1menu "Core Netfilter Configuration"
2	depends on NET && INET && NETFILTER
3
4config NETFILTER_INGRESS
5	bool "Netfilter ingress support"
6	default y
7	select NET_INGRESS
8	help
9	  This allows you to classify packets from ingress using the Netfilter
10	  infrastructure.
11
12config NETFILTER_NETLINK
13	tristate
14
15config NETFILTER_FAMILY_BRIDGE
16	bool
17
18config NETFILTER_FAMILY_ARP
19	bool
20
21config NETFILTER_NETLINK_ACCT
22	tristate "Netfilter NFACCT over NFNETLINK interface"
23	depends on NETFILTER_ADVANCED
24	select NETFILTER_NETLINK
25	help
26	  If this option is enabled, the kernel will include support
27	  for extended accounting via NFNETLINK.
28
29config NETFILTER_NETLINK_QUEUE
30	tristate "Netfilter NFQUEUE over NFNETLINK interface"
31	depends on NETFILTER_ADVANCED
32	select NETFILTER_NETLINK
33	help
34	  If this option is enabled, the kernel will include support
35	  for queueing packets via NFNETLINK.
36
37config NETFILTER_NETLINK_LOG
38	tristate "Netfilter LOG over NFNETLINK interface"
39	default m if NETFILTER_ADVANCED=n
40	select NETFILTER_NETLINK
41	help
42	  If this option is enabled, the kernel will include support
43	  for logging packets via NFNETLINK.
44
45	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
46	  and is also scheduled to replace the old syslog-based ipt_LOG
47	  and ip6t_LOG modules.
48
49config NF_CONNTRACK
50	tristate "Netfilter connection tracking support"
51	default m if NETFILTER_ADVANCED=n
52	help
53	  Connection tracking keeps a record of what packets have passed
54	  through your machine, in order to figure out how they are grouped
55	  into connections.
56
57	  This is required to do Masquerading or other kinds of Network
58	  Address Translation.  It can also be used to enhance packet
59	  filtering (see `Connection state match support' below).
60
61	  To compile it as a module, choose M here.  If unsure, say N.
62
63config NF_LOG_COMMON
64	tristate
65
66config NF_LOG_NETDEV
67	tristate "Netdev packet logging"
68	select NF_LOG_COMMON
69
70if NF_CONNTRACK
71config NETFILTER_CONNCOUNT
72	tristate
73
74config NF_CONNTRACK_MARK
75	bool  'Connection mark tracking support'
76	depends on NETFILTER_ADVANCED
77	help
78	  This option enables support for connection marks, used by the
79	  `CONNMARK' target and `connmark' match. Similar to the mark value
80	  of packets, but this mark value is kept in the conntrack session
81	  instead of the individual packets.
82
83config NF_CONNTRACK_SECMARK
84	bool  'Connection tracking security mark support'
85	depends on NETWORK_SECMARK
86	default m if NETFILTER_ADVANCED=n
87	help
88	  This option enables security markings to be applied to
89	  connections.  Typically they are copied to connections from
90	  packets using the CONNSECMARK target and copied back from
91	  connections to packets with the same target, with the packets
92	  being originally labeled via SECMARK.
93
94	  If unsure, say 'N'.
95
96config NF_CONNTRACK_ZONES
97	bool  'Connection tracking zones'
98	depends on NETFILTER_ADVANCED
99	depends on NETFILTER_XT_TARGET_CT
100	help
101	  This option enables support for connection tracking zones.
102	  Normally, each connection needs to have a unique system wide
103	  identity. Connection tracking zones allow multiple connections
104	  to use the same identity, as long as they are contained in
105	  different zones.
106
107	  If unsure, say `N'.
108
109config NF_CONNTRACK_PROCFS
110	bool "Supply CT list in procfs (OBSOLETE)"
111	default y
112	depends on PROC_FS
113	---help---
114	This option enables the list of known conntrack entries
115	to be shown in procfs under net/netfilter/nf_conntrack. This
116	is considered obsolete in favor of using the conntrack(8)
117	tool, which uses Netlink.
118
119config NF_CONNTRACK_EVENTS
120	bool "Connection tracking events"
121	depends on NETFILTER_ADVANCED
122	help
123	  If this option is enabled, the connection tracking code will
124	  provide a notifier chain that can be used by other kernel code
125	  to get notified about changes in the connection tracking state.
126
127	  If unsure, say `N'.
128
129config NF_CONNTRACK_TIMEOUT
130	bool  'Connection tracking timeout'
131	depends on NETFILTER_ADVANCED
132	help
133	  This option enables support for the connection tracking timeout
134	  extension. This allows you to attach timeout policies to flows
135	  via the CT target.
136
137	  If unsure, say `N'.
138
139config NF_CONNTRACK_TIMESTAMP
140	bool  'Connection tracking timestamping'
141	depends on NETFILTER_ADVANCED
142	help
143	  This option enables support for connection tracking timestamping.
144	  This allows you to store the flow start-time and to obtain
145	  the flow-stop time (once it has been destroyed) via Connection
146	  tracking events.
147
148	  If unsure, say `N'.
149
150config NF_CONNTRACK_LABELS
151	bool
152	help
153	  This option enables support for assigning user-defined flag bits
154	  to connection tracking entries.  It is selected by the connlabel match.
155
156config NF_CT_PROTO_DCCP
157	bool 'DCCP protocol connection tracking support'
158	depends on NETFILTER_ADVANCED
159	default y
160	help
161	  With this option enabled, the layer 3 independent connection
162	  tracking code will be able to do state tracking on DCCP connections.
163
164	  If unsure, say Y.
165
166config NF_CT_PROTO_GRE
167	tristate
168
169config NF_CT_PROTO_SCTP
170	bool 'SCTP protocol connection tracking support'
171	depends on NETFILTER_ADVANCED
172	default y
173	select LIBCRC32C
174	help
175	  With this option enabled, the layer 3 independent connection
176	  tracking code will be able to do state tracking on SCTP connections.
177
178	  If unsure, say Y.
179
180config NF_CT_PROTO_UDPLITE
181	bool 'UDP-Lite protocol connection tracking support'
182	depends on NETFILTER_ADVANCED
183	default y
184	help
185	  With this option enabled, the layer 3 independent connection
186	  tracking code will be able to do state tracking on UDP-Lite
187	  connections.
188
189	  If unsure, say Y.
190
191config NF_CONNTRACK_AMANDA
192	tristate "Amanda backup protocol support"
193	depends on NETFILTER_ADVANCED
194	select TEXTSEARCH
195	select TEXTSEARCH_KMP
196	help
197	  If you are running the Amanda backup package <http://www.amanda.org/>
198	  on this machine or machines that will be MASQUERADED through this
199	  machine, then you may want to enable this feature.  This allows the
200	  connection tracking and NAT code to permit the sub-channels that
201	  Amanda requires for communication of the backup data, messages and
202	  index.
203
204	  To compile it as a module, choose M here.  If unsure, say N.
205
206config NF_CONNTRACK_FTP
207	tristate "FTP protocol support"
208	default m if NETFILTER_ADVANCED=n
209	help
210	  Tracking FTP connections is problematic: special helpers are
211	  required for tracking them, and doing masquerading and other forms
212	  of Network Address Translation on them.
