From patchwork Tue Oct 24 13:19:14 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Engelhardt X-Patchwork-Id: 1854395 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2620:137:e000::1:20; helo=out1.vger.email; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by legolas.ozlabs.org (Postfix) with ESMTP id 4SFCMP4yB0z23kh for ; Wed, 25 Oct 2023 00:19:29 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234283AbjJXNT2 (ORCPT ); Tue, 24 Oct 2023 09:19:28 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36858 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234374AbjJXNT0 (ORCPT ); Tue, 24 Oct 2023 09:19:26 -0400 Received: from a3.inai.de (a3.inai.de [IPv6:2a01:4f8:10b:45d8::f5]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A4EA510E for ; Tue, 24 Oct 2023 06:19:21 -0700 (PDT) Received: by a3.inai.de (Postfix, from userid 65534) id E082C587850F1; Tue, 24 Oct 2023 15:19:19 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 Received: from a4.inai.de (a4.inai.de [IPv6:2a01:4f8:10b:45d8::f8]) by a3.inai.de (Postfix) with ESMTP id 5D20558740D54 for ; Tue, 24 Oct 2023 15:19:19 +0200 (CEST) From: Jan Engelhardt To: netfilter-devel@vger.kernel.org Subject: [PATCH 1/6] man: encode minushyphen the way groff/man requires it Date: Tue, 24 Oct 2023 15:19:14 +0200 Message-ID: <20231024131919.28665-1-jengelh@inai.de> X-Mailer: git-send-email 2.42.0 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Sparked by a recent LWN article[1], I made a sweep over the iptables manpages for incorrectly encoded dashes. If the output is supposed to be a U+002D character (which is the case for options and everything that is going to be copy-and-pasted), \- must be used. [1] https://lwn.net/Articles/947941/ (paywalled until about 2023-11-06) --- extensions/libip6t_DNPT.man | 2 +- extensions/libip6t_REJECT.man | 7 ++++--- extensions/libip6t_SNPT.man | 2 +- extensions/libipt_REJECT.man | 7 ++++--- extensions/libxt_CT.man | 4 ++-- extensions/libxt_HMARK.man | 2 +- extensions/libxt_LED.man | 4 ++-- extensions/libxt_MASQUERADE.man | 4 ++-- extensions/libxt_NFLOG.man | 2 +- extensions/libxt_NFQUEUE.man | 9 +++++---- extensions/libxt_SET.man | 2 +- extensions/libxt_SNAT.man | 2 +- extensions/libxt_SYNPROXY.man | 2 +- extensions/libxt_TRACE.man | 4 ++-- extensions/libxt_bpf.man | 8 ++++---- extensions/libxt_cgroup.man | 2 +- extensions/libxt_cluster.man | 8 ++++---- extensions/libxt_connlabel.man | 10 +++++----- extensions/libxt_connlimit.man | 2 +- extensions/libxt_hashlimit.man | 4 ++-- extensions/libxt_nfacct.man | 2 +- extensions/libxt_osf.man | 4 ++-- extensions/libxt_owner.man | 2 +- extensions/libxt_socket.man | 2 +- 24 files changed, 50 insertions(+), 47 deletions(-) diff --git a/extensions/libip6t_DNPT.man b/extensions/libip6t_DNPT.man index 9b060f5b..a9c06700 100644 --- a/extensions/libip6t_DNPT.man +++ b/extensions/libip6t_DNPT.man @@ -19,7 +19,7 @@ ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 \! \-o vboxnet0 \-j SNPT \-\-src-pfx fd00::/64 \-\-dst-pfx 2001:e20:2000:40f::/64 .IP ip6tables \-t mangle \-I PREROUTING \-i wlan0 \-d 2001:e20:2000:40f::/64 -\-j DNPT \-\-src-pfx 2001:e20:2000:40f::/64 \-\-dst-pfx fd00::/64 +\-j DNPT \-\-src-pfx 2001:e20:2000:40f::/64 \-\-dst\-pfx fd00::/64 .PP You may need to enable IPv6 neighbor proxy: .IP diff --git a/extensions/libip6t_REJECT.man b/extensions/libip6t_REJECT.man index 3c42768e..e68d6f03 100644 --- a/extensions/libip6t_REJECT.man +++ b/extensions/libip6t_REJECT.man @@ -44,9 +44,10 @@ response for a packet so classed would then terminate the healthy connection. .PP So, instead of: .PP --A INPUT ... -j REJECT +\-A INPUT ... \-j REJECT .PP do consider using: .PP --A INPUT ... -m conntrack --ctstate INVALID -j DROP --A INPUT ... -j REJECT +\-A INPUT ... \-m conntrack \-\-ctstate INVALID \-j DROP +.br +\-A INPUT ... \-j REJECT diff --git a/extensions/libip6t_SNPT.man b/extensions/libip6t_SNPT.man index 97e0071b..1185d9c0 100644 --- a/extensions/libip6t_SNPT.man +++ b/extensions/libip6t_SNPT.man @@ -19,7 +19,7 @@ ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 \! \-o vboxnet0 \-j SNPT \-\-src-pfx fd00::/64 \-\-dst-pfx 