menu "Core Netfilter Configuration"
	depends on NET && INET && NETFILTER

config NETFILTER_NETLINK
	tristate

config NETFILTER_NETLINK_QUEUE
	tristate "Netfilter NFQUEUE over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for queueing packets via NFNETLINK.

config NETFILTER_NETLINK_LOG
	tristate "Netfilter LOG over NFNETLINK interface"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for logging packets via NFNETLINK.

	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
	  and is also scheduled to replace the old syslog-based ipt_LOG
	  and ip6t_LOG modules.

config NF_CONNTRACK
	tristate "Netfilter connection tracking support"
	default m if NETFILTER_ADVANCED=n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is required to do Masquerading or other kinds of Network
	  Address Translation. It can also be used to enhance packet
	  filtering (see `Connection state match support' below).

	  To compile it as a module, choose M here. If unsure, say N.

if NF_CONNTRACK

config NF_CONNTRACK_MARK
	bool 'Connection mark tracking support'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match. Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config NF_CONNTRACK_SECMARK
	bool 'Connection tracking security mark support'
	depends on NETWORK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables security markings to be applied to
	  connections.
	  Typically they are copied to connections from
	  packets using the CONNSECMARK target and copied back from
	  connections to packets with the same target, with the packets
	  being originally labeled via SECMARK.

	  If unsure, say 'N'.

config NF_CONNTRACK_ZONES
	bool 'Connection tracking zones'
	depends on NETFILTER_ADVANCED
	depends on NETFILTER_XT_TARGET_CT
	help
	  This option enables support for connection tracking zones.
	  Normally, each connection needs to have a unique system wide
	  identity. Connection tracking zones allow multiple connections
	  to use the same identity, as long as they are contained in
	  different zones.

	  If unsure, say `N'.

config NF_CONNTRACK_EVENTS
	bool "Connection tracking events"
	depends on NETFILTER_ADVANCED
	help
	  If this option is enabled, the connection tracking code will
	  provide a notifier chain that can be used by other kernel code
	  to get notified about changes in the connection tracking state.

	  If unsure, say `N'.

config NF_CONNTRACK_TIMESTAMP
	bool 'Connection tracking timestamping'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection tracking timestamping.
	  This allows you to store the flow start-time and to obtain
	  the flow-stop time (once it has been destroyed) via Connection
	  tracking events.

	  If unsure, say `N'.

config NF_CT_PROTO_DCCP
	tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	default IP_DCCP
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on DCCP connections.

	  If unsure, say 'N'.
config NF_CT_PROTO_GRE
	tristate

config NF_CT_PROTO_SCTP
	tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	default IP_SCTP
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on SCTP connections.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NF_CT_PROTO_UDPLITE
	tristate 'UDP-Lite protocol connection tracking support'
	depends on NETFILTER_ADVANCED
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on UDP-Lite
	  connections.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_AMANDA
	tristate "Amanda backup protocol support"
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature. This allows the
	  connection tracking and natting code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and
	  index.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_FTP
	tristate "FTP protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them.

	  This is FTP support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.
	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_H323
	tristate "H.323 protocol support"
	depends on (IPV6 || IPV6=n)
	depends on NETFILTER_ADVANCED
	help
	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
	  important VoIP protocols, it is widely used by voice hardware and
	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
	  Gnomemeeting, etc.

	  With this module you can support H.323 on a connection tracking/NAT
	  firewall.

	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
	  whiteboard, file transfer, etc. For more information, please
	  visit http://nath323.sourceforge.net/.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_IRC
	tristate "IRC protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC). This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server. DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots. If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats. Note that you do NOT need this extension to get files or
	  have others initiate chats, or everything else in IRC.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_BROADCAST
	tristate

config NF_CONNTRACK_NETBIOS_NS
	tristate "NetBIOS name service protocol support"
	select NF_CONNTRACK_BROADCAST
	help
	  NetBIOS name service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port.
	  This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating NetBIOS name service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address. When properly configured, the output
	  of "ip address show" should look similar to this:

	  $ ip -4 address show eth0
	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SNMP
	tristate "SNMP service protocol support"
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_BROADCAST
	help
	  SNMP service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating SNMP service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_PPTP
	tristate "PPtP protocol support"
	depends on NETFILTER_ADVANCED
	select NF_CT_PROTO_GRE
	help
	  This module adds support for PPTP (Point to Point Tunnelling
	  Protocol, RFC2637) connection tracking and NAT.

	  If you are running PPTP sessions over a stateful firewall or NAT
	  box, you may want to enable this feature.

	  Please note that not all PPTP modes of operation are supported yet.
	  Specifically these limitations exist:
	    - Blindly assumes that control connections are always established
	      in PNS->PAC direction. This is a violation of RFC2637.
	    - Only supports a single call within each session

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SANE
	tristate "SANE protocol support (EXPERIMENTAL)"
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	help
	  SANE is a protocol for remote access to scanners as implemented
	  by the 'saned' daemon. Like FTP, it uses separate control and
	  data connections.

	  With this module you can support SANE on a connection tracking
	  firewall.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SIP
	tristate "SIP protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  SIP is an application-layer control protocol that can establish,
	  modify, and terminate multimedia sessions (conferences) such as
	  Internet telephony calls. With the ip_conntrack_sip and
	  the nf_nat_sip modules you can support the protocol on a connection
	  tracking/NATing firewall.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_TFTP
	tristate "TFTP protocol support"
	depends on NETFILTER_ADVANCED
	help
	  TFTP connection tracking helper; whether it is required depends
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADING
	  you will need this.

	  To compile it as a module, choose M here. If unsure, say N.
config NF_CT_NETLINK
	tristate 'Connection tracking netlink interface'
	select NETFILTER_NETLINK
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables support for a netlink-based userspace interface.

endif # NF_CONNTRACK

# transparent proxy support
config NETFILTER_TPROXY
	tristate "Transparent proxying support (EXPERIMENTAL)"
	depends on EXPERIMENTAL
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option enables transparent proxying support, that is,
	  support for handling non-locally bound IPv4 TCP and UDP sockets.
	  For it to work you will have to configure certain iptables rules
	  and use policy routing. For more information on how to set it up
	  see Documentation/networking/tproxy.txt.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XTABLES
	tristate "Netfilter Xtables support (required for ip_tables)"
	default m if NETFILTER_ADVANCED=n
	help
	  This is required if you intend to use any of ip_tables,
	  ip6_tables or arp_tables.

if NETFILTER_XTABLES

comment "Xtables combined modules"

config NETFILTER_XT_MARK
	tristate 'nfmark target and match support'
	default m if NETFILTER_ADVANCED=n
	---help---
	  This option adds the "MARK" target and "mark" match.

	  Netfilter mark matching allows you to match packets based on the
	  "nfmark" value in the packet.
	  The target allows you to create rules in the "mangle" table which alter
	  the netfilter mark (nfmark) field associated with the packet.

	  Prior to routing, the nfmark can influence the routing method (see
	  "Use netfilter MARK value as routing key") and can also be used by
	  other subsystems to change their behavior.
config NETFILTER_XT_CONNMARK
	tristate 'ctmark target and match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	---help---
	  This option adds the "CONNMARK" target and "connmark" match.

	  Netfilter allows you to store a mark value per connection (a.k.a.
	  ctmark), similarly to the packet mark (nfmark). Using this
	  target and match, you can set and match on this mark.

config NETFILTER_XT_SET
	tristate 'set target and match support'
	depends on IP_SET
	depends on NETFILTER_ADVANCED
	help
	  This option adds the "SET" target and "set" match.

	  Using this target and match, you can add/delete and match
	  elements in the sets created by ipset(8).

	  To compile it as a module, choose M here. If unsure, say N.

# alphabetically ordered list of targets

comment "Xtables targets"

config NETFILTER_XT_TARGET_AUDIT
	tristate "AUDIT target support"
	depends on AUDIT
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an 'AUDIT' target, which can be used to create
	  audit records for packets dropped/accepted.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CHECKSUM
	tristate "CHECKSUM target support"
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds a `CHECKSUM' target, which can be used in the iptables mangle
	  table.

	  You can use this target to compute and fill in the checksum in
	  a packet that lacks a checksum. This is particularly useful
	  if you need to work around old applications such as dhcp clients
	  that do not work well with checksum offloads, but don't want to disable
	  checksum offload in your device.

	  To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_TARGET_CLASSIFY
	tristate '"CLASSIFY" target support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet. Some qdiscs can use this value for
	  classification, among these are:

	  atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CONNMARK
	tristate '"CONNMARK" target support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_CONNMARK
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).

config NETFILTER_XT_TARGET_CONNSECMARK
	tristate '"CONNSECMARK" target support'
	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The CONNSECMARK target copies security markings from packets
	  to connections, and restores security markings from connections
	  to packets (if the packets are not already marked). This would
	  normally be used in conjunction with the SECMARK target.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CT
	tristate '"CT" target support'
	depends on NF_CONNTRACK
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CT' target, which allows you to specify initial
	  connection tracking parameters like events to be delivered and
	  the helper to be used.

	  To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_TARGET_DSCP
	tristate '"DSCP" and "TOS" target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' target, which allows you to manipulate
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It also adds the "TOS" target, which allows you to create rules in
	  the "mangle" table which alter the Type Of Service field of an IPv4
	  or the Priority field of an IPv6 packet, prior to routing.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
	  targets, which enable the user to change the
	  hoplimit/time-to-live value of the IP header.

	  While it is safe to decrement the hoplimit/TTL value, the
	  modules also allow you to increment and set the hoplimit value of
	  the header to arbitrary values. This is EXTREMELY DANGEROUS
	  since you can easily create immortal packets that loop
	  forever on the network.

config NETFILTER_XT_TARGET_IDLETIMER
	tristate "IDLETIMER target support"
	depends on NETFILTER_ADVANCED
	help

	  This option adds the `IDLETIMER' target. Each matching packet
	  resets the timer associated with the label specified when the rule is
	  added. When the timer expires, it triggers a sysfs notification.
	  The remaining time for expiration can be read via sysfs.

	  To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_TARGET_LED
	tristate '"LED" target support'
	depends on LEDS_CLASS && LEDS_TRIGGERS
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `LED' target, which allows you to blink LEDs in
	  response to particular packets passing through your machine.

	  This can be used to turn a spare LED into a network activity LED,
	  which only flashes in response to FTP transfers, for example. Or
	  you could have an LED which lights up for a minute or two every time
	  somebody connects to your machine via SSH.

	  You will need support for the "led" class to make this work.

	  To create an LED trigger for incoming SSH traffic:
	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000

	  Then attach the new trigger to an LED on your system:
	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger

	  For more information on the LEDs available on your system, see
	  Documentation/leds/leds-class.txt

config NETFILTER_XT_TARGET_MARK
	tristate '"MARK" target support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MARK
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).

config NETFILTER_XT_TARGET_NFLOG
	tristate '"NFLOG" target support'
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK_LOG
	help
	  This option enables the NFLOG target, which allows you to LOG
	  messages through nfnetlink_log.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NFQUEUE
	tristate '"NFQUEUE" target Support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK_QUEUE
	help
	  This target replaced the old obsolete QUEUE target.

	  As opposed to QUEUE, it supports 65535 different queues,
	  not just one.

	  To compile it as a module, choose M here.
	  If unsure, say N.

config NETFILTER_XT_TARGET_NOTRACK
	tristate '"NOTRACK" target support'
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NF_CONNTRACK
	help
	  The NOTRACK target allows a select rule to specify
	  which packets *not* to enter the conntrack/NAT
	  subsystem with all the consequences (no ICMP error tracking,
	  no protocol helpers for the selected packets).

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_TARGET_RATEEST
	tristate '"RATEEST" target support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `RATEEST' target, which allows you to measure
	  rates similar to TC estimators. The `rateest' match can be
	  used to match on the measured rates.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TEE
	tristate '"TEE" - packet cloning to alternate destination'
	depends on NETFILTER_ADVANCED
	depends on (IPV6 || IPV6=n)
	depends on !NF_CONNTRACK || NF_CONNTRACK
	---help---
	  This option adds a "TEE" target with which a packet can be cloned and
	  this clone be rerouted to another nexthop.

config NETFILTER_XT_TARGET_TPROXY
	tristate '"TPROXY" target support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_TPROXY
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
	help
	  This option adds a `TPROXY' target, which is somewhat similar to
	  REDIRECT. It can only be used in the mangle table and is useful
	  to redirect traffic to a transparent proxy. It does _not_ depend
	  on Netfilter connection tracking and NAT, unlike REDIRECT.

	  To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_TARGET_TRACE
	tristate '"TRACE" target support'
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	help
	  The TRACE target allows you to mark packets so that the kernel
	  will log every rule which matches the packets as they traverse
	  the tables, chains, rules.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_TARGET_SECMARK
	tristate '"SECMARK" target support'
	depends on NETWORK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The SECMARK target allows security marking of network
	  packets, for use with security subsystems.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TCPMSS
	tristate '"TCPMSS" target support'
	depends on (IPV6 || IPV6=n)
	default m if NETFILTER_ADVANCED=n
	---help---
	  This option adds a `TCPMSS' target, which allows you to alter the
	  MSS value of TCP SYN packets, to control the maximum size for that
	  connection (usually limiting it to your outgoing interface's MTU
	  minus 40).

	  This is used to overcome criminally braindead ISPs or servers which
	  block ICMP Fragmentation Needed packets. The symptoms of this
	  problem are that everything works fine from your Linux
	  firewall/router, but machines behind it can never exchange large
	  packets:
	    1) Web browsers connect, then hang with no data received.
	    2) Small mail works fine, but large emails hang.
	    3) ssh works fine, but scp hangs after initial handshaking.

	  Workaround: activate this option and add a rule to your firewall
	  configuration like:

	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
	           -j TCPMSS --clamp-mss-to-pmtu

	  To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_TARGET_TCPOPTSTRIP
	tristate '"TCPOPTSTRIP" target support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
	  TCP options from TCP packets.

# alphabetically ordered list of matches

comment "Xtables matches"

config NETFILTER_XT_MATCH_ADDRTYPE
	tristate '"addrtype" address type match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This option allows you to match what routing thinks of an address,
	  eg. UNICAST, LOCAL, BROADCAST, ...

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_CLUSTER
	tristate '"cluster" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	---help---
	  This option allows you to build work-load-sharing clusters of
	  network servers/stateful firewalls without having a dedicated
	  load-balancing router/server/switch. Basically, this match returns
	  true when the packet must be handled by this cluster node. Thus,
	  all nodes see all packets and this match decides which node handles
	  what packets. The work-load sharing algorithm is based on source
	  address hashing.

	  If you say Y or M here, try `iptables -m cluster --help` for
	  more information.

config NETFILTER_XT_MATCH_COMMENT
	tristate '"comment" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `comment' dummy-match, which allows you to put
	  comments in your iptables ruleset.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
config NETFILTER_XT_MATCH_CONNBYTES
	tristate '"connbytes" per-connection counter match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `connbytes' match, which allows you to match the
	  number of bytes and/or packets for each direction within a connection.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNLIMIT
	tristate '"connlimit" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	---help---
	  This match allows you to match against the number of parallel
	  connections to a server per client IP address (or address block).

config NETFILTER_XT_MATCH_CONNMARK
	tristate '"connmark" connection mark match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_CONNMARK
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).

config NETFILTER_XT_MATCH_CONNTRACK
	tristate '"conntrack" connection tracking match support'
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  This is a general conntrack match module, a superset of the state match.

	  It allows matching on additional conntrack information, which is
	  useful in complex configurations, such as NAT gateways with multiple
	  internet links or tunnels.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_CPU
	tristate '"cpu" match support'
	depends on NETFILTER_ADVANCED
	help
	  CPU matching allows you to match packets based on the CPU
	  currently handling the packet.

	  To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_MATCH_DCCP
	tristate '"dccp" protocol match support'
	depends on NETFILTER_ADVANCED
	default IP_DCCP
	help
	  With this option enabled, you will be able to use the iptables
	  `dccp' match in order to match on DCCP source/destination ports
	  and DCCP flags.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_DEVGROUP
	tristate '"devgroup" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `devgroup' match, which allows you to match on the
	  device group a network device is assigned to.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_DSCP
	tristate '"dscp" and "tos" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It will also add a "tos" match, which allows you to match packets
	  based on the Type Of Service fields of the IPv4 packet (which share
	  the same bits as DSCP).

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_ESP
	tristate '"esp" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside ESP header of IPSec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_HASHLIMIT
	tristate '"hashlimit" match support'
	depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `hashlimit' match.
	  As opposed to `limit', this match dynamically creates a hash table
	  of limit buckets, based on your selection of source/destination
	  addresses and/or ports.

	  It enables you to express policies like `10kpps for any given
	  destination address' or `500pps from any given source address'
	  with a single rule.

config NETFILTER_XT_MATCH_HELPER
	tristate '"helper" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack-helper, ie. ip_conntrack_ftp

	  To compile it as a module, choose M here. If unsure, say Y.

config NETFILTER_XT_MATCH_HL
	tristate '"hl" hoplimit/TTL match support'
	depends on NETFILTER_ADVANCED
	---help---
	  HL matching allows you to match packets based on the hoplimit
	  in the IPv6 header, or the time-to-live field in the IPv4
	  header of the packet.

config NETFILTER_XT_MATCH_IPRANGE
	tristate '"iprange" address range match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an "iprange" match, which allows you to match based on
	  an IP address range. (Normal iptables only matches on single addresses
	  with an optional mask.)

	  If unsure, say M.

config NETFILTER_XT_MATCH_IPVS
	tristate '"ipvs" match support'
	depends on IP_VS
	depends on NETFILTER_ADVANCED
	depends on NF_CONNTRACK
	help
	  This option allows you to match against IPVS properties of a packet.

	  If unsure, say N.

config NETFILTER_XT_MATCH_LENGTH
	tristate '"length" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_MATCH_LIMIT
	tristate '"limit" match support'
	depends on NETFILTER_ADVANCED
	help
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", below) and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MAC
	tristate '"mac" address match support'
	depends on NETFILTER_ADVANCED
	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MARK
	tristate '"mark" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MARK
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).

config NETFILTER_XT_MATCH_MULTIPORT
	tristate '"multiport" Multiple port match support'
	depends on NETFILTER_ADVANCED
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_OSF
	tristate '"osf" Passive OS fingerprint match'
	depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
	help
	  This option selects the Passive OS Fingerprinting match module
	  that allows you to passively match the remote operating system by
	  analyzing incoming TCP SYN packets.

	  Rules and loading software can be downloaded from
	  http://www.ioremap.net/projects/osf

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_OWNER
	tristate '"owner" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  Socket owner matching allows you to match locally-generated packets
	  based on who created the socket: the user or group. It is also
	  possible to check whether a socket actually exists.

config NETFILTER_XT_MATCH_POLICY
	tristate 'IPsec "policy" match support'
	depends on XFRM
	default m if NETFILTER_ADVANCED=n
	help
	  Policy matching allows you to match packets based on the
	  IPsec policy that was used during decapsulation, or that will
	  be used during encapsulation.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_PHYSDEV
	tristate '"physdev" match support'
	depends on BRIDGE && BRIDGE_NETFILTER
	depends on NETFILTER_ADVANCED
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_PKTTYPE
	tristate '"pkttype" packet type match support'
	depends on NETFILTER_ADVANCED
	help
	  Packet type matching allows you to match a packet by
	  its link-layer "class", e.g. BROADCAST, MULTICAST, ...

	  Typical usage:
	    iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_QUOTA
	tristate '"quota" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `quota' match, which matches packets until a
	  configured byte quota has been used up.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_RATEEST
	tristate '"rateest" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_RATEEST
	help
	  This option adds a `rateest' match, which allows you to match on the
	  rate estimated by the RATEEST target.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_REALM
	tristate '"realm" match support'
	depends on NETFILTER_ADVANCED
	select IP_ROUTE_CLASSID
	help
	  This option adds a `realm' match, which allows you to use the realm
	  key from the routing subsystem inside iptables.

	  This match closely resembles the CONFIG_NET_CLS_ROUTE4 option
	  in the tc world.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_RECENT
	tristate '"recent" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This match is used for creating one or more lists of recently
	  seen addresses and then matching against those lists.

	  A summary of the options is available via `iptables -m recent -h'.
	  Official Website: <http://snowman.net/projects/ipt_recent/>

config NETFILTER_XT_MATCH_SCTP
	tristate '"sctp" protocol match support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	default IP_SCTP
	help
	  With this option enabled, you will be able to use the
	  `sctp' match in order to match on SCTP source/destination ports
	  and SCTP chunk types.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_SOCKET
	tristate '"socket" match support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_TPROXY
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
	help
	  This option adds a `socket' match, which matches packets for which
	  a TCP or UDP socket lookup finds a valid local socket. It can be
	  used in combination with the MARK target and policy routing to
	  implement fully featured non-locally bound sockets, as used for
	  transparent proxying.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STATE
	tristate '"state" match support'
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (i.e. previous packets). This
	  is a powerful tool for packet classification.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STATISTIC
	tristate '"statistic" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `statistic' match, which allows you to match
	  every n-th packet, or packets at random with a given probability.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STRING
	tristate '"string" match support'
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	select TEXTSEARCH_BM
	select TEXTSEARCH_FSM
	help
	  This option adds a `string' match, which allows you to look for
	  byte patterns within packets, using the kernel textsearch
	  algorithms selected above.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_TCPMSS
	tristate '"tcpmss" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS option of TCP SYN packets, which controls the maximum segment
	  size for that connection.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_TIME
	tristate '"time" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds a "time" match, which allows you to match based on
	  the packet arrival time (at the machine on which netfilter is
	  running) or departure time/date (for locally generated packets).

	  If you say Y here, try `iptables -m time --help' for
	  more information.

	  If you want to compile it as a module, say M here.
	  If unsure, say N.

config NETFILTER_XT_MATCH_U32
	tristate '"u32" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  u32 allows you to extract quantities of up to 4 bytes from a packet,
	  AND them with specified masks, shift them by specified amounts and
	  test whether the results fall in any of a set of specified ranges.
	  The specification of what to extract is general enough to skip over
	  headers whose lengths are stored in the packet, such as the IP or
	  TCP header.

	  Details and examples are in the kernel module source.

endif # NETFILTER_XTABLES

endmenu

source "net/netfilter/ipset/Kconfig"

source "net/netfilter/ipvs/Kconfig"
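The `u32' match description above is compact; the program below is an added user-space re-implementation of its evaluation loop (read 4 bytes, then apply `&', `<<', `>>' and `@' in sequence, then compare against ranges) run over two constructed IPv4/TCP SYN packets, one without and one with IP options. It is not the kernel's xt_u32.c; the struct layout, the packets (checksums left zero) and the three tests, written the way iptables' u32 syntax would express them, are assumptions made for the demonstration. It also shows why the `@' operator matters: a test that follows the IHL field into the TCP header keeps matching when options shift the header, whereas one that assumes a fixed offset silently stops matching.

```c
/* Added example: user-space model of the u32 match. Not kernel code;
 * struct layout, packets and tests are assumptions for this demo. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define U32_MAXNUMS 8

/* How the value computed so far is combined with the next number. */
enum u32_op { U32_AND, U32_LEFTSH, U32_RIGHTSH, U32_AT };

struct u32_location { uint32_t number; enum u32_op nextop; };
struct u32_range    { uint32_t min, max; };

/* One test: "loc[0] op loc[1] op ... = min:max,min:max" */
struct u32_test {
	struct u32_location loc[U32_MAXNUMS];
	size_t nnums;
	struct u32_range val[U32_MAXNUMS];
	size_t nvalues;
};

/* Bounds-checked big-endian read; every packet access goes through here
 * so a short or truncated packet is never over-read. */
static bool read_be32(const uint8_t *pkt, size_t len, uint64_t off, uint32_t *out)
{
	if (off > len || len - off < 4)
		return false;
	*out = (uint32_t)pkt[off] << 24 | (uint32_t)pkt[off + 1] << 16 |
	       (uint32_t)pkt[off + 2] << 8 | (uint32_t)pkt[off + 3];
	return true;
}

bool u32_test_match(const uint8_t *pkt, size_t len, const struct u32_test *t)
{
	uint64_t at = 0;                 /* base offset, moved by '@' */
	uint32_t pos = t->loc[0].number; /* offset relative to 'at' */
	uint32_t val;

	if (t->nnums == 0 || !read_be32(pkt, len, at + pos, &val))
		return false;

	for (size_t i = 1; i < t->nnums; i++) {
		uint32_t n = t->loc[i].number;
		switch (t->loc[i - 1].nextop) {
		case U32_AND:     val &= n; break;
		case U32_LEFTSH:  val = n < 32 ? val << n : 0; break;
		case U32_RIGHTSH: val = n < 32 ? val >> n : 0; break;
		case U32_AT:
			/* '@': the value so far becomes the new base offset;
			 * this is how a test follows IHL into the TCP header */
			at += val;
			pos = n;
			if (!read_be32(pkt, len, at + pos, &val))
				return false;
			break;
		}
	}
	for (size_t i = 0; i < t->nvalues; i++)
		if (val >= t->val[i].min && val <= t->val[i].max)
			return true;
	return false;
}

/* Constructed packets: IPv4 (IHL=5) + TCP SYN to port 80 ... */
static const uint8_t pkt_syn[40] = {
	0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
	0xc0, 0xa8, 0x01, 0x02, 0x0a, 0x00, 0x00, 0x01,
	0xd4, 0x31, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
	0x50, 0x02, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
};
/* ... and the same SYN behind 4 bytes of IP options (IHL=6) */
static const uint8_t pkt_syn_opts[44] = {
	0x46, 0x00, 0x00, 0x2c, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
	0xc0, 0xa8, 0x01, 0x02, 0x0a, 0x00, 0x00, 0x01, 0x01, 0x01, 0x01, 0x00,
	0xd4, 0x31, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
	0x50, 0x02, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
};

/* "6&0xFF=6": protocol byte is TCP */
static const struct u32_test test_proto_tcp = {
	.loc = { {6, U32_AND}, {0xFF, U32_AND} }, .nnums = 2,
	.val = { {6, 6} }, .nvalues = 1,
};
/* "0>>22&0x3C@12>>16&0x3F=2": IHL*4, '@' into TCP header, flags == SYN */
static const struct u32_test test_tcp_syn = {
	.loc = { {0, U32_RIGHTSH}, {22, U32_AND}, {0x3C, U32_AT},
		 {12, U32_RIGHTSH}, {16, U32_AND}, {0x3F, U32_AND} }, .nnums = 6,
	.val = { {2, 2} }, .nvalues = 1,
};
/* "32>>16&0x3F=2": the same flag check assuming the TCP header at offset 20 */
static const struct u32_test test_syn_fixed_offset = {
	.loc = { {32, U32_RIGHTSH}, {16, U32_AND}, {0x3F, U32_AND} }, .nnums = 3,
	.val = { {2, 2} }, .nvalues = 1,
};

int main(void)
{
	printf("no options:   syn=%d fixed=%d\n",
	       u32_test_match(pkt_syn, sizeof pkt_syn, &test_tcp_syn),
	       u32_test_match(pkt_syn, sizeof pkt_syn, &test_syn_fixed_offset));
	printf("with options: syn=%d fixed=%d\n",
	       u32_test_match(pkt_syn_opts, sizeof pkt_syn_opts, &test_tcp_syn),
	       u32_test_match(pkt_syn_opts, sizeof pkt_syn_opts, &test_syn_fixed_offset));
	return 0;
}
```

The fixed-offset variant is the kind of rule that passes a quick test on a normal SYN and then lets option-carrying packets through, which is why the u32 documentation's own examples always reach the transport header via `0>>22&0x3C@'. The bounds check in read_be32 is the other point worth copying: a match that reads packet bytes at attacker-controlled offsets must reject any read that does not fit inside the packet.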