213
214	  This is FTP support on Layer 3 independent connection tracking.
215	  Layer 3 independent connection tracking is an experimental scheme
216	  which generalizes ip_conntrack to support other layer 3 protocols.
217
218	  To compile it as a module, choose M here.  If unsure, say N.
219
220config NF_CONNTRACK_H323
221	tristate "H.323 protocol support"
222	depends on IPV6 || IPV6=n
223	depends on NETFILTER_ADVANCED
224	help
225	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
226	  important VoIP protocols, it is widely used by voice hardware and
227	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
228	  Gnomemeeting, etc.
229
230	  With this module you can support H.323 on a connection tracking/NAT
231	  firewall.
232
233	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
234	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
235	  whiteboard, file transfer, etc. For more information, please
236	  visit http://nath323.sourceforge.net/.
237
238	  To compile it as a module, choose M here.  If unsure, say N.
239
240config NF_CONNTRACK_IRC
241	tristate "IRC protocol support"
242	default m if NETFILTER_ADVANCED=n
243	help
244	  There is a commonly-used extension to IRC called
245	  Direct Client-to-Client Protocol (DCC).  This enables users to send
246	  files to each other, and also chat to each other without the need
247	  of a server.  DCC Sending is used anywhere you send files over IRC,
248	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
249	  using NAT, this extension will enable you to send files and initiate
250	  chats.  Note that you do NOT need this extension to get files or
251	  have others initiate chats, or everything else in IRC.
252
253	  To compile it as a module, choose M here.  If unsure, say N.
254
255config NF_CONNTRACK_BROADCAST
256	tristate
257
258config NF_CONNTRACK_NETBIOS_NS
259	tristate "NetBIOS name service protocol support"
260	select NF_CONNTRACK_BROADCAST
261	help
262	  NetBIOS name service requests are sent as broadcast messages from an
263	  unprivileged port and responded to with unicast messages to the
264	  same port. This makes them hard to firewall properly because connection
265	  tracking doesn't deal with broadcasts. This helper tracks locally
266	  originating NetBIOS name service requests and the corresponding
267	  responses. It relies on correct IP address configuration, specifically
268	  netmask and broadcast address. When properly configured, the output
269	  of "ip address show" should look similar to this:
270
271	  $ ip -4 address show eth0
272	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
273	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
274
275	  To compile it as a module, choose M here.  If unsure, say N.
276
277config NF_CONNTRACK_SNMP
278	tristate "SNMP service protocol support"
279	depends on NETFILTER_ADVANCED
280	select NF_CONNTRACK_BROADCAST
281	help
282	  SNMP service requests are sent as broadcast messages from an
283	  unprivileged port and responded to with unicast messages to the
284	  same port. This makes them hard to firewall properly because connection
285	  tracking doesn't deal with broadcasts. This helper tracks locally
286	  originating SNMP service requests and the corresponding
287	  responses. It relies on correct IP address configuration, specifically
288	  netmask and broadcast address.
289
290	  To compile it as a module, choose M here.  If unsure, say N.
291
292config NF_CONNTRACK_PPTP
293	tristate "PPtP protocol support"
294	depends on NETFILTER_ADVANCED
295	select NF_CT_PROTO_GRE
296	help
297	  This module adds support for PPTP (Point to Point Tunnelling
298	  Protocol, RFC2637) connection tracking and NAT.
299
300	  If you are running PPTP sessions over a stateful firewall or NAT
301	  box, you may want to enable this feature.
302
303	  Please note that not all PPTP modes of operation are supported yet.
304	  Specifically these limitations exist:
305	    - Blindly assumes that control connections are always established
306	      in PNS->PAC direction. This is a violation of RFC2637.
307	    - Only supports a single call within each session
308
309	  To compile it as a module, choose M here.  If unsure, say N.
310
311config NF_CONNTRACK_SANE
312	tristate "SANE protocol support"
313	depends on NETFILTER_ADVANCED
314	help
315	  SANE is a protocol for remote access to scanners as implemented
316	  by the 'saned' daemon. Like FTP, it uses separate control and
317	  data connections.
318
319	  With this module you can support SANE on a connection tracking
320	  firewall.
321
322	  To compile it as a module, choose M here.  If unsure, say N.
323
324config NF_CONNTRACK_SIP
325	tristate "SIP protocol support"
326	default m if NETFILTER_ADVANCED=n
327	help
328	  SIP is an application-layer control protocol that can establish,
329	  modify, and terminate multimedia sessions (conferences) such as
330	  Internet telephony calls. With the ip_conntrack_sip and
331	  the nf_nat_sip modules you can support the protocol on a connection
332	  tracking/NATing firewall.
333
334	  To compile it as a module, choose M here.  If unsure, say N.
335
336config NF_CONNTRACK_TFTP
337	tristate "TFTP protocol support"
338	depends on NETFILTER_ADVANCED
339	help
340	  TFTP connection tracking helper; whether it is required depends
341	  on how restrictive your ruleset is.
342	  If you are using a tftp client behind -j SNAT or -j MASQUERADE
343	  you will need this.
344
345	  To compile it as a module, choose M here.  If unsure, say N.
346
347config NF_CT_NETLINK
348	tristate 'Connection tracking netlink interface'
349	select NETFILTER_NETLINK
350	default m if NETFILTER_ADVANCED=n
351	help
352	  This option enables support for a netlink-based userspace interface
353	  to connection tracking.
353
354config NF_CT_NETLINK_TIMEOUT
355	tristate  'Connection tracking timeout tuning via Netlink'
356	select NETFILTER_NETLINK
357	depends on NETFILTER_ADVANCED
358	help
359	  This option enables support for connection tracking timeout
360	  fine-grain tuning. This allows you to attach specific timeout
361	  policies to flows, instead of using the global timeout policy.
362
363	  If unsure, say `N'.
364
365config NF_CT_NETLINK_HELPER
366	tristate 'Connection tracking helpers in user-space via Netlink'
367	select NETFILTER_NETLINK
368	depends on NF_CT_NETLINK
369	depends on NETFILTER_NETLINK_QUEUE
370	depends on NETFILTER_NETLINK_GLUE_CT
371	depends on NETFILTER_ADVANCED
372	help
373	  This option enables the user-space connection tracking helpers
374	  infrastructure.
375
376	  If unsure, say `N'.
377
378config NETFILTER_NETLINK_GLUE_CT
379	bool "NFQUEUE and NFLOG integration with Connection Tracking"
380	default n
381	depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
382	help
383	  If this option is enabled, NFQUEUE and NFLOG can include
384	  Connection Tracking information together with the packet that
385	  is enqueued via NFNETLINK.
