OSDN > Finden Software > Linux JM　(Japanese Man-page) Project > SCM > git > iptables > Commit

Linux JM　(Japanese Man-page) Project
Fork
LDP_man-pages
coreutils
iptables
jm

R/O
HTTP
SSH
HTTPS

iptables: Commit

Commit MetaInfo

Revision	af9196ed46a6fead76f526dc2bf3131d5d3a1e36 (tree)
Zeit	2014-05-07 04:50:28
Autor	Akihiro MOTOKI <amotoki@gmai...>
Commiter	Akihiro MOTOKI

Log Message

iptables: Update original to 1.4.21

Ändern Zusammenfassung

modified: README.JM (diff)
modified: original/man1/iptables-xml.1 (diff)
modified: original/man8/ip6tables-restore.8 (diff)
modified: original/man8/ip6tables-save.8 (diff)
modified: original/man8/ip6tables.8 (diff)
modified: original/man8/iptables-apply.8 (diff)
modified: original/man8/iptables-extensions.8 (diff)
modified: original/man8/iptables-restore.8 (diff)
modified: original/man8/iptables-save.8 (diff)
modified: original/man8/iptables.8 (diff)
modified: po4a/man1/iptables-xml.1.ja.po (diff)
modified: po4a/man8/iptables-apply.8.ja.po (diff)
modified: po4a/man8/iptables-extensions.8.ja.po (diff)
modified: po4a/man8/iptables-restore.8.ja.po (diff)
modified: po4a/man8/iptables-save.8.ja.po (diff)
modified: po4a/man8/iptables.8.ja.po (diff)
modified: translation_list (diff)

Diff

--- a/README.JM

+++ b/README.JM

		@@ -25,8 +25,8 @@ cp */.8 ../../original/man8/
25	25	@ iptables top directory
26	26
27	27	grep -r @PACKAGE_VERSION@ original/
28		-sed -i -e 's/@PACKAGE_VERSION@/1.4.18/' original/man8/iptables.8
29		-sed -i -e 's/@PACKAGE_VERSION@/1.4.18/' original/man8/ip6tables.8
	28	+sed -i -e 's/@PACKAGE_AND_VERSION@/1.4.21/' original/man8/iptables.8
	29	+patch -p3 < patch.original
30	30
31	31	git add -u
32	32	git add original

--- a/original/man1/iptables-xml.1

+++ b/original/man1/iptables-xml.1

		@@ -1,4 +1,4 @@
1		-.TH IPTABLES-XML 8 "Jul 16, 2007" "" ""
	1	+.TH IPTABLES-XML 1 "" "iptables 1.4.21" "iptables 1.4.21"
2	2	.\"
3	3	.\" Man page written by Sam Liddicott <azez@ufomechanic.net>
4	4	.\" It is based on the iptables-save man page.

--- a/original/man8/ip6tables-restore.8

+++ b/original/man8/ip6tables-restore.8

		@@ -1,68 +1 @@
1		-.TH IP6TABLES-RESTORE 8 "Jan 30, 2002" "" ""
2		-.\"
3		-.\" Man page written by Harald Welte <laforge@gnumonks.org>
4		-.\" It is based on the iptables man page.
5		-.\"
6		-.\" This program is free software; you can redistribute it and/or modify
7		-.\" it under the terms of the GNU General Public License as published by
8		-.\" the Free Software Foundation; either version 2 of the License, or
9		-.\" (at your option) any later version.
10		-.\"
11		-.\" This program is distributed in the hope that it will be useful,
12		-.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
13		-.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14		-.\" GNU General Public License for more details.
15		-.\"
16		-.\" You should have received a copy of the GNU General Public License
17		-.\" along with this program; if not, write to the Free Software
18		-.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
19		-.\"
20		-.\"
21		-.SH NAME
22		-ip6tables-restore \(em Restore IPv6 Tables
23		-.SH SYNOPSIS
24		-\fBip6tables\-restore\fP [\fB\-chntv\fP] [\fB\-M\fP \fImodprobe\fP]
25		-[\fB\-T\fP \fIname\fP]
26		-.SH DESCRIPTION
27		-.PP
28		-.B ip6tables-restore
29		-is used to restore IPv6 Tables from data specified on STDIN. Use
30		-I/O redirection provided by your shell to read from a file
31		-.TP
32		-\fB\-c\fR, \fB\-\-counters\fR
33		-restore the values of all packet and byte counters
34		-.TP
35		-\fB\-h\fP, \fB\-\-help\fP
36		-Print a short option summary.
37		-.TP
38		-\fB\-n\fR, \fB\-\-noflush\fR
39		-don't flush the previous contents of the table. If not specified,
40		-\fBip6tables-restore\fP flushes (deletes) all previous contents of the
41		-respective table.
42		-.TP
43		-\fB\-t\fP, \fB\-\-test\fP
44		-Only parse and construct the ruleset, but do not commit it.
45		-.TP
46		-\fB\-v\fP, \fB\-\-verbose\fP
47		-Print additional debug info during ruleset processing.
48		-.TP
49		-\fB\-M\fP, \fB\-\-modprobe\fP \fImodprobe_program\fP
50		-Specify the path to the modprobe program. By default, ip6tables-restore will
51		-inspect /proc/sys/kernel/modprobe to determine the executable's path.
52		-.TP
53		-\fB\-T\fP, \fB\-\-table\fP \fIname\fP
54		-Restore only the named table even if the input stream contains other ones.
55		-.B ip6tables-restore
56		-flushes (deletes) all previous contents of the respective IPv6 Table.
57		-.SH BUGS
58		-None known as of iptables-1.2.1 release
59		-.SH AUTHORS
60		-Harald Welte <laforge@gnumonks.org>
61		-.br
62		-Andras Kis-Szabo <kisza@sch.bme.hu>
63		-.SH SEE ALSO
64		-\fBip6tables\-save\fP(8), \fBip6tables\fP(8)
65		-.PP
66		-The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
67		-which details NAT, and the netfilter-hacking-HOWTO which details the
68		-internals.
	1	+.so man8/iptables-restore.8

--- a/original/man8/ip6tables-save.8

+++ b/original/man8/ip6tables-save.8

		@@ -1,53 +1 @@
1		-.TH IP6TABLES-SAVE 8 "Jan 30, 2002" "" ""
2		-.\"
3		-.\" Man page written by Harald Welte <laforge@gnumonks.org>
4		-.\" It is based on the iptables man page.
5		-.\"
6		-.\" This program is free software; you can redistribute it and/or modify
7		-.\" it under the terms of the GNU General Public License as published by
8		-.\" the Free Software Foundation; either version 2 of the License, or
9		-.\" (at your option) any later version.
10		-.\"
11		-.\" This program is distributed in the hope that it will be useful,
12		-.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
13		-.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14		-.\" GNU General Public License for more details.
15		-.\"
16		-.\" You should have received a copy of the GNU General Public License
17		-.\" along with this program; if not, write to the Free Software
18		-.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
19		-.\"
20		-.\"
21		-.SH NAME
22		-ip6tables-save \(em dump iptables rules to stdout
23		-.SH SYNOPSIS
24		-\fBip6tables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
25		-[\fB\-t\fP \fItable\fP
26		-.SH DESCRIPTION
27		-.PP
28		-.B ip6tables-save
29		-is used to dump the contents of an IPv6 Table in easily parseable format
30		-to STDOUT. Use I/O-redirection provided by your shell to write to a file.
31		-.TP
32		-\fB\-M\fP \fImodprobe_program\fP
33		-Specify the path to the modprobe program. By default, iptables-save will
34		-inspect /proc/sys/kernel/modprobe to determine the executable's path.
35		-.TP
36		-\fB\-c\fR, \fB\-\-counters\fR
37		-include the current values of all packet and byte counters in the output
38		-.TP
39		-\fB\-t\fR, \fB\-\-table\fR \fItablename\fP
40		-restrict output to only one table. If not specified, output includes all
41		-available tables.
42		-.SH BUGS
43		-None known as of iptables-1.2.1 release
44		-.SH AUTHORS
45		-Harald Welte <laforge@gnumonks.org>
46		-.br
47		-Andras Kis-Szabo <kisza@sch.bme.hu>
48		-.SH SEE ALSO
49		-\fBip6tables\-restore\fP(8), \fBip6tables\fP(8)
50		-.PP
51		-The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
52		-which details NAT, and the netfilter-hacking-HOWTO which details the
53		-internals.
	1	+.so man8/iptables-save.8

--- a/original/man8/ip6tables.8

+++ b/original/man8/ip6tables.8

		@@ -1,456 +1 @@
1		-.TH IP6TABLES 8 "" "iptables 1.4.18" "iptables 1.4.18"
2		-.\"
3		-.\" Man page written by Andras Kis-Szabo <kisza@sch.bme.hu>
4		-.\" It is based on iptables man page.
5		-.\"
6		-.\" iptables page by Herve Eychenne <rv@wallfire.org>
7		-.\" It is based on ipchains man page.
8		-.\"
9		-.\" ipchains page by Paul ``Rusty'' Russell March 1997
10		-.\" Based on the original ipfwadm man page by Jos Vos <jos@xos.nl>
11		-.\"
12		-.\" This program is free software; you can redistribute it and/or modify
13		-.\" it under the terms of the GNU General Public License as published by
14		-.\" the Free Software Foundation; either version 2 of the License, or
15		-.\" (at your option) any later version.
16		-.\"
17		-.\" This program is distributed in the hope that it will be useful,
18		-.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
19		-.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20		-.\" GNU General Public License for more details.
21		-.\"
22		-.\" You should have received a copy of the GNU General Public License
23		-.\" along with this program; if not, write to the Free Software
24		-.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25		-.\"
26		-.\"
27		-.SH NAME
28		-ip6tables \(em IPv6 packet filter administration
29		-.SH SYNOPSIS
30		-\fBip6tables\fP [\fB\-t\fP \fItable\fP] {\fB\-A\fP\|\fB\-C\fP\|\fB\-D\fP}
31		-\fIchain rule-specification\fP [\fIoptions...\fP]
32		-.PP
33		-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-I\fP \fIchain\fP [\fIrulenum\fP]
34		-\fIrule-specification\fP [\fIoptions...\fP]
35		-.PP
36		-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-R\fP \fIchain rulenum
37		-rule-specification\fP [\fIoptions...\fP]
38		-.PP
39		-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-D\fP \fIchain rulenum\fP
40		-[\fIoptions...\fP]
41		-.PP
42		-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-S\fP [\fIchain\fP [\fIrulenum\fP]]
43		-.PP
44		-\fBip6tables\fP [\fB\-t\fP \fItable\fP] {\fB\-F\fP\|\fB\-L\fP\|\fB\-Z\fP}
45		-[\fIchain\fP [\fIrulenum\fP]] [\fIoptions...\fP]
46		-.PP
47		-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-N\fP \fIchain\fP
48		-.PP
49		-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-X\fP [\fIchain\fP]
50		-.PP
51		-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-P\fP \fIchain target\fP
52		-[\fIoptions...\fP]
53		-.PP
54		-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-E\fP \fIold-chain-name new-chain-name\fP
55		-.SH DESCRIPTION
56		-\fBIp6tables\fP is used to set up, maintain, and inspect the
57		-tables of IPv6 packet
58		-filter rules in the Linux kernel. Several different tables
59		-may be defined. Each table contains a number of built-in
60		-chains and may also contain user-defined chains.
61		-.PP
62		-Each chain is a list of rules which can match a set of packets. Each
63		-rule specifies what to do with a packet that matches. This is called
64		-a `target', which may be a jump to a user-defined chain in the same
65		-table.
66		-.SH TARGETS
67		-A firewall rule specifies criteria for a packet and a target. If the
68		-packet does not match, the next rule in the chain is the examined; if
69		-it does match, then the next rule is specified by the value of the
70		-target, which can be the name of a user-defined chain or one of the
71		-special values \fBACCEPT\fP, \fBDROP\fP, \fBQUEUE\fP or \fBRETURN\fP.
72		-.PP
73		-\fBACCEPT\fP means to let the packet through.
74		-\fBDROP\fP means to drop the packet on the floor.
75		-\fBQUEUE\fP means to pass the packet to userspace.
76		-(How the packet can be received
77		-by a userspace process differs by the particular queue handler. 2.4.x
78		-and 2.6.x kernels up to 2.6.13 include the \fBip_queue\fP
79		-queue handler. Kernels 2.6.14 and later additionally include the
80		-\fBnfnetlink_queue\fP queue handler. Packets with a target of QUEUE will be
81		-sent to queue number '0' in this case. Please also see the \fBNFQUEUE\fP
82		-target as described later in this man page.)
83		-\fBRETURN\fP means stop traversing this chain and resume at the next
84		-rule in the
85		-previous (calling) chain. If the end of a built-in chain is reached
86		-or a rule in a built-in chain with target \fBRETURN\fP
87		-is matched, the target specified by the chain policy determines the
88		-fate of the packet.
89		-.SH TABLES
90		-There are currently five independent tables (which tables are present
91		-at any time depends on the kernel configuration options and which
92		-modules are present).
93		-.TP
94		-\fB\-t\fP, \fB\-\-table\fP \fItable\fP
95		-This option specifies the packet matching table which the command
96		-should operate on. If the kernel is configured with automatic module
97		-loading, an attempt will be made to load the appropriate module for
98		-that table if it is not already there.
99		-
100		-The tables are as follows:
101		-.RS
102		-.TP .4i
103		-\fBfilter\fP:
104		-This is the default table (if no \-t option is passed). It contains
105		-the built-in chains \fBINPUT\fP (for packets destined to local sockets),
106		-\fBFORWARD\fP (for packets being routed through the box), and
107		-\fBOUTPUT\fP (for locally-generated packets).
108		-.TP
109		-\fBnat\fP:
110		-This table is consulted when a packet that creates a new
111		-connection is encountered. It consists of three built-ins: \fBPREROUTING\fP
112		-(for altering packets as soon as they come in), \fBOUTPUT\fP
113		-(for altering locally-generated packets before routing), and \fBPOSTROUTING\fP
114		-(for altering packets as they are about to go out). Available since kernel 3.7.
115		-.TP
116		-\fBmangle\fP:
117		-This table is used for specialized packet alteration. Until kernel
118		-2.4.17 it had two built-in chains: \fBPREROUTING\fP
119		-(for altering incoming packets before routing) and \fBOUTPUT\fP
120		-(for altering locally-generated packets before routing).
121		-Since kernel 2.4.18, three other built-in chains are also supported:
122		-\fBINPUT\fP (for packets coming into the box itself), \fBFORWARD\fP
123		-(for altering packets being routed through the box), and \fBPOSTROUTING\fP
124		-(for altering packets as they are about to go out).
125		-.TP
126		-\fBraw\fP:
127		-This table is used mainly for configuring exemptions from connection
128		-tracking in combination with the NOTRACK target. It registers at the netfilter
129		-hooks with higher priority and is thus called before ip_conntrack, or any other
130		-IP tables. It provides the following built-in chains: \fBPREROUTING\fP
131		-(for packets arriving via any network interface) \fBOUTPUT\fP
132		-(for packets generated by local processes)
133		-.TP
134		-\fBsecurity\fP:
135		-This table is used for Mandatory Access Control (MAC) networking rules, such
136		-as those enabled by the \fBSECMARK\fP and \fBCONNSECMARK\fP targets.
137		-Mandatory Access Control is implemented by Linux Security Modules such as
138		-SELinux. The security table is called after the filter table, allowing any
139		-Discretionary Access Control (DAC) rules in the filter table to take effect
140		-before MAC rules. This table provides the following built-in chains:
141		-\fBINPUT\fP (for packets coming into the box itself),
142		-\fBOUTPUT\fP (for altering locally-generated packets before routing), and
143		-\fBFORWARD\fP (for altering packets being routed through the box).
144		-.RE
145		-.SH OPTIONS
146		-The options that are recognized by
147		-\fBip6tables\fP can be divided into several different groups.
148		-.SS COMMANDS
149		-These options specify the specific action to perform. Only one of them
150		-can be specified on the command line unless otherwise specified
151		-below. For all the long versions of the command and option names, you
152		-need to use only enough letters to ensure that
153		-\fBip6tables\fP can differentiate it from all other options.
154		-.TP
155		-\fB\-A\fP, \fB\-\-append\fP \fIchain rule-specification\fP
156		-Append one or more rules to the end of the selected chain.
157		-When the source and/or destination names resolve to more than one
158		-address, a rule will be added for each possible address combination.
159		-.TP
160		-\fB\-C\fP, \fB\-\-check\fP \fIchain rule-specification\fP
161		-Check whether a rule matching the specification does exist in the
162		-selected chain. This command uses the same logic as \fB\-D\fP to
163		-find a matching entry, but does not alter the existing iptables
164		-configuration and uses its exit code to indicate success or failure.
165		-.TP
166		-\fB\-D\fP, \fB\-\-delete\fP \fIchain rule-specification\fP
167		-.ns
168		-.TP
169		-\fB\-D\fP, \fB\-\-delete\fP \fIchain rulenum\fP
170		-Delete one or more rules from the selected chain. There are two
171		-versions of this command: the rule can be specified as a number in the
172		-chain (starting at 1 for the first rule) or a rule to match.
173		-.TP
174		-\fB\-I\fP, \fB\-\-insert\fP \fIchain\fP [\fIrulenum\fP] \fIrule-specification\fP
175		-Insert one or more rules in the selected chain as the given rule
176		-number. So, if the rule number is 1, the rule or rules are inserted
177		-at the head of the chain. This is also the default if no rule number
178		-is specified.
179		-.TP
180		-\fB\-R\fP, \fB\-\-replace\fP \fIchain rulenum rule-specification\fP
181		-Replace a rule in the selected chain. If the source and/or
182		-destination names resolve to multiple addresses, the command will
183		-fail. Rules are numbered starting at 1.
184		-.TP
185		-\fB\-L\fP, \fB\-\-list\fP [\fIchain\fP]
186		-List all rules in the selected chain. If no chain is selected, all
187		-chains are listed. Like every other ip6tables command, it applies to the
188		-specified table (filter is the default).
189		-.IP ""
190		-Please note that it is often used with the \fB\-n\fP
191		-option, in order to avoid long reverse DNS lookups.
192		-It is legal to specify the \fB\-Z\fP
193		-(zero) option as well, in which case the chain(s) will be atomically
194		-listed and zeroed. The exact output is affected by the other
195		-arguments given. The exact rules are suppressed until you use
196		-.nf
197		- ip6tables \-L \-v
198		-.fi
199		-.TP
200		-\fB\-S\fP, \fB\-\-list\-rules\fP [\fIchain\fP]
201		-Print all rules in the selected chain. If no chain is selected, all
202		-chains are printed like ip6tables-save. Like every other ip6tables command,
203		-it applies to the specified table (filter is the default).
204		-.TP
205		-\fB\-F\fP, \fB\-\-flush\fP [\fIchain\fP]
206		-Flush the selected chain (all the chains in the table if none is given).
207		-This is equivalent to deleting all the rules one by one.
208		-.TP
209		-\fB\-Z\fP, \fB\-\-zero\fP [\fIchain\fP [\fIrulenum\fP]]
210		-Zero the packet and byte counters in all chains, or only the given chain,
211		-or only the given rule in a chain. It is legal to
212		-specify the
213		-\fB\-L\fP, \fB\-\-list\fP
214		-(list) option as well, to see the counters immediately before they are
215		-cleared. (See above.)
216		-.TP
217		-\fB\-N\fP, \fB\-\-new\-chain\fP \fIchain\fP
218		-Create a new user-defined chain by the given name. There must be no
219		-target of that name already.
220		-.TP
221		-\fB\-X\fP, \fB\-\-delete\-chain\fP [\fIchain\fP]
222		-Delete the optional user-defined chain specified. There must be no references
223		-to the chain. If there are, you must delete or replace the referring rules
224		-before the chain can be deleted. The chain must be empty, i.e. not contain
225		-any rules. If no argument is given, it will attempt to delete every
226		-non-builtin chain in the table.
227		-.TP
228		-\fB\-P\fP, \fB\-\-policy\fP \fIchain target\fP
229		-Set the policy for the chain to the given target. See the section \fBTARGETS\fP
230		-for the legal targets. Only built-in (non-user-defined) chains can have
231		-policies, and neither built-in nor user-defined chains can be policy
232		-targets.
233		-.TP
234		-\fB\-E\fP, \fB\-\-rename\-chain\fP \fIold\-chain new\-chain\fP
235		-Rename the user specified chain to the user supplied name. This is
236		-cosmetic, and has no effect on the structure of the table.
237		-.TP
238		-\fB\-A\fP, \fB\-\-append\fP \fIchain rule-specification\fP
239		-Append one or more rules to the end of the selected chain.
240		-When the source and/or destination names resolve to more than one
241		-address, a rule will be added for each possible address combination.
242		-.TP
243		-\fB\-h\fP
244		-Help.
245		-Give a (currently very brief) description of the command syntax.
246		-.SS PARAMETERS
247		-The following parameters make up a rule specification (as used in the
248		-add, delete, insert, replace and append commands).
249		-.TP
250		-\fB\-4\fP, \fB\-\-ipv4\fP
251		-If a rule using the \fB\-4\fP option is inserted with (and only with)
252		-ip6tables-restore, it will be silently ignored. Any other uses will throw an
253		-error. This option allows to put both IPv4 and IPv6 rules in a single rule file
254		-for use with both iptables-restore and ip6tables-restore.
255		-.TP
256		-\fB\-6\fP, \fB\-\-ipv6\fP
257		-This option has no effect in ip6tables and ip6tables-restore.
258		-.TP
259		-[\fB!\fP] \fB\-p\fP, \fB\-\-protocol\fP \fIprotocol\fP
260		-The protocol of the rule or of the packet to check.
261		-The specified protocol can be one of \fBtcp\fP, \fBudp\fP, \fBudplite\fP,
262		-\fBicmpv6\fP, \fBesp\fP, \fBmh\fP or the special keyword "\fBall\fP",
263		-or it can be a numeric value, representing one of these protocols or a
264		-different one. A protocol name from /etc/protocols is also allowed.
265		-But IPv6 extension headers except \fBesp\fP are not allowed.
266		-\fBesp\fP and \fBipv6\-nonext\fP
267		-can be used with Kernel version 2.6.11 or later.
268		-A "!" argument before the protocol inverts the
269		-test. The number zero is equivalent to \fBall\fP, which means that you cannot
270		-test the protocol field for the value 0 directly. To match on a HBH header,
271		-even if it were the last, you cannot use \fB\-p 0\fP, but always need
272		-\fB\-m hbh\fP.
273		-"\fBall\fP"
274		-will match with all protocols and is taken as default when this
275		-option is omitted.
276		-.TP
277		-[\fB!\fP] \fB\-s\fP, \fB\-\-source\fP \fIaddress\fP[\fB/\fP\fImask\fP]
278		-Source specification.
279		-\fIAddress\fP can be either be a hostname,
280		-a network IP address (with \fB/\fP\fImask\fP), or a plain IP address.
281		-Names will be resolved once only, before the rule is submitted to the kernel.
282		-Please note that specifying any name to be resolved with a remote query such as
283		-DNS is a really bad idea.
284		-(Resolving network names is not supported at this time.)
285		-The \fImask\fP is a plain number,
286		-specifying the number of 1's at the left side of the network mask.
287		-A "!" argument before the address specification inverts the sense of
288		-the address. The flag \fB\-\-src\fP
289		-is an alias for this option.
290		-Multiple addresses can be specified, but this will \fBexpand to multiple
291		-rules\fP (when adding with \-A), or will cause multiple rules to be
292		-deleted (with \-D).
293		-.TP
294		-[\fB!\fP] \fB\-d\fP, \fB\-\-destination\fP \fIaddress\fP[\fB/\fP\fImask\fP]
295		-Destination specification.
296		-See the description of the \fB\-s\fP
297		-(source) flag for a detailed description of the syntax. The flag
298		-\fB\-\-dst\fP is an alias for this option.
299		-.TP
300		-\fB\-m\fP, \fB\-\-match\fP \fImatch\fP
301		-Specifies a match to use, that is, an extension module that tests for a
302		-specific property. The set of matches make up the condition under which a
303		-target is invoked. Matches are evaluated first to last as specified on the
304		-command line and work in short-circuit fashion, i.e. if one extension yields
305		-false, evaluation will stop.
306		-.TP
307		-\fB\-j\fP, \fB\-\-jump\fP \fItarget\fP
308		-This specifies the target of the rule; i.e., what to do if the packet
309		-matches it. The target can be a user-defined chain (other than the
310		-one this rule is in), one of the special builtin targets which decide
311		-the fate of the packet immediately, or an extension (see \fBEXTENSIONS\fP
312		-below). If this
313		-option is omitted in a rule (and \fB\-g\fP
314		-is not used), then matching the rule will have no
315		-effect on the packet's fate, but the counters on the rule will be
316		-incremented.
317		-.TP
318		-\fB\-g\fP, \fB\-\-goto\fP \fIchain\fP
319		-This specifies that the processing should continue in a user
320		-specified chain. Unlike the \-\-jump option return will not continue
321		-processing in this chain but instead in the chain that called us via
322		-\-\-jump.
323		-.TP
324		-[\fB!\fP] \fB\-i\fP, \fB\-\-in\-interface\fP \fIname\fP
325		-Name of an interface via which a packet was received (only for
326		-packets entering the \fBINPUT\fP, \fBFORWARD\fP and \fBPREROUTING\fP
327		-chains). When the "!" argument is used before the interface name, the
328		-sense is inverted. If the interface name ends in a "+", then any
329		-interface which begins with this name will match. If this option is
330		-omitted, any interface name will match.
331		-.TP
332		-[\fB!\fP] \fB\-o\fP, \fB\-\-out\-interface\fP \fIname\fP
333		-Name of an interface via which a packet is going to be sent (for packets
334		-entering the \fBFORWARD\fP, \fBOUTPUT\fP and \fBPOSTROUTING\fP
335		-chains). When the "!" argument is used before the interface name, the
336		-sense is inverted. If the interface name ends in a "+", then any
337		-interface which begins with this name will match. If this option is
338		-omitted, any interface name will match.
339		-.\" Currently not supported (header-based)
340		-.\" .TP
341		-.\" [\fB!\fP] \fB\-f\fP, \fB\-\-fragment\fP
342		-.\" This means that the rule only refers to second and further fragments
343		-.\" of fragmented packets. Since there is no way to tell the source or
344		-.\" destination ports of such a packet (or ICMP type), such a packet will
345		-.\" not match any rules which specify them. When the "!" argument
346		-.\" precedes the "\-f" flag, the rule will only match head fragments, or
347		-.\" unfragmented packets.
348		-.TP
349		-\fB\-c\fP, \fB\-\-set\-counters\fP \fIpackets bytes\fP
350		-This enables the administrator to initialize the packet and byte
351		-counters of a rule (during \fBINSERT\fP, \fBAPPEND\fP, \fBREPLACE\fP
352		-operations).
353		-.SS "OTHER OPTIONS"
354		-The following additional options can be specified:
355		-.TP
356		-\fB\-v\fP, \fB\-\-verbose\fP
357		-Verbose output. This option makes the list command show the interface
358		-name, the rule options (if any), and the TOS masks. The packet and
359		-byte counters are also listed, with the suffix 'K', 'M' or 'G' for
360		-1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see
361		-the \fB\-x\fP flag to change this).
362		-For appending, insertion, deletion and replacement, this causes
363		-detailed information on the rule or rules to be printed. \fB\-v\fP may be
364		-specified multiple times to possibly emit more detailed debug statements.
365		-.TP
366		-\fB\-n\fP, \fB\-\-numeric\fP
367		-Numeric output.
368		-IP addresses and port numbers will be printed in numeric format.
369		-By default, the program will try to display them as host names,
370		-network names, or services (whenever applicable).
371		-.TP
372		-\fB\-x\fP, \fB\-\-exact\fP
373		-Expand numbers.
374		-Display the exact value of the packet and byte counters,
375		-instead of only the rounded number in K's (multiples of 1000)
376		-M's (multiples of 1000K) or G's (multiples of 1000M). This option is
377		-only relevant for the \fB\-L\fP command.
378		-.TP
379		-\fB\-\-line\-numbers\fP
380		-When listing rules, add line numbers to the beginning of each rule,
381		-corresponding to that rule's position in the chain.
382		-.TP
383		-\fB\-\-modprobe=\fP\fIcommand\fP
384		-When adding or inserting rules into a chain, use \fIcommand\fP
385		-to load any necessary modules (targets, match extensions, etc).
386		-.SH MATCH EXTENSIONS
387		-.PP
388		-iptables can use extended packet matching and target modules.
389		-A list of these is available in the \fBiptables\-extensions\fP(8) manpage.
390		-.SH DIAGNOSTICS
391		-Various error messages are printed to standard error. The exit code
392		-is 0 for correct functioning. Errors which appear to be caused by
393		-invalid or abused command line parameters cause an exit code of 2, and
394		-other errors cause an exit code of 1.
395		-.SH BUGS
396		-Bugs? What's this? ;-)
397		-Well... the counters are not reliable on sparc64.
398		-.SH COMPATIBILITY WITH IPCHAINS
399		-This \fBip6tables\fP
400		-is very similar to ipchains by Rusty Russell. The main difference is
401		-that the chains \fBINPUT\fP and \fBOUTPUT\fP
402		-are only traversed for packets coming into the local host and
403		-originating from the local host respectively. Hence every packet only
404		-passes through one of the three chains (except loopback traffic, which
405		-involves both INPUT and OUTPUT chains); previously a forwarded packet
406		-would pass through all three.
407		-.PP
408		-The other main difference is that \fB\-i\fP refers to the input interface;
409		-\fB\-o\fP refers to the output interface, and both are available for packets
410		-entering the \fBFORWARD\fP chain.
411		-There are several other changes in ip6tables.
412		-.SH SEE ALSO
413		-\fBip6tables\-save\fP(8),
414		-\fBip6tables\-restore\fP(8),
415		-\fBiptables\fP(8),
416		-\fBiptables\-apply\fP(8),
417		-\fBiptables\-extensions\fP(8),
418		-\fBiptables\-save\fP(8),
419		-\fBiptables\-restore\fP(8),
420		-\fBlibipq\fP(3).
421		-.PP
422		-The packet-filtering-HOWTO details iptables usage for
423		-packet filtering,
424		-the netfilter-extensions-HOWTO details the extensions that are
425		-not in the standard distribution,
426		-and the netfilter-hacking-HOWTO details the netfilter internals.
427		-.br
428		-See
429		-.BR "http://www.netfilter.org/" .
430		-.SH AUTHORS
431		-Rusty Russell wrote iptables, in early consultation with Michael
432		-Neuling.
433		-.PP
434		-Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet
435		-selection framework in iptables, then wrote the mangle table, the owner match,
436		-the mark stuff, and ran around doing cool stuff everywhere.
437		-.PP
438		-James Morris wrote the TOS target, and tos match.
439		-.PP
440		-Jozsef Kadlecsik wrote the REJECT target.
441		-.PP
442		-Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, as well as TTL match+target and libipulog.
443		-.PP
444		-The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Yasuyuki Kozakai,
445		-Jozsef Kadlecsik, Patrick McHardy, James Morris, Pablo Neira Ayuso,
446		-Harald Welte and Rusty Russell.
447		-.PP
448		-ip6tables man page created by Andras Kis-Szabo, based on
449		-iptables man page written by Herve Eychenne <rv@wallfire.org>.
450		-.\" .. and did I mention that we are incredibly cool people?
451		-.\" .. sexy, too ..
452		-.\" .. witty, charming, powerful ..
453		-.\" .. and most of all, modest ..
454		-.SH VERSION
455		-.PP
456		-This manual page applies to ip6tables 1.4.18.
	1	+.so man8/iptables.8

