.I DROP
means to drop the packet on the floor.
.I QUEUE
-means to pass the packet to userspace (if supported by the kernel).
+means to pass the packet to userspace. (How the packet can be received
+by a userspace process differs by the particular queue handler. 2.4.x
+and 2.6.x kernels up to 2.6.13 include the
+.B
+ip_queue
+queue handler. Kernels 2.6.14 and later additionally include the
+.B
+nfnetlink_queue
+queue handler. Packets with a target of QUEUE will be sent to queue number '0'
+in this case. Please also see the
+.B
+NFQUEUE
+target as described later in this man page.)
.I RETURN
means stop traversing this chain and resume at the next rule in the
previous (calling) chain. If the end of a built-in chain is reached
.TP
.BR "-X, --delete-chain " "[\fIchain\fP]"
Delete the optional user-defined chain specified. There must be no references
-to the chain. If there are, you must delete or replace the referring
-rules before the chain can be deleted. If no argument is given, it
-will attempt to delete every non-builtin chain in the table.
+to the chain. If there are, you must delete or replace the referring rules
+before the chain can be deleted. The chain must be empty, i.e. not contain
+any rules. If no argument is given, it will attempt to delete every
+non-builtin chain in the table.
.TP
.BI "-P, --policy " "chain target"
Set the policy for the chain to the given target. See the section
the fate of the packet immediately, or an extension (see
.B EXTENSIONS
below). If this
-option is omitted in a rule, then matching the rule will have no
+option is omitted in a rule (and
+.B -g
+is not used), then matching the rule will have no
effect on the packet's fate, but the counters on the rule will be
incremented.
.TP
+.BI "-g, --goto " "chain"
+This specifies that the processing should continue in a user
+specified chain. Unlike the --jump option return will not continue
+processing in this chain but instead in the chain that called us via
+--jump.
+.TP
.BR "-i, --in-interface " "[!] \fIname\fP"
Name of an interface via which a packet was received (only for
packets entering the
.BI "--dst-type " "type"
Matches if the destination address is of given type
.SS ah
-This module matches the SPIs in AH header of IPSec packets.
+This module matches the SPIs in Authentication header of IPsec packets.
.TP
.BR "--ahspi " "[!] \fIspi\fP[:\fIspi\fP]"
.SS childlevel
.SS condition
This matches if a specific /proc filename is '0' or '1'.
.TP
-.BI "--condition " "[!] filename"
+.BI "--condition " "[!] \fIfilename\fP"
Match on boolean value stored in /proc/net/ipt_condition/filename file
.SS connbytes
Match by how many bytes or packets a connection (or one of the two
.BI "--ctexpire " "\fItime\fP[\fI:time\fP]"
Match remaining lifetime in seconds against given value
or range of values (inclusive)
+.SS dccp
+.TP
+\fB--source-port\fR,\fB--sport \fR[\fB!\fR] \fIport\fR[\fB:\fIport\fR]
+.TP
+\fB--destination-port\fR,\fB--dport \fR[\fB!\fR] \fIport\fR[\fB:\fIport\fR]
+.TP
+\fB--dccp-types\fR [\fB!\fR] \fImask\fP
+Match when the DCCP packet type is one of 'mask'. 'mask' is a comma-separated
+list of packet types. Packet types are:
+.BR "REQUEST RESPONSE DATA ACK DATAACK CLOSEREQ CLOSE RESET SYNC SYNCACK INVALID" .
+.TP
+\fB--dccp-option\fR [\fB!\fR\] \fInumber\fP
+Match if DCP option set.
.SS dscp
This module matches the 6 bit DSCP field within the TOS field in the
IP header. DSCP has superseded TOS within the IETF.
destination IP or per destination port base. As opposed to the `limit' match,
every destination ip / destination port has it's own limit.
.TP
+THIS MODULE IS DEPRECATED AND HAS BEEN REPLACED BY ``hashlimit''
+.TP
.BI "--dstlimit " "avg"
Maximum average match rate (packets per second unless followed by /sec /minute /hour /day postfixes).
.TP
This matches a particular IPv4 ECT (ECN-Capable Transport). You have to specify
a number between `0' and `3'.
.SS esp
-This module matches the SPIs in ESP header of IPSec packets.
+This module matches the SPIs in ESP header of IPsec packets.
