Lines Matching full:to
10 This allows you to classify packets from ingress using the Netfilter
18 This allows you to classify packets before transmission using the
43 to list the base netfilter hooks via NFNETLINK.
71 and is also scheduled to replace the old syslog-based ipt_LOG
89 through your machine, in order to figure out how they are related
92 This is required to do Masquerading or other kinds of Network
93 Address Translation. It can also be used to enhance packet
96 To compile it as a module, choose M here. If unsure, say N.
105 This is a simpler but less flexible logging method compared to
107 If both are enabled the backend to use can be configured at run-time
119 `CONNMARK' target and `connmark' match. Similar to the mark value
128 This option enables security markings to be applied to
129 connections. Typically they are copied to connections from
131 connections to packets with the same target, with the packets
141 Normally, each connection needs to have a unique system wide
142 identity. Connection tracking zones allow to have multiple
153 to be shown in procfs under net/netfilter/nf_conntrack. This
163 to get notified about changes in the connection tracking state.
172 extension. This allows you to attach timeout policies to flow
182 This allows you to store the flow start-time and to obtain
192 to connection tracking entries. It can be used with xtables connlabel
208 tracking code will be able to do state tracking on SCTP connections.
218 tracking code will be able to do state tracking on UDP-Lite
231 machine, then you may want to enable this feature. This allows the
232 connection tracking and natting code to allow the sub-channels that
236 To compile it as a module, choose M here. If unsure, say N.
248 To compile it as a module, choose M here. If unsure, say N.
268 To compile it as a module, choose M here. If unsure, say N.
274 There is a commonly-used extension to IRC called
275 Direct Client-to-Client Protocol (DCC). This enables users to send
276 files to each other, and also chat to each other without the need
279 using NAT, this extension will enable you to send files and initiate
280 chats. Note that you do NOT need this extension to get files or
283 To compile it as a module, choose M here. If unsure, say N.
293 unprivileged port and responded to with unicast messages to the
294 same port. This make them hard to firewall properly because connection
299 of "ip address show" should look similar to this:
305 To compile it as a module, choose M here. If unsure, say N.
313 unprivileged port and responded to with unicast messages to the
314 same port. This make them hard to firewall properly because connection
320 To compile it as a module, choose M here. If unsure, say N.
327 This module adds support for PPTP (Point to Point Tunnelling
331 box, you may want to enable this feature.
339 To compile it as a module, choose M here. If unsure, say N.
345 SANE is a protocol for remote access to scanners as implemented
352 To compile it as a module, choose M here. If unsure, say N.
364 To compile it as a module, choose M here. If unsure, say N.
375 To compile it as a module, choose M here. If unsure, say N.
391 fine-grain tuning. This allows you to attach specific timeout
392 policies to flows, instead of using the global timeout policy.
471 nftables is the new packet classification framework that intends to
475 (https://www.netfilter.org/projects/nftables) uses to build the
477 allows you to construct mappings between matchings and actions
480 To compile it as a module, choose M here.
499 This option adds the number generator expression used to perform
500 incremental counting and random numbers bound to a upper limit.
506 This option adds the "ct" expression that you can use to match
519 This option adds the "flow_offload" expression that you can use to
528 This option adds the "connlimit" expression that you can use to
534 This option adds the "log" expression that you can use to log
540 This option adds the "limit" expression that you can use to
550 to perform NAT in the masquerade flavour.
559 to perform NAT in the redirect flavour.
567 This option adds the "nat" expression that you can use to perform
573 This option adds the "tunnel" expression that you can use to set
580 This is required if you intend to use the userspace queueing
586 This option adds the "quota" expression that you can use to match
594 This option adds the "reject" expression that you can use to
607 This is required if you intend to use any of existing
614 This option adds the "hash" expression that you can use to perform
627 The lookup will be delegated to the IPv4 or IPv6 FIB depending
634 This option adds an expression that you can use to extract properties
669 The SYNPROXY expression allows you to intercept TCP connections and
670 establish them using syncookies before they are passed on to the
671 server. This allows to avoid conntrack and server resource usage
700 The lookup will be delegated to the IPv4 or IPv6 FIB depending
709 The return packet generation will be delegated to the IPv4
723 To compile it as a module, choose M here.
733 To compile it as a module, choose M here.
741 to be shown in procfs under net/netfilter/nf_flowtable.
747 This is required if you intend to use any of ip_tables,
756 This option provides a translation layer to run 32bit arp,ip(6),ebtables
768 Legacy support is not limited to IP, it also includes EBTABLES and
779 Netfilter mark matching allows you to match packets based on the
781 The target allows you to create rules in the "mangle" table which alter
784 Prior to routing, the nfmark can influence the routing method and can
785 also be used by other subsystems to change their behavior.