--- a/original/man8/iptables-apply.8

+++ b/original/man8/iptables-apply.8

		@@ -2,7 +2,7 @@
2	2	.\" Author: Martin F. Krafft
3	3	.\" Date: Jun 04, 2006
4	4	.\"
5		-.TH iptables\-apply 8 2006-06-04
	5	+.TH IPTABLES\-APPLY 8 "" "iptables 1.4.21" "iptables 1.4.21"
6	6	.\" disable hyphenation
7	7	.nh
8	8	.SH NAME

--- a/original/man8/iptables-extensions.8

+++ b/original/man8/iptables-extensions.8

		@@ -1,4 +1,4 @@
1		-.TH iptables-extensions 8 "" "iptables 1.4.18" "iptables 1.4.18"
	1	+.TH iptables-extensions 8 "" "iptables 1.4.21" "iptables 1.4.21"
2	2	.SH NAME
3	3	iptables-extensions \(em list of extensions in the standard iptables distribution
4	4	.SH SYNOPSIS

		@@ -107,6 +107,41 @@ Matches if the reserved field is filled with zero.
107	107	This module matches the SPIs in Authentication header of IPsec packets.
108	108	.TP
109	109	[\fB!\fP] \fB\-\-ahspi\fP \fIspi\fP[\fB:\fP\fIspi\fP]
	110	+.SS bpf
	111	+Match using Linux Socket Filter. Expects a BPF program in decimal format. This
	112	+is the format generated by the \fBnfbpf_compile\fP utility.
	113	+.TP
	114	+\fB\-\-bytecode\fP \fIcode\fP
	115	+Pass the BPF byte code format (described in the example below).
	116	+.PP
	117	+The code format is similar to the output of the tcpdump -ddd command: one line
	118	+that stores the number of instructions, followed by one line for each
	119	+instruction. Instruction lines follow the pattern 'u16 u8 u8 u32' in decimal
	120	+notation. Fields encode the operation, jump offset if true, jump offset if
	121	+false and generic multiuse field 'K'. Comments are not supported.
	122	+.PP
	123	+For example, to read only packets matching 'ip proto 6', insert the following,
	124	+without the comments or trailing whitespace:
	125	+.IP
	126	+4 # number of instructions
	127	+.br
	128	+48 0 0 9 # load byte ip->proto
	129	+.br
	130	+21 0 1 6 # jump equal IPPROTO_TCP
	131	+.br
	132	+6 0 0 1 # return pass (non-zero)
	133	+.br
	134	+6 0 0 0 # return fail (zero)
	135	+.PP
	136	+You can pass this filter to the bpf match with the following command:
	137	+.IP
	138	+iptables \-A OUTPUT \-m bpf \-\-bytecode '4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0' \-j ACCEPT
	139	+.PP
	140	+Or instead, you can invoke the nfbpf_compile utility.
	141	+.IP
	142	+iptables \-A OUTPUT \-m bpf \-\-bytecode "`nfbpf_compile RAW 'ip proto 6'`" \-j ACCEPT
	143	+.PP
	144	+You may want to learn more about BPF from FreeBSD's bpf(4) manpage.
110	145	.SS cluster
111	146	Allows you to deploy gateway and back-end load-sharing clusters without the
112	147	need of load-balancers.

		@@ -165,6 +200,11 @@ arptables \-A INPUT \-i eth2 \-\-h\-length 6
165	200	\-\-destination\-mac 01:00:5e:00:01:02
166	201	\-j mangle \-\-mangle\-mac\-d 00:zz:yy:xx:5a:27
167	202	.PP
	203	+\fBNOTE\fP: the arptables commands above use mainstream syntax. If you
	204	+are using arptables-jf included in some RedHat, CentOS and Fedora
	205	+versions, you will hit syntax errors. Therefore, you'll have to adapt
	206	+these to the arptables-jf syntax to get them working.
	207	+.PP
168	208	In the case of TCP connections, pickup facility has to be disabled
169	209	to avoid marking TCP ACK packets coming in the reply direction as
170	210	valid.

		@@ -312,7 +352,7 @@ States for \fB\-\-ctstate\fP:
312	352	The packet is associated with no known connection.
313	353	.TP
314	354	\fBNEW\fP
315		-The packet has started a new connection, or otherwise associated
	355	+The packet has started a new connection or otherwise associated
316	356	with a connection which has not seen packets in both directions.
317	357	.TP
318	358	\fBESTABLISHED\fP

		@@ -321,7 +361,7 @@ in both directions.
321	361	.TP
322	362	\fBRELATED\fP
323	363	The packet is starting a new connection, but is associated with an
324		-existing connection, such as an FTP data transfer, or an ICMP error.
	364	+existing connection, such as an FTP data transfer or an ICMP error.
325	365	.TP
326	366	\fBUNTRACKED\fP
327	367	The packet is not tracked at all, which happens if you explicitly untrack it

		@@ -523,7 +563,7 @@ matching on source port
523	563	matching on subnet
524	564	"10000 packets per minute for every /28 subnet (groups of 8 addresses)
525	565	in 10.0.0.0/8" =>
526		-\-s 10.0.0.8 \-\-hashlimit\-mask 28 \-\-hashlimit\-upto 10000/min
	566	+\-s 10.0.0.0/8 \-\-hashlimit\-mask 28 \-\-hashlimit\-upto 10000/min
527	567	.TP
528	568	matching bytes per second
529	569	"flows exceeding 512kbyte/s" =>

		@@ -716,15 +756,14 @@ a numeric MH
716	756	.IR type
717	757	or one of the MH type names shown by the command
718	758	.nf
719		- ip6tables \-p ipv6\-mh \-h
	759	+ ip6tables \-p mh \-h
720	760	.fi
721	761	.SS multiport
722	762	This module matches a set of source or destination ports. Up to 15
723	763	ports can be specified. A port range (port:port) counts as two
724		-ports. It can only be used in conjunction with
725		-\fB\-p tcp\fP
726		-or
727		-\fB\-p udp\fP.
	764	+ports. It can only be used in conjunction with one of the
	765	+following protocols:
	766	+\fBtcp\fP, \fBudp\fP, \fBudplite\fP, \fBdccp\fP and \fBsctp\fP.
728	767	.TP
729	768	[\fB!\fP] \fB\-\-source\-ports\fP,\fB\-\-sports\fP \fIport\fP[\fB,\fP\fIport\fP\|\fB,\fP\fIport\fP\fB:\fP\fIport\fP]...
730	769	Match if the source port is one of the given ports. The flag

		@@ -1080,7 +1119,7 @@ is the default.
1080	1119	\fB\-\-rdest\fP
1081	1120	Match/save the destination address of each packet in the recent list table.
1082	1121	.TP
1083		-\fB\-\-mask\fPnetmask
	1122	+\fB\-\-mask\fP \fInetmask\fP
1084	1123	Netmask that will be applied to this recent list.
1085	1124	.TP
1086	1125	[\fB!\fP] \fB\-\-rcheck\fP

		@@ -1129,9 +1168,6 @@ iptables \-A FORWARD \-m recent \-\-name badguy \-\-rcheck \-\-seconds 60 \-j DR
1129	1168	.IP
1130	1169	iptables \-A FORWARD \-p tcp \-i eth0 \-\-dport 139 \-m recent \-\-name badguy \-\-set \-j DROP
1131	1170	.PP
1132		-Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/) also has
1133		-some examples of usage.
1134		-.PP
1135	1171	\fB/proc/net/xt_recent/*\fP are the current lists of addresses and information
1136	1172	about each entry of each list.
1137	1173	.PP

		@@ -1273,11 +1309,48 @@ the set type of the specified set is single dimension (for example ipmap),
1273	1309	then the command will match packets for which the source address can be
1274	1310	found in the specified set.
1275	1311	.TP
1276		-\fB\-\-return\-\-nomatch\fP
1277		-If the \fB\-\-return\-\-nomatch\fP option is specified and the set type
	1312	+\fB\-\-return\-nomatch\fP
	1313	+If the \fB\-\-return\-nomatch\fP option is specified and the set type
1278	1314	supports the \fBnomatch\fP flag, then the matching is reversed: a match
1279	1315	with an element flagged with \fBnomatch\fP returns \fBtrue\fP, while a
1280	1316	match with a plain element returns \fBfalse\fP.
	1317	+.TP
	1318	+\fB!\fP \fB\-\-update\-counters\fP
	1319	+If the \fB\-\-update\-counters\fP flag is negated, then the packet and
	1320	+byte counters of the matching element in the set won't be updated. Default
	1321	+the packet and byte counters are updated.
	1322	+.TP
	1323	+\fB!\fP \fB\-\-update\-subcounters\fP
	1324	+If the \fB\-\-update\-subcounters\fP flag is negated, then the packet and
	1325	+byte counters of the matching element in the member set of a list type of
	1326	+set won't be updated. Default the packet and byte counters are updated.
	1327	+.TP
	1328	+[\fB!\fP] \fB\-\-packets\-eq\fP \fIvalue\fP
	1329	+If the packet is matched an element in the set, match only if the
	1330	+packet counter of the element matches the given value too.
	1331	+.TP
	1332	+\fB\-\-packets\-lt\fP \fIvalue\fP
	1333	+If the packet is matched an element in the set, match only if the
	1334	+packet counter of the element is less than the given value as well.
	1335	+.TP
	1336	+\fB\-\-packets\-gt\fP \fIvalue\fP
	1337	+If the packet is matched an element in the set, match only if the
	1338	+packet counter of the element is greater than the given value as well.
	1339	+.TP
	1340	+[\fB!\fP] \fB\-bytes\-eq\fP \fIvalue\fP
	1341	+If the packet is matched an element in the set, match only if the
	1342	+byte counter of the element matches the given value too.
	1343	+.TP
	1344	+\fB\-\-bytes\-lt\fP \fIvalue\fP
	1345	+If the packet is matched an element in the set, match only if the
	1346	+byte counter of the element is less than the given value as well.
	1347	+.TP
	1348	+\fB\-\-bytes\-gt\fP \fIvalue\fP
	1349	+If the packet is matched an element in the set, match only if the
	1350	+byte counter of the element is greater than the given value as well.
	1351	+.PP
	1352	+The packet and byte counters related options and flags are ignored
	1353	+when the set was defined without counter support.
1281	1354	.PP
1282	1355	The option \fB\-\-match\-set\fP can be replaced by \fB\-\-set\fP if that does
1283	1356	not clash with an option of other extensions.

		@@ -1285,11 +1358,28 @@ not clash with an option of other extensions.
1285	1358	Use of -m set requires that ipset kernel support is provided, which, for
1286	1359	standard kernels, is the case since Linux 2.6.39.
1287	1360	.SS socket
1288		-This matches if an open socket can be found by doing a socket lookup on the
1289		-packet.
	1361	+This matches if an open TCP/UDP socket can be found by doing a socket lookup on the
	1362	+packet. It matches if there is an established or non\-zero bound listening
	1363	+socket (possibly with a non\-local address). The lookup is performed using
	1364	+the \fBpacket\fP tuple of TCP/UDP packets, or the original TCP/UDP header
	1365	+\fBembedded\fP in an ICMP/ICPMv6 error packet.
1290	1366	.TP
1291	1367	\fB\-\-transparent\fP
1292	1368	Ignore non-transparent sockets.
	1369	+.TP
	1370	+\fB\-\-nowildcard\fP
	1371	+Do not ignore sockets bound to 'any' address.
	1372	+The socket match won't accept zero\-bound listeners by default, since
	1373	+then local services could intercept traffic that would otherwise be forwarded.
	1374	+This option therefore has security implications when used to match traffic being
	1375	+forwarded to redirect such packets to local machine with policy routing.
	1376	+When using the socket match to implement fully transparent
	1377	+proxies bound to non\-local addresses it is recommended to use the \-\-transparent
	1378	+option instead.
	1379	+.PP
	1380	+Example (assuming packets with mark 1 are delivered locally):
	1381	+.IP
	1382	+\-t mangle \-A PREROUTING \-m socket \-\-transparent \-j MARK \-\-set\-mark 1
1293	1383	.SS state
1294	1384	The "state" extension is a subset of the "conntrack" module.
1295	1385	"state" allows access to the connection tracking state for this packet.