.TP
.BR "--espspi " "[!] \fIspi\fP[:\fIspi\fP]"
.SS fuzzy
This module matches a rate limit based on a fuzzy logic controller [FLC]
.TP
-.BI "--lower-limit "number"
+.BI "--lower-limit " "number"
Specifies the lower limit (in packets per second).
.TP
.BI "--upper-limit " "number"
This module matches the length of a packet against a specific value
or range of values.
.TP
-.BR "--length " "\fIlength\fP[:\fIlength\fP]"
+.BR "--length " "[!] \fIlength\fP[:\fIlength\fP]"
.SS limit
This module matches at a limited rate using a token bucket filter.
A rule using this extension will match until this limit is reached
target below).
.TP
.BR "--mark " "\fIvalue\fP[/\fImask\fP]"
-Matches packets with the given unsigned mark value (if a mask is
-specified, this is logically ANDed with the mask before the
+Matches packets with the given unsigned mark value (if a \fImask\fP is
+specified, this is logically ANDed with the \fImask\fP before the
comparison).
.SS mport
This module matches a set of source or destination ports. Up to 15
a transparent bridging IP firewall and is only useful for kernel versions
above version 2.5.44.
.TP
-.B --physdev-in name
+.BR --physdev-in " [!] \fIname\fP"
Name of a bridge port via which a packet is received (only for
packets entering the
.BR INPUT ,
interface which begins with this name will match. If the packet didn't arrive
through a bridge device, this packet won't match this option, unless '!' is used.
.TP
-.B --physdev-out name
+.BR --physdev-out " [!] \fIname\fP"
Name of a bridge port via which a packet is going to be sent (for packets
entering the
.BR FORWARD ,
the output device will be, then the packet won't match this option, unless
'!' is used.
.TP
-.B --physdev-is-in
+.RB "[!] " --physdev-is-in
Matches if the packet has entered through a bridge interface.
.TP
-.B --physdev-is-out
+.RB "[!] " --physdev-is-out
Matches if the packet will leave through a bridge interface.
.TP
-.B --physdev-is-bridged
+.RB "[!] " --physdev-is-bridged
Matches if the packet is being bridged and therefore is not being routed.
This is only useful in the FORWARD and POSTROUTING chains.
.SS pkttype
This module matches the link-layer packet type.
.TP
.BI "--pkt-type " "[\fIunicast\fP|\fIbroadcast\fP|\fImulticast\fP]"
+.SS policy
+This modules matches the policy used by IPsec for handling a packet.
+.TP
+.BI "--dir " "in|out"
+Used to select whether to match the policy used for decapsulation or the
+policy that will be used for encapsulation.
+.B in
+is valid in the
+.B PREROUTING, INPUT and FORWARD
+chains,
+.B out
+is valid in the
+.B POSTROUTING, OUTPUT and FORWARD
+chains.
+.TP
+.BI "--pol " "none|ipsec"
+Matches if the packet is subject to IPsec processing.
+.TP
+.BI "--strict"
+Selects whether to match the exact policy or match if any rule of
+the policy matches the given policy.
+.TP
+.BI "--reqid " "id"
+Matches the reqid of the policy rule. The reqid can be specified with
+.B setkey(8)
+using
+.B unique:id
+as level.
+.TP
+.BI "--spi " "spi"
+Matches the SPI of the SA.
+.TP
+.BI "--proto " "ah|esp|ipcomp"
+Matches the encapsulation protocol.
+.TP
+.BI "--mode " "tunnel|transport"
+Matches the encapsulation mode.
+.TP
+.BI "--tunnel-src " "addr[/mask]"
+Matches the source end-point address of a tunnel mode SA.
+Only valid with --mode tunnel.
+.TP
+.BI "--tunnel-dst " "addr[/mask]"
+Matches the destination end-point address of a tunnel mode SA.
+Only valid with --mode tunnel.
+.TP
+.BI "--next"
+Start the next element in the policy specification. Can only be used with
+--strict
.SS psd
Attempt to detect TCP and UDP port scans. This match was derived from
Solar Designer's scanlogd.
meaning that the packet is starting a new connection, but is
associated with an existing connection, such as an FTP data transfer,
or an ICMP error.
+.SS string
+This modules matches a given string by using some pattern matching strategy. It requires a linux kernel >= 2.6.14.
