Provided by: iptables_1.3.3-2ubuntu4_i386 bug

NAME

       ip6tables - IPv6 packet filter administration

SYNOPSIS

       ip6tables [-t table] -[AD] chain rule-specification [options]
       ip6tables [-t table] -I chain [rulenum] rule-specification [options]
       ip6tables [-t table] -R chain rulenum rule-specification [options]
       ip6tables [-t table] -D chain rulenum [options]
       ip6tables [-t table] -[LFZ] [chain] [options]
       ip6tables [-t table] -N chain
       ip6tables [-t table] -X [chain]
       ip6tables [-t table] -P chain target [options]
       ip6tables [-t table] -E old-chain-name new-chain-name

DESCRIPTION

       Ip6tables  is  used to set up, maintain, and inspect the tables of IPv6
       packet filter rules in the Linux kernel.  Several different tables  may
       be  defined.   Each  table contains a number of built-in chains and may
       also contain user-defined chains.

       Each chain is a list of rules which can match a set of  packets.   Each
       rule specifies what to do with a packet that matches.  This is called a
       ‘target’, which may be a jump to  a  user-defined  chain  in  the  same
       table.

TARGETS

       A  firewall rule specifies criteria for a packet, and a target.  If the
       packet does not match, the next rule in the chain is the  examined;  if
       it  does  match,  then  the  next rule is specified by the value of the
       target, which can be the name of a user-defined chain  or  one  of  the
       special values ACCEPT, DROP, QUEUE, or RETURN.

       ACCEPT  means to let the packet through.  DROP means to drop the packet
       on the floor.  QUEUE means to pass the packet to userspace.   (How  the
       packet can be received by a userspace process differs by the particular
       queue handler.  2.4.x and  2.6.x  kernels  up  to  2.6.13  include  the
       ip_queue  queue handler.  Kernels 2.6.14 and later additionally include
       the nfnetlink_queue queue handler.  Packets with a target of QUEUE will
       be  sent  to queue number ’0’ in this case. Please also see the NFQUEUE
       target as described  later  in  this  man  page.)   RETURN  means  stop
       traversing  this  chain  and  resume  at  the next rule in the previous
       (calling) chain.  If the end of a built-in chain is reached or  a  rule
       in a built-in chain with target RETURN is matched, the target specified
       by the chain policy determines the fate of the packet.

TABLES

       There are currently two independent tables (which tables are present at
       any  time depends on the kernel configuration options and which modules
       are present), as nat table has not been implemented yet.

       -t, --table table
              This option  specifies  the  packet  matching  table  which  the
              command  should  operate  on.   If the kernel is configured with
              automatic module loading, an attempt will be made  to  load  the
              appropriate module for that table if it is not already there.

              The tables are as follows:

              filter:
                  This  is  the default table (if no -t option is passed).  It
                  contains the built-in chains INPUT (for packets coming  into
                  the  box  itself), FORWARD (for packets being routed through
                  the box), and OUTPUT (for locally-generated packets).

              mangle:
                  This table is used for specialized packet alteration.  Until
                  kernel  2.4.17  it  had two built-in chains: PREROUTING (for
                  altering incoming packets before routing)  and  OUTPUT  (for
                  altering  locally-generated  packets before routing).  Since
                  kernel  2.4.18,  three  other  built-in  chains   are   also
                  supported:  INPUT  (for packets coming into the box itself),
                  FORWARD (for altering packets being routed through the box),
                  and  POSTROUTING  (for altering packets as they are about to
                  go out).

OPTIONS

       The options that are  recognized  by  ip6tables  can  be  divided  into
       several different groups.

   COMMANDS
       These options specify the specific action to perform.  Only one of them
       can be specified on the command line unless otherwise specified  below.
       For  all the long versions of the command and option names, you need to
       use only enough letters to ensure that ip6tables can  differentiate  it
       from all other options.

       -A, --append chain rule-specification
              Append one or more rules to the end of the selected chain.  When
              the source and/or destination names resolve  to  more  than  one
              address,  a  rule  will  be  added  for  each  possible  address
              combination.

       -D, --delete chain rule-specification
       -D, --delete chain rulenum
              Delete one or more rules from the selected chain.  There are two
              versions  of this command: the rule can be specified as a number
              in the chain (starting at 1 for the first rule)  or  a  rule  to
              match.