		@@ -1348,6 +1438,16 @@ Matches the given pattern.
1348	1438	.TP
1349	1439	[\fB!\fP] \fB\-\-hex\-string\fP \fIpattern\fP
1350	1440	Matches the given pattern in hex notation.
	1441	+.TP
	1442	+Examples:
	1443	+.IP
	1444	+# The string pattern can be used for simple text characters.
	1445	+.br
	1446	+iptables \-A INPUT \-p tcp \-\-dport 80 \-m string \-\-algo bm \-\-string 'GET /index.html' \-j LOG
	1447	+.IP
	1448	+# The hex string pattern can be used for non-printable characters, like \|0D 0A\| or \|0D0A\|.
	1449	+.br
	1450	+iptables \-p udp \-\-dport 53 \-m string \-\-algo bm \-\-from 40 \-\-to 57 \-\-hex\-string '\|03\|www\|09\|netfilter\|03\|org\|00\|'
1351	1451	.SS tcp
1352	1452	These extensions can be used if `\-\-protocol tcp' is specified. It
1353	1453	provides the following options:

		@@ -1832,7 +1932,7 @@ By default, packets have zone 0.
1832	1932	Use the timeout policy identified by \fIname\fP for the connection. This is
1833	1933	provides more flexible timeout policy definition than global timeout values
1834	1934	available at /proc/sys/net/netfilter/nf_conntrack__timeout_.
1835		-.SS DNAT (IPv4-specific)
	1935	+.SS DNAT
1836	1936	This target is only valid in the
1837	1937	.B nat
1838	1938	table, in the

		@@ -1842,20 +1942,17 @@ and
1842	1942	chains, and user-defined chains which are only called from those
1843	1943	chains. It specifies that the destination address of the packet
1844	1944	should be modified (and all future packets in this connection will
1845		-also be mangled), and rules should cease being examined. It takes one
1846		-type of option:
	1945	+also be mangled), and rules should cease being examined. It takes the
	1946	+following options:
1847	1947	.TP
1848	1948	\fB\-\-to\-destination\fP [\fIipaddr\fP[\fB\-\fP\fIipaddr\fP]][\fB:\fP\fIport\fP[\fB\-\fP\fIport\fP]]
1849	1949	which can specify a single new destination IP address, an inclusive
1850		-range of IP addresses, and optionally, a port range (which is only
1851		-valid if the rule also specifies
1852		-\fB\-p tcp\fP
1853		-or
1854		-\fB\-p udp\fP).
	1950	+range of IP addresses. Optionally a port range,
	1951	+if the rule also specifies one of the following protocols:
	1952	+\fBtcp\fP, \fBudp\fP, \fBdccp\fP or \fBsctp\fP.
1855	1953	If no port range is specified, then the destination port will never be
1856	1954	modified. If no IP address is specified then only the destination port
1857	1955	will be modified.
1858		-
1859	1956	In Kernels up to 2.6.10 you can add several \-\-to\-destination options. For
1860	1957	those kernels, if you specify more than one destination address, either via an
1861	1958	address range or multiple \-\-to\-destination options, a simple round-robin (one

		@@ -1872,6 +1969,39 @@ is used then port mapping will be randomized (kernel >= 2.6.22).
1872	1969	Gives a client the same source-/destination-address for each connection.
1873	1970	This supersedes the SAME target. Support for persistent mappings is available
1874	1971	from 2.6.29-rc2.
	1972	+.TP
	1973	+IPv6 support available since Linux kernels >= 3.7.
	1974	+.SS DNPT (IPv6-specific)
	1975	+Provides stateless destination IPv6-to-IPv6 Network Prefix Translation (as
	1976	+described by RFC 6296).
	1977	+.PP
	1978	+You have to use this target in the
	1979	+.B mangle
	1980	+table, not in the
	1981	+.B nat
	1982	+table. It takes the following options:
	1983	+.TP
	1984	+\fB\-\-src\-pfx\fP [\fIprefix/\fP\fIlength]
	1985	+Set source prefix that you want to translate and length
	1986	+.TP
	1987	+\fB\-\-dst\-pfx\fP [\fIprefix/\fP\fIlength]
	1988	+Set destination prefix that you want to use in the translation and length
	1989	+.PP
	1990	+You have to use the SNPT target to undo the translation. Example:
	1991	+.IP
	1992	+ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 \! \-o vboxnet0
	1993	+\-j SNPT \-\-src-pfx fd00::/64 \-\-dst-pfx 2001:e20:2000:40f::/64
	1994	+.IP
	1995	+ip6tables \-t mangle \-I PREROUTING \-i wlan0 \-d 2001:e20:2000:40f::/64
	1996	+\-j DNPT \-\-src-pfx 2001:e20:2000:40f::/64 \-\-dst-pfx fd00::/64
	1997	+.PP
	1998	+You may need to enable IPv6 neighbor proxy:
	1999	+.IP
	2000	+sysctl -w net.ipv6.conf.all.proxy_ndp=1
	2001	+.PP
	2002	+You also have to use the
	2003	+.B NOTRACK
	2004	+target to disable connection tracking for translated flows.
1875	2005	.SS DSCP
1876	2006	This target allows to alter the value of the DSCP bits within the TOS
1877	2007	header of the IPv4 packet. As this manipulates a packet, it can only

		@@ -2021,49 +2151,12 @@ iptables \-A INPUT \-p tcp \-\-dport 22 \-j LED \-\-led\-trigger\-id ssh
2021	2151	.TP
2022	2152	Then attach the new trigger to an LED:
2023	2153	echo netfilter\-ssh >/sys/class/leds/\fIledname\fP/trigger
2024		-.SS LOG (IPv6-specific)
	2154	+.SS LOG
2025	2155	Turn on kernel logging of matching packets. When this option is set
2026	2156	for a rule, the Linux kernel will print some information on all
2027		-matching packets (like most IPv6 IPv6-header fields) via the kernel log
2028		-(where it can be read with
2029		-.I dmesg
2030		-or
2031		-.IR syslogd (8)).
2032		-This is a "non-terminating target", i.e. rule traversal continues at
2033		-the next rule. So if you want to LOG the packets you refuse, use two
2034		-separate rules with the same matching criteria, first using target LOG
2035		-then DROP (or REJECT).
2036		-.TP
2037		-\fB\-\-log\-level\fP \fIlevel\fP
2038		-Level of logging, which can be (system-specific) numeric or a mnemonic.
2039		-Possible values are (in decreasing order of priority): \fBemerg\fP,
2040		-\fBalert\fP, \fBcrit\fP, \fBerror\fP, \fBwarning\fP, \fBnotice\fP, \fBinfo\fP
2041		-or \fBdebug\fP.
2042		-.TP
2043		-\fB\-\-log\-prefix\fP \fIprefix\fP
2044		-Prefix log messages with the specified prefix; up to 29 letters long,
2045		-and useful for distinguishing messages in the logs.
2046		-.TP
2047		-\fB\-\-log\-tcp\-sequence\fP
2048		-Log TCP sequence numbers. This is a security risk if the log is
2049		-readable by users.
2050		-.TP
2051		-\fB\-\-log\-tcp\-options\fP
2052		-Log options from the TCP packet header.
2053		-.TP
2054		-\fB\-\-log\-ip\-options\fP
2055		-Log options from the IPv6 packet header.
2056		-.TP
2057		-\fB\-\-log\-uid\fP
2058		-Log the userid of the process which generated the packet.
2059		-.SS LOG (IPv4-specific)
2060		-Turn on kernel logging of matching packets. When this option is set
2061		-for a rule, the Linux kernel will print some information on all
2062		-matching packets (like most IP header fields) via the kernel log
2063		-(where it can be read with
2064		-.I dmesg
2065		-or
2066		-.IR syslogd (8)).
	2157	+matching packets (like most IP/IPv6 header fields) via the kernel log
	2158	+(where it can be read with \fIdmesg(1)\fP or read in the syslog).
	2159	+.PP
2067	2160	This is a "non-terminating target", i.e. rule traversal continues at
2068	2161	the next rule. So if you want to LOG the packets you refuse, use two
2069	2162	separate rules with the same matching criteria, first using target LOG

		@@ -2087,7 +2180,7 @@ readable by users.
2087	2180	Log options from the TCP packet header.
2088	2181	.TP
2089	2182	\fB\-\-log\-ip\-options\fP
2090		-Log options from the IP packet header.
	2183	+Log options from the IP/IPv6 packet header.
2091	2184	.TP
2092	2185	\fB\-\-log\-uid\fP
2093	2186	Log the userid of the process which generated the packet.

		@@ -2119,38 +2212,7 @@ Binary OR the nfmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP
2119	2212	\fB\-\-xor\-mark\fP \fIbits\fP
2120	2213	Binary XOR the nfmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP
2121	2214	\fIbits\fP\fB/0\fP.)
2122		-.SS MASQUERADE (IPv6-specific)
2123		-This target is only valid in the
2124		-.B nat
2125		-table, in the
2126		-.B POSTROUTING
2127		-chain. It should only be used with dynamically assigned IPv6 (dialup)
2128		-connections: if you have a static IP address, you should use the SNAT
2129		-target. Masquerading is equivalent to specifying a mapping to the IP
2130		-address of the interface the packet is going out, but also has the
2131		-effect that connections are
2132		-.I forgotten
2133		-when the interface goes down. This is the correct behavior when the
2134		-next dialup is unlikely to have the same interface address (and hence
2135		-any established connections are lost anyway).
2136		-.TP
2137		-\fB\-\-to\-ports\fP \fIport\fP[\fB\-\fP\fIport\fP]
2138		-This specifies a range of source ports to use, overriding the default
2139		-.B SNAT
2140		-source port-selection heuristics (see above). This is only valid
2141		-if the rule also specifies
2142		-\fB\-p tcp\fP
2143		-or
2144		-\fB\-p udp\fP.
2145		-.TP
2146		-\fB\-\-random\fP
2147		-Randomize source port mapping
2148		-If option
2149		-\fB\-\-random\fP
2150		-is used then port mapping will be randomized.
2151		-.RS
2152		-.PP
2153		-.SS MASQUERADE (IPv4-specific)
	2215	+.SS MASQUERADE
2154	2216	This target is only valid in the
2155	2217	.B nat
2156	2218	table, in the

		@@ -2169,18 +2231,16 @@ any established connections are lost anyway).
2169	2231	This specifies a range of source ports to use, overriding the default
2170	2232	.B SNAT
2171	2233	source port-selection heuristics (see above). This is only valid
2172		-if the rule also specifies
2173		-\fB\-p tcp\fP
2174		-or
2175		-\fB\-p udp\fP.
	2234	+if the rule also specifies one of the following protocols:
	2235	+\fBtcp\fP, \fBudp\fP, \fBdccp\fP or \fBsctp\fP.
2176	2236	.TP
2177	2237	\fB\-\-random\fP
2178	2238	Randomize source port mapping
2179	2239	If option
2180	2240	\fB\-\-random\fP
2181	2241	is used then port mapping will be randomized (kernel >= 2.6.21).
2182		-.RS
2183		-.PP
	2242	+.TP
	2243	+IPv6 support available since Linux kernels >= 3.7.
2184	2244	.SS MIRROR (IPv4-specific)
2185	2245	This is an experimental demonstration target which inverts the source
2186	2246	and destination fields in the IP header and retransmits the packet.

		@@ -2194,7 +2254,7 @@ chains. Note that the outgoing packets are
2194	2254	.B NOT
2195	2255	seen by any packet filtering chains, connection tracking or NAT, to
2196	2256	avoid loops and other problems.
2197		-.SS NETMAP (IPv4-specific)
	2257	+.SS NETMAP
2198	2258	This target allows you to statically map a whole network of addresses onto
2199	2259	another network of addresses. It can only be used from rules in the
2200	2260	.B nat

		@@ -2204,6 +2264,8 @@ table.
2204	2264	Network address to map to. The resulting address will be constructed in the
2205	2265	following way: All 'one' bits in the mask are filled in from the new `address'.
2206	2266	All bits that are zero in the mask are filled in from the original address.
	2267	+.TP
	2268	+IPv6 support available since Linux kernels >= 3.7.
2207	2269	.SS NFLOG
2208	2270	This target provides logging of matching packets. When this target is
2209	2271	set for a rule, the Linux kernel will pass the packet to the loaded

		@@ -2235,14 +2297,15 @@ result in less overhead per packet, but increase delay until the
2235	2297	packets reach userspace. The default value is 1.
2236	2298	.BR
2237	2299	.SS NFQUEUE
2238		-This target is an extension of the QUEUE target. As opposed to QUEUE, it allows
2239		-you to put a packet into any specific queue, identified by its 16-bit queue
2240		-number.
2241		-It can only be used with Kernel versions 2.6.14 or later, since it requires
2242		-the
	2300	+This target passes the packet to userspace using the
	2301	+\fBnfnetlink_queue\fP handler. The packet is put into the queue
	2302	+identified by its 16-bit queue number. Userspace can inspect
	2303	+and modify the packet if desired. Userspace must then drop or
	2304	+reinject the packet into the kernel. Please see libnetfilter_queue
	2305	+for details.
2243	2306	.B
2244	2307	nfnetlink_queue
2245		-kernel support. The \fBqueue-balance\fP option was added in Linux 2.6.31,
	2308	+was added in Linux 2.6.14. The \fBqueue-balance\fP option was added in Linux 2.6.31,
2246	2309	\fBqueue-bypass\fP in 2.6.39.
2247	2310	.TP
2248	2311	\fB\-\-queue\-num\fP \fIvalue\fP

		@@ -2258,11 +2321,18 @@ Packets belonging to the same connection are put into the same nfqueue.
2258	2321	.TP
2259	2322	\fB\-\-queue\-bypass\fP
2260	2323	By default, if no userspace program is listening on an NFQUEUE, then all packets that are to be queued
2261		-are dropped. When this option is used, the NFQUEUE rule is silently bypassed instead. The packet
2262		-will move on to the next rule.
	2324	+are dropped. When this option is used, the NFQUEUE rule behaves like ACCEPT instead, and the packet
	2325	+will move on to the next table.
	2326	+.PP
	2327	+.TP
	2328	+\fB\-\-queue\-cpu-fanout\fP
	2329	+Available starting Linux kernel 3.10. When used together with
	2330	+\fB--queue-balance\fP this will use the CPU ID as an index to map packets to
	2331	+the queues. The idea is that you can improve performance if there's a queue
	2332	+per CPU. This requires \fB--queue-balance\fP to be specified.
2263	2333	.SS NOTRACK
2264		-This target disables connection tracking for all packets matching that rule.
2265		-It is obsoleted by \-j CT \-\-notrack. Like CT, NOTRACK can only be used in
	2334	+This extension disables connection tracking for all packets matching that rule.
	2335	+It is equivalent with \-j CT \-\-notrack. Like CT, NOTRACK can only be used in
2266	2336	the \fBraw\fP table.
2267	2337	.SS RATEEST
2268	2338	The RATEEST target collects statistics, performs rate estimation calculation

		@@ -2277,7 +2347,7 @@ Rate measurement interval, in seconds, milliseconds or microseconds.
2277	2347	.TP
2278	2348	\fB\-\-rateest\-ewmalog\fP \fIvalue\fP
2279	2349	Rate measurement averaging time constant.
2280		-.SS REDIRECT (IPv4-specific)
	2350	+.SS REDIRECT
2281	2351	This target is only valid in the
2282	2352	.B nat
2283	2353	table, in the

		@@ -2287,22 +2357,21 @@ and
2287	2357	chains, and user-defined chains which are only called from those
2288	2358	chains. It redirects the packet to the machine itself by changing the
2289	2359	destination IP to the primary address of the incoming interface
2290		-(locally-generated packets are mapped to the 127.0.0.1 address).
	2360	+(locally-generated packets are mapped to the localhost address,
	2361	+127.0.0.1 for IPv4 and ::1 for IPv6).
2291	2362	.TP
2292	2363	\fB\-\-to\-ports\fP \fIport\fP[\fB\-\fP\fIport\fP]
2293	2364	This specifies a destination port or range of ports to use: without
2294	2365	this, the destination port is never altered. This is only valid
2295		-if the rule also specifies
2296		-\fB\-p tcp\fP
2297		-or
2298		-\fB\-p udp\fP.
	2366	+if the rule also specifies one of the following protocols:
	2367	+\fBtcp\fP, \fBudp\fP, \fBdccp\fP or \fBsctp\fP.
2299	2368	.TP
2300	2369	\fB\-\-random\fP
2301	2370	If option
2302	2371	\fB\-\-random\fP
2303	2372	is used then port mapping will be randomized (kernel >= 2.6.22).
2304		-.RS
2305		-.PP
	2373	+.TP
	2374	+IPv6 support available starting Linux kernels >= 3.7.
2306	2375	.SS REJECT (IPv6-specific)
2307	2376	This is used to send back an error packet in response to the matched
2308	2377	packet: otherwise it is equivalent to

		@@ -2324,10 +2393,9 @@ The type given can be
2324	2393	\fBicmp6\-adm\-prohibited\fP,
2325	2394	\fBadm\-prohibited\fP,
2326	2395	\fBicmp6\-addr\-unreachable\fP,
2327		-\fBaddr\-unreach\fP,
2328		-\fBicmp6\-port\-unreachable\fP or
2329		-\fBport\-unreach\fP
2330		-which return the appropriate ICMPv6 error message (\fBport\-unreach\fP is
	2396	+\fBaddr\-unreach\fP, or
	2397	+\fBicmp6\-port\-unreachable\fP,
	2398	+which return the appropriate ICMPv6 error message (\fBicmp6\-port\-unreachable\fP is
2331	2399	the default). Finally, the option
2332	2400	\fBtcp\-reset\fP
2333	2401	can be used on rules which only match the TCP protocol: this causes a

		@@ -2358,9 +2426,9 @@ The type given can be
2358	2426	\fBicmp\-port\-unreachable\fP,
2359	2427	\fBicmp\-proto\-unreachable\fP,
2360	2428	\fBicmp\-net\-prohibited\fP,
2361		-\fBicmp\-host\-prohibited\fP or
2362		-\fBicmp\-admin\-prohibited\fP (*)
2363		-which return the appropriate ICMP error message (\fBport\-unreachable\fP is
	2429	+\fBicmp\-host\-prohibited\fP, or
	2430	+\fBicmp\-admin\-prohibited\fP (*),
	2431	+which return the appropriate ICMP error message (\fBicmp\-port\-unreachable\fP is
2364	2432	the default). The option
2365	2433	\fBtcp\-reset\fP
2366	2434	can be used on rules which only match the TCP protocol: this causes a

		@@ -2425,28 +2493,28 @@ to the specified one or to the default from the set definition
2425	2493	.PP
2426	2494	Use of -j SET requires that ipset kernel support is provided, which, for
2427	2495	standard kernels, is the case since Linux 2.6.39.
2428		-.SS SNAT (IPv4-specific)
	2496	+.SS SNAT
2429	2497	This target is only valid in the
2430	2498	.B nat
2431	2499	table, in the
2432	2500	.B POSTROUTING
2433		-chain. It specifies that the source address of the packet should be
	2501	+and
	2502	+.B INPUT
	2503	+chains, and user-defined chains which are only called from those
	2504	+chains. It specifies that the source address of the packet should be
2434	2505	modified (and all future packets in this connection will also be
2435		-mangled), and rules should cease being examined. It takes one type
2436		-of option:
	2506	+mangled), and rules should cease being examined. It takes the
	2507	+following options:
2437	2508	.TP
2438	2509	\fB\-\-to\-source\fP [\fIipaddr\fP[\fB\-\fP\fIipaddr\fP]][\fB:\fP\fIport\fP[\fB\-\fP\fIport\fP]]
2439	2510	which can specify a single new source IP address, an inclusive range
2440		-of IP addresses, and optionally, a port range (which is only valid if
2441		-the rule also specifies
2442		-\fB\-p tcp\fP
2443		-or
2444		-\fB\-p udp\fP).
	2511	+of IP addresses. Optionally a port range,
	2512	+if the rule also specifies one of the following protocols:
	2513	+\fBtcp\fP, \fBudp\fP, \fBdccp\fP or \fBsctp\fP.
2445	2514	If no port range is specified, then source ports below 512 will be
2446	2515	mapped to other ports below 512: those between 512 and 1023 inclusive
2447	2516	will be mapped to ports below 1024, and other ports will be mapped to
2448	2517	1024 or above. Where possible, no port alteration will occur.
2449		-
2450	2518	In Kernels up to 2.6.10, you can add several \-\-to\-source options. For those
2451	2519	kernels, if you specify more than one source address, either via an address
2452	2520	range or multiple \-\-to\-source options, a simple round-robin (one after another

		@@ -2463,6 +2531,45 @@ is used then port mapping will be randomized (kernel >= 2.6.21).
2463	2531	Gives a client the same source-/destination-address for each connection.
2464	2532	This supersedes the SAME target. Support for persistent mappings is available
2465	2533	from 2.6.29-rc2.
	2534	+.PP
	2535	+Kernels prior to 2.6.36-rc1 don't have the ability to
	2536	+.B SNAT
	2537	+in the
	2538	+.B INPUT
	2539	+chain.
	2540	+.TP
	2541	+IPv6 support available since Linux kernels >= 3.7.
	2542	+.SS SNPT (IPv6-specific)
	2543	+Provides stateless source IPv6-to-IPv6 Network Prefix Translation (as described
	2544	+by RFC 6296).
	2545	+.PP
	2546	+You have to use this target in the
	2547	+.B mangle
	2548	+table, not in the
	2549	+.B nat
	2550	+table. It takes the following options:
	2551	+.TP
	2552	+\fB\-\-src\-pfx\fP [\fIprefix/\fP\fIlength]
	2553	+Set source prefix that you want to translate and length
	2554	+.TP
	2555	+\fB\-\-dst\-pfx\fP [\fIprefix/\fP\fIlength]
	2556	+Set destination prefix that you want to use in the translation and length
	2557	+.PP
	2558	+You have to use the DNPT target to undo the translation. Example:
	2559	+.IP
	2560	+ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 \! \-o vboxnet0
	2561	+\-j SNPT \-\-src-pfx fd00::/64 \-\-dst-pfx 2001:e20:2000:40f::/64
	2562	+.IP
	2563	+ip6tables \-t mangle \-I PREROUTING \-i wlan0 \-d 2001:e20:2000:40f::/64
	2564	+\-j DNPT \-\-src-pfx 2001:e20:2000:40f::/64 \-\-dst-pfx fd00::/64
	2565	+.PP
	2566	+You may need to enable IPv6 neighbor proxy:
	2567	+.IP
	2568	+sysctl -w net.ipv6.conf.all.proxy_ndp=1
	2569	+.PP
	2570	+You also have to use the
	2571	+.B NOTRACK
	2572	+target to disable connection tracking for translated flows.
2466	2573	.SS TCPMSS
2467	2574	This target allows to alter the MSS value of TCP SYN packets, to control
2468	2575	the maximum size for that connection (usually limiting it to your

		@@ -2620,7 +2727,8 @@ Decrement the TTL value `value' times.
2620	2727	\fB\-\-ttl\-inc\fP \fIvalue\fP
2621	2728	Increment the TTL value `value' times.
2622	2729	.SS ULOG (IPv4-specific)
2623		-This target provides userspace logging of matching packets. When this
	2730	+This is the deprecated ipv4-only predecessor of the NFLOG target.
	2731	+It provides userspace logging of matching packets. When this
2624	2732	target is set for a rule, the Linux kernel will multicast this packet
2625	2733	through a
2626	2734	.IR netlink

--- a/original/man8/iptables-restore.8

+++ b/original/man8/iptables-restore.8

		@@ -1,4 +1,4 @@
1		-.TH IPTABLES-RESTORE 8 "Jan 04, 2001" "" ""
	1	+.TH IPTABLES-RESTORE 8 "" "iptables 1.4.21" "iptables 1.4.21"
2	2	.\"
3	3	.\" Man page written by Harald Welte <laforge@gnumonks.org>
4	4	.\" It is based on the iptables man page.

		@@ -20,13 +20,19 @@
20	20	.\"
21	21	.SH NAME
22	22	iptables-restore \(em Restore IP Tables
	23	+.P
	24	+ip6tables-restore \(em Restore IPv6 Tables
23	25	.SH SYNOPSIS
24	26	\fBiptables\-restore\fP [\fB\-chntv\fP] [\fB\-M\fP \fImodprobe\fP]
	27	+.P
	28	+\fBip6tables\-restore\fP [\fB\-chntv\fP] [\fB\-M\fP \fImodprobe\fP]
25	29	[\fB\-T\fP \fIname\fP]
26	30	.SH DESCRIPTION
27	31	.PP
28	32	.B iptables-restore
29		-is used to restore IP Tables from data specified on STDIN. Use
	33	+and
	34	+.B ip6tables-restore
	35	+are used to restore IP and IPv6 Tables from data specified on STDIN. Use
30	36	I/O redirection provided by your shell to read from a file
31	37	.TP
32	38	\fB\-c\fR, \fB\-\-counters\fR

		@@ -35,10 +41,9 @@ restore the values of all packet and byte counters
35	41	\fB\-h\fP, \fB\-\-help\fP
36	42	Print a short option summary.
37	43	.TP
38		-\fB\-n\fR, \fB\-\-noflush\fR
39		-don't flush the previous contents of the table. If not specified,
40		-.B iptables-restore
41		-flushes (deletes) all previous contents of the respective table.
	44	+\fB\-n\fR, \fB\-\-noflush\fR
	45	+don't flush the previous contents of the table. If not specified,
	46	+both commands flush (delete) all previous contents of the respective table.
42	47	.TP
43	48	\fB\-t\fP, \fB\-\-test\fP
44	49	Only parse and construct the ruleset, but do not commit it.

		@@ -54,8 +59,11 @@ inspect /proc/sys/kernel/modprobe to determine the executable's path.
54	59	Restore only the named table even if the input stream contains other ones.
55	60	.SH BUGS
56	61	None known as of iptables-1.2.1 release
57		-.SH AUTHOR
58		-Harald Welte <laforge@gnumonks.org>
	62	+.SH AUTHORS
	63	+Harald Welte <laforge@gnumonks.org> wrote iptables-restore based on code
	64	+from Rusty Russell.
	65	+.br
	66	+Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-restore.
59	67	.SH SEE ALSO
60	68	\fBiptables\-save\fP(8), \fBiptables\fP(8)
61	69	.PP

--- a/original/man8/iptables-save.8

+++ b/original/man8/iptables-save.8

		@@ -1,4 +1,4 @@
1		-.TH IPTABLES-SAVE 8 "Jan 04, 2001" "" ""
	1	+.TH IPTABLES-SAVE 8 "" "iptables 1.4.21" "iptables 1.4.21"
2	2	.\"
3	3	.\" Man page written by Harald Welte <laforge@gnumonks.org>
4	4	.\" It is based on the iptables man page.

