| NETSED(1) | NetSED | NETSED(1) | 
NAME
netsed - a network stream editor.
SYNOPSIS
netsed
  {proto} {lport} {rhost} {rport} {rule}
  [rule ...]
DESCRIPTION
ARGUMENTS
proto
Determines the protocol for the desired
  connection: "tcp", "TCP", "udp", or
  "UDP".
lport
The local listening port for the connection. A
  service name, or a numerical port value, is acceptable.
rhost
The remote host with whom the connection is
  desired. Resolvable host names and IPv4/IPv6 addresses are equally usable.
 
As a special case, assigning "0" to rhost substitutes the
  kernel's knowledge of the targeted host address, in a situation where a
  netfilter rule is redirecting traffic. This happens when running a transparent
  proxy service.
rport
The remote port to connect to. A service name,
  or a numerical port value, is acceptable.
 
Here, too, a value of "0" is acceptable to arrange a transparent
  proxy service, as the kernel's tracking will provide the intended remote port
  number.
rule
At least one replacement rule is mandatory.
  The general syntax for this is:

s/pat1/pat2[/num]

The effect is to replace the text that matches pat1 with the expansion of
  pat2. The optional parameter num is a numerical value limiting
  the maximal number of times the rule can be applied. One could say that the
  rule expires after num occurrences.

The rules are applied in succession to all passing packets, flowing in either
  direction. As soon as a rule has expired, it is removed from the
  collection of active rules for the current connection. Observe that any
  counter is started as the connection is initiated, running as long as the
  connection is alive.

This holds directly for TCP connections, whereas for UDP a connection is
  considered to consist of incoming data on a fixed address and fixed port
  together with any response from a remote server. When no datagrams have been
  transmitted for a period of 30 seconds, the UDP connection is seen as closed.

A single rule is limited to act on individual packets; a pattern cannot match
  across packet boundaries.

Using HTTP-like escape sequences for hexadecimal values, all eight-bit
  characters are viable in the patterns. Thus the standard character pair CRNL
  would code as "%0a%0d". In a pattern, the percentage sign itself
  must be escaped by duplication. Thus a string "%%" is interpreted in
  a pattern as a literal percentage sign.
EXAMPLES
A handful of replacement rules are handy as examples.
s/andrew/mike
Replace every occurrence of the string
  "andrew" with "mike", in every passing packet.
s/andrew/mike/1
Replace only the first occurrence of the
  string "andrew" with "mike" in each packet. Any repetition
  is unaltered, unless a further rule specifies some replacement.
s/andrew/mike%00%00
Replace in each packet every occurrence of the
  string "andrew" with "mike\x00\x00". The padding with two
  null bytes ensures an unaltered packet length, which might be essential at
  times.
s/%%/%2f/20
Replace the first twenty occurrences of the
  percentage character '%' with slashes '/'.
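
A small Python model of the rule semantics described above, added here as an illustration; it is not NetSED's own code. It assumes rules run one after another over each whole packet and that the num counter is kept per connection, as the rule description states; the names decode, Rule and Connection and the sample packets are constructed for the example.

```python
import string

def decode(pattern: str) -> bytes:
    """Expand %xx hex escapes; '%%' is a literal percent sign."""
    out, i = bytearray(), 0
    while i < len(pattern):
        if pattern[i] != "%":
            out += pattern[i].encode("latin-1")
            i += 1
        elif pattern[i + 1:i + 2] == "%":
            out += b"%"
            i += 2
        else:
            pair = pattern[i + 1:i + 3]
            if len(pair) != 2 or any(c not in string.hexdigits for c in pair):
                raise ValueError(f"bad escape in {pattern!r}")  # model's choice
            out.append(int(pair, 16))
            i += 3
    return bytes(out)

class Rule:
    def __init__(self, text: str):
        parts = text.split("/")
        if len(parts) not in (3, 4) or parts[0] != "s" or not parts[1]:
            raise ValueError(f"bad rule {text!r}")
        self.pat1, self.pat2 = decode(parts[1]), decode(parts[2])
        self.left = int(parts[3]) if len(parts) == 4 else None  # None: no expiry

class Connection:
    """Rule state for one connection; counters start when it is created."""
    def __init__(self, rules):
        self.rules = [Rule(r) for r in rules]

    def edit(self, packet: bytes) -> bytes:
        for rule in list(self.rules):
            hits = packet.count(rule.pat1)
            if rule.left is not None:
                hits = min(hits, rule.left)
                rule.left -= hits
                if rule.left == 0:
                    self.rules.remove(rule)  # expired for this connection
            packet = packet.replace(rule.pat1, rule.pat2, hits)
        return packet

if __name__ == "__main__":
    conn = Connection(["s/andrew/mike%00%00", "s/%%/%2f/3"])  # constructed input
    for pkt in (b"user andrew 5%", b"and", b"rew %%%"):
        print(pkt, "->", conn.edit(pkt))
```

Run directly, it shows the length-preserving null padding, the pattern split across two packets passing through unchanged, and the "%" rule expiring after its third replacement.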
AUTHOR
This text was initially compiled by Mats Erik Andersson as a Docbook source from the usage printout. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Public License, version 2, or of a later version.
COPYRIGHT
Copyright © 2010 Mats Erik Andersson
| June 19th, 2011 | NetSED 1.00b |