1menu "Core Netfilter Configuration" 2 depends on NET && INET && NETFILTER 3 4config NETFILTER_INGRESS 5 bool "Netfilter ingress support" 6 default y 7 select NET_INGRESS 8 help 9 This allows you to classify packets from ingress using the Netfilter 10 infrastructure. 11 12config NETFILTER_NETLINK 13 tristate 14 15config NETFILTER_NETLINK_ACCT 16tristate "Netfilter NFACCT over NFNETLINK interface" 17 depends on NETFILTER_ADVANCED 18 select NETFILTER_NETLINK 19 help 20 If this option is enabled, the kernel will include support 21 for extended accounting via NFNETLINK. 22 23config NETFILTER_NETLINK_QUEUE 24 tristate "Netfilter NFQUEUE over NFNETLINK interface" 25 depends on NETFILTER_ADVANCED 26 select NETFILTER_NETLINK 27 help 28 If this option is enabled, the kernel will include support 29 for queueing packets via NFNETLINK. 30 31config NETFILTER_NETLINK_LOG 32 tristate "Netfilter LOG over NFNETLINK interface" 33 default m if NETFILTER_ADVANCED=n 34 select NETFILTER_NETLINK 35 help 36 If this option is enabled, the kernel will include support 37 for logging packets via NFNETLINK. 38 39 This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms, 40 and is also scheduled to replace the old syslog-based ipt_LOG 41 and ip6t_LOG modules. 42 43config NF_CONNTRACK 44 tristate "Netfilter connection tracking support" 45 default m if NETFILTER_ADVANCED=n 46 help 47 Connection tracking keeps a record of what packets have passed 48 through your machine, in order to figure out how they are related 49 into connections. 50 51 This is required to do Masquerading or other kinds of Network 52 Address Translation. It can also be used to enhance packet 53 filtering (see `Connection state match support' below). 54 55 To compile it as a module, choose M here. If unsure, say N. 56 57config NF_LOG_COMMON 58 tristate 59 60if NF_CONNTRACK 61 62config NF_CONNTRACK_MARK 63 bool 'Connection mark tracking support' 64 depends on NETFILTER_ADVANCED 65 help 66 This option enables support for connection marks, used by the 67 `CONNMARK' target and `connmark' match. Similar to the mark value 68 of packets, but this mark value is kept in the conntrack session 69 instead of the individual packets. 70 71config NF_CONNTRACK_SECMARK 72 bool 'Connection tracking security mark support' 73 depends on NETWORK_SECMARK 74 default m if NETFILTER_ADVANCED=n 75 help 76 This option enables security markings to be applied to 77 connections. Typically they are copied to connections from 78 packets using the CONNSECMARK target and copied back from 79 connections to packets with the same target, with the packets 80 being originally labeled via SECMARK. 81 82 If unsure, say 'N'. 83 84config NF_CONNTRACK_ZONES 85 bool 'Connection tracking zones' 86 depends on NETFILTER_ADVANCED 87 depends on NETFILTER_XT_TARGET_CT 88 help 89 This option enables support for connection tracking zones. 90 Normally, each connection needs to have a unique system wide 91 identity. Connection tracking zones allow to have multiple 92 connections using the same identity, as long as they are 93 contained in different zones. 94 95 If unsure, say `N'. 96 97config NF_CONNTRACK_PROCFS 98 bool "Supply CT list in procfs (OBSOLETE)" 99 default y 100 depends on PROC_FS 101 ---help--- 102 This option enables for the list of known conntrack entries 103 to be shown in procfs under net/netfilter/nf_conntrack. This 104 is considered obsolete in favor of using the conntrack(8) 105 tool which uses Netlink. 106 107config NF_CONNTRACK_EVENTS 108 bool "Connection tracking events" 109 depends on NETFILTER_ADVANCED 110 help 111 If this option is enabled, the connection tracking code will 112 provide a notifier chain that can be used by other kernel code 113 to get notified about changes in the connection tracking state. 114 115 If unsure, say `N'. 116 117config NF_CONNTRACK_TIMEOUT 118 bool 'Connection tracking timeout' 119 depends on NETFILTER_ADVANCED 120 help 121 This option enables support for connection tracking timeout 122 extension. This allows you to attach timeout policies to flow 123 via the CT target. 124 125 If unsure, say `N'. 126 127config NF_CONNTRACK_TIMESTAMP 128 bool 'Connection tracking timestamping' 129 depends on NETFILTER_ADVANCED 130 help 131 This option enables support for connection tracking timestamping. 132 This allows you to store the flow start-time and to obtain 133 the flow-stop time (once it has been destroyed) via Connection 134 tracking events. 135 136 If unsure, say `N'. 137 138config NF_CONNTRACK_LABELS 139 bool 140 help 141 This option enables support for assigning user-defined flag bits 142 to connection tracking entries. It selected by the connlabel match. 143 144config NF_CT_PROTO_DCCP 145 tristate 'DCCP protocol connection tracking support' 146 depends on NETFILTER_ADVANCED 147 default IP_DCCP 148 help 149 With this option enabled, the layer 3 independent connection 150 tracking code will be able to do state tracking on DCCP connections. 151 152 If unsure, say 'N'. 153 154config NF_CT_PROTO_GRE 155 tristate 156 157config NF_CT_PROTO_SCTP 158 tristate 'SCTP protocol connection tracking support' 159 depends on NETFILTER_ADVANCED 160 default IP_SCTP 161 help 162 With this option enabled, the layer 3 independent connection 163 tracking code will be able to do state tracking on SCTP connections. 164 165 If you want to compile it as a module, say M here and read 166 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 167 168config NF_CT_PROTO_UDPLITE 169 tristate 'UDP-Lite protocol connection tracking support' 170 depends on NETFILTER_ADVANCED 171 help 172 With this option enabled, the layer 3 independent connection 173 tracking code will be able to do state tracking on UDP-Lite 174 connections. 175 176 To compile it as a module, choose M here. If unsure, say N. 177 178config NF_CONNTRACK_AMANDA 179 tristate "Amanda backup protocol support" 180 depends on NETFILTER_ADVANCED 181 select TEXTSEARCH 182 select TEXTSEARCH_KMP 183 help 184 If you are running the Amanda backup package <http://www.amanda.org/> 185 on this machine or machines that will be MASQUERADED through this 186 machine, then you may want to enable this feature. This allows the 187 connection tracking and natting code to allow the sub-channels that 188 Amanda requires for communication of the backup data, messages and 189 index. 190 191 To compile it as a module, choose M here. If unsure, say N. 192 193config NF_CONNTRACK_FTP 194 tristate "FTP protocol support" 195 default m if NETFILTER_ADVANCED=n 196 help 197 Tracking FTP connections is problematic: special helpers are 198 required for tracking them, and doing masquerading and other forms 199 of Network Address Translation on them. 200 201 This is FTP support on Layer 3 independent connection tracking. 