		@@ -20,13 +20,20 @@
20	20	.\"
21	21	.SH NAME
22	22	iptables-save \(em dump iptables rules to stdout
	23	+.P
	24	+ip6tables-save \(em dump iptables rules to stdout
23	25	.SH SYNOPSIS
24	26	\fBiptables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
25	27	[\fB\-t\fP \fItable\fP]
	28	+.P
	29	+\fBip6tables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
	30	+[\fB\-t\fP \fItable\fP
26	31	.SH DESCRIPTION
27	32	.PP
28	33	.B iptables-save
29		-is used to dump the contents of an IP Table in easily parseable format
	34	+and
	35	+.B ip6tables-save
	36	+are used to dump the contents of IP or IPv6 Table in easily parseable format
30	37	to STDOUT. Use I/O-redirection provided by your shell to write to a file.
31	38	.TP
32	39	\fB\-M\fP \fImodprobe_program\fP

		@@ -41,8 +48,12 @@ restrict output to only one table. If not specified, output includes all
41	48	available tables.
42	49	.SH BUGS
43	50	None known as of iptables-1.2.1 release
44		-.SH AUTHOR
	51	+.SH AUTHORS
45	52	Harald Welte <laforge@gnumonks.org>
	53	+.br
	54	+Rusty Russell <rusty@rustcorp.com.au>
	55	+.br
	56	+Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-save.
46	57	.SH SEE ALSO
47	58	\fBiptables\-restore\fP(8), \fBiptables\fP(8)
48	59	.PP

--- a/original/man8/iptables.8

+++ b/original/man8/iptables.8

		@@ -1,4 +1,4 @@
1		-.TH IPTABLES 8 "" "iptables 1.4.18" "iptables 1.4.18"
	1	+.TH IPTABLES 8 "" "iptables 1.4.21" "iptables 1.4.21"
2	2	.\"
3	3	.\" Man page written by Herve Eychenne <rv@wallfire.org> (May 1999)
4	4	.\" It is based on ipchains page.

		@@ -23,10 +23,13 @@
23	23	.\"
24	24	.\"
25	25	.SH NAME
26		-iptables \(em administration tool for IPv4 packet filtering and NAT
	26	+iptables/ip6tables \(em administration tool for IPv4/IPv6 packet filtering and NAT
27	27	.SH SYNOPSIS
28	28	\fBiptables\fP [\fB\-t\fP \fItable\fP] {\fB\-A\fP\|\fB\-C\fP\|\fB\-D\fP}
29	29	\fIchain\fP \fIrule-specification\fP
	30	+.P
	31	+\fBip6tables\fP [\fB\-t\fP \fItable\fP] {\fB\-A\fP\|\fB\-C\fP\|\fB\-D\fP}
	32	+\fIchain rule-specification\fP
30	33	.PP
31	34	\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-I\fP \fIchain\fP [\fIrulenum\fP] \fIrule-specification\fP
32	35	.PP

		@@ -52,8 +55,8 @@ match = \fB\-m\fP \fImatchname\fP [\fIper-match-options\fP]
52	55	.PP
53	56	target = \fB\-j\fP \fItargetname\fP [\fIper\-target\-options\fP]
54	57	.SH DESCRIPTION
55		-\fBIptables\fP is used to set up, maintain, and inspect the
56		-tables of IPv4 packet
	58	+\fBIptables\fP and \fBip6tables\fP are used to set up, maintain, and inspect the
	59	+tables of IPv4 and IPv6 packet
57	60	filter rules in the Linux kernel. Several different tables
58	61	may be defined. Each table contains a number of built-in
59	62	chains and may also contain user-defined chains.

		@@ -64,21 +67,14 @@ a `target', which may be a jump to a user-defined chain in the same
64	67	table.
65	68	.SH TARGETS
66	69	A firewall rule specifies criteria for a packet and a target. If the
67		-packet does not match, the next rule in the chain is the examined; if
	70	+packet does not match, the next rule in the chain is examined; if
68	71	it does match, then the next rule is specified by the value of the
69		-target, which can be the name of a user-defined chain or one of the
70		-special values \fBACCEPT\fP, \fBDROP\fP, \fBQUEUE\fP or \fBRETURN\fP.
	72	+target, which can be the name of a user-defined chain, one of the targets
	73	+described in \fBiptables\-extensions\fP(8), or one of the
	74	+special values \fBACCEPT\fP, \fBDROP\fP or \fBRETURN\fP.
71	75	.PP
72	76	\fBACCEPT\fP means to let the packet through.
73	77	\fBDROP\fP means to drop the packet on the floor.
74		-\fBQUEUE\fP means to pass the packet to userspace.
75		-(How the packet can be received
76		-by a userspace process differs by the particular queue handler. 2.4.x
77		-and 2.6.x kernels up to 2.6.13 include the \fBip_queue\fP
78		-queue handler. Kernels 2.6.14 and later additionally include the
79		-\fBnfnetlink_queue\fP queue handler. Packets with a target of QUEUE will be
80		-sent to queue number '0' in this case. Please also see the \fBNFQUEUE\fP
81		-target as described later in this man page.)
82	78	\fBRETURN\fP means stop traversing this chain and resume at the next
83	79	rule in the
84	80	previous (calling) chain. If the end of a built-in chain is reached

		@@ -111,6 +107,7 @@ connection is encountered. It consists of three built-ins: \fBPREROUTING\fP
111	107	(for altering packets as soon as they come in), \fBOUTPUT\fP
112	108	(for altering locally-generated packets before routing), and \fBPOSTROUTING\fP
113	109	(for altering packets as they are about to go out).
	110	+IPv6 NAT support is available since kernel 3.7.
114	111	.TP
115	112	\fBmangle\fP:
116	113	This table is used for specialized packet alteration. Until kernel

		@@ -143,7 +140,7 @@ before MAC rules. This table provides the following built-in chains:
143	140	.RE
144	141	.SH OPTIONS
145	142	The options that are recognized by
146		-\fBiptables\fP can be divided into several different groups.
	143	+\fBiptables\fP and \fBip6tables\fP can be divided into several different groups.
147	144	.SS COMMANDS
148	145	These options specify the desired action to perform. Only one of them
149	146	can be specified on the command line unless otherwise stated

		@@ -245,23 +242,35 @@ add, delete, insert, replace and append commands).
245	242	.TP
246	243	\fB\-4\fP, \fB\-\-ipv4\fP
247	244	This option has no effect in iptables and iptables-restore.
	245	+If a rule using the \fB\-4\fP option is inserted with (and only with)
	246	+ip6tables-restore, it will be silently ignored. Any other uses will throw an
	247	+error. This option allows to put both IPv4 and IPv6 rules in a single rule file
	248	+for use with both iptables-restore and ip6tables-restore.
248	249	.TP
249	250	\fB\-6\fP, \fB\-\-ipv6\fP
250	251	If a rule using the \fB\-6\fP option is inserted with (and only with)
251	252	iptables-restore, it will be silently ignored. Any other uses will throw an
252	253	error. This option allows to put both IPv4 and IPv6 rules in a single rule file
253	254	for use with both iptables-restore and ip6tables-restore.
	255	+This option has no effect in ip6tables and ip6tables-restore.
254	256	.TP
255	257	[\fB!\fP] \fB\-p\fP, \fB\-\-protocol\fP \fIprotocol\fP
256	258	The protocol of the rule or of the packet to check.
257	259	The specified protocol can be one of \fBtcp\fP, \fBudp\fP, \fBudplite\fP,
258		-\fBicmp\fP, \fBesp\fP, \fBah\fP, \fBsctp\fP or the special keyword "\fBall\fP",
	260	+\fBicmp\fP, \fBicmpv6\fP,\fBesp\fP, \fBah\fP, \fBsctp\fP, \fBmh\fP or the special keyword "\fBall\fP",
259	261	or it can be a numeric value, representing one of these protocols or a
260	262	different one. A protocol name from /etc/protocols is also allowed.
261	263	A "!" argument before the protocol inverts the
262	264	test. The number zero is equivalent to \fBall\fP. "\fBall\fP"
263	265	will match with all protocols and is taken as default when this
264	266	option is omitted.
	267	+Note that, in ip6tables, IPv6 extension headers except \fBesp\fP are not allowed.
	268	+\fBesp\fP and \fBipv6\-nonext\fP
	269	+can be used with Kernel version 2.6.11 or later.
	270	+The number zero is equivalent to \fBall\fP, which means that you cannot
	271	+test the protocol field for the value 0 directly. To match on a HBH header,
	272	+even if it were the last, you cannot use \fB\-p 0\fP, but always need
	273	+\fB\-m hbh\fP.
265	274	.TP
266	275	[\fB!\fP] \fB\-s\fP, \fB\-\-source\fP \fIaddress\fP[\fB/\fP\fImask\fP][\fB,\fP\fI...\fP]
267	276	Source specification. \fIAddress\fP

		@@ -271,9 +280,9 @@ be resolved once only, before the rule is submitted to the kernel.
271	280	Please note that specifying any name to be resolved with a remote query such as
272	281	DNS is a really bad idea.
273	282	The \fImask\fP
274		-can be either a network mask or a plain number,
	283	+can be either an ipv4 network mask (for iptables) or a plain number,
275	284	specifying the number of 1's at the left side of the network mask.
276		-Thus, a mask of \fI24\fP is equivalent to \fI255.255.255.0\fP.
	285	+Thus, an iptables mask of \fI24\fP is equivalent to \fI255.255.255.0\fP.
277	286	A "!" argument before the address specification inverts the sense of
278	287	the address. The flag \fB\-\-src\fP is an alias for this option.
279	288	Multiple addresses can be specified, but this will \fBexpand to multiple

		@@ -327,12 +336,13 @@ interface which begins with this name will match. If this option is
327	336	omitted, any interface name will match.
328	337	.TP
329	338	[\fB!\fP] \fB\-f\fP, \fB\-\-fragment\fP
330		-This means that the rule only refers to second and further fragments
	339	+This means that the rule only refers to second and further IPv4 fragments
331	340	of fragmented packets. Since there is no way to tell the source or
332	341	destination ports of such a packet (or ICMP type), such a packet will
333	342	not match any rules which specify them. When the "!" argument
334	343	precedes the "\-f" flag, the rule will only match head fragments, or
335		-unfragmented packets.
	344	+unfragmented packets. This option is IPv4 specific, it is not available
	345	+in ip6tables.
336	346	.TP
337	347	\fB\-c\fP, \fB\-\-set\-counters\fP \fIpackets bytes\fP
338	348	This enables the administrator to initialize the packet and byte

		@@ -351,6 +361,13 @@ For appending, insertion, deletion and replacement, this causes
351	361	detailed information on the rule or rules to be printed. \fB\-v\fP may be
352	362	specified multiple times to possibly emit more detailed debug statements.
353	363	.TP
	364	+\fB\-w\fP, \fB\-\-wait\fP
	365	+Wait for the xtables lock.
	366	+To prevent multiple instances of the program from running concurrently,
	367	+an attempt will be made to obtain an exclusive lock at launch. By default,
	368	+the program will exit if the lock cannot be obtained. This option will
	369	+make the program wait until the exclusive lock can be obtained.
	370	+.TP
354	371	\fB\-n\fP, \fB\-\-numeric\fP
355	372	Numeric output.
356	373	IP addresses and port numbers will be printed in numeric format.

		@@ -413,10 +430,6 @@ There are several other changes in iptables.
413	430	\fBiptables\-save\fP(8),
414	431	\fBiptables\-restore\fP(8),
415	432	\fBiptables\-extensions\fP(8),
416		-\fBip6tables\fP(8),
417		-\fBip6tables\-save\fP(8),
418		-\fBip6tables\-restore\fP(8),
419		-\fBlibipq\fP(3).
420	433	.PP
421	434	The packet-filtering-HOWTO details iptables usage for
422	435	packet filtering, the NAT-HOWTO details NAT,

		@@ -451,4 +464,4 @@ Man page originally written by Herve Eychenne <rv@wallfire.org>.
451	464	.\" .. and most of all, modest ..
452	465	.SH VERSION
453	466	.PP
454		-This manual page applies to iptables 1.4.18.
	467	+This manual page applies to iptables/ip6tables 1.4.21.

--- a/po4a/man1/iptables-xml.1.ja.po

+++ b/po4a/man1/iptables-xml.1.ja.po

		@@ -6,7 +6,7 @@
6	6	msgid ""
7	7	msgstr ""
8	8	"Project-Id-Version: PACKAGE VERSION\n"
9		-"POT-Creation-Date: 2013-04-08 14:07+0900\n"
	9	+"POT-Creation-Date: 2014-05-07 04:08+0900\n"
10	10	"PO-Revision-Date: 2013-04-09 00:09+0900\n"
11	11	"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
12	12	"Language-Team: LANGUAGE <LL@li.org>\n"

		@@ -22,8 +22,8 @@ msgstr "IPTABLES-XML"
22	22
23	23	#. type: TH
24	24	#, no-wrap
25		-msgid "Jul 16, 2007"
26		-msgstr "Jul 16, 2007"
	25	+msgid "iptables 1.4.21"
	26	+msgstr ""
27	27
28	28	#. Man page written by Sam Liddicott <azez@ufomechanic.net>
29	29	#. It is based on the iptables-save man page.

		@@ -176,3 +176,6 @@ msgstr "関連項目"
176	176	#. type: Plain text
177	177	msgid "B<iptables-save>(8), B<iptables-restore>(8), B<iptables>(8)"
178	178	msgstr "B<iptables-save>(8), B<iptables-restore>(8), B<iptables>(8)"
	179	+
	180	+#~ msgid "Jul 16, 2007"
	181	+#~ msgstr "Jul 16, 2007"

--- a/po4a/man8/iptables-apply.8.ja.po

+++ b/po4a/man8/iptables-apply.8.ja.po

		@@ -6,7 +6,7 @@
6	6	msgid ""
7	7	msgstr ""
8	8	"Project-Id-Version: PACKAGE VERSION\n"
9		-"POT-Creation-Date: 2013-04-08 14:07+0900\n"
	9	+"POT-Creation-Date: 2014-05-07 04:08+0900\n"
10	10	"PO-Revision-Date: 2013-04-08 16:11+0900\n"
11	11	"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
12	12	"Language-Team: LANGUAGE <LL@li.org>\n"

		@@ -17,13 +17,13 @@ msgstr ""
17	17
18	18	#. type: TH
19	19	#, no-wrap
20		-msgid "iptables-apply"
21		-msgstr "iptables-apply"
	20	+msgid "IPTABLES-APPLY"
	21	+msgstr ""
22	22
23	23	#. type: TH
24	24	#, no-wrap
25		-msgid "2006-06-04"
26		-msgstr "2006-06-04"
	25	+msgid "iptables 1.4.21"
	26	+msgstr ""
27	27
28	28	#. type: SH
29	29	#, no-wrap

		@@ -113,3 +113,9 @@ msgstr "このマニュアルページは Martin F. Krafft E<lt>madduck@madduck.
113	113	#. type: Plain text
114	114	msgid "Permission is granted to copy, distribute and/or modify this document under the terms of the Artistic License 2.0."
115	115	msgstr "この文書のコピー、配布、修正は Artistic License 2.0 の下で行うことができる。"
	116	+
	117	+#~ msgid "iptables-apply"
	118	+#~ msgstr "iptables-apply"
	119	+
	120	+#~ msgid "2006-06-04"
	121	+#~ msgstr "2006-06-04"

--- a/po4a/man8/iptables-extensions.8.ja.po

+++ b/po4a/man8/iptables-extensions.8.ja.po

		@@ -6,7 +6,7 @@
6	6	msgid ""
7	7	msgstr ""
8	8	"Project-Id-Version: PACKAGE VERSION\n"
9		-"POT-Creation-Date: 2013-04-08 14:07+0900\n"
	9	+"POT-Creation-Date: 2014-05-07 04:08+0900\n"
10	10	"PO-Revision-Date: 2014-05-07 03:36+0900\n"
11	11	"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
12	12	"Language-Team: LANGUAGE <LL@li.org>\n"

		@@ -21,8 +21,9 @@ msgid "iptables-extensions"
21	21	msgstr "iptables-extensions"
22	22
23	23	#. type: TH
24		-#, no-wrap
25		-msgid "iptables 1.4.18"
	24	+#, fuzzy, no-wrap
	25	+#\| msgid "iptables 1.4.18"
	26	+msgid "iptables 1.4.21"
26	27	msgstr "iptables 1.4.18"
27	28
28	29	#. type: SH

		@@ -257,6 +258,73 @@ msgstr "このモジュールは IPsec パケットの認証ヘッダー (AH)
257	258
258	259	#. type: SS
259	260	#, no-wrap
	261	+msgid "bpf"
	262	+msgstr ""
	263	+
	264	+#. type: Plain text
	265	+msgid "Match using Linux Socket Filter. Expects a BPF program in decimal format. This is the format generated by the B<nfbpf_compile> utility."
	266	+msgstr ""
	267	+
	268	+#. type: TP
	269	+#, fuzzy, no-wrap
	270	+#\| msgid "B<--mode> I<mode>"
	271	+msgid "B<--bytecode> I<code>"
	272	+msgstr "B<--mode> I<mode>"
	273	+
	274	+#. type: Plain text
	275	+msgid "Pass the BPF byte code format (described in the example below)."
	276	+msgstr ""
	277	+
	278	+#. type: Plain text
	279	+msgid "The code format is similar to the output of the tcpdump -ddd command: one line that stores the number of instructions, followed by one line for each instruction. Instruction lines follow the pattern 'u16 u8 u8 u32' in decimal notation. Fields encode the operation, jump offset if true, jump offset if false and generic multiuse field 'K'. Comments are not supported."
	280	+msgstr ""
	281	+
	282	+#. type: Plain text
	283	+msgid "For example, to read only packets matching 'ip proto 6', insert the following, without the comments or trailing whitespace:"
	284	+msgstr ""
	285	+
	286	+#. type: Plain text
	287	+msgid "4 # number of instructions"
	288	+msgstr ""
	289	+
	290	+#. type: Plain text
	291	+msgid "48 0 0 9 # load byte ip-E<gt>proto"
	292	+msgstr ""
	293	+
	294	+#. type: Plain text
	295	+msgid "21 0 1 6 # jump equal IPPROTO_TCP"
	296	+msgstr ""
	297	+
	298	+#. type: Plain text
	299	+msgid "6 0 0 1 # return pass (non-zero)"
	300	+msgstr ""
	301	+
	302	+#. type: Plain text
	303	+msgid "6 0 0 0 # return fail (zero)"
	304	+msgstr ""
	305	+
	306	+#. type: Plain text
	307	+msgid "You can pass this filter to the bpf match with the following command:"
	308	+msgstr ""
	309	+
	310	+#. type: Plain text
	311	+msgid "iptables -A OUTPUT -m bpf --bytecode '4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0' -j ACCEPT"
	312	+msgstr ""
	313	+
	314	+#. type: Plain text
	315	+msgid "Or instead, you can invoke the nfbpf_compile utility."
	316	+msgstr ""
	317	+
	318	+#. type: Plain text
	319	+msgid "iptables -A OUTPUT -m bpf --bytecode \"`nfbpf_compile RAW 'ip proto 6'`\" -j ACCEPT"
	320	+msgstr ""
	321	+
	322	+#. type: Plain text
	323	+msgid "You may want to learn more about BPF from FreeBSD's bpf(4) manpage."
	324	+msgstr ""
	325	+
	326	+#. type: SS
	327	+#, no-wrap
260	328	msgid "cluster"
261	329	msgstr "cluster"
262	330

		@@ -354,6 +422,10 @@ msgid "arptables -A INPUT -i eth2 --h-length 6 --destination-mac 01:00:5e:00:01:
354	422	msgstr "arptables -A INPUT -i eth2 --h-length 6 --destination-mac 01:00:5e:00:01:02 -j mangle --mangle-mac-d 00:zz:yy:xx:5a:27"
355	423
356	424	#. type: Plain text
	425	+msgid "B<NOTE>: the arptables commands above use mainstream syntax. If you are using arptables-jf included in some RedHat, CentOS and Fedora versions, you will hit syntax errors. Therefore, you'll have to adapt these to the arptables-jf syntax to get them working."
	426	+msgstr ""
	427	+
	428	+#. type: Plain text
357	429	msgid "In the case of TCP connections, pickup facility has to be disabled to avoid marking TCP ACK packets coming in the reply direction as valid."
358	430	msgstr "TCP 接続の場合には、応答方向で受信した TCP ACK パケットが有効とマークされないようにするため、ピックアップ (pickup) 機能を無効する必要がある。"
359	431

		@@ -491,7 +563,8 @@ msgstr "B<--connlimit-daddr>"
491	563	msgid "Apply the limit onto the destination group."
492	564	msgstr "宛先グループに対して制限を適用する。"
493	565
494		-#. type: Plain text
	566	+#. type: TP
	567	+#, no-wrap
495	568	msgid "Examples:"
496	569	msgstr "例:"
497	570

		@@ -679,7 +752,9 @@ msgid "B<NEW>"
679	752	msgstr "B<NEW>"
680	753
681	754	#. type: Plain text
682		-msgid "The packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions."
	755	+#, fuzzy
	756	+#\| msgid "The packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions."
	757	+msgid "The packet has started a new connection or otherwise associated with a connection which has not seen packets in both directions."
683	758	msgstr "そのパケットが新しいコネクションを開始しようとしている。もしくは、両方の方向でパケットが観測されていないコネクションに関連付けられる。"
684	759
685	760	#. type: TP

		@@ -697,7 +772,9 @@ msgid "B<RELATED>"
697	772	msgstr "B<RELATED>"
698	773
699	774	#. type: Plain text
700		-msgid "The packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error."
	775	+#, fuzzy
	776	+#\| msgid "The packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error."
	777	+msgid "The packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer or an ICMP error."
701	778	msgstr "そのパケットは、新しいコネクションを開始しようとしているが、既存のコネクションと関連付けられる。 FTP データ転送や ICMP エラーなどが該当する。"
702	779
703	780	#. type: TP

		@@ -1170,7 +1247,9 @@ msgid "matching on subnet"
1170	1247	msgstr "サブネットに対するマッチ"
1171	1248
1172	1249	#. type: Plain text
1173		-msgid "\"10000 packets per minute for every /28 subnet (groups of 8 addresses) in 10.0.0.0/8\" =E<gt> -s 10.0.0.8 --hashlimit-mask 28 --hashlimit-upto 10000/min"
	1250	+#, fuzzy
	1251	+#\| msgid "\"10000 packets per minute for every /28 subnet (groups of 8 addresses) in 10.0.0.0/8\" =E<gt> -s 10.0.0.8 --hashlimit-mask 28 --hashlimit-upto 10000/min"
	1252	+msgid "\"10000 packets per minute for every /28 subnet (groups of 8 addresses) in 10.0.0.0/8\" =E<gt> -s 10.0.0.0/8 --hashlimit-mask 28 --hashlimit-upto 10000/min"
1174	1253	msgstr "\"10.0.0.0/8 内の /28 サブネット (アドレス 8 個のグループ) それぞれに対して 10000 パケット/秒\" =E<gt> -s 10.0.0.8 --hashlimit-mask 28 --hashlimit-upto 10000/min"
1175	1254
1176	1255	#. type: TP

		@@ -1611,8 +1690,9 @@ msgid "This allows specification of the Mobility Header(MH) type, which can be a
1611	1690	msgstr "Mobility Header (MH) タイプを指定できる。タイプ指定には、数値の MH タイプか、以下のコマンドで表示される MH タイプ名を指定できる。"
1612	1691
1613	1692	#. type: Plain text
1614		-#, no-wrap
1615		-msgid " ip6tables -p ipv6-mh -h\n"
	1693	+#, fuzzy, no-wrap
	1694	+#\| msgid " ip6tables -p ipv6-mh -h\n"
	1695	+msgid " ip6tables -p mh -h\n"
1616	1696	msgstr " ip6tables -p ipv6-mh -h\n"
1617	1697
1618	1698	#. type: SS

