1menu "Core Netfilter Configuration" 2 depends on NET && INET && NETFILTER 3 4config NETFILTER_NETLINK 5 tristate 6 7config NETFILTER_NETLINK_ACCT 8tristate "Netfilter NFACCT over NFNETLINK interface" 9 depends on NETFILTER_ADVANCED 10 select NETFILTER_NETLINK 11 help 12 If this option is enabled, the kernel will include support 13 for extended accounting via NFNETLINK. 14 15config NETFILTER_NETLINK_QUEUE 16 tristate "Netfilter NFQUEUE over NFNETLINK interface" 17 depends on NETFILTER_ADVANCED 18 select NETFILTER_NETLINK 19 help 20 If this option is enabled, the kernel will include support 21 for queueing packets via NFNETLINK. 22 23config NETFILTER_NETLINK_LOG 24 tristate "Netfilter LOG over NFNETLINK interface" 25 default m if NETFILTER_ADVANCED=n 26 select NETFILTER_NETLINK 27 help 28 If this option is enabled, the kernel will include support 29 for logging packets via NFNETLINK. 30 31 This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms, 32 and is also scheduled to replace the old syslog-based ipt_LOG 33 and ip6t_LOG modules. 34 35config NF_CONNTRACK 36 tristate "Netfilter connection tracking support" 37 default m if NETFILTER_ADVANCED=n 38 help 39 Connection tracking keeps a record of what packets have passed 40 through your machine, in order to figure out how they are related 41 into connections. 42 43 This is required to do Masquerading or other kinds of Network 44 Address Translation. It can also be used to enhance packet 45 filtering (see `Connection state match support' below). 46 47 To compile it as a module, choose M here. If unsure, say N. 48 49if NF_CONNTRACK 50 51config NF_CONNTRACK_MARK 52 bool 'Connection mark tracking support' 53 depends on NETFILTER_ADVANCED 54 help 55 This option enables support for connection marks, used by the 56 `CONNMARK' target and `connmark' match. Similar to the mark value 57 of packets, but this mark value is kept in the conntrack session 58 instead of the individual packets. 
59 60config NF_CONNTRACK_SECMARK 61 bool 'Connection tracking security mark support' 62 depends on NETWORK_SECMARK 63 default m if NETFILTER_ADVANCED=n 64 help 65 This option enables security markings to be applied to 66 connections. Typically they are copied to connections from 67 packets using the CONNSECMARK target and copied back from 68 connections to packets with the same target, with the packets 69 being originally labeled via SECMARK. 70 71 If unsure, say 'N'. 72 73config NF_CONNTRACK_ZONES 74 bool 'Connection tracking zones' 75 depends on NETFILTER_ADVANCED 76 depends on NETFILTER_XT_TARGET_CT 77 help 78 This option enables support for connection tracking zones. 79 Normally, each connection needs to have a unique system wide 80 identity. Connection tracking zones allow to have multiple 81 connections using the same identity, as long as they are 82 contained in different zones. 83 84 If unsure, say `N'. 85 86config NF_CONNTRACK_PROCFS 87 bool "Supply CT list in procfs (OBSOLETE)" 88 default y 89 depends on PROC_FS 90 ---help--- 91 This option enables for the list of known conntrack entries 92 to be shown in procfs under net/netfilter/nf_conntrack. This 93 is considered obsolete in favor of using the conntrack(8) 94 tool which uses Netlink. 95 96config NF_CONNTRACK_EVENTS 97 bool "Connection tracking events" 98 depends on NETFILTER_ADVANCED 99 help 100 If this option is enabled, the connection tracking code will 101 provide a notifier chain that can be used by other kernel code 102 to get notified about changes in the connection tracking state. 103 104 If unsure, say `N'. 105 106config NF_CONNTRACK_TIMEOUT 107 bool 'Connection tracking timeout' 108 depends on NETFILTER_ADVANCED 109 help 110 This option enables support for connection tracking timeout 111 extension. This allows you to attach timeout policies to flow 112 via the CT target. 113 114 If unsure, say `N'. 
115 116config NF_CONNTRACK_TIMESTAMP 117 bool 'Connection tracking timestamping' 118 depends on NETFILTER_ADVANCED 119 help 120 This option enables support for connection tracking timestamping. 121 This allows you to store the flow start-time and to obtain 122 the flow-stop time (once it has been destroyed) via Connection 123 tracking events. 124 125 If unsure, say `N'. 126 127config NF_CT_PROTO_DCCP 128 tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)' 129 depends on EXPERIMENTAL 130 depends on NETFILTER_ADVANCED 131 default IP_DCCP 132 help 133 With this option enabled, the layer 3 independent connection 134 tracking code will be able to do state tracking on DCCP connections. 135 136 If unsure, say 'N'. 137 138config NF_CT_PROTO_GRE 139 tristate 140 141config NF_CT_PROTO_SCTP 142 tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)' 143 depends on EXPERIMENTAL 144 depends on NETFILTER_ADVANCED 145 default IP_SCTP 146 help 147 With this option enabled, the layer 3 independent connection 148 tracking code will be able to do state tracking on SCTP connections. 149 150 If you want to compile it as a module, say M here and read 151 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 152 153config NF_CT_PROTO_UDPLITE 154 tristate 'UDP-Lite protocol connection tracking support' 155 depends on NETFILTER_ADVANCED 156 help 157 With this option enabled, the layer 3 independent connection 158 tracking code will be able to do state tracking on UDP-Lite 159 connections. 160 161 To compile it as a module, choose M here. If unsure, say N. 162 163config NF_CONNTRACK_AMANDA 164 tristate "Amanda backup protocol support" 165 depends on NETFILTER_ADVANCED 166 select TEXTSEARCH 167 select TEXTSEARCH_KMP 168 help 169 If you are running the Amanda backup package <http://www.amanda.org/> 170 on this machine or machines that will be MASQUERADED through this 171 machine, then you may want to enable this feature. 
This allows the 172 connection tracking and natting code to allow the sub-channels that 173 Amanda requires for communication of the backup data, messages and 174 index. 175 176 To compile it as a module, choose M here. If unsure, say N. 177 178config NF_CONNTRACK_FTP 179 tristate "FTP protocol support" 180 default m if NETFILTER_ADVANCED=n 181 help 182 Tracking FTP connections is problematic: special helpers are 183 required for tracking them, and doing masquerading and other forms 184 of Network Address Translation on them. 185 186 This is FTP support on Layer 3 independent connection tracking. 187 Layer 3 independent connection tracking is experimental scheme 188 which generalize ip_conntrack to support other layer 3 protocols. 189 190 To compile it as a module, choose M here. If unsure, say N. 191 192config NF_CONNTRACK_H323 193 tristate "H.323 protocol support" 194 depends on (IPV6 || IPV6=n) 195 depends on NETFILTER_ADVANCED 196 help 197 H.323 is a VoIP signalling protocol from ITU-T. As one of the most 198 important VoIP protocols, it is widely used by voice hardware and 199 software including voice gateways, IP phones, Netmeeting, OpenPhone, 200 Gnomemeeting, etc. 201 202 With this module you can support H.323 on a connection tracking/NAT 203 firewall. 204 205 This module supports RAS, Fast Start, H.245 Tunnelling, Call 206 Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat, 207 whiteboard, file transfer, etc. For more information, please 208 visit http://nath323.sourceforge.net/. 209 210 To compile it as a module, choose M here. If unsure, say N. 211 212config NF_CONNTRACK_IRC 213 tristate "IRC protocol support" 214 default m if NETFILTER_ADVANCED=n 215 help 216 There is a commonly-used extension to IRC called 217 Direct Client-to-Client Protocol (DCC). This enables users to send 218 files to each other, and also chat to each other without the need 219 of a server. 
DCC Sending is used anywhere you send files over IRC, 220 and DCC Chat is most commonly used by Eggdrop bots. If you are 221 using NAT, this extension will enable you to send files and initiate 222 chats. Note that you do NOT need this extension to get files or 223 have others initiate chats, or everything else in IRC. 224 225 To compile it as a module, choose M here. If unsure, say N. 226 227config NF_CONNTRACK_BROADCAST 228 tristate 229 230config NF_CONNTRACK_NETBIOS_NS 231 tristate "NetBIOS name service protocol support" 232 select NF_CONNTRACK_BROADCAST 233 help 234 NetBIOS name service requests are sent as broadcast messages from an 235 unprivileged port and responded to with unicast messages to the 236 same port. This make them hard to firewall properly because connection 237 tracking doesn't deal with broadcasts. This helper tracks locally 238 originating NetBIOS name service requests and the corresponding 239 responses. It relies on correct IP address configuration, specifically 240 netmask and broadcast address. When properly configured, the output 241 of "ip address show" should look similar to this: 242 243 $ ip -4 address show eth0 244 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000 245 inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0 246 247 To compile it as a module, choose M here. If unsure, say N. 248 249config NF_CONNTRACK_SNMP 250 tristate "SNMP service protocol support" 251 depends on NETFILTER_ADVANCED 252 select NF_CONNTRACK_BROADCAST 253 help 254 SNMP service requests are sent as broadcast messages from an 255 unprivileged port and responded to with unicast messages to the 256 same port. This make them hard to firewall properly because connection 257 tracking doesn't deal with broadcasts. This helper tracks locally 258 originating SNMP service requests and the corresponding 259 responses. It relies on correct IP address configuration, specifically 260 netmask and broadcast address. 
261 262 To compile it as a module, choose M here. If unsure, say N. 263 264config NF_CONNTRACK_PPTP 265 tristate "PPtP protocol support" 266 depends on NETFILTER_ADVANCED 267 select NF_CT_PROTO_GRE 268 help 269 This module adds support for PPTP (Point to Point Tunnelling 270 Protocol, RFC2637) connection tracking and NAT. 271 272 If you are running PPTP sessions over a stateful firewall or NAT 273 box, you may want to enable this feature. 274 275 Please note that not all PPTP modes of operation are supported yet. 276 Specifically these limitations exist: 277 - Blindly assumes that control connections are always established 278 in PNS->PAC direction. This is a violation of RFC2637. 279 - Only supports a single call within each session 280 281 To compile it as a module, choose M here. If unsure, say N. 282 283config NF_CONNTRACK_SANE 284 tristate "SANE protocol support (EXPERIMENTAL)" 285 depends on EXPERIMENTAL 286 depends on NETFILTER_ADVANCED 287 help 288 SANE is a protocol for remote access to scanners as implemented 289 by the 'saned' daemon. Like FTP, it uses separate control and 290 data connections. 291 292 With this module you can support SANE on a connection tracking 293 firewall. 294 295 To compile it as a module, choose M here. If unsure, say N. 296 297config NF_CONNTRACK_SIP 298 tristate "SIP protocol support" 299 default m if NETFILTER_ADVANCED=n 300 help 301 SIP is an application-layer control protocol that can establish, 302 modify, and terminate multimedia sessions (conferences) such as 303 Internet telephony calls. With the ip_conntrack_sip and 304 the nf_nat_sip modules you can support the protocol on a connection 305 tracking/NATing firewall. 306 307 To compile it as a module, choose M here. If unsure, say N. 308 309config NF_CONNTRACK_TFTP 310 tristate "TFTP protocol support" 311 depends on NETFILTER_ADVANCED 312 help 313 TFTP connection tracking helper, this is required depending 314 on how restrictive your ruleset is. 
315 If you are using a tftp client behind -j SNAT or -j MASQUERADING 316 you will need this. 317 318 To compile it as a module, choose M here. If unsure, say N. 319 320config NF_CT_NETLINK 321 tristate 'Connection tracking netlink interface' 322 select NETFILTER_NETLINK 323 default m if NETFILTER_ADVANCED=n 324 help 325 This option enables support for a netlink-based userspace interface 326 327config NF_CT_NETLINK_TIMEOUT 328 tristate 'Connection tracking timeout tuning via Netlink' 329 select NETFILTER_NETLINK 330 depends on NETFILTER_ADVANCED 331 help 332 This option enables support for connection tracking timeout 333 fine-grain tuning. This allows you to attach specific timeout 334 policies to flows, instead of using the global timeout policy. 335 336 If unsure, say `N'. 337 338config NF_CT_NETLINK_HELPER 339 tristate 'Connection tracking helpers in user-space via Netlink' 340 select NETFILTER_NETLINK 341 depends on NF_CT_NETLINK 342 depends on NETFILTER_NETLINK_QUEUE 343 depends on NETFILTER_NETLINK_QUEUE_CT 344 depends on NETFILTER_ADVANCED 345 help 346 This option enables the user-space connection tracking helpers 347 infrastructure. 348 349 If unsure, say `N'. 350 351config NETFILTER_NETLINK_QUEUE_CT 352 bool "NFQUEUE integration with Connection Tracking" 353 default n 354 depends on NETFILTER_NETLINK_QUEUE 355 help 356 If this option is enabled, NFQUEUE can include Connection Tracking 357 information together with the packet is the enqueued via NFNETLINK. 
358 359config NF_NAT 360 tristate 361 362config NF_NAT_NEEDED 363 bool 364 depends on NF_NAT 365 default y 366 367config NF_NAT_PROTO_DCCP 368 tristate 369 depends on NF_NAT && NF_CT_PROTO_DCCP 370 default NF_NAT && NF_CT_PROTO_DCCP 371 372config NF_NAT_PROTO_UDPLITE 373 tristate 374 depends on NF_NAT && NF_CT_PROTO_UDPLITE 375 default NF_NAT && NF_CT_PROTO_UDPLITE 376 377config NF_NAT_PROTO_SCTP 378 tristate 379 default NF_NAT && NF_CT_PROTO_SCTP 380 depends on NF_NAT && NF_CT_PROTO_SCTP 381 select LIBCRC32C 382 383config NF_NAT_AMANDA 384 tristate 385 depends on NF_CONNTRACK && NF_NAT 386 default NF_NAT && NF_CONNTRACK_AMANDA 387 388config NF_NAT_FTP 389 tristate 390 depends on NF_CONNTRACK && NF_NAT 391 default NF_NAT && NF_CONNTRACK_FTP 392 393config NF_NAT_IRC 394 tristate 395 depends on NF_CONNTRACK && NF_NAT 396 default NF_NAT && NF_CONNTRACK_IRC 397 398config NF_NAT_SIP 399 tristate 400 depends on NF_CONNTRACK && NF_NAT 401 default NF_NAT && NF_CONNTRACK_SIP 402 403config NF_NAT_TFTP 404 tristate 405 depends on NF_CONNTRACK && NF_NAT 406 default NF_NAT && NF_CONNTRACK_TFTP 407 408endif # NF_CONNTRACK 409 410# transparent proxy support 411config NETFILTER_TPROXY 412 tristate "Transparent proxying support (EXPERIMENTAL)" 413 depends on EXPERIMENTAL 414 depends on IP_NF_MANGLE 415 depends on NETFILTER_ADVANCED 416 help 417 This option enables transparent proxying support, that is, 418 support for handling non-locally bound IPv4 TCP and UDP sockets. 419 For it to work you will have to configure certain iptables rules 420 and use policy routing. For more information on how to set it up 421 see Documentation/networking/tproxy.txt. 422 423 To compile it as a module, choose M here. If unsure, say N. 424 425config NETFILTER_XTABLES 426 tristate "Netfilter Xtables support (required for ip_tables)" 427 default m if NETFILTER_ADVANCED=n 428 help 429 This is required if you intend to use any of ip_tables, 430 ip6_tables or arp_tables. 
431 432if NETFILTER_XTABLES 433 434comment "Xtables combined modules" 435 436config NETFILTER_XT_MARK 437 tristate 'nfmark target and match support' 438 default m if NETFILTER_ADVANCED=n 439 ---help--- 440 This option adds the "MARK" target and "mark" match. 441 442 Netfilter mark matching allows you to match packets based on the 443 "nfmark" value in the packet. 444 The target allows you to create rules in the "mangle" table which alter 445 the netfilter mark (nfmark) field associated with the packet. 446 447 Prior to routing, the nfmark can influence the routing method (see 448 "Use netfilter MARK value as routing key") and can also be used by 449 other subsystems to change their behavior. 450 451config NETFILTER_XT_CONNMARK 452 tristate 'ctmark target and match support' 453 depends on NF_CONNTRACK 454 depends on NETFILTER_ADVANCED 455 select NF_CONNTRACK_MARK 456 ---help--- 457 This option adds the "CONNMARK" target and "connmark" match. 458 459 Netfilter allows you to store a mark value per connection (a.k.a. 460 ctmark), similarly to the packet mark (nfmark). Using this 461 target and match, you can set and match on this mark. 462 463config NETFILTER_XT_SET 464 tristate 'set target and match support' 465 depends on IP_SET 466 depends on NETFILTER_ADVANCED 467 help 468 This option adds the "SET" target and "set" match. 469 470 Using this target and match, you can add/delete and match 471 elements in the sets created by ipset(8). 472 473 To compile it as a module, choose M here. If unsure, say N. 474 475# alphabetically ordered list of targets 476 477comment "Xtables targets" 478 479config NETFILTER_XT_TARGET_AUDIT 480 tristate "AUDIT target support" 481 depends on AUDIT 482 depends on NETFILTER_ADVANCED 483 ---help--- 484 This option adds a 'AUDIT' target, which can be used to create 485 audit records for packets dropped/accepted. 486 487 To compileit as a module, choose M here. If unsure, say N. 
488 489config NETFILTER_XT_TARGET_CHECKSUM 490 tristate "CHECKSUM target support" 491 depends on IP_NF_MANGLE || IP6_NF_MANGLE 492 depends on NETFILTER_ADVANCED 493 ---help--- 494 This option adds a `CHECKSUM' target, which can be used in the iptables mangle 495 table. 496 497 You can use this target to compute and fill in the checksum in 498 a packet that lacks a checksum. This is particularly useful, 499 if you need to work around old applications such as dhcp clients, 500 that do not work well with checksum offloads, but don't want to disable 501 checksum offload in your device. 502 503 To compile it as a module, choose M here. If unsure, say N. 504 505config NETFILTER_XT_TARGET_CLASSIFY 506 tristate '"CLASSIFY" target support' 507 depends on NETFILTER_ADVANCED 508 help 509 This option adds a `CLASSIFY' target, which enables the user to set 510 the priority of a packet. Some qdiscs can use this value for 511 classification, among these are: 512 513 atm, cbq, dsmark, pfifo_fast, htb, prio 514 515 To compile it as a module, choose M here. If unsure, say N. 516 517config NETFILTER_XT_TARGET_CONNMARK 518 tristate '"CONNMARK" target support' 519 depends on NF_CONNTRACK 520 depends on NETFILTER_ADVANCED 521 select NETFILTER_XT_CONNMARK 522 ---help--- 523 This is a backwards-compat option for the user's convenience 524 (e.g. when running oldconfig). It selects 525 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module). 526 527config NETFILTER_XT_TARGET_CONNSECMARK 528 tristate '"CONNSECMARK" target support' 529 depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK 530 default m if NETFILTER_ADVANCED=n 531 help 532 The CONNSECMARK target copies security markings from packets 533 to connections, and restores security markings from connections 534 to packets (if the packets are not already marked). This would 535 normally be used in conjunction with the SECMARK target. 536 537 To compile it as a module, choose M here. If unsure, say N. 
538 539config NETFILTER_XT_TARGET_CT 540 tristate '"CT" target support' 541 depends on NF_CONNTRACK 542 depends on IP_NF_RAW || IP6_NF_RAW 543 depends on NETFILTER_ADVANCED 544 help 545 This options adds a `CT' target, which allows to specify initial 546 connection tracking parameters like events to be delivered and 547 the helper to be used. 548 549 To compile it as a module, choose M here. If unsure, say N. 550 551config NETFILTER_XT_TARGET_DSCP 552 tristate '"DSCP" and "TOS" target support' 553 depends on IP_NF_MANGLE || IP6_NF_MANGLE 554 depends on NETFILTER_ADVANCED 555 help 556 This option adds a `DSCP' target, which allows you to manipulate 557 the IPv4/IPv6 header DSCP field (differentiated services codepoint). 558 559 The DSCP field can have any value between 0x0 and 0x3f inclusive. 560 561 It also adds the "TOS" target, which allows you to create rules in 562 the "mangle" table which alter the Type Of Service field of an IPv4 563 or the Priority field of an IPv6 packet, prior to routing. 564 565 To compile it as a module, choose M here. If unsure, say N. 566 567config NETFILTER_XT_TARGET_HL 568 tristate '"HL" hoplimit target support' 569 depends on IP_NF_MANGLE || IP6_NF_MANGLE 570 depends on NETFILTER_ADVANCED 571 ---help--- 572 This option adds the "HL" (for IPv6) and "TTL" (for IPv4) 573 targets, which enable the user to change the 574 hoplimit/time-to-live value of the IP header. 575 576 While it is safe to decrement the hoplimit/TTL value, the 577 modules also allow to increment and set the hoplimit value of 578 the header to arbitrary values. This is EXTREMELY DANGEROUS 579 since you can easily create immortal packets that loop 580 forever on the network. 581 582config NETFILTER_XT_TARGET_HMARK 583 tristate '"HMARK" target support' 584 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n) 585 depends on NETFILTER_ADVANCED 586 ---help--- 587 This option adds the "HMARK" target. 
588 589 The target allows you to create rules in the "raw" and "mangle" tables 590 which set the skbuff mark by means of hash calculation within a given 591 range. The nfmark can influence the routing method (see "Use netfilter 592 MARK value as routing key") and can also be used by other subsystems to 593 change their behaviour. 594 595 To compile it as a module, choose M here. If unsure, say N. 596 597config NETFILTER_XT_TARGET_IDLETIMER 598 tristate "IDLETIMER target support" 599 depends on NETFILTER_ADVANCED 600 help 601 602 This option adds the `IDLETIMER' target. Each matching packet 603 resets the timer associated with label specified when the rule is 604 added. When the timer expires, it triggers a sysfs notification. 605 The remaining time for expiration can be read via sysfs. 606 607 To compile it as a module, choose M here. If unsure, say N. 608 609config NETFILTER_XT_TARGET_LED 610 tristate '"LED" target support' 611 depends on LEDS_CLASS && LEDS_TRIGGERS 612 depends on NETFILTER_ADVANCED 613 help 614 This option adds a `LED' target, which allows you to blink LEDs in 615 response to particular packets passing through your machine. 616 617 This can be used to turn a spare LED into a network activity LED, 618 which only flashes in response to FTP transfers, for example. Or 619 you could have an LED which lights up for a minute or two every time 620 somebody connects to your machine via SSH. 621 622 You will need support for the "led" class to make this work. 
623 624 To create an LED trigger for incoming SSH traffic: 625 iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000 626 627 Then attach the new trigger to an LED on your system: 628 echo netfilter-ssh > /sys/class/leds/<ledname>/trigger 629 630 For more information on the LEDs available on your system, see 631 Documentation/leds/leds-class.txt 632 633config NETFILTER_XT_TARGET_LOG 634 tristate "LOG target support" 635 default m if NETFILTER_ADVANCED=n 636 help 637 This option adds a `LOG' target, which allows you to create rules in 638 any iptables table which records the packet header to the syslog. 639 640 To compile it as a module, choose M here. If unsure, say N. 641 642config NETFILTER_XT_TARGET_MARK 643 tristate '"MARK" target support' 644 depends on NETFILTER_ADVANCED 645 select NETFILTER_XT_MARK 646 ---help--- 647 This is a backwards-compat option for the user's convenience 648 (e.g. when running oldconfig). It selects 649 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module). 650 651config NETFILTER_XT_TARGET_NETMAP 652 tristate '"NETMAP" target support' 653 depends on NF_NAT 654 ---help--- 655 NETMAP is an implementation of static 1:1 NAT mapping of network 656 addresses. It maps the network address part, while keeping the host 657 address part intact. 658 659 To compile it as a module, choose M here. If unsure, say N. 660 661config NETFILTER_XT_TARGET_NFLOG 662 tristate '"NFLOG" target support' 663 default m if NETFILTER_ADVANCED=n 664 select NETFILTER_NETLINK_LOG 665 help 666 This option enables the NFLOG target, which allows to LOG 667 messages through nfnetlink_log. 668 669 To compile it as a module, choose M here. If unsure, say N. 670 671config NETFILTER_XT_TARGET_NFQUEUE 672 tristate '"NFQUEUE" target Support' 673 depends on NETFILTER_ADVANCED 674 select NETFILTER_NETLINK_QUEUE 675 help 676 This target replaced the old obsolete QUEUE target. 
677 678 As opposed to QUEUE, it supports 65535 different queues, 679 not just one. 680 681 To compile it as a module, choose M here. If unsure, say N. 682 683config NETFILTER_XT_TARGET_RATEEST 684 tristate '"RATEEST" target support' 685 depends on NETFILTER_ADVANCED 686 help 687 This option adds a `RATEEST' target, which allows to measure 688 rates similar to TC estimators. The `rateest' match can be 689 used to match on the measured rates. 690 691 To compile it as a module, choose M here. If unsure, say N. 692 693config NETFILTER_XT_TARGET_REDIRECT 694 tristate "REDIRECT target support" 695 depends on NF_NAT 696 ---help--- 697 REDIRECT is a special case of NAT: all incoming connections are 698 mapped onto the incoming interface's address, causing the packets to 699 come to the local machine instead of passing through. This is 700 useful for transparent proxies. 701 702 To compile it as a module, choose M here. If unsure, say N. 703 704config NETFILTER_XT_TARGET_TEE 705 tristate '"TEE" - packet cloning to alternate destination' 706 depends on NETFILTER_ADVANCED 707 depends on (IPV6 || IPV6=n) 708 depends on !NF_CONNTRACK || NF_CONNTRACK 709 ---help--- 710 This option adds a "TEE" target with which a packet can be cloned and 711 this clone be rerouted to another nexthop. 712 713config NETFILTER_XT_TARGET_TPROXY 714 tristate '"TPROXY" target support (EXPERIMENTAL)' 715 depends on EXPERIMENTAL 716 depends on NETFILTER_TPROXY 717 depends on NETFILTER_XTABLES 718 depends on NETFILTER_ADVANCED 719 select NF_DEFRAG_IPV4 720 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES 721 help 722 This option adds a `TPROXY' target, which is somewhat similar to 723 REDIRECT. It can only be used in the mangle table and is useful 724 to redirect traffic to a transparent proxy. It does _not_ depend 725 on Netfilter connection tracking and NAT, unlike REDIRECT. 726 727 To compile it as a module, choose M here. If unsure, say N. 
728 729config NETFILTER_XT_TARGET_TRACE 730 tristate '"TRACE" target support' 731 depends on IP_NF_RAW || IP6_NF_RAW 732 depends on NETFILTER_ADVANCED 733 help 734 The TRACE target allows you to mark packets so that the kernel 735 will log every rule which match the packets as those traverse 736 the tables, chains, rules. 737 738 If you want to compile it as a module, say M here and read 739 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 740 741config NETFILTER_XT_TARGET_SECMARK 742 tristate '"SECMARK" target support' 743 depends on NETWORK_SECMARK 744 default m if NETFILTER_ADVANCED=n 745 help 746 The SECMARK target allows security marking of network 747 packets, for use with security subsystems. 748 749 To compile it as a module, choose M here. If unsure, say N. 750 751config NETFILTER_XT_TARGET_TCPMSS 752 tristate '"TCPMSS" target support' 753 depends on (IPV6 || IPV6=n) 754 default m if NETFILTER_ADVANCED=n 755 ---help--- 756 This option adds a `TCPMSS' target, which allows you to alter the 757 MSS value of TCP SYN packets, to control the maximum size for that 758 connection (usually limiting it to your outgoing interface's MTU 759 minus 40). 760 761 This is used to overcome criminally braindead ISPs or servers which 762 block ICMP Fragmentation Needed packets. The symptoms of this 763 problem are that everything works fine from your Linux 764 firewall/router, but machines behind it can never exchange large 765 packets: 766 1) Web browsers connect, then hang with no data received. 767 2) Small mail works fine, but large emails hang. 768 3) ssh works fine, but scp hangs after initial handshaking. 769 770 Workaround: activate this option and add a rule to your firewall 771 configuration like: 772 773 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \ 774 -j TCPMSS --clamp-mss-to-pmtu 775 776 To compile it as a module, choose M here. If unsure, say N. 
777 778config NETFILTER_XT_TARGET_TCPOPTSTRIP 779 tristate '"TCPOPTSTRIP" target support (EXPERIMENTAL)' 780 depends on EXPERIMENTAL 781 depends on IP_NF_MANGLE || IP6_NF_MANGLE 782 depends on NETFILTER_ADVANCED 783 help 784 This option adds a "TCPOPTSTRIP" target, which allows you to strip 785 TCP options from TCP packets. 786 787# alphabetically ordered list of matches 788 789comment "Xtables matches" 790 791config NETFILTER_XT_MATCH_ADDRTYPE 792 tristate '"addrtype" address type match support' 793 depends on NETFILTER_ADVANCED 794 ---help--- 795 This option allows you to match what routing thinks of an address, 796 eg. UNICAST, LOCAL, BROADCAST, ... 797 798 If you want to compile it as a module, say M here and read 799 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 800 801config NETFILTER_XT_MATCH_CLUSTER 802 tristate '"cluster" match support' 803 depends on NF_CONNTRACK 804 depends on NETFILTER_ADVANCED 805 ---help--- 806 This option allows you to build work-load-sharing clusters of 807 network servers/stateful firewalls without having a dedicated 808 load-balancing router/server/switch. Basically, this match returns 809 true when the packet must be handled by this cluster node. Thus, 810 all nodes see all packets and this match decides which node handles 811 what packets. The work-load sharing algorithm is based on source 812 address hashing. 813 814 If you say Y or M here, try `iptables -m cluster --help` for 815 more information. 816 817config NETFILTER_XT_MATCH_COMMENT 818 tristate '"comment" match support' 819 depends on NETFILTER_ADVANCED 820 help 821 This option adds a `comment' dummy-match, which allows you to put 822 comments in your iptables ruleset. 823 824 If you want to compile it as a module, say M here and read 825 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 
826 827config NETFILTER_XT_MATCH_CONNBYTES 828 tristate '"connbytes" per-connection counter match support' 829 depends on NF_CONNTRACK 830 depends on NETFILTER_ADVANCED 831 help 832 This option adds a `connbytes' match, which allows you to match the 833 number of bytes and/or packets for each direction within a connection. 834 835 If you want to compile it as a module, say M here and read 836 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 837 838config NETFILTER_XT_MATCH_CONNLIMIT 839 tristate '"connlimit" match support"' 840 depends on NF_CONNTRACK 841 depends on NETFILTER_ADVANCED 842 ---help--- 843 This match allows you to match against the number of parallel 844 connections to a server per client IP address (or address block). 845 846config NETFILTER_XT_MATCH_CONNMARK 847 tristate '"connmark" connection mark match support' 848 depends on NF_CONNTRACK 849 depends on NETFILTER_ADVANCED 850 select NETFILTER_XT_CONNMARK 851 ---help--- 852 This is a backwards-compat option for the user's convenience 853 (e.g. when running oldconfig). It selects 854 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module). 855 856config NETFILTER_XT_MATCH_CONNTRACK 857 tristate '"conntrack" connection tracking match support' 858 depends on NF_CONNTRACK 859 default m if NETFILTER_ADVANCED=n 860 help 861 This is a general conntrack match module, a superset of the state match. 862 863 It allows matching on additional conntrack information, which is 864 useful in complex configurations, such as NAT gateways with multiple 865 internet links or tunnels. 866 867 To compile it as a module, choose M here. If unsure, say N. 868 869config NETFILTER_XT_MATCH_CPU 870 tristate '"cpu" match support' 871 depends on NETFILTER_ADVANCED 872 help 873 CPU matching allows you to match packets based on the CPU 874 currently handling the packet. 875 876 To compile it as a module, choose M here. If unsure, say N. 
877 878config NETFILTER_XT_MATCH_DCCP 879 tristate '"dccp" protocol match support' 880 depends on NETFILTER_ADVANCED 881 default IP_DCCP 882 help 883 With this option enabled, you will be able to use the iptables 884 `dccp' match in order to match on DCCP source/destination ports 885 and DCCP flags. 886 887 If you want to compile it as a module, say M here and read 888 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 889 890config NETFILTER_XT_MATCH_DEVGROUP 891 tristate '"devgroup" match support' 892 depends on NETFILTER_ADVANCED 893 help 894 This options adds a `devgroup' match, which allows to match on the 895 device group a network device is assigned to. 896 897 To compile it as a module, choose M here. If unsure, say N. 898 899config NETFILTER_XT_MATCH_DSCP 900 tristate '"dscp" and "tos" match support' 901 depends on NETFILTER_ADVANCED 902 help 903 This option adds a `DSCP' match, which allows you to match against 904 the IPv4/IPv6 header DSCP field (differentiated services codepoint). 905 906 The DSCP field can have any value between 0x0 and 0x3f inclusive. 907 908 It will also add a "tos" match, which allows you to match packets 909 based on the Type Of Service fields of the IPv4 packet (which share 910 the same bits as DSCP). 911 912 To compile it as a module, choose M here. If unsure, say N. 913 914config NETFILTER_XT_MATCH_ECN 915 tristate '"ecn" match support' 916 depends on NETFILTER_ADVANCED 917 ---help--- 918 This option adds an "ECN" match, which allows you to match against 919 the IPv4 and TCP header ECN fields. 920 921 To compile it as a module, choose M here. If unsure, say N. 922 923config NETFILTER_XT_MATCH_ESP 924 tristate '"esp" match support' 925 depends on NETFILTER_ADVANCED 926 help 927 This match extension allows you to match a range of SPIs 928 inside ESP header of IPSec packets. 929 930 To compile it as a module, choose M here. If unsure, say N. 

config NETFILTER_XT_MATCH_HASHLIMIT
	tristate '"hashlimit" match support'
	depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `hashlimit' match.

	  As opposed to `limit', this match dynamically creates a hash table
	  of limit buckets, based on your selection of source/destination
	  addresses and/or ports.

	  It enables you to express policies like `10kpps for any given
	  destination address' or `500pps from any given source address'
	  with a single rule.

config NETFILTER_XT_MATCH_HELPER
	tristate '"helper" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack helper, i.e. ip_conntrack_ftp.

	  To compile it as a module, choose M here. If unsure, say Y.

config NETFILTER_XT_MATCH_HL
	tristate '"hl" hoplimit/TTL match support'
	depends on NETFILTER_ADVANCED
	---help---
	  HL matching allows you to match packets based on the hoplimit
	  in the IPv6 header, or the time-to-live field in the IPv4
	  header of the packet.

config NETFILTER_XT_MATCH_IPRANGE
	tristate '"iprange" address range match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an "iprange" match, which allows you to match based on
	  an IP address range. (Normal iptables only matches on single addresses
	  with an optional mask.)

	  If unsure, say M.

config NETFILTER_XT_MATCH_IPVS
	tristate '"ipvs" match support'
	depends on IP_VS
	depends on NETFILTER_ADVANCED
	depends on NF_CONNTRACK
	help
	  This option allows you to match against IPVS properties of a packet.

	  If unsure, say N.

config NETFILTER_XT_MATCH_LENGTH
	tristate '"length" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_LIMIT
	tristate '"limit" match support'
	depends on NETFILTER_ADVANCED
	help
	  Limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", below) and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MAC
	tristate '"mac" address match support'
	depends on NETFILTER_ADVANCED
	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MARK
	tristate '"mark" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MARK
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).

config NETFILTER_XT_MATCH_MULTIPORT
	tristate '"multiport" Multiple port match support'
	depends on NETFILTER_ADVANCED
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_NFACCT
	tristate '"nfacct" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK_ACCT
	help
	  This option allows you to use the extended accounting through
	  nfnetlink_acct.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_OSF
	tristate '"osf" Passive OS fingerprint match'
	depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
	help
	  This option selects the Passive OS Fingerprinting match module,
	  which allows you to passively identify the remote operating system
	  by analyzing incoming TCP SYN packets.

	  Rules and loading software can be downloaded from
	  http://www.ioremap.net/projects/osf

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_OWNER
	tristate '"owner" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  Socket owner matching allows you to match locally-generated packets
	  based on who created the socket: the user or group. It is also
	  possible to check whether a socket actually exists.

config NETFILTER_XT_MATCH_POLICY
	tristate 'IPsec "policy" match support'
	depends on XFRM
	default m if NETFILTER_ADVANCED=n
	help
	  Policy matching allows you to match packets based on the
	  IPsec policy that was used during decapsulation or will
	  be used during encapsulation.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_PHYSDEV
	tristate '"physdev" match support'
	depends on BRIDGE && BRIDGE_NETFILTER
	depends on NETFILTER_ADVANCED
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_PKTTYPE
	tristate '"pkttype" packet type match support'
	depends on NETFILTER_ADVANCED
	help
	  Packet type matching allows you to match a packet by
	  its "class", e.g. BROADCAST, MULTICAST, ...

	  Typical usage:
	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_QUOTA
	tristate '"quota" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `quota' match, which allows you to match on a
	  byte counter.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_RATEEST
	tristate '"rateest" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_RATEEST
	help
	  This option adds a `rateest' match, which allows you to match on the
	  rate estimated by the RATEEST target.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_REALM
	tristate '"realm" match support'
	depends on NETFILTER_ADVANCED
	select IP_ROUTE_CLASSID
	help
	  This option adds a `realm' match, which allows you to use the realm
	  key from the routing subsystem inside iptables.

	  This match closely resembles the CONFIG_NET_CLS_ROUTE4 option
	  in the tc world.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_RECENT
	tristate '"recent" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'.
	  Official Website: <http://snowman.net/projects/ipt_recent/>

config NETFILTER_XT_MATCH_SCTP
	tristate '"sctp" protocol match support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	default IP_SCTP
	help
	  With this option enabled, you will be able to use the
	  `sctp' match in order to match on SCTP source/destination ports
	  and SCTP chunk types.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_SOCKET
	tristate '"socket" match support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_TPROXY
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
	help
	  This option adds a `socket' match, which can be used to match
	  packets for which a TCP or UDP socket lookup finds a valid socket.
	  It can be used in combination with the MARK target and policy
	  routing to implement full-featured non-locally bound sockets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STATE
	tristate '"state" match support'
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (i.e. previous packets). This
	  is a powerful tool for packet classification.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STATISTIC
	tristate '"statistic" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `statistic' match, which allows you to match
	  on packets periodically or randomly with a given percentage.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STRING
	tristate '"string" match support'
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	select TEXTSEARCH_BM
	select TEXTSEARCH_FSM
	help
	  This option adds a `string' match, which allows you to look for
	  patterns in packets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_TCPMSS
	tristate '"tcpmss" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS value of TCP SYN packets, which controls the maximum packet size
	  for that connection.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_TIME
	tristate '"time" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds a "time" match, which allows you to match based on
	  the packet arrival time (at the machine on which netfilter is
	  running) or departure time/date (for locally generated packets).

	  If you say Y here, try `iptables -m time --help` for
	  more information.

	  If you want to compile it as a module, say M here.
	  If unsure, say N.

config NETFILTER_XT_MATCH_U32
	tristate '"u32" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  u32 allows you to extract quantities of up to 4 bytes from a packet,
	  AND them with specified masks, shift them by specified amounts and
	  test whether the results are in any of a set of specified ranges.
	  The specification of what to extract is general enough to skip over
	  headers with lengths stored in the packet, as in IP or TCP header
	  lengths.

	  Details and examples are in the kernel module source.

endif # NETFILTER_XTABLES

endmenu

source "net/netfilter/ipset/Kconfig"

source "net/netfilter/ipvs/Kconfig"
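The matches this menu configures are meant to be composed into rulesets. As an added example (not part of the kernel source or the iptables project), the script below prints, and optionally installs, a small defensive INPUT chain built from the state, hashlimit, connlimit, pkttype and limit matches described above; the iptables binary name, the port, the rates, the burst and the connection cap are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the kernel's Kconfig. The option names are the
# iptables userspace flags for the matches above; the numeric values and
# the binary name are constructed assumptions. netfilter_rules only prints
# commands; apply_rules executes them only when APPLY=1 and iptables exists.

IPT="${IPT:-iptables}"          # assumed name/path of the iptables binary

# Emit the rules, one command per line, in the order they must be installed.
netfilter_rules() {
    # state match: fast-path packets that belong to tracked connections.
    echo "$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # state match: drop what the connection tracker considers INVALID.
    echo "$IPT -A INPUT -m state --state INVALID -j DROP"
    # hashlimit: one bucket per destination address, the policy the Kconfig
    # text describes as "10kpps for any given destination address".
    echo "$IPT -A INPUT -p udp -m hashlimit --hashlimit-name per_dst \
--hashlimit-mode dstip --hashlimit-above 10000/sec -j DROP"
    # connlimit: cap parallel TCP connections to port 22 per client /24.
    echo "$IPT -A INPUT -p tcp --syn --dport 22 -m connlimit \
--connlimit-above 20 --connlimit-mask 24 -j DROP"
    # pkttype + limit + LOG: the Kconfig "typical usage", rate-limited so
    # a broadcast storm cannot flood the log (the limit match's purpose).
    echo "$IPT -A INPUT -m pkttype --pkt-type broadcast \
-m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix 'bcast: '"
}

# Number of rules that would be installed; a cheap self-check.
rule_count() {
    netfilter_rules | wc -l | tr -d ' '
}

# Dry run by default; install only when explicitly asked and iptables exists.
apply_rules() {
    if [ "${APPLY:-0}" != "1" ]; then
        echo "dry run: set APPLY=1 to install the rules" >&2
        netfilter_rules
        return 0
    fi
    command -v "$IPT" >/dev/null 2>&1 || { echo "$IPT not found" >&2; return 1; }
    netfilter_rules | while IFS= read -r cmd; do eval "$cmd"; done
}
```

Run it as root with APPLY=1 on a host whose kernel has the corresponding NETFILTER_XT_MATCH_* options enabled; otherwise it only prints the commands.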