OSDN -- 오픈 소스 소프트웨어 개발 및 다운로드
Translation Status of 한국말 translation status for ko
  • R/O
  • HTTP
  • SSH
  • HTTPS
Fork

iptables: Commit


Commit MetaInfo

Revisiond0c4ba014332d53f2facb60c7e4bf29a91d1b352 (tree)
Time2013-04-03 12:21:38
AuthorAkihiro MOTOKI <amotoki@gmai...>
CommiterAkihiro MOTOKI

Log Message

iptables: Update original to 1.4.18

Change Summary

Incremental Difference

--- a/original/man8/ip6tables-restore.8
+++ b/original/man8/ip6tables-restore.8
@@ -21,7 +21,8 @@
2121 .SH NAME
2222 ip6tables-restore \(em Restore IPv6 Tables
2323 .SH SYNOPSIS
24-\fBip6tables\-restore\fP [\fB\-c\fP] [\fB\-n\fP]
24+\fBip6tables\-restore\fP [\fB\-chntv\fP] [\fB\-M\fP \fImodprobe\fP]
25+[\fB\-T\fP \fIname\fP]
2526 .SH DESCRIPTION
2627 .PP
2728 .B ip6tables-restore
@@ -31,8 +32,23 @@ I/O redirection provided by your shell to read from a file
3132 \fB\-c\fR, \fB\-\-counters\fR
3233 restore the values of all packet and byte counters
3334 .TP
35+\fB\-h\fP, \fB\-\-help\fP
36+Print a short option summary.
37+.TP
3438 \fB\-n\fR, \fB\-\-noflush\fR
35-don't flush the previous contents of the table. If not specified,
39+don't flush the previous contents of the table. If not specified,
40+\fBip6tables-restore\fP flushes (deletes) all previous contents of the
41+respective table.
42+.TP
43+\fB\-t\fP, \fB\-\-test\fP
44+Only parse and construct the ruleset, but do not commit it.
45+.TP
46+\fB\-v\fP, \fB\-\-verbose\fP
47+Print additional debug info during ruleset processing.
48+.TP
49+\fB\-M\fP, \fB\-\-modprobe\fP \fImodprobe_program\fP
50+Specify the path to the modprobe program. By default, ip6tables-restore will
51+inspect /proc/sys/kernel/modprobe to determine the executable's path.
3652 .TP
3753 \fB\-T\fP, \fB\-\-table\fP \fIname\fP
3854 Restore only the named table even if the input stream contains other ones.
--- a/original/man8/ip6tables.8
+++ b/original/man8/ip6tables.8
@@ -1,4 +1,4 @@
1-.TH IP6TABLES 8 "" "iptables 1.4.13" "iptables 1.4.13"
1+.TH IP6TABLES 8 "" "iptables 1.4.18" "iptables 1.4.18"
22 .\"
33 .\" Man page written by Andras Kis-Szabo <kisza@sch.bme.hu>
44 .\" It is based on iptables man page.
@@ -87,7 +87,7 @@ or a rule in a built-in chain with target \fBRETURN\fP
8787 is matched, the target specified by the chain policy determines the
8888 fate of the packet.
8989 .SH TABLES
90-There are currently three independent tables (which tables are present
90+There are currently five independent tables (which tables are present
9191 at any time depends on the kernel configuration options and which
9292 modules are present).
9393 .TP
@@ -106,6 +106,13 @@ the built-in chains \fBINPUT\fP (for packets destined to local sockets),
106106 \fBFORWARD\fP (for packets being routed through the box), and
107107 \fBOUTPUT\fP (for locally-generated packets).
108108 .TP
109+\fBnat\fP:
110+This table is consulted when a packet that creates a new
111+connection is encountered. It consists of three built-ins: \fBPREROUTING\fP
112+(for altering packets as soon as they come in), \fBOUTPUT\fP
113+(for altering locally-generated packets before routing), and \fBPOSTROUTING\fP
114+(for altering packets as they are about to go out). Available since kernel 3.7.
115+.TP
109116 \fBmangle\fP:
110117 This table is used for specialized packet alteration. Until kernel
111118 2.4.17 it had two built-in chains: \fBPREROUTING\fP
@@ -240,6 +247,15 @@ Give a (currently very brief) description of the command syntax.
240247 The following parameters make up a rule specification (as used in the
241248 add, delete, insert, replace and append commands).
242249 .TP
250+\fB\-4\fP, \fB\-\-ipv4\fP
251+If a rule using the \fB\-4\fP option is inserted with (and only with)
252+ip6tables-restore, it will be silently ignored. Any other uses will throw an
253+error. This option allows to put both IPv4 and IPv6 rules in a single rule file
254+for use with both iptables-restore and ip6tables-restore.
255+.TP
256+\fB\-6\fP, \fB\-\-ipv6\fP
257+This option has no effect in ip6tables and ip6tables-restore.
258+.TP
243259 [\fB!\fP] \fB\-p\fP, \fB\-\-protocol\fP \fIprotocol\fP
244260 The protocol of the rule or of the packet to check.
245261 The specified protocol can be one of \fBtcp\fP, \fBudp\fP, \fBudplite\fP,
@@ -281,6 +297,13 @@ See the description of the \fB\-s\fP
281297 (source) flag for a detailed description of the syntax. The flag
282298 \fB\-\-dst\fP is an alias for this option.
283299 .TP
300+\fB\-m\fP, \fB\-\-match\fP \fImatch\fP
301+Specifies a match to use, that is, an extension module that tests for a
302+specific property. The set of matches make up the condition under which a
303+target is invoked. Matches are evaluated first to last as specified on the
304+command line and work in short-circuit fashion, i.e. if one extension yields
305+false, evaluation will stop.
306+.TP
284307 \fB\-j\fP, \fB\-\-jump\fP \fItarget\fP
285308 This specifies the target of the rule; i.e., what to do if the packet
286309 matches it. The target can be a user-defined chain (other than the
@@ -362,2083 +385,8 @@ When adding or inserting rules into a chain, use \fIcommand\fP
362385 to load any necessary modules (targets, match extensions, etc).
363386 .SH MATCH EXTENSIONS
364387 .PP
365-ip6tables can use extended packet matching modules
366-with the \fB\-m\fP or \fB\-\-match\fP
367-options, followed by the matching module name; after these, various
368-extra command line options become available, depending on the specific
369-module. You can specify multiple extended match modules in one line,
370-and you can use the \fB\-h\fP or \fB\-\-help\fP
371-options after the module has been specified to receive help specific
372-to that module.
373-.PP
374-If the \fB\-p\fP or \fB\-\-protocol\fP was specified and if and only if an
375-unknown option is encountered, ip6tables will try load a match module of the
376-same name as the protocol, to try making the option available.
377-.\" @MATCH@
378-.SS addrtype
379-This module matches packets based on their
380-.B address type.
381-Address types are used within the kernel networking stack and categorize
382-addresses into various groups. The exact definition of that group depends on the specific layer three protocol.
383-.PP
384-The following address types are possible:
385-.TP
386-.BI "UNSPEC"
387-an unspecified address (i.e. 0.0.0.0)
388-.TP
389-.BI "UNICAST"
390-an unicast address
391-.TP
392-.BI "LOCAL"
393-a local address
394-.TP
395-.BI "BROADCAST"
396-a broadcast address
397-.TP
398-.BI "ANYCAST"
399-an anycast packet
400-.TP
401-.BI "MULTICAST"
402-a multicast address
403-.TP
404-.BI "BLACKHOLE"
405-a blackhole address
406-.TP
407-.BI "UNREACHABLE"
408-an unreachable address
409-.TP
410-.BI "PROHIBIT"
411-a prohibited address
412-.TP
413-.BI "THROW"
414-FIXME
415-.TP
416-.BI "NAT"
417-FIXME
418-.TP
419-.BI "XRESOLVE"
420-.TP
421-[\fB!\fP] \fB\-\-src\-type\fP \fItype\fP
422-Matches if the source address is of given type
423-.TP
424-[\fB!\fP] \fB\-\-dst\-type\fP \fItype\fP
425-Matches if the destination address is of given type
426-.TP
427-.BI "\-\-limit\-iface\-in"
428-The address type checking can be limited to the interface the packet is coming
429-in. This option is only valid in the
430-.BR PREROUTING ,
431-.B INPUT
432-and
433-.B FORWARD
434-chains. It cannot be specified with the
435-\fB\-\-limit\-iface\-out\fP
436-option.
437-.TP
438-\fB\-\-limit\-iface\-out\fP
439-The address type checking can be limited to the interface the packet is going
440-out. This option is only valid in the
441-.BR POSTROUTING ,
442-.B OUTPUT
443-and
444-.B FORWARD
445-chains. It cannot be specified with the
446-\fB\-\-limit\-iface\-in\fP
447-option.
448-.SS ah
449-This module matches the parameters in Authentication header of IPsec packets.
450-.TP
451-[\fB!\fP] \fB\-\-ahspi\fP \fIspi\fP[\fB:\fP\fIspi\fP]
452-Matches SPI.
453-.TP
454-[\fB!\fP] \fB\-\-ahlen\fP \fIlength\fP
455-Total length of this header in octets.
456-.TP
457-\fB\-\-ahres\fP
458-Matches if the reserved field is filled with zero.
459-.SS cluster
460-Allows you to deploy gateway and back-end load-sharing clusters without the
461-need of load-balancers.
462-.PP
463-This match requires that all the nodes see the same packets. Thus, the cluster
464-match decides if this node has to handle a packet given the following options:
465-.TP
466-\fB\-\-cluster\-total\-nodes\fP \fInum\fP
467-Set number of total nodes in cluster.
468-.TP
469-[\fB!\fP] \fB\-\-cluster\-local\-node\fP \fInum\fP
470-Set the local node number ID.
471-.TP
472-[\fB!\fP] \fB\-\-cluster\-local\-nodemask\fP \fImask\fP
473-Set the local node number ID mask. You can use this option instead
474-of \fB\-\-cluster\-local\-node\fP.
475-.TP
476-\fB\-\-cluster\-hash\-seed\fP \fIvalue\fP
477-Set seed value of the Jenkins hash.
478-.PP
479-Example:
480-.IP
481-iptables \-A PREROUTING \-t mangle \-i eth1 \-m cluster
482-\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1
483-\-\-cluster\-hash\-seed 0xdeadbeef
484-\-j MARK \-\-set-mark 0xffff
485-.IP
486-iptables \-A PREROUTING \-t mangle \-i eth2 \-m cluster
487-\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1
488-\-\-cluster\-hash\-seed 0xdeadbeef
489-\-j MARK -\-set\-mark 0xffff
490-.IP
491-iptables \-A PREROUTING \-t mangle \-i eth1
492-\-m mark ! \-\-mark 0xffff \-j DROP
493-.IP
494-iptables \-A PREROUTING \-t mangle \-i eth2
495-\-m mark ! \-\-mark 0xffff \-j DROP
496-.PP
497-And the following commands to make all nodes see the same packets:
498-.IP
499-ip maddr add 01:00:5e:00:01:01 dev eth1
500-.IP
501-ip maddr add 01:00:5e:00:01:02 dev eth2
502-.IP
503-arptables \-A OUTPUT \-o eth1 \-\-h\-length 6
504-\-j mangle \-\-mangle-mac-s 01:00:5e:00:01:01
505-.IP
506-arptables \-A INPUT \-i eth1 \-\-h-length 6
507-\-\-destination-mac 01:00:5e:00:01:01
508-\-j mangle \-\-mangle\-mac\-d 00:zz:yy:xx:5a:27
509-.IP
510-arptables \-A OUTPUT \-o eth2 \-\-h\-length 6
511-\-j mangle \-\-mangle\-mac\-s 01:00:5e:00:01:02
512-.IP
513-arptables \-A INPUT \-i eth2 \-\-h\-length 6
514-\-\-destination\-mac 01:00:5e:00:01:02
515-\-j mangle \-\-mangle\-mac\-d 00:zz:yy:xx:5a:27
516-.PP
517-In the case of TCP connections, pickup facility has to be disabled
518-to avoid marking TCP ACK packets coming in the reply direction as
519-valid.
520-.IP
521-echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
522-.SS comment
523-Allows you to add comments (up to 256 characters) to any rule.
524-.TP
525-\fB\-\-comment\fP \fIcomment\fP
526-.TP
527-Example:
528-iptables \-A INPUT \-i eth1 \-m comment \-\-comment "my local LAN"
529-.SS connbytes
530-Match by how many bytes or packets a connection (or one of the two
531-flows constituting the connection) has transferred so far, or by
532-average bytes per packet.
533-.PP
534-The counters are 64-bit and are thus not expected to overflow ;)
535-.PP
536-The primary use is to detect long-lived downloads and mark them to be
537-scheduled using a lower priority band in traffic control.
538-.PP
539-The transferred bytes per connection can also be viewed through
540-`conntrack \-L` and accessed via ctnetlink.
541-.PP
542-NOTE that for connections which have no accounting information, the match will
543-always return false. The "net.netfilter.nf_conntrack_acct" sysctl flag controls
544-whether \fBnew\fP connections will be byte/packet counted. Existing connection
545-flows will not be gaining/losing a/the accounting structure when be sysctl flag
546-is flipped.
547-.TP
548-[\fB!\fP] \fB\-\-connbytes\fP \fIfrom\fP[\fB:\fP\fIto\fP]
549-match packets from a connection whose packets/bytes/average packet
550-size is more than FROM and less than TO bytes/packets. if TO is
551-omitted only FROM check is done. "!" is used to match packets not
552-falling in the range.
553-.TP
554-\fB\-\-connbytes\-dir\fP {\fBoriginal\fP|\fBreply\fP|\fBboth\fP}
555-which packets to consider
556-.TP
557-\fB\-\-connbytes\-mode\fP {\fBpackets\fP|\fBbytes\fP|\fBavgpkt\fP}
558-whether to check the amount of packets, number of bytes transferred or
559-the average size (in bytes) of all packets received so far. Note that
560-when "both" is used together with "avgpkt", and data is going (mainly)
561-only in one direction (for example HTTP), the average packet size will
562-be about half of the actual data packets.
563-.TP
564-Example:
565-iptables .. \-m connbytes \-\-connbytes 10000:100000 \-\-connbytes\-dir both \-\-connbytes\-mode bytes ...
566-.SS connlimit
567-Allows you to restrict the number of parallel connections to a server per
568-client IP address (or client address block).
569-.TP
570-\fB\-\-connlimit\-upto\fP \fIn\fP
571-Match if the number of existing connections is below or equal \fIn\fP.
572-.TP
573-\fB\-\-connlimit\-above\fP \fIn\fP
574-Match if the number of existing connections is above \fIn\fP.
575-.TP
576-\fB\-\-connlimit\-mask\fP \fIprefix_length\fP
577-Group hosts using the prefix length. For IPv4, this must be a number between
578-(including) 0 and 32. For IPv6, between 0 and 128. If not specified, the
579-maximum prefix length for the applicable protocol is used.
580-.TP
581-\fB\-\-connlimit\-saddr\fP
582-Apply the limit onto the source group. This is the default if
583-\-\-connlimit\-daddr is not specified.
584-.TP
585-\fB\-\-connlimit\-daddr\fP
586-Apply the limit onto the destination group.
587-.PP
588-Examples:
589-.TP
590-# allow 2 telnet connections per client host
591-iptables \-A INPUT \-p tcp \-\-syn \-\-dport 23 \-m connlimit \-\-connlimit\-above 2 \-j REJECT
592-.TP
593-# you can also match the other way around:
594-iptables \-A INPUT \-p tcp \-\-syn \-\-dport 23 \-m connlimit \-\-connlimit\-upto 2 \-j ACCEPT
595-.TP
596-# limit the number of parallel HTTP requests to 16 per class C sized \
597-source network (24 bit netmask)
598-iptables \-p tcp \-\-syn \-\-dport 80 \-m connlimit \-\-connlimit\-above 16
599-\-\-connlimit\-mask 24 \-j REJECT
600-.TP
601-# limit the number of parallel HTTP requests to 16 for the link local network
602-(ipv6)
603-ip6tables \-p tcp \-\-syn \-\-dport 80 \-s fe80::/64 \-m connlimit \-\-connlimit\-above
604-16 \-\-connlimit\-mask 64 \-j REJECT
605-.TP
606-# Limit the number of connections to a particular host:
607-ip6tables \-p tcp \-\-syn \-\-dport 49152:65535 \-d 2001:db8::1 \-m connlimit
608-\-\-connlimit-above 100 \-j REJECT
609-.SS connmark
610-This module matches the netfilter mark field associated with a connection
611-(which can be set using the \fBCONNMARK\fP target below).
612-.TP
613-[\fB!\fP] \fB\-\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
614-Matches packets in connections with the given mark value (if a mask is
615-specified, this is logically ANDed with the mark before the comparison).
616-.SS conntrack
617-This module, when combined with connection tracking, allows access to the
618-connection tracking state for this packet/connection.
619-.TP
620-[\fB!\fP] \fB\-\-ctstate\fP \fIstatelist\fP
621-\fIstatelist\fP is a comma separated list of the connection states to match.
622-Possible states are listed below.
623-.TP
624-[\fB!\fP] \fB\-\-ctproto\fP \fIl4proto\fP
625-Layer-4 protocol to match (by number or name)
626-.TP
627-[\fB!\fP] \fB\-\-ctorigsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP]
628-.TP
629-[\fB!\fP] \fB\-\-ctorigdst\fP \fIaddress\fP[\fB/\fP\fImask\fP]
630-.TP
631-[\fB!\fP] \fB\-\-ctreplsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP]
632-.TP
633-[\fB!\fP] \fB\-\-ctrepldst\fP \fIaddress\fP[\fB/\fP\fImask\fP]
634-Match against original/reply source/destination address
635-.TP
636-[\fB!\fP] \fB\-\-ctorigsrcport\fP \fIport\fP[\fB:\fP\fIport\fP]
637-.TP
638-[\fB!\fP] \fB\-\-ctorigdstport\fP \fIport\fP[\fB:\fP\fIport\fP]
639-.TP
640-[\fB!\fP] \fB\-\-ctreplsrcport\fP \fIport\fP[\fB:\fP\fIport\fP]
641-.TP
642-[\fB!\fP] \fB\-\-ctrepldstport\fP \fIport\fP[\fB:\fP\fIport\fP]
643-Match against original/reply source/destination port (TCP/UDP/etc.) or GRE key.
644-Matching against port ranges is only supported in kernel versions above 2.6.38.
645-.TP
646-[\fB!\fP] \fB\-\-ctstatus\fP \fIstatelist\fP
647-\fIstatuslist\fP is a comma separated list of the connection statuses to match.
648-Possible statuses are listed below.
649-.TP
650-[\fB!\fP] \fB\-\-ctexpire\fP \fItime\fP[\fB:\fP\fItime\fP]
651-Match remaining lifetime in seconds against given value or range of values
652-(inclusive)
653-.TP
654-\fB\-\-ctdir\fP {\fBORIGINAL\fP|\fBREPLY\fP}
655-Match packets that are flowing in the specified direction. If this flag is not
656-specified at all, matches packets in both directions.
657-.PP
658-States for \fB\-\-ctstate\fP:
659-.TP
660-\fBINVALID\fP
661-meaning that the packet is associated with no known connection
662-.TP
663-\fBNEW\fP
664-meaning that the packet has started a new connection, or otherwise associated
665-with a connection which has not seen packets in both directions, and
666-.TP
667-\fBESTABLISHED\fP
668-meaning that the packet is associated with a connection which has seen packets
669-in both directions,
670-.TP
671-\fBRELATED\fP
672-meaning that the packet is starting a new connection, but is associated with an
673-existing connection, such as an FTP data transfer, or an ICMP error.
674-.TP
675-\fBUNTRACKED\fP
676-meaning that the packet is not tracked at all, which happens if you use
677-the NOTRACK target in raw table.
678-.TP
679-\fBSNAT\fP
680-A virtual state, matching if the original source address differs from the reply
681-destination.
682-.TP
683-\fBDNAT\fP
684-A virtual state, matching if the original destination differs from the reply
685-source.
686-.PP
687-Statuses for \fB\-\-ctstatus\fP:
688-.TP
689-\fBNONE\fP
690-None of the below.
691-.TP
692-\fBEXPECTED\fP
693-This is an expected connection (i.e. a conntrack helper set it up)
694-.TP
695-\fBSEEN_REPLY\fP
696-Conntrack has seen packets in both directions.
697-.TP
698-\fBASSURED\fP
699-Conntrack entry should never be early-expired.
700-.TP
701-\fBCONFIRMED\fP
702-Connection is confirmed: originating packet has left box.
703-.SS cpu
704-.TP
705-[\fB!\fP] \fB\-\-cpu\fP \fInumber\fP
706-Match cpu handling this packet. cpus are numbered from 0 to NR_CPUS-1
707-Can be used in combination with RPS (Remote Packet Steering) or
708-multiqueue NICs to spread network traffic on different queues.
709-.PP
710-Example:
711-.PP
712-iptables \-t nat \-A PREROUTING \-p tcp \-\-dport 80 \-m cpu \-\-cpu 0
713-\-j REDIRECT \-\-to\-port 8080
714-.PP
715-iptables \-t nat \-A PREROUTING \-p tcp \-\-dport 80 \-m cpu \-\-cpu 1
716-\-j REDIRECT \-\-to\-port 8081
717-.PP
718-Available since Linux 2.6.36.
719-.SS dccp
720-.TP
721-[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP]
722-.TP
723-[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP]
724-.TP
725-[\fB!\fP] \fB\-\-dccp\-types\fP \fImask\fP
726-Match when the DCCP packet type is one of 'mask'. 'mask' is a comma-separated
727-list of packet types. Packet types are:
728-.BR "REQUEST RESPONSE DATA ACK DATAACK CLOSEREQ CLOSE RESET SYNC SYNCACK INVALID" .
729-.TP
730-[\fB!\fP] \fB\-\-dccp\-option\fP \fInumber\fP
731-Match if DCCP option set.
732-.SS dscp
733-This module matches the 6 bit DSCP field within the TOS field in the
734-IP header. DSCP has superseded TOS within the IETF.
735-.TP
736-[\fB!\fP] \fB\-\-dscp\fP \fIvalue\fP
737-Match against a numeric (decimal or hex) value [0-63].
738-.TP
739-[\fB!\fP] \fB\-\-dscp\-class\fP \fIclass\fP
740-Match the DiffServ class. This value may be any of the
741-BE, EF, AFxx or CSx classes. It will then be converted
742-into its according numeric value.
743-.SS dst
744-This module matches the parameters in Destination Options header
745-.TP
746-[\fB!\fP] \fB\-\-dst\-len\fP \fIlength\fP
747-Total length of this header in octets.
748-.TP
749-\fB\-\-dst\-opts\fP \fItype\fP[\fB:\fP\fIlength\fP][\fB,\fP\fItype\fP[\fB:\fP\fIlength\fP]...]
750-numeric type of option and the length of the option data in octets.
751-.SS ecn
752-This allows you to match the ECN bits of the IPv4/IPv6 and TCP header. ECN is the Explicit Congestion Notification mechanism as specified in RFC3168
753-.TP
754-[\fB!\fP] \fB\-\-ecn\-tcp\-cwr\fP
755-This matches if the TCP ECN CWR (Congestion Window Received) bit is set.
756-.TP
757-[\fB!\fP] \fB\-\-ecn\-tcp\-ece\fP
758-This matches if the TCP ECN ECE (ECN Echo) bit is set.
759-.TP
760-[\fB!\fP] \fB\-\-ecn\-ip\-ect\fP \fInum\fP
761-This matches a particular IPv4/IPv6 ECT (ECN-Capable Transport). You have to specify
762-a number between `0' and `3'.
763-.SS esp
764-This module matches the SPIs in ESP header of IPsec packets.
765-.TP
766-[\fB!\fP] \fB\-\-espspi\fP \fIspi\fP[\fB:\fP\fIspi\fP]
767-.SS eui64
768-This module matches the EUI-64 part of a stateless autoconfigured IPv6 address.
769-It compares the EUI-64 derived from the source MAC address in Ethernet frame
770-with the lower 64 bits of the IPv6 source address. But "Universal/Local"
771-bit is not compared. This module doesn't match other link layer frame, and
772-is only valid in the
773-.BR PREROUTING ,
774-.BR INPUT
775-and
776-.BR FORWARD
777-chains.
778-.SS frag
779-This module matches the parameters in Fragment header.
780-.TP
781-[\fB!\fP] \fB\-\-fragid\fP \fIid\fP[\fB:\fP\fIid\fP]
782-Matches the given Identification or range of it.
783-.TP
784-[\fB!\fP] \fB\-\-fraglen\fP \fIlength\fP
785-This option cannot be used with kernel version 2.6.10 or later. The length of
786-Fragment header is static and this option doesn't make sense.
787-.TP
788-\fB\-\-fragres\fP
789-Matches if the reserved fields are filled with zero.
790-.TP
791-\fB\-\-fragfirst\fP
792-Matches on the first fragment.
793-.TP
794-\fB\-\-fragmore\fP
795-Matches if there are more fragments.
796-.TP
797-\fB\-\-fraglast\fP
798-Matches if this is the last fragment.
799-.SS hashlimit
800-\fBhashlimit\fP uses hash buckets to express a rate limiting match (like the
801-\fBlimit\fP match) for a group of connections using a \fBsingle\fP iptables
802-rule. Grouping can be done per-hostgroup (source and/or destination address)
803-and/or per-port. It gives you the ability to express "\fIN\fP packets per time
804-quantum per group" (see below for some examples).
805-.PP
806-A hash limit option (\fB\-\-hashlimit\-upto\fP, \fB\-\-hashlimit\-above\fP) and
807-\fB\-\-hashlimit\-name\fP are required.
808-.TP
809-\fB\-\-hashlimit\-upto\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
810-Match if the rate is below or equal to \fIamount\fP/quantum. It is specified as
811-a number, with an optional time quantum suffix; the default is 3/hour.
812-.TP
813-\fB\-\-hashlimit\-above\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
814-Match if the rate is above \fIamount\fP/quantum.
815-.TP
816-\fB\-\-hashlimit\-burst\fP \fIamount\fP
817-Maximum initial number of packets to match: this number gets recharged by one
818-every time the limit specified above is not reached, up to this number; the
819-default is 5.
820-.TP
821-\fB\-\-hashlimit\-mode\fP {\fBsrcip\fP|\fBsrcport\fP|\fBdstip\fP|\fBdstport\fP}\fB,\fP...
822-A comma-separated list of objects to take into consideration. If no
823-\-\-hashlimit\-mode option is given, hashlimit acts like limit, but at the
824-expensive of doing the hash housekeeping.
825-.TP
826-\fB\-\-hashlimit\-srcmask\fP \fIprefix\fP
827-When \-\-hashlimit\-mode srcip is used, all source addresses encountered will be
828-grouped according to the given prefix length and the so-created subnet will be
829-subject to hashlimit. \fIprefix\fP must be between (inclusive) 0 and 32. Note
830-that \-\-hashlimit\-srcmask 0 is basically doing the same thing as not specifying
831-srcip for \-\-hashlimit\-mode, but is technically more expensive.
832-.TP
833-\fB\-\-hashlimit\-dstmask\fP \fIprefix\fP
834-Like \-\-hashlimit\-srcmask, but for destination addresses.
835-.TP
836-\fB\-\-hashlimit\-name\fP \fIfoo\fP
837-The name for the /proc/net/ipt_hashlimit/foo entry.
838-.TP
839-\fB\-\-hashlimit\-htable\-size\fP \fIbuckets\fP
840-The number of buckets of the hash table
841-.TP
842-\fB\-\-hashlimit\-htable\-max\fP \fIentries\fP
843-Maximum entries in the hash.
844-.TP
845-\fB\-\-hashlimit\-htable\-expire\fP \fImsec\fP
846-After how many milliseconds do hash entries expire.
847-.TP
848-\fB\-\-hashlimit\-htable\-gcinterval\fP \fImsec\fP
849-How many milliseconds between garbage collection intervals.
850-.PP
851-Examples:
852-.TP
853-matching on source host
854-"1000 packets per second for every host in 192.168.0.0/16" =>
855-\-s 192.168.0.0/16 \-\-hashlimit\-mode srcip \-\-hashlimit\-upto 1000/sec
856-.TP
857-matching on source port
858-"100 packets per second for every service of 192.168.1.1" =>
859-\-s 192.168.1.1 \-\-hashlimit\-mode srcport \-\-hashlimit\-upto 100/sec
860-.TP
861-matching on subnet
862-"10000 packets per minute for every /28 subnet (groups of 8 addresses)
863-in 10.0.0.0/8" =>
864-\-s 10.0.0.8 \-\-hashlimit\-mask 28 \-\-hashlimit\-upto 10000/min
865-.SS hbh
866-This module matches the parameters in Hop-by-Hop Options header
867-.TP
868-[\fB!\fP] \fB\-\-hbh\-len\fP \fIlength\fP
869-Total length of this header in octets.
870-.TP
871-\fB\-\-hbh\-opts\fP \fItype\fP[\fB:\fP\fIlength\fP][\fB,\fP\fItype\fP[\fB:\fP\fIlength\fP]...]
872-numeric type of option and the length of the option data in octets.
873-.SS helper
874-This module matches packets related to a specific conntrack-helper.
875-.TP
876-[\fB!\fP] \fB\-\-helper\fP \fIstring\fP
877-Matches packets related to the specified conntrack-helper.
878-.RS
879-.PP
880-string can be "ftp" for packets related to a ftp-session on default port.
881-For other ports append \-portnr to the value, ie. "ftp\-2121".
882-.PP
883-Same rules apply for other conntrack-helpers.
884-.RE
885-.SS hl
886-This module matches the Hop Limit field in the IPv6 header.
887-.TP
888-[\fB!\fP] \fB\-\-hl\-eq\fP \fIvalue\fP
889-Matches if Hop Limit equals \fIvalue\fP.
890-.TP
891-\fB\-\-hl\-lt\fP \fIvalue\fP
892-Matches if Hop Limit is less than \fIvalue\fP.
893-.TP
894-\fB\-\-hl\-gt\fP \fIvalue\fP
895-Matches if Hop Limit is greater than \fIvalue\fP.
896-.SS icmp6
897-This extension can be used if `\-\-protocol ipv6\-icmp' or `\-\-protocol icmpv6' is
898-specified. It provides the following option:
899-.TP
900-[\fB!\fP] \fB\-\-icmpv6\-type\fP \fItype\fP[\fB/\fP\fIcode\fP]|\fItypename\fP
901-This allows specification of the ICMPv6 type, which can be a numeric
902-ICMPv6
903-.IR type ,
904-.IR type
905-and
906-.IR code ,
907-or one of the ICMPv6 type names shown by the command
908-.nf
909- ip6tables \-p ipv6\-icmp \-h
910-.fi
911-.SS iprange
912-This matches on a given arbitrary range of IP addresses.
913-.TP
914-[\fB!\fP] \fB\-\-src\-range\fP \fIfrom\fP[\fB\-\fP\fIto\fP]
915-Match source IP in the specified range.
916-.TP
917-[\fB!\fP] \fB\-\-dst\-range\fP \fIfrom\fP[\fB\-\fP\fIto\fP]
918-Match destination IP in the specified range.
919-.SS ipv6header
920-This module matches IPv6 extension headers and/or upper layer header.
921-.TP
922-\fB\-\-soft\fP
923-Matches if the packet includes \fBany\fP of the headers specified with
924-\fB\-\-header\fP.
925-.TP
926-[\fB!\fP] \fB\-\-header\fP \fIheader\fP[\fB,\fP\fIheader\fP...]
927-Matches the packet which EXACTLY includes all specified headers. The headers
928-encapsulated with ESP header are out of scope.
929-Possible \fIheader\fP types can be:
930-.TP
931-\fBhop\fP|\fBhop\-by\-hop\fP
932-Hop-by-Hop Options header
933-.TP
934-\fBdst\fP
935-Destination Options header
936-.TP
937-\fBroute\fP
938-Routing header
939-.TP
940-\fBfrag\fP
941-Fragment header
942-.TP
943-\fBauth\fP
944-Authentication header
945-.TP
946-\fBesp\fP
947-Encapsulating Security Payload header
948-.TP
949-\fBnone\fP
950-No Next header which matches 59 in the 'Next Header field' of IPv6 header or
951-any IPv6 extension headers
952-.TP
953-\fBproto\fP
954-which matches any upper layer protocol header. A protocol name from
955-/etc/protocols and numeric value also allowed. The number 255 is equivalent to
956-\fBproto\fP.
957-.SS ipvs
958-Match IPVS connection properties.
959-.TP
960-[\fB!\fP] \fB\-\-ipvs\fP
961-packet belongs to an IPVS connection
962-.TP
963-Any of the following options implies \-\-ipvs (even negated)
964-.TP
965-[\fB!\fP] \fB\-\-vproto\fP \fIprotocol\fP
966-VIP protocol to match; by number or name, e.g. "tcp"
967-.TP
968-[\fB!\fP] \fB\-\-vaddr\fP \fIaddress\fP[\fB/\fP\fImask\fP]
969-VIP address to match
970-.TP
971-[\fB!\fP] \fB\-\-vport\fP \fIport\fP
972-VIP port to match; by number or name, e.g. "http"
973-.TP
974-\fB\-\-vdir\fP {\fBORIGINAL\fP|\fBREPLY\fP}
975-flow direction of packet
976-.TP
977-[\fB!\fP] \fB\-\-vmethod\fP {\fBGATE\fP|\fBIPIP\fP|\fBMASQ\fP}
978-IPVS forwarding method used
979-.TP
980-[\fB!\fP] \fB\-\-vportctl\fP \fIport\fP
981-VIP port of the controlling connection to match, e.g. 21 for FTP
982-.SS length
983-This module matches the length of the layer-3 payload (e.g. layer-4 packet)
984-of a packet against a specific value
985-or range of values.
986-.TP
987-[\fB!\fP] \fB\-\-length\fP \fIlength\fP[\fB:\fP\fIlength\fP]
988-.SS limit
989-This module matches at a limited rate using a token bucket filter.
990-A rule using this extension will match until this limit is reached.
991-It can be used in combination with the
992-.B LOG
993-target to give limited logging, for example.
994-.PP
995-xt_limit has no negation support - you will have to use \-m hashlimit !
996-\-\-hashlimit \fIrate\fP in this case whilst omitting \-\-hashlimit\-mode.
997-.TP
998-\fB\-\-limit\fP \fIrate\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
999-Maximum average matching rate: specified as a number, with an optional
1000-`/second', `/minute', `/hour', or `/day' suffix; the default is
1001-3/hour.
1002-.TP
1003-\fB\-\-limit\-burst\fP \fInumber\fP
1004-Maximum initial number of packets to match: this number gets
1005-recharged by one every time the limit specified above is not reached,
1006-up to this number; the default is 5.
1007-.SS mac
1008-.TP
1009-[\fB!\fP] \fB\-\-mac\-source\fP \fIaddress\fP
1010-Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX.
1011-Note that this only makes sense for packets coming from an Ethernet device
1012-and entering the
1013-.BR PREROUTING ,
1014-.B FORWARD
1015-or
1016-.B INPUT
1017-chains.
1018-.SS mark
1019-This module matches the netfilter mark field associated with a packet
1020-(which can be set using the
1021-.B MARK
1022-target below).
1023-.TP
1024-[\fB!\fP] \fB\-\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
1025-Matches packets with the given unsigned mark value (if a \fImask\fP is
1026-specified, this is logically ANDed with the \fImask\fP before the
1027-comparison).
1028-.SS mh
1029-This extension is loaded if `\-\-protocol ipv6\-mh' or `\-\-protocol mh' is
1030-specified. It provides the following option:
1031-.TP
1032-[\fB!\fP] \fB\-\-mh\-type\fP \fItype\fP[\fB:\fP\fItype\fP]
1033-This allows specification of the Mobility Header(MH) type, which can be
1034-a numeric MH
1035-.IR type ,
1036-.IR type
1037-or one of the MH type names shown by the command
1038-.nf
1039- ip6tables \-p ipv6\-mh \-h
1040-.fi
1041-.SS multiport
1042-This module matches a set of source or destination ports. Up to 15
1043-ports can be specified. A port range (port:port) counts as two
1044-ports. It can only be used in conjunction with
1045-\fB\-p tcp\fP
1046-or
1047-\fB\-p udp\fP.
1048-.TP
1049-[\fB!\fP] \fB\-\-source\-ports\fP,\fB\-\-sports\fP \fIport\fP[\fB,\fP\fIport\fP|\fB,\fP\fIport\fP\fB:\fP\fIport\fP]...
1050-Match if the source port is one of the given ports. The flag
1051-\fB\-\-sports\fP
1052-is a convenient alias for this option. Multiple ports or port ranges are
1053-separated using a comma, and a port range is specified using a colon.
1054-\fB53,1024:65535\fP would therefore match ports 53 and all from 1024 through
1055-65535.
1056-.TP
1057-[\fB!\fP] \fB\-\-destination\-ports\fP,\fB\-\-dports\fP \fIport\fP[\fB,\fP\fIport\fP|\fB,\fP\fIport\fP\fB:\fP\fIport\fP]...
1058-Match if the destination port is one of the given ports. The flag
1059-\fB\-\-dports\fP
1060-is a convenient alias for this option.
1061-.TP
1062-[\fB!\fP] \fB\-\-ports\fP \fIport\fP[\fB,\fP\fIport\fP|\fB,\fP\fIport\fP\fB:\fP\fIport\fP]...
1063-Match if either the source or destination ports are equal to one of
1064-the given ports.
1065-.SS nfacct
1066-The nfacct match provides the extended accounting infrastructure for iptables.
1067-You have to use this match together with the standalone user-space utility
1068-.B nfacct(8)
1069-.PP
1070-The only option available for this match is the following:
1071-.TP
1072-\fB\-\-nfacct\-name\fP \fIname\fP
1073-This allows you to specify the existing object name that will be use for
1074-accounting the traffic that this rule-set is matching.
1075-.PP
1076-To use this extension, you have to create an accounting object:
1077-.IP
1078-nfacct add http\-traffic
1079-.PP
1080-Then, you have to attach it to the accounting object via iptables:
1081-.IP
1082-iptables \-I INPUT \-p tcp \-\-sport 80 \-m nfacct \-\-nfacct\-name http\-traffic
1083-.IP
1084-iptables \-I OUTPUT \-p tcp \-\-dport 80 \-m nfacct \-\-nfacct\-name http\-traffic
1085-.PP
1086-Then, you can check for the amount of traffic that the rules match:
1087-.IP
1088-nfacct get http\-traffic
1089-.IP
1090-{ pkts = 00000000000000000156, bytes = 00000000000000151786 } = http-traffic;
1091-.PP
1092-You can obtain
1093-.B nfacct(8)
1094-from http://www.netfilter.org or, alternatively, from the git.netfilter.org
1095-repository.
1096-.SS owner
1097-This module attempts to match various characteristics of the packet creator,
1098-for locally generated packets. This match is only valid in the OUTPUT and
1099-POSTROUTING chains. Forwarded packets do not have any socket associated with
1100-them. Packets from kernel threads do have a socket, but usually no owner.
1101-.TP
1102-[\fB!\fP] \fB\-\-uid\-owner\fP \fIusername\fP
1103-.TP
1104-[\fB!\fP] \fB\-\-uid\-owner\fP \fIuserid\fP[\fB\-\fP\fIuserid\fP]
1105-Matches if the packet socket's file structure (if it has one) is owned by the
1106-given user. You may also specify a numerical UID, or an UID range.
1107-.TP
1108-[\fB!\fP] \fB\-\-gid\-owner\fP \fIgroupname\fP
1109-.TP
1110-[\fB!\fP] \fB\-\-gid\-owner\fP \fIgroupid\fP[\fB\-\fP\fIgroupid\fP]
1111-Matches if the packet socket's file structure is owned by the given group.
1112-You may also specify a numerical GID, or a GID range.
1113-.TP
1114-[\fB!\fP] \fB\-\-socket\-exists\fP
1115-Matches if the packet is associated with a socket.
1116-.SS physdev
1117-This module matches on the bridge port input and output devices enslaved
1118-to a bridge device. This module is a part of the infrastructure that enables
1119-a transparent bridging IP firewall and is only useful for kernel versions
1120-above version 2.5.44.
1121-.TP
1122-[\fB!\fP] \fB\-\-physdev\-in\fP \fIname\fP
1123-Name of a bridge port via which a packet is received (only for
1124-packets entering the
1125-.BR INPUT ,
1126-.B FORWARD
1127-and
1128-.B PREROUTING
1129-chains). If the interface name ends in a "+", then any
1130-interface which begins with this name will match. If the packet didn't arrive
1131-through a bridge device, this packet won't match this option, unless '!' is used.
1132-.TP
1133-[\fB!\fP] \fB\-\-physdev\-out\fP \fIname\fP
1134-Name of a bridge port via which a packet is going to be sent (for packets
1135-entering the
1136-.BR FORWARD ,
1137-.B OUTPUT
1138-and
1139-.B POSTROUTING
1140-chains). If the interface name ends in a "+", then any
1141-interface which begins with this name will match. Note that in the
1142-.BR nat " and " mangle
1143-.B OUTPUT
1144-chains one cannot match on the bridge output port, however one can in the
1145-.B "filter OUTPUT"
1146-chain. If the packet won't leave by a bridge device or if it is yet unknown what
1147-the output device will be, then the packet won't match this option,
1148-unless '!' is used.
1149-.TP
1150-[\fB!\fP] \fB\-\-physdev\-is\-in\fP
1151-Matches if the packet has entered through a bridge interface.
1152-.TP
1153-[\fB!\fP] \fB\-\-physdev\-is\-out\fP
1154-Matches if the packet will leave through a bridge interface.
1155-.TP
1156-[\fB!\fP] \fB\-\-physdev\-is\-bridged\fP
1157-Matches if the packet is being bridged and therefore is not being routed.
1158-This is only useful in the FORWARD and POSTROUTING chains.
1159-.SS pkttype
1160-This module matches the link-layer packet type.
1161-.TP
1162-[\fB!\fP] \fB\-\-pkt\-type\fP {\fBunicast\fP|\fBbroadcast\fP|\fBmulticast\fP}
1163-.SS policy
1164-This modules matches the policy used by IPsec for handling a packet.
1165-.TP
1166-\fB\-\-dir\fP {\fBin\fP|\fBout\fP}
1167-Used to select whether to match the policy used for decapsulation or the
1168-policy that will be used for encapsulation.
1169-.B in
1170-is valid in the
1171-.B PREROUTING, INPUT and FORWARD
1172-chains,
1173-.B out
1174-is valid in the
1175-.B POSTROUTING, OUTPUT and FORWARD
1176-chains.
1177-.TP
1178-\fB\-\-pol\fP {\fBnone\fP|\fBipsec\fP}
1179-Matches if the packet is subject to IPsec processing. \fB\-\-pol none\fP
1180-cannot be combined with \fB\-\-strict\fP.
1181-.TP
1182-\fB\-\-strict\fP
1183-Selects whether to match the exact policy or match if any rule of
1184-the policy matches the given policy.
1185-.PP
1186-For each policy element that is to be described, one can use one or more of
1187-the following options. When \fB\-\-strict\fP is in effect, at least one must be
1188-used per element.
1189-.TP
1190-[\fB!\fP] \fB\-\-reqid\fP \fIid\fP
1191-Matches the reqid of the policy rule. The reqid can be specified with
1192-.B setkey(8)
1193-using
1194-.B unique:id
1195-as level.
1196-.TP
1197-[\fB!\fP] \fB\-\-spi\fP \fIspi\fP
1198-Matches the SPI of the SA.
1199-.TP
1200-[\fB!\fP] \fB\-\-proto\fP {\fBah\fP|\fBesp\fP|\fBipcomp\fP}
1201-Matches the encapsulation protocol.
1202-.TP
1203-[\fB!\fP] \fB\-\-mode\fP {\fBtunnel\fP|\fBtransport\fP}
1204-Matches the encapsulation mode.
