author | Darren Reed <darrenr@FreeBSD.org> | 2004-06-21 22:53:03 +0000 |
---|---|---|
committer | Darren Reed <darrenr@FreeBSD.org> | 2004-06-21 22:53:03 +0000 |
commit | 0076f431584bada9a9e1a0ed773415e2def07bfe (patch) | |
tree | 8c812415a26f6e084b0a0b81079b87781f9eb672 /contrib/ipfilter/man | |
parent | 0338547942dd47e06443b736894c70efb7c8a955 (diff) | |
download | src-0076f431584bada9a9e1a0ed773415e2def07bfe.tar.gz src-0076f431584bada9a9e1a0ed773415e2def07bfe.zip |
Commit changes from 3.4.31 -> 3.4.35
* fix bug parsing port comparisons in proxy rules
* make parsing errors in ipf/ipnat return an error rather than return
indicating success.
* make parsing errors in ipf/ipnat return an error rather than return
indicating success.
* make ipfstat work as a set{g,u}id thing - gave up privs before opening
/dev/ipl
* fix ipfstat -A
* make "ipfstat -f" output more informative
* various changes to ipsend for sending packets with ipv4 options
* ipmon was not correctly calculating the length of the IPv6 packet (excluded
ipv6 header length)
MFC: 1 week
Notes:
svn path=/head/; revision=130890
Diffstat (limited to 'contrib/ipfilter/man')
-rw-r--r-- | contrib/ipfilter/man/ipf.5 | 14 | ||||
-rw-r--r-- | contrib/ipfilter/man/ipf.8 | 2 | ||||
-rw-r--r-- | contrib/ipfilter/man/ipfstat.8 | 4 | ||||
-rw-r--r-- | contrib/ipfilter/man/ipmon.8 | 6 |
4 files changed, 14 insertions, 12 deletions
diff --git a/contrib/ipfilter/man/ipf.5 b/contrib/ipfilter/man/ipf.5 index ecd6caf8072f..2f998b539d97 100644 --- a/contrib/ipfilter/man/ipf.5 +++ b/contrib/ipfilter/man/ipf.5 @@ -1,11 +1,11 @@ .\" $FreeBSD$ .TH IPF 5 .SH NAME -ipf, ipf.conf \- IP packet filter rule syntax +ipf, ipf.conf, ipf6.conf \- IP packet filter rule syntax .SH DESCRIPTION .PP A rule file for \fBipf\fP may have any name or even be stdin. As -\fBipfstat\fP produces parseable rules as output when displaying the internal +\fBipfstat\fP produces parsable rules as output when displaying the internal kernel filter lists, it is quite plausible to use its output to feed back into \fBipf\fP. Thus, to remove all filters on input packets, the following could be done: @@ -38,7 +38,7 @@ log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] . call = "call" [ "now" ] function-name . skip = "skip" decnumber . dup = "dup-to" interface-name[":"ipaddr] . -froute = "fastroute" | "to" interface-name . +froute = "fastroute" | "to" interface-name[":"ipaddr] . protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber . srcdst = "all" | fromto . fromto = "from" [ "!" ] object "to" [ "!" ] object . @@ -117,7 +117,7 @@ below). Filters are installed by default at the end of the kernel's filter lists, prepending the rule with \fB@n\fP will cause it to be inserted as the n'th entry in the current list. This is especially useful when -modifying and testing active filter rulesets. See ipf(1) for more +modifying and testing active filter rulesets. See ipf(8) for more information. .SH ACTIONS .PP 
@@ -137,7 +137,7 @@ with a rule which is being applied to TCP packets. When using \fBreturn-icmp\fP or \fBreturn-icmp-as-dest\fP, it is possible to specify the actual unreachable `type'. That is, whether it is a network unreachable, port unreachable or even administratively -prohibitied. This is done by enclosing the ICMP code associated with +prohibited. This is done by enclosing the ICMP code associated with it in parenthesis directly following \fBreturn-icmp\fP or \fBreturn-icmp-as-dest\fP as follows: .nf @@ -387,7 +387,7 @@ against, e.g.: .TP .B icmp-type is only effective when used with \fBproto icmp\fP and must NOT be used -in conjuction with \fBflags\fP. There are a number of types, which can be +in conjunction with \fBflags\fP. There are a number of types, which can be referred to by an abbreviation recognised by this language, or the numbers with which they are associated can be used. The most important from a security point of view is the ICMP redirect. @@ -428,7 +428,7 @@ indicates that the rule should be put in group (number n) rather than group 0. .PP When a packet is logged, with either the \fBlog\fP action or option, the headers of the packet are written to the \fBipl\fP packet logging -psuedo-device. Immediately following the \fBlog\fP keyword, the +pseudo-device. Immediately following the \fBlog\fP keyword, the following qualifiers may be used (in order): .TP .B body diff --git a/contrib/ipfilter/man/ipf.8 b/contrib/ipfilter/man/ipf.8 index a1f5b061e608..661375a52e3a 100644 --- a/contrib/ipfilter/man/ipf.8 +++ b/contrib/ipfilter/man/ipf.8 @@ -113,7 +113,7 @@ the current interface status list. .TP .B \-z For each rule in the input file, reset the statistics for it to zero and -display the statistics prior to them being zero'd. +display the statistics prior to them being zeroed. .TP .B \-Z Zero global statistics held in the kernel for filtering only (this doesn't 
diff --git a/contrib/ipfilter/man/ipfstat.8 b/contrib/ipfilter/man/ipfstat.8 index f4e5d5bc1426..e2f38a015757 100644 --- a/contrib/ipfilter/man/ipfstat.8 +++ b/contrib/ipfilter/man/ipfstat.8 @@ -65,7 +65,7 @@ This option is only valid in combination with \fB\-t\fP. Limit the state top display to show only state entries whose destination IP address and port match the addport argument. The addrport specification is of the form ipaddress[,port]. The ipaddress and port should be either numerical or the -string "any" (specifying any ip address resp. any port). If the \fB\-D\fP +string "any" (specifying any IP address resp. any port). If the \fB\-D\fP option is not specified, it defaults to "\fB\-D\fP any,any". .TP .B \-f @@ -141,7 +141,7 @@ kernel. Using the \fB\-t\fP option \fBipfstat\fP will enter the state top mode. In this mode the state table is displayed similar to the way \fBtop\fP displays the process table. The \fB\-C\fP, \fB\-D\fP, \fB\-P\fP, \fB\-S\fP and \fB\-T\fP -commandline options can be used to restrict the state entries that will be +command line options can be used to restrict the state entries that will be shown and to specify the frequency of display updates. .PP In state top mode, the following keys can be used to influence the displayed diff --git a/contrib/ipfilter/man/ipmon.8 b/contrib/ipfilter/man/ipmon.8 index a559e940db63..d7f94dfab363 100644 --- a/contrib/ipfilter/man/ipmon.8 +++ b/contrib/ipfilter/man/ipmon.8 
@@ -83,11 +83,11 @@ are displayed to the same output 'device' (stderr or syslog). .TP .B \-b For rules which log the body of a packet, generate hex output representing -the packet contents afte the headers. +the packet contents after the headers. .TP .B \-D Cause ipmon to turn itself into a daemon. Using subshells or backgrounding -of ipmon is not required to turn it into an orphan so it can run indefinately. +of ipmon is not required to turn it into an orphan so it can run indefinitely. .TP .B "\-f <device>" specify an alternative device/file from which to read the log information @@ -171,3 +171,5 @@ recorded data. .SH SEE ALSO ipl(4), ipf(8), ipfstat(8), ipnat(8) .\".SH BUGS +.PP +If you find any, please send email to me at darrenr@pobox.com |
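Review bot: in ipf.5, hunk @@ -1,11, the NAME line gains ipf6.conf but the DESCRIPTION context directly below it still only says a rule file "may have any name or even be stdin" and never mentions ipf6.conf. Add a sentence under DESCRIPTION saying what distinguishes ipf6.conf from ipf.conf, so the new name in the header is not left unexplained.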
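Review bot: in ipf.5, hunk @@ -38,7, the froute production changes from "to" interface-name to "to" interface-name[":"ipaddr], which is a grammar change among what are otherwise spelling fixes, and none of the visible hunks documents what the optional ipaddr means for a "to" rule. Because this affects where a matched packet is sent, the section that describes "to" and "fastroute" should explain the ipaddr form (the dup-to production on the line above has the same shape), and the change deserves its own line in the commit message so that rule authors notice it.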
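Review bot: in ipf.5, hunk @@ -137,7, "prohibitied" is corrected but the next line of the same sentence still reads "in parenthesis directly following \fBreturn-icmp\fP"; the plural "parentheses" is what is meant, since the code is enclosed in a pair. Fix it in the same pass, as this hunk is already touching the sentence.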
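Review bot: in ipfstat.8, hunk @@ -65,7, the context two lines above the corrected "IP address" line still says "match the addport argument" while the following sentence calls it "The addrport specification"; one of the two spellings is a typo and a reader cannot tell which name the option takes. Make both "addrport", and consider replacing "resp." with "or" on the changed line while it is being edited.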
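Review bot: in ipmon.8, hunk @@ -171,3, the two added lines (".PP" and "If you find any, please send email to me at darrenr@pobox.com") follow a heading that is still commented out as .\".SH BUGS, so the rendered page will show "If you find any" as a paragraph under SEE ALSO with nothing for "any" to refer to. Uncomment the heading by changing that line to .SH BUGS, or drop the added paragraph; "me" is also ambiguous in a man page without an AUTHOR section in view, so naming the maintainer would be clearer.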