+++ /dev/null
-.TH iptables-extensions 8 "" "iptables 1.4.21" "iptables 1.4.21"
-.SH NAME
-iptables-extensions \(em list of extensions in the standard iptables distribution
-.SH SYNOPSIS
-\fBip6tables\fP [\fB\-m\fP \fIname\fP [\fImodule-options\fP...]]
-[\fB\-j\fP \fItarget-name\fP [\fItarget-options\fP...]
-.PP
-\fBiptables\fP [\fB\-m\fP \fIname\fP [\fImodule-options\fP...]]
-[\fB\-j\fP \fItarget-name\fP [\fItarget-options\fP...]
-.SH MATCH EXTENSIONS
-iptables can use extended packet matching modules
-with the \fB\-m\fP or \fB\-\-match\fP
-options, followed by the matching module name; after these, various
-extra command line options become available, depending on the specific
-module. You can specify multiple extended match modules in one line,
-and you can use the \fB\-h\fP or \fB\-\-help\fP
-options after the module has been specified to receive help specific
-to that module. The extended match modules are evaluated in the order
-they are specified in the rule.
-.PP
-If the \fB\-p\fP or \fB\-\-protocol\fP was specified and if and only if an
-unknown option is encountered, iptables will try load a match module of the
-same name as the protocol, to try making the option available.
-.\" @MATCH@
-.SS addrtype
-This module matches packets based on their
-.B address type.
-Address types are used within the kernel networking stack and categorize
-addresses into various groups. The exact definition of that group depends on the specific layer three protocol.
-.PP
-The following address types are possible:
-.TP
-.BI "UNSPEC"
-an unspecified address (i.e. 0.0.0.0)
-.TP
-.BI "UNICAST"
-an unicast address
-.TP
-.BI "LOCAL"
-a local address
-.TP
-.BI "BROADCAST"
-a broadcast address
-.TP
-.BI "ANYCAST"
-an anycast packet
-.TP
-.BI "MULTICAST"
-a multicast address
-.TP
-.BI "BLACKHOLE"
-a blackhole address
-.TP
-.BI "UNREACHABLE"
-an unreachable address
-.TP
-.BI "PROHIBIT"
-a prohibited address
-.TP
-.BI "THROW"
-FIXME
-.TP
-.BI "NAT"
-FIXME
-.TP
-.BI "XRESOLVE"
-.TP
-[\fB!\fP] \fB\-\-src\-type\fP \fItype\fP
-Matches if the source address is of given type
-.TP
-[\fB!\fP] \fB\-\-dst\-type\fP \fItype\fP
-Matches if the destination address is of given type
-.TP
-.BI "\-\-limit\-iface\-in"
-The address type checking can be limited to the interface the packet is coming
-in. This option is only valid in the
-.BR PREROUTING ,
-.B INPUT
-and
-.B FORWARD
-chains. It cannot be specified with the
-\fB\-\-limit\-iface\-out\fP
-option.
-.TP
-\fB\-\-limit\-iface\-out\fP
-The address type checking can be limited to the interface the packet is going
-out. This option is only valid in the
-.BR POSTROUTING ,
-.B OUTPUT
-and
-.B FORWARD
-chains. It cannot be specified with the
-\fB\-\-limit\-iface\-in\fP
-option.
-.SS ah (IPv6-specific)
-This module matches the parameters in Authentication header of IPsec packets.
-.TP
-[\fB!\fP] \fB\-\-ahspi\fP \fIspi\fP[\fB:\fP\fIspi\fP]
-Matches SPI.
-.TP
-[\fB!\fP] \fB\-\-ahlen\fP \fIlength\fP
-Total length of this header in octets.
-.TP
-\fB\-\-ahres\fP
-Matches if the reserved field is filled with zero.
-.SS ah (IPv4-specific)
-This module matches the SPIs in Authentication header of IPsec packets.
-.TP
-[\fB!\fP] \fB\-\-ahspi\fP \fIspi\fP[\fB:\fP\fIspi\fP]
-.SS bpf
-Match using Linux Socket Filter. Expects a BPF program in decimal format. This
-is the format generated by the \fBnfbpf_compile\fP utility.
-.TP
-\fB\-\-bytecode\fP \fIcode\fP
-Pass the BPF byte code format (described in the example below).
-.PP
-The code format is similar to the output of the tcpdump -ddd command: one line
-that stores the number of instructions, followed by one line for each
-instruction. Instruction lines follow the pattern 'u16 u8 u8 u32' in decimal
-notation. Fields encode the operation, jump offset if true, jump offset if
-false and generic multiuse field 'K'. Comments are not supported.
-.PP
-For example, to read only packets matching 'ip proto 6', insert the following,
-without the comments or trailing whitespace:
-.IP
-4 # number of instructions
-.br
-48 0 0 9 # load byte ip->proto
-.br
-21 0 1 6 # jump equal IPPROTO_TCP
-.br
-6 0 0 1 # return pass (non-zero)
-.br
-6 0 0 0 # return fail (zero)
-.PP
-You can pass this filter to the bpf match with the following command:
-.IP
-iptables \-A OUTPUT \-m bpf \-\-bytecode '4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0' \-j ACCEPT
-.PP
-Or instead, you can invoke the nfbpf_compile utility.
-.IP
-iptables \-A OUTPUT \-m bpf \-\-bytecode "`nfbpf_compile RAW 'ip proto 6'`" \-j ACCEPT
-.PP
-You may want to learn more about BPF from FreeBSD's bpf(4) manpage.
-.SS cluster
-Allows you to deploy gateway and back-end load-sharing clusters without the
-need of load-balancers.
-.PP
-This match requires that all the nodes see the same packets. Thus, the cluster
-match decides if this node has to handle a packet given the following options:
-.TP
-\fB\-\-cluster\-total\-nodes\fP \fInum\fP
-Set number of total nodes in cluster.
-.TP
-[\fB!\fP] \fB\-\-cluster\-local\-node\fP \fInum\fP
-Set the local node number ID.
-.TP
-[\fB!\fP] \fB\-\-cluster\-local\-nodemask\fP \fImask\fP
-Set the local node number ID mask. You can use this option instead
-of \fB\-\-cluster\-local\-node\fP.
-.TP
-\fB\-\-cluster\-hash\-seed\fP \fIvalue\fP
-Set seed value of the Jenkins hash.
-.PP
-Example:
-.IP
-iptables \-A PREROUTING \-t mangle \-i eth1 \-m cluster
-\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1
-\-\-cluster\-hash\-seed 0xdeadbeef
-\-j MARK \-\-set-mark 0xffff
-.IP
-iptables \-A PREROUTING \-t mangle \-i eth2 \-m cluster
-\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1
-\-\-cluster\-hash\-seed 0xdeadbeef
-\-j MARK -\-set\-mark 0xffff
-.IP
-iptables \-A PREROUTING \-t mangle \-i eth1
-\-m mark ! \-\-mark 0xffff \-j DROP
-.IP
-iptables \-A PREROUTING \-t mangle \-i eth2
-\-m mark ! \-\-mark 0xffff \-j DROP
-.PP
-And the following commands to make all nodes see the same packets:
-.IP
-ip maddr add 01:00:5e:00:01:01 dev eth1
-.IP
-ip maddr add 01:00:5e:00:01:02 dev eth2
-.IP
-arptables \-A OUTPUT \-o eth1 \-\-h\-length 6
-\-j mangle \-\-mangle-mac-s 01:00:5e:00:01:01
-.IP
-arptables \-A INPUT \-i eth1 \-\-h-length 6
-\-\-destination-mac 01:00:5e:00:01:01
-\-j mangle \-\-mangle\-mac\-d 00:zz:yy:xx:5a:27
-.IP
-arptables \-A OUTPUT \-o eth2 \-\-h\-length 6
-\-j mangle \-\-mangle\-mac\-s 01:00:5e:00:01:02
-.IP
-arptables \-A INPUT \-i eth2 \-\-h\-length 6
-\-\-destination\-mac 01:00:5e:00:01:02
-\-j mangle \-\-mangle\-mac\-d 00:zz:yy:xx:5a:27
-.PP
-\fBNOTE\fP: the arptables commands above use mainstream syntax. If you
-are using arptables-jf included in some RedHat, CentOS and Fedora
-versions, you will hit syntax errors. Therefore, you'll have to adapt
-these to the arptables-jf syntax to get them working.
-.PP
-In the case of TCP connections, pickup facility has to be disabled
-to avoid marking TCP ACK packets coming in the reply direction as
-valid.
-.IP
-echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
-.SS comment
-Allows you to add comments (up to 256 characters) to any rule.
-.TP
-\fB\-\-comment\fP \fIcomment\fP
-.TP
-Example:
-iptables \-A INPUT \-i eth1 \-m comment \-\-comment "my local LAN"
-.SS connbytes
-Match by how many bytes or packets a connection (or one of the two
-flows constituting the connection) has transferred so far, or by
-average bytes per packet.
-.PP
-The counters are 64-bit and are thus not expected to overflow ;)
-.PP
-The primary use is to detect long-lived downloads and mark them to be
-scheduled using a lower priority band in traffic control.
-.PP
-The transferred bytes per connection can also be viewed through
-`conntrack \-L` and accessed via ctnetlink.
-.PP
-NOTE that for connections which have no accounting information, the match will
-always return false. The "net.netfilter.nf_conntrack_acct" sysctl flag controls
-whether \fBnew\fP connections will be byte/packet counted. Existing connection
-flows will not be gaining/losing a/the accounting structure when be sysctl flag
-is flipped.
-.TP
-[\fB!\fP] \fB\-\-connbytes\fP \fIfrom\fP[\fB:\fP\fIto\fP]
-match packets from a connection whose packets/bytes/average packet
-size is more than FROM and less than TO bytes/packets. if TO is
-omitted only FROM check is done. "!" is used to match packets not
-falling in the range.
-.TP
-\fB\-\-connbytes\-dir\fP {\fBoriginal\fP|\fBreply\fP|\fBboth\fP}
-which packets to consider
-.TP
-\fB\-\-connbytes\-mode\fP {\fBpackets\fP|\fBbytes\fP|\fBavgpkt\fP}
-whether to check the amount of packets, number of bytes transferred or
-the average size (in bytes) of all packets received so far. Note that
-when "both" is used together with "avgpkt", and data is going (mainly)
-only in one direction (for example HTTP), the average packet size will
-be about half of the actual data packets.
-.TP
-Example:
-iptables .. \-m connbytes \-\-connbytes 10000:100000 \-\-connbytes\-dir both \-\-connbytes\-mode bytes ...
-.SS connlimit
-Allows you to restrict the number of parallel connections to a server per
-client IP address (or client address block).
-.TP
-\fB\-\-connlimit\-upto\fP \fIn\fP
-Match if the number of existing connections is below or equal \fIn\fP.
-.TP
-\fB\-\-connlimit\-above\fP \fIn\fP
-Match if the number of existing connections is above \fIn\fP.
-.TP
-\fB\-\-connlimit\-mask\fP \fIprefix_length\fP
-Group hosts using the prefix length. For IPv4, this must be a number between
-(including) 0 and 32. For IPv6, between 0 and 128. If not specified, the
-maximum prefix length for the applicable protocol is used.
-.TP
-\fB\-\-connlimit\-saddr\fP
-Apply the limit onto the source group. This is the default if
-\-\-connlimit\-daddr is not specified.
-.TP
-\fB\-\-connlimit\-daddr\fP
-Apply the limit onto the destination group.
-.PP
-Examples:
-.TP
-# allow 2 telnet connections per client host
-iptables \-A INPUT \-p tcp \-\-syn \-\-dport 23 \-m connlimit \-\-connlimit\-above 2 \-j REJECT
-.TP
-# you can also match the other way around:
-iptables \-A INPUT \-p tcp \-\-syn \-\-dport 23 \-m connlimit \-\-connlimit\-upto 2 \-j ACCEPT
-.TP
-# limit the number of parallel HTTP requests to 16 per class C sized \
-source network (24 bit netmask)
-iptables \-p tcp \-\-syn \-\-dport 80 \-m connlimit \-\-connlimit\-above 16
-\-\-connlimit\-mask 24 \-j REJECT
-.TP
-# limit the number of parallel HTTP requests to 16 for the link local network
-(ipv6)
-ip6tables \-p tcp \-\-syn \-\-dport 80 \-s fe80::/64 \-m connlimit \-\-connlimit\-above
-16 \-\-connlimit\-mask 64 \-j REJECT
-.TP
-# Limit the number of connections to a particular host:
-ip6tables \-p tcp \-\-syn \-\-dport 49152:65535 \-d 2001:db8::1 \-m connlimit
-\-\-connlimit-above 100 \-j REJECT
-.SS connmark
-This module matches the netfilter mark field associated with a connection
-(which can be set using the \fBCONNMARK\fP target below).
-.TP
-[\fB!\fP] \fB\-\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
-Matches packets in connections with the given mark value (if a mask is
-specified, this is logically ANDed with the mark before the comparison).
-.SS conntrack
-This module, when combined with connection tracking, allows access to the
-connection tracking state for this packet/connection.
-.TP
-[\fB!\fP] \fB\-\-ctstate\fP \fIstatelist\fP
-\fIstatelist\fP is a comma separated list of the connection states to match.
-Possible states are listed below.
-.TP
-[\fB!\fP] \fB\-\-ctproto\fP \fIl4proto\fP
-Layer-4 protocol to match (by number or name)
-.TP
-[\fB!\fP] \fB\-\-ctorigsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP]
-.TP
-[\fB!\fP] \fB\-\-ctorigdst\fP \fIaddress\fP[\fB/\fP\fImask\fP]
-.TP
-[\fB!\fP] \fB\-\-ctreplsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP]
-.TP
-[\fB!\fP] \fB\-\-ctrepldst\fP \fIaddress\fP[\fB/\fP\fImask\fP]
-Match against original/reply source/destination address
-.TP
-[\fB!\fP] \fB\-\-ctorigsrcport\fP \fIport\fP[\fB:\fP\fIport\fP]
-.TP
-[\fB!\fP] \fB\-\-ctorigdstport\fP \fIport\fP[\fB:\fP\fIport\fP]
-.TP
-[\fB!\fP] \fB\-\-ctreplsrcport\fP \fIport\fP[\fB:\fP\fIport\fP]
-.TP
-[\fB!\fP] \fB\-\-ctrepldstport\fP \fIport\fP[\fB:\fP\fIport\fP]
-Match against original/reply source/destination port (TCP/UDP/etc.) or GRE key.
-Matching against port ranges is only supported in kernel versions above 2.6.38.
-.TP
-[\fB!\fP] \fB\-\-ctstatus\fP \fIstatelist\fP
-\fIstatuslist\fP is a comma separated list of the connection statuses to match.
-Possible statuses are listed below.
-.TP
-[\fB!\fP] \fB\-\-ctexpire\fP \fItime\fP[\fB:\fP\fItime\fP]
-Match remaining lifetime in seconds against given value or range of values
-(inclusive)
-.TP
-\fB\-\-ctdir\fP {\fBORIGINAL\fP|\fBREPLY\fP}
-Match packets that are flowing in the specified direction. If this flag is not
-specified at all, matches packets in both directions.
-.PP
-States for \fB\-\-ctstate\fP:
-.TP
-\fBINVALID\fP
-The packet is associated with no known connection.