1205-.TP
1206-[\fB!\fP] \fB\-\-tunnel\-src\fP \fIaddr\fP[\fB/\fP\fImask\fP]
1207-Matches the source end-point address of a tunnel mode SA.
1208-Only valid with \fB\-\-mode tunnel\fP.
1209-.TP
1210-[\fB!\fP] \fB\-\-tunnel\-dst\fP \fIaddr\fP[\fB/\fP\fImask\fP]
1211-Matches the destination end-point address of a tunnel mode SA.
1212-Only valid with \fB\-\-mode tunnel\fP.
1213-.TP
1214-\fB\-\-next\fP
1215-Start the next element in the policy specification. Can only be used with
1216-\fB\-\-strict\fP.
1217-.SS quota
1218-Implements network quotas by decrementing a byte counter with each
1219-packet. The condition matches until the byte counter reaches zero. Behavior
1220-is reversed with negation (i.e. the condition does not match until the
1221-byte counter reaches zero).
1222-.TP
1223-[\fB!\fP] \fB\-\-quota\fP \fIbytes\fP
1224-The quota in bytes.
1225-.SS rateest
1226-The rate estimator can match on estimated rates as collected by the RATEEST
1227-target. It supports matching on absolute bps/pps values, comparing two rate
1228-estimators and matching on the difference between two rate estimators.
1229-.PP
1230-For a better understanding of the available options, these are all possible
1231-combinations:
1232-.\" * Absolute:
1233-.IP \(bu 4
1234-\fBrateest\fP \fIoperator\fP \fBrateest-bps\fP
1235-.IP \(bu 4
1236-\fBrateest\fP \fIoperator\fP \fBrateest-pps\fP
1237-.\" * Absolute + Delta:
1238-.IP \(bu 4
1239-(\fBrateest\fP minus \fBrateest-bps1\fP) \fIoperator\fP \fBrateest-bps2\fP
1240-.IP \(bu 4
1241-(\fBrateest\fP minus \fBrateest-pps1\fP) \fIoperator\fP \fBrateest-pps2\fP
1242-.\" * Relative:
1243-.IP \(bu 4
1244-\fBrateest1\fP \fIoperator\fP \fBrateest2\fP \fBrateest-bps\fP(without rate!)
1245-.IP \(bu 4
1246-\fBrateest1\fP \fIoperator\fP \fBrateest2\fP \fBrateest-pps\fP(without rate!)
1247-.\" * Relative + Delta:
1248-.IP \(bu 4
1249-(\fBrateest1\fP minus \fBrateest-bps1\fP) \fIoperator\fP
1250-(\fBrateest2\fP minus \fBrateest-bps2\fP)
1251-.IP \(bu 4
1252-(\fBrateest1\fP minus \fBrateest-pps1\fP) \fIoperator\fP
1253-(\fBrateest2\fP minus \fBrateest-pps2\fP)
1254-.TP
1255-\fB\-\-rateest\-delta\fP
1256-For each estimator (either absolute or relative mode), calculate the difference
1257-between the estimator-determined flow rate and the static value chosen with the
1258-BPS/PPS options. If the flow rate is higher than the specified BPS/PPS, 0 will
1259-be used instead of a negative value. In other words, "max(0, rateest#_rate -
1260-rateest#_bps)" is used.
1261-.TP
1262-[\fB!\fP] \fB\-\-rateest\-lt\fP
1263-Match if rate is less than given rate/estimator.
1264-.TP
1265-[\fB!\fP] \fB\-\-rateest\-gt\fP
1266-Match if rate is greater than given rate/estimator.
1267-.TP
1268-[\fB!\fP] \fB\-\-rateest\-eq\fP
1269-Match if rate is equal to given rate/estimator.
1270-.PP
1271-In the so-called "absolute mode", only one rate estimator is used and compared
1272-against a static value, while in "relative mode", two rate estimators are
1273-compared against another.
1274-.TP
1275-\fB\-\-rateest\fP \fIname\fP
1276-Name of the one rate estimator for absolute mode.
1277-.TP
1278-\fB\-\-rateest1\fP \fIname\fP
1279-.TP
1280-\fB\-\-rateest2\fP \fIname\fP
1281-The names of the two rate estimators for relative mode.
1282-.TP
1283-\fB\-\-rateest\-bps\fP [\fIvalue\fP]
1284-.TP
1285-\fB\-\-rateest\-pps\fP [\fIvalue\fP]
1286-.TP
1287-\fB\-\-rateest\-bps1\fP [\fIvalue\fP]
1288-.TP
1289-\fB\-\-rateest\-bps2\fP [\fIvalue\fP]
1290-.TP
1291-\fB\-\-rateest\-pps1\fP [\fIvalue\fP]
1292-.TP
1293-\fB\-\-rateest\-pps2\fP [\fIvalue\fP]
1294-Compare the estimator(s) by bytes or packets per second, and compare against
1295-the chosen value. See the above bullet list for which option is to be used in
1296-which case. A unit suffix may be used - available ones are: bit, [kmgt]bit,
1297-[KMGT]ibit, Bps, [KMGT]Bps, [KMGT]iBps.
1298-.PP
1299-Example: This is what can be used to route outgoing data connections from an
1300-FTP server over two lines based on the available bandwidth at the time the data
1301-connection was started:
1302-.PP
1303-# Estimate outgoing rates
1304-.PP
1305-iptables \-t mangle \-A POSTROUTING \-o eth0 \-j RATEEST \-\-rateest\-name eth0
1306-\-\-rateest\-interval 250ms \-\-rateest\-ewma 0.5s
1307-.PP
1308-iptables \-t mangle \-A POSTROUTING \-o ppp0 \-j RATEEST \-\-rateest\-name ppp0
1309-\-\-rateest\-interval 250ms \-\-rateest\-ewma 0.5s
1310-.PP
1311-# Mark based on available bandwidth
1312-.PP
1313-iptables \-t mangle \-A balance \-m conntrack \-\-ctstate NEW \-m helper \-\-helper ftp
1314-\-m rateest \-\-rateest\-delta \-\-rateest1 eth0 \-\-rateest\-bps1 2.5mbit \-\-rateest\-gt
1315-\-\-rateest2 ppp0 \-\-rateest\-bps2 2mbit \-j CONNMARK \-\-set\-mark 1
1316-.PP
1317-iptables \-t mangle \-A balance \-m conntrack \-\-ctstate NEW \-m helper \-\-helper ftp
1318-\-m rateest \-\-rateest\-delta \-\-rateest1 ppp0 \-\-rateest\-bps1 2mbit \-\-rateest\-gt
1319-\-\-rateest2 eth0 \-\-rateest\-bps2 2.5mbit \-j CONNMARK \-\-set\-mark 2
1320-.PP
1321-iptables \-t mangle \-A balance \-j CONNMARK \-\-restore\-mark
1322-.SS recent
1323-Allows you to dynamically create a list of IP addresses and then match against
1324-that list in a few different ways.
1325-.PP
1326-For example, you can create a "badguy" list out of people attempting to connect
1327-to port 139 on your firewall and then DROP all future packets from them without
1328-considering them.
1329-.PP
1330-\fB\-\-set\fP, \fB\-\-rcheck\fP, \fB\-\-update\fP and \fB\-\-remove\fP are
1331-mutually exclusive.
1332-.TP
1333-\fB\-\-name\fP \fIname\fP
1334-Specify the list to use for the commands. If no name is given then
1335-\fBDEFAULT\fP will be used.
1336-.TP
1337-[\fB!\fP] \fB\-\-set\fP
1338-This will add the source address of the packet to the list. If the source
1339-address is already in the list, this will update the existing entry. This will
1340-always return success (or failure if \fB!\fP is passed in).
1341-.TP
1342-\fB\-\-rsource\fP
1343-Match/save the source address of each packet in the recent list table. This
1344-is the default.
1345-.TP
1346-\fB\-\-rdest\fP
1347-Match/save the destination address of each packet in the recent list table.
1348-.TP
1349-[\fB!\fP] \fB\-\-rcheck\fP
1350-Check if the source address of the packet is currently in the list.
1351-.TP
1352-[\fB!\fP] \fB\-\-update\fP
1353-Like \fB\-\-rcheck\fP, except it will update the "last seen" timestamp if it
1354-matches.
1355-.TP
1356-[\fB!\fP] \fB\-\-remove\fP
1357-Check if the source address of the packet is currently in the list and if so
1358-that address will be removed from the list and the rule will return true. If
1359-the address is not found, false is returned.
1360-.TP
1361-\fB\-\-seconds\fP \fIseconds\fP
1362-This option must be used in conjunction with one of \fB\-\-rcheck\fP or
1363-\fB\-\-update\fP. When used, this will narrow the match to only happen when the
1364-address is in the list and was seen within the last given number of seconds.
1365-.TP
1366-\fB\-\-reap\fP
1367-This option can only be used in conjunction with \fB\-\-seconds\fP.
1368-When used, this will cause entries older than the last given number of seconds
1369-to be purged.
1370-.TP
1371-\fB\-\-hitcount\fP \fIhits\fP
1372-This option must be used in conjunction with one of \fB\-\-rcheck\fP or
1373-\fB\-\-update\fP. When used, this will narrow the match to only happen when the
1374-address is in the list and packets had been received greater than or equal to
1375-the given value. This option may be used along with \fB\-\-seconds\fP to create
1376-an even narrower match requiring a certain number of hits within a specific
1377-time frame. The maximum value for the hitcount parameter is given by the
1378-"ip_pkt_list_tot" parameter of the xt_recent kernel module. Exceeding this
1379-value on the command line will cause the rule to be rejected.
1380-.TP
1381-\fB\-\-rttl\fP
1382-This option may only be used in conjunction with one of \fB\-\-rcheck\fP or
1383-\fB\-\-update\fP. When used, this will narrow the match to only happen when the
1384-address is in the list and the TTL of the current packet matches that of the
1385-packet which hit the \fB\-\-set\fP rule. This may be useful if you have problems
1386-with people faking their source address in order to DoS you via this module by
1387-disallowing others access to your site by sending bogus packets to you.
1388-.PP
1389-Examples:
1390-.IP
1391-iptables \-A FORWARD \-m recent \-\-name badguy \-\-rcheck \-\-seconds 60 \-j DROP
1392-.IP
1393-iptables \-A FORWARD \-p tcp \-i eth0 \-\-dport 139 \-m recent \-\-name badguy \-\-set \-j DROP
1394-.PP
1395-Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/) also has
1396-some examples of usage.
1397-.PP
1398-\fB/proc/net/xt_recent/*\fP are the current lists of addresses and information
1399-about each entry of each list.
1400-.PP
1401-Each file in \fB/proc/net/xt_recent/\fP can be read from to see the current
1402-list or written two using the following commands to modify the list:
1403-.TP
1404-\fBecho +\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP
1405-to add \fIaddr\fP to the DEFAULT list
1406-.TP
1407-\fBecho \-\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP
1408-to remove \fIaddr\fP from the DEFAULT list
1409-.TP
1410-\fBecho / >/proc/net/xt_recent/DEFAULT\fP
1411-to flush the DEFAULT list (remove all entries).
1412-.PP
1413-The module itself accepts parameters, defaults shown:
1414-.TP
1415-\fBip_list_tot\fP=\fI100\fP
1416-Number of addresses remembered per table.
1417-.TP
1418-\fBip_pkt_list_tot\fP=\fI20\fP
1419-Number of packets per address remembered.
1420-.TP
1421-\fBip_list_hash_size\fP=\fI0\fP
1422-Hash table size. 0 means to calculate it based on ip_list_tot, default: 512.
1423-.TP
1424-\fBip_list_perms\fP=\fI0644\fP
1425-Permissions for /proc/net/xt_recent/* files.
1426-.TP
1427-\fBip_list_uid\fP=\fI0\fP
1428-Numerical UID for ownership of /proc/net/xt_recent/* files.
1429-.TP
1430-\fBip_list_gid\fP=\fI0\fP
1431-Numerical GID for ownership of /proc/net/xt_recent/* files.
1432-.SS rpfilter
1433-Performs a reverse path filter test on a packet.
1434-If a reply to the packet would be sent via the same interface
1435-that the packet arrived on, the packet will match.
1436-Note that, unlike the in-kernel rp_filter, packets protected
1437-by IPSec are not treated specially. Combine this match with
1438-the policy match if you want this.
1439-Also, packets arriving via the loopback interface are always permitted.
1440-This match can only be used in the PREROUTING chain of the raw or mangle table.
1441-.TP
1442-\fB\-\-loose\fP
1443-Used to specifiy that the reverse path filter test should match
1444-even if the selected output device is not the expected one.
1445-.TP
1446-\fB\-\-validmark\fP
1447-Also use the packets' nfmark value when performing the reverse path route lookup.
1448-.TP
1449-\fB\-\-accept\-local\fP
1450-This will permit packets arriving from the network with a source address that is also
1451-assigned to the local machine.
1452-\fB\-\-invert\fP
1453-This will invert the sense of the match. Instead of matching packets that passed the
1454-reverse path filter test, match those that have failed it.
1455-.PP
1456-Example to log and drop packets failing the reverse path filter test:
1457-
1458-iptables \-t raw \-N RPFILTER
1459-
1460-iptables \-t raw \-A RPFILTER \-m rpfilter \-j RETURN
1461-
1462-iptables \-t raw \-A RPFILTER \-m limit \-\-limit 10/minute \-j NFLOG \-\-nflog\-prefix "rpfilter drop"
1463-
1464-iptables \-t raw \-A RPFILTER \-j DROP
1465-
1466-iptables \-t raw \-A PREROUTING \-j RPFILTER
1467-
1468-Example to drop failed packets, without logging:
1469-
1470-iptables \-t raw \-A RPFILTER \-m rpfilter \-\-invert \-j DROP
1471-.SS rt
1472-Match on IPv6 routing header
1473-.TP
1474-[\fB!\fP] \fB\-\-rt\-type\fP \fItype\fP
1475-Match the type (numeric).
1476-.TP
1477-[\fB!\fP] \fB\-\-rt\-segsleft\fP \fInum\fP[\fB:\fP\fInum\fP]
1478-Match the `segments left' field (range).
1479-.TP
1480-[\fB!\fP] \fB\-\-rt\-len\fP \fIlength\fP
1481-Match the length of this header.
1482-.TP
1483-\fB\-\-rt\-0\-res\fP
1484-Match the reserved field, too (type=0)
1485-.TP
1486-\fB\-\-rt\-0\-addrs\fP \fIaddr\fP[\fB,\fP\fIaddr\fP...]
1487-Match type=0 addresses (list).
1488-.TP
1489-\fB\-\-rt\-0\-not\-strict\fP
1490-List of type=0 addresses is not a strict list.
1491-.SS sctp
1492-.TP
1493-[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP]
1494-.TP
1495-[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP]
1496-.TP
1497-[\fB!\fP] \fB\-\-chunk\-types\fP {\fBall\fP|\fBany\fP|\fBonly\fP} \fIchunktype\fP[\fB:\fP\fIflags\fP] [...]
1498-The flag letter in upper case indicates that the flag is to match if set,
1499-in the lower case indicates to match if unset.
1500-
1501-Chunk types: DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK FORWARD_TSN
1502-
1503-chunk type available flags
1504-.br
1505-DATA I U B E i u b e
1506-.br
1507-ABORT T t
1508-.br
1509-SHUTDOWN_COMPLETE T t
1510-
1511-(lowercase means flag should be "off", uppercase means "on")
1512-.P
1513-Examples:
1514-
1515-iptables \-A INPUT \-p sctp \-\-dport 80 \-j DROP
1516-
1517-iptables \-A INPUT \-p sctp \-\-chunk\-types any DATA,INIT \-j DROP
1518-
1519-iptables \-A INPUT \-p sctp \-\-chunk\-types any DATA:Be \-j ACCEPT
1520-.SS set
1521-This module matches IP sets which can be defined by ipset(8).
1522-.TP
1523-[\fB!\fP] \fB\-\-match\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP]...
1524-where flags are the comma separated list of
1525-.BR "src"
1526-and/or
1527-.BR "dst"
1528-specifications and there can be no more than six of them. Hence the command
1529-.IP
1530- iptables \-A FORWARD \-m set \-\-match\-set test src,dst
1531-.IP
1532-will match packets, for which (if the set type is ipportmap) the source
1533-address and destination port pair can be found in the specified set. If
1534-the set type of the specified set is single dimension (for example ipmap),
1535-then the command will match packets for which the source address can be
1536-found in the specified set.
1537-.PP
1538-The option \fB\-\-match\-set\fP can be replaced by \fB\-\-set\fP if that does
1539-not clash with an option of other extensions.
1540-.PP
1541-Use of -m set requires that ipset kernel support is provided, which, for
1542-standard kernels, is the case since Linux 2.6.39.
1543-.SS socket
1544-This matches if an open socket can be found by doing a socket lookup on the
1545-packet.
1546-.TP
1547-\fB\-\-transparent\fP
1548-Ignore non-transparent sockets.
1549-.SS state
1550-This module, when combined with connection tracking, allows access to
1551-the connection tracking state for this packet.
1552-.TP
1553-[\fB!\fP] \fB\-\-state\fP \fIstate\fP
1554-Where state is a comma separated list of the connection states to
1555-match. Possible states are
1556-.B INVALID
1557-meaning that the packet could not be identified for some reason which
1558-includes running out of memory and ICMP errors which don't correspond to any
1559-known connection,
1560-.B ESTABLISHED
1561-meaning that the packet is associated with a connection which has seen
1562-packets in both directions,
1563-.B NEW
1564-meaning that the packet has started a new connection, or otherwise
1565-associated with a connection which has not seen packets in both
1566-directions, and
1567-.B RELATED
1568-meaning that the packet is starting a new connection, but is
1569-associated with an existing connection, such as an FTP data transfer,
1570-or an ICMP error.
1571-.B UNTRACKED
1572-meaning that the packet is not tracked at all, which happens if you use
1573-the NOTRACK target in raw table.
1574-.SS statistic
1575-This module matches packets based on some statistic condition.
1576-It supports two distinct modes settable with the
1577-\fB\-\-mode\fP
1578-option.
1579-.PP
1580-Supported options:
1581-.TP
1582-\fB\-\-mode\fP \fImode\fP
1583-Set the matching mode of the matching rule, supported modes are
1584-.B random
1585-and
1586-.B nth.
1587-.TP
1588-[\fB!\fP] \fB\-\-probability\fP \fIp\fP
1589-Set the probability for a packet to be randomly matched. It only works with the
1590-\fBrandom\fP mode. \fIp\fP must be within 0.0 and 1.0. The supported
1591-granularity is in 1/2147483648th increments.
1592-.TP
1593-[\fB!\fP] \fB\-\-every\fP \fIn\fP
1594-Match one packet every nth packet. It works only with the
1595-.B nth
1596-mode (see also the
1597-\fB\-\-packet\fP
1598-option).
1599-.TP
1600-\fB\-\-packet\fP \fIp\fP
1601-Set the initial counter value (0 <= p <= n\-1, default 0) for the
1602-.B nth
1603-mode.
1604-.SS string
1605-This modules matches a given string by using some pattern matching strategy. It requires a linux kernel >= 2.6.14.
1606-.TP
1607-\fB\-\-algo\fP {\fBbm\fP|\fBkmp\fP}
1608-Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris)
1609-.TP
1610-\fB\-\-from\fP \fIoffset\fP
1611-Set the offset from which it starts looking for any matching. If not passed, default is 0.
1612-.TP
1613-\fB\-\-to\fP \fIoffset\fP
1614-Set the offset up to which should be scanned. That is, byte \fIoffset\fP-1
1615-(counting from 0) is the last one that is scanned.
1616-If not passed, default is the packet size.
1617-.TP
1618-[\fB!\fP] \fB\-\-string\fP \fIpattern\fP
1619-Matches the given pattern.
1620-.TP
1621-[\fB!\fP] \fB\-\-hex\-string\fP \fIpattern\fP
1622-Matches the given pattern in hex notation.
1623-.SS tcp
1624-These extensions can be used if `\-\-protocol tcp' is specified. It
1625-provides the following options:
1626-.TP
1627-[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP]
1628-Source port or port range specification. This can either be a service
1629-name or a port number. An inclusive range can also be specified,
1630-using the format \fIfirst\fP\fB:\fP\fIlast\fP.
1631-If the first port is omitted, "0" is assumed; if the last is omitted,
1632-"65535" is assumed.
1633-If the first port is greater than the second one they will be swapped.
1634-The flag
1635-\fB\-\-sport\fP
1636-is a convenient alias for this option.
1637-.TP
1638-[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP]
1639-Destination port or port range specification. The flag
1640-\fB\-\-dport\fP
1641-is a convenient alias for this option.
1642-.TP
1643-[\fB!\fP] \fB\-\-tcp\-flags\fP \fImask\fP \fIcomp\fP
1644-Match when the TCP flags are as specified. The first argument \fImask\fP is the
1645-flags which we should examine, written as a comma-separated list, and
1646-the second argument \fIcomp\fP is a comma-separated list of flags which must be
1647-set. Flags are:
1648-.BR "SYN ACK FIN RST URG PSH ALL NONE" .
1649-Hence the command
1650-.nf
1651- iptables \-A FORWARD \-p tcp \-\-tcp\-flags SYN,ACK,FIN,RST SYN
1652-.fi
1653-will only match packets with the SYN flag set, and the ACK, FIN and
1654-RST flags unset.
1655-.TP
1656-[\fB!\fP] \fB\-\-syn\fP
1657-Only match TCP packets with the SYN bit set and the ACK,RST and FIN bits
1658-cleared. Such packets are used to request TCP connection initiation;
1659-for example, blocking such packets coming in an interface will prevent
1660-incoming TCP connections, but outgoing TCP connections will be
1661-unaffected.
1662-It is equivalent to \fB\-\-tcp\-flags SYN,RST,ACK,FIN SYN\fP.
1663-If the "!" flag precedes the "\-\-syn", the sense of the
1664-option is inverted.
1665-.TP
1666-[\fB!\fP] \fB\-\-tcp\-option\fP \fInumber\fP
1667-Match if TCP option set.
1668-.SS tcpmss
1669-This matches the TCP MSS (maximum segment size) field of the TCP header. You can only use this on TCP SYN or SYN/ACK packets, since the MSS is only negotiated during the TCP handshake at connection startup time.
1670-.TP
1671-[\fB!\fP] \fB\-\-mss\fP \fIvalue\fP[\fB:\fP\fIvalue\fP]
1672-Match a given TCP MSS value or range.
1673-.SS time
1674-This matches if the packet arrival time/date is within a given range. All
1675-options are optional, but are ANDed when specified. All times are interpreted
1676-as UTC by default.
1677-.TP
1678-\fB\-\-datestart\fP \fIYYYY\fP[\fB\-\fP\fIMM\fP[\fB\-\fP\fIDD\fP[\fBT\fP\fIhh\fP[\fB:\fP\fImm\fP[\fB:\fP\fIss\fP]]]]]
1679-.TP
1680-\fB\-\-datestop\fP \fIYYYY\fP[\fB\-\fP\fIMM\fP[\fB\-\fP\fIDD\fP[\fBT\fP\fIhh\fP[\fB:\fP\fImm\fP[\fB:\fP\fIss\fP]]]]]
1681-Only match during the given time, which must be in ISO 8601 "T" notation.
1682-The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07.
1683-.IP
1684-If \-\-datestart or \-\-datestop are not specified, it will default to 1970-01-01
1685-and 2038-01-19, respectively.
1686-.TP
1687-\fB\-\-timestart\fP \fIhh\fP\fB:\fP\fImm\fP[\fB:\fP\fIss\fP]
1688-.TP
1689-\fB\-\-timestop\fP \fIhh\fP\fB:\fP\fImm\fP[\fB:\fP\fIss\fP]
1690-Only match during the given daytime. The possible time range is 00:00:00 to
1691-23:59:59. Leading zeroes are allowed (e.g. "06:03") and correctly interpreted
1692-as base-10.
1693-.TP
1694-[\fB!\fP] \fB\-\-monthdays\fP \fIday\fP[\fB,\fP\fIday\fP...]
1695-Only match on the given days of the month. Possible values are \fB1\fP
1696-to \fB31\fP. Note that specifying \fB31\fP will of course not match
1697-on months which do not have a 31st day; the same goes for 28- or 29-day
1698-February.
1699-.TP
1700-[\fB!\fP] \fB\-\-weekdays\fP \fIday\fP[\fB,\fP\fIday\fP...]
1701-Only match on the given weekdays. Possible values are \fBMon\fP, \fBTue\fP,
1702-\fBWed\fP, \fBThu\fP, \fBFri\fP, \fBSat\fP, \fBSun\fP, or values from \fB1\fP
1703-to \fB7\fP, respectively. You may also use two-character variants (\fBMo\fP,
1704-\fBTu\fP, etc.).
1705-.TP
1706-\fB\-\-kerneltz\fP
1707-Use the kernel timezone instead of UTC to determine whether a packet meets the
1708-time regulations.
1709-.PP
1710-About kernel timezones: Linux keeps the system time in UTC, and always does so.
1711-On boot, system time is initialized from a referential time source. Where this
1712-time source has no timezone information, such as the x86 CMOS RTC, UTC will be
1713-assumed. If the time source is however not in UTC, userspace should provide the
1714-correct system time and timezone to the kernel once it has the information.
1715-.PP
1716-Local time is a feature on top of the (timezone independent) system time. Each
1717-process has its own idea of local time, specified via the TZ environment
1718-variable. The kernel also has its own timezone offset variable. The TZ
1719-userspace environment variable specifies how the UTC-based system time is
1720-displayed, e.g. when you run date(1), or what you see on your desktop clock.
1721-The TZ string may resolve to different offsets at different dates, which is
1722-what enables the automatic time-jumping in userspace. when DST changes. The
1723-kernel's timezone offset variable is used when it has to convert between
1724-non-UTC sources, such as FAT filesystems, to UTC (since the latter is what the
1725-rest of the system uses).
1726-.PP
1727-The caveat with the kernel timezone is that Linux distributions may ignore to
1728-set the kernel timezone, and instead only set the system time. Even if a
1729-particular distribution does set the timezone at boot, it is usually does not
1730-keep the kernel timezone offset - which is what changes on DST - up to date.
1731-ntpd will not touch the kernel timezone, so running it will not resolve the
1732-issue. As such, one may encounter a timezone that is always +0000, or one that
1733-is wrong half of the time of the year. As such, \fBusing \-\-kerneltz is highly
1734-discouraged.\fP
1735-.PP
1736-EXAMPLES. To match on weekends, use:
1737-.IP
1738-\-m time \-\-weekdays Sa,Su
1739-.PP
1740-Or, to match (once) on a national holiday block:
1741-.IP
1742-\-m time \-\-datestart 2007\-12\-24 \-\-datestop 2007\-12\-27
1743-.PP
1744-Since the stop time is actually inclusive, you would need the following stop
1745-time to not match the first second of the new day:
1746-.IP
1747-\-m time \-\-datestart 2007\-01\-01T17:00 \-\-datestop 2007\-01\-01T23:59:59
1748-.PP
1749-During lunch hour:
1750-.IP
1751-\-m time \-\-timestart 12:30 \-\-timestop 13:30
1752-.PP
1753-The fourth Friday in the month:
1754-.IP
1755-\-m time \-\-weekdays Fr \-\-monthdays 22,23,24,25,26,27,28
1756-.PP
1757-(Note that this exploits a certain mathematical property. It is not possible to
1758-say "fourth Thursday OR fourth Friday" in one rule. It is possible with
1759-multiple rules, though.)
1760-.SS tos
1761-This module matches the 8-bit Type of Service field in the IPv4 header (i.e.
1762-including the "Precedence" bits) or the (also 8-bit) Priority field in the IPv6
1763-header.
1764-.TP
1765-[\fB!\fP] \fB\-\-tos\fP \fIvalue\fP[\fB/\fP\fImask\fP]
1766-Matches packets with the given TOS mark value. If a mask is specified, it is
1767-logically ANDed with the TOS mark before the comparison.
1768-.TP
1769-[\fB!\fP] \fB\-\-tos\fP \fIsymbol\fP
1770-You can specify a symbolic name when using the tos match for IPv4. The list of
1771-recognized TOS names can be obtained by calling iptables with \fB\-m tos \-h\fP.
1772-Note that this implies a mask of 0x3F, i.e. all but the ECN bits.
1773-.SS u32
1774-U32 tests whether quantities of up to 4 bytes extracted from a packet have
1775-specified values. The specification of what to extract is general enough to
1776-find data at given offsets from tcp headers or payloads.
1777-.TP
1778-[\fB!\fP] \fB\-\-u32\fP \fItests\fP
1779-The argument amounts to a program in a small language described below.
1780-.IP
1781-tests := location "=" value | tests "&&" location "=" value
1782-.IP
1783-value := range | value "," range
1784-.IP
1785-range := number | number ":" number
1786-.PP
1787-a single number, \fIn\fP, is interpreted the same as \fIn:n\fP. \fIn:m\fP is
1788-interpreted as the range of numbers \fB>=n\fP and \fB<=m\fP.
1789-.IP "" 4
1790-location := number | location operator number
1791-.IP "" 4
1792-operator := "&" | "<<" | ">>" | "@"
1793-.PP
1794-The operators \fB&\fP, \fB<<\fP, \fB>>\fP and \fB&&\fP mean the same as in C.
1795-The \fB=\fP is really a set membership operator and the value syntax describes
1796-a set. The \fB@\fP operator is what allows moving to the next header and is
1797-described further below.
1798-.PP
1799-There are currently some artificial implementation limits on the size of the
1800-tests:
1801-.IP " *"
1802-no more than 10 of "\fB=\fP" (and 9 "\fB&&\fP"s) in the u32 argument
1803-.IP " *"
1804-no more than 10 ranges (and 9 commas) per value
1805-.IP " *"
1806-no more than 10 numbers (and 9 operators) per location
1807-.PP
1808-To describe the meaning of location, imagine the following machine that
1809-interprets it. There are three registers:
1810-.IP
1811-A is of type \fBchar *\fP, initially the address of the IP header
1812-.IP
1813-B and C are unsigned 32 bit integers, initially zero
1814-.PP
1815-The instructions are:
1816-.IP
1817-number B = number;
1818-.IP
1819-C = (*(A+B)<<24) + (*(A+B+1)<<16) + (*(A+B+2)<<8) + *(A+B+3)
1820-.IP
1821-&number C = C & number
1822-.IP
1823-<< number C = C << number
1824-.IP
1825->> number C = C >> number
1826-.IP
1827-@number A = A + C; then do the instruction number
1828-.PP
1829-Any access of memory outside [skb\->data,skb\->end] causes the match to fail.
1830-Otherwise the result of the computation is the final value of C.
1831-.PP
1832-Whitespace is allowed but not required in the tests. However, the characters
1833-that do occur there are likely to require shell quoting, so it is a good idea
1834-to enclose the arguments in quotes.
1835-.PP
1836-Example:
1837-.IP
1838-match IP packets with total length >= 256
1839-.IP
1840-The IP header contains a total length field in bytes 2-3.
1841-.IP
1842-\-\-u32 "\fB0 & 0xFFFF = 0x100:0xFFFF\fP"
1843-.IP
1844-read bytes 0-3
1845-.IP
1846-AND that with 0xFFFF (giving bytes 2-3), and test whether that is in the range
1847-[0x100:0xFFFF]
1848-.PP
1849-Example: (more realistic, hence more complicated)
1850-.IP
1851-match ICMP packets with icmp type 0
1852-.IP
1853-First test that it is an ICMP packet, true iff byte 9 (protocol) = 1
1854-.IP
1855-\-\-u32 "\fB6 & 0xFF = 1 &&\fP ...
1856-.IP
1857-read bytes 6-9, use \fB&\fP to throw away bytes 6-8 and compare the result to
1858-1. Next test that it is not a fragment. (If so, it might be part of such a
1859-packet but we cannot always tell.) N.B.: This test is generally needed if you
1860-want to match anything beyond the IP header. The last 6 bits of byte 6 and all
1861-of byte 7 are 0 iff this is a complete packet (not a fragment). Alternatively,
1862-you can allow first fragments by only testing the last 5 bits of byte 6.
1863-.IP
1864- ... \fB4 & 0x3FFF = 0 &&\fP ...
1865-.IP
1866-Last test: the first byte past the IP header (the type) is 0. This is where we
1867-have to use the @syntax. The length of the IP header (IHL) in 32 bit words is
1868-stored in the right half of byte 0 of the IP header itself.
1869-.IP
1870- ... \fB0 >> 22 & 0x3C @ 0 >> 24 = 0\fP"
1871-.IP
1872-The first 0 means read bytes 0-3, \fB>>22\fP means shift that 22 bits to the
1873-right. Shifting 24 bits would give the first byte, so only 22 bits is four
1874-times that plus a few more bits. \fB&3C\fP then eliminates the two extra bits
1875-on the right and the first four bits of the first byte. For instance, if IHL=5,
1876-then the IP header is 20 (4 x 5) bytes long. In this case, bytes 0-1 are (in
1877-binary) xxxx0101 yyzzzzzz, \fB>>22\fP gives the 10 bit value xxxx0101yy and
1878-\fB&3C\fP gives 010100. \fB@\fP means to use this number as a new offset into
1879-the packet, and read four bytes starting from there. This is the first 4 bytes
1880-of the ICMP payload, of which byte 0 is the ICMP type. Therefore, we simply
1881-shift the value 24 to the right to throw out all but the first byte and compare
1882-the result with 0.
1883-.PP
1884-Example:
1885-.IP
1886-TCP payload bytes 8-12 is any of 1, 2, 5 or 8
1887-.IP
1888-First we test that the packet is a tcp packet (similar to ICMP).
1889-.IP
1890-\-\-u32 "\fB6 & 0xFF = 6 &&\fP ...
1891-.IP
1892-Next, test that it is not a fragment (same as above).
1893-.IP
1894- ... \fB0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 8 = 1,2,5,8\fP"
1895-.IP
1896-\fB0>>22&3C\fP as above computes the number of bytes in the IP header. \fB@\fP
1897-makes this the new offset into the packet, which is the start of the TCP
1898-header. The length of the TCP header (again in 32 bit words) is the left half
1899-of byte 12 of the TCP header. The \fB12>>26&3C\fP computes this length in bytes
1900-(similar to the IP header before). "@" makes this the new offset, which is the
1901-start of the TCP payload. Finally, 8 reads bytes 8-12 of the payload and
1902-\fB=\fP checks whether the result is any of 1, 2, 5 or 8.
1903-.SS udp
1904-These extensions can be used if `\-\-protocol udp' is specified. It
1905-provides the following options:
1906-.TP
1907-[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP]
1908-Source port or port range specification.
1909-See the description of the
1910-\fB\-\-source\-port\fP
1911-option of the TCP extension for details.
1912-.TP
1913-[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP]
1914-Destination port or port range specification.
1915-See the description of the
1916-\fB\-\-destination\-port\fP
1917-option of the TCP extension for details.
1918-.SH TARGET EXTENSIONS
1919-ip6tables can use extended target modules: the following are included
1920-in the standard distribution.
1921-.\" @TARGET@
1922-.SS AUDIT
1923-This target allows to create audit records for packets hitting the target.
1924-It can be used to record accepted, dropped, and rejected packets. See
1925-auditd(8) for additional details.
1926-.TP
1927-\fB\-\-type\fP {\fBaccept\fP|\fBdrop\fP|\fBreject\fP}
1928-Set type of audit record.
1929-.PP
1930-Example:
1931-.IP
1932-iptables \-N AUDIT_DROP
1933-.IP
1934-iptables \-A AUDIT_DROP \-j AUDIT \-\-type drop
1935-.IP
1936-iptables \-A AUDIT_DROP \-j DROP
1937-.SS CHECKSUM
1938-This target allows to selectively work around broken/old applications.
1939-It can only be used in the mangle table.
1940-.TP
1941-\fB\-\-checksum\-fill\fP
1942-Compute and fill in the checksum in a packet that lacks a checksum.
1943-This is particularly useful, if you need to work around old applications
1944-such as dhcp clients, that do not work well with checksum offloads,
1945-but don't want to disable checksum offload in your device.
1946-.SS CLASSIFY
1947-This module allows you to set the skb\->priority value (and thus classify the packet into a specific CBQ class).
1948-.TP
1949-\fB\-\-set\-class\fP \fImajor\fP\fB:\fP\fIminor\fP
1950-Set the major and minor class value. The values are always interpreted as
1951-hexadecimal even if no 0x prefix is given.
1952-.SS CONNMARK
1953-This module sets the netfilter mark value associated with a connection. The
1954-mark is 32 bits wide.
1955-.TP
1956-\fB\-\-set\-xmark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
1957-Zero out the bits given by \fImask\fP and XOR \fIvalue\fP into the ctmark.
1958-.TP
1959-\fB\-\-save\-mark\fP [\fB\-\-nfmask\fP \fInfmask\fP] [\fB\-\-ctmask\fP \fIctmask\fP]
1960-Copy the packet mark (nfmark) to the connection mark (ctmark) using the given
1961-masks. The new nfmark value is determined as follows:
1962-.IP
1963-ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)
1964-.IP
1965-i.e. \fIctmask\fP defines what bits to clear and \fInfmask\fP what bits of the
1966-nfmark to XOR into the ctmark. \fIctmask\fP and \fInfmask\fP default to
1967-0xFFFFFFFF.
1968-.TP
1969-\fB\-\-restore\-mark\fP [\fB\-\-nfmask\fP \fInfmask\fP] [\fB\-\-ctmask\fP \fIctmask\fP]
1970-Copy the connection mark (ctmark) to the packet mark (nfmark) using the given
1971-masks. The new ctmark value is determined as follows:
1972-.IP
1973-nfmark = (nfmark & ~\fInfmask\fP) ^ (ctmark & \fIctmask\fP);
1974-.IP
1975-i.e. \fInfmask\fP defines what bits to clear and \fIctmask\fP what bits of the
1976-ctmark to XOR into the nfmark. \fIctmask\fP and \fInfmask\fP default to
1977-0xFFFFFFFF.
1978-.IP
1979-\fB\-\-restore\-mark\fP is only valid in the \fBmangle\fP table.
1980-.PP
1981-The following mnemonics are available for \fB\-\-set\-xmark\fP:
1982-.TP
1983-\fB\-\-and\-mark\fP \fIbits\fP
1984-Binary AND the ctmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark
1985-0/\fP\fIinvbits\fP, where \fIinvbits\fP is the binary negation of \fIbits\fP.)
1986-.TP
1987-\fB\-\-or\-mark\fP \fIbits\fP
1988-Binary OR the ctmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP
1989-\fIbits\fP\fB/\fP\fIbits\fP.)
1990-.TP
1991-\fB\-\-xor\-mark\fP \fIbits\fP
1992-Binary XOR the ctmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP
1993-\fIbits\fP\fB/0\fP.)
1994-.TP
1995-\fB\-\-set\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
1996-Set the connection mark. If a mask is specified then only those bits set in the
1997-mask are modified.
1998-.TP
1999-\fB\-\-save\-mark\fP [\fB\-\-mask\fP \fImask\fP]
2000-Copy the nfmark to the ctmark. If a mask is specified, only those bits are
2001-copied.
2002-.TP
2003-\fB\-\-restore\-mark\fP [\fB\-\-mask\fP \fImask\fP]
2004-Copy the ctmark to the nfmark. If a mask is specified, only those bits are
2005-copied. This is only valid in the \fBmangle\fP table.
2006-.SS CONNSECMARK
2007-This module copies security markings from packets to connections
2008-(if unlabeled), and from connections back to packets (also only
2009-if unlabeled). Typically used in conjunction with SECMARK, it is
2010-valid in the
2011-.B security
2012-table (for backwards compatibility with older kernels, it is also
2013-valid in the
2014-.B mangle
2015-table).
2016-.TP
2017-\fB\-\-save\fP
2018-If the packet has a security marking, copy it to the connection
2019-if the connection is not marked.
2020-.TP
2021-\fB\-\-restore\fP
2022-If the packet does not have a security marking, and the connection
2023-does, copy the security marking from the connection to the packet.
2024-
2025-.SS CT
2026-The CT target allows to set parameters for a packet or its associated
2027-connection. The target attaches a "template" connection tracking entry to
2028-the packet, which is then used by the conntrack core when initializing
2029-a new ct entry. This target is thus only valid in the "raw" table.
2030-.TP
2031-\fB\-\-notrack\fP
2032-Disables connection tracking for this packet.
2033-.TP
2034-\fB\-\-helper\fP \fIname\fP
2035-Use the helper identified by \fIname\fP for the connection. This is more
2036-flexible than loading the conntrack helper modules with preset ports.
2037-.TP
2038-\fB\-\-ctevents\fP \fIevent\fP[\fB,\fP...]
2039-Only generate the specified conntrack events for this connection. Possible
2040-event types are: \fBnew\fP, \fBrelated\fP, \fBdestroy\fP, \fBreply\fP,
2041-\fBassured\fP, \fBprotoinfo\fP, \fBhelper\fP, \fBmark\fP (this refers to
2042-the ctmark, not nfmark), \fBnatseqinfo\fP, \fBsecmark\fP (ctsecmark).
2043-.TP
2044-\fB\-\-expevents\fP \fIevent\fP[\fB,\fP...]
2045-Only generate the specified expectation events for this connection.
2046-Possible event types are: \fBnew\fP.
2047-.TP
2048-\fB\-\-zone\fP \fIid\fP
2049-Assign this packet to zone \fIid\fP and only have lookups done in that zone.
2050-By default, packets have zone 0.
2051-.SS DSCP
2052-This target allows to alter the value of the DSCP bits within the TOS
2053-header of the IPv4 packet. As this manipulates a packet, it can only
2054-be used in the mangle table.
2055-.TP
2056-\fB\-\-set\-dscp\fP \fIvalue\fP
2057-Set the DSCP field to a numerical value (can be decimal or hex)
2058-.TP
2059-\fB\-\-set\-dscp\-class\fP \fIclass\fP
2060-Set the DSCP field to a DiffServ class.
2061-.SS HL
2062-This is used to modify the Hop Limit field in IPv6 header. The Hop Limit field
2063-is similar to what is known as TTL value in IPv4. Setting or incrementing the
2064-Hop Limit field can potentially be very dangerous, so it should be avoided at
2065-any cost. This target is only valid in
2066-.B mangle
2067-table.
2068-.PP
2069-.B Don't ever set or increment the value on packets that leave your local network!
2070-.TP
2071-\fB\-\-hl\-set\fP \fIvalue\fP
2072-Set the Hop Limit to `value'.
2073-.TP
2074-\fB\-\-hl\-dec\fP \fIvalue\fP
2075-Decrement the Hop Limit `value' times.
2076-.TP
2077-\fB\-\-hl\-inc\fP \fIvalue\fP
2078-Increment the Hop Limit `value' times.
2079-.SS IDLETIMER
2080-This target can be used to identify when interfaces have been idle for a
2081-certain period of time. Timers are identified by labels and are created when
2082-a rule is set with a new label. The rules also take a timeout value (in
2083-seconds) as an option. If more than one rule uses the same timer label, the
2084-timer will be restarted whenever any of the rules get a hit. One entry for
2085-each timer is created in sysfs. This attribute contains the timer remaining
2086-for the timer to expire. The attributes are located under the xt_idletimer
2087-class:
2088-.PP
2089-/sys/class/xt_idletimer/timers/<label>
2090-.PP
2091-When the timer expires, the target module sends a sysfs notification to the
2092-userspace, which can then decide what to do (eg. disconnect to save power).
2093-.TP
2094-\fB\-\-timeout\fP \fIamount\fP
2095-This is the time in seconds that will trigger the notification.
2096-.TP
2097-\fB\-\-label\fP \fIstring\fP
2098-This is a unique identifier for the timer. The maximum length for the
2099-label string is 27 characters.
2100-.SS LOG
2101-Turn on kernel logging of matching packets. When this option is set
2102-for a rule, the Linux kernel will print some information on all
2103-matching packets (like most IPv6 IPv6-header fields) via the kernel log
2104-(where it can be read with
2105-.I dmesg
2106-or
2107-.IR syslogd (8)).