386
387config NF_NAT
388	tristate
389
390config NF_NAT_NEEDED
391	bool
392	depends on NF_NAT
393	default y
394
395config NF_NAT_PROTO_DCCP
396	bool
397	depends on NF_NAT && NF_CT_PROTO_DCCP
398	default NF_NAT && NF_CT_PROTO_DCCP
399
400config NF_NAT_PROTO_UDPLITE
401	bool
402	depends on NF_NAT && NF_CT_PROTO_UDPLITE
403	default NF_NAT && NF_CT_PROTO_UDPLITE
404
405config NF_NAT_PROTO_SCTP
406	bool
407	default NF_NAT && NF_CT_PROTO_SCTP
408	depends on NF_NAT && NF_CT_PROTO_SCTP
409
410config NF_NAT_AMANDA
411	tristate
412	depends on NF_CONNTRACK && NF_NAT
413	default NF_NAT && NF_CONNTRACK_AMANDA
414
415config NF_NAT_FTP
416	tristate
417	depends on NF_CONNTRACK && NF_NAT
418	default NF_NAT && NF_CONNTRACK_FTP
419
420config NF_NAT_IRC
421	tristate
422	depends on NF_CONNTRACK && NF_NAT
423	default NF_NAT && NF_CONNTRACK_IRC
424
425config NF_NAT_SIP
426	tristate
427	depends on NF_CONNTRACK && NF_NAT
428	default NF_NAT && NF_CONNTRACK_SIP
429
430config NF_NAT_TFTP
431	tristate
432	depends on NF_CONNTRACK && NF_NAT
433	default NF_NAT && NF_CONNTRACK_TFTP
434
435config NF_NAT_REDIRECT
436	tristate "IPv4/IPv6 redirect support"
437	depends on NF_NAT
438	help
439	  This is the kernel functionality to redirect packets to the local
440	  machine through NAT.
441
442config NETFILTER_SYNPROXY
443	tristate
444
445endif # NF_CONNTRACK
446
447config NF_TABLES
448	select NETFILTER_NETLINK
449	tristate "Netfilter nf_tables support"
450	help
451	  nftables is the new packet classification framework that intends to
452	  replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
453	  provides a pseudo-state machine with an extensible instruction-set
454	  (also known as expressions) that the userspace 'nft' utility
455	  (http://www.netfilter.org/projects/nftables) uses to build the
456	  rule-set. It also comes with the generic set infrastructure that
457	  allows you to construct mappings between matchings and actions
458	  for performance lookups.
459
460	  To compile it as a module, choose M here.
461
462if NF_TABLES
463
464config NF_TABLES_INET
465	depends on IPV6
466	select NF_TABLES_IPV4
467	select NF_TABLES_IPV6
468	tristate "Netfilter nf_tables mixed IPv4/IPv6 tables support"
469	help
470	  This option enables support for a mixed IPv4/IPv6 "inet" table.
471
472config NF_TABLES_NETDEV
473	tristate "Netfilter nf_tables netdev tables support"
474	help
475	  This option enables support for the "netdev" table.
476
477config NFT_EXTHDR
478	tristate "Netfilter nf_tables exthdr module"
479	help
480	  This option adds the "exthdr" expression that you can use to match
481	  IPv6 extension headers and tcp options.
482
483config NFT_META
484	tristate "Netfilter nf_tables meta module"
485	help
486	  This option adds the "meta" expression that you can use to match and
487	  to set packet metainformation such as the packet mark.
488
489config NFT_RT
490	tristate "Netfilter nf_tables routing module"
491	help
492	  This option adds the "rt" expression that you can use to match
493	  packet routing information such as the packet nexthop.
494
495config NFT_NUMGEN
496	tristate "Netfilter nf_tables number generator module"
497	help
498	  This option adds the number generator expression used to perform
499	  incremental counting and random numbers bound to an upper limit.
500
501config NFT_CT
502	depends on NF_CONNTRACK
503	tristate "Netfilter nf_tables conntrack module"
504	help
505	  This option adds the "ct" expression that you can use to match
506	  connection tracking information such as the flow state.
507
508config NFT_FLOW_OFFLOAD
509	depends on NF_CONNTRACK && NF_FLOW_TABLE
510	tristate "Netfilter nf_tables hardware flow offload module"
511	help
512	  This option adds the "flow_offload" expression that you can use to
513	  choose what flows are placed into the hardware.
514
515config NFT_SET_RBTREE
516	tristate "Netfilter nf_tables rbtree set module"
517	help
518	  This option adds the "rbtree" set type (Red Black tree) that is used
519	  to build interval-based sets.
520
521config NFT_SET_HASH
522	tristate "Netfilter nf_tables hash set module"
523	help
524	  This option adds the "hash" set type that is used to build one-way
525	  mappings between matchings and actions.
526
527config NFT_SET_BITMAP
528	tristate "Netfilter nf_tables bitmap set module"
529	help
530	  This option adds the "bitmap" set type that is used to build sets
531	  whose keys are 16 bits or smaller.
532
533config NFT_COUNTER
534	tristate "Netfilter nf_tables counter module"
535	help
536	  This option adds the "counter" expression that you can use to
537	  include packet and byte counters in a rule.
538
539config NFT_LOG
540	tristate "Netfilter nf_tables log module"
541	help
542	  This option adds the "log" expression that you can use to log
543	  packets matching some criteria.
544
545config NFT_LIMIT
546	tristate "Netfilter nf_tables limit module"
547	help
548	  This option adds the "limit" expression that you can use to
549	  rate-limit rule matches.
550
551config NFT_MASQ
552	depends on NF_CONNTRACK
553	depends on NF_NAT
554	tristate "Netfilter nf_tables masquerade support"
555	help
556	  This option adds the "masquerade" expression that you can use
557	  to perform NAT in the masquerade flavour.
558
559config NFT_REDIR
560	depends on NF_CONNTRACK
561	depends on NF_NAT
562	tristate "Netfilter nf_tables redirect support"
563	help
564	  This option adds the "redirect" expression that you can use
565	  to perform NAT in the redirect flavour.
566
567config NFT_NAT
568	depends on NF_CONNTRACK
569	select NF_NAT
570	tristate "Netfilter nf_tables nat module"
571	help
572	  This option adds the "nat" expression that you can use to perform
573	  typical Network Address Translation (NAT) packet transformations.
574
575config NFT_OBJREF
576	tristate "Netfilter nf_tables stateful object reference module"
577	help
578	  This option adds the "objref" expression that allows you to refer to
579	  stateful objects, such as counters and quotas.
580
581config NFT_QUEUE
582	depends on NETFILTER_NETLINK_QUEUE
583	tristate "Netfilter nf_tables queue module"
584	help
585	  This is required if you intend to use the userspace queueing
586	  infrastructure (also known as NFQUEUE) from nftables.
587
588config NFT_QUOTA
589	tristate "Netfilter nf_tables quota module"
590	help
591	  This option adds the "quota" expression that you can use to
592	  enforce byte quotas.
593
594config NFT_REJECT
595	default m if NETFILTER_ADVANCED=n
596	tristate "Netfilter nf_tables reject support"
597	help
598	  This option adds the "reject" expression that you can use to
599	  explicitly deny disallowed traffic and notify the sender via
600	  TCP reset/ICMP informational errors.
601
602config NFT_REJECT_INET
603	depends on NF_TABLES_INET
604	default NFT_REJECT
605	tristate
606
607config NFT_COMPAT
608	depends on NETFILTER_XTABLES
609	tristate "Netfilter x_tables over nf_tables module"
610	help
611	  This is required if you intend to use any of the existing
612	  x_tables match/target extensions over the nf_tables
613	  framework.
614
615config NFT_HASH
616	tristate "Netfilter nf_tables hash module"
617	help
618	  This option adds the "hash" expression that you can use to perform
619	  a hash operation on registers.