202 Layer 3 independent connection tracking is experimental scheme 203 which generalize ip_conntrack to support other layer 3 protocols. 204 205 To compile it as a module, choose M here. If unsure, say N. 206 207config NF_CONNTRACK_H323 208 tristate "H.323 protocol support" 209 depends on IPV6 || IPV6=n 210 depends on NETFILTER_ADVANCED 211 help 212 H.323 is a VoIP signalling protocol from ITU-T. As one of the most 213 important VoIP protocols, it is widely used by voice hardware and 214 software including voice gateways, IP phones, Netmeeting, OpenPhone, 215 Gnomemeeting, etc. 216 217 With this module you can support H.323 on a connection tracking/NAT 218 firewall. 219 220 This module supports RAS, Fast Start, H.245 Tunnelling, Call 221 Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat, 222 whiteboard, file transfer, etc. For more information, please 223 visit http://nath323.sourceforge.net/. 224 225 To compile it as a module, choose M here. If unsure, say N. 226 227config NF_CONNTRACK_IRC 228 tristate "IRC protocol support" 229 default m if NETFILTER_ADVANCED=n 230 help 231 There is a commonly-used extension to IRC called 232 Direct Client-to-Client Protocol (DCC). This enables users to send 233 files to each other, and also chat to each other without the need 234 of a server. DCC Sending is used anywhere you send files over IRC, 235 and DCC Chat is most commonly used by Eggdrop bots. If you are 236 using NAT, this extension will enable you to send files and initiate 237 chats. Note that you do NOT need this extension to get files or 238 have others initiate chats, or everything else in IRC. 239 240 To compile it as a module, choose M here. If unsure, say N. 241 242config NF_CONNTRACK_BROADCAST 243 tristate 244 245config NF_CONNTRACK_NETBIOS_NS 246 tristate "NetBIOS name service protocol support" 247 select NF_CONNTRACK_BROADCAST 248 help 249 NetBIOS name service requests are sent as broadcast messages from an 250 unprivileged port and responded to with unicast messages to the 251 same port. This make them hard to firewall properly because connection 252 tracking doesn't deal with broadcasts. This helper tracks locally 253 originating NetBIOS name service requests and the corresponding 254 responses. It relies on correct IP address configuration, specifically 255 netmask and broadcast address. When properly configured, the output 256 of "ip address show" should look similar to this: 257 258 $ ip -4 address show eth0 259 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000 260 inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0 261 262 To compile it as a module, choose M here. If unsure, say N. 263 264config NF_CONNTRACK_SNMP 265 tristate "SNMP service protocol support" 266 depends on NETFILTER_ADVANCED 267 select NF_CONNTRACK_BROADCAST 268 help 269 SNMP service requests are sent as broadcast messages from an 270 unprivileged port and responded to with unicast messages to the 271 same port. This make them hard to firewall properly because connection 272 tracking doesn't deal with broadcasts. This helper tracks locally 273 originating SNMP service requests and the corresponding 274 responses. It relies on correct IP address configuration, specifically 275 netmask and broadcast address. 276 277 To compile it as a module, choose M here. If unsure, say N. 278 279config NF_CONNTRACK_PPTP 280 tristate "PPtP protocol support" 281 depends on NETFILTER_ADVANCED 282 select NF_CT_PROTO_GRE 283 help 284 This module adds support for PPTP (Point to Point Tunnelling 285 Protocol, RFC2637) connection tracking and NAT. 286 287 If you are running PPTP sessions over a stateful firewall or NAT 288 box, you may want to enable this feature. 289 290 Please note that not all PPTP modes of operation are supported yet. 291 Specifically these limitations exist: 292 - Blindly assumes that control connections are always established 293 in PNS->PAC direction. This is a violation of RFC2637. 294 - Only supports a single call within each session 295 296 To compile it as a module, choose M here. If unsure, say N. 297 298config NF_CONNTRACK_SANE 299 tristate "SANE protocol support" 300 depends on NETFILTER_ADVANCED 301 help 302 SANE is a protocol for remote access to scanners as implemented 303 by the 'saned' daemon. Like FTP, it uses separate control and 304 data connections. 305 306 With this module you can support SANE on a connection tracking 307 firewall. 308 309 To compile it as a module, choose M here. If unsure, say N. 310 311config NF_CONNTRACK_SIP 312 tristate "SIP protocol support" 313 default m if NETFILTER_ADVANCED=n 314 help 315 SIP is an application-layer control protocol that can establish, 316 modify, and terminate multimedia sessions (conferences) such as 317 Internet telephony calls. With the ip_conntrack_sip and 318 the nf_nat_sip modules you can support the protocol on a connection 319 tracking/NATing firewall. 320 321 To compile it as a module, choose M here. If unsure, say N. 322 323config NF_CONNTRACK_TFTP 324 tristate "TFTP protocol support" 325 depends on NETFILTER_ADVANCED 326 help 327 TFTP connection tracking helper, this is required depending 328 on how restrictive your ruleset is. 329 If you are using a tftp client behind -j SNAT or -j MASQUERADING 330 you will need this. 331 332 To compile it as a module, choose M here. If unsure, say N. 333 334config NF_CT_NETLINK 335 tristate 'Connection tracking netlink interface' 336 select NETFILTER_NETLINK 337 default m if NETFILTER_ADVANCED=n 338 help 339 This option enables support for a netlink-based userspace interface 340 341config NF_CT_NETLINK_TIMEOUT 342 tristate 'Connection tracking timeout tuning via Netlink' 343 select NETFILTER_NETLINK 344 depends on NETFILTER_ADVANCED 345 help 346 This option enables support for connection tracking timeout 347 fine-grain tuning. This allows you to attach specific timeout 348 policies to flows, instead of using the global timeout policy. 349 350 If unsure, say `N'. 351 352config NF_CT_NETLINK_HELPER 353 tristate 'Connection tracking helpers in user-space via Netlink' 354 select NETFILTER_NETLINK 355 depends on NF_CT_NETLINK 356 depends on NETFILTER_NETLINK_QUEUE 357 depends on NETFILTER_NETLINK_GLUE_CT 358 depends on NETFILTER_ADVANCED 359 help 360 This option enables the user-space connection tracking helpers 361 infrastructure. 362 363 If unsure, say `N'. 364 365config NETFILTER_NETLINK_GLUE_CT 366 bool "NFQUEUE and NFLOG integration with Connection Tracking" 367 default n 368 depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK 369 help 370 If this option is enabled, NFQUEUE and NFLOG can include 371 Connection Tracking information together with the packet is 372 the enqueued via NFNETLINK. 