2108-This is a "non-terminating target", i.e. rule traversal continues at
2109-the next rule. So if you want to LOG the packets you refuse, use two
2110-separate rules with the same matching criteria, first using target LOG
2111-then DROP (or REJECT).
2112-.TP
2113-\fB\-\-log\-level\fP \fIlevel\fP
2114-Level of logging (numeric or see \fIsyslog.conf\fP(5)).
2115-.TP
2116-\fB\-\-log\-prefix\fP \fIprefix\fP
2117-Prefix log messages with the specified prefix; up to 29 letters long,
2118-and useful for distinguishing messages in the logs.
2119-.TP
2120-\fB\-\-log\-tcp\-sequence\fP
2121-Log TCP sequence numbers. This is a security risk if the log is
2122-readable by users.
2123-.TP
2124-\fB\-\-log\-tcp\-options\fP
2125-Log options from the TCP packet header.
2126-.TP
2127-\fB\-\-log\-ip\-options\fP
2128-Log options from the IPv6 packet header.
2129-.TP
2130-\fB\-\-log\-uid\fP
2131-Log the userid of the process which generated the packet.
2132-.SS MARK
2133-This target is used to set the Netfilter mark value associated with the packet.
2134-It can, for example, be used in conjunction with routing based on fwmark (needs
2135-iproute2). If you plan on doing so, note that the mark needs to be set in the
2136-PREROUTING chain of the mangle table to affect routing.
2137-The mark field is 32 bits wide.
2138-.TP
2139-\fB\-\-set\-xmark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
2140-Zeroes out the bits given by \fImask\fP and XORs \fIvalue\fP into the packet
2141-mark ("nfmark"). If \fImask\fP is omitted, 0xFFFFFFFF is assumed.
2142-.TP
2143-\fB\-\-set\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
2144-Zeroes out the bits given by \fImask\fP and ORs \fIvalue\fP into the packet
2145-mark. If \fImask\fP is omitted, 0xFFFFFFFF is assumed.
2146-.PP
2147-The following mnemonics are available:
2148-.TP
2149-\fB\-\-and\-mark\fP \fIbits\fP
2150-Binary AND the nfmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark
2151-0/\fP\fIinvbits\fP, where \fIinvbits\fP is the binary negation of \fIbits\fP.)
2152-.TP
2153-\fB\-\-or\-mark\fP \fIbits\fP
2154-Binary OR the nfmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP
2155-\fIbits\fP\fB/\fP\fIbits\fP.)
2156-.TP
2157-\fB\-\-xor\-mark\fP \fIbits\fP
2158-Binary XOR the nfmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP
2159-\fIbits\fP\fB/0\fP.)
2160-.SS NFLOG
2161-This target provides logging of matching packets. When this target is
2162-set for a rule, the Linux kernel will pass the packet to the loaded
2163-logging backend to log the packet. This is usually used in combination
2164-with nfnetlink_log as logging backend, which will multicast the packet
2165-through a
2166-.IR netlink
2167-socket to the specified multicast group. One or more userspace processes
2168-may subscribe to the group to receive the packets. Like LOG, this is a
2169-non-terminating target, i.e. rule traversal continues at the next rule.
2170-.TP
2171-\fB\-\-nflog\-group\fP \fInlgroup\fP
2172-The netlink group (0 - 2^16\-1) to which packets are (only applicable for
2173-nfnetlink_log). The default value is 0.
2174-.TP
2175-\fB\-\-nflog\-prefix\fP \fIprefix\fP
2176-A prefix string to include in the log message, up to 64 characters
2177-long, useful for distinguishing messages in the logs.
2178-.TP
2179-\fB\-\-nflog\-range\fP \fIsize\fP
2180-The number of bytes to be copied to userspace (only applicable for
2181-nfnetlink_log). nfnetlink_log instances may specify their own
2182-range, this option overrides it.
2183-.TP
2184-\fB\-\-nflog\-threshold\fP \fIsize\fP
2185-Number of packets to queue inside the kernel before sending them
2186-to userspace (only applicable for nfnetlink_log). Higher values
2187-result in less overhead per packet, but increase delay until the
2188-packets reach userspace. The default value is 1.
2189-.BR
2190-.SS NFQUEUE
2191-This target is an extension of the QUEUE target. As opposed to QUEUE, it allows
2192-you to put a packet into any specific queue, identified by its 16-bit queue
2193-number.
2194-It can only be used with Kernel versions 2.6.14 or later, since it requires
2195-the
2196-.B
2197-nfnetlink_queue
2198-kernel support. The \fBqueue-balance\fP option was added in Linux 2.6.31,
2199-\fBqueue-bypass\fP in 2.6.39.
2200-.TP
2201-\fB\-\-queue\-num\fP \fIvalue\fP
2202-This specifies the QUEUE number to use. Valid queue numbers are 0 to 65535. The default value is 0.
2203-.PP
2204-.TP
2205-\fB\-\-queue\-balance\fP \fIvalue\fP\fB:\fP\fIvalue\fP
2206-This specifies a range of queues to use. Packets are then balanced across the given queues.
2207-This is useful for multicore systems: start multiple instances of the userspace program on
2208-queues x, x+1, .. x+n and use "\-\-queue\-balance \fIx\fP\fB:\fP\fIx+n\fP".
2209-Packets belonging to the same connection are put into the same nfqueue.
2210-.PP
2211-.TP
2212-\fB\-\-queue\-bypass\fP
2213-By default, if no userspace program is listening on an NFQUEUE, then all packets that are to be queued
2214-are dropped. When this option is used, the NFQUEUE rule is silently bypassed instead. The packet
2215-will move on to the next rule.
2216-.SS NOTRACK
2217-This target disables connection tracking for all packets matching that rule.
2218-.PP
2219-It can only be used in the
2220-.B raw
2221-table.
2222-.SS RATEEST
2223-The RATEEST target collects statistics, performs rate estimation calculation
2224-and saves the results for later evaluation using the \fBrateest\fP match.
2225-.TP
2226-\fB\-\-rateest\-name\fP \fIname\fP
2227-Count matched packets into the pool referred to by \fIname\fP, which is freely
2228-choosable.
2229-.TP
2230-\fB\-\-rateest\-interval\fP \fIamount\fP{\fBs\fP|\fBms\fP|\fBus\fP}
2231-Rate measurement interval, in seconds, milliseconds or microseconds.
2232-.TP
2233-\fB\-\-rateest\-ewmalog\fP \fIvalue\fP
2234-Rate measurement averaging time constant.
2235-.SS REJECT
2236-This is used to send back an error packet in response to the matched
2237-packet: otherwise it is equivalent to
2238-.B DROP
2239-so it is a terminating TARGET, ending rule traversal.
2240-This target is only valid in the
2241-.BR INPUT ,
2242-.B FORWARD
2243-and
2244-.B OUTPUT
2245-chains, and user-defined chains which are only called from those
2246-chains. The following option controls the nature of the error packet
2247-returned:
2248-.TP
2249-\fB\-\-reject\-with\fP \fItype\fP
2250-The type given can be
2251-\fBicmp6\-no\-route\fP,
2252-\fBno\-route\fP,
2253-\fBicmp6\-adm\-prohibited\fP,
2254-\fBadm\-prohibited\fP,
2255-\fBicmp6\-addr\-unreachable\fP,
2256-\fBaddr\-unreach\fP,
2257-\fBicmp6\-port\-unreachable\fP or
2258-\fBport\-unreach\fP
2259-which return the appropriate ICMPv6 error message (\fBport\-unreach\fP is
2260-the default). Finally, the option
2261-\fBtcp\-reset\fP
2262-can be used on rules which only match the TCP protocol: this causes a
2263-TCP RST packet to be sent back. This is mainly useful for blocking
2264-.I ident
2265-(113/tcp) probes which frequently occur when sending mail to broken mail
2266-hosts (which won't accept your mail otherwise).
2267-\fBtcp\-reset\fP
2268-can only be used with kernel versions 2.6.14 or later.
2269-.SS SECMARK
2270-This is used to set the security mark value associated with the
2271-packet for use by security subsystems such as SELinux. It is
2272-valid in the
2273-.B security
2274-table (for backwards compatibility with older kernels, it is also
2275-valid in the
2276-.B mangle
2277-table). The mark is 32 bits wide.
2278-.TP
2279-\fB\-\-selctx\fP \fIsecurity_context\fP
2280-.SS SET
2281-This modules adds and/or deletes entries from IP sets which can be defined
2282-by ipset(8).
2283-.TP
2284-\fB\-\-add\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP...]
2285-add the address(es)/port(s) of the packet to the sets
2286-.TP
2287-\fB\-\-del\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP...]
2288-delete the address(es)/port(s) of the packet from the sets
2289-.IP
2290-where flags are
2291-.BR "src"
2292-and/or
2293-.BR "dst"
2294-specifications and there can be no more than six of them.
2295-.TP
2296-\fB\-\-timeout\fP \fIvalue\fP
2297-when adding entry, the timeout value to use instead of the default
2298-one from the set definition
2299-.TP
2300-\fB\-\-exist\fP
2301-when adding entry if it already exists, reset the timeout value
2302-to the specified one or to the default from the set definition
2303-.PP
2304-Use of -j SET requires that ipset kernel support is provided, which, for
2305-standard kernels, is the case since Linux 2.6.39.
2306-.SS TCPMSS
2307-This target allows to alter the MSS value of TCP SYN packets, to control
2308-the maximum size for that connection (usually limiting it to your
2309-outgoing interface's MTU minus 40 for IPv4 or 60 for IPv6, respectively).
2310-Of course, it can only be used
2311-in conjunction with
2312-\fB\-p tcp\fP.
2313-.PP
2314-This target is used to overcome criminally braindead ISPs or servers
2315-which block "ICMP Fragmentation Needed" or "ICMPv6 Packet Too Big"
2316-packets. The symptoms of this
2317-problem are that everything works fine from your Linux
2318-firewall/router, but machines behind it can never exchange large
2319-packets:
2320-.IP 1. 4
2321-Web browsers connect, then hang with no data received.
2322-.IP 2. 4
2323-Small mail works fine, but large emails hang.
2324-.IP 3. 4
2325-ssh works fine, but scp hangs after initial handshaking.
2326-.PP
2327-Workaround: activate this option and add a rule to your firewall
2328-configuration like:
2329-.IP
2330- iptables \-t mangle \-A FORWARD \-p tcp \-\-tcp\-flags SYN,RST SYN
2331- \-j TCPMSS \-\-clamp\-mss\-to\-pmtu
2332-.TP
2333-\fB\-\-set\-mss\fP \fIvalue\fP
2334-Explicitly sets MSS option to specified value. If the MSS of the packet is
2335-already lower than \fIvalue\fP, it will \fBnot\fP be increased (from Linux
2336-2.6.25 onwards) to avoid more problems with hosts relying on a proper MSS.
2337-.TP
2338-\fB\-\-clamp\-mss\-to\-pmtu\fP
2339-Automatically clamp MSS value to (path_MTU \- 40 for IPv4; \-60 for IPv6).
2340-This may not function as desired where asymmetric routes with differing
2341-path MTU exist \(em the kernel uses the path MTU which it would use to send
2342-packets from itself to the source and destination IP addresses. Prior to
2343-Linux 2.6.25, only the path MTU to the destination IP address was
2344-considered by this option; subsequent kernels also consider the path MTU
2345-to the source IP address.
2346-.PP
2347-These options are mutually exclusive.
2348-.SS TCPOPTSTRIP
2349-This target will strip TCP options off a TCP packet. (It will actually replace
2350-them by NO-OPs.) As such, you will need to add the \fB\-p tcp\fP parameters.
2351-.TP
2352-\fB\-\-strip\-options\fP \fIoption\fP[\fB,\fP\fIoption\fP...]
2353-Strip the given option(s). The options may be specified by TCP option number or
2354-by symbolic name. The list of recognized options can be obtained by calling
2355-iptables with \fB\-j TCPOPTSTRIP \-h\fP.
2356-.SS TEE
2357-The \fBTEE\fP target will clone a packet and redirect this clone to another
2358-machine on the \fBlocal\fP network segment. In other words, the nexthop
2359-must be the target, or you will have to configure the nexthop to forward it
2360-further if so desired.
2361-.TP
2362-\fB\-\-gateway\fP \fIipaddr\fP
2363-Send the cloned packet to the host reachable at the given IP address.
2364-Use of 0.0.0.0 (for IPv4 packets) or :: (IPv6) is invalid.
2365-.PP
2366-To forward all incoming traffic on eth0 to an Network Layer logging box:
2367-.PP
2368-\-t mangle \-A PREROUTING \-i eth0 \-j TEE \-\-gateway 2001:db8::1
2369-.SS TOS
2370-This module sets the Type of Service field in the IPv4 header (including the
2371-"precedence" bits) or the Priority field in the IPv6 header. Note that TOS
2372-shares the same bits as DSCP and ECN. The TOS target is only valid in the
2373-\fBmangle\fP table.
2374-.TP
2375-\fB\-\-set\-tos\fP \fIvalue\fP[\fB/\fP\fImask\fP]
2376-Zeroes out the bits given by \fImask\fP (see NOTE below) and XORs \fIvalue\fP
2377-into the TOS/Priority field. If \fImask\fP is omitted, 0xFF is assumed.
2378-.TP
2379-\fB\-\-set\-tos\fP \fIsymbol\fP
2380-You can specify a symbolic name when using the TOS target for IPv4. It implies
2381-a mask of 0xFF (see NOTE below). The list of recognized TOS names can be
2382-obtained by calling iptables with \fB\-j TOS \-h\fP.
2383-.PP
2384-The following mnemonics are available:
2385-.TP
2386-\fB\-\-and\-tos\fP \fIbits\fP
2387-Binary AND the TOS value with \fIbits\fP. (Mnemonic for \fB\-\-set\-tos
2388-0/\fP\fIinvbits\fP, where \fIinvbits\fP is the binary negation of \fIbits\fP.
2389-See NOTE below.)
2390-.TP
2391-\fB\-\-or\-tos\fP \fIbits\fP
2392-Binary OR the TOS value with \fIbits\fP. (Mnemonic for \fB\-\-set\-tos\fP
2393-\fIbits\fP\fB/\fP\fIbits\fP. See NOTE below.)
2394-.TP
2395-\fB\-\-xor\-tos\fP \fIbits\fP
2396-Binary XOR the TOS value with \fIbits\fP. (Mnemonic for \fB\-\-set\-tos\fP
2397-\fIbits\fP\fB/0\fP. See NOTE below.)
2398-.PP
2399-NOTE: In Linux kernels up to and including 2.6.38, with the exception of
2400-longterm releases 2.6.32 (>=.42), 2.6.33 (>=.15), and 2.6.35 (>=.14), there is
2401-a bug whereby IPv6 TOS mangling does not behave as documented and differs from
2402-the IPv4 version. The TOS mask indicates the bits one wants to zero out, so it
2403-needs to be inverted before applying it to the original TOS field. However, the
2404-aformentioned kernels forgo the inversion which breaks --set-tos and its
2405-mnemonics.
2406-.SS TPROXY
2407-This target is only valid in the \fBmangle\fP table, in the \fBPREROUTING\fP
2408-chain and user-defined chains which are only called from this chain. It
2409-redirects the packet to a local socket without changing the packet header in
2410-any way. It can also change the mark value which can then be used in advanced
2411-routing rules.
2412-It takes three options:
2413-.TP
2414-\fB\-\-on\-port\fP \fIport\fP
2415-This specifies a destination port to use. It is a required option, 0 means the
2416-new destination port is the same as the original. This is only valid if the
2417-rule also specifies \fB\-p tcp\fP or \fB\-p udp\fP.
2418-.TP
2419-\fB\-\-on\-ip\fP \fIaddress\fP
2420-This specifies a destination address to use. By default the address is the IP
2421-address of the incoming interface. This is only valid if the rule also
2422-specifies \fB\-p tcp\fP or \fB\-p udp\fP.
2423-.TP
2424-\fB\-\-tproxy\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
2425-Marks packets with the given value/mask. The fwmark value set here can be used
2426-by advanced routing. (Required for transparent proxying to work: otherwise
2427-these packets will get forwarded, which is probably not what you want.)
2428-.SS TRACE
2429-This target marks packets so that the kernel will log every rule which match
2430-the packets as those traverse the tables, chains, rules.
2431-.PP
2432-A logging backend, such as ip(6)t_LOG or nfnetlink_log, must be loaded for this
2433-to be visible.
2434-The packets are logged with the string prefix:
2435-"TRACE: tablename:chainname:type:rulenum " where type can be "rule" for
2436-plain rule, "return" for implicit rule at the end of a user defined chain
2437-and "policy" for the policy of the built in chains.
2438-.br
2439-It can only be used in the
2440-.BR raw
2441-table.
388+iptables can use extended packet matching and target modules.
389+A list of these is available in the \fBiptables\-extensions\fP(8) manpage.
2442390 .SH DIAGNOSTICS
2443391 Various error messages are printed to standard error. The exit code
2444392 is 0 for correct functioning. Errors which appear to be caused by
@@ -2465,6 +413,8 @@ There are several other changes in ip6tables.
2465413 \fBip6tables\-save\fP(8),
2466414 \fBip6tables\-restore\fP(8),
2467415 \fBiptables\fP(8),
416+\fBiptables\-apply\fP(8),
417+\fBiptables\-extensions\fP(8),
2468418 \fBiptables\-save\fP(8),
2469419 \fBiptables\-restore\fP(8),
2470420 \fBlibipq\fP(3).
@@ -2503,4 +453,4 @@ iptables man page written by Herve Eychenne <rv@wallfire.org>.
2503453 .\" .. and most of all, modest ..
2504454 .SH VERSION
2505455 .PP
2506-This manual page applies to ip6tables @PACKAGE_VERSION@.
456+This manual page applies to ip6tables 1.4.18.
--- a/original/man8/iptables-apply.8
+++ b/original/man8/iptables-apply.8
@@ -18,7 +18,7 @@ connection, the user will not be able to answer affirmatively. In this
1818 case, the script rolls back to the previous ruleset after the timeout
1919 expired. The timeout can be set with \fB\-t\fP.
2020 .PP
21-When called as ip6tables\-apply, the script will use
21+When called as \fBip6tables\-apply\fP, the script will use
2222 ip6tables\-save/\-restore instead.
2323 .SH OPTIONS
2424 .TP
--- /dev/null
+++ b/original/man8/iptables-extensions.8
@@ -0,0 +1,2649 @@
1+.TH iptables-extensions 8 "" "iptables 1.4.18" "iptables 1.4.18"
2+.SH NAME
3+iptables-extensions \(em list of extensions in the standard iptables distribution
4+.SH SYNOPSIS
5+\fBip6tables\fP [\fB\-m\fP \fIname\fP [\fImodule-options\fP...]]
6+[\fB\-j\fP \fItarget-name\fP [\fItarget-options\fP...]
7+.PP
8+\fBiptables\fP [\fB\-m\fP \fIname\fP [\fImodule-options\fP...]]
9+[\fB\-j\fP \fItarget-name\fP [\fItarget-options\fP...]
10+.SH MATCH EXTENSIONS
11+iptables can use extended packet matching modules
12+with the \fB\-m\fP or \fB\-\-match\fP
13+options, followed by the matching module name; after these, various
14+extra command line options become available, depending on the specific
15+module. You can specify multiple extended match modules in one line,
16+and you can use the \fB\-h\fP or \fB\-\-help\fP
17+options after the module has been specified to receive help specific
18+to that module. The extended match modules are evaluated in the order
19+they are specified in the rule.
20+.PP
21+If the \fB\-p\fP or \fB\-\-protocol\fP was specified and if and only if an
22+unknown option is encountered, iptables will try load a match module of the
23+same name as the protocol, to try making the option available.
24+.\" @MATCH@
25+.SS addrtype
26+This module matches packets based on their
27+.B address type.
28+Address types are used within the kernel networking stack and categorize
29+addresses into various groups. The exact definition of that group depends on the specific layer three protocol.
30+.PP
31+The following address types are possible:
32+.TP
33+.BI "UNSPEC"
34+an unspecified address (i.e. 0.0.0.0)
35+.TP
36+.BI "UNICAST"
37+an unicast address
38+.TP
39+.BI "LOCAL"
40+a local address
41+.TP
42+.BI "BROADCAST"
43+a broadcast address
44+.TP
45+.BI "ANYCAST"
46+an anycast packet
47+.TP
48+.BI "MULTICAST"
49+a multicast address
50+.TP
51+.BI "BLACKHOLE"
52+a blackhole address
53+.TP
54+.BI "UNREACHABLE"
55+an unreachable address
56+.TP
57+.BI "PROHIBIT"
58+a prohibited address
59+.TP
60+.BI "THROW"
61+FIXME
62+.TP
63+.BI "NAT"
64+FIXME
65+.TP
66+.BI "XRESOLVE"
67+.TP
68+[\fB!\fP] \fB\-\-src\-type\fP \fItype\fP
69+Matches if the source address is of given type
70+.TP
71+[\fB!\fP] \fB\-\-dst\-type\fP \fItype\fP
72+Matches if the destination address is of given type
73+.TP
74+.BI "\-\-limit\-iface\-in"
75+The address type checking can be limited to the interface the packet is coming
76+in. This option is only valid in the
77+.BR PREROUTING ,
78+.B INPUT
79+and
80+.B FORWARD
81+chains. It cannot be specified with the
82+\fB\-\-limit\-iface\-out\fP
83+option.
84+.TP
85+\fB\-\-limit\-iface\-out\fP
86+The address type checking can be limited to the interface the packet is going
87+out. This option is only valid in the
88+.BR POSTROUTING ,
89+.B OUTPUT
90+and
91+.B FORWARD
92+chains. It cannot be specified with the
93+\fB\-\-limit\-iface\-in\fP
94+option.
95+.SS ah (IPv6-specific)
96+This module matches the parameters in Authentication header of IPsec packets.
97+.TP
98+[\fB!\fP] \fB\-\-ahspi\fP \fIspi\fP[\fB:\fP\fIspi\fP]
99+Matches SPI.
100+.TP
101+[\fB!\fP] \fB\-\-ahlen\fP \fIlength\fP
102+Total length of this header in octets.
103+.TP
104+\fB\-\-ahres\fP
105+Matches if the reserved field is filled with zero.
106+.SS ah (IPv4-specific)
107+This module matches the SPIs in Authentication header of IPsec packets.
108+.TP
109+[\fB!\fP] \fB\-\-ahspi\fP \fIspi\fP[\fB:\fP\fIspi\fP]
110+.SS cluster
111+Allows you to deploy gateway and back-end load-sharing clusters without the
112+need of load-balancers.
113+.PP
114+This match requires that all the nodes see the same packets. Thus, the cluster
115+match decides if this node has to handle a packet given the following options:
116+.TP
117+\fB\-\-cluster\-total\-nodes\fP \fInum\fP
118+Set number of total nodes in cluster.
119+.TP
120+[\fB!\fP] \fB\-\-cluster\-local\-node\fP \fInum\fP
121+Set the local node number ID.
122+.TP
123+[\fB!\fP] \fB\-\-cluster\-local\-nodemask\fP \fImask\fP
124+Set the local node number ID mask. You can use this option instead
125+of \fB\-\-cluster\-local\-node\fP.
126+.TP
127+\fB\-\-cluster\-hash\-seed\fP \fIvalue\fP
128+Set seed value of the Jenkins hash.
129+.PP
130+Example:
131+.IP
132+iptables \-A PREROUTING \-t mangle \-i eth1 \-m cluster
133+\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1
134+\-\-cluster\-hash\-seed 0xdeadbeef
135+\-j MARK \-\-set-mark 0xffff
136+.IP
137+iptables \-A PREROUTING \-t mangle \-i eth2 \-m cluster
138+\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1
139+\-\-cluster\-hash\-seed 0xdeadbeef
140+\-j MARK -\-set\-mark 0xffff
141+.IP
142+iptables \-A PREROUTING \-t mangle \-i eth1
143+\-m mark ! \-\-mark 0xffff \-j DROP
144+.IP
145+iptables \-A PREROUTING \-t mangle \-i eth2
146+\-m mark ! \-\-mark 0xffff \-j DROP
147+.PP
148+And the following commands to make all nodes see the same packets:
149+.IP
150+ip maddr add 01:00:5e:00:01:01 dev eth1
151+.IP
152+ip maddr add 01:00:5e:00:01:02 dev eth2
153+.IP
154+arptables \-A OUTPUT \-o eth1 \-\-h\-length 6
155+\-j mangle \-\-mangle-mac-s 01:00:5e:00:01:01
156+.IP
157+arptables \-A INPUT \-i eth1 \-\-h-length 6
158+\-\-destination-mac 01:00:5e:00:01:01
159+\-j mangle \-\-mangle\-mac\-d 00:zz:yy:xx:5a:27
160+.IP
161+arptables \-A OUTPUT \-o eth2 \-\-h\-length 6
162+\-j mangle \-\-mangle\-mac\-s 01:00:5e:00:01:02
163+.IP
164+arptables \-A INPUT \-i eth2 \-\-h\-length 6
165+\-\-destination\-mac 01:00:5e:00:01:02
166+\-j mangle \-\-mangle\-mac\-d 00:zz:yy:xx:5a:27
167+.PP
168+In the case of TCP connections, pickup facility has to be disabled
169+to avoid marking TCP ACK packets coming in the reply direction as
170+valid.
171+.IP
172+echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
173+.SS comment
174+Allows you to add comments (up to 256 characters) to any rule.
175+.TP
176+\fB\-\-comment\fP \fIcomment\fP
177+.TP
178+Example:
179+iptables \-A INPUT \-i eth1 \-m comment \-\-comment "my local LAN"
180+.SS connbytes
181+Match by how many bytes or packets a connection (or one of the two
182+flows constituting the connection) has transferred so far, or by
183+average bytes per packet.
184+.PP
185+The counters are 64-bit and are thus not expected to overflow ;)
186+.PP
187+The primary use is to detect long-lived downloads and mark them to be
188+scheduled using a lower priority band in traffic control.
189+.PP
190+The transferred bytes per connection can also be viewed through
191+`conntrack \-L` and accessed via ctnetlink.
192+.PP
193+NOTE that for connections which have no accounting information, the match will
194+always return false. The "net.netfilter.nf_conntrack_acct" sysctl flag controls
195+whether \fBnew\fP connections will be byte/packet counted. Existing connection
196+flows will not be gaining/losing a/the accounting structure when be sysctl flag
197+is flipped.
198+.TP
199+[\fB!\fP] \fB\-\-connbytes\fP \fIfrom\fP[\fB:\fP\fIto\fP]
200+match packets from a connection whose packets/bytes/average packet
201+size is more than FROM and less than TO bytes/packets. if TO is
202+omitted only FROM check is done. "!" is used to match packets not
203+falling in the range.
204+.TP
205+\fB\-\-connbytes\-dir\fP {\fBoriginal\fP|\fBreply\fP|\fBboth\fP}
206+which packets to consider
207+.TP
208+\fB\-\-connbytes\-mode\fP {\fBpackets\fP|\fBbytes\fP|\fBavgpkt\fP}
209+whether to check the amount of packets, number of bytes transferred or
210+the average size (in bytes) of all packets received so far. Note that
211+when "both" is used together with "avgpkt", and data is going (mainly)
212+only in one direction (for example HTTP), the average packet size will
213+be about half of the actual data packets.
214+.TP
215+Example:
216+iptables .. \-m connbytes \-\-connbytes 10000:100000 \-\-connbytes\-dir both \-\-connbytes\-mode bytes ...
217+.SS connlimit
218+Allows you to restrict the number of parallel connections to a server per
219+client IP address (or client address block).
220+.TP
221+\fB\-\-connlimit\-upto\fP \fIn\fP
222+Match if the number of existing connections is below or equal \fIn\fP.
223+.TP
224+\fB\-\-connlimit\-above\fP \fIn\fP
225+Match if the number of existing connections is above \fIn\fP.
226+.TP
227+\fB\-\-connlimit\-mask\fP \fIprefix_length\fP
228+Group hosts using the prefix length. For IPv4, this must be a number between
229+(including) 0 and 32. For IPv6, between 0 and 128. If not specified, the
230+maximum prefix length for the applicable protocol is used.
231+.TP
232+\fB\-\-connlimit\-saddr\fP
233+Apply the limit onto the source group. This is the default if
234+\-\-connlimit\-daddr is not specified.
235+.TP
236+\fB\-\-connlimit\-daddr\fP
237+Apply the limit onto the destination group.
238+.PP
239+Examples:
240+.TP
241+# allow 2 telnet connections per client host
242+iptables \-A INPUT \-p tcp \-\-syn \-\-dport 23 \-m connlimit \-\-connlimit\-above 2 \-j REJECT
243+.TP
244+# you can also match the other way around:
245+iptables \-A INPUT \-p tcp \-\-syn \-\-dport 23 \-m connlimit \-\-connlimit\-upto 2 \-j ACCEPT
246+.TP
247+# limit the number of parallel HTTP requests to 16 per class C sized \
248+source network (24 bit netmask)
249+iptables \-p tcp \-\-syn \-\-dport 80 \-m connlimit \-\-connlimit\-above 16
250+\-\-connlimit\-mask 24 \-j REJECT
251+.TP
252+# limit the number of parallel HTTP requests to 16 for the link local network
253+(ipv6)
254+ip6tables \-p tcp \-\-syn \-\-dport 80 \-s fe80::/64 \-m connlimit \-\-connlimit\-above
255+16 \-\-connlimit\-mask 64 \-j REJECT
256+.TP
257+# Limit the number of connections to a particular host:
258+ip6tables \-p tcp \-\-syn \-\-dport 49152:65535 \-d 2001:db8::1 \-m connlimit
259+\-\-connlimit-above 100 \-j REJECT
260+.SS connmark
261+This module matches the netfilter mark field associated with a connection
262+(which can be set using the \fBCONNMARK\fP target below).
263+.TP
264+[\fB!\fP] \fB\-\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
265+Matches packets in connections with the given mark value (if a mask is
266+specified, this is logically ANDed with the mark before the comparison).
267+.SS conntrack
268+This module, when combined with connection tracking, allows access to the
269+connection tracking state for this packet/connection.
270+.TP
271+[\fB!\fP] \fB\-\-ctstate\fP \fIstatelist\fP
272+\fIstatelist\fP is a comma separated list of the connection states to match.
273+Possible states are listed below.
274+.TP
275+[\fB!\fP] \fB\-\-ctproto\fP \fIl4proto\fP
276+Layer-4 protocol to match (by number or name)
277+.TP
278+[\fB!\fP] \fB\-\-ctorigsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP]
279+.TP
280+[\fB!\fP] \fB\-\-ctorigdst\fP \fIaddress\fP[\fB/\fP\fImask\fP]
281+.TP
282+[\fB!\fP] \fB\-\-ctreplsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP]
283+.TP
284+[\fB!\fP] \fB\-\-ctrepldst\fP \fIaddress\fP[\fB/\fP\fImask\fP]
285+Match against original/reply source/destination address
286+.TP
287+[\fB!\fP] \fB\-\-ctorigsrcport\fP \fIport\fP[\fB:\fP\fIport\fP]
288+.TP
289+[\fB!\fP] \fB\-\-ctorigdstport\fP \fIport\fP[\fB:\fP\fIport\fP]
290+.TP
291+[\fB!\fP] \fB\-\-ctreplsrcport\fP \fIport\fP[\fB:\fP\fIport\fP]
292+.TP
293+[\fB!\fP] \fB\-\-ctrepldstport\fP \fIport\fP[\fB:\fP\fIport\fP]
294+Match against original/reply source/destination port (TCP/UDP/etc.) or GRE key.
295+Matching against port ranges is only supported in kernel versions above 2.6.38.
296+.TP
297+[\fB!\fP] \fB\-\-ctstatus\fP \fIstatelist\fP
298+\fIstatuslist\fP is a comma separated list of the connection statuses to match.
299+Possible statuses are listed below.
300+.TP
301+[\fB!\fP] \fB\-\-ctexpire\fP \fItime\fP[\fB:\fP\fItime\fP]
302+Match remaining lifetime in seconds against given value or range of values
303+(inclusive)
304+.TP
305+\fB\-\-ctdir\fP {\fBORIGINAL\fP|\fBREPLY\fP}
306+Match packets that are flowing in the specified direction. If this flag is not
307+specified at all, matches packets in both directions.
308+.PP
309+States for \fB\-\-ctstate\fP:
310+.TP
311+\fBINVALID\fP
312+The packet is associated with no known connection.
313+.TP
314+\fBNEW\fP
315+The packet has started a new connection, or otherwise associated
316+with a connection which has not seen packets in both directions.
317+.TP
318+\fBESTABLISHED\fP
319+The packet is associated with a connection which has seen packets
320+in both directions.
321+.TP
322+\fBRELATED\fP
323+The packet is starting a new connection, but is associated with an
324+existing connection, such as an FTP data transfer, or an ICMP error.
325+.TP
326+\fBUNTRACKED\fP
327+The packet is not tracked at all, which happens if you explicitly untrack it
328+by using \-j CT \-\-notrack in the raw table.
329+.TP
330+\fBSNAT\fP
331+A virtual state, matching if the original source address differs from the reply
332+destination.
333+.TP
334+\fBDNAT\fP
335+A virtual state, matching if the original destination differs from the reply
336+source.
337+.PP
338+Statuses for \fB\-\-ctstatus\fP:
339+.TP
340+\fBNONE\fP
341+None of the below.
342+.TP
343+\fBEXPECTED\fP
344+This is an expected connection (i.e. a conntrack helper set it up).
345+.TP
346+\fBSEEN_REPLY\fP
347+Conntrack has seen packets in both directions.
348+.TP
349+\fBASSURED\fP
350+Conntrack entry should never be early-expired.
351+.TP
352+\fBCONFIRMED\fP
353+Connection is confirmed: originating packet has left box.
354+.SS cpu
355+.TP
356+[\fB!\fP] \fB\-\-cpu\fP \fInumber\fP
357+Match cpu handling this packet. cpus are numbered from 0 to NR_CPUS-1
358+Can be used in combination with RPS (Remote Packet Steering) or
359+multiqueue NICs to spread network traffic on different queues.
360+.PP
361+Example:
362+.PP
363+iptables \-t nat \-A PREROUTING \-p tcp \-\-dport 80 \-m cpu \-\-cpu 0
364+\-j REDIRECT \-\-to\-port 8080
365+.PP
366+iptables \-t nat \-A PREROUTING \-p tcp \-\-dport 80 \-m cpu \-\-cpu 1
367+\-j REDIRECT \-\-to\-port 8081
368+.PP
369+Available since Linux 2.6.36.
370+.SS dccp
371+.TP
372+[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP]
373+.TP
374+[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP]
375+.TP
376+[\fB!\fP] \fB\-\-dccp\-types\fP \fImask\fP
377+Match when the DCCP packet type is one of 'mask'. 'mask' is a comma-separated
378+list of packet types. Packet types are:
379+.BR "REQUEST RESPONSE DATA ACK DATAACK CLOSEREQ CLOSE RESET SYNC SYNCACK INVALID" .
380+.TP
381+[\fB!\fP] \fB\-\-dccp\-option\fP \fInumber\fP
382+Match if DCCP option set.
383+.SS devgroup
384+Match device group of a packets incoming/outgoing interface.
385+.TP
386+[\fB!\fP] \fB\-\-src\-group\fP \fIname\fP
387+Match device group of incoming device
388+.TP
389+[\fB!\fP] \fB\-\-dst\-group\fP \fIname\fP
390+Match device group of outgoing device
391+.SS dscp
392+This module matches the 6 bit DSCP field within the TOS field in the
393+IP header. DSCP has superseded TOS within the IETF.
394+.TP
395+[\fB!\fP] \fB\-\-dscp\fP \fIvalue\fP
396+Match against a numeric (decimal or hex) value [0-63].
397+.TP
398+[\fB!\fP] \fB\-\-dscp\-class\fP \fIclass\fP
399+Match the DiffServ class. This value may be any of the
400+BE, EF, AFxx or CSx classes. It will then be converted
401+into its according numeric value.
402+.SS dst (IPv6-specific)
403+This module matches the parameters in Destination Options header
404+.TP
405+[\fB!\fP] \fB\-\-dst\-len\fP \fIlength\fP
406+Total length of this header in octets.
407+.TP
408+\fB\-\-dst\-opts\fP \fItype\fP[\fB:\fP\fIlength\fP][\fB,\fP\fItype\fP[\fB:\fP\fIlength\fP]...]
409+numeric type of option and the length of the option data in octets.
410+.SS ecn
411+This allows you to match the ECN bits of the IPv4/IPv6 and TCP header. ECN is the Explicit Congestion Notification mechanism as specified in RFC3168
412+.TP
413+[\fB!\fP] \fB\-\-ecn\-tcp\-cwr\fP
414+This matches if the TCP ECN CWR (Congestion Window Received) bit is set.
415+.TP
416+[\fB!\fP] \fB\-\-ecn\-tcp\-ece\fP
417+This matches if the TCP ECN ECE (ECN Echo) bit is set.
418+.TP
419+[\fB!\fP] \fB\-\-ecn\-ip\-ect\fP \fInum\fP
420+This matches a particular IPv4/IPv6 ECT (ECN-Capable Transport). You have to specify
421+a number between `0' and `3'.
422+.SS esp
423+This module matches the SPIs in ESP header of IPsec packets.
424+.TP
425+[\fB!\fP] \fB\-\-espspi\fP \fIspi\fP[\fB:\fP\fIspi\fP]
426+.SS eui64 (IPv6-specific)
427+This module matches the EUI-64 part of a stateless autoconfigured IPv6 address.
428+It compares the EUI-64 derived from the source MAC address in Ethernet frame
429+with the lower 64 bits of the IPv6 source address. But "Universal/Local"
430+bit is not compared. This module doesn't match other link layer frame, and
431+is only valid in the
432+.BR PREROUTING ,
433+.BR INPUT
434+and
435+.BR FORWARD
436+chains.
437+.SS frag (IPv6-specific)
438+This module matches the parameters in Fragment header.
439+.TP
440+[\fB!\fP] \fB\-\-fragid\fP \fIid\fP[\fB:\fP\fIid\fP]
441+Matches the given Identification or range of it.
442+.TP
443+[\fB!\fP] \fB\-\-fraglen\fP \fIlength\fP
444+This option cannot be used with kernel version 2.6.10 or later. The length of
445+Fragment header is static and this option doesn't make sense.
446+.TP
447+\fB\-\-fragres\fP
448+Matches if the reserved fields are filled with zero.
449+.TP
450+\fB\-\-fragfirst\fP
451+Matches on the first fragment.
452+.TP
453+\fB\-\-fragmore\fP
454+Matches if there are more fragments.
455+.TP
456+\fB\-\-fraglast\fP
457+Matches if this is the last fragment.
458+.SS hashlimit
459+\fBhashlimit\fP uses hash buckets to express a rate limiting match (like the
460+\fBlimit\fP match) for a group of connections using a \fBsingle\fP iptables
461+rule. Grouping can be done per-hostgroup (source and/or destination address)
462+and/or per-port. It gives you the ability to express "\fIN\fP packets per time
463+quantum per group" or "\fIN\fP bytes per seconds" (see below for some examples).
464+.PP
465+A hash limit option (\fB\-\-hashlimit\-upto\fP, \fB\-\-hashlimit\-above\fP) and
466+\fB\-\-hashlimit\-name\fP are required.
467+.TP
468+\fB\-\-hashlimit\-upto\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
469+Match if the rate is below or equal to \fIamount\fP/quantum. It is specified either as
470+a number, with an optional time quantum suffix (the default is 3/hour), or as
471+\fIamount\fPb/second (number of bytes per second).
472+.TP
473+\fB\-\-hashlimit\-above\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
474+Match if the rate is above \fIamount\fP/quantum.
475+.TP
476+\fB\-\-hashlimit\-burst\fP \fIamount\fP
477+Maximum initial number of packets to match: this number gets recharged by one
478+every time the limit specified above is not reached, up to this number; the
479+default is 5. When byte-based rate matching is requested, this option specifies
480+the amount of bytes that can exceed the given rate. This option should be used
481+with caution -- if the entry expires, the burst value is reset too.
482+.TP
483+\fB\-\-hashlimit\-mode\fP {\fBsrcip\fP|\fBsrcport\fP|\fBdstip\fP|\fBdstport\fP}\fB,\fP...
484+A comma-separated list of objects to take into consideration. If no
485+\-\-hashlimit\-mode option is given, hashlimit acts like limit, but at the
486+expensive of doing the hash housekeeping.
487+.TP
488+\fB\-\-hashlimit\-srcmask\fP \fIprefix\fP
489+When \-\-hashlimit\-mode srcip is used, all source addresses encountered will be
490+grouped according to the given prefix length and the so-created subnet will be
491+subject to hashlimit. \fIprefix\fP must be between (inclusive) 0 and 32. Note
492+that \-\-hashlimit\-srcmask 0 is basically doing the same thing as not specifying
493+srcip for \-\-hashlimit\-mode, but is technically more expensive.
494+.TP
495+\fB\-\-hashlimit\-dstmask\fP \fIprefix\fP
496+Like \-\-hashlimit\-srcmask, but for destination addresses.
497+.TP
498+\fB\-\-hashlimit\-name\fP \fIfoo\fP
499+The name for the /proc/net/ipt_hashlimit/foo entry.
500+.TP
501+\fB\-\-hashlimit\-htable\-size\fP \fIbuckets\fP
502+The number of buckets of the hash table
503+.TP
504+\fB\-\-hashlimit\-htable\-max\fP \fIentries\fP
505+Maximum entries in the hash.
506+.TP
507+\fB\-\-hashlimit\-htable\-expire\fP \fImsec\fP
508+After how many milliseconds do hash entries expire.
509+.TP
510+\fB\-\-hashlimit\-htable\-gcinterval\fP \fImsec\fP
511+How many milliseconds between garbage collection intervals.
512+.PP
513+Examples:
514+.TP
515+matching on source host
516+"1000 packets per second for every host in 192.168.0.0/16" =>
517+\-s 192.168.0.0/16 \-\-hashlimit\-mode srcip \-\-hashlimit\-upto 1000/sec
518+.TP
519+matching on source port
520+"100 packets per second for every service of 192.168.1.1" =>
521+\-s 192.168.1.1 \-\-hashlimit\-mode srcport \-\-hashlimit\-upto 100/sec
522+.TP
523+matching on subnet
524+"10000 packets per minute for every /28 subnet (groups of 8 addresses)
525+in 10.0.0.0/8" =>
526+\-s 10.0.0.8 \-\-hashlimit\-mask 28 \-\-hashlimit\-upto 10000/min
527+.TP
528+matching bytes per second
529+"flows exceeding 512kbyte/s" =>
530+\-\-hashlimit-mode srcip,dstip,srcport,dstport \-\-hashlimit\-above 512kb/s
531+.TP
532+matching bytes per second
533+"hosts that exceed 512kbyte/s, but permit up to 1Megabytes without matching"
534+\-\-hashlimit-mode dstip \-\-hashlimit\-above 512kb/s \-\-hashlimit-burst 1mb
535+.SS hbh (IPv6-specific)
536+This module matches the parameters in Hop-by-Hop Options header
537+.TP
538+[\fB!\fP] \fB\-\-hbh\-len\fP \fIlength\fP
539+Total length of this header in octets.
540+.TP
541+\fB\-\-hbh\-opts\fP \fItype\fP[\fB:\fP\fIlength\fP][\fB,\fP\fItype\fP[\fB:\fP\fIlength\fP]...]
542+numeric type of option and the length of the option data in octets.
543+.SS helper
544+This module matches packets related to a specific conntrack-helper.
545+.TP
546+[\fB!\fP] \fB\-\-helper\fP \fIstring\fP
547+Matches packets related to the specified conntrack-helper.
548+.RS
549+.PP
550+string can be "ftp" for packets related to a ftp-session on default port.
551+For other ports append \-portnr to the value, ie. "ftp\-2121".
552+.PP
553+Same rules apply for other conntrack-helpers.
554+.RE
555+.SS hl (IPv6-specific)
556+This module matches the Hop Limit field in the IPv6 header.
