如何列出 iptables 可加载的匹配模块

如何列出 iptables 可加载的匹配模块

如何列出iptables(在标志后给出-m)中的所有可加载模块?

这个帖子建议列出可加载模块

ls /lib*/iptables/

我的版本 ( ) 中没有此文件夹v1.6.0

答案1

您已获得链接帖子中描述的所有内容。

  1. 列出所有可用模块:
    :~# ls /lib/modules/`uname -r`/kernel/net/netfilter/
    
  2. 列出所有加载的模块(除非您在规则中使用特定模块,否则它将不会显示在此列表中):
    :~# cat /proc/net/ip_tables_matches
    comment
    addrtype
    mark
    conntrack
    conntrack
    conntrack
    recent
    recent
    addrtype
    udplite
    udp
    tcp
    multiport
    icmp
    
  3. 手册页iptables-extensions提供了标准 iptables 发行版中可用扩展的信息。
    :~# man 8 iptables-extensions
    

答案2

使用 gruntboy 的答案,可以编写以下输出的脚本;

bpf match options:
--bytecode <program>            : a bpf program as generated by
                                 $(nfbpf_compile RAW '<filter>')
--object-pinned <bpf object>    : a path to a pinned BPF object in bpf fs

cgroup match options:
[!] --path path                 Recursively match path relative to cgroup2 root
[!] --cgroup classid            Match cgroup classid, can't be used with --path

cluster match options:
  --cluster-total-nodes <num>       Set number of total nodes in cluster
  [!] --cluster-local-node <num>    Set the local node number
  [!] --cluster-local-nodemask <num>    Set the local node mask
  --cluster-hash-seed <num>     Set seed value of the Jenkins hash

comment match options:
--comment COMMENT             Attach a comment to a rule

connbytes match options:
 [!] --connbytes from:[to]
     --connbytes-dir [original, reply, both]
     --connbytes-mode [packets, bytes, avgpkt]

connlabel match options:
[!] --label name     Match if label has been set on connection
    --set            Set label on connection

connlimit match options:
  --connlimit-upto n     match if the number of existing connections is 0..n
  --connlimit-above n    match if the number of existing connections is >n
  --connlimit-mask n     group hosts using prefix length (default: max len)
  --connlimit-saddr      select source address for grouping
  --connlimit-daddr      select destination addresses for grouping

connmark match options:
[!] --mark value[/mask]    Match ctmark value with optional mask

conntrack match options:
[!] --ctstate {INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT}[,...]
                               State(s) to match
[!] --ctproto proto            Protocol to match; by number or name, e.g. "tcp"
[!] --ctorigsrc address[/mask]
[!] --ctorigdst address[/mask]
[!] --ctreplsrc address[/mask]
[!] --ctrepldst address[/mask]
                               Original/Reply source/destination address
[!] --ctorigsrcport port
[!] --ctorigdstport port
[!] --ctreplsrcport port
[!] --ctrepldstport port
                               TCP/UDP/SCTP orig./reply source/destination port
[!] --ctstatus {NONE|EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED}[,...]
                               Status(es) to match
[!] --ctexpire time[:time]     Match remaining lifetime in seconds against
                               value or range of values (inclusive)
    --ctdir {ORIGINAL|REPLY}   Flow direction of packet

cpu match options:
[!] --cpu number   Match CPU number

devgroup match options:
[!] --src-group value[/mask]    Match device group of incoming device
[!] --dst-group value[/mask]    Match device group of outgoing device

esp match options:
[!] --espspi spi[:spi]
                match spi (range)

