Lines Matching full:to
10 This allows you to classify packets from ingress using the Netfilter
18 This allows you to classify packets before transmission using the
43 to list the base netfilter hooks via NFNETLINK.
71 and is also scheduled to replace the old syslog-based ipt_LOG
89 through your machine, in order to figure out how they are related
92 This is required to do Masquerading or other kinds of Network
93 Address Translation. It can also be used to enhance packet
96 To compile it as a module, choose M here. If unsure, say N.
105 This is a simpler but less flexible logging method compared to
107 If both are enabled the backend to use can be configured at run-time
119 `CONNMARK' target and `connmark' match. Similar to the mark value
128 This option enables security markings to be applied to
129 connections. Typically they are copied to connections from
131 connections to packets with the same target, with the packets
141 Normally, each connection needs to have a unique system wide
142 identity. Connection tracking zones allow to have multiple
153 to be shown in procfs under net/netfilter/nf_conntrack. This
163 to get notified about changes in the connection tracking state.
172 extension. This allows you to attach timeout policies to flow
182 This allows you to store the flow start-time and to obtain
192 to connection tracking entries. It can be used with xtables connlabel
204 tracking code will be able to do state tracking on DCCP connections.
218 tracking code will be able to do state tracking on SCTP connections.
228 tracking code will be able to do state tracking on UDP-Lite
241 machine, then you may want to enable this feature. This allows the
242 connection tracking and natting code to allow the sub-channels that
246 To compile it as a module, choose M here. If unsure, say N.
258 To compile it as a module, choose M here. If unsure, say N.
278 To compile it as a module, choose M here. If unsure, say N.
284 There is a commonly-used extension to IRC called
285 Direct Client-to-Client Protocol (DCC). This enables users to send
286 files to each other, and also chat to each other without the need
289 using NAT, this extension will enable you to send files and initiate
290 chats. Note that you do NOT need this extension to get files or
293 To compile it as a module, choose M here. If unsure, say N.
303 unprivileged port and responded to with unicast messages to the
304 same port. This make them hard to firewall properly because connection
309 of "ip address show" should look similar to this:
315 To compile it as a module, choose M here. If unsure, say N.
323 unprivileged port and responded to with unicast messages to the
324 same port. This make them hard to firewall properly because connection
330 To compile it as a module, choose M here. If unsure, say N.
337 This module adds support for PPTP (Point to Point Tunnelling
341 box, you may want to enable this feature.
349 To compile it as a module, choose M here. If unsure, say N.
355 SANE is a protocol for remote access to scanners as implemented
362 To compile it as a module, choose M here. If unsure, say N.
374 To compile it as a module, choose M here. If unsure, say N.
385 To compile it as a module, choose M here. If unsure, say N.
401 fine-grain tuning. This allows you to attach specific timeout
402 policies to flows, instead of using the global timeout policy.
481 nftables is the new packet classification framework that intends to
485 (https://www.netfilter.org/projects/nftables) uses to build the
487 allows you to construct mappings between matchings and actions
490 To compile it as a module, choose M here.
509 This option adds the number generator expression used to perform
510 incremental counting and random numbers bound to a upper limit.
516 This option adds the "ct" expression that you can use to match
523 This option adds the "flow_offload" expression that you can use to
532 This option adds the "connlimit" expression that you can use to
538 This option adds the "log" expression that you can use to log
544 This option adds the "limit" expression that you can use to
554 to perform NAT in the masquerade flavour.
563 to perform NAT in the redirect flavour.
571 This option adds the "nat" expression that you can use to perform
577 This option adds the "tunnel" expression that you can use to set
584 This is required if you intend to use the userspace queueing
590 This option adds the "quota" expression that you can use to match
598 This option adds the "reject" expression that you can use to
611 This is required if you intend to use any of existing
618 This option adds the "hash" expression that you can use to perform
631 The lookup will be delegated to the IPv4 or IPv6 FIB depending
638 This option adds an expression that you can use to extract properties
673 The SYNPROXY expression allows you to intercept TCP connections and
674 establish them using syncookies before they are passed on to the
675 server. This allows to avoid conntrack and server resource usage
704 The lookup will be delegated to the IPv4 or IPv6 FIB depending
713 The return packet generation will be delegated to the IPv4
727 To compile it as a module, choose M here.
737 To compile it as a module, choose M here.
745 to be shown in procfs under net/netfilter/nf_flowtable.
751 This is required if you intend to use any of ip_tables,
760 This option provides a translation layer to run 32bit arp,ip(6),ebtables
773 Netfilter mark matching allows you to match packets based on the
775 The target allows you to create rules in the "mangle" table which alter
778 Prior to routing, the nfmark can influence the routing method and can
779 also be used by other subsystems to change their behavior.
