These extensions can be used if `\-\-protocol tcp' is specified. They
provide the following options:
.TP
[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP]
Source port or port range specification. This can either be a service
name or a port number. An inclusive range can also be specified,
using the format \fIfirst\fP\fB:\fP\fIlast\fP.
If the first port is omitted, "0" is assumed; if the last is omitted,
"65535" is assumed.
The flag
\fB\-\-sport\fP
is a convenient alias for this option.
.TP
[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP]
Destination port or port range specification.  The flag
\fB\-\-dport\fP
is a convenient alias for this option.
.TP
[\fB!\fP] \fB\-\-tcp\-flags\fP \fImask\fP \fIcomp\fP
Match when the TCP flags are as specified.  The first argument \fImask\fP is the
flags which we should examine, written as a comma-separated list, and
the second argument \fIcomp\fP is a comma-separated list of flags which must be
set.  Flags are:
.BR "SYN ACK FIN RST URG PSH ALL NONE" .
Hence the command
.nf
 iptables \-A FORWARD \-p tcp \-\-tcp\-flags SYN,ACK,FIN,RST SYN
.fi
will only match packets with the SYN flag set, and the ACK, FIN and
RST flags unset.
.TP
[\fB!\fP] \fB\-\-syn\fP
Only match TCP packets with the SYN bit set and the ACK, RST and FIN bits
cleared.  Such packets are used to request TCP connection initiation;
for example, blocking such packets coming in an interface will prevent
incoming TCP connections, but outgoing TCP connections will be
unaffected.
It is equivalent to \fB\-\-tcp\-flags SYN,RST,ACK,FIN SYN\fP.
If the "!" flag precedes the "\-\-syn", the sense of the
option is inverted.
.TP
[\fB!\fP] \fB\-\-tcp\-option\fP \fInumber\fP
Match if the TCP option \fInumber\fP is set.
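.PP
The \fImask\fP/\fIcomp\fP semantics of \-\-tcp\-flags and the \-\-syn shorthand described above, modelled in C as an added example (not code from iptables itself). The names parse_flags, tcp_flags_match and syn_match are hypothetical, and it assumes the flags octet of the TCP header is passed in directly.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Bit positions in the TCP header flags octet. */
enum { TCPF_FIN = 0x01, TCPF_SYN = 0x02, TCPF_RST = 0x04,
       TCPF_PSH = 0x08, TCPF_ACK = 0x10, TCPF_URG = 0x20 };

static const struct { const char *name; uint8_t bits; } flag_names[] = {
    {"FIN", TCPF_FIN}, {"SYN", TCPF_SYN}, {"RST", TCPF_RST},
    {"PSH", TCPF_PSH}, {"ACK", TCPF_ACK}, {"URG", TCPF_URG},
    {"ALL", 0x3F},     {"NONE", 0x00},
};

/* Parse a comma-separated flag list such as "SYN,ACK,FIN,RST".
 * Returns the combined bitmask, or -1 on an unknown flag name. */
int parse_flags(const char *list)
{
    char buf[64];
    int mask = 0;
    if (strlen(list) >= sizeof(buf))
        return -1;
    strcpy(buf, list);
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        size_t i, n = sizeof(flag_names) / sizeof(flag_names[0]);
        for (i = 0; i < n; i++)
            if (strcmp(tok, flag_names[i].name) == 0)
                break;
        if (i == n)
            return -1;
        mask |= flag_names[i].bits;
    }
    return mask;
}

/* True if a packet's flags octet satisfies "[!] --tcp-flags mask comp":
 * only bits named in mask are examined, and of those exactly the bits
 * named in comp must be set. Flags outside mask are ignored. */
bool tcp_flags_match(uint8_t pkt, const char *mask, const char *comp, bool invert)
{
    int m = parse_flags(mask), c = parse_flags(comp);
    if (m < 0 || c < 0)
        return false;               /* malformed rule never matches here */
    return ((pkt & m) == c) != invert;
}

/* --syn, written out as its documented --tcp-flags equivalent. */
bool syn_match(uint8_t pkt, bool invert)
{
    return tcp_flags_match(pkt, "SYN,RST,ACK,FIN", "SYN", invert);
}
```

A flag listed in \fIcomp\fP but missing from \fImask\fP can never compare equal in this model, so such a rule matches nothing.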