		@@ -1621,7 +1701,9 @@ msgid "multiport"
1621	1701	msgstr "multiport"
1622	1702
1623	1703	#. type: Plain text
1624		-msgid "This module matches a set of source or destination ports. Up to 15 ports can be specified. A port range (port:port) counts as two ports. It can only be used in conjunction with B<-p tcp> or B<-p udp>."
	1704	+#, fuzzy
	1705	+#\| msgid "This module matches a set of source or destination ports. Up to 15 ports can be specified. A port range (port:port) counts as two ports. It can only be used in conjunction with B<-p tcp> or B<-p udp>."
	1706	+msgid "This module matches a set of source or destination ports. Up to 15 ports can be specified. A port range (port:port) counts as two ports. It can only be used in conjunction with one of the following protocols: B<tcp>, B<udp>, B<udplite>, B<dccp> and B<sctp>."
1625	1707	msgstr "このモジュールは送信元ポートや宛先ポートの集合にマッチする。ポートは 15 個まで指定できる。ポートの範囲指定 (port:port) は 2 ポートとカウントされる。このモジュールが使用できるのは B<-p tcp> か B<-p udp> と組み合わせた場合だけである。"
1626	1708
1627	1709	#. type: TP

		@@ -2289,8 +2371,9 @@ msgid "Match/save the destination address of each packet in the recent list tabl
2289	2371	msgstr "recent リストのテーブルの照合/保存で、各パケットの宛先アドレスを使う。"
2290	2372
2291	2373	#. type: TP
2292		-#, no-wrap
2293		-msgid "B<--mask>netmask"
	2374	+#, fuzzy, no-wrap
	2375	+#\| msgid "B<--mask>netmask"
	2376	+msgid "B<--mask> I<netmask>"
2294	2377	msgstr "B<--mask>netmask"
2295	2378
2296	2379	#. type: Plain text

		@@ -2369,10 +2452,6 @@ msgid "iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --
2369	2452	msgstr "iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP"
2370	2453
2371	2454	#. type: Plain text
2372		-msgid "Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/) also has some examples of usage."
2373		-msgstr "Steve の ipt_recent ウェブサイト (http://snowman.net/projects/ipt_recent/) にも使用例がいくつかある。"
2374		-
2375		-#. type: Plain text
2376	2455	msgid "B</proc/net/xt_recent/*> are the current lists of addresses and information about each entry of each list."
2377	2456	msgstr "B</proc/net/xt_recent/*> は現在のアドレスのリストと各リストの各エントリーの情報である。"
2378	2457

		@@ -2683,12 +2762,97 @@ msgid "will match packets, for which (if the set type is ipportmap) the source a
2683	2762	msgstr ""
2684	2763
2685	2764	#. type: TP
2686		-#, no-wrap
2687		-msgid "B<--return--nomatch>"
	2765	+#, fuzzy, no-wrap
	2766	+#\| msgid "B<--return--nomatch>"
	2767	+msgid "B<--return-nomatch>"
2688	2768	msgstr "B<--return--nomatch>"
2689	2769
2690	2770	#. type: Plain text
2691		-msgid "If the B<--return--nomatch> option is specified and the set type supports the B<nomatch> flag, then the matching is reversed: a match with an element flagged with B<nomatch> returns B<true>, while a match with a plain element returns B<false>."
	2771	+msgid "If the B<--return-nomatch> option is specified and the set type supports the B<nomatch> flag, then the matching is reversed: a match with an element flagged with B<nomatch> returns B<true>, while a match with a plain element returns B<false>."
	2772	+msgstr ""
	2773	+
	2774	+#. type: TP
	2775	+#, fuzzy, no-wrap
	2776	+#\| msgid "[B<!>] B<--update>"
	2777	+msgid "B<!> B<--update-counters>"
	2778	+msgstr "[B<!>] B<--update>"
	2779	+
	2780	+#. type: Plain text
	2781	+msgid "If the B<--update-counters> flag is negated, then the packet and byte counters of the matching element in the set won't be updated. Default the packet and byte counters are updated."
	2782	+msgstr ""
	2783	+
	2784	+#. type: TP
	2785	+#, fuzzy, no-wrap
	2786	+#\| msgid "[B<!>] B<--update>"
	2787	+msgid "B<!> B<--update-subcounters>"
	2788	+msgstr "[B<!>] B<--update>"
	2789	+
	2790	+#. type: Plain text
	2791	+msgid "If the B<--update-subcounters> flag is negated, then the packet and byte counters of the matching element in the member set of a list type of set won't be updated. Default the packet and byte counters are updated."
	2792	+msgstr ""
	2793	+
	2794	+#. type: TP
	2795	+#, fuzzy, no-wrap
	2796	+#\| msgid "[B<!>] B<--hl-eq> I<value>"
	2797	+msgid "[B<!>] B<--packets-eq> I<value>"
	2798	+msgstr "[B<!>] B<--hl-eq> I<value>"
	2799	+
	2800	+#. type: Plain text
	2801	+msgid "If the packet is matched an element in the set, match only if the packet counter of the element matches the given value too."
	2802	+msgstr ""
	2803	+
	2804	+#. type: TP
	2805	+#, fuzzy, no-wrap
	2806	+#\| msgid "B<--hl-lt> I<value>"
	2807	+msgid "B<--packets-lt> I<value>"
	2808	+msgstr "B<--hl-lt> I<value>"
	2809	+
	2810	+#. type: Plain text
	2811	+msgid "If the packet is matched an element in the set, match only if the packet counter of the element is less than the given value as well."
	2812	+msgstr ""
	2813	+
	2814	+#. type: TP
	2815	+#, fuzzy, no-wrap
	2816	+#\| msgid "B<--hl-gt> I<value>"
	2817	+msgid "B<--packets-gt> I<value>"
	2818	+msgstr "B<--hl-gt> I<value>"
	2819	+
	2820	+#. type: Plain text
	2821	+msgid "If the packet is matched an element in the set, match only if the packet counter of the element is greater than the given value as well."
	2822	+msgstr ""
	2823	+
	2824	+#. type: TP
	2825	+#, fuzzy, no-wrap
	2826	+#\| msgid "[B<!>] B<--hl-eq> I<value>"
	2827	+msgid "[B<!>] B<-bytes-eq> I<value>"
	2828	+msgstr "[B<!>] B<--hl-eq> I<value>"
	2829	+
	2830	+#. type: Plain text
	2831	+msgid "If the packet is matched an element in the set, match only if the byte counter of the element matches the given value too."
	2832	+msgstr ""
	2833	+
	2834	+#. type: TP
	2835	+#, fuzzy, no-wrap
	2836	+#\| msgid "B<--hl-lt> I<value>"
	2837	+msgid "B<--bytes-lt> I<value>"
	2838	+msgstr "B<--hl-lt> I<value>"
	2839	+
	2840	+#. type: Plain text
	2841	+msgid "If the packet is matched an element in the set, match only if the byte counter of the element is less than the given value as well."
	2842	+msgstr ""
	2843	+
	2844	+#. type: TP
	2845	+#, fuzzy, no-wrap
	2846	+#\| msgid "B<--hl-gt> I<value>"
	2847	+msgid "B<--bytes-gt> I<value>"
	2848	+msgstr "B<--hl-gt> I<value>"
	2849	+
	2850	+#. type: Plain text
	2851	+msgid "If the packet is matched an element in the set, match only if the byte counter of the element is greater than the given value as well."
	2852	+msgstr ""
	2853	+
	2854	+#. type: Plain text
	2855	+msgid "The packet and byte counters related options and flags are ignored when the set was defined without counter support."
2692	2856	msgstr ""
2693	2857
2694	2858	#. type: Plain text

		@@ -2705,7 +2869,7 @@ msgid "socket"
2705	2869	msgstr "socket"
2706	2870
2707	2871	#. type: Plain text
2708		-msgid "This matches if an open socket can be found by doing a socket lookup on the packet."
	2872	+msgid "This matches if an open TCP/UDP socket can be found by doing a socket lookup on the packet. It matches if there is an established or non-zero bound listening socket (possibly with a non-local address). The lookup is performed using the B<packet> tuple of TCP/UDP packets, or the original TCP/UDP header B<embedded> in an ICMP/ICPMv6 error packet."
2709	2873	msgstr ""
2710	2874
2711	2875	#. type: TP

		@@ -2717,6 +2881,26 @@ msgstr "B<--transparent>"
2717	2881	msgid "Ignore non-transparent sockets."
2718	2882	msgstr "非透過 (non-transparent) ソケットを無視する。"
2719	2883
	2884	+#. type: TP
	2885	+#, fuzzy, no-wrap
	2886	+#\| msgid "B<--nodst>"
	2887	+msgid "B<--nowildcard>"
	2888	+msgstr "B<--nodst>"
	2889	+
	2890	+#. type: Plain text
	2891	+msgid "Do not ignore sockets bound to 'any' address. The socket match won't accept zero-bound listeners by default, since then local services could intercept traffic that would otherwise be forwarded. This option therefore has security implications when used to match traffic being forwarded to redirect such packets to local machine with policy routing. When using the socket match to implement fully transparent proxies bound to non-local addresses it is recommended to use the --transparent option instead."
	2892	+msgstr ""
	2893	+
	2894	+#. type: Plain text
	2895	+msgid "Example (assuming packets with mark 1 are delivered locally):"
	2896	+msgstr ""
	2897	+
	2898	+#. type: Plain text
	2899	+#, fuzzy
	2900	+#\| msgid "-t mangle -A PREROUTING -i eth0 -j TEE --gateway 2001:db8::1"
	2901	+msgid "-t mangle -A PREROUTING -m socket --transparent -j MARK --set-mark 1"
	2902	+msgstr "-t mangle -A PREROUTING -i eth0 -j TEE --gateway 2001:db8::1"
	2903	+
2720	2904	#. type: SS
2721	2905	#, no-wrap
2722	2906	msgid "state"

		@@ -2838,6 +3022,24 @@ msgstr "[B<!>] B<--hex-string> I<pattern>"
2838	3022	msgid "Matches the given pattern in hex notation."
2839	3023	msgstr "指定された 16 進表記のパターンにマッチする。"
2840	3024
	3025	+#. type: Plain text
	3026	+msgid "# The string pattern can be used for simple text characters."
	3027	+msgstr ""
	3028	+
	3029	+#. type: Plain text
	3030	+#, fuzzy
	3031	+#\| msgid "iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh"
	3032	+msgid "iptables -A INPUT -p tcp --dport 80 -m string --algo bm --string 'GET /index.html' -j LOG"
	3033	+msgstr "iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh"
	3034	+
	3035	+#. type: Plain text
	3036	+msgid "# The hex string pattern can be used for non-printable characters, like \|0D 0A\| or \|0D0A\|."
	3037	+msgstr ""
	3038	+
	3039	+#. type: Plain text
	3040	+msgid "iptables -p udp --dport 53 -m string --algo bm --from 40 --to 57 --hex-string '\|03\|www\|09\|netfilter\|03\|org\|00\|'"
	3041	+msgstr ""
	3042	+
2841	3043	#. type: SS
2842	3044	#, no-wrap
2843	3045	msgid "tcp"

		@@ -3681,12 +3883,15 @@ msgid "Use the timeout policy identified by I<name> for the connection. This is
3681	3883	msgstr ""
3682	3884
3683	3885	#. type: SS
3684		-#, no-wrap
3685		-msgid "DNAT (IPv4-specific)"
3686		-msgstr "DNAT (IPv4 の場合)"
	3886	+#, fuzzy, no-wrap
	3887	+#\| msgid "B<DNAT>"
	3888	+msgid "DNAT"
	3889	+msgstr "B<DNAT>"
3687	3890
3688	3891	#. type: Plain text
3689		-msgid "This target is only valid in the B<nat> table, in the B<PREROUTING> and B<OUTPUT> chains, and user-defined chains which are only called from those chains. It specifies that the destination address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one type of option:"
	3892	+#, fuzzy
	3893	+#\| msgid "This target is only valid in the B<nat> table, in the B<PREROUTING> and B<OUTPUT> chains, and user-defined chains which are only called from those chains. It specifies that the destination address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one type of option:"
	3894	+msgid "This target is only valid in the B<nat> table, in the B<PREROUTING> and B<OUTPUT> chains, and user-defined chains which are only called from those chains. It specifies that the destination address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes the following options:"
3690	3895	msgstr "このターゲットは B<nat> テーブルの B<PREROUTING>, B<OUTPUT> チェイン、これらのチェインから呼び出されるユーザー定義チェインのみで有効である。このターゲットはパケットの宛先アドレスを修正する (このコネクションの以降のパケットも修正して分からなく (mangle) する)。さらに、ルールによるチェックを止めさせる。このターゲットにはオプションが 1 種類ある:"
3691	3896
3692	3897	#. type: TP

		@@ -3695,11 +3900,9 @@ msgid "B<--to-destination> [I<ipaddr>[B<->I<ipaddr>]][B<:>I<port>[B<->I<port>]]"
3695	3900	msgstr "B<--to-destination> [I<ipaddr>[B<->I<ipaddr>]][B<:>I<port>[B<->I<port>]]"
3696	3901
3697	3902	#. type: Plain text
3698		-msgid "which can specify a single new destination IP address, an inclusive range of IP addresses, and optionally, a port range (which is only valid if the rule also specifies B<-p tcp> or B<-p udp>). If no port range is specified, then the destination port will never be modified. If no IP address is specified then only the destination port will be modified."
3699		-msgstr "1 つの新しい宛先 IP アドレス、または IP アドレスの範囲が指定できる。ポートの範囲を指定することもできる (これはルールで B<-p tcp> または B<-p udp> を指定している場合にのみ有効)。ポートの範囲が指定されていない場合、宛先ポートは変更されない。 IP アドレスが指定されなかった場合は、宛先ポートだけが変更される。"
3700		-
3701		-#. type: Plain text
3702		-msgid "In Kernels up to 2.6.10 you can add several --to-destination options. For those kernels, if you specify more than one destination address, either via an address range or multiple --to-destination options, a simple round-robin (one after another in cycle) load balancing takes place between these addresses. Later Kernels (E<gt>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore."
	3903	+#, fuzzy
	3904	+#\| msgid "In Kernels up to 2.6.10 you can add several --to-destination options. For those kernels, if you specify more than one destination address, either via an address range or multiple --to-destination options, a simple round-robin (one after another in cycle) load balancing takes place between these addresses. Later Kernels (E<gt>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore."
	3905	+msgid "which can specify a single new destination IP address, an inclusive range of IP addresses. Optionally a port range, if the rule also specifies one of the following protocols: B<tcp>, B<udp>, B<dccp> or B<sctp>. If no port range is specified, then the destination port will never be modified. If no IP address is specified then only the destination port will be modified. In Kernels up to 2.6.10 you can add several --to-destination options. For those kernels, if you specify more than one destination address, either via an address range or multiple --to-destination options, a simple round-robin (one after another in cycle) load balancing takes place between these addresses. Later Kernels (E<gt>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore."
3703	3906	msgstr "2.6.10 以前のカーネルでは、複数の --to-destination オプションを指定することができる。これらのカーネルでは、アドレスの範囲指定や --to-destination オプションの複数回指定により 2 つ以上の宛先アドレスを指定した場合、それらのアドレスを使った単純なラウンドロビンによる負荷分散が行われる。それ以降のカーネル (E<gt>= 2.6.11-rc1) には複数の範囲を NAT する機能は存在しない。"
3704	3907
3705	3908	#. type: TP

		@@ -3720,6 +3923,69 @@ msgstr "B<--persistent>"
3720	3923	msgid "Gives a client the same source-/destination-address for each connection. This supersedes the SAME target. Support for persistent mappings is available from 2.6.29-rc2."
3721	3924	msgstr ""
3722	3925
	3926	+#. type: TP
	3927	+#, no-wrap
	3928	+msgid "IPv6 support available since Linux kernels E<gt>= 3.7."
	3929	+msgstr ""
	3930	+
	3931	+#. type: SS
	3932	+#, fuzzy, no-wrap
	3933	+#\| msgid "DNAT (IPv4-specific)"
	3934	+msgid "DNPT (IPv6-specific)"
	3935	+msgstr "DNAT (IPv4 の場合)"
	3936	+
	3937	+#. type: Plain text
	3938	+msgid "Provides stateless destination IPv6-to-IPv6 Network Prefix Translation (as described by RFC 6296)."
	3939	+msgstr ""
	3940	+
	3941	+#. type: Plain text
	3942	+msgid "You have to use this target in the B<mangle> table, not in the B<nat> table. It takes the following options:"
	3943	+msgstr ""
	3944	+
	3945	+#. type: TP
	3946	+#, fuzzy, no-wrap
	3947	+#\| msgid "B<--connlimit-mask> I<prefix_length>"
	3948	+msgid "B<--src-pfx> [I<prefix/>I<length]>"
	3949	+msgstr "B<--connlimit-mask> I<prefix_length>"
	3950	+
	3951	+#. type: Plain text
	3952	+msgid "Set source prefix that you want to translate and length"
	3953	+msgstr ""
	3954	+
	3955	+#. type: TP
	3956	+#, fuzzy, no-wrap
	3957	+#\| msgid "B<--connlimit-mask> I<prefix_length>"
	3958	+msgid "B<--dst-pfx> [I<prefix/>I<length]>"
	3959	+msgstr "B<--connlimit-mask> I<prefix_length>"
	3960	+
	3961	+#. type: Plain text
	3962	+msgid "Set destination prefix that you want to use in the translation and length"
	3963	+msgstr ""
	3964	+
	3965	+#. type: Plain text
	3966	+msgid "You have to use the SNPT target to undo the translation. Example:"
	3967	+msgstr ""
	3968	+
	3969	+#. type: Plain text
	3970	+msgid "ip6tables -t mangle -I POSTROUTING -s fd00::/64 \\! -o vboxnet0 -j SNPT --src-pfx fd00::/64 --dst-pfx 2001:e20:2000:40f::/64"
	3971	+msgstr ""
	3972	+
	3973	+#. type: Plain text
	3974	+msgid "ip6tables -t mangle -I PREROUTING -i wlan0 -d 2001:e20:2000:40f::/64 -j DNPT --src-pfx 2001:e20:2000:40f::/64 --dst-pfx fd00::/64"
	3975	+msgstr ""
	3976	+
	3977	+#. type: Plain text
	3978	+msgid "You may need to enable IPv6 neighbor proxy:"
	3979	+msgstr ""
	3980	+
	3981	+#. type: Plain text
	3982	+msgid "sysctl -w net.ipv6.conf.all.proxy_ndp=1"
	3983	+msgstr ""
	3984	+
	3985	+#. type: Plain text
	3986	+msgid "You also have to use the B<NOTRACK> target to disable connection tracking for translated flows."
	3987	+msgstr ""
	3988	+
3723	3989	#. type: SS
3724	3990	#, no-wrap
3725	3991	msgid "DSCP"

		@@ -4026,14 +4292,23 @@ msgid "echo netfilter-ssh E<gt>/sys/class/leds/I<ledname>/trigger"
4026	4292	msgstr "echo netfilter-ssh E<gt>/sys/class/leds/I<ledname>/trigger"
4027	4293
4028	4294	#. type: SS
4029		-#, no-wrap
4030		-msgid "LOG (IPv6-specific)"
4031		-msgstr "LOG (IPv6 の場合)"
	4295	+#, fuzzy, no-wrap
	4296	+#\| msgid "NFLOG"
	4297	+msgid "LOG"
	4298	+msgstr "NFLOG"
4032	4299
4033	4300	#. type: Plain text
4034		-msgid "Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will print some information on all matching packets (like most IPv6 IPv6-header fields) via the kernel log (where it can be read with I<dmesg> or I<syslogd>(8)). This is a \"non-terminating target\", i.e. rule traversal continues at the next rule. So if you want to LOG the packets you refuse, use two separate rules with the same matching criteria, first using target LOG then DROP (or REJECT)."
	4301	+#, fuzzy
	4302	+#\| msgid "Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will print some information on all matching packets (like most IPv6 IPv6-header fields) via the kernel log (where it can be read with I<dmesg> or I<syslogd>(8)). This is a \"non-terminating target\", i.e. rule traversal continues at the next rule. So if you want to LOG the packets you refuse, use two separate rules with the same matching criteria, first using target LOG then DROP (or REJECT)."
	4303	+msgid "Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will print some information on all matching packets (like most IP/IPv6 header fields) via the kernel log (where it can be read with I<dmesg(1)> or read in the syslog)."
4035	4304	msgstr "マッチしたパケットをカーネルログに記録する。このオプションがルールに対して設定されると、 Linux カーネルはマッチしたパケットについての (IPv6 における大部分の IPv6 ヘッダーフィールドのような) 何らかの情報をカーネルログに表示する (カーネルログは I<dmesg> または I<syslogd>(8) で見ることができる)。これは「非終了ターゲット」である。すなわち、ルールの探索は、次のルールへと継続される。よって、拒否するパケットをログ記録したければ、同じマッチング判断基準を持つ 2 つのルールを使用し、最初のルールで LOG ターゲットを、次のルールで DROP (または REJECT) ターゲットを指定する。"
4036	4305
	4306	+#. type: Plain text
	4307	+#, fuzzy
	4308	+#\| msgid "Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will print some information on all matching packets (like most IP header fields) via the kernel log (where it can be read with I<dmesg> or I<syslogd>(8)). This is a \"non-terminating target\", i.e. rule traversal continues at the next rule. So if you want to LOG the packets you refuse, use two separate rules with the same matching criteria, first using target LOG then DROP (or REJECT)."
	4309	+msgid "This is a \"non-terminating target\", i.e. rule traversal continues at the next rule. So if you want to LOG the packets you refuse, use two separate rules with the same matching criteria, first using target LOG then DROP (or REJECT)."
	4310	+msgstr "マッチしたパケットをカーネルログに記録する。このオプションがルールに対して設定されると、 Linux カーネルはマッチしたパケットについての (大部分の IP ヘッダーフィールドのような) 何らかの情報をカーネルログに表示する (カーネルログは I<dmesg> または I<syslogd>(8) で見ることができる)。これは \"非終了ターゲット\" である。すなわち、ルールの探索は次のルールへと継続される。よって、拒否するパケットをログ記録したければ、同じマッチング判断基準を持つ 2 つのルールを使用し、最初のルールで LOG ターゲットを、次のルールで DROP (または REJECT) ターゲットを指定する。"
	4311	+
4037	4312	#. type: TP
4038	4313	#, no-wrap
4039	4314	msgid "B<--log-level> I<level>"

		@@ -4079,7 +4354,9 @@ msgid "B<--log-ip-options>"
4079	4354	msgstr "B<--log-ip-options>"
4080	4355
4081	4356	#. type: Plain text
4082		-msgid "Log options from the IPv6 packet header."
	4357	+#, fuzzy
	4358	+#\| msgid "Log options from the IPv6 packet header."
	4359	+msgid "Log options from the IP/IPv6 packet header."
4083	4360	msgstr "IPv6 パケットヘッダーのオプションをログに記録する。"
4084	4361
4085	4362	#. type: TP