789 Netfilter allows you to store a mark value per connection (a.k.a.
790 ctmark), similarly to the packet mark (nfmark). Using this
803 To compile it as a module, choose M here. If unsure, say N.
814 This option adds a 'AUDIT' target, which can be used to create
817 To compileit as a module, choose M here. If unsure, say N.
825 table to work around buggy DHCP clients in virtualized environments.
828 that the checksum would normally be offloaded to hardware and
830 This target can be used to fill in the checksum using iptables
833 To compile it as a module, choose M here. If unsure, say N.
839 This option adds a `CLASSIFY' target, which enables the user to set
845 To compile it as a module, choose M here. If unsure, say N.
863 to connections, and restores security markings from connections
864 to packets (if the packets are not already marked). This would
867 To compile it as a module, choose M here. If unsure, say N.
875 This options adds a `CT' target, which allows to specify initial
876 connection tracking parameters like events to be delivered and
877 the helper to be used.
879 To compile it as a module, choose M here. If unsure, say N.
886 This option adds a `DSCP' target, which allows you to manipulate
891 It also adds the "TOS" target, which allows you to create rules in
893 or the Priority field of an IPv6 packet, prior to routing.
895 To compile it as a module, choose M here. If unsure, say N.
903 targets, which enable the user to change the
904 hoplimit/time-to-live value of the IP header.
906 While it is safe to decrement the hoplimit/TTL value, the
907 modules also allow to increment and set the hoplimit value of
908 the header to arbitrary values. This is EXTREMELY DANGEROUS
919 The target allows you to create rules in the "raw" and "mangle" tables
922 by other subsystems to change their behaviour.
924 To compile it as a module, choose M here. If unsure, say N.
936 To compile it as a module, choose M here. If unsure, say N.
943 This option adds a `LED' target, which allows you to blink LEDs in
944 response to particular packets passing through your machine.
946 This can be used to turn a spare LED into a network activity LED,
947 which only flashes in response to FTP transfers, for example. Or
949 somebody connects to your machine via SSH.
951 You will need support for the "led" class to make this work.
953 To create an LED trigger for incoming SSH traffic:
956 Then attach the new trigger to an LED on your system:
968 This option adds a `LOG' target, which allows you to create rules in
969 any iptables table which records the packet header to the syslog.
971 To compile it as a module, choose M here. If unsure, say N.
988 To compile it as a module, choose M here. If unsure, say N.
998 To compile it as a module, choose M here. If unsure, say N.
1005 This option enables the NFLOG target, which allows to LOG
1008 To compile it as a module, choose M here. If unsure, say N.
1017 As opposed to QUEUE, it supports 65535 different queues,
1020 To compile it as a module, choose M here. If unsure, say N.
1033 This option adds a `RATEEST' target, which allows to measure
1034 rates similar to TC estimators. The `rateest' match can be
1035 used to match on the measured rates.
1037 To compile it as a module, choose M here. If unsure, say N.
1045 mapped onto the incoming interface's address, causing the packets to
1046 come to the local machine instead of passing through. This is
1049 To compile it as a module, choose M here. If unsure, say N.
1058 changed to seem to come from a particular interface's address, and
1063 To compile it as a module, choose M here. If unsure, say N.
1066 tristate '"TEE" - packet cloning to alternate destination'
1075 this clone be rerouted to another nexthop.
1089 This option adds a `TPROXY' target, which is somewhat similar to
1091 to redirect traffic to a transparent proxy. It does _not_ depend
1093 For it to work you will have to configure certain iptables rules
1094 and use policy routing. For more information on how to set it up
1097 To compile it as a module, choose M here. If unsure, say N.
1104 The TRACE target allows you to mark packets so that the kernel
1108 If you want to compile it as a module, say M here and read
1119 To compile it as a module, choose M here. If unsure, say N.
1126 This option adds a `TCPMSS' target, which allows you to alter the
1127 MSS value of TCP SYN packets, to control the maximum size for that
1128 connection (usually limiting it to your outgoing interface's MTU
1131 This is used to overcome criminally braindead ISPs or servers which
1140 Workaround: activate this option and add a rule to your firewall
1144 -j TCPMSS --clamp-mss-to-pmtu
1146 To compile it as a module, choose M here. If unsure, say N.
1153 This option adds a "TCPOPTSTRIP" target, which allows you to strip
1164 This option allows you to match what routing thinks of an address,
1167 If you want to compile it as a module, say M here and read
1174 BPF matching applies a linux socket filter to each packet and
1177 To compile it as a module, choose M here. If unsure, say N.
1185 Socket/process control group matching allows you to match locally
1187 belong to.