795 Netfilter allows you to store a mark value per connection (a.k.a.
796 ctmark), similarly to the packet mark (nfmark). Using this
809 To compile it as a module, choose M here. If unsure, say N.
820 This option adds a 'AUDIT' target, which can be used to create
823 To compileit as a module, choose M here. If unsure, say N.
831 table to work around buggy DHCP clients in virtualized environments.
834 that the checksum would normally be offloaded to hardware and
836 This target can be used to fill in the checksum using iptables
839 To compile it as a module, choose M here. If unsure, say N.
845 This option adds a `CLASSIFY' target, which enables the user to set
851 To compile it as a module, choose M here. If unsure, say N.
869 to connections, and restores security markings from connections
870 to packets (if the packets are not already marked). This would
873 To compile it as a module, choose M here. If unsure, say N.
881 This options adds a `CT' target, which allows to specify initial
882 connection tracking parameters like events to be delivered and
883 the helper to be used.
885 To compile it as a module, choose M here. If unsure, say N.
892 This option adds a `DSCP' target, which allows you to manipulate
897 It also adds the "TOS" target, which allows you to create rules in
899 or the Priority field of an IPv6 packet, prior to routing.
901 To compile it as a module, choose M here. If unsure, say N.
909 targets, which enable the user to change the
910 hoplimit/time-to-live value of the IP header.
912 While it is safe to decrement the hoplimit/TTL value, the
913 modules also allow to increment and set the hoplimit value of
914 the header to arbitrary values. This is EXTREMELY DANGEROUS
925 The target allows you to create rules in the "raw" and "mangle" tables
928 by other subsystems to change their behaviour.
930 To compile it as a module, choose M here. If unsure, say N.
942 To compile it as a module, choose M here. If unsure, say N.
949 This option adds a `LED' target, which allows you to blink LEDs in
950 response to particular packets passing through your machine.
952 This can be used to turn a spare LED into a network activity LED,
953 which only flashes in response to FTP transfers, for example. Or
955 somebody connects to your machine via SSH.
957 You will need support for the "led" class to make this work.
959 To create an LED trigger for incoming SSH traffic:
962 Then attach the new trigger to an LED on your system:
974 This option adds a `LOG' target, which allows you to create rules in
975 any iptables table which records the packet header to the syslog.
977 To compile it as a module, choose M here. If unsure, say N.
994 To compile it as a module, choose M here. If unsure, say N.
1004 To compile it as a module, choose M here. If unsure, say N.
1011 This option enables the NFLOG target, which allows to LOG
1014 To compile it as a module, choose M here. If unsure, say N.
1023 As opposed to QUEUE, it supports 65535 different queues,
1026 To compile it as a module, choose M here. If unsure, say N.
1039 This option adds a `RATEEST' target, which allows to measure
1040 rates similar to TC estimators. The `rateest' match can be
1041 used to match on the measured rates.
1043 To compile it as a module, choose M here. If unsure, say N.
1051 mapped onto the incoming interface's address, causing the packets to
1052 come to the local machine instead of passing through. This is
1055 To compile it as a module, choose M here. If unsure, say N.
1064 changed to seem to come from a particular interface's address, and
1069 To compile it as a module, choose M here. If unsure, say N.
1072 tristate '"TEE" - packet cloning to alternate destination'
1081 this clone be rerouted to another nexthop.
1095 This option adds a `TPROXY' target, which is somewhat similar to
1097 to redirect traffic to a transparent proxy. It does _not_ depend
1099 For it to work you will have to configure certain iptables rules
1100 and use policy routing. For more information on how to set it up
1103 To compile it as a module, choose M here. If unsure, say N.
1110 The TRACE target allows you to mark packets so that the kernel
1114 If you want to compile it as a module, say M here and read
1125 To compile it as a module, choose M here. If unsure, say N.
1132 This option adds a `TCPMSS' target, which allows you to alter the
1133 MSS value of TCP SYN packets, to control the maximum size for that
1134 connection (usually limiting it to your outgoing interface's MTU
1137 This is used to overcome criminally braindead ISPs or servers which
1146 Workaround: activate this option and add a rule to your firewall
1150 -j TCPMSS --clamp-mss-to-pmtu
1152 To compile it as a module, choose M here. If unsure, say N.
1159 This option adds a "TCPOPTSTRIP" target, which allows you to strip
1170 This option allows you to match what routing thinks of an address,
1173 If you want to compile it as a module, say M here and read
1180 BPF matching applies a linux socket filter to each packet and
1183 To compile it as a module, choose M here. If unsure, say N.
1191 Socket/process control group matching allows you to match locally
1193 belong to.
