Lines Matching refs:to
32 and is also scheduled to replace the old syslog-based ipt_LOG
40 through your machine, in order to figure out how they are related
43 This is required to do Masquerading or other kinds of Network
44 Address Translation. It can also be used to enhance packet
56 `CONNMARK' target and `connmark' match. Similar to the mark value
65 This option enables security markings to be applied to
66 connections. Typically they are copied to connections from
68 connections to packets with the same target, with the packets
79 Normally, each connection needs to have a unique system wide
80 identity. Connection tracking zones allow to have multiple
92 to be shown in procfs under net/netfilter/nf_conntrack. This
102 to get notified about changes in the connection tracking state.
111 extension. This allows you to attach timeout policies to flow
121 This allows you to store the flow start-time and to obtain
131 to connection tracking entries. It selected by the connlabel match.
139 tracking code will be able to do state tracking on DCCP connections.
152 tracking code will be able to do state tracking on SCTP connections.
154 If you want to compile it as a module, say M here and read
162 tracking code will be able to do state tracking on UDP-Lite
175 machine, then you may want to enable this feature. This allows the
176 connection tracking and natting code to allow the sub-channels that
192 which generalize ip_conntrack to support other layer 3 protocols.
220 There is a commonly-used extension to IRC called
221 Direct Client-to-Client Protocol (DCC). This enables users to send
222 files to each other, and also chat to each other without the need
225 using NAT, this extension will enable you to send files and initiate
226 chats. Note that you do NOT need this extension to get files or
239 unprivileged port and responded to with unicast messages to the
240 same port. This make them hard to firewall properly because connection
245 of "ip address show" should look similar to this:
259 unprivileged port and responded to with unicast messages to the
260 same port. This make them hard to firewall properly because connection
273 This module adds support for PPTP (Point to Point Tunnelling
277 box, you may want to enable this feature.
291 SANE is a protocol for remote access to scanners as implemented
336 fine-grain tuning. This allows you to attach specific timeout
337 policies to flows, instead of using the global timeout policy.
421 For it to work you will have to configure certain iptables rules
422 and use policy routing. For more information on how to set it up
431 This is required if you intend to use any of ip_tables,
444 Netfilter mark matching allows you to match packets based on the
446 The target allows you to create rules in the "mangle" table which alter
449 Prior to routing, the nfmark can influence the routing method (see
451 other subsystems to change their behavior.
461 Netfilter allows you to store a mark value per connection (a.k.a.
462 ctmark), similarly to the packet mark (nfmark). Using this
486 This option adds a 'AUDIT' target, which can be used to create
499 You can use this target to compute and fill in the checksum in
501 if you need to work around old applications such as dhcp clients,
502 that do not work well with checksum offloads, but don't want to disable
511 This option adds a `CLASSIFY' target, which enables the user to set
535 to connections, and restores security markings from connections
536 to packets (if the packets are not already marked). This would
547 This options adds a `CT' target, which allows to specify initial
548 connection tracking parameters like events to be delivered and
549 the helper to be used.
558 This option adds a `DSCP' target, which allows you to manipulate
563 It also adds the "TOS" target, which allows you to create rules in
565 or the Priority field of an IPv6 packet, prior to routing.
575 targets, which enable the user to change the
576 hoplimit/time-to-live value of the IP header.
578 While it is safe to decrement the hoplimit/TTL value, the
579 modules also allow to increment and set the hoplimit value of
580 the header to arbitrary values. This is EXTREMELY DANGEROUS
591 The target allows you to create rules in the "raw" and "mangle" tables
594 MARK value as routing key") and can also be used by other subsystems to
616 This option adds a `LED' target, which allows you to blink LEDs in
617 response to particular packets passing through your machine.
619 This can be used to turn a spare LED into a network activity LED,
620 which only flashes in response to FTP transfers, for example. Or
622 somebody connects to your machine via SSH.
624 You will need support for the "led" class to make this work.
629 Then attach the new trigger to an LED on your system:
639 This option adds a `LOG' target, which allows you to create rules in
640 any iptables table which records the packet header to the syslog.
668 This option enables the NFLOG target, which allows to LOG
680 As opposed to QUEUE, it supports 65535 different queues,
696 This option adds a `RATEEST' target, which allows to measure
697 rates similar to TC estimators. The `rateest' match can be
698 used to match on the measured rates.
707 mapped onto the incoming interface's address, causing the packets to
708 come to the local machine instead of passing through. This is
714 tristate '"TEE" - packet cloning to alternate destination'
720 this clone be rerouted to another nexthop.
