Lines Matching refs:to
10 This allows you to classify packets from ingress using the Netfilter
47 and is also scheduled to replace the old syslog-based ipt_LOG
65 through your machine, in order to figure out how they are related
68 This is required to do Masquerading or other kinds of Network
69 Address Translation. It can also be used to enhance packet
90 `CONNMARK' target and `connmark' match. Similar to the mark value
99 This option enables security markings to be applied to
100 connections. Typically they are copied to connections from
102 connections to packets with the same target, with the packets
112 Normally, each connection needs to have a unique system wide
113 identity. Connection tracking zones allow to have multiple
124 to be shown in procfs under net/netfilter/nf_conntrack. This
134 to get notified about changes in the connection tracking state.
143 extension. This allows you to attach timeout policies to flow
153 This allows you to store the flow start-time and to obtain
163 to connection tracking entries. It can be used with xtables connlabel
172 tracking code will be able to do state tracking on DCCP connections.
186 tracking code will be able to do state tracking on SCTP connections.
196 tracking code will be able to do state tracking on UDP-Lite
209 machine, then you may want to enable this feature. This allows the
210 connection tracking and natting code to allow the sub-channels that
252 There is a commonly-used extension to IRC called
253 Direct Client-to-Client Protocol (DCC). This enables users to send
254 files to each other, and also chat to each other without the need
257 using NAT, this extension will enable you to send files and initiate
258 chats. Note that you do NOT need this extension to get files or
271 unprivileged port and responded to with unicast messages to the
272 same port. This make them hard to firewall properly because connection
277 of "ip address show" should look similar to this:
291 unprivileged port and responded to with unicast messages to the
292 same port. This make them hard to firewall properly because connection
305 This module adds support for PPTP (Point to Point Tunnelling
309 box, you may want to enable this feature.
323 SANE is a protocol for remote access to scanners as implemented
369 fine-grain tuning. This allows you to attach specific timeout
370 policies to flows, instead of using the global timeout policy.
446 nftables is the new packet classification framework that intends to
450 (https://www.netfilter.org/projects/nftables) uses to build the
452 allows you to construct mappings between matchings and actions
474 This option adds the number generator expression used to perform
475 incremental counting and random numbers bound to a upper limit.
481 This option adds the "ct" expression that you can use to match
488 This option adds the "flow_offload" expression that you can use to
494 This option adds the "counter" expression that you can use to
503 This option adds the "connlimit" expression that you can use to
509 This option adds the "log" expression that you can use to log
515 This option adds the "limit" expression that you can use to
525 to perform NAT in the masquerade flavour.
534 to perform NAT in the redirect flavour.
542 This option adds the "nat" expression that you can use to perform
548 This option adds the "tunnel" expression that you can use to set
554 This option adds the "objref" expression that allows you to refer to
561 This is required if you intend to use the userspace queueing
567 This option adds the "quota" expression that you can use to match
575 This option adds the "reject" expression that you can use to
588 This is required if you intend to use any of existing
595 This option adds the "hash" expression that you can use to perform
608 The lookup will be delegated to the IPv4 or IPv6 FIB depending
615 This option adds an expression that you can use to extract properties
650 The SYNPROXY expression allows you to intercept TCP connections and
651 establish them using syncookies before they are passed on to the
652 server. This allows to avoid conntrack and server resource usage
681 The lookup will be delegated to the IPv4 or IPv6 FIB depending
710 This is required if you intend to use any of ip_tables,
723 Netfilter mark matching allows you to match packets based on the
725 The target allows you to create rules in the "mangle" table which alter
728 Prior to routing, the nfmark can influence the routing method and can
729 also be used by other subsystems to change their behavior.
739 Netfilter allows you to store a mark value per connection (a.k.a.
740 ctmark), similarly to the packet mark (nfmark). Using this
764 This option adds a 'AUDIT' target, which can be used to create
775 table to work around buggy DHCP clients in virtualized environments.
778 that the checksum would normally be offloaded to hardware and
780 This target can be used to fill in the checksum using iptables
789 This option adds a `CLASSIFY' target, which enables the user to set
813 to connections, and restores security markings from connections
814 to packets (if the packets are not already marked). This would
825 This options adds a `CT' target, which allows to specify initial
826 connection tracking parameters like events to be delivered and
827 the helper to be used.
836 This option adds a `DSCP' target, which allows you to manipulate
841 It also adds the "TOS" target, which allows you to create rules in
843 or the Priority field of an IPv6 packet, prior to routing.
853 targets, which enable the user to change the
854 hoplimit/time-to-live value of the IP header.
856 While it is safe to decrement the hoplimit/TTL value, the
857 modules also allow to increment and set the hoplimit value of
858 the header to arbitrary values. This is EXTREMELY DANGEROUS
869 The target allows you to create rules in the "raw" and "mangle" tables
872 by other subsystems to change their behaviour.
893 This option adds a `LED' target, which allows you to blink LEDs in
894 response to particular packets passing through your machine.
896 This can be used to turn a spare LED into a network activity LED,
897 which only flashes in response to FTP transfers, for example. Or
899 somebody connects to your machine via SSH.