-.TP
-\fBNEW\fP
-The packet has started a new connection or otherwise associated
-with a connection which has not seen packets in both directions.
-.TP
-\fBESTABLISHED\fP
-The packet is associated with a connection which has seen packets
-in both directions.
-.TP
-\fBRELATED\fP
-The packet is starting a new connection, but is associated with an
-existing connection, such as an FTP data transfer or an ICMP error.
-.TP
-\fBUNTRACKED\fP
-The packet is not tracked at all, which happens if you explicitly untrack it
-by using \-j CT \-\-notrack in the raw table.
-.TP
-\fBSNAT\fP
-A virtual state, matching if the original source address differs from the reply
-destination.
-.TP
-\fBDNAT\fP
-A virtual state, matching if the original destination differs from the reply
-source.
-.PP
-Statuses for \fB\-\-ctstatus\fP:
-.TP
-\fBNONE\fP
-None of the below.
-.TP
-\fBEXPECTED\fP
-This is an expected connection (i.e. a conntrack helper set it up).
-.TP
-\fBSEEN_REPLY\fP
-Conntrack has seen packets in both directions.
-.TP
-\fBASSURED\fP
-Conntrack entry should never be early-expired.
-.TP
-\fBCONFIRMED\fP
-Connection is confirmed: originating packet has left box.
-.SS cpu
-.TP
-[\fB!\fP] \fB\-\-cpu\fP \fInumber\fP
-Match cpu handling this packet. cpus are numbered from 0 to NR_CPUS-1
-Can be used in combination with RPS (Remote Packet Steering) or
-multiqueue NICs to spread network traffic on different queues.
-.PP
-Example:
-.PP
-iptables \-t nat \-A PREROUTING \-p tcp \-\-dport 80 \-m cpu \-\-cpu 0
-\-j REDIRECT \-\-to\-port 8080
-.PP
-iptables \-t nat \-A PREROUTING \-p tcp \-\-dport 80 \-m cpu \-\-cpu 1
-\-j REDIRECT \-\-to\-port 8081
-.PP
-Available since Linux 2.6.36.
-.SS dccp
-.TP
-[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP]
-.TP
-[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP]
-.TP
-[\fB!\fP] \fB\-\-dccp\-types\fP \fImask\fP
-Match when the DCCP packet type is one of 'mask'. 'mask' is a comma-separated
-list of packet types. Packet types are:
-.BR "REQUEST RESPONSE DATA ACK DATAACK CLOSEREQ CLOSE RESET SYNC SYNCACK INVALID" .
-.TP
-[\fB!\fP] \fB\-\-dccp\-option\fP \fInumber\fP
-Match if DCCP option set.
-.SS devgroup
-Match device group of a packets incoming/outgoing interface.
-.TP
-[\fB!\fP] \fB\-\-src\-group\fP \fIname\fP
-Match device group of incoming device
-.TP
-[\fB!\fP] \fB\-\-dst\-group\fP \fIname\fP
-Match device group of outgoing device
-.SS dscp
-This module matches the 6 bit DSCP field within the TOS field in the
-IP header. DSCP has superseded TOS within the IETF.
-.TP
-[\fB!\fP] \fB\-\-dscp\fP \fIvalue\fP
-Match against a numeric (decimal or hex) value [0-63].
-.TP
-[\fB!\fP] \fB\-\-dscp\-class\fP \fIclass\fP
-Match the DiffServ class. This value may be any of the
-BE, EF, AFxx or CSx classes. It will then be converted
-into its according numeric value.
-.SS dst (IPv6-specific)
-This module matches the parameters in Destination Options header
-.TP
-[\fB!\fP] \fB\-\-dst\-len\fP \fIlength\fP
-Total length of this header in octets.
-.TP
-\fB\-\-dst\-opts\fP \fItype\fP[\fB:\fP\fIlength\fP][\fB,\fP\fItype\fP[\fB:\fP\fIlength\fP]...]
-numeric type of option and the length of the option data in octets.
-.SS ecn
-This allows you to match the ECN bits of the IPv4/IPv6 and TCP header. ECN is the Explicit Congestion Notification mechanism as specified in RFC3168
-.TP
-[\fB!\fP] \fB\-\-ecn\-tcp\-cwr\fP
-This matches if the TCP ECN CWR (Congestion Window Received) bit is set.
-.TP
-[\fB!\fP] \fB\-\-ecn\-tcp\-ece\fP
-This matches if the TCP ECN ECE (ECN Echo) bit is set.
-.TP
-[\fB!\fP] \fB\-\-ecn\-ip\-ect\fP \fInum\fP
-This matches a particular IPv4/IPv6 ECT (ECN-Capable Transport). You have to specify
-a number between `0' and `3'.
-.SS esp
-This module matches the SPIs in ESP header of IPsec packets.
-.TP
-[\fB!\fP] \fB\-\-espspi\fP \fIspi\fP[\fB:\fP\fIspi\fP]
-.SS eui64 (IPv6-specific)
-This module matches the EUI-64 part of a stateless autoconfigured IPv6 address.
-It compares the EUI-64 derived from the source MAC address in Ethernet frame
-with the lower 64 bits of the IPv6 source address. But "Universal/Local"
-bit is not compared. This module doesn't match other link layer frame, and
-is only valid in the
-.BR PREROUTING ,
-.BR INPUT
-and
-.BR FORWARD
-chains.
-.SS frag (IPv6-specific)
-This module matches the parameters in Fragment header.
-.TP
-[\fB!\fP] \fB\-\-fragid\fP \fIid\fP[\fB:\fP\fIid\fP]
-Matches the given Identification or range of it.
-.TP
-[\fB!\fP] \fB\-\-fraglen\fP \fIlength\fP
-This option cannot be used with kernel version 2.6.10 or later. The length of
-Fragment header is static and this option doesn't make sense.
-.TP
-\fB\-\-fragres\fP
-Matches if the reserved fields are filled with zero.
-.TP
-\fB\-\-fragfirst\fP
-Matches on the first fragment.
-.TP
-\fB\-\-fragmore\fP
-Matches if there are more fragments.
-.TP
-\fB\-\-fraglast\fP
-Matches if this is the last fragment.
-.SS hashlimit
-\fBhashlimit\fP uses hash buckets to express a rate limiting match (like the
-\fBlimit\fP match) for a group of connections using a \fBsingle\fP iptables
-rule. Grouping can be done per-hostgroup (source and/or destination address)
-and/or per-port. It gives you the ability to express "\fIN\fP packets per time
-quantum per group" or "\fIN\fP bytes per seconds" (see below for some examples).
-.PP
-A hash limit option (\fB\-\-hashlimit\-upto\fP, \fB\-\-hashlimit\-above\fP) and
-\fB\-\-hashlimit\-name\fP are required.
-.TP
-\fB\-\-hashlimit\-upto\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
-Match if the rate is below or equal to \fIamount\fP/quantum. It is specified either as
-a number, with an optional time quantum suffix (the default is 3/hour), or as
-\fIamount\fPb/second (number of bytes per second).
-.TP
-\fB\-\-hashlimit\-above\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
-Match if the rate is above \fIamount\fP/quantum.
-.TP
-\fB\-\-hashlimit\-burst\fP \fIamount\fP
-Maximum initial number of packets to match: this number gets recharged by one
-every time the limit specified above is not reached, up to this number; the
-default is 5. When byte-based rate matching is requested, this option specifies
-the amount of bytes that can exceed the given rate. This option should be used
-with caution -- if the entry expires, the burst value is reset too.
-.TP
-\fB\-\-hashlimit\-mode\fP {\fBsrcip\fP|\fBsrcport\fP|\fBdstip\fP|\fBdstport\fP}\fB,\fP...
-A comma-separated list of objects to take into consideration. If no
-\-\-hashlimit\-mode option is given, hashlimit acts like limit, but at the
-expensive of doing the hash housekeeping.
-.TP
-\fB\-\-hashlimit\-srcmask\fP \fIprefix\fP
-When \-\-hashlimit\-mode srcip is used, all source addresses encountered will be
-grouped according to the given prefix length and the so-created subnet will be
-subject to hashlimit. \fIprefix\fP must be between (inclusive) 0 and 32. Note
-that \-\-hashlimit\-srcmask 0 is basically doing the same thing as not specifying
-srcip for \-\-hashlimit\-mode, but is technically more expensive.
-.TP
-\fB\-\-hashlimit\-dstmask\fP \fIprefix\fP
-Like \-\-hashlimit\-srcmask, but for destination addresses.
-.TP
-\fB\-\-hashlimit\-name\fP \fIfoo\fP
-The name for the /proc/net/ipt_hashlimit/foo entry.
-.TP
-\fB\-\-hashlimit\-htable\-size\fP \fIbuckets\fP
-The number of buckets of the hash table
-.TP
-\fB\-\-hashlimit\-htable\-max\fP \fIentries\fP
-Maximum entries in the hash.
-.TP
-\fB\-\-hashlimit\-htable\-expire\fP \fImsec\fP
-After how many milliseconds do hash entries expire.
-.TP
-\fB\-\-hashlimit\-htable\-gcinterval\fP \fImsec\fP
-How many milliseconds between garbage collection intervals.
-.PP
-Examples:
-.TP
-matching on source host
-"1000 packets per second for every host in 192.168.0.0/16" =>
-\-s 192.168.0.0/16 \-\-hashlimit\-mode srcip \-\-hashlimit\-upto 1000/sec
-.TP
-matching on source port
-"100 packets per second for every service of 192.168.1.1" =>
-\-s 192.168.1.1 \-\-hashlimit\-mode srcport \-\-hashlimit\-upto 100/sec
-.TP
-matching on subnet
-"10000 packets per minute for every /28 subnet (groups of 8 addresses)
-in 10.0.0.0/8" =>
-\-s 10.0.0.0/8 \-\-hashlimit\-mask 28 \-\-hashlimit\-upto 10000/min
-.TP
-matching bytes per second
-"flows exceeding 512kbyte/s" =>
-\-\-hashlimit-mode srcip,dstip,srcport,dstport \-\-hashlimit\-above 512kb/s
-.TP
-matching bytes per second
-"hosts that exceed 512kbyte/s, but permit up to 1Megabytes without matching"
-\-\-hashlimit-mode dstip \-\-hashlimit\-above 512kb/s \-\-hashlimit-burst 1mb
-.SS hbh (IPv6-specific)
-This module matches the parameters in Hop-by-Hop Options header
-.TP
-[\fB!\fP] \fB\-\-hbh\-len\fP \fIlength\fP
-Total length of this header in octets.
-.TP
-\fB\-\-hbh\-opts\fP \fItype\fP[\fB:\fP\fIlength\fP][\fB,\fP\fItype\fP[\fB:\fP\fIlength\fP]...]
-numeric type of option and the length of the option data in octets.
-.SS helper
-This module matches packets related to a specific conntrack-helper.
-.TP
-[\fB!\fP] \fB\-\-helper\fP \fIstring\fP
-Matches packets related to the specified conntrack-helper.
-.RS
-.PP
-string can be "ftp" for packets related to a ftp-session on default port.
-For other ports append \-portnr to the value, ie. "ftp\-2121".
-.PP
-Same rules apply for other conntrack-helpers.
-.RE
-.SS hl (IPv6-specific)
-This module matches the Hop Limit field in the IPv6 header.
-.TP
-[\fB!\fP] \fB\-\-hl\-eq\fP \fIvalue\fP
-Matches if Hop Limit equals \fIvalue\fP.
-.TP
-\fB\-\-hl\-lt\fP \fIvalue\fP
-Matches if Hop Limit is less than \fIvalue\fP.
-.TP
-\fB\-\-hl\-gt\fP \fIvalue\fP
-Matches if Hop Limit is greater than \fIvalue\fP.
-.SS icmp (IPv4-specific)
-This extension can be used if `\-\-protocol icmp' is specified. It
-provides the following option:
-.TP
-[\fB!\fP] \fB\-\-icmp\-type\fP {\fItype\fP[\fB/\fP\fIcode\fP]|\fItypename\fP}
-This allows specification of the ICMP type, which can be a numeric
-ICMP type, type/code pair, or one of the ICMP type names shown by the command
-.nf
- iptables \-p icmp \-h
-.fi
-.SS icmp6 (IPv6-specific)
-This extension can be used if `\-\-protocol ipv6\-icmp' or `\-\-protocol icmpv6' is
-specified. It provides the following option:
-.TP
-[\fB!\fP] \fB\-\-icmpv6\-type\fP \fItype\fP[\fB/\fP\fIcode\fP]|\fItypename\fP
-This allows specification of the ICMPv6 type, which can be a numeric
-ICMPv6
-.IR type ,
-.IR type
-and
-.IR code ,
-or one of the ICMPv6 type names shown by the command
-.nf
- ip6tables \-p ipv6\-icmp \-h
-.fi
-.SS iprange
-This matches on a given arbitrary range of IP addresses.
-.TP
-[\fB!\fP] \fB\-\-src\-range\fP \fIfrom\fP[\fB\-\fP\fIto\fP]
-Match source IP in the specified range.
-.TP
-[\fB!\fP] \fB\-\-dst\-range\fP \fIfrom\fP[\fB\-\fP\fIto\fP]
-Match destination IP in the specified range.
-.SS ipv6header (IPv6-specific)
-This module matches IPv6 extension headers and/or upper layer header.
-.TP
-\fB\-\-soft\fP
-Matches if the packet includes \fBany\fP of the headers specified with
-\fB\-\-header\fP.
-.TP
-[\fB!\fP] \fB\-\-header\fP \fIheader\fP[\fB,\fP\fIheader\fP...]
-Matches the packet which EXACTLY includes all specified headers. The headers
-encapsulated with ESP header are out of scope.
-Possible \fIheader\fP types can be:
-.TP
-\fBhop\fP|\fBhop\-by\-hop\fP
-Hop-by-Hop Options header
-.TP
-\fBdst\fP
-Destination Options header
-.TP
-\fBroute\fP
-Routing header
-.TP
-\fBfrag\fP
-Fragment header
-.TP
-\fBauth\fP
-Authentication header
-.TP
-\fBesp\fP
-Encapsulating Security Payload header
-.TP
-\fBnone\fP
-No Next header which matches 59 in the 'Next Header field' of IPv6 header or
-any IPv6 extension headers
-.TP
-\fBproto\fP
-which matches any upper layer protocol header. A protocol name from
-/etc/protocols and numeric value also allowed. The number 255 is equivalent to
-\fBproto\fP.
-.SS ipvs
-Match IPVS connection properties.
-.TP
-[\fB!\fP] \fB\-\-ipvs\fP
-packet belongs to an IPVS connection
-.TP
-Any of the following options implies \-\-ipvs (even negated)
-.TP
-[\fB!\fP] \fB\-\-vproto\fP \fIprotocol\fP
-VIP protocol to match; by number or name, e.g. "tcp"
-.TP
-[\fB!\fP] \fB\-\-vaddr\fP \fIaddress\fP[\fB/\fP\fImask\fP]
-VIP address to match
-.TP
-[\fB!\fP] \fB\-\-vport\fP \fIport\fP
-VIP port to match; by number or name, e.g. "http"
-.TP
-\fB\-\-vdir\fP {\fBORIGINAL\fP|\fBREPLY\fP}
-flow direction of packet
-.TP
-[\fB!\fP] \fB\-\-vmethod\fP {\fBGATE\fP|\fBIPIP\fP|\fBMASQ\fP}
-IPVS forwarding method used
-.TP
-[\fB!\fP] \fB\-\-vportctl\fP \fIport\fP
-VIP port of the controlling connection to match, e.g. 21 for FTP
-.SS length
-This module matches the length of the layer-3 payload (e.g. layer-4 packet)
-of a packet against a specific value
-or range of values.
