Lines Matching full:to
10 This allows you to classify packets from ingress using the Netfilter
47 and is also scheduled to replace the old syslog-based ipt_LOG
65 through your machine, in order to figure out how they are related
68 This is required to do Masquerading or other kinds of Network
69 Address Translation. It can also be used to enhance packet
72 To compile it as a module, choose M here. If unsure, say N.
90 `CONNMARK' target and `connmark' match. Similar to the mark value
99 This option enables security markings to be applied to
100 connections. Typically they are copied to connections from
102 connections to packets with the same target, with the packets
112 Normally, each connection needs to have a unique system wide
113 identity. Connection tracking zones allow to have multiple
125 to be shown in procfs under net/netfilter/nf_conntrack. This
135 to get notified about changes in the connection tracking state.
144 extension. This allows you to attach timeout policies to flow
154 This allows you to store the flow start-time and to obtain
164 to connection tracking entries. It can be used with xtables connlabel
173 tracking code will be able to do state tracking on DCCP connections.
187 tracking code will be able to do state tracking on SCTP connections.
197 tracking code will be able to do state tracking on UDP-Lite
210 machine, then you may want to enable this feature. This allows the
211 connection tracking and natting code to allow the sub-channels that
215 To compile it as a module, choose M here. If unsure, say N.
227 To compile it as a module, choose M here. If unsure, say N.
247 To compile it as a module, choose M here. If unsure, say N.
253 There is a commonly-used extension to IRC called
254 Direct Client-to-Client Protocol (DCC). This enables users to send
255 files to each other, and also chat to each other without the need
258 using NAT, this extension will enable you to send files and initiate
259 chats. Note that you do NOT need this extension to get files or
262 To compile it as a module, choose M here. If unsure, say N.
272 unprivileged port and responded to with unicast messages to the
273 same port. This make them hard to firewall properly because connection
278 of "ip address show" should look similar to this:
284 To compile it as a module, choose M here. If unsure, say N.
292 unprivileged port and responded to with unicast messages to the
293 same port. This make them hard to firewall properly because connection
299 To compile it as a module, choose M here. If unsure, say N.
306 This module adds support for PPTP (Point to Point Tunnelling
310 box, you may want to enable this feature.
318 To compile it as a module, choose M here. If unsure, say N.
324 SANE is a protocol for remote access to scanners as implemented
331 To compile it as a module, choose M here. If unsure, say N.
343 To compile it as a module, choose M here. If unsure, say N.
354 To compile it as a module, choose M here. If unsure, say N.
370 fine-grain tuning. This allows you to attach specific timeout
371 policies to flows, instead of using the global timeout policy.
447 nftables is the new packet classification framework that intends to
451 (https://www.netfilter.org/projects/nftables) uses to build the
453 allows you to construct mappings between matchings and actions
456 To compile it as a module, choose M here.
475 This option adds the number generator expression used to perform
476 incremental counting and random numbers bound to a upper limit.
482 This option adds the "ct" expression that you can use to match
489 This option adds the "flow_offload" expression that you can use to
495 This option adds the "counter" expression that you can use to
504 This option adds the "connlimit" expression that you can use to
510 This option adds the "log" expression that you can use to log
516 This option adds the "limit" expression that you can use to
526 to perform NAT in the masquerade flavour.
535 to perform NAT in the redirect flavour.
543 This option adds the "nat" expression that you can use to perform
549 This option adds the "tunnel" expression that you can use to set
555 This option adds the "objref" expression that allows you to refer to
562 This is required if you intend to use the userspace queueing
568 This option adds the "quota" expression that you can use to match
576 This option adds the "reject" expression that you can use to
589 This is required if you intend to use any of existing
596 This option adds the "hash" expression that you can use to perform
609 The lookup will be delegated to the IPv4 or IPv6 FIB depending
616 This option adds an expression that you can use to extract properties
651 The SYNPROXY expression allows you to intercept TCP connections and
652 establish them using syncookies before they are passed on to the
653 server. This allows to avoid conntrack and server resource usage
682 The lookup will be delegated to the IPv4 or IPv6 FIB depending
695 To compile it as a module, choose M here.
705 To compile it as a module, choose M here.
711 This is required if you intend to use any of ip_tables,
724 Netfilter mark matching allows you to match packets based on the
726 The target allows you to create rules in the "mangle" table which alter
729 Prior to routing, the nfmark can influence the routing method and can
730 also be used by other subsystems to change their behavior.