hashlimit match options:
  --hashlimit-upto <avg>           max average match rate
                                   [Packets per second unless followed by 
                                   /sec /minute /hour /day postfixes]
  --hashlimit-above <avg>          min average match rate
  --hashlimit-mode <mode>          mode is a comma-separated list of
                                   dstip,srcip,dstport,srcport (or none)
  --hashlimit-srcmask <length>     source address grouping prefix length
  --hashlimit-dstmask <length>     destination address grouping prefix length
  --hashlimit-name <name>          name for /proc/net/ipt_hashlimit
  --hashlimit-burst <num>       number to match in a burst, default 5
  --hashlimit-htable-size <num>    number of hashtable buckets
  --hashlimit-htable-max <num>     number of hashtable entries
  --hashlimit-htable-gcinterval    interval between garbage collection runs
  --hashlimit-htable-expire        after which time are idle entries expired?
  --hashlimit-rate-match           rate match the flow without rate-limiting it
  --hashlimit-rate-interval        interval in seconds for hashlimit-rate-match

helper match options:
[!] --helper string        Match helper identified by string

iprange match options:
[!] --src-range ip[-ip]    Match source IP in the specified range
[!] --dst-range ip[-ip]    Match destination IP in the specified range

length match options:
[!] --length length[:length]    Match packet length against value or range
                                of values (inclusive)

limit match options:
--limit avg         max average match rate: default 3/hour
                                [Packets per second unless followed by 
                                /sec /minute /hour /day postfixes]
--limit-burst number        number to match in a burst, default 5

mac match options:
[!] --mac-source XX:XX:XX:XX:XX:XX
                Match source MAC address

mark match options:
[!] --mark value[/mask]    Match nfmark value with optional mask

multiport match options:
[!] --source-ports port[,port:port,port...]
 --sports ...
                match source port(s)
[!] --destination-ports port[,port:port,port...]
 --dports ...
                match destination port(s)
[!] --ports port[,port:port,port]
                match both source and destination port(s)

nfacct match options:
 --nfacct-name STRING       Name of accouting area

owner match options:
[!] --uid-owner userid[-userid]      Match local UID
[!] --gid-owner groupid[-groupid]    Match local GID
[!] --socket-exists                  Match if socket exists
    --suppl-groups                   Also match supplementary groups set with --gid-owner

physdev match options:
 [!] --physdev-in inputname[+]      bridge port name ([+] for wildcard)
 [!] --physdev-out outputname[+]    bridge port name ([+] for wildcard)
 [!] --physdev-is-in            arrived on a bridge device
 [!] --physdev-is-out           will leave on a bridge device
 [!] --physdev-is-bridged       it's a bridged packet

pkttype match options:
[!] --pkt-type packettype    match packet type
Valid packet types:
    unicast             to us
    broadcast           to all
    multicast           to group

policy match options:
  --dir in|out          match policy applied during decapsulation/
                policy to be applied during encapsulation
  --pol none|ipsec      match policy
  --strict          match entire policy instead of single element
                at any position
These options may be used repeatedly, to describe policy elements:
[!] --reqid reqid       match reqid
[!] --spi spi           match SPI
[!] --proto proto       match protocol (ah/esp/ipcomp)
[!] --mode mode         match mode (transport/tunnel)
[!] --tunnel-src addr/mask  match tunnel source
[!] --tunnel-dst addr/mask  match tunnel destination
  --next            begin next element in policy

quota match options:
[!] --quota quota       quota (bytes)

rateest match options:
 --rateest1 name        Rate estimator name
 --rateest2 name        Rate estimator name
 --rateest-delta        Compare difference(s) to given rate(s)
 --rateest-bps1 [bps]       Compare bps
 --rateest-pps1 [pps]       Compare pps
 --rateest-bps2 [bps]       Compare bps
 --rateest-pps2 [pps]       Compare pps
 [!] --rateest-lt       Match if rate is less than given rate/estimator
 [!] --rateest-gt       Match if rate is greater than given rate/estimator
 [!] --rateest-eq       Match if rate is equal to given rate/estimator

