.BR "--fragfirst "
Matches on the first fragment.
.TP
-.BR "[--fragmore]"
+\fB--fragmore\fP
Matches if there are more fragments.
.TP
-.BR "[--fraglast]"
+\fB--fraglast\fP
Matches if this is the last fragment.
also be mangled), and rules should cease being examined. It takes one
type of option:
.TP
-.BR "--to-destination " "[\fIipaddr\fP][-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
+\fB--to-destination\fP [\fIipaddr\fP][\fB-\fP\fIipaddr\fP][\fB:\fP\fIport\fP[\fB-\fP\fIport\fP]]
which can specify a single new destination IP address, an inclusive
range of IP addresses, and optionally, a port range (which is only
valid if the rule also specifies
(`--to 1.2.3.4-1.2.3.7') and gives a client the same
source-/destination-address for each connection.
.TP
-.BI "--to " "<ipaddr>-<ipaddr>"
+\fB--to\fP \fIipaddr\fP[\fB-\fP\fIipaddr\fP]
Addresses to map source to. May be specified more than once for
multiple ranges.
.TP
mangled), and rules should cease being examined. It takes one type
of option:
.TP
-.BR "--to-source " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
+\fB--to-source\fP \fIipaddr\fP[\fB-\fP\fIipaddr\fP][\fB:\fP\fIport\fP[\fB-\fP\fIport\fP]]
which can specify a single new source IP address, an inclusive range
of IP addresses, and optionally, a port range (which is only valid if
the rule also specifies
This module matches the netfilter mark field associated with a connection
(which can be set using the \fBCONNMARK\fR target below).
.TP
-\fB--mark\fR \fIvalue\fR[\fB/\fR\fImask\fR]
+[\fB!\fP] \fB--mark\fR \fIvalue\fR[\fB/\fR\fImask\fR]
Matches packets in connections with the given mark value (if a mask is
specified, this is logically ANDed with the mark before the comparison).
This module matches packets related to a specific conntrack-helper.
.TP
-.BI "--helper " "string"
+[\fB!\fP] \fB--helper\fP \fIstring\fP
Matches packets related to the specified conntrack-helper.
.RS
.PP
This matches on a given arbitrary range of IP addresses.
.TP
-[\fB!\fR] \fB--src-range\fR \fIfrom\fR-\fIto\fR
+[\fB!\fR] \fB--src-range\fR \fIfrom\fR[\fB-\fP\fIto\fR]
Match source IP in the specified range.
.TP
-[\fB!\fR] \fB--dst-range\fR \fIfrom\fR-\fIto\fR
+[\fB!\fR] \fB--dst-range\fR \fIfrom\fR[\fB-\fP\fIto\fR]
Match destination IP in the specified range.
.B MARK
target below).
.TP
-.BR "--mark " "\fIvalue\fP[/\fImask\fP]"
+[\fB!\fP] \fB--mark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
Matches packets with the given unsigned mark value (if a \fImask\fP is
specified, this is logically ANDed with the \fImask\fP before the
comparison).
POSTROUTING chains. Forwarded packets do not have any socket associated with
them. Packets from kernel threads do have a socket, but usually no owner.
.TP
-\fB--uid-owner\fR \fIusername\fR
+[\fB!\fP] \fB--uid-owner\fP \fIusername\fP
.TP
-\fB--uid-owner\fR \fIuserid\fR[\fB-\fR\fIuserid\fR]
+[\fB!\fP] \fB--uid-owner\fP \fIuserid\fP[\fB-\fP\fIuserid\fP]
Matches if the packet socket's file structure (if it has one) is owned by the
given user. You may also specify a numerical UID, or an UID range.
.TP
-\fB--gid-owner\fR \fIgroupname\fR
+[\fB!\fP] \fB--gid-owner\fP \fIgroupname\fP
.TP
-\fB--gid-owner\fR \fIgroupid\fR[\fB-\fR\fIgroupid\fR]
+[\fB!\fP] \fB--gid-owner\fP \fIgroupid\fP[\fB-\fR\fIgroupid\fP]
Matches if the packet socket's file structure is owned by the given group.
You may also specify a numerical GID, or a GID range.
.TP
-\fB--socket-exists\fR
+[\fB!\fP] \fB--socket-exists\fP
Matches if the packet is associated with a socket.
including the "Precedence" bits) or the (also 8-bit) Priority field in the IPv6
header.
.TP
-\fB--tos\fR \fIvalue\fR[\fB/\fR\fImask\fR]
+[\fB!\fP] \fB--tos\fR \fIvalue\fR[\fB/\fR\fImask\fR]
Matches packets with the given TOS mark value. If a mask is specified, it is
logically ANDed with the TOS mark before the comparison.
.TP
-\fB--tos\fR \fIsymbol\fR
+[\fB!\fP] \fB--tos\fR \fIsymbol\fR
You can specify a symbolic name when using the tos match for IPv4. The list of
recognized TOS names can be obtained by calling iptables with \fB-m tos -h\fR.
Note that this implies a mask of 0x3F, i.e. all but the ECN bits.
projects / thirdparty / iptables.git / commitdiff