740 Netfilter allows you to store a mark value per connection (a.k.a.
741 ctmark), similarly to the packet mark (nfmark). Using this
754 To compile it as a module, choose M here. If unsure, say N.
765 This option adds a 'AUDIT' target, which can be used to create
768 To compileit as a module, choose M here. If unsure, say N.
776 table to work around buggy DHCP clients in virtualized environments.
779 that the checksum would normally be offloaded to hardware and
781 This target can be used to fill in the checksum using iptables
784 To compile it as a module, choose M here. If unsure, say N.
790 This option adds a `CLASSIFY' target, which enables the user to set
796 To compile it as a module, choose M here. If unsure, say N.
814 to connections, and restores security markings from connections
815 to packets (if the packets are not already marked). This would
818 To compile it as a module, choose M here. If unsure, say N.
826 This options adds a `CT' target, which allows to specify initial
827 connection tracking parameters like events to be delivered and
828 the helper to be used.
830 To compile it as a module, choose M here. If unsure, say N.
837 This option adds a `DSCP' target, which allows you to manipulate
842 It also adds the "TOS" target, which allows you to create rules in
844 or the Priority field of an IPv6 packet, prior to routing.
846 To compile it as a module, choose M here. If unsure, say N.
854 targets, which enable the user to change the
855 hoplimit/time-to-live value of the IP header.
857 While it is safe to decrement the hoplimit/TTL value, the
858 modules also allow to increment and set the hoplimit value of
859 the header to arbitrary values. This is EXTREMELY DANGEROUS
870 The target allows you to create rules in the "raw" and "mangle" tables
873 by other subsystems to change their behaviour.
875 To compile it as a module, choose M here. If unsure, say N.
887 To compile it as a module, choose M here. If unsure, say N.
894 This option adds a `LED' target, which allows you to blink LEDs in
895 response to particular packets passing through your machine.
897 This can be used to turn a spare LED into a network activity LED,
898 which only flashes in response to FTP transfers, for example. Or
900 somebody connects to your machine via SSH.
902 You will need support for the "led" class to make this work.
904 To create an LED trigger for incoming SSH traffic:
907 Then attach the new trigger to an LED on your system:
920 This option adds a `LOG' target, which allows you to create rules in
921 any iptables table which records the packet header to the syslog.
923 To compile it as a module, choose M here. If unsure, say N.
940 To compile it as a module, choose M here. If unsure, say N.
950 To compile it as a module, choose M here. If unsure, say N.
957 This option enables the NFLOG target, which allows to LOG
960 To compile it as a module, choose M here. If unsure, say N.
969 As opposed to QUEUE, it supports 65535 different queues,
972 To compile it as a module, choose M here. If unsure, say N.
985 This option adds a `RATEEST' target, which allows to measure
986 rates similar to TC estimators. The `rateest' match can be
987 used to match on the measured rates.
989 To compile it as a module, choose M here. If unsure, say N.
997 mapped onto the incoming interface's address, causing the packets to
998 come to the local machine instead of passing through. This is
1001 To compile it as a module, choose M here. If unsure, say N.
1010 changed to seem to come from a particular interface's address, and
1015 To compile it as a module, choose M here. If unsure, say N.
1018 tristate '"TEE" - packet cloning to alternate destination'
1027 this clone be rerouted to another nexthop.
1041 This option adds a `TPROXY' target, which is somewhat similar to
1043 to redirect traffic to a transparent proxy. It does _not_ depend
1045 For it to work you will have to configure certain iptables rules
1046 and use policy routing. For more information on how to set it up
1049 To compile it as a module, choose M here. If unsure, say N.
1056 The TRACE target allows you to mark packets so that the kernel
1060 If you want to compile it as a module, say M here and read
1071 To compile it as a module, choose M here. If unsure, say N.
1078 This option adds a `TCPMSS' target, which allows you to alter the
1079 MSS value of TCP SYN packets, to control the maximum size for that
1080 connection (usually limiting it to your outgoing interface's MTU
1083 This is used to overcome criminally braindead ISPs or servers which
1092 Workaround: activate this option and add a rule to your firewall
1096 -j TCPMSS --clamp-mss-to-pmtu
1098 To compile it as a module, choose M here. If unsure, say N.
1105 This option adds a "TCPOPTSTRIP" target, which allows you to strip
1116 This option allows you to match what routing thinks of an address,
1119 If you want to compile it as a module, say M here and read
1126 BPF matching applies a linux socket filter to each packet and
1129 To compile it as a module, choose M here. If unsure, say N.
1137 Socket/process control group matching allows you to match locally
1139 belong to.
