xref: /linux/net/netfilter/Kconfig (revision 8b4a40809e5330c9da5d20107d693d92d73b31dc)
menu "Core Netfilter Configuration"
	depends on NET && INET && NETFILTER

config NETFILTER_NETLINK
	tristate "Netfilter netlink interface"
	help
	  If this option is enabled, the kernel will include support
	  for the new netfilter netlink interface (nfnetlink), on which
	  the NFQUEUE, LOG and connection tracking netlink interfaces
	  below are built.

config NETFILTER_NETLINK_QUEUE
	tristate "Netfilter NFQUEUE over NFNETLINK interface"
	depends on NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for queueing packets via NFNETLINK.

config NETFILTER_NETLINK_LOG
	tristate "Netfilter LOG over NFNETLINK interface"
	depends on NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for logging packets via NFNETLINK.

	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
	  and is also scheduled to replace the old syslog-based ipt_LOG
	  and ip6t_LOG modules.

# Rename this to NF_CONNTRACK in 2.6.25
config NF_CONNTRACK_ENABLED
	tristate "Netfilter connection tracking support"
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  to connections.

	  This is required to do Masquerading or other kinds of Network
	  Address Translation (except for Fast NAT).  It can also be used to
	  enhance packet filtering (see `"state" match support' below).

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK
	tristate
	default NF_CONNTRACK_ENABLED

config NF_CT_ACCT
	bool "Connection tracking flow accounting"
	depends on NF_CONNTRACK
	help
	  If this option is enabled, the connection tracking code will
	  keep per-flow packet and byte counters.

	  Those counters can be used for flow-based accounting or the
	  `connbytes' match.

	  If unsure, say `N'.

config NF_CONNTRACK_MARK
	bool 'Connection mark tracking support'
	depends on NF_CONNTRACK
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match. Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config NF_CONNTRACK_SECMARK
	bool 'Connection tracking security mark support'
	depends on NF_CONNTRACK && NETWORK_SECMARK
	help
	  This option enables security markings to be applied to
	  connections.  Typically they are copied to connections from
	  packets using the CONNSECMARK target and copied back from
	  connections to packets with the same target, with the packets
	  being originally labeled via SECMARK.

	  If unsure, say 'N'.

config NF_CONNTRACK_EVENTS
	bool "Connection tracking events (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_CONNTRACK
	help
	  If this option is enabled, the connection tracking code will
	  provide a notifier chain that can be used by other kernel code
	  to get notified about changes in the connection tracking state.

	  If unsure, say `N'.

config NF_CT_PROTO_GRE
	tristate
	depends on NF_CONNTRACK

config NF_CT_PROTO_SCTP
	tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
	depends on EXPERIMENTAL && NF_CONNTRACK
	default n
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on SCTP connections.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NF_CT_PROTO_UDPLITE
	tristate 'UDP-Lite protocol connection tracking support (EXPERIMENTAL)'
	depends on EXPERIMENTAL && NF_CONNTRACK
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on UDP-Lite
	  connections.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_AMANDA
	tristate "Amanda backup protocol support"
	depends on NF_CONNTRACK
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature.  This allows the
	  connection tracking and NAT code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and
	  index.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_FTP
	tristate "FTP protocol support"
	depends on NF_CONNTRACK
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and for doing masquerading and other
	  forms of Network Address Translation on them.

	  This is FTP support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  The helper parses the FTP control channel and lets the data
	  connections it announces through as RELATED flows, so accept
	  RELATED traffic only where your policy needs it (see the `state'
	  and `helper' matches below).

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_H323
	tristate "H.323 protocol support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_CONNTRACK && (IPV6 || IPV6=n)
	help
	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
	  important VoIP protocols, it is widely used by voice hardware and
	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
	  Gnomemeeting, etc.

	  With this module you can support H.323 on a connection tracking/NAT
	  firewall.

	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
	  whiteboard, file transfer, etc. For more information, please
	  visit http://nath323.sourceforge.net/.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_IRC
	tristate "IRC protocol support"
	depends on NF_CONNTRACK
	help
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC).  This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server.  DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats.  Note that you do NOT need this extension to get files or
	  have others initiate chats, or for anything else in IRC.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_NETBIOS_NS
	tristate "NetBIOS name service protocol support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_CONNTRACK
	help
	  NetBIOS name service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating NetBIOS name service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address. When properly configured, the output
	  of "ip address show" should look similar to this:

	  $ ip -4 address show eth0
	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_PPTP
	tristate "PPTP protocol support"
	depends on NF_CONNTRACK
	select NF_CT_PROTO_GRE
	help
	  This module adds support for PPTP (Point to Point Tunnelling
	  Protocol, RFC2637) connection tracking and NAT.

	  If you are running PPTP sessions over a stateful firewall or NAT
	  box, you may want to enable this feature.

	  Please note that not all PPTP modes of operation are supported yet.
	  Specifically these limitations exist:
	    - Blindly assumes that control connections are always established
	      in PNS->PAC direction. This is a violation of RFC2637.
	    - Only supports a single call within each session

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_SANE
	tristate "SANE protocol support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_CONNTRACK
	help
	  SANE is a protocol for remote access to scanners as implemented
	  by the 'saned' daemon. Like FTP, it uses separate control and
	  data connections.

	  With this module you can support SANE on a connection tracking
	  firewall.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_SIP
	tristate "SIP protocol support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_CONNTRACK
	help
	  SIP is an application-layer control protocol that can establish,
	  modify, and terminate multimedia sessions (conferences) such as
	  Internet telephony calls. With the nf_conntrack_sip and
	  the nf_nat_sip modules you can support the protocol on a connection
	  tracking/NATing firewall.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_TFTP
	tristate "TFTP protocol support"
	depends on NF_CONNTRACK
	help
	  TFTP connection tracking helper; whether it is required depends
	  on how restrictive your ruleset is.
	  If you are using a TFTP client behind -j SNAT or -j MASQUERADE,
	  you will need this.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CT_NETLINK
	tristate 'Connection tracking netlink interface (EXPERIMENTAL)'
	depends on EXPERIMENTAL && NF_CONNTRACK && NETFILTER_NETLINK
	depends on NF_CONNTRACK!=y || NETFILTER_NETLINK!=m
	depends on NF_NAT=n || NF_NAT
	help
	  This option enables support for a netlink-based userspace interface
	  to the connection tracking subsystem.

config NETFILTER_XTABLES
	tristate "Netfilter Xtables support (required for ip_tables)"
	help
	  This is required if you intend to use any of ip_tables,
	  ip6_tables or arp_tables.

# alphabetically ordered list of targets

config NETFILTER_XT_TARGET_CLASSIFY
	tristate '"CLASSIFY" target support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet. Some qdiscs can use this value for
	  classification, among these are:

	  atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_CONNMARK
	tristate '"CONNMARK" target support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NF_CONNTRACK
	select NF_CONNTRACK_MARK
	help
	  This option adds a `CONNMARK' target, which allows one to manipulate
	  the connection mark value.  Similar to the MARK target, but
	  affects the connection mark value rather than the packet mark value.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  The module will be called
	  xt_CONNMARK.ko.  If unsure, say `N'.

config NETFILTER_XT_TARGET_DSCP
	tristate '"DSCP" target support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	help
	  This option adds a `DSCP' target, which allows you to manipulate
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_MARK
	tristate '"MARK" target support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `MARK' target, which allows you to create rules
	  in the `mangle' table which alter the netfilter mark (nfmark) field
	  associated with the packet prior to routing. This can change
	  the routing method (see `Use netfilter MARK value as routing
	  key') and can also be used by other subsystems to change their
	  behavior.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_NFQUEUE
	tristate '"NFQUEUE" target support'
	depends on NETFILTER_XTABLES
	help
	  This target replaced the old obsolete QUEUE target.

	  As opposed to QUEUE, it supports 65536 different queues
	  (numbered 0 to 65535), not just one.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_NFLOG
	tristate '"NFLOG" target support'
	depends on NETFILTER_XTABLES
	help
	  This option enables the NFLOG target, which logs packets
	  through the netfilter logging API; that API can use either the
	  old LOG target, the old ULOG target or nfnetlink_log as backend.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_NOTRACK
	tristate '"NOTRACK" target support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NF_CONNTRACK
	help
	  The NOTRACK target allows a rule to select packets that should
	  *not* enter the conntrack/NAT subsystem, with all the
	  consequences (no ICMP error tracking, no protocol helpers for
	  the selected packets).

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_TARGET_TRACE
	tristate '"TRACE" target support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_RAW || IP6_NF_RAW
	help
	  The TRACE target allows you to mark packets so that the kernel
	  will log every rule that matches the packets as they traverse
	  the tables, chains and rules.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_TARGET_SECMARK
	tristate '"SECMARK" target support'
	depends on NETFILTER_XTABLES && NETWORK_SECMARK
	help
	  The SECMARK target allows security marking of network
	  packets, for use with security subsystems.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_CONNSECMARK
	tristate '"CONNSECMARK" target support'
	depends on NETFILTER_XTABLES && NF_CONNTRACK && NF_CONNTRACK_SECMARK
	help
	  The CONNSECMARK target copies security markings from packets
	  to connections, and restores security markings from connections
	  to packets (if the packets are not already marked).  This would
	  normally be used in conjunction with the SECMARK target.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_TCPMSS
	tristate '"TCPMSS" target support'
	depends on NETFILTER_XTABLES && (IPV6 || IPV6=n)
	---help---
	  This option adds a `TCPMSS' target, which allows you to alter the
	  MSS value of TCP SYN packets, to control the maximum size for that
	  connection (usually limiting it to your outgoing interface's MTU
	  minus 40, i.e. the 20-byte IPv4 header plus the 20-byte TCP header).

	  This is used to overcome criminally braindead ISPs or servers which
	  block ICMP Fragmentation Needed packets.  The symptoms of this
	  problem are that everything works fine from your Linux
	  firewall/router, but machines behind it can never exchange large
	  packets:
	        1) Web browsers connect, then hang with no data received.
	        2) Small mail works fine, but large emails hang.
	        3) ssh works fine, but scp hangs after initial handshaking.

	  Workaround: activate this option and add a rule to your firewall
	  configuration like:

	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
	                 -j TCPMSS --clamp-mss-to-pmtu

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_COMMENT
	tristate '"comment" match support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `comment' dummy-match, which allows you to put
	  comments in your iptables ruleset.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNBYTES
	tristate '"connbytes" per-connection counter match support'
	depends on NETFILTER_XTABLES
	depends on NF_CONNTRACK
	select NF_CT_ACCT
	help
	  This option adds a `connbytes' match, which allows you to match the
	  number of bytes and/or packets for each direction within a connection.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNLIMIT
	tristate '"connlimit" match support'
	depends on NETFILTER_XTABLES
	---help---
	  This match allows you to match against the number of parallel
	  connections to a server per client IP address (or address block).

config NETFILTER_XT_MATCH_CONNMARK
	tristate '"connmark" connection mark match support'
	depends on NETFILTER_XTABLES
	depends on NF_CONNTRACK
	select NF_CONNTRACK_MARK
	help
	  This option adds a `connmark' match, which allows you to match the
	  connection mark value previously set for the session by `CONNMARK'.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  The module will be called
	  xt_connmark.ko.  If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNTRACK
	tristate '"conntrack" connection tracking match support'
	depends on NETFILTER_XTABLES
	depends on NF_CONNTRACK
	help
	  This is a general conntrack match module, a superset of the state match.

	  It allows matching on additional conntrack information, which is
	  useful in complex configurations, such as NAT gateways with multiple
	  internet links or tunnels.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_DCCP
	tristate '"DCCP" protocol match support'
	depends on NETFILTER_XTABLES
	help
	  With this option enabled, you will be able to use the iptables
	  `dccp' match in order to match on DCCP source/destination ports
	  and DCCP flags.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_DSCP
	tristate '"DSCP" match support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_ESP
	tristate '"ESP" match support'
	depends on NETFILTER_XTABLES
	help
	  This match extension allows you to match a range of SPIs
	  inside the ESP header of IPsec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_HELPER
	tristate '"helper" match support'
	depends on NETFILTER_XTABLES
	depends on NF_CONNTRACK
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack helper, e.g. nf_conntrack_ftp.

	  To compile it as a module, choose M here.  If unsure, say Y.

config NETFILTER_XT_MATCH_LENGTH
	tristate '"length" match support'
	depends on NETFILTER_XTABLES
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_LIMIT
	tristate '"limit" match support'
	depends on NETFILTER_XTABLES
	help
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support") and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_MAC
	tristate '"mac" address match support'
	depends on NETFILTER_XTABLES
	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_MARK
	tristate '"mark" match support'
	depends on NETFILTER_XTABLES
	help
	  Netfilter mark matching allows you to match packets based on the
	  `nfmark' value in the packet.  This can be set by the MARK target
	  (see above).

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_POLICY
	tristate 'IPsec "policy" match support'
	depends on NETFILTER_XTABLES && XFRM
	help
	  Policy matching allows you to match packets based on the
	  IPsec policy that was used during decapsulation/will
	  be used during encapsulation.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_MULTIPORT
	tristate "Multiple port match support"
	depends on NETFILTER_XTABLES
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_PHYSDEV
	tristate '"physdev" match support'
	depends on NETFILTER_XTABLES && BRIDGE && BRIDGE_NETFILTER
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_PKTTYPE
	tristate '"pkttype" packet type match support'
	depends on NETFILTER_XTABLES
	help
	  Packet type matching allows you to match a packet by
	  its "class", e.g. BROADCAST, MULTICAST, ...

	  Typical usage:
	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_QUOTA
	tristate '"quota" match support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `quota' match, which allows you to match on a
	  byte counter.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_REALM
	tristate '"realm" match support'
	depends on NETFILTER_XTABLES
	select NET_CLS_ROUTE
	help
	  This option adds a `realm' match, which allows you to use the realm
	  key from the routing subsystem inside iptables.

	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
	  in tc world.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_SCTP
	tristate '"sctp" protocol match support (EXPERIMENTAL)'
	depends on NETFILTER_XTABLES && EXPERIMENTAL
	help
	  With this option enabled, you will be able to use the
	  `sctp' match in order to match on SCTP source/destination ports
	  and SCTP chunk types.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_STATE
	tristate '"state" match support'
	depends on NETFILTER_XTABLES
	depends on NF_CONNTRACK
	help
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (i.e. previous packets).  This
	  is a powerful tool for packet classification.

	  To compile it as a module, choose M here.  If unsure, say N.

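The NEW/ESTABLISHED/RELATED classification made by the `state' match, the helper name seen by the `helper' match, and the way the FTP helper above turns a PORT command or a 227 reply into an expected (RELATED) data connection, shown together in one added Python example. This is illustrative code written for this page, not kernel code: packets are plain Python tuples constructed inline, flows are keyed by endpoint pair, the FTP helper is assumed to be attached to TCP port 21, and the `loose` flag is this example's model of the nf_conntrack_ftp parameter that decides whether a command naming an address other than the speaker's own may open a pinhole (off here, which is what stops a client behind the firewall from using PORT to open a hole to a third host).

```python
import re

# The two FTP messages the helper understands (patterns constructed for this example).
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.M)
PASV_RE = re.compile(rb"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", re.M)


def _addr(m):
    """Decode h1,h2,h3,h4,p1,p2 into ('h1.h2.h3.h4', p1*256+p2)."""
    n = [int(m.group(i)) for i in range(1, 7)]
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]


class ConnTracker:
    """Tracks TCP flows by endpoint pair and classifies each packet the way the
    `state' match does: NEW, ESTABLISHED or RELATED.  `loose` is assumed to model
    the nf_conntrack_ftp parameter of the same name (off by default)."""

    def __init__(self, loose=False):
        self.table = {}      # flow key -> entry
        self.expects = []    # expectations opened by helpers
        self.loose = loose

    @staticmethod
    def _key(src, sport, dst, dport):
        a, b = (src, sport), (dst, dport)
        return (a, b) if a <= b else (b, a)   # same key in both directions

    def _take_expectation(self, src, dst, dport):
        for i, e in enumerate(self.expects):
            if e["dst"] == (dst, dport) and e["src_ip"] == src:
                return self.expects.pop(i)
        return None

    def classify(self, src, sport, dst, dport, payload=b""):
        """Return (state, helper) for one packet and update the table."""
        k = self._key(src, sport, dst, dport)
        entry = self.table.get(k)
        if entry is None:
            exp = self._take_expectation(src, dst, dport)
            entry = self.table[k] = {
                "orig": (src, sport, dst, dport),
                "replied": False,
                "expected": exp is not None,
                # assumption: the FTP helper is attached to control connections to port 21
                "helper": "ftp" if dport == 21 else None,
            }
        original_dir = (src, sport) == entry["orig"][:2]
        if not original_dir:
            entry["replied"] = True
        if entry["replied"]:
            state = "ESTABLISHED"
        elif entry["expected"]:
            state = "RELATED"
        else:
            state = "NEW"
        if entry["helper"] == "ftp":
            self._ftp_help(entry, original_dir, payload)
        return state, entry["helper"]

    def _ftp_help(self, entry, from_client, payload):
        """Parse PORT (client->server) or 227 (server->client) and expect the data
        connection it announces, but only towards the speaker's own address."""
        client_ip, _, server_ip, _ = entry["orig"]
        if from_client:
            m, owner, initiator = PORT_RE.search(payload), client_ip, server_ip
        else:
            m, owner, initiator = PASV_RE.search(payload), server_ip, client_ip
        if not m:
            return
        ip, port = _addr(m)
        if ip != owner and not self.loose:
            return   # third-party address: refuse to open a pinhole (FTP bounce)
        self.expects.append({"src_ip": initiator, "dst": (ip, port), "master": entry["orig"]})


def ftp_session():
    """Constructed active-then-passive FTP session; returns the state per packet."""
    ct = ConnTracker()
    C, S = "10.0.0.5", "192.0.2.10"
    packets = [
        (C, 40000, S, 21, b"USER anonymous\r\n"),          # NEW
        (S, 21, C, 40000, b"331 Password required\r\n"),   # ESTABLISHED
        (C, 40000, S, 21, b"PORT 10,0,0,5,160,0\r\n"),     # ESTABLISHED, expects S -> C:40960
        (S, 20, C, 40960, b""),                            # RELATED (active-mode data channel)
        (S, 21, C, 40000, b"227 Entering Passive Mode (192,0,2,10,200,0)\r\n"),
        (C, 50000, S, 51200, b""),                         # RELATED (passive-mode data channel)
    ]
    return [ct.classify(*p)[0] for p in packets]


def bounce_state(loose):
    """State given to a server->third-party connection announced by a client's PORT
    command naming that third party: NEW (no pinhole) unless loose mode is on."""
    ct = ConnTracker(loose=loose)
    ct.classify("10.0.0.5", 40000, "192.0.2.10", 21, b"USER anonymous\r\n")
    ct.classify("192.0.2.10", 21, "10.0.0.5", 40000, b"331 Password required\r\n")
    ct.classify("10.0.0.5", 40000, "192.0.2.10", 21, b"PORT 10,0,0,99,0,22\r\n")
    return ct.classify("192.0.2.10", 20, "10.0.0.99", 22)[0]
```

`ftp_session()` walks an active and then a passive transfer, and every data channel arrives as RELATED because the helper expected it. `bounce_state(False)` shows the other side of the coin: a PORT command naming a third host creates no expectation, so the server's connection to that host is classified NEW and a ruleset that forwards only ESTABLISHED,RELATED drops it.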
634
635config NETFILTER_XT_MATCH_STATISTIC
636	tristate '"statistic" match support'
637	depends on NETFILTER_XTABLES
638	help
639	  This option adds a `statistic' match, which allows you to match
640	  on packets periodically or randomly with a given percentage.
641
642	  To compile it as a module, choose M here.  If unsure, say N.
643
644config NETFILTER_XT_MATCH_STRING
645	tristate  '"string" match support'
646	depends on NETFILTER_XTABLES
647	select TEXTSEARCH
648	select TEXTSEARCH_KMP
649	select TEXTSEARCH_BM
650	select TEXTSEARCH_FSM
651	help
652	  This option adds a `string' match, which allows you to look for
653	  pattern matchings in packets.
654
655	  To compile it as a module, choose M here.  If unsure, say N.
656
657config NETFILTER_XT_MATCH_TCPMSS
658	tristate '"tcpmss" match support'
659	depends on NETFILTER_XTABLES
660	help
661	  This option adds a `tcpmss' match, which allows you to examine the
662	  MSS value of TCP SYN packets, which control the maximum packet size
663	  for that connection.
664
665	  To compile it as a module, choose M here.  If unsure, say N.
666
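What the TCPMSS target's --clamp-mss-to-pmtu and the `tcpmss' match actually do to a SYN, as an added Python example (not kernel code): build an IPv4 SYN carrying an MSS option, read the MSS back the way the match does, rewrite it to pmtu - 40 and recompute the TCP checksum the way the target does. The path MTU of 1492 and the addresses are constructed values; the option walk stops on a malformed length instead of reading past the header.

```python
import socket
import struct


def checksum(data):
    """RFC 1071 Internet checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src, dst, tcp):
    """TCP checksum including the IPv4 pseudo-header (src, dst, zero, proto 6, length)."""
    return checksum(src + dst + struct.pack("!BBH", 0, 6, len(tcp)) + tcp)


def build_syn(src, dst, sport, dport, mss):
    """Constructed IPv4/TCP SYN carrying MSS, NOP, NOP and SACK-permitted options."""
    opts = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01" + struct.pack("!BB", 4, 2)
    doff = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (doff << 12) | 0x02, 65535, 0, 0) + opts
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def tcp_options(pkt):
    """Yield (offset, kind, value) per TCP option; stop at EOL or a malformed length."""
    ihl = (pkt[0] & 0x0F) * 4
    i, end = ihl + 20, ihl + (pkt[ihl + 12] >> 4) * 4
    while i < end:
        kind = pkt[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP padding
            i += 1
            continue
        if i + 1 >= end or pkt[i + 1] < 2 or i + pkt[i + 1] > end:
            break                # length byte missing or runs past the header
        length = pkt[i + 1]
        yield i, kind, pkt[i + 2:i + length]
        i += length


def tcp_mss(pkt):
    """What the `tcpmss' match examines: the MSS option of the segment, or None."""
    for _, kind, value in tcp_options(pkt):
        if kind == 2 and len(value) == 2:
            return struct.unpack("!H", value)[0]
    return None


def clamp_mss_to_pmtu(pkt, pmtu):
    """TCPMSS --clamp-mss-to-pmtu for IPv4: on a SYN, lower the MSS option to at
    most pmtu - 40 (20-byte IPv4 header plus 20-byte TCP header) and recompute
    the TCP checksum.  Non-SYN packets and SYNs without an MSS pass unchanged."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or not pkt[ihl + 13] & 0x02:
        return pkt
    limit = pmtu - 40
    for off, kind, value in tcp_options(pkt):
        if kind == 2 and len(value) == 2:
            if struct.unpack("!H", value)[0] <= limit:
                return pkt
            out = bytearray(pkt)
            out[off + 2:off + 4] = struct.pack("!H", limit)
            out[ihl + 16:ihl + 18] = b"\0\0"
            csum = tcp_checksum(pkt[12:16], pkt[16:20], bytes(out[ihl:]))
            out[ihl + 16:ihl + 18] = struct.pack("!H", csum)
            return bytes(out)
    return pkt


def tcp_checksum_ok(pkt):
    """True when the TCP checksum verifies (the sum over the segment with its checksum is zero)."""
    ihl = (pkt[0] & 0x0F) * 4
    return tcp_checksum(pkt[12:16], pkt[16:20], pkt[ihl:]) == 0


# Constructed SYN from a LAN client whose uplink is a PPPoE link with a 1492-byte MTU.
SYN = build_syn(socket.inet_aton("10.0.0.5"), socket.inet_aton("192.0.2.10"), 40000, 80, 1460)
CLAMPED = clamp_mss_to_pmtu(SYN, 1492)
```

With a 1492-byte path MTU the 1460 advertised by the client becomes 1452, the packet length does not change, and the checksum still verifies; a SYN whose MSS is already within the limit is returned untouched, which is also the case the kernel target has to handle so that it does not raise a small MSS.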
config NETFILTER_XT_MATCH_U32
	tristate '"u32" match support'
	depends on NETFILTER_XTABLES
	---help---
	  u32 allows you to extract quantities of up to 4 bytes from a packet,
	  AND them with specified masks, shift them by specified amounts and
	  test whether the results are in any of a set of specified ranges.
	  The specification of what to extract is general enough to skip over
	  headers with lengths stored in the packet, as in IP or TCP header
	  lengths.

	  Details and examples are in the kernel module source.

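Since the text refers the reader to the module source for examples, here is an added Python evaluator (not the kernel's code) that implements the u32 expression grammar as the iptables extension writes it: a start offset, then any sequence of `&mask`, `>>n`, `<<n` and `@n`, compared against value ranges, with several tests joined by `&&`. The `@` step is what lets one expression skip a variable-length IP header and TCP data offset. The packet, addresses and expressions below are constructed for the example, and a read that would run past the end of the packet fails the match instead of raising, mirroring the bounds checks the kernel match performs.

```python
import re
import struct

LOC_TOKEN = re.compile(r"0x[0-9a-fA-F]+|\d+|>>|<<|&|@")


def parse_u32(spec):
    """Parse a u32 match string into tests of the form
    ([(op, number), ...], [(lo, hi), ...]); the op of the first number is None."""
    tests = []
    for part in spec.split("&&"):
        lhs, eq, rhs = part.partition("=")
        if not eq:
            raise ValueError("u32 test without '=': %r" % part)
        toks = LOC_TOKEN.findall(lhs)
        if not toks or "".join(toks) != "".join(lhs.split()):
            raise ValueError("unparseable location: %r" % lhs)
        loc = [(None, int(toks[0], 0))]
        for i in range(1, len(toks), 2):
            if toks[i] not in (">>", "<<", "&", "@") or i + 1 >= len(toks):
                raise ValueError("expected operator and number in %r" % lhs)
            loc.append((toks[i], int(toks[i + 1], 0)))
        ranges = []
        for r in rhs.split(","):
            lo, _, hi = r.strip().partition(":")
            ranges.append((int(lo, 0), int(hi, 0) if hi else int(lo, 0)))
        tests.append((loc, ranges))
    return tests


def u32_match(spec, pkt):
    """Evaluate `spec` against `pkt` (bytes starting at the IPv4 header).  Each
    test reads a big-endian 32-bit word, applies its operators, and must land in
    one of its ranges; `@` makes the current value the new base offset."""
    def read32(at, pos):
        if at + pos + 4 > len(pkt):
            return None          # would read past the packet: the test fails
        return struct.unpack_from("!I", pkt, at + pos)[0]

    for loc, ranges in parse_u32(spec):
        at = 0
        val = read32(at, loc[0][1])
        if val is None:
            return False
        for op, num in loc[1:]:
            if op == "&":
                val &= num
            elif op == ">>":
                val >>= num
            elif op == "<<":
                val = (val << num) & 0xFFFFFFFF
            else:
                at += val
                val = read32(at, num)
                if val is None:
                    return False
        if not any(lo <= val <= hi for lo, hi in ranges):
            return False
    return True


def tcp_packet(payload, ip_opts=b"", tcp_opts=b"", proto=6, dport=80):
    """Constructed IPv4/TCP packet; checksums stay zero since u32 never reads them."""
    ihl, doff = (20 + len(ip_opts)) // 4, (20 + len(tcp_opts)) // 4
    total = 20 + len(ip_opts) + 20 + len(tcp_opts) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, total, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10])) + ip_opts
    tcp = struct.pack("!HHIIHHHH", 40000, dport, 1, 0, (doff << 12) | 0x18, 65535, 0, 0) + tcp_opts
    return ip + tcp + payload


# Both headers carry options (IHL=6, data offset=6) so the length arithmetic is exercised.
HTTP_GET = tcp_packet(b"GET / HTTP/1.0\r\n", ip_opts=b"\x01\x01\x01\x01",
                      tcp_opts=struct.pack("!BBH", 2, 4, 1460))

# 0>>22&0x3C turns the IHL nibble into the IP header length in bytes; after '@'
# the same trick on TCP byte 12 (12>>26&0x3C) yields the TCP header length.
IS_TCP       = "6&0xFF=6"                                 # byte 9 is the protocol
DPORT_WEB    = "0>>22&0x3C@0&0xFFFF=80,443"               # TCP destination port
PAYLOAD_GET  = "0>>22&0x3C@12>>26&0x3C@0=0x47455420"      # payload starts with "GET "
PAYLOAD_POST = "0>>22&0x3C@12>>26&0x3C@0=0x504f5354"      # payload starts with "POST"
```

`u32_match(PAYLOAD_GET, HTTP_GET)` is true and the POST form is false; truncating the packet to 50 bytes makes the GET test fail cleanly because the final read at offset 48 no longer fits, which is the behaviour to expect from the kernel match on short or fragmented packets.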
config NETFILTER_XT_MATCH_HASHLIMIT
	tristate '"hashlimit" match support'
	depends on NETFILTER_XTABLES && (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
	help
	  This option adds a `hashlimit' match.

	  As opposed to `limit', this match dynamically creates a hash table
	  of limit buckets, based on your selection of source/destination
	  addresses and/or ports.

	  It enables you to express policies like `10kpps for any given
	  destination address' or `500pps from any given source address'
	  with a single rule.

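The single token bucket of the `limit' match and the per-key bucket table of `hashlimit', as an added Python example rather than the kernel's implementation. HashLimit with an empty mode is `limit'; with mode ("srcip",) and a /24 mask it is the `500pps from any given source address' policy above. The `max_entries` and `expire` parameters are this example's model of --hashlimit-htable-max and --hashlimit-htable-expire (assumed semantics: a full table refuses new keys until idle buckets age out), which is the failure mode to think about when an attacker can spray traffic from many spoofed sources.

```python
import ipaddress


class TokenBucket:
    """`rate` matches per second sustained, up to `burst` at once (the `limit' model)."""

    def __init__(self, rate, burst, now):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens, self.last = float(burst), now

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def mask_ip(ip, prefix):
    """Reduce an IPv4 address to its /prefix network, like --hashlimit-srcmask/dstmask."""
    return str(ipaddress.ip_network("%s/%d" % (ip, prefix), strict=False).network_address)


class HashLimit:
    """One TokenBucket per key built from the fields named in `mode`
    ("srcip", "srcport", "dstip", "dstport").  An empty mode is a single
    bucket, i.e. the plain `limit' match."""

    def __init__(self, rate, burst, mode=(), srcmask=32, dstmask=32,
                 max_entries=1024, expire=10.0):
        self.rate, self.burst, self.mode = rate, burst, tuple(mode)
        self.srcmask, self.dstmask = srcmask, dstmask
        self.max_entries, self.expire = max_entries, expire
        self.buckets = {}

    def _key(self, pkt):
        key = []
        for field in ("srcip", "srcport", "dstip", "dstport"):
            if field in self.mode:
                value = pkt[field]
                if field == "srcip":
                    value = mask_ip(value, self.srcmask)
                elif field == "dstip":
                    value = mask_ip(value, self.dstmask)
                key.append(value)
        return tuple(key)

    def _expire_idle(self, now):
        for k in [k for k, b in self.buckets.items() if now - b.last > self.expire]:
            del self.buckets[k]

    def match(self, pkt, now):
        """True if the packet is within its bucket's allowance at time `now` (seconds)."""
        key = self._key(pkt)
        bucket = self.buckets.get(key)
        if bucket is None:
            if len(self.buckets) >= self.max_entries:
                self._expire_idle(now)
            if len(self.buckets) >= self.max_entries:
                return False   # table full: this key cannot be tracked, so it does not match
            bucket = self.buckets[key] = TokenBucket(self.rate, self.burst, now)
        return bucket.allow(now)


def pkt(src, dst="192.0.2.10", dport=53):
    """Constructed packet summary carrying only the fields the match keys on."""
    return {"srcip": src, "srcport": 1234, "dstip": dst, "dstport": dport}


def per_source_demo():
    """500 pps per source /24 with a burst of 5; returns the match result per packet."""
    hl = HashLimit(rate=500, burst=5, mode=("srcip",), srcmask=24)
    results = [hl.match(pkt("10.0.0.1"), 0.0) for _ in range(6)]   # 5 pass, the 6th exceeds the burst
    results.append(hl.match(pkt("10.0.0.77"), 0.0))    # same /24: shares the exhausted bucket
    results.append(hl.match(pkt("10.0.1.1"), 0.0))     # different /24: fresh bucket
    results.append(hl.match(pkt("10.0.0.1"), 0.004))   # 4 ms later: two tokens refilled
    return results


def table_full_demo():
    """Two-entry table: a third source gets no bucket until an idle one expires."""
    hl = HashLimit(rate=1, burst=1, mode=("srcip",), max_entries=2, expire=10.0)
    return [hl.match(pkt("10.0.0.1"), 0.0), hl.match(pkt("10.0.0.2"), 0.0),
            hl.match(pkt("10.0.0.3"), 0.0), hl.match(pkt("10.0.0.3"), 20.0)]
```

The /24 mask is what makes a single host unable to borrow a neighbour's allowance, and the table-size demo shows why the limit on entries matters: once the table is full, new sources are not rate limited but simply fail the match until old entries expire, so size the table and the expiry for the population of keys you expect.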
endmenu