557+.TP
558+[\fB!\fP] \fB\-\-hl\-eq\fP \fIvalue\fP
559+Matches if Hop Limit equals \fIvalue\fP.
560+.TP
561+\fB\-\-hl\-lt\fP \fIvalue\fP
562+Matches if Hop Limit is less than \fIvalue\fP.
563+.TP
564+\fB\-\-hl\-gt\fP \fIvalue\fP
565+Matches if Hop Limit is greater than \fIvalue\fP.
566+.SS icmp (IPv4-specific)
567+This extension can be used if `\-\-protocol icmp' is specified. It
568+provides the following option:
569+.TP
570+[\fB!\fP] \fB\-\-icmp\-type\fP {\fItype\fP[\fB/\fP\fIcode\fP]|\fItypename\fP}
571+This allows specification of the ICMP type, which can be a numeric
572+ICMP type, type/code pair, or one of the ICMP type names shown by the command
573+.nf
574+ iptables \-p icmp \-h
575+.fi
576+.SS icmp6 (IPv6-specific)
577+This extension can be used if `\-\-protocol ipv6\-icmp' or `\-\-protocol icmpv6' is
578+specified. It provides the following option:
579+.TP
580+[\fB!\fP] \fB\-\-icmpv6\-type\fP \fItype\fP[\fB/\fP\fIcode\fP]|\fItypename\fP
581+This allows specification of the ICMPv6 type, which can be a numeric
582+ICMPv6
583+.IR type ,
584+.IR type
585+and
586+.IR code ,
587+or one of the ICMPv6 type names shown by the command
588+.nf
589+ ip6tables \-p ipv6\-icmp \-h
590+.fi
591+.SS iprange
592+This matches on a given arbitrary range of IP addresses.
593+.TP
594+[\fB!\fP] \fB\-\-src\-range\fP \fIfrom\fP[\fB\-\fP\fIto\fP]
595+Match source IP in the specified range.
596+.TP
597+[\fB!\fP] \fB\-\-dst\-range\fP \fIfrom\fP[\fB\-\fP\fIto\fP]
598+Match destination IP in the specified range.
599+.SS ipv6header (IPv6-specific)
600+This module matches IPv6 extension headers and/or upper layer header.
601+.TP
602+\fB\-\-soft\fP
603+Matches if the packet includes \fBany\fP of the headers specified with
604+\fB\-\-header\fP.
605+.TP
606+[\fB!\fP] \fB\-\-header\fP \fIheader\fP[\fB,\fP\fIheader\fP...]
607+Matches the packet which EXACTLY includes all specified headers. The headers
608+encapsulated with ESP header are out of scope.
609+Possible \fIheader\fP types can be:
610+.TP
611+\fBhop\fP|\fBhop\-by\-hop\fP
612+Hop-by-Hop Options header
613+.TP
614+\fBdst\fP
615+Destination Options header
616+.TP
617+\fBroute\fP
618+Routing header
619+.TP
620+\fBfrag\fP
621+Fragment header
622+.TP
623+\fBauth\fP
624+Authentication header
625+.TP
626+\fBesp\fP
627+Encapsulating Security Payload header
628+.TP
629+\fBnone\fP
630+No Next header which matches 59 in the 'Next Header field' of IPv6 header or
631+any IPv6 extension headers
632+.TP
633+\fBproto\fP
634+which matches any upper layer protocol header. A protocol name from
635+/etc/protocols and numeric value also allowed. The number 255 is equivalent to
636+\fBproto\fP.
637+.SS ipvs
638+Match IPVS connection properties.
639+.TP
640+[\fB!\fP] \fB\-\-ipvs\fP
641+packet belongs to an IPVS connection
642+.TP
643+Any of the following options implies \-\-ipvs (even negated)
644+.TP
645+[\fB!\fP] \fB\-\-vproto\fP \fIprotocol\fP
646+VIP protocol to match; by number or name, e.g. "tcp"
647+.TP
648+[\fB!\fP] \fB\-\-vaddr\fP \fIaddress\fP[\fB/\fP\fImask\fP]
649+VIP address to match
650+.TP
651+[\fB!\fP] \fB\-\-vport\fP \fIport\fP
652+VIP port to match; by number or name, e.g. "http"
653+.TP
654+\fB\-\-vdir\fP {\fBORIGINAL\fP|\fBREPLY\fP}
655+flow direction of packet
656+.TP
657+[\fB!\fP] \fB\-\-vmethod\fP {\fBGATE\fP|\fBIPIP\fP|\fBMASQ\fP}
658+IPVS forwarding method used
659+.TP
660+[\fB!\fP] \fB\-\-vportctl\fP \fIport\fP
661+VIP port of the controlling connection to match, e.g. 21 for FTP
662+.SS length
663+This module matches the length of the layer-3 payload (e.g. layer-4 packet)
664+of a packet against a specific value
665+or range of values.
666+.TP
667+[\fB!\fP] \fB\-\-length\fP \fIlength\fP[\fB:\fP\fIlength\fP]
668+.SS limit
669+This module matches at a limited rate using a token bucket filter.
670+A rule using this extension will match until this limit is reached.
671+It can be used in combination with the
672+.B LOG
673+target to give limited logging, for example.
674+.PP
675+xt_limit has no negation support - you will have to use \-m hashlimit !
676+\-\-hashlimit \fIrate\fP in this case whilst omitting \-\-hashlimit\-mode.
677+.TP
678+\fB\-\-limit\fP \fIrate\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
679+Maximum average matching rate: specified as a number, with an optional
680+`/second', `/minute', `/hour', or `/day' suffix; the default is
681+3/hour.
682+.TP
683+\fB\-\-limit\-burst\fP \fInumber\fP
684+Maximum initial number of packets to match: this number gets
685+recharged by one every time the limit specified above is not reached,
686+up to this number; the default is 5.
687+.SS mac
688+.TP
689+[\fB!\fP] \fB\-\-mac\-source\fP \fIaddress\fP
690+Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX.
691+Note that this only makes sense for packets coming from an Ethernet device
692+and entering the
693+.BR PREROUTING ,
694+.B FORWARD
695+or
696+.B INPUT
697+chains.
698+.SS mark
699+This module matches the netfilter mark field associated with a packet
700+(which can be set using the
701+.B MARK
702+target below).
703+.TP
704+[\fB!\fP] \fB\-\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
705+Matches packets with the given unsigned mark value (if a \fImask\fP is
706+specified, this is logically ANDed with the \fImask\fP before the
707+comparison).
708+.SS mh (IPv6-specific)
709+This extension is loaded if `\-\-protocol ipv6\-mh' or `\-\-protocol mh' is
710+specified. It provides the following option:
711+.TP
712+[\fB!\fP] \fB\-\-mh\-type\fP \fItype\fP[\fB:\fP\fItype\fP]
713+This allows specification of the Mobility Header(MH) type, which can be
714+a numeric MH
715+.IR type ,
716+.IR type
717+or one of the MH type names shown by the command
718+.nf
719+ ip6tables \-p ipv6\-mh \-h
720+.fi
721+.SS multiport
722+This module matches a set of source or destination ports. Up to 15
723+ports can be specified. A port range (port:port) counts as two
724+ports. It can only be used in conjunction with
725+\fB\-p tcp\fP
726+or
727+\fB\-p udp\fP.
728+.TP
729+[\fB!\fP] \fB\-\-source\-ports\fP,\fB\-\-sports\fP \fIport\fP[\fB,\fP\fIport\fP|\fB,\fP\fIport\fP\fB:\fP\fIport\fP]...
730+Match if the source port is one of the given ports. The flag
731+\fB\-\-sports\fP
732+is a convenient alias for this option. Multiple ports or port ranges are
733+separated using a comma, and a port range is specified using a colon.
734+\fB53,1024:65535\fP would therefore match ports 53 and all from 1024 through
735+65535.
736+.TP
737+[\fB!\fP] \fB\-\-destination\-ports\fP,\fB\-\-dports\fP \fIport\fP[\fB,\fP\fIport\fP|\fB,\fP\fIport\fP\fB:\fP\fIport\fP]...
738+Match if the destination port is one of the given ports. The flag
739+\fB\-\-dports\fP
740+is a convenient alias for this option.
741+.TP
742+[\fB!\fP] \fB\-\-ports\fP \fIport\fP[\fB,\fP\fIport\fP|\fB,\fP\fIport\fP\fB:\fP\fIport\fP]...
743+Match if either the source or destination ports are equal to one of
744+the given ports.
745+.SS nfacct
746+The nfacct match provides the extended accounting infrastructure for iptables.
747+You have to use this match together with the standalone user-space utility
748+.B nfacct(8)
749+.PP
750+The only option available for this match is the following:
751+.TP
752+\fB\-\-nfacct\-name\fP \fIname\fP
753+This allows you to specify the existing object name that will be use for
754+accounting the traffic that this rule-set is matching.
755+.PP
756+To use this extension, you have to create an accounting object:
757+.IP
758+nfacct add http\-traffic
759+.PP
760+Then, you have to attach it to the accounting object via iptables:
761+.IP
762+iptables \-I INPUT \-p tcp \-\-sport 80 \-m nfacct \-\-nfacct\-name http\-traffic
763+.IP
764+iptables \-I OUTPUT \-p tcp \-\-dport 80 \-m nfacct \-\-nfacct\-name http\-traffic
765+.PP
766+Then, you can check for the amount of traffic that the rules match:
767+.IP
768+nfacct get http\-traffic
769+.IP
770+{ pkts = 00000000000000000156, bytes = 00000000000000151786 } = http-traffic;
771+.PP
772+You can obtain
773+.B nfacct(8)
774+from http://www.netfilter.org or, alternatively, from the git.netfilter.org
775+repository.
776+.SS osf
777+The osf module does passive operating system fingerprinting. This modules
778+compares some data (Window Size, MSS, options and their order, TTL, DF,
779+and others) from packets with the SYN bit set.
780+.TP
781+[\fB!\fP] \fB\-\-genre\fP \fIstring\fP
782+Match an operating system genre by using a passive fingerprinting.
783+.TP
784+\fB\-\-ttl\fP \fIlevel\fP
785+Do additional TTL checks on the packet to determine the operating system.
786+\fIlevel\fP can be one of the following values:
787+.IP \(bu 4
788+0 - True IP address and fingerprint TTL comparison. This generally works for
789+LANs.
790+.IP \(bu 4
791+1 - Check if the IP header's TTL is less than the fingerprint one. Works for
792+globally-routable addresses.
793+.IP \(bu 4
794+2 - Do not compare the TTL at all.
795+.TP
796+\fB\-\-log\fP \fIlevel\fP
797+Log determined genres into dmesg even if they do not match the desired one.
798+\fIlevel\fP can be one of the following values:
799+.IP \(bu 4
800+0 - Log all matched or unknown signatures
801+.IP \(bu 4
802+1 - Log only the first one
803+.IP \(bu 4
804+2 - Log all known matched signatures
805+.PP
806+You may find something like this in syslog:
807+.PP
808+Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 ->
809+11.22.33.44:139 hops=3 Linux [2.5-2.6:] : 1.2.3.4:42624 -> 1.2.3.5:22 hops=4
810+.PP
811+OS fingerprints are loadable using the \fBnfnl_osf\fP program. To load
812+fingerprints from a file, use:
813+.PP
814+\fBnfnl_osf -f /usr/share/xtables/pf.os\fP
815+.PP
816+To remove them again,
817+.PP
818+\fBnfnl_osf -f /usr/share/xtables/pf.os -d\fP
819+.PP
820+The fingerprint database can be downlaoded from
821+http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os .
822+.SS owner
823+This module attempts to match various characteristics of the packet creator,
824+for locally generated packets. This match is only valid in the OUTPUT and
825+POSTROUTING chains. Forwarded packets do not have any socket associated with
826+them. Packets from kernel threads do have a socket, but usually no owner.
827+.TP
828+[\fB!\fP] \fB\-\-uid\-owner\fP \fIusername\fP
829+.TP
830+[\fB!\fP] \fB\-\-uid\-owner\fP \fIuserid\fP[\fB\-\fP\fIuserid\fP]
831+Matches if the packet socket's file structure (if it has one) is owned by the
832+given user. You may also specify a numerical UID, or an UID range.
833+.TP
834+[\fB!\fP] \fB\-\-gid\-owner\fP \fIgroupname\fP
835+.TP
836+[\fB!\fP] \fB\-\-gid\-owner\fP \fIgroupid\fP[\fB\-\fP\fIgroupid\fP]
837+Matches if the packet socket's file structure is owned by the given group.
838+You may also specify a numerical GID, or a GID range.
839+.TP
840+[\fB!\fP] \fB\-\-socket\-exists\fP
841+Matches if the packet is associated with a socket.
842+.SS physdev
843+This module matches on the bridge port input and output devices enslaved
844+to a bridge device. This module is a part of the infrastructure that enables
845+a transparent bridging IP firewall and is only useful for kernel versions
846+above version 2.5.44.
847+.TP
848+[\fB!\fP] \fB\-\-physdev\-in\fP \fIname\fP
849+Name of a bridge port via which a packet is received (only for
850+packets entering the
851+.BR INPUT ,
852+.B FORWARD
853+and
854+.B PREROUTING
855+chains). If the interface name ends in a "+", then any
856+interface which begins with this name will match. If the packet didn't arrive
857+through a bridge device, this packet won't match this option, unless '!' is used.
858+.TP
859+[\fB!\fP] \fB\-\-physdev\-out\fP \fIname\fP
860+Name of a bridge port via which a packet is going to be sent (for packets
861+entering the
862+.BR FORWARD ,
863+.B OUTPUT
864+and
865+.B POSTROUTING
866+chains). If the interface name ends in a "+", then any
867+interface which begins with this name will match. Note that in the
868+.BR nat " and " mangle
869+.B OUTPUT
870+chains one cannot match on the bridge output port, however one can in the
871+.B "filter OUTPUT"
872+chain. If the packet won't leave by a bridge device or if it is yet unknown what
873+the output device will be, then the packet won't match this option,
874+unless '!' is used.
875+.TP
876+[\fB!\fP] \fB\-\-physdev\-is\-in\fP
877+Matches if the packet has entered through a bridge interface.
878+.TP
879+[\fB!\fP] \fB\-\-physdev\-is\-out\fP
880+Matches if the packet will leave through a bridge interface.
881+.TP
882+[\fB!\fP] \fB\-\-physdev\-is\-bridged\fP
883+Matches if the packet is being bridged and therefore is not being routed.
884+This is only useful in the FORWARD and POSTROUTING chains.
885+.SS pkttype
886+This module matches the link-layer packet type.
887+.TP
888+[\fB!\fP] \fB\-\-pkt\-type\fP {\fBunicast\fP|\fBbroadcast\fP|\fBmulticast\fP}
889+.SS policy
890+This modules matches the policy used by IPsec for handling a packet.
891+.TP
892+\fB\-\-dir\fP {\fBin\fP|\fBout\fP}
893+Used to select whether to match the policy used for decapsulation or the
894+policy that will be used for encapsulation.
895+.B in
896+is valid in the
897+.B PREROUTING, INPUT and FORWARD
898+chains,
899+.B out
900+is valid in the
901+.B POSTROUTING, OUTPUT and FORWARD
902+chains.
903+.TP
904+\fB\-\-pol\fP {\fBnone\fP|\fBipsec\fP}
905+Matches if the packet is subject to IPsec processing. \fB\-\-pol none\fP
906+cannot be combined with \fB\-\-strict\fP.
907+.TP
908+\fB\-\-strict\fP
909+Selects whether to match the exact policy or match if any rule of
910+the policy matches the given policy.
911+.PP
912+For each policy element that is to be described, one can use one or more of
913+the following options. When \fB\-\-strict\fP is in effect, at least one must be
914+used per element.
915+.TP
916+[\fB!\fP] \fB\-\-reqid\fP \fIid\fP
917+Matches the reqid of the policy rule. The reqid can be specified with
918+.B setkey(8)
919+using
920+.B unique:id
921+as level.
922+.TP
923+[\fB!\fP] \fB\-\-spi\fP \fIspi\fP
924+Matches the SPI of the SA.
925+.TP
926+[\fB!\fP] \fB\-\-proto\fP {\fBah\fP|\fBesp\fP|\fBipcomp\fP}
927+Matches the encapsulation protocol.
928+.TP
929+[\fB!\fP] \fB\-\-mode\fP {\fBtunnel\fP|\fBtransport\fP}
930+Matches the encapsulation mode.
931+.TP
932+[\fB!\fP] \fB\-\-tunnel\-src\fP \fIaddr\fP[\fB/\fP\fImask\fP]
933+Matches the source end-point address of a tunnel mode SA.
934+Only valid with \fB\-\-mode tunnel\fP.
935+.TP
936+[\fB!\fP] \fB\-\-tunnel\-dst\fP \fIaddr\fP[\fB/\fP\fImask\fP]
937+Matches the destination end-point address of a tunnel mode SA.
938+Only valid with \fB\-\-mode tunnel\fP.
939+.TP
940+\fB\-\-next\fP
941+Start the next element in the policy specification. Can only be used with
942+\fB\-\-strict\fP.
943+.SS quota
944+Implements network quotas by decrementing a byte counter with each
945+packet. The condition matches until the byte counter reaches zero. Behavior
946+is reversed with negation (i.e. the condition does not match until the
947+byte counter reaches zero).
948+.TP
949+[\fB!\fP] \fB\-\-quota\fP \fIbytes\fP
950+The quota in bytes.
951+.SS rateest
952+The rate estimator can match on estimated rates as collected by the RATEEST
953+target. It supports matching on absolute bps/pps values, comparing two rate
954+estimators and matching on the difference between two rate estimators.
955+.PP
956+For a better understanding of the available options, these are all possible
957+combinations:
958+.\" * Absolute:
959+.IP \(bu 4
960+\fBrateest\fP \fIoperator\fP \fBrateest-bps\fP
961+.IP \(bu 4
962+\fBrateest\fP \fIoperator\fP \fBrateest-pps\fP
963+.\" * Absolute + Delta:
964+.IP \(bu 4
965+(\fBrateest\fP minus \fBrateest-bps1\fP) \fIoperator\fP \fBrateest-bps2\fP
966+.IP \(bu 4
967+(\fBrateest\fP minus \fBrateest-pps1\fP) \fIoperator\fP \fBrateest-pps2\fP
968+.\" * Relative:
969+.IP \(bu 4
970+\fBrateest1\fP \fIoperator\fP \fBrateest2\fP \fBrateest-bps\fP(without rate!)
971+.IP \(bu 4
972+\fBrateest1\fP \fIoperator\fP \fBrateest2\fP \fBrateest-pps\fP(without rate!)
973+.\" * Relative + Delta:
974+.IP \(bu 4
975+(\fBrateest1\fP minus \fBrateest-bps1\fP) \fIoperator\fP
976+(\fBrateest2\fP minus \fBrateest-bps2\fP)
977+.IP \(bu 4
978+(\fBrateest1\fP minus \fBrateest-pps1\fP) \fIoperator\fP
979+(\fBrateest2\fP minus \fBrateest-pps2\fP)
980+.TP
981+\fB\-\-rateest\-delta\fP
982+For each estimator (either absolute or relative mode), calculate the difference
983+between the estimator-determined flow rate and the static value chosen with the
984+BPS/PPS options. If the flow rate is higher than the specified BPS/PPS, 0 will
985+be used instead of a negative value. In other words, "max(0, rateest#_rate -
986+rateest#_bps)" is used.
987+.TP
988+[\fB!\fP] \fB\-\-rateest\-lt\fP
989+Match if rate is less than given rate/estimator.
990+.TP
991+[\fB!\fP] \fB\-\-rateest\-gt\fP
992+Match if rate is greater than given rate/estimator.
993+.TP
994+[\fB!\fP] \fB\-\-rateest\-eq\fP
995+Match if rate is equal to given rate/estimator.
996+.PP
997+In the so-called "absolute mode", only one rate estimator is used and compared
998+against a static value, while in "relative mode", two rate estimators are
999+compared against another.
1000+.TP
1001+\fB\-\-rateest\fP \fIname\fP
1002+Name of the one rate estimator for absolute mode.
1003+.TP
1004+\fB\-\-rateest1\fP \fIname\fP
1005+.TP
1006+\fB\-\-rateest2\fP \fIname\fP
1007+The names of the two rate estimators for relative mode.
1008+.TP
1009+\fB\-\-rateest\-bps\fP [\fIvalue\fP]
1010+.TP
1011+\fB\-\-rateest\-pps\fP [\fIvalue\fP]
1012+.TP
1013+\fB\-\-rateest\-bps1\fP [\fIvalue\fP]
1014+.TP
1015+\fB\-\-rateest\-bps2\fP [\fIvalue\fP]
1016+.TP
1017+\fB\-\-rateest\-pps1\fP [\fIvalue\fP]
1018+.TP
1019+\fB\-\-rateest\-pps2\fP [\fIvalue\fP]
1020+Compare the estimator(s) by bytes or packets per second, and compare against
1021+the chosen value. See the above bullet list for which option is to be used in
1022+which case. A unit suffix may be used - available ones are: bit, [kmgt]bit,
1023+[KMGT]ibit, Bps, [KMGT]Bps, [KMGT]iBps.
1024+.PP
1025+Example: This is what can be used to route outgoing data connections from an
1026+FTP server over two lines based on the available bandwidth at the time the data
1027+connection was started:
1028+.PP
1029+# Estimate outgoing rates
1030+.PP
1031+iptables \-t mangle \-A POSTROUTING \-o eth0 \-j RATEEST \-\-rateest\-name eth0
1032+\-\-rateest\-interval 250ms \-\-rateest\-ewma 0.5s
1033+.PP
1034+iptables \-t mangle \-A POSTROUTING \-o ppp0 \-j RATEEST \-\-rateest\-name ppp0
1035+\-\-rateest\-interval 250ms \-\-rateest\-ewma 0.5s
1036+.PP
1037+# Mark based on available bandwidth
1038+.PP
1039+iptables \-t mangle \-A balance \-m conntrack \-\-ctstate NEW \-m helper \-\-helper ftp
1040+\-m rateest \-\-rateest\-delta \-\-rateest1 eth0 \-\-rateest\-bps1 2.5mbit \-\-rateest\-gt
1041+\-\-rateest2 ppp0 \-\-rateest\-bps2 2mbit \-j CONNMARK \-\-set\-mark 1
1042+.PP
1043+iptables \-t mangle \-A balance \-m conntrack \-\-ctstate NEW \-m helper \-\-helper ftp
1044+\-m rateest \-\-rateest\-delta \-\-rateest1 ppp0 \-\-rateest\-bps1 2mbit \-\-rateest\-gt
1045+\-\-rateest2 eth0 \-\-rateest\-bps2 2.5mbit \-j CONNMARK \-\-set\-mark 2
1046+.PP
1047+iptables \-t mangle \-A balance \-j CONNMARK \-\-restore\-mark
1048+.SS realm (IPv4-specific)
1049+This matches the routing realm. Routing realms are used in complex routing
1050+setups involving dynamic routing protocols like BGP.
1051+.TP
1052+[\fB!\fP] \fB\-\-realm\fP \fIvalue\fP[\fB/\fP\fImask\fP]
1053+Matches a given realm number (and optionally mask). If not a number, value
1054+can be a named realm from /etc/iproute2/rt_realms (mask can not be used in
1055+that case).
1056+.SS recent
1057+Allows you to dynamically create a list of IP addresses and then match against
1058+that list in a few different ways.
1059+.PP
1060+For example, you can create a "badguy" list out of people attempting to connect
1061+to port 139 on your firewall and then DROP all future packets from them without
1062+considering them.
1063+.PP
1064+\fB\-\-set\fP, \fB\-\-rcheck\fP, \fB\-\-update\fP and \fB\-\-remove\fP are
1065+mutually exclusive.
1066+.TP
1067+\fB\-\-name\fP \fIname\fP
1068+Specify the list to use for the commands. If no name is given then
1069+\fBDEFAULT\fP will be used.
1070+.TP
1071+[\fB!\fP] \fB\-\-set\fP
1072+This will add the source address of the packet to the list. If the source
1073+address is already in the list, this will update the existing entry. This will
1074+always return success (or failure if \fB!\fP is passed in).
1075+.TP
1076+\fB\-\-rsource\fP
1077+Match/save the source address of each packet in the recent list table. This
1078+is the default.
1079+.TP
1080+\fB\-\-rdest\fP
1081+Match/save the destination address of each packet in the recent list table.
1082+.TP
1083+\fB\-\-mask\fPnetmask
1084+Netmask that will be applied to this recent list.
1085+.TP
1086+[\fB!\fP] \fB\-\-rcheck\fP
1087+Check if the source address of the packet is currently in the list.
1088+.TP
1089+[\fB!\fP] \fB\-\-update\fP
1090+Like \fB\-\-rcheck\fP, except it will update the "last seen" timestamp if it
1091+matches.
1092+.TP
1093+[\fB!\fP] \fB\-\-remove\fP
1094+Check if the source address of the packet is currently in the list and if so
1095+that address will be removed from the list and the rule will return true. If
1096+the address is not found, false is returned.
1097+.TP
1098+\fB\-\-seconds\fP \fIseconds\fP
1099+This option must be used in conjunction with one of \fB\-\-rcheck\fP or
1100+\fB\-\-update\fP. When used, this will narrow the match to only happen when the
1101+address is in the list and was seen within the last given number of seconds.
1102+.TP
1103+\fB\-\-reap\fP
1104+This option can only be used in conjunction with \fB\-\-seconds\fP.
1105+When used, this will cause entries older than the last given number of seconds
1106+to be purged.
1107+.TP
1108+\fB\-\-hitcount\fP \fIhits\fP
1109+This option must be used in conjunction with one of \fB\-\-rcheck\fP or
1110+\fB\-\-update\fP. When used, this will narrow the match to only happen when the
1111+address is in the list and packets had been received greater than or equal to
1112+the given value. This option may be used along with \fB\-\-seconds\fP to create
1113+an even narrower match requiring a certain number of hits within a specific
1114+time frame. The maximum value for the hitcount parameter is given by the
1115+"ip_pkt_list_tot" parameter of the xt_recent kernel module. Exceeding this
1116+value on the command line will cause the rule to be rejected.
1117+.TP
1118+\fB\-\-rttl\fP
1119+This option may only be used in conjunction with one of \fB\-\-rcheck\fP or
1120+\fB\-\-update\fP. When used, this will narrow the match to only happen when the
1121+address is in the list and the TTL of the current packet matches that of the
1122+packet which hit the \fB\-\-set\fP rule. This may be useful if you have problems
1123+with people faking their source address in order to DoS you via this module by
1124+disallowing others access to your site by sending bogus packets to you.
1125+.PP
1126+Examples:
1127+.IP
1128+iptables \-A FORWARD \-m recent \-\-name badguy \-\-rcheck \-\-seconds 60 \-j DROP
1129+.IP
1130+iptables \-A FORWARD \-p tcp \-i eth0 \-\-dport 139 \-m recent \-\-name badguy \-\-set \-j DROP
1131+.PP
1132+Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/) also has
1133+some examples of usage.
1134+.PP
1135+\fB/proc/net/xt_recent/*\fP are the current lists of addresses and information
1136+about each entry of each list.
1137+.PP
1138+Each file in \fB/proc/net/xt_recent/\fP can be read from to see the current
1139+list or written two using the following commands to modify the list:
1140+.TP
1141+\fBecho +\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP
1142+to add \fIaddr\fP to the DEFAULT list
1143+.TP
1144+\fBecho \-\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP
1145+to remove \fIaddr\fP from the DEFAULT list
1146+.TP
1147+\fBecho / >/proc/net/xt_recent/DEFAULT\fP
1148+to flush the DEFAULT list (remove all entries).
1149+.PP
1150+The module itself accepts parameters, defaults shown:
1151+.TP
1152+\fBip_list_tot\fP=\fI100\fP
1153+Number of addresses remembered per table.
1154+.TP
1155+\fBip_pkt_list_tot\fP=\fI20\fP
1156+Number of packets per address remembered.
1157+.TP
1158+\fBip_list_hash_size\fP=\fI0\fP
1159+Hash table size. 0 means to calculate it based on ip_list_tot, default: 512.
1160+.TP
1161+\fBip_list_perms\fP=\fI0644\fP
1162+Permissions for /proc/net/xt_recent/* files.
1163+.TP
1164+\fBip_list_uid\fP=\fI0\fP
1165+Numerical UID for ownership of /proc/net/xt_recent/* files.
1166+.TP
1167+\fBip_list_gid\fP=\fI0\fP
1168+Numerical GID for ownership of /proc/net/xt_recent/* files.
1169+.SS rpfilter
1170+Performs a reverse path filter test on a packet.
1171+If a reply to the packet would be sent via the same interface
1172+that the packet arrived on, the packet will match.
1173+Note that, unlike the in-kernel rp_filter, packets protected
1174+by IPSec are not treated specially. Combine this match with
1175+the policy match if you want this.
1176+Also, packets arriving via the loopback interface are always permitted.
1177+This match can only be used in the PREROUTING chain of the raw or mangle table.
1178+.TP
1179+\fB\-\-loose\fP
1180+Used to specifiy that the reverse path filter test should match
1181+even if the selected output device is not the expected one.
1182+.TP
1183+\fB\-\-validmark\fP
1184+Also use the packets' nfmark value when performing the reverse path route lookup.
1185+.TP
1186+\fB\-\-accept\-local\fP
1187+This will permit packets arriving from the network with a source address that is also
1188+assigned to the local machine.
1189+.TP
1190+\fB\-\-invert\fP
1191+This will invert the sense of the match. Instead of matching packets that passed the
1192+reverse path filter test, match those that have failed it.
1193+.PP
1194+Example to log and drop packets failing the reverse path filter test:
1195+
1196+iptables \-t raw \-N RPFILTER
1197+
1198+iptables \-t raw \-A RPFILTER \-m rpfilter \-j RETURN
1199+
1200+iptables \-t raw \-A RPFILTER \-m limit \-\-limit 10/minute \-j NFLOG \-\-nflog\-prefix "rpfilter drop"
1201+
1202+iptables \-t raw \-A RPFILTER \-j DROP
1203+
1204+iptables \-t raw \-A PREROUTING \-j RPFILTER
1205+
1206+Example to drop failed packets, without logging:
1207+
1208+iptables \-t raw \-A RPFILTER \-m rpfilter \-\-invert \-j DROP
1209+.SS rt (IPv6-specific)
1210+Match on IPv6 routing header
1211+.TP
1212+[\fB!\fP] \fB\-\-rt\-type\fP \fItype\fP
1213+Match the type (numeric).
1214+.TP
1215+[\fB!\fP] \fB\-\-rt\-segsleft\fP \fInum\fP[\fB:\fP\fInum\fP]
1216+Match the `segments left' field (range).
1217+.TP
1218+[\fB!\fP] \fB\-\-rt\-len\fP \fIlength\fP
1219+Match the length of this header.
1220+.TP
1221+\fB\-\-rt\-0\-res\fP
1222+Match the reserved field, too (type=0)
1223+.TP
1224+\fB\-\-rt\-0\-addrs\fP \fIaddr\fP[\fB,\fP\fIaddr\fP...]
1225+Match type=0 addresses (list).
1226+.TP
1227+\fB\-\-rt\-0\-not\-strict\fP
1228+List of type=0 addresses is not a strict list.
1229+.SS sctp
1230+.TP
1231+[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP]
1232+.TP
1233+[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP]
1234+.TP
1235+[\fB!\fP] \fB\-\-chunk\-types\fP {\fBall\fP|\fBany\fP|\fBonly\fP} \fIchunktype\fP[\fB:\fP\fIflags\fP] [...]
1236+The flag letter in upper case indicates that the flag is to match if set,
1237+in the lower case indicates to match if unset.
1238+
1239+Chunk types: DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK FORWARD_TSN
1240+
1241+chunk type available flags
1242+.br
1243+DATA I U B E i u b e
1244+.br
1245+ABORT T t
1246+.br
1247+SHUTDOWN_COMPLETE T t
1248+
1249+(lowercase means flag should be "off", uppercase means "on")
1250+.P
1251+Examples:
1252+
1253+iptables \-A INPUT \-p sctp \-\-dport 80 \-j DROP
1254+
1255+iptables \-A INPUT \-p sctp \-\-chunk\-types any DATA,INIT \-j DROP
1256+
1257+iptables \-A INPUT \-p sctp \-\-chunk\-types any DATA:Be \-j ACCEPT
1258+.SS set
1259+This module matches IP sets which can be defined by ipset(8).
1260+.TP
1261+[\fB!\fP] \fB\-\-match\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP]...
1262+where flags are the comma separated list of
1263+.BR "src"
1264+and/or
1265+.BR "dst"
1266+specifications and there can be no more than six of them. Hence the command
1267+.IP
1268+ iptables \-A FORWARD \-m set \-\-match\-set test src,dst
1269+.IP
1270+will match packets, for which (if the set type is ipportmap) the source
1271+address and destination port pair can be found in the specified set. If
1272+the set type of the specified set is single dimension (for example ipmap),
1273+then the command will match packets for which the source address can be
1274+found in the specified set.
1275+.TP
1276+\fB\-\-return\-\-nomatch\fP
1277+If the \fB\-\-return\-\-nomatch\fP option is specified and the set type
1278+supports the \fBnomatch\fP flag, then the matching is reversed: a match
1279+with an element flagged with \fBnomatch\fP returns \fBtrue\fP, while a
1280+match with a plain element returns \fBfalse\fP.
1281+.PP
1282+The option \fB\-\-match\-set\fP can be replaced by \fB\-\-set\fP if that does
1283+not clash with an option of other extensions.
1284+.PP
1285+Use of -m set requires that ipset kernel support is provided, which, for
1286+standard kernels, is the case since Linux 2.6.39.
1287+.SS socket
1288+This matches if an open socket can be found by doing a socket lookup on the
1289+packet.
1290+.TP
1291+\fB\-\-transparent\fP
1292+Ignore non-transparent sockets.
1293+.SS state
1294+The "state" extension is a subset of the "conntrack" module.
1295+"state" allows access to the connection tracking state for this packet.
1296+.TP
1297+[\fB!\fP] \fB\-\-state\fP \fIstate\fP
1298+Where state is a comma separated list of the connection states to match. Only a
1299+subset of the states unterstood by "conntrack" are recognized: \fBINVALID\fP,
1300+\fBESTABLISHED\fP, \fBNEW\fP, \fBRELATED\fP or \fBUNTRACKED\fP. For their
1301+description, see the "conntrack" heading in this manpage.
1302+.SS statistic
1303+This module matches packets based on some statistic condition.
1304+It supports two distinct modes settable with the
1305+\fB\-\-mode\fP
1306+option.
1307+.PP
1308+Supported options:
1309+.TP
1310+\fB\-\-mode\fP \fImode\fP
1311+Set the matching mode of the matching rule, supported modes are
1312+.B random
1313+and
1314+.B nth.
1315+.TP
1316+[\fB!\fP] \fB\-\-probability\fP \fIp\fP
1317+Set the probability for a packet to be randomly matched. It only works with the
1318+\fBrandom\fP mode. \fIp\fP must be within 0.0 and 1.0. The supported
1319+granularity is in 1/2147483648th increments.
1320+.TP
1321+[\fB!\fP] \fB\-\-every\fP \fIn\fP
1322+Match one packet every nth packet. It works only with the
1323+.B nth
1324+mode (see also the
1325+\fB\-\-packet\fP
1326+option).
1327+.TP
1328+\fB\-\-packet\fP \fIp\fP
1329+Set the initial counter value (0 <= p <= n\-1, default 0) for the
1330+.B nth
1331+mode.
1332+.SS string
1333+This modules matches a given string by using some pattern matching strategy. It requires a linux kernel >= 2.6.14.
1334+.TP
1335+\fB\-\-algo\fP {\fBbm\fP|\fBkmp\fP}
1336+Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris)
1337+.TP
1338+\fB\-\-from\fP \fIoffset\fP
1339+Set the offset from which it starts looking for any matching. If not passed, default is 0.
1340+.TP
1341+\fB\-\-to\fP \fIoffset\fP
1342+Set the offset up to which should be scanned. That is, byte \fIoffset\fP-1
1343+(counting from 0) is the last one that is scanned.
1344+If not passed, default is the packet size.
1345+.TP
1346+[\fB!\fP] \fB\-\-string\fP \fIpattern\fP
1347+Matches the given pattern.
1348+.TP
1349+[\fB!\fP] \fB\-\-hex\-string\fP \fIpattern\fP
1350+Matches the given pattern in hex notation.
1351+.SS tcp
1352+These extensions can be used if `\-\-protocol tcp' is specified. It
1353+provides the following options:
1354+.TP
1355+[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP]
1356+Source port or port range specification. This can either be a service
1357+name or a port number. An inclusive range can also be specified,
1358+using the format \fIfirst\fP\fB:\fP\fIlast\fP.
1359+If the first port is omitted, "0" is assumed; if the last is omitted,
1360+"65535" is assumed.
1361+If the first port is greater than the second one they will be swapped.
1362+The flag
1363+\fB\-\-sport\fP
1364+is a convenient alias for this option.
1365+.TP
1366+[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP]
1367+Destination port or port range specification. The flag
1368+\fB\-\-dport\fP
1369+is a convenient alias for this option.
1370+.TP
1371+[\fB!\fP] \fB\-\-tcp\-flags\fP \fImask\fP \fIcomp\fP
1372+Match when the TCP flags are as specified. The first argument \fImask\fP is the
1373+flags which we should examine, written as a comma-separated list, and
1374+the second argument \fIcomp\fP is a comma-separated list of flags which must be
1375+set. Flags are:
1376+.BR "SYN ACK FIN RST URG PSH ALL NONE" .
1377+Hence the command
1378+.nf
1379+ iptables \-A FORWARD \-p tcp \-\-tcp\-flags SYN,ACK,FIN,RST SYN
1380+.fi
1381+will only match packets with the SYN flag set, and the ACK, FIN and
1382+RST flags unset.
1383+.TP
1384+[\fB!\fP] \fB\-\-syn\fP
1385+Only match TCP packets with the SYN bit set and the ACK,RST and FIN bits
1386+cleared. Such packets are used to request TCP connection initiation;
1387+for example, blocking such packets coming in an interface will prevent
1388+incoming TCP connections, but outgoing TCP connections will be
1389+unaffected.
1390+It is equivalent to \fB\-\-tcp\-flags SYN,RST,ACK,FIN SYN\fP.
1391+If the "!" flag precedes the "\-\-syn", the sense of the
1392+option is inverted.
1393+.TP
1394+[\fB!\fP] \fB\-\-tcp\-option\fP \fInumber\fP
1395+Match if TCP option set.
1396+.SS tcpmss
1397+This matches the TCP MSS (maximum segment size) field of the TCP header. You can only use this on TCP SYN or SYN/ACK packets, since the MSS is only negotiated during the TCP handshake at connection startup time.
1398+.TP
1399+[\fB!\fP] \fB\-\-mss\fP \fIvalue\fP[\fB:\fP\fIvalue\fP]
1400+Match a given TCP MSS value or range.
1401+.SS time
1402+This matches if the packet arrival time/date is within a given range. All
1403+options are optional, but are ANDed when specified. All times are interpreted
1404+as UTC by default.
1405+.TP
1406+\fB\-\-datestart\fP \fIYYYY\fP[\fB\-\fP\fIMM\fP[\fB\-\fP\fIDD\fP[\fBT\fP\fIhh\fP[\fB:\fP\fImm\fP[\fB:\fP\fIss\fP]]]]]
1407+.TP
1408+\fB\-\-datestop\fP \fIYYYY\fP[\fB\-\fP\fIMM\fP[\fB\-\fP\fIDD\fP[\fBT\fP\fIhh\fP[\fB:\fP\fImm\fP[\fB:\fP\fIss\fP]]]]]
1409+Only match during the given time, which must be in ISO 8601 "T" notation.
1410+The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07.
1411+.IP
1412+If \-\-datestart or \-\-datestop are not specified, it will default to 1970-01-01
1413+and 2038-01-19, respectively.
1414+.TP
1415+\fB\-\-timestart\fP \fIhh\fP\fB:\fP\fImm\fP[\fB:\fP\fIss\fP]
1416+.TP
1417+\fB\-\-timestop\fP \fIhh\fP\fB:\fP\fImm\fP[\fB:\fP\fIss\fP]
1418+Only match during the given daytime. The possible time range is 00:00:00 to
1419+23:59:59. Leading zeroes are allowed (e.g. "06:03") and correctly interpreted
1420+as base-10.
1421+.TP
1422+[\fB!\fP] \fB\-\-monthdays\fP \fIday\fP[\fB,\fP\fIday\fP...]
1423+Only match on the given days of the month. Possible values are \fB1\fP
1424+to \fB31\fP. Note that specifying \fB31\fP will of course not match
1425+on months which do not have a 31st day; the same goes for 28- or 29-day
1426+February.
1427+.TP
1428+[\fB!\fP] \fB\-\-weekdays\fP \fIday\fP[\fB,\fP\fIday\fP...]
1429+Only match on the given weekdays. Possible values are \fBMon\fP, \fBTue\fP,
1430+\fBWed\fP, \fBThu\fP, \fBFri\fP, \fBSat\fP, \fBSun\fP, or values from \fB1\fP
1431+to \fB7\fP, respectively. You may also use two-character variants (\fBMo\fP,
1432+\fBTu\fP, etc.).
1433+.TP
1434+\fB\-\-contiguous\fP
1435+When \fB\-\-timestop\fP is smaller than \fB\-\-timestart\fP value, match
1436+this as a single time period instead distinct intervals. See EXAMPLES.
1437+.TP
1438+\fB\-\-kerneltz\fP
1439+Use the kernel timezone instead of UTC to determine whether a packet meets the
1440+time regulations.
1441+.PP
1442+About kernel timezones: Linux keeps the system time in UTC, and always does so.
1443+On boot, system time is initialized from a referential time source. Where this
1444+time source has no timezone information, such as the x86 CMOS RTC, UTC will be
1445+assumed. If the time source is however not in UTC, userspace should provide the
1446+correct system time and timezone to the kernel once it has the information.
1447+.PP
1448+Local time is a feature on top of the (timezone independent) system time. Each
1449+process has its own idea of local time, specified via the TZ environment
1450+variable. The kernel also has its own timezone offset variable. The TZ
1451+userspace environment variable specifies how the UTC-based system time is
1452+displayed, e.g. when you run date(1), or what you see on your desktop clock.
1453+The TZ string may resolve to different offsets at different dates, which is
1454+what enables the automatic time-jumping in userspace. when DST changes. The
1455+kernel's timezone offset variable is used when it has to convert between
1456+non-UTC sources, such as FAT filesystems, to UTC (since the latter is what the
1457+rest of the system uses).
1458+.PP
1459+The caveat with the kernel timezone is that Linux distributions may ignore to
1460+set the kernel timezone, and instead only set the system time. Even if a
1461+particular distribution does set the timezone at boot, it is usually does not
1462+keep the kernel timezone offset - which is what changes on DST - up to date.
1463+ntpd will not touch the kernel timezone, so running it will not resolve the
1464+issue. As such, one may encounter a timezone that is always +0000, or one that
1465+is wrong half of the time of the year. As such, \fBusing \-\-kerneltz is highly
1466+discouraged.\fP
1467+.PP
1468+EXAMPLES. To match on weekends, use:
1469+.IP
1470+\-m time \-\-weekdays Sa,Su
1471+.PP
1472+Or, to match (once) on a national holiday block:
1473+.IP
1474+\-m time \-\-datestart 2007\-12\-24 \-\-datestop 2007\-12\-27
1475+.PP
1476+Since the stop time is actually inclusive, you would need the following stop
1477+time to not match the first second of the new day:
1478+.IP
1479+\-m time \-\-datestart 2007\-01\-01T17:00 \-\-datestop 2007\-01\-01T23:59:59
1480+.PP
1481+During lunch hour:
1482+.IP
1483+\-m time \-\-timestart 12:30 \-\-timestop 13:30
1484+.PP
1485+The fourth Friday in the month:
1486+.IP
1487+\-m time \-\-weekdays Fr \-\-monthdays 22,23,24,25,26,27,28
1488+.PP
1489+(Note that this exploits a certain mathematical property. It is not possible to
1490+say "fourth Thursday OR fourth Friday" in one rule. It is possible with
1491+multiple rules, though.)