373 374config NF_NAT 375 tristate 376 377config NF_NAT_NEEDED 378 bool 379 depends on NF_NAT 380 default y 381 382config NF_NAT_PROTO_DCCP 383 tristate 384 depends on NF_NAT && NF_CT_PROTO_DCCP 385 default NF_NAT && NF_CT_PROTO_DCCP 386 387config NF_NAT_PROTO_UDPLITE 388 tristate 389 depends on NF_NAT && NF_CT_PROTO_UDPLITE 390 default NF_NAT && NF_CT_PROTO_UDPLITE 391 392config NF_NAT_PROTO_SCTP 393 tristate 394 default NF_NAT && NF_CT_PROTO_SCTP 395 depends on NF_NAT && NF_CT_PROTO_SCTP 396 select LIBCRC32C 397 398config NF_NAT_AMANDA 399 tristate 400 depends on NF_CONNTRACK && NF_NAT 401 default NF_NAT && NF_CONNTRACK_AMANDA 402 403config NF_NAT_FTP 404 tristate 405 depends on NF_CONNTRACK && NF_NAT 406 default NF_NAT && NF_CONNTRACK_FTP 407 408config NF_NAT_IRC 409 tristate 410 depends on NF_CONNTRACK && NF_NAT 411 default NF_NAT && NF_CONNTRACK_IRC 412 413config NF_NAT_SIP 414 tristate 415 depends on NF_CONNTRACK && NF_NAT 416 default NF_NAT && NF_CONNTRACK_SIP 417 418config NF_NAT_TFTP 419 tristate 420 depends on NF_CONNTRACK && NF_NAT 421 default NF_NAT && NF_CONNTRACK_TFTP 422 423config NF_NAT_REDIRECT 424 tristate "IPv4/IPv6 redirect support" 425 depends on NF_NAT 426 help 427 This is the kernel functionality to redirect packets to local 428 machine through NAT. 429 430config NETFILTER_SYNPROXY 431 tristate 432 433endif # NF_CONNTRACK 434 435config NF_TABLES 436 select NETFILTER_NETLINK 437 tristate "Netfilter nf_tables support" 438 help 439 nftables is the new packet classification framework that intends to 440 replace the existing {ip,ip6,arp,eb}_tables infrastructure. It 441 provides a pseudo-state machine with an extensible instruction-set 442 (also known as expressions) that the userspace 'nft' utility 443 (http://www.netfilter.org/projects/nftables) uses to build the 444 rule-set. It also comes with the generic set infrastructure that 445 allows you to construct mappings between matchings and actions 446 for performance lookups. 447 448 To compile it as a module, choose M here. 449 450if NF_TABLES 451 452config NF_TABLES_INET 453 depends on IPV6 454 select NF_TABLES_IPV4 455 select NF_TABLES_IPV6 456 tristate "Netfilter nf_tables mixed IPv4/IPv6 tables support" 457 help 458 This option enables support for a mixed IPv4/IPv6 "inet" table. 459 460config NF_TABLES_NETDEV 461 tristate "Netfilter nf_tables netdev tables support" 462 help 463 This option enables support for the "netdev" table. 464 465config NFT_EXTHDR 466 tristate "Netfilter nf_tables IPv6 exthdr module" 467 help 468 This option adds the "exthdr" expression that you can use to match 469 IPv6 extension headers. 470 471config NFT_META 472 tristate "Netfilter nf_tables meta module" 473 help 474 This option adds the "meta" expression that you can use to match and 475 to set packet metainformation such as the packet mark. 476 477config NFT_NUMGEN 478 tristate "Netfilter nf_tables number generator module" 479 help 480 This option adds the number generator expression used to perform 481 incremental counting and random numbers bound to a upper limit. 482 483config NFT_CT 484 depends on NF_CONNTRACK 485 tristate "Netfilter nf_tables conntrack module" 486 help 487 This option adds the "meta" expression that you can use to match 488 connection tracking information such as the flow state. 489 490config NFT_SET_RBTREE 491 tristate "Netfilter nf_tables rbtree set module" 492 help 493 This option adds the "rbtree" set type (Red Black tree) that is used 494 to build interval-based sets. 495 496config NFT_SET_HASH 497 tristate "Netfilter nf_tables hash set module" 498 help 499 This option adds the "hash" set type that is used to build one-way 500 mappings between matchings and actions. 501 502config NFT_COUNTER 503 tristate "Netfilter nf_tables counter module" 504 help 505 This option adds the "counter" expression that you can use to 506 include packet and byte counters in a rule. 507 508config NFT_LOG 509 tristate "Netfilter nf_tables log module" 510 help 511 This option adds the "log" expression that you can use to log 512 packets matching some criteria. 513 514config NFT_LIMIT 515 tristate "Netfilter nf_tables limit module" 516 help 517 This option adds the "limit" expression that you can use to 518 ratelimit rule matchings. 519 520config NFT_MASQ 521 depends on NF_CONNTRACK 522 depends on NF_NAT 523 tristate "Netfilter nf_tables masquerade support" 524 help 525 This option adds the "masquerade" expression that you can use 526 to perform NAT in the masquerade flavour. 527 528config NFT_REDIR 529 depends on NF_CONNTRACK 530 depends on NF_NAT 531 tristate "Netfilter nf_tables redirect support" 532 help 533 This options adds the "redirect" expression that you can use 534 to perform NAT in the redirect flavour. 535 536config NFT_NAT 537 depends on NF_CONNTRACK 538 select NF_NAT 539 tristate "Netfilter nf_tables nat module" 540 help 541 This option adds the "nat" expression that you can use to perform 542 typical Network Address Translation (NAT) packet transformations. 543 544config NFT_QUEUE 545 depends on NETFILTER_NETLINK_QUEUE 546 tristate "Netfilter nf_tables queue module" 547 help 548 This is required if you intend to use the userspace queueing 549 infrastructure (also known as NFQUEUE) from nftables. 550 551config NFT_QUOTA 552 tristate "Netfilter nf_tables quota module" 553 help 554 This option adds the "quota" expression that you can use to match 555 enforce bytes quotas. 556 557config NFT_REJECT 558 default m if NETFILTER_ADVANCED=n 559 tristate "Netfilter nf_tables reject support" 560 help 561 This option adds the "reject" expression that you can use to 562 explicitly deny and notify via TCP reset/ICMP informational errors 563 unallowed traffic. 564 565config NFT_REJECT_INET 566 depends on NF_TABLES_INET 567 default NFT_REJECT 568 tristate 569 570config NFT_COMPAT 571 depends on NETFILTER_XTABLES 572 tristate "Netfilter x_tables over nf_tables module" 573 help 574 This is required if you intend to use any of existing 575 x_tables match/target extensions over the nf_tables 576 framework. 577 578config NFT_HASH 579 tristate "Netfilter nf_tables hash module" 580 help 581 This option adds the "hash" expression that you can use to perform 582 a hash operation on registers. 583 584if NF_TABLES_NETDEV 585 586config NF_DUP_NETDEV 587 tristate "Netfilter packet duplication support" 588 help 589 This option enables the generic packet duplication infrastructure 590 for Netfilter. 