		@@ -4093,19 +4370,6 @@ msgstr ""
4093	4370
4094	4371	#. type: SS
4095	4372	#, no-wrap
4096		-msgid "LOG (IPv4-specific)"
4097		-msgstr "LOG (IPv4 の場合)"
4098		-
4099		-#. type: Plain text
4100		-msgid "Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will print some information on all matching packets (like most IP header fields) via the kernel log (where it can be read with I<dmesg> or I<syslogd>(8)). This is a \"non-terminating target\", i.e. rule traversal continues at the next rule. So if you want to LOG the packets you refuse, use two separate rules with the same matching criteria, first using target LOG then DROP (or REJECT)."
4101		-msgstr "マッチしたパケットをカーネルログに記録する。このオプションがルールに対して設定されると、 Linux カーネルはマッチしたパケットについての (大部分の IP ヘッダーフィールドのような) 何らかの情報をカーネルログに表示する (カーネルログは I<dmesg> または I<syslogd>(8) で見ることができる)。これは \"非終了ターゲット\" である。すなわち、ルールの探索は次のルールへと継続される。よって、拒否するパケットをログ記録したければ、同じマッチング判断基準を持つ 2 つのルールを使用し、最初のルールで LOG ターゲットを、次のルールで DROP (または REJECT) ターゲットを指定する。"
4102		-
4103		-#. type: Plain text
4104		-msgid "Log options from the IP packet header."
4105		-msgstr "IP パケットヘッダーのオプションをログに記録する。"
4106		-
4107		-#. type: SS
4108		-#, no-wrap
4109	4373	msgid "MARK"
4110	4374	msgstr "MARK"
4111	4375

		@@ -4139,12 +4403,12 @@ msgstr ""
4139	4403
4140	4404	#. type: SS
4141	4405	#, no-wrap
4142		-msgid "MASQUERADE (IPv6-specific)"
4143		-msgstr "MASQUERADE (IPv6 の場合)"
	4406	+msgid "MASQUERADE"
	4407	+msgstr ""
4144	4408
4145	4409	#. type: Plain text
4146		-msgid "This target is only valid in the B<nat> table, in the B<POSTROUTING> chain. It should only be used with dynamically assigned IPv6 (dialup) connections: if you have a static IP address, you should use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out, but also has the effect that connections are I<forgotten> when the interface goes down. This is the correct behavior when the next dialup is unlikely to have the same interface address (and hence any established connections are lost anyway)."
4147		-msgstr "このターゲットは B<nat> テーブルの B<POSTROUTING> チェインのみで有効である。動的割り当て IPv6 (ダイヤルアップ) コネクションの場合にのみ使うべきである。固定 IP アドレスならば、 SNAT ターゲットを使うべきである。マスカレーディングは、パケットが送信されるインターフェースの IP アドレスへのマッピングを指定するのと同じであるが、インターフェースが停止した場合にコネクションをI<忘れる>という効果がある。次のダイヤルアップでは同じインターフェースアドレスになる可能性が低い (そのため、前回確立されたコネクションは失われる) 場合、この動作は正しい。"
	4410	+msgid "This target is only valid in the B<nat> table, in the B<POSTROUTING> chain. It should only be used with dynamically assigned IP (dialup) connections: if you have a static IP address, you should use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out, but also has the effect that connections are I<forgotten> when the interface goes down. This is the correct behavior when the next dialup is unlikely to have the same interface address (and hence any established connections are lost anyway)."
	4411	+msgstr "このターゲットは B<nat> テーブルの B<POSTROUTING> チェインのみで有効である。動的割り当て IP (ダイヤルアップ) コネクションの場合にのみ使うべきである。固定 IP アドレスならば、 SNAT ターゲットを使うべきである。マスカレーディングは、パケットが送信されるインターフェースの IP アドレスへのマッピングを指定するのと同じであるが、インターフェースが停止した場合にコネクションをI<忘れる>という効果がある。次のダイヤルアップでは同じインターフェースアドレスになる可能性が低い (そのため、前回確立されたコネクションは失われる) 場合、この動作は正しい。"
4148	4412
4149	4413	#. type: TP
4150	4414	#, no-wrap

		@@ -4152,23 +4416,12 @@ msgid "B<--to-ports> I<port>[B<->I<port>]"
4152	4416	msgstr "B<--to-ports> I<port>[B<->I<port>]"
4153	4417
4154	4418	#. type: Plain text
4155		-msgid "This specifies a range of source ports to use, overriding the default B<SNAT> source port-selection heuristics (see above). This is only valid if the rule also specifies B<-p tcp> or B<-p udp>."
	4419	+#, fuzzy
	4420	+#\| msgid "This specifies a range of source ports to use, overriding the default B<SNAT> source port-selection heuristics (see above). This is only valid if the rule also specifies B<-p tcp> or B<-p udp>."
	4421	+msgid "This specifies a range of source ports to use, overriding the default B<SNAT> source port-selection heuristics (see above). This is only valid if the rule also specifies one of the following protocols: B<tcp>, B<udp>, B<dccp> or B<sctp>."
4156	4422	msgstr "このオプションは、使用する送信元ポートの範囲を指定し、デフォルトの B<SNAT> 送信元ポートの選択方法 (上記) よりも優先される。ルールが B<-p tcp> または B<-p udp> を指定している場合にのみ有効である。"
4157	4423
4158	4424	#. type: Plain text
4159		-msgid "Randomize source port mapping If option B<--random> is used then port mapping will be randomized."
4160		-msgstr ""
4161		-
4162		-#. type: SS
4163		-#, no-wrap
4164		-msgid "MASQUERADE (IPv4-specific)"
4165		-msgstr "MASQUERADE (IPv4 の場合)"
4166		-
4167		-#. type: Plain text
4168		-msgid "This target is only valid in the B<nat> table, in the B<POSTROUTING> chain. It should only be used with dynamically assigned IP (dialup) connections: if you have a static IP address, you should use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out, but also has the effect that connections are I<forgotten> when the interface goes down. This is the correct behavior when the next dialup is unlikely to have the same interface address (and hence any established connections are lost anyway)."
4169		-msgstr "このターゲットは B<nat> テーブルの B<POSTROUTING> チェインのみで有効である。動的割り当て IP (ダイヤルアップ) コネクションの場合にのみ使うべきである。固定 IP アドレスならば、 SNAT ターゲットを使うべきである。マスカレーディングは、パケットが送信されるインターフェースの IP アドレスへのマッピングを指定するのと同じであるが、インターフェースが停止した場合にコネクションをI<忘れる>という効果がある。次のダイヤルアップでは同じインターフェースアドレスになる可能性が低い (そのため、前回確立されたコネクションは失われる) 場合、この動作は正しい。"
4170		-
4171		-#. type: Plain text
4172	4425	msgid "Randomize source port mapping If option B<--random> is used then port mapping will be randomized (kernel E<gt>= 2.6.21)."
4173	4426	msgstr ""
4174	4427

		@@ -4183,8 +4436,8 @@ msgstr "実験的なデモンストレーション用のターゲットであり
4183	4436
4184	4437	#. type: SS
4185	4438	#, no-wrap
4186		-msgid "NETMAP (IPv4-specific)"
4187		-msgstr "NETMAP (IPv4 の場合)"
	4439	+msgid "NETMAP"
	4440	+msgstr ""
4188	4441
4189	4442	#. type: Plain text
4190	4443	msgid "This target allows you to statically map a whole network of addresses onto another network of addresses. It can only be used from rules in the B<nat> table."

		@@ -4250,7 +4503,7 @@ msgid "NFQUEUE"
4250	4503	msgstr "NFQUEUE"
4251	4504
4252	4505	#. type: Plain text
4253		-msgid "This target is an extension of the QUEUE target. As opposed to QUEUE, it allows you to put a packet into any specific queue, identified by its 16-bit queue number. It can only be used with Kernel versions 2.6.14 or later, since it requires the B<nfnetlink_queue> kernel support. The B<queue-balance> option was added in Linux 2.6.31, B<queue-bypass> in 2.6.39."
	4506	+msgid "This target passes the packet to userspace using the B<nfnetlink_queue> handler. The packet is put into the queue identified by its 16-bit queue number. Userspace can inspect and modify the packet if desired. Userspace must then drop or reinject the packet into the kernel. Please see libnetfilter_queue for details. B<nfnetlink_queue> was added in Linux 2.6.14. The B<queue-balance> option was added in Linux 2.6.31, B<queue-bypass> in 2.6.39."
4254	4507	msgstr ""
4255	4508
4256	4509	#. type: TP

		@@ -4277,7 +4530,17 @@ msgid "B<--queue-bypass>"
4277	4530	msgstr "B<--queue-bypass>"
4278	4531
4279	4532	#. type: Plain text
4280		-msgid "By default, if no userspace program is listening on an NFQUEUE, then all packets that are to be queued are dropped. When this option is used, the NFQUEUE rule is silently bypassed instead. The packet will move on to the next rule."
	4533	+msgid "By default, if no userspace program is listening on an NFQUEUE, then all packets that are to be queued are dropped. When this option is used, the NFQUEUE rule behaves like ACCEPT instead, and the packet will move on to the next table."
	4534	+msgstr ""
	4535	+
	4536	+#. type: TP
	4537	+#, fuzzy, no-wrap
	4538	+#\| msgid "B<--queue-bypass>"
	4539	+msgid "B<--queue-cpu-fanout>"
	4540	+msgstr "B<--queue-bypass>"
	4541	+
	4542	+#. type: Plain text
	4543	+msgid "Available starting Linux kernel 3.10. When used together with B<--queue-balance> this will use the CPU ID as an index to map packets to the queues. The idea is that you can improve performance if there's a queue per CPU. This requires B<--queue-balance> to be specified."
4281	4544	msgstr ""
4282	4545
4283	4546	#. type: SS

		@@ -4286,7 +4549,7 @@ msgid "NOTRACK"
4286	4549	msgstr "NOTRACK"
4287	4550
4288	4551	#. type: Plain text
4289		-msgid "This target disables connection tracking for all packets matching that rule. It is obsoleted by -j CT --notrack. Like CT, NOTRACK can only be used in the B<raw> table."
	4552	+msgid "This extension disables connection tracking for all packets matching that rule. It is equivalent with -j CT --notrack. Like CT, NOTRACK can only be used in the B<raw> table."
4290	4553	msgstr ""
4291	4554
4292	4555	#. type: SS

		@@ -4327,17 +4590,26 @@ msgstr ""
4327	4590
4328	4591	#. type: SS
4329	4592	#, no-wrap
4330		-msgid "REDIRECT (IPv4-specific)"
4331		-msgstr "REDIRECT (IPv4 の場合)"
	4593	+msgid "REDIRECT"
	4594	+msgstr ""
4332	4595
4333	4596	#. type: Plain text
4334		-msgid "This target is only valid in the B<nat> table, in the B<PREROUTING> and B<OUTPUT> chains, and user-defined chains which are only called from those chains. It redirects the packet to the machine itself by changing the destination IP to the primary address of the incoming interface (locally-generated packets are mapped to the 127.0.0.1 address)."
	4597	+#, fuzzy
	4598	+#\| msgid "This target is only valid in the B<nat> table, in the B<PREROUTING> and B<OUTPUT> chains, and user-defined chains which are only called from those chains. It redirects the packet to the machine itself by changing the destination IP to the primary address of the incoming interface (locally-generated packets are mapped to the 127.0.0.1 address)."
	4599	+msgid "This target is only valid in the B<nat> table, in the B<PREROUTING> and B<OUTPUT> chains, and user-defined chains which are only called from those chains. It redirects the packet to the machine itself by changing the destination IP to the primary address of the incoming interface (locally-generated packets are mapped to the localhost address, 127.0.0.1 for IPv4 and ::1 for IPv6)."
4335	4600	msgstr "このターゲットは、 B<nat> テーブルの B<PREROUTING> チェインと B<OUTPUT> チェイン、およびこれらチェインから呼び出されるユーザー定義チェインでのみ有効である。このターゲットは、宛先 IP をパケットを受信したインタフェースの最初のアドレスに変更することで、パケットをそのマシン自身にリダイレクトする (ローカルで生成されたパケットは、アドレス 127.0.0.1 にマップされる)。"
4336	4601
4337	4602	#. type: Plain text
4338		-msgid "This specifies a destination port or range of ports to use: without this, the destination port is never altered. This is only valid if the rule also specifies B<-p tcp> or B<-p udp>."
	4603	+#, fuzzy
	4604	+#\| msgid "This specifies a destination port or range of ports to use: without this, the destination port is never altered. This is only valid if the rule also specifies B<-p tcp> or B<-p udp>."
	4605	+msgid "This specifies a destination port or range of ports to use: without this, the destination port is never altered. This is only valid if the rule also specifies one of the following protocols: B<tcp>, B<udp>, B<dccp> or B<sctp>."
4339	4606	msgstr "このオプションは使用される宛先ポート・ポート範囲・複数ポートを指定する。このオプションが指定されない場合、宛先ポートは変更されない。ルールが B<-p tcp> または B<-p udp> を指定している場合にのみ有効である。"
4340	4607
	4608	+#. type: TP
	4609	+#, no-wrap
	4610	+msgid "IPv6 support available starting Linux kernels E<gt>= 3.7."
	4611	+msgstr ""
	4612	+
4341	4613	#. type: SS
4342	4614	#, no-wrap
4343	4615	msgid "REJECT (IPv6-specific)"

		@@ -4359,7 +4631,9 @@ msgid "B<--reject-with> I<type>"
4359	4631	msgstr "B<--reject-with> I<type>"
4360	4632
4361	4633	#. type: Plain text
4362		-msgid "The type given can be B<icmp6-no-route>, B<no-route>, B<icmp6-adm-prohibited>, B<adm-prohibited>, B<icmp6-addr-unreachable>, B<addr-unreach>, B<icmp6-port-unreachable> or B<port-unreach> which return the appropriate ICMPv6 error message (B<port-unreach> is the default). Finally, the option B<tcp-reset> can be used on rules which only match the TCP protocol: this causes a TCP RST packet to be sent back. This is mainly useful for blocking I<ident> (113/tcp) probes which frequently occur when sending mail to broken mail hosts (which won't accept your mail otherwise). B<tcp-reset> can only be used with kernel versions 2.6.14 or later."
	4634	+#, fuzzy
	4635	+#\| msgid "The type given can be B<icmp6-no-route>, B<no-route>, B<icmp6-adm-prohibited>, B<adm-prohibited>, B<icmp6-addr-unreachable>, B<addr-unreach>, B<icmp6-port-unreachable> or B<port-unreach> which return the appropriate ICMPv6 error message (B<port-unreach> is the default). Finally, the option B<tcp-reset> can be used on rules which only match the TCP protocol: this causes a TCP RST packet to be sent back. This is mainly useful for blocking I<ident> (113/tcp) probes which frequently occur when sending mail to broken mail hosts (which won't accept your mail otherwise). B<tcp-reset> can only be used with kernel versions 2.6.14 or later."
	4636	+msgid "The type given can be B<icmp6-no-route>, B<no-route>, B<icmp6-adm-prohibited>, B<adm-prohibited>, B<icmp6-addr-unreachable>, B<addr-unreach>, or B<icmp6-port-unreachable>, which return the appropriate ICMPv6 error message (B<icmp6-port-unreachable> is the default). Finally, the option B<tcp-reset> can be used on rules which only match the TCP protocol: this causes a TCP RST packet to be sent back. This is mainly useful for blocking I<ident> (113/tcp) probes which frequently occur when sending mail to broken mail hosts (which won't accept your mail otherwise). B<tcp-reset> can only be used with kernel versions 2.6.14 or later."
4363	4637	msgstr "指定できるタイプは B<icmp6-no-route>, B<no-route>, B<icmp6-adm-prohibited>, B<adm-prohibited>, B<icmp6-addr-unreachable>, B<addr-unreach>, B<icmp6-port-unreachable>, B<port-unreach> である。指定したタイプの適切な IPv6 エラーメッセージが返される (B<port-unreach> がデフォルトである)。さらに、 TCP プロトコルにのみマッチするルールに対して、オプション B<tcp-reset> を使うことができる。このオプションを使うと、 TCP RST パケットが送り返される。主として I<ident> (113/tcp) による探査を阻止するのに役立つ。 I<ident> による探査は、壊れている (メールを受け取らない) メールホストにメールが送られる場合に頻繁に起こる。 B<tcp-reset> はバージョン 2.6.14 以降のカーネルでのみ使用できる。"
4364	4638
4365	4639	#. type: SS

		@@ -4368,7 +4642,9 @@ msgid "REJECT (IPv4-specific)"
4368	4642	msgstr "REJECT (IPv4 の場合)"
4369	4643
4370	4644	#. type: Plain text
4371		-msgid "The type given can be B<icmp-net-unreachable>, B<icmp-host-unreachable>, B<icmp-port-unreachable>, B<icmp-proto-unreachable>, B<icmp-net-prohibited>, B<icmp-host-prohibited> or B<icmp-admin-prohibited> (*) which return the appropriate ICMP error message (B<port-unreachable> is the default). The option B<tcp-reset> can be used on rules which only match the TCP protocol: this causes a TCP RST packet to be sent back. This is mainly useful for blocking I<ident> (113/tcp) probes which frequently occur when sending mail to broken mail hosts (which won't accept your mail otherwise)."
	4645	+#, fuzzy
	4646	+#\| msgid "The type given can be B<icmp-net-unreachable>, B<icmp-host-unreachable>, B<icmp-port-unreachable>, B<icmp-proto-unreachable>, B<icmp-net-prohibited>, B<icmp-host-prohibited> or B<icmp-admin-prohibited> (*) which return the appropriate ICMP error message (B<port-unreachable> is the default). The option B<tcp-reset> can be used on rules which only match the TCP protocol: this causes a TCP RST packet to be sent back. This is mainly useful for blocking I<ident> (113/tcp) probes which frequently occur when sending mail to broken mail hosts (which won't accept your mail otherwise)."
	4647	+msgid "The type given can be B<icmp-net-unreachable>, B<icmp-host-unreachable>, B<icmp-port-unreachable>, B<icmp-proto-unreachable>, B<icmp-net-prohibited>, B<icmp-host-prohibited>, or B<icmp-admin-prohibited> (*), which return the appropriate ICMP error message (B<icmp-port-unreachable> is the default). The option B<tcp-reset> can be used on rules which only match the TCP protocol: this causes a TCP RST packet to be sent back. This is mainly useful for blocking I<ident> (113/tcp) probes which frequently occur when sending mail to broken mail hosts (which won't accept your mail otherwise)."
4372	4648	msgstr "指定できるタイプは B<icmp-net-unreachable>, B<icmp-host-unreachable>, B<icmp-port-unreachable>, B<icmp-proto-unreachable>, B<icmp-net-prohibited>, B<icmp-host-prohibited>, B<icmp-admin-prohibited> (*) である。指定したタイプの適切な ICMP エラーメッセージを返す (B<port-unreachable> がデフォルトである)。 TCP プロトコルにのみマッチするルールに対して、オプション B<tcp-reset> を使うことができる。このオプションを使うと、 TCP RST パケットが送り返される。主として I<ident> (113/tcp) による探査を阻止するのに役立つ。 I<ident> による探査は、壊れている (メールを受け取らない) メールホストにメールが送られる場合に頻繁に起こる。"
4373	4649
4374	4650	#. type: Plain text

		@@ -4478,13 +4754,16 @@ msgid "Use of -j SET requires that ipset kernel support is provided, which, for
4478	4754	msgstr "-j SET を使用するには ipset のカーネルサポートが必要である。標準のカーネルでは、 Linux 2.6.39 以降で提供されている。"
4479	4755
4480	4756	#. type: SS
4481		-#, no-wrap
4482		-msgid "SNAT (IPv4-specific)"
4483		-msgstr "SNAT (IPv4 の場合)"
	4757	+#, fuzzy, no-wrap
	4758	+#\| msgid "B<SNAT>"
	4759	+msgid "SNAT"
	4760	+msgstr "B<SNAT>"
4484	4761
4485	4762	#. type: Plain text
4486		-msgid "This target is only valid in the B<nat> table, in the B<POSTROUTING> chain. It specifies that the source address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one type of option:"
4487		-msgstr "このターゲットは B<nat> テーブルの B<POSTROUTING> チェインのみで有効である。このターゲットはパケットの送信元アドレスを修正させる (このコネクションの以降のパケットも修正して分からなく (mangle) する)。さらに、ルールが評価を中止するように指示する。このターゲットにはオプションが 1 種類ある:"
	4763	+#, fuzzy
	4764	+#\| msgid "This target is only valid in the B<nat> table, in the B<PREROUTING> and B<OUTPUT> chains, and user-defined chains which are only called from those chains. It specifies that the destination address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one type of option:"
	4765	+msgid "This target is only valid in the B<nat> table, in the B<POSTROUTING> and B<INPUT> chains, and user-defined chains which are only called from those chains. It specifies that the source address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes the following options:"
	4766	+msgstr "このターゲットは B<nat> テーブルの B<PREROUTING>, B<OUTPUT> チェイン、これらのチェインから呼び出されるユーザー定義チェインのみで有効である。このターゲットはパケットの宛先アドレスを修正する (このコネクションの以降のパケットも修正して分からなく (mangle) する)。さらに、ルールによるチェックを止めさせる。このターゲットにはオプションが 1 種類ある:"
4488	4767
4489	4768	#. type: TP
4490	4769	#, no-wrap

		@@ -4492,15 +4771,31 @@ msgid "B<--to-source> [I<ipaddr>[B<->I<ipaddr>]][B<:>I<port>[B<->I<port>]]"
4492	4771	msgstr "B<--to-source> [I<ipaddr>[B<->I<ipaddr>]][B<:>I<port>[B<->I<port>]]"
4493	4772
4494	4773	#. type: Plain text
4495		-msgid "which can specify a single new source IP address, an inclusive range of IP addresses, and optionally, a port range (which is only valid if the rule also specifies B<-p tcp> or B<-p udp>). If no port range is specified, then source ports below 512 will be mapped to other ports below 512: those between 512 and 1023 inclusive will be mapped to ports below 1024, and other ports will be mapped to 1024 or above. Where possible, no port alteration will occur."
	4774	+#, fuzzy
	4775	+#\| msgid "which can specify a single new source IP address, an inclusive range of IP addresses, and optionally, a port range (which is only valid if the rule also specifies B<-p tcp> or B<-p udp>). If no port range is specified, then source ports below 512 will be mapped to other ports below 512: those between 512 and 1023 inclusive will be mapped to ports below 1024, and other ports will be mapped to 1024 or above. Where possible, no port alteration will occur."
	4776	+msgid "which can specify a single new source IP address, an inclusive range of IP addresses. Optionally a port range, if the rule also specifies one of the following protocols: B<tcp>, B<udp>, B<dccp> or B<sctp>. If no port range is specified, then source ports below 512 will be mapped to other ports below 512: those between 512 and 1023 inclusive will be mapped to ports below 1024, and other ports will be mapped to 1024 or above. Where possible, no port alteration will occur. In Kernels up to 2.6.10, you can add several --to-source options. For those kernels, if you specify more than one source address, either via an address range or multiple --to-source options, a simple round-robin (one after another in cycle) takes place between these addresses. Later Kernels (E<gt>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore."
4496	4777	msgstr "1 つの新しい送信元 IP アドレス、または IP アドレスの範囲が指定できる。ポートの範囲を指定することもできる (ルールが B<-p tcp> または B<-p udp> を指定している場合にのみ有効)。ポートの範囲が指定されていない場合、 512 未満の送信元ポートは、他の 512 未満のポートにマッピングされる。 512 〜 1023 までのポートは、 1024 未満のポートにマッピングされる。それ以外のポートは、 1024 以上のポートにマッピングされる。可能であれば、ポートの変換は起こらない。"
4497	4778
4498	4779	#. type: Plain text
4499		-msgid "In Kernels up to 2.6.10, you can add several --to-source options. For those kernels, if you specify more than one source address, either via an address range or multiple --to-source options, a simple round-robin (one after another in cycle) takes place between these addresses. Later Kernels (E<gt>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore."
4500		-msgstr "2.6.10 以前のカーネルでは、複数の --to-source オプションを指定することができる。これらのカーネルでは、アドレスの範囲指定や --to-source オプションの複数回指定により 2 つ以上の送信元アドレスを指定した場合、それらのアドレスを使った単純なラウンド・ロビンが行われる。それ以降のカーネル (E<gt>= 2.6.11-rc1) には複数の範囲を NAT する機能は存在しない。"
	4780	+msgid "If option B<--random> is used then port mapping will be randomized (kernel E<gt>= 2.6.21)."
	4781	+msgstr ""
4501	4782
4502	4783	#. type: Plain text
4503		-msgid "If option B<--random> is used then port mapping will be randomized (kernel E<gt>= 2.6.21)."
	4784	+msgid "Kernels prior to 2.6.36-rc1 don't have the ability to B<SNAT> in the B<INPUT> chain."
	4785	+msgstr ""
	4786	+
	4787	+#. type: SS
	4788	+#, fuzzy, no-wrap
	4789	+#\| msgid "SNAT (IPv4-specific)"
	4790	+msgid "SNPT (IPv6-specific)"
	4791	+msgstr "SNAT (IPv4 の場合)"
	4792	+
	4793	+#. type: Plain text
	4794	+msgid "Provides stateless source IPv6-to-IPv6 Network Prefix Translation (as described by RFC 6296)."
	4795	+msgstr ""
	4796	+
	4797	+#. type: Plain text
	4798	+msgid "You have to use the DNPT target to undo the translation. Example:"
4504	4799	msgstr ""
4505	4800
4506	4801	#. type: SS