-.TP
-[\fB!\fP] \fB\-\-length\fP \fIlength\fP[\fB:\fP\fIlength\fP]
-.SS limit
-This module matches at a limited rate using a token bucket filter.
-A rule using this extension will match until this limit is reached.
-It can be used in combination with the
-.B LOG
-target to give limited logging, for example.
-.PP
-xt_limit has no negation support - you will have to use \-m hashlimit !
-\-\-hashlimit \fIrate\fP in this case whilst omitting \-\-hashlimit\-mode.
-.TP
-\fB\-\-limit\fP \fIrate\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
-Maximum average matching rate: specified as a number, with an optional
-`/second', `/minute', `/hour', or `/day' suffix; the default is
-3/hour.
-.TP
-\fB\-\-limit\-burst\fP \fInumber\fP
-Maximum initial number of packets to match: this number gets
-recharged by one every time the limit specified above is not reached,
-up to this number; the default is 5.
-.SS mac
-.TP
-[\fB!\fP] \fB\-\-mac\-source\fP \fIaddress\fP
-Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX.
-Note that this only makes sense for packets coming from an Ethernet device
-and entering the
-.BR PREROUTING ,
-.B FORWARD
-or
-.B INPUT
-chains.
-.SS mark
-This module matches the netfilter mark field associated with a packet
-(which can be set using the
-.B MARK
-target below).
-.TP
-[\fB!\fP] \fB\-\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
-Matches packets with the given unsigned mark value (if a \fImask\fP is
-specified, this is logically ANDed with the \fImask\fP before the
-comparison).
-.SS mh (IPv6-specific)
-This extension is loaded if `\-\-protocol ipv6\-mh' or `\-\-protocol mh' is
-specified. It provides the following option:
-.TP
-[\fB!\fP] \fB\-\-mh\-type\fP \fItype\fP[\fB:\fP\fItype\fP]
-This allows specification of the Mobility Header(MH) type, which can be
-a numeric MH
-.IR type ,
-.IR type
-or one of the MH type names shown by the command
-.nf
- ip6tables \-p mh \-h
-.fi
-.SS multiport
-This module matches a set of source or destination ports. Up to 15
-ports can be specified. A port range (port:port) counts as two
-ports. It can only be used in conjunction with one of the
-following protocols:
-\fBtcp\fP, \fBudp\fP, \fBudplite\fP, \fBdccp\fP and \fBsctp\fP.
-.TP
-[\fB!\fP] \fB\-\-source\-ports\fP,\fB\-\-sports\fP \fIport\fP[\fB,\fP\fIport\fP|\fB,\fP\fIport\fP\fB:\fP\fIport\fP]...
-Match if the source port is one of the given ports. The flag
-\fB\-\-sports\fP
-is a convenient alias for this option. Multiple ports or port ranges are
-separated using a comma, and a port range is specified using a colon.
-\fB53,1024:65535\fP would therefore match ports 53 and all from 1024 through
-65535.
-.TP
-[\fB!\fP] \fB\-\-destination\-ports\fP,\fB\-\-dports\fP \fIport\fP[\fB,\fP\fIport\fP|\fB,\fP\fIport\fP\fB:\fP\fIport\fP]...
-Match if the destination port is one of the given ports. The flag
-\fB\-\-dports\fP
-is a convenient alias for this option.
-.TP
-[\fB!\fP] \fB\-\-ports\fP \fIport\fP[\fB,\fP\fIport\fP|\fB,\fP\fIport\fP\fB:\fP\fIport\fP]...
-Match if either the source or destination ports are equal to one of
-the given ports.
-.SS nfacct
-The nfacct match provides the extended accounting infrastructure for iptables.
-You have to use this match together with the standalone user-space utility
-.B nfacct(8)
-.PP
-The only option available for this match is the following:
-.TP
-\fB\-\-nfacct\-name\fP \fIname\fP
-This allows you to specify the existing object name that will be use for
-accounting the traffic that this rule-set is matching.
-.PP
-To use this extension, you have to create an accounting object:
-.IP
-nfacct add http\-traffic
-.PP
-Then, you have to attach it to the accounting object via iptables:
-.IP
-iptables \-I INPUT \-p tcp \-\-sport 80 \-m nfacct \-\-nfacct\-name http\-traffic
-.IP
-iptables \-I OUTPUT \-p tcp \-\-dport 80 \-m nfacct \-\-nfacct\-name http\-traffic
-.PP
-Then, you can check for the amount of traffic that the rules match:
-.IP
-nfacct get http\-traffic
-.IP
-{ pkts = 00000000000000000156, bytes = 00000000000000151786 } = http-traffic;
-.PP
-You can obtain
-.B nfacct(8)
-from http://www.netfilter.org or, alternatively, from the git.netfilter.org
-repository.
-.SS osf
-The osf module does passive operating system fingerprinting. This modules
-compares some data (Window Size, MSS, options and their order, TTL, DF,
-and others) from packets with the SYN bit set.
-.TP
-[\fB!\fP] \fB\-\-genre\fP \fIstring\fP
-Match an operating system genre by using a passive fingerprinting.
-.TP
-\fB\-\-ttl\fP \fIlevel\fP
-Do additional TTL checks on the packet to determine the operating system.
-\fIlevel\fP can be one of the following values:
-.IP \(bu 4
-0 - True IP address and fingerprint TTL comparison. This generally works for
-LANs.
-.IP \(bu 4
-1 - Check if the IP header's TTL is less than the fingerprint one. Works for
-globally-routable addresses.
-.IP \(bu 4
-2 - Do not compare the TTL at all.
-.TP
-\fB\-\-log\fP \fIlevel\fP
-Log determined genres into dmesg even if they do not match the desired one.
-\fIlevel\fP can be one of the following values:
-.IP \(bu 4
-0 - Log all matched or unknown signatures
-.IP \(bu 4
-1 - Log only the first one
-.IP \(bu 4
-2 - Log all known matched signatures
-.PP
-You may find something like this in syslog:
-.PP
-Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 ->
-11.22.33.44:139 hops=3 Linux [2.5-2.6:] : 1.2.3.4:42624 -> 1.2.3.5:22 hops=4
-.PP
-OS fingerprints are loadable using the \fBnfnl_osf\fP program. To load
-fingerprints from a file, use:
-.PP
-\fBnfnl_osf -f /usr/share/xtables/pf.os\fP
-.PP
-To remove them again,
-.PP
-\fBnfnl_osf -f /usr/share/xtables/pf.os -d\fP
-.PP
-The fingerprint database can be downlaoded from
-http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os .
-.SS owner
-This module attempts to match various characteristics of the packet creator,
-for locally generated packets. This match is only valid in the OUTPUT and
-POSTROUTING chains. Forwarded packets do not have any socket associated with
-them. Packets from kernel threads do have a socket, but usually no owner.
-.TP
-[\fB!\fP] \fB\-\-uid\-owner\fP \fIusername\fP
-.TP
-[\fB!\fP] \fB\-\-uid\-owner\fP \fIuserid\fP[\fB\-\fP\fIuserid\fP]
-Matches if the packet socket's file structure (if it has one) is owned by the
-given user. You may also specify a numerical UID, or an UID range.
-.TP
-[\fB!\fP] \fB\-\-gid\-owner\fP \fIgroupname\fP
-.TP
-[\fB!\fP] \fB\-\-gid\-owner\fP \fIgroupid\fP[\fB\-\fP\fIgroupid\fP]
-Matches if the packet socket's file structure is owned by the given group.
-You may also specify a numerical GID, or a GID range.
-.TP
-[\fB!\fP] \fB\-\-socket\-exists\fP
-Matches if the packet is associated with a socket.
-.SS physdev
-This module matches on the bridge port input and output devices enslaved
-to a bridge device. This module is a part of the infrastructure that enables
-a transparent bridging IP firewall and is only useful for kernel versions
-above version 2.5.44.
-.TP
-[\fB!\fP] \fB\-\-physdev\-in\fP \fIname\fP
-Name of a bridge port via which a packet is received (only for
-packets entering the
-.BR INPUT ,
-.B FORWARD
-and
-.B PREROUTING
-chains). If the interface name ends in a "+", then any
-interface which begins with this name will match. If the packet didn't arrive
-through a bridge device, this packet won't match this option, unless '!' is used.
-.TP
-[\fB!\fP] \fB\-\-physdev\-out\fP \fIname\fP
-Name of a bridge port via which a packet is going to be sent (for packets
-entering the
-.BR FORWARD ,
-.B OUTPUT
-and
-.B POSTROUTING
-chains). If the interface name ends in a "+", then any
-interface which begins with this name will match. Note that in the
-.BR nat " and " mangle
-.B OUTPUT
-chains one cannot match on the bridge output port, however one can in the
-.B "filter OUTPUT"
-chain. If the packet won't leave by a bridge device or if it is yet unknown what
-the output device will be, then the packet won't match this option,
-unless '!' is used.
-.TP
-[\fB!\fP] \fB\-\-physdev\-is\-in\fP
-Matches if the packet has entered through a bridge interface.
-.TP
-[\fB!\fP] \fB\-\-physdev\-is\-out\fP
-Matches if the packet will leave through a bridge interface.
-.TP
-[\fB!\fP] \fB\-\-physdev\-is\-bridged\fP
-Matches if the packet is being bridged and therefore is not being routed.
-This is only useful in the FORWARD and POSTROUTING chains.
-.SS pkttype
-This module matches the link-layer packet type.
-.TP
-[\fB!\fP] \fB\-\-pkt\-type\fP {\fBunicast\fP|\fBbroadcast\fP|\fBmulticast\fP}
-.SS policy
-This modules matches the policy used by IPsec for handling a packet.
-.TP
-\fB\-\-dir\fP {\fBin\fP|\fBout\fP}
-Used to select whether to match the policy used for decapsulation or the
-policy that will be used for encapsulation.
-.B in
-is valid in the
-.B PREROUTING, INPUT and FORWARD
-chains,
-.B out
-is valid in the
-.B POSTROUTING, OUTPUT and FORWARD
-chains.
-.TP
-\fB\-\-pol\fP {\fBnone\fP|\fBipsec\fP}
-Matches if the packet is subject to IPsec processing. \fB\-\-pol none\fP
-cannot be combined with \fB\-\-strict\fP.
-.TP
-\fB\-\-strict\fP
-Selects whether to match the exact policy or match if any rule of
-the policy matches the given policy.
-.PP
-For each policy element that is to be described, one can use one or more of
-the following options. When \fB\-\-strict\fP is in effect, at least one must be
-used per element.
-.TP
-[\fB!\fP] \fB\-\-reqid\fP \fIid\fP
-Matches the reqid of the policy rule. The reqid can be specified with
-.B setkey(8)
-using
-.B unique:id
-as level.
-.TP
-[\fB!\fP] \fB\-\-spi\fP \fIspi\fP
-Matches the SPI of the SA.
-.TP
-[\fB!\fP] \fB\-\-proto\fP {\fBah\fP|\fBesp\fP|\fBipcomp\fP}
-Matches the encapsulation protocol.
-.TP
-[\fB!\fP] \fB\-\-mode\fP {\fBtunnel\fP|\fBtransport\fP}
-Matches the encapsulation mode.
-.TP
-[\fB!\fP] \fB\-\-tunnel\-src\fP \fIaddr\fP[\fB/\fP\fImask\fP]
-Matches the source end-point address of a tunnel mode SA.
-Only valid with \fB\-\-mode tunnel\fP.
-.TP
-[\fB!\fP] \fB\-\-tunnel\-dst\fP \fIaddr\fP[\fB/\fP\fImask\fP]
-Matches the destination end-point address of a tunnel mode SA.
-Only valid with \fB\-\-mode tunnel\fP.
-.TP
-\fB\-\-next\fP
-Start the next element in the policy specification. Can only be used with
-\fB\-\-strict\fP.
-.SS quota
-Implements network quotas by decrementing a byte counter with each
-packet. The condition matches until the byte counter reaches zero. Behavior
-is reversed with negation (i.e. the condition does not match until the
-byte counter reaches zero).
-.TP
-[\fB!\fP] \fB\-\-quota\fP \fIbytes\fP
-The quota in bytes.
-.SS rateest
-The rate estimator can match on estimated rates as collected by the RATEEST
-target. It supports matching on absolute bps/pps values, comparing two rate
-estimators and matching on the difference between two rate estimators.
-.PP
-For a better understanding of the available options, these are all possible
-combinations:
-.\" * Absolute:
-.IP \(bu 4
-\fBrateest\fP \fIoperator\fP \fBrateest-bps\fP
-.IP \(bu 4
-\fBrateest\fP \fIoperator\fP \fBrateest-pps\fP
-.\" * Absolute + Delta:
-.IP \(bu 4
-(\fBrateest\fP minus \fBrateest-bps1\fP) \fIoperator\fP \fBrateest-bps2\fP
-.IP \(bu 4
-(\fBrateest\fP minus \fBrateest-pps1\fP) \fIoperator\fP \fBrateest-pps2\fP
-.\" * Relative:
-.IP \(bu 4
-\fBrateest1\fP \fIoperator\fP \fBrateest2\fP \fBrateest-bps\fP(without rate!)
-.IP \(bu 4
-\fBrateest1\fP \fIoperator\fP \fBrateest2\fP \fBrateest-pps\fP(without rate!)
-.\" * Relative + Delta:
-.IP \(bu 4
-(\fBrateest1\fP minus \fBrateest-bps1\fP) \fIoperator\fP
-(\fBrateest2\fP minus \fBrateest-bps2\fP)
-.IP \(bu 4
-(\fBrateest1\fP minus \fBrateest-pps1\fP) \fIoperator\fP
-(\fBrateest2\fP minus \fBrateest-pps2\fP)
-.TP
-\fB\-\-rateest\-delta\fP
-For each estimator (either absolute or relative mode), calculate the difference
-between the estimator-determined flow rate and the static value chosen with the
-BPS/PPS options. If the flow rate is higher than the specified BPS/PPS, 0 will
-be used instead of a negative value. In other words, "max(0, rateest#_rate -
-rateest#_bps)" is used.
-.TP
-[\fB!\fP] \fB\-\-rateest\-lt\fP
-Match if rate is less than given rate/estimator.
-.TP
-[\fB!\fP] \fB\-\-rateest\-gt\fP
-Match if rate is greater than given rate/estimator.
-.TP
-[\fB!\fP] \fB\-\-rateest\-eq\fP
-Match if rate is equal to given rate/estimator.
-.PP
-In the so-called "absolute mode", only one rate estimator is used and compared
-against a static value, while in "relative mode", two rate estimators are
-compared against another.
-.TP
-\fB\-\-rateest\fP \fIname\fP
-Name of the one rate estimator for absolute mode.
