1menu "Core Netfilter Configuration"
2	depends on NET && INET && NETFILTER
3
4config NETFILTER_INGRESS
5	bool "Netfilter ingress support"
6	default y
7	select NET_INGRESS
8	help
9	  This allows you to classify packets from ingress using the Netfilter
10	  infrastructure.
11
12config NETFILTER_NETLINK
13	tristate
14
15config NETFILTER_NETLINK_ACCT
16	tristate "Netfilter NFACCT over NFNETLINK interface"
17	depends on NETFILTER_ADVANCED
18	select NETFILTER_NETLINK
19	help
20	  If this option is enabled, the kernel will include support
21	  for extended accounting via NFNETLINK.
22
23config NETFILTER_NETLINK_QUEUE
24	tristate "Netfilter NFQUEUE over NFNETLINK interface"
25	depends on NETFILTER_ADVANCED
26	select NETFILTER_NETLINK
27	help
28	  If this option is enabled, the kernel will include support
29	  for queueing packets via NFNETLINK.
30
31config NETFILTER_NETLINK_LOG
32	tristate "Netfilter LOG over NFNETLINK interface"
33	default m if NETFILTER_ADVANCED=n
34	select NETFILTER_NETLINK
35	help
36	  If this option is enabled, the kernel will include support
37	  for logging packets via NFNETLINK.
38
39	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
40	  and is also scheduled to replace the old syslog-based ipt_LOG
41	  and ip6t_LOG modules.
42
43config NF_CONNTRACK
44	tristate "Netfilter connection tracking support"
45	default m if NETFILTER_ADVANCED=n
46	help
47	  Connection tracking keeps a record of what packets have passed
48	  through your machine, in order to figure out how they are related
49	  into connections.
50
51	  This is required to do Masquerading or other kinds of Network
52	  Address Translation.  It can also be used to enhance packet
53	  filtering (see `Connection state match support' below).
54
55	  To compile it as a module, choose M here.  If unsure, say N.
56
57config NF_LOG_COMMON
58	tristate
59
60if NF_CONNTRACK
61
62config NF_CONNTRACK_MARK
63	bool  'Connection mark tracking support'
64	depends on NETFILTER_ADVANCED
65	help
66	  This option enables support for connection marks, used by the
67	  `CONNMARK' target and `connmark' match. Similar to the mark value
68	  of packets, but this mark value is kept in the conntrack session
69	  instead of the individual packets.
70
71config NF_CONNTRACK_SECMARK
72	bool  'Connection tracking security mark support'
73	depends on NETWORK_SECMARK
74	default m if NETFILTER_ADVANCED=n
75	help
76	  This option enables security markings to be applied to
77	  connections.  Typically they are copied to connections from
78	  packets using the CONNSECMARK target and copied back from
79	  connections to packets with the same target, with the packets
80	  being originally labeled via SECMARK.
81
82	  If unsure, say 'N'.
83
84config NF_CONNTRACK_ZONES
85	bool  'Connection tracking zones'
86	depends on NETFILTER_ADVANCED
87	depends on NETFILTER_XT_TARGET_CT
88	help
89	  This option enables support for connection tracking zones.
90	  Normally, each connection needs to have a unique system wide
91	  identity. Connection tracking zones allow multiple connections
92	  to share the same identity, as long as they are
93	  contained in different zones.
94
95	  If unsure, say `N'.
96
97config NF_CONNTRACK_PROCFS
98	bool "Supply CT list in procfs (OBSOLETE)"
99	default y
100	depends on PROC_FS
101	---help---
102	This option enables for the list of known conntrack entries
103	to be shown in procfs under net/netfilter/nf_conntrack. This
104	is considered obsolete in favor of using the conntrack(8)
105	tool which uses Netlink.
106
107config NF_CONNTRACK_EVENTS
108	bool "Connection tracking events"
109	depends on NETFILTER_ADVANCED
110	help
111	  If this option is enabled, the connection tracking code will
112	  provide a notifier chain that can be used by other kernel code
113	  to get notified about changes in the connection tracking state.
114
115	  If unsure, say `N'.
116
117config NF_CONNTRACK_TIMEOUT
118	bool  'Connection tracking timeout'
119	depends on NETFILTER_ADVANCED
120	help
121	  This option enables support for connection tracking timeout
122	  extension. This allows you to attach timeout policies to flows
123	  via the CT target.
124
125	  If unsure, say `N'.
126
127config NF_CONNTRACK_TIMESTAMP
128	bool  'Connection tracking timestamping'
129	depends on NETFILTER_ADVANCED
130	help
131	  This option enables support for connection tracking timestamping.
132	  This allows you to store the flow start-time and to obtain
133	  the flow-stop time (once it has been destroyed) via Connection
134	  tracking events.
135
136	  If unsure, say `N'.
137
138config NF_CONNTRACK_LABELS
139	bool
140	help
141	  This option enables support for assigning user-defined flag bits
142	  to connection tracking entries.  It is selected by the connlabel match.
143
144config NF_CT_PROTO_DCCP
145	tristate 'DCCP protocol connection tracking support'
146	depends on NETFILTER_ADVANCED
147	default IP_DCCP
148	help
149	  With this option enabled, the layer 3 independent connection
150	  tracking code will be able to do state tracking on DCCP connections.
151
152	  If unsure, say 'N'.
153
154config NF_CT_PROTO_GRE
155	tristate
156
157config NF_CT_PROTO_SCTP
158	tristate 'SCTP protocol connection tracking support'
159	depends on NETFILTER_ADVANCED
160	default IP_SCTP
161	help
162	  With this option enabled, the layer 3 independent connection
163	  tracking code will be able to do state tracking on SCTP connections.
164
165	  If you want to compile it as a module, say M here and read
166	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
167
168config NF_CT_PROTO_UDPLITE
169	tristate 'UDP-Lite protocol connection tracking support'
170	depends on NETFILTER_ADVANCED
171	help
172	  With this option enabled, the layer 3 independent connection
173	  tracking code will be able to do state tracking on UDP-Lite
174	  connections.
175
176	  To compile it as a module, choose M here.  If unsure, say N.
177
178config NF_CONNTRACK_AMANDA
179	tristate "Amanda backup protocol support"
180	depends on NETFILTER_ADVANCED
181	select TEXTSEARCH
182	select TEXTSEARCH_KMP
183	help
184	  If you are running the Amanda backup package <http://www.amanda.org/>
185	  on this machine or machines that will be MASQUERADED through this
186	  machine, then you may want to enable this feature.  This allows the
187	  connection tracking and natting code to allow the sub-channels that
188	  Amanda requires for communication of the backup data, messages and
189	  index.
190
191	  To compile it as a module, choose M here.  If unsure, say N.
192
193config NF_CONNTRACK_FTP
194	tristate "FTP protocol support"
195	default m if NETFILTER_ADVANCED=n
196	help
197	  Tracking FTP connections is problematic: special helpers are
198	  required for tracking them, and doing masquerading and other forms
199	  of Network Address Translation on them.