       -I, --insert
              Insert one or more rules in the selected chain as the given rule
              number.  So, if the rule number is 1,  the  rule  or  rules  are
              inserted  at the head of the chain.  This is also the default if
              no rule number is specified.

       -R, --replace chain rulenum rule-specification
              Replace a rule in the selected  chain.   If  the  source  and/or
              destination  names  resolve  to  multiple addresses, the command
              will fail.  Rules are numbered starting at 1.

       -L, --list [chain]
              List all rules in the selected chain.  If no chain is  selected,
              all  chains  are  listed.   As  every other iptables command, it
              applies to the specified  table  (filter  is  the  default),  so
              mangle rules get listed by
               ip6tables -t mangle -n -L
              Please  note  that it is often used with the -n option, in order
              to avoid long reverse DNS lookups.  It is legal to  specify  the
              -Z  (zero)  option  as  well, in which case the chain(s) will be
              atomically listed and zeroed.  The exact output is  affected  by
              the  other arguments given. The exact rules are suppressed until
              you use
               ip6tables -L -v

       -F, --flush [chain]
              Flush the selected chain (all the chains in the table if none is
              given).   This  is  equivalent  to deleting all the rules one by
              one.

       -Z, --zero [chain]
              Zero the packet and byte counters in all chains.  It is legal to
              specify  the  -L,  --list  (list)  option  as  well,  to see the
              counters immediately before they are cleared. (See above.)

       -N, --new-chain chain
              Create a new user-defined chain by the given name.   There  must
              be no target of that name already.

       -X, --delete-chain [chain]
              Delete the optional user-defined chain specified.  There must be
              no references to the chain.  If there are, you  must  delete  or
              replace the referring rules before the chain can be deleted.  If
              no argument is given, it  will  attempt  to  delete  every  non-
              builtin chain in the table.

       -P, --policy chain target
              Set  the  policy  for  the  chain  to the given target.  See the
              section TARGETS for the legal targets.  Only built-in (non-user-
              defined)  chains  can  have  policies,  and neither built-in nor
              user-defined chains can be policy targets.

       -E, --rename-chain old-chain new-chain
              Rename the user specified chain to the user supplied name.  This
              is cosmetic, and has no effect on the structure of the table.

       -h     Help.   Give a (currently very brief) description of the command
              syntax.

   PARAMETERS
       The following parameters make up a rule specification (as used  in  the
       add, delete, insert, replace and append commands).

       -p, --protocol [!] protocol
              The  protocol  of  the  rule  or  of  the  packet to check.  The
              specified protocol can be one of tcp, udp, ipv6-icmp|icmpv6,  or
              all,  or  it  can  be a numeric value, representing one of these
              protocols  or  a  different   one.    A   protocol   name   from
              /etc/protocols  is  also  allowed.   A  "!"  argument before the
              protocol inverts the test.  The number  zero  is  equivalent  to
              all.  Protocol all will match with all protocols and is taken as
              default when this option is omitted.

       -s, --source [!] address[/mask]
              Source specification.  Address can be either a hostname  (please
              note that specifying any name to be resolved with a remote query
              such as DNS is a really bad idea), a network IPv6 address  (with
              /mask),  or  a  plain  IPv6  address.   (the  network name isn’t
              supported now).  The mask can be either  a  network  mask  or  a
              plain  number,  specifying the number of 1’s at the left side of
              the  network  mask.   Thus,  a  mask  of  64  is  equivalent  to
              ffff:ffff:ffff:ffff:0000:0000:0000:0000.   A "!" argument before
              the address specification inverts the sense of the address.  The
              flag --src is an alias for this option.

       -d, --destination [!] address[/mask]
              Destination  specification.   See  the  description  of  the  -s
              (source) flag for a detailed description  of  the  syntax.   The
              flag --dst is an alias for this option.

       -j, --jump target
              This  specifies  the target of the rule; i.e., what to do if the
              packet matches it.  The  target  can  be  a  user-defined  chain
              (other than the one this rule is in), one of the special builtin
              targets which decide the fate of the packet immediately,  or  an
              extension  (see EXTENSIONS below).  If this option is omitted in
              a rule, then matching the  rule  will  have  no  effect  on  the
              packet’s fate, but the counters on the rule will be incremented.