620
621config NFT_FIB
622	tristate
623
624config NFT_FIB_INET
625	depends on NF_TABLES_INET
626	depends on NFT_FIB_IPV4
627	depends on NFT_FIB_IPV6
628	tristate "Netfilter nf_tables fib inet support"
629	help
630	  This option allows using the FIB expression from the inet table.
631	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
632	  on the protocol of the packet.
633
634if NF_TABLES_NETDEV
635
636config NF_DUP_NETDEV
637	tristate "Netfilter packet duplication support"
638	help
639	  This option enables the generic packet duplication infrastructure
640	  for Netfilter.
641
642config NFT_DUP_NETDEV
643	tristate "Netfilter nf_tables netdev packet duplication support"
644	select NF_DUP_NETDEV
645	help
646	  This option enables packet duplication for the "netdev" family.
647
648config NFT_FWD_NETDEV
649	tristate "Netfilter nf_tables netdev packet forwarding support"
650	select NF_DUP_NETDEV
651	help
652	  This option enables packet forwarding for the "netdev" family.
653
654config NFT_FIB_NETDEV
655	depends on NFT_FIB_IPV4
656	depends on NFT_FIB_IPV6
657	tristate "Netfilter nf_tables netdev fib lookups support"
658	help
659	  This option allows using the FIB expression from the netdev table.
660	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
661	  on the protocol of the packet.
662
663endif # NF_TABLES_NETDEV
664
665endif # NF_TABLES
666
667config NF_FLOW_TABLE_INET
668	tristate "Netfilter flow table mixed IPv4/IPv6 module"
669	depends on NF_FLOW_TABLE_IPV4 && NF_FLOW_TABLE_IPV6
670	select NF_FLOW_TABLE
671	help
672	  This option adds the flow table mixed IPv4/IPv6 support.
673
674	  To compile it as a module, choose M here.
675
676config NF_FLOW_TABLE
677	tristate "Netfilter flow table module"
678	depends on NF_CONNTRACK && NF_TABLES
679	help
680	  This option adds the flow table core infrastructure.
681
682	  To compile it as a module, choose M here.
683
684config NETFILTER_XTABLES
685	tristate "Netfilter Xtables support (required for ip_tables)"
686	default m if NETFILTER_ADVANCED=n
687	help
688	  This is required if you intend to use any of ip_tables,
689	  ip6_tables or arp_tables.
690
691if NETFILTER_XTABLES
692
693comment "Xtables combined modules"
694
695config NETFILTER_XT_MARK
696	tristate 'nfmark target and match support'
697	default m if NETFILTER_ADVANCED=n
698	---help---
699	This option adds the "MARK" target and "mark" match.
700
701	Netfilter mark matching allows you to match packets based on the
702	"nfmark" value in the packet.
703	The target allows you to create rules in the "mangle" table which alter
704	the netfilter mark (nfmark) field associated with the packet.
705
706	Prior to routing, the nfmark can influence the routing method and can
707	also be used by other subsystems to change their behavior.
708
709config NETFILTER_XT_CONNMARK
710	tristate 'ctmark target and match support'
711	depends on NF_CONNTRACK
712	depends on NETFILTER_ADVANCED
713	select NF_CONNTRACK_MARK
714	---help---
715	This option adds the "CONNMARK" target and "connmark" match.
716
717	Netfilter allows you to store a mark value per connection (a.k.a.
718	ctmark), similarly to the packet mark (nfmark). Using this
719	target and match, you can set and match on this mark.
720
721config NETFILTER_XT_SET
722	tristate 'set target and match support'
723	depends on IP_SET
724	depends on NETFILTER_ADVANCED
725	help
726	  This option adds the "SET" target and "set" match.
727
728	  Using this target and match, you can add/delete and match
729	  elements in the sets created by ipset(8).
730
731	  To compile it as a module, choose M here.  If unsure, say N.
732
733# alphabetically ordered list of targets
734
735comment "Xtables targets"
736
737config NETFILTER_XT_TARGET_AUDIT
738	tristate "AUDIT target support"
739	depends on AUDIT
740	depends on NETFILTER_ADVANCED
741	---help---
742	  This option adds an 'AUDIT' target, which can be used to create
743	  audit records for packets dropped/accepted.
744
745	  To compile it as a module, choose M here. If unsure, say N.
746
747config NETFILTER_XT_TARGET_CHECKSUM
748	tristate "CHECKSUM target support"
749	depends on IP_NF_MANGLE || IP6_NF_MANGLE
750	depends on NETFILTER_ADVANCED
751	---help---
752	  This option adds a `CHECKSUM' target, which can be used in the
753	  iptables mangle table.
754
755	  You can use this target to compute and fill in the checksum in
756	  a packet that lacks a checksum.  This is particularly useful,
757	  if you need to work around old applications such as dhcp clients,
758	  that do not work well with checksum offloads, but don't want to disable
759	  checksum offload in your device.
760
761	  To compile it as a module, choose M here.  If unsure, say N.
762
763config NETFILTER_XT_TARGET_CLASSIFY
764	tristate '"CLASSIFY" target support'
765	depends on NETFILTER_ADVANCED
766	help
767	  This option adds a `CLASSIFY' target, which enables the user to set
768	  the priority of a packet. Some qdiscs can use this value for
769	  classification, among these are:
770
771	  atm, cbq, dsmark, pfifo_fast, htb, prio
772
773	  To compile it as a module, choose M here.  If unsure, say N.
774
775config NETFILTER_XT_TARGET_CONNMARK
776	tristate  '"CONNMARK" target support'
777	depends on NF_CONNTRACK
778	depends on NETFILTER_ADVANCED
779	select NETFILTER_XT_CONNMARK
780	---help---
781	This is a backwards-compat option for the user's convenience
782	(e.g. when running oldconfig). It selects
783	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
784
785config NETFILTER_XT_TARGET_CONNSECMARK
786	tristate '"CONNSECMARK" target support'
787	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
788	default m if NETFILTER_ADVANCED=n
789	help
790	  The CONNSECMARK target copies security markings from packets
791	  to connections, and restores security markings from connections
792	  to packets (if the packets are not already marked).  This would
793	  normally be used in conjunction with the SECMARK target.
794
795	  To compile it as a module, choose M here.  If unsure, say N.
796
797config NETFILTER_XT_TARGET_CT
798	tristate '"CT" target support'
799	depends on NF_CONNTRACK
800	depends on IP_NF_RAW || IP6_NF_RAW
801	depends on NETFILTER_ADVANCED
802	help
803	  This option adds a `CT' target, which allows you to specify initial
804	  connection tracking parameters such as the events to be delivered and
805	  the helper to be used.
806
807	  To compile it as a module, choose M here.  If unsure, say N.
808
809config NETFILTER_XT_TARGET_DSCP
810	tristate '"DSCP" and "TOS" target support'
811	depends on IP_NF_MANGLE || IP6_NF_MANGLE
812	depends on NETFILTER_ADVANCED
813	help
814	  This option adds a `DSCP' target, which allows you to manipulate
815	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
816
817	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
818
819	  It also adds the "TOS" target, which allows you to create rules in
820	  the "mangle" table which alter the Type Of Service field of an IPv4
821	  or the Priority field of an IPv6 packet, prior to routing.