1194 This option allows you to build work-load-sharing clusters of
1209 This option adds a `comment' dummy-match, which allows you to put
1212 If you want to compile it as a module, say M here and read
1220 This option adds a `connbytes' match, which allows you to match the
1223 If you want to compile it as a module, say M here and read
1232 This match allows you to test and assign userspace-defined labels names
1233 to a connection. The kernel only stores bit values - mapping
1234 names to bits is done by userspace.
1236 Unlike connmark, more than 32 flag bits may be assigned to a
1245 This match allows you to match against the number of parallel
1246 connections to a server per client IP address (or address block).
1269 To compile it as a module, choose M here. If unsure, say N.
1275 CPU matching allows you to match packets based on the CPU
1278 To compile it as a module, choose M here. If unsure, say N.
1285 With this option enabled, you will be able to use the iptables
1286 `dccp' match in order to match on DCCP source/destination ports
1289 If you want to compile it as a module, say M here and read
1296 This options adds a `devgroup' match, which allows to match on the
1297 device group a network device is assigned to.
1299 To compile it as a module, choose M here. If unsure, say N.
1305 This option adds a `DSCP' match, which allows you to match against
1310 It will also add a "tos" match, which allows you to match packets
1314 To compile it as a module, choose M here. If unsure, say N.
1320 This option adds an "ECN" match, which allows you to match against
1323 To compile it as a module, choose M here. If unsure, say N.
1329 This match extension allows you to match a range of SPIs
1332 To compile it as a module, choose M here. If unsure, say N.
1341 As opposed to `limit', this match dynamically creates a hash table
1345 It enables you to express policies like `10kpps for any given
1354 Helper matching allows you to match packets in dynamic connections
1357 To compile it as a module, choose M here. If unsure, say Y.
1363 HL matching allows you to match packets based on the hoplimit
1364 in the IPv6 header, or the time-to-live field in the IPv4
1371 This match extension allows you to match a range of CPIs(16 bits)
1374 To compile it as a module, choose M here. If unsure, say N.
1380 This option adds a "iprange" match, which allows you to match based on
1392 This option allows you to match against IPVS properties of a packet.
1401 This option adds an "L2TP" match, which allows you to match against
1404 To compile it as a module, choose M here. If unsure, say N.
1410 This option allows you to match the length of a packet against a
1413 To compile it as a module, choose M here. If unsure, say N.
1419 limit matching allows you to control the rate at which a rule can be
1421 target support", below) and to avoid some Denial of Service attacks.
1423 To compile it as a module, choose M here. If unsure, say N.
1429 MAC matching allows you to match packets based on the source
1432 To compile it as a module, choose M here. If unsure, say N.
1447 Multiport matching allows you to match TCP or UDP packets based on
1451 To compile it as a module, choose M here. If unsure, say N.
1458 This option allows you to use the extended accounting through
1461 To compile it as a module, choose M here. If unsure, say N.
1469 that allows to passively match the remote operating system by
1475 To compile it as a module, choose M here. If unsure, say N.
1481 Socket owner matching allows you to match locally-generated packets
1483 possible to check whether a socket actually exists.
1490 Policy matching allows you to match packets based on the
1494 To compile it as a module, choose M here. If unsure, say N.
1504 To compile it as a module, choose M here. If unsure, say N.
1510 Packet type matching allows you to match a packet by
1516 To compile it as a module, choose M here. If unsure, say N.
1522 This option adds a `quota' match, which allows to match on a
1525 If you want to compile it as a module, say M here and read
1533 This option adds a `rateest' match, which allows to match on the
1536 To compile it as a module, choose M here. If unsure, say N.
1543 This option adds a `realm' match, which allows you to use the realm
1549 If you want to compile it as a module, say M here and read
1567 With this option enabled, you will be able to use the
1568 `sctp' match in order to match on SCTP source/destination ports
1571 If you want to compile it as a module, say M here and read
1585 This option adds a `socket' match, which can be used to match
1588 routing to implement full featured non-locally bound sockets.
1590 To compile it as a module, choose M here. If unsure, say N.
1597 Connection state matching allows you to match packets based on their
1598 relationship to a tracked connection (ie. previous packets). This
1601 To compile it as a module, choose M here. If unsure, say N.
1607 This option adds a `statistic' match, which allows you to match
1610 To compile it as a module, choose M here. If unsure, say N.
1620 This option adds a `string' match, which allows you to look for
1623 To compile it as a module, choose M here. If unsure, say N.
1629 This option adds a `tcpmss' match, which allows you to examine the
1633 To compile it as a module, choose M here. If unsure, say N.
1639 This option adds a "time" match, which allows you to match based on
1646 If you want to compile it as a module, say M here.
1653 u32 allows you to extract quantities of up to 4 bytes from a packet,
1656 The specification of what to extract is general enough to skip over