The following match options are available for the Internet Control Message Protocol (ICMP) (-picmp):•--icmp-type— Sets the name or number of the ICMP type to match with the rule. A list ofvalid ICMP names can be retrieved by typing theiptables -p icmp -hcommand.3.4.4. Additional Match Option ModulesAdditional match options are also available through modules loaded by theiptablescommand.To use a match option module, load the module by name using the-moption, such as-m(replacingwith the name of the module).A large number of modules are available by default. It is even possible to create modules thatprovide additional functionality.The following is a partial list of the most commonly used modules:•limitmodule — Places limits on how many packets are matched to a particular rule. This isespecially beneficial when used in conjunction with theLOGtarget as it can prevent a flood ofmatching packets from filling up the system log with repetitive messages or using up systemresources. Refer toSection 3.5, “Target Options”for more information about theLOGtarget.Thelimitmodule enables the following options:•--limit— Sets the number of matches for a particular range of time, specified with anumber and time modifier arranged in a/format. For example, using--limit 5/houronly lets a rule match5times in a single hour.If a number and time modifier are not used, the default value of3/houris assumed.•--limit-burst— Sets a limit on the number of packets able to match a rule at one time.This option should be used in conjunction with the--limitoption, and it accepts a numberto set the burst threshold.If no number is specified, only five packets are initially able to match the rule.•statemodule — Enables state matching.Thestatemodule enables the following options:•--state— match a packet with the following connection states:•ESTABLISHED— The matching packet is associated with other packets in an establishedconnection.•INVALID— The matching packet cannot be tied to a known connection.•NEW— The matching packet is either creating a new connection or is part of a two-wayiptablesMatch Options335