-.TP
-\fB\-\-rateest1\fP \fIname\fP
-.TP
-\fB\-\-rateest2\fP \fIname\fP
-The names of the two rate estimators for relative mode.
-.TP
-\fB\-\-rateest\-bps\fP [\fIvalue\fP]
-.TP
-\fB\-\-rateest\-pps\fP [\fIvalue\fP]
-.TP
-\fB\-\-rateest\-bps1\fP [\fIvalue\fP]
-.TP
-\fB\-\-rateest\-bps2\fP [\fIvalue\fP]
-.TP
-\fB\-\-rateest\-pps1\fP [\fIvalue\fP]
-.TP
-\fB\-\-rateest\-pps2\fP [\fIvalue\fP]
-Compare the estimator(s) by bytes or packets per second, and compare against
-the chosen value. See the above bullet list for which option is to be used in
-which case. A unit suffix may be used - available ones are: bit, [kmgt]bit,
-[KMGT]ibit, Bps, [KMGT]Bps, [KMGT]iBps.
-.PP
-Example: This is what can be used to route outgoing data connections from an
-FTP server over two lines based on the available bandwidth at the time the data
-connection was started:
-.PP
-# Estimate outgoing rates
-.PP
-iptables \-t mangle \-A POSTROUTING \-o eth0 \-j RATEEST \-\-rateest\-name eth0
-\-\-rateest\-interval 250ms \-\-rateest\-ewma 0.5s
-.PP
-iptables \-t mangle \-A POSTROUTING \-o ppp0 \-j RATEEST \-\-rateest\-name ppp0
-\-\-rateest\-interval 250ms \-\-rateest\-ewma 0.5s
-.PP
-# Mark based on available bandwidth
-.PP
-iptables \-t mangle \-A balance \-m conntrack \-\-ctstate NEW \-m helper \-\-helper ftp
-\-m rateest \-\-rateest\-delta \-\-rateest1 eth0 \-\-rateest\-bps1 2.5mbit \-\-rateest\-gt
-\-\-rateest2 ppp0 \-\-rateest\-bps2 2mbit \-j CONNMARK \-\-set\-mark 1
-.PP
-iptables \-t mangle \-A balance \-m conntrack \-\-ctstate NEW \-m helper \-\-helper ftp
-\-m rateest \-\-rateest\-delta \-\-rateest1 ppp0 \-\-rateest\-bps1 2mbit \-\-rateest\-gt
-\-\-rateest2 eth0 \-\-rateest\-bps2 2.5mbit \-j CONNMARK \-\-set\-mark 2
-.PP
-iptables \-t mangle \-A balance \-j CONNMARK \-\-restore\-mark
-.SS realm (IPv4-specific)
-This matches the routing realm. Routing realms are used in complex routing
-setups involving dynamic routing protocols like BGP.
-.TP
-[\fB!\fP] \fB\-\-realm\fP \fIvalue\fP[\fB/\fP\fImask\fP]
-Matches a given realm number (and optionally mask). If not a number, value
-can be a named realm from /etc/iproute2/rt_realms (mask can not be used in
-that case).
-.SS recent
-Allows you to dynamically create a list of IP addresses and then match against
-that list in a few different ways.
-.PP
-For example, you can create a "badguy" list out of people attempting to connect
-to port 139 on your firewall and then DROP all future packets from them without
-considering them.
-.PP
-\fB\-\-set\fP, \fB\-\-rcheck\fP, \fB\-\-update\fP and \fB\-\-remove\fP are
-mutually exclusive.
-.TP
-\fB\-\-name\fP \fIname\fP
-Specify the list to use for the commands. If no name is given then
-\fBDEFAULT\fP will be used.
-.TP
-[\fB!\fP] \fB\-\-set\fP
-This will add the source address of the packet to the list. If the source
-address is already in the list, this will update the existing entry. This will
-always return success (or failure if \fB!\fP is passed in).
-.TP
-\fB\-\-rsource\fP
-Match/save the source address of each packet in the recent list table. This
-is the default.
-.TP
-\fB\-\-rdest\fP
-Match/save the destination address of each packet in the recent list table.
-.TP
-\fB\-\-mask\fP \fInetmask\fP
-Netmask that will be applied to this recent list.
-.TP
-[\fB!\fP] \fB\-\-rcheck\fP
-Check if the source address of the packet is currently in the list.
-.TP
-[\fB!\fP] \fB\-\-update\fP
-Like \fB\-\-rcheck\fP, except it will update the "last seen" timestamp if it
-matches.
-.TP
-[\fB!\fP] \fB\-\-remove\fP
-Check if the source address of the packet is currently in the list and if so
-that address will be removed from the list and the rule will return true. If
-the address is not found, false is returned.
-.TP
-\fB\-\-seconds\fP \fIseconds\fP
-This option must be used in conjunction with one of \fB\-\-rcheck\fP or
-\fB\-\-update\fP. When used, this will narrow the match to only happen when the
-address is in the list and was seen within the last given number of seconds.
-.TP
-\fB\-\-reap\fP
-This option can only be used in conjunction with \fB\-\-seconds\fP.
-When used, this will cause entries older than the last given number of seconds
-to be purged.
-.TP
-\fB\-\-hitcount\fP \fIhits\fP
-This option must be used in conjunction with one of \fB\-\-rcheck\fP or
-\fB\-\-update\fP. When used, this will narrow the match to only happen when the
-address is in the list and packets had been received greater than or equal to
-the given value. This option may be used along with \fB\-\-seconds\fP to create
-an even narrower match requiring a certain number of hits within a specific
-time frame. The maximum value for the hitcount parameter is given by the
-"ip_pkt_list_tot" parameter of the xt_recent kernel module. Exceeding this
-value on the command line will cause the rule to be rejected.
-.TP
-\fB\-\-rttl\fP
-This option may only be used in conjunction with one of \fB\-\-rcheck\fP or
-\fB\-\-update\fP. When used, this will narrow the match to only happen when the
-address is in the list and the TTL of the current packet matches that of the
-packet which hit the \fB\-\-set\fP rule. This may be useful if you have problems
-with people faking their source address in order to DoS you via this module by
-disallowing others access to your site by sending bogus packets to you.
-.PP
-Examples:
-.IP
-iptables \-A FORWARD \-m recent \-\-name badguy \-\-rcheck \-\-seconds 60 \-j DROP
-.IP
-iptables \-A FORWARD \-p tcp \-i eth0 \-\-dport 139 \-m recent \-\-name badguy \-\-set \-j DROP
-.PP
-\fB/proc/net/xt_recent/*\fP are the current lists of addresses and information
-about each entry of each list.
-.PP
-Each file in \fB/proc/net/xt_recent/\fP can be read from to see the current
-list or written two using the following commands to modify the list:
-.TP
-\fBecho +\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP
-to add \fIaddr\fP to the DEFAULT list
-.TP
-\fBecho \-\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP
-to remove \fIaddr\fP from the DEFAULT list
-.TP
-\fBecho / >/proc/net/xt_recent/DEFAULT\fP
-to flush the DEFAULT list (remove all entries).
-.PP
-The module itself accepts parameters, defaults shown:
-.TP
-\fBip_list_tot\fP=\fI100\fP
-Number of addresses remembered per table.
-.TP
-\fBip_pkt_list_tot\fP=\fI20\fP
-Number of packets per address remembered.
-.TP
-\fBip_list_hash_size\fP=\fI0\fP
-Hash table size. 0 means to calculate it based on ip_list_tot, default: 512.
-.TP
-\fBip_list_perms\fP=\fI0644\fP
-Permissions for /proc/net/xt_recent/* files.
-.TP
-\fBip_list_uid\fP=\fI0\fP
-Numerical UID for ownership of /proc/net/xt_recent/* files.
-.TP
-\fBip_list_gid\fP=\fI0\fP
-Numerical GID for ownership of /proc/net/xt_recent/* files.
-.SS rpfilter
-Performs a reverse path filter test on a packet.
-If a reply to the packet would be sent via the same interface
-that the packet arrived on, the packet will match.
-Note that, unlike the in-kernel rp_filter, packets protected
-by IPSec are not treated specially. Combine this match with
-the policy match if you want this.
-Also, packets arriving via the loopback interface are always permitted.
-This match can only be used in the PREROUTING chain of the raw or mangle table.
-.TP
-\fB\-\-loose\fP
-Used to specifiy that the reverse path filter test should match
-even if the selected output device is not the expected one.
-.TP
-\fB\-\-validmark\fP
-Also use the packets' nfmark value when performing the reverse path route lookup.
-.TP
-\fB\-\-accept\-local\fP
-This will permit packets arriving from the network with a source address that is also
-assigned to the local machine.
-.TP
-\fB\-\-invert\fP
-This will invert the sense of the match. Instead of matching packets that passed the
-reverse path filter test, match those that have failed it.
-.PP
-Example to log and drop packets failing the reverse path filter test:
-
-iptables \-t raw \-N RPFILTER
-
-iptables \-t raw \-A RPFILTER \-m rpfilter \-j RETURN
-
-iptables \-t raw \-A RPFILTER \-m limit \-\-limit 10/minute \-j NFLOG \-\-nflog\-prefix "rpfilter drop"
-
-iptables \-t raw \-A RPFILTER \-j DROP
-
-iptables \-t raw \-A PREROUTING \-j RPFILTER
-
-Example to drop failed packets, without logging:
-
-iptables \-t raw \-A RPFILTER \-m rpfilter \-\-invert \-j DROP
-.SS rt (IPv6-specific)
-Match on IPv6 routing header
-.TP
-[\fB!\fP] \fB\-\-rt\-type\fP \fItype\fP
-Match the type (numeric).
-.TP
-[\fB!\fP] \fB\-\-rt\-segsleft\fP \fInum\fP[\fB:\fP\fInum\fP]
-Match the `segments left' field (range).
-.TP
-[\fB!\fP] \fB\-\-rt\-len\fP \fIlength\fP
-Match the length of this header.
-.TP
-\fB\-\-rt\-0\-res\fP
-Match the reserved field, too (type=0)
-.TP
-\fB\-\-rt\-0\-addrs\fP \fIaddr\fP[\fB,\fP\fIaddr\fP...]
-Match type=0 addresses (list).
-.TP
-\fB\-\-rt\-0\-not\-strict\fP
-List of type=0 addresses is not a strict list.
-.SS sctp
-.TP
-[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP]
-.TP
-[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP]
-.TP
-[\fB!\fP] \fB\-\-chunk\-types\fP {\fBall\fP|\fBany\fP|\fBonly\fP} \fIchunktype\fP[\fB:\fP\fIflags\fP] [...]
-The flag letter in upper case indicates that the flag is to match if set,
-in the lower case indicates to match if unset.
-
-Chunk types: DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK FORWARD_TSN
-
-chunk type available flags
-.br
-DATA I U B E i u b e
-.br
-ABORT T t
-.br
-SHUTDOWN_COMPLETE T t
-
-(lowercase means flag should be "off", uppercase means "on")
-.P
-Examples:
-
-iptables \-A INPUT \-p sctp \-\-dport 80 \-j DROP
-
-iptables \-A INPUT \-p sctp \-\-chunk\-types any DATA,INIT \-j DROP
-
-iptables \-A INPUT \-p sctp \-\-chunk\-types any DATA:Be \-j ACCEPT
-.SS set
-This module matches IP sets which can be defined by ipset(8).
-.TP
-[\fB!\fP] \fB\-\-match\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP]...
-where flags are the comma separated list of
-.BR "src"
-and/or
-.BR "dst"
-specifications and there can be no more than six of them. Hence the command
-.IP
- iptables \-A FORWARD \-m set \-\-match\-set test src,dst
-.IP
-will match packets, for which (if the set type is ipportmap) the source
-address and destination port pair can be found in the specified set. If
-the set type of the specified set is single dimension (for example ipmap),
-then the command will match packets for which the source address can be
-found in the specified set.
-.TP
-\fB\-\-return\-nomatch\fP
-If the \fB\-\-return\-nomatch\fP option is specified and the set type
-supports the \fBnomatch\fP flag, then the matching is reversed: a match
-with an element flagged with \fBnomatch\fP returns \fBtrue\fP, while a
-match with a plain element returns \fBfalse\fP.
-.TP
-\fB!\fP \fB\-\-update\-counters\fP
-If the \fB\-\-update\-counters\fP flag is negated, then the packet and
-byte counters of the matching element in the set won't be updated. Default
-the packet and byte counters are updated.
-.TP
-\fB!\fP \fB\-\-update\-subcounters\fP
-If the \fB\-\-update\-subcounters\fP flag is negated, then the packet and
-byte counters of the matching element in the member set of a list type of
-set won't be updated. Default the packet and byte counters are updated.
-.TP
-[\fB!\fP] \fB\-\-packets\-eq\fP \fIvalue\fP
-If the packet is matched an element in the set, match only if the
-packet counter of the element matches the given value too.
-.TP
-\fB\-\-packets\-lt\fP \fIvalue\fP
-If the packet is matched an element in the set, match only if the
-packet counter of the element is less than the given value as well.
-.TP
-\fB\-\-packets\-gt\fP \fIvalue\fP
-If the packet is matched an element in the set, match only if the
-packet counter of the element is greater than the given value as well.
-.TP
-[\fB!\fP] \fB\-bytes\-eq\fP \fIvalue\fP
-If the packet is matched an element in the set, match only if the
-byte counter of the element matches the given value too.
-.TP
-\fB\-\-bytes\-lt\fP \fIvalue\fP
-If the packet is matched an element in the set, match only if the
-byte counter of the element is less than the given value as well.
-.TP
-\fB\-\-bytes\-gt\fP \fIvalue\fP
-If the packet is matched an element in the set, match only if the
-byte counter of the element is greater than the given value as well.
-.PP
-The packet and byte counters related options and flags are ignored
-when the set was defined without counter support.
-.PP
-The option \fB\-\-match\-set\fP can be replaced by \fB\-\-set\fP if that does
-not clash with an option of other extensions.
-.PP
-Use of -m set requires that ipset kernel support is provided, which, for
-standard kernels, is the case since Linux 2.6.39.
-.SS socket
-This matches if an open TCP/UDP socket can be found by doing a socket lookup on the
-packet. It matches if there is an established or non\-zero bound listening
-socket (possibly with a non\-local address). The lookup is performed using
-the \fBpacket\fP tuple of TCP/UDP packets, or the original TCP/UDP header
-\fBembedded\fP in an ICMP/ICPMv6 error packet.
-.TP
-\fB\-\-transparent\fP
-Ignore non-transparent sockets.
-.TP
-\fB\-\-nowildcard\fP
-Do not ignore sockets bound to 'any' address.
-The socket match won't accept zero\-bound listeners by default, since
-then local services could intercept traffic that would otherwise be forwarded.
-This option therefore has security implications when used to match traffic being
-forwarded to redirect such packets to local machine with policy routing.
-When using the socket match to implement fully transparent
-proxies bound to non\-local addresses it is recommended to use the \-\-transparent
-option instead.
-.PP
-Example (assuming packets with mark 1 are delivered locally):
-.IP
-\-t mangle \-A PREROUTING \-m socket \-\-transparent \-j MARK \-\-set\-mark 1
-.SS state
-The "state" extension is a subset of the "conntrack" module.
-"state" allows access to the connection tracking state for this packet.