591 592config NFT_DUP_NETDEV 593 tristate "Netfilter nf_tables netdev packet duplication support" 594 select NF_DUP_NETDEV 595 help 596 This option enables packet duplication for the "netdev" family. 597 598config NFT_FWD_NETDEV 599 tristate "Netfilter nf_tables netdev packet forwarding support" 600 select NF_DUP_NETDEV 601 help 602 This option enables packet forwarding for the "netdev" family. 603 604endif # NF_TABLES_NETDEV 605 606endif # NF_TABLES 607 608config NETFILTER_XTABLES 609 tristate "Netfilter Xtables support (required for ip_tables)" 610 default m if NETFILTER_ADVANCED=n 611 help 612 This is required if you intend to use any of ip_tables, 613 ip6_tables or arp_tables. 614 615if NETFILTER_XTABLES 616 617comment "Xtables combined modules" 618 619config NETFILTER_XT_MARK 620 tristate 'nfmark target and match support' 621 default m if NETFILTER_ADVANCED=n 622 ---help--- 623 This option adds the "MARK" target and "mark" match. 624 625 Netfilter mark matching allows you to match packets based on the 626 "nfmark" value in the packet. 627 The target allows you to create rules in the "mangle" table which alter 628 the netfilter mark (nfmark) field associated with the packet. 629 630 Prior to routing, the nfmark can influence the routing method and can 631 also be used by other subsystems to change their behavior. 632 633config NETFILTER_XT_CONNMARK 634 tristate 'ctmark target and match support' 635 depends on NF_CONNTRACK 636 depends on NETFILTER_ADVANCED 637 select NF_CONNTRACK_MARK 638 ---help--- 639 This option adds the "CONNMARK" target and "connmark" match. 640 641 Netfilter allows you to store a mark value per connection (a.k.a. 642 ctmark), similarly to the packet mark (nfmark). Using this 643 target and match, you can set and match on this mark. 644 645config NETFILTER_XT_SET 646 tristate 'set target and match support' 647 depends on IP_SET 648 depends on NETFILTER_ADVANCED 649 help 650 This option adds the "SET" target and "set" match. 651 652 Using this target and match, you can add/delete and match 653 elements in the sets created by ipset(8). 654 655 To compile it as a module, choose M here. If unsure, say N. 656 657# alphabetically ordered list of targets 658 659comment "Xtables targets" 660 661config NETFILTER_XT_TARGET_AUDIT 662 tristate "AUDIT target support" 663 depends on AUDIT 664 depends on NETFILTER_ADVANCED 665 ---help--- 666 This option adds a 'AUDIT' target, which can be used to create 667 audit records for packets dropped/accepted. 668 669 To compileit as a module, choose M here. If unsure, say N. 670 671config NETFILTER_XT_TARGET_CHECKSUM 672 tristate "CHECKSUM target support" 673 depends on IP_NF_MANGLE || IP6_NF_MANGLE 674 depends on NETFILTER_ADVANCED 675 ---help--- 676 This option adds a `CHECKSUM' target, which can be used in the iptables mangle 677 table. 678 679 You can use this target to compute and fill in the checksum in 680 a packet that lacks a checksum. This is particularly useful, 681 if you need to work around old applications such as dhcp clients, 682 that do not work well with checksum offloads, but don't want to disable 683 checksum offload in your device. 684 685 To compile it as a module, choose M here. If unsure, say N. 686 687config NETFILTER_XT_TARGET_CLASSIFY 688 tristate '"CLASSIFY" target support' 689 depends on NETFILTER_ADVANCED 690 help 691 This option adds a `CLASSIFY' target, which enables the user to set 692 the priority of a packet. Some qdiscs can use this value for 693 classification, among these are: 694 695 atm, cbq, dsmark, pfifo_fast, htb, prio 696 697 To compile it as a module, choose M here. If unsure, say N. 698 699config NETFILTER_XT_TARGET_CONNMARK 700 tristate '"CONNMARK" target support' 701 depends on NF_CONNTRACK 702 depends on NETFILTER_ADVANCED 703 select NETFILTER_XT_CONNMARK 704 ---help--- 705 This is a backwards-compat option for the user's convenience 706 (e.g. when running oldconfig). It selects 707 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module). 708 709config NETFILTER_XT_TARGET_CONNSECMARK 710 tristate '"CONNSECMARK" target support' 711 depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK 712 default m if NETFILTER_ADVANCED=n 713 help 714 The CONNSECMARK target copies security markings from packets 715 to connections, and restores security markings from connections 716 to packets (if the packets are not already marked). This would 717 normally be used in conjunction with the SECMARK target. 718 719 To compile it as a module, choose M here. If unsure, say N. 720 721config NETFILTER_XT_TARGET_CT 722 tristate '"CT" target support' 723 depends on NF_CONNTRACK 724 depends on IP_NF_RAW || IP6_NF_RAW 725 depends on NETFILTER_ADVANCED 726 help 727 This options adds a `CT' target, which allows to specify initial 728 connection tracking parameters like events to be delivered and 729 the helper to be used. 730 731 To compile it as a module, choose M here. If unsure, say N. 732 733config NETFILTER_XT_TARGET_DSCP 734 tristate '"DSCP" and "TOS" target support' 735 depends on IP_NF_MANGLE || IP6_NF_MANGLE 736 depends on NETFILTER_ADVANCED 737 help 738 This option adds a `DSCP' target, which allows you to manipulate 739 the IPv4/IPv6 header DSCP field (differentiated services codepoint). 740 741 The DSCP field can have any value between 0x0 and 0x3f inclusive. 742 743 It also adds the "TOS" target, which allows you to create rules in 744 the "mangle" table which alter the Type Of Service field of an IPv4 745 or the Priority field of an IPv6 packet, prior to routing. 746 747 To compile it as a module, choose M here. If unsure, say N. 748 749config NETFILTER_XT_TARGET_HL 750 tristate '"HL" hoplimit target support' 751 depends on IP_NF_MANGLE || IP6_NF_MANGLE 752 depends on NETFILTER_ADVANCED 753 ---help--- 754 This option adds the "HL" (for IPv6) and "TTL" (for IPv4) 755 targets, which enable the user to change the 756 hoplimit/time-to-live value of the IP header. 757 758 While it is safe to decrement the hoplimit/TTL value, the 759 modules also allow to increment and set the hoplimit value of 760 the header to arbitrary values. This is EXTREMELY DANGEROUS 761 since you can easily create immortal packets that loop 762 forever on the network. 763 764config NETFILTER_XT_TARGET_HMARK 765 tristate '"HMARK" target support' 766 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n 767 depends on NETFILTER_ADVANCED 768 ---help--- 769 This option adds the "HMARK" target. 770 771 The target allows you to create rules in the "raw" and "mangle" tables 772 which set the skbuff mark by means of hash calculation within a given 773 range. The nfmark can influence the routing method and can also be used 774 by other subsystems to change their behaviour. 