Commands, options, filenames, and possibly references to other manpages, should always use the minus. (Important for copy-n-paste and e.g. following manpage links.) Everything else can do with the dash. --- iptables/xtables-legacy.8 | 22 +++++++------- iptables/xtables-nft.8 | 60 +++++++++++++++++++-------------------- 2 files changed, 41 insertions(+), 41 deletions(-) diff --git a/iptables/xtables-legacy.8 b/iptables/xtables-legacy.8 index eb075e2c..5b4ab32a 100644 --- a/iptables/xtables-legacy.8 +++ b/iptables/xtables-legacy.8 @@ -25,29 +25,29 @@ .TH XTABLES-LEGACY 8 "June 2018" .SH NAME -xtables-legacy \- iptables using old getsockopt/setsockopt based kernel api +xtables-legacy \(em iptables using old getsockopt/setsockopt-based kernel api .SH DESCRIPTION \fBxtables-legacy\fP are the original versions of iptables that use -old getsockopt/setsockopt based kernel interface. +old getsockopt/setsockopt-based kernel interface. This kernel interface has some limitations, therefore iptables can also be used with the newer nf_tables based API. See -.B xtables-nft(8) +.B xtables\-nft(8) for information about the xtables-nft variants of iptables. .SH USAGE The xtables-legacy-multi binary can be linked to the traditional names: .nf - /sbin/iptables \-> /sbin/iptables-legacy-multi - /sbin/ip6tables \-> /sbin/ip6tables-legacy-mulit - /sbin/iptables-save \-> /sbin/ip6tables-legacy-mulit - /sbin/iptables-restore \-> /sbin/ip6tables-legacy-mulit + /sbin/iptables -> /sbin/iptables\-legacy\-multi + /sbin/ip6tables -> /sbin/ip6tables\-legacy\-multi + /sbin/iptables\-save -> /sbin/ip6tables\-legacy\-multi + /sbin/iptables\-restore -> /sbin/ip6tables\-legacy\-multi .fi -The iptables version string will indicate if the legacy API (get/setsockopt) or -the new nf_tables api is used: +The iptables version string will indicate whether the legacy API (get/setsockopt) or +the new nf_tables API is used: .nf iptables \-V iptables v1.7 (legacy) 
@@ -64,9 +64,9 @@ updates might be lost. This can be worked around partially with the \-\-wait op There is also no method to monitor changes to the ruleset, except periodically calling iptables-legacy-save and checking for any differences in output. -.B xtables-monitor(8) +.B xtables\-monitor(8) will need the -.B xtables-nft(8) +.B xtables\-nft(8) versions to work, it cannot display changes made using the. .B iptables-legacy tools. diff --git a/iptables/xtables-nft.8 b/iptables/xtables-nft.8 index 91d5b54e..9c223eda 100644 --- a/iptables/xtables-nft.8 +++ b/iptables/xtables-nft.8 @@ -25,31 +25,31 @@ .TH XTABLES-NFT 8 "June 2018" .SH NAME -xtables-nft \- iptables using nftables kernel api +xtables-nft \(em iptables using nftables kernel api .SH DESCRIPTION -\fBxtables-nft\fP are versions of iptables that use the nftables api. - is set of tools to help the system administrator migrate the +\fBxtables-nft\fP are versions of iptables that use the nftables API. +This is a set of tools to help the system administrator migrate the ruleset from \fBiptables(8)\fP, \fBip6tables(8)\fP, \fBarptables(8)\fP, and \fBebtables(8)\fP to \fBnftables(8)\fP. The \fBxtables-nft\fP set is composed of several commands: .IP \[bu] 2 -iptables-nft +iptables\-nft .IP \[bu] -iptables-nft-save +iptables\-nft\-save .IP \[bu] -iptables-nft-restore +iptables\-nft\-restore .IP \[bu] -ip6tables-nft +ip6tables\-nft .IP \[bu] -ip6tables-nft-save +ip6tables\-nft\-save .IP \[bu] -ip6tables-nft-restore +ip6tables\-nft\-restore .IP \[bu] -arptables-nft +arptables\-nft .IP \[bu] -ebtables-nft +ebtables\-nft These tools use the libxtables framework extensions and hook to the nf_tables kernel subsystem using the \fBnft_compat\fP module. 
@@ -60,7 +60,7 @@ native syntax of \fBiptables(8)\fP, \fBip6tables(8)\fP, \fBarptables(8)\fP, and \fBebtables(8)\fP. You should use the xtables-nft tools exactly the same way as you would use the -corresponding original tool. +corresponding original tools. Adding a rule will result in that rule being added to the nf_tables kernel subsystem instead. @@ -70,13 +70,13 @@ When these tools were designed, the main idea was to replace each legacy binary with a symlink to the xtables-nft program, for example: .nf - /sbin/iptables \-> /usr/sbin/iptables-nft-multi - /sbin/ip6tables \-> /usr/sbin/ip6tables-nft-mulit - /sbin/arptables \-> /usr/sbin/arptables-nft-multi - /sbin/ebtables \-> /usr/sbin/ebtables-nft-multi + /sbin/iptables -> /usr/sbin/iptables\-nft\-multi + /sbin/ip6tables -> /usr/sbin/ip6tables\-nft\-multi + /sbin/arptables -> /usr/sbin/arptables\-nft\-multi + /sbin/ebtables -> /usr/sbin/ebtables\-nft\-multi .fi -The iptables version string will indicate if the legacy API (get/setsockopt) or +The iptables version string will indicate whether the legacy API (get/setsockopt) or the new nf_tables api is used: .nf iptables \-V 
@@ -85,19 +85,19 @@ the new nf_tables api is used: .SH DIFFERENCES TO LEGACY IPTABLES -Because the xtables-nft tools use the nf_tables kernel api, rule additions -are deletions are always atomic. Unlike iptables-legacy, iptables-nft \-A .. +Because the xtables-nft tools use the nf_tables kernel API, rule additions +and deletions are always atomic. Unlike iptables-legacy, iptables-nft \-A .. will NOT need to retrieve the current ruleset from the kernel, change it, and re-load the altered ruleset. Instead, iptables-nft will tell the kernel to add one rule. For this reason, the iptables-legacy \-\-wait option is a no-op in iptables-nft. Use of the xtables-nft tools allow monitoring ruleset changes using the -.B xtables-monitor(8) +.B xtables\-monitor(8) command. When using \-j TRACE to debug packet traversal to the ruleset, note that you will need to use -.B xtables-monitor(8) +.B xtables\-monitor(8) in \-\-trace mode to obtain monitoring trace events. .SH EXAMPLES @@ -105,13 +105,13 @@ One basic example is creating the skeleton ruleset in nf_tables from the xtables-nft tools, in a fresh machine: .nf - root@machine:~# iptables-nft -L + root@machine:~# iptables\-nft \-L [...] - root@machine:~# ip6tables-nft -L + root@machine:~# ip6tables\-nft \-L [...] - root@machine:~# arptables-nft -L + root@machine:~# arptables\-nft \-L [...] - root@machine:~# ebtables-nft -L + root@machine:~# ebtables\-nft \-L [...] root@machine:~# nft list ruleset table ip filter { @@ -142,15 +142,15 @@ xtables-nft tools, in a fresh machine: } table bridge filter { chain INPUT { - type filter hook input priority -200; policy accept; + type filter hook input priority \-200; policy accept; } chain FORWARD { - type filter hook forward priority -200; policy accept; + type filter hook forward priority \-200; policy accept; } chain OUTPUT { - type filter hook output priority -200; policy accept; + type filter hook output priority \-200; policy accept; } } table arp filter { 
@@ -175,8 +175,8 @@ To migrate your complete filter ruleset, in the case of \fBiptables(8)\fP, you would use: .nf - root@machine:~# iptables-legacy-save > myruleset # reads from x_tables - root@machine:~# iptables-nft-restore myruleset # writes to nf_tables + root@machine:~# iptables\-legacy\-save > myruleset # reads from x_tables + root@machine:~# iptables\-nft\-restore myruleset # writes to nf_tables .fi -- 2.17.1
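Review bot: in the xtables-legacy.8 hunk at @@ -25,29, the NAME line change from `xtables-legacy \- iptables ...` to `xtables-legacy \(em iptables ...` should be reverted to `\-`: groff_man(7) and man-pages(7) specify `\-` as the NAME separator, and the whatis/apropos indexers (lexgrog, makewhatis) key on it, so please run `lexgrog iptables/xtables-legacy.8` before switching the separator. In the same hunk the rewritten symlink lines for iptables\-save and iptables\-restore still point at `/sbin/ip6tables\-legacy\-multi`; since these lines are being touched anyway, make the target `/sbin/iptables\-legacy\-multi` to match the first line of the block.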
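Review bot: in the xtables-legacy.8 hunk at @@ -64,9, the trailing context line `.B iptables-legacy` still uses a plain hyphen in a command name, contrary to the rule in the commit message; escape it as `.B iptables\-legacy` alongside the `xtables\-monitor(8)` and `xtables\-nft(8)` changes. The line just above it, `it cannot display changes made using the.`, also carries a stray period that this hunk could drop at the same time.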
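Review bot: in the xtables-nft.8 hunk at @@ -25,31, the same NAME-line concern applies: `xtables-nft \(em iptables using nftables kernel api` replaces the `\-` separator that groff_man(7) prescribes and the whatis indexers expect, so keep `\-` there. The DESCRIPTION line is changed to say "nftables API" while the NAME line keeps "kernel api"; capitalise it in the NAME lines of both manpages for consistency.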
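Review bot: in the xtables-nft.8 hunk at @@ -70,13, the version-string sentence is only half updated: `whether` is applied, but the following context line `the new nf_tables api is used:` keeps lowercase `api`, whereas the same sentence in xtables-legacy.8 becomes `the new nf_tables API is used:` in this patch. Change it here too so the two manpages agree.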
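Review bot: in the xtables-nft.8 hunk at @@ -85,19, the added line `and deletions are always atomic. Unlike iptables-legacy, iptables-nft \-A ..` leaves both command names with plain hyphens (`iptables-legacy`, `iptables-nft`), which the commit message says should be `\-`; the context line `the iptables-legacy \-\-wait option is a no-op in iptables-nft` has the same issue. Further down, `Use of the xtables-nft tools allow monitoring ruleset changes` needs `allows`, and since the hunk already edits the adjacent `.B xtables\-monitor(8)` line the grammar fix can ride along.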