200
201	  This is FTP support on Layer 3 independent connection tracking.
202	  Layer 3 independent connection tracking is an experimental scheme
203	  which generalizes ip_conntrack to support other layer 3 protocols.
204
205	  To compile it as a module, choose M here.  If unsure, say N.
206
207config NF_CONNTRACK_H323
208	tristate "H.323 protocol support"
209	depends on IPV6 || IPV6=n
210	depends on NETFILTER_ADVANCED
211	help
212	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
213	  important VoIP protocols, it is widely used by voice hardware and
214	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
215	  Gnomemeeting, etc.
216
217	  With this module you can support H.323 on a connection tracking/NAT
218	  firewall.
219
220	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
221	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
222	  whiteboard, file transfer, etc. For more information, please
223	  visit http://nath323.sourceforge.net/.
224
225	  To compile it as a module, choose M here.  If unsure, say N.
226
227config NF_CONNTRACK_IRC
228	tristate "IRC protocol support"
229	default m if NETFILTER_ADVANCED=n
230	help
231	  There is a commonly-used extension to IRC called
232	  Direct Client-to-Client Protocol (DCC).  This enables users to send
233	  files to each other, and also chat to each other without the need
234	  of a server.  DCC Sending is used anywhere you send files over IRC,
235	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
236	  using NAT, this extension will enable you to send files and initiate
237	  chats.  Note that you do NOT need this extension to get files or
238	  have others initiate chats, or everything else in IRC.
239
240	  To compile it as a module, choose M here.  If unsure, say N.
241
242config NF_CONNTRACK_BROADCAST
243	tristate
244
245config NF_CONNTRACK_NETBIOS_NS
246	tristate "NetBIOS name service protocol support"
247	select NF_CONNTRACK_BROADCAST
248	help
249	  NetBIOS name service requests are sent as broadcast messages from an
250	  unprivileged port and responded to with unicast messages to the
251	  same port. This makes them hard to firewall properly because connection
252	  tracking doesn't deal with broadcasts. This helper tracks locally
253	  originating NetBIOS name service requests and the corresponding
254	  responses. It relies on correct IP address configuration, specifically
255	  netmask and broadcast address. When properly configured, the output
256	  of "ip address show" should look similar to this:
257
258	  $ ip -4 address show eth0
259	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
260	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
261
262	  To compile it as a module, choose M here.  If unsure, say N.
263
264config NF_CONNTRACK_SNMP
265	tristate "SNMP service protocol support"
266	depends on NETFILTER_ADVANCED
267	select NF_CONNTRACK_BROADCAST
268	help
269	  SNMP service requests are sent as broadcast messages from an
270	  unprivileged port and responded to with unicast messages to the
271	  same port. This makes them hard to firewall properly because connection
272	  tracking doesn't deal with broadcasts. This helper tracks locally
273	  originating SNMP service requests and the corresponding
274	  responses. It relies on correct IP address configuration, specifically
275	  netmask and broadcast address.
276
277	  To compile it as a module, choose M here.  If unsure, say N.
278
279config NF_CONNTRACK_PPTP
280	tristate "PPtP protocol support"
281	depends on NETFILTER_ADVANCED
282	select NF_CT_PROTO_GRE
283	help
284	  This module adds support for PPTP (Point to Point Tunnelling
285	  Protocol, RFC2637) connection tracking and NAT.
286
287	  If you are running PPTP sessions over a stateful firewall or NAT
288	  box, you may want to enable this feature.
289
290	  Please note that not all PPTP modes of operation are supported yet.
291	  Specifically these limitations exist:
292	    - Blindly assumes that control connections are always established
293	      in PNS->PAC direction. This is a violation of RFC2637.
294	    - Only supports a single call within each session
295
296	  To compile it as a module, choose M here.  If unsure, say N.
297
298config NF_CONNTRACK_SANE
299	tristate "SANE protocol support"
300	depends on NETFILTER_ADVANCED
301	help
302	  SANE is a protocol for remote access to scanners as implemented
303	  by the 'saned' daemon. Like FTP, it uses separate control and
304	  data connections.
305
306	  With this module you can support SANE on a connection tracking
307	  firewall.
308
309	  To compile it as a module, choose M here.  If unsure, say N.
310
311config NF_CONNTRACK_SIP
312	tristate "SIP protocol support"
313	default m if NETFILTER_ADVANCED=n
314	help
315	  SIP is an application-layer control protocol that can establish,
316	  modify, and terminate multimedia sessions (conferences) such as
317	  Internet telephony calls. With the ip_conntrack_sip and
318	  the nf_nat_sip modules you can support the protocol on a connection
319	  tracking/NATing firewall.
320
321	  To compile it as a module, choose M here.  If unsure, say N.
322
323config NF_CONNTRACK_TFTP
324	tristate "TFTP protocol support"
325	depends on NETFILTER_ADVANCED
326	help
327	  TFTP connection tracking helper, this is required depending
328	  on how restrictive your ruleset is.
329	  If you are using a tftp client behind -j SNAT or -j MASQUERADE
330	  you will need this.
331
332	  To compile it as a module, choose M here.  If unsure, say N.
333
334config NF_CT_NETLINK
335	tristate 'Connection tracking netlink interface'
336	select NETFILTER_NETLINK
337	default m if NETFILTER_ADVANCED=n
338	help
339	  This option enables support for a netlink-based userspace interface.
340
341config NF_CT_NETLINK_TIMEOUT
342	tristate  'Connection tracking timeout tuning via Netlink'
343	select NETFILTER_NETLINK
344	depends on NETFILTER_ADVANCED
345	help
346	  This option enables support for connection tracking timeout
347	  fine-grain tuning. This allows you to attach specific timeout
348	  policies to flows, instead of using the global timeout policy.
349
350	  If unsure, say `N'.
351
352config NF_CT_NETLINK_HELPER
353	tristate 'Connection tracking helpers in user-space via Netlink'
354	select NETFILTER_NETLINK
355	depends on NF_CT_NETLINK
356	depends on NETFILTER_NETLINK_QUEUE
357	depends on NETFILTER_NETLINK_GLUE_CT
358	depends on NETFILTER_ADVANCED
359	help
360	  This option enables the user-space connection tracking helpers
361	  infrastructure.
362
363	  If unsure, say `N'.
364
365config NETFILTER_NETLINK_GLUE_CT
366	bool "NFQUEUE and NFLOG integration with Connection Tracking"
367	default n
368	depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
369	help
370	  If this option is enabled, NFQUEUE and NFLOG can include
371	  Connection Tracking information together with the packet that
372	  is enqueued via NFNETLINK.