       -i, --in-interface [!] name
              Name of an interface via which a packet is going to be  received
              (only  for  packets  entering  the INPUT, FORWARD and PREROUTING
              chains).  When the "!" argument is  used  before  the  interface
              name,  the  sense  is inverted.  If the interface name ends in a
              "+", then any interface which begins with this name will  match.
              If this option is omitted, any interface name will match.

       -o, --out-interface [!] name
              Name of an interface via which a packet is going to be sent (for
              packets entering the FORWARD and OUTPUT chains).  When  the  "!"
              argument  is  used  before  the  interface  name,  the  sense is
              inverted.  If the  interface  name  ends  in  a  "+",  then  any
              interface  which  begins  with  this  name  will match.  If this
              option is omitted, any interface name will match.

       -c, --set-counters  PKTS BYTES
              This enables the administrator to initialize the packet and byte
              counters  of a rule (during INSERT, APPEND, REPLACE operations).

   OTHER OPTIONS
       The following additional options can be specified:

       -v, --verbose
              Verbose output.  This option makes the  list  command  show  the
              interface  name,  the  rule options (if any), and the TOS masks.
              The packet and byte counters are also listed,  with  the  suffix
              ’K’,   ’M’   or   ’G’  for  1000,  1,000,000  and  1,000,000,000
              multipliers respectively (but see the -x flag to  change  this).
              For  appending, insertion, deletion and replacement, this causes
              detailed information on the rule or rules to be printed.

       -n, --numeric
              Numeric output.  IP addresses and port numbers will  be  printed
              in  numeric format.  By default, the program will try to display
              them  as  host  names,  network  names,  or  services  (whenever
              applicable).

       -x, --exact
              Expand  numbers.  Display the exact value of the packet and byte
              counters, instead of only the rounded number in  K’s  (multiples
              of  1000)  M’s (multiples of 1000K) or G’s (multiples of 1000M).
              This option is only relevant for the -L command.

       --line-numbers
              When listing rules, add line numbers to the  beginning  of  each
              rule, corresponding to that rule’s position in the chain.

       --modprobe=command
              When adding or inserting rules into a chain, use command to load
              any necessary modules (targets, match extensions, etc).

MATCH EXTENSIONS

       ip6tables can use extended packet matching modules.  These  are  loaded
       in  two  ways:  implicitly, when -p or --protocol is specified, or with
       the -m or --match options, followed by the matching module name;  after
       these,  various  extra command line options become available, depending
       on the specific  module.   You  can  specify  multiple  extended  match
       modules in one line, and you can use the -h or --help options after the
       module has been specified to receive help specific to that module.

       The following are included in the base package, and most of  these  can
       be preceded by a !  to invert the sense of the match.

   ah
       This module matches the SPIs in AH header of IPSec packets.

       --ahspi [!] spi[:spi]

   condition
       This matches if a specific /proc filename is ’0’ or ’1’.

       --condition [!] filename
              Match        on        boolean       value       stored       in
              /proc/net/ip6t_condition/filename file

   dst
       This module matches the IPv6 destination header options

       --dst-len[!]length
              Total length of this header

       --dst-opts TYPE[:LEN],[,TYPE[:LEN]...]
              Options and it’s length (List).

   esp
       This module matches the SPIs in ESP header of IPSec packets.

       --espspi [!] spi[:spi]

   eui64
       This module matches the EUI64 part of a stateless  autoconfigured  IPv6
       address.   It compares the source MAC address with the lower 64 bits of
       the IPv6 address.

   frag
       This module matches the time IPv6 fragmentathion header

       --fragid [!]id[:id]
              Matches the given fragmentation ID (range).

       --fraglen [!]length
              Matches the total length of this header.

       --fragres
              Matches the reserved field, too.

       --fragfirst
              Matches on the first fragment.

       [--fragmore]
              Matches if there are more fragments.

       [--fraglast]
              Matches if this is the last fragement.

   fuzzy
       This module matches a rate limit based  on  a  fuzzy  logic  controller
       [FLC]

       --lower-limit  number"
              Specifies the lower limit (in packets per second).

       --upper-limit number
              Specifies the upper limit (in packets per second).

   hbh
       This module matches the IPv6 hop-by-hop header options

       --hbh-len[!]length
              Total length of this header

       --hbh-opts TYPE[:LEN],[,TYPE[:LEN]...]
              Options and it’s length (List).

   hl
       This module matches the HOPLIMIT field in the IPv6 header.