775 776 To compile it as a module, choose M here. If unsure, say N. 777 778config NETFILTER_XT_TARGET_IDLETIMER 779 tristate "IDLETIMER target support" 780 depends on NETFILTER_ADVANCED 781 help 782 783 This option adds the `IDLETIMER' target. Each matching packet 784 resets the timer associated with label specified when the rule is 785 added. When the timer expires, it triggers a sysfs notification. 786 The remaining time for expiration can be read via sysfs. 787 788 To compile it as a module, choose M here. If unsure, say N. 789 790config NETFILTER_XT_TARGET_LED 791 tristate '"LED" target support' 792 depends on LEDS_CLASS && LEDS_TRIGGERS 793 depends on NETFILTER_ADVANCED 794 help 795 This option adds a `LED' target, which allows you to blink LEDs in 796 response to particular packets passing through your machine. 797 798 This can be used to turn a spare LED into a network activity LED, 799 which only flashes in response to FTP transfers, for example. Or 800 you could have an LED which lights up for a minute or two every time 801 somebody connects to your machine via SSH. 802 803 You will need support for the "led" class to make this work. 804 805 To create an LED trigger for incoming SSH traffic: 806 iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000 807 808 Then attach the new trigger to an LED on your system: 809 echo netfilter-ssh > /sys/class/leds/<ledname>/trigger 810 811 For more information on the LEDs available on your system, see 812 Documentation/leds/leds-class.txt 813 814config NETFILTER_XT_TARGET_LOG 815 tristate "LOG target support" 816 select NF_LOG_COMMON 817 select NF_LOG_IPV4 818 select NF_LOG_IPV6 if IPV6 819 default m if NETFILTER_ADVANCED=n 820 help 821 This option adds a `LOG' target, which allows you to create rules in 822 any iptables table which records the packet header to the syslog. 823 824 To compile it as a module, choose M here. If unsure, say N. 825 826config NETFILTER_XT_TARGET_MARK 827 tristate '"MARK" target support' 828 depends on NETFILTER_ADVANCED 829 select NETFILTER_XT_MARK 830 ---help--- 831 This is a backwards-compat option for the user's convenience 832 (e.g. when running oldconfig). It selects 833 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module). 834 835config NETFILTER_XT_NAT 836 tristate '"SNAT and DNAT" targets support' 837 depends on NF_NAT 838 ---help--- 839 This option enables the SNAT and DNAT targets. 840 841 To compile it as a module, choose M here. If unsure, say N. 842 843config NETFILTER_XT_TARGET_NETMAP 844 tristate '"NETMAP" target support' 845 depends on NF_NAT 846 ---help--- 847 NETMAP is an implementation of static 1:1 NAT mapping of network 848 addresses. It maps the network address part, while keeping the host 849 address part intact. 850 851 To compile it as a module, choose M here. If unsure, say N. 852 853config NETFILTER_XT_TARGET_NFLOG 854 tristate '"NFLOG" target support' 855 default m if NETFILTER_ADVANCED=n 856 select NETFILTER_NETLINK_LOG 857 help 858 This option enables the NFLOG target, which allows to LOG 859 messages through nfnetlink_log. 860 861 To compile it as a module, choose M here. If unsure, say N. 862 863config NETFILTER_XT_TARGET_NFQUEUE 864 tristate '"NFQUEUE" target Support' 865 depends on NETFILTER_ADVANCED 866 select NETFILTER_NETLINK_QUEUE 867 help 868 This target replaced the old obsolete QUEUE target. 869 870 As opposed to QUEUE, it supports 65535 different queues, 871 not just one. 872 873 To compile it as a module, choose M here. If unsure, say N. 874 875config NETFILTER_XT_TARGET_NOTRACK 876 tristate '"NOTRACK" target support (DEPRECATED)' 877 depends on NF_CONNTRACK 878 depends on IP_NF_RAW || IP6_NF_RAW 879 depends on NETFILTER_ADVANCED 880 select NETFILTER_XT_TARGET_CT 881 882config NETFILTER_XT_TARGET_RATEEST 883 tristate '"RATEEST" target support' 884 depends on NETFILTER_ADVANCED 885 help 886 This option adds a `RATEEST' target, which allows to measure 887 rates similar to TC estimators. The `rateest' match can be 888 used to match on the measured rates. 889 890 To compile it as a module, choose M here. If unsure, say N. 891 892config NETFILTER_XT_TARGET_REDIRECT 893 tristate "REDIRECT target support" 894 depends on NF_NAT 895 select NF_NAT_REDIRECT 896 ---help--- 897 REDIRECT is a special case of NAT: all incoming connections are 898 mapped onto the incoming interface's address, causing the packets to 899 come to the local machine instead of passing through. This is 900 useful for transparent proxies. 901 902 To compile it as a module, choose M here. If unsure, say N. 903 904config NETFILTER_XT_TARGET_TEE 905 tristate '"TEE" - packet cloning to alternate destination' 906 depends on NETFILTER_ADVANCED 907 depends on IPV6 || IPV6=n 908 depends on !NF_CONNTRACK || NF_CONNTRACK 909 select NF_DUP_IPV4 910 select NF_DUP_IPV6 if IPV6 911 ---help--- 912 This option adds a "TEE" target with which a packet can be cloned and 913 this clone be rerouted to another nexthop. 914 915config NETFILTER_XT_TARGET_TPROXY 916 tristate '"TPROXY" target transparent proxying support' 917 depends on NETFILTER_XTABLES 918 depends on NETFILTER_ADVANCED 919 depends on IPV6 || IPV6=n 920 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n 921 depends on IP_NF_MANGLE 922 select NF_DEFRAG_IPV4 923 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n 924 help 925 This option adds a `TPROXY' target, which is somewhat similar to 926 REDIRECT. It can only be used in the mangle table and is useful 927 to redirect traffic to a transparent proxy. It does _not_ depend 928 on Netfilter connection tracking and NAT, unlike REDIRECT. 929 For it to work you will have to configure certain iptables rules 930 and use policy routing. For more information on how to set it up 931 see Documentation/networking/tproxy.txt. 932 933 To compile it as a module, choose M here. If unsure, say N. 934 935config NETFILTER_XT_TARGET_TRACE 936 tristate '"TRACE" target support' 937 depends on IP_NF_RAW || IP6_NF_RAW 938 depends on NETFILTER_ADVANCED 939 help 940 The TRACE target allows you to mark packets so that the kernel 941 will log every rule which match the packets as those traverse 942 the tables, chains, rules. 943 944 If you want to compile it as a module, say M here and read 945 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 946 947config NETFILTER_XT_TARGET_SECMARK 948 tristate '"SECMARK" target support' 949 depends on NETWORK_SECMARK 950 default m if NETFILTER_ADVANCED=n 951 help 952 The SECMARK target allows security marking of network 953 packets, for use with security subsystems. 