373
374config NF_NAT
375	tristate
376
377config NF_NAT_NEEDED
378	bool
379	depends on NF_NAT
380	default y
381
382config NF_NAT_PROTO_DCCP
383	tristate
384	depends on NF_NAT && NF_CT_PROTO_DCCP
385	default NF_NAT && NF_CT_PROTO_DCCP
386
387config NF_NAT_PROTO_UDPLITE
388	tristate
389	depends on NF_NAT && NF_CT_PROTO_UDPLITE
390	default NF_NAT && NF_CT_PROTO_UDPLITE
391
392config NF_NAT_PROTO_SCTP
393	tristate
394	default NF_NAT && NF_CT_PROTO_SCTP
395	depends on NF_NAT && NF_CT_PROTO_SCTP
396	select LIBCRC32C
397
398config NF_NAT_AMANDA
399	tristate
400	depends on NF_CONNTRACK && NF_NAT
401	default NF_NAT && NF_CONNTRACK_AMANDA
402
403config NF_NAT_FTP
404	tristate
405	depends on NF_CONNTRACK && NF_NAT
406	default NF_NAT && NF_CONNTRACK_FTP
407
408config NF_NAT_IRC
409	tristate
410	depends on NF_CONNTRACK && NF_NAT
411	default NF_NAT && NF_CONNTRACK_IRC
412
413config NF_NAT_SIP
414	tristate
415	depends on NF_CONNTRACK && NF_NAT
416	default NF_NAT && NF_CONNTRACK_SIP
417
418config NF_NAT_TFTP
419	tristate
420	depends on NF_CONNTRACK && NF_NAT
421	default NF_NAT && NF_CONNTRACK_TFTP
422
423config NF_NAT_REDIRECT
424	tristate "IPv4/IPv6 redirect support"
425	depends on NF_NAT
426	help
427	  This is the kernel functionality to redirect packets to the local
428	  machine through NAT.
429
430config NETFILTER_SYNPROXY
431	tristate
432
433endif # NF_CONNTRACK
434
435config NF_TABLES
436	select NETFILTER_NETLINK
437	tristate "Netfilter nf_tables support"
438	help
439	  nftables is the new packet classification framework that intends to
440	  replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
441	  provides a pseudo-state machine with an extensible instruction-set
442	  (also known as expressions) that the userspace 'nft' utility
443	  (http://www.netfilter.org/projects/nftables) uses to build the
444	  rule-set. It also comes with the generic set infrastructure that
445	  allows you to construct mappings between matchings and actions
446	  for performance lookups.
447
448	  To compile it as a module, choose M here.
449
450if NF_TABLES
451
452config NF_TABLES_INET
453	depends on IPV6
454	select NF_TABLES_IPV4
455	select NF_TABLES_IPV6
456	tristate "Netfilter nf_tables mixed IPv4/IPv6 tables support"
457	help
458	  This option enables support for a mixed IPv4/IPv6 "inet" table.
459
460config NF_TABLES_NETDEV
461	tristate "Netfilter nf_tables netdev tables support"
462	help
463	  This option enables support for the "netdev" table.
464
465config NFT_EXTHDR
466	tristate "Netfilter nf_tables IPv6 exthdr module"
467	help
468	  This option adds the "exthdr" expression that you can use to match
469	  IPv6 extension headers.
470
471config NFT_META
472	tristate "Netfilter nf_tables meta module"
473	help
474	  This option adds the "meta" expression that you can use to match and
475	  to set packet metainformation such as the packet mark.
476
477config NFT_CT
478	depends on NF_CONNTRACK
479	tristate "Netfilter nf_tables conntrack module"
480	help
481	  This option adds the "ct" expression that you can use to match
482	  connection tracking information such as the flow state.
483
484config NFT_RBTREE
485	tristate "Netfilter nf_tables rbtree set module"
486	help
487	  This option adds the "rbtree" set type (Red Black tree) that is used
488	  to build interval-based sets.
489
490config NFT_HASH
491	tristate "Netfilter nf_tables hash set module"
492	help
493	  This option adds the "hash" set type that is used to build one-way
494	  mappings between matchings and actions.
495
496config NFT_COUNTER
497	tristate "Netfilter nf_tables counter module"
498	help
499	  This option adds the "counter" expression that you can use to
500	  include packet and byte counters in a rule.
501
502config NFT_LOG
503	tristate "Netfilter nf_tables log module"
504	help
505	  This option adds the "log" expression that you can use to log
506	  packets matching some criteria.
507
508config NFT_LIMIT
509	tristate "Netfilter nf_tables limit module"
510	help
511	  This option adds the "limit" expression that you can use to
512	  ratelimit rule matchings.
513
514config NFT_MASQ
515	depends on NF_CONNTRACK
516	depends on NF_NAT
517	tristate "Netfilter nf_tables masquerade support"
518	help
519	  This option adds the "masquerade" expression that you can use
520	  to perform NAT in the masquerade flavour.
521
522config NFT_REDIR
523	depends on NF_CONNTRACK
524	depends on NF_NAT
525	tristate "Netfilter nf_tables redirect support"
526	help
527	  This option adds the "redirect" expression that you can use
528	  to perform NAT in the redirect flavour.
529
530config NFT_NAT
531	depends on NF_CONNTRACK
532	select NF_NAT
533	tristate "Netfilter nf_tables nat module"
534	help
535	  This option adds the "nat" expression that you can use to perform
536	  typical Network Address Translation (NAT) packet transformations.
537
538config NFT_QUEUE
539	depends on NETFILTER_NETLINK_QUEUE
540	tristate "Netfilter nf_tables queue module"
541	help
542	  This is required if you intend to use the userspace queueing
543	  infrastructure (also known as NFQUEUE) from nftables.
544
545config NFT_REJECT
546	default m if NETFILTER_ADVANCED=n
547	tristate "Netfilter nf_tables reject support"
548	help
549	  This option adds the "reject" expression that you can use to
550	  explicitly deny and notify via TCP reset/ICMP informational errors
551	  unallowed traffic.
552
553config NFT_REJECT_INET
554	depends on NF_TABLES_INET
555	default NFT_REJECT
556	tristate
557
558config NFT_COMPAT
559	depends on NETFILTER_XTABLES
560	tristate "Netfilter x_tables over nf_tables module"
561	help
562	  This is required if you intend to use any of existing
563	  x_tables match/target extensions over the nf_tables
564	  framework.
565
566if NF_TABLES_NETDEV
567
568config NF_DUP_NETDEV
569	tristate "Netfilter packet duplication support"
570	help
571	  This option enables the generic packet duplication infrastructure
572	  for Netfilter.
573
574config NFT_DUP_NETDEV
575	tristate "Netfilter nf_tables netdev packet duplication support"
576	select NF_DUP_NETDEV
577	help
578	  This option enables packet duplication for the "netdev" family.
579
580config NFT_FWD_NETDEV
581	tristate "Netfilter nf_tables netdev packet forwarding support"
582	select NF_DUP_NETDEV
583	help
584	  This option enables packet forwarding for the "netdev" family.
585
586endif # NF_TABLES_NETDEV
587
588endif # NF_TABLES
589
590config NETFILTER_XTABLES
591	tristate "Netfilter Xtables support (required for ip_tables)"
592	default m if NETFILTER_ADVANCED=n
593	help
594	  This is required if you intend to use any of ip_tables,
595	  ip6_tables or arp_tables.