1492+.PP
1493+Matching across days might not do what is expected. For instance,
1494+.IP
1495+\-m time \-\-weekdays Mo \-\-timestart 23:00 \-\-timestop 01:00
1496+Will match Monday, for one hour from midnight to 1 a.m., and then
1497+again for another hour from 23:00 onwards. If this is unwanted, e.g. if you
1498+would like 'match for two hours from Montay 23:00 onwards' you need to also specify
1499+the \-\-contiguous option in the example above.
1500+.SS tos
1501+This module matches the 8-bit Type of Service field in the IPv4 header (i.e.
1502+including the "Precedence" bits) or the (also 8-bit) Priority field in the IPv6
1503+header.
1504+.TP
1505+[\fB!\fP] \fB\-\-tos\fP \fIvalue\fP[\fB/\fP\fImask\fP]
1506+Matches packets with the given TOS mark value. If a mask is specified, it is
1507+logically ANDed with the TOS mark before the comparison.
1508+.TP
1509+[\fB!\fP] \fB\-\-tos\fP \fIsymbol\fP
1510+You can specify a symbolic name when using the tos match for IPv4. The list of
1511+recognized TOS names can be obtained by calling iptables with \fB\-m tos \-h\fP.
1512+Note that this implies a mask of 0x3F, i.e. all but the ECN bits.
1513+.SS ttl (IPv4-specific)
1514+This module matches the time to live field in the IP header.
1515+.TP
1516+[\fB!\fP] \fB\-\-ttl\-eq\fP \fIttl\fP
1517+Matches the given TTL value.
1518+.TP
1519+\fB\-\-ttl\-gt\fP \fIttl\fP
1520+Matches if TTL is greater than the given TTL value.
1521+.TP
1522+\fB\-\-ttl\-lt\fP \fIttl\fP
1523+Matches if TTL is less than the given TTL value.
1524+.SS u32
1525+U32 tests whether quantities of up to 4 bytes extracted from a packet have
1526+specified values. The specification of what to extract is general enough to
1527+find data at given offsets from tcp headers or payloads.
1528+.TP
1529+[\fB!\fP] \fB\-\-u32\fP \fItests\fP
1530+The argument amounts to a program in a small language described below.
1531+.IP
1532+tests := location "=" value | tests "&&" location "=" value
1533+.IP
1534+value := range | value "," range
1535+.IP
1536+range := number | number ":" number
1537+.PP
1538+a single number, \fIn\fP, is interpreted the same as \fIn:n\fP. \fIn:m\fP is
1539+interpreted as the range of numbers \fB>=n\fP and \fB<=m\fP.
1540+.IP "" 4
1541+location := number | location operator number
1542+.IP "" 4
1543+operator := "&" | "<<" | ">>" | "@"
1544+.PP
1545+The operators \fB&\fP, \fB<<\fP, \fB>>\fP and \fB&&\fP mean the same as in C.
1546+The \fB=\fP is really a set membership operator and the value syntax describes
1547+a set. The \fB@\fP operator is what allows moving to the next header and is
1548+described further below.
1549+.PP
1550+There are currently some artificial implementation limits on the size of the
1551+tests:
1552+.IP " *"
1553+no more than 10 of "\fB=\fP" (and 9 "\fB&&\fP"s) in the u32 argument
1554+.IP " *"
1555+no more than 10 ranges (and 9 commas) per value
1556+.IP " *"
1557+no more than 10 numbers (and 9 operators) per location
1558+.PP
1559+To describe the meaning of location, imagine the following machine that
1560+interprets it. There are three registers:
1561+.IP
1562+A is of type \fBchar *\fP, initially the address of the IP header
1563+.IP
1564+B and C are unsigned 32 bit integers, initially zero
1565+.PP
1566+The instructions are:
1567+.IP
1568+number B = number;
1569+.IP
1570+C = (*(A+B)<<24) + (*(A+B+1)<<16) + (*(A+B+2)<<8) + *(A+B+3)
1571+.IP
1572+&number C = C & number
1573+.IP
1574+<< number C = C << number
1575+.IP
1576+>> number C = C >> number
1577+.IP
1578+@number A = A + C; then do the instruction number
1579+.PP
1580+Any access of memory outside [skb\->data,skb\->end] causes the match to fail.
1581+Otherwise the result of the computation is the final value of C.
1582+.PP
1583+Whitespace is allowed but not required in the tests. However, the characters
1584+that do occur there are likely to require shell quoting, so it is a good idea
1585+to enclose the arguments in quotes.
1586+.PP
1587+Example:
1588+.IP
1589+match IP packets with total length >= 256
1590+.IP
1591+The IP header contains a total length field in bytes 2-3.
1592+.IP
1593+\-\-u32 "\fB0 & 0xFFFF = 0x100:0xFFFF\fP"
1594+.IP
1595+read bytes 0-3
1596+.IP
1597+AND that with 0xFFFF (giving bytes 2-3), and test whether that is in the range
1598+[0x100:0xFFFF]
1599+.PP
1600+Example: (more realistic, hence more complicated)
1601+.IP
1602+match ICMP packets with icmp type 0
1603+.IP
1604+First test that it is an ICMP packet, true iff byte 9 (protocol) = 1
1605+.IP
1606+\-\-u32 "\fB6 & 0xFF = 1 &&\fP ...
1607+.IP
1608+read bytes 6-9, use \fB&\fP to throw away bytes 6-8 and compare the result to
1609+1. Next test that it is not a fragment. (If so, it might be part of such a
1610+packet but we cannot always tell.) N.B.: This test is generally needed if you
1611+want to match anything beyond the IP header. The last 6 bits of byte 6 and all
1612+of byte 7 are 0 iff this is a complete packet (not a fragment). Alternatively,
1613+you can allow first fragments by only testing the last 5 bits of byte 6.
1614+.IP
1615+ ... \fB4 & 0x3FFF = 0 &&\fP ...
1616+.IP
1617+Last test: the first byte past the IP header (the type) is 0. This is where we
1618+have to use the @syntax. The length of the IP header (IHL) in 32 bit words is
1619+stored in the right half of byte 0 of the IP header itself.
1620+.IP
1621+ ... \fB0 >> 22 & 0x3C @ 0 >> 24 = 0\fP"
1622+.IP
1623+The first 0 means read bytes 0-3, \fB>>22\fP means shift that 22 bits to the
1624+right. Shifting 24 bits would give the first byte, so only 22 bits is four
1625+times that plus a few more bits. \fB&3C\fP then eliminates the two extra bits
1626+on the right and the first four bits of the first byte. For instance, if IHL=5,
1627+then the IP header is 20 (4 x 5) bytes long. In this case, bytes 0-1 are (in
1628+binary) xxxx0101 yyzzzzzz, \fB>>22\fP gives the 10 bit value xxxx0101yy and
1629+\fB&3C\fP gives 010100. \fB@\fP means to use this number as a new offset into
1630+the packet, and read four bytes starting from there. This is the first 4 bytes
1631+of the ICMP payload, of which byte 0 is the ICMP type. Therefore, we simply
1632+shift the value 24 to the right to throw out all but the first byte and compare
1633+the result with 0.
1634+.PP
1635+Example:
1636+.IP
1637+TCP payload bytes 8-12 is any of 1, 2, 5 or 8
1638+.IP
1639+First we test that the packet is a tcp packet (similar to ICMP).
1640+.IP
1641+\-\-u32 "\fB6 & 0xFF = 6 &&\fP ...
1642+.IP
1643+Next, test that it is not a fragment (same as above).
1644+.IP
1645+ ... \fB0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 8 = 1,2,5,8\fP"
1646+.IP
1647+\fB0>>22&3C\fP as above computes the number of bytes in the IP header. \fB@\fP
1648+makes this the new offset into the packet, which is the start of the TCP
1649+header. The length of the TCP header (again in 32 bit words) is the left half
1650+of byte 12 of the TCP header. The \fB12>>26&3C\fP computes this length in bytes
1651+(similar to the IP header before). "@" makes this the new offset, which is the
1652+start of the TCP payload. Finally, 8 reads bytes 8-12 of the payload and
1653+\fB=\fP checks whether the result is any of 1, 2, 5 or 8.
1654+.SS udp
1655+These extensions can be used if `\-\-protocol udp' is specified. It
1656+provides the following options:
1657+.TP
1658+[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP]
1659+Source port or port range specification.
1660+See the description of the
1661+\fB\-\-source\-port\fP
1662+option of the TCP extension for details.
1663+.TP
1664+[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP]
1665+Destination port or port range specification.
1666+See the description of the
1667+\fB\-\-destination\-port\fP
1668+option of the TCP extension for details.
1669+.SS unclean (IPv4-specific)
1670+This module takes no options, but attempts to match packets which seem
1671+malformed or unusual. This is regarded as experimental.
1672+.SH TARGET EXTENSIONS
1673+iptables can use extended target modules: the following are included
1674+in the standard distribution.
1675+.\" @TARGET@
1676+.SS AUDIT
1677+This target allows to create audit records for packets hitting the target.
1678+It can be used to record accepted, dropped, and rejected packets. See
1679+auditd(8) for additional details.
1680+.TP
1681+\fB\-\-type\fP {\fBaccept\fP|\fBdrop\fP|\fBreject\fP}
1682+Set type of audit record.
1683+.PP
1684+Example:
1685+.IP
1686+iptables \-N AUDIT_DROP
1687+.IP
1688+iptables \-A AUDIT_DROP \-j AUDIT \-\-type drop
1689+.IP
1690+iptables \-A AUDIT_DROP \-j DROP
1691+.SS CHECKSUM
1692+This target allows to selectively work around broken/old applications.
1693+It can only be used in the mangle table.
1694+.TP
1695+\fB\-\-checksum\-fill\fP
1696+Compute and fill in the checksum in a packet that lacks a checksum.
1697+This is particularly useful, if you need to work around old applications
1698+such as dhcp clients, that do not work well with checksum offloads,
1699+but don't want to disable checksum offload in your device.
1700+.SS CLASSIFY
1701+This module allows you to set the skb\->priority value (and thus classify the packet into a specific CBQ class).
1702+.TP
1703+\fB\-\-set\-class\fP \fImajor\fP\fB:\fP\fIminor\fP
1704+Set the major and minor class value. The values are always interpreted as
1705+hexadecimal even if no 0x prefix is given.
1706+.SS CLUSTERIP (IPv4-specific)
1707+This module allows you to configure a simple cluster of nodes that share
1708+a certain IP and MAC address without an explicit load balancer in front of
1709+them. Connections are statically distributed between the nodes in this
1710+cluster.
1711+.TP
1712+\fB\-\-new\fP
1713+Create a new ClusterIP. You always have to set this on the first rule
1714+for a given ClusterIP.
1715+.TP
1716+\fB\-\-hashmode\fP \fImode\fP
1717+Specify the hashing mode. Has to be one of
1718+\fBsourceip\fP, \fBsourceip\-sourceport\fP, \fBsourceip\-sourceport\-destport\fP.
1719+.TP
1720+\fB\-\-clustermac\fP \fImac\fP
1721+Specify the ClusterIP MAC address. Has to be a link\-layer multicast address
1722+.TP
1723+\fB\-\-total\-nodes\fP \fInum\fP
1724+Number of total nodes within this cluster.
1725+.TP
1726+\fB\-\-local\-node\fP \fInum\fP
1727+Local node number within this cluster.
1728+.TP
1729+\fB\-\-hash\-init\fP \fIrnd\fP
1730+Specify the random seed used for hash initialization.
1731+.SS CONNMARK
1732+This module sets the netfilter mark value associated with a connection. The
1733+mark is 32 bits wide.
1734+.TP
1735+\fB\-\-set\-xmark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
1736+Zero out the bits given by \fImask\fP and XOR \fIvalue\fP into the ctmark.
1737+.TP
1738+\fB\-\-save\-mark\fP [\fB\-\-nfmask\fP \fInfmask\fP] [\fB\-\-ctmask\fP \fIctmask\fP]
1739+Copy the packet mark (nfmark) to the connection mark (ctmark) using the given
1740+masks. The new nfmark value is determined as follows:
1741+.IP
1742+ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)
1743+.IP
1744+i.e. \fIctmask\fP defines what bits to clear and \fInfmask\fP what bits of the
1745+nfmark to XOR into the ctmark. \fIctmask\fP and \fInfmask\fP default to
1746+0xFFFFFFFF.
1747+.TP
1748+\fB\-\-restore\-mark\fP [\fB\-\-nfmask\fP \fInfmask\fP] [\fB\-\-ctmask\fP \fIctmask\fP]
1749+Copy the connection mark (ctmark) to the packet mark (nfmark) using the given
1750+masks. The new ctmark value is determined as follows:
1751+.IP
1752+nfmark = (nfmark & ~\fInfmask\fP) ^ (ctmark & \fIctmask\fP);
1753+.IP
1754+i.e. \fInfmask\fP defines what bits to clear and \fIctmask\fP what bits of the
1755+ctmark to XOR into the nfmark. \fIctmask\fP and \fInfmask\fP default to
1756+0xFFFFFFFF.
1757+.IP
1758+\fB\-\-restore\-mark\fP is only valid in the \fBmangle\fP table.
1759+.PP
1760+The following mnemonics are available for \fB\-\-set\-xmark\fP:
1761+.TP
1762+\fB\-\-and\-mark\fP \fIbits\fP
1763+Binary AND the ctmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark
1764+0/\fP\fIinvbits\fP, where \fIinvbits\fP is the binary negation of \fIbits\fP.)
1765+.TP
1766+\fB\-\-or\-mark\fP \fIbits\fP
1767+Binary OR the ctmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP
1768+\fIbits\fP\fB/\fP\fIbits\fP.)
1769+.TP
1770+\fB\-\-xor\-mark\fP \fIbits\fP
1771+Binary XOR the ctmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP
1772+\fIbits\fP\fB/0\fP.)
1773+.TP
1774+\fB\-\-set\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
1775+Set the connection mark. If a mask is specified then only those bits set in the
1776+mask are modified.
1777+.TP
1778+\fB\-\-save\-mark\fP [\fB\-\-mask\fP \fImask\fP]
1779+Copy the nfmark to the ctmark. If a mask is specified, only those bits are
1780+copied.
1781+.TP
1782+\fB\-\-restore\-mark\fP [\fB\-\-mask\fP \fImask\fP]
1783+Copy the ctmark to the nfmark. If a mask is specified, only those bits are
1784+copied. This is only valid in the \fBmangle\fP table.
1785+.SS CONNSECMARK
1786+This module copies security markings from packets to connections
1787+(if unlabeled), and from connections back to packets (also only
1788+if unlabeled). Typically used in conjunction with SECMARK, it is
1789+valid in the
1790+.B security
1791+table (for backwards compatibility with older kernels, it is also
1792+valid in the
1793+.B mangle
1794+table).
1795+.TP
1796+\fB\-\-save\fP
1797+If the packet has a security marking, copy it to the connection
1798+if the connection is not marked.
1799+.TP
1800+\fB\-\-restore\fP
1801+If the packet does not have a security marking, and the connection
1802+does, copy the security marking from the connection to the packet.
1803+
1804+.SS CT
1805+The CT target allows to set parameters for a packet or its associated
1806+connection. The target attaches a "template" connection tracking entry to
1807+the packet, which is then used by the conntrack core when initializing
1808+a new ct entry. This target is thus only valid in the "raw" table.
1809+.TP
1810+\fB\-\-notrack\fP
1811+Disables connection tracking for this packet.
1812+.TP
1813+\fB\-\-helper\fP \fIname\fP
1814+Use the helper identified by \fIname\fP for the connection. This is more
1815+flexible than loading the conntrack helper modules with preset ports.
1816+.TP
1817+\fB\-\-ctevents\fP \fIevent\fP[\fB,\fP...]
1818+Only generate the specified conntrack events for this connection. Possible
1819+event types are: \fBnew\fP, \fBrelated\fP, \fBdestroy\fP, \fBreply\fP,
1820+\fBassured\fP, \fBprotoinfo\fP, \fBhelper\fP, \fBmark\fP (this refers to
1821+the ctmark, not nfmark), \fBnatseqinfo\fP, \fBsecmark\fP (ctsecmark).
1822+.TP
1823+\fB\-\-expevents\fP \fIevent\fP[\fB,\fP...]
1824+Only generate the specified expectation events for this connection.
1825+Possible event types are: \fBnew\fP.
1826+.TP
1827+\fB\-\-zone\fP \fIid\fP
1828+Assign this packet to zone \fIid\fP and only have lookups done in that zone.
1829+By default, packets have zone 0.
1830+.TP
1831+\fB\-\-timeout\fP \fIname\fP
1832+Use the timeout policy identified by \fIname\fP for the connection. This is
1833+provides more flexible timeout policy definition than global timeout values
1834+available at /proc/sys/net/netfilter/nf_conntrack_*_timeout_*.
1835+.SS DNAT (IPv4-specific)
1836+This target is only valid in the
1837+.B nat
1838+table, in the
1839+.B PREROUTING
1840+and
1841+.B OUTPUT
1842+chains, and user-defined chains which are only called from those
1843+chains. It specifies that the destination address of the packet
1844+should be modified (and all future packets in this connection will
1845+also be mangled), and rules should cease being examined. It takes one
1846+type of option:
1847+.TP
1848+\fB\-\-to\-destination\fP [\fIipaddr\fP[\fB\-\fP\fIipaddr\fP]][\fB:\fP\fIport\fP[\fB\-\fP\fIport\fP]]
1849+which can specify a single new destination IP address, an inclusive
1850+range of IP addresses, and optionally, a port range (which is only
1851+valid if the rule also specifies
1852+\fB\-p tcp\fP
1853+or
1854+\fB\-p udp\fP).
1855+If no port range is specified, then the destination port will never be
1856+modified. If no IP address is specified then only the destination port
1857+will be modified.
1858+
1859+In Kernels up to 2.6.10 you can add several \-\-to\-destination options. For
1860+those kernels, if you specify more than one destination address, either via an
1861+address range or multiple \-\-to\-destination options, a simple round-robin (one
1862+after another in cycle) load balancing takes place between these addresses.
1863+Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges
1864+anymore.
1865+.TP
1866+\fB\-\-random\fP
1867+If option
1868+\fB\-\-random\fP
1869+is used then port mapping will be randomized (kernel >= 2.6.22).
1870+.TP
1871+\fB\-\-persistent\fP
1872+Gives a client the same source-/destination-address for each connection.
1873+This supersedes the SAME target. Support for persistent mappings is available
1874+from 2.6.29-rc2.
1875+.SS DSCP
1876+This target allows to alter the value of the DSCP bits within the TOS
1877+header of the IPv4 packet. As this manipulates a packet, it can only
1878+be used in the mangle table.
1879+.TP
1880+\fB\-\-set\-dscp\fP \fIvalue\fP
1881+Set the DSCP field to a numerical value (can be decimal or hex)
1882+.TP
1883+\fB\-\-set\-dscp\-class\fP \fIclass\fP
1884+Set the DSCP field to a DiffServ class.
1885+.SS ECN (IPv4-specific)
1886+This target allows to selectively work around known ECN blackholes.
1887+It can only be used in the mangle table.
1888+.TP
1889+\fB\-\-ecn\-tcp\-remove\fP
1890+Remove all ECN bits from the TCP header. Of course, it can only be used
1891+in conjunction with
1892+\fB\-p tcp\fP.
1893+.SS HL (IPv6-specific)
1894+This is used to modify the Hop Limit field in IPv6 header. The Hop Limit field
1895+is similar to what is known as TTL value in IPv4. Setting or incrementing the
1896+Hop Limit field can potentially be very dangerous, so it should be avoided at
1897+any cost. This target is only valid in
1898+.B mangle
1899+table.
1900+.PP
1901+.B Don't ever set or increment the value on packets that leave your local network!
1902+.TP
1903+\fB\-\-hl\-set\fP \fIvalue\fP
1904+Set the Hop Limit to `value'.
1905+.TP
1906+\fB\-\-hl\-dec\fP \fIvalue\fP
1907+Decrement the Hop Limit `value' times.
1908+.TP
1909+\fB\-\-hl\-inc\fP \fIvalue\fP
1910+Increment the Hop Limit `value' times.
1911+.SS HMARK
1912+Like MARK, i.e. set the fwmark, but the mark is calculated from hashing
1913+packet selector at choice. You have also to specify the mark range and,
1914+optionally, the offset to start from. ICMP error messages are inspected
1915+and used to calculate the hashing.
1916+.PP
1917+Existing options are:
1918+.TP
1919+\fB\-\-hmark\-tuple\fP tuple\fI\fP
1920+Possible tuple members are:
1921+.B src
1922+meaning source address (IPv4, IPv6 address),
1923+.B dst
1924+meaning destination address (IPv4, IPv6 address),
1925+.B sport
1926+meaning source port (TCP, UDP, UDPlite, SCTP, DCCP),
1927+.B dport
1928+meaning destination port (TCP, UDP, UDPlite, SCTP, DCCP),
1929+.B spi
1930+meaning Security Parameter Index (AH, ESP), and
1931+.B ct
1932+meaning the usage of the conntrack tuple instead of the packet selectors.
1933+.TP
1934+\fB\-\-hmark\-mod\fP \fIvalue (must be > 0)\fP
1935+Modulus for hash calculation (to limit the range of possible marks)
1936+.TP
1937+\fB\-\-hmark\-offset\fP \fIvalue\fP
1938+Offset to start marks from.
1939+.TP
1940+For advanced usage, instead of using \-\-hmark\-tuple, you can specify custom
1941+prefixes and masks:
1942+.TP
1943+\fB\-\-hmark\-src\-prefix\fP \fIcidr\fP
1944+The source address mask in CIDR notation.
1945+.TP
1946+\fB\-\-hmark\-dst\-prefix\fP \fIcidr\fP
1947+The destination address mask in CIDR notation.
1948+.TP
1949+\fB\-\-hmark\-sport\-mask\fP \fIvalue\fP
1950+A 16 bit source port mask in hexadecimal.
1951+.TP
1952+\fB\-\-hmark\-dport\-mask\fP \fIvalue\fP
1953+A 16 bit destination port mask in hexadecimal.
1954+.TP
1955+\fB\-\-hmark\-spi\-mask\fP \fIvalue\fP
1956+A 32 bit field with spi mask.
1957+.TP
1958+\fB\-\-hmark\-proto\-mask\fP \fIvalue\fP
1959+An 8 bit field with layer 4 protocol number.
1960+.TP
1961+\fB\-\-hmark\-rnd\fP \fIvalue\fP
1962+A 32 bit random custom value to feed hash calculation.
1963+.PP
1964+\fIExamples:\fP
1965+.PP
1966+iptables \-t mangle \-A PREROUTING \-m conntrack \-\-ctstate NEW
1967+ \-j HMARK \-\-hmark-tuple ct,src,dst,proto \-\-hmark-offset 10000
1968+\-\-hmark\-mod 10 \-\-hmark\-rnd 0xfeedcafe
1969+.PP
1970+iptables \-t mangle \-A PREROUTING -j HMARK \-\-hmark\-offset 10000
1971+\-\-hmark-tuple src,dst,proto \-\-hmark-mod 10 \-\-hmark\-rnd 0xdeafbeef
1972+.SS IDLETIMER
1973+This target can be used to identify when interfaces have been idle for a
1974+certain period of time. Timers are identified by labels and are created when
1975+a rule is set with a new label. The rules also take a timeout value (in
1976+seconds) as an option. If more than one rule uses the same timer label, the
1977+timer will be restarted whenever any of the rules get a hit. One entry for
1978+each timer is created in sysfs. This attribute contains the timer remaining
1979+for the timer to expire. The attributes are located under the xt_idletimer
1980+class:
1981+.PP
1982+/sys/class/xt_idletimer/timers/<label>
1983+.PP
1984+When the timer expires, the target module sends a sysfs notification to the
1985+userspace, which can then decide what to do (eg. disconnect to save power).
1986+.TP
1987+\fB\-\-timeout\fP \fIamount\fP
1988+This is the time in seconds that will trigger the notification.
1989+.TP
1990+\fB\-\-label\fP \fIstring\fP
1991+This is a unique identifier for the timer. The maximum length for the
1992+label string is 27 characters.
1993+.SS LED
1994+This creates an LED-trigger that can then be attached to system indicator
1995+lights, to blink or illuminate them when certain packets pass through the
1996+system. One example might be to light up an LED for a few minutes every time
1997+an SSH connection is made to the local machine. The following options control
1998+the trigger behavior:
1999+.TP
2000+\fB\-\-led\-trigger\-id\fP \fIname\fP
2001+This is the name given to the LED trigger. The actual name of the trigger
2002+will be prefixed with "netfilter-".
2003+.TP
2004+\fB\-\-led-delay\fP \fIms\fP
2005+This indicates how long (in milliseconds) the LED should be left illuminated
2006+when a packet arrives before being switched off again. The default is 0
2007+(blink as fast as possible.) The special value \fIinf\fP can be given to
2008+leave the LED on permanently once activated. (In this case the trigger will
2009+need to be manually detached and reattached to the LED device to switch it
2010+off again.)
2011+.TP
2012+\fB\-\-led\-always\-blink\fP
2013+Always make the LED blink on packet arrival, even if the LED is already on.
2014+This allows notification of new packets even with long delay values (which
2015+otherwise would result in a silent prolonging of the delay time.)
2016+.TP
2017+Example:
2018+.TP
2019+Create an LED trigger for incoming SSH traffic:
2020+iptables \-A INPUT \-p tcp \-\-dport 22 \-j LED \-\-led\-trigger\-id ssh
2021+.TP
2022+Then attach the new trigger to an LED:
2023+echo netfilter\-ssh >/sys/class/leds/\fIledname\fP/trigger
2024+.SS LOG (IPv6-specific)
2025+Turn on kernel logging of matching packets. When this option is set
2026+for a rule, the Linux kernel will print some information on all
2027+matching packets (like most IPv6 IPv6-header fields) via the kernel log
2028+(where it can be read with
2029+.I dmesg
2030+or
2031+.IR syslogd (8)).
2032+This is a "non-terminating target", i.e. rule traversal continues at
2033+the next rule. So if you want to LOG the packets you refuse, use two
2034+separate rules with the same matching criteria, first using target LOG
2035+then DROP (or REJECT).
2036+.TP
2037+\fB\-\-log\-level\fP \fIlevel\fP
2038+Level of logging, which can be (system-specific) numeric or a mnemonic.
2039+Possible values are (in decreasing order of priority): \fBemerg\fP,
2040+\fBalert\fP, \fBcrit\fP, \fBerror\fP, \fBwarning\fP, \fBnotice\fP, \fBinfo\fP
2041+or \fBdebug\fP.
2042+.TP
2043+\fB\-\-log\-prefix\fP \fIprefix\fP
2044+Prefix log messages with the specified prefix; up to 29 letters long,
2045+and useful for distinguishing messages in the logs.
2046+.TP
2047+\fB\-\-log\-tcp\-sequence\fP
2048+Log TCP sequence numbers. This is a security risk if the log is
2049+readable by users.
2050+.TP
2051+\fB\-\-log\-tcp\-options\fP
2052+Log options from the TCP packet header.
2053+.TP
2054+\fB\-\-log\-ip\-options\fP
2055+Log options from the IPv6 packet header.
2056+.TP
2057+\fB\-\-log\-uid\fP
2058+Log the userid of the process which generated the packet.
2059+.SS LOG (IPv4-specific)
2060+Turn on kernel logging of matching packets. When this option is set
2061+for a rule, the Linux kernel will print some information on all
2062+matching packets (like most IP header fields) via the kernel log
2063+(where it can be read with
2064+.I dmesg
2065+or
2066+.IR syslogd (8)).
2067+This is a "non-terminating target", i.e. rule traversal continues at
2068+the next rule. So if you want to LOG the packets you refuse, use two
2069+separate rules with the same matching criteria, first using target LOG
2070+then DROP (or REJECT).
2071+.TP
2072+\fB\-\-log\-level\fP \fIlevel\fP
2073+Level of logging, which can be (system-specific) numeric or a mnemonic.
2074+Possible values are (in decreasing order of priority): \fBemerg\fP,
2075+\fBalert\fP, \fBcrit\fP, \fBerror\fP, \fBwarning\fP, \fBnotice\fP, \fBinfo\fP
2076+or \fBdebug\fP.
2077+.TP
2078+\fB\-\-log\-prefix\fP \fIprefix\fP
2079+Prefix log messages with the specified prefix; up to 29 letters long,
2080+and useful for distinguishing messages in the logs.
2081+.TP
2082+\fB\-\-log\-tcp\-sequence\fP
2083+Log TCP sequence numbers. This is a security risk if the log is
2084+readable by users.
2085+.TP
2086+\fB\-\-log\-tcp\-options\fP
2087+Log options from the TCP packet header.
2088+.TP
2089+\fB\-\-log\-ip\-options\fP
2090+Log options from the IP packet header.
2091+.TP
2092+\fB\-\-log\-uid\fP
2093+Log the userid of the process which generated the packet.
2094+.SS MARK
2095+This target is used to set the Netfilter mark value associated with the packet.
2096+It can, for example, be used in conjunction with routing based on fwmark (needs
2097+iproute2). If you plan on doing so, note that the mark needs to be set in the
2098+PREROUTING chain of the mangle table to affect routing.
2099+The mark field is 32 bits wide.
2100+.TP
2101+\fB\-\-set\-xmark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
2102+Zeroes out the bits given by \fImask\fP and XORs \fIvalue\fP into the packet
2103+mark ("nfmark"). If \fImask\fP is omitted, 0xFFFFFFFF is assumed.
2104+.TP
2105+\fB\-\-set\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
2106+Zeroes out the bits given by \fImask\fP and ORs \fIvalue\fP into the packet
2107+mark. If \fImask\fP is omitted, 0xFFFFFFFF is assumed.
2108+.PP
2109+The following mnemonics are available:
2110+.TP
2111+\fB\-\-and\-mark\fP \fIbits\fP
2112+Binary AND the nfmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark
2113+0/\fP\fIinvbits\fP, where \fIinvbits\fP is the binary negation of \fIbits\fP.)
2114+.TP
2115+\fB\-\-or\-mark\fP \fIbits\fP
2116+Binary OR the nfmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP
2117+\fIbits\fP\fB/\fP\fIbits\fP.)
2118+.TP
2119+\fB\-\-xor\-mark\fP \fIbits\fP
2120+Binary XOR the nfmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP
2121+\fIbits\fP\fB/0\fP.)
2122+.SS MASQUERADE (IPv6-specific)
2123+This target is only valid in the
2124+.B nat
2125+table, in the
2126+.B POSTROUTING
2127+chain. It should only be used with dynamically assigned IPv6 (dialup)
2128+connections: if you have a static IP address, you should use the SNAT
2129+target. Masquerading is equivalent to specifying a mapping to the IP
2130+address of the interface the packet is going out, but also has the
2131+effect that connections are
2132+.I forgotten
2133+when the interface goes down. This is the correct behavior when the
2134+next dialup is unlikely to have the same interface address (and hence
2135+any established connections are lost anyway).
2136+.TP
2137+\fB\-\-to\-ports\fP \fIport\fP[\fB\-\fP\fIport\fP]
2138+This specifies a range of source ports to use, overriding the default
2139+.B SNAT
2140+source port-selection heuristics (see above). This is only valid
2141+if the rule also specifies
2142+\fB\-p tcp\fP
2143+or
2144+\fB\-p udp\fP.
2145+.TP
2146+\fB\-\-random\fP
2147+Randomize source port mapping
2148+If option
2149+\fB\-\-random\fP
2150+is used then port mapping will be randomized.
2151+.RS
2152+.PP
2153+.SS MASQUERADE (IPv4-specific)
2154+This target is only valid in the
2155+.B nat
2156+table, in the
2157+.B POSTROUTING
2158+chain. It should only be used with dynamically assigned IP (dialup)
2159+connections: if you have a static IP address, you should use the SNAT
2160+target. Masquerading is equivalent to specifying a mapping to the IP
2161+address of the interface the packet is going out, but also has the
2162+effect that connections are
2163+.I forgotten
2164+when the interface goes down. This is the correct behavior when the
2165+next dialup is unlikely to have the same interface address (and hence
2166+any established connections are lost anyway).
2167+.TP
2168+\fB\-\-to\-ports\fP \fIport\fP[\fB\-\fP\fIport\fP]
2169+This specifies a range of source ports to use, overriding the default
2170+.B SNAT
2171+source port-selection heuristics (see above). This is only valid
2172+if the rule also specifies
2173+\fB\-p tcp\fP
2174+or
2175+\fB\-p udp\fP.
2176+.TP
2177+\fB\-\-random\fP
2178+Randomize source port mapping
2179+If option
2180+\fB\-\-random\fP
2181+is used then port mapping will be randomized (kernel >= 2.6.21).
2182+.RS
2183+.PP
2184+.SS MIRROR (IPv4-specific)
2185+This is an experimental demonstration target which inverts the source
2186+and destination fields in the IP header and retransmits the packet.
2187+It is only valid in the
2188+.BR INPUT ,
2189+.B FORWARD
2190+and
2191+.B PREROUTING
2192+chains, and user-defined chains which are only called from those
2193+chains. Note that the outgoing packets are
2194+.B NOT
2195+seen by any packet filtering chains, connection tracking or NAT, to
2196+avoid loops and other problems.
2197+.SS NETMAP (IPv4-specific)
2198+This target allows you to statically map a whole network of addresses onto
2199+another network of addresses. It can only be used from rules in the
2200+.B nat
2201+table.
2202+.TP
2203+\fB\-\-to\fP \fIaddress\fP[\fB/\fP\fImask\fP]
2204+Network address to map to. The resulting address will be constructed in the
2205+following way: All 'one' bits in the mask are filled in from the new `address'.
2206+All bits that are zero in the mask are filled in from the original address.
2207+.SS NFLOG
2208+This target provides logging of matching packets. When this target is
2209+set for a rule, the Linux kernel will pass the packet to the loaded
2210+logging backend to log the packet. This is usually used in combination
2211+with nfnetlink_log as logging backend, which will multicast the packet
2212+through a
2213+.IR netlink
2214+socket to the specified multicast group. One or more userspace processes
2215+may subscribe to the group to receive the packets. Like LOG, this is a
2216+non-terminating target, i.e. rule traversal continues at the next rule.
2217+.TP
2218+\fB\-\-nflog\-group\fP \fInlgroup\fP
2219+The netlink group (0 - 2^16\-1) to which packets are (only applicable for
2220+nfnetlink_log). The default value is 0.
2221+.TP
2222+\fB\-\-nflog\-prefix\fP \fIprefix\fP
2223+A prefix string to include in the log message, up to 64 characters
2224+long, useful for distinguishing messages in the logs.
2225+.TP
2226+\fB\-\-nflog\-range\fP \fIsize\fP
2227+The number of bytes to be copied to userspace (only applicable for
2228+nfnetlink_log). nfnetlink_log instances may specify their own
2229+range, this option overrides it.
2230+.TP
2231+\fB\-\-nflog\-threshold\fP \fIsize\fP
2232+Number of packets to queue inside the kernel before sending them
2233+to userspace (only applicable for nfnetlink_log). Higher values
2234+result in less overhead per packet, but increase delay until the
2235+packets reach userspace. The default value is 1.
2236+.BR
2237+.SS NFQUEUE
2238+This target is an extension of the QUEUE target. As opposed to QUEUE, it allows
2239+you to put a packet into any specific queue, identified by its 16-bit queue
2240+number.
2241+It can only be used with Kernel versions 2.6.14 or later, since it requires
2242+the
2243+.B
2244+nfnetlink_queue
2245+kernel support. The \fBqueue-balance\fP option was added in Linux 2.6.31,
2246+\fBqueue-bypass\fP in 2.6.39.
2247+.TP
2248+\fB\-\-queue\-num\fP \fIvalue\fP
2249+This specifies the QUEUE number to use. Valid queue numbers are 0 to 65535. The default value is 0.
2250+.PP
2251+.TP
2252+\fB\-\-queue\-balance\fP \fIvalue\fP\fB:\fP\fIvalue\fP
2253+This specifies a range of queues to use. Packets are then balanced across the given queues.
2254+This is useful for multicore systems: start multiple instances of the userspace program on
2255+queues x, x+1, .. x+n and use "\-\-queue\-balance \fIx\fP\fB:\fP\fIx+n\fP".
2256+Packets belonging to the same connection are put into the same nfqueue.
2257+.PP
2258+.TP
2259+\fB\-\-queue\-bypass\fP
2260+By default, if no userspace program is listening on an NFQUEUE, then all packets that are to be queued
2261+are dropped. When this option is used, the NFQUEUE rule is silently bypassed instead. The packet
2262+will move on to the next rule.
2263+.SS NOTRACK
2264+This target disables connection tracking for all packets matching that rule.
2265+It is obsoleted by \-j CT \-\-notrack. Like CT, NOTRACK can only be used in
2266+the \fBraw\fP table.
2267+.SS RATEEST
2268+The RATEEST target collects statistics, performs rate estimation calculation
2269+and saves the results for later evaluation using the \fBrateest\fP match.
2270+.TP
2271+\fB\-\-rateest\-name\fP \fIname\fP
2272+Count matched packets into the pool referred to by \fIname\fP, which is freely
2273+choosable.
2274+.TP
2275+\fB\-\-rateest\-interval\fP \fIamount\fP{\fBs\fP|\fBms\fP|\fBus\fP}
2276+Rate measurement interval, in seconds, milliseconds or microseconds.
2277+.TP
2278+\fB\-\-rateest\-ewmalog\fP \fIvalue\fP
2279+Rate measurement averaging time constant.
2280+.SS REDIRECT (IPv4-specific)
2281+This target is only valid in the
2282+.B nat
2283+table, in the
2284+.B PREROUTING
2285+and
2286+.B OUTPUT
2287+chains, and user-defined chains which are only called from those
2288+chains. It redirects the packet to the machine itself by changing the
2289+destination IP to the primary address of the incoming interface
2290+(locally-generated packets are mapped to the 127.0.0.1 address).
2291+.TP
2292+\fB\-\-to\-ports\fP \fIport\fP[\fB\-\fP\fIport\fP]
2293+This specifies a destination port or range of ports to use: without
2294+this, the destination port is never altered. This is only valid
2295+if the rule also specifies
2296+\fB\-p tcp\fP
2297+or
2298+\fB\-p udp\fP.
2299+.TP
2300+\fB\-\-random\fP
2301+If option
2302+\fB\-\-random\fP
2303+is used then port mapping will be randomized (kernel >= 2.6.22).
2304+.RS
2305+.PP
2306+.SS REJECT (IPv6-specific)
2307+This is used to send back an error packet in response to the matched
2308+packet: otherwise it is equivalent to
2309+.B DROP
2310+so it is a terminating TARGET, ending rule traversal.
2311+This target is only valid in the
2312+.BR INPUT ,
2313+.B FORWARD
2314+and
2315+.B OUTPUT
2316+chains, and user-defined chains which are only called from those
2317+chains. The following option controls the nature of the error packet
2318+returned:
2319+.TP
2320+\fB\-\-reject\-with\fP \fItype\fP
2321+The type given can be
2322+\fBicmp6\-no\-route\fP,
2323+\fBno\-route\fP,
2324+\fBicmp6\-adm\-prohibited\fP,
2325+\fBadm\-prohibited\fP,
2326+\fBicmp6\-addr\-unreachable\fP,
2327+\fBaddr\-unreach\fP,
2328+\fBicmp6\-port\-unreachable\fP or
2329+\fBport\-unreach\fP
2330+which return the appropriate ICMPv6 error message (\fBport\-unreach\fP is
2331+the default). Finally, the option
2332+\fBtcp\-reset\fP
2333+can be used on rules which only match the TCP protocol: this causes a
2334+TCP RST packet to be sent back. This is mainly useful for blocking
2335+.I ident
2336+(113/tcp) probes which frequently occur when sending mail to broken mail
2337+hosts (which won't accept your mail otherwise).
2338+\fBtcp\-reset\fP
2339+can only be used with kernel versions 2.6.14 or later.
2340+.SS REJECT (IPv4-specific)
2341+This is used to send back an error packet in response to the matched
2342+packet: otherwise it is equivalent to
2343+.B DROP
2344+so it is a terminating TARGET, ending rule traversal.
2345+This target is only valid in the
2346+.BR INPUT ,
2347+.B FORWARD
2348+and
2349+.B OUTPUT
2350+chains, and user-defined chains which are only called from those
2351+chains. The following option controls the nature of the error packet
2352+returned:
2353+.TP
2354+\fB\-\-reject\-with\fP \fItype\fP
2355+The type given can be
2356+\fBicmp\-net\-unreachable\fP,
2357+\fBicmp\-host\-unreachable\fP,
2358+\fBicmp\-port\-unreachable\fP,
2359+\fBicmp\-proto\-unreachable\fP,
2360+\fBicmp\-net\-prohibited\fP,
2361+\fBicmp\-host\-prohibited\fP or
2362+\fBicmp\-admin\-prohibited\fP (*)
2363+which return the appropriate ICMP error message (\fBport\-unreachable\fP is
2364+the default). The option
2365+\fBtcp\-reset\fP
2366+can be used on rules which only match the TCP protocol: this causes a
2367+TCP RST packet to be sent back. This is mainly useful for blocking
2368+.I ident
2369+(113/tcp) probes which frequently occur when sending mail to broken mail
2370+hosts (which won't accept your mail otherwise).
2371+.PP
2372+(*) Using icmp\-admin\-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT
2373+.SS SAME (IPv4-specific)
2374+Similar to SNAT/DNAT depending on chain: it takes a range of addresses
2375+(`\-\-to 1.2.3.4\-1.2.3.7') and gives a client the same
2376+source-/destination-address for each connection.
2377+.PP
2378+N.B.: The DNAT target's \fB\-\-persistent\fP option replaced the SAME target.
2379+.TP
2380+\fB\-\-to\fP \fIipaddr\fP[\fB\-\fP\fIipaddr\fP]
2381+Addresses to map source to. May be specified more than once for
2382+multiple ranges.
2383+.TP
2384+\fB\-\-nodst\fP
2385+Don't use the destination-ip in the calculations when selecting the
2386+new source-ip
2387+.TP
2388+\fB\-\-random\fP
2389+Port mapping will be forcibly randomized to avoid attacks based on
2390+port prediction (kernel >= 2.6.21).
2391+.SS SECMARK
2392+This is used to set the security mark value associated with the
2393+packet for use by security subsystems such as SELinux. It is
2394+valid in the
2395+.B security
2396+table (for backwards compatibility with older kernels, it is also
2397+valid in the
2398+.B mangle
2399+table). The mark is 32 bits wide.
2400+.TP
2401+\fB\-\-selctx\fP \fIsecurity_context\fP
2402+.SS SET
2403+This module adds and/or deletes entries from IP sets which can be defined
2404+by ipset(8).
2405+.TP
2406+\fB\-\-add\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP...]
2407+add the address(es)/port(s) of the packet to the set
2408+.TP
2409+\fB\-\-del\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP...]
2410+delete the address(es)/port(s) of the packet from the set
2411+.IP
2412+where \fIflag\fP(s) are
2413+.BR "src"
2414+and/or
2415+.BR "dst"
2416+specifications and there can be no more than six of them.
2417+.TP
2418+\fB\-\-timeout\fP \fIvalue\fP
2419+when adding an entry, the timeout value to use instead of the default
2420+one from the set definition
2421+.TP
2422+\fB\-\-exist\fP
2423+when adding an entry if it already exists, reset the timeout value
2424+to the specified one or to the default from the set definition
2425+.PP
2426+Use of -j SET requires that ipset kernel support is provided, which, for
2427+standard kernels, is the case since Linux 2.6.39.