1146 This option allows you to build work-load-sharing clusters of
1161 This option adds a `comment' dummy-match, which allows you to put
1164 If you want to compile it as a module, say M here and read
1172 This option adds a `connbytes' match, which allows you to match the
1175 If you want to compile it as a module, say M here and read
1184 This match allows you to test and assign userspace-defined labels names
1185 to a connection. The kernel only stores bit values - mapping
1186 names to bits is done by userspace.
1188 Unlike connmark, more than 32 flag bits may be assigned to a
1197 This match allows you to match against the number of parallel
1198 connections to a server per client IP address (or address block).
1221 To compile it as a module, choose M here. If unsure, say N.
1227 CPU matching allows you to match packets based on the CPU
1230 To compile it as a module, choose M here. If unsure, say N.
1237 With this option enabled, you will be able to use the iptables
1238 `dccp' match in order to match on DCCP source/destination ports
1241 If you want to compile it as a module, say M here and read
1248 This options adds a `devgroup' match, which allows to match on the
1249 device group a network device is assigned to.
1251 To compile it as a module, choose M here. If unsure, say N.
1257 This option adds a `DSCP' match, which allows you to match against
1262 It will also add a "tos" match, which allows you to match packets
1266 To compile it as a module, choose M here. If unsure, say N.
1272 This option adds an "ECN" match, which allows you to match against
1275 To compile it as a module, choose M here. If unsure, say N.
1281 This match extension allows you to match a range of SPIs
1284 To compile it as a module, choose M here. If unsure, say N.
1293 As opposed to `limit', this match dynamically creates a hash table
1297 It enables you to express policies like `10kpps for any given
1306 Helper matching allows you to match packets in dynamic connections
1309 To compile it as a module, choose M here. If unsure, say Y.
1315 HL matching allows you to match packets based on the hoplimit
1316 in the IPv6 header, or the time-to-live field in the IPv4
1323 This match extension allows you to match a range of CPIs(16 bits)
1326 To compile it as a module, choose M here. If unsure, say N.
1332 This option adds a "iprange" match, which allows you to match based on
1344 This option allows you to match against IPVS properties of a packet.
1353 This option adds an "L2TP" match, which allows you to match against
1356 To compile it as a module, choose M here. If unsure, say N.
1362 This option allows you to match the length of a packet against a
1365 To compile it as a module, choose M here. If unsure, say N.
1371 limit matching allows you to control the rate at which a rule can be
1373 target support", below) and to avoid some Denial of Service attacks.
1375 To compile it as a module, choose M here. If unsure, say N.
1381 MAC matching allows you to match packets based on the source
1384 To compile it as a module, choose M here. If unsure, say N.
1399 Multiport matching allows you to match TCP or UDP packets based on
1403 To compile it as a module, choose M here. If unsure, say N.
1410 This option allows you to use the extended accounting through
1413 To compile it as a module, choose M here. If unsure, say N.
1421 that allows to passively match the remote operating system by
1427 To compile it as a module, choose M here. If unsure, say N.
1433 Socket owner matching allows you to match locally-generated packets
1435 possible to check whether a socket actually exists.
1442 Policy matching allows you to match packets based on the
1446 To compile it as a module, choose M here. If unsure, say N.
1456 To compile it as a module, choose M here. If unsure, say N.
1462 Packet type matching allows you to match a packet by
1468 To compile it as a module, choose M here. If unsure, say N.
1474 This option adds a `quota' match, which allows to match on a
1477 If you want to compile it as a module, say M here and read
1485 This option adds a `rateest' match, which allows to match on the
1488 To compile it as a module, choose M here. If unsure, say N.
1495 This option adds a `realm' match, which allows you to use the realm
1501 If you want to compile it as a module, say M here and read
1519 With this option enabled, you will be able to use the
1520 `sctp' match in order to match on SCTP source/destination ports
1523 If you want to compile it as a module, say M here and read
1537 This option adds a `socket' match, which can be used to match
1540 routing to implement full featured non-locally bound sockets.
1542 To compile it as a module, choose M here. If unsure, say N.
1549 Connection state matching allows you to match packets based on their
1550 relationship to a tracked connection (ie. previous packets). This
1553 To compile it as a module, choose M here. If unsure, say N.
1559 This option adds a `statistic' match, which allows you to match
1562 To compile it as a module, choose M here. If unsure, say N.
1572 This option adds a `string' match, which allows you to look for
1575 To compile it as a module, choose M here. If unsure, say N.
1581 This option adds a `tcpmss' match, which allows you to examine the
1585 To compile it as a module, choose M here. If unsure, say N.
1591 This option adds a "time" match, which allows you to match based on
1598 If you want to compile it as a module, say M here.
1605 u32 allows you to extract quantities of up to 4 bytes from a packet,
1608 The specification of what to extract is general enough to skip over