menu "Core Netfilter Configuration"
	depends on NET && NETFILTER

config NETFILTER_NETLINK
	tristate "Netfilter netlink interface"
	help
	  If this option is enabled, the kernel will include support
	  for the new netfilter netlink interface.

config NETFILTER_NETLINK_QUEUE
	tristate "Netfilter NFQUEUE over NFNETLINK interface"
	depends on NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for queueing packets via NFNETLINK.

config NETFILTER_NETLINK_LOG
	tristate "Netfilter LOG over NFNETLINK interface"
	depends on NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for logging packets via NFNETLINK.

	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
	  and is also scheduled to replace the old syslog-based ipt_LOG
	  and ip6t_LOG modules.

config NF_CONNTRACK_ENABLED
	tristate "Netfilter connection tracking support"
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is required to do Masquerading or other kinds of Network
	  Address Translation (except for Fast NAT). It can also be used to
	  enhance packet filtering (see `Connection state match support'
	  below).

	  To compile it as a module, choose M here. If unsure, say N.

choice
	prompt "Netfilter connection tracking support"
	depends on NF_CONNTRACK_ENABLED

config NF_CONNTRACK_SUPPORT
	bool "Layer 3 Independent Connection tracking (EXPERIMENTAL)"
	depends on EXPERIMENTAL
	help
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  This is required to do Masquerading or other kinds of Network
	  Address Translation (except for Fast NAT). It can also be used to
	  enhance packet filtering (see `Connection state match support'
	  below).

config IP_NF_CONNTRACK_SUPPORT
	bool "Layer 3 Dependent Connection tracking (OBSOLETE)"
	help
	  The old, Layer 3 dependent ip_conntrack subsystem of netfilter.

	  This is required to do Masquerading or other kinds of Network
	  Address Translation (except for Fast NAT). It can also be used to
	  enhance packet filtering (see `Connection state match support'
	  below).

endchoice

config NF_CONNTRACK
	tristate
	default m if NF_CONNTRACK_SUPPORT && NF_CONNTRACK_ENABLED=m
	default y if NF_CONNTRACK_SUPPORT && NF_CONNTRACK_ENABLED=y

config IP_NF_CONNTRACK
	tristate
	default m if IP_NF_CONNTRACK_SUPPORT && NF_CONNTRACK_ENABLED=m
	default y if IP_NF_CONNTRACK_SUPPORT && NF_CONNTRACK_ENABLED=y

config NF_CT_ACCT
	bool "Connection tracking flow accounting"
	depends on NF_CONNTRACK
	help
	  If this option is enabled, the connection tracking code will
	  keep per-flow packet and byte counters.

	  Those counters can be used for flow-based accounting or the
	  `connbytes' match.

	  If unsure, say `N'.

config NF_CONNTRACK_MARK
	bool 'Connection mark tracking support'
	depends on NF_CONNTRACK
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match. Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config NF_CONNTRACK_SECMARK
	bool 'Connection tracking security mark support'
	depends on NF_CONNTRACK && NETWORK_SECMARK
	help
	  This option enables security markings to be applied to
	  connections. Typically they are copied to connections from
	  packets using the CONNSECMARK target and copied back from
	  connections to packets with the same target, with the packets
	  being originally labeled via SECMARK.

	  If unsure, say 'N'.

config NF_CONNTRACK_EVENTS
	bool "Connection tracking events (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_CONNTRACK
	help
	  If this option is enabled, the connection tracking code will
	  provide a notifier chain that can be used by other kernel code
	  to get notified about changes in the connection tracking state.

	  If unsure, say `N'.

config NF_CT_PROTO_GRE
	tristate
	depends on EXPERIMENTAL && NF_CONNTRACK

config NF_CT_PROTO_SCTP
	tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
	depends on EXPERIMENTAL && NF_CONNTRACK
	default n
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on SCTP connections.

	  If you want to compile it as a module, say M here and read
	  Documentation/modules.txt. If unsure, say `N'.

config NF_CONNTRACK_AMANDA
	tristate "Amanda backup protocol support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_CONNTRACK
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature. This allows the
	  connection tracking and natting code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and
	  index.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_FTP
	tristate "FTP protocol support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_CONNTRACK
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them.

	  This is FTP support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_H323
	tristate "H.323 protocol support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_CONNTRACK
	help
	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
	  important VoIP protocols, it is widely used by voice hardware and
	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
	  Gnomemeeting, etc.

	  With this module you can support H.323 on a connection tracking/NAT
	  firewall.

	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
	  whiteboard, file transfer, etc. For more information, please
	  visit http://nath323.sourceforge.net/.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_IRC
	tristate "IRC protocol support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_CONNTRACK
	help
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC). This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server. DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots. If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats. Note that you do NOT need this extension to get files or
	  have others initiate chats, or everything else in IRC.

	  To compile it as a module, choose M here. If unsure, say N.
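The connection tracking states (NF_CONNTRACK_ENABLED above) and the protocol helpers (NF_CONNTRACK_FTP and the other NF_CONNTRACK_* helpers) in a runnable model. This is an added Python example, not code from the kernel tree: it keeps a set of tracked 5-tuples, classifies packets as NEW, ESTABLISHED, RELATED or INVALID the way the `state` match later in this file sees them, and implements a cut-down FTP helper that parses a PORT command on the control channel and registers an expectation for the active-mode data connection. The tuples, the PORT payload, the `Conntrack` class and its method names are all constructed for the example; the kernel helper handles far more (PASV/EPRT, TCP sequence tracking, NAT mangling of the payload).

```python
"""Cut-down model of connection tracking with an FTP helper.

Added example, not kernel code. It classifies packets the way the `state`
match sees them (NEW / ESTABLISHED / RELATED / INVALID) and shows how a
protocol helper turns a PORT command seen on the control channel into an
"expectation" for the data channel. All tuples and payloads are constructed.
"""
import re
from dataclasses import dataclass, field

PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")


@dataclass(frozen=True)
class Tuple5:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self):
        """The same flow seen from the other direction."""
        return Tuple5(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class Conntrack:
    conns: set = field(default_factory=set)      # original-direction tuples
    helper: dict = field(default_factory=dict)   # tuple -> helper name (for -m helper)
    expects: dict = field(default_factory=dict)  # (proto, src, dst, dport) -> master tuple
    helper_ports: dict = field(default_factory=lambda: {21: "ftp"})

    def _ftp_helper(self, ctrl, payload):
        """Expect the server's active-mode data connection announced by PORT."""
        m = PORT_RE.match(payload)
        if not m:
            return False
        a1, a2, a3, a4, p1, p2 = (int(x) for x in m.groups())
        ip, port = f"{a1}.{a2}.{a3}.{a4}", p1 * 256 + p2
        # Refuse to open a pinhole to a third host: the address in PORT must be
        # the client's own. The kernel helper applies a comparable check by default.
        if ip != ctrl.src:
            return False
        # The server connects from any source port (usually 20) to client:port.
        self.expects[("tcp", ctrl.dst, ip, port)] = ctrl
        return True

    def classify(self, t, payload=b"", syn=False):
        """Return the conntrack state of packet t and run the helper if one applies."""
        if t in self.conns or t.reply() in self.conns:
            state = "ESTABLISHED"
        elif (t.proto, t.src, t.dst, t.dport) in self.expects:
            master = self.expects.pop((t.proto, t.src, t.dst, t.dport))
            self.conns.add(t)
            self.helper[t] = self.helper.get(master)
            state = "RELATED"
        elif t.proto == "tcp" and not syn:
            return "INVALID"          # mid-stream segment of a flow we never saw
        else:
            self.conns.add(t)
            if t.dport in self.helper_ports:
                self.helper[t] = self.helper_ports[t.dport]
            state = "NEW"
        # Helpers inspect client->server payload on the control channel only.
        if payload and self.helper_of(t) == "ftp" and t.dport == 21:
            self._ftp_helper(t, payload)
        return state

    def helper_of(self, t):
        """Helper attached to the connection (what `-m helper --helper ftp` tests)."""
        return self.helper.get(t) or self.helper.get(t.reply())


if __name__ == "__main__":
    ct = Conntrack()
    ctrl = Tuple5("tcp", "10.0.0.5", 40000, "192.0.2.10", 21)
    print(ct.classify(ctrl, syn=True))                           # NEW
    print(ct.classify(ctrl, b"PORT 10,0,0,5,156,64\r\n"))        # ESTABLISHED
    print(ct.classify(Tuple5("tcp", "192.0.2.10", 20, "10.0.0.5", 40000), syn=True))  # RELATED
```

The expectation is the whole point of a helper and also its risk: it opens a pinhole based on payload the client controls, which is why the model only trusts an address that matches the control connection's own source, and why the `helper` and `state` matches below let a ruleset say explicitly which RELATED flows it is willing to accept.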

config NF_CONNTRACK_NETBIOS_NS
	tristate "NetBIOS name service protocol support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_CONNTRACK
	help
	  NetBIOS name service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating NetBIOS name service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address. When properly configured, the output
	  of "ip address show" should look similar to this:

	  $ ip -4 address show eth0
	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_PPTP
	tristate "PPTP protocol support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_CONNTRACK
	select NF_CT_PROTO_GRE
	help
	  This module adds support for PPTP (Point to Point Tunnelling
	  Protocol, RFC2637) connection tracking and NAT.

	  If you are running PPTP sessions over a stateful firewall or NAT
	  box, you may want to enable this feature.

	  Please note that not all PPTP modes of operation are supported yet.
	  Specifically these limitations exist:
	    - Blindly assumes that control connections are always established
	      in PNS->PAC direction. This is a violation of RFC2637.
	    - Only supports a single call within each session

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SIP
	tristate "SIP protocol support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_CONNTRACK
	help
	  SIP is an application-layer control protocol that can establish,
	  modify, and terminate multimedia sessions (conferences) such as
	  Internet telephony calls. With the nf_conntrack_sip and
	  the nf_nat_sip modules you can support the protocol on a connection
	  tracking/NATing firewall.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_TFTP
	tristate "TFTP protocol support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_CONNTRACK
	help
	  TFTP connection tracking helper; whether you need it depends
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADE
	  you will need this.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CT_NETLINK
	tristate 'Connection tracking netlink interface (EXPERIMENTAL)'
	depends on EXPERIMENTAL && NF_CONNTRACK && NETFILTER_NETLINK
	depends on NF_CONNTRACK!=y || NETFILTER_NETLINK!=m
	help
	  This option enables support for a netlink-based userspace interface.

config NETFILTER_XTABLES
	tristate "Netfilter Xtables support (required for ip_tables)"
	help
	  This is required if you intend to use any of ip_tables,
	  ip6_tables or arp_tables.

# alphabetically ordered list of targets

config NETFILTER_XT_TARGET_CLASSIFY
	tristate '"CLASSIFY" target support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet. Some qdiscs can use this value for
	  classification, among these are:

	  atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CONNMARK
	tristate '"CONNMARK" target support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK)
	help
	  This option adds a `CONNMARK' target, which allows one to manipulate
	  the connection mark value. Similar to the MARK target, but
	  affects the connection mark value rather than the packet mark value.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. The module will be called
	  xt_CONNMARK. If unsure, say `N'.

config NETFILTER_XT_TARGET_DSCP
	tristate '"DSCP" target support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	help
	  This option adds a `DSCP' target, which allows you to manipulate
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_MARK
	tristate '"MARK" target support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `MARK' target, which allows you to create rules
	  in the `mangle' table which alter the netfilter mark (nfmark) field
	  associated with the packet prior to routing. This can change
	  the routing method (see `Use netfilter MARK value as routing
	  key') and can also be used by other subsystems to change their
	  behavior.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NFQUEUE
	tristate '"NFQUEUE" target Support'
	depends on NETFILTER_XTABLES
	help
	  This target replaced the old obsolete QUEUE target.

	  As opposed to QUEUE, it supports 65535 different queues,
	  not just one.

	  To compile it as a module, choose M here. If unsure, say N.
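The `depends on` lines in this file are easy to misread when they mix tristates, for example NF_CT_NETLINK's `NF_CONNTRACK!=y || NETFILTER_NETLINK!=m` (built-in conntrack cannot call into a modular nfnetlink) or CONNMARK's alternative between the old and the new conntrack. The following is an added Python example, not part of the kernel build system: it parses `.config` text into symbol values and evaluates those two dependency sets literally, so a ruleset author can check a kernel config for the CONNMARK target and the ctnetlink interface before relying on them. The two `.config` fragments, the function names and the problem messages are constructed for the example.

```python
"""Check a kernel .config against the `depends on` lines of this Kconfig.

Added example, not part of the kernel build system. It reads .config text
into symbol -> y/m/n and evaluates two dependency sets literally:
NF_CT_NETLINK (including the tristate rule that built-in code cannot use a
modular provider) and NETFILTER_XT_TARGET_CONNMARK. Both configs below are
constructed fragments for the example, not real kernel configs.
"""
import re

_LINE = re.compile(r"^(?:CONFIG_(\w+)=(y|m)|# CONFIG_(\w+) is not set)$")


def parse_dotconfig(text):
    """Map symbol names (without CONFIG_) to 'y', 'm' or 'n'."""
    syms = {}
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if m is None:
            continue                      # comments, blanks, string/int options
        if m.group(1):
            syms[m.group(1)] = m.group(2)
        else:
            syms[m.group(3)] = "n"
    return syms


def val(syms, name):
    """Tristate value; symbols absent from the file count as 'n'."""
    return syms.get(name, "n")


def enabled(syms, name):
    return val(syms, name) in ("y", "m")


def check_nf_ct_netlink(syms):
    """depends on EXPERIMENTAL && NF_CONNTRACK && NETFILTER_NETLINK
    depends on NF_CONNTRACK!=y || NETFILTER_NETLINK!=m"""
    problems = [f"{d} is not set"
                for d in ("EXPERIMENTAL", "NF_CONNTRACK", "NETFILTER_NETLINK")
                if not enabled(syms, d)]
    if val(syms, "NF_CONNTRACK") == "y" and val(syms, "NETFILTER_NETLINK") == "m":
        problems.append("NF_CONNTRACK=y with NETFILTER_NETLINK=m: built-in conntrack "
                        "cannot call into a modular nfnetlink, so NF_CT_NETLINK is unavailable")
    return problems


def check_connmark_target(syms):
    """depends on NETFILTER_XTABLES
    depends on IP_NF_MANGLE || IP6_NF_MANGLE
    depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK)"""
    problems = []
    if not enabled(syms, "NETFILTER_XTABLES"):
        problems.append("NETFILTER_XTABLES is not set")
    if not (enabled(syms, "IP_NF_MANGLE") or enabled(syms, "IP6_NF_MANGLE")):
        problems.append("neither IP_NF_MANGLE nor IP6_NF_MANGLE is set")
    old = enabled(syms, "IP_NF_CONNTRACK") and enabled(syms, "IP_NF_CONNTRACK_MARK")
    new = enabled(syms, "NF_CONNTRACK") and enabled(syms, "NF_CONNTRACK_MARK")
    if not (old or new):
        problems.append("no connection tracking with mark support "
                        "(NF_CONNTRACK+NF_CONNTRACK_MARK or IP_NF_CONNTRACK+IP_NF_CONNTRACK_MARK)")
    return problems


# Constructed fragments, not taken from any real kernel build.
GOOD_CONFIG = """\
CONFIG_EXPERIMENTAL=y
CONFIG_NETFILTER_NETLINK=m
CONFIG_NF_CONNTRACK_ENABLED=m
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NETFILTER_XTABLES=m
CONFIG_IP_NF_MANGLE=m
# CONFIG_IP6_NF_MANGLE is not set
"""

BAD_CONFIG = """\
CONFIG_EXPERIMENTAL=y
CONFIG_NETFILTER_NETLINK=m
CONFIG_NF_CONNTRACK_ENABLED=y
CONFIG_NF_CONNTRACK=y
# CONFIG_NF_CONNTRACK_MARK is not set
CONFIG_NETFILTER_XTABLES=y
# CONFIG_IP_NF_MANGLE is not set
CONFIG_IP6_NF_MANGLE=y
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        syms = parse_dotconfig(text)
        print(name, check_nf_ct_netlink(syms), check_connmark_target(syms))
```

On a running system the same checks can be fed `/proc/config.gz` (when IKCONFIG_PROC is enabled) or `/boot/config-$(uname -r)`; the literal transcription of each `depends on` line is deliberate, because that is what a reviewer compares against the Kconfig text.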

config NETFILTER_XT_TARGET_NFLOG
	tristate '"NFLOG" target support'
	depends on NETFILTER_XTABLES
	help
	  This option enables the NFLOG target, which allows logging
	  messages through the netfilter logging API, which can use
	  either the old LOG target, the old ULOG target or nfnetlink_log
	  as backend.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NOTRACK
	tristate '"NOTRACK" target support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on IP_NF_CONNTRACK || NF_CONNTRACK
	help
	  The NOTRACK target lets a rule select packets that should *not*
	  enter the conntrack/NAT subsystem, with all the consequences
	  (no ICMP error tracking, no protocol helpers for the selected
	  packets).

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_TARGET_SECMARK
	tristate '"SECMARK" target support'
	depends on NETFILTER_XTABLES && NETWORK_SECMARK
	help
	  The SECMARK target allows security marking of network
	  packets, for use with security subsystems.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CONNSECMARK
	tristate '"CONNSECMARK" target support'
	depends on NETFILTER_XTABLES && \
		   ((NF_CONNTRACK && NF_CONNTRACK_SECMARK) || \
		    (IP_NF_CONNTRACK && IP_NF_CONNTRACK_SECMARK))
	help
	  The CONNSECMARK target copies security markings from packets
	  to connections, and restores security markings from connections
	  to packets (if the packets are not already marked). This would
	  normally be used in conjunction with the SECMARK target.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_COMMENT
	tristate '"comment" match support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `comment' dummy-match, which allows you to put
	  comments in your iptables ruleset.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNBYTES
	tristate '"connbytes" per-connection counter match support'
	depends on NETFILTER_XTABLES
	depends on (IP_NF_CONNTRACK && IP_NF_CT_ACCT) || (NF_CT_ACCT && NF_CONNTRACK)
	help
	  This option adds a `connbytes' match, which allows you to match the
	  number of bytes and/or packets for each direction within a connection.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNMARK
	tristate '"connmark" connection mark match support'
	depends on NETFILTER_XTABLES
	depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK)
	help
	  This option adds a `connmark' match, which allows you to match the
	  connection mark value previously set for the session by `CONNMARK'.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. The module will be called
	  xt_connmark. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNTRACK
	tristate '"conntrack" connection tracking match support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_CONNTRACK || NF_CONNTRACK
	help
	  This is a general conntrack match module, a superset of the state match.

	  It allows matching on additional conntrack information, which is
	  useful in complex configurations, such as NAT gateways with multiple
	  internet links or tunnels.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_DCCP
	tristate '"DCCP" protocol match support'
	depends on NETFILTER_XTABLES
	help
	  With this option enabled, you will be able to use the iptables
	  `dccp' match in order to match on DCCP source/destination ports
	  and DCCP flags.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_DSCP
	tristate '"DSCP" match support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_ESP
	tristate '"ESP" match support'
	depends on NETFILTER_XTABLES
	help
	  This match extension allows you to match a range of SPIs
	  inside the ESP header of IPsec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_HELPER
	tristate '"helper" match support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_CONNTRACK || NF_CONNTRACK
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack helper, e.g. ip_conntrack_ftp or
	  nf_conntrack_ftp.

	  To compile it as a module, choose M here. If unsure, say Y.

config NETFILTER_XT_MATCH_LENGTH
	tristate '"length" match support'
	depends on NETFILTER_XTABLES
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_LIMIT
	tristate '"limit" match support'
	depends on NETFILTER_XTABLES
	help
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", below) and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MAC
	tristate '"mac" address match support'
	depends on NETFILTER_XTABLES
	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MARK
	tristate '"mark" match support'
	depends on NETFILTER_XTABLES
	help
	  Netfilter mark matching allows you to match packets based on the
	  `nfmark' value in the packet. This can be set by the MARK target
	  (see below).

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_POLICY
	tristate 'IPsec "policy" match support'
	depends on NETFILTER_XTABLES && XFRM
	help
	  Policy matching allows you to match packets based on the
	  IPsec policy that was used during decapsulation/will
	  be used during encapsulation.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MULTIPORT
	tristate "Multiple port match support"
	depends on NETFILTER_XTABLES
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_PHYSDEV
	tristate '"physdev" match support'
	depends on NETFILTER_XTABLES && BRIDGE && BRIDGE_NETFILTER
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_PKTTYPE
	tristate '"pkttype" packet type match support'
	depends on NETFILTER_XTABLES
	help
	  Packet type matching allows you to match a packet by
	  its "class", eg. BROADCAST, MULTICAST, ...

	  Typical usage:
	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_QUOTA
	tristate '"quota" match support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `quota' match, which allows matching on a
	  byte counter.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_REALM
	tristate '"realm" match support'
	depends on NETFILTER_XTABLES
	select NET_CLS_ROUTE
	help
	  This option adds a `realm' match, which allows you to use the realm
	  key from the routing subsystem inside iptables.

	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
	  in the tc world.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_SCTP
	tristate '"sctp" protocol match support (EXPERIMENTAL)'
	depends on NETFILTER_XTABLES && EXPERIMENTAL
	help
	  With this option enabled, you will be able to use the
	  `sctp' match in order to match on SCTP source/destination ports
	  and SCTP chunk types.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_STATE
	tristate '"state" match support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_CONNTRACK || NF_CONNTRACK
	help
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (ie. previous packets). This
	  is a powerful tool for packet classification.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STATISTIC
	tristate '"statistic" match support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `statistic' match, which allows you to match
	  on packets periodically or randomly with a given percentage.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STRING
	tristate '"string" match support'
	depends on NETFILTER_XTABLES
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	select TEXTSEARCH_BM
	select TEXTSEARCH_FSM
	help
	  This option adds a `string' match, which allows you to search for
	  patterns in packet payloads.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_TCPMSS
	tristate '"tcpmss" match support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS value of TCP SYN packets, which controls the maximum packet size
	  for that connection.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_HASHLIMIT
	tristate '"hashlimit" match support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `hashlimit' match.

	  As opposed to `limit', this match dynamically creates a hash table
	  of limit buckets, based on your selection of source/destination
	  addresses and/or ports.

	  It enables you to express policies like `10kpps for any given
	  destination address' or `500pps from any given source address'
	  with a single rule.
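How `limit` (one token bucket per rule) differs from `hashlimit` (a table of token buckets keyed by the addresses or ports you select) is easiest to see in a simulation. This is an added Python example, not kernel code: it implements the token-bucket refill used by both matches, keys the `hashlimit` table by a chosen set of packet fields, expires idle buckets the way `--hashlimit-htable-expire` does so the table cannot grow without bound, and replays a constructed flood from three sources through both matchers. The `Bucket`, `Limit` and `HashLimit` classes, the packet dictionaries and the timings are all constructed for the example.

```python
"""Token-bucket rate limiting as done by the `limit` and `hashlimit` matches.

Added example, not kernel code. `limit` keeps one bucket for the whole rule;
`hashlimit` keys a table of buckets by the fields you select (here source
address and/or destination port), so "500pps from any given source address"
becomes one bucket per source. Times are simulated, packets are constructed.
"""
from dataclasses import dataclass


@dataclass
class Bucket:
    rate: float      # tokens (packets) per second, like --limit 10/second
    burst: int       # bucket capacity, like --limit-burst
    tokens: float
    last: float

    def allow(self, now):
        """Refill for the elapsed time, then spend one token if available."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class Limit:
    """-m limit --limit <rate> --limit-burst <burst>: a single bucket for the rule."""

    def __init__(self, rate, burst=5):
        self.bucket = Bucket(rate, burst, burst, 0.0)

    def match(self, pkt, now):
        return self.bucket.allow(now)


class HashLimit:
    """-m hashlimit --hashlimit-mode <fields> --hashlimit <rate> --hashlimit-burst <burst>"""

    def __init__(self, rate, burst=5, mode=("srcip",), expire=60.0):
        self.rate, self.burst, self.mode, self.expire = rate, burst, mode, expire
        self.table = {}

    def _key(self, pkt):
        return tuple(pkt[field] for field in self.mode)

    def _gc(self, now):
        # Like --hashlimit-htable-expire: drop idle buckets so a spread of
        # sources cannot make the table grow without bound.
        stale = [k for k, b in self.table.items() if now - b.last > self.expire]
        for k in stale:
            del self.table[k]

    def match(self, pkt, now):
        self._gc(now)
        key = self._key(pkt)
        bucket = self.table.get(key)
        if bucket is None:
            bucket = self.table[key] = Bucket(self.rate, self.burst, self.burst, now)
        return bucket.allow(now)


def simulate(matcher, packets):
    """Return how many of the (time, fields) packets the match accepted."""
    return sum(1 for now, pkt in packets if matcher.match(pkt, now))


# Constructed flood: 20 packets in 20 ms from each of three sources, interleaved.
FLOOD = [(i * 0.001, {"srcip": f"203.0.113.{s}", "dstip": "192.0.2.1", "dport": 22})
         for i in range(20) for s in (1, 2, 3)]

if __name__ == "__main__":
    print("limit 10/s burst 5:", simulate(Limit(10, 5), FLOOD))                      # 5
    print("hashlimit per srcip:", simulate(HashLimit(10, 5, ("srcip",)), FLOOD))     # 15
    print("hashlimit per dport:", simulate(HashLimit(10, 5, ("dport",)), FLOOD))     # 5
```

The per-source matcher is the one that protects a service without letting one noisy client exhaust the budget for everyone, which is the policy the help text describes; the per-port variant behaves exactly like `limit` because every packet hashes to the same bucket.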

endmenu