596
597if NETFILTER_XTABLES
598
599comment "Xtables combined modules"
600
601config NETFILTER_XT_MARK
602	tristate 'nfmark target and match support'
603	default m if NETFILTER_ADVANCED=n
604	---help---
605	This option adds the "MARK" target and "mark" match.
606
607	Netfilter mark matching allows you to match packets based on the
608	"nfmark" value in the packet.
609	The target allows you to create rules in the "mangle" table which alter
610	the netfilter mark (nfmark) field associated with the packet.
611
612	Prior to routing, the nfmark can influence the routing method (see
613	"Use netfilter MARK value as routing key") and can also be used by
614	other subsystems to change their behavior.
615
616config NETFILTER_XT_CONNMARK
617	tristate 'ctmark target and match support'
618	depends on NF_CONNTRACK
619	depends on NETFILTER_ADVANCED
620	select NF_CONNTRACK_MARK
621	---help---
622	This option adds the "CONNMARK" target and "connmark" match.
623
624	Netfilter allows you to store a mark value per connection (a.k.a.
625	ctmark), similarly to the packet mark (nfmark). Using this
626	target and match, you can set and match on this mark.
627
628config NETFILTER_XT_SET
629	tristate 'set target and match support'
630	depends on IP_SET
631	depends on NETFILTER_ADVANCED
632	help
633	  This option adds the "SET" target and "set" match.
634
635	  Using this target and match, you can add/delete and match
636	  elements in the sets created by ipset(8).
637
638	  To compile it as a module, choose M here.  If unsure, say N.
639
640# alphabetically ordered list of targets
641
642comment "Xtables targets"
643
644config NETFILTER_XT_TARGET_AUDIT
645	tristate "AUDIT target support"
646	depends on AUDIT
647	depends on NETFILTER_ADVANCED
648	---help---
649	  This option adds an 'AUDIT' target, which can be used to create
650	  audit records for packets dropped/accepted.
651
652	  To compile it as a module, choose M here. If unsure, say N.
653
654config NETFILTER_XT_TARGET_CHECKSUM
655	tristate "CHECKSUM target support"
656	depends on IP_NF_MANGLE || IP6_NF_MANGLE
657	depends on NETFILTER_ADVANCED
658	---help---
659	  This option adds a `CHECKSUM' target, which can be used in the iptables mangle
660	  table.
661
662	  You can use this target to compute and fill in the checksum in
663	  a packet that lacks a checksum.  This is particularly useful,
664	  if you need to work around old applications such as dhcp clients,
665	  that do not work well with checksum offloads, but don't want to disable
666	  checksum offload in your device.
667
668	  To compile it as a module, choose M here.  If unsure, say N.
669
670config NETFILTER_XT_TARGET_CLASSIFY
671	tristate '"CLASSIFY" target support'
672	depends on NETFILTER_ADVANCED
673	help
674	  This option adds a `CLASSIFY' target, which enables the user to set
675	  the priority of a packet. Some qdiscs can use this value for
676	  classification, among these are:
677
678	  atm, cbq, dsmark, pfifo_fast, htb, prio
679
680	  To compile it as a module, choose M here.  If unsure, say N.
681
682config NETFILTER_XT_TARGET_CONNMARK
683	tristate  '"CONNMARK" target support'
684	depends on NF_CONNTRACK
685	depends on NETFILTER_ADVANCED
686	select NETFILTER_XT_CONNMARK
687	---help---
688	This is a backwards-compat option for the user's convenience
689	(e.g. when running oldconfig). It selects
690	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
691
692config NETFILTER_XT_TARGET_CONNSECMARK
693	tristate '"CONNSECMARK" target support'
694	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
695	default m if NETFILTER_ADVANCED=n
696	help
697	  The CONNSECMARK target copies security markings from packets
698	  to connections, and restores security markings from connections
699	  to packets (if the packets are not already marked).  This would
700	  normally be used in conjunction with the SECMARK target.
701
702	  To compile it as a module, choose M here.  If unsure, say N.
703
704config NETFILTER_XT_TARGET_CT
705	tristate '"CT" target support'
706	depends on NF_CONNTRACK
707	depends on IP_NF_RAW || IP6_NF_RAW
708	depends on NETFILTER_ADVANCED
709	help
710	  This option adds a `CT' target, which allows you to specify initial
711	  connection tracking parameters like events to be delivered and
712	  the helper to be used.
713
714	  To compile it as a module, choose M here.  If unsure, say N.
715
716config NETFILTER_XT_TARGET_DSCP
717	tristate '"DSCP" and "TOS" target support'
718	depends on IP_NF_MANGLE || IP6_NF_MANGLE
719	depends on NETFILTER_ADVANCED
720	help
721	  This option adds a `DSCP' target, which allows you to manipulate
722	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
723
724	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
725
726	  It also adds the "TOS" target, which allows you to create rules in
727	  the "mangle" table which alter the Type Of Service field of an IPv4
728	  or the Priority field of an IPv6 packet, prior to routing.
729
730	  To compile it as a module, choose M here.  If unsure, say N.
731
732config NETFILTER_XT_TARGET_HL
733	tristate '"HL" hoplimit target support'
734	depends on IP_NF_MANGLE || IP6_NF_MANGLE
735	depends on NETFILTER_ADVANCED
736	---help---
737	This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
738	targets, which enable the user to change the
739	hoplimit/time-to-live value of the IP header.
740
741	While it is safe to decrement the hoplimit/TTL value, the
742	modules also allow you to increment and set the hoplimit value of
743	the header to arbitrary values. This is EXTREMELY DANGEROUS
744	since you can easily create immortal packets that loop
745	forever on the network.
746
747config NETFILTER_XT_TARGET_HMARK
748	tristate '"HMARK" target support'
749	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
750	depends on NETFILTER_ADVANCED
751	---help---
752	This option adds the "HMARK" target.
753
754	The target allows you to create rules in the "raw" and "mangle" tables
755	which set the skbuff mark by means of hash calculation within a given
756	range. The nfmark can influence the routing method (see "Use netfilter
757	MARK value as routing key") and can also be used by other subsystems to
758	change their behaviour.
759
760	To compile it as a module, choose M here. If unsure, say N.
761
762config NETFILTER_XT_TARGET_IDLETIMER
763	tristate  "IDLETIMER target support"
764	depends on NETFILTER_ADVANCED
765	help
766
767	  This option adds the `IDLETIMER' target.  Each matching packet
768	  resets the timer associated with label specified when the rule is
769	  added.  When the timer expires, it triggers a sysfs notification.