822
823	  To compile it as a module, choose M here.  If unsure, say N.
824
825config NETFILTER_XT_TARGET_HL
826	tristate '"HL" hoplimit target support'
827	depends on IP_NF_MANGLE || IP6_NF_MANGLE
828	depends on NETFILTER_ADVANCED
829	---help---
830	This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
831	targets, which enable the user to change the
832	hoplimit/time-to-live value of the IP header.
833
834	While it is safe to decrement the hoplimit/TTL value, the
835	modules also allow you to increment the value and to set the
836	hoplimit field of the header to arbitrary values. This is
837	EXTREMELY DANGEROUS since you can easily create immortal packets
838	that loop forever on the network.
839
840config NETFILTER_XT_TARGET_HMARK
841	tristate '"HMARK" target support'
842	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
843	depends on NETFILTER_ADVANCED
844	---help---
845	This option adds the "HMARK" target.
846
847	The target allows you to create rules in the "raw" and "mangle" tables
848	which set the skbuff mark by means of hash calculation within a given
849	range. The nfmark can influence the routing method and can also be used
850	by other subsystems to change their behaviour.
851
852	To compile it as a module, choose M here. If unsure, say N.
853
854config NETFILTER_XT_TARGET_IDLETIMER
855	tristate  "IDLETIMER target support"
856	depends on NETFILTER_ADVANCED
857	help
858
859	  This option adds the `IDLETIMER' target.  Each matching packet
860	  resets the timer associated with label specified when the rule is
861	  added.  When the timer expires, it triggers a sysfs notification.
862	  The remaining time for expiration can be read via sysfs.
863
864	  To compile it as a module, choose M here.  If unsure, say N.
865
866config NETFILTER_XT_TARGET_LED
867	tristate '"LED" target support'
868	depends on LEDS_CLASS && LEDS_TRIGGERS
869	depends on NETFILTER_ADVANCED
870	help
871	  This option adds a `LED' target, which allows you to blink LEDs in
872	  response to particular packets passing through your machine.
873
874	  This can be used to turn a spare LED into a network activity LED,
875	  which only flashes in response to FTP transfers, for example.  Or
876	  you could have an LED which lights up for a minute or two every time
877	  somebody connects to your machine via SSH.
878
879	  You will need support for the "led" class to make this work.
880
881	  To create an LED trigger for incoming SSH traffic:
882	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
883
884	  Then attach the new trigger to an LED on your system:
885	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
886
887	  For more information on the LEDs available on your system, see
888	  Documentation/leds/leds-class.txt
889
890config NETFILTER_XT_TARGET_LOG
891	tristate "LOG target support"
892	select NF_LOG_COMMON
893	select NF_LOG_IPV4
894	select NF_LOG_IPV6 if IPV6
895	default m if NETFILTER_ADVANCED=n
896	help
897	  This option adds a `LOG' target, which allows you to create rules in
898	  any iptables table which records the packet header to the syslog.
899
900	  To compile it as a module, choose M here.  If unsure, say N.
901
902config NETFILTER_XT_TARGET_MARK
903	tristate '"MARK" target support'
904	depends on NETFILTER_ADVANCED
905	select NETFILTER_XT_MARK
906	---help---
907	This is a backwards-compat option for the user's convenience
908	(e.g. when running oldconfig). It selects
909	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
910
911config NETFILTER_XT_NAT
912	tristate '"SNAT and DNAT" targets support'
913	depends on NF_NAT
914	---help---
915	This option enables the SNAT and DNAT targets.
916
917	To compile it as a module, choose M here. If unsure, say N.
918
919config NETFILTER_XT_TARGET_NETMAP
920	tristate '"NETMAP" target support'
921	depends on NF_NAT
922	---help---
923	NETMAP is an implementation of static 1:1 NAT mapping of network
924	addresses. It maps the network address part, while keeping the host
925	address part intact.
926
927	To compile it as a module, choose M here. If unsure, say N.
928
929config NETFILTER_XT_TARGET_NFLOG
930	tristate '"NFLOG" target support'
931	default m if NETFILTER_ADVANCED=n
932	select NETFILTER_NETLINK_LOG
933	help
934	  This option enables the NFLOG target, which allows you to log
935	  messages through nfnetlink_log.
936
937	  To compile it as a module, choose M here.  If unsure, say N.
938
939config NETFILTER_XT_TARGET_NFQUEUE
940	tristate '"NFQUEUE" target Support'
941	depends on NETFILTER_ADVANCED
942	select NETFILTER_NETLINK_QUEUE
943	help
944	  This target replaces the old, obsolete QUEUE target.
945
946	  As opposed to QUEUE, it supports 65535 different queues,
947	  not just one.
948
949	  To compile it as a module, choose M here.  If unsure, say N.
950
951config NETFILTER_XT_TARGET_NOTRACK
952	tristate  '"NOTRACK" target support (DEPRECATED)'
953	depends on NF_CONNTRACK
954	depends on IP_NF_RAW || IP6_NF_RAW
955	depends on NETFILTER_ADVANCED
956	select NETFILTER_XT_TARGET_CT
957
958config NETFILTER_XT_TARGET_RATEEST
959	tristate '"RATEEST" target support'
960	depends on NETFILTER_ADVANCED
961	help
962	  This option adds a `RATEEST' target, which allows you to measure
963	  rates similar to TC estimators. The `rateest' match can be
964	  used to match on the measured rates.
965
966	  To compile it as a module, choose M here.  If unsure, say N.
967
968config NETFILTER_XT_TARGET_REDIRECT
969	tristate "REDIRECT target support"
970	depends on NF_NAT
971	select NF_NAT_REDIRECT
972	---help---
973	REDIRECT is a special case of NAT: all incoming connections are
974	mapped onto the incoming interface's address, causing the packets to
975	come to the local machine instead of passing through. This is
976	useful for transparent proxies.
977
978	To compile it as a module, choose M here. If unsure, say N.
979
980config NETFILTER_XT_TARGET_TEE
981	tristate '"TEE" - packet cloning to alternate destination'
982	depends on NETFILTER_ADVANCED
983	depends on IPV6 || IPV6=n
984	depends on !NF_CONNTRACK || NF_CONNTRACK
985	select NF_DUP_IPV4
986	select NF_DUP_IPV6 if IPV6
987	---help---
988	This option adds a "TEE" target with which a packet can be cloned and
989	this clone be rerouted to another nexthop.
990
991config NETFILTER_XT_TARGET_TPROXY
992	tristate '"TPROXY" target transparent proxying support'
993	depends on NETFILTER_XTABLES
994	depends on NETFILTER_ADVANCED
995	depends on IPV6 || IPV6=n
996	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
997	depends on IP_NF_MANGLE
998	select NF_DEFRAG_IPV4
999	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1000	help
1001	  This option adds a `TPROXY' target, which is somewhat similar to
1002	  REDIRECT.  It can only be used in the mangle table and is useful
1003	  to redirect traffic to a transparent proxy.  It does _not_ depend
1004	  on Netfilter connection tracking and NAT, unlike REDIRECT.
1005	  For it to work you will have to configure certain iptables rules
1006	  and use policy routing. For more information on how to set it up
1007	  see Documentation/networking/tproxy.txt.