954 955 To compile it as a module, choose M here. If unsure, say N. 956 957config NETFILTER_XT_TARGET_TCPMSS 958 tristate '"TCPMSS" target support' 959 depends on IPV6 || IPV6=n 960 default m if NETFILTER_ADVANCED=n 961 ---help--- 962 This option adds a `TCPMSS' target, which allows you to alter the 963 MSS value of TCP SYN packets, to control the maximum size for that 964 connection (usually limiting it to your outgoing interface's MTU 965 minus 40). 966 967 This is used to overcome criminally braindead ISPs or servers which 968 block ICMP Fragmentation Needed packets. The symptoms of this 969 problem are that everything works fine from your Linux 970 firewall/router, but machines behind it can never exchange large 971 packets: 972 1) Web browsers connect, then hang with no data received. 973 2) Small mail works fine, but large emails hang. 974 3) ssh works fine, but scp hangs after initial handshaking. 975 976 Workaround: activate this option and add a rule to your firewall 977 configuration like: 978 979 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \ 980 -j TCPMSS --clamp-mss-to-pmtu 981 982 To compile it as a module, choose M here. If unsure, say N. 983 984config NETFILTER_XT_TARGET_TCPOPTSTRIP 985 tristate '"TCPOPTSTRIP" target support' 986 depends on IP_NF_MANGLE || IP6_NF_MANGLE 987 depends on NETFILTER_ADVANCED 988 help 989 This option adds a "TCPOPTSTRIP" target, which allows you to strip 990 TCP options from TCP packets. 991 992# alphabetically ordered list of matches 993 994comment "Xtables matches" 995 996config NETFILTER_XT_MATCH_ADDRTYPE 997 tristate '"addrtype" address type match support' 998 default m if NETFILTER_ADVANCED=n 999 ---help--- 1000 This option allows you to match what routing thinks of an address, 1001 eg. UNICAST, LOCAL, BROADCAST, ... 1002 1003 If you want to compile it as a module, say M here and read 1004 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 1005 1006config NETFILTER_XT_MATCH_BPF 1007 tristate '"bpf" match support' 1008 depends on NETFILTER_ADVANCED 1009 help 1010 BPF matching applies a linux socket filter to each packet and 1011 accepts those for which the filter returns non-zero. 1012 1013 To compile it as a module, choose M here. If unsure, say N. 1014 1015config NETFILTER_XT_MATCH_CGROUP 1016 tristate '"control group" match support' 1017 depends on NETFILTER_ADVANCED 1018 depends on CGROUPS 1019 select CGROUP_NET_CLASSID 1020 ---help--- 1021 Socket/process control group matching allows you to match locally 1022 generated packets based on which net_cls control group processes 1023 belong to. 1024 1025config NETFILTER_XT_MATCH_CLUSTER 1026 tristate '"cluster" match support' 1027 depends on NF_CONNTRACK 1028 depends on NETFILTER_ADVANCED 1029 ---help--- 1030 This option allows you to build work-load-sharing clusters of 1031 network servers/stateful firewalls without having a dedicated 1032 load-balancing router/server/switch. Basically, this match returns 1033 true when the packet must be handled by this cluster node. Thus, 1034 all nodes see all packets and this match decides which node handles 1035 what packets. The work-load sharing algorithm is based on source 1036 address hashing. 1037 1038 If you say Y or M here, try `iptables -m cluster --help` for 1039 more information. 1040 1041config NETFILTER_XT_MATCH_COMMENT 1042 tristate '"comment" match support' 1043 depends on NETFILTER_ADVANCED 1044 help 1045 This option adds a `comment' dummy-match, which allows you to put 1046 comments in your iptables ruleset. 1047 1048 If you want to compile it as a module, say M here and read 1049 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 1050 1051config NETFILTER_XT_MATCH_CONNBYTES 1052 tristate '"connbytes" per-connection counter match support' 1053 depends on NF_CONNTRACK 1054 depends on NETFILTER_ADVANCED 1055 help 1056 This option adds a `connbytes' match, which allows you to match the 1057 number of bytes and/or packets for each direction within a connection. 1058 1059 If you want to compile it as a module, say M here and read 1060 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 1061 1062config NETFILTER_XT_MATCH_CONNLABEL 1063 tristate '"connlabel" match support' 1064 select NF_CONNTRACK_LABELS 1065 depends on NF_CONNTRACK 1066 depends on NETFILTER_ADVANCED 1067 ---help--- 1068 This match allows you to test and assign userspace-defined labels names 1069 to a connection. The kernel only stores bit values - mapping 1070 names to bits is done by userspace. 1071 1072 Unlike connmark, more than 32 flag bits may be assigned to a 1073 connection simultaneously. 1074 1075config NETFILTER_XT_MATCH_CONNLIMIT 1076 tristate '"connlimit" match support' 1077 depends on NF_CONNTRACK 1078 depends on NETFILTER_ADVANCED 1079 ---help--- 1080 This match allows you to match against the number of parallel 1081 connections to a server per client IP address (or address block). 1082 1083config NETFILTER_XT_MATCH_CONNMARK 1084 tristate '"connmark" connection mark match support' 1085 depends on NF_CONNTRACK 1086 depends on NETFILTER_ADVANCED 1087 select NETFILTER_XT_CONNMARK 1088 ---help--- 1089 This is a backwards-compat option for the user's convenience 1090 (e.g. when running oldconfig). It selects 1091 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module). 1092 1093config NETFILTER_XT_MATCH_CONNTRACK 1094 tristate '"conntrack" connection tracking match support' 1095 depends on NF_CONNTRACK 1096 default m if NETFILTER_ADVANCED=n 1097 help 1098 This is a general conntrack match module, a superset of the state match. 1099 1100 It allows matching on additional conntrack information, which is 1101 useful in complex configurations, such as NAT gateways with multiple 1102 internet links or tunnels. 1103 1104 To compile it as a module, choose M here. If unsure, say N. 1105 1106config NETFILTER_XT_MATCH_CPU 1107 tristate '"cpu" match support' 1108 depends on NETFILTER_ADVANCED 1109 help 1110 CPU matching allows you to match packets based on the CPU 1111 currently handling the packet. 1112 1113 To compile it as a module, choose M here. If unsure, say N. 1114 1115config NETFILTER_XT_MATCH_DCCP 1116 tristate '"dccp" protocol match support' 1117 depends on NETFILTER_ADVANCED 1118 default IP_DCCP 1119 help 1120 With this option enabled, you will be able to use the iptables 1121 `dccp' match in order to match on DCCP source/destination ports 1122 and DCCP flags. 