tracking in combination with the NOTRACK target. It registers at the netfilter
hooks with higher priority and is thus called before ip_conntrack, or any other
IP tables. It provides the following built-in chains: \fBPREROUTING\fP
-(for packets arriving via any network interface) \fBOUTPUT\fP
-(for packets generated by local processes)
+(for packets arriving via any network interface) and \fBOUTPUT\fP
+(for packets generated by local processes).
.TP
\fBsecurity\fP:
This table is used for Mandatory Access Control (MAC) networking rules, such
[\fB!\fP] \fB\-p\fP, \fB\-\-protocol\fP \fIprotocol\fP
The protocol of the rule or of the packet to check.
The specified protocol can be one of \fBtcp\fP, \fBudp\fP, \fBudplite\fP,
-\fBicmp\fP, \fBicmpv6\fP,\fBesp\fP, \fBah\fP, \fBsctp\fP, \fBmh\fP or the special keyword "\fBall\fP",
+\fBicmp\fP, \fBicmpv6\fP, \fBesp\fP, \fBah\fP, \fBsctp\fP, \fBmh\fP or the special keyword "\fBall\fP",
or it can be a numeric value, representing one of these protocols or a
different one. A protocol name from /etc/protocols is also allowed.
A "!" argument before the protocol inverts the
\fB\-x\fP, \fB\-\-exact\fP
Expand numbers.
Display the exact value of the packet and byte counters,
-instead of only the rounded number in K's (multiples of 1000)
+instead of only the rounded number in K's (multiples of 1000),
M's (multiples of 1000K) or G's (multiples of 1000M). This option is
only relevant for the \fB\-L\fP command.
.TP
.PP
The various forms of NAT have been separated out; \fBiptables\fP
is a pure packet filter when using the default `filter' table, with
-optional extension modules. This should simplify much of the previous
+optional extension modules. This should avoid much of the
confusion over the combination of IP masquerading and packet filtering
seen previously. So the following options are handled differently:
.nf
projects / thirdparty / iptables.git / commitdiff