       --hl-eq value
              Matches if HOPLIMIT equals the given value.

       --hl-lt ttl
              Matches if HOPLIMIT is less than the given value.

       --hl-gt ttl
              Matches if HOPLIMIT is greater than the given value.

   icmpv6
       This  extension  is  loaded  if  ‘--protocol  ipv6-icmp’ or ‘--protocol
       icmpv6’ is specified. It provides the following option:

       --icmpv6-type [!] typename
              This allows specification of the  ICMP  type,  which  can  be  a
              numeric IPv6-ICMP type, or one of the IPv6-ICMP type names shown
              by the command
               ip6tables -p ipv6-icmp -h

   ipv6header
       This module matches on IPv6 option headers

       --header [!]headers
              Matches    the    given     type     of     headers.      Names:
              hop,dst,route,frag,auth,esp,none,proto   Long   Names:   hop-by-
              hop,ipv6-opts,ipv6-route,ipv6-frag,ah,esp,ipv6-nonxt,protocol
              Numbers: 0,60,43,44,51,50,59

       --soft The header CONTAINS the specified extensions.

   length
       This  module matches the length of a packet against a specific value or
       range of values.

       --length length[:length]

   limit
       This module matches at a limited rate using a token bucket  filter.   A
       rule  using  this  extension  will  match  until  this limit is reached
       (unless the ‘!’ flag is used).  It can be used in combination with  the
       LOG target to give limited logging, for example.

       --limit rate
              Maximum  average  matching  rate: specified as a number, with an
              optional ‘/second’, ‘/minute’, ‘/hour’, or  ‘/day’  suffix;  the
              default is 3/hour.

       --limit-burst number
              Maximum  initial  number  of  packets to match: this number gets
              recharged by one every time the limit  specified  above  is  not
              reached, up to this number; the default is 5.

   mac
       --mac-source [!] address
              Match   source   MAC   address.    It   must   be  of  the  form
              XX:XX:XX:XX:XX:XX.  Note that this only makes sense for  packets
              coming  from  an  Ethernet  device  and entering the PREROUTING,
              FORWARD or INPUT chains.

   mark
       This module matches the netfilter mark field associated with  a  packet
       (which can be set using the MARK target below).

       --mark value[/mask]
              Matches packets with the given unsigned mark value (if a mask is
              specified, this is logically ANDed  with  the  mask  before  the
              comparison).

   multiport
       This  module  matches  a  set of source or destination ports.  Up to 15
       ports can be specified.  A port range (port:port) counts as two  ports.
       It can only be used in conjunction with -p tcp or -p udp.

       --source-ports [!] port[,port[,port:port...]]
              Match  if  the  source port is one of the given ports.  The flag
              --sports is a convenient alias for this option.

       --destination-ports [!] port[,port[,port:port...]]
              Match if the destination port is one of the  given  ports.   The
              flag --dports is a convenient alias for this option.

       --ports [!] port[,port[,port:port...]]
              Match  if the both the source and destination ports are equal to
              each other and to one of the given ports.

   nth
       This module matches every ‘n’th packet

       --every value
              Match every ‘value’ packet

       [--counter num]
              Use internal counter number ‘num’.  Default is ‘0’.

       [--start num]
              Initialize the counter at the number ‘num’ insetad of ‘0’.  Most
              between ‘0’ and ‘value’-1.

       [--packet num]
              Match on ‘num’ packet.  Most be between ‘0’ and ‘value’-1.

   owner
       This  module  attempts  to  match various characteristics of the packet
       creator, for locally-generated packets.  It is only valid in the OUTPUT
       chain,  and  even  this  some packets (such as ICMP ping responses) may
       have  no  owner,  and  hence  never  match.   This   is   regarded   as
       experimental.

       --uid-owner userid
              Matches  if  the  packet was created by a process with the given
              effective user id.

       --gid-owner groupid
              Matches if the packet was created by a process  with  the  given
              effective group id.

       --pid-owner processid
              Matches  if  the  packet was created by a process with the given
              process id.

       --sid-owner sessionid
              Matches if the packet was created by  a  process  in  the  given
              session group.

