and libip6t_tcp.man.
" --tcp-flags [!] mask comp match when TCP flags & mask == comp\n"
" (Flags: SYN ACK FIN RST URG PSH ALL NONE)\n"
"[!] --syn match when only SYN flag set\n"
-" (equivalent to --tcp-flags SYN,RST,ACK SYN)\n"
+" (equivalent to --tcp-flags SYN,RST,ACK,FIN SYN)\n"
" --source-port [!] port[:port]\n"
" --sport ...\n"
" match source port(s)\n"
RST flags unset.
.TP
.B "[!] --syn"
-Only match TCP packets with the SYN bit set and the ACK and RST bits
+Only match TCP packets with the SYN bit set and the ACK,RST and FIN bits
cleared. Such packets are used to request TCP connection initiation;
for example, blocking such packets coming in an interface will prevent
incoming TCP connections, but outgoing TCP connections will be
" --tcp-flags [!] mask comp match when TCP flags & mask == comp\n"
" (Flags: SYN ACK FIN RST URG PSH ALL NONE)\n"
"[!] --syn match when only SYN flag set\n"
-" (equivalent to --tcp-flags SYN,RST,ACK SYN)\n"
+" (equivalent to --tcp-flags SYN,RST,ACK,FIN SYN)\n"
" --source-port [!] port[:port]\n"
" --sport ...\n"
" match source port(s)\n"