770	  The remaining time for expiration can be read via sysfs.
771
772	  To compile it as a module, choose M here.  If unsure, say N.
773
774config NETFILTER_XT_TARGET_LED
775	tristate '"LED" target support'
776	depends on LEDS_CLASS && LEDS_TRIGGERS
777	depends on NETFILTER_ADVANCED
778	help
779	  This option adds a `LED' target, which allows you to blink LEDs in
780	  response to particular packets passing through your machine.
781
782	  This can be used to turn a spare LED into a network activity LED,
783	  which only flashes in response to FTP transfers, for example.  Or
784	  you could have an LED which lights up for a minute or two every time
785	  somebody connects to your machine via SSH.
786
787	  You will need support for the "led" class to make this work.
788
789	  To create an LED trigger for incoming SSH traffic:
790	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
791
792	  Then attach the new trigger to an LED on your system:
793	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
794
795	  For more information on the LEDs available on your system, see
796	  Documentation/leds/leds-class.txt
797
798config NETFILTER_XT_TARGET_LOG
799	tristate "LOG target support"
800	select NF_LOG_COMMON
801	select NF_LOG_IPV4
802	select NF_LOG_IPV6 if IPV6
803	default m if NETFILTER_ADVANCED=n
804	help
805	  This option adds a `LOG' target, which allows you to create rules in
806	  any iptables table which records the packet header to the syslog.
807
808	  To compile it as a module, choose M here.  If unsure, say N.
809
810config NETFILTER_XT_TARGET_MARK
811	tristate '"MARK" target support'
812	depends on NETFILTER_ADVANCED
813	select NETFILTER_XT_MARK
814	---help---
815	This is a backwards-compat option for the user's convenience
816	(e.g. when running oldconfig). It selects
817	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
818
819config NETFILTER_XT_NAT
820	tristate '"SNAT and DNAT" targets support'
821	depends on NF_NAT
822	---help---
823	This option enables the SNAT and DNAT targets.
824
825	To compile it as a module, choose M here. If unsure, say N.
826
827config NETFILTER_XT_TARGET_NETMAP
828	tristate '"NETMAP" target support'
829	depends on NF_NAT
830	---help---
831	NETMAP is an implementation of static 1:1 NAT mapping of network
832	addresses. It maps the network address part, while keeping the host
833	address part intact.
834
835	To compile it as a module, choose M here. If unsure, say N.
836
837config NETFILTER_XT_TARGET_NFLOG
838	tristate '"NFLOG" target support'
839	default m if NETFILTER_ADVANCED=n
840	select NETFILTER_NETLINK_LOG
841	help
842	  This option enables the NFLOG target, which allows you to log
843	  messages through nfnetlink_log.
844
845	  To compile it as a module, choose M here.  If unsure, say N.
846
847config NETFILTER_XT_TARGET_NFQUEUE
848	tristate '"NFQUEUE" target Support'
849	depends on NETFILTER_ADVANCED
850	select NETFILTER_NETLINK_QUEUE
851	help
852	  This target replaced the old obsolete QUEUE target.
853
854	  As opposed to QUEUE, it supports 65535 different queues,
855	  not just one.
856
857	  To compile it as a module, choose M here.  If unsure, say N.
858
859config NETFILTER_XT_TARGET_NOTRACK
860	tristate  '"NOTRACK" target support (DEPRECATED)'
861	depends on NF_CONNTRACK
862	depends on IP_NF_RAW || IP6_NF_RAW
863	depends on NETFILTER_ADVANCED
864	select NETFILTER_XT_TARGET_CT
865
866config NETFILTER_XT_TARGET_RATEEST
867	tristate '"RATEEST" target support'
868	depends on NETFILTER_ADVANCED
869	help
870	  This option adds a `RATEEST' target, which allows you to measure
871	  rates similar to TC estimators. The `rateest' match can be
872	  used to match on the measured rates.
873
874	  To compile it as a module, choose M here.  If unsure, say N.
875
876config NETFILTER_XT_TARGET_REDIRECT
877	tristate "REDIRECT target support"
878	depends on NF_NAT
879	select NF_NAT_REDIRECT
880	---help---
881	REDIRECT is a special case of NAT: all incoming connections are
882	mapped onto the incoming interface's address, causing the packets to
883	come to the local machine instead of passing through. This is
884	useful for transparent proxies.
885
886	To compile it as a module, choose M here. If unsure, say N.
887
888config NETFILTER_XT_TARGET_TEE
889	tristate '"TEE" - packet cloning to alternate destination'
890	depends on NETFILTER_ADVANCED
891	depends on IPV6 || IPV6=n
892	depends on !NF_CONNTRACK || NF_CONNTRACK
893	select NF_DUP_IPV4
894	select NF_DUP_IPV6 if IPV6
895	---help---
896	This option adds a "TEE" target with which a packet can be cloned and
897	the clone rerouted to another nexthop.
898
899config NETFILTER_XT_TARGET_TPROXY
900	tristate '"TPROXY" target transparent proxying support'
901	depends on NETFILTER_XTABLES
902	depends on NETFILTER_ADVANCED
903	depends on IPV6 || IPV6=n
904	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
905	depends on IP_NF_MANGLE
906	select NF_DEFRAG_IPV4
907	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
908	help
909	  This option adds a `TPROXY' target, which is somewhat similar to
910	  REDIRECT.  It can only be used in the mangle table and is useful
911	  to redirect traffic to a transparent proxy.  It does _not_ depend
912	  on Netfilter connection tracking and NAT, unlike REDIRECT.
913	  For it to work you will have to configure certain iptables rules
914	  and use policy routing. For more information on how to set it up
915	  see Documentation/networking/tproxy.txt.
916
917	  To compile it as a module, choose M here.  If unsure, say N.
918
919config NETFILTER_XT_TARGET_TRACE
920	tristate  '"TRACE" target support'
921	depends on IP_NF_RAW || IP6_NF_RAW
922	depends on NETFILTER_ADVANCED
923	help
924	  The TRACE target allows you to mark packets so that the kernel
925	  will log every rule which matches the packets as they traverse
926	  the tables, chains and rules.
927
928	  If you want to compile it as a module, say M here and read
929	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
930
931config NETFILTER_XT_TARGET_SECMARK
932	tristate '"SECMARK" target support'
933	depends on NETWORK_SECMARK
934	default m if NETFILTER_ADVANCED=n
935	help
936	  The SECMARK target allows security marking of network
937	  packets, for use with security subsystems.
938
939	  To compile it as a module, choose M here.  If unsure, say N.
940
941config NETFILTER_XT_TARGET_TCPMSS
942	tristate '"TCPMSS" target support'
943	depends on IPV6 || IPV6=n
944	default m if NETFILTER_ADVANCED=n
945	---help---
946	  This option adds a `TCPMSS' target, which allows you to alter the
947	  MSS value of TCP SYN packets, to control the maximum size for that
948	  connection (usually limiting it to your outgoing interface's MTU
949	  minus 40).
