bugzilla-daemon at netfilter.org
2023-May-28 06:02 UTC
[Bug 1682] New: Issues in iptables man pages
https://bugzilla.netfilter.org/show_bug.cgi?id=1682
Bug ID: 1682
Summary: Issues in iptables man pages
Product: iptables
Version: 1.8.x
Hardware: All
OS: All
Status: NEW
Severity: minor
Priority: P5
Component: iptables
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: debian at helgefjell.de
Dear iptables maintainer,
the manpage-l10n project maintains a large number of translations of
man pages both from a large variety of sources (including iptables) as
well as for a large variety of target languages.
During their work translators notice different possible issues in the
original (English) man pages. Sometimes this is a straightforward
typo, sometimes a hard to read sentence, sometimes this is a
convention not held up and sometimes we simply do not understand the
original.
We use several distributions as sources and update regularly (at
least every 2 months). This means we are fairly recent (some
distributions like archlinux also update frequently) but might miss
the latest upstream version once in a while, so the error might be
already fixed. We apologize and ask you to close the issue immediately
if this should be the case, but given the huge volume of projects and
the very limited number of volunteers we are not able to double check
each and every issue.
Secondly we translators see the manpages in the neutral po format,
i.e. converted and harmonized, but not the original source (be it man,
groff, xml or other). So we cannot provide a true patch (where
possible), but only an approximation which you need to convert into
your source format.
Finally the issues I'm reporting have accumulated over time and are
not always discovered by me, so sometimes my description of the
problem may be a bit limited - do not hesitate to ask so we can clarify
them.
I'm now reporting the errors for your project. If future reports
should use another channel, please let me know.
Man page: iptables.8
Issue: "consult" sounds strange, maybe "used"?
"This table is consulted when a packet that creates a new connection is "
"encountered. It consists of four built-ins: B<PREROUTING> (for altering "
"packets as soon as they come in), B<INPUT> (for altering packets destined "
"for local sockets), B<OUTPUT> (for altering locally-generated packets before "
"routing), and B<POSTROUTING> (for altering packets as they are about to go "
"out). IPv6 NAT support is available since kernel 3.7."
--
Man page: iptables.8
Issue 1: B<OUTPUT> → and B<OUTPUT>
Issue 2: Missing full stop at end
"This table is used mainly for configuring exemptions from connection "
"tracking in combination with the NOTRACK target. It registers at the "
"netfilter hooks with higher priority and is thus called before ip_conntrack, "
"or any other IP tables. It provides the following built-in chains: "
"B<PREROUTING> (for packets arriving via any network interface) B<OUTPUT> "
"(for packets generated by local processes)"
--
Man page: iptables.8
Issue: B<iptables-nft> → B<iptables-nft>(8)
"Delete the chain specified. There must be no references to the chain. If "
"there are, you must delete or replace the referring rules before the chain "
"can be deleted. The chain must be empty, i.e. not contain any rules. If no "
"argument is given, it will delete all empty chains in the table. Empty "
"builtin chains can only be deleted with B<iptables-nft>."
--
Man page: iptables.8
Issue 1: iptables → B<iptables>
Issue 2: iptables-restore → B<iptables-restore>(8)
Issue 3: ip6tables-restore → B<ip6tables-restore>(8)
"This option has no effect in iptables and iptables-restore. If a rule using "
"the B<-4> option is inserted with (and only with) ip6tables-restore, it "
"will be silently ignored. Any other uses will throw an error. This option "
"allows IPv4 and IPv6 rules in a single rule file for use with both iptables-"
"restore and ip6tables-restore."
--
Man page: iptables.8
Issue 1: ip6tables → B<ip6tables>
Issue 2: ip6tables-restore → B<ip6tables-restore>(8)
Issue 3: iptables-restore → B<iptables-restore>(8)
"If a rule using the B<-6> option is inserted with (and only with) iptables-"
"restore, it will be silently ignored. Any other uses will throw an error. "
"This option allows IPv4 and IPv6 rules in a single rule file for use with "
"both iptables-restore and ip6tables-restore. This option has no effect in "
"ip6tables and ip6tables-restore."
