`--dest` `<string>` ::
-Restrict packet destination address. This can refer to a single IP address, an
-IP set ('+ipsetname') or an IP alias definition. You can also specify an
-address range like '20.34.101.207-201.3.9.99', or a list of IP addresses and
-networks (entries are separated by comma). Please do not mix IPv4 and IPv6
-addresses inside such lists.
+Restrict packet destination address. This can refer to a single IP address, an IP set ('+ipsetname') or an IP alias definition. You can also specify an address range like '20.34.101.207-201.3.9.99', or a list of IP addresses and networks (entries are separated by comma). Please do not mix IPv4 and IPv6 addresses inside such lists.
`--dport` `<string>` ::
-Restrict TCP/UDP destination port. You can use service names or simple numbers
-(0-65535), as defined in '/etc/services'. Port ranges can be specified with
-'\d+:\d+', for example '80:85', and you can use comma separated list to match
-several ports or ranges.
+Restrict TCP/UDP destination port. You can use service names or simple numbers (0-65535), as defined in '/etc/services'. Port ranges can be specified with '\d+:\d+', for example '80:85', and you can use comma separated list to match several ports or ranges.
`--icmp-type` `<string>` ::
-Restrict ICMP packets to specific types. You can either use the names as
-ip[6]tables ('ip[6]tables -p icmp[v6] -h') provides them, or use the
-Type[/Code] value, for example 'network-unreachable' which corresponds to
-'3/0'.
+Specify icmp-type. Only valid if proto equals 'icmp' or 'icmpv6'/'ipv6-icmp'.
`--iface` `<string>` ::
-Network interface name. You have to use network configuration key names for VMs
-and containers ('net\d+'). Host related rules can use arbitrary strings.
+Network interface name. You have to use network configuration key names for VMs and containers ('net\d+'). Host related rules can use arbitrary strings.
`--log` `<alert | crit | debug | emerg | err | info | nolog | notice | warning>` ::
`--proto` `<string>` ::
-IP protocol. You can use protocol names ('tcp'/'udp') or simple numbers, as
-defined in '/etc/protocols'.
+IP protocol. You can use protocol names ('tcp'/'udp') or simple numbers, as defined in '/etc/protocols'.
`--source` `<string>` ::
-Restrict packet source address. This can refer to a single IP address, an IP
-set ('+ipsetname') or an IP alias definition. You can also specify an address
-range like '20.34.101.207-201.3.9.99', or a list of IP addresses and networks
-(entries are separated by comma). Please do not mix IPv4 and IPv6 addresses
-inside such lists.
+Restrict packet source address. This can refer to a single IP address, an IP set ('+ipsetname') or an IP alias definition. You can also specify an address range like '20.34.101.207-201.3.9.99', or a list of IP addresses and networks (entries are separated by comma). Please do not mix IPv4 and IPv6 addresses inside such lists.
`--sport` `<string>` ::
-Restrict TCP/UDP source port. You can use service names or simple numbers
-(0-65535), as defined in '/etc/services'. Port ranges can be specified with
-'\d+:\d+', for example '80:85', and you can use comma separated list to match
-several ports or ranges.
+Restrict TCP/UDP source port. You can use service names or simple numbers (0-65535), as defined in '/etc/services'. Port ranges can be specified with '\d+:\d+', for example '80:85', and you can use comma separated list to match several ports or ranges.
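Review bot: The new `--icmp-type` text no longer says which values are accepted. The removed lines explained that you can use the names listed by 'ip[6]tables -p icmp[v6] -h' or a Type[/Code] value, with 'network-unreachable' corresponding to '3/0'. The replacement "Specify icmp-type. Only valid if proto equals 'icmp' or 'icmpv6'/'ipv6-icmp'." states only the protocol constraint. I suggest keeping the accepted-value description and appending the proto restriction to it, so someone writing a rule still knows what to pass. The other entries here (`--dest`, `--dport`, `--iface`, `--proto`, `--source`, `--sport`) only join the wrapped lines with identical wording, so this is the one semantic change and it is easy to miss among them. It would be worth calling out in the commit message.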