Cluster I/O Protocols (CIP) Configuration and Management Manual (H06.16+, J06.05+)
ah
Matches the SPIs in the Authentication Header (AH) of IPsec packets.
[!] --ahspi spi[:spi]
comment
Allows you to add comments (up to 256 characters) to any rule.
--comment comment
Example:
iptables -A INPUT -s 192.168.0.0/16 -m comment --comment 'A privatized IP block'
connbytes
Matches by how many bytes/packets a connection has transferred.
[!] --connbytes from:[to]
Matches packets from a connection whose packet count, byte count, or average packet size is more than
FROM and less than TO (packets or bytes, depending on --connbytes-mode). If TO is omitted, only the FROM check is done. "!" inverts the test, matching packets whose connection does not fall in the range:
--connbytes-dir {original|reply|both}
--connbytes-mode {packets|bytes|avgpkt}
Example:
iptables .. -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes ...
connlimit
Allows you to restrict the number of parallel TCP connections to a server per client IP address (or address block).
[!] --connlimit-above n
--connlimit-mask bits
Examples:
# allow 2 telnet connections per client host
iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
connmark *
Matches packets in connections with value set by CONNMARK target.
Not supported because it is valid only in the mangle table.
conntrack
Matches additional connection tracking information.
[!] --ctstate statelist
statelist is a comma-separated list of the connection states to match.
[!] --ctproto l4proto
[!] --ctorigsrc address[/mask]
[!] --ctorigdst address[/mask]
[!] --ctreplsrc address[/mask]
[!] --ctrepldst address[/mask]
Matches against original/reply source/destination address.
[!] --ctorigsrcport port
[!] --ctorigdstport port
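The following script is an added example, not part of the CIP manual, showing how the comment, connbytes, connlimit and conntrack matches described above are combined into a small, reviewable INPUT ruleset. It defaults to a dry run (DRY_RUN=1) that prints the iptables commands instead of executing them, so the ruleset can be checked without root; the port, the 10 MB connbytes threshold and the comment strings are constructed values. The check_connbytes_range helper, which rejects a malformed FROM:TO range before it reaches iptables, is likewise the example's own and not an iptables feature.

```shell
#!/bin/sh
# Added example (not from the CIP manual). DRY_RUN=1 prints each rule instead
# of calling iptables; set DRY_RUN=0 to apply the rules for real.
DRY_RUN="${DRY_RUN:-1}"

# ipt: wrapper that either prints the command (dry run) or executes iptables.
# Arguments containing shell-special characters are shown single-quoted so
# the printed line can be copied back into a shell unchanged.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables'
        for arg; do
            case $arg in
                *[!A-Za-z0-9_./:,=-]*) printf " '%s'" "$arg" ;;
                *) printf ' %s' "$arg" ;;
            esac
        done
        printf '\n'
    else
        iptables "$@"
    fi
}

# check_connbytes_range FROM[:TO]
# Returns 0 when FROM and TO are non-negative integers and FROM <= TO.
# TO may be omitted (FROM-only check), matching the --connbytes syntax.
check_connbytes_range() {
    range=$1
    from=${range%%:*}
    to=${range#*:}
    [ "$to" = "$range" ] && to=""      # no ':' present: FROM only
    case $from in ''|*[!0-9]*) return 1 ;; esac
    case $to in *[!0-9]*) return 1 ;; esac
    [ -z "$to" ] || [ "$from" -le "$to" ]
}

# apply_rules: builds the ruleset. Returns non-zero if a range is malformed.
apply_rules() {
    # conntrack: accept replies to connections we already track.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED \
        -m comment --comment 'replies to tracked connections' -j ACCEPT

    # connlimit: at most 2 parallel telnet connections per client host.
    ipt -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 \
        -m comment --comment 'cap telnet connections per client' -j REJECT

    # connbytes: log connections that have moved more than 10 MB in either
    # direction (constructed threshold; TO omitted, so only FROM is checked).
    range='10000000:'
    check_connbytes_range "$range" || return 1
    ipt -A INPUT -m connbytes --connbytes "$range" --connbytes-dir both \
        --connbytes-mode bytes -m comment --comment 'flag large flows' \
        -j LOG --log-prefix 'large-flow: '
}

# Run as: sh firewall-example.sh apply   (dry run unless DRY_RUN=0)
case "${1:-}" in apply) apply_rules ;; esac
```

In dry-run mode the three printed lines are the exact commands that would be executed, which is the form a change reviewer wants to see before the rules go live.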