon.8 index 48b2a41..44ef53a 100644 --- a/contrib/ipfilter/man/ipmon.8 +++ b/contrib/ipfilter/man/ipmon.8 @@ -5,7 +5,7 @@ ipmon \- monitors /dev/ipl for logged packets .SH SYNOPSIS .B ipmon [ -.B \-abDFhnpstvxX +.B \-abBDFhnpstvxX ] [ .B "\-N <device>" ] [ @@ -72,6 +72,9 @@ unreachable message. In order for \fBipmon\fP to properly work, the kernel option \fBIPFILTER_LOG\fP must be turned on in your kernel. Please see \fBoptions(4)\fP for more details. +.LP +\fBipmon\fP reopns its log file(s) and rereads its configuration file +when it receives a SIGHUP signal. .SH OPTIONS .TP .B \-a 
@@ -82,6 +85,11 @@ are displayed to the same output 'device' (stderr or syslog). For rules which log the body of a packet, generate hex output representing the packet contents after the headers. .TP +.B \-B <binarylogfilename> +Enable logging of the raw, unformatted binary data to the specified +\fI<binarylogfilename>\fP file. This can be read, later, using \fBipmon\fP +with the \fB-f\fP option. +.TP .B \-D Cause ipmon to turn itself into a daemon. Using subshells or backgrounding of ipmon is not required to turn it into an orphan so it can run indefinitely. diff --git a/contrib/ipfilter/man/ipnat.5 b/contrib/ipfilter/man/ipnat.5 index 210f09a..6d3f9bc 100644 --- a/contrib/ipfilter/man/ipnat.5 +++ b/contrib/ipfilter/man/ipnat.5 @@ -12,9 +12,10 @@ ipmap :: = mapblock | redir | map . map ::= mapit ifname lhs "->" dstipmask [ mapicmp | mapport | mapproxy ] mapoptions . mapblock ::= "map-block" ifname lhs "->" ipmask [ ports ] mapoptions . -redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] rdrport rdroptions . +redir ::= "rdr" ifname rlhs "->" ip [ "," ip ] rdrport rdroptions . lhs ::= ipmask | fromto . +rlhs ::= ipmask dport | fromto . dport ::= "port" portnum [ "-" portnum ] . ports ::= "ports" numports | "auto" . rdrport ::= "port" portnum . diff --git a/contrib/ipfilter/man/ipnat.8 b/contrib/ipfilter/man/ipnat.8 index 87f2da5..192c1e7 100644 --- a/contrib/ipfilter/man/ipnat.8 +++ b/contrib/ipfilter/man/ipnat.8 @@ -35,7 +35,7 @@ enabled. .TP .B \-C delete all entries in the current NAT rule listing (NAT rules) - .TP +.TP .B \-d Enable printing of some extra debugging information. .TP 
@@ -54,10 +54,10 @@ This flag (no-change) prevents \fBipf\fP from actually making any ioctl calls or doing anything which would alter the currently running kernel. .TP .B \-r -Remove matching NAT rules rather than add them to the internal lists +Remove matching NAT rules rather than add them to the internal lists. .TP .B \-s -Retrieve and display NAT statistics +Retrieve and display NAT statistics. .TP .B \-v Turn verbose mode on. Displays information relating to rule processing |