options-most.rules revision bc3aeaafcf33e3e6a51948568f4f7a16304f619b
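# ip6tables-save format (IPv6 addresses and IPv6-only matches: hbh, hl,
# ipv6header, rt, frag, mh) exercising the option syntax of most extensions.
#
# Cleanup applied to this copy:
#  - the blame gutter (line number, commit hash, author) that had been fused
#    onto the front of every line is removed; ip6tables-restore cannot parse
#    a line that does not start with '*', ':', '-A', '#' or 'COMMIT';
#  - the long "-A INPUT -p tcp -m cluster ..." rule that had been wrapped
#    across two physical lines (break after "-m ") is rejoined; a restore
#    reads one rule per line, so the wrapped fragment "u32 --u32 ..." would
#    otherwise be a parse error on its own;
#  - the trailing space after "--ctdir REPLY" on the first conntrack rule is
#    dropped.
#
# Layout of the filter table:
#  - "matches" holds match-only rules (no -j target); the bare "-A matches"
#    lines between them are valid empty rules that keep each match isolated.
#    Each interval-style option is exercised as N, :N, 0:N, N: and N:MAX.
#  - "ntarg" holds target-option rules (LOG, NFQUEUE, RATEEST), again
#    separated by bare "-A ntarg" lines.
#  - "zmatches" is created and jumped to, but its rateest match rules stay
#    commented out with '#', so the chain loads empty.
#  - NOTE(review): --hashlimit-name f1 is used in two consecutive INPUT
#    rules with different parameters; confirm the harness expects both to
#    load, as the kernel ties a hashlimit name to one configuration.
#  - NOTE(review): '#' lines are ignored by ip6tables-restore (the rateest
#    lines already rely on this); if a harness diffs this file against
#    ip6tables-save output byte-for-byte, drop this header.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:matches - -
:ntarg - -
:zmatches - -
-A INPUT -j matches
-A INPUT -m u32 --u32 "0x0=0x0&&0x0=0x1" -j ntarg
-A INPUT -j zmatches
-A INPUT -m conntrack --ctstate INVALID --ctproto 6 --ctorigsrc fe80::/64 --ctorigdst fe80::/64 --ctreplsrc fe80::/64 --ctrepldst fe80::/64 --ctorigsrcport 12 --ctorigdstport 13 --ctreplsrcport 14 --ctrepldstport 15 --ctstatus EXPECTED --ctexpire 1:2 --ctdir REPLY
-A INPUT -p tcp -m cluster --cluster-local-nodemask 0x00000001 --cluster-total-nodes 2 --cluster-hash-seed 0x00000001 -m cluster --cluster-local-nodemask 0x00000001 --cluster-total-nodes 2 --cluster-hash-seed 0x00000001 -m comment --comment foo -m connbytes --connbytes 1:2 --connbytes-mode packets --connbytes-dir both -m connlimit --connlimit-upto 1 --connlimit-mask 8 --connlimit-saddr -m connlimit --connlimit-above 1 --connlimit-mask 9 --connlimit-daddr -m connmark --mark 0x99 -m conntrack --ctstate INVALID --ctproto 6 --ctorigsrc fe80::/64 --ctorigdst fe80::/64 --ctreplsrc fe80::/64 --ctrepldst fe80::/64 --ctorigsrcport 12 --ctorigdstport 13 --ctreplsrcport 14 --ctrepldstport 15 --ctstatus EXPECTED --ctexpire 1:2 --ctdir REPLY -m cpu --cpu 2 -m dscp --dscp 0x04 -m dscp --dscp 0x00 -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstip --hashlimit-name f1 --hashlimit-htable-size 64 --hashlimit-htable-max 128 --hashlimit-htable-gcinterval 60 --hashlimit-htable-expire 120 --hashlimit-srcmask 24 --hashlimit-dstmask 24 -m hashlimit --hashlimit-above 5/sec --hashlimit-burst 5 --hashlimit-name f1 -m helper --helper ftp -m iprange --src-range ::1-::2 --dst-range ::1-::2 -m ipvs --vaddr fe80::/64 --vport 1 --vdir REPLY --vmethod GATE --vportctl 21 -m length --length 1:2 -m limit --limit 1/sec -m mac --mac-source 01:02:03:04:05:06 -m mark --mark 0x1 -m physdev --physdev-in eth0 -m pkttype --pkt-type unicast -m policy --dir in --pol ipsec --strict --reqid 1 --spi 0x1 --proto esp --mode tunnel --tunnel-dst fe80::/64 --tunnel-src fe80::/64 --next --reqid 2 -m quota --quota 0 -m recent --rcheck --name DEFAULT --rsource -m socket --transparent -m string --string "foobar" --algo kmp --from 1 --to 2 --icase -m time --timestart 01:02:03 --timestop 03:04:05 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --utc -m tos --tos 0xff/0x01 -m u32 --u32 "0x0=0x0" -m u32 --u32 "0x0=0x0" -m hbh -m hbh -m hl --hl-eq 1
-A INPUT -m ipv6header --header hop-by-hop --soft
-A INPUT -p tcp -m cluster --cluster-local-nodemask 0x00000001 --cluster-total-nodes 2 --cluster-hash-seed 0x00000001
-A INPUT -p tcp -m cluster --cluster-local-nodemask 0x00000001 --cluster-total-nodes 2 --cluster-hash-seed 0x00000001
-A INPUT -p tcp -m comment --comment foo
-A INPUT -p tcp -m connbytes --connbytes 1:2 --connbytes-mode packets --connbytes-dir both
-A INPUT -p tcp -m connlimit --connlimit-upto 1 --connlimit-mask 8 --connlimit-saddr
-A INPUT -p tcp -m connlimit --connlimit-above 1 --connlimit-mask 9 --connlimit-daddr
-A INPUT -p tcp -m connmark --mark 0x99
-A INPUT -p tcp -m conntrack --ctstate INVALID --ctproto 6 --ctorigsrc fe80::/64 --ctorigdst fe80::/64 --ctreplsrc fe80::/64 --ctrepldst fe80::/64 --ctorigsrcport 12 --ctorigdstport 13 --ctreplsrcport 14 --ctrepldstport 15 --ctstatus EXPECTED --ctexpire 1:2 --ctdir REPLY
-A INPUT -p tcp -m cpu --cpu 2
-A INPUT -p tcp -m dscp --dscp 0x04
-A INPUT -p tcp -m dscp --dscp 0x00
-A INPUT -p tcp -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstip --hashlimit-name f1 --hashlimit-htable-size 64 --hashlimit-htable-max 128 --hashlimit-htable-gcinterval 60 --hashlimit-htable-expire 120 --hashlimit-srcmask 24 --hashlimit-dstmask 24
-A INPUT -p tcp -m hashlimit --hashlimit-above 5/sec --hashlimit-burst 5 --hashlimit-name f1
-A INPUT -p tcp -m helper --helper ftp
-A INPUT -p tcp -m iprange --src-range ::1-::2 --dst-range ::1-::2
-A INPUT -p tcp -m length --length 1:2
-A INPUT -p tcp -m limit --limit 1/sec
-A INPUT -p tcp -m mac --mac-source 01:02:03:04:05:06
-A INPUT -p tcp -m mark --mark 0x1
-A INPUT -p tcp -m physdev --physdev-in eth0
-A INPUT -p tcp -m pkttype --pkt-type unicast
-A INPUT -p tcp -m policy --dir in --pol ipsec --strict --reqid 1 --spi 0x1 --proto esp --mode tunnel --tunnel-dst fe80::/64 --tunnel-src fe80::/64 --next --reqid 2
-A INPUT -p tcp -m quota --quota 0
-A INPUT -p tcp -m recent --rcheck --name DEFAULT --rsource
-A INPUT -p tcp -m socket --transparent
-A INPUT -p tcp -m string --string "foobar" --algo kmp --from 1 --to 2 --icase
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN
-A INPUT -p tcp -m tos --tos 0xff/0x01
-A INPUT -p tcp -m u32 ! --u32 "0x0=0x0" -m u32 ! --u32 "0x0=0x0"
-A INPUT -p tcp -m hbh -m hbh -m hl --hl-eq 1 -m ipv6header --header hop-by-hop --soft
-A INPUT -m ipv6header --header hop-by-hop --soft -m rt --rt-type 2 --rt-segsleft 2 --rt-len 5 -m rt --rt-type 0 --rt-segsleft 2 --rt-len 5 --rt-0-res --rt-0-addrs ::1 --rt-0-not-strict -m rt --rt-type 0 --rt-segsleft 2 --rt-len 5 --rt-0-res --rt-0-addrs ::1,::2 --rt-0-not-strict
-A INPUT -p tcp -m cpu --cpu 1 -m tcp --sport 1:2 --dport 1:2 --tcp-option 1 --tcp-flags FIN,SYN,RST,ACK SYN -m cpu --cpu 1
-A INPUT -p dccp -m cpu --cpu 1 -m dccp --sport 1:2 --dport 3:4 -m cpu --cpu 1
-A INPUT -p udp -m cpu --cpu 1 -m udp --sport 1:2 --dport 3:4 -m cpu --cpu 1
-A INPUT -p sctp -m cpu --cpu 1 -m sctp --sport 1:2 --dport 3:4 --chunk-types all INIT,SACK -m cpu --cpu 1
-A INPUT -p esp -m esp --espspi 1:2
-A INPUT -p tcp -m multiport --dports 1,2 -m multiport --dports 1,2
-A INPUT -p tcp -m tcpmss --mss 1:2 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4/0
-A INPUT
-A INPUT -p mobility
-A INPUT -p mobility -m mh --mh-type 3
-A OUTPUT -m owner --socket-exists --uid-owner 1-2 --gid-owner 2-3
-A matches -m connbytes --connbytes 1 --connbytes-mode bytes --connbytes-dir both
-A matches
-A matches -m connbytes --connbytes :2 --connbytes-mode bytes --connbytes-dir both
-A matches
-A matches -m connbytes --connbytes 0:3 --connbytes-mode bytes --connbytes-dir both
-A matches
-A matches -m connbytes --connbytes 4: --connbytes-mode bytes --connbytes-dir both
-A matches
-A matches -m connbytes --connbytes 5:18446744073709551615 --connbytes-mode bytes --connbytes-dir both
-A matches
-A matches -m conntrack --ctexpire 1
-A matches
-A matches -m conntrack --ctexpire :2
-A matches
-A matches -m conntrack --ctexpire 0:3
-A matches
-A matches -m conntrack --ctexpire 4:
-A matches
-A matches -m conntrack --ctexpire 5:4294967295
-A matches
-A matches -m conntrack ! --ctstate NEW ! --ctproto tcp ! --ctorigsrc ::1/127 ! --ctorigdst ::2/127 ! --ctreplsrc ::2/127 ! --ctrepldst ::2/127 ! --ctorigsrcport 3 ! --ctorigdstport 4 ! --ctreplsrcport 5 ! --ctrepldstport 6 ! --ctstatus ASSURED ! --ctexpire 8:9
-A matches
-A matches -p esp -m esp --espspi 1
-A matches
-A matches -p esp -m esp --espspi :2
-A matches
-A matches -p esp -m esp --espspi 0:3
-A matches
-A matches -p esp -m esp --espspi 4:
-A matches
-A matches -p esp -m esp --espspi 5:4294967295
-A matches
-A matches -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-name mini1
-A matches -m hashlimit --hashlimit-upto 1/min --hashlimit-burst 1 --hashlimit-name mini2
-A matches -m hashlimit --hashlimit-upto 1/hour --hashlimit-burst 1 --hashlimit-name mini3
-A matches -m hashlimit --hashlimit-upto 1/day --hashlimit-burst 1 --hashlimit-name mini4
-A matches
-A matches -m ipvs --vaddr fe80::/64 --vport 1 --vdir REPLY --vmethod GATE --vportctl 21
-A matches
-A matches -m length --length 1
-A matches
-A matches -m length --length :2
-A matches
-A matches -m length --length 0:3
-A matches
-A matches -m length --length 4:
-A matches
-A matches -m length --length 5:65535
-A matches
-A matches -p tcp -m tcpmss --mss 1
-A matches
-A matches -p tcp -m tcpmss --mss :2
-A matches
-A matches -p tcp -m tcpmss --mss 0:3
-A matches
-A matches -p tcp -m tcpmss --mss 4:
-A matches
-A matches -p tcp -m tcpmss --mss 5:65535
-A matches
-A matches -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --localtz
-A matches
-A matches -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --kerneltz
-A matches
-A matches -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05
-A matches
-A matches -m time --timestart 02:00:00 --timestop 03:00:00 --datestart 1970-01-01T02:00:00 --datestop 1970-01-01T03:00:00
-A matches
-A matches -m ah --ahspi 1
-A matches
-A matches -m ah --ahspi :2
-A matches
-A matches -m ah --ahspi 0:3
-A matches
-A matches -m ah --ahspi 4:
-A matches
-A matches -m ah --ahspi 5:4294967295
-A matches
-A matches -m frag --fragid 1
-A matches
-A matches -m frag --fragid :2
-A matches
-A matches -m frag --fragid 0:3
-A matches
-A matches -m frag --fragid 4:
-A matches
-A matches -m frag --fragid 5:4294967295
-A matches
-A matches -m rt --rt-segsleft 1
-A matches
-A matches -m rt --rt-segsleft :2
-A matches
-A matches -m rt --rt-segsleft 0:3
-A matches
-A matches -m rt --rt-segsleft 4:
-A matches
-A matches -m rt --rt-segsleft 5:4294967295
-A matches
-A ntarg -j LOG --log-tcp-sequence --log-tcp-options --log-ip-options
-A ntarg
-A ntarg -j NFQUEUE --queue-num 1
-A ntarg
-A ntarg -j NFQUEUE --queue-balance 8:99
-A ntarg
-A ntarg -j RATEEST --rateest-name RE1 --rateest-interval 250.0ms --rateest-ewmalog 500.0ms
-A ntarg
-A ntarg -j RATEEST --rateest-name RE2 --rateest-interval 250.0ms --rateest-ewmalog 500.0ms
-A ntarg
#-A zmatches -m rateest --rateest RE1 --rateest-lt --rateest-bps 8bit
#-A zmatches -m rateest --rateest RE1 --rateest-eq --rateest-bps 8bit
#-A zmatches -m rateest --rateest RE1 --rateest-gt --rateest-bps 8bit
#-A zmatches -m rateest --rateest RE1 --rateest-lt --rateest-pps 5
#-A zmatches -m rateest --rateest RE1 --rateest-eq --rateest-pps 5
#-A zmatches -m rateest --rateest RE1 --rateest-gt --rateest-pps 5
#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-bps1 8bit --rateest-lt --rateest-bps2 16bit
#-A zmatches -m rateest --rateest1 RE1 --rateest-lt --rateest2 RE2 --bytes
#-A zmatches -m rateest --rateest1 RE1 --rateest-lt --rateest2 RE2 --packets
#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-bps1 8bit --rateest-eq --rateest-bps2 16bit
#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-bps1 8bit --rateest-gt --rateest-bps2 16bit
#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-lt --rateest-pps2 9
#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-eq --rateest-pps2 9
#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-gt --rateest-pps2 9
COMMIT
# mangle table: the HL (hop-limit) target is only valid here, so its
# --hl-inc / --hl-dec options are exercised in a separate ntarg chain.
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:matches - -
:ntarg - -
:zmatches - -
-A INPUT -m u32 --u32 "0x0=0x0&&0x0=0x1" -j ntarg
-A ntarg -j HL --hl-inc 1
-A ntarg -j HL --hl-dec 1
-A ntarg
COMMIT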