+.TP
+.BI "--algo " "bm|kmp"
+Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris)
+.TP
+.BI "--from " "offset"
+Set the offset from which it starts looking for any matching. If not passed, default is 0.
+.TP
+.BI "--to " "offset"
+Set the offset from which it starts looking for any matching. If not passed, default is the packet size.
+.TP
+.BI "--string " "pattern"
+Matches the given pattern.
+.BI "--hex-string " "pattern"
+Matches the given pattern in hex notation.
.SS tcp
These extensions are loaded if `--protocol tcp' is specified. It
provides the following options:
modified.
.RS
.PP
-You can add several --to-destination options. If you specify more
-than one destination address, either via an address range or multiple
---to-destination options, a simple round-robin (one after another in
-cycle) load balancing takes place between these adresses.
+In Kernels up to 2.6.10 you can add several --to-destination options. For
+those kernels, if you specify more than one destination address, either via an
+address range or multiple --to-destination options, a simple round-robin (one
+after another in cycle) load balancing takes place between these addresses.
+Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges
+anymore.
+
.SS DSCP
This target allows to alter the value of the DSCP bits within the TOS
header of the IPv4 packet. As this manipulates a packet, it can only
Network address to map to. The resulting address will be constructed in the
following way: All 'one' bits in the mask are filled in from the new `address'.
All bits that are zero in the mask are filled in from the original address.
+.SS NFQUEUE
+This target is an extension of the QUEUE target. As opposed to QUEUE, it allows
+you to put a packet into any specific queue, identified by its 16-bit queue
+number.
+.TP
+.BR "--queue-num " "\fIvalue"
+This specifies the QUEUE number to use. Valud queue numbers are 0 to 65535. The default value is 0.
+.TP
+It can only be used with Kernel versions 2.6.14 or later, since it requires
+the
+.B
+nfnetlink_queue
+kernel support.
.SS NOTRACK
This target disables connection tracking for all packets matching that rule.
.TP
1024 or above. Where possible, no port alteration will occur.
.RS
.PP
-You can add several --to-source options. If you specify more
-than one source address, either via an address range or multiple
---to-source options, a simple round-robin (one after another in
-cycle) takes place between these adresses.
+In Kernels up to 2.6.10, you can add several --to-source options. For those
+kernels, if you specify more than one source address, either via an address
+range or multiple --to-source options, a simple round-robin (one after another
+in cycle) takes place between these addresses.
+Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges
+anymore.
.SS TARPIT
Captures and holds incoming TCP connections using no local
per-connection resources. Connections are accepted, but immediately
outgoing interface's MTU minus 40). Of course, it can only be used
in conjunction with
.BR "-p tcp" .
+It is only valid in the
+.BR mangle
+table.
.br
This target is used to overcome criminally braindead ISPs or servers
which block ICMP Fragmentation Needed packets. The symptoms of this
Workaround: activate this option and add a rule to your firewall
configuration like:
.nf
- iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \\
+ iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \\
-j TCPMSS --clamp-mss-to-pmtu
.fi
.TP
.BR iptables-restore (8),
.BR ip6tables (8),
.BR ip6tables-save (8),
-.BR ip6tables-restore (8).
+.BR ip6tables-restore (8),
+.BR libipq (3).
.P
The packet-filtering-HOWTO details iptables usage for
packet filtering, the NAT-HOWTO details NAT,
See
.BR "http://www.netfilter.org/" .
.SH AUTHORS
-Rusty Russell wrote iptables, in early consultation with Michael
+Rusty Russell originally wrote iptables, in early consultation with Michael
Neuling.
.PP
Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet
.PP
Jozsef Kadlecsik wrote the REJECT target.
.PP
-Harald Welte wrote the ULOG target, TTL, DSCP, ECN matches and targets.
+Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, as well as the TTL, DSCP, ECN matches and targets.
.PP
The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Jozsef Kadlecsik,
Patrick McHardy, James Morris, Harald Welte and Rusty Russell.
.PP
-Man page written by Herve Eychenne <rv@wallfire.org>.
+Man page originally written by Herve Eychenne <rv@wallfire.org>.
.\" .. and did I mention that we are incredibly cool people?
.\" .. sexy, too ..
.\" .. witty, charming, powerful ..