2001:e20:2000:40f::/64 .IP ip6tables \-t mangle \-I PREROUTING \-i wlan0 \-d 2001:e20:2000:40f::/64 -\-j DNPT \-\-src-pfx 2001:e20:2000:40f::/64 \-\-dst-pfx fd00::/64 +\-j DNPT \-\-src-pfx 2001:e20:2000:40f::/64 \-\-dst\-pfx fd00::/64 .PP You may need to enable IPv6 neighbor proxy: .IP diff --git a/extensions/libipt_REJECT.man b/extensions/libipt_REJECT.man index cc47aead..a7196cdc 100644 --- a/extensions/libipt_REJECT.man +++ b/extensions/libipt_REJECT.man @@ -44,9 +44,10 @@ response for a packet so classed would then terminate the healthy connection. .PP So, instead of: .PP --A INPUT ... -j REJECT +\-A INPUT ... \-j REJECT .PP do consider using: .PP --A INPUT ... -m conntrack --ctstate INVALID -j DROP --A INPUT ... -j REJECT +\-A INPUT ... \-m conntrack \-\-ctstate INVALID \-j DROP +.br +\-A INPUT ... \-j REJECT diff --git a/extensions/libxt_CT.man b/extensions/libxt_CT.man index fc692f9a..7523ead4 100644 --- a/extensions/libxt_CT.man +++ b/extensions/libxt_CT.man @@ -20,12 +20,12 @@ the ctmark, not nfmark), \fBnatseqinfo\fP, \fBsecmark\fP (ctsecmark). Only generate the specified expectation events for this connection. Possible event types are: \fBnew\fP. .TP -\fB\-\-zone-orig\fP {\fIid\fP|\fBmark\fP} +\fB\-\-zone\-orig\fP {\fIid\fP|\fBmark\fP} For traffic coming from ORIGINAL direction, assign this packet to zone \fIid\fP and only have lookups done in that zone. If \fBmark\fP is used instead of \fIid\fP, the zone is derived from the packet nfmark. .TP -\fB\-\-zone-reply\fP {\fIid\fP|\fBmark\fP} +\fB\-\-zone\-reply\fP {\fIid\fP|\fBmark\fP} For traffic coming from REPLY direction, assign this packet to zone \fIid\fP and only have lookups done in that zone. If \fBmark\fP is used instead of \fIid\fP, the zone is derived from the packet nfmark. diff --git a/extensions/libxt_HMARK.man b/extensions/libxt_HMARK.man index cd7ffd54..63d18cb5 100644 --- a/extensions/libxt_HMARK.man +++ b/extensions/libxt_HMARK.man @@ -53,7 +53,7 @@ A 32 bit random custom value to feed hash calculation. \fIExamples:\fP .PP iptables \-t mangle \-A PREROUTING \-m conntrack \-\-ctstate NEW - \-j HMARK \-\-hmark-tuple ct,src,dst,proto \-\-hmark-offset 10000 + \-j HMARK \-\-hmark-tuple ct,src,dst,proto \-\-hmark\-offset 10000 \-\-hmark\-mod 10 \-\-hmark\-rnd 0xfeedcafe .PP iptables \-t mangle \-A PREROUTING \-j HMARK \-\-hmark\-offset 10000 diff --git a/extensions/libxt_LED.man b/extensions/libxt_LED.man index 81c2f296..d92fd940 100644 --- a/extensions/libxt_LED.man +++ b/extensions/libxt_LED.man @@ -6,9 +6,9 @@ the trigger behavior: .TP \fB\-\-led\-trigger\-id\fP \fIname\fP This is the name given to the LED trigger. The actual name of the trigger -will be prefixed with "netfilter-". +will be prefixed with "netfilter\-". .TP -\fB\-\-led-delay\fP \fIms\fP +\fB\-\-led\-delay\fP \fIms\fP This indicates how long (in milliseconds) the LED should be left illuminated when a packet arrives before being switched off again. The default is 0 (blink as fast as possible.) The special value \fIinf\fP can be given to diff --git a/extensions/libxt_MASQUERADE.man b/extensions/libxt_MASQUERADE.man index 26d91ddb..e2009086 100644 --- a/extensions/libxt_MASQUERADE.man +++ b/extensions/libxt_MASQUERADE.man @@ -21,9 +21,9 @@ if the rule also specifies one of the following protocols: .TP \fB\-\-random\fP Randomize source port mapping (kernel >= 2.6.21). -Since kernel 5.0, \fB\-\-random\fP is identical to \fB\-\-random-fully\fP. +Since kernel 5.0, \fB\-\-random\fP is identical to \fB\-\-random\-fully\fP. .TP -\fB\-\-random-fully\fP +\fB\-\-random\-fully\fP Fully randomize source port mapping (kernel >= 3.13). .TP IPv6 support available since Linux kernels >= 3.7. diff --git a/extensions/libxt_NFLOG.man b/extensions/libxt_NFLOG.man index 318e6305..99f1b66d 100644 --- a/extensions/libxt_NFLOG.man +++ b/extensions/libxt_NFLOG.man @@ -17,7 +17,7 @@ A prefix string to include in the log message, up to 64 characters long, useful for distinguishing messages in the logs. .TP \fB\-\-nflog\-range\fP \fIsize\fP -This option has never worked, use --nflog-size instead +This option has never worked, use \-\-nflog\-size instead .TP \fB\-\-nflog\-size\fP \fIsize\fP The number of bytes to be copied to userspace (only applicable for diff --git a/extensions/libxt_NFQUEUE.man b/extensions/libxt_NFQUEUE.man index 950b0d24..5126609d 100644 --- a/extensions/libxt_NFQUEUE.man +++ b/extensions/libxt_NFQUEUE.man @@ -6,7 +6,8 @@ reinject the packet into the kernel. Please see libnetfilter_queue for details. .B nfnetlink_queue -was added in Linux 2.6.14. The \fBqueue-balance\fP option was added in Linux 2.6.31, +was added in Linux 2.6.14. The \fBqueue\-balance\fP option was added in Linux +2.6.31, \fBqueue-bypass\fP in 2.6.39. .TP \fB\-\-queue\-num\fP \fIvalue\fP @@ -28,8 +29,8 @@ are dropped. When this option is used, the NFQUEUE rule behaves like ACCEPT ins will move on to the next table. .PP .TP -\fB\-\-queue\-cpu-fanout\fP +\fB\-\-queue\-cpu\-fanout\fP Available starting Linux kernel 3.10. When used together with -\fB--queue-balance\fP this will use the CPU ID as an index to map packets to +\fB\-\-queue\-balance\fP this will use the CPU ID as an index to map packets to the queues. The idea is that you can improve performance if there's a queue -per CPU. This requires \fB--queue-balance\fP to be specified. +per CPU. This requires \fB\-\-queue\-balance\fP to be specified. diff --git a/extensions/libxt_SET.man b/extensions/libxt_SET.man index c4713378..037969ea 100644 --- a/extensions/libxt_SET.man +++ b/extensions/libxt_SET.man @@ -26,7 +26,7 @@ when adding an entry if it already exists, reset the timeout value to the specified one or to the default from the set definition .TP \fB\-\-map\-set\fP \fIset\-name\fP -the set-name should be created with --skbinfo option +the set-name should be created with \-\-skbinfo option \fB\-\-map\-mark\fP map firewall mark to packet by lookup of value in the set \fB\-\-map\-prio\fP diff --git a/extensions/libxt_SNAT.man b/extensions/libxt_SNAT.man index 80a698a6..d879c871 100644 --- a/extensions/libxt_SNAT.man +++ b/extensions/libxt_SNAT.man @@ -23,7 +23,7 @@ will be mapped to ports below 1024, and other ports will be mapped to \fB\-\-random\fP Randomize source port mapping through a hash-based algorithm (kernel >= 2.6.21). .TP -\fB\-\-random-fully\fP +\fB\-\-random\-fully\fP Fully randomize source port mapping through a PRNG (kernel >= 3.14). .TP \fB\-\-persistent\fP diff --git a/extensions/libxt_SYNPROXY.man b/extensions/libxt_SYNPROXY.man index 30a71ed2..521a1d28 100644 --- a/extensions/libxt_SYNPROXY.man +++ b/extensions/libxt_SYNPROXY.man @@ -22,7 +22,7 @@ Example: .PP Determine tcp options used by backend, from an external system .IP -tcpdump -pni eth0 -c 1 'tcp[tcpflags] == (tcp-syn|tcp-ack)' +tcpdump \-pni eth0 -c 1 'tcp[tcpflags] == (tcp\-syn|tcp\-ack)' .br port 80 & .br diff --git a/extensions/libxt_TRACE.man b/extensions/libxt_TRACE.man index 5187a8d2..9cfa2711 100644 --- a/extensions/libxt_TRACE.man +++ b/extensions/libxt_TRACE.man @@ -15,6 +15,6 @@ With iptables-nft, the target is translated into nftables' .B "meta nftrace" expression. Hence the kernel sends trace events via netlink to userspace where they may be displayed using -.B "xtables-monitor --trace" +.B "xtables\-monitor \-\-trace" command. For details, refer to -.BR xtables-monitor (8). +.BR xtables\-monitor (8). diff --git a/extensions/libxt_bpf.man b/extensions/libxt_bpf.man index d6da2043..b79c21db 100644 --- a/extensions/libxt_bpf.man +++ b/extensions/libxt_bpf.man @@ -28,7 +28,7 @@ without the comments or trailing whitespace: .IP 4 # number of instructions .br -48 0 0 9 # load byte ip->proto +48 0 0 9 # load byte ip\->proto .br 21 0 1 6 # jump equal IPPROTO_TCP .br @@ -44,7 +44,7 @@ Or instead, you can invoke the nfbpf_compile utility. .IP iptables \-A OUTPUT \-m bpf \-\-bytecode "`nfbpf_compile RAW 'ip proto 6'`" \-j ACCEPT .PP -Or use tcpdump -ddd. In that case, generate BPF targeting a device with the +Or use tcpdump \-ddd. In that case, generate BPF targeting a device with the same data link type as the xtables match. Iptables passes packets from the network layer up, without mac layer. Select a device with data link type RAW, such as a tun device: @@ -53,8 +53,8 @@ ip tuntap add tun0 mode tun .br ip