author Henrik Nordstrom <> 2004-01-22 15:04:24 +0000
committer Harald Welte <> 2004-01-22 15:04:24 +0000
commit c2794131b445ebccba184066af6d3fb2f38d1f38
tree a24f57a9be5a8364b53dfa102705d270f36b440a /extensions/
parent 0113fe75ff05e09e6f3d251534d9ae32e9aa717c
split manpages into per-extension manpage snippet (Henrik Nordstrom)
add lots of missing manpage snippets (Harald Welte)
Diffstat (limited to 'extensions/')
1 files changed, 49 insertions, 0 deletions
diff --git a/extensions/ b/extensions/
new file mode 100644
index 00000000..48a068fa
--- /dev/null
+++ b/extensions/
@@ -0,0 +1,49 @@
+These extensions are loaded if `--protocol tcp' is specified. It
+provides the following options:
+.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
+Source port or port range specification. This can either be a service
+name or a port number. An inclusive range can also be specified,
+using the format
+.IR port : port .
+If the first port is omitted, "0" is assumed; if the last is omitted,
+"65535" is assumed.
+If the second port greater then the first they will be swapped.
+The flag
+.B --sport
+is a convenient alias for this option.
+.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
+Destination port or port range specification. The flag
+.B --dport
+is a convenient alias for this option.
+.BR "--tcp-flags " "[!] \fImask\fP \fIcomp\fP"
+Match when the TCP flags are as specified. The first argument is the
+flags which we should examine, written as a comma-separated list, and
+the second argument is a comma-separated list of flags which must be
+set. Flags are:
+Hence the command
+ iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
+will only match packets with the SYN flag set, and the ACK, FIN and
+RST flags unset.
+.B "[!] --syn"
+Only match TCP packets with the SYN bit set and the ACK and RST bits
+cleared. Such packets are used to request TCP connection initiation;
+for example, blocking such packets coming in an interface will prevent
+incoming TCP connections, but outgoing TCP connections will be
+It is equivalent to \fB--tcp-flags SYN,RST,ACK SYN\fP.
+If the "!" flag precedes the "--syn", the sense of the
+option is inverted.
+.BR "--tcp-option " "[!] \fInumber\fP"
+Match if TCP option set.
+.BR "--mss " "\fIvalue\fP[:\fIvalue\fP]"
+Match TCP SYN or SYN/ACK packets with the specified MSS value (or range),
+which control the maximum packet size for that connection.
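Review bot: In the --tcp-flags entry, "Flags are:" is followed directly by "Hence the command", so the reader is never told which flag names the mask and comp lists accept; list them after the colon. In the --syn entry, the sentence "but outgoing TCP connections will be" stops without its ending before "It is equivalent to", which leaves the rule's effect on outgoing connections unstated, and that is the part an administrator relies on when writing an inbound block. In the --source-port entry, "If the second port greater then the first they will be swapped" needs "is greater than", and the condition looks inverted: a range whose second port is the larger one is already in order, so confirm whether the swap applies when the first port is the larger. Smaller points: "These extensions are loaded ... It provides" mixes plural and singular, "Match if TCP option set" does not say that the number is the TCP option kind being tested for, and "which control the maximum packet size" should read "controls".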