realm match options:
[!] --realm value[/mask]
                Match realm

recent match options:
[!] --set                       Add source address to list, always matches.
[!] --rcheck                    Match if source address in list.
[!] --update                    Match if source address in list, also update last-seen time.
[!] --remove                    Match if source address in list, also removes that address from list.
    --seconds seconds           For check and update commands above.
                                Specifies that the match will only occur if source address last seen within
                                the last 'seconds' seconds.
    --reap                      Purge entries older then 'seconds'.
                                Can only be used in conjunction with the seconds option.
    --hitcount hits             For check and update commands above.
                                Specifies that the match will only occur if source address seen hits times.
                                May be used in conjunction with the seconds option.
    --rttl                      For check and update commands above.
                                Specifies that the match will only occur if the source address and the TTL
                                match between this packet and the one which was set.
                                Useful if you have problems with people spoofing their source address in order
                                to DoS you via this module.
    --name name                 Name of the recent list to be used.  DEFAULT used if none given.
    --rsource                   Match/Save the source address of each packet in the recent list table (default).
    --rdest                     Match/Save the destination address of each packet in the recent list table.
    --mask netmask              Netmask that will be applied to this recent list.
xt_recent by: Stephen Frost <[email protected]>.

set match options:
 [!] --match-set name flags [--return-nomatch]
   [! --update-counters] [! --update-subcounters]
   [[!] --packets-eq value | --packets-lt value | --packets-gt value
   [[!] --bytes-eq value | --bytes-lt value | --bytes-gt value
         'name' is the set name from to match,
         'flags' are the comma separated list of
         'src' and 'dst' specifications.

socket match options:
  --nowildcard     Do not ignore LISTEN sockets bound on INADDR_ANY
  --transparent    Ignore non-transparent sockets
  --restore-skmark Set the packet mark to the socket mark if
                   the socket matches and transparent / 
                   nowildcard conditions are satisfied

state match options:
 [!] --state [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED][,...]
                State(s) to match

statistic match options:
 --mode mode                    Match mode (random, nth)
 random mode:
[!] --probability p      Probability
 nth mode:
[!] --every n            Match every nth packet
 --packet p          Initial counter value (0 <= p <= n-1, default 0)

string match options:
--from                       Offset to start searching from
--to                         Offset to stop searching
--algo                       Algorithm
--icase                      Ignore case (default: 0)
[!] --string string          Match a string in a packet
[!] --hex-string string      Match a hex string in a packet

tcp match options:
[!] --tcp-flags mask comp   match when TCP flags & mask == comp
                (Flags: SYN ACK FIN RST URG PSH ALL NONE)
[!] --syn           match when only SYN flag set
                (equivalent to --tcp-flags SYN,RST,ACK,FIN SYN)
[!] --source-port port[:port]
 --sport ...
                match source port(s)
[!] --destination-port port[:port]
 --dport ...
                match destination port(s)
[!] --tcp-option number        match if TCP option set

tcpmss match options:
[!] --mss value[:value] Match TCP MSS range.
                (only valid for TCP SYN or SYN/ACK packets)

time match options:
    --datestart time     Start and stop time, to be given in ISO 8601
    --datestop time      (YYYY[-MM[-DD[Thh[:mm[:ss]]]]])
    --timestart time     Start and stop daytime (hh:mm[:ss])
    --timestop time      (between 00:00:00 and 23:59:59)
[!] --monthdays value    List of days on which to match, separated by comma
                         (Possible days: 1 to 31; defaults to all)
[!] --weekdays value     List of weekdays on which to match, sep. by comma
                         (Possible days: Mon,Tue,Wed,Thu,Fri,Sat,Sun or 1 to 7
                         Defaults to all weekdays.)
    --kerneltz           Work with the kernel timezone instead of UTC

u32 match options:
[!] --u32 tests
        tests := location "=" value | tests "&&" location "=" value
        value := range | value "," range
        range := number | number ":" number
        location := number | location operator number
        operator := "&" | "<<" | ">>" | "@"

udp match options:
[!] --source-port port[:port]
 --sport ...
                match source port(s)
[!] --destination-port port[:port]
 --dport ...
                match destination port(s)

相关内容