link set tun0 up .br -tcpdump -ddd -i tun0 ip proto 6 +tcpdump \-ddd \-i tun0 ip proto 6 .PP -See tcpdump -L -i $dev for a list of known data link types for a given device. +See tcpdump \-L \-i $dev for a list of known data link types for a given device. .PP You may want to learn more about BPF from FreeBSD's bpf(4) manpage. diff --git a/extensions/libxt_cgroup.man b/extensions/libxt_cgroup.man index 4d5d1d86..140afb48 100644 --- a/extensions/libxt_cgroup.man +++ b/extensions/libxt_cgroup.man @@ -15,7 +15,7 @@ option and \-\-path can't be used together. .PP Example: .IP -iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-path service/http-server \-j DROP +iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-path service/http\-server \-j DROP .IP iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-cgroup 1 \-j DROP diff --git a/extensions/libxt_cluster.man b/extensions/libxt_cluster.man index 23448e26..63054471 100644 --- a/extensions/libxt_cluster.man +++ b/extensions/libxt_cluster.man @@ -22,7 +22,7 @@ Example: iptables \-A PREROUTING \-t mangle \-i eth1 \-m cluster \-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1 \-\-cluster\-hash\-seed 0xdeadbeef -\-j MARK \-\-set-mark 0xffff +\-j MARK \-\-set\-mark 0xffff .IP iptables \-A PREROUTING \-t mangle \-i eth2 \-m cluster \-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1 @@ -42,10 +42,10 @@ ip maddr add 01:00:5e:00:01:01 dev eth1 ip maddr add 01:00:5e:00:01:02 dev eth2 .IP arptables \-A OUTPUT \-o eth1 \-\-h\-length 6 -\-j mangle \-\-mangle-mac-s 01:00:5e:00:01:01 +\-j mangle \-\-mangle\-mac\-s 01:00:5e:00:01:01 .IP -arptables \-A INPUT \-i eth1 \-\-h-length 6 -\-\-destination-mac 01:00:5e:00:01:01 +arptables \-A INPUT \-i eth1 \-\-h\-length 6 +\-\-destination\-mac 01:00:5e:00:01:01 \-j mangle \-\-mangle\-mac\-d 00:zz:yy:xx:5a:27 .IP arptables \-A OUTPUT \-o eth2 \-\-h\-length 6 diff --git a/extensions/libxt_connlabel.man b/extensions/libxt_connlabel.man index bdaa51e8..7ce18cf5 100644 --- a/extensions/libxt_connlabel.man +++ b/extensions/libxt_connlabel.man @@ -23,11 +23,11 @@ Label translation is done via the \fB/etc/xtables/connlabel.conf\fP configuratio Example: .IP .nf -0 eth0-in -1 eth0-out -2 ppp-in -3 ppp-out -4 bulk-traffic +0 eth0\-in +1 eth0\-out +2 ppp\-in +3 ppp\-out +4 bulk\-traffic 5 interactive .fi .PP diff --git a/extensions/libxt_connlimit.man b/extensions/libxt_connlimit.man index ad9f40fa..2292e9cc 100644 --- a/extensions/libxt_connlimit.man +++ b/extensions/libxt_connlimit.man @@ -39,4 +39,4 @@ ip6tables \-p tcp \-\-syn \-\-dport 80 \-s fe80::/64 \-m connlimit \-\-connlimit .TP # Limit the number of connections to a particular host: ip6tables \-p tcp \-\-syn \-\-dport 49152:65535 \-d 2001:db8::1 \-m connlimit -\-\-connlimit-above 100 \-j REJECT +\-\-connlimit\-above 100 \-j REJECT diff --git a/extensions/libxt_hashlimit.man b/extensions/libxt_hashlimit.man index 8a35d564..627fcd0a 100644 --- a/extensions/libxt_hashlimit.man +++ b/extensions/libxt_hashlimit.man @@ -77,8 +77,8 @@ in 10.0.0.0/8" => .TP matching bytes per second "flows exceeding 512kbyte/s" => -\-\-hashlimit-mode srcip,dstip,srcport,dstport \-\-hashlimit\-above 512kb/s +\-\-hashlimit\-mode srcip,dstip,srcport,dstport \-\-hashlimit\-above 512kb/s .TP matching bytes per second "hosts that exceed 512kbyte/s, but permit up to 1Megabytes without matching" -\-\-hashlimit-mode dstip \-\-hashlimit\-above 512kb/s \-\-hashlimit-burst 1mb +\-\-hashlimit\-mode dstip \-\-hashlimit\-above 512kb/s \-\-hashlimit\-burst 1mb diff --git a/extensions/libxt_nfacct.man b/extensions/libxt_nfacct.man index a818fedd..4e05891e 100644 --- a/extensions/libxt_nfacct.man +++ b/extensions/libxt_nfacct.man @@ -22,7 +22,7 @@ Then, you can check for the amount of traffic that the rules match: .IP nfacct get http\-traffic .IP -{ pkts = 00000000000000000156, bytes = 00000000000000151786 } = http-traffic; +{ pkts = 00000000000000000156, bytes = 00000000000000151786 } = http\-traffic; .PP You can obtain .B nfacct(8) diff --git a/extensions/libxt_osf.man b/extensions/libxt_osf.man index 41103f29..e68440f5 100644 --- a/extensions/libxt_osf.man +++ b/extensions/libxt_osf.man @@ -29,7 +29,7 @@ Log determined genres into dmesg even if they do not match the desired one. .PP You may find something like this in syslog: .PP -Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -> +Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 \-> 11.22.33.44:139 hops=3 Linux [2.5-2.6:] : 1.2.3.4:42624 -> 1.2.3.5:22 hops=4 .PP OS fingerprints are loadable using the \fBnfnl_osf\fP program. To load @@ -42,4 +42,4 @@ To remove them again, \fBnfnl_osf \-f /usr/share/xtables/pf.os \-d\fP .PP The fingerprint database can be downloaded from -http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os . +http://www.openbsd.org/cgi\-bin/cvsweb/src/etc/pf.os . diff --git a/extensions/libxt_owner.man b/extensions/libxt_owner.man index e2479865..fd6fe190 100644 --- a/extensions/libxt_owner.man +++ b/extensions/libxt_owner.man @@ -16,7 +16,7 @@ Matches if the packet socket's file structure is owned by the given group. You may also specify a numerical GID, or a GID range. .TP \fB\-\-suppl\-groups\fP -Causes group(s) specified with \fB\-\-gid-owner\fP to be also checked in the +Causes group(s) specified with \fB\-\-gid\-owner\fP to be also checked in the supplementary groups of a process. .TP [\fB!\fP] \fB\-\-socket\-exists\fP diff --git a/extensions/libxt_socket.man b/extensions/libxt_socket.man index f809df69..a268b443 100644 --- a/extensions/libxt_socket.man +++ b/extensions/libxt_socket.man @@ -29,7 +29,7 @@ to be matched when restoring the packet mark. Example: An application opens 2 transparent (\fBIP_TRANSPARENT\fP) sockets and sets a mark on them with \fBSO_MARK\fP socket option. We can filter matching packets: .IP -\-t mangle \-I PREROUTING \-m socket \-\-transparent \-\-restore-skmark \-j action +\-t mangle \-I PREROUTING \-m socket \-\-transparent \-\-restore\-skmark \-j action .IP \-t mangle \-A action \-m mark \-\-mark 10 \-j action2 .IP From patchwork Tue Oct 24 13:19:15 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Engelhardt X-Patchwork-Id: 1854391 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2620:137:e000::1:20; helo=out1.vger.email; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by legolas.ozlabs.org (Postfix) with ESMTP id 4SFCMN2Mslz23k5 for ; Wed, 25 Oct 2023 00:19:28 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234262AbjJXNTZ (ORCPT ); Tue, 24 Oct 2023 09:19:25 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36822 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234283AbjJXNTY (ORCPT ); Tue, 24 Oct 2023 09:19:24 -0400 Received: from a3.inai.de (a3.inai.de [IPv6:2a01:4f8:10b:45d8::f5]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A58E710F for ; Tue, 24 Oct 2023 06:19:21 -0700 (PDT) Received: by a3.inai.de (Postfix, from userid 65534) id 01FB958740D54; Tue, 24 Oct 2023 15:19:20 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 Received: from a4.inai.de (a4.inai.de [IPv6:2a01:4f8:10b:45d8::f8]) by a3.inai.de (Postfix) with ESMTP id 6CD2F58783417 for ; Tue, 24 Oct 2023 15:19:19 +0200 (CEST) From: Jan Engelhardt To: netfilter-devel@vger.kernel.org Subject: [PATCH 2/6] man: encode emdash the way groff/man requires it Date: Tue, 24 Oct 2023 15:19:15 +0200 Message-ID: <20231024131919.28665-2-jengelh@inai.de> X-Mailer: git-send-email 2.42.0 In-Reply-To: <20231024131919.28665-1-jengelh@inai.de> References: <20231024131919.28665-1-jengelh@inai.de> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Unlike LaTeX, two/three U+002D in the source do not translate to an en-/em-dash in man. Using \(em addresses this. --- extensions/libxt_hashlimit.man | 2 +- extensions/libxt_limit.man | 2 +- extensions/libxt_time.man | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/extensions/libxt_hashlimit.man b/extensions/libxt_hashlimit.man index 627fcd0a..b95a52d2 100644 --- a/extensions/libxt_hashlimit.man +++ b/extensions/libxt_hashlimit.man @@ -20,7 +20,7 @@ Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5. When byte-based rate matching is requested, this option specifies the amount of bytes that can exceed the given rate. This option should be used -with caution -- if the entry expires, the burst