-.TP
-[\fB!\fP] \fB\-\-state\fP \fIstate\fP
-Where state is a comma separated list of the connection states to match. Only a
-subset of the states unterstood by "conntrack" are recognized: \fBINVALID\fP,
-\fBESTABLISHED\fP, \fBNEW\fP, \fBRELATED\fP or \fBUNTRACKED\fP. For their
-description, see the "conntrack" heading in this manpage.
-.SS statistic
-This module matches packets based on some statistic condition.
-It supports two distinct modes settable with the
-\fB\-\-mode\fP
-option.
-.PP
-Supported options:
-.TP
-\fB\-\-mode\fP \fImode\fP
-Set the matching mode of the matching rule, supported modes are
-.B random
-and
-.B nth.
-.TP
-[\fB!\fP] \fB\-\-probability\fP \fIp\fP
-Set the probability for a packet to be randomly matched. It only works with the
-\fBrandom\fP mode. \fIp\fP must be within 0.0 and 1.0. The supported
-granularity is in 1/2147483648th increments.
-.TP
-[\fB!\fP] \fB\-\-every\fP \fIn\fP
-Match one packet every nth packet. It works only with the
-.B nth
-mode (see also the
-\fB\-\-packet\fP
-option).
-.TP
-\fB\-\-packet\fP \fIp\fP
-Set the initial counter value (0 <= p <= n\-1, default 0) for the
-.B nth
-mode.
-.SS string
-This modules matches a given string by using some pattern matching strategy. It requires a linux kernel >= 2.6.14.
-.TP
-\fB\-\-algo\fP {\fBbm\fP|\fBkmp\fP}
-Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris)
-.TP
-\fB\-\-from\fP \fIoffset\fP
-Set the offset from which it starts looking for any matching. If not passed, default is 0.
-.TP
-\fB\-\-to\fP \fIoffset\fP
-Set the offset up to which should be scanned. That is, byte \fIoffset\fP-1
-(counting from 0) is the last one that is scanned.
-If not passed, default is the packet size.
-.TP
-[\fB!\fP] \fB\-\-string\fP \fIpattern\fP
-Matches the given pattern.
-.TP
-[\fB!\fP] \fB\-\-hex\-string\fP \fIpattern\fP
-Matches the given pattern in hex notation.
-.TP
-Examples:
-.IP
-# The string pattern can be used for simple text characters.
-.br
-iptables \-A INPUT \-p tcp \-\-dport 80 \-m string \-\-algo bm \-\-string 'GET /index.html' \-j LOG
-.IP
-# The hex string pattern can be used for non-printable characters, like |0D 0A| or |0D0A|.
-.br
-iptables \-p udp \-\-dport 53 \-m string \-\-algo bm \-\-from 40 \-\-to 57 \-\-hex\-string '|03|www|09|netfilter|03|org|00|'
-.SS tcp
-These extensions can be used if `\-\-protocol tcp' is specified. It
-provides the following options:
-.TP
-[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP]
-Source port or port range specification. This can either be a service
-name or a port number. An inclusive range can also be specified,
-using the format \fIfirst\fP\fB:\fP\fIlast\fP.
-If the first port is omitted, "0" is assumed; if the last is omitted,
-"65535" is assumed.
-If the first port is greater than the second one they will be swapped.
-The flag
-\fB\-\-sport\fP
-is a convenient alias for this option.
-.TP
-[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP]
-Destination port or port range specification. The flag
-\fB\-\-dport\fP
-is a convenient alias for this option.
-.TP
-[\fB!\fP] \fB\-\-tcp\-flags\fP \fImask\fP \fIcomp\fP
-Match when the TCP flags are as specified. The first argument \fImask\fP is the
-flags which we should examine, written as a comma-separated list, and
-the second argument \fIcomp\fP is a comma-separated list of flags which must be
-set. Flags are:
-.BR "SYN ACK FIN RST URG PSH ALL NONE" .
-Hence the command
-.nf
- iptables \-A FORWARD \-p tcp \-\-tcp\-flags SYN,ACK,FIN,RST SYN
-.fi
-will only match packets with the SYN flag set, and the ACK, FIN and
-RST flags unset.
-.TP
-[\fB!\fP] \fB\-\-syn\fP
-Only match TCP packets with the SYN bit set and the ACK,RST and FIN bits
-cleared. Such packets are used to request TCP connection initiation;
-for example, blocking such packets coming in an interface will prevent
-incoming TCP connections, but outgoing TCP connections will be
-unaffected.
-It is equivalent to \fB\-\-tcp\-flags SYN,RST,ACK,FIN SYN\fP.
-If the "!" flag precedes the "\-\-syn", the sense of the
-option is inverted.
-.TP
-[\fB!\fP] \fB\-\-tcp\-option\fP \fInumber\fP
-Match if TCP option set.
-.SS tcpmss
-This matches the TCP MSS (maximum segment size) field of the TCP header. You can only use this on TCP SYN or SYN/ACK packets, since the MSS is only negotiated during the TCP handshake at connection startup time.
-.TP
-[\fB!\fP] \fB\-\-mss\fP \fIvalue\fP[\fB:\fP\fIvalue\fP]
-Match a given TCP MSS value or range.
-.SS time
-This matches if the packet arrival time/date is within a given range. All
-options are optional, but are ANDed when specified. All times are interpreted
-as UTC by default.
-.TP
-\fB\-\-datestart\fP \fIYYYY\fP[\fB\-\fP\fIMM\fP[\fB\-\fP\fIDD\fP[\fBT\fP\fIhh\fP[\fB:\fP\fImm\fP[\fB:\fP\fIss\fP]]]]]
-.TP
-\fB\-\-datestop\fP \fIYYYY\fP[\fB\-\fP\fIMM\fP[\fB\-\fP\fIDD\fP[\fBT\fP\fIhh\fP[\fB:\fP\fImm\fP[\fB:\fP\fIss\fP]]]]]
-Only match during the given time, which must be in ISO 8601 "T" notation.
-The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07.
-.IP
-If \-\-datestart or \-\-datestop are not specified, it will default to 1970-01-01
-and 2038-01-19, respectively.
-.TP
-\fB\-\-timestart\fP \fIhh\fP\fB:\fP\fImm\fP[\fB:\fP\fIss\fP]
-.TP
-\fB\-\-timestop\fP \fIhh\fP\fB:\fP\fImm\fP[\fB:\fP\fIss\fP]
-Only match during the given daytime. The possible time range is 00:00:00 to
-23:59:59. Leading zeroes are allowed (e.g. "06:03") and correctly interpreted
-as base-10.
-.TP
-[\fB!\fP] \fB\-\-monthdays\fP \fIday\fP[\fB,\fP\fIday\fP...]
-Only match on the given days of the month. Possible values are \fB1\fP
-to \fB31\fP. Note that specifying \fB31\fP will of course not match
-on months which do not have a 31st day; the same goes for 28- or 29-day
-February.
-.TP
-[\fB!\fP] \fB\-\-weekdays\fP \fIday\fP[\fB,\fP\fIday\fP...]
-Only match on the given weekdays. Possible values are \fBMon\fP, \fBTue\fP,
-\fBWed\fP, \fBThu\fP, \fBFri\fP, \fBSat\fP, \fBSun\fP, or values from \fB1\fP
-to \fB7\fP, respectively. You may also use two-character variants (\fBMo\fP,
-\fBTu\fP, etc.).
-.TP
-\fB\-\-contiguous\fP
-When \fB\-\-timestop\fP is smaller than \fB\-\-timestart\fP value, match
-this as a single time period instead distinct intervals. See EXAMPLES.
-.TP
-\fB\-\-kerneltz\fP
-Use the kernel timezone instead of UTC to determine whether a packet meets the
-time regulations.
-.PP
-About kernel timezones: Linux keeps the system time in UTC, and always does so.
-On boot, system time is initialized from a referential time source. Where this
-time source has no timezone information, such as the x86 CMOS RTC, UTC will be
-assumed. If the time source is however not in UTC, userspace should provide the
-correct system time and timezone to the kernel once it has the information.
-.PP
-Local time is a feature on top of the (timezone independent) system time. Each
-process has its own idea of local time, specified via the TZ environment
-variable. The kernel also has its own timezone offset variable. The TZ
-userspace environment variable specifies how the UTC-based system time is
-displayed, e.g. when you run date(1), or what you see on your desktop clock.
-The TZ string may resolve to different offsets at different dates, which is
-what enables the automatic time-jumping in userspace. when DST changes. The
-kernel's timezone offset variable is used when it has to convert between
-non-UTC sources, such as FAT filesystems, to UTC (since the latter is what the
-rest of the system uses).
-.PP
-The caveat with the kernel timezone is that Linux distributions may ignore to
-set the kernel timezone, and instead only set the system time. Even if a
-particular distribution does set the timezone at boot, it is usually does not
-keep the kernel timezone offset - which is what changes on DST - up to date.
-ntpd will not touch the kernel timezone, so running it will not resolve the
-issue. As such, one may encounter a timezone that is always +0000, or one that
-is wrong half of the time of the year. As such, \fBusing \-\-kerneltz is highly
-discouraged.\fP
-.PP
-EXAMPLES. To match on weekends, use:
-.IP
-\-m time \-\-weekdays Sa,Su
-.PP
-Or, to match (once) on a national holiday block:
-.IP
-\-m time \-\-datestart 2007\-12\-24 \-\-datestop 2007\-12\-27
-.PP
-Since the stop time is actually inclusive, you would need the following stop
-time to not match the first second of the new day:
-.IP
-\-m time \-\-datestart 2007\-01\-01T17:00 \-\-datestop 2007\-01\-01T23:59:59
-.PP
-During lunch hour:
-.IP
-\-m time \-\-timestart 12:30 \-\-timestop 13:30
-.PP
-The fourth Friday in the month:
-.IP
-\-m time \-\-weekdays Fr \-\-monthdays 22,23,24,25,26,27,28
-.PP
-(Note that this exploits a certain mathematical property. It is not possible to
-say "fourth Thursday OR fourth Friday" in one rule. It is possible with
-multiple rules, though.)
-.PP
-Matching across days might not do what is expected. For instance,
-.IP
-\-m time \-\-weekdays Mo \-\-timestart 23:00 \-\-timestop 01:00
-Will match Monday, for one hour from midnight to 1 a.m., and then
-again for another hour from 23:00 onwards. If this is unwanted, e.g. if you
-would like 'match for two hours from Montay 23:00 onwards' you need to also specify
-the \-\-contiguous option in the example above.
-.SS tos
-This module matches the 8-bit Type of Service field in the IPv4 header (i.e.
-including the "Precedence" bits) or the (also 8-bit) Priority field in the IPv6
-header.
-.TP
-[\fB!\fP] \fB\-\-tos\fP \fIvalue\fP[\fB/\fP\fImask\fP]
-Matches packets with the given TOS mark value. If a mask is specified, it is
-logically ANDed with the TOS mark before the comparison.
-.TP
-[\fB!\fP] \fB\-\-tos\fP \fIsymbol\fP
-You can specify a symbolic name when using the tos match for IPv4. The list of
-recognized TOS names can be obtained by calling iptables with \fB\-m tos \-h\fP.
-Note that this implies a mask of 0x3F, i.e. all but the ECN bits.
-.SS ttl (IPv4-specific)
-This module matches the time to live field in the IP header.
-.TP
-[\fB!\fP] \fB\-\-ttl\-eq\fP \fIttl\fP
-Matches the given TTL value.
-.TP
-\fB\-\-ttl\-gt\fP \fIttl\fP
-Matches if TTL is greater than the given TTL value.
-.TP
-\fB\-\-ttl\-lt\fP \fIttl\fP
-Matches if TTL is less than the given TTL value.
-.SS u32
-U32 tests whether quantities of up to 4 bytes extracted from a packet have
-specified values. The specification of what to extract is general enough to
-find data at given offsets from tcp headers or payloads.
-.TP
-[\fB!\fP] \fB\-\-u32\fP \fItests\fP
-The argument amounts to a program in a small language described below.
-.IP
-tests := location "=" value | tests "&&" location "=" value
-.IP
-value := range | value "," range
-.IP
-range := number | number ":" number
-.PP
-a single number, \fIn\fP, is interpreted the same as \fIn:n\fP. \fIn:m\fP is
-interpreted as the range of numbers \fB>=n\fP and \fB<=m\fP.
-.IP "" 4
-location := number | location operator number
-.IP "" 4
-operator := "&" | "<<" | ">>" | "@"
-.PP
-The operators \fB&\fP, \fB<<\fP, \fB>>\fP and \fB&&\fP mean the same as in C.
-The \fB=\fP is really a set membership operator and the value syntax describes
-a set. The \fB@\fP operator is what allows moving to the next header and is
-described further below.
-.PP
-There are currently some artificial implementation limits on the size of the
-tests:
-.IP " *"
-no more than 10 of "\fB=\fP" (and 9 "\fB&&\fP"s) in the u32 argument
-.IP " *"
-no more than 10 ranges (and 9 commas) per value
-.IP " *"
-no more than 10 numbers (and 9 operators) per location
-.PP
-To describe the meaning of location, imagine the following machine that
-interprets it. There are three registers:
-.IP
-A is of type \fBchar *\fP, initially the address of the IP header
-.IP
-B and C are unsigned 32 bit integers, initially zero
-.PP
-The instructions are:
-.IP
-number B = number;
-.IP
-C = (*(A+B)<<24) + (*(A+B+1)<<16) + (*(A+B+2)<<8) + *(A+B+3)
-.IP
-&number C = C & number
-.IP
-<< number C = C << number
-.IP
->> number C = C >> number
-.IP
-@number A = A + C; then do the instruction number
-.PP
-Any access of memory outside [skb\->data,skb\->end] causes the match to fail.
-Otherwise the result of the computation is the final value of C.
-.PP
-Whitespace is allowed but not required in the tests. However, the characters
-that do occur there are likely to require shell quoting, so it is a good idea
-to enclose the arguments in quotes.
-.PP
-Example:
-.IP
-match IP packets with total length >= 256
-.IP
-The IP header contains a total length field in bytes 2-3.
-.IP
-\-\-u32 "\fB0 & 0xFFFF = 0x100:0xFFFF\fP"
-.IP
-read bytes 0-3
-.IP
-AND that with 0xFFFF (giving bytes 2-3), and test whether that is in the range
-[0x100:0xFFFF]
-.PP
-Example: (more realistic, hence more complicated)
-.IP
-match ICMP packets with icmp type 0
-.IP
-First test that it is an ICMP packet, true iff byte 9 (protocol) = 1
-.IP
-\-\-u32 "\fB6 & 0xFF = 1 &&\fP ...
-.IP
-read bytes 6-9, use \fB&\fP to throw away bytes 6-8 and compare the result to
-1. Next test that it is not a fragment. (If so, it might be part of such a
-packet but we cannot always tell.) N.B.: This test is generally needed if you
-want to match anything beyond the IP header. The last 6 bits of byte 6 and all
-of byte 7 are 0 iff this is a complete packet (not a fragment). Alternatively,
-you can allow first fragments by only testing the last 5 bits of byte 6.
-.IP
- ... \fB4 & 0x3FFF = 0 &&\fP ...
-.IP
-Last test: the first byte past the IP header (the type) is 0. This is where we
-have to use the @syntax. The length of the IP header (IHL) in 32 bit words is
-stored in the right half of byte 0 of the IP header itself.