1008
1009	  To compile it as a module, choose M here.  If unsure, say N.
1010
1011config NETFILTER_XT_TARGET_TRACE
1012	tristate  '"TRACE" target support'
1013	depends on IP_NF_RAW || IP6_NF_RAW
1014	depends on NETFILTER_ADVANCED
1015	help
1016	  The TRACE target allows you to mark packets so that the kernel
1017	  will log every rule which matches the packets as they traverse
1018	  the tables, chains and rules.
1019
1020	  If you want to compile it as a module, say M here and read
1021	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1022
1023config NETFILTER_XT_TARGET_SECMARK
1024	tristate '"SECMARK" target support'
1025	depends on NETWORK_SECMARK
1026	default m if NETFILTER_ADVANCED=n
1027	help
1028	  The SECMARK target allows security marking of network
1029	  packets, for use with security subsystems.
1030
1031	  To compile it as a module, choose M here.  If unsure, say N.
1032
1033config NETFILTER_XT_TARGET_TCPMSS
1034	tristate '"TCPMSS" target support'
1035	depends on IPV6 || IPV6=n
1036	default m if NETFILTER_ADVANCED=n
1037	---help---
1038	  This option adds a `TCPMSS' target, which allows you to alter the
1039	  MSS value of TCP SYN packets, to control the maximum size for that
1040	  connection (usually limiting it to your outgoing interface's MTU
1041	  minus 40).
1042
1043	  This is used to overcome criminally braindead ISPs or servers which
1044	  block ICMP Fragmentation Needed packets.  The symptoms of this
1045	  problem are that everything works fine from your Linux
1046	  firewall/router, but machines behind it can never exchange large
1047	  packets:
1048	        1) Web browsers connect, then hang with no data received.
1049	        2) Small mail works fine, but large emails hang.
1050	        3) ssh works fine, but scp hangs after initial handshaking.
1051
1052	  Workaround: activate this option and add a rule to your firewall
1053	  configuration like:
1054
1055	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
1056	                 -j TCPMSS --clamp-mss-to-pmtu
1057
1058	  To compile it as a module, choose M here.  If unsure, say N.
1059
1060config NETFILTER_XT_TARGET_TCPOPTSTRIP
1061	tristate '"TCPOPTSTRIP" target support'
1062	depends on IP_NF_MANGLE || IP6_NF_MANGLE
1063	depends on NETFILTER_ADVANCED
1064	help
1065	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
1066	  TCP options from TCP packets.
1067
1068# alphabetically ordered list of matches
1069
1070comment "Xtables matches"
1071
1072config NETFILTER_XT_MATCH_ADDRTYPE
1073	tristate '"addrtype" address type match support'
1074	default m if NETFILTER_ADVANCED=n
1075	---help---
1076	  This option allows you to match what routing thinks of an address,
1077	  eg. UNICAST, LOCAL, BROADCAST, ...
1078
1079	  If you want to compile it as a module, say M here and read
1080	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1081
1082config NETFILTER_XT_MATCH_BPF
1083	tristate '"bpf" match support'
1084	depends on NETFILTER_ADVANCED
1085	help
1086	  BPF matching applies a linux socket filter to each packet and
1087	  accepts those for which the filter returns non-zero.
1088
1089	  To compile it as a module, choose M here.  If unsure, say N.
1090
1091config NETFILTER_XT_MATCH_CGROUP
1092	tristate '"control group" match support'
1093	depends on NETFILTER_ADVANCED
1094	depends on CGROUPS
1095	select CGROUP_NET_CLASSID
1096	---help---
1097	Socket/process control group matching allows you to match locally
1098	generated packets based on which net_cls control group processes
1099	belong to.
1100
1101config NETFILTER_XT_MATCH_CLUSTER
1102	tristate '"cluster" match support'
1103	depends on NF_CONNTRACK
1104	depends on NETFILTER_ADVANCED
1105	---help---
1106	  This option allows you to build work-load-sharing clusters of
1107	  network servers/stateful firewalls without having a dedicated
1108	  load-balancing router/server/switch. Basically, this match returns
1109	  true when the packet must be handled by this cluster node. Thus,
1110	  all nodes see all packets and this match decides which node handles
1111	  what packets. The work-load sharing algorithm is based on source
1112	  address hashing.
1113
1114	  If you say Y or M here, try `iptables -m cluster --help` for
1115	  more information.
1116
1117config NETFILTER_XT_MATCH_COMMENT
1118	tristate  '"comment" match support'
1119	depends on NETFILTER_ADVANCED
1120	help
1121	  This option adds a `comment' dummy-match, which allows you to put
1122	  comments in your iptables ruleset.
1123
1124	  If you want to compile it as a module, say M here and read
1125	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1126
1127config NETFILTER_XT_MATCH_CONNBYTES
1128	tristate  '"connbytes" per-connection counter match support'
1129	depends on NF_CONNTRACK
1130	depends on NETFILTER_ADVANCED
1131	help
1132	  This option adds a `connbytes' match, which allows you to match the
1133	  number of bytes and/or packets for each direction within a connection.
1134
1135	  If you want to compile it as a module, say M here and read
1136	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1137
1138config NETFILTER_XT_MATCH_CONNLABEL
1139	tristate '"connlabel" match support'
1140	select NF_CONNTRACK_LABELS
1141	depends on NF_CONNTRACK
1142	depends on NETFILTER_ADVANCED
1143	---help---
1144	  This match allows you to test and assign userspace-defined label names
1145	  to a connection.  The kernel only stores bit values - mapping
1146	  names to bits is done by userspace.
1147
1148	  Unlike connmark, more than 32 flag bits may be assigned to a
1149	  connection simultaneously.
1150
1151config NETFILTER_XT_MATCH_CONNLIMIT
1152	tristate '"connlimit" match support'
1153	depends on NF_CONNTRACK
1154	depends on NETFILTER_ADVANCED
1155	select NETFILTER_CONNCOUNT
1156	---help---
1157	  This match allows you to match against the number of parallel
1158	  connections to a server per client IP address (or address block).
1159
1160config NETFILTER_XT_MATCH_CONNMARK
1161	tristate  '"connmark" connection mark match support'
1162	depends on NF_CONNTRACK
1163	depends on NETFILTER_ADVANCED
1164	select NETFILTER_XT_CONNMARK
1165	---help---
1166	This is a backwards-compat option for the user's convenience
1167	(e.g. when running oldconfig). It selects
1168	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
1169
1170config NETFILTER_XT_MATCH_CONNTRACK
1171	tristate '"conntrack" connection tracking match support'
1172	depends on NF_CONNTRACK
1173	default m if NETFILTER_ADVANCED=n
1174	help
1175	  This is a general conntrack match module, a superset of the state match.
1176
1177	  It allows matching on additional conntrack information, which is
1178	  useful in complex configurations, such as NAT gateways with multiple
1179	  internet links or tunnels.
1180
1181	  To compile it as a module, choose M here.  If unsure, say N.
1182
1183config NETFILTER_XT_MATCH_CPU
1184	tristate '"cpu" match support'
1185	depends on NETFILTER_ADVANCED
1186	help
1187	  CPU matching allows you to match packets based on the CPU
1188	  currently handling the packet.
1189
1190	  To compile it as a module, choose M here.  If unsure, say N.
1191
1192config NETFILTER_XT_MATCH_DCCP
1193	tristate '"dccp" protocol match support'
1194	depends on NETFILTER_ADVANCED
1195	default IP_DCCP
1196	help
1197	  With this option enabled, you will be able to use the iptables
1198	  `dccp' match in order to match on DCCP source/destination ports
1199	  and DCCP flags.