value is reset too. +with caution \(em if the entry expires, the burst value is reset too. .TP \fB\-\-hashlimit\-mode\fP {\fBsrcip\fP|\fBsrcport\fP|\fBdstip\fP|\fBdstport\fP}\fB,\fP... A comma-separated list of objects to take into consideration. If no diff --git a/extensions/libxt_limit.man b/extensions/libxt_limit.man index 6fb94ccf..b477dd94 100644 --- a/extensions/libxt_limit.man +++ b/extensions/libxt_limit.man @@ -4,7 +4,7 @@ It can be used in combination with the .B LOG target to give limited logging, for example. .PP -xt_limit has no negation support - you will have to use \-m hashlimit ! +xt_limit has no negation support \(em you will have to use \-m hashlimit ! \-\-hashlimit \fIrate\fP in this case whilst omitting \-\-hashlimit\-mode. .TP \fB\-\-limit\fP \fIrate\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP] diff --git a/extensions/libxt_time.man b/extensions/libxt_time.man index 4c0cae06..5b749a48 100644 --- a/extensions/libxt_time.man +++ b/extensions/libxt_time.man @@ -58,7 +58,7 @@ rest of the system uses). The caveat with the kernel timezone is that Linux distributions may ignore to set the kernel timezone, and instead only set the system time. Even if a particular distribution does set the timezone at boot, it is usually does not -keep the kernel timezone offset - which is what changes on DST - up to date. +keep the kernel timezone offset \(em which is what changes on DST \(em up to date. ntpd will not touch the kernel timezone, so running it will not resolve the issue. As such, one may encounter a timezone that is always +0000, or one that is wrong half of the time of the year. As such, \fBusing \-\-kerneltz is highly From patchwork Tue Oct 24 13:19:16 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Engelhardt X-Patchwork-Id: 1854390 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2620:137:e000::1:20; helo=out1.vger.email; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by legolas.ozlabs.org (Postfix) with ESMTP id 4SFCMN0d37z23jn for ; Wed, 25 Oct 2023 00:19:28 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234285AbjJXNTY (ORCPT ); Tue, 24 Oct 2023 09:19:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36820 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234262AbjJXNTY (ORCPT ); Tue, 24 Oct 2023 09:19:24 -0400 Received: from a3.inai.de (a3.inai.de [IPv6:2a01:4f8:10b:45d8::f5]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A37F8E8 for ; Tue, 24 Oct 2023 06:19:21 -0700 (PDT) Received: by a3.inai.de (Postfix, from userid 65534) id 2E94658783417; Tue, 24 Oct 2023 15:19:20 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 Received: from a4.inai.de (a4.inai.de [IPv6:2a01:4f8:10b:45d8::f8]) by a3.inai.de (Postfix) with ESMTP id 7A82A58783FC6 for ; Tue, 24 Oct 2023 15:19:19 +0200 (CEST) From: Jan Engelhardt To: netfilter-devel@vger.kernel.org Subject: [PATCH 3/6] man: encode hyphens the way groff/man requires it Date: Tue, 24 Oct 2023 15:19:16 +0200 Message-ID: <20231024131919.28665-3-jengelh@inai.de> X-Mailer: git-send-email 2.42.0 In-Reply-To: <20231024131919.28665-1-jengelh@inai.de> References: <20231024131919.28665-1-jengelh@inai.de> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Here is one instance in SYNPROXY.man where we want hyphens (U+2010) rather than U+002D. --- extensions/libxt_SYNPROXY.man | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extensions/libxt_SYNPROXY.man b/extensions/libxt_SYNPROXY.man index 521a1d28..bc2b3eec 100644 --- a/extensions/libxt_SYNPROXY.man +++ b/extensions/libxt_SYNPROXY.man @@ -40,7 +40,7 @@ telnet 192.0.2.42 80 .br length 0 .PP -Switch tcp_loose mode off, so conntrack will mark out\-of\-flow +Switch tcp_loose mode off, so conntrack will mark out-of-flow packets as state INVALID. .IP echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose From patchwork Tue Oct 24 13:19:17 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Engelhardt X-Patchwork-Id: 1854392 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2620:137:e000::1:20; helo=out1.vger.email; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by legolas.ozlabs.org (Postfix) with ESMTP id 4SFCMN5crHz23kh