-.IP
- ... \fB0 >> 22 & 0x3C @ 0 >> 24 = 0\fP"
-.IP
-The first 0 means read bytes 0-3, \fB>>22\fP means shift that 22 bits to the
-right. Shifting 24 bits would give the first byte, so only 22 bits is four
-times that plus a few more bits. \fB&3C\fP then eliminates the two extra bits
-on the right and the first four bits of the first byte. For instance, if IHL=5,
-then the IP header is 20 (4 x 5) bytes long. In this case, bytes 0-1 are (in
-binary) xxxx0101 yyzzzzzz, \fB>>22\fP gives the 10 bit value xxxx0101yy and
-\fB&3C\fP gives 010100. \fB@\fP means to use this number as a new offset into
-the packet, and read four bytes starting from there. This is the first 4 bytes
-of the ICMP payload, of which byte 0 is the ICMP type. Therefore, we simply
-shift the value 24 to the right to throw out all but the first byte and compare
-the result with 0.
-.PP
-Example:
-.IP
-TCP payload bytes 8-12 is any of 1, 2, 5 or 8
-.IP
-First we test that the packet is a tcp packet (similar to ICMP).
-.IP
-\-\-u32 "\fB6 & 0xFF = 6 &&\fP ...
-.IP
-Next, test that it is not a fragment (same as above).
-.IP
- ... \fB0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 8 = 1,2,5,8\fP"
-.IP
-\fB0>>22&3C\fP as above computes the number of bytes in the IP header. \fB@\fP
-makes this the new offset into the packet, which is the start of the TCP
-header. The length of the TCP header (again in 32 bit words) is the left half
-of byte 12 of the TCP header. The \fB12>>26&3C\fP computes this length in bytes
-(similar to the IP header before). "@" makes this the new offset, which is the
-start of the TCP payload. Finally, 8 reads bytes 8-12 of the payload and
-\fB=\fP checks whether the result is any of 1, 2, 5 or 8.
-.SS udp
-These extensions can be used if `\-\-protocol udp' is specified. It
-provides the following options:
-.TP
-[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP]
-Source port or port range specification.
-See the description of the
-\fB\-\-source\-port\fP
-option of the TCP extension for details.
-.TP
-[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP]
-Destination port or port range specification.
-See the description of the
-\fB\-\-destination\-port\fP
-option of the TCP extension for details.
-.SS unclean (IPv4-specific)
-This module takes no options, but attempts to match packets which seem
-malformed or unusual. This is regarded as experimental.
-.SH TARGET EXTENSIONS
-iptables can use extended target modules: the following are included
-in the standard distribution.
-.\" @TARGET@
-.SS AUDIT
-This target allows to create audit records for packets hitting the target.
-It can be used to record accepted, dropped, and rejected packets. See
-auditd(8) for additional details.
-.TP
-\fB\-\-type\fP {\fBaccept\fP|\fBdrop\fP|\fBreject\fP}
-Set type of audit record.
-.PP
-Example:
-.IP
-iptables \-N AUDIT_DROP
-.IP
-iptables \-A AUDIT_DROP \-j AUDIT \-\-type drop
-.IP
-iptables \-A AUDIT_DROP \-j DROP
-.SS CHECKSUM
-This target allows to selectively work around broken/old applications.
-It can only be used in the mangle table.
-.TP
-\fB\-\-checksum\-fill\fP
-Compute and fill in the checksum in a packet that lacks a checksum.
-This is particularly useful, if you need to work around old applications
-such as dhcp clients, that do not work well with checksum offloads,
-but don't want to disable checksum offload in your device.
-.SS CLASSIFY
-This module allows you to set the skb\->priority value (and thus classify the packet into a specific CBQ class).
-.TP
-\fB\-\-set\-class\fP \fImajor\fP\fB:\fP\fIminor\fP
-Set the major and minor class value. The values are always interpreted as
-hexadecimal even if no 0x prefix is given.
-.SS CLUSTERIP (IPv4-specific)
-This module allows you to configure a simple cluster of nodes that share
-a certain IP and MAC address without an explicit load balancer in front of
-them. Connections are statically distributed between the nodes in this
-cluster.
-.TP
-\fB\-\-new\fP
-Create a new ClusterIP. You always have to set this on the first rule
-for a given ClusterIP.
-.TP
-\fB\-\-hashmode\fP \fImode\fP
-Specify the hashing mode. Has to be one of
-\fBsourceip\fP, \fBsourceip\-sourceport\fP, \fBsourceip\-sourceport\-destport\fP.
-.TP
-\fB\-\-clustermac\fP \fImac\fP
-Specify the ClusterIP MAC address. Has to be a link\-layer multicast address
-.TP
-\fB\-\-total\-nodes\fP \fInum\fP
-Number of total nodes within this cluster.
-.TP
-\fB\-\-local\-node\fP \fInum\fP
-Local node number within this cluster.
-.TP
-\fB\-\-hash\-init\fP \fIrnd\fP
-Specify the random seed used for hash initialization.
-.SS CONNMARK
-This module sets the netfilter mark value associated with a connection. The
-mark is 32 bits wide.
-.TP
-\fB\-\-set\-xmark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
-Zero out the bits given by \fImask\fP and XOR \fIvalue\fP into the ctmark.
-.TP
-\fB\-\-save\-mark\fP [\fB\-\-nfmask\fP \fInfmask\fP] [\fB\-\-ctmask\fP \fIctmask\fP]
-Copy the packet mark (nfmark) to the connection mark (ctmark) using the given
-masks. The new nfmark value is determined as follows:
-.IP
-ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)
-.IP
-i.e. \fIctmask\fP defines what bits to clear and \fInfmask\fP what bits of the
-nfmark to XOR into the ctmark. \fIctmask\fP and \fInfmask\fP default to
-0xFFFFFFFF.
-.TP
-\fB\-\-restore\-mark\fP [\fB\-\-nfmask\fP \fInfmask\fP] [\fB\-\-ctmask\fP \fIctmask\fP]
-Copy the connection mark (ctmark) to the packet mark (nfmark) using the given
-masks. The new ctmark value is determined as follows:
-.IP
-nfmark = (nfmark & ~\fInfmask\fP) ^ (ctmark & \fIctmask\fP);
-.IP
-i.e. \fInfmask\fP defines what bits to clear and \fIctmask\fP what bits of the
-ctmark to XOR into the nfmark. \fIctmask\fP and \fInfmask\fP default to
-0xFFFFFFFF.
-.IP
-\fB\-\-restore\-mark\fP is only valid in the \fBmangle\fP table.
-.PP
-The following mnemonics are available for \fB\-\-set\-xmark\fP:
-.TP
-\fB\-\-and\-mark\fP \fIbits\fP
-Binary AND the ctmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark
-0/\fP\fIinvbits\fP, where \fIinvbits\fP is the binary negation of \fIbits\fP.)
-.TP
-\fB\-\-or\-mark\fP \fIbits\fP
-Binary OR the ctmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP
-\fIbits\fP\fB/\fP\fIbits\fP.)
-.TP
-\fB\-\-xor\-mark\fP \fIbits\fP
-Binary XOR the ctmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP
-\fIbits\fP\fB/0\fP.)
-.TP
-\fB\-\-set\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
-Set the connection mark. If a mask is specified then only those bits set in the
-mask are modified.
-.TP
-\fB\-\-save\-mark\fP [\fB\-\-mask\fP \fImask\fP]
-Copy the nfmark to the ctmark. If a mask is specified, only those bits are
-copied.
-.TP
-\fB\-\-restore\-mark\fP [\fB\-\-mask\fP \fImask\fP]
-Copy the ctmark to the nfmark. If a mask is specified, only those bits are
-copied. This is only valid in the \fBmangle\fP table.
-.SS CONNSECMARK
-This module copies security markings from packets to connections
-(if unlabeled), and from connections back to packets (also only
-if unlabeled). Typically used in conjunction with SECMARK, it is
-valid in the
-.B security
-table (for backwards compatibility with older kernels, it is also
-valid in the
-.B mangle
-table).
-.TP
-\fB\-\-save\fP
-If the packet has a security marking, copy it to the connection
-if the connection is not marked.
-.TP
-\fB\-\-restore\fP
-If the packet does not have a security marking, and the connection
-does, copy the security marking from the connection to the packet.
-
-.SS CT
-The CT target allows to set parameters for a packet or its associated
-connection. The target attaches a "template" connection tracking entry to
-the packet, which is then used by the conntrack core when initializing
-a new ct entry. This target is thus only valid in the "raw" table.
-.TP
-\fB\-\-notrack\fP
-Disables connection tracking for this packet.
-.TP
-\fB\-\-helper\fP \fIname\fP
-Use the helper identified by \fIname\fP for the connection. This is more
-flexible than loading the conntrack helper modules with preset ports.
-.TP
-\fB\-\-ctevents\fP \fIevent\fP[\fB,\fP...]
-Only generate the specified conntrack events for this connection. Possible
-event types are: \fBnew\fP, \fBrelated\fP, \fBdestroy\fP, \fBreply\fP,
-\fBassured\fP, \fBprotoinfo\fP, \fBhelper\fP, \fBmark\fP (this refers to
-the ctmark, not nfmark), \fBnatseqinfo\fP, \fBsecmark\fP (ctsecmark).
-.TP
-\fB\-\-expevents\fP \fIevent\fP[\fB,\fP...]
-Only generate the specified expectation events for this connection.
-Possible event types are: \fBnew\fP.
-.TP
-\fB\-\-zone\fP \fIid\fP
-Assign this packet to zone \fIid\fP and only have lookups done in that zone.
-By default, packets have zone 0.
-.TP
-\fB\-\-timeout\fP \fIname\fP
-Use the timeout policy identified by \fIname\fP for the connection. This is
-provides more flexible timeout policy definition than global timeout values
-available at /proc/sys/net/netfilter/nf_conntrack_*_timeout_*.
-.SS DNAT
-This target is only valid in the
-.B nat
-table, in the
-.B PREROUTING
-and
-.B OUTPUT
-chains, and user-defined chains which are only called from those
-chains. It specifies that the destination address of the packet
-should be modified (and all future packets in this connection will
-also be mangled), and rules should cease being examined. It takes the
-following options:
-.TP
-\fB\-\-to\-destination\fP [\fIipaddr\fP[\fB\-\fP\fIipaddr\fP]][\fB:\fP\fIport\fP[\fB\-\fP\fIport\fP]]
-which can specify a single new destination IP address, an inclusive
-range of IP addresses. Optionally a port range,
-if the rule also specifies one of the following protocols:
-\fBtcp\fP, \fBudp\fP, \fBdccp\fP or \fBsctp\fP.
-If no port range is specified, then the destination port will never be
-modified. If no IP address is specified then only the destination port
-will be modified.
-In Kernels up to 2.6.10 you can add several \-\-to\-destination options. For
-those kernels, if you specify more than one destination address, either via an
-address range or multiple \-\-to\-destination options, a simple round-robin (one
-after another in cycle) load balancing takes place between these addresses.
-Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges
-anymore.
-.TP
-\fB\-\-random\fP
-If option
-\fB\-\-random\fP
-is used then port mapping will be randomized (kernel >= 2.6.22).
-.TP
-\fB\-\-persistent\fP
-Gives a client the same source-/destination-address for each connection.
-This supersedes the SAME target. Support for persistent mappings is available
-from 2.6.29-rc2.
-.TP
-IPv6 support available since Linux kernels >= 3.7.
-.SS DNPT (IPv6-specific)
-Provides stateless destination IPv6-to-IPv6 Network Prefix Translation (as
-described by RFC 6296).
-.PP
-You have to use this target in the
-.B mangle
-table, not in the
-.B nat
-table. It takes the following options:
-.TP
-\fB\-\-src\-pfx\fP [\fIprefix/\fP\fIlength]
-Set source prefix that you want to translate and length
-.TP
-\fB\-\-dst\-pfx\fP [\fIprefix/\fP\fIlength]
-Set destination prefix that you want to use in the translation and length
-.PP
-You have to use the SNPT target to undo the translation. Example:
-.IP
-ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 \! \-o vboxnet0
-\-j SNPT \-\-src-pfx fd00::/64 \-\-dst-pfx 2001:e20:2000:40f::/64
-.IP
-ip6tables \-t mangle \-I PREROUTING \-i wlan0 \-d 2001:e20:2000:40f::/64
-\-j DNPT \-\-src-pfx 2001:e20:2000:40f::/64 \-\-dst-pfx fd00::/64
-.PP
-You may need to enable IPv6 neighbor proxy:
-.IP
-sysctl -w net.ipv6.conf.all.proxy_ndp=1
-.PP
-You also have to use the
-.B NOTRACK
-target to disable connection tracking for translated flows.
-.SS DSCP
-This target allows to alter the value of the DSCP bits within the TOS
-header of the IPv4 packet. As this manipulates a packet, it can only
-be used in the mangle table.
-.TP
-\fB\-\-set\-dscp\fP \fIvalue\fP
-Set the DSCP field to a numerical value (can be decimal or hex)
-.TP
-\fB\-\-set\-dscp\-class\fP \fIclass\fP
-Set the DSCP field to a DiffServ class.
-.SS ECN (IPv4-specific)
-This target allows to selectively work around known ECN blackholes.
-It can only be used in the mangle table.
-.TP
-\fB\-\-ecn\-tcp\-remove\fP
-Remove all ECN bits from the TCP header. Of course, it can only be used
-in conjunction with
-\fB\-p tcp\fP.
-.SS HL (IPv6-specific)
-This is used to modify the Hop Limit field in IPv6 header. The Hop Limit field
-is similar to what is known as TTL value in IPv4. Setting or incrementing the
-Hop Limit field can potentially be very dangerous, so it should be avoided at
-any cost. This target is only valid in
-.B mangle
-table.
-.PP
-.B Don't ever set or increment the value on packets that leave your local network!
-.TP
-\fB\-\-hl\-set\fP \fIvalue\fP
-Set the Hop Limit to `value'.
-.TP
-\fB\-\-hl\-dec\fP \fIvalue\fP
-Decrement the Hop Limit `value' times.
-.TP
-\fB\-\-hl\-inc\fP \fIvalue\fP
-Increment the Hop Limit `value' times.
-.SS HMARK
-Like MARK, i.e. set the fwmark, but the mark is calculated from hashing
-packet selector at choice. You have also to specify the mark range and,
-optionally, the offset to start from. ICMP error messages are inspected
-and used to calculate the hashing.
-.PP
-Existing options are:
-.TP
-\fB\-\-hmark\-tuple\fP tuple\fI\fP
-Possible tuple members are:
-.B src
-meaning source address (IPv4, IPv6 address),
-.B dst
-meaning destination address (IPv4, IPv6 address),
-.B sport
-meaning source port (TCP, UDP, UDPlite, SCTP, DCCP),
-.B dport
-meaning destination port (TCP, UDP, UDPlite, SCTP, DCCP),
-.B spi
-meaning Security Parameter Index (AH, ESP), and
-.B ct
-meaning the usage of the conntrack tuple instead of the packet selectors.
-.TP
-\fB\-\-hmark\-mod\fP \fIvalue (must be > 0)\fP
-Modulus for hash calculation (to limit the range of possible marks)
-.TP
-\fB\-\-hmark\-offset\fP \fIvalue\fP
-Offset to start marks from.