       --cmd-owner name
              Matches  if  the  packet was created by a process with the given
              command name.  (this option is  present  only  if  iptables  was
              compiled under a kernel supporting this feature)

       NOTE: pid, sid and command matching are broken on SMP

   physdev
       This  module  matches  on  the  bridge  port  input  and output devices
       enslaved  to  a  bridge  device.  This  module  is  a   part   of   the
       infrastructure  that  enables a transparent bridging IP firewall and is
       only useful for kernel versions above version 2.5.44.

       --physdev-in name
              Name of a bridge port via which a packet is received  (only  for
              packets  entering  the INPUT, FORWARD and PREROUTING chains). If
              the interface name ends in  a  "+",  then  any  interface  which
              begins  with  this  name will match. If the packet didn’t arrive
              through a bridge device, this packet won’t  match  this  option,
              unless ’!’ is used.

       --physdev-out name
              Name  of  a  bridge  port via which a packet is going to be sent
              (for  packets  entering  the  FORWARD,  OUTPUT  and  POSTROUTING
              chains).   If  the  interface  name  ends  in  a  "+",  then any
              interface which begins with this name will match. Note  that  in
              the  nat and mangle OUTPUT chains one cannot match on the bridge
              output port, however one can in the filter OUTPUT chain. If  the
              packet  won’t leave by a bridge device or it is yet unknown what
              the output device will be, then  the  packet  won’t  match  this
              option, unless

       --physdev-is-in
              Matches if the packet has entered through a bridge interface.

       --physdev-is-out
              Matches if the packet will leave through a bridge interface.

       --physdev-is-bridged
              Matches  if  the  packet  is  being bridged and therefore is not
              being  routed.   This  is  only  useful  in  the   FORWARD   and
              POSTROUTING chains.

   policy
       This modules matches the policy used by IPsec for handling a packet.

       --dir in|out
              Used   to   select   whether   to  match  the  policy  used  for
              decapsulation or the policy that will be used for encapsulation.
              in  is valid in the PREROUTING, INPUT and FORWARD chains, out is
              valid in the POSTROUTING, OUTPUT and FORWARD chains.

       --pol none|ipsec
              Matches if the packet is subject to IPsec processing.

       --strict
              Selects whether to match the exact policy or match if  any  rule
              of the policy matches the given policy.

       --reqid id
              Matches the reqid of the policy rule. The reqid can be specified
              with setkey(8) using unique:id as level.

       --spi spi
              Matches the SPI of the SA.

       --proto ah|esp|ipcomp
              Matches the encapsulation protocol.

       --mode tunnel|transport
              Matches the encapsulation mode.

       --tunnel-src addr[/masklen]
              Matches the source address of a tunnel. Only valid  with  --mode
              tunnel.

       --tunnel-dst addr[/masklen]
              Matches  the  destination  address  of a tunnel. Only valid with
              --mode tunnel.

       --next Start the next element in the policy specification. Can only  be
              used with --strict

   random
       This module randomly matches a certain percentage of all packets.

       --average percent
              Matches  the given percentage.  If omitted, a probability of 50%
              is set.

   rt
       Match on IPv6 routing header

       --rt-type [!]type
              Match the type (numeric).

       --rt-segsleft[!]num[:num]
              Match the ‘segments left’ field (range).

       --rt-len[!]length
              Match the length of this header

       --rt-0-res
              Match the reserved field, too (type=0)

       --rt-0-addrs ADDR[,ADDR...]
              Match type=0 addresses (list).

       --rt-0-not-strict
              List of type=0 addresses is not a strict list.

   tcp
       These extensions are  loaded  if  ‘--protocol  tcp’  is  specified.  It
       provides the following options:

       --source-port [!] port[:port]
              Source  port  or  port range specification. This can either be a
              service name or a port number. An inclusive range  can  also  be
              specified,  using  the  format  port:port.  If the first port is
              omitted, "0" is assumed; if the  last  is  omitted,  "65535"  is
              assumed.  If the second port greater then the first they will be
              swapped.  The flag  --sport  is  a  convenient  alias  for  this
              option.

       --destination-port [!] port[:port]
              Destination  port or port range specification.  The flag --dport
              is a convenient alias for this option.