for ; Wed, 25 Oct 2023 00:19:28 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234366AbjJXNT0 (ORCPT ); Tue, 24 Oct 2023 09:19:26 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36828 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234346AbjJXNTY (ORCPT ); Tue, 24 Oct 2023 09:19:24 -0400 Received: from a3.inai.de (a3.inai.de [IPv6:2a01:4f8:10b:45d8::f5]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A4C76E9 for ; Tue, 24 Oct 2023 06:19:21 -0700 (PDT) Received: by a3.inai.de (Postfix, from userid 65534) id 3D58A58783FC6; Tue, 24 Oct 2023 15:19:20 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 Received: from a4.inai.de (a4.inai.de [IPv6:2a01:4f8:10b:45d8::f8]) by a3.inai.de (Postfix) with ESMTP id 8738D58783FC7 for ; Tue, 24 Oct 2023 15:19:19 +0200 (CEST) From: Jan Engelhardt To: netfilter-devel@vger.kernel.org Subject: [PATCH 4/6] man: consistent casing of "IPv[46]" Date: Tue, 24 Oct 2023 15:19:17 +0200 Message-ID: <20231024131919.28665-4-jengelh@inai.de> X-Mailer: git-send-email 2.42.0 In-Reply-To: <20231024131919.28665-1-jengelh@inai.de> References: <20231024131919.28665-1-jengelh@inai.de> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org --- extensions/libipt_ULOG.man | 2 +- extensions/libxt_connlimit.man | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/extensions/libipt_ULOG.man b/extensions/libipt_ULOG.man index c91f7764..453a5600 100644 --- a/extensions/libipt_ULOG.man +++ b/extensions/libipt_ULOG.man @@ -1,4 +1,4 @@ -This is the deprecated ipv4-only predecessor of the NFLOG target. +This is the deprecated IPv4-only predecessor of the NFLOG target. It provides userspace logging of matching packets. When this target is set for a rule, the Linux kernel will multicast this packet through a diff --git a/extensions/libxt_connlimit.man b/extensions/libxt_connlimit.man index 2292e9cc..980bf6c5 100644 --- a/extensions/libxt_connlimit.man +++ b/extensions/libxt_connlimit.man @@ -33,7 +33,7 @@ iptables \-p tcp \-\-syn \-\-dport 80 \-m connlimit \-\-connlimit\-above 16 \-\-connlimit\-mask 24 \-j REJECT .TP # limit the number of parallel HTTP requests to 16 for the link local network -(ipv6) +(IPv6) ip6tables \-p tcp \-\-syn \-\-dport 80 \-s fe80::/64 \-m connlimit \-\-connlimit\-above 16 \-\-connlimit\-mask 64 \-j REJECT .TP From patchwork Tue Oct 24 13:19:18 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Engelhardt X-Patchwork-Id: 1854393 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2620:137:e000::1:20; helo=out1.vger.email; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by legolas.ozlabs.org (Postfix) with ESMTP id 4SFCMP1mQKz23jn for ; Wed, 25 Oct 2023 00:19:29 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234387AbjJXNT1 (ORCPT ); Tue, 24 Oct 2023 09:19:27 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36844 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234364AbjJXNTY (ORCPT ); Tue, 24 Oct 2023 09:19:24 -0400 Received: from a3.inai.de (a3.inai.de [IPv6:2a01:4f8:10b:45d8::f5]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B1F37110 for ; Tue, 24 Oct 2023 06:19:21 -0700 (PDT) Received: by a3.inai.de (Postfix, from userid 65534) id 4BD2358783FC7; Tue, 24 Oct 2023 15:19:20 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 Received: from a4.inai.de (a4.inai.de [IPv6:2a01:4f8:10b:45d8::f8]) by a3.inai.de (Postfix) with ESMTP id 946D758783FC8 for ; Tue, 24 Oct 2023 15:19:19 +0200 (CEST) From: Jan Engelhardt To: netfilter-devel@vger.kernel.org Subject: [PATCH 5/6] man: grammar fixes to some manpages Date: Tue, 24 Oct 2023 15:19:18 +0200 Message-ID: <20231024131919.28665-5-jengelh@inai.de> X-Mailer: git-send-email 2.42.0 In-Reply-To: <20231024131919.28665-1-jengelh@inai.de> References: <20231024131919.28665-1-jengelh@inai.de> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org English generally uses open compounds rather than closed ones; fix the excess hyphens in words. Fix a missing dash for the portnr option as well. --- extensions/libxt_helper.man | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/extensions/libxt_helper.man b/extensions/libxt_helper.man index 772b1350..fb8a206c 100644 --- a/extensions/libxt_helper.man +++ b/extensions/libxt_helper.man @@ -1,11 +1,11 @@ -This module matches packets related to a specific conntrack-helper. +This module matches packets related to a specific conntrack helper. .TP [\fB!