-.TP
-For advanced usage, instead of using \-\-hmark\-tuple, you can specify custom
-prefixes and masks:
-.TP
-\fB\-\-hmark\-src\-prefix\fP \fIcidr\fP
-The source address mask in CIDR notation.
-.TP
-\fB\-\-hmark\-dst\-prefix\fP \fIcidr\fP
-The destination address mask in CIDR notation.
-.TP
-\fB\-\-hmark\-sport\-mask\fP \fIvalue\fP
-A 16 bit source port mask in hexadecimal.
-.TP
-\fB\-\-hmark\-dport\-mask\fP \fIvalue\fP
-A 16 bit destination port mask in hexadecimal.
-.TP
-\fB\-\-hmark\-spi\-mask\fP \fIvalue\fP
-A 32 bit field with spi mask.
-.TP
-\fB\-\-hmark\-proto\-mask\fP \fIvalue\fP
-An 8 bit field with layer 4 protocol number.
-.TP
-\fB\-\-hmark\-rnd\fP \fIvalue\fP
-A 32 bit random custom value to feed hash calculation.
-.PP
-\fIExamples:\fP
-.PP
-iptables \-t mangle \-A PREROUTING \-m conntrack \-\-ctstate NEW
- \-j HMARK \-\-hmark-tuple ct,src,dst,proto \-\-hmark-offset 10000
-\-\-hmark\-mod 10 \-\-hmark\-rnd 0xfeedcafe
-.PP
-iptables \-t mangle \-A PREROUTING -j HMARK \-\-hmark\-offset 10000
-\-\-hmark-tuple src,dst,proto \-\-hmark-mod 10 \-\-hmark\-rnd 0xdeafbeef
-.SS IDLETIMER
-This target can be used to identify when interfaces have been idle for a
-certain period of time. Timers are identified by labels and are created when
-a rule is set with a new label. The rules also take a timeout value (in
-seconds) as an option. If more than one rule uses the same timer label, the
-timer will be restarted whenever any of the rules get a hit. One entry for
-each timer is created in sysfs. This attribute contains the timer remaining
-for the timer to expire. The attributes are located under the xt_idletimer
-class:
-.PP
-/sys/class/xt_idletimer/timers/<label>
-.PP
-When the timer expires, the target module sends a sysfs notification to the
-userspace, which can then decide what to do (eg. disconnect to save power).
-.TP
-\fB\-\-timeout\fP \fIamount\fP
-This is the time in seconds that will trigger the notification.
-.TP
-\fB\-\-label\fP \fIstring\fP
-This is a unique identifier for the timer. The maximum length for the
-label string is 27 characters.
-.SS LED
-This creates an LED-trigger that can then be attached to system indicator
-lights, to blink or illuminate them when certain packets pass through the
-system. One example might be to light up an LED for a few minutes every time
-an SSH connection is made to the local machine. The following options control
-the trigger behavior:
-.TP
-\fB\-\-led\-trigger\-id\fP \fIname\fP
-This is the name given to the LED trigger. The actual name of the trigger
-will be prefixed with "netfilter-".
-.TP
-\fB\-\-led-delay\fP \fIms\fP
-This indicates how long (in milliseconds) the LED should be left illuminated
-when a packet arrives before being switched off again. The default is 0
-(blink as fast as possible.) The special value \fIinf\fP can be given to
-leave the LED on permanently once activated. (In this case the trigger will
-need to be manually detached and reattached to the LED device to switch it
-off again.)
-.TP
-\fB\-\-led\-always\-blink\fP
-Always make the LED blink on packet arrival, even if the LED is already on.
-This allows notification of new packets even with long delay values (which
-otherwise would result in a silent prolonging of the delay time.)
-.TP
-Example:
-.TP
-Create an LED trigger for incoming SSH traffic:
-iptables \-A INPUT \-p tcp \-\-dport 22 \-j LED \-\-led\-trigger\-id ssh
-.TP
-Then attach the new trigger to an LED:
-echo netfilter\-ssh >/sys/class/leds/\fIledname\fP/trigger
-.SS LOG
-Turn on kernel logging of matching packets. When this option is set
-for a rule, the Linux kernel will print some information on all
-matching packets (like most IP/IPv6 header fields) via the kernel log
-(where it can be read with \fIdmesg(1)\fP or read in the syslog).
-.PP
-This is a "non-terminating target", i.e. rule traversal continues at
-the next rule. So if you want to LOG the packets you refuse, use two
-separate rules with the same matching criteria, first using target LOG
-then DROP (or REJECT).
-.TP
-\fB\-\-log\-level\fP \fIlevel\fP
-Level of logging, which can be (system-specific) numeric or a mnemonic.
-Possible values are (in decreasing order of priority): \fBemerg\fP,
-\fBalert\fP, \fBcrit\fP, \fBerror\fP, \fBwarning\fP, \fBnotice\fP, \fBinfo\fP
-or \fBdebug\fP.
-.TP
-\fB\-\-log\-prefix\fP \fIprefix\fP
-Prefix log messages with the specified prefix; up to 29 letters long,
-and useful for distinguishing messages in the logs.
-.TP
-\fB\-\-log\-tcp\-sequence\fP
-Log TCP sequence numbers. This is a security risk if the log is
-readable by users.
-.TP
-\fB\-\-log\-tcp\-options\fP
-Log options from the TCP packet header.
-.TP
-\fB\-\-log\-ip\-options\fP
-Log options from the IP/IPv6 packet header.
-.TP
-\fB\-\-log\-uid\fP
-Log the userid of the process which generated the packet.
-.SS MARK
-This target is used to set the Netfilter mark value associated with the packet.
-It can, for example, be used in conjunction with routing based on fwmark (needs
-iproute2). If you plan on doing so, note that the mark needs to be set in the
-PREROUTING chain of the mangle table to affect routing.
-The mark field is 32 bits wide.
-.TP
-\fB\-\-set\-xmark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
-Zeroes out the bits given by \fImask\fP and XORs \fIvalue\fP into the packet
-mark ("nfmark"). If \fImask\fP is omitted, 0xFFFFFFFF is assumed.
-.TP
-\fB\-\-set\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
-Zeroes out the bits given by \fImask\fP and ORs \fIvalue\fP into the packet
-mark. If \fImask\fP is omitted, 0xFFFFFFFF is assumed.
-.PP
-The following mnemonics are available:
-.TP
-\fB\-\-and\-mark\fP \fIbits\fP
-Binary AND the nfmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark
-0/\fP\fIinvbits\fP, where \fIinvbits\fP is the binary negation of \fIbits\fP.)
-.TP
-\fB\-\-or\-mark\fP \fIbits\fP
-Binary OR the nfmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP
-\fIbits\fP\fB/\fP\fIbits\fP.)
-.TP
-\fB\-\-xor\-mark\fP \fIbits\fP
-Binary XOR the nfmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP
-\fIbits\fP\fB/0\fP.)
-.SS MASQUERADE
-This target is only valid in the
-.B nat
-table, in the
-.B POSTROUTING
-chain. It should only be used with dynamically assigned IP (dialup)
-connections: if you have a static IP address, you should use the SNAT
-target. Masquerading is equivalent to specifying a mapping to the IP
-address of the interface the packet is going out, but also has the
-effect that connections are
-.I forgotten
-when the interface goes down. This is the correct behavior when the
-next dialup is unlikely to have the same interface address (and hence
-any established connections are lost anyway).
-.TP
-\fB\-\-to\-ports\fP \fIport\fP[\fB\-\fP\fIport\fP]
-This specifies a range of source ports to use, overriding the default
-.B SNAT
-source port-selection heuristics (see above). This is only valid
-if the rule also specifies one of the following protocols:
-\fBtcp\fP, \fBudp\fP, \fBdccp\fP or \fBsctp\fP.
-.TP
-\fB\-\-random\fP
-Randomize source port mapping
-If option
-\fB\-\-random\fP
-is used then port mapping will be randomized (kernel >= 2.6.21).
-.TP
-IPv6 support available since Linux kernels >= 3.7.
-.SS MIRROR (IPv4-specific)
-This is an experimental demonstration target which inverts the source
-and destination fields in the IP header and retransmits the packet.
-It is only valid in the
-.BR INPUT ,
-.B FORWARD
-and
-.B PREROUTING
-chains, and user-defined chains which are only called from those
-chains. Note that the outgoing packets are
-.B NOT
-seen by any packet filtering chains, connection tracking or NAT, to
-avoid loops and other problems.
-.SS NETMAP
-This target allows you to statically map a whole network of addresses onto
-another network of addresses. It can only be used from rules in the
-.B nat
-table.
-.TP
-\fB\-\-to\fP \fIaddress\fP[\fB/\fP\fImask\fP]
-Network address to map to. The resulting address will be constructed in the
-following way: All 'one' bits in the mask are filled in from the new `address'.
-All bits that are zero in the mask are filled in from the original address.
-.TP
-IPv6 support available since Linux kernels >= 3.7.
-.SS NFLOG
-This target provides logging of matching packets. When this target is
-set for a rule, the Linux kernel will pass the packet to the loaded
-logging backend to log the packet. This is usually used in combination
-with nfnetlink_log as logging backend, which will multicast the packet
-through a
-.IR netlink
-socket to the specified multicast group. One or more userspace processes
-may subscribe to the group to receive the packets. Like LOG, this is a
-non-terminating target, i.e. rule traversal continues at the next rule.
-.TP
-\fB\-\-nflog\-group\fP \fInlgroup\fP
-The netlink group (0 - 2^16\-1) to which packets are (only applicable for
-nfnetlink_log). The default value is 0.
-.TP
-\fB\-\-nflog\-prefix\fP \fIprefix\fP
-A prefix string to include in the log message, up to 64 characters
-long, useful for distinguishing messages in the logs.
-.TP
-\fB\-\-nflog\-range\fP \fIsize\fP
-The number of bytes to be copied to userspace (only applicable for
-nfnetlink_log). nfnetlink_log instances may specify their own
-range, this option overrides it.
-.TP
-\fB\-\-nflog\-threshold\fP \fIsize\fP
-Number of packets to queue inside the kernel before sending them
-to userspace (only applicable for nfnetlink_log). Higher values
-result in less overhead per packet, but increase delay until the
-packets reach userspace. The default value is 1.
-.BR
-.SS NFQUEUE
-This target passes the packet to userspace using the
-\fBnfnetlink_queue\fP handler. The packet is put into the queue
-identified by its 16-bit queue number. Userspace can inspect
-and modify the packet if desired. Userspace must then drop or
-reinject the packet into the kernel. Please see libnetfilter_queue
-for details.
-.B
-nfnetlink_queue
-was added in Linux 2.6.14. The \fBqueue-balance\fP option was added in Linux 2.6.31,
-\fBqueue-bypass\fP in 2.6.39.
-.TP
-\fB\-\-queue\-num\fP \fIvalue\fP
-This specifies the QUEUE number to use. Valid queue numbers are 0 to 65535. The default value is 0.
-.PP
-.TP
-\fB\-\-queue\-balance\fP \fIvalue\fP\fB:\fP\fIvalue\fP
-This specifies a range of queues to use. Packets are then balanced across the given queues.
-This is useful for multicore systems: start multiple instances of the userspace program on
-queues x, x+1, .. x+n and use "\-\-queue\-balance \fIx\fP\fB:\fP\fIx+n\fP".
-Packets belonging to the same connection are put into the same nfqueue.
-.PP
-.TP
-\fB\-\-queue\-bypass\fP
-By default, if no userspace program is listening on an NFQUEUE, then all packets that are to be queued
-are dropped. When this option is used, the NFQUEUE rule behaves like ACCEPT instead, and the packet
-will move on to the next table.
-.PP
-.TP
-\fB\-\-queue\-cpu-fanout\fP
-Available starting Linux kernel 3.10. When used together with
-\fB--queue-balance\fP this will use the CPU ID as an index to map packets to
-the queues. The idea is that you can improve performance if there's a queue
-per CPU. This requires \fB--queue-balance\fP to be specified.
-.SS NOTRACK
-This extension disables connection tracking for all packets matching that rule.
-It is equivalent with \-j CT \-\-notrack. Like CT, NOTRACK can only be used in
-the \fBraw\fP table.
-.SS RATEEST
-The RATEEST target collects statistics, performs rate estimation calculation
-and saves the results for later evaluation using the \fBrateest\fP match.
-.TP
-\fB\-\-rateest\-name\fP \fIname\fP
-Count matched packets into the pool referred to by \fIname\fP, which is freely
-choosable.
-.TP
-\fB\-\-rateest\-interval\fP \fIamount\fP{\fBs\fP|\fBms\fP|\fBus\fP}
-Rate measurement interval, in seconds, milliseconds or microseconds.
-.TP
-\fB\-\-rateest\-ewmalog\fP \fIvalue\fP
-Rate measurement averaging time constant.
-.SS REDIRECT
-This target is only valid in the
-.B nat
-table, in the
-.B PREROUTING
-and
-.B OUTPUT
-chains, and user-defined chains which are only called from those
-chains. It redirects the packet to the machine itself by changing the
-destination IP to the primary address of the incoming interface
-(locally-generated packets are mapped to the localhost address,
-127.0.0.1 for IPv4 and ::1 for IPv6).
-.TP
-\fB\-\-to\-ports\fP \fIport\fP[\fB\-\fP\fIport\fP]
-This specifies a destination port or range of ports to use: without
-this, the destination port is never altered. This is only valid
-if the rule also specifies one of the following protocols:
-\fBtcp\fP, \fBudp\fP, \fBdccp\fP or \fBsctp\fP.
-.TP
-\fB\-\-random\fP
-If option
-\fB\-\-random\fP
-is used then port mapping will be randomized (kernel >= 2.6.22).
-.TP
-IPv6 support available starting Linux kernels >= 3.7.
-.SS REJECT (IPv6-specific)
-This is used to send back an error packet in response to the matched
-packet: otherwise it is equivalent to
-.B DROP
-so it is a terminating TARGET, ending rule traversal.
-This target is only valid in the
-.BR INPUT ,
-.B FORWARD
-and
-.B OUTPUT
-chains, and user-defined chains which are only called from those
-chains. The following option controls the nature of the error packet
-returned:
-.TP
-\fB\-\-reject\-with\fP \fItype\fP
-The type given can be
-\fBicmp6\-no\-route\fP,
-\fBno\-route\fP,
-\fBicmp6\-adm\-prohibited\fP,
-\fBadm\-prohibited\fP,
-\fBicmp6\-addr\-unreachable\fP,
-\fBaddr\-unreach\fP, or
-\fBicmp6\-port\-unreachable\fP,
-which return the appropriate ICMPv6 error message (\fBicmp6\-port\-unreachable\fP is
-the default). Finally, the option
-\fBtcp\-reset\fP
-can be used on rules which only match the TCP protocol: this causes a
-TCP RST packet to be sent back. This is mainly useful for blocking
-.I ident
-(113/tcp) probes which frequently occur when sending mail to broken mail
-hosts (which won't accept your mail otherwise).
-\fBtcp\-reset\fP
-can only be used with kernel versions 2.6.14 or later.
-.SS REJECT (IPv4-specific)
-This is used to send back an error packet in response to the matched
-packet: otherwise it is equivalent to
-.B DROP
-so it is a terminating TARGET, ending rule traversal.