--
Man page: iptables.8
Issue 1: B<icmpv6>,B<esp> → B<icmpv6>, B<esp>
Issue 2: /etc/protocols → I</etc/protocols>
Issue 3: ip6tables → B<ip6tables>
"The protocol of the rule or of the packet to check. The specified protocol "
"can be one of B<tcp>, B<udp>, B<udplite>, B<icmp>, B<icmpv6>,B<esp>, B<ah>, "
"B<sctp>, B<mh> or the special keyword \"B<all>\", or it can be a numeric "
"value, representing one of these protocols or a different one. A protocol "
"name from /etc/protocols is also allowed. A \"!\" argument before the "
"protocol inverts the test. The number zero is equivalent to B<all>. "
"\"B<all>\" will match with all protocols and is taken as default when this "
"option is omitted. Note that, in ip6tables, IPv6 extension headers except "
"B<esp> are not allowed. B<esp> and B<ipv6-nonext> can be used with Kernel "
"version 2.6.11 or later. The number zero is equivalent to B<all>, which "
"means that you cannot test the protocol field for the value 0 directly. To "
"match on a HBH header, even if it were the last, you cannot use B<-p 0>, but "
"always need B<-m hbh>."
--
Man page: iptables.8
Issue: iptables → B<iptables>
"Source specification. I<Address> can be either a network name, a hostname, a "
"network IP address (with B</>I<mask>), or a plain IP address. Hostnames will "
"be resolved once only, before the rule is submitted to the kernel. Please "
"note that specifying any name to be resolved with a remote query such as DNS "
"is a really bad idea. The I<mask> can be either an ipv4 network mask (for "
"iptables) or a plain number, specifying the number of 1's at the left side "
"of the network mask. Thus, an iptables mask of I<24> is equivalent to "
"I<255.255.255.0>. A \"!\" argument before the address specification inverts "
"the sense of the address. The flag B<--src> is an alias for this option. "
"Multiple addresses can be specified, but this will B<expand to multiple "
"rules> (when adding with -A), or will cause multiple rules to be deleted "
"(with -D)."
--
Man page: iptables.8
Issue: B<EXTENSIONS> → B<MATCH AND TARGET EXTENSIONS>?
"This specifies the target of the rule; i.e., what to do if the packet "
"matches it. The target can be a user-defined chain (other than the one this "
"rule is in), one of the special builtin targets which decide the fate of the "
"packet immediately, or an extension (see B<EXTENSIONS> below). If this "
"option is omitted in a rule (and B<-g> is not used), then matching the rule "
"will have no effect on the packet's fate, but the counters on the rule will "
"be incremented."
--
Man page: iptables.8
Issue: return → B<RETURN>?
"This specifies that the processing should continue in a user specified "
"chain. Unlike the --jump option return will not continue processing in this "
"chain but instead in the chain that called us via --jump."
--
Man page: iptables.8
Issue: ip6tables. → B<ip6tables>.
"This means that the rule only refers to second and further IPv4 fragments of "
"fragmented packets. Since there is no way to tell the source or destination "
"ports of such a packet (or ICMP type), such a packet will not match any "
"rules which specify them. When the \"!\" argument precedes the \"-f\" flag, "
"the rule will only match head fragments, or unfragmented packets. This "
"option is IPv4 specific, it is not available in ip6tables."
--
Man page: iptables.8
Issue: 1000) → 1000),
"Expand numbers. Display the exact value of the packet and byte counters, "
"instead of only the rounded number in K's (multiples of 1000) M's "
"(multiples of 1000K) or G's (multiples of 1000M). This option is only "
"relevant for the B<-L> command."
--
Man page: iptables.8
Issue: http → https
"Bugs? What's this? ;-) Well, you might want to have a look at http://"
"bugzilla.netfilter.org/ B<iptables> will exit immediately with an error code "
"of 111 if it finds that it was called as a setuid-to-root program. iptables "
"cannot be used safely in this manner because it trusts the shared libraries "
"(matches, targets) loaded at run time, the search path can be set using "
"environment variables."
--
Man page: iptables.8
Issue 1: should simplify → should avoid
Issue 2: filtering seen previously. → filtering.
"The various forms of NAT have been separated out; B<iptables> is a pure "
"packet filter when using the default `filter' table, with optional extension "
"modules. This should simplify much of the previous confusion over the "
"combination of IP masquerading and packet filtering seen previously. So the "
"following options are handled differently:"
--
Man page: iptables.8
Issue: iptables. → B<iptables>.
"There are several other changes in iptables."
--
Man page: iptables.8
Issue: iptables/ip6tables → B<iptables>/B<ip6tables>
"This manual page applies to iptables/ip6tables 1.8.9."
--
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2023-Aug-04 23:45 UTC
[Bug 1682] Issues in iptables man pages
https://bugzilla.netfilter.org/show_bug.cgi?id=1682
Phil Sutter <phil at nwl.cc> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
CC| |phil at nwl.cc
Resolution|--- |FIXED
--- Comment #1 from Phil Sutter <phil at nwl.cc> ---
Resolved by this series of patches:
https://lore.kernel.org/all/ZM2Mo+Y0ddgBmcDi@orbyte.nwl.cc/