2428+.SS SNAT (IPv4-specific)
2429+This target is only valid in the
2430+.B nat
2431+table, in the
2432+.B POSTROUTING
2433+chain. It specifies that the source address of the packet should be
2434+modified (and all future packets in this connection will also be
2435+mangled), and rules should cease being examined. It takes one type
2436+of option:
2437+.TP
2438+\fB\-\-to\-source\fP [\fIipaddr\fP[\fB\-\fP\fIipaddr\fP]][\fB:\fP\fIport\fP[\fB\-\fP\fIport\fP]]
2439+which can specify a single new source IP address, an inclusive range
2440+of IP addresses, and optionally, a port range (which is only valid if
2441+the rule also specifies
2442+\fB\-p tcp\fP
2443+or
2444+\fB\-p udp\fP).
2445+If no port range is specified, then source ports below 512 will be
2446+mapped to other ports below 512: those between 512 and 1023 inclusive
2447+will be mapped to ports below 1024, and other ports will be mapped to
2448+1024 or above. Where possible, no port alteration will occur.
2449+
2450+In Kernels up to 2.6.10, you can add several \-\-to\-source options. For those
2451+kernels, if you specify more than one source address, either via an address
2452+range or multiple \-\-to\-source options, a simple round-robin (one after another
2453+in cycle) takes place between these addresses.
2454+Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges
2455+anymore.
2456+.TP
2457+\fB\-\-random\fP
2458+If option
2459+\fB\-\-random\fP
2460+is used then port mapping will be randomized (kernel >= 2.6.21).
2461+.TP
2462+\fB\-\-persistent\fP
2463+Gives a client the same source-/destination-address for each connection.
2464+This supersedes the SAME target. Support for persistent mappings is available
2465+from 2.6.29-rc2.
2466+.SS TCPMSS
2467+This target allows to alter the MSS value of TCP SYN packets, to control
2468+the maximum size for that connection (usually limiting it to your
2469+outgoing interface's MTU minus 40 for IPv4 or 60 for IPv6, respectively).
2470+Of course, it can only be used
2471+in conjunction with
2472+\fB\-p tcp\fP.
2473+.PP
2474+This target is used to overcome criminally braindead ISPs or servers
2475+which block "ICMP Fragmentation Needed" or "ICMPv6 Packet Too Big"
2476+packets. The symptoms of this
2477+problem are that everything works fine from your Linux
2478+firewall/router, but machines behind it can never exchange large
2479+packets:
2480+.IP 1. 4
2481+Web browsers connect, then hang with no data received.
2482+.IP 2. 4
2483+Small mail works fine, but large emails hang.
2484+.IP 3. 4
2485+ssh works fine, but scp hangs after initial handshaking.
2486+.PP
2487+Workaround: activate this option and add a rule to your firewall
2488+configuration like:
2489+.IP
2490+ iptables \-t mangle \-A FORWARD \-p tcp \-\-tcp\-flags SYN,RST SYN
2491+ \-j TCPMSS \-\-clamp\-mss\-to\-pmtu
2492+.TP
2493+\fB\-\-set\-mss\fP \fIvalue\fP
2494+Explicitly sets MSS option to specified value. If the MSS of the packet is
2495+already lower than \fIvalue\fP, it will \fBnot\fP be increased (from Linux
2496+2.6.25 onwards) to avoid more problems with hosts relying on a proper MSS.
2497+.TP
2498+\fB\-\-clamp\-mss\-to\-pmtu\fP
2499+Automatically clamp MSS value to (path_MTU \- 40 for IPv4; \-60 for IPv6).
2500+This may not function as desired where asymmetric routes with differing
2501+path MTU exist \(em the kernel uses the path MTU which it would use to send
2502+packets from itself to the source and destination IP addresses. Prior to
2503+Linux 2.6.25, only the path MTU to the destination IP address was
2504+considered by this option; subsequent kernels also consider the path MTU
2505+to the source IP address.
2506+.PP
2507+These options are mutually exclusive.
2508+.SS TCPOPTSTRIP
2509+This target will strip TCP options off a TCP packet. (It will actually replace
2510+them by NO-OPs.) As such, you will need to add the \fB\-p tcp\fP parameters.
2511+.TP
2512+\fB\-\-strip\-options\fP \fIoption\fP[\fB,\fP\fIoption\fP...]
2513+Strip the given option(s). The options may be specified by TCP option number or
2514+by symbolic name. The list of recognized options can be obtained by calling
2515+iptables with \fB\-j TCPOPTSTRIP \-h\fP.
2516+.SS TEE
2517+The \fBTEE\fP target will clone a packet and redirect this clone to another
2518+machine on the \fBlocal\fP network segment. In other words, the nexthop
2519+must be the target, or you will have to configure the nexthop to forward it
2520+further if so desired.
2521+.TP
2522+\fB\-\-gateway\fP \fIipaddr\fP
2523+Send the cloned packet to the host reachable at the given IP address.
2524+Use of 0.0.0.0 (for IPv4 packets) or :: (IPv6) is invalid.
2525+.PP
2526+To forward all incoming traffic on eth0 to an Network Layer logging box:
2527+.PP
2528+\-t mangle \-A PREROUTING \-i eth0 \-j TEE \-\-gateway 2001:db8::1
2529+.SS TOS
2530+This module sets the Type of Service field in the IPv4 header (including the
2531+"precedence" bits) or the Priority field in the IPv6 header. Note that TOS
2532+shares the same bits as DSCP and ECN. The TOS target is only valid in the
2533+\fBmangle\fP table.
2534+.TP
2535+\fB\-\-set\-tos\fP \fIvalue\fP[\fB/\fP\fImask\fP]
2536+Zeroes out the bits given by \fImask\fP (see NOTE below) and XORs \fIvalue\fP
2537+into the TOS/Priority field. If \fImask\fP is omitted, 0xFF is assumed.
2538+.TP
2539+\fB\-\-set\-tos\fP \fIsymbol\fP
2540+You can specify a symbolic name when using the TOS target for IPv4. It implies
2541+a mask of 0xFF (see NOTE below). The list of recognized TOS names can be
2542+obtained by calling iptables with \fB\-j TOS \-h\fP.
2543+.PP
2544+The following mnemonics are available:
2545+.TP
2546+\fB\-\-and\-tos\fP \fIbits\fP
2547+Binary AND the TOS value with \fIbits\fP. (Mnemonic for \fB\-\-set\-tos
2548+0/\fP\fIinvbits\fP, where \fIinvbits\fP is the binary negation of \fIbits\fP.
2549+See NOTE below.)
2550+.TP
2551+\fB\-\-or\-tos\fP \fIbits\fP
2552+Binary OR the TOS value with \fIbits\fP. (Mnemonic for \fB\-\-set\-tos\fP
2553+\fIbits\fP\fB/\fP\fIbits\fP. See NOTE below.)
2554+.TP
2555+\fB\-\-xor\-tos\fP \fIbits\fP
2556+Binary XOR the TOS value with \fIbits\fP. (Mnemonic for \fB\-\-set\-tos\fP
2557+\fIbits\fP\fB/0\fP. See NOTE below.)
2558+.PP
2559+NOTE: In Linux kernels up to and including 2.6.38, with the exception of
2560+longterm releases 2.6.32 (>=.42), 2.6.33 (>=.15), and 2.6.35 (>=.14), there is
2561+a bug whereby IPv6 TOS mangling does not behave as documented and differs from
2562+the IPv4 version. The TOS mask indicates the bits one wants to zero out, so it
2563+needs to be inverted before applying it to the original TOS field. However, the
2564+aformentioned kernels forgo the inversion which breaks --set-tos and its
2565+mnemonics.
2566+.SS TPROXY
2567+This target is only valid in the \fBmangle\fP table, in the \fBPREROUTING\fP
2568+chain and user-defined chains which are only called from this chain. It
2569+redirects the packet to a local socket without changing the packet header in
2570+any way. It can also change the mark value which can then be used in advanced
2571+routing rules.
2572+It takes three options:
2573+.TP
2574+\fB\-\-on\-port\fP \fIport\fP
2575+This specifies a destination port to use. It is a required option, 0 means the
2576+new destination port is the same as the original. This is only valid if the
2577+rule also specifies \fB\-p tcp\fP or \fB\-p udp\fP.
2578+.TP
2579+\fB\-\-on\-ip\fP \fIaddress\fP
2580+This specifies a destination address to use. By default the address is the IP
2581+address of the incoming interface. This is only valid if the rule also
2582+specifies \fB\-p tcp\fP or \fB\-p udp\fP.
2583+.TP
2584+\fB\-\-tproxy\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
2585+Marks packets with the given value/mask. The fwmark value set here can be used
2586+by advanced routing. (Required for transparent proxying to work: otherwise
2587+these packets will get forwarded, which is probably not what you want.)
2588+.SS TRACE
2589+This target marks packets so that the kernel will log every rule which match
2590+the packets as those traverse the tables, chains, rules.
2591+.PP
2592+A logging backend, such as ip(6)t_LOG or nfnetlink_log, must be loaded for this
2593+to be visible.
2594+The packets are logged with the string prefix:
2595+"TRACE: tablename:chainname:type:rulenum " where type can be "rule" for
2596+plain rule, "return" for implicit rule at the end of a user defined chain
2597+and "policy" for the policy of the built in chains.
2598+.br
2599+It can only be used in the
2600+.BR raw
2601+table.
2602+.SS TTL (IPv4-specific)
2603+This is used to modify the IPv4 TTL header field. The TTL field determines
2604+how many hops (routers) a packet can traverse until it's time to live is
2605+exceeded.
2606+.PP
2607+Setting or incrementing the TTL field can potentially be very dangerous,
2608+so it should be avoided at any cost. This target is only valid in
2609+.B mangle
2610+table.
2611+.PP
2612+.B Don't ever set or increment the value on packets that leave your local network!
2613+.TP
2614+\fB\-\-ttl\-set\fP \fIvalue\fP
2615+Set the TTL value to `value'.
2616+.TP
2617+\fB\-\-ttl\-dec\fP \fIvalue\fP
2618+Decrement the TTL value `value' times.
2619+.TP
2620+\fB\-\-ttl\-inc\fP \fIvalue\fP
2621+Increment the TTL value `value' times.
2622+.SS ULOG (IPv4-specific)
2623+This target provides userspace logging of matching packets. When this
2624+target is set for a rule, the Linux kernel will multicast this packet
2625+through a
2626+.IR netlink
2627+socket. One or more userspace processes may then subscribe to various
2628+multicast groups and receive the packets.
2629+Like LOG, this is a "non-terminating target", i.e. rule traversal
2630+continues at the next rule.
2631+.TP
2632+\fB\-\-ulog\-nlgroup\fP \fInlgroup\fP
2633+This specifies the netlink group (1-32) to which the packet is sent.
2634+Default value is 1.
2635+.TP
2636+\fB\-\-ulog\-prefix\fP \fIprefix\fP
2637+Prefix log messages with the specified prefix; up to 32 characters
2638+long, and useful for distinguishing messages in the logs.
2639+.TP
2640+\fB\-\-ulog\-cprange\fP \fIsize\fP
2641+Number of bytes to be copied to userspace. A value of 0 always copies
2642+the entire packet, regardless of its size. Default is 0.
2643+.TP
2644+\fB\-\-ulog\-qthreshold\fP \fIsize\fP
2645+Number of packet to queue inside kernel. Setting this value to, e.g. 10
2646+accumulates ten packets inside the kernel and transmits them as one
2647+netlink multipart message to userspace. Default is 1 (for backwards
2648+compatibility).
2649+.br
--- a/original/man8/iptables-restore.8
+++ b/original/man8/iptables-restore.8
@@ -21,7 +21,8 @@
2121 .SH NAME
2222 iptables-restore \(em Restore IP Tables
2323 .SH SYNOPSIS
24-\fBiptables\-restore\fP [\fB\-c\fP] [\fB\-n\fP] [\fB\-T\fP \fIname\fP]
24+\fBiptables\-restore\fP [\fB\-chntv\fP] [\fB\-M\fP \fImodprobe\fP]
25+[\fB\-T\fP \fIname\fP]
2526 .SH DESCRIPTION
2627 .PP
2728 .B iptables-restore
@@ -31,10 +32,23 @@ I/O redirection provided by your shell to read from a file
3132 \fB\-c\fR, \fB\-\-counters\fR
3233 restore the values of all packet and byte counters
3334 .TP
35+\fB\-h\fP, \fB\-\-help\fP
36+Print a short option summary.
37+.TP
3438 \fB\-n\fR, \fB\-\-noflush\fR
3539 don't flush the previous contents of the table. If not specified,
3640 .B iptables-restore
37-flushes (deletes) all previous contents of the respective IP Table.
41+flushes (deletes) all previous contents of the respective table.
42+.TP
43+\fB\-t\fP, \fB\-\-test\fP
44+Only parse and construct the ruleset, but do not commit it.
45+.TP
46+\fB\-v\fP, \fB\-\-verbose\fP
47+Print additional debug info during ruleset processing.
48+.TP
49+\fB\-M\fP, \fB\-\-modprobe\fP \fImodprobe_program\fP
50+Specify the path to the modprobe program. By default, iptables-restore will
51+inspect /proc/sys/kernel/modprobe to determine the executable's path.
3852 .TP
3953 \fB\-T\fP, \fB\-\-table\fP \fIname\fP
4054 Restore only the named table even if the input stream contains other ones.
--- a/original/man8/iptables.8
+++ b/original/man8/iptables.8
@@ -1,4 +1,4 @@
1-.TH IPTABLES 8 "" "iptables 1.4.13" "iptables 1.4.13"
1+.TH IPTABLES 8 "" "iptables 1.4.18" "iptables 1.4.18"
22 .\"
33 .\" Man page written by Herve Eychenne <rv@wallfire.org> (May 1999)
44 .\" It is based on ipchains page.
@@ -86,7 +86,7 @@ or a rule in a built-in chain with target \fBRETURN\fP
8686 is matched, the target specified by the chain policy determines the
8787 fate of the packet.
8888 .SH TABLES
89-There are currently three independent tables (which tables are present
89+There are currently five independent tables (which tables are present
9090 at any time depends on the kernel configuration options and which
9191 modules are present).
9292 .TP
@@ -243,6 +243,15 @@ Give a (currently very brief) description of the command syntax.
243243 The following parameters make up a rule specification (as used in the
244244 add, delete, insert, replace and append commands).
245245 .TP
246+\fB\-4\fP, \fB\-\-ipv4\fP
247+This option has no effect in iptables and iptables-restore.
248+.TP
249+\fB\-6\fP, \fB\-\-ipv6\fP
250+If a rule using the \fB\-6\fP option is inserted with (and only with)
251+iptables-restore, it will be silently ignored. Any other uses will throw an
252+error. This option allows to put both IPv4 and IPv6 rules in a single rule file
253+for use with both iptables-restore and ip6tables-restore.
254+.TP
246255 [\fB!\fP] \fB\-p\fP, \fB\-\-protocol\fP \fIprotocol\fP
247256 The protocol of the rule or of the packet to check.
248257 The specified protocol can be one of \fBtcp\fP, \fBudp\fP, \fBudplite\fP,
@@ -277,6 +286,13 @@ See the description of the \fB\-s\fP
277286 (source) flag for a detailed description of the syntax. The flag
278287 \fB\-\-dst\fP is an alias for this option.
279288 .TP
289+\fB\-m\fP, \fB\-\-match\fP \fImatch\fP
290+Specifies a match to use, that is, an extension module that tests for a
291+specific property. The set of matches make up the condition under which a
292+target is invoked. Matches are evaluated first to last as specified on the
293+command line and work in short-circuit fashion, i.e. if one extension yields
294+false, evaluation will stop.
295+.TP
280296 \fB\-j\fP, \fB\-\-jump\fP \fItarget\fP
281297 This specifies the target of the rule; i.e., what to do if the packet
282298 matches it. The target can be a user-defined chain (other than the
@@ -355,2249 +371,10 @@ corresponding to that rule's position in the chain.
355371 \fB\-\-modprobe=\fP\fIcommand\fP
356372 When adding or inserting rules into a chain, use \fIcommand\fP
357373 to load any necessary modules (targets, match extensions, etc).
358-.SH MATCH EXTENSIONS
359-.PP
360-iptables can use extended packet matching modules
361-with the \fB\-m\fP or \fB\-\-match\fP
362-options, followed by the matching module name; after these, various
363-extra command line options become available, depending on the specific
364-module. You can specify multiple extended match modules in one line,
365-and you can use the \fB\-h\fP or \fB\-\-help\fP
366-options after the module has been specified to receive help specific
367-to that module.
368-.PP
369-If the \fB\-p\fP or \fB\-\-protocol\fP was specified and if and only if an
370-unknown option is encountered, iptables will try load a match module of the
371-same name as the protocol, to try making the option available.
372-.\" @MATCH@
373-.SS addrtype
374-This module matches packets based on their
375-.B address type.
376-Address types are used within the kernel networking stack and categorize
377-addresses into various groups. The exact definition of that group depends on the specific layer three protocol.
378-.PP
379-The following address types are possible:
380-.TP
381-.BI "UNSPEC"
382-an unspecified address (i.e. 0.0.0.0)
383-.TP
384-.BI "UNICAST"
385-an unicast address
386-.TP
387-.BI "LOCAL"
388-a local address
389-.TP
390-.BI "BROADCAST"
391-a broadcast address
392-.TP
393-.BI "ANYCAST"
394-an anycast packet
395-.TP
396-.BI "MULTICAST"
397-a multicast address
398-.TP
399-.BI "BLACKHOLE"
400-a blackhole address
401-.TP
402-.BI "UNREACHABLE"
403-an unreachable address
404-.TP
405-.BI "PROHIBIT"
406-a prohibited address
407-.TP
408-.BI "THROW"
409-FIXME
410-.TP
411-.BI "NAT"
412-FIXME
413-.TP
414-.BI "XRESOLVE"
415-.TP
416-[\fB!\fP] \fB\-\-src\-type\fP \fItype\fP
417-Matches if the source address is of given type
418-.TP
419-[\fB!\fP] \fB\-\-dst\-type\fP \fItype\fP
420-Matches if the destination address is of given type
421-.TP
422-.BI "\-\-limit\-iface\-in"
423-The address type checking can be limited to the interface the packet is coming
424-in. This option is only valid in the
425-.BR PREROUTING ,
426-.B INPUT
427-and
428-.B FORWARD
429-chains. It cannot be specified with the
430-\fB\-\-limit\-iface\-out\fP
431-option.
432-.TP
433-\fB\-\-limit\-iface\-out\fP
434-The address type checking can be limited to the interface the packet is going
435-out. This option is only valid in the
436-.BR POSTROUTING ,
437-.B OUTPUT
438-and
439-.B FORWARD
440-chains. It cannot be specified with the
441-\fB\-\-limit\-iface\-in\fP
442-option.
443-.SS ah
444-This module matches the SPIs in Authentication header of IPsec packets.
445-.TP
446-[\fB!\fP] \fB\-\-ahspi\fP \fIspi\fP[\fB:\fP\fIspi\fP]
447-.SS cluster
448-Allows you to deploy gateway and back-end load-sharing clusters without the
449-need of load-balancers.
450-.PP
451-This match requires that all the nodes see the same packets. Thus, the cluster
452-match decides if this node has to handle a packet given the following options:
453-.TP
454-\fB\-\-cluster\-total\-nodes\fP \fInum\fP
455-Set number of total nodes in cluster.
456-.TP
457-[\fB!\fP] \fB\-\-cluster\-local\-node\fP \fInum\fP
458-Set the local node number ID.
459-.TP
460-[\fB!\fP] \fB\-\-cluster\-local\-nodemask\fP \fImask\fP
461-Set the local node number ID mask. You can use this option instead
462-of \fB\-\-cluster\-local\-node\fP.
463-.TP
464-\fB\-\-cluster\-hash\-seed\fP \fIvalue\fP
465-Set seed value of the Jenkins hash.
466-.PP
467-Example:
468-.IP
469-iptables \-A PREROUTING \-t mangle \-i eth1 \-m cluster
470-\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1
471-\-\-cluster\-hash\-seed 0xdeadbeef
472-\-j MARK \-\-set-mark 0xffff
473-.IP
474-iptables \-A PREROUTING \-t mangle \-i eth2 \-m cluster
475-\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1
476-\-\-cluster\-hash\-seed 0xdeadbeef
477-\-j MARK -\-set\-mark 0xffff
478-.IP
479-iptables \-A PREROUTING \-t mangle \-i eth1
480-\-m mark ! \-\-mark 0xffff \-j DROP
481-.IP
482-iptables \-A PREROUTING \-t mangle \-i eth2
483-\-m mark ! \-\-mark 0xffff \-j DROP
484-.PP
485-And the following commands to make all nodes see the same packets:
486-.IP
487-ip maddr add 01:00:5e:00:01:01 dev eth1
488-.IP
489-ip maddr add 01:00:5e:00:01:02 dev eth2
490-.IP
491-arptables \-A OUTPUT \-o eth1 \-\-h\-length 6
492-\-j mangle \-\-mangle-mac-s 01:00:5e:00:01:01
493-.IP
494-arptables \-A INPUT \-i eth1 \-\-h-length 6
495-\-\-destination-mac 01:00:5e:00:01:01
496-\-j mangle \-\-mangle\-mac\-d 00:zz:yy:xx:5a:27
497-.IP
498-arptables \-A OUTPUT \-o eth2 \-\-h\-length 6
499-\-j mangle \-\-mangle\-mac\-s 01:00:5e:00:01:02
500-.IP
501-arptables \-A INPUT \-i eth2 \-\-h\-length 6
502-\-\-destination\-mac 01:00:5e:00:01:02
503-\-j mangle \-\-mangle\-mac\-d 00:zz:yy:xx:5a:27
504-.PP
505-In the case of TCP connections, pickup facility has to be disabled
506-to avoid marking TCP ACK packets coming in the reply direction as
507-valid.
508-.IP
509-echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
510-.SS comment
511-Allows you to add comments (up to 256 characters) to any rule.
512-.TP
513-\fB\-\-comment\fP \fIcomment\fP
514-.TP
515-Example:
516-iptables \-A INPUT \-i eth1 \-m comment \-\-comment "my local LAN"
517-.SS connbytes
518-Match by how many bytes or packets a connection (or one of the two
519-flows constituting the connection) has transferred so far, or by
520-average bytes per packet.
521-.PP
522-The counters are 64-bit and are thus not expected to overflow ;)
523-.PP
524-The primary use is to detect long-lived downloads and mark them to be
525-scheduled using a lower priority band in traffic control.
526-.PP
527-The transferred bytes per connection can also be viewed through
528-`conntrack \-L` and accessed via ctnetlink.
529-.PP
530-NOTE that for connections which have no accounting information, the match will
531-always return false. The "net.netfilter.nf_conntrack_acct" sysctl flag controls
532-whether \fBnew\fP connections will be byte/packet counted. Existing connection
533-flows will not be gaining/losing a/the accounting structure when be sysctl flag
534-is flipped.
535-.TP
536-[\fB!\fP] \fB\-\-connbytes\fP \fIfrom\fP[\fB:\fP\fIto\fP]
537-match packets from a connection whose packets/bytes/average packet
538-size is more than FROM and less than TO bytes/packets. if TO is
539-omitted only FROM check is done. "!" is used to match packets not
540-falling in the range.
541-.TP
542-\fB\-\-connbytes\-dir\fP {\fBoriginal\fP|\fBreply\fP|\fBboth\fP}
543-which packets to consider
544-.TP
545-\fB\-\-connbytes\-mode\fP {\fBpackets\fP|\fBbytes\fP|\fBavgpkt\fP}
546-whether to check the amount of packets, number of bytes transferred or
547-the average size (in bytes) of all packets received so far. Note that
548-when "both" is used together with "avgpkt", and data is going (mainly)
549-only in one direction (for example HTTP), the average packet size will
550-be about half of the actual data packets.
551-.TP
552-Example:
553-iptables .. \-m connbytes \-\-connbytes 10000:100000 \-\-connbytes\-dir both \-\-connbytes\-mode bytes ...
554-.SS connlimit
555-Allows you to restrict the number of parallel connections to a server per
556-client IP address (or client address block).
557-.TP
558-\fB\-\-connlimit\-upto\fP \fIn\fP
559-Match if the number of existing connections is below or equal \fIn\fP.
560-.TP
561-\fB\-\-connlimit\-above\fP \fIn\fP
562-Match if the number of existing connections is above \fIn\fP.
563-.TP
564-\fB\-\-connlimit\-mask\fP \fIprefix_length\fP
565-Group hosts using the prefix length. For IPv4, this must be a number between
566-(including) 0 and 32. For IPv6, between 0 and 128. If not specified, the
567-maximum prefix length for the applicable protocol is used.
568-.TP
569-\fB\-\-connlimit\-saddr\fP
570-Apply the limit onto the source group. This is the default if
571-\-\-connlimit\-daddr is not specified.
572-.TP
573-\fB\-\-connlimit\-daddr\fP
574-Apply the limit onto the destination group.
575-.PP
576-Examples:
577-.TP
578-# allow 2 telnet connections per client host
579-iptables \-A INPUT \-p tcp \-\-syn \-\-dport 23 \-m connlimit \-\-connlimit\-above 2 \-j REJECT
580-.TP
581-# you can also match the other way around:
582-iptables \-A INPUT \-p tcp \-\-syn \-\-dport 23 \-m connlimit \-\-connlimit\-upto 2 \-j ACCEPT
583-.TP
584-# limit the number of parallel HTTP requests to 16 per class C sized \
585-source network (24 bit netmask)
586-iptables \-p tcp \-\-syn \-\-dport 80 \-m connlimit \-\-connlimit\-above 16
587-\-\-connlimit\-mask 24 \-j REJECT
588-.TP
589-# limit the number of parallel HTTP requests to 16 for the link local network
590-(ipv6)
591-ip6tables \-p tcp \-\-syn \-\-dport 80 \-s fe80::/64 \-m connlimit \-\-connlimit\-above
592-16 \-\-connlimit\-mask 64 \-j REJECT
593-.TP
594-# Limit the number of connections to a particular host:
595-ip6tables \-p tcp \-\-syn \-\-dport 49152:65535 \-d 2001:db8::1 \-m connlimit
596-\-\-connlimit-above 100 \-j REJECT
597-.SS connmark
598-This module matches the netfilter mark field associated with a connection
599-(which can be set using the \fBCONNMARK\fP target below).
600-.TP
601-[\fB!\fP] \fB\-\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
602-Matches packets in connections with the given mark value (if a mask is
603-specified, this is logically ANDed with the mark before the comparison).
604-.SS conntrack
605-This module, when combined with connection tracking, allows access to the
606-connection tracking state for this packet/connection.
607-.TP
608-[\fB!\fP] \fB\-\-ctstate\fP \fIstatelist\fP
609-\fIstatelist\fP is a comma separated list of the connection states to match.
610-Possible states are listed below.
611-.TP
612-[\fB!\fP] \fB\-\-ctproto\fP \fIl4proto\fP
613-Layer-4 protocol to match (by number or name)
614-.TP
615-[\fB!\fP] \fB\-\-ctorigsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP]
616-.TP
617-[\fB!\fP] \fB\-\-ctorigdst\fP \fIaddress\fP[\fB/\fP\fImask\fP]
618-.TP
619-[\fB!\fP] \fB\-\-ctreplsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP]
620-.TP
621-[\fB!\fP] \fB\-\-ctrepldst\fP \fIaddress\fP[\fB/\fP\fImask\fP]
622-Match against original/reply source/destination address
623-.TP
624-[\fB!\fP] \fB\-\-ctorigsrcport\fP \fIport\fP[\fB:\fP\fIport\fP]
625-.TP
626-[\fB!\fP] \fB\-\-ctorigdstport\fP \fIport\fP[\fB:\fP\fIport\fP]
627-.TP
628-[\fB!\fP] \fB\-\-ctreplsrcport\fP \fIport\fP[\fB:\fP\fIport\fP]
629-.TP
630-[\fB!\fP] \fB\-\-ctrepldstport\fP \fIport\fP[\fB:\fP\fIport\fP]
631-Match against original/reply source/destination port (TCP/UDP/etc.) or GRE key.
632-Matching against port ranges is only supported in kernel versions above 2.6.38.
633-.TP
634-[\fB!\fP] \fB\-\-ctstatus\fP \fIstatelist\fP
635-\fIstatuslist\fP is a comma separated list of the connection statuses to match.
636-Possible statuses are listed below.
637-.TP
638-[\fB!\fP] \fB\-\-ctexpire\fP \fItime\fP[\fB:\fP\fItime\fP]
639-Match remaining lifetime in seconds against given value or range of values
640-(inclusive)
641-.TP
642-\fB\-\-ctdir\fP {\fBORIGINAL\fP|\fBREPLY\fP}
643-Match packets that are flowing in the specified direction. If this flag is not
644-specified at all, matches packets in both directions.
645-.PP
646-States for \fB\-\-ctstate\fP:
647-.TP
648-\fBINVALID\fP
649-meaning that the packet is associated with no known connection
650-.TP
651-\fBNEW\fP
652-meaning that the packet has started a new connection, or otherwise associated
653-with a connection which has not seen packets in both directions, and
654-.TP
655-\fBESTABLISHED\fP
656-meaning that the packet is associated with a connection which has seen packets
657-in both directions,
658-.TP
659-\fBRELATED\fP
660-meaning that the packet is starting a new connection, but is associated with an
661-existing connection, such as an FTP data transfer, or an ICMP error.
662-.TP
663-\fBUNTRACKED\fP
664-meaning that the packet is not tracked at all, which happens if you use
665-the NOTRACK target in raw table.
666-.TP
667-\fBSNAT\fP
668-A virtual state, matching if the original source address differs from the reply
669-destination.
670-.TP
671-\fBDNAT\fP
672-A virtual state, matching if the original destination differs from the reply
673-source.
674-.PP
675-Statuses for \fB\-\-ctstatus\fP:
676-.TP
677-\fBNONE\fP
678-None of the below.
679-.TP
680-\fBEXPECTED\fP
681-This is an expected connection (i.e. a conntrack helper set it up)
682-.TP
683-\fBSEEN_REPLY\fP
684-Conntrack has seen packets in both directions.
685-.TP
686-\fBASSURED\fP
687-Conntrack entry should never be early-expired.
688-.TP
689-\fBCONFIRMED\fP
690-Connection is confirmed: originating packet has left box.
691-.SS cpu
692-.TP
693-[\fB!\fP] \fB\-\-cpu\fP \fInumber\fP
694-Match cpu handling this packet. cpus are numbered from 0 to NR_CPUS-1
695-Can be used in combination with RPS (Remote Packet Steering) or
696-multiqueue NICs to spread network traffic on different queues.
697-.PP
698-Example:
699-.PP
700-iptables \-t nat \-A PREROUTING \-p tcp \-\-dport 80 \-m cpu \-\-cpu 0
701-\-j REDIRECT \-\-to\-port 8080
702-.PP
703-iptables \-t nat \-A PREROUTING \-p tcp \-\-dport 80 \-m cpu \-\-cpu 1
704-\-j REDIRECT \-\-to\-port 8081
705-.PP
706-Available since Linux 2.6.36.
707-.SS dccp
708-.TP
709-[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP]
710-.TP
711-[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP]
712-.TP
713-[\fB!\fP] \fB\-\-dccp\-types\fP \fImask\fP
714-Match when the DCCP packet type is one of 'mask'. 'mask' is a comma-separated
715-list of packet types. Packet types are:
716-.BR "REQUEST RESPONSE DATA ACK DATAACK CLOSEREQ CLOSE RESET SYNC SYNCACK INVALID" .
717-.TP
718-[\fB!\fP] \fB\-\-dccp\-option\fP \fInumber\fP
719-Match if DCCP option set.
720-.SS dscp
721-This module matches the 6 bit DSCP field within the TOS field in the
722-IP header. DSCP has superseded TOS within the IETF.
723-.TP
724-[\fB!\fP] \fB\-\-dscp\fP \fIvalue\fP
725-Match against a numeric (decimal or hex) value [0-63].
726-.TP
727-[\fB!\fP] \fB\-\-dscp\-class\fP \fIclass\fP
728-Match the DiffServ class. This value may be any of the
729-BE, EF, AFxx or CSx classes. It will then be converted
730-into its according numeric value.
731-.SS ecn
732-This allows you to match the ECN bits of the IPv4/IPv6 and TCP header. ECN is the Explicit Congestion Notification mechanism as specified in RFC3168
733-.TP
734-[\fB!\fP] \fB\-\-ecn\-tcp\-cwr\fP
735-This matches if the TCP ECN CWR (Congestion Window Received) bit is set.
736-.TP
737-[\fB!\fP] \fB\-\-ecn\-tcp\-ece\fP
738-This matches if the TCP ECN ECE (ECN Echo) bit is set.
739-.TP
740-[\fB!\fP] \fB\-\-ecn\-ip\-ect\fP \fInum\fP
741-This matches a particular IPv4/IPv6 ECT (ECN-Capable Transport). You have to specify
742-a number between `0' and `3'.
743-.SS esp
744-This module matches the SPIs in ESP header of IPsec packets.
745-.TP
746-[\fB!\fP] \fB\-\-espspi\fP \fIspi\fP[\fB:\fP\fIspi\fP]
747-.SS hashlimit
748-\fBhashlimit\fP uses hash buckets to express a rate limiting match (like the
749-\fBlimit\fP match) for a group of connections using a \fBsingle\fP iptables
750-rule. Grouping can be done per-hostgroup (source and/or destination address)
751-and/or per-port. It gives you the ability to express "\fIN\fP packets per time
752-quantum per group" (see below for some examples).
753-.PP
754-A hash limit option (\fB\-\-hashlimit\-upto\fP, \fB\-\-hashlimit\-above\fP) and
755-\fB\-\-hashlimit\-name\fP are required.
756-.TP
757-\fB\-\-hashlimit\-upto\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
758-Match if the rate is below or equal to \fIamount\fP/quantum. It is specified as
759-a number, with an optional time quantum suffix; the default is 3/hour.
760-.TP
761-\fB\-\-hashlimit\-above\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
762-Match if the rate is above \fIamount\fP/quantum.
763-.TP
764-\fB\-\-hashlimit\-burst\fP \fIamount\fP
765-Maximum initial number of packets to match: this number gets recharged by one
766-every time the limit specified above is not reached, up to this number; the
767-default is 5.
768-.TP
769-\fB\-\-hashlimit\-mode\fP {\fBsrcip\fP|\fBsrcport\fP|\fBdstip\fP|\fBdstport\fP}\fB,\fP...
770-A comma-separated list of objects to take into consideration. If no
771-\-\-hashlimit\-mode option is given, hashlimit acts like limit, but at the
772-expensive of doing the hash housekeeping.
773-.TP
774-\fB\-\-hashlimit\-srcmask\fP \fIprefix\fP
775-When \-\-hashlimit\-mode srcip is used, all source addresses encountered will be
776-grouped according to the given prefix length and the so-created subnet will be
777-subject to hashlimit. \fIprefix\fP must be between (inclusive) 0 and 32. Note
778-that \-\-hashlimit\-srcmask 0 is basically doing the same thing as not specifying
779-srcip for \-\-hashlimit\-mode, but is technically more expensive.
780-.TP
781-\fB\-\-hashlimit\-dstmask\fP \fIprefix\fP
782-Like \-\-hashlimit\-srcmask, but for destination addresses.
783-.TP
784-\fB\-\-hashlimit\-name\fP \fIfoo\fP
785-The name for the /proc/net/ipt_hashlimit/foo entry.
786-.TP
787-\fB\-\-hashlimit\-htable\-size\fP \fIbuckets\fP
788-The number of buckets of the hash table
789-.TP
790-\fB\-\-hashlimit\-htable\-max\fP \fIentries\fP
791-Maximum entries in the hash.
792-.TP
793-\fB\-\-hashlimit\-htable\-expire\fP \fImsec\fP
794-After how many milliseconds do hash entries expire.
795-.TP
796-\fB\-\-hashlimit\-htable\-gcinterval\fP \fImsec\fP
797-How many milliseconds between garbage collection intervals.
798-.PP
799-Examples:
800-.TP
801-matching on source host
802-"1000 packets per second for every host in 192.168.0.0/16" =>
803-\-s 192.168.0.0/16 \-\-hashlimit\-mode srcip \-\-hashlimit\-upto 1000/sec
804-.TP
805-matching on source port
806-"100 packets per second for every service of 192.168.1.1" =>
807-\-s 192.168.1.1 \-\-hashlimit\-mode srcport \-\-hashlimit\-upto 100/sec
808-.TP
809-matching on subnet
810-"10000 packets per minute for every /28 subnet (groups of 8 addresses)
811-in 10.0.0.0/8" =>
812-\-s 10.0.0.8 \-\-hashlimit\-mask 28 \-\-hashlimit\-upto 10000/min
813-.SS helper
814-This module matches packets related to a specific conntrack-helper.
815-.TP
816-[\fB!\fP] \fB\-\-helper\fP \fIstring\fP
817-Matches packets related to the specified conntrack-helper.
818-.RS
819-.PP
820-string can be "ftp" for packets related to a ftp-session on default port.
821-For other ports append \-portnr to the value, ie. "ftp\-2121".
822-.PP
823-Same rules apply for other conntrack-helpers.
824-.RE
825-.SS icmp
826-This extension can be used if `\-\-protocol icmp' is specified. It
827-provides the following option:
828-.TP
829-[\fB!\fP] \fB\-\-icmp\-type\fP {\fItype\fP[\fB/\fP\fIcode\fP]|\fItypename\fP}
830-This allows specification of the ICMP type, which can be a numeric
831-ICMP type, type/code pair, or one of the ICMP type names shown by the command
832-.nf
833- iptables \-p icmp \-h
834-.fi
835-.SS iprange
836-This matches on a given arbitrary range of IP addresses.
837-.TP
838-[\fB!\fP] \fB\-\-src\-range\fP \fIfrom\fP[\fB\-\fP\fIto\fP]
839-Match source IP in the specified range.
840-.TP
841-[\fB!\fP] \fB\-\-dst\-range\fP \fIfrom\fP[\fB\-\fP\fIto\fP]
842-Match destination IP in the specified range.
843-.SS ipvs
844-Match IPVS connection properties.
845-.TP
846-[\fB!\fP] \fB\-\-ipvs\fP
847-packet belongs to an IPVS connection
848-.TP
849-Any of the following options implies \-\-ipvs (even negated)
850-.TP
851-[\fB!\fP] \fB\-\-vproto\fP \fIprotocol\fP
852-VIP protocol to match; by number or name, e.g. "tcp"
853-.TP
854-[\fB!\fP] \fB\-\-vaddr\fP \fIaddress\fP[\fB/\fP\fImask\fP]
855-VIP address to match
856-.TP
857-[\fB!\fP] \fB\-\-vport\fP \fIport\fP
858-VIP port to match; by number or name, e.g. "http"
859-.TP
860-\fB\-\-vdir\fP {\fBORIGINAL\fP|\fBREPLY\fP}
861-flow direction of packet
862-.TP
863-[\fB!\fP] \fB\-\-vmethod\fP {\fBGATE\fP|\fBIPIP\fP|\fBMASQ\fP}
864-IPVS forwarding method used
865-.TP
866-[\fB!\fP] \fB\-\-vportctl\fP \fIport\fP
867-VIP port of the controlling connection to match, e.g. 21 for FTP
868-.SS length
869-This module matches the length of the layer-3 payload (e.g. layer-4 packet)
870-of a packet against a specific value
871-or range of values.
872-.TP
873-[\fB!\fP] \fB\-\-length\fP \fIlength\fP[\fB:\fP\fIlength\fP]
874-.SS limit
875-This module matches at a limited rate using a token bucket filter.
876-A rule using this extension will match until this limit is reached.
877-It can be used in combination with the
878-.B LOG
879-target to give limited logging, for example.
880-.PP
881-xt_limit has no negation support - you will have to use \-m hashlimit !
882-\-\-hashlimit \fIrate\fP in this case whilst omitting \-\-hashlimit\-mode.
883-.TP
884-\fB\-\-limit\fP \fIrate\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
885-Maximum average matching rate: specified as a number, with an optional
886-`/second', `/minute', `/hour', or `/day' suffix; the default is
887-3/hour.
888-.TP
889-\fB\-\-limit\-burst\fP \fInumber\fP
890-Maximum initial number of packets to match: this number gets
891-recharged by one every time the limit specified above is not reached,
892-up to this number; the default is 5.
893-.SS mac
894-.TP
895-[\fB!\fP] \fB\-\-mac\-source\fP \fIaddress\fP
896-Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX.
897-Note that this only makes sense for packets coming from an Ethernet device
898-and entering the
899-.BR PREROUTING ,
900-.B FORWARD
901-or
902-.B INPUT
903-chains.
904-.SS mark
905-This module matches the netfilter mark field associated with a packet
906-(which can be set using the
907-.B MARK
908-target below).
909-.TP
910-[\fB!\fP] \fB\-\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
911-Matches packets with the given unsigned mark value (if a \fImask\fP is
912-specified, this is logically ANDed with the \fImask\fP before the
913-comparison).
914-.SS multiport
915-This module matches a set of source or destination ports. Up to 15
916-ports can be specified. A port range (port:port) counts as two
917-ports. It can only be used in conjunction with
918-\fB\-p tcp\fP
919-or
920-\fB\-p udp\fP.
921-.TP
922-[\fB!\fP] \fB\-\-source\-ports\fP,\fB\-\-sports\fP \fIport\fP[\fB,\fP\fIport\fP|\fB,\fP\fIport\fP\fB:\fP\fIport\fP]...
923-Match if the source port is one of the given ports. The flag
924-\fB\-\-sports\fP
925-is a convenient alias for this option. Multiple ports or port ranges are
926-separated using a comma, and a port range is specified using a colon.
927-\fB53,1024:65535\fP would therefore match ports 53 and all from 1024 through
928-65535.
929-.TP
930-[\fB!\fP] \fB\-\-destination\-ports\fP,\fB\-\-dports\fP \fIport\fP[\fB,\fP\fIport\fP|\fB,\fP\fIport\fP\fB:\fP\fIport\fP]...
931-Match if the destination port is one of the given ports. The flag
932-\fB\-\-dports\fP
933-is a convenient alias for this option.
934-.TP
935-[\fB!\fP] \fB\-\-ports\fP \fIport\fP[\fB,\fP\fIport\fP|\fB,\fP\fIport\fP\fB:\fP\fIport\fP]...
936-Match if either the source or destination ports are equal to one of
937-the given ports.
938-.SS nfacct
939-The nfacct match provides the extended accounting infrastructure for iptables.
940-You have to use this match together with the standalone user-space utility
941-.B nfacct(8)
942-.PP
943-The only option available for this match is the following:
944-.TP
945-\fB\-\-nfacct\-name\fP \fIname\fP
946-This allows you to specify the existing object name that will be use for
947-accounting the traffic that this rule-set is matching.
948-.PP
949-To use this extension, you have to create an accounting object:
950-.IP
951-nfacct add http\-traffic
952-.PP
953-Then, you have to attach it to the accounting object via iptables:
954-.IP
955-iptables \-I INPUT \-p tcp \-\-sport 80 \-m nfacct \-\-nfacct\-name http\-traffic
956-.IP
957-iptables \-I OUTPUT \-p tcp \-\-dport 80 \-m nfacct \-\-nfacct\-name http\-traffic
958-.PP
959-Then, you can check for the amount of traffic that the rules match:
960-.IP
961-nfacct get http\-traffic
962-.IP
963-{ pkts = 00000000000000000156, bytes = 00000000000000151786 } = http-traffic;
964-.PP
965-You can obtain
966-.B nfacct(8)
967-from http://www.netfilter.org or, alternatively, from the git.netfilter.org
968-repository.
969-.SS osf
970-The osf module does passive operating system fingerprinting. This modules
971-compares some data (Window Size, MSS, options and their order, TTL, DF,
972-and others) from packets with the SYN bit set.
973-.TP
974-[\fB!\fP] \fB\-\-genre\fP \fIstring\fP
975-Match an operating system genre by using a passive fingerprinting.
976-.TP
977-\fB\-\-ttl\fP \fIlevel\fP
978-Do additional TTL checks on the packet to determine the operating system.
979-\fIlevel\fP can be one of the following values:
980-.IP \(bu 4
981-0 - True IP address and fingerprint TTL comparison. This generally works for
982-LANs.
