menu "Core Netfilter Configuration"
	depends on NET && INET && NETFILTER

config NETFILTER_NETLINK
	tristate

config NETFILTER_NETLINK_QUEUE
	tristate "Netfilter NFQUEUE over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for queueing packets via NFNETLINK.

config NETFILTER_NETLINK_LOG
	tristate "Netfilter LOG over NFNETLINK interface"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for logging packets via NFNETLINK.

	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
	  and is also scheduled to replace the old syslog-based ipt_LOG
	  and ip6t_LOG modules.

config NF_CONNTRACK
	tristate "Netfilter connection tracking support"
	default m if NETFILTER_ADVANCED=n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is required to do Masquerading or other kinds of Network
	  Address Translation. It can also be used to enhance packet
	  filtering (see `Connection state match support' below).

	  To compile it as a module, choose M here. If unsure, say N.

if NF_CONNTRACK

config NF_CT_ACCT
	bool "Connection tracking flow accounting"
	depends on NETFILTER_ADVANCED
	help
	  If this option is enabled, the connection tracking code will
	  keep per-flow packet and byte counters.

	  Those counters can be used for flow-based accounting or the
	  `connbytes' match.

	  Please note that currently this option only sets a default state.
	  You may change it at boot time with the nf_conntrack.acct=0/1 kernel
	  parameter or by loading the nf_conntrack module with acct=0/1.

	  You may also disable/enable it on a running system with:
	    sysctl net.netfilter.nf_conntrack_acct=0/1

	  This option will be removed in 2.6.29.

	  If unsure, say `N'.

config NF_CONNTRACK_MARK
	bool 'Connection mark tracking support'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match. Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config NF_CONNTRACK_SECMARK
	bool 'Connection tracking security mark support'
	depends on NETWORK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables security markings to be applied to
	  connections. Typically they are copied to connections from
	  packets using the CONNSECMARK target and copied back from
	  connections to packets with the same target, with the packets
	  being originally labeled via SECMARK.

	  If unsure, say 'N'.

config NF_CONNTRACK_ZONES
	bool 'Connection tracking zones'
	depends on NETFILTER_ADVANCED
	depends on NETFILTER_XT_TARGET_CT
	help
	  This option enables support for connection tracking zones.
	  Normally, each connection needs to have a unique system wide
	  identity. Connection tracking zones allow multiple connections
	  to share the same identity, as long as they are contained in
	  different zones.

	  If unsure, say `N'.

config NF_CONNTRACK_EVENTS
	bool "Connection tracking events"
	depends on NETFILTER_ADVANCED
	help
	  If this option is enabled, the connection tracking code will
	  provide a notifier chain that can be used by other kernel code
	  to get notified about changes in the connection tracking state.

	  If unsure, say `N'.
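The options above describe several pieces of conntrack state at once: the connection table itself, the per-flow counters that NF_CT_ACCT and the `connbytes' match use, the connection mark that NF_CONNTRACK_MARK keeps on the session rather than on packets, and the NEW/ESTABLISHED/RELATED/INVALID view that the `state' match later exposes. The following Python model is an added example, not kernel code and not part of this Kconfig; it shows how one packet is classified and how a helper's expectation turns a data channel into RELATED. The tuple layout, the addresses and the treatment of a first TCP packet without SYN as INVALID (i.e. the behaviour with nf_conntrack_tcp_loose=0; the kernel default picks such flows up as NEW) are assumptions of the model.

```python
"""Toy model of nf_conntrack state classification (added example, not kernel code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# 5-tuple as seen in the original direction: (proto, saddr, sport, daddr, dport)
Tuple5 = Tuple[str, str, int, str, int]


def reverse(t: Tuple5) -> Tuple5:
    """Reply-direction tuple of t (what the peer's packets look like)."""
    proto, saddr, sport, daddr, dport = t
    return (proto, daddr, dport, saddr, sport)


@dataclass
class Conn:
    orig: Tuple5
    related: bool = False        # created from a helper expectation
    seen_reply: bool = False     # packets seen in both directions
    mark: int = 0                # connection mark (CONNMARK), not a packet mark
    packets: List[int] = field(default_factory=lambda: [0, 0])  # [orig, reply]
    bytes: List[int] = field(default_factory=lambda: [0, 0])    # NF_CT_ACCT counters


class ConnTracker:
    def __init__(self) -> None:
        self.table: Dict[Tuple5, Conn] = {}           # both directions index one Conn
        self.expectations: Dict[Tuple5, Tuple5] = {}  # expected tuple -> master tuple

    def expect(self, master: Tuple5, expected: Tuple5) -> None:
        """What an ALG helper registers, e.g. nf_conntrack_ftp after parsing PORT/PASV."""
        self.expectations[expected] = master

    def _new_conn(self, t: Tuple5, related: bool) -> Conn:
        conn = Conn(orig=t, related=related)
        self.table[t] = conn
        self.table[reverse(t)] = conn
        return conn

    def classify(self, t: Tuple5, length: int, tcp_syn: Optional[bool] = None,
                 notrack: bool = False) -> str:
        """Return the `state' match view of one packet and update the table."""
        if notrack:                       # NOTRACK target: never enters the table
            return "UNTRACKED"
        conn = self.table.get(t)
        if conn is None:
            if t in self.expectations:    # first packet of an expected data channel
                conn = self._new_conn(t, related=True)
                del self.expectations[t]
            elif t[0] == "tcp" and not tcp_syn:
                return "INVALID"          # model assumption: no mid-stream pickup
            else:
                conn = self._new_conn(t, related=False)
        direction = 0 if t == conn.orig else 1
        conn.packets[direction] += 1
        conn.bytes[direction] += length
        if direction == 1:
            conn.seen_reply = True        # reply seen: both directions now known
            return "ESTABLISHED"
        if conn.seen_reply:
            return "ESTABLISHED"
        return "RELATED" if conn.related else "NEW"

    def classify_icmp_error(self, inner: Tuple5) -> str:
        """An ICMP error quoting the header of a tracked flow is RELATED to it."""
        return "RELATED" if inner in self.table else "INVALID"

    def set_mark(self, t: Tuple5, mark: int) -> None:   # CONNMARK --set-mark
        self.table[t].mark = mark

    def get_mark(self, t: Tuple5) -> int:               # connmark match / --restore-mark
        return self.table[t].mark

    def counters(self, t: Tuple5) -> Tuple[List[int], List[int]]:
        """Per-direction (packets, bytes), as read by the `connbytes' match."""
        conn = self.table[t]
        return conn.packets, conn.bytes


if __name__ == "__main__":
    ct = ConnTracker()
    ctl = ("tcp", "10.0.0.2", 40000, "203.0.113.5", 21)   # constructed FTP control flow
    for desc, t, syn in [("client SYN", ctl, True), ("server SYN/ACK", reverse(ctl), True),
                         ("client data", ctl, False)]:
        print("%-15s %s" % (desc, ct.classify(t, 60, tcp_syn=syn)))
```

Note how the mark set on the original tuple is visible through the reply tuple: both directions point at the same entry, which is exactly why a CONNMARK value survives where a packet mark would not.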

config NF_CT_PROTO_DCCP
	tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	default IP_DCCP
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on DCCP connections.

	  If unsure, say 'N'.

config NF_CT_PROTO_GRE
	tristate

config NF_CT_PROTO_SCTP
	tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	default IP_SCTP
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on SCTP connections.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NF_CT_PROTO_UDPLITE
	tristate 'UDP-Lite protocol connection tracking support'
	depends on NETFILTER_ADVANCED
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on UDP-Lite
	  connections.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_AMANDA
	tristate "Amanda backup protocol support"
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature. This allows the
	  connection tracking and NAT code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and
	  index.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_FTP
	tristate "FTP protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them.

	  This is FTP support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_H323
	tristate "H.323 protocol support"
	depends on (IPV6 || IPV6=n)
	depends on NETFILTER_ADVANCED
	help
	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
	  important VoIP protocols, it is widely used by voice hardware and
	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
	  Gnomemeeting, etc.

	  With this module you can support H.323 on a connection tracking/NAT
	  firewall.

	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
	  whiteboard, file transfer, etc. For more information, please
	  visit http://nath323.sourceforge.net/.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_IRC
	tristate "IRC protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC). This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server. DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots. If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats. Note that you do NOT need this extension to get files or
	  have others initiate chats, or for anything else in IRC.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_NETBIOS_NS
	tristate "NetBIOS name service protocol support"
	depends on NETFILTER_ADVANCED
	help
	  NetBIOS name service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating NetBIOS name service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address. When properly configured, the output
	  of "ip address show" should look similar to this:

	  $ ip -4 address show eth0
	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_PPTP
	tristate "PPTP protocol support"
	depends on NETFILTER_ADVANCED
	select NF_CT_PROTO_GRE
	help
	  This module adds support for PPTP (Point to Point Tunnelling
	  Protocol, RFC2637) connection tracking and NAT.

	  If you are running PPTP sessions over a stateful firewall or NAT
	  box, you may want to enable this feature.

	  Please note that not all PPTP modes of operation are supported yet.
	  Specifically these limitations exist:
	    - Blindly assumes that control connections are always established
	      in PNS->PAC direction. This is a violation of RFC2637.
	    - Only supports a single call within each session

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SANE
	tristate "SANE protocol support (EXPERIMENTAL)"
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	help
	  SANE is a protocol for remote access to scanners as implemented
	  by the 'saned' daemon.
	  Like FTP, it uses separate control and data connections.

	  With this module you can support SANE on a connection tracking
	  firewall.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SIP
	tristate "SIP protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  SIP is an application-layer control protocol that can establish,
	  modify, and terminate multimedia sessions (conferences) such as
	  Internet telephony calls. With the nf_conntrack_sip and
	  nf_nat_sip modules you can support the protocol on a connection
	  tracking/NATing firewall.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_TFTP
	tristate "TFTP protocol support"
	depends on NETFILTER_ADVANCED
	help
	  TFTP connection tracking helper; whether you need it depends
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADE
	  you will need this.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CT_NETLINK
	tristate 'Connection tracking netlink interface'
	select NETFILTER_NETLINK
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables support for a netlink-based userspace interface.

endif # NF_CONNTRACK

# transparent proxy support
config NETFILTER_TPROXY
	tristate "Transparent proxying support (EXPERIMENTAL)"
	depends on EXPERIMENTAL
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option enables transparent proxying support, that is,
	  support for handling non-locally bound IPv4 TCP and UDP sockets.
	  For it to work you will have to configure certain iptables rules
	  and use policy routing. For more information on how to set it up
	  see Documentation/networking/tproxy.txt.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XTABLES
	tristate "Netfilter Xtables support (required for ip_tables)"
	default m if NETFILTER_ADVANCED=n
	help
	  This is required if you intend to use any of ip_tables,
	  ip6_tables or arp_tables.

if NETFILTER_XTABLES

# alphabetically ordered list of targets

config NETFILTER_XT_TARGET_CLASSIFY
	tristate '"CLASSIFY" target support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet. Some qdiscs can use this value for
	  classification, among these are:

	  	atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CONNMARK
	tristate '"CONNMARK" target support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  This option adds a `CONNMARK' target, which allows one to manipulate
	  the connection mark value. Similar to the MARK target, but
	  affects the connection mark value rather than the packet mark value.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. The module will be called
	  xt_CONNMARK. If unsure, say `N'.

config NETFILTER_XT_TARGET_CONNSECMARK
	tristate '"CONNSECMARK" target support'
	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The CONNSECMARK target copies security markings from packets
	  to connections, and restores security markings from connections
	  to packets (if the packets are not already marked). This would
	  normally be used in conjunction with the SECMARK target.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CT
	tristate '"CT" target support'
	depends on NF_CONNTRACK
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CT' target, which lets you specify initial
	  connection tracking parameters such as the events to be delivered
	  and the helper to be used.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_DSCP
	tristate '"DSCP" and "TOS" target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' target, which allows you to manipulate
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It also adds the "TOS" target, which allows you to create rules in
	  the "mangle" table which alter the Type Of Service field of an IPv4
	  or the Priority field of an IPv6 packet, prior to routing.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
	  targets, which enable the user to change the
	  hoplimit/time-to-live value of the IP header.

	  While it is safe to decrement the hoplimit/TTL value, the
	  modules also allow you to increment and set the hoplimit value of
	  the header to arbitrary values. This is EXTREMELY DANGEROUS
	  since you can easily create immortal packets that loop
	  forever on the network.

config NETFILTER_XT_TARGET_LED
	tristate '"LED" target support'
	depends on LEDS_CLASS && LEDS_TRIGGERS
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `LED' target, which allows you to blink LEDs in
	  response to particular packets passing through your machine.

	  This can be used to turn a spare LED into a network activity LED,
	  which only flashes in response to FTP transfers, for example. Or
	  you could have an LED which lights up for a minute or two every time
	  somebody connects to your machine via SSH.

	  You will need support for the "led" class to make this work.

	  To create an LED trigger for incoming SSH traffic:
	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000

	  Then attach the new trigger to an LED on your system:
	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger

	  For more information on the LEDs available on your system, see
	  Documentation/leds-class.txt

config NETFILTER_XT_TARGET_MARK
	tristate '"MARK" target support'
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `MARK' target, which allows you to create rules
	  in the `mangle' table which alter the netfilter mark (nfmark) field
	  associated with the packet prior to routing. This can change
	  the routing method (see `Use netfilter MARK value as routing
	  key') and can also be used by other subsystems to change their
	  behavior.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NFLOG
	tristate '"NFLOG" target support'
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK_LOG
	help
	  This option enables the NFLOG target, which allows logging
	  of packets through nfnetlink_log.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NFQUEUE
	tristate '"NFQUEUE" target Support'
	depends on NETFILTER_ADVANCED
	help
	  This target replaced the old obsolete QUEUE target.

	  As opposed to QUEUE, it supports 65536 different queues
	  (numbered 0 to 65535), not just one.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NOTRACK
	tristate '"NOTRACK" target support'
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  The NOTRACK target lets a rule specify which packets should
	  *not* enter the conntrack/NAT subsystem, with all the
	  consequences (no ICMP error tracking, no protocol helpers for
	  the selected packets).

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_TARGET_RATEEST
	tristate '"RATEEST" target support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `RATEEST' target, which allows you to measure
	  rates similar to TC estimators. The `rateest' match can be
	  used to match on the measured rates.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TPROXY
	tristate '"TPROXY" target support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_TPROXY
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	select NF_DEFRAG_IPV4
	help
	  This option adds a `TPROXY' target, which is somewhat similar to
	  REDIRECT. It can only be used in the mangle table and is useful
	  to redirect traffic to a transparent proxy. It does _not_ depend
	  on Netfilter connection tracking and NAT, unlike REDIRECT.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TRACE
	tristate '"TRACE" target support'
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	help
	  The TRACE target allows you to mark packets so that the kernel
	  will log every rule which matches the packets as they traverse
	  the tables, chains and rules.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_TARGET_SECMARK
	tristate '"SECMARK" target support'
	depends on NETWORK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The SECMARK target allows security marking of network
	  packets, for use with security subsystems.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TCPMSS
	tristate '"TCPMSS" target support'
	depends on (IPV6 || IPV6=n)
	default m if NETFILTER_ADVANCED=n
	---help---
	  This option adds a `TCPMSS' target, which allows you to alter the
	  MSS value of TCP SYN packets, to control the maximum size for that
	  connection (usually limiting it to your outgoing interface's MTU
	  minus 40).

	  This is used to overcome criminally braindead ISPs or servers which
	  block ICMP Fragmentation Needed packets. The symptoms of this
	  problem are that everything works fine from your Linux
	  firewall/router, but machines behind it can never exchange large
	  packets:
	    1) Web browsers connect, then hang with no data received.
	    2) Small mail works fine, but large emails hang.
	    3) ssh works fine, but scp hangs after initial handshaking.

	  Workaround: activate this option and add a rule to your firewall
	  configuration like:

	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
	  	   -j TCPMSS --clamp-mss-to-pmtu

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TCPOPTSTRIP
	tristate '"TCPOPTSTRIP" target support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
	  TCP options from TCP packets.
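TCPMSS, TCPOPTSTRIP and the `tcpmss' match described further down all operate on the same 20-byte-maximum option field of a TCP header, and all of them must validate option lengths before touching it. The block below is an added example in Python; it is not the kernel's xt_TCPMSS or xt_TCPOPTSTRIP code. It parses the option list, reads the MSS as the `tcpmss' match does, clamps it to MTU minus 40 (IPv4) or minus 60 (IPv6) as `--clamp-mss-to-pmtu' does, and strips options by overwriting them with NOPs so the data offset stays valid. The sample SYN option field is constructed for the example; checksum and data-offset fixups that a real target performs on the surrounding header are noted but not done.

```python
"""TCP option handling of the kind the TCPMSS and TCPOPTSTRIP targets and the tcpmss
match perform (added example in Python, not the kernel's xt_TCPMSS/xt_TCPOPTSTRIP code)."""
from typing import Iterator, List, Optional, Set, Tuple

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS, TCPOPT_WSCALE = 0, 1, 2, 3
TCPOPT_SACK_PERM, TCPOPT_TIMESTAMP = 4, 8


def _walk(opts: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (offset, kind, length) for each option, validating lengths first:
    EOL ends the list, NOP has no length byte, every other option carries one."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            return
        if kind == TCPOPT_NOP:
            yield i, kind, 1
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header at offset %d" % i)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad length %d for option %d at offset %d" % (length, kind, i))
        yield i, kind, length
        i += length


def is_well_formed(opts: bytes) -> bool:
    """False for option fields a careful implementation must refuse to rewrite."""
    try:
        list(_walk(opts))
        return True
    except ValueError:
        return False


def parse_tcp_options(opts: bytes) -> List[Tuple[int, bytes]]:
    return [(kind, opts[off + 2:off + length] if length > 1 else b"")
            for off, kind, length in _walk(opts)]


def mss_of(opts: bytes) -> Optional[int]:
    """The value the `tcpmss' match examines on a SYN; None when the option is absent."""
    for kind, data in parse_tcp_options(opts):
        if kind == TCPOPT_MSS and len(data) == 2:
            return int.from_bytes(data, "big")
    return None


def clamp_mss(opts: bytes, mtu: int, ipv6: bool = False) -> bytes:
    """TCPMSS --clamp-mss-to-pmtu: cap the MSS at MTU minus the minimal IP+TCP headers
    (40 bytes for IPv4, 60 for IPv6). A SYN without an MSS option gets one inserted.
    Only the option bytes are rewritten here; the real target also fixes the TCP
    checksum and, on insertion, the data offset and IP total length."""
    limit = mtu - (60 if ipv6 else 40)
    out = bytearray(opts)
    found = False
    for off, kind, length in _walk(opts):
        if kind == TCPOPT_MSS and length == 4:
            found = True
            mss = int.from_bytes(opts[off + 2:off + 4], "big")
            out[off + 2:off + 4] = min(mss, limit).to_bytes(2, "big")
    if not found:
        out[0:0] = bytes([TCPOPT_MSS, 4]) + limit.to_bytes(2, "big")
    return bytes(out)


def strip_options(opts: bytes, kinds: Set[int]) -> bytes:
    """TCPOPTSTRIP --strip-options: overwrite the selected options with NOPs so the
    header length (data offset) does not change."""
    out = bytearray(opts)
    for off, kind, length in _walk(opts):
        if kind in kinds and kind != TCPOPT_NOP:
            out[off:off + length] = bytes([TCPOPT_NOP]) * length
    return bytes(out)


# Constructed option field of a typical Linux SYN: MSS 1460, SACK permitted,
# timestamps, NOP, window scale 7 (20 bytes, 32-bit aligned).
SYN_OPTS = bytes.fromhex("020405b4" "0402" "080a0000000100000000" "01" "030307")

if __name__ == "__main__":
    print("MSS on the wire:", mss_of(SYN_OPTS))
    print("after clamp to PPPoE MTU 1492:", mss_of(clamp_mss(SYN_OPTS, 1492)))
    print("timestamps stripped:", strip_options(SYN_OPTS, {TCPOPT_TIMESTAMP}).hex())
```

The clamp keeps the option field the same length whenever an MSS option already exists, which is why TCPMSS can run late in the mangle table without disturbing the rest of the header; insertion is the one case that changes the header size.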

config NETFILTER_XT_MATCH_CLUSTER
	tristate '"cluster" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	---help---
	  This option allows you to build work-load-sharing clusters of
	  network servers/stateful firewalls without having a dedicated
	  load-balancing router/server/switch. Basically, this match returns
	  true when the packet must be handled by this cluster node. Thus,
	  all nodes see all packets and this match decides which node handles
	  what packets. The work-load sharing algorithm is based on source
	  address hashing.

	  If you say Y or M here, try `iptables -m cluster --help` for
	  more information.

config NETFILTER_XT_MATCH_COMMENT
	tristate '"comment" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `comment' dummy-match, which allows you to put
	  comments in your iptables ruleset.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNBYTES
	tristate '"connbytes" per-connection counter match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CT_ACCT
	help
	  This option adds a `connbytes' match, which allows you to match the
	  number of bytes and/or packets for each direction within a connection.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNLIMIT
	tristate '"connlimit" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	---help---
	  This match allows you to match against the number of parallel
	  connections to a server per client IP address (or address block).

config NETFILTER_XT_MATCH_CONNMARK
	tristate '"connmark" connection mark match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  This option adds a `connmark' match, which allows you to match the
	  connection mark value previously set for the session by `CONNMARK'.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. The module will be called
	  xt_connmark. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNTRACK
	tristate '"conntrack" connection tracking match support'
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  This is a general conntrack match module, a superset of the state match.

	  It allows matching on additional conntrack information, which is
	  useful in complex configurations, such as NAT gateways with multiple
	  internet links or tunnels.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_DCCP
	tristate '"dccp" protocol match support'
	depends on NETFILTER_ADVANCED
	default IP_DCCP
	help
	  With this option enabled, you will be able to use the iptables
	  `dccp' match in order to match on DCCP source/destination ports
	  and DCCP flags.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_DSCP
	tristate '"dscp" and "tos" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It will also add a "tos" match, which allows you to match packets
	  based on the Type Of Service fields of the IPv4 packet (which share
	  the same bits as DSCP).

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_ESP
	tristate '"esp" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the ESP header of IPsec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_HASHLIMIT
	tristate '"hashlimit" match support'
	depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `hashlimit' match.

	  As opposed to `limit', this match dynamically creates a hash table
	  of limit buckets, based on your selection of source/destination
	  addresses and/or ports.

	  It enables you to express policies like `10kpps for any given
	  destination address' or `500pps from any given source address'
	  with a single rule.

config NETFILTER_XT_MATCH_HELPER
	tristate '"helper" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack helper, e.g. nf_conntrack_ftp.

	  To compile it as a module, choose M here. If unsure, say Y.

config NETFILTER_XT_MATCH_HL
	tristate '"hl" hoplimit/TTL match support'
	depends on NETFILTER_ADVANCED
	---help---
	  HL matching allows you to match packets based on the hoplimit
	  in the IPv6 header, or the time-to-live field in the IPv4
	  header of the packet.

config NETFILTER_XT_MATCH_IPRANGE
	tristate '"iprange" address range match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an "iprange" match, which allows you to match based on
	  an IP address range. (Normal iptables only matches on single addresses
	  with an optional mask.)

	  If unsure, say M.

config NETFILTER_XT_MATCH_LENGTH
	tristate '"length" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_LIMIT
	tristate '"limit" match support'
	depends on NETFILTER_ADVANCED
	help
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", below) and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MAC
	tristate '"mac" address match support'
	depends on NETFILTER_ADVANCED
	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MARK
	tristate '"mark" match support'
	default m if NETFILTER_ADVANCED=n
	help
	  Netfilter mark matching allows you to match packets based on the
	  `nfmark' value in the packet. This can be set by the MARK target
	  (see below).

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MULTIPORT
	tristate '"multiport" Multiple port match support'
	depends on NETFILTER_ADVANCED
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_OWNER
	tristate '"owner" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  Socket owner matching allows you to match locally-generated packets
	  based on who created the socket: the user or group.
	  It is also possible to check whether a socket actually exists.

config NETFILTER_XT_MATCH_POLICY
	tristate 'IPsec "policy" match support'
	depends on XFRM
	default m if NETFILTER_ADVANCED=n
	help
	  Policy matching allows you to match packets based on the
	  IPsec policy that was used during decapsulation/will
	  be used during encapsulation.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_PHYSDEV
	tristate '"physdev" match support'
	depends on BRIDGE && BRIDGE_NETFILTER
	depends on NETFILTER_ADVANCED
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_PKTTYPE
	tristate '"pkttype" packet type match support'
	depends on NETFILTER_ADVANCED
	help
	  Packet type matching allows you to match a packet by
	  its "class", eg. BROADCAST, MULTICAST, ...

	  Typical usage:
	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_QUOTA
	tristate '"quota" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `quota' match, which allows you to match on a
	  byte counter.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_RATEEST
	tristate '"rateest" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_RATEEST
	help
	  This option adds a `rateest' match, which allows you to match on the
	  rate estimated by the RATEEST target.

	  To compile it as a module, choose M here. If unsure, say N.
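The `limit' and `hashlimit' entries above describe the same mechanism at two granularities: one token bucket per rule, or one bucket per key built from the packet's addresses and ports. The following Python model is an added example, not the kernel's xt_limit/xt_hashlimit code; it shows what `--limit 3/min --limit-burst 5' actually admits over time (the burst is spent immediately, then one packet per 20 seconds), and how `--hashlimit-mode srcip' keeps a separate bucket per source. It uses exact rational arithmetic with time passed in explicitly rather than the kernel's integer credit scheme and jiffies; bucket expiry (`--hashlimit-htable-expire') is left out.

```python
"""Token-bucket model of the `limit' and `hashlimit' matches (added example, not kernel code)."""
from fractions import Fraction
from typing import Dict, Hashable, Iterable, Sequence, Tuple

_UNITS = {"sec": 1, "second": 1, "min": 60, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(spec: str) -> Fraction:
    """'3/min' -> 3/60 packets per second, the form --limit and --hashlimit-upto accept."""
    count, _, unit = spec.partition("/")
    return Fraction(int(count), _UNITS[unit or "sec"])


class TokenBucket:
    """One rule's bucket: starts full with `burst` tokens, refills at `rate` tokens per
    second up to `burst`, and each matched packet costs one token."""

    def __init__(self, rate: Fraction, burst: int) -> None:
        self.rate, self.burst = rate, burst
        self.credit = Fraction(burst)
        self.last = Fraction(0)

    def allow(self, now) -> bool:
        now = Fraction(now)
        if now > self.last:                      # refill for the elapsed time, capped
            self.credit = min(Fraction(self.burst),
                              self.credit + (now - self.last) * self.rate)
            self.last = now
        if self.credit >= 1:
            self.credit -= 1
            return True                          # rule matches (e.g. packet gets logged)
        return False                             # over the limit: rule does not match


class HashLimit:
    """`hashlimit': one TokenBucket per key built from the fields named in `mode`,
    e.g. ("srcip",) for --hashlimit-mode srcip or ("srcip", "dstport")."""

    def __init__(self, rate: Fraction, burst: int, mode: Sequence[str]) -> None:
        self.rate, self.burst, self.mode = rate, burst, tuple(mode)
        self.buckets: Dict[Tuple[Hashable, ...], TokenBucket] = {}

    def allow(self, pkt: Dict[str, Hashable], now) -> bool:
        key = tuple(pkt[f] for f in self.mode)
        bucket = self.buckets.get(key)
        if bucket is None:                       # first packet for this key: new bucket
            bucket = self.buckets[key] = TokenBucket(self.rate, self.burst)
        return bucket.allow(now)


def simulate(bucket: TokenBucket, times: Iterable[float]) -> str:
    """Render which arrivals match: 'M' for matched, '.' for rate-limited."""
    return "".join("M" if bucket.allow(t) else "." for t in times)


if __name__ == "__main__":
    # A burst of ten packets at t=0 against `-m limit --limit 3/min --limit-burst 5`
    print(simulate(TokenBucket(parse_rate("3/min"), 5), [0] * 10))
    # Two hosts, three packets each, against `--hashlimit-upto 2/sec --hashlimit-burst 2`
    h = HashLimit(parse_rate("2/sec"), 2, ("srcip",))
    pkts = [{"srcip": "10.0.0.1"}] * 3 + [{"srcip": "10.0.0.2"}] * 3   # constructed input
    print([h.allow(p, 0) for p in pkts])
```

This is why `-m limit` in front of `-j LOG` protects the log rather than the host: once the burst is spent, excess packets simply fail the match and fall through to the next rule, which usually drops them silently.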

config NETFILTER_XT_MATCH_REALM
	tristate '"realm" match support'
	depends on NETFILTER_ADVANCED
	select NET_CLS_ROUTE
	help
	  This option adds a `realm' match, which allows you to use the realm
	  key from the routing subsystem inside iptables.

	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
	  in the tc world.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_RECENT
	tristate '"recent" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'
	  Official Website: <http://snowman.net/projects/ipt_recent/>

config NETFILTER_XT_MATCH_RECENT_PROC_COMPAT
	bool 'Enable obsolete /proc/net/ipt_recent'
	depends on NETFILTER_XT_MATCH_RECENT && PROC_FS
	---help---
	  This option enables the old /proc/net/ipt_recent interface,
	  which has been obsoleted by /proc/net/xt_recent.

config NETFILTER_XT_MATCH_SCTP
	tristate '"sctp" protocol match support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	default IP_SCTP
	help
	  With this option enabled, you will be able to use the
	  `sctp' match in order to match on SCTP source/destination ports
	  and SCTP chunk types.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_SOCKET
	tristate '"socket" match support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_TPROXY
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DEFRAG_IPV4
	help
	  This option adds a `socket' match, which can be used to match
	  packets for which a TCP or UDP socket lookup finds a valid socket.
	  It can be used in combination with the MARK target and policy
	  routing to implement full featured non-locally bound sockets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STATE
	tristate '"state" match support'
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (ie. previous packets). This
	  is a powerful tool for packet classification.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STATISTIC
	tristate '"statistic" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `statistic' match, which allows you to match
	  on packets periodically or randomly with a given percentage.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STRING
	tristate '"string" match support'
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	select TEXTSEARCH_BM
	select TEXTSEARCH_FSM
	help
	  This option adds a `string' match, which allows you to look for
	  pattern matchings in packets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_TCPMSS
	tristate '"tcpmss" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS value of TCP SYN packets, which control the maximum packet size
	  for that connection.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_TIME
	tristate '"time" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds a "time" match, which allows you to match based on
	  the packet arrival time (at the machine which netfilter is running
	  on) or departure time/date (for locally generated packets).

	  If you say Y here, try `iptables -m time --help` for
	  more information.

	  If you want to compile it as a module, say M here.
	  If unsure, say N.

config NETFILTER_XT_MATCH_U32
	tristate '"u32" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  u32 allows you to extract quantities of up to 4 bytes from a packet,
	  AND them with specified masks, shift them by specified amounts and
	  test whether the results are in any of a set of specified ranges.
	  The specification of what to extract is general enough to skip over
	  headers with lengths stored in the packet, as in IP or TCP header
	  lengths.

	  Details and examples are in the kernel module source.

config NETFILTER_XT_MATCH_OSF
	tristate '"osf" Passive OS fingerprint match'
	depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
	help
	  This option selects the Passive OS Fingerprinting match module
	  that allows you to passively match the remote operating system by
	  analyzing incoming TCP SYN packets.

	  Rules and loading software can be downloaded from
	  http://www.ioremap.net/projects/osf

	  To compile it as a module, choose M here. If unsure, say N.

endif # NETFILTER_XTABLES

endmenu

source "net/netfilter/ipvs/Kconfig"
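The u32 help text above describes an expression language (4-byte reads, AND masks, shifts, range tests, and an `@' operator that rebases the offset on a value read from the packet) without showing it. The block below is an added example in Python, not the kernel's xt_u32 implementation: an evaluator for that language, run over two constructed IPv4/TCP packets, one with TCP options and one without, so the difference between a fixed payload offset and an `@'-chained one is visible. The packet bytes are constructed for the example and their checksums are not valid.

```python
"""Evaluator for the `u32' match expression language (added example in Python, not the
kernel's xt_u32 code), run over constructed IPv4/TCP packets."""
import re
from typing import List, Tuple

_TOKEN = re.compile(r"0x[0-9a-fA-F]+|\d+|>>|<<|[&@]")


def _read32(pkt: bytes, off: int) -> int:
    """Big-endian 32-bit read; a read past the end makes the whole match fail."""
    if off < 0 or off + 4 > len(pkt):
        raise IndexError("read at %d past end of %d-byte packet" % (off, len(pkt)))
    return int.from_bytes(pkt[off:off + 4], "big")


def _parse_ranges(spec: str) -> List[Tuple[int, int]]:
    """'0x14:0x17,6' -> [(20, 23), (6, 6)]"""
    ranges = []
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        ranges.append((int(lo, 0), int(hi, 0) if hi else int(lo, 0)))
    return ranges


def _eval_test(pkt: bytes, test: str) -> bool:
    """One 'location=values' test. location is a number followed by any sequence of
    &mask, >>n, <<n or @n applied left to right; '@' makes the value computed so far
    the new base offset for subsequent reads."""
    loc_str, values = test.split("=", 1)
    tokens = _TOKEN.findall(loc_str)
    if "".join(tokens) != loc_str.replace(" ", "") or len(tokens) % 2 == 0:
        raise ValueError("unparseable u32 location: %r" % loc_str)
    base = 0
    val = _read32(pkt, base + int(tokens[0], 0))
    for op, arg in zip(tokens[1::2], tokens[2::2]):
        n = int(arg, 0)
        if op == "&":
            val &= n
        elif op == ">>":
            val >>= n
        elif op == "<<":
            val = (val << n) & 0xFFFFFFFF
        else:                                   # "@": rebase on the value so far
            base += val
            val = _read32(pkt, base + n)
    return any(lo <= val <= hi for lo, hi in _parse_ranges(values.strip()))


def u32_match(expr: str, pkt: bytes) -> bool:
    """iptables -m u32 --u32 "<expr>": every '&&'-separated test must hold."""
    try:
        return all(_eval_test(pkt, t.strip()) for t in expr.split("&&"))
    except IndexError:
        return False                            # packet too short for a read: no match


# Constructed packets (checksums left zero, not valid on the wire).
_IP = bytes.fromhex("45000040" "12344000" "40060000" "c0a80002" "c0a80001")  # IHL 5, proto 6
_TCP_WITH_OPTS = bytes.fromhex("04d201bb" "00000001" "00000002" "8018ffff" "00000000"
                               "0101080a" "00000001" "00000002")   # data offset 8 (32 bytes)
_TCP_PLAIN = bytes.fromhex("04d201bb" "00000001" "00000002" "5018ffff" "00000000")  # offset 5
_TLS = bytes.fromhex("160301000501000001000000")   # TLS record, content type 0x16 (handshake)
PKT_WITH_OPTS = _IP + _TCP_WITH_OPTS + _TLS                                # 64 bytes (0x40)
PKT_PLAIN = _IP[:2] + (52).to_bytes(2, "big") + _IP[4:] + _TCP_PLAIN + _TLS  # 52 bytes

# Skip the IP header (IHL*4) and then the TCP header (data offset*4) before testing the
# first payload byte: this is how u32 reaches L7 data regardless of option length.
EXPR_TLS_RECORD = "0>>22&0x3C@12>>26&0x3C@0>>24=0x16"
EXPR_TCP_NOT_FRAG = "6&0xFF=6 && 4&0x3FFF=0"     # protocol TCP and not a fragment
EXPR_FIXED_OFFSET = "40>>24=0x16"                  # naive: assumes 20+20 byte headers

if __name__ == "__main__":
    for name, pkt in (("plain", PKT_PLAIN), ("with options", PKT_WITH_OPTS)):
        print("%-13s chained=%s fixed=%s" % (name, u32_match(EXPR_TLS_RECORD, pkt),
                                             u32_match(EXPR_FIXED_OFFSET, pkt)))
```

The fixed-offset expression matches the plain packet but silently misses the one with TCP options, which is exactly the evasion a rule written without `@' invites; the chained form follows both header lengths and matches both, and fails closed on a truncated packet.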