		@@ -4779,7 +5074,9 @@ msgid "ULOG (IPv4-specific)"
4779	5074	msgstr "ULOG (IPv4 の場合)"
4780	5075
4781	5076	#. type: Plain text
4782		-msgid "This target provides userspace logging of matching packets. When this target is set for a rule, the Linux kernel will multicast this packet through a I<netlink> socket. One or more userspace processes may then subscribe to various multicast groups and receive the packets. Like LOG, this is a \"non-terminating target\", i.e. rule traversal continues at the next rule."
	5077	+#, fuzzy
	5078	+#\| msgid "This target provides userspace logging of matching packets. When this target is set for a rule, the Linux kernel will multicast this packet through a I<netlink> socket. One or more userspace processes may then subscribe to various multicast groups and receive the packets. Like LOG, this is a \"non-terminating target\", i.e. rule traversal continues at the next rule."
	5079	+msgid "This is the deprecated ipv4-only predecessor of the NFLOG target. It provides userspace logging of matching packets. When this target is set for a rule, the Linux kernel will multicast this packet through a I<netlink> socket. One or more userspace processes may then subscribe to various multicast groups and receive the packets. Like LOG, this is a \"non-terminating target\", i.e. rule traversal continues at the next rule."
4783	5080	msgstr "このターゲットは、マッチしたパケットをユーザー空間でログ記録する機能を提供する。このターゲットがルールに設定されると、 Linux カーネルは、そのパケットを I<netlink> ソケットを用いてマルチキャストする。そして、 1 つ以上のユーザー空間プロセスがいろいろなマルチキャストグループに登録をおこない、パケットを受信する。 LOG と同様、これは \"非終了ターゲット\" であり、ルールの探索は次のルールへと継続される。"
4784	5081
4785	5082	#. type: TP

		@@ -4817,3 +5114,39 @@ msgstr "B<--ulog-qthreshold> I<size>"
4817	5114	#. type: Plain text
4818	5115	msgid "Number of packet to queue inside kernel. Setting this value to, e.g. 10 accumulates ten packets inside the kernel and transmits them as one netlink multipart message to userspace. Default is 1 (for backwards compatibility)."
4819	5116	msgstr "カーネル内部のキューに入れられるパケットの数。例えば、この値を 10 にした場合、カーネル内部で 10 個のパケットをまとめ、 1 つの netlink マルチパートメッセージとしてユーザー空間に送る。 (過去のものとの互換性のため) デフォルトは 1 である。"
	5117	+
	5118	+#~ msgid "Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/) also has some examples of usage."
	5119	+#~ msgstr "Steve の ipt_recent ウェブサイト (http://snowman.net/projects/ipt_recent/) にも使用例がいくつかある。"
	5120	+
	5121	+#~ msgid "which can specify a single new destination IP address, an inclusive range of IP addresses, and optionally, a port range (which is only valid if the rule also specifies B<-p tcp> or B<-p udp>). If no port range is specified, then the destination port will never be modified. If no IP address is specified then only the destination port will be modified."
	5122	+#~ msgstr "1 つの新しい宛先 IP アドレス、または IP アドレスの範囲が指定できる。ポートの範囲を指定することもできる (これはルールで B<-p tcp> または B<-p udp> を指定している場合にのみ有効)。ポートの範囲が指定されていない場合、宛先ポートは変更されない。 IP アドレスが指定されなかった場合は、宛先ポートだけが変更される。"
	5123	+
	5124	+#~ msgid "LOG (IPv6-specific)"
	5125	+#~ msgstr "LOG (IPv6 の場合)"
	5126	+
	5127	+#~ msgid "LOG (IPv4-specific)"
	5128	+#~ msgstr "LOG (IPv4 の場合)"
	5129	+
	5130	+#~ msgid "Log options from the IP packet header."
	5131	+#~ msgstr "IP パケットヘッダーのオプションをログに記録する。"
	5132	+
	5133	+#~ msgid "MASQUERADE (IPv6-specific)"
	5134	+#~ msgstr "MASQUERADE (IPv6 の場合)"
	5135	+
	5136	+#~ msgid "This target is only valid in the B<nat> table, in the B<POSTROUTING> chain. It should only be used with dynamically assigned IPv6 (dialup) connections: if you have a static IP address, you should use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out, but also has the effect that connections are I<forgotten> when the interface goes down. This is the correct behavior when the next dialup is unlikely to have the same interface address (and hence any established connections are lost anyway)."
	5137	+#~ msgstr "このターゲットは B<nat> テーブルの B<POSTROUTING> チェインのみで有効である。動的割り当て IPv6 (ダイヤルアップ) コネクションの場合にのみ使うべきである。固定 IP アドレスならば、 SNAT ターゲットを使うべきである。マスカレーディングは、パケットが送信されるインターフェースの IP アドレスへのマッピングを指定するのと同じであるが、インターフェースが停止した場合にコネクションをI<忘れる>という効果がある。次のダイヤルアップでは同じインターフェースアドレスになる可能性が低い (そのため、前回確立されたコネクションは失われる) 場合、この動作は正しい。"
	5138	+
	5139	+#~ msgid "MASQUERADE (IPv4-specific)"
	5140	+#~ msgstr "MASQUERADE (IPv4 の場合)"
	5141	+
	5142	+#~ msgid "NETMAP (IPv4-specific)"
	5143	+#~ msgstr "NETMAP (IPv4 の場合)"
	5144	+
	5145	+#~ msgid "REDIRECT (IPv4-specific)"
	5146	+#~ msgstr "REDIRECT (IPv4 の場合)"
	5147	+
	5148	+#~ msgid "This target is only valid in the B<nat> table, in the B<POSTROUTING> chain. It specifies that the source address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one type of option:"
	5149	+#~ msgstr "このターゲットは B<nat> テーブルの B<POSTROUTING> チェインのみで有効である。このターゲットはパケットの送信元アドレスを修正させる (このコネクションの以降のパケットも修正して分からなく (mangle) する)。さらに、ルールが評価を中止するように指示する。このターゲットにはオプションが 1 種類ある:"
	5150	+
	5151	+#~ msgid "In Kernels up to 2.6.10, you can add several --to-source options. For those kernels, if you specify more than one source address, either via an address range or multiple --to-source options, a simple round-robin (one after another in cycle) takes place between these addresses. Later Kernels (E<gt>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore."
	5152	+#~ msgstr "2.6.10 以前のカーネルでは、複数の --to-source オプションを指定することができる。これらのカーネルでは、アドレスの範囲指定や --to-source オプションの複数回指定により 2 つ以上の送信元アドレスを指定した場合、それらのアドレスを使った単純なラウンド・ロビンが行われる。それ以降のカーネル (E<gt>= 2.6.11-rc1) には複数の範囲を NAT する機能は存在しない。"

--- a/po4a/man8/iptables-restore.8.ja.po

+++ b/po4a/man8/iptables-restore.8.ja.po

		@@ -6,7 +6,7 @@
6	6	msgid ""
7	7	msgstr ""
8	8	"Project-Id-Version: PACKAGE VERSION\n"
9		-"POT-Creation-Date: 2013-04-08 14:07+0900\n"
	9	+"POT-Creation-Date: 2014-05-07 04:08+0900\n"
10	10	"PO-Revision-Date: 2013-04-08 16:21+0900\n"
11	11	"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
12	12	"Language-Team: LANGUAGE <LL@li.org>\n"

		@@ -22,8 +22,8 @@ msgstr "IPTABLES-RESTORE"
22	22
23	23	#. type: TH
24	24	#, no-wrap
25		-msgid "Jan 04, 2001"
26		-msgstr "Jan 04, 2001"
	25	+msgid "iptables 1.4.21"
	26	+msgstr ""
27	27
28	28	#. Man page written by Harald Welte <laforge@gnumonks.org>
29	29	#. It is based on the iptables man page.

		@@ -47,13 +47,27 @@ msgstr "名前"
47	47	msgid "iptables-restore \\(em Restore IP Tables"
48	48	msgstr "iptables-restore \\(em IP テーブルを復元する"
49	49
	50	+#. type: Plain text
	51	+#, fuzzy
	52	+#\| msgid "iptables-restore \\(em Restore IP Tables"
	53	+msgid "ip6tables-restore \\(em Restore IPv6 Tables"
	54	+msgstr "iptables-restore \\(em IP テーブルを復元する"
	55	+
50	56	#. type: SH
51	57	#, no-wrap
52	58	msgid "SYNOPSIS"
53	59	msgstr "書式"
54	60
55	61	#. type: Plain text
56		-msgid "B<iptables-restore> [B<-chntv>] [B<-M> I<modprobe>] [B<-T> I<name>]"
	62	+#, fuzzy
	63	+#\| msgid "B<iptables-restore> [B<-chntv>] [B<-M> I<modprobe>] [B<-T> I<name>]"
	64	+msgid "B<iptables-restore> [B<-chntv>] [B<-M> I<modprobe>]"
	65	+msgstr "B<iptables-restore> [B<-chntv>] [B<-M> I<modprobe>] [B<-T> I<name>]"
	66	+
	67	+#. type: Plain text
	68	+#, fuzzy
	69	+#\| msgid "B<iptables-restore> [B<-chntv>] [B<-M> I<modprobe>] [B<-T> I<name>]"
	70	+msgid "B<ip6tables-restore> [B<-chntv>] [B<-M> I<modprobe>] [B<-T> I<name>]"
57	71	msgstr "B<iptables-restore> [B<-chntv>] [B<-M> I<modprobe>] [B<-T> I<name>]"
58	72
59	73	#. type: SH

		@@ -62,7 +76,9 @@ msgid "DESCRIPTION"
62	76	msgstr "説明"
63	77
64	78	#. type: Plain text
65		-msgid "B<iptables-restore> is used to restore IP Tables from data specified on STDIN. Use I/O redirection provided by your shell to read from a file"
	79	+#, fuzzy
	80	+#\| msgid "B<iptables-restore> is used to restore IP Tables from data specified on STDIN. Use I/O redirection provided by your shell to read from a file"
	81	+msgid "B<iptables-restore> and B<ip6tables-restore> are used to restore IP and IPv6 Tables from data specified on STDIN. Use I/O redirection provided by your shell to read from a file"
66	82	msgstr "B<iptables-restore> は標準入力で指定されたデータから IP テーブルを復元するために使われる。ファイルから読み込むためには、シェルで提供されている I/O リダイレクションを使うこと。"
67	83
68	84	#. type: TP

		@@ -84,12 +100,15 @@ msgid "Print a short option summary."
84	100	msgstr "簡潔なオプション一覧を表示する。"
85	101
86	102	#. type: TP
87		-#, no-wrap
88		-msgid "B<-n>, B<--noflush> "
	103	+#, fuzzy, no-wrap
	104	+#\| msgid "B<-n>, B<--noflush> "
	105	+msgid "B<-n>, B<--noflush>"
89	106	msgstr "B<-n>, B<--noflush> "
90	107
91	108	#. type: Plain text
92		-msgid "don't flush the previous contents of the table. If not specified, B<iptables-restore> flushes (deletes) all previous contents of the respective table."
	109	+#, fuzzy
	110	+#\| msgid "don't flush the previous contents of the table. If not specified, B<iptables-restore> flushes (deletes) all previous contents of the respective table."
	111	+msgid "don't flush the previous contents of the table. If not specified, both commands flush (delete) all previous contents of the respective table."
93	112	msgstr "これまでのテーブルの内容をフラッシュしない。指定されない場合、 B<iptables-restore> は、これまでの各テーブルの内容を全てフラッシュ (削除) する。"
94	113
95	114	#. type: TP

		@@ -138,14 +157,21 @@ msgid "None known as of iptables-1.2.1 release"
138	157	msgstr "iptables-1.2.1 リリースでは知られていない。"
139	158
140	159	#. type: SH
141		-#, no-wrap
142		-msgid "AUTHOR"
	160	+#, fuzzy, no-wrap
	161	+#\| msgid "AUTHOR"
	162	+msgid "AUTHORS"
143	163	msgstr "作者"
144	164
145	165	#. type: Plain text
146		-msgid "Harald Welte E<lt>laforge@gnumonks.orgE<gt>"
	166	+#, fuzzy
	167	+#\| msgid "Harald Welte E<lt>laforge@gnumonks.orgE<gt>"
	168	+msgid "Harald Welte E<lt>laforge@gnumonks.orgE<gt> wrote iptables-restore based on code from Rusty Russell."
147	169	msgstr "Harald Welte E<lt>laforge@gnumonks.orgE<gt>"
148	170
	171	+#. type: Plain text
	172	+msgid "Andras Kis-Szabo E<lt>kisza@sch.bme.huE<gt> contributed ip6tables-restore."
	173	+msgstr ""
	174	+
149	175	#. type: SH
150	176	#, no-wrap
151	177	msgid "SEE ALSO"

		@@ -158,3 +184,6 @@ msgstr "B<iptables-save>(8), B<iptables>(8)"
158	184	#. type: Plain text
159	185	msgid "The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO, which details NAT, and the netfilter-hacking-HOWTO which details the internals."
160	186	msgstr "より多くの iptables の使用法について詳細に説明している iptables-HOWTO。 NAT について詳細に説明している NAT-HOWTO。内部構造について詳細に説明している netfilter-hacking-HOWTO。"
	187	+
	188	+#~ msgid "Jan 04, 2001"
	189	+#~ msgstr "Jan 04, 2001"

--- a/po4a/man8/iptables-save.8.ja.po

+++ b/po4a/man8/iptables-save.8.ja.po

		@@ -6,7 +6,7 @@
6	6	msgid ""
7	7	msgstr ""
8	8	"Project-Id-Version: PACKAGE VERSION\n"
9		-"POT-Creation-Date: 2013-04-08 14:07+0900\n"
	9	+"POT-Creation-Date: 2014-05-07 04:08+0900\n"
10	10	"PO-Revision-Date: 2013-04-08 14:54+0900\n"
11	11	"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
12	12	"Language-Team: LANGUAGE <LL@li.org>\n"

		@@ -22,8 +22,8 @@ msgstr "IPTABLES-SAVE"
22	22
23	23	#. type: TH
24	24	#, no-wrap
25		-msgid "Jan 04, 2001"
26		-msgstr "Jan 04, 2001"
	25	+msgid "iptables 1.4.21"
	26	+msgstr ""
27	27
28	28	#. Man page written by Harald Welte <laforge@gnumonks.org>
29	29	#. It is based on the iptables man page.

		@@ -47,6 +47,12 @@ msgstr "名前"
47	47	msgid "iptables-save \\(em dump iptables rules to stdout"
48	48	msgstr "iptables-save \\(em iptables ルールを標準出力にダンプする"
49	49
	50	+#. type: Plain text
	51	+#, fuzzy
	52	+#\| msgid "iptables-save \\(em dump iptables rules to stdout"
	53	+msgid "ip6tables-save \\(em dump iptables rules to stdout"
	54	+msgstr "iptables-save \\(em iptables ルールを標準出力にダンプする"
	55	+
50	56	#. type: SH
51	57	#, no-wrap
52	58	msgid "SYNOPSIS"

		@@ -56,13 +62,21 @@ msgstr "書式"
56	62	msgid "B<iptables-save> [B<-M> I<modprobe>] [B<-c>] [B<-t> I<table>]"
57	63	msgstr "B<iptables-save> [B<-M> I<modprobe>] [B<-c>] [B<-t> I<table>]"
58	64
	65	+#. type: Plain text
	66	+#, fuzzy
	67	+#\| msgid "B<iptables-save> [B<-M> I<modprobe>] [B<-c>] [B<-t> I<table>]"
	68	+msgid "B<ip6tables-save> [B<-M> I<modprobe>] [B<-c>] [B<-t> I<table>"
	69	+msgstr "B<iptables-save> [B<-M> I<modprobe>] [B<-c>] [B<-t> I<table>]"
	70	+
59	71	#. type: SH
60	72	#, no-wrap
61	73	msgid "DESCRIPTION"
62	74	msgstr "説明"
63	75
64	76	#. type: Plain text
65		-msgid "B<iptables-save> is used to dump the contents of an IP Table in easily parseable format to STDOUT. Use I/O-redirection provided by your shell to write to a file."
	77	+#, fuzzy
	78	+#\| msgid "B<iptables-save> is used to dump the contents of an IP Table in easily parseable format to STDOUT. Use I/O-redirection provided by your shell to write to a file."
	79	+msgid "B<iptables-save> and B<ip6tables-save> are used to dump the contents of IP or IPv6 Table in easily parseable format to STDOUT. Use I/O-redirection provided by your shell to write to a file."
66	80	msgstr "B<iptables-save> は IP テーブルの内容を簡単に解析できる形式で標準出力にダンプするために使われる。ファイルに書き出すためには、シェルで提供されている I/O リダイレクションを使うこと。"
67	81
68	82	#. type: TP

		@@ -102,14 +116,23 @@ msgid "None known as of iptables-1.2.1 release"
102	116	msgstr "iptables-1.2.1 リリースでは知られていない。"
103	117
104	118	#. type: SH
105		-#, no-wrap
106		-msgid "AUTHOR"
	119	+#, fuzzy, no-wrap
	120	+#\| msgid "AUTHOR"
	121	+msgid "AUTHORS"
107	122	msgstr "作者"
108	123
109	124	#. type: Plain text
110	125	msgid "Harald Welte E<lt>laforge@gnumonks.orgE<gt>"
111	126	msgstr "Harald Welte E<lt>laforge@gnumonks.orgE<gt>"
112	127
	128	+#. type: Plain text
	129	+msgid "Rusty Russell E<lt>rusty@rustcorp.com.auE<gt>"
	130	+msgstr ""
	131	+
	132	+#. type: Plain text
	133	+msgid "Andras Kis-Szabo E<lt>kisza@sch.bme.huE<gt> contributed ip6tables-save."
	134	+msgstr ""
	135	+
113	136	#. type: SH
114	137	#, no-wrap
115	138	msgid "SEE ALSO"

		@@ -122,3 +145,6 @@ msgstr "B<iptables-restore>(8), B<iptables>(8)"
122	145	#. type: Plain text
123	146	msgid "The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO, which details NAT, and the netfilter-hacking-HOWTO which details the internals."
124	147	msgstr "より多くの iptables の使用法について詳細に説明している iptables-HOWTO。 NAT について詳細に説明している NAT-HOWTO。内部構造について詳細に説明している netfilter-hacking-HOWTO。"
	148	+
	149	+#~ msgid "Jan 04, 2001"
	150	+#~ msgstr "Jan 04, 2001"

--- a/po4a/man8/iptables.8.ja.po

+++ b/po4a/man8/iptables.8.ja.po

		@@ -6,7 +6,7 @@
6	6	msgid ""
7	7	msgstr ""
8	8	"Project-Id-Version: PACKAGE VERSION\n"
9		-"POT-Creation-Date: 2013-04-08 14:07+0900\n"
	9	+"POT-Creation-Date: 2014-05-07 04:08+0900\n"
10	10	"PO-Revision-Date: 2013-05-24 16:53+0900\n"
11	11	"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
12	12	"Language-Team: LANGUAGE <LL@li.org>\n"

		@@ -21,8 +21,9 @@ msgid "IPTABLES"
21	21	msgstr "IPTABLES"
22	22
23	23	#. type: TH
24		-#, no-wrap
25		-msgid "iptables 1.4.18"
	24	+#, fuzzy, no-wrap
	25	+#\| msgid "iptables 1.4.18"
	26	+msgid "iptables 1.4.21"
26	27	msgstr "iptables 1.4.18"
27	28
28	29	#. Man page written by Herve Eychenne <rv@wallfire.org> (May 1999)

		@@ -47,7 +48,9 @@ msgid "NAME"
47	48	msgstr "名前"
48	49
49	50	#. type: Plain text
50		-msgid "iptables \\(em administration tool for IPv4 packet filtering and NAT"
	51	+#, fuzzy
	52	+#\| msgid "iptables \\(em administration tool for IPv4 packet filtering and NAT"
	53	+msgid "iptables/ip6tables \\(em administration tool for IPv4/IPv6 packet filtering and NAT"
51	54	msgstr "iptables \\(em IPv4 のパケットフィルタと NAT の管理ツール"
52	55
53	56	#. type: SH

		@@ -60,6 +63,12 @@ msgid "B<iptables> [B<-t> I<table>] {B<-A>\|B<-C>\|B<-D>} I<chain> I<rule-specific
60	63	msgstr "B<iptables> [B<-t> I<table>] {B<-A>\|B<-C>\|B<-D>} I<chain> I<rule-specification>"
61	64
62	65	#. type: Plain text
	66	+#, fuzzy
	67	+#\| msgid "B<iptables> [B<-t> I<table>] {B<-A>\|B<-C>\|B<-D>} I<chain> I<rule-specification>"
	68	+msgid "B<ip6tables> [B<-t> I<table>] {B<-A>\|B<-C>\|B<-D>} I<chain rule-specification>"
	69	+msgstr "B<iptables> [B<-t> I<table>] {B<-A>\|B<-C>\|B<-D>} I<chain> I<rule-specification>"
	70	+
	71	+#. type: Plain text
63	72	msgid "B<iptables> [B<-t> I<table>] B<-I> I<chain> [I<rulenum>] I<rule-specification>"
64	73	msgstr "B<iptables> [B<-t> I<table>] B<-I> I<chain> [I<rulenum>] I<rule-specification>"
65	74

		@@ -113,7 +122,9 @@ msgid "DESCRIPTION"
113	122	msgstr "説明"
114	123
115	124	#. type: Plain text
116		-msgid "B<Iptables> is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains."
	125	+#, fuzzy
	126	+#\| msgid "B<Iptables> is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains."
	127	+msgid "B<Iptables> and B<ip6tables> are used to set up, maintain, and inspect the tables of IPv4 and IPv6 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains."
117	128	msgstr "B<iptables> は Linux カーネルの IPv4 パケットフィルタルールのテーブルの設定・管理・検査に使用される。複数の異なるテーブルを定義できる。各テーブルには数個の組み込みチェインがあり、さらにユーザー定義のチェインを加えることもできる。"
118	129
119	130	#. type: Plain text