901 You will need support for the "led" class to make this work.
906 Then attach the new trigger to an LED on your system:
919 This option adds a `LOG' target, which allows you to create rules in
920 any iptables table which records the packet header to the syslog.
956 This option enables the NFLOG target, which allows to LOG
968 As opposed to QUEUE, it supports 65535 different queues,
984 This option adds a `RATEEST' target, which allows to measure
985 rates similar to TC estimators. The `rateest' match can be
986 used to match on the measured rates.
996 mapped onto the incoming interface's address, causing the packets to
997 come to the local machine instead of passing through. This is
1009 changed to seem to come from a particular interface's address, and
1017 tristate '"TEE" - packet cloning to alternate destination'
1026 this clone be rerouted to another nexthop.
1040 This option adds a `TPROXY' target, which is somewhat similar to
1042 to redirect traffic to a transparent proxy. It does _not_ depend
1044 For it to work you will have to configure certain iptables rules
1045 and use policy routing. For more information on how to set it up
1055 The TRACE target allows you to mark packets so that the kernel
1059 If you want to compile it as a module, say M here and read
1077 This option adds a `TCPMSS' target, which allows you to alter the
1078 MSS value of TCP SYN packets, to control the maximum size for that
1079 connection (usually limiting it to your outgoing interface's MTU
1082 This is used to overcome criminally braindead ISPs or servers which
1091 Workaround: activate this option and add a rule to your firewall
1095 -j TCPMSS --clamp-mss-to-pmtu
1104 This option adds a "TCPOPTSTRIP" target, which allows you to strip
1115 This option allows you to match what routing thinks of an address,
1118 If you want to compile it as a module, say M here and read
1125 BPF matching applies a linux socket filter to each packet and
1136 Socket/process control group matching allows you to match locally
1138 belong to.
1145 This option allows you to build work-load-sharing clusters of
1160 This option adds a `comment' dummy-match, which allows you to put
1163 If you want to compile it as a module, say M here and read
1171 This option adds a `connbytes' match, which allows you to match the
1174 If you want to compile it as a module, say M here and read
1183 This match allows you to test and assign userspace-defined labels names
1184 to a connection. The kernel only stores bit values - mapping
1185 names to bits is done by userspace.
1187 Unlike connmark, more than 32 flag bits may be assigned to a
1196 This match allows you to match against the number of parallel
1197 connections to a server per client IP address (or address block).
1226 CPU matching allows you to match packets based on the CPU
1236 With this option enabled, you will be able to use the iptables
1237 `dccp' match in order to match on DCCP source/destination ports
1240 If you want to compile it as a module, say M here and read
1247 This options adds a `devgroup' match, which allows to match on the
1248 device group a network device is assigned to.
1256 This option adds a `DSCP' match, which allows you to match against
1261 It will also add a "tos" match, which allows you to match packets
1271 This option adds an "ECN" match, which allows you to match against
1280 This match extension allows you to match a range of SPIs
1292 As opposed to `limit', this match dynamically creates a hash table
1296 It enables you to express policies like `10kpps for any given
1305 Helper matching allows you to match packets in dynamic connections
1314 HL matching allows you to match packets based on the hoplimit
1315 in the IPv6 header, or the time-to-live field in the IPv4
1322 This match extension allows you to match a range of CPIs(16 bits)
1331 This option adds a "iprange" match, which allows you to match based on
1343 This option allows you to match against IPVS properties of a packet.
1352 This option adds an "L2TP" match, which allows you to match against
1361 This option allows you to match the length of a packet against a
1370 limit matching allows you to control the rate at which a rule can be
1372 target support", below) and to avoid some Denial of Service attacks.
1380 MAC matching allows you to match packets based on the source
1398 Multiport matching allows you to match TCP or UDP packets based on
1409 This option allows you to use the extended accounting through
1420 that allows to passively match the remote operating system by
1432 Socket owner matching allows you to match locally-generated packets
1434 possible to check whether a socket actually exists.
1441 Policy matching allows you to match packets based on the
1461 Packet type matching allows you to match a packet by
1473 This option adds a `quota' match, which allows to match on a
1476 If you want to compile it as a module, say M here and read
1483 This option adds a `quota2' match, which allows to match on a
1488 If you want to compile it as a module, say M here and read
1496 This option allows `quota2' to log ONCE when a quota limit
1498 It logs similarly to how ipt_ULOG would without data.
1507 This option adds a `rateest' match, which allows to match on the
1517 This option adds a `realm' match, which allows you to use the realm
1523 If you want to compile it as a module, say M here and read
1541 With this option enabled, you will be able to use the
1542 `sctp' match in order to match on SCTP source/destination ports
1545 If you want to compile it as a module, say M here and read
1559 This option adds a `socket' match, which can be used to match
1562 routing to implement full featured non-locally bound sockets.
1571 Connection state matching allows you to match packets based on their
1572 relationship to a tracked connection (ie. previous packets). This
1581 This option adds a `statistic' match, which allows you to match
1594 This option adds a `string' match, which allows you to look for
1603 This option adds a `tcpmss' match, which allows you to examine the
1613 This option adds a "time" match, which allows you to match based on
1620 If you want to compile it as a module, say M here.
1627 u32 allows you to extract quantities of up to 4 bytes from a packet,
1630 The specification of what to extract is general enough to skip over