950
951	  This is used to overcome criminally braindead ISPs or servers which
952	  block ICMP Fragmentation Needed packets.  The symptoms of this
953	  problem are that everything works fine from your Linux
954	  firewall/router, but machines behind it can never exchange large
955	  packets:
956	        1) Web browsers connect, then hang with no data received.
957	        2) Small mail works fine, but large emails hang.
958	        3) ssh works fine, but scp hangs after initial handshaking.
959
960	  Workaround: activate this option and add a rule to your firewall
961	  configuration like:
962
963	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
964	                 -j TCPMSS --clamp-mss-to-pmtu
965
966	  To compile it as a module, choose M here.  If unsure, say N.
967
968config NETFILTER_XT_TARGET_TCPOPTSTRIP
969	tristate '"TCPOPTSTRIP" target support'
970	depends on IP_NF_MANGLE || IP6_NF_MANGLE
971	depends on NETFILTER_ADVANCED
972	help
973	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
974	  TCP options from TCP packets.
975
976# alphabetically ordered list of matches
977
978comment "Xtables matches"
979
980config NETFILTER_XT_MATCH_ADDRTYPE
981	tristate '"addrtype" address type match support'
982	default m if NETFILTER_ADVANCED=n
983	---help---
984	  This option allows you to match what routing thinks of an address,
985	  eg. UNICAST, LOCAL, BROADCAST, ...
986
987	  If you want to compile it as a module, say M here and read
988	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
989
990config NETFILTER_XT_MATCH_BPF
991	tristate '"bpf" match support'
992	depends on NETFILTER_ADVANCED
993	help
994	  BPF matching applies a linux socket filter to each packet and
995	  accepts those for which the filter returns non-zero.
996
997	  To compile it as a module, choose M here.  If unsure, say N.
998
999config NETFILTER_XT_MATCH_CGROUP
1000	tristate '"control group" match support'
1001	depends on NETFILTER_ADVANCED
1002	depends on CGROUPS
1003	select CGROUP_NET_CLASSID
1004	---help---
1005	Socket/process control group matching allows you to match locally
1006	generated packets based on which net_cls control group processes
1007	belong to.
1008
1009config NETFILTER_XT_MATCH_CLUSTER
1010	tristate '"cluster" match support'
1011	depends on NF_CONNTRACK
1012	depends on NETFILTER_ADVANCED
1013	---help---
1014	  This option allows you to build work-load-sharing clusters of
1015	  network servers/stateful firewalls without having a dedicated
1016	  load-balancing router/server/switch. Basically, this match returns
1017	  true when the packet must be handled by this cluster node. Thus,
1018	  all nodes see all packets and this match decides which node handles
1019	  what packets. The work-load sharing algorithm is based on source
1020	  address hashing.
1021
1022	  If you say Y or M here, try `iptables -m cluster --help` for
1023	  more information.
1024
1025config NETFILTER_XT_MATCH_COMMENT
1026	tristate  '"comment" match support'
1027	depends on NETFILTER_ADVANCED
1028	help
1029	  This option adds a `comment' dummy-match, which allows you to put
1030	  comments in your iptables ruleset.
1031
1032	  If you want to compile it as a module, say M here and read
1033	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1034
1035config NETFILTER_XT_MATCH_CONNBYTES
1036	tristate  '"connbytes" per-connection counter match support'
1037	depends on NF_CONNTRACK
1038	depends on NETFILTER_ADVANCED
1039	help
1040	  This option adds a `connbytes' match, which allows you to match the
1041	  number of bytes and/or packets for each direction within a connection.
1042
1043	  If you want to compile it as a module, say M here and read
1044	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1045
1046config NETFILTER_XT_MATCH_CONNLABEL
1047	tristate '"connlabel" match support'
1048	select NF_CONNTRACK_LABELS
1049	depends on NF_CONNTRACK
1050	depends on NETFILTER_ADVANCED
1051	---help---
1052	  This match allows you to test and assign userspace-defined label names
1053	  to a connection.  The kernel only stores bit values - mapping
1054	  names to bits is done by userspace.
1055
1056	  Unlike connmark, more than 32 flag bits may be assigned to a
1057	  connection simultaneously.
1058
1059config NETFILTER_XT_MATCH_CONNLIMIT
1060	tristate '"connlimit" match support'
1061	depends on NF_CONNTRACK
1062	depends on NETFILTER_ADVANCED
1063	---help---
1064	  This match allows you to match against the number of parallel
1065	  connections to a server per client IP address (or address block).
1066
1067config NETFILTER_XT_MATCH_CONNMARK
1068	tristate  '"connmark" connection mark match support'
1069	depends on NF_CONNTRACK
1070	depends on NETFILTER_ADVANCED
1071	select NETFILTER_XT_CONNMARK
1072	---help---
1073	This is a backwards-compat option for the user's convenience
1074	(e.g. when running oldconfig). It selects
1075	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
1076
1077config NETFILTER_XT_MATCH_CONNTRACK
1078	tristate '"conntrack" connection tracking match support'
1079	depends on NF_CONNTRACK
1080	default m if NETFILTER_ADVANCED=n
1081	help
1082	  This is a general conntrack match module, a superset of the state match.
1083
1084	  It allows matching on additional conntrack information, which is
1085	  useful in complex configurations, such as NAT gateways with multiple
1086	  internet links or tunnels.
1087
1088	  To compile it as a module, choose M here.  If unsure, say N.
1089
1090config NETFILTER_XT_MATCH_CPU
1091	tristate '"cpu" match support'
1092	depends on NETFILTER_ADVANCED
1093	help
1094	  CPU matching allows you to match packets based on the CPU
1095	  currently handling the packet.
1096
1097	  To compile it as a module, choose M here.  If unsure, say N.
1098
1099config NETFILTER_XT_MATCH_DCCP
1100	tristate '"dccp" protocol match support'
1101	depends on NETFILTER_ADVANCED
1102	default IP_DCCP
1103	help
1104	  With this option enabled, you will be able to use the iptables
1105	  `dccp' match in order to match on DCCP source/destination ports
1106	  and DCCP flags.
1107
1108	  If you want to compile it as a module, say M here and read
1109	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1110
1111config NETFILTER_XT_MATCH_DEVGROUP
1112	tristate '"devgroup" match support'
1113	depends on NETFILTER_ADVANCED
1114	help
1115	  This option adds a `devgroup' match, which allows you to match on the
1116	  device group a network device is assigned to.
1117
1118	  To compile it as a module, choose M here.  If unsure, say N.
1119
1120config NETFILTER_XT_MATCH_DSCP
1121	tristate '"dscp" and "tos" match support'
1122	depends on NETFILTER_ADVANCED
1123	help
1124	  This option adds a `DSCP' match, which allows you to match against
1125	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
1126
1127	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
1128
1129	  It will also add a "tos" match, which allows you to match packets
1130	  based on the Type Of Service fields of the IPv4 packet (which share
1131	  the same bits as DSCP).