731 This option adds a `TPROXY' target, which is somewhat similar to
733 to redirect traffic to a transparent proxy. It does _not_ depend
743 The TRACE target allows you to mark packets so that the kernel
747 If you want to compile it as a module, say M here and read
765 This option adds a `TCPMSS' target, which allows you to alter the
766 MSS value of TCP SYN packets, to control the maximum size for that
767 connection (usually limiting it to your outgoing interface's MTU
770 This is used to overcome criminally braindead ISPs or servers which
779 Workaround: activate this option and add a rule to your firewall
783 -j TCPMSS --clamp-mss-to-pmtu
792 This option adds a "TCPOPTSTRIP" target, which allows you to strip
803 This option allows you to match what routing thinks of an address,
806 If you want to compile it as a module, say M here and read
813 BPF matching applies a linux socket filter to each packet and
823 This option allows you to build work-load-sharing clusters of
838 This option adds a `comment' dummy-match, which allows you to put
841 If you want to compile it as a module, say M here and read
849 This option adds a `connbytes' match, which allows you to match the
852 If you want to compile it as a module, say M here and read
861 This match allows you to test and assign userspace-defined labels names
862 to a connection. The kernel only stores bit values - mapping
863 names to bits is done by userspace.
865 Unlike connmark, more than 32 flag bits may be assigned to a
873 This match allows you to match against the number of parallel
874 connections to a server per client IP address (or address block).
903 CPU matching allows you to match packets based on the CPU
913 With this option enabled, you will be able to use the iptables
914 `dccp' match in order to match on DCCP source/destination ports
917 If you want to compile it as a module, say M here and read
924 This options adds a `devgroup' match, which allows to match on the
925 device group a network device is assigned to.
933 This option adds a `DSCP' match, which allows you to match against
938 It will also add a "tos" match, which allows you to match packets
948 This option adds an "ECN" match, which allows you to match against
957 This match extension allows you to match a range of SPIs
969 As opposed to `limit', this match dynamically creates a hash table
973 It enables you to express policies like `10kpps for any given
982 Helper matching allows you to match packets in dynamic connections
991 HL matching allows you to match packets based on the hoplimit
992 in the IPv6 header, or the time-to-live field in the IPv4
999 This option adds a "iprange" match, which allows you to match based on
1011 This option allows you to match against IPVS properties of a packet.
1019 This option allows you to match the length of a packet against a
1028 limit matching allows you to control the rate at which a rule can be
1030 target support", below) and to avoid some Denial of Service attacks.
1038 MAC matching allows you to match packets based on the source
1056 Multiport matching allows you to match TCP or UDP packets based on
1067 This option allows you to use the extended accounting through
1077 that allows to passively match the remote operating system by
1089 Socket owner matching allows you to match locally-generated packets
1091 possible to check whether a socket actually exists.
1100 Policy matching allows you to match packets based on the
1120 Packet type matching allows you to match a packet by
1133 This option replaces the `owner' match. In addition to matching
1134 on uid, it keeps stats based on a tag assigned to a socket.
1136 The tags are assignable to sockets from user space (e.g. a download
1137 manager can assign the socket to another UID for accounting).
1148 This option adds a `quota' match, which allows to match on a
1151 If you want to compile it as a module, say M here and read
1158 This option adds a `quota2' match, which allows to match on a
1163 If you want to compile it as a module, say M here and read
1172 This option allows `quota2' to log ONCE when a quota limit
1174 It logs similarly to how ipt_ULOG would without data.
1183 This option adds a `rateest' match, which allows to match on the
1193 This option adds a `realm' match, which allows you to use the realm
1199 If you want to compile it as a module, say M here and read
1217 With this option enabled, you will be able to use the
1218 `sctp' match in order to match on SCTP source/destination ports
1221 If you want to compile it as a module, say M here and read
1234 This option adds a `socket' match, which can be used to match
1237 routing to implement full featured non-locally bound sockets.
1246 Connection state matching allows you to match packets based on their
1247 relationship to a tracked connection (ie. previous packets). This
1256 This option adds a `statistic' match, which allows you to match
1269 This option adds a `string' match, which allows you to look for
1278 This option adds a `tcpmss' match, which allows you to examine the
1288 This option adds a "time" match, which allows you to match based on
1295 If you want to compile it as a module, say M here.
1302 u32 allows you to extract quantities of up to 4 bytes from a packet,
1305 The specification of what to extract is general enough to skip over