.TP
.BI "XRESOLVE"
.TP
-.BI "--src-type " "type"
+[\fB!\fP] \fB--src-type\fP \fItype\fP
Matches if the source address is of given type
.TP
-.BI "--dst-type " "type"
+[\fB!\fP] \fB--dst-type\fP \fItype\fP
Matches if the destination address is of given type
.TP
.BI "--limit-iface-in"
This allows you to match the ECN bits of the IPv4 and TCP header. ECN is the Explicit Congestion Notification mechanism as specified in RFC3168
.TP
-.BI "--ecn-tcp-cwr"
+[\fB!\fP] \fB--ecn-tcp-cwr\fP
This matches if the TCP ECN CWR (Congestion Window Received) bit is set.
.TP
-.BI "--ecn-tcp-ece"
+[\fB!\fP] \fB--ecn-tcp-ece\fP
This matches if the TCP ECN ECE (ECN Echo) bit is set.
.TP
-.BI "--ecn-ip-ect " "num"
+[\fB!\fP] \fB--ecn-ip-ect\fP \fInum\fP
This matches a particular IPv4 ECT (ECN-Capable Transport). You have to specify
a number between `0' and `3'.
This modules macthes IP sets which can be defined by ipset(8).
.TP
-\fB--set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP...]
+[\fB!\fP] \fB--set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP]...
where flags are
.BR "src"
and/or
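Review bot: the intro line in this hunk's leading context, `This modules macthes IP sets which can be defined by ipset(8).`, carries two typos; while this file is being touched, make it `This module matches IP sets which can be defined by ipset(8).` The synopsis change itself is right: `\fIflag\fP[\fB,\fP\fIflag\fP]...` reads as one flag optionally followed by more, which agrees with the `src and/or dst` wording that follows.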
omitted only FROM check is done. "!" is used to match packets not
falling in the range.
.TP
-\fB--connbytes-dir\fR [\fBoriginal\fR|\fBreply\fR|\fBboth\fR]
+\fB--connbytes-dir\fR {\fBoriginal\fR|\fBreply\fR|\fBboth\fR}
which packets to consider
.TP
-\fB--connbytes-mode\fR [\fBpackets\fR|\fBbytes\fR|\fBavgpkt\fR]
+\fB--connbytes-mode\fR {\fBpackets\fR|\fBbytes\fR|\fBavgpkt\fR}
whether to check the amount of packets, number of bytes transferred or
the average size (in bytes) of all packets received so far. Note that
when "both" is used together with "avgpkt", and data is going (mainly)
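Review bot: the --connbytes description in this hunk's leading context still says only that `"!" is used to match packets not falling in the range`, without saying where the `!` goes; now that the synopses in this series put `[!]` in front of the option name, reword it to something like `Prefixing the option with \fB!\fP matches packets not falling in the range` so the prose agrees with the synopsis. The bracket-to-brace changes for --connbytes-dir and --connbytes-mode are correct, since the argument is mandatory and exactly one alternative must be given.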
.TP
[\fB!\fP] \fB--destination-port\fP,\fB--dport\fP \fIport\fP[\fB:\fP\fIport\fP]
.TP
-\fB--dccp-types\fR [\fB!\fR] \fImask\fP
+[\fB!\fP] \fB--dccp-types\fR \fImask\fP
Match when the DCCP packet type is one of 'mask'. 'mask' is a comma-separated
list of packet types. Packet types are:
.BR "REQUEST RESPONSE DATA ACK DATAACK CLOSEREQ CLOSE RESET SYNC SYNCACK INVALID" .
.TP
-\fB--dccp-option\fR [\fB!\fR\] \fInumber\fP
+[\fB!\fP] \fB--dccp-option\fR \fInumber\fP
Match if DCP option set.
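Review bot: the --dccp-option description `Match if DCP option set.` in this hunk's trailing context should read `Match if the DCCP option \fInumber\fP is set.`, since `DCP` is a typo and the option takes the number named in the synopsis. The new --dccp-option line also drops the stray `\]` that the old `[\fB!\fR\]` carried, which is a real fix worth calling out in the commit message. For --dccp-types, `'mask'` in the description would be better written `\fImask\fP` to match the synopsis.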
This module matches the 6 bit DSCP field within the TOS field in the
IP header. DSCP has superseded TOS within the IETF.
.TP
-.BI "--dscp " "value"
+[\fB!\fP] \fB--dscp\fP \fIvalue\fP
Match against a numeric (decimal or hex) value [0-63].
.TP
-\fB--dscp-class\fP \fIclass\fP
+[\fB!\fP] \fB--dscp-class\fP \fIclass\fP
Match the DiffServ class. This value may be any of the
BE, EF, AFxx or CSx classes. It will then be converted
into its according numeric value.
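Review bot: in the --dscp-class description, `converted into its according numeric value` should be `converted into its corresponding numeric value`; and the --dscp description `Match against a numeric (decimal or hex) value [0-63].` would be clearer as `Match against the numeric (decimal or hex) \fIvalue\fP, in the range 0 to 63.` so it visibly refers to the synopsis argument.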
every time the limit specified above is not reached, up to this number; the
default is 5.
.TP
-\fB--hashlimit-mode\fR [\fBsrcip\fR|\fBsrcport\fR|\fBdstip\fR|\fBdstport\fR[\fB,\fR...]]
+\fB--hashlimit-mode\fR {\fBsrcip\fR|\fBsrcport\fR|\fBdstip\fR|\fBdstport\fR}\fB,\fP...
A comma-separated list of objects to take into consideration. If no
--hashlimit-mode option is given, hashlimit acts like limit, but at the
expensive of doing the hash housekeeping.
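Review bot: the new --hashlimit-mode synopsis `{...}\fB,\fP...` puts the comma and ellipsis outside the braces, which reads as if a trailing comma is mandatory after every choice. The description says it is a comma-separated list, so the bracketed pattern used in the multiport hunks fits better: `{\fBsrcip\fP|\fBsrcport\fP|\fBdstip\fP|\fBdstport\fP}[\fB,\fP...]`. Also, `at the expensive of doing the hash housekeeping` in the trailing context should be `at the expense of doing the hash housekeeping`.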
f a packet against a specific value
or range of values.
.TP
-.BR "--length " "[!] \fIlength\fP[:\fIlength\fP]"
+[\fB!\fP] \fB--length\fP \fIlength\fP[\fB:\fP\fIlength\fP]
.B LOG
target to give limited logging, for example.
.TP
-.BI "--limit " "rate"
+[\fB!\fP] \fB--limit\fP \fIrate\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
Maximum average matching rate: specified as a number, with an optional
`/second', `/minute', `/hour', or `/day' suffix; the default is
3/hour.
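Review bot: `[\fB!\fP]` is new in the --limit synopsis, but nothing in this hunk shows that the limit match accepts negation: the old line did not advertise it, and the description (`Maximum average matching rate ...`) says nothing about what an inverted rate limit would match. Confirm against libxt_limit's option parser before adding it; if the match rejects `!`, documenting it here will lead users to write rules that fail to load, and the line should stay `\fB--limit\fP \fIrate\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]` without the bracket.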
or
.BR "-p udp" .
.TP
-[\fB!\fP] \fB--source-ports\fP,\fB--sport\fP \fIport\fP[\fB,\fP\fIport\fP[\fB,\fP\fIport\fP\fB:\fP\fIport\fP...]]
+[\fB!\fP] \fB--source-ports\fP,\fB--sport\fP \fIport\fP[\fB,\fP\fIport\fP|\fB,\fP\fIport\fP\fB:\fP\fIport\fP]...
Match if the source port is one of the given ports. The flag
.B --sports
-is a convenient alias for this option.
+is a convenient alias for this option. Multiple ports or port ranges are
+separated using a comma, and a port range is specified using a colon.
+\fB53,1024:65535\fP would therefore match ports 53 and all from 1024 through
+65535.
.TP
-[\fB!\fP] \fB--destination-ports\fP,\fB--dport\fP \fIport\fP[\fB,\fP\fIport\fP[\fB,\fP\fIport\fP\fB:\fP\fIport\fP...]]
+[\fB!\fP] \fB--destination-ports\fP,\fB--dport\fP \fIport\fP[\fB,\fP\fIport\fP|\fB,\fP\fIport\fP\fB:\fP\fIport\fP]...
Match if the destination port is one of the given ports. The flag
.B --dports
is a convenient alias for this option.
.TP
-[\fB!\fP] \fB--ports\fP \fIport\fP[\fB,\fP\fIport\fP[\fB,\fP\fIport\fP\fB:\fP\fIport\fP...]]
+[\fB!\fP] \fB--ports\fP \fIport\fP[\fB,\fP\fIport\fP|\fB,\fP\fIport\fP\fB:\fP\fIport\fP]...
Match if either the source or destination ports are equal to one of
the given ports.
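Review bot: the new comma/colon explanation and the `53,1024:65535` example are added only under --source-ports, while --destination-ports and --ports in the same hunk receive the identical synopsis with no explanation. Either repeat the sentence or add `See \fB--source-ports\fP for the list syntax.` to the other two entries so a reader who lands on --dports is not left guessing. One more consistency check: the synopsis lists the short forms as `--sport` and `--dport`, while the prose calls the aliases `--sports` and `--dports`; confirm the synopsis names the alias spellings the parser actually accepts.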
{
printf(
"pkttype match options:\n"
-" --pkt-type [!] packettype\tmatch packet type\n");
+"[!] --pkt-type packettype match packet type\n");
print_types();
}
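Review bot: the old help line used `\t` after `packettype` so the description lined up with the column used by the rest of the help output; the replacement uses a single space, so the alignment is lost. Keep the tab (or pad with spaces to the column the other extensions' help text uses) while moving the `[!]`.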
This module matches the link-layer packet type.
.TP
-\fB--pkt-type\fP {\fIunicast\fP|\fIbroadcast\fP|\fImulticast\fP}
+[\fB!\fP] \fB--pkt-type\fP {\fBunicast\fP|\fBbroadcast\fP|\fBmulticast\fP}
Selects whether to match the exact policy or match if any rule of
the policy matches the given policy.
.TP
-.BI "--reqid " "id"
+[\fB!\fP] \fB--reqid\fP \fIid\fP
Matches the reqid of the policy rule. The reqid can be specified with
.B setkey(8)
using
.B unique:id
as level.
.TP
-.BI "--spi " "spi"
+[\fB!\fP] \fB--spi\fP \fIspi\fP
Matches the SPI of the SA.
.TP
-\fB--proto\fP {\fBah\fP|\fBesp\fP|\fBipcomp\fP}
+[\fB!\fP] \fB--proto\fP {\fBah\fP|\fBesp\fP|\fBipcomp\fP}
Matches the encapsulation protocol.
.TP
-\fB--mode\fP {\fBtunnel\fP|\fBtransport\fP}
+[\fB!\fP] \fB--mode\fP {\fBtunnel\fP|\fBtransport\fP}
Matches the encapsulation mode.
.TP
-\fB--tunnel-src\fP \fIaddr\fP[\fB/\fP\fImask\fP]
+[\fB!\fP] \fB--tunnel-src\fP \fIaddr\fP[\fB/\fP\fImask\fP]
Matches the source end-point address of a tunnel mode SA.
Only valid with \fB--mode tunnel\fP.
.TP
-\fB--tunnel-dst\fP \fIaddr\fP[\fB/\fP\fImask\fP]
+[\fB!\fP] \fB--tunnel-dst\fP \fIaddr\fP[\fB/\fP\fImask\fP]
Matches the destination end-point address of a tunnel mode SA.
Only valid with \fB--mode tunnel\fP.
.TP
This module, when combined with connection tracking, allows access to
the connection tracking state for this packet.
.TP
-.BI "--state " "state"
+[\fB!\fP] \fB--state\fP \fIstate\fP
Where state is a comma separated list of the connection states to
match. Possible states are
.B INVALID
"--from Offset to start searching from\n"
"--to Offset to stop searching\n"
"--algo Algorithm\n"
-"--string [!] string Match a string in a packet\n"
-"--hex-string [!] string Match a hex string in a packet\n");
+"[!] --string string Match a string in a packet\n"
+"[!] --hex-string string Match a hex string in a packet\n");
}
static const struct option string_opts[] = {
.BI "--to " "offset"
Set the offset from which it starts looking for any matching. If not passed, default is the packet size.
.TP
-.BI "--string " "pattern"
+[\fB!\fP] \fB--string\fP \fIpattern\fP
Matches the given pattern.
-.BI "--hex-string " "pattern"
+.TP
+[\fB!\fP] \fB--hex-string\fP \fIpattern\fP
Matches the given pattern in hex notation.
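Review bot: the commit message should call out the new `.TP` before --hex-string as a separate formatting fix; without it the --hex-string synopsis was rendered as part of the --string paragraph rather than as its own entry. While here, the --to entry in this hunk's leading context repeats the --from wording (`Set the offset from which it starts looking for any matching`) even though its default is the packet size and the help text describes it as `Offset to stop searching`; it should say it sets the offset up to which the packet is scanned.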
{
printf(
"time match options:\n"
-" --datestart time Start and stop time, to be given in ISO 8601\n"
-" --datestop time (YYYY[-MM[-DD[Thh[:mm[:ss]]]]])\n"
-" --timestart time Start and stop daytime (hh:mm[:ss])\n"
-" --timestop time (between 00:00:00 and 23:59:59)\n"
-" --monthdays value List of days on which to match, separated by comma\n"
-" (Possible days: 1 to 31; defaults to all)\n"
-" --weekdays value List of weekdays on which to match, sep. by comma\n"
-" (Possible days: Mon,Tue,Wed,Thu,Fri,Sat,Sun or 1 to 7\n"
-" Defaults to all weekdays.)\n"
-" --localtz/--utc Time is interpreted as UTC/local time\n");
+" --datestart time Start and stop time, to be given in ISO 8601\n"
+" --datestop time (YYYY[-MM[-DD[Thh[:mm[:ss]]]]])\n"
+" --timestart time Start and stop daytime (hh:mm[:ss])\n"
+" --timestop time (between 00:00:00 and 23:59:59)\n"
+"[!] --monthdays value List of days on which to match, separated by comma\n"
+" (Possible days: 1 to 31; defaults to all)\n"
+"[!] --weekdays value List of weekdays on which to match, sep. by comma\n"
+" (Possible days: Mon,Tue,Wed,Thu,Fri,Sat,Sun or 1 to 7\n"
+" Defaults to all weekdays.)\n"
+" --localtz/--utc Time is interpreted as UTC/local time\n");
}
static void time_init(struct xt_entry_match *m)
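Review bot: only the --monthdays and --weekdays lines actually change in this hunk; the other eight help lines are re-emitted with no visible difference beyond leading whitespace, which buries the real change. Either limit the hunk to the two lines that gain `[!]` or say in the commit message that the block is being re-aligned. The placement of `[!]` on --monthdays and --weekdays is consistent with the man page hunk for --monthdays, which is good.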
23:59:59. Leading zeroes are allowed (e.g. "06:03") and correctly interpreted
as base-10.
.TP
-[\fB!\fR] \fB--monthday\fR \fIday\fR[\fB,\fR\fIday\fR...]
+[\fB!\fR] \fB--monthdays\fR \fIday\fR[\fB,\fR\fIday\fR...]
.IP
Only match on the given days of the month. Possible values are \fB1\fR
to \fB31\fR. Note that specifying \fB31\fR will of course not match
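Review bot: renaming `--monthday` to `--monthdays` here fixes a mismatch with the option name the help text prints (`[!] --monthdays value`), so the commit message should mention it as a separate fix rather than just the `!` relocation. The help text also advertises `[!] --weekdays`, but no man page change for --weekdays appears in this hunk; check that its entry receives `[\fB!\fR]` as well.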