       --tcp-flags [!] mask comp
              Match when the TCP flags are as specified.  The  first  argument
              is  the  flags  which  we  should  examine,  written as a comma-
              separated list, and the second  argument  is  a  comma-separated
              list of flags which must be set.  Flags are: SYN ACK FIN RST URG
              PSH ALL NONE.  Hence the command
               ip6tables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
              will only match packets with the SYN flag set, and the ACK,  FIN
              and RST flags unset.

       [!] --syn
              Only  match TCP packets with the SYN bit set and the ACK and RST
              bits cleared.  Such packets are used to request  TCP  connection
              initiation;  for  example,  blocking  such  packets coming in an
              interface will prevent incoming TCP  connections,  but  outgoing
              TCP  connections will be unaffected.  It is equivalent to --tcp-
              flags SYN,RST,ACK SYN.  If the "!" flag  precedes  the  "--syn",
              the sense of the option is inverted.

       --tcp-option [!] number
              Match if TCP option set.

   udp
       These  extensions  are  loaded  if  ‘--protocol  udp’ is specified.  It
       provides the following options:

       --source-port [!] port[:port]
              Source port or port range specification.  See the description of
              the --source-port option of the TCP extension for details.

       --destination-port [!] port[:port]
              Destination   port   or   port  range  specification.   See  the
              description  of  the  --destination-port  option  of   the   TCP
              extension for details.

TARGET EXTENSIONS

       ip6tables  can  use extended target modules: the following are included
       in the standard distribution.

   HL
       This is used to modify the IPv6 HOPLIMIT header  field.   The  HOPLIMIT
       field  is  similar  to  what is known as TTL value in IPv4.  Setting or
       incrementing the HOPLIMIT field can potentially be very  dangerous,  so
       it should be avoided at any cost.

       Dont  ever set or increment the value on packets that leave your local
       network!
              mangle table.

       --hl-set value
              Set the HOPLIMIT value to ‘value’.

       --hl-dec value
              Decrement the HOPLIMIT value ‘value’ times.

       --hl-inc value
              Increment the HOPLIMIT value ‘value’ times.

   LOG
       Turn  on  kernel  logging of matching packets.  When this option is set
       for a rule, the  Linux  kernel  will  print  some  information  on  all
       matching packets (like most IPv6 IPv6-header fields) via the kernel log
       (where it can be read with dmesg  or  syslogd(8)).   This  is  a  "non-
       terminating  target",  i.e.  rule traversal continues at the next rule.
       So if you want to LOG the packets you refuse, use  two  separate  rules
       with  the  same matching criteria, first using target LOG then DROP (or
       REJECT).

       --log-level level
              Level of logging (numeric or see syslog.conf(5)).

       --log-prefix prefix
              Prefix log messages with the specified prefix; up to 29  letters
              long, and useful for distinguishing messages in the logs.

       --log-tcp-sequence
              Log  TCP sequence numbers. This is a security risk if the log is
              readable by users.

       --log-tcp-options
              Log options from the TCP packet header.

       --log-ip-options
              Log options from the IPv6 packet header.

       --log-uid
              Log the userid of the process which generated the packet.

   MARK
       This is used to set  the  netfilter  mark  value  associated  with  the
       packet.  It is only valid in the mangle table.

       --set-mark mark

   NFQUEUE
       This  target  is an extension of the QUEUE target. As opposed to QUEUE,
       it allows you to put a packet into any specific  queue,  identified  by
       its 16-bit queue number.

       It  can  only  be  used  with Kernel versions 2.6.14 or later, since it
       requires
              the nfnetlink_queue kernel support.

   REJECT
       This  is  used  to send back an error packet in response to the matched
       packet: otherwise it is equivalent to  DROP  so  it  is  a  terminating
       TARGET, ending rule traversal.  This target is only valid in the INPUT,
       FORWARD and OUTPUT chains,  and  user-defined  chains  which  are  only
       called  from those chains.  The following option controls the nature of
       the error packet returned:

       --reject-with type
              The type given can be
               icmp6-no-route
               no-route
               icmp6-adm-prohibited
               adm-prohibited
               icmp6-addr-unreachable
               addr-unreach
               icmp6-port-unreachable
               port-unreach
              which return the  appropriate  IPv6-ICMP  error  message  (port-
              unreach  is  the  default). Finally, the option tcp-reset can be
              used on rules which only match the TCP protocol: this  causes  a
              TCP  RST  packet  to  be  sent  back.  This is mainly useful for
              blocking ident (113/tcp)  probes  which  frequently  occur  when
              sending  mail to broken mail hosts (which won’t accept your mail
              otherwise).

