Introduction to iptables connection states

Linux Packet Filtering and iptables
10.3. Explicit matches

Explicit matches are those that have to be specifically loaded with the -m or --match option. State matches, for example, demand the directive -m state prior to entering the actual match that you want to use. Some of these matches may be protocol specific. Others may be unconnected with any specific protocol, for example connection states. These might be

NEW (the first packet of an as yet unestablished connection),
ESTABLISHED (a connection that is already registered in the kernel),
RELATED (a new connection that was created by an older, established one) etc.

A few may have been developed purely for testing or experimental purposes, or just to illustrate what iptables is capable of. This in turn means that not all of these matches may at first sight be of any use. Nevertheless, it may well be that you personally will find a use for specific explicit matches. New ones also arrive all the time, with each new iptables release. Whether you find a use for them or not depends on your imagination and your needs. The difference between implicitly loaded matches and explicitly loaded ones is that implicitly loaded matches are loaded automatically when, for example, you match on the properties of TCP packets, while explicitly loaded matches are never loaded automatically: it is up to you to discover and activate explicit matches.
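The following lint is an added example, not part of the original tutorial; the function names and the sample rules are constructed for illustration. It flags any rule that uses --state before the explicit match has been loaded with -m state or --match state on that rule, while -p tcp --dport passes without -m tcp because the TCP match is loaded implicitly.

```shell
#!/bin/sh
# Constructed sample rules in iptables-save style (not from the original page).
# Rule 4 is deliberately wrong: --state is used without loading the state match.
# Rules 2-4 use --dport with only "-p tcp": the TCP match is loaded implicitly.
sample_rules() {
cat <<'EOF'
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 80 --match state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 --state NEW -j ACCEPT
-A INPUT -j DROP
EOF
}

# check_state_rules (hypothetical helper): reads one rule per line on stdin and
# prints the line number of each rule where --state appears before
# "-m state" / "--match state" on the same rule.
# Exit status: 0 if every rule is fine, 1 if at least one rule was flagged.
check_state_rules() {
    awk '
    {
        loaded = 0
        for (i = 1; i <= NF; i++) {
            # The explicit match must be named before its options are used.
            if (($i == "-m" || $i == "--match") && $(i + 1) == "state")
                loaded = 1
            if ($i == "--state" && !loaded) {
                print NR
                bad = 1
                break
            }
        }
    }
    END { exit (bad ? 1 : 0) }'
}

# Stand-alone run: prints 4, the only rule missing the explicit load.
sample_rules | check_state_rules || true
```
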

LinuxTopia iptables matches
