|author||laforge <laforge>||2002-08-07 09:52:22 +0000|
|committer||laforge <laforge>||2002-08-07 09:52:22 +0000|
include sections for 2.4.20-pending matches/targets
1 files changed, 90 insertions, 3 deletions
@@ -176,7 +176,10 @@ It is legal to specify the
(zero) option as well, in which case the chain(s) will be atomically
listed and zeroed. The exact output is affected by the other
+arguments given. The exact rules are suppressed until you use
+ iptables -L -v
.BR "-F, --flush " "[\fIchain\fP]"
Flush the selected chain (all the chains in the table if none is given).
@@ -317,7 +320,7 @@ The following additional options can be specified:
.B "-v, --verbose"
Verbose output. This option makes the list command show the interface
-address, the rule options (if any), and the TOS masks. The packet and
+name, the rule options (if any), and the TOS masks. The packet and
byte counters are also listed, with the suffix 'K', 'M' or 'G' for
1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see
@@ -552,6 +555,71 @@ directions, and
meaning that the packet is starting a new connection, but is
associated with an existing connection, such as an FTP data transfer,
or an ICMP error.
+This module, when combined with connection tracking, allows access to
+more connection tracking information than the "state" match.
+(this module is present only if iptables was compiled under a kernel
+supporting this feature)
+.BI "--ctstate " "state"
+Where state is a comma separated list of the connection states to
+match. Possible states are
+meaning that the packet is associated with no known connection,
+meaning that the packet is associated with a connection which has seen
+packets in both directions,
+meaning that the packet has started a new connection, or otherwise
+associated with a connection which has not seen packets in both
+meaning that the packet is starting a new connection, but is
+associated with an existing connection, such as an FTP data transfer,
+or an ICMP error.
+A virtual state, matching if the original source address differs from
+the reply destination.
+A virtual state, matching if the original destination differs from the
+.BI "--ctproto " "proto"
+Protocol to match (by number or name)
+.BI "--ctorigsrc " "[!] \fIaddress\fP[/\fImask\fP]"
+Match against original source address
+.BI "--ctorigdst " "[!] \fIaddress\fP[/\fImask\fP]"
+Match against original destination address
+.BI "--ctreplsrc " "[!] \fIaddress\fP[/\fImask\fP]"
+Match against reply source address
+.BI "--ctrepldst " "[!] \fIaddress\fB[/\fImask\fP]"
+Match against reply destination address
+.BI "--ctstatus " "[\fINONE|EXPECTED|SEEN_REPLY|ASSURED\fP][,...]"
+Match against internal conntrack states
+.BI "--ctexpire " "\fItime\fP[\fI:time\fP]"
+Match remaining lifetime in seconds against given value
+or range of values (inclusive)
+This module matches the 6 bit DSCP field within the TOS field in the
+IP header. DSCP has superseded TOS within the IETF.
+.BI "--dscp " "value"
+Match against a numeric (decimal or hex) value [0-32].
+.BI "--dscp-class " "\fIDiffServ Class\fP"
+Match the DiffServ class. This value may be any of the
+BE, EF, AFxx or CSx classes. It will then be converted
+into it's according numeric value.
+This module matches the link-layer packet type.
+.BI "--pkt-type " "[\fIunicast\fP|\fIbroadcast\fP|\fImulticast\fP]"
This module matches the 8 bits of Type of Service field in the IP
header (ie. including the precedence bits).
@@ -832,6 +900,25 @@ Explicitly set MSS option to specified value.
Automatically clamp MSS value to (path_MTU - 40).
These options are mutually exclusive.
+This target allows to alter the value of the DSCP bits within the TOS
+header of the IPv4 packet. As this manipulates a packet, it can only
+be used in the mangle table.
+.BI "--set-dscp " "value"
+Set the DSCP field to a numerical value (can be decimal or hex)
+.BI "--set-dscp-class " "class"
+Set the DSCP field to a DiffServ class.
+This target allows to selectively work around known ECN blackholes.
+It can only be used in the mangle table.
+Remove all ECN bits from the TCP header. Of course, it can only be used
+in conjunction with
+.BR "-p tcp" .
Various error messages are printed to standard error. The exit code
is 0 for correct functioning. Errors which appear to be caused by
@@ -902,7 +989,7 @@ James Morris wrote the TOS target, and tos match.
Jozsef Kadlecsik wrote the REJECT target.
-Harald Welte wrote the ULOG target, TTL match+target and libipulog.
+Harald Welte wrote the ULOG target, TTL, DSCP, ECN matches and targets.
The Netfilter Core Team is: Marc Boucher, Jozsef Kadlecsik, James Morris,
Harald Welte and Rusty Russell.