请参阅iptables man page以获得更好的理解和比较：

-p,–protocol [!] protocol

The protocol of the rule or of the packet to check. The specified@H_502_16@ protocol@H_502_16@ can be one of tcp,udp,icmp,or all, or it can be a numeric@H_502_16@ value,representing one of these protocols or a different one. A@H_502_16@ protocol name from /etc/protocols is also allowed. A “!” argument@H_502_16@ before the protocol inverts the test. The number zero is equivalent to@H_502_16@ all. Protocol all will match with all protocols and is taken as@H_502_16@ default when this option is omitted.

…

Match Extensions

iptables can use extended packet matching modules. These are loaded in@H_502_16@ two ways: implicitly,when -p or –protocol is specified,or with the@H_502_16@ -m or –match options,followed by the matching module name; after@H_502_16@ these,varIoUs extra command line options become available,depending@H_502_16@ on the specific module. You can specify multiple extended match@H_502_16@ modules in one line,and you can use the -h or –help options after@H_502_16@ the module has been specified to receive help specific to that module.

有关-p tcp的可用选项列表,请参见此处：

http://ipset.netfilter.org/iptables-extensions.man.html#lbCF

如上所述,通过使用-m选项,可以添加扩展模块,然后可以使用更多匹配选项.例如cpu module：

cpu

[!] –cpu number

Match cpu handling this packet. cpus are numbered from 0 to NR_cpuS-1 Can be used in combination with RPS (Remote Packet Steering)@H_502_16@ or multiqueue NICs to spread network traffic on different queues.

Example:

iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 0 -j@H_502_16@ REDIRECT --to-port 8080

iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 1 -j@H_502_16@ REDIRECT --to-port 8081

Available since Linux 2.6.36.

完整列表iptables-extensions.

OP的其他问题：我不明白-m匹配是什么.什么字符串？ -m tcp匹配什么？它试图找到“tcp”这个词在哪里？

答：-m用于匹配模块名称而不是字符串.通过使用特定模块,您可以获得某些匹配选项.请参阅上面的cpu模块示例.使用-m tcp加载模块tcp. tcp模块允许某些选项： – dport,–sport,– tcp-flags,– syn,– tcp-option在iptables规则中使用.但是使用-p tcp已经启用了tcp模块,这就是为什么即使不使用-m tcp也可以使用这些选项.希望它能清除你所有的困惑.