1200
1201	  If you want to compile it as a module, say M here and read
1202	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1203
1204config NETFILTER_XT_MATCH_DEVGROUP
1205	tristate '"devgroup" match support'
1206	depends on NETFILTER_ADVANCED
1207	help
1208	  This option adds a `devgroup' match, which allows you to match on the
1209	  device group a network device is assigned to.
1210
1211	  To compile it as a module, choose M here.  If unsure, say N.
1212
1213config NETFILTER_XT_MATCH_DSCP
1214	tristate '"dscp" and "tos" match support'
1215	depends on NETFILTER_ADVANCED
1216	help
1217	  This option adds a `DSCP' match, which allows you to match against
1218	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
1219
1220	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
1221
1222	  It will also add a "tos" match, which allows you to match packets
1223	  based on the Type Of Service fields of the IPv4 packet (which share
1224	  the same bits as DSCP).
1225
1226	  To compile it as a module, choose M here.  If unsure, say N.
1227
1228config NETFILTER_XT_MATCH_ECN
1229	tristate '"ecn" match support'
1230	depends on NETFILTER_ADVANCED
1231	---help---
1232	This option adds an "ECN" match, which allows you to match against
1233	the IPv4 and TCP header ECN fields.
1234
1235	To compile it as a module, choose M here. If unsure, say N.
1236
1237config NETFILTER_XT_MATCH_ESP
1238	tristate '"esp" match support'
1239	depends on NETFILTER_ADVANCED
1240	help
1241	  This match extension allows you to match a range of SPIs
1242	  inside the ESP header of IPsec packets.
1243
1244	  To compile it as a module, choose M here.  If unsure, say N.
1245
1246config NETFILTER_XT_MATCH_HASHLIMIT
1247	tristate '"hashlimit" match support'
1248	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1249	depends on NETFILTER_ADVANCED
1250	help
1251	  This option adds a `hashlimit' match.
1252
1253	  As opposed to `limit', this match dynamically creates a hash table
1254	  of limit buckets, based on your selection of source/destination
1255	  addresses and/or ports.
1256
1257	  It enables you to express policies like `10kpps for any given
1258	  destination address' or `500pps from any given source address'
1259	  with a single rule.
1260
1261config NETFILTER_XT_MATCH_HELPER
1262	tristate '"helper" match support'
1263	depends on NF_CONNTRACK
1264	depends on NETFILTER_ADVANCED
1265	help
1266	  Helper matching allows you to match packets in dynamic connections
1267	  tracked by a conntrack helper, e.g. ip_conntrack_ftp.
1268
1269	  To compile it as a module, choose M here.  If unsure, say Y.
1270
1271config NETFILTER_XT_MATCH_HL
1272	tristate '"hl" hoplimit/TTL match support'
1273	depends on NETFILTER_ADVANCED
1274	---help---
1275	HL matching allows you to match packets based on the hoplimit
1276	in the IPv6 header, or the time-to-live field in the IPv4
1277	header of the packet.
1278
1279config NETFILTER_XT_MATCH_IPCOMP
1280	tristate '"ipcomp" match support'
1281	depends on NETFILTER_ADVANCED
1282	help
1283	  This match extension allows you to match a range of CPIs (16 bits)
1284	  inside the IPComp header of IPsec packets.
1285
1286	  To compile it as a module, choose M here.  If unsure, say N.
1287
1288config NETFILTER_XT_MATCH_IPRANGE
1289	tristate '"iprange" address range match support'
1290	depends on NETFILTER_ADVANCED
1291	---help---
1292	This option adds an "iprange" match, which allows you to match based on
1293	an IP address range. (Normal iptables only matches on single addresses
1294	with an optional mask.)
1295
1296	If unsure, say M.
1297
1298config NETFILTER_XT_MATCH_IPVS
1299	tristate '"ipvs" match support'
1300	depends on IP_VS
1301	depends on NETFILTER_ADVANCED
1302	depends on NF_CONNTRACK
1303	help
1304	  This option allows you to match against IPVS properties of a packet.
1305
1306	  If unsure, say N.
1307
1308config NETFILTER_XT_MATCH_L2TP
1309	tristate '"l2tp" match support'
1310	depends on NETFILTER_ADVANCED
1311	default L2TP
1312	---help---
1313	This option adds an "L2TP" match, which allows you to match against
1314	L2TP protocol header fields.
1315
1316	To compile it as a module, choose M here. If unsure, say N.
1317
1318config NETFILTER_XT_MATCH_LENGTH
1319	tristate '"length" match support'
1320	depends on NETFILTER_ADVANCED
1321	help
1322	  This option allows you to match the length of a packet against a
1323	  specific value or range of values.
1324
1325	  To compile it as a module, choose M here.  If unsure, say N.
1326
1327config NETFILTER_XT_MATCH_LIMIT
1328	tristate '"limit" match support'
1329	depends on NETFILTER_ADVANCED
1330	help
1331	  limit matching allows you to control the rate at which a rule can be
1332	  matched: mainly useful in combination with the LOG target ("LOG
1333	  target support", below) and to avoid some Denial of Service attacks.
1334
1335	  To compile it as a module, choose M here.  If unsure, say N.
1336
1337config NETFILTER_XT_MATCH_MAC
1338	tristate '"mac" address match support'
1339	depends on NETFILTER_ADVANCED
1340	help
1341	  MAC matching allows you to match packets based on the source
1342	  Ethernet address of the packet.
1343
1344	  To compile it as a module, choose M here.  If unsure, say N.
1345
1346config NETFILTER_XT_MATCH_MARK
1347	tristate '"mark" match support'
1348	depends on NETFILTER_ADVANCED
1349	select NETFILTER_XT_MARK
1350	---help---
1351	This is a backwards-compat option for the user's convenience
1352	(e.g. when running oldconfig). It selects
1353	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
1354
1355config NETFILTER_XT_MATCH_MULTIPORT
1356	tristate '"multiport" Multiple port match support'
1357	depends on NETFILTER_ADVANCED
1358	help
1359	  Multiport matching allows you to match TCP or UDP packets based on
1360	  a series of source or destination ports: normally a rule can only
1361	  match a single range of ports.
1362
1363	  To compile it as a module, choose M here.  If unsure, say N.
1364
1365config NETFILTER_XT_MATCH_NFACCT
1366	tristate '"nfacct" match support'
1367	depends on NETFILTER_ADVANCED
1368	select NETFILTER_NETLINK_ACCT
1369	help
1370	  This option allows you to use the extended accounting through
1371	  nfnetlink_acct.
1372
1373	  To compile it as a module, choose M here.  If unsure, say N.
1374
1375config NETFILTER_XT_MATCH_OSF
1376	tristate '"osf" Passive OS fingerprint match'
1377	depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
1378	help
1379	  This option selects the Passive OS Fingerprinting match module
1380	  that allows you to passively match the remote operating system by
1381	  analyzing incoming TCP SYN packets.