983-.IP \(bu 4
984-1 - Check if the IP header's TTL is less than the fingerprint one. Works for
985-globally-routable addresses.
986-.IP \(bu 4
987-2 - Do not compare the TTL at all.
988-.TP
989-\fB\-\-log\fP \fIlevel\fP
990-Log determined genres into dmesg even if they do not match the desired one.
991-\fIlevel\fP can be one of the following values:
992-.IP \(bu 4
993-0 - Log all matched or unknown signatures
994-.IP \(bu 4
995-1 - Log only the first one
996-.IP \(bu 4
997-2 - Log all known matched signatures
998-.PP
999-You may find something like this in syslog:
1000-.PP
1001-Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 ->
1002-11.22.33.44:139 hops=3 Linux [2.5-2.6:] : 1.2.3.4:42624 -> 1.2.3.5:22 hops=4
1003-.PP
1004-OS fingerprints are loadable using the \fBnfnl_osf\fP program. To load
1005-fingerprints from a file, use:
1006-.PP
1007-\fBnfnl_osf -f /usr/share/xtables/pf.os\fP
1008-.PP
1009-To remove them again,
1010-.PP
1011-\fBnfnl_osf -f /usr/share/xtables/pf.os -d\fP
1012-.PP
1013-The fingerprint database can be downlaoded from
1014-http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os .
1015-.SS owner
1016-This module attempts to match various characteristics of the packet creator,
1017-for locally generated packets. This match is only valid in the OUTPUT and
1018-POSTROUTING chains. Forwarded packets do not have any socket associated with
1019-them. Packets from kernel threads do have a socket, but usually no owner.
1020-.TP
1021-[\fB!\fP] \fB\-\-uid\-owner\fP \fIusername\fP
1022-.TP
1023-[\fB!\fP] \fB\-\-uid\-owner\fP \fIuserid\fP[\fB\-\fP\fIuserid\fP]
1024-Matches if the packet socket's file structure (if it has one) is owned by the
1025-given user. You may also specify a numerical UID, or an UID range.
1026-.TP
1027-[\fB!\fP] \fB\-\-gid\-owner\fP \fIgroupname\fP
1028-.TP
1029-[\fB!\fP] \fB\-\-gid\-owner\fP \fIgroupid\fP[\fB\-\fP\fIgroupid\fP]
1030-Matches if the packet socket's file structure is owned by the given group.
1031-You may also specify a numerical GID, or a GID range.
1032-.TP
1033-[\fB!\fP] \fB\-\-socket\-exists\fP
1034-Matches if the packet is associated with a socket.
1035-.SS physdev
1036-This module matches on the bridge port input and output devices enslaved
1037-to a bridge device. This module is a part of the infrastructure that enables
1038-a transparent bridging IP firewall and is only useful for kernel versions
1039-above version 2.5.44.
1040-.TP
1041-[\fB!\fP] \fB\-\-physdev\-in\fP \fIname\fP
1042-Name of a bridge port via which a packet is received (only for
1043-packets entering the
1044-.BR INPUT ,
1045-.B FORWARD
1046-and
1047-.B PREROUTING
1048-chains). If the interface name ends in a "+", then any
1049-interface which begins with this name will match. If the packet didn't arrive
1050-through a bridge device, this packet won't match this option, unless '!' is used.
1051-.TP
1052-[\fB!\fP] \fB\-\-physdev\-out\fP \fIname\fP
1053-Name of a bridge port via which a packet is going to be sent (for packets
1054-entering the
1055-.BR FORWARD ,
1056-.B OUTPUT
1057-and
1058-.B POSTROUTING
1059-chains). If the interface name ends in a "+", then any
1060-interface which begins with this name will match. Note that in the
1061-.BR nat " and " mangle
1062-.B OUTPUT
1063-chains one cannot match on the bridge output port, however one can in the
1064-.B "filter OUTPUT"
1065-chain. If the packet won't leave by a bridge device or if it is yet unknown what
1066-the output device will be, then the packet won't match this option,
1067-unless '!' is used.
1068-.TP
1069-[\fB!\fP] \fB\-\-physdev\-is\-in\fP
1070-Matches if the packet has entered through a bridge interface.
1071-.TP
1072-[\fB!\fP] \fB\-\-physdev\-is\-out\fP
1073-Matches if the packet will leave through a bridge interface.
1074-.TP
1075-[\fB!\fP] \fB\-\-physdev\-is\-bridged\fP
1076-Matches if the packet is being bridged and therefore is not being routed.
1077-This is only useful in the FORWARD and POSTROUTING chains.
1078-.SS pkttype
1079-This module matches the link-layer packet type.
1080-.TP
1081-[\fB!\fP] \fB\-\-pkt\-type\fP {\fBunicast\fP|\fBbroadcast\fP|\fBmulticast\fP}
1082-.SS policy
1083-This modules matches the policy used by IPsec for handling a packet.
1084-.TP
1085-\fB\-\-dir\fP {\fBin\fP|\fBout\fP}
1086-Used to select whether to match the policy used for decapsulation or the
1087-policy that will be used for encapsulation.
1088-.B in
1089-is valid in the
1090-.B PREROUTING, INPUT and FORWARD
1091-chains,
1092-.B out
1093-is valid in the
1094-.B POSTROUTING, OUTPUT and FORWARD
1095-chains.
1096-.TP
1097-\fB\-\-pol\fP {\fBnone\fP|\fBipsec\fP}
1098-Matches if the packet is subject to IPsec processing. \fB\-\-pol none\fP
1099-cannot be combined with \fB\-\-strict\fP.
1100-.TP
1101-\fB\-\-strict\fP
1102-Selects whether to match the exact policy or match if any rule of
1103-the policy matches the given policy.
1104-.PP
1105-For each policy element that is to be described, one can use one or more of
1106-the following options. When \fB\-\-strict\fP is in effect, at least one must be
1107-used per element.
1108-.TP
1109-[\fB!\fP] \fB\-\-reqid\fP \fIid\fP
1110-Matches the reqid of the policy rule. The reqid can be specified with
1111-.B setkey(8)
1112-using
1113-.B unique:id
1114-as level.
1115-.TP
1116-[\fB!\fP] \fB\-\-spi\fP \fIspi\fP
1117-Matches the SPI of the SA.
1118-.TP
1119-[\fB!\fP] \fB\-\-proto\fP {\fBah\fP|\fBesp\fP|\fBipcomp\fP}
1120-Matches the encapsulation protocol.
1121-.TP
1122-[\fB!\fP] \fB\-\-mode\fP {\fBtunnel\fP|\fBtransport\fP}
1123-Matches the encapsulation mode.
1124-.TP
1125-[\fB!\fP] \fB\-\-tunnel\-src\fP \fIaddr\fP[\fB/\fP\fImask\fP]
1126-Matches the source end-point address of a tunnel mode SA.
1127-Only valid with \fB\-\-mode tunnel\fP.
1128-.TP
1129-[\fB!\fP] \fB\-\-tunnel\-dst\fP \fIaddr\fP[\fB/\fP\fImask\fP]
1130-Matches the destination end-point address of a tunnel mode SA.
1131-Only valid with \fB\-\-mode tunnel\fP.
1132-.TP
1133-\fB\-\-next\fP
1134-Start the next element in the policy specification. Can only be used with
1135-\fB\-\-strict\fP.
1136-.SS quota
1137-Implements network quotas by decrementing a byte counter with each
1138-packet. The condition matches until the byte counter reaches zero. Behavior
1139-is reversed with negation (i.e. the condition does not match until the
1140-byte counter reaches zero).
1141-.TP
1142-[\fB!\fP] \fB\-\-quota\fP \fIbytes\fP
1143-The quota in bytes.
1144-.SS rateest
1145-The rate estimator can match on estimated rates as collected by the RATEEST
1146-target. It supports matching on absolute bps/pps values, comparing two rate
1147-estimators and matching on the difference between two rate estimators.
1148-.PP
1149-For a better understanding of the available options, these are all possible
1150-combinations:
1151-.\" * Absolute:
1152-.IP \(bu 4
1153-\fBrateest\fP \fIoperator\fP \fBrateest-bps\fP
1154-.IP \(bu 4
1155-\fBrateest\fP \fIoperator\fP \fBrateest-pps\fP
1156-.\" * Absolute + Delta:
1157-.IP \(bu 4
1158-(\fBrateest\fP minus \fBrateest-bps1\fP) \fIoperator\fP \fBrateest-bps2\fP
1159-.IP \(bu 4
1160-(\fBrateest\fP minus \fBrateest-pps1\fP) \fIoperator\fP \fBrateest-pps2\fP
1161-.\" * Relative:
1162-.IP \(bu 4
1163-\fBrateest1\fP \fIoperator\fP \fBrateest2\fP \fBrateest-bps\fP(without rate!)
1164-.IP \(bu 4
1165-\fBrateest1\fP \fIoperator\fP \fBrateest2\fP \fBrateest-pps\fP(without rate!)
1166-.\" * Relative + Delta:
1167-.IP \(bu 4
1168-(\fBrateest1\fP minus \fBrateest-bps1\fP) \fIoperator\fP
1169-(\fBrateest2\fP minus \fBrateest-bps2\fP)
1170-.IP \(bu 4
1171-(\fBrateest1\fP minus \fBrateest-pps1\fP) \fIoperator\fP
1172-(\fBrateest2\fP minus \fBrateest-pps2\fP)
1173-.TP
1174-\fB\-\-rateest\-delta\fP
1175-For each estimator (either absolute or relative mode), calculate the difference
1176-between the estimator-determined flow rate and the static value chosen with the
1177-BPS/PPS options. If the flow rate is higher than the specified BPS/PPS, 0 will
1178-be used instead of a negative value. In other words, "max(0, rateest#_rate -
1179-rateest#_bps)" is used.
1180-.TP
1181-[\fB!\fP] \fB\-\-rateest\-lt\fP
1182-Match if rate is less than given rate/estimator.
1183-.TP
1184-[\fB!\fP] \fB\-\-rateest\-gt\fP
1185-Match if rate is greater than given rate/estimator.
1186-.TP
1187-[\fB!\fP] \fB\-\-rateest\-eq\fP
1188-Match if rate is equal to given rate/estimator.
1189-.PP
1190-In the so-called "absolute mode", only one rate estimator is used and compared
1191-against a static value, while in "relative mode", two rate estimators are
1192-compared against another.
1193-.TP
1194-\fB\-\-rateest\fP \fIname\fP
1195-Name of the one rate estimator for absolute mode.
1196-.TP
1197-\fB\-\-rateest1\fP \fIname\fP
1198-.TP
1199-\fB\-\-rateest2\fP \fIname\fP
1200-The names of the two rate estimators for relative mode.
1201-.TP
1202-\fB\-\-rateest\-bps\fP [\fIvalue\fP]
1203-.TP
1204-\fB\-\-rateest\-pps\fP [\fIvalue\fP]
1205-.TP
1206-\fB\-\-rateest\-bps1\fP [\fIvalue\fP]
1207-.TP
1208-\fB\-\-rateest\-bps2\fP [\fIvalue\fP]
1209-.TP
1210-\fB\-\-rateest\-pps1\fP [\fIvalue\fP]
1211-.TP
1212-\fB\-\-rateest\-pps2\fP [\fIvalue\fP]
1213-Compare the estimator(s) by bytes or packets per second, and compare against
1214-the chosen value. See the above bullet list for which option is to be used in
1215-which case. A unit suffix may be used - available ones are: bit, [kmgt]bit,
1216-[KMGT]ibit, Bps, [KMGT]Bps, [KMGT]iBps.
1217-.PP
1218-Example: This is what can be used to route outgoing data connections from an
1219-FTP server over two lines based on the available bandwidth at the time the data
1220-connection was started:
1221-.PP
1222-# Estimate outgoing rates
1223-.PP
1224-iptables \-t mangle \-A POSTROUTING \-o eth0 \-j RATEEST \-\-rateest\-name eth0
1225-\-\-rateest\-interval 250ms \-\-rateest\-ewma 0.5s
1226-.PP
1227-iptables \-t mangle \-A POSTROUTING \-o ppp0 \-j RATEEST \-\-rateest\-name ppp0
1228-\-\-rateest\-interval 250ms \-\-rateest\-ewma 0.5s
1229-.PP
1230-# Mark based on available bandwidth
1231-.PP
1232-iptables \-t mangle \-A balance \-m conntrack \-\-ctstate NEW \-m helper \-\-helper ftp
1233-\-m rateest \-\-rateest\-delta \-\-rateest1 eth0 \-\-rateest\-bps1 2.5mbit \-\-rateest\-gt
1234-\-\-rateest2 ppp0 \-\-rateest\-bps2 2mbit \-j CONNMARK \-\-set\-mark 1
1235-.PP
1236-iptables \-t mangle \-A balance \-m conntrack \-\-ctstate NEW \-m helper \-\-helper ftp
1237-\-m rateest \-\-rateest\-delta \-\-rateest1 ppp0 \-\-rateest\-bps1 2mbit \-\-rateest\-gt
1238-\-\-rateest2 eth0 \-\-rateest\-bps2 2.5mbit \-j CONNMARK \-\-set\-mark 2
1239-.PP
1240-iptables \-t mangle \-A balance \-j CONNMARK \-\-restore\-mark
1241-.SS realm
1242-This matches the routing realm. Routing realms are used in complex routing
1243-setups involving dynamic routing protocols like BGP.
1244-.TP
1245-[\fB!\fP] \fB\-\-realm\fP \fIvalue\fP[\fB/\fP\fImask\fP]
1246-Matches a given realm number (and optionally mask). If not a number, value
1247-can be a named realm from /etc/iproute2/rt_realms (mask can not be used in
1248-that case).
1249-.SS recent
1250-Allows you to dynamically create a list of IP addresses and then match against
1251-that list in a few different ways.
1252-.PP
1253-For example, you can create a "badguy" list out of people attempting to connect
1254-to port 139 on your firewall and then DROP all future packets from them without
1255-considering them.
1256-.PP
1257-\fB\-\-set\fP, \fB\-\-rcheck\fP, \fB\-\-update\fP and \fB\-\-remove\fP are
1258-mutually exclusive.
1259-.TP
1260-\fB\-\-name\fP \fIname\fP
1261-Specify the list to use for the commands. If no name is given then
1262-\fBDEFAULT\fP will be used.
1263-.TP
1264-[\fB!\fP] \fB\-\-set\fP
1265-This will add the source address of the packet to the list. If the source
1266-address is already in the list, this will update the existing entry. This will
1267-always return success (or failure if \fB!\fP is passed in).
1268-.TP
1269-\fB\-\-rsource\fP
1270-Match/save the source address of each packet in the recent list table. This
1271-is the default.
1272-.TP
1273-\fB\-\-rdest\fP
1274-Match/save the destination address of each packet in the recent list table.
1275-.TP
1276-[\fB!\fP] \fB\-\-rcheck\fP
1277-Check if the source address of the packet is currently in the list.
1278-.TP
1279-[\fB!\fP] \fB\-\-update\fP
1280-Like \fB\-\-rcheck\fP, except it will update the "last seen" timestamp if it
1281-matches.
1282-.TP
1283-[\fB!\fP] \fB\-\-remove\fP
1284-Check if the source address of the packet is currently in the list and if so
1285-that address will be removed from the list and the rule will return true. If
1286-the address is not found, false is returned.
1287-.TP
1288-\fB\-\-seconds\fP \fIseconds\fP
1289-This option must be used in conjunction with one of \fB\-\-rcheck\fP or
1290-\fB\-\-update\fP. When used, this will narrow the match to only happen when the
1291-address is in the list and was seen within the last given number of seconds.
1292-.TP
1293-\fB\-\-reap\fP
1294-This option can only be used in conjunction with \fB\-\-seconds\fP.
1295-When used, this will cause entries older than the last given number of seconds
1296-to be purged.
1297-.TP
1298-\fB\-\-hitcount\fP \fIhits\fP
1299-This option must be used in conjunction with one of \fB\-\-rcheck\fP or
1300-\fB\-\-update\fP. When used, this will narrow the match to only happen when the
1301-address is in the list and packets had been received greater than or equal to
1302-the given value. This option may be used along with \fB\-\-seconds\fP to create
1303-an even narrower match requiring a certain number of hits within a specific
1304-time frame. The maximum value for the hitcount parameter is given by the
1305-"ip_pkt_list_tot" parameter of the xt_recent kernel module. Exceeding this
1306-value on the command line will cause the rule to be rejected.
1307-.TP
1308-\fB\-\-rttl\fP
1309-This option may only be used in conjunction with one of \fB\-\-rcheck\fP or
1310-\fB\-\-update\fP. When used, this will narrow the match to only happen when the
1311-address is in the list and the TTL of the current packet matches that of the
1312-packet which hit the \fB\-\-set\fP rule. This may be useful if you have problems
1313-with people faking their source address in order to DoS you via this module by
1314-disallowing others access to your site by sending bogus packets to you.
1315-.PP
1316-Examples:
1317-.IP
1318-iptables \-A FORWARD \-m recent \-\-name badguy \-\-rcheck \-\-seconds 60 \-j DROP
1319-.IP
1320-iptables \-A FORWARD \-p tcp \-i eth0 \-\-dport 139 \-m recent \-\-name badguy \-\-set \-j DROP
1321-.PP
1322-Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/) also has
1323-some examples of usage.
374+.SH MATCH AND TARGET EXTENSIONS
1324375 .PP
1325-\fB/proc/net/xt_recent/*\fP are the current lists of addresses and information
1326-about each entry of each list.
1327-.PP
1328-Each file in \fB/proc/net/xt_recent/\fP can be read from to see the current
1329-list or written two using the following commands to modify the list:
1330-.TP
1331-\fBecho +\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP
1332-to add \fIaddr\fP to the DEFAULT list
1333-.TP
1334-\fBecho \-\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP
1335-to remove \fIaddr\fP from the DEFAULT list
1336-.TP
1337-\fBecho / >/proc/net/xt_recent/DEFAULT\fP
1338-to flush the DEFAULT list (remove all entries).
1339-.PP
1340-The module itself accepts parameters, defaults shown:
1341-.TP
1342-\fBip_list_tot\fP=\fI100\fP
1343-Number of addresses remembered per table.
1344-.TP
1345-\fBip_pkt_list_tot\fP=\fI20\fP
1346-Number of packets per address remembered.
1347-.TP
1348-\fBip_list_hash_size\fP=\fI0\fP
1349-Hash table size. 0 means to calculate it based on ip_list_tot, default: 512.
1350-.TP
1351-\fBip_list_perms\fP=\fI0644\fP
1352-Permissions for /proc/net/xt_recent/* files.
1353-.TP
1354-\fBip_list_uid\fP=\fI0\fP
1355-Numerical UID for ownership of /proc/net/xt_recent/* files.
1356-.TP
1357-\fBip_list_gid\fP=\fI0\fP
1358-Numerical GID for ownership of /proc/net/xt_recent/* files.
1359-.SS rpfilter
1360-Performs a reverse path filter test on a packet.
1361-If a reply to the packet would be sent via the same interface
1362-that the packet arrived on, the packet will match.
1363-Note that, unlike the in-kernel rp_filter, packets protected
1364-by IPSec are not treated specially. Combine this match with
1365-the policy match if you want this.
1366-Also, packets arriving via the loopback interface are always permitted.
1367-This match can only be used in the PREROUTING chain of the raw or mangle table.
1368-.TP
1369-\fB\-\-loose\fP
1370-Used to specifiy that the reverse path filter test should match
1371-even if the selected output device is not the expected one.
1372-.TP
1373-\fB\-\-validmark\fP
1374-Also use the packets' nfmark value when performing the reverse path route lookup.
1375-.TP
1376-\fB\-\-accept\-local\fP
1377-This will permit packets arriving from the network with a source address that is also
1378-assigned to the local machine.
1379-\fB\-\-invert\fP
1380-This will invert the sense of the match. Instead of matching packets that passed the
1381-reverse path filter test, match those that have failed it.
1382-.PP
1383-Example to log and drop packets failing the reverse path filter test:
1384-
1385-iptables \-t raw \-N RPFILTER
1386-
1387-iptables \-t raw \-A RPFILTER \-m rpfilter \-j RETURN
1388-
1389-iptables \-t raw \-A RPFILTER \-m limit \-\-limit 10/minute \-j NFLOG \-\-nflog\-prefix "rpfilter drop"
1390-
1391-iptables \-t raw \-A RPFILTER \-j DROP
1392-
1393-iptables \-t raw \-A PREROUTING \-j RPFILTER
1394-
1395-Example to drop failed packets, without logging:
1396-
1397-iptables \-t raw \-A RPFILTER \-m rpfilter \-\-invert \-j DROP
1398-.SS sctp
1399-.TP
1400-[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP]
1401-.TP
1402-[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP]
1403-.TP
1404-[\fB!\fP] \fB\-\-chunk\-types\fP {\fBall\fP|\fBany\fP|\fBonly\fP} \fIchunktype\fP[\fB:\fP\fIflags\fP] [...]
1405-The flag letter in upper case indicates that the flag is to match if set,
1406-in the lower case indicates to match if unset.
1407-
1408-Chunk types: DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK FORWARD_TSN
1409-
1410-chunk type available flags
1411-.br
1412-DATA I U B E i u b e
1413-.br
1414-ABORT T t
1415-.br
1416-SHUTDOWN_COMPLETE T t
1417-
1418-(lowercase means flag should be "off", uppercase means "on")
1419-.P
1420-Examples:
1421-
1422-iptables \-A INPUT \-p sctp \-\-dport 80 \-j DROP
1423-
1424-iptables \-A INPUT \-p sctp \-\-chunk\-types any DATA,INIT \-j DROP
1425-
1426-iptables \-A INPUT \-p sctp \-\-chunk\-types any DATA:Be \-j ACCEPT
1427-.SS set
1428-This module matches IP sets which can be defined by ipset(8).
1429-.TP
1430-[\fB!\fP] \fB\-\-match\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP]...
1431-where flags are the comma separated list of
1432-.BR "src"
1433-and/or
1434-.BR "dst"
1435-specifications and there can be no more than six of them. Hence the command
1436-.IP
1437- iptables \-A FORWARD \-m set \-\-match\-set test src,dst
1438-.IP
1439-will match packets, for which (if the set type is ipportmap) the source
1440-address and destination port pair can be found in the specified set. If
1441-the set type of the specified set is single dimension (for example ipmap),
1442-then the command will match packets for which the source address can be
1443-found in the specified set.
1444-.PP
1445-The option \fB\-\-match\-set\fP can be replaced by \fB\-\-set\fP if that does
1446-not clash with an option of other extensions.
1447-.PP
1448-Use of -m set requires that ipset kernel support is provided, which, for
1449-standard kernels, is the case since Linux 2.6.39.
1450-.SS socket
1451-This matches if an open socket can be found by doing a socket lookup on the
1452-packet.
1453-.TP
1454-\fB\-\-transparent\fP
1455-Ignore non-transparent sockets.
1456-.SS state
1457-This module, when combined with connection tracking, allows access to
1458-the connection tracking state for this packet.
1459-.TP
1460-[\fB!\fP] \fB\-\-state\fP \fIstate\fP
1461-Where state is a comma separated list of the connection states to
1462-match. Possible states are
1463-.B INVALID
1464-meaning that the packet could not be identified for some reason which
1465-includes running out of memory and ICMP errors which don't correspond to any
1466-known connection,
1467-.B ESTABLISHED
1468-meaning that the packet is associated with a connection which has seen
1469-packets in both directions,
1470-.B NEW
1471-meaning that the packet has started a new connection, or otherwise
1472-associated with a connection which has not seen packets in both
1473-directions, and
1474-.B RELATED
1475-meaning that the packet is starting a new connection, but is
1476-associated with an existing connection, such as an FTP data transfer,
1477-or an ICMP error.
1478-.B UNTRACKED
1479-meaning that the packet is not tracked at all, which happens if you use
1480-the NOTRACK target in raw table.
1481-.SS statistic
1482-This module matches packets based on some statistic condition.
1483-It supports two distinct modes settable with the
1484-\fB\-\-mode\fP
1485-option.
1486-.PP
1487-Supported options:
1488-.TP
1489-\fB\-\-mode\fP \fImode\fP
1490-Set the matching mode of the matching rule, supported modes are
1491-.B random
1492-and
1493-.B nth.
1494-.TP
1495-[\fB!\fP] \fB\-\-probability\fP \fIp\fP
1496-Set the probability for a packet to be randomly matched. It only works with the
1497-\fBrandom\fP mode. \fIp\fP must be within 0.0 and 1.0. The supported
1498-granularity is in 1/2147483648th increments.
1499-.TP
1500-[\fB!\fP] \fB\-\-every\fP \fIn\fP
1501-Match one packet every nth packet. It works only with the
1502-.B nth
1503-mode (see also the
1504-\fB\-\-packet\fP
1505-option).
1506-.TP
1507-\fB\-\-packet\fP \fIp\fP
1508-Set the initial counter value (0 <= p <= n\-1, default 0) for the
1509-.B nth
1510-mode.
1511-.SS string
1512-This modules matches a given string by using some pattern matching strategy. It requires a linux kernel >= 2.6.14.
1513-.TP
1514-\fB\-\-algo\fP {\fBbm\fP|\fBkmp\fP}
1515-Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris)
1516-.TP
1517-\fB\-\-from\fP \fIoffset\fP
1518-Set the offset from which it starts looking for any matching. If not passed, default is 0.
1519-.TP
1520-\fB\-\-to\fP \fIoffset\fP
1521-Set the offset up to which should be scanned. That is, byte \fIoffset\fP-1
1522-(counting from 0) is the last one that is scanned.
1523-If not passed, default is the packet size.
1524-.TP
1525-[\fB!\fP] \fB\-\-string\fP \fIpattern\fP
1526-Matches the given pattern.
1527-.TP
1528-[\fB!\fP] \fB\-\-hex\-string\fP \fIpattern\fP
1529-Matches the given pattern in hex notation.
1530-.SS tcp
1531-These extensions can be used if `\-\-protocol tcp' is specified. It
1532-provides the following options:
1533-.TP
1534-[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP]
1535-Source port or port range specification. This can either be a service
1536-name or a port number. An inclusive range can also be specified,
1537-using the format \fIfirst\fP\fB:\fP\fIlast\fP.
1538-If the first port is omitted, "0" is assumed; if the last is omitted,
1539-"65535" is assumed.
1540-If the first port is greater than the second one they will be swapped.
1541-The flag
1542-\fB\-\-sport\fP
1543-is a convenient alias for this option.
1544-.TP
1545-[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP]
1546-Destination port or port range specification. The flag
1547-\fB\-\-dport\fP
1548-is a convenient alias for this option.
1549-.TP
1550-[\fB!\fP] \fB\-\-tcp\-flags\fP \fImask\fP \fIcomp\fP
1551-Match when the TCP flags are as specified. The first argument \fImask\fP is the
1552-flags which we should examine, written as a comma-separated list, and
1553-the second argument \fIcomp\fP is a comma-separated list of flags which must be
1554-set. Flags are:
1555-.BR "SYN ACK FIN RST URG PSH ALL NONE" .
1556-Hence the command
1557-.nf
1558- iptables \-A FORWARD \-p tcp \-\-tcp\-flags SYN,ACK,FIN,RST SYN
1559-.fi
1560-will only match packets with the SYN flag set, and the ACK, FIN and
1561-RST flags unset.
1562-.TP
1563-[\fB!\fP] \fB\-\-syn\fP
1564-Only match TCP packets with the SYN bit set and the ACK,RST and FIN bits
1565-cleared. Such packets are used to request TCP connection initiation;
1566-for example, blocking such packets coming in an interface will prevent
1567-incoming TCP connections, but outgoing TCP connections will be
1568-unaffected.
1569-It is equivalent to \fB\-\-tcp\-flags SYN,RST,ACK,FIN SYN\fP.
1570-If the "!" flag precedes the "\-\-syn", the sense of the
1571-option is inverted.
1572-.TP
1573-[\fB!\fP] \fB\-\-tcp\-option\fP \fInumber\fP
1574-Match if TCP option set.
1575-.SS tcpmss
1576-This matches the TCP MSS (maximum segment size) field of the TCP header. You can only use this on TCP SYN or SYN/ACK packets, since the MSS is only negotiated during the TCP handshake at connection startup time.
1577-.TP
1578-[\fB!\fP] \fB\-\-mss\fP \fIvalue\fP[\fB:\fP\fIvalue\fP]
1579-Match a given TCP MSS value or range.
1580-.SS time
1581-This matches if the packet arrival time/date is within a given range. All
1582-options are optional, but are ANDed when specified. All times are interpreted
1583-as UTC by default.
1584-.TP
1585-\fB\-\-datestart\fP \fIYYYY\fP[\fB\-\fP\fIMM\fP[\fB\-\fP\fIDD\fP[\fBT\fP\fIhh\fP[\fB:\fP\fImm\fP[\fB:\fP\fIss\fP]]]]]
1586-.TP
1587-\fB\-\-datestop\fP \fIYYYY\fP[\fB\-\fP\fIMM\fP[\fB\-\fP\fIDD\fP[\fBT\fP\fIhh\fP[\fB:\fP\fImm\fP[\fB:\fP\fIss\fP]]]]]
1588-Only match during the given time, which must be in ISO 8601 "T" notation.
1589-The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07.
1590-.IP
1591-If \-\-datestart or \-\-datestop are not specified, it will default to 1970-01-01
1592-and 2038-01-19, respectively.
1593-.TP
1594-\fB\-\-timestart\fP \fIhh\fP\fB:\fP\fImm\fP[\fB:\fP\fIss\fP]
1595-.TP
1596-\fB\-\-timestop\fP \fIhh\fP\fB:\fP\fImm\fP[\fB:\fP\fIss\fP]
1597-Only match during the given daytime. The possible time range is 00:00:00 to
1598-23:59:59. Leading zeroes are allowed (e.g. "06:03") and correctly interpreted
1599-as base-10.
1600-.TP
1601-[\fB!\fP] \fB\-\-monthdays\fP \fIday\fP[\fB,\fP\fIday\fP...]
1602-Only match on the given days of the month. Possible values are \fB1\fP
1603-to \fB31\fP. Note that specifying \fB31\fP will of course not match
1604-on months which do not have a 31st day; the same goes for 28- or 29-day
1605-February.
1606-.TP
1607-[\fB!\fP] \fB\-\-weekdays\fP \fIday\fP[\fB,\fP\fIday\fP...]
1608-Only match on the given weekdays. Possible values are \fBMon\fP, \fBTue\fP,
1609-\fBWed\fP, \fBThu\fP, \fBFri\fP, \fBSat\fP, \fBSun\fP, or values from \fB1\fP
1610-to \fB7\fP, respectively. You may also use two-character variants (\fBMo\fP,
1611-\fBTu\fP, etc.).
1612-.TP
1613-\fB\-\-kerneltz\fP
1614-Use the kernel timezone instead of UTC to determine whether a packet meets the
1615-time regulations.
1616-.PP
1617-About kernel timezones: Linux keeps the system time in UTC, and always does so.
1618-On boot, system time is initialized from a referential time source. Where this
1619-time source has no timezone information, such as the x86 CMOS RTC, UTC will be
1620-assumed. If the time source is however not in UTC, userspace should provide the
1621-correct system time and timezone to the kernel once it has the information.
1622-.PP
1623-Local time is a feature on top of the (timezone independent) system time. Each
1624-process has its own idea of local time, specified via the TZ environment
1625-variable. The kernel also has its own timezone offset variable. The TZ
1626-userspace environment variable specifies how the UTC-based system time is
1627-displayed, e.g. when you run date(1), or what you see on your desktop clock.
1628-The TZ string may resolve to different offsets at different dates, which is
1629-what enables the automatic time-jumping in userspace. when DST changes. The
1630-kernel's timezone offset variable is used when it has to convert between
1631-non-UTC sources, such as FAT filesystems, to UTC (since the latter is what the
1632-rest of the system uses).
1633-.PP
1634-The caveat with the kernel timezone is that Linux distributions may ignore to
1635-set the kernel timezone, and instead only set the system time. Even if a
1636-particular distribution does set the timezone at boot, it is usually does not
1637-keep the kernel timezone offset - which is what changes on DST - up to date.
1638-ntpd will not touch the kernel timezone, so running it will not resolve the
1639-issue. As such, one may encounter a timezone that is always +0000, or one that
1640-is wrong half of the time of the year. As such, \fBusing \-\-kerneltz is highly
1641-discouraged.\fP
1642-.PP
1643-EXAMPLES. To match on weekends, use:
1644-.IP
1645-\-m time \-\-weekdays Sa,Su
1646-.PP
1647-Or, to match (once) on a national holiday block:
1648-.IP
1649-\-m time \-\-datestart 2007\-12\-24 \-\-datestop 2007\-12\-27
1650-.PP
1651-Since the stop time is actually inclusive, you would need the following stop
1652-time to not match the first second of the new day:
1653-.IP
1654-\-m time \-\-datestart 2007\-01\-01T17:00 \-\-datestop 2007\-01\-01T23:59:59
1655-.PP
1656-During lunch hour:
1657-.IP
1658-\-m time \-\-timestart 12:30 \-\-timestop 13:30
1659-.PP
1660-The fourth Friday in the month:
1661-.IP
1662-\-m time \-\-weekdays Fr \-\-monthdays 22,23,24,25,26,27,28
1663-.PP
1664-(Note that this exploits a certain mathematical property. It is not possible to
1665-say "fourth Thursday OR fourth Friday" in one rule. It is possible with
1666-multiple rules, though.)
1667-.SS tos
1668-This module matches the 8-bit Type of Service field in the IPv4 header (i.e.
1669-including the "Precedence" bits) or the (also 8-bit) Priority field in the IPv6
1670-header.
1671-.TP
1672-[\fB!\fP] \fB\-\-tos\fP \fIvalue\fP[\fB/\fP\fImask\fP]
1673-Matches packets with the given TOS mark value. If a mask is specified, it is
1674-logically ANDed with the TOS mark before the comparison.
1675-.TP
1676-[\fB!\fP] \fB\-\-tos\fP \fIsymbol\fP
1677-You can specify a symbolic name when using the tos match for IPv4. The list of
1678-recognized TOS names can be obtained by calling iptables with \fB\-m tos \-h\fP.
1679-Note that this implies a mask of 0x3F, i.e. all but the ECN bits.
1680-.SS ttl
1681-This module matches the time to live field in the IP header.
1682-.TP
1683-[\fB!\fP] \fB\-\-ttl\-eq\fP \fIttl\fP
1684-Matches the given TTL value.
1685-.TP
1686-\fB\-\-ttl\-gt\fP \fIttl\fP
1687-Matches if TTL is greater than the given TTL value.
1688-.TP
1689-\fB\-\-ttl\-lt\fP \fIttl\fP
1690-Matches if TTL is less than the given TTL value.
1691-.SS u32
1692-U32 tests whether quantities of up to 4 bytes extracted from a packet have
1693-specified values. The specification of what to extract is general enough to
1694-find data at given offsets from tcp headers or payloads.
1695-.TP
1696-[\fB!\fP] \fB\-\-u32\fP \fItests\fP
1697-The argument amounts to a program in a small language described below.
1698-.IP
1699-tests := location "=" value | tests "&&" location "=" value
1700-.IP
1701-value := range | value "," range
1702-.IP
1703-range := number | number ":" number
1704-.PP
1705-a single number, \fIn\fP, is interpreted the same as \fIn:n\fP. \fIn:m\fP is
1706-interpreted as the range of numbers \fB>=n\fP and \fB<=m\fP.
1707-.IP "" 4
1708-location := number | location operator number
1709-.IP "" 4
1710-operator := "&" | "<<" | ">>" | "@"
1711-.PP
1712-The operators \fB&\fP, \fB<<\fP, \fB>>\fP and \fB&&\fP mean the same as in C.
1713-The \fB=\fP is really a set membership operator and the value syntax describes
1714-a set. The \fB@\fP operator is what allows moving to the next header and is
1715-described further below.
1716-.PP
1717-There are currently some artificial implementation limits on the size of the
1718-tests:
1719-.IP " *"
1720-no more than 10 of "\fB=\fP" (and 9 "\fB&&\fP"s) in the u32 argument
1721-.IP " *"
1722-no more than 10 ranges (and 9 commas) per value
1723-.IP " *"
1724-no more than 10 numbers (and 9 operators) per location
1725-.PP
1726-To describe the meaning of location, imagine the following machine that
1727-interprets it. There are three registers:
1728-.IP
1729-A is of type \fBchar *\fP, initially the address of the IP header
1730-.IP
1731-B and C are unsigned 32 bit integers, initially zero
1732-.PP
1733-The instructions are:
1734-.IP
1735-number B = number;
1736-.IP
1737-C = (*(A+B)<<24) + (*(A+B+1)<<16) + (*(A+B+2)<<8) + *(A+B+3)
1738-.IP
1739-&number C = C & number
1740-.IP
1741-<< number C = C << number
1742-.IP
1743->> number C = C >> number
1744-.IP
1745-@number A = A + C; then do the instruction number
1746-.PP
1747-Any access of memory outside [skb\->data,skb\->end] causes the match to fail.
1748-Otherwise the result of the computation is the final value of C.
1749-.PP
1750-Whitespace is allowed but not required in the tests. However, the characters
1751-that do occur there are likely to require shell quoting, so it is a good idea
1752-to enclose the arguments in quotes.
1753-.PP
1754-Example:
1755-.IP
1756-match IP packets with total length >= 256
1757-.IP
1758-The IP header contains a total length field in bytes 2-3.
1759-.IP
1760-\-\-u32 "\fB0 & 0xFFFF = 0x100:0xFFFF\fP"
1761-.IP
1762-read bytes 0-3
1763-.IP
1764-AND that with 0xFFFF (giving bytes 2-3), and test whether that is in the range
1765-[0x100:0xFFFF]
1766-.PP
1767-Example: (more realistic, hence more complicated)
1768-.IP
1769-match ICMP packets with icmp type 0
1770-.IP
1771-First test that it is an ICMP packet, true iff byte 9 (protocol) = 1
1772-.IP
1773-\-\-u32 "\fB6 & 0xFF = 1 &&\fP ...
1774-.IP
1775-read bytes 6-9, use \fB&\fP to throw away bytes 6-8 and compare the result to
1776-1. Next test that it is not a fragment. (If so, it might be part of such a
1777-packet but we cannot always tell.) N.B.: This test is generally needed if you
1778-want to match anything beyond the IP header. The last 6 bits of byte 6 and all
1779-of byte 7 are 0 iff this is a complete packet (not a fragment). Alternatively,
1780-you can allow first fragments by only testing the last 5 bits of byte 6.
1781-.IP
1782- ... \fB4 & 0x3FFF = 0 &&\fP ...
1783-.IP
1784-Last test: the first byte past the IP header (the type) is 0. This is where we
1785-have to use the @syntax. The length of the IP header (IHL) in 32 bit words is
1786-stored in the right half of byte 0 of the IP header itself.
1787-.IP
1788- ... \fB0 >> 22 & 0x3C @ 0 >> 24 = 0\fP"
1789-.IP
1790-The first 0 means read bytes 0-3, \fB>>22\fP means shift that 22 bits to the
1791-right. Shifting 24 bits would give the first byte, so only 22 bits is four
1792-times that plus a few more bits. \fB&3C\fP then eliminates the two extra bits
1793-on the right and the first four bits of the first byte. For instance, if IHL=5,
1794-then the IP header is 20 (4 x 5) bytes long. In this case, bytes 0-1 are (in
1795-binary) xxxx0101 yyzzzzzz, \fB>>22\fP gives the 10 bit value xxxx0101yy and
1796-\fB&3C\fP gives 010100. \fB@\fP means to use this number as a new offset into
1797-the packet, and read four bytes starting from there. This is the first 4 bytes
1798-of the ICMP payload, of which byte 0 is the ICMP type. Therefore, we simply
1799-shift the value 24 to the right to throw out all but the first byte and compare
1800-the result with 0.
1801-.PP
1802-Example:
1803-.IP
1804-TCP payload bytes 8-12 is any of 1, 2, 5 or 8
1805-.IP
1806-First we test that the packet is a tcp packet (similar to ICMP).
1807-.IP
1808-\-\-u32 "\fB6 & 0xFF = 6 &&\fP ...
1809-.IP
1810-Next, test that it is not a fragment (same as above).
1811-.IP
1812- ... \fB0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 8 = 1,2,5,8\fP"
1813-.IP
1814-\fB0>>22&3C\fP as above computes the number of bytes in the IP header. \fB@\fP
1815-makes this the new offset into the packet, which is the start of the TCP
1816-header. The length of the TCP header (again in 32 bit words) is the left half
1817-of byte 12 of the TCP header. The \fB12>>26&3C\fP computes this length in bytes
1818-(similar to the IP header before). "@" makes this the new offset, which is the
1819-start of the TCP payload. Finally, 8 reads bytes 8-12 of the payload and
1820-\fB=\fP checks whether the result is any of 1, 2, 5 or 8.
1821-.SS udp
1822-These extensions can be used if `\-\-protocol udp' is specified. It
1823-provides the following options:
1824-.TP
1825-[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP]
1826-Source port or port range specification.
1827-See the description of the
1828-\fB\-\-source\-port\fP
1829-option of the TCP extension for details.
1830-.TP
1831-[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP]
1832-Destination port or port range specification.
1833-See the description of the
1834-\fB\-\-destination\-port\fP
1835-option of the TCP extension for details.
1836-.SS unclean
1837-This module takes no options, but attempts to match packets which seem
1838-malformed or unusual. This is regarded as experimental.
1839-.SH TARGET EXTENSIONS
1840-iptables can use extended target modules: the following are included
1841-in the standard distribution.
1842-.\" @TARGET@
1843-.SS AUDIT
1844-This target allows to create audit records for packets hitting the target.
1845-It can be used to record accepted, dropped, and rejected packets. See
1846-auditd(8) for additional details.
1847-.TP
1848-\fB\-\-type\fP {\fBaccept\fP|\fBdrop\fP|\fBreject\fP}
1849-Set type of audit record.
1850-.PP
1851-Example:
1852-.IP
1853-iptables \-N AUDIT_DROP
1854-.IP
1855-iptables \-A AUDIT_DROP \-j AUDIT \-\-type drop
1856-.IP
1857-iptables \-A AUDIT_DROP \-j DROP
1858-.SS CHECKSUM
1859-This target allows to selectively work around broken/old applications.
1860-It can only be used in the mangle table.
1861-.TP
1862-\fB\-\-checksum\-fill\fP
1863-Compute and fill in the checksum in a packet that lacks a checksum.
1864-This is particularly useful, if you need to work around old applications
1865-such as dhcp clients, that do not work well with checksum offloads,
1866-but don't want to disable checksum offload in your device.
1867-.SS CLASSIFY
1868-This module allows you to set the skb\->priority value (and thus classify the packet into a specific CBQ class).
1869-.TP
1870-\fB\-\-set\-class\fP \fImajor\fP\fB:\fP\fIminor\fP
1871-Set the major and minor class value. The values are always interpreted as
1872-hexadecimal even if no 0x prefix is given.
1873-.SS CLUSTERIP
1874-This module allows you to configure a simple cluster of nodes that share
1875-a certain IP and MAC address without an explicit load balancer in front of
1876-them. Connections are statically distributed between the nodes in this
1877-cluster.
1878-.TP
1879-\fB\-\-new\fP
1880-Create a new ClusterIP. You always have to set this on the first rule
1881-for a given ClusterIP.
1882-.TP
1883-\fB\-\-hashmode\fP \fImode\fP
1884-Specify the hashing mode. Has to be one of
1885-\fBsourceip\fP, \fBsourceip\-sourceport\fP, \fBsourceip\-sourceport\-destport\fP.
1886-.TP
1887-\fB\-\-clustermac\fP \fImac\fP
1888-Specify the ClusterIP MAC address. Has to be a link\-layer multicast address
1889-.TP
1890-\fB\-\-total\-nodes\fP \fInum\fP
1891-Number of total nodes within this cluster.
1892-.TP
1893-\fB\-\-local\-node\fP \fInum\fP
1894-Local node number within this cluster.