1132
1133	  To compile it as a module, choose M here.  If unsure, say N.
1134
1135config NETFILTER_XT_MATCH_ECN
1136	tristate '"ecn" match support'
1137	depends on NETFILTER_ADVANCED
1138	---help---
1139	This option adds an "ECN" match, which allows you to match against
1140	the IPv4 and TCP header ECN fields.
1141
1142	To compile it as a module, choose M here. If unsure, say N.
1143
1144config NETFILTER_XT_MATCH_ESP
1145	tristate '"esp" match support'
1146	depends on NETFILTER_ADVANCED
1147	help
1148	  This match extension allows you to match a range of SPIs
1149	  inside the ESP header of IPsec packets.
1150
1151	  To compile it as a module, choose M here.  If unsure, say N.
1152
1153config NETFILTER_XT_MATCH_HASHLIMIT
1154	tristate '"hashlimit" match support'
1155	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1156	depends on NETFILTER_ADVANCED
1157	help
1158	  This option adds a `hashlimit' match.
1159
1160	  As opposed to `limit', this match dynamically creates a hash table
1161	  of limit buckets, based on your selection of source/destination
1162	  addresses and/or ports.
1163
1164	  It enables you to express policies like `10kpps for any given
1165	  destination address' or `500pps from any given source address'
1166	  with a single rule.
1167
1168config NETFILTER_XT_MATCH_HELPER
1169	tristate '"helper" match support'
1170	depends on NF_CONNTRACK
1171	depends on NETFILTER_ADVANCED
1172	help
1173	  Helper matching allows you to match packets in dynamic connections
1174	  tracked by a conntrack-helper, e.g. ip_conntrack_ftp.
1175
1176	  To compile it as a module, choose M here.  If unsure, say Y.
1177
1178config NETFILTER_XT_MATCH_HL
1179	tristate '"hl" hoplimit/TTL match support'
1180	depends on NETFILTER_ADVANCED
1181	---help---
1182	HL matching allows you to match packets based on the hoplimit
1183	in the IPv6 header, or the time-to-live field in the IPv4
1184	header of the packet.
1185
1186config NETFILTER_XT_MATCH_IPCOMP
1187	tristate '"ipcomp" match support'
1188	depends on NETFILTER_ADVANCED
1189	help
1190	  This match extension allows you to match a range of CPIs (16 bits)
1191	  inside the IPComp header of IPsec packets.
1192
1193	  To compile it as a module, choose M here.  If unsure, say N.
1194
1195config NETFILTER_XT_MATCH_IPRANGE
1196	tristate '"iprange" address range match support'
1197	depends on NETFILTER_ADVANCED
1198	---help---
1199	This option adds an "iprange" match, which allows you to match based on
1200	an IP address range. (Normal iptables only matches on single addresses
1201	with an optional mask.)
1202
1203	If unsure, say M.
1204
1205config NETFILTER_XT_MATCH_IPVS
1206	tristate '"ipvs" match support'
1207	depends on IP_VS
1208	depends on NETFILTER_ADVANCED
1209	depends on NF_CONNTRACK
1210	help
1211	  This option allows you to match against IPVS properties of a packet.
1212
1213	  If unsure, say N.
1214
1215config NETFILTER_XT_MATCH_L2TP
1216	tristate '"l2tp" match support'
1217	depends on NETFILTER_ADVANCED
1218	default L2TP
1219	---help---
1220	This option adds an "L2TP" match, which allows you to match against
1221	L2TP protocol header fields.
1222
1223	To compile it as a module, choose M here. If unsure, say N.
1224
1225config NETFILTER_XT_MATCH_LENGTH
1226	tristate '"length" match support'
1227	depends on NETFILTER_ADVANCED
1228	help
1229	  This option allows you to match the length of a packet against a
1230	  specific value or range of values.
1231
1232	  To compile it as a module, choose M here.  If unsure, say N.
1233
1234config NETFILTER_XT_MATCH_LIMIT
1235	tristate '"limit" match support'
1236	depends on NETFILTER_ADVANCED
1237	help
1238	  limit matching allows you to control the rate at which a rule can be
1239	  matched: mainly useful in combination with the LOG target ("LOG
1240	  target support", below) and to avoid some Denial of Service attacks.
1241
1242	  To compile it as a module, choose M here.  If unsure, say N.
1243
1244config NETFILTER_XT_MATCH_MAC
1245	tristate '"mac" address match support'
1246	depends on NETFILTER_ADVANCED
1247	help
1248	  MAC matching allows you to match packets based on the source
1249	  Ethernet address of the packet.
1250
1251	  To compile it as a module, choose M here.  If unsure, say N.
1252
1253config NETFILTER_XT_MATCH_MARK
1254	tristate '"mark" match support'
1255	depends on NETFILTER_ADVANCED
1256	select NETFILTER_XT_MARK
1257	---help---
1258	This is a backwards-compat option for the user's convenience
1259	(e.g. when running oldconfig). It selects
1260	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
1261
1262config NETFILTER_XT_MATCH_MULTIPORT
1263	tristate '"multiport" Multiple port match support'
1264	depends on NETFILTER_ADVANCED
1265	help
1266	  Multiport matching allows you to match TCP or UDP packets based on
1267	  a series of source or destination ports: normally a rule can only
1268	  match a single range of ports.
1269
1270	  To compile it as a module, choose M here.  If unsure, say N.
1271
1272config NETFILTER_XT_MATCH_NFACCT
1273	tristate '"nfacct" match support'
1274	depends on NETFILTER_ADVANCED
1275	select NETFILTER_NETLINK_ACCT
1276	help
1277	  This option allows you to use the extended accounting through
1278	  nfnetlink_acct.
1279
1280	  To compile it as a module, choose M here.  If unsure, say N.
1281
1282config NETFILTER_XT_MATCH_OSF
1283	tristate '"osf" Passive OS fingerprint match'
1284	depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
1285	help
1286	  This option selects the Passive OS Fingerprinting match module
1287	  that allows you to passively match the remote operating system by
1288	  analyzing incoming TCP SYN packets.
1289
1290	  Rules and loading software can be downloaded from
1291	  http://www.ioremap.net/projects/osf
1292
1293	  To compile it as a module, choose M here.  If unsure, say N.
1294
1295config NETFILTER_XT_MATCH_OWNER
1296	tristate '"owner" match support'
1297	depends on NETFILTER_ADVANCED
1298	---help---
1299	Socket owner matching allows you to match locally-generated packets
1300	based on who created the socket: the user or group. It is also
1301	possible to check whether a socket actually exists.