		@@ -126,11 +137,15 @@ msgid "TARGETS"
126	137	msgstr "ターゲット"
127	138
128	139	#. type: Plain text
129		-msgid "A firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is the examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values B<ACCEPT>, B<DROP>, B<QUEUE> or B<RETURN>."
	140	+#, fuzzy
	141	+#\| msgid "A firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is the examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values B<ACCEPT>, B<DROP>, B<QUEUE> or B<RETURN>."
	142	+msgid "A firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain, one of the targets described in B<iptables-extensions>(8), or one of the special values B<ACCEPT>, B<DROP> or B<RETURN>."
130	143	msgstr "ファイアウォールのルールでは、パケットのマッチ条件とターゲットを指定する。パケットがマッチしない場合、チェイン内の次のルールが評価される。パケットがマッチした場合、ターゲットの値によって次のルールが指定される。ターゲットの値には、ユーザー定義チェインの名前、もしくは特別な値 B<ACCEPT>, B<DROP>, B<QUEUE>, B<RETURN> のいずれか 1 つを指定する。"
131	144
132	145	#. type: Plain text
133		-msgid "B<ACCEPT> means to let the packet through. B<DROP> means to drop the packet on the floor. B<QUEUE> means to pass the packet to userspace. (How the packet can be received by a userspace process differs by the particular queue handler. 2.4.x and 2.6.x kernels up to 2.6.13 include the B<ip_queue> queue handler. Kernels 2.6.14 and later additionally include the B<nfnetlink_queue> queue handler. Packets with a target of QUEUE will be sent to queue number '0' in this case. Please also see the B<NFQUEUE> target as described later in this man page.) B<RETURN> means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target B<RETURN> is matched, the target specified by the chain policy determines the fate of the packet."
	146	+#, fuzzy
	147	+#\| msgid "B<ACCEPT> means to let the packet through. B<DROP> means to drop the packet on the floor. B<QUEUE> means to pass the packet to userspace. (How the packet can be received by a userspace process differs by the particular queue handler. 2.4.x and 2.6.x kernels up to 2.6.13 include the B<ip_queue> queue handler. Kernels 2.6.14 and later additionally include the B<nfnetlink_queue> queue handler. Packets with a target of QUEUE will be sent to queue number '0' in this case. Please also see the B<NFQUEUE> target as described later in this man page.) B<RETURN> means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target B<RETURN> is matched, the target specified by the chain policy determines the fate of the packet."
	148	+msgid "B<ACCEPT> means to let the packet through. B<DROP> means to drop the packet on the floor. B<RETURN> means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target B<RETURN> is matched, the target specified by the chain policy determines the fate of the packet."
134	149	msgstr "B<ACCEPT> はパケット通過、 B<DROP> はパケット廃棄を意味する。 B<QUEUE> はそのパケットをユーザー空間に渡すという意味である。 (ユーザー空間プロセスがパケットをどのように受信するかは、個々のキューハンドラにより異なる。バージョン 2.4.x および 2.6.13 までの 2.6.x のカーネルでは B<ip_queue> キューハンドラが読み込まれる。バージョン 2.6.14 以降のカーネルでは、これに加えて B<nfnetlink_queue> キューハンドラも利用できる。ターゲットが QUEUE のパケットは、キュー番号 '0' に送信される。この man ページの後ろの方で説明されている B<NFQUEUE> ターゲットについても参照のこと。) B<RETURN> は、このチェインを辿るのを中止して、前の (呼び出し元) チェインの次のルールから再開するという意味である。組み込みチェインの最後に到達した場合、または組み込みチェインでターゲット B<RETURN> を持つルールにマッチした場合、パケットをどのように処理するかは、そのチェインのポリシーで指定されたターゲットにより決まる。"
135	150
136	151	#. type: SH

		@@ -170,7 +185,9 @@ msgid "B<nat>:"
170	185	msgstr "B<nat>:"
171	186
172	187	#. type: Plain text
173		-msgid "This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: B<PREROUTING> (for altering packets as soon as they come in), B<OUTPUT> (for altering locally-generated packets before routing), and B<POSTROUTING> (for altering packets as they are about to go out)."
	188	+#, fuzzy
	189	+#\| msgid "This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: B<PREROUTING> (for altering packets as soon as they come in), B<OUTPUT> (for altering locally-generated packets before routing), and B<POSTROUTING> (for altering packets as they are about to go out)."
	190	+msgid "This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: B<PREROUTING> (for altering packets as soon as they come in), B<OUTPUT> (for altering locally-generated packets before routing), and B<POSTROUTING> (for altering packets as they are about to go out). IPv6 NAT support is available since kernel 3.7."
174	191	msgstr "このテーブルは新しい接続を開くパケットの場合に参照される。 B<PREROUTING> (パケットが入ってきた場合、すぐにそのパケットを変換するためのチェイン)、 B<OUTPUT> (ローカルで生成されたパケットをルーティングの前に変換するためのチェイン)、 B<POSTROUTING> (パケットが出て行くときに変換するためのチェイン) という 3 つの組み込みチェインがある。"
175	192
176	193	#. type: TP

		@@ -206,7 +223,9 @@ msgid "OPTIONS"
206	223	msgstr "オプション"
207	224
208	225	#. type: Plain text
209		-msgid "The options that are recognized by B<iptables> can be divided into several different groups."
	226	+#, fuzzy
	227	+#\| msgid "The options that are recognized by B<iptables> can be divided into several different groups."
	228	+msgid "The options that are recognized by B<iptables> and B<ip6tables> can be divided into several different groups."
210	229	msgstr "B<iptables> で使えるオプションは、いくつかのグループに分けられる。"
211	230
212	231	#. type: SS

		@@ -378,8 +397,10 @@ msgid "B<-4>, B<--ipv4>"
378	397	msgstr "B<-4>, B<--ipv4>"
379	398
380	399	#. type: Plain text
381		-msgid "This option has no effect in iptables and iptables-restore."
382		-msgstr "このオプションは iptables と iptables-restore では効果を持たない。"
	400	+#, fuzzy
	401	+#\| msgid "If a rule using the B<-6> option is inserted with (and only with) iptables-restore, it will be silently ignored. Any other uses will throw an error. This option allows to put both IPv4 and IPv6 rules in a single rule file for use with both iptables-restore and ip6tables-restore."
	402	+msgid "This option has no effect in iptables and iptables-restore. If a rule using the B<-4> option is inserted with (and only with) ip6tables-restore, it will be silently ignored. Any other uses will throw an error. This option allows to put both IPv4 and IPv6 rules in a single rule file for use with both iptables-restore and ip6tables-restore."
	403	+msgstr "B<-6> オプションを使ったルールを iptables-restore で挿入された場合、(この場合に限り) そのルールは黙って無視される。それ以外の使い方をした場合はエラーが発生する。このオプションを使うと、 IPv4 と IPv6 の両方のルールを一つのルールファイルに記述し、iptables-restore と ip6tables-restore の両方でそのファイルを使うことができる。"
383	404
384	405	#. type: TP
385	406	#, no-wrap

		@@ -387,7 +408,9 @@ msgid "B<-6>, B<--ipv6>"
387	408	msgstr "B<-6>, B<--ipv6>"
388	409
389	410	#. type: Plain text
390		-msgid "If a rule using the B<-6> option is inserted with (and only with) iptables-restore, it will be silently ignored. Any other uses will throw an error. This option allows to put both IPv4 and IPv6 rules in a single rule file for use with both iptables-restore and ip6tables-restore."
	411	+#, fuzzy
	412	+#\| msgid "If a rule using the B<-6> option is inserted with (and only with) iptables-restore, it will be silently ignored. Any other uses will throw an error. This option allows to put both IPv4 and IPv6 rules in a single rule file for use with both iptables-restore and ip6tables-restore."
	413	+msgid "If a rule using the B<-6> option is inserted with (and only with) iptables-restore, it will be silently ignored. Any other uses will throw an error. This option allows to put both IPv4 and IPv6 rules in a single rule file for use with both iptables-restore and ip6tables-restore. This option has no effect in ip6tables and ip6tables-restore."
391	414	msgstr "B<-6> オプションを使ったルールを iptables-restore で挿入された場合、(この場合に限り) そのルールは黙って無視される。それ以外の使い方をした場合はエラーが発生する。このオプションを使うと、 IPv4 と IPv6 の両方のルールを一つのルールファイルに記述し、iptables-restore と ip6tables-restore の両方でそのファイルを使うことができる。"
392	415
393	416	#. type: TP

		@@ -396,7 +419,9 @@ msgid "[B<!>] B<-p>, B<--protocol> I<protocol>"
396	419	msgstr "[B<!>] B<-p>, B<--protocol> I<protocol>"
397	420
398	421	#. type: Plain text
399		-msgid "The protocol of the rule or of the packet to check. The specified protocol can be one of B<tcp>, B<udp>, B<udplite>, B<icmp>, B<esp>, B<ah>, B<sctp> or the special keyword \"B<all>\", or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A \"!\" argument before the protocol inverts the test. The number zero is equivalent to B<all>. \"B<all>\" will match with all protocols and is taken as default when this option is omitted."
	422	+#, fuzzy
	423	+#\| msgid "The protocol of the rule or of the packet to check. The specified protocol can be one of B<tcp>, B<udp>, B<udplite>, B<icmp>, B<esp>, B<ah>, B<sctp> or the special keyword \"B<all>\", or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A \"!\" argument before the protocol inverts the test. The number zero is equivalent to B<all>. \"B<all>\" will match with all protocols and is taken as default when this option is omitted."
	424	+msgid "The protocol of the rule or of the packet to check. The specified protocol can be one of B<tcp>, B<udp>, B<udplite>, B<icmp>, B<icmpv6>,B<esp>, B<ah>, B<sctp>, B<mh> or the special keyword \"B<all>\", or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A \"!\" argument before the protocol inverts the test. The number zero is equivalent to B<all>. \"B<all>\" will match with all protocols and is taken as default when this option is omitted. Note that, in ip6tables, IPv6 extension headers except B<esp> are not allowed. B<esp> and B<ipv6-nonext> can be used with Kernel version 2.6.11 or later. The number zero is equivalent to B<all>, which means that you cannot test the protocol field for the value 0 directly. To match on a HBH header, even if it were the last, you cannot use B<-p 0>, but always need B<-m hbh>."
400	425	msgstr "ルールで使われるプロトコル、またはチェックされるパケットのプロトコル。指定できるプロトコルは、 B<tcp>, B<udp>, B<udplite>, B<icmp>, B<esp>, B<ah>, B<sctp> と特別なキーワード B<all> のいずれか 1 つか、または数値である。数値には、これらのプロトコルのどれか、またはそれ以外のプロトコルを表す数値を指定することができる。 /etc/protocols にあるプロトコル名も指定できる。プロトコルの前に \"!\" を置くと、そのプロトコルを除外するという意味になる。数値 0 は B<all> と等しい。 \"B<all>\" は全てのプロトコルとマッチし、このオプションが省略された際のデフォルトである。"
401	426
402	427	#. type: TP

		@@ -405,7 +430,9 @@ msgid "[B<!>] B<-s>, B<--source> I<address>[B</>I<mask>][B<,>I<...>]"
405	430	msgstr "[B<!>] B<-s>, B<--source> I<address>[B</>I<mask>][B<,>I<...>]"
406	431
407	432	#. type: Plain text
408		-msgid "Source specification. I<Address> can be either a network name, a hostname, a network IP address (with B</>I<mask>), or a plain IP address. Hostnames will be resolved once only, before the rule is submitted to the kernel. Please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea. The I<mask> can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of I<24> is equivalent to I<255.255.255.0>. A \"!\" argument before the address specification inverts the sense of the address. The flag B<--src> is an alias for this option. Multiple addresses can be specified, but this will B<expand to multiple rules> (when adding with -A), or will cause multiple rules to be deleted (with -D)."
	433	+#, fuzzy
	434	+#\| msgid "Source specification. I<Address> can be either a network name, a hostname, a network IP address (with B</>I<mask>), or a plain IP address. Hostnames will be resolved once only, before the rule is submitted to the kernel. Please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea. The I<mask> can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of I<24> is equivalent to I<255.255.255.0>. A \"!\" argument before the address specification inverts the sense of the address. The flag B<--src> is an alias for this option. Multiple addresses can be specified, but this will B<expand to multiple rules> (when adding with -A), or will cause multiple rules to be deleted (with -D)."
	435	+msgid "Source specification. I<Address> can be either a network name, a hostname, a network IP address (with B</>I<mask>), or a plain IP address. Hostnames will be resolved once only, before the rule is submitted to the kernel. Please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea. The I<mask> can be either an ipv4 network mask (for iptables) or a plain number, specifying the number of 1's at the left side of the network mask. Thus, an iptables mask of I<24> is equivalent to I<255.255.255.0>. A \"!\" argument before the address specification inverts the sense of the address. The flag B<--src> is an alias for this option. Multiple addresses can be specified, but this will B<expand to multiple rules> (when adding with -A), or will cause multiple rules to be deleted (with -D)."
409	436	msgstr "送信元の指定。 I<address> はホスト名、ネットワーク IP アドレス (B</>I<mask> を指定する)、通常の IP アドレスのいずれかである。ホスト名の解決は、カーネルにルールが登録される前に一度だけ行われる。 DNS のようなリモートへの問い合わせで解決する名前を指定するのは非常に良くないことである。 I<mask> には、ネットワークマスクか、ネットワークマスクの左側にある 1 の数を表す数値を指定する。つまり、 I<24> という mask は I<255.255.255.0> と同じである。アドレス指定の前に \"!\" を置くと、そのアドレスを除外するという意味になる。フラグ B<--src> は、このオプションの別名である。複数のアドレスを指定することができるが、その場合は (-A での追加であれば) B<複数のルールに展開され>、 (-D での削除であれば) 複数のルールが削除されることになる。"
410	437
411	438	#. type: TP

		@@ -468,7 +495,9 @@ msgid "[B<!>] B<-f>, B<--fragment>"
468	495	msgstr "[B<!>] B<-f>, B<--fragment>"
469	496
470	497	#. type: Plain text
471		-msgid "This means that the rule only refers to second and further fragments of fragmented packets. Since there is no way to tell the source or destination ports of such a packet (or ICMP type), such a packet will not match any rules which specify them. When the \"!\" argument precedes the \"-f\" flag, the rule will only match head fragments, or unfragmented packets."
	498	+#, fuzzy
	499	+#\| msgid "This means that the rule only refers to second and further fragments of fragmented packets. Since there is no way to tell the source or destination ports of such a packet (or ICMP type), such a packet will not match any rules which specify them. When the \"!\" argument precedes the \"-f\" flag, the rule will only match head fragments, or unfragmented packets."
	500	+msgid "This means that the rule only refers to second and further IPv4 fragments of fragmented packets. Since there is no way to tell the source or destination ports of such a packet (or ICMP type), such a packet will not match any rules which specify them. When the \"!\" argument precedes the \"-f\" flag, the rule will only match head fragments, or unfragmented packets. This option is IPv4 specific, it is not available in ip6tables."
472	501	msgstr "分割されたパケット (fragmented packet) のうち 2 番目以降のパケットだけを参照するルールであることを意味する。このようなパケット (または ICMP タイプのパケット) は送信元ポートと宛先ポートを知る方法がないので、送信元ポートや宛先ポートを指定するようなルールにはマッチしない。 \"-f\" フラグの前に \"!\" を置くと、分割されたパケットのうち最初のフラグメントか、分割されていないパケットだけにマッチする。"
473	502
474	503	#. type: TP

		@@ -499,6 +528,16 @@ msgid "Verbose output. This option makes the list command show the interface na
499	528	msgstr "詳細な出力を行う。 list コマンドの際に、インターフェース名、ルールのオプション (ある場合のみ)、 TOS マスクを表示させる。パケットとバイトカウンタも表示される。添字 'K', 'M', 'G' は、それぞれ 1000, 1,000,000, 1,000,000,000 倍を表す (これを変更する B<-x> フラグも見よ)。このオプションを append, insert, delete, replace コマンドに適用すると、ルールについての詳細な情報を表示する。 B<-v> は複数回指定することができ、数が多くなるとより多くのデバッグ情報が出力される。"
500	529
501	530	#. type: TP
	531	+#, fuzzy, no-wrap
	532	+#\| msgid "B<-x>, B<--exact>"
	533	+msgid "B<-w>, B<--wait>"
	534	+msgstr "B<-x>, B<--exact>"
	535	+
	536	+#. type: Plain text
	537	+msgid "Wait for the xtables lock. To prevent multiple instances of the program from running concurrently, an attempt will be made to obtain an exclusive lock at launch. By default, the program will exit if the lock cannot be obtained. This option will make the program wait until the exclusive lock can be obtained."
	538	+msgstr ""
	539	+
	540	+#. type: TP
502	541	#, no-wrap
503	542	msgid "B<-n>, B<--numeric>"
504	543	msgstr "B<-n>, B<--numeric>"

		@@ -599,7 +638,9 @@ msgid "SEE ALSO"
599	638	msgstr "関連項目"
600	639
601	640	#. type: Plain text
602		-msgid "B<iptables-apply>(8), B<iptables-save>(8), B<iptables-restore>(8), B<iptables-extensions>(8), B<ip6tables>(8), B<ip6tables-save>(8), B<ip6tables-restore>(8), B<libipq>(3)."
	641	+#, fuzzy
	642	+#\| msgid "B<iptables-apply>(8), B<iptables-save>(8), B<iptables-restore>(8), B<iptables-extensions>(8), B<ip6tables>(8), B<ip6tables-save>(8), B<ip6tables-restore>(8), B<libipq>(3)."
	643	+msgid "B<iptables-apply>(8), B<iptables-save>(8), B<iptables-restore>(8), B<iptables-extensions>(8),"
603	644	msgstr "B<iptables-apply>(8), B<iptables-save>(8), B<iptables-restore>(8), B<iptables-extensions>(8), B<ip6tables>(8), B<ip6tables-save>(8), B<ip6tables-restore>(8), B<libipq>(3)."
604	645
605	646	#. type: Plain text

		@@ -653,5 +694,10 @@ msgid "VERSION"
653	694	msgstr "バージョン"
654	695
655	696	#. type: Plain text
656		-msgid "This manual page applies to iptables 1.4.18."
	697	+#, fuzzy
	698	+#\| msgid "This manual page applies to iptables 1.4.18."
	699	+msgid "This manual page applies to iptables/ip6tables 1.4.21."
657	700	msgstr "この man ページは iptables 1.4.18 について説明している。"
	701	+
	702	+#~ msgid "This option has no effect in iptables and iptables-restore."
	703	+#~ msgstr "このオプションは iptables と iptables-restore では効果を持たない。"

--- a/translation_list

+++ b/translation_list

		@@ -1,20 +1,20 @@
1		-○:iptables:1.4.18:2012/03/27:iptables-xml:1:2014/05/07::amotoki@gmail.com:Akihiro Motoki:
2		-×:iptables:1.4.18:2012/03/27:ipq_create_handle:3:::::
3		-※:iptables:1.4.18:2012/03/27:ipq_destroy_handle:3:ipq_create_handle:3:
4		-×:iptables:1.4.18:2012/03/27:ipq_errstr:3:::::
5		-※:iptables:1.4.18:2012/03/27:ipq_get_msgerr:3:ipq_message_type:3:
6		-※:iptables:1.4.18:2012/03/27:ipq_get_packet:3:ipq_message_type:3:
7		-×:iptables:1.4.18:2012/03/27:ipq_message_type:3:::::
8		-※:iptables:1.4.18:2012/03/27:ipq_perror:3:ipq_errstr:3:
9		-×:iptables:1.4.18:2012/03/27:ipq_read:3:::::
10		-×:iptables:1.4.18:2012/03/27:ipq_set_mode:3:::::
11		-×:iptables:1.4.18:2012/03/27:ipq_set_verdict:3:::::
12		-×:iptables:1.4.18:2012/03/27:libipq:3:::::
13		-○:iptables:1.4.18:2013/03/03:ip6tables:8:2014/05/06::amotoki@gmail.com:Akihiro Motoki:
14		-○:iptables:1.4.18:2013/03/03:ip6tables-restore:8:2014/05/06::amotoki@gmail.com:Akihiro Motoki:
15		-○:iptables:1.4.18:2012/03/27:ip6tables-save:8:2014/05/06::amotoki@gmail.com:Akihiro Motoki:
16		-○:iptables:1.4.18:2013/03/03:iptables:8:2014/05/06::amotoki@gmail.com:Akihiro Motoki:
17		-○:iptables:1.4.18:2013/03/03:iptables-apply:8:2014/05/06::amotoki@gmail.com:Akihiro Motoki:
18		-○:iptables:1.4.18:2013/03/03:iptables-extensions:8:2014/05/07::amotoki@gmail.com:Akihiro Motoki:
19		-○:iptables:1.4.18:2013/03/03:iptables-restore:8:2014/05/06::amotoki@gmail.com:Akihiro Motoki:
20		-○:iptables:1.4.18:2012/03/27:iptables-save:8:2014/05/06::amotoki@gmail.com:Akihiro Motoki:
	1	+☆:iptables:1.4.18=>1.4.21:2013/11/22:iptables-xml:1:2014/05/07::amotoki@gmail.com:Akihiro Motoki:
	2	+×:iptables:1.4.21:2012/03/27:ipq_create_handle:3:::::
	3	+※:iptables:1.4.21:2012/03/27:ipq_destroy_handle:3:ipq_create_handle:3:
	4	+×:iptables:1.4.21:2012/03/27:ipq_errstr:3:::::
	5	+※:iptables:1.4.21:2012/03/27:ipq_get_msgerr:3:ipq_message_type:3:
	6	+※:iptables:1.4.21:2012/03/27:ipq_get_packet:3:ipq_message_type:3:
	7	+×:iptables:1.4.21:2012/03/27:ipq_message_type:3:::::
	8	+※:iptables:1.4.21:2012/03/27:ipq_perror:3:ipq_errstr:3:
	9	+×:iptables:1.4.21:2012/03/27:ipq_read:3:::::
	10	+×:iptables:1.4.21:2012/03/27:ipq_set_mode:3:::::
	11	+×:iptables:1.4.21:2012/03/27:ipq_set_verdict:3:::::
	12	+×:iptables:1.4.21:2013/11/22:libipq:3:::::
	13	+＠:iptables:1.4.21:2013/11/22:ip6tables:8:iptables:8:
	14	+＠:iptables:1.4.21:2013/11/22:ip6tables-restore:8:iptables-restore:8:
	15	+＠:iptables:1.4.21:2013/11/22:ip6tables-save:8:iptables-save:8:
	16	+☆:iptables:1.4.18=>1.4.21:2013/11/22:iptables:8:2014/05/06::amotoki@gmail.com:Akihiro Motoki:
	17	+☆:iptables:1.4.18=>1.4.21:2013/11/22:iptables-apply:8:2014/05/06::amotoki@gmail.com:Akihiro Motoki:
	18	+☆:iptables:1.4.18=>1.4.21:2013/11/22:iptables-extensions:8:2014/05/07::amotoki@gmail.com:Akihiro Motoki:
	19	+☆:iptables:1.4.18=>1.4.21:2013/11/22:iptables-restore:8:2014/05/06::amotoki@gmail.com:Akihiro Motoki:
	20	+☆:iptables:1.4.18=>1.4.21:2013/11/22:iptables-save:8:2014/05/06::amotoki@gmail.com:Akihiro Motoki:

Show on old repository browser