\fP] \fB\-\-helper\fP \fIstring\fP -Matches packets related to the specified conntrack-helper. +Matches packets related to the specified conntrack helper. .RS .PP -string can be "ftp" for packets related to a ftp-session on default port. -For other ports append \-portnr to the value, ie. "ftp\-2121". +string can be "ftp" for packets related to an FTP session on default port. +For other ports, append \-\-portnr to the value, ie. "ftp\-2121". .PP -Same rules apply for other conntrack-helpers. +Same rules apply for other conntrack helpers. .RE From patchwork Tue Oct 24 13:19:19 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Engelhardt X-Patchwork-Id: 1854394 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2620:137:e000::1:20; helo=out1.vger.email; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by legolas.ozlabs.org (Postfix) with ESMTP id 4SFCMP3Lrkz23k5 for ; Wed, 25 Oct 2023 00:19:29 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234364AbjJXNT2 (ORCPT ); Tue, 24 Oct 2023 09:19:28 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36860 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234283AbjJXNT0 (ORCPT ); Tue, 24 Oct 2023 09:19:26 -0400 Received: from a3.inai.de (a3.inai.de [IPv6:2a01:4f8:10b:45d8::f5]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 91729C2 for ; Tue, 24 Oct 2023 06:19:24 -0700 (PDT) Received: by a3.inai.de (Postfix, from userid 65534) id 5EA9558783FC8; Tue, 24 Oct 2023 15:19:20 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 Received: from a4.inai.de (a4.inai.de [IPv6:2a01:4f8:10b:45d8::f8]) by a3.inai.de (Postfix) with ESMTP id A16D9587850F0 for ; Tue, 24 Oct 2023 15:19:19 +0200 (CEST) From: Jan Engelhardt To: netfilter-devel@vger.kernel.org Subject: [PATCH 6/6] man: use native bullet point markup Date: Tue, 24 Oct 2023 15:19:19 +0200 Message-ID: <20231024131919.28665-6-jengelh@inai.de> X-Mailer: git-send-email 2.42.0 In-Reply-To: <20231024131919.28665-1-jengelh@inai.de> References: <20231024131919.28665-1-jengelh@inai.de> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Replace some "fake" bullet point by the official syntax/markup for bulleted lists. --- extensions/libxt_connlimit.man | 29 +++++++++++++++++------------ 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/extensions/libxt_connlimit.man b/extensions/libxt_connlimit.man index 980bf6c5..aa7df2b2 100644 --- a/extensions/libxt_connlimit.man +++ b/extensions/libxt_connlimit.man @@ -20,23 +20,28 @@ Apply the limit onto the source group. This is the default if Apply the limit onto the destination group. .PP Examples: -.TP -# allow 2 telnet connections per client host +.IP \(bu 4 +allow 2 telnet connections per client host: +.br iptables \-A INPUT \-p tcp \-\-syn \-\-dport 23 \-m connlimit \-\-connlimit\-above 2 \-j REJECT -.TP -# you can also match the other way around: +.IP \(bu 4 +you can also match the other way around: +.br iptables \-A INPUT \-p tcp \-\-syn \-\-dport 23 \-m connlimit \-\-connlimit\-upto 2 \-j ACCEPT -.TP -# limit the number of parallel HTTP requests to 16 per class C sized \ -source network (24 bit netmask) +.IP \(bu 4 +limit the number of parallel HTTP requests to 16 per class C sized \ +source network (24 bit netmask): +.br iptables \-p tcp \-\-syn \-\-dport 80 \-m connlimit \-\-connlimit\-above 16 \-\-connlimit\-mask 24 \-j REJECT -.TP -# limit the number of parallel HTTP requests to 16 for the link local network -(IPv6) +.IP \(bu 4 +limit the number of parallel HTTP requests to 16 for the link local network +(IPv6): +.br ip6tables \-p tcp \-\-syn \-\-dport 80 \-s fe80::/64 \-m connlimit \-\-connlimit\-above 16 \-\-connlimit\-mask 64 \-j REJECT -.TP -# Limit the number of connections to a particular host: +.IP \(bu 4 +Limit the number of connections to a particular host: +.br ip6tables \-p tcp \-\-syn \-\-dport 49152:65535 \-d 2001:db8::1 \-m connlimit \-\-connlimit\-above 100 \-j REJECT