1123 1124 If you want to compile it as a module, say M here and read 1125 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 1126 1127config NETFILTER_XT_MATCH_DEVGROUP 1128 tristate '"devgroup" match support' 1129 depends on NETFILTER_ADVANCED 1130 help 1131 This options adds a `devgroup' match, which allows to match on the 1132 device group a network device is assigned to. 1133 1134 To compile it as a module, choose M here. If unsure, say N. 1135 1136config NETFILTER_XT_MATCH_DSCP 1137 tristate '"dscp" and "tos" match support' 1138 depends on NETFILTER_ADVANCED 1139 help 1140 This option adds a `DSCP' match, which allows you to match against 1141 the IPv4/IPv6 header DSCP field (differentiated services codepoint). 1142 1143 The DSCP field can have any value between 0x0 and 0x3f inclusive. 1144 1145 It will also add a "tos" match, which allows you to match packets 1146 based on the Type Of Service fields of the IPv4 packet (which share 1147 the same bits as DSCP). 1148 1149 To compile it as a module, choose M here. If unsure, say N. 1150 1151config NETFILTER_XT_MATCH_ECN 1152 tristate '"ecn" match support' 1153 depends on NETFILTER_ADVANCED 1154 ---help--- 1155 This option adds an "ECN" match, which allows you to match against 1156 the IPv4 and TCP header ECN fields. 1157 1158 To compile it as a module, choose M here. If unsure, say N. 1159 1160config NETFILTER_XT_MATCH_ESP 1161 tristate '"esp" match support' 1162 depends on NETFILTER_ADVANCED 1163 help 1164 This match extension allows you to match a range of SPIs 1165 inside ESP header of IPSec packets. 1166 1167 To compile it as a module, choose M here. If unsure, say N. 1168 1169config NETFILTER_XT_MATCH_HASHLIMIT 1170 tristate '"hashlimit" match support' 1171 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n 1172 depends on NETFILTER_ADVANCED 1173 help 1174 This option adds a `hashlimit' match. 1175 1176 As opposed to `limit', this match dynamically creates a hash table 1177 of limit buckets, based on your selection of source/destination 1178 addresses and/or ports. 1179 1180 It enables you to express policies like `10kpps for any given 1181 destination address' or `500pps from any given source address' 1182 with a single rule. 1183 1184config NETFILTER_XT_MATCH_HELPER 1185 tristate '"helper" match support' 1186 depends on NF_CONNTRACK 1187 depends on NETFILTER_ADVANCED 1188 help 1189 Helper matching allows you to match packets in dynamic connections 1190 tracked by a conntrack-helper, ie. ip_conntrack_ftp 1191 1192 To compile it as a module, choose M here. If unsure, say Y. 1193 1194config NETFILTER_XT_MATCH_HL 1195 tristate '"hl" hoplimit/TTL match support' 1196 depends on NETFILTER_ADVANCED 1197 ---help--- 1198 HL matching allows you to match packets based on the hoplimit 1199 in the IPv6 header, or the time-to-live field in the IPv4 1200 header of the packet. 1201 1202config NETFILTER_XT_MATCH_IPCOMP 1203 tristate '"ipcomp" match support' 1204 depends on NETFILTER_ADVANCED 1205 help 1206 This match extension allows you to match a range of CPIs(16 bits) 1207 inside IPComp header of IPSec packets. 1208 1209 To compile it as a module, choose M here. If unsure, say N. 1210 1211config NETFILTER_XT_MATCH_IPRANGE 1212 tristate '"iprange" address range match support' 1213 depends on NETFILTER_ADVANCED 1214 ---help--- 1215 This option adds a "iprange" match, which allows you to match based on 1216 an IP address range. (Normal iptables only matches on single addresses 1217 with an optional mask.) 1218 1219 If unsure, say M. 1220 1221config NETFILTER_XT_MATCH_IPVS 1222 tristate '"ipvs" match support' 1223 depends on IP_VS 1224 depends on NETFILTER_ADVANCED 1225 depends on NF_CONNTRACK 1226 help 1227 This option allows you to match against IPVS properties of a packet. 1228 1229 If unsure, say N. 1230 1231config NETFILTER_XT_MATCH_L2TP 1232 tristate '"l2tp" match support' 1233 depends on NETFILTER_ADVANCED 1234 default L2TP 1235 ---help--- 1236 This option adds an "L2TP" match, which allows you to match against 1237 L2TP protocol header fields. 1238 1239 To compile it as a module, choose M here. If unsure, say N. 1240 1241config NETFILTER_XT_MATCH_LENGTH 1242 tristate '"length" match support' 1243 depends on NETFILTER_ADVANCED 1244 help 1245 This option allows you to match the length of a packet against a 1246 specific value or range of values. 1247 1248 To compile it as a module, choose M here. If unsure, say N. 1249 1250config NETFILTER_XT_MATCH_LIMIT 1251 tristate '"limit" match support' 1252 depends on NETFILTER_ADVANCED 1253 help 1254 limit matching allows you to control the rate at which a rule can be 1255 matched: mainly useful in combination with the LOG target ("LOG 1256 target support", below) and to avoid some Denial of Service attacks. 1257 1258 To compile it as a module, choose M here. If unsure, say N. 1259 1260config NETFILTER_XT_MATCH_MAC 1261 tristate '"mac" address match support' 1262 depends on NETFILTER_ADVANCED 1263 help 1264 MAC matching allows you to match packets based on the source 1265 Ethernet address of the packet. 1266 1267 To compile it as a module, choose M here. If unsure, say N. 1268 1269config NETFILTER_XT_MATCH_MARK 1270 tristate '"mark" match support' 1271 depends on NETFILTER_ADVANCED 1272 select NETFILTER_XT_MARK 1273 ---help--- 1274 This is a backwards-compat option for the user's convenience 1275 (e.g. when running oldconfig). It selects 1276 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module). 1277 1278config NETFILTER_XT_MATCH_MULTIPORT 1279 tristate '"multiport" Multiple port match support' 1280 depends on NETFILTER_ADVANCED 1281 help 1282 Multiport matching allows you to match TCP or UDP packets based on 1283 a series of source or destination ports: normally a rule can only 1284 match a single range of ports. 1285 1286 To compile it as a module, choose M here. If unsure, say N. 1287 1288config NETFILTER_XT_MATCH_NFACCT 1289 tristate '"nfacct" match support' 1290 depends on NETFILTER_ADVANCED 1291 select NETFILTER_NETLINK_ACCT 1292 help 1293 This option allows you to use the extended accounting through 1294 nfnetlink_acct. 1295 1296 To compile it as a module, choose M here. If unsure, say N. 1297 1298config NETFILTER_XT_MATCH_OSF 1299 tristate '"osf" Passive OS fingerprint match' 1300 depends on NETFILTER_ADVANCED && NETFILTER_NETLINK 1301 help 1302 This option selects the Passive OS Fingerprinting match module 1303 that allows to passively match the remote operating system by 1304 analyzing incoming TCP SYN packets. 1305 1306 Rules and loading software can be downloaded from 1307 http://www.ioremap.net/projects/osf 1308 1309 To compile it as a module, choose M here. If unsure, say N. 1310 1311config NETFILTER_XT_MATCH_OWNER 1312 tristate '"owner" match support' 1313 depends on NETFILTER_ADVANCED 1314 ---help--- 1315 Socket owner matching allows you to match locally-generated packets 1316 based on who created the socket: the user or group. It is also 1317 possible to check whether a socket actually exists. 