AT-WR4500 Series - IEEE 802.11abgh Outdoor Wireless Routers

RouterOS v3 Configuration and User Guide

dst-limit(integer/time{0,1},integer,dst-address dst-port src-address{+},time{0,1}) - limits the packets-per-second (pps) rate on a per destination IP or per destination port basis. As opposed to the limit match, every destination IP address / destination port has its own limit. The options are as follows (in order of appearance):

count - maximum average packet rate, measured in packets per second (pps), unless followed by time option

time - specifies the time interval over which the packet rate is measured

burst - number of packets to match in a burst

mode - the classifier(-s) for packet rate limiting

expire - specifies the interval after which recorded IP addresses / ports will be deleted

dst-port(integer: 0..65535-integer: 0..65535{*}) - destination port number or range

fragment (yes no) - whether the packet is a fragment of an IP packet. Starting packet (i.e., first fragment) does not count. Note that if connection tracking is enabled, there will be no fragments, as the system automatically assembles every packet

hotspot (multiple choice: auth from-client http local-dst to-client) - matches packets received from clients against various HotSpot conditions. All values can be negated

auth - true, if a packet comes from an authenticated HotSpot client

from-client - true, if a packet comes from any HotSpot client

http - true, if a HotSpot client sends a packet to the address and port previously detected as his proxy server (Universal Proxy technique) or if the destination port is 80 and transparent proxying is enabled for that particular client

local-dst - true, if a packet has local destination IP address

to-client - true, if a packet is sent to a client

icmp-options(integer:integer) - matches ICMP Type:Code fields

in-bridge-port(name) - actual interface the packet has entered the router through (if bridged, this property matches the actual bridge port, while in-interface matches the bridge itself)

in-interface(name) - interface the packet has entered the router through (if the interface is bridged, then the packet will appear to come from the bridge interface itself)

ingress-priority(integer: 0..63) - INGRESS (received) priority of the packet, if set (0 otherwise). The priority may be derived from either VLAN or WMM priority

ipv4-options(any loose-source-routing no-record-route no-router-alert no-source-routing no-timestamp none record-route router-alert strict-source-routing timestamp) - match IPv4 header options

any - match packet with at least one of the ipv4 options

loose-source-routing - match packets with loose source routing option. This option is used to route the internet datagram based on information supplied by the source

no-record-route - match packets with no record route option. This option is used to route the internet datagram based on information supplied by the source

no-router-alert - match packets with no router alert option

no-source-routing - match packets with no source routing option

no-timestamp - match packets with no timestamp option

record-route - match packets with record route option

router-alert - match packets with router alert option

strict-source-routing - match packets with strict source routing option

timestamp - match packets with timestamp

jump-target(dstnat srcnat name) - name of the target chain to jump to, if the action=jump is used

layer7-protocol(name) - Layer 7 filter name as set in the /ip firewall layer7-protocol menu. Caution: this matcher needs high computational power

limit (integer/time{0,1},integer) - restricts packet match rate to a given limit. Useful to reduce the amount of log messages

count - maximum average packet rate, measured in packets per second (pps), unless followed by time option

time - specifies the time interval over which the packet rate is measured

burst - number of packets to match in a burst

log-prefix(text) - all messages written to logs will contain the prefix specified herein. Used in conjunction with action=log

nth (integer,integer: 0..15,integer{0,1}) - match a particular Nth packet received by the rule. One of 16 available counters can be used to count packets
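
The difference between the limit and dst-limit matchers described above, as an added example (not code from this guide or from RouterOS): a token-bucket model, which is an assumption about how count and burst interact. The class names, addresses, rates and traffic are constructed for illustration.

```python
# Added example: token-bucket model of `limit` vs `dst-limit` (an assumption,
# not RouterOS source). Addresses and traffic are constructed sample data.

class Bucket:
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), None
    def allow(self, now):
        if self.last is not None:  # refill for the time elapsed, capped at burst
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

class Limit:
    """`limit`: one budget shared by every packet that reaches the rule."""
    def __init__(self, count, burst, time=1.0):
        self.bucket = Bucket(count / time, burst)
    def match(self, now, pkt):
        return self.bucket.allow(now)

class DstLimit:
    """`dst-limit`: one budget per classifier key, deleted after `expire` idle seconds."""
    def __init__(self, count, burst, mode, expire, time=1.0):
        self.rate, self.burst = count / time, burst
        self.mode, self.expire, self.table = mode, expire, {}
    def match(self, now, pkt):
        self.table = {k: b for k, b in self.table.items() if now - b.last <= self.expire}
        key = tuple(pkt[field] for field in self.mode)
        return self.table.setdefault(key, Bucket(self.rate, self.burst)).allow(now)

def sample_traffic():
    """Constructed: 2 s of 64 pps to one host plus 4 packets to a second host."""
    noisy = [(i / 64, {"dst-address": "192.0.2.10", "dst-port": 80}) for i in range(128)]
    quiet = [(j / 2 + 1 / 128, {"dst-address": "192.0.2.20", "dst-port": 22}) for j in range(4)]
    return sorted(noisy + quiet, key=lambda p: p[0])

def matched_per_destination(matcher, packets):
    hits = {}
    for now, pkt in packets:
        if matcher.match(now, pkt):
            hits[pkt["dst-address"]] = hits.get(pkt["dst-address"], 0) + 1
    return hits

if __name__ == "__main__":
    for m in (Limit(4, 4), DstLimit(4, 4, ("dst-address",), 60)):
        print(type(m).__name__, matched_per_destination(m, sample_traffic()))
```

With the shared budget the busy destination consumes almost every match, so the quiet destination matches on only one of its four packets; with per-destination budgets it matches on all four while the busy destination is still capped.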

Allied Telesis AT-WR4500 manual