1200 This option allows you to build work-load-sharing clusters of
1215 This option adds a `comment' dummy-match, which allows you to put
1218 If you want to compile it as a module, say M here and read
1226 This option adds a `connbytes' match, which allows you to match the
1229 If you want to compile it as a module, say M here and read
1238 This match allows you to test and assign userspace-defined labels names
1239 to a connection. The kernel only stores bit values - mapping
1240 names to bits is done by userspace.
1242 Unlike connmark, more than 32 flag bits may be assigned to a
1251 This match allows you to match against the number of parallel
1252 connections to a server per client IP address (or address block).
1275 To compile it as a module, choose M here. If unsure, say N.
1281 CPU matching allows you to match packets based on the CPU
1284 To compile it as a module, choose M here. If unsure, say N.
1291 With this option enabled, you will be able to use the iptables
1292 `dccp' match in order to match on DCCP source/destination ports
1295 If you want to compile it as a module, say M here and read
1302 This options adds a `devgroup' match, which allows to match on the
1303 device group a network device is assigned to.
1305 To compile it as a module, choose M here. If unsure, say N.
1311 This option adds a `DSCP' match, which allows you to match against
1316 It will also add a "tos" match, which allows you to match packets
1320 To compile it as a module, choose M here. If unsure, say N.
1326 This option adds an "ECN" match, which allows you to match against
1329 To compile it as a module, choose M here. If unsure, say N.
1335 This match extension allows you to match a range of SPIs
1338 To compile it as a module, choose M here. If unsure, say N.
1347 As opposed to `limit', this match dynamically creates a hash table
1351 It enables you to express policies like `10kpps for any given
1360 Helper matching allows you to match packets in dynamic connections
1363 To compile it as a module, choose M here. If unsure, say Y.
1369 HL matching allows you to match packets based on the hoplimit
1370 in the IPv6 header, or the time-to-live field in the IPv4
1377 This match extension allows you to match a range of CPIs(16 bits)
1380 To compile it as a module, choose M here. If unsure, say N.
1386 This option adds a "iprange" match, which allows you to match based on
1398 This option allows you to match against IPVS properties of a packet.
1407 This option adds an "L2TP" match, which allows you to match against
1410 To compile it as a module, choose M here. If unsure, say N.
1416 This option allows you to match the length of a packet against a
1419 To compile it as a module, choose M here. If unsure, say N.
1425 limit matching allows you to control the rate at which a rule can be
1427 target support", below) and to avoid some Denial of Service attacks.
1429 To compile it as a module, choose M here. If unsure, say N.
1435 MAC matching allows you to match packets based on the source
1438 To compile it as a module, choose M here. If unsure, say N.
1453 Multiport matching allows you to match TCP or UDP packets based on
1457 To compile it as a module, choose M here. If unsure, say N.
1464 This option allows you to use the extended accounting through
1467 To compile it as a module, choose M here. If unsure, say N.
1475 that allows to passively match the remote operating system by
1481 To compile it as a module, choose M here. If unsure, say N.
1487 Socket owner matching allows you to match locally-generated packets
1489 possible to check whether a socket actually exists.
1496 Policy matching allows you to match packets based on the
1500 To compile it as a module, choose M here. If unsure, say N.
1510 To compile it as a module, choose M here. If unsure, say N.
1516 Packet type matching allows you to match a packet by
1522 To compile it as a module, choose M here. If unsure, say N.
1528 This option adds a `quota' match, which allows to match on a
1531 If you want to compile it as a module, say M here and read
1539 This option adds a `rateest' match, which allows to match on the
1542 To compile it as a module, choose M here. If unsure, say N.
1549 This option adds a `realm' match, which allows you to use the realm
1555 If you want to compile it as a module, say M here and read
1573 With this option enabled, you will be able to use the
1574 `sctp' match in order to match on SCTP source/destination ports
1577 If you want to compile it as a module, say M here and read
1591 This option adds a `socket' match, which can be used to match
1594 routing to implement full featured non-locally bound sockets.
1596 To compile it as a module, choose M here. If unsure, say N.
1603 Connection state matching allows you to match packets based on their
1604 relationship to a tracked connection (ie. previous packets). This
1607 To compile it as a module, choose M here. If unsure, say N.
1613 This option adds a `statistic' match, which allows you to match
1616 To compile it as a module, choose M here. If unsure, say N.
1626 This option adds a `string' match, which allows you to look for
1629 To compile it as a module, choose M here. If unsure, say N.
1635 This option adds a `tcpmss' match, which allows you to examine the
1639 To compile it as a module, choose M here. If unsure, say N.
1645 This option adds a "time" match, which allows you to match based on
1652 If you want to compile it as a module, say M here.
1659 u32 allows you to extract quantities of up to 4 bytes from a packet,
1662 The specification of what to extract is general enough to skip over