-This target is only valid in the
-.BR INPUT ,
-.B FORWARD
-and
-.B OUTPUT
-chains, and user-defined chains which are only called from those
-chains. The following option controls the nature of the error packet
-returned:
-.TP
-\fB\-\-reject\-with\fP \fItype\fP
-The type given can be
-\fBicmp\-net\-unreachable\fP,
-\fBicmp\-host\-unreachable\fP,
-\fBicmp\-port\-unreachable\fP,
-\fBicmp\-proto\-unreachable\fP,
-\fBicmp\-net\-prohibited\fP,
-\fBicmp\-host\-prohibited\fP, or
-\fBicmp\-admin\-prohibited\fP (*),
-which return the appropriate ICMP error message (\fBicmp\-port\-unreachable\fP is
-the default). The option
-\fBtcp\-reset\fP
-can be used on rules which only match the TCP protocol: this causes a
-TCP RST packet to be sent back. This is mainly useful for blocking
-.I ident
-(113/tcp) probes which frequently occur when sending mail to broken mail
-hosts (which won't accept your mail otherwise).
-.PP
-(*) Using icmp\-admin\-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT
-.SS SAME (IPv4-specific)
-Similar to SNAT/DNAT depending on chain: it takes a range of addresses
-(`\-\-to 1.2.3.4\-1.2.3.7') and gives a client the same
-source-/destination-address for each connection.
-.PP
-N.B.: The DNAT target's \fB\-\-persistent\fP option replaced the SAME target.
-.TP
-\fB\-\-to\fP \fIipaddr\fP[\fB\-\fP\fIipaddr\fP]
-Addresses to map source to. May be specified more than once for
-multiple ranges.
-.TP
-\fB\-\-nodst\fP
-Don't use the destination-ip in the calculations when selecting the
-new source-ip
-.TP
-\fB\-\-random\fP
-Port mapping will be forcibly randomized to avoid attacks based on
-port prediction (kernel >= 2.6.21).
-.SS SECMARK
-This is used to set the security mark value associated with the
-packet for use by security subsystems such as SELinux. It is
-valid in the
-.B security
-table (for backwards compatibility with older kernels, it is also
-valid in the
-.B mangle
-table). The mark is 32 bits wide.
-.TP
-\fB\-\-selctx\fP \fIsecurity_context\fP
-.SS SET
-This module adds and/or deletes entries from IP sets which can be defined
-by ipset(8).
-.TP
-\fB\-\-add\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP...]
-add the address(es)/port(s) of the packet to the set
-.TP
-\fB\-\-del\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP...]
-delete the address(es)/port(s) of the packet from the set
-.IP
-where \fIflag\fP(s) are
-.BR "src"
-and/or
-.BR "dst"
-specifications and there can be no more than six of them.
-.TP
-\fB\-\-timeout\fP \fIvalue\fP
-when adding an entry, the timeout value to use instead of the default
-one from the set definition
-.TP
-\fB\-\-exist\fP
-when adding an entry if it already exists, reset the timeout value
-to the specified one or to the default from the set definition
-.PP
-Use of -j SET requires that ipset kernel support is provided, which, for
-standard kernels, is the case since Linux 2.6.39.
-.SS SNAT
-This target is only valid in the
-.B nat
-table, in the
-.B POSTROUTING
-and
-.B INPUT
-chains, and user-defined chains which are only called from those
-chains. It specifies that the source address of the packet should be
-modified (and all future packets in this connection will also be
-mangled), and rules should cease being examined. It takes the
-following options:
-.TP
-\fB\-\-to\-source\fP [\fIipaddr\fP[\fB\-\fP\fIipaddr\fP]][\fB:\fP\fIport\fP[\fB\-\fP\fIport\fP]]
-which can specify a single new source IP address, an inclusive range
-of IP addresses. Optionally a port range,
-if the rule also specifies one of the following protocols:
-\fBtcp\fP, \fBudp\fP, \fBdccp\fP or \fBsctp\fP.
-If no port range is specified, then source ports below 512 will be
-mapped to other ports below 512: those between 512 and 1023 inclusive
-will be mapped to ports below 1024, and other ports will be mapped to
-1024 or above. Where possible, no port alteration will occur.
-In Kernels up to 2.6.10, you can add several \-\-to\-source options. For those
-kernels, if you specify more than one source address, either via an address
-range or multiple \-\-to\-source options, a simple round-robin (one after another
-in cycle) takes place between these addresses.
-Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges
-anymore.
-.TP
-\fB\-\-random\fP
-If option
-\fB\-\-random\fP
-is used then port mapping will be randomized (kernel >= 2.6.21).
-.TP
-\fB\-\-persistent\fP
-Gives a client the same source-/destination-address for each connection.
-This supersedes the SAME target. Support for persistent mappings is available
-from 2.6.29-rc2.
-.PP
-Kernels prior to 2.6.36-rc1 don't have the ability to
-.B SNAT
-in the
-.B INPUT
-chain.
-.TP
-IPv6 support available since Linux kernels >= 3.7.
-.SS SNPT (IPv6-specific)
-Provides stateless source IPv6-to-IPv6 Network Prefix Translation (as described
-by RFC 6296).
-.PP
-You have to use this target in the
-.B mangle
-table, not in the
-.B nat
-table. It takes the following options:
-.TP
-\fB\-\-src\-pfx\fP [\fIprefix/\fP\fIlength]
-Set source prefix that you want to translate and length
-.TP
-\fB\-\-dst\-pfx\fP [\fIprefix/\fP\fIlength]
-Set destination prefix that you want to use in the translation and length
-.PP
-You have to use the DNPT target to undo the translation. Example:
-.IP
-ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 \! \-o vboxnet0
-\-j SNPT \-\-src-pfx fd00::/64 \-\-dst-pfx 2001:e20:2000:40f::/64
-.IP
-ip6tables \-t mangle \-I PREROUTING \-i wlan0 \-d 2001:e20:2000:40f::/64
-\-j DNPT \-\-src-pfx 2001:e20:2000:40f::/64 \-\-dst-pfx fd00::/64
-.PP
-You may need to enable IPv6 neighbor proxy:
-.IP
-sysctl -w net.ipv6.conf.all.proxy_ndp=1
-.PP
-You also have to use the
-.B NOTRACK
-target to disable connection tracking for translated flows.
-.SS TCPMSS
-This target allows to alter the MSS value of TCP SYN packets, to control
-the maximum size for that connection (usually limiting it to your
-outgoing interface's MTU minus 40 for IPv4 or 60 for IPv6, respectively).
-Of course, it can only be used
-in conjunction with
-\fB\-p tcp\fP.
-.PP
-This target is used to overcome criminally braindead ISPs or servers
-which block "ICMP Fragmentation Needed" or "ICMPv6 Packet Too Big"
-packets. The symptoms of this
-problem are that everything works fine from your Linux
-firewall/router, but machines behind it can never exchange large
-packets:
-.IP 1. 4
-Web browsers connect, then hang with no data received.
-.IP 2. 4
-Small mail works fine, but large emails hang.
-.IP 3. 4
-ssh works fine, but scp hangs after initial handshaking.
-.PP
-Workaround: activate this option and add a rule to your firewall
-configuration like:
-.IP
- iptables \-t mangle \-A FORWARD \-p tcp \-\-tcp\-flags SYN,RST SYN
- \-j TCPMSS \-\-clamp\-mss\-to\-pmtu
-.TP
-\fB\-\-set\-mss\fP \fIvalue\fP
-Explicitly sets MSS option to specified value. If the MSS of the packet is
-already lower than \fIvalue\fP, it will \fBnot\fP be increased (from Linux
-2.6.25 onwards) to avoid more problems with hosts relying on a proper MSS.
-.TP
-\fB\-\-clamp\-mss\-to\-pmtu\fP
-Automatically clamp MSS value to (path_MTU \- 40 for IPv4; \-60 for IPv6).
-This may not function as desired where asymmetric routes with differing
-path MTU exist \(em the kernel uses the path MTU which it would use to send
-packets from itself to the source and destination IP addresses. Prior to
-Linux 2.6.25, only the path MTU to the destination IP address was
-considered by this option; subsequent kernels also consider the path MTU
-to the source IP address.
-.PP
-These options are mutually exclusive.
-.SS TCPOPTSTRIP
-This target will strip TCP options off a TCP packet. (It will actually replace
-them by NO-OPs.) As such, you will need to add the \fB\-p tcp\fP parameters.
-.TP
-\fB\-\-strip\-options\fP \fIoption\fP[\fB,\fP\fIoption\fP...]
-Strip the given option(s). The options may be specified by TCP option number or
-by symbolic name. The list of recognized options can be obtained by calling
-iptables with \fB\-j TCPOPTSTRIP \-h\fP.
-.SS TEE
-The \fBTEE\fP target will clone a packet and redirect this clone to another
-machine on the \fBlocal\fP network segment. In other words, the nexthop
-must be the target, or you will have to configure the nexthop to forward it
-further if so desired.
-.TP
-\fB\-\-gateway\fP \fIipaddr\fP
-Send the cloned packet to the host reachable at the given IP address.
-Use of 0.0.0.0 (for IPv4 packets) or :: (IPv6) is invalid.
-.PP
-To forward all incoming traffic on eth0 to an Network Layer logging box:
-.PP
-\-t mangle \-A PREROUTING \-i eth0 \-j TEE \-\-gateway 2001:db8::1
-.SS TOS
-This module sets the Type of Service field in the IPv4 header (including the
-"precedence" bits) or the Priority field in the IPv6 header. Note that TOS
-shares the same bits as DSCP and ECN. The TOS target is only valid in the
-\fBmangle\fP table.
-.TP
-\fB\-\-set\-tos\fP \fIvalue\fP[\fB/\fP\fImask\fP]
-Zeroes out the bits given by \fImask\fP (see NOTE below) and XORs \fIvalue\fP
-into the TOS/Priority field. If \fImask\fP is omitted, 0xFF is assumed.
-.TP
-\fB\-\-set\-tos\fP \fIsymbol\fP
-You can specify a symbolic name when using the TOS target for IPv4. It implies
-a mask of 0xFF (see NOTE below). The list of recognized TOS names can be
-obtained by calling iptables with \fB\-j TOS \-h\fP.
-.PP
-The following mnemonics are available:
-.TP
-\fB\-\-and\-tos\fP \fIbits\fP
-Binary AND the TOS value with \fIbits\fP. (Mnemonic for \fB\-\-set\-tos
-0/\fP\fIinvbits\fP, where \fIinvbits\fP is the binary negation of \fIbits\fP.
-See NOTE below.)
-.TP
-\fB\-\-or\-tos\fP \fIbits\fP
-Binary OR the TOS value with \fIbits\fP. (Mnemonic for \fB\-\-set\-tos\fP
-\fIbits\fP\fB/\fP\fIbits\fP. See NOTE below.)
-.TP
-\fB\-\-xor\-tos\fP \fIbits\fP
-Binary XOR the TOS value with \fIbits\fP. (Mnemonic for \fB\-\-set\-tos\fP
-\fIbits\fP\fB/0\fP. See NOTE below.)
-.PP
-NOTE: In Linux kernels up to and including 2.6.38, with the exception of
-longterm releases 2.6.32 (>=.42), 2.6.33 (>=.15), and 2.6.35 (>=.14), there is
-a bug whereby IPv6 TOS mangling does not behave as documented and differs from
-the IPv4 version. The TOS mask indicates the bits one wants to zero out, so it
-needs to be inverted before applying it to the original TOS field. However, the
-aformentioned kernels forgo the inversion which breaks --set-tos and its
-mnemonics.
-.SS TPROXY
-This target is only valid in the \fBmangle\fP table, in the \fBPREROUTING\fP
-chain and user-defined chains which are only called from this chain. It
-redirects the packet to a local socket without changing the packet header in
-any way. It can also change the mark value which can then be used in advanced
-routing rules.
-It takes three options:
-.TP
-\fB\-\-on\-port\fP \fIport\fP
-This specifies a destination port to use. It is a required option, 0 means the
-new destination port is the same as the original. This is only valid if the
-rule also specifies \fB\-p tcp\fP or \fB\-p udp\fP.
-.TP
-\fB\-\-on\-ip\fP \fIaddress\fP
-This specifies a destination address to use. By default the address is the IP
-address of the incoming interface. This is only valid if the rule also
-specifies \fB\-p tcp\fP or \fB\-p udp\fP.
-.TP
-\fB\-\-tproxy\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
-Marks packets with the given value/mask. The fwmark value set here can be used
-by advanced routing. (Required for transparent proxying to work: otherwise
-these packets will get forwarded, which is probably not what you want.)
-.SS TRACE
-This target marks packets so that the kernel will log every rule which match
-the packets as those traverse the tables, chains, rules.
-.PP
-A logging backend, such as ip(6)t_LOG or nfnetlink_log, must be loaded for this
-to be visible.
-The packets are logged with the string prefix:
-"TRACE: tablename:chainname:type:rulenum " where type can be "rule" for
-plain rule, "return" for implicit rule at the end of a user defined chain
-and "policy" for the policy of the built in chains.
-.br
-It can only be used in the
-.BR raw
-table.
-.SS TTL (IPv4-specific)
-This is used to modify the IPv4 TTL header field. The TTL field determines
-how many hops (routers) a packet can traverse until it's time to live is
-exceeded.
-.PP
-Setting or incrementing the TTL field can potentially be very dangerous,
-so it should be avoided at any cost. This target is only valid in
-.B mangle
-table.
-.PP
-.B Don't ever set or increment the value on packets that leave your local network!
-.TP
-\fB\-\-ttl\-set\fP \fIvalue\fP
-Set the TTL value to `value'.
-.TP
-\fB\-\-ttl\-dec\fP \fIvalue\fP
-Decrement the TTL value `value' times.
-.TP
-\fB\-\-ttl\-inc\fP \fIvalue\fP
-Increment the TTL value `value' times.
-.SS ULOG (IPv4-specific)
-This is the deprecated ipv4-only predecessor of the NFLOG target.
-It provides userspace logging of matching packets. When this
-target is set for a rule, the Linux kernel will multicast this packet
-through a
-.IR netlink
-socket. One or more userspace processes may then subscribe to various
-multicast groups and receive the packets.
-Like LOG, this is a "non-terminating target", i.e. rule traversal
-continues at the next rule.
-.TP
-\fB\-\-ulog\-nlgroup\fP \fInlgroup\fP
-This specifies the netlink group (1-32) to which the packet is sent.
-Default value is 1.
-.TP
-\fB\-\-ulog\-prefix\fP \fIprefix\fP
-Prefix log messages with the specified prefix; up to 32 characters
-long, and useful for distinguishing messages in the logs.
-.TP
-\fB\-\-ulog\-cprange\fP \fIsize\fP
-Number of bytes to be copied to userspace. A value of 0 always copies
-the entire packet, regardless of its size. Default is 0.
-.TP
-\fB\-\-ulog\-qthreshold\fP \fIsize\fP
-Number of packet to queue inside kernel. Setting this value to, e.g. 10
-accumulates ten packets inside the kernel and transmits them as one
-netlink multipart message to userspace. Default is 1 (for backwards
-compatibility).
-.br
OSDN Git Service
