Red Hat Enterprise Linux 5 Administration Unleashed

Using IPTables Match Extensions 481Using IPTables Match ExtensionsOptionally, packet matching modules, or match extensions can be loaded. Depending onthe module loaded, even more options are available. To find out what additional optionsare available, load the module, and then use the iptables -h command to learn moreabout the options.The meaning of most of the match extensions can be inverted by adding an exclamationpoint before it. Extensions with this functionality are noted with a [!] where the optionalexclamation point should go. Modules are loaded with the -m or -p options. Unless noted,the modules are loaded with the -m option. The following match extensionsare available:accountGather traffic statistics for all systems within a network defined by itsnetwork/netmask combination.--aaddr Network for which to gather statistics.--aname Name of the statistics table. If a name is not provided, DEFAULT will be used.--ashortRecord short statistics.24addrtypeMatch packets based on their source and/or destination address type. Address typecan be one of the following: UNSPEC, UNICAST, LOCAL, BROADCAST, ANYCAST,MULTICAST, BLACKHOLE, UNREACHABLE, PROHIBIT, THROW, NAT, and XRESOLVE.--src-type Type of source address used to match the rule.--dst-type Type of destination address used to match the rule.ahMatch based on SPIs in Authentication header of IPsec packets.--ahspi [!] :Define range of SPIs to match.childlevelSet connection level of packets to match. Most packets are level 0, with their childrenbeing level 1, and so on.--childlevel [!] Define connection level on which to match.