--espspi, AH/ESP match

--fragment, Generic matches

--gid-owner, Owner match

--hash-init, CLUSTERIP target

--hashlimit, Hashlimit match

--hashlimit-burst, Hashlimit match

--hashlimit-htable-expire, Hashlimit match

--hashlimit-htable-expire match, Hashlimit match

--hashlimit-htable-gcinterval, Hashlimit match

--hashlimit-htable-max, Hashlimit match

--hashlimit-htable-size, Hashlimit match

--hashlimit-mode, Hashlimit match

--hashlimit-name, Hashlimit match

--hashmode, CLUSTERIP target

--helper, Helper match

--hitcount, Recent match

--icmp-type, ICMP matches

--in-interface, Generic matches

--length, Length match

--limit, Limit match

--limit-burst, Limit match

--local-node, CLUSTERIP target

--log-ip-options, LOG target options

--log-level, LOG target options

--log-prefix, LOG target options

--log-tcp-options, LOG target options

--log-tcp-sequence, LOG target options

--mac-source, Mac match

--mark, Connmark match, Mark match

--mask, CONNMARK target

--match, Implicit matches

--mss, Tcpmss match

--name, Recent match

--new, CLUSTERIP target

--nodst, SAME target

--out-interface, Generic matches

--pid-owner, Owner match

--pkt-type, Packet type match

--pkt-type match, Packet type match

--port, Multiport match

--protocol, Generic matches

--queue-num, NFQUEUE target

--rcheck, Recent match

--rdest, Recent match

--realm, Realm match

--reject-with, REJECT target

--remove, Recent match

--restore, CONNSECMARK target

--restore-mark, CONNMARK target

--rsource, Recent match

--rttl, Recent match

--save, CONNSECMARK target

--save-mark, CONNMARK target

--seconds, Recent match

--selctx, SECMARK target

--set, Recent match

--set-class, CLASSIFY target

--set-dscp, DSCP target

--set-dscp-class, DSCP target

--set-mark, CONNMARK target, MARK target

--set-mss, TCPMSS target