1382
1383	  Rules and loading software can be downloaded from
1384	  http://www.ioremap.net/projects/osf
1385
1386	  To compile it as a module, choose M here.  If unsure, say N.
1387
1388config NETFILTER_XT_MATCH_OWNER
1389	tristate '"owner" match support'
1390	depends on NETFILTER_ADVANCED
1391	---help---
1392	Socket owner matching allows you to match locally-generated packets
1393	based on who created the socket: the user or group. It is also
1394	possible to check whether a socket actually exists.
1395
1396config NETFILTER_XT_MATCH_POLICY
1397	tristate 'IPsec "policy" match support'
1398	depends on XFRM
1399	default m if NETFILTER_ADVANCED=n
1400	help
1401	  Policy matching allows you to match packets based on the
1402	  IPsec policy that was used during decapsulation/will
1403	  be used during encapsulation.
1404
1405	  To compile it as a module, choose M here.  If unsure, say N.
1406
1407config NETFILTER_XT_MATCH_PHYSDEV
1408	tristate '"physdev" match support'
1409	depends on BRIDGE && BRIDGE_NETFILTER
1410	depends on NETFILTER_ADVANCED
1411	help
1412	  Physdev packet matching matches against the physical bridge ports
1413	  the IP packet arrived on or will leave by.
1414
1415	  To compile it as a module, choose M here.  If unsure, say N.
1416
1417config NETFILTER_XT_MATCH_PKTTYPE
1418	tristate '"pkttype" packet type match support'
1419	depends on NETFILTER_ADVANCED
1420	help
1421	  Packet type matching allows you to match a packet by
1422	  its "class", eg. BROADCAST, MULTICAST, ...
1423
1424	  Typical usage:
1425	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
1426
1427	  To compile it as a module, choose M here.  If unsure, say N.
1428
1429config NETFILTER_XT_MATCH_QUOTA
1430	tristate '"quota" match support'
1431	depends on NETFILTER_ADVANCED
1432	help
1433	  This option adds a `quota' match, which allows you to match on a
1434	  byte counter.
1435
1436	  If you want to compile it as a module, say M here and read
1437	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1438
1439config NETFILTER_XT_MATCH_RATEEST
1440	tristate '"rateest" match support'
1441	depends on NETFILTER_ADVANCED
1442	select NETFILTER_XT_TARGET_RATEEST
1443	help
1444	  This option adds a `rateest' match, which allows you to match on the
1445	  rate estimated by the RATEEST target.
1446
1447	  To compile it as a module, choose M here.  If unsure, say N.
1448
1449config NETFILTER_XT_MATCH_REALM
1450	tristate  '"realm" match support'
1451	depends on NETFILTER_ADVANCED
1452	select IP_ROUTE_CLASSID
1453	help
1454	  This option adds a `realm' match, which allows you to use the realm
1455	  key from the routing subsystem inside iptables.
1456
1457	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
1458	  in tc world.
1459
1460	  If you want to compile it as a module, say M here and read
1461	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1462
1463config NETFILTER_XT_MATCH_RECENT
1464	tristate '"recent" match support'
1465	depends on NETFILTER_ADVANCED
1466	---help---
1467	This match is used for creating one or many lists of recently
1468	used addresses and then matching against that/those list(s).
1469
1470	Short options are available by using 'iptables -m recent -h'
1471	Official Website: <http://snowman.net/projects/ipt_recent/>
1472
1473config NETFILTER_XT_MATCH_SCTP
1474	tristate  '"sctp" protocol match support'
1475	depends on NETFILTER_ADVANCED
1476	default IP_SCTP
1477	help
1478	  With this option enabled, you will be able to use the
1479	  `sctp' match in order to match on SCTP source/destination ports
1480	  and SCTP chunk types.
1481
1482	  If you want to compile it as a module, say M here and read
1483	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1484
1485config NETFILTER_XT_MATCH_SOCKET
1486	tristate '"socket" match support'
1487	depends on NETFILTER_XTABLES
1488	depends on NETFILTER_ADVANCED
1489	depends on IPV6 || IPV6=n
1490	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1491	depends on NF_SOCKET_IPV4
1492	depends on NF_SOCKET_IPV6
1493	select NF_DEFRAG_IPV4
1494	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1495	help
1496	  This option adds a `socket' match, which can be used to match
1497	  packets for which a TCP or UDP socket lookup finds a valid socket.
1498	  It can be used in combination with the MARK target and policy
1499	  routing to implement full featured non-locally bound sockets.
1500
1501	  To compile it as a module, choose M here.  If unsure, say N.
1502
1503config NETFILTER_XT_MATCH_STATE
1504	tristate '"state" match support'
1505	depends on NF_CONNTRACK
1506	default m if NETFILTER_ADVANCED=n
1507	help
1508	  Connection state matching allows you to match packets based on their
1509	  relationship to a tracked connection (ie. previous packets).  This
1510	  is a powerful tool for packet classification.
1511
1512	  To compile it as a module, choose M here.  If unsure, say N.
1513
1514config NETFILTER_XT_MATCH_STATISTIC
1515	tristate '"statistic" match support'
1516	depends on NETFILTER_ADVANCED
1517	help
1518	  This option adds a `statistic' match, which allows you to match
1519	  on packets periodically or randomly with a given percentage.
1520
1521	  To compile it as a module, choose M here.  If unsure, say N.
1522
1523config NETFILTER_XT_MATCH_STRING
1524	tristate  '"string" match support'
1525	depends on NETFILTER_ADVANCED
1526	select TEXTSEARCH
1527	select TEXTSEARCH_KMP
1528	select TEXTSEARCH_BM
1529	select TEXTSEARCH_FSM
1530	help
1531	  This option adds a `string' match, which allows you to search for
1532	  patterns in packets.
1533
1534	  To compile it as a module, choose M here.  If unsure, say N.
1535
1536config NETFILTER_XT_MATCH_TCPMSS
1537	tristate '"tcpmss" match support'
1538	depends on NETFILTER_ADVANCED
1539	help
1540	  This option adds a `tcpmss' match, which allows you to examine the
1541	  MSS value of TCP SYN packets, which controls the maximum packet size
1542	  for that connection.
1543
1544	  To compile it as a module, choose M here.  If unsure, say N.
1545
1546config NETFILTER_XT_MATCH_TIME
1547	tristate '"time" match support'
1548	depends on NETFILTER_ADVANCED
1549	---help---
1550	  This option adds a "time" match, which allows you to match based on
1551	  the packet arrival time (at the machine on which netfilter is
1552	  running) or departure time/date (for locally generated packets).
1553
1554	  If you say Y here, try `iptables -m time --help` for
1555	  more information.
1556
1557	  If you want to compile it as a module, say M here.
1558	  If unsure, say N.
1559
1560config NETFILTER_XT_MATCH_U32
1561	tristate '"u32" match support'
1562	depends on NETFILTER_ADVANCED
1563	---help---
1564	  u32 allows you to extract quantities of up to 4 bytes from a packet,
1565	  AND them with specified masks, shift them by specified amounts and
1566	  test whether the results are in any of a set of specified ranges.
1567	  The specification of what to extract is general enough to skip over
1568	  headers with lengths stored in the packet, as in IP or TCP header
1569	  lengths.
1570
1571	  Details and examples are in the kernel module source.
1572
1573endif # NETFILTER_XTABLES
1574
1575endmenu
1576
1577source "net/netfilter/ipset/Kconfig"
1578
1579source "net/netfilter/ipvs/Kconfig"
1580