1895-.TP
1896-\fB\-\-hash\-init\fP \fIrnd\fP
1897-Specify the random seed used for hash initialization.
1898-.SS CONNMARK
1899-This module sets the netfilter mark value associated with a connection. The
1900-mark is 32 bits wide.
1901-.TP
1902-\fB\-\-set\-xmark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
1903-Zero out the bits given by \fImask\fP and XOR \fIvalue\fP into the ctmark.
1904-.TP
1905-\fB\-\-save\-mark\fP [\fB\-\-nfmask\fP \fInfmask\fP] [\fB\-\-ctmask\fP \fIctmask\fP]
1906-Copy the packet mark (nfmark) to the connection mark (ctmark) using the given
1907-masks. The new nfmark value is determined as follows:
1908-.IP
1909-ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)
1910-.IP
1911-i.e. \fIctmask\fP defines what bits to clear and \fInfmask\fP what bits of the
1912-nfmark to XOR into the ctmark. \fIctmask\fP and \fInfmask\fP default to
1913-0xFFFFFFFF.
1914-.TP
1915-\fB\-\-restore\-mark\fP [\fB\-\-nfmask\fP \fInfmask\fP] [\fB\-\-ctmask\fP \fIctmask\fP]
1916-Copy the connection mark (ctmark) to the packet mark (nfmark) using the given
1917-masks. The new ctmark value is determined as follows:
1918-.IP
1919-nfmark = (nfmark & ~\fInfmask\fP) ^ (ctmark & \fIctmask\fP);
1920-.IP
1921-i.e. \fInfmask\fP defines what bits to clear and \fIctmask\fP what bits of the
1922-ctmark to XOR into the nfmark. \fIctmask\fP and \fInfmask\fP default to
1923-0xFFFFFFFF.
1924-.IP
1925-\fB\-\-restore\-mark\fP is only valid in the \fBmangle\fP table.
1926-.PP
1927-The following mnemonics are available for \fB\-\-set\-xmark\fP:
1928-.TP
1929-\fB\-\-and\-mark\fP \fIbits\fP
1930-Binary AND the ctmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark
1931-0/\fP\fIinvbits\fP, where \fIinvbits\fP is the binary negation of \fIbits\fP.)
1932-.TP
1933-\fB\-\-or\-mark\fP \fIbits\fP
1934-Binary OR the ctmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP
1935-\fIbits\fP\fB/\fP\fIbits\fP.)
1936-.TP
1937-\fB\-\-xor\-mark\fP \fIbits\fP
1938-Binary XOR the ctmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP
1939-\fIbits\fP\fB/0\fP.)
1940-.TP
1941-\fB\-\-set\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
1942-Set the connection mark. If a mask is specified then only those bits set in the
1943-mask are modified.
1944-.TP
1945-\fB\-\-save\-mark\fP [\fB\-\-mask\fP \fImask\fP]
1946-Copy the nfmark to the ctmark. If a mask is specified, only those bits are
1947-copied.
1948-.TP
1949-\fB\-\-restore\-mark\fP [\fB\-\-mask\fP \fImask\fP]
1950-Copy the ctmark to the nfmark. If a mask is specified, only those bits are
1951-copied. This is only valid in the \fBmangle\fP table.
1952-.SS CONNSECMARK
1953-This module copies security markings from packets to connections
1954-(if unlabeled), and from connections back to packets (also only
1955-if unlabeled). Typically used in conjunction with SECMARK, it is
1956-valid in the
1957-.B security
1958-table (for backwards compatibility with older kernels, it is also
1959-valid in the
1960-.B mangle
1961-table).
1962-.TP
1963-\fB\-\-save\fP
1964-If the packet has a security marking, copy it to the connection
1965-if the connection is not marked.
1966-.TP
1967-\fB\-\-restore\fP
1968-If the packet does not have a security marking, and the connection
1969-does, copy the security marking from the connection to the packet.
1970-
1971-.SS CT
1972-The CT target allows to set parameters for a packet or its associated
1973-connection. The target attaches a "template" connection tracking entry to
1974-the packet, which is then used by the conntrack core when initializing
1975-a new ct entry. This target is thus only valid in the "raw" table.
1976-.TP
1977-\fB\-\-notrack\fP
1978-Disables connection tracking for this packet.
1979-.TP
1980-\fB\-\-helper\fP \fIname\fP
1981-Use the helper identified by \fIname\fP for the connection. This is more
1982-flexible than loading the conntrack helper modules with preset ports.
1983-.TP
1984-\fB\-\-ctevents\fP \fIevent\fP[\fB,\fP...]
1985-Only generate the specified conntrack events for this connection. Possible
1986-event types are: \fBnew\fP, \fBrelated\fP, \fBdestroy\fP, \fBreply\fP,
1987-\fBassured\fP, \fBprotoinfo\fP, \fBhelper\fP, \fBmark\fP (this refers to
1988-the ctmark, not nfmark), \fBnatseqinfo\fP, \fBsecmark\fP (ctsecmark).
1989-.TP
1990-\fB\-\-expevents\fP \fIevent\fP[\fB,\fP...]
1991-Only generate the specified expectation events for this connection.
1992-Possible event types are: \fBnew\fP.
1993-.TP
1994-\fB\-\-zone\fP \fIid\fP
1995-Assign this packet to zone \fIid\fP and only have lookups done in that zone.
1996-By default, packets have zone 0.
1997-.SS DNAT
1998-This target is only valid in the
1999-.B nat
2000-table, in the
2001-.B PREROUTING
2002-and
2003-.B OUTPUT
2004-chains, and user-defined chains which are only called from those
2005-chains. It specifies that the destination address of the packet
2006-should be modified (and all future packets in this connection will
2007-also be mangled), and rules should cease being examined. It takes one
2008-type of option:
2009-.TP
2010-\fB\-\-to\-destination\fP [\fIipaddr\fP[\fB\-\fP\fIipaddr\fP]][\fB:\fP\fIport\fP[\fB\-\fP\fIport\fP]]
2011-which can specify a single new destination IP address, an inclusive
2012-range of IP addresses, and optionally, a port range (which is only
2013-valid if the rule also specifies
2014-\fB\-p tcp\fP
2015-or
2016-\fB\-p udp\fP).
2017-If no port range is specified, then the destination port will never be
2018-modified. If no IP address is specified then only the destination port
2019-will be modified.
2020-
2021-In Kernels up to 2.6.10 you can add several \-\-to\-destination options. For
2022-those kernels, if you specify more than one destination address, either via an
2023-address range or multiple \-\-to\-destination options, a simple round-robin (one
2024-after another in cycle) load balancing takes place between these addresses.
2025-Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges
2026-anymore.
2027-.TP
2028-\fB\-\-random\fP
2029-If option
2030-\fB\-\-random\fP
2031-is used then port mapping will be randomized (kernel >= 2.6.22).
2032-.TP
2033-\fB\-\-persistent\fP
2034-Gives a client the same source-/destination-address for each connection.
2035-This supersedes the SAME target. Support for persistent mappings is available
2036-from 2.6.29-rc2.
2037-.SS DSCP
2038-This target allows to alter the value of the DSCP bits within the TOS
2039-header of the IPv4 packet. As this manipulates a packet, it can only
2040-be used in the mangle table.
2041-.TP
2042-\fB\-\-set\-dscp\fP \fIvalue\fP
2043-Set the DSCP field to a numerical value (can be decimal or hex)
2044-.TP
2045-\fB\-\-set\-dscp\-class\fP \fIclass\fP
2046-Set the DSCP field to a DiffServ class.
2047-.SS ECN
2048-This target allows to selectively work around known ECN blackholes.
2049-It can only be used in the mangle table.
2050-.TP
2051-\fB\-\-ecn\-tcp\-remove\fP
2052-Remove all ECN bits from the TCP header. Of course, it can only be used
2053-in conjunction with
2054-\fB\-p tcp\fP.
2055-.SS IDLETIMER
2056-This target can be used to identify when interfaces have been idle for a
2057-certain period of time. Timers are identified by labels and are created when
2058-a rule is set with a new label. The rules also take a timeout value (in
2059-seconds) as an option. If more than one rule uses the same timer label, the
2060-timer will be restarted whenever any of the rules get a hit. One entry for
2061-each timer is created in sysfs. This attribute contains the timer remaining
2062-for the timer to expire. The attributes are located under the xt_idletimer
2063-class:
2064-.PP
2065-/sys/class/xt_idletimer/timers/<label>
2066-.PP
2067-When the timer expires, the target module sends a sysfs notification to the
2068-userspace, which can then decide what to do (eg. disconnect to save power).
2069-.TP
2070-\fB\-\-timeout\fP \fIamount\fP
2071-This is the time in seconds that will trigger the notification.
2072-.TP
2073-\fB\-\-label\fP \fIstring\fP
2074-This is a unique identifier for the timer. The maximum length for the
2075-label string is 27 characters.
2076-.SS LOG
2077-Turn on kernel logging of matching packets. When this option is set
2078-for a rule, the Linux kernel will print some information on all
2079-matching packets (like most IP header fields) via the kernel log
2080-(where it can be read with
2081-.I dmesg
2082-or
2083-.IR syslogd (8)).
2084-This is a "non-terminating target", i.e. rule traversal continues at
2085-the next rule. So if you want to LOG the packets you refuse, use two
2086-separate rules with the same matching criteria, first using target LOG
2087-then DROP (or REJECT).
2088-.TP
2089-\fB\-\-log\-level\fP \fIlevel\fP
2090-Level of logging (numeric or see \fIsyslog.conf\fP(5)).
2091-.TP
2092-\fB\-\-log\-prefix\fP \fIprefix\fP
2093-Prefix log messages with the specified prefix; up to 29 letters long,
2094-and useful for distinguishing messages in the logs.
2095-.TP
2096-\fB\-\-log\-tcp\-sequence\fP
2097-Log TCP sequence numbers. This is a security risk if the log is
2098-readable by users.
2099-.TP
2100-\fB\-\-log\-tcp\-options\fP
2101-Log options from the TCP packet header.
2102-.TP
2103-\fB\-\-log\-ip\-options\fP
2104-Log options from the IP packet header.
2105-.TP
2106-\fB\-\-log\-uid\fP
2107-Log the userid of the process which generated the packet.
2108-.SS MARK
2109-This target is used to set the Netfilter mark value associated with the packet.
2110-It can, for example, be used in conjunction with routing based on fwmark (needs
2111-iproute2). If you plan on doing so, note that the mark needs to be set in the
2112-PREROUTING chain of the mangle table to affect routing.
2113-The mark field is 32 bits wide.
2114-.TP
2115-\fB\-\-set\-xmark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
2116-Zeroes out the bits given by \fImask\fP and XORs \fIvalue\fP into the packet
2117-mark ("nfmark"). If \fImask\fP is omitted, 0xFFFFFFFF is assumed.
2118-.TP
2119-\fB\-\-set\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
2120-Zeroes out the bits given by \fImask\fP and ORs \fIvalue\fP into the packet
2121-mark. If \fImask\fP is omitted, 0xFFFFFFFF is assumed.
2122-.PP
2123-The following mnemonics are available:
2124-.TP
2125-\fB\-\-and\-mark\fP \fIbits\fP
2126-Binary AND the nfmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark
2127-0/\fP\fIinvbits\fP, where \fIinvbits\fP is the binary negation of \fIbits\fP.)
2128-.TP
2129-\fB\-\-or\-mark\fP \fIbits\fP
2130-Binary OR the nfmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP
2131-\fIbits\fP\fB/\fP\fIbits\fP.)
2132-.TP
2133-\fB\-\-xor\-mark\fP \fIbits\fP
2134-Binary XOR the nfmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP
2135-\fIbits\fP\fB/0\fP.)
2136-.SS MASQUERADE
2137-This target is only valid in the
2138-.B nat
2139-table, in the
2140-.B POSTROUTING
2141-chain. It should only be used with dynamically assigned IP (dialup)
2142-connections: if you have a static IP address, you should use the SNAT
2143-target. Masquerading is equivalent to specifying a mapping to the IP
2144-address of the interface the packet is going out, but also has the
2145-effect that connections are
2146-.I forgotten
2147-when the interface goes down. This is the correct behavior when the
2148-next dialup is unlikely to have the same interface address (and hence
2149-any established connections are lost anyway).
2150-.TP
2151-\fB\-\-to\-ports\fP \fIport\fP[\fB\-\fP\fIport\fP]
2152-This specifies a range of source ports to use, overriding the default
2153-.B SNAT
2154-source port-selection heuristics (see above). This is only valid
2155-if the rule also specifies
2156-\fB\-p tcp\fP
2157-or
2158-\fB\-p udp\fP.
2159-.TP
2160-\fB\-\-random\fP
2161-Randomize source port mapping
2162-If option
2163-\fB\-\-random\fP
2164-is used then port mapping will be randomized (kernel >= 2.6.21).
2165-.RS
2166-.PP
2167-.SS MIRROR
2168-This is an experimental demonstration target which inverts the source
2169-and destination fields in the IP header and retransmits the packet.
2170-It is only valid in the
2171-.BR INPUT ,
2172-.B FORWARD
2173-and
2174-.B PREROUTING
2175-chains, and user-defined chains which are only called from those
2176-chains. Note that the outgoing packets are
2177-.B NOT
2178-seen by any packet filtering chains, connection tracking or NAT, to
2179-avoid loops and other problems.
2180-.SS NETMAP
2181-This target allows you to statically map a whole network of addresses onto
2182-another network of addresses. It can only be used from rules in the
2183-.B nat
2184-table.
2185-.TP
2186-\fB\-\-to\fP \fIaddress\fP[\fB/\fP\fImask\fP]
2187-Network address to map to. The resulting address will be constructed in the
2188-following way: All 'one' bits in the mask are filled in from the new `address'.
2189-All bits that are zero in the mask are filled in from the original address.
2190-.SS NFLOG
2191-This target provides logging of matching packets. When this target is
2192-set for a rule, the Linux kernel will pass the packet to the loaded
2193-logging backend to log the packet. This is usually used in combination
2194-with nfnetlink_log as logging backend, which will multicast the packet
2195-through a
2196-.IR netlink
2197-socket to the specified multicast group. One or more userspace processes
2198-may subscribe to the group to receive the packets. Like LOG, this is a
2199-non-terminating target, i.e. rule traversal continues at the next rule.
2200-.TP
2201-\fB\-\-nflog\-group\fP \fInlgroup\fP
2202-The netlink group (0 - 2^16\-1) to which packets are (only applicable for
2203-nfnetlink_log). The default value is 0.
2204-.TP
2205-\fB\-\-nflog\-prefix\fP \fIprefix\fP
2206-A prefix string to include in the log message, up to 64 characters
2207-long, useful for distinguishing messages in the logs.
2208-.TP
2209-\fB\-\-nflog\-range\fP \fIsize\fP
2210-The number of bytes to be copied to userspace (only applicable for
2211-nfnetlink_log). nfnetlink_log instances may specify their own
2212-range, this option overrides it.
2213-.TP
2214-\fB\-\-nflog\-threshold\fP \fIsize\fP
2215-Number of packets to queue inside the kernel before sending them
2216-to userspace (only applicable for nfnetlink_log). Higher values
2217-result in less overhead per packet, but increase delay until the
2218-packets reach userspace. The default value is 1.
2219-.BR
2220-.SS NFQUEUE
2221-This target is an extension of the QUEUE target. As opposed to QUEUE, it allows
2222-you to put a packet into any specific queue, identified by its 16-bit queue
2223-number.
2224-It can only be used with Kernel versions 2.6.14 or later, since it requires
2225-the
2226-.B
2227-nfnetlink_queue
2228-kernel support. The \fBqueue-balance\fP option was added in Linux 2.6.31,
2229-\fBqueue-bypass\fP in 2.6.39.
2230-.TP
2231-\fB\-\-queue\-num\fP \fIvalue\fP
2232-This specifies the QUEUE number to use. Valid queue numbers are 0 to 65535. The default value is 0.
2233-.PP
2234-.TP
2235-\fB\-\-queue\-balance\fP \fIvalue\fP\fB:\fP\fIvalue\fP
2236-This specifies a range of queues to use. Packets are then balanced across the given queues.
2237-This is useful for multicore systems: start multiple instances of the userspace program on
2238-queues x, x+1, .. x+n and use "\-\-queue\-balance \fIx\fP\fB:\fP\fIx+n\fP".
2239-Packets belonging to the same connection are put into the same nfqueue.
2240-.PP
2241-.TP
2242-\fB\-\-queue\-bypass\fP
2243-By default, if no userspace program is listening on an NFQUEUE, then all packets that are to be queued
2244-are dropped. When this option is used, the NFQUEUE rule is silently bypassed instead. The packet
2245-will move on to the next rule.
2246-.SS NOTRACK
2247-This target disables connection tracking for all packets matching that rule.
2248-.PP
2249-It can only be used in the
2250-.B raw
2251-table.
2252-.SS RATEEST
2253-The RATEEST target collects statistics, performs rate estimation calculation
2254-and saves the results for later evaluation using the \fBrateest\fP match.
2255-.TP
2256-\fB\-\-rateest\-name\fP \fIname\fP
2257-Count matched packets into the pool referred to by \fIname\fP, which is freely
2258-choosable.
2259-.TP
2260-\fB\-\-rateest\-interval\fP \fIamount\fP{\fBs\fP|\fBms\fP|\fBus\fP}
2261-Rate measurement interval, in seconds, milliseconds or microseconds.
2262-.TP
2263-\fB\-\-rateest\-ewmalog\fP \fIvalue\fP
2264-Rate measurement averaging time constant.
2265-.SS REDIRECT
2266-This target is only valid in the
2267-.B nat
2268-table, in the
2269-.B PREROUTING
2270-and
2271-.B OUTPUT
2272-chains, and user-defined chains which are only called from those
2273-chains. It redirects the packet to the machine itself by changing the
2274-destination IP to the primary address of the incoming interface
2275-(locally-generated packets are mapped to the 127.0.0.1 address).
2276-.TP
2277-\fB\-\-to\-ports\fP \fIport\fP[\fB\-\fP\fIport\fP]
2278-This specifies a destination port or range of ports to use: without
2279-this, the destination port is never altered. This is only valid
2280-if the rule also specifies
2281-\fB\-p tcp\fP
2282-or
2283-\fB\-p udp\fP.
2284-.TP
2285-\fB\-\-random\fP
2286-If option
2287-\fB\-\-random\fP
2288-is used then port mapping will be randomized (kernel >= 2.6.22).
2289-.RS
2290-.PP
2291-.SS REJECT
2292-This is used to send back an error packet in response to the matched
2293-packet: otherwise it is equivalent to
2294-.B DROP
2295-so it is a terminating TARGET, ending rule traversal.
2296-This target is only valid in the
2297-.BR INPUT ,
2298-.B FORWARD
2299-and
2300-.B OUTPUT
2301-chains, and user-defined chains which are only called from those
2302-chains. The following option controls the nature of the error packet
2303-returned:
2304-.TP
2305-\fB\-\-reject\-with\fP \fItype\fP
2306-The type given can be
2307-\fBicmp\-net\-unreachable\fP,
2308-\fBicmp\-host\-unreachable\fP,
2309-\fBicmp\-port\-unreachable\fP,
2310-\fBicmp\-proto\-unreachable\fP,
2311-\fBicmp\-net\-prohibited\fP,
2312-\fBicmp\-host\-prohibited\fP or
2313-\fBicmp\-admin\-prohibited\fP (*)
2314-which return the appropriate ICMP error message (\fBport\-unreachable\fP is
2315-the default). The option
2316-\fBtcp\-reset\fP
2317-can be used on rules which only match the TCP protocol: this causes a
2318-TCP RST packet to be sent back. This is mainly useful for blocking
2319-.I ident
2320-(113/tcp) probes which frequently occur when sending mail to broken mail
2321-hosts (which won't accept your mail otherwise).
2322-.PP
2323-(*) Using icmp\-admin\-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT
2324-.SS SAME
2325-Similar to SNAT/DNAT depending on chain: it takes a range of addresses
2326-(`\-\-to 1.2.3.4\-1.2.3.7') and gives a client the same
2327-source-/destination-address for each connection.
2328-.PP
2329-N.B.: The DNAT target's \fB\-\-persistent\fP option replaced the SAME target.
2330-.TP
2331-\fB\-\-to\fP \fIipaddr\fP[\fB\-\fP\fIipaddr\fP]
2332-Addresses to map source to. May be specified more than once for
2333-multiple ranges.
2334-.TP
2335-\fB\-\-nodst\fP
2336-Don't use the destination-ip in the calculations when selecting the
2337-new source-ip
2338-.TP
2339-\fB\-\-random\fP
2340-Port mapping will be forcibly randomized to avoid attacks based on
2341-port prediction (kernel >= 2.6.21).
2342-.SS SECMARK
2343-This is used to set the security mark value associated with the
2344-packet for use by security subsystems such as SELinux. It is
2345-valid in the
2346-.B security
2347-table (for backwards compatibility with older kernels, it is also
2348-valid in the
2349-.B mangle
2350-table). The mark is 32 bits wide.
2351-.TP
2352-\fB\-\-selctx\fP \fIsecurity_context\fP
2353-.SS SET
2354-This modules adds and/or deletes entries from IP sets which can be defined
2355-by ipset(8).
2356-.TP
2357-\fB\-\-add\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP...]
2358-add the address(es)/port(s) of the packet to the sets
2359-.TP
2360-\fB\-\-del\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP...]
2361-delete the address(es)/port(s) of the packet from the sets
2362-.IP
2363-where flags are
2364-.BR "src"
2365-and/or
2366-.BR "dst"
2367-specifications and there can be no more than six of them.
2368-.TP
2369-\fB\-\-timeout\fP \fIvalue\fP
2370-when adding entry, the timeout value to use instead of the default
2371-one from the set definition
2372-.TP
2373-\fB\-\-exist\fP
2374-when adding entry if it already exists, reset the timeout value
2375-to the specified one or to the default from the set definition
2376-.PP
2377-Use of -j SET requires that ipset kernel support is provided, which, for
2378-standard kernels, is the case since Linux 2.6.39.
2379-.SS SNAT
2380-This target is only valid in the
2381-.B nat
2382-table, in the
2383-.B POSTROUTING
2384-chain. It specifies that the source address of the packet should be
2385-modified (and all future packets in this connection will also be
2386-mangled), and rules should cease being examined. It takes one type
2387-of option:
2388-.TP
2389-\fB\-\-to\-source\fP [\fIipaddr\fP[\fB\-\fP\fIipaddr\fP]][\fB:\fP\fIport\fP[\fB\-\fP\fIport\fP]]
2390-which can specify a single new source IP address, an inclusive range
2391-of IP addresses, and optionally, a port range (which is only valid if
2392-the rule also specifies
2393-\fB\-p tcp\fP
2394-or
2395-\fB\-p udp\fP).
2396-If no port range is specified, then source ports below 512 will be
2397-mapped to other ports below 512: those between 512 and 1023 inclusive
2398-will be mapped to ports below 1024, and other ports will be mapped to
2399-1024 or above. Where possible, no port alteration will occur.
2400-
2401-In Kernels up to 2.6.10, you can add several \-\-to\-source options. For those
2402-kernels, if you specify more than one source address, either via an address
2403-range or multiple \-\-to\-source options, a simple round-robin (one after another
2404-in cycle) takes place between these addresses.
2405-Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges
2406-anymore.
2407-.TP
2408-\fB\-\-random\fP
2409-If option
2410-\fB\-\-random\fP
2411-is used then port mapping will be randomized (kernel >= 2.6.21).
2412-.TP
2413-\fB\-\-persistent\fP
2414-Gives a client the same source-/destination-address for each connection.
2415-This supersedes the SAME target. Support for persistent mappings is available
2416-from 2.6.29-rc2.
2417-.SS TCPMSS
2418-This target allows to alter the MSS value of TCP SYN packets, to control
2419-the maximum size for that connection (usually limiting it to your
2420-outgoing interface's MTU minus 40 for IPv4 or 60 for IPv6, respectively).
2421-Of course, it can only be used
2422-in conjunction with
2423-\fB\-p tcp\fP.
2424-.PP
2425-This target is used to overcome criminally braindead ISPs or servers
2426-which block "ICMP Fragmentation Needed" or "ICMPv6 Packet Too Big"
2427-packets. The symptoms of this
2428-problem are that everything works fine from your Linux
2429-firewall/router, but machines behind it can never exchange large
2430-packets:
2431-.IP 1. 4
2432-Web browsers connect, then hang with no data received.
2433-.IP 2. 4
2434-Small mail works fine, but large emails hang.
2435-.IP 3. 4
2436-ssh works fine, but scp hangs after initial handshaking.
2437-.PP
2438-Workaround: activate this option and add a rule to your firewall
2439-configuration like:
2440-.IP
2441- iptables \-t mangle \-A FORWARD \-p tcp \-\-tcp\-flags SYN,RST SYN
2442- \-j TCPMSS \-\-clamp\-mss\-to\-pmtu
2443-.TP
2444-\fB\-\-set\-mss\fP \fIvalue\fP
2445-Explicitly sets MSS option to specified value. If the MSS of the packet is
2446-already lower than \fIvalue\fP, it will \fBnot\fP be increased (from Linux
2447-2.6.25 onwards) to avoid more problems with hosts relying on a proper MSS.
2448-.TP
2449-\fB\-\-clamp\-mss\-to\-pmtu\fP
2450-Automatically clamp MSS value to (path_MTU \- 40 for IPv4; \-60 for IPv6).
2451-This may not function as desired where asymmetric routes with differing
2452-path MTU exist \(em the kernel uses the path MTU which it would use to send
2453-packets from itself to the source and destination IP addresses. Prior to
2454-Linux 2.6.25, only the path MTU to the destination IP address was
2455-considered by this option; subsequent kernels also consider the path MTU
2456-to the source IP address.
2457-.PP
2458-These options are mutually exclusive.
2459-.SS TCPOPTSTRIP
2460-This target will strip TCP options off a TCP packet. (It will actually replace
2461-them by NO-OPs.) As such, you will need to add the \fB\-p tcp\fP parameters.
2462-.TP
2463-\fB\-\-strip\-options\fP \fIoption\fP[\fB,\fP\fIoption\fP...]
2464-Strip the given option(s). The options may be specified by TCP option number or
2465-by symbolic name. The list of recognized options can be obtained by calling
2466-iptables with \fB\-j TCPOPTSTRIP \-h\fP.
2467-.SS TEE
2468-The \fBTEE\fP target will clone a packet and redirect this clone to another
2469-machine on the \fBlocal\fP network segment. In other words, the nexthop
2470-must be the target, or you will have to configure the nexthop to forward it
2471-further if so desired.
2472-.TP
2473-\fB\-\-gateway\fP \fIipaddr\fP
2474-Send the cloned packet to the host reachable at the given IP address.
2475-Use of 0.0.0.0 (for IPv4 packets) or :: (IPv6) is invalid.
2476-.PP
2477-To forward all incoming traffic on eth0 to an Network Layer logging box:
2478-.PP
2479-\-t mangle \-A PREROUTING \-i eth0 \-j TEE \-\-gateway 2001:db8::1
2480-.SS TOS
2481-This module sets the Type of Service field in the IPv4 header (including the
2482-"precedence" bits) or the Priority field in the IPv6 header. Note that TOS
2483-shares the same bits as DSCP and ECN. The TOS target is only valid in the
2484-\fBmangle\fP table.
2485-.TP
2486-\fB\-\-set\-tos\fP \fIvalue\fP[\fB/\fP\fImask\fP]
2487-Zeroes out the bits given by \fImask\fP (see NOTE below) and XORs \fIvalue\fP
2488-into the TOS/Priority field. If \fImask\fP is omitted, 0xFF is assumed.
2489-.TP
2490-\fB\-\-set\-tos\fP \fIsymbol\fP
2491-You can specify a symbolic name when using the TOS target for IPv4. It implies
2492-a mask of 0xFF (see NOTE below). The list of recognized TOS names can be
2493-obtained by calling iptables with \fB\-j TOS \-h\fP.
2494-.PP
2495-The following mnemonics are available:
2496-.TP
2497-\fB\-\-and\-tos\fP \fIbits\fP
2498-Binary AND the TOS value with \fIbits\fP. (Mnemonic for \fB\-\-set\-tos
2499-0/\fP\fIinvbits\fP, where \fIinvbits\fP is the binary negation of \fIbits\fP.
2500-See NOTE below.)
2501-.TP
2502-\fB\-\-or\-tos\fP \fIbits\fP
2503-Binary OR the TOS value with \fIbits\fP. (Mnemonic for \fB\-\-set\-tos\fP
2504-\fIbits\fP\fB/\fP\fIbits\fP. See NOTE below.)
2505-.TP
2506-\fB\-\-xor\-tos\fP \fIbits\fP
2507-Binary XOR the TOS value with \fIbits\fP. (Mnemonic for \fB\-\-set\-tos\fP
2508-\fIbits\fP\fB/0\fP. See NOTE below.)
2509-.PP
2510-NOTE: In Linux kernels up to and including 2.6.38, with the exception of
2511-longterm releases 2.6.32 (>=.42), 2.6.33 (>=.15), and 2.6.35 (>=.14), there is
2512-a bug whereby IPv6 TOS mangling does not behave as documented and differs from
2513-the IPv4 version. The TOS mask indicates the bits one wants to zero out, so it
2514-needs to be inverted before applying it to the original TOS field. However, the
2515-aformentioned kernels forgo the inversion which breaks --set-tos and its
2516-mnemonics.
2517-.SS TPROXY
2518-This target is only valid in the \fBmangle\fP table, in the \fBPREROUTING\fP
2519-chain and user-defined chains which are only called from this chain. It
2520-redirects the packet to a local socket without changing the packet header in
2521-any way. It can also change the mark value which can then be used in advanced
2522-routing rules.
2523-It takes three options:
2524-.TP
2525-\fB\-\-on\-port\fP \fIport\fP
2526-This specifies a destination port to use. It is a required option, 0 means the
2527-new destination port is the same as the original. This is only valid if the
2528-rule also specifies \fB\-p tcp\fP or \fB\-p udp\fP.
2529-.TP
2530-\fB\-\-on\-ip\fP \fIaddress\fP
2531-This specifies a destination address to use. By default the address is the IP
2532-address of the incoming interface. This is only valid if the rule also
2533-specifies \fB\-p tcp\fP or \fB\-p udp\fP.
2534-.TP
2535-\fB\-\-tproxy\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
2536-Marks packets with the given value/mask. The fwmark value set here can be used
2537-by advanced routing. (Required for transparent proxying to work: otherwise
2538-these packets will get forwarded, which is probably not what you want.)
2539-.SS TRACE
2540-This target marks packets so that the kernel will log every rule which match
2541-the packets as those traverse the tables, chains, rules.
2542-.PP
2543-A logging backend, such as ip(6)t_LOG or nfnetlink_log, must be loaded for this
2544-to be visible.
2545-The packets are logged with the string prefix:
2546-"TRACE: tablename:chainname:type:rulenum " where type can be "rule" for
2547-plain rule, "return" for implicit rule at the end of a user defined chain
2548-and "policy" for the policy of the built in chains.
2549-.br
2550-It can only be used in the
2551-.BR raw
2552-table.
2553-.SS TTL
2554-This is used to modify the IPv4 TTL header field. The TTL field determines
2555-how many hops (routers) a packet can traverse until it's time to live is
2556-exceeded.
2557-.PP
2558-Setting or incrementing the TTL field can potentially be very dangerous,
2559-so it should be avoided at any cost. This target is only valid in
2560-.B mangle
2561-table.
2562-.PP
2563-.B Don't ever set or increment the value on packets that leave your local network!
2564-.TP
2565-\fB\-\-ttl\-set\fP \fIvalue\fP
2566-Set the TTL value to `value'.
2567-.TP
2568-\fB\-\-ttl\-dec\fP \fIvalue\fP
2569-Decrement the TTL value `value' times.
2570-.TP
2571-\fB\-\-ttl\-inc\fP \fIvalue\fP
2572-Increment the TTL value `value' times.
2573-.SS ULOG
2574-This target provides userspace logging of matching packets. When this
2575-target is set for a rule, the Linux kernel will multicast this packet
2576-through a
2577-.IR netlink
2578-socket. One or more userspace processes may then subscribe to various
2579-multicast groups and receive the packets.
2580-Like LOG, this is a "non-terminating target", i.e. rule traversal
2581-continues at the next rule.
2582-.TP
2583-\fB\-\-ulog\-nlgroup\fP \fInlgroup\fP
2584-This specifies the netlink group (1-32) to which the packet is sent.
2585-Default value is 1.
2586-.TP
2587-\fB\-\-ulog\-prefix\fP \fIprefix\fP
2588-Prefix log messages with the specified prefix; up to 32 characters
2589-long, and useful for distinguishing messages in the logs.
2590-.TP
2591-\fB\-\-ulog\-cprange\fP \fIsize\fP
2592-Number of bytes to be copied to userspace. A value of 0 always copies
2593-the entire packet, regardless of its size. Default is 0.
2594-.TP
2595-\fB\-\-ulog\-qthreshold\fP \fIsize\fP
2596-Number of packet to queue inside kernel. Setting this value to, e.g. 10
2597-accumulates ten packets inside the kernel and transmits them as one
2598-netlink multipart message to userspace. Default is 1 (for backwards
2599-compatibility).
2600-.br
376+iptables can use extended packet matching and target modules.
377+A list of these is available in the \fBiptables\-extensions\fP(8) manpage.
2601378 .SH DIAGNOSTICS
2602379 Various error messages are printed to standard error. The exit code
2603380 is 0 for correct functioning. Errors which appear to be caused by
@@ -2632,8 +409,10 @@ seen previously. So the following options are handled differently:
2632409 .fi
2633410 There are several other changes in iptables.
2634411 .SH SEE ALSO
412+\fBiptables\-apply\fP(8),
2635413 \fBiptables\-save\fP(8),
2636414 \fBiptables\-restore\fP(8),
415+\fBiptables\-extensions\fP(8),
2637416 \fBip6tables\fP(8),
2638417 \fBip6tables\-save\fP(8),
2639418 \fBip6tables\-restore\fP(8),
@@ -2672,4 +451,4 @@ Man page originally written by Herve Eychenne <rv@wallfire.org>.
2672451 .\" .. and most of all, modest ..
2673452 .SH VERSION
2674453 .PP
2675-This manual page applies to iptables @PACKAGE_VERSION@.
454+This manual page applies to iptables 1.4.18.
--- a/patch.original
+++ b/patch.original
@@ -1,8 +1,8 @@
11 diff --git a/manual/iptables/original/man3/libipq.3 b/manual/iptables/original/man3/libipq.3
2-index 1a0984d..a2dfbfb 100644
2+index 611fcdf..e619c23 100644
33 --- a/manual/iptables/original/man3/libipq.3
44 +++ b/manual/iptables/original/man3/libipq.3
5-@@ -48,9 +48,9 @@ and queued for userspace processing via the QUEUE target. For example,
5+@@ -46,9 +46,9 @@ and queued for userspace processing via the QUEUE target. For example,
66 running the following commands:
77 .PP
88 # modprobe iptable_filter
@@ -11,89 +11,6 @@ index 1a0984d..a2dfbfb 100644
1111 # modprobe ip_queue
1212 -.br
1313 +.br
14- # iptables -A OUTPUT -p icmp -j QUEUE
14+ # iptables \-A OUTPUT \-p icmp \-j QUEUE
1515 .PP
1616 will cause any locally generated ICMP packets (e.g. ping output) to
17-diff --git a/manual/iptables/original/man8/ip6tables-restore.8 b/manual/iptables/original/man8/ip6tables-restore.8
18-index 43c1268..55e82ce 100644
19---- a/manual/iptables/original/man8/ip6tables-restore.8
20-+++ b/manual/iptables/original/man8/ip6tables-restore.8
21-@@ -33,7 +33,6 @@ I/O redirection provided by your shell to read from a file
22- restore the values of all packet and byte counters
23- .TP
24- \fB\-n\fR, \fB\-\-noflush\fR
25--.TP
26- don't flush the previous contents of the table. If not specified,
27- .B ip6tables-restore
28- flushes (deletes) all previous contents of the respective IPv6 Table.
29-diff --git a/manual/iptables/original/man8/ip6tables-save.8 b/manual/iptables/original/man8/ip6tables-save.8
30-index c8b3e96..48c70a6 100644
31---- a/manual/iptables/original/man8/ip6tables-save.8
32-+++ b/manual/iptables/original/man8/ip6tables-save.8
33-@@ -33,7 +33,6 @@ to STDOUT. Use I/O-redirection provided by your shell to write to a file.
34- include the current values of all packet and byte counters in the output
35- .TP
36- \fB\-t\fR, \fB\-\-table\fR \fBtablename\fR
37--.TP
38- restrict output to only one table. If not specified, output includes all
39- available tables.
40- .SH BUGS
41-diff --git a/manual/iptables/original/man8/iptables-restore.8 b/manual/iptables/original/man8/iptables-restore.8
42-index e2649e5..e80d943 100644
43---- a/manual/iptables/original/man8/iptables-restore.8
44-+++ b/manual/iptables/original/man8/iptables-restore.8
45-@@ -33,7 +33,6 @@ I/O redirection provided by your shell to read from a file
46- restore the values of all packet and byte counters
47- .TP
48- \fB\-n\fR, \fB\-\-noflush\fR
49--.TP
50- don't flush the previous contents of the table. If not specified,
51- .B iptables-restore
52- flushes (deletes) all previous contents of the respective IP Table.
53-diff --git a/manual/iptables/original/man8/iptables-save.8 b/manual/iptables/original/man8/iptables-save.8
54-index f9c7d65..152e4db 100644
55---- a/manual/iptables/original/man8/iptables-save.8
56-+++ b/manual/iptables/original/man8/iptables-save.8
57-@@ -33,7 +33,6 @@ to STDOUT. Use I/O-redirection provided by your shell to write to a file.
58- include the current values of all packet and byte counters in the output
59- .TP
60- \fB\-t\fR, \fB\-\-table\fR \fBtablename\fR
61--.TP
62- restrict output to only one table. If not specified, output includes all
63- available tables.
64- .SH BUGS
65-diff --git a/manual/iptables/original/man8/iptables.8 b/manual/iptables/original/man8/iptables.8
66-index b79f1ec..258fce3 100644
67---- a/manual/iptables/original/man8/iptables.8
68-+++ b/manual/iptables/original/man8/iptables.8
69-@@ -589,8 +589,8 @@ interface which begins with this name will match. Note that in the
70- chains one cannot match on the bridge output port, however one can in the
71- .B "filter OUTPUT"
72- chain. If the packet won't leave by a bridge device or it is yet unknown what
73--the output device will be, then the packet won't match this option, unless
74--'!' is used.
75-+the output device will be, then the packet won't match this option,
76-+unless '!' is used.
77- .TP
78- .B --physdev-is-in
79- Matches if the packet has entered through a bridge interface.
80-@@ -883,7 +883,8 @@ TCP RST packet to be sent back. This is mainly useful for blocking
81- .I ident
82- (113/tcp) probes which frequently occur when sending mail to broken mail
83- hosts (which won't accept your mail otherwise).
84--.TP
85-+.RS
86-+.PP
87- (*) Using icmp-admin-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT
88- .SS SNAT
89- This target is only valid in the
90-@@ -1021,7 +1022,8 @@ refers to the output interface, and both are available for packets
91- entering the
92- .B FORWARD
93- chain.
94--.PP The various forms of NAT have been separated out;
95-+.PP
96-+The various forms of NAT have been separated out;
97- .B iptables
98- is a pure packet filter when using the default `filter' table, with
99- optional extension modules. This should simplify much of the previous
--- a/translation_list
+++ b/translation_list
@@ -1,19 +1,20 @@
1-×:iptables:1.4.13:2012/03/27:iptables-xml:1:::::
2-×:iptables:1.4.13:2012/03/27:ipq_create_handle:3:::::
3-※:iptables:1.4.13:2012/03/27:ipq_destroy_handle:3:ipq_create_handle:3:
4-×:iptables:1.4.13:2012/03/27:ipq_errstr:3:::::
5-※:iptables:1.4.13:2012/03/27:ipq_get_msgerr:3:ipq_message_type:3:
6-※:iptables:1.4.13:2012/03/27:ipq_get_packet:3:ipq_message_type:3:
7-×:iptables:1.4.13:2012/03/27:ipq_message_type:3:::::
8-※:iptables:1.4.13:2012/03/27:ipq_perror:3:ipq_errstr:3:
9-×:iptables:1.4.13:2012/03/27:ipq_read:3:::::
10-×:iptables:1.4.13:2012/03/27:ipq_set_mode:3:::::
11-×:iptables:1.4.13:2012/03/27:ipq_set_verdict:3:::::
12-×:iptables:1.4.13:2012/03/27:libipq:3:::::
13-☆:iptables:1.2.9=>1.4.13:2012/03/27:ip6tables:8:2004/03/12::ysato444@yahoo.co.jp:Yuichi SATO:
14-☆:iptables:1.2.9=>1.4.13:2012/03/27:ip6tables-restore:8:2003/05/13::ysato444@yahoo.co.jp:Yuichi SATO:
15-☆:iptables:1.2.9=>1.4.13:2012/03/27:ip6tables-save:8:2003/05/13::ysato444@yahoo.co.jp:Yuichi SATO:
16-☆:iptables:1.2.9=>1.4.13:2012/03/27:iptables:8:2004/03/12::ysato444@yahoo.co.jp:Yuichi SATO:
17-×:iptables:1.4.13:2012/03/27:iptables-apply:8:::::
18-☆:iptables:1.2.9=>1.4.13:2012/03/27:iptables-restore:8:2001/05/15::ysato@h4.dion.ne.jp:Yuichi SATO:
19-☆:iptables:1.2.9=>1.4.13:2012/03/27:iptables-save:8:2001/05/15::ysato@h4.dion.ne.jp:Yuichi SATO:
1+×:iptables:1.4.18:2012/03/27:iptables-xml:1:::::
2+×:iptables:1.4.18:2012/03/27:ipq_create_handle:3:::::
3+※:iptables:1.4.18:2012/03/27:ipq_destroy_handle:3:ipq_create_handle:3:
4+×:iptables:1.4.18:2012/03/27:ipq_errstr:3:::::
5+※:iptables:1.4.18:2012/03/27:ipq_get_msgerr:3:ipq_message_type:3:
6+※:iptables:1.4.18:2012/03/27:ipq_get_packet:3:ipq_message_type:3:
7+×:iptables:1.4.18:2012/03/27:ipq_message_type:3:::::
8+※:iptables:1.4.18:2012/03/27:ipq_perror:3:ipq_errstr:3:
9+×:iptables:1.4.18:2012/03/27:ipq_read:3:::::
10+×:iptables:1.4.18:2012/03/27:ipq_set_mode:3:::::
11+×:iptables:1.4.18:2012/03/27:ipq_set_verdict:3:::::
12+×:iptables:1.4.18:2012/03/27:libipq:3:::::
13+☆:iptables:1.2.9=>1.4.18:2013/03/03:ip6tables:8:2004/03/12::ysato444@yahoo.co.jp:Yuichi SATO:
14+☆:iptables:1.2.9=>1.4.18:2013/03/03:ip6tables-restore:8:2003/05/13::ysato444@yahoo.co.jp:Yuichi SATO:
15+☆:iptables:1.2.9=>1.4.18:2012/03/27:ip6tables-save:8:2003/05/13::ysato444@yahoo.co.jp:Yuichi SATO:
16+☆:iptables:1.2.9=>1.4.18:2013/03/03:iptables:8:2004/03/12::ysato444@yahoo.co.jp:Yuichi SATO:
17+×:iptables:1.4.18:2013/03/03:iptables-apply:8:::::
18+×:iptables:1.4.18:2013/03/03:iptables-extensions:8:::::
19+☆:iptables:1.2.9=>1.4.18:2013/03/03:iptables-restore:8:2001/05/15::ysato@h4.dion.ne.jp:Yuichi SATO:
20+☆:iptables:1.2.9=>1.4.18:2012/03/27:iptables-save:8:2001/05/15::ysato@h4.dion.ne.jp:Yuichi SATO:
Show on old repository browser