1302
1303config NETFILTER_XT_MATCH_POLICY
1304	tristate 'IPsec "policy" match support'
1305	depends on XFRM
1306	default m if NETFILTER_ADVANCED=n
1307	help
1308	  Policy matching allows you to match packets based on the
1309	  IPsec policy that was used during decapsulation/will
1310	  be used during encapsulation.
1311
1312	  To compile it as a module, choose M here.  If unsure, say N.
1313
1314config NETFILTER_XT_MATCH_PHYSDEV
1315	tristate '"physdev" match support'
1316	depends on BRIDGE && BRIDGE_NETFILTER
1317	depends on NETFILTER_ADVANCED
1318	help
1319	  Physdev packet matching matches against the physical bridge ports
1320	  the IP packet arrived on or will leave by.
1321
1322	  To compile it as a module, choose M here.  If unsure, say N.
1323
1324config NETFILTER_XT_MATCH_PKTTYPE
1325	tristate '"pkttype" packet type match support'
1326	depends on NETFILTER_ADVANCED
1327	help
1328	  Packet type matching allows you to match a packet by
1329	  its "class", eg. BROADCAST, MULTICAST, ...
1330
1331	  Typical usage:
1332	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
1333
1334	  To compile it as a module, choose M here.  If unsure, say N.
1335
1336config NETFILTER_XT_MATCH_QUOTA
1337	tristate '"quota" match support'
1338	depends on NETFILTER_ADVANCED
1339	help
1340	  This option adds a `quota' match, which allows you to match on a
1341	  byte counter.
1342
1343	  If you want to compile it as a module, say M here and read
1344	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1345
1346config NETFILTER_XT_MATCH_RATEEST
1347	tristate '"rateest" match support'
1348	depends on NETFILTER_ADVANCED
1349	select NETFILTER_XT_TARGET_RATEEST
1350	help
1351	  This option adds a `rateest' match, which allows you to match on the
1352	  rate estimated by the RATEEST target.
1353
1354	  To compile it as a module, choose M here.  If unsure, say N.
1355
1356config NETFILTER_XT_MATCH_REALM
1357	tristate  '"realm" match support'
1358	depends on NETFILTER_ADVANCED
1359	select IP_ROUTE_CLASSID
1360	help
1361	  This option adds a `realm' match, which allows you to use the realm
1362	  key from the routing subsystem inside iptables.
1363
1364	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
1365	  in tc world.
1366
1367	  If you want to compile it as a module, say M here and read
1368	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1369
1370config NETFILTER_XT_MATCH_RECENT
1371	tristate '"recent" match support'
1372	depends on NETFILTER_ADVANCED
1373	---help---
1374	This match is used for creating one or many lists of recently
1375	used addresses and then matching against that/those list(s).
1376
1377	Short options are available by using 'iptables -m recent -h'
1378	Official Website: <http://snowman.net/projects/ipt_recent/>
1379
1380config NETFILTER_XT_MATCH_SCTP
1381	tristate  '"sctp" protocol match support'
1382	depends on NETFILTER_ADVANCED
1383	default IP_SCTP
1384	help
1385	  With this option enabled, you will be able to use the
1386	  `sctp' match in order to match on SCTP source/destination ports
1387	  and SCTP chunk types.
1388
1389	  If you want to compile it as a module, say M here and read
1390	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1391
1392config NETFILTER_XT_MATCH_SOCKET
1393	tristate '"socket" match support'
1394	depends on NETFILTER_XTABLES
1395	depends on NETFILTER_ADVANCED
1396	depends on !NF_CONNTRACK || NF_CONNTRACK
1397	depends on IPV6 || IPV6=n
1398	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1399	select NF_DEFRAG_IPV4
1400	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1401	help
1402	  This option adds a `socket' match, which can be used to match
1403	  packets for which a TCP or UDP socket lookup finds a valid socket.
1404	  It can be used in combination with the MARK target and policy
1405	  routing to implement full featured non-locally bound sockets.
1406
1407	  To compile it as a module, choose M here.  If unsure, say N.
1408
1409config NETFILTER_XT_MATCH_STATE
1410	tristate '"state" match support'
1411	depends on NF_CONNTRACK
1412	default m if NETFILTER_ADVANCED=n
1413	help
1414	  Connection state matching allows you to match packets based on their
1415	  relationship to a tracked connection (ie. previous packets).  This
1416	  is a powerful tool for packet classification.
1417
1418	  To compile it as a module, choose M here.  If unsure, say N.
1419
1420config NETFILTER_XT_MATCH_STATISTIC
1421	tristate '"statistic" match support'
1422	depends on NETFILTER_ADVANCED
1423	help
1424	  This option adds a `statistic' match, which allows you to match
1425	  on packets periodically or randomly with a given percentage.
1426
1427	  To compile it as a module, choose M here.  If unsure, say N.
1428
1429config NETFILTER_XT_MATCH_STRING
1430	tristate  '"string" match support'
1431	depends on NETFILTER_ADVANCED
1432	select TEXTSEARCH
1433	select TEXTSEARCH_KMP
1434	select TEXTSEARCH_BM
1435	select TEXTSEARCH_FSM
1436	help
1437	  This option adds a `string' match, which allows you to look for
1438	  pattern matches in packets.
1439
1440	  To compile it as a module, choose M here.  If unsure, say N.
1441
1442config NETFILTER_XT_MATCH_TCPMSS
1443	tristate '"tcpmss" match support'
1444	depends on NETFILTER_ADVANCED
1445	help
1446	  This option adds a `tcpmss' match, which allows you to examine the
1447	  MSS value of TCP SYN packets, which controls the maximum packet size
1448	  for that connection.
1449
1450	  To compile it as a module, choose M here.  If unsure, say N.
1451
1452config NETFILTER_XT_MATCH_TIME
1453	tristate '"time" match support'
1454	depends on NETFILTER_ADVANCED
1455	---help---
1456	  This option adds a "time" match, which allows you to match based on
1457	  the packet arrival time (at the machine on which netfilter is running)
1458	  or departure time/date (for locally generated packets).
1459
1460	  If you say Y here, try `iptables -m time --help` for
1461	  more information.
1462
1463	  If you want to compile it as a module, say M here.
1464	  If unsure, say N.
1465
1466config NETFILTER_XT_MATCH_U32
1467	tristate '"u32" match support'
1468	depends on NETFILTER_ADVANCED
1469	---help---
1470	  u32 allows you to extract quantities of up to 4 bytes from a packet,
1471	  AND them with specified masks, shift them by specified amounts and
1472	  test whether the results are in any of a set of specified ranges.
1473	  The specification of what to extract is general enough to skip over
1474	  headers with lengths stored in the packet, as in IP or TCP header
1475	  lengths.
1476
1477	  Details and examples are in the kernel module source.
1478
1479endif # NETFILTER_XTABLES
1480
1481endmenu
1482
1483source "net/netfilter/ipset/Kconfig"
1484
1485source "net/netfilter/ipvs/Kconfig"
1486