• Rule
• Matchers
• tcp, udp, icmp, icmpv6
• sport, dport
• saddr, daddr
• mac_saddr, mac_daddr
• iifname, oifname
• ipv4, ipv6
• multicast, broadcast
• protocol
• sipsec, dipsec
• uid, gid
• mark_match
• mark_set
• priority_match
• priority_set
• ct_status
• cgroup
• time
• Statements
• accept, drop, reject
• continue
• return
• masquerade, snat to, dnat to
• queue
• Logging
• counter
• log
• log_level
• Rate limit
• global_rate
• saddr_rate, daddr_rate
• saddr_rate_mask, daddr_rate_mask
• saddr_rate_name, daddr_rate_name
• saddr_daddr_rate, saddr_daddr_rate_mask, saddr_daddr_rate_name
• Other
• template
• szone, dzone, new_szone, new_dzone
• helper
• mss
• conntrack, -conntrack
• nft