1318 1319config NETFILTER_XT_MATCH_POLICY 1320 tristate 'IPsec "policy" match support' 1321 depends on XFRM 1322 default m if NETFILTER_ADVANCED=n 1323 help 1324 Policy matching allows you to match packets based on the 1325 IPsec policy that was used during decapsulation/will 1326 be used during encapsulation. 1327 1328 To compile it as a module, choose M here. If unsure, say N. 1329 1330config NETFILTER_XT_MATCH_PHYSDEV 1331 tristate '"physdev" match support' 1332 depends on BRIDGE && BRIDGE_NETFILTER 1333 depends on NETFILTER_ADVANCED 1334 help 1335 Physdev packet matching matches against the physical bridge ports 1336 the IP packet arrived on or will leave by. 1337 1338 To compile it as a module, choose M here. If unsure, say N. 1339 1340config NETFILTER_XT_MATCH_PKTTYPE 1341 tristate '"pkttype" packet type match support' 1342 depends on NETFILTER_ADVANCED 1343 help 1344 Packet type matching allows you to match a packet by 1345 its "class", eg. BROADCAST, MULTICAST, ... 1346 1347 Typical usage: 1348 iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG 1349 1350 To compile it as a module, choose M here. If unsure, say N. 1351 1352config NETFILTER_XT_MATCH_QUOTA 1353 tristate '"quota" match support' 1354 depends on NETFILTER_ADVANCED 1355 help 1356 This option adds a `quota' match, which allows to match on a 1357 byte counter. 1358 1359 If you want to compile it as a module, say M here and read 1360 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 1361 1362config NETFILTER_XT_MATCH_RATEEST 1363 tristate '"rateest" match support' 1364 depends on NETFILTER_ADVANCED 1365 select NETFILTER_XT_TARGET_RATEEST 1366 help 1367 This option adds a `rateest' match, which allows to match on the 1368 rate estimated by the RATEEST target. 1369 1370 To compile it as a module, choose M here. If unsure, say N. 1371 1372config NETFILTER_XT_MATCH_REALM 1373 tristate '"realm" match support' 1374 depends on NETFILTER_ADVANCED 1375 select IP_ROUTE_CLASSID 1376 help 1377 This option adds a `realm' match, which allows you to use the realm 1378 key from the routing subsystem inside iptables. 1379 1380 This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option 1381 in tc world. 1382 1383 If you want to compile it as a module, say M here and read 1384 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 1385 1386config NETFILTER_XT_MATCH_RECENT 1387 tristate '"recent" match support' 1388 depends on NETFILTER_ADVANCED 1389 ---help--- 1390 This match is used for creating one or many lists of recently 1391 used addresses and then matching against that/those list(s). 1392 1393 Short options are available by using 'iptables -m recent -h' 1394 Official Website: <http://snowman.net/projects/ipt_recent/> 1395 1396config NETFILTER_XT_MATCH_SCTP 1397 tristate '"sctp" protocol match support' 1398 depends on NETFILTER_ADVANCED 1399 default IP_SCTP 1400 help 1401 With this option enabled, you will be able to use the 1402 `sctp' match in order to match on SCTP source/destination ports 1403 and SCTP chunk types. 1404 1405 If you want to compile it as a module, say M here and read 1406 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 1407 1408config NETFILTER_XT_MATCH_SOCKET 1409 tristate '"socket" match support' 1410 depends on NETFILTER_XTABLES 1411 depends on NETFILTER_ADVANCED 1412 depends on !NF_CONNTRACK || NF_CONNTRACK 1413 depends on IPV6 || IPV6=n 1414 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n 1415 select NF_DEFRAG_IPV4 1416 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n 1417 help 1418 This option adds a `socket' match, which can be used to match 1419 packets for which a TCP or UDP socket lookup finds a valid socket. 1420 It can be used in combination with the MARK target and policy 1421 routing to implement full featured non-locally bound sockets. 1422 1423 To compile it as a module, choose M here. If unsure, say N. 1424 1425config NETFILTER_XT_MATCH_STATE 1426 tristate '"state" match support' 1427 depends on NF_CONNTRACK 1428 default m if NETFILTER_ADVANCED=n 1429 help 1430 Connection state matching allows you to match packets based on their 1431 relationship to a tracked connection (ie. previous packets). This 1432 is a powerful tool for packet classification. 1433 1434 To compile it as a module, choose M here. If unsure, say N. 1435 1436config NETFILTER_XT_MATCH_STATISTIC 1437 tristate '"statistic" match support' 1438 depends on NETFILTER_ADVANCED 1439 help 1440 This option adds a `statistic' match, which allows you to match 1441 on packets periodically or randomly with a given percentage. 1442 1443 To compile it as a module, choose M here. If unsure, say N. 1444 1445config NETFILTER_XT_MATCH_STRING 1446 tristate '"string" match support' 1447 depends on NETFILTER_ADVANCED 1448 select TEXTSEARCH 1449 select TEXTSEARCH_KMP 1450 select TEXTSEARCH_BM 1451 select TEXTSEARCH_FSM 1452 help 1453 This option adds a `string' match, which allows you to look for 1454 pattern matchings in packets. 1455 1456 To compile it as a module, choose M here. If unsure, say N. 1457 1458config NETFILTER_XT_MATCH_TCPMSS 1459 tristate '"tcpmss" match support' 1460 depends on NETFILTER_ADVANCED 1461 help 1462 This option adds a `tcpmss' match, which allows you to examine the 1463 MSS value of TCP SYN packets, which control the maximum packet size 1464 for that connection. 1465 1466 To compile it as a module, choose M here. If unsure, say N. 1467 1468config NETFILTER_XT_MATCH_TIME 1469 tristate '"time" match support' 1470 depends on NETFILTER_ADVANCED 1471 ---help--- 1472 This option adds a "time" match, which allows you to match based on 1473 the packet arrival time (at the machine which netfilter is running) 1474 on) or departure time/date (for locally generated packets). 1475 1476 If you say Y here, try `iptables -m time --help` for 1477 more information. 1478 1479 If you want to compile it as a module, say M here. 1480 If unsure, say N. 1481 1482config NETFILTER_XT_MATCH_U32 1483 tristate '"u32" match support' 1484 depends on NETFILTER_ADVANCED 1485 ---help--- 1486 u32 allows you to extract quantities of up to 4 bytes from a packet, 1487 AND them with specified masks, shift them by specified amounts and 1488 test whether the results are in any of a set of specified ranges. 1489 The specification of what to extract is general enough to skip over 1490 headers with lengths stored in the packet, as in IP or TCP header 1491 lengths. 1492 1493 Details and examples are in the kernel module source. 1494 1495endif # NETFILTER_XTABLES 1496 1497endmenu 1498 1499source "net/netfilter/ipset/Kconfig" 1500 1501source "net/netfilter/ipvs/Kconfig" 1502