   ROUTE
       This is used to explicitly override the core  network  stack’s  routing
       decision.  mangle table.

       --oif ifname
              Route the packet through ‘ifname’ network interface

       --gw IPv6_address
              Route the packet via this gateway

       --continue
              Behave like a non-terminating target and continue traversing the
              rules. Not valid in combination with ‘--tee’

       --tee  Make a copy of the packet, and route  that  copy  to  the  given
              destination.  For  the  original, uncopied packet, behave like a
              non-terminating target and continue traversing the  rules.   Not
              valid in combination with ‘--continue’

   TRACE
       This  target  has  no options.  It just turns on packet tracing for all
       packets that match this rule.

   ULOG
       This target provides userspace logging of matching packets.  When  this
       target  is  set for a rule, the Linux kernel will multicast this packet
       through a netlink socket. One or  more  userspace  processes  may  then
       subscribe  to  various  multicast groups and receive the packets.  Like
       LOG, this is a "non-terminating target", i.e. rule traversal  continues
       at the next rule.

       --ulog-nlgroup nlgroup
              This  specifies  the netlink group (1-32) to which the packet is
              sent.  Default value is 1.

       --ulog-prefix prefix
              Prefix  log  messages  with  the  specified  prefix;  up  to  32
              characters  long,  and useful for distinguishing messages in the
              logs.

       --ulog-cprange size
              Number of bytes to be copied to userspace.  A value of 0  always
              copies the entire packet, regardless of its size.  Default is 0.

       --ulog-qthreshold size
              Number of packet to queue inside kernel.  Setting this value to,
              e.g.  10 accumulates ten packets inside the kernel and transmits
              them as one netlink multipart message to userspace.  Default  is
              1 (for backwards compatibility).

DIAGNOSTICS

       Various error messages are printed to standard error.  The exit code is
       0 for correct functioning.  Errors which appear to be caused by invalid
       or  abused  command  line parameters cause an exit code of 2, and other
       errors cause an exit code of 1.

BUGS

       Bugs?  What’s this? ;-)  Well...  the  counters  are  not  reliable  on
       sparc64.

COMPATIBILITY WITH IPCHAINS

       This  ip6tables is very similar to ipchains by Rusty Russell.  The main
       difference is that the chains INPUT and OUTPUT are only  traversed  for
       packets  coming into the local host and originating from the local host
       respectively.  Hence every packet only passes through one of the  three
       chains  (except  loopback traffic, which involves both INPUT and OUTPUT
       chains); previously a forwarded packet would pass through all three.

       The other main difference is that -i refers to the input interface;  -o
       refers  to  the  output  interface,  and both are available for packets
       entering the  FORWARD  chain.   There  are  several  other  changes  in
       ip6tables.

SEE ALSO

       ip6tables-save(8), ip6tables-restore(8), iptables(8), iptables-save(8),
       iptables-restore(8), libipq(3).

       The packet-filtering-HOWTO details iptables usage for packet filtering,
       the  NAT-HOWTO  details NAT, the netfilter-extensions-HOWTO details the
       extensions  that  are  not  in  the  standard  distribution,  and   the
       netfilter-hacking-HOWTO details the netfilter internals.
       See http://www.netfilter.org/.

AUTHORS

       Rusty  Russell  wrote  iptables,  in  early  consultation  with Michael
       Neuling.

       Marc Boucher made Rusty abandon ipnatctl  by  lobbying  for  a  generic
       packet  selection  framework  in iptables, then wrote the mangle table,
       the owner match, the mark  stuff,  and  ran  around  doing  cool  stuff
       everywhere.

       James Morris wrote the TOS target, and tos match.

       Jozsef Kadlecsik wrote the REJECT target.

       Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, aswell
       as TTL match+target and libipulog.

       The Netfilter Core Team is:  Marc  Boucher,  Martin  Josefsson,  Jozsef
       Kadlecsik, James Morris, Harald Welte and Rusty Russell.

       ip6tables  man  page created by Andras Kis-Szabo, based on iptables man
       page written by Herve Eychenne <rv@wallfire.org>.

                                 Mar 09, 2002                     IP6TABLES(8)