menu "Core Netfilter Configuration"
	depends on NET && INET && NETFILTER

config NETFILTER_INGRESS
	bool "Netfilter ingress support"
	default y
	select NET_INGRESS
	help
	  This allows you to classify packets from ingress using the Netfilter
	  infrastructure.

config NETFILTER_NETLINK
	tristate

config NETFILTER_NETLINK_ACCT
	tristate "Netfilter NFACCT over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for extended accounting via NFNETLINK.

config NETFILTER_NETLINK_QUEUE
	tristate "Netfilter NFQUEUE over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for queueing packets via NFNETLINK.

config NETFILTER_NETLINK_LOG
	tristate "Netfilter LOG over NFNETLINK interface"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for logging packets via NFNETLINK.

	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
	  and is also scheduled to replace the old syslog-based ipt_LOG
	  and ip6t_LOG modules.

config NF_CONNTRACK
	tristate "Netfilter connection tracking support"
	default m if NETFILTER_ADVANCED=n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is required to do Masquerading or other kinds of Network
	  Address Translation. It can also be used to enhance packet
	  filtering (see `Connection state match support' below).

	  To compile it as a module, choose M here. If unsure, say N.

config NF_LOG_COMMON
	tristate

config NF_LOG_NETDEV
	tristate "Netdev packet logging"
	select NF_LOG_COMMON

if NF_CONNTRACK

config NF_CONNTRACK_MARK
	bool 'Connection mark tracking support'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match. Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config NF_CONNTRACK_SECMARK
	bool 'Connection tracking security mark support'
	depends on NETWORK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables security markings to be applied to
	  connections. Typically they are copied to connections from
	  packets using the CONNSECMARK target and copied back from
	  connections to packets with the same target, with the packets
	  being originally labeled via SECMARK.

	  If unsure, say 'N'.

config NF_CONNTRACK_ZONES
	bool 'Connection tracking zones'
	depends on NETFILTER_ADVANCED
	depends on NETFILTER_XT_TARGET_CT
	help
	  This option enables support for connection tracking zones.
	  Normally, each connection needs to have a unique system wide
	  identity. Connection tracking zones allow you to have multiple
	  connections using the same identity, as long as they are
	  contained in different zones.

	  If unsure, say `N'.

config NF_CONNTRACK_PROCFS
	bool "Supply CT list in procfs (OBSOLETE)"
	default y
	depends on PROC_FS
	---help---
	  This option allows the list of known conntrack entries
	  to be shown in procfs under net/netfilter/nf_conntrack. This
	  is considered obsolete in favor of using the conntrack(8)
	  tool which uses Netlink.
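The NF_CONNTRACK_ZONES help text above says that zones let several connections share the same identity as long as they sit in different zones. The following Python model, added here as an illustration and not part of the kernel or this Kconfig file, shows why that matters: two customer networks behind the same firewall that both use the same private addressing produce flows with identical 5-tuples, and without a zone id the second flow is absorbed into the first entry. The flow table, tuple type and sample flows are all constructed for the example; the real kernel hashes the tuple differently and keeps far more state.

```python
"""Simplified model of connection-tracking zones (added illustration, not
kernel code).  A conntrack entry is identified by its 5-tuple; zones
(CONFIG_NF_CONNTRACK_ZONES) add a zone id to that identity so two flows
with identical tuples, e.g. from two customer networks that both use
10.0.0.0/8 behind the same firewall, can be tracked as separate entries.
All flows below are constructed sample data."""
from collections import namedtuple

# The tuple the real conntrack code looks up on (addresses, ports, protocol).
Tuple5 = namedtuple("Tuple5", "proto src sport dst dport")
DEFAULT_ZONE = 0


class ConntrackTable:
    """Dictionary-backed flow table; the key is (zone, tuple)."""

    def __init__(self, zones_enabled):
        self.zones_enabled = zones_enabled
        self.entries = {}

    def _key(self, zone, tup):
        # Without the zones extension every flow lives in the default zone,
        # so differently zoned but otherwise identical tuples collide.
        return (zone if self.zones_enabled else DEFAULT_ZONE, tup)

    def track(self, zone, tup, state="NEW"):
        """Create the entry on the first packet, update it on later ones."""
        key = self._key(zone, tup)
        if key in self.entries:
            self.entries[key]["packets"] += 1
            return self.entries[key]
        entry = {"zone": key[0], "tuple": tup, "state": state, "packets": 1}
        self.entries[key] = entry
        return entry

    def lookup(self, zone, tup):
        return self.entries.get(self._key(zone, tup))

    def __len__(self):
        return len(self.entries)


def demo(zones_enabled):
    """Two customers, same private addressing, hence the same 5-tuple.

    Returns (number of entries, packet count seen by customer A's entry)."""
    table = ConntrackTable(zones_enabled)
    flow = Tuple5("tcp", "10.0.0.5", 40000, "10.0.0.1", 22)
    table.track(zone=1, tup=flow)          # customer A, first packet
    table.track(zone=2, tup=flow)          # customer B, first packet
    table.track(zone=1, tup=flow)          # customer A, second packet
    return len(table), table.lookup(1, flow)["packets"]


if __name__ == "__main__":
    print("without zones:", demo(False))   # one entry absorbs both customers
    print("with zones:   ", demo(True))    # two independent entries
```

Without zones the table ends up with a single entry counting three packets from what are really two different hosts; with zones each customer gets its own entry, which is what the CT target's zone parameter achieves on a real system.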

config NF_CONNTRACK_EVENTS
	bool "Connection tracking events"
	depends on NETFILTER_ADVANCED
	help
	  If this option is enabled, the connection tracking code will
	  provide a notifier chain that can be used by other kernel code
	  to get notified about changes in the connection tracking state.

	  If unsure, say `N'.

config NF_CONNTRACK_TIMEOUT
	bool 'Connection tracking timeout'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for the connection tracking timeout
	  extension. This allows you to attach timeout policies to flows
	  via the CT target.

	  If unsure, say `N'.

config NF_CONNTRACK_TIMESTAMP
	bool 'Connection tracking timestamping'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection tracking timestamping.
	  This allows you to store the flow start time and to obtain
	  the flow stop time (once it has been destroyed) via connection
	  tracking events.

	  If unsure, say `N'.

config NF_CONNTRACK_LABELS
	bool
	help
	  This option enables support for assigning user-defined flag bits
	  to connection tracking entries. It is selected by the connlabel match.

config NF_CT_PROTO_DCCP
	bool 'DCCP protocol connection tracking support'
	depends on NETFILTER_ADVANCED
	default y
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on DCCP connections.

	  If unsure, say Y.

config NF_CT_PROTO_GRE
	tristate

config NF_CT_PROTO_SCTP
	bool 'SCTP protocol connection tracking support'
	depends on NETFILTER_ADVANCED
	default y
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on SCTP connections.

	  If unsure, say Y.

config NF_CT_PROTO_UDPLITE
	tristate 'UDP-Lite protocol connection tracking support'
	depends on NETFILTER_ADVANCED
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on UDP-Lite
	  connections.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_AMANDA
	tristate "Amanda backup protocol support"
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature. This allows the
	  connection tracking and NAT code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and
	  index.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_FTP
	tristate "FTP protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them.

	  This is FTP support on layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_H323
	tristate "H.323 protocol support"
	depends on IPV6 || IPV6=n
	depends on NETFILTER_ADVANCED
	help
	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
	  important VoIP protocols, it is widely used by voice hardware and
	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
	  Gnomemeeting, etc.

	  With this module you can support H.323 on a connection tracking/NAT
	  firewall.

	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
	  whiteboard, file transfer, etc. For more information, please
	  visit http://nath323.sourceforge.net/.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_IRC
	tristate "IRC protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC). This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server. DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots. If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats. Note that you do NOT need this extension to get files or
	  have others initiate chats, or everything else in IRC.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_BROADCAST
	tristate

config NF_CONNTRACK_NETBIOS_NS
	tristate "NetBIOS name service protocol support"
	select NF_CONNTRACK_BROADCAST
	help
	  NetBIOS name service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating NetBIOS name service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address.
	  When properly configured, the output
	  of "ip address show" should look similar to this:

	  $ ip -4 address show eth0
	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SNMP
	tristate "SNMP service protocol support"
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_BROADCAST
	help
	  SNMP service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating SNMP service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_PPTP
	tristate "PPtP protocol support"
	depends on NETFILTER_ADVANCED
	select NF_CT_PROTO_GRE
	help
	  This module adds support for PPTP (Point to Point Tunnelling
	  Protocol, RFC2637) connection tracking and NAT.

	  If you are running PPTP sessions over a stateful firewall or NAT
	  box, you may want to enable this feature.

	  Please note that not all PPTP modes of operation are supported yet.
	  Specifically these limitations exist:
	    - Blindly assumes that control connections are always established
	      in PNS->PAC direction. This is a violation of RFC2637.
	    - Only supports a single call within each session

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SANE
	tristate "SANE protocol support"
	depends on NETFILTER_ADVANCED
	help
	  SANE is a protocol for remote access to scanners as implemented
	  by the 'saned' daemon.
	  Like FTP, it uses separate control and
	  data connections.

	  With this module you can support SANE on a connection tracking
	  firewall.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SIP
	tristate "SIP protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  SIP is an application-layer control protocol that can establish,
	  modify, and terminate multimedia sessions (conferences) such as
	  Internet telephony calls. With the ip_conntrack_sip and
	  the nf_nat_sip modules you can support the protocol on a connection
	  tracking/NATing firewall.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_TFTP
	tristate "TFTP protocol support"
	depends on NETFILTER_ADVANCED
	help
	  This is the TFTP connection tracking helper; whether you need it
	  depends on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADING
	  you will need this.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CT_NETLINK
	tristate 'Connection tracking netlink interface'
	select NETFILTER_NETLINK
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables support for a netlink-based userspace interface.

config NF_CT_NETLINK_TIMEOUT
	tristate 'Connection tracking timeout tuning via Netlink'
	select NETFILTER_NETLINK
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection tracking timeout
	  fine-grain tuning. This allows you to attach specific timeout
	  policies to flows, instead of using the global timeout policy.

	  If unsure, say `N'.

config NF_CT_NETLINK_HELPER
	tristate 'Connection tracking helpers in user-space via Netlink'
	select NETFILTER_NETLINK
	depends on NF_CT_NETLINK
	depends on NETFILTER_NETLINK_QUEUE
	depends on NETFILTER_NETLINK_GLUE_CT
	depends on NETFILTER_ADVANCED
	help
	  This option enables the user-space connection tracking helpers
	  infrastructure.

	  If unsure, say `N'.

config NETFILTER_NETLINK_GLUE_CT
	bool "NFQUEUE and NFLOG integration with Connection Tracking"
	default n
	depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
	help
	  If this option is enabled, NFQUEUE and NFLOG can include
	  Connection Tracking information together with the packet that is
	  enqueued via NFNETLINK.

config NF_NAT
	tristate

config NF_NAT_NEEDED
	bool
	depends on NF_NAT
	default y

config NF_NAT_PROTO_DCCP
	bool
	depends on NF_NAT && NF_CT_PROTO_DCCP
	default NF_NAT && NF_CT_PROTO_DCCP

config NF_NAT_PROTO_UDPLITE
	bool
	depends on NF_NAT && NF_CT_PROTO_UDPLITE
	default NF_NAT && NF_CT_PROTO_UDPLITE

config NF_NAT_PROTO_SCTP
	bool
	default NF_NAT && NF_CT_PROTO_SCTP
	depends on NF_NAT && NF_CT_PROTO_SCTP
	select LIBCRC32C

config NF_NAT_AMANDA
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_AMANDA

config NF_NAT_FTP
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_FTP

config NF_NAT_IRC
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_IRC

config NF_NAT_SIP
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_SIP

config NF_NAT_TFTP
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_TFTP

config NF_NAT_REDIRECT
	tristate "IPv4/IPv6 redirect support"
	depends on NF_NAT
	help
	  This is the kernel functionality to
	  redirect packets to the local machine through NAT.

config NETFILTER_SYNPROXY
	tristate

endif # NF_CONNTRACK

config NF_TABLES
	select NETFILTER_NETLINK
	tristate "Netfilter nf_tables support"
	help
	  nftables is the new packet classification framework that intends to
	  replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
	  provides a pseudo-state machine with an extensible instruction-set
	  (also known as expressions) that the userspace 'nft' utility
	  (http://www.netfilter.org/projects/nftables) uses to build the
	  rule-set. It also comes with the generic set infrastructure that
	  allows you to construct mappings between matchings and actions
	  for performance lookups.

	  To compile it as a module, choose M here.

if NF_TABLES

config NF_TABLES_INET
	depends on IPV6
	select NF_TABLES_IPV4
	select NF_TABLES_IPV6
	tristate "Netfilter nf_tables mixed IPv4/IPv6 tables support"
	help
	  This option enables support for a mixed IPv4/IPv6 "inet" table.

config NF_TABLES_NETDEV
	tristate "Netfilter nf_tables netdev tables support"
	help
	  This option enables support for the "netdev" table.

config NFT_EXTHDR
	tristate "Netfilter nf_tables IPv6 exthdr module"
	help
	  This option adds the "exthdr" expression that you can use to match
	  IPv6 extension headers.

config NFT_META
	tristate "Netfilter nf_tables meta module"
	help
	  This option adds the "meta" expression that you can use to match and
	  to set packet metainformation such as the packet mark.

config NFT_RT
	tristate "Netfilter nf_tables routing module"
	help
	  This option adds the "rt" expression that you can use to match
	  packet routing information such as the packet nexthop.

config NFT_NUMGEN
	tristate "Netfilter nf_tables number generator module"
	help
	  This option adds the number generator expression used to perform
	  incremental counting and random numbers bound to an upper limit.

config NFT_CT
	depends on NF_CONNTRACK
	tristate "Netfilter nf_tables conntrack module"
	help
	  This option adds the "ct" expression that you can use to match
	  connection tracking information such as the flow state.

config NFT_SET_RBTREE
	tristate "Netfilter nf_tables rbtree set module"
	help
	  This option adds the "rbtree" set type (Red Black tree) that is used
	  to build interval-based sets.

config NFT_SET_HASH
	tristate "Netfilter nf_tables hash set module"
	help
	  This option adds the "hash" set type that is used to build one-way
	  mappings between matchings and actions.

config NFT_COUNTER
	tristate "Netfilter nf_tables counter module"
	help
	  This option adds the "counter" expression that you can use to
	  include packet and byte counters in a rule.

config NFT_LOG
	tristate "Netfilter nf_tables log module"
	help
	  This option adds the "log" expression that you can use to log
	  packets matching some criteria.

config NFT_LIMIT
	tristate "Netfilter nf_tables limit module"
	help
	  This option adds the "limit" expression that you can use to
	  ratelimit rule matchings.

config NFT_MASQ
	depends on NF_CONNTRACK
	depends on NF_NAT
	tristate "Netfilter nf_tables masquerade support"
	help
	  This option adds the "masquerade" expression that you can use
	  to perform NAT in the masquerade flavour.

config NFT_REDIR
	depends on NF_CONNTRACK
	depends on NF_NAT
	tristate "Netfilter nf_tables redirect support"
	help
	  This option adds the "redirect" expression that you can use
	  to perform NAT in the redirect flavour.
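The NFT_LIMIT help text above describes rate limiting of rule matchings in one sentence. A rate limit with a burst allowance is a token bucket, and the Python model below, added here as an illustration that is neither kernel code nor part of this Kconfig file, runs one over a constructed packet trace so the accept/over-limit pattern is visible: the burst is absorbed up to the bucket size, everything beyond it is over the limit until tokens refill, and a steady stream at or below the configured rate is never dropped. The class, the parameter names `rate` and `burst`, and the timestamps are all assumptions of the example; the kernel's own limit implementation works in ticks and credits rather than floats.

```python
"""Token-bucket model of a packet rate limit such as the nf_tables "limit"
expression (added illustration; a simplified model, not the kernel's
implementation).  Timestamps below are constructed sample data."""


class TokenBucket:
    """rate: tokens added per second; burst: bucket capacity (max tokens)."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)   # a fresh limit starts with a full bucket
        self.last = 0.0

    def allow(self, now):
        """Return True if a packet at time `now` (seconds) is within the limit."""
        elapsed = now - self.last
        self.last = now
        # Refill proportionally to elapsed time, never above the burst size.
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0     # one token per matching packet
            return True
        return False


def apply_limit(timestamps, rate, burst):
    """Return the list of (timestamp, verdict) the limit would produce."""
    bucket = TokenBucket(rate, burst)
    return [(t, "accept" if bucket.allow(t) else "over-limit")
            for t in timestamps]


def count_accepted(timestamps, rate, burst):
    """Number of packets in the trace that stay within the limit."""
    return sum(1 for _, v in apply_limit(timestamps, rate, burst)
               if v == "accept")


# Constructed trace: a 10-packet burst at t=0, then 5 packets/second.
BURST = [0.0] * 10
STEADY = [1.0 + i * 0.2 for i in range(10)]   # t = 1.0 .. 2.8 s

if __name__ == "__main__":
    # With rate=5 and burst=5 the first five burst packets pass, the other
    # five are over the limit, and the steady stream is accepted in full.
    for t, verdict in apply_limit(BURST + STEADY, rate=5, burst=5):
        print(f"t={t:4.1f}s {verdict}")
```

The same model explains why a limit rule is normally paired with a counter or log expression on the over-limit path: the dropped packets are the ones that tell you the rate was exceeded.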

config NFT_NAT
	depends on NF_CONNTRACK
	select NF_NAT
	tristate "Netfilter nf_tables nat module"
	help
	  This option adds the "nat" expression that you can use to perform
	  typical Network Address Translation (NAT) packet transformations.

config NFT_QUEUE
	depends on NETFILTER_NETLINK_QUEUE
	tristate "Netfilter nf_tables queue module"
	help
	  This is required if you intend to use the userspace queueing
	  infrastructure (also known as NFQUEUE) from nftables.

config NFT_QUOTA
	tristate "Netfilter nf_tables quota module"
	help
	  This option adds the "quota" expression that you can use to match
	  and enforce byte quotas.

config NFT_REJECT
	default m if NETFILTER_ADVANCED=n
	tristate "Netfilter nf_tables reject support"
	help
	  This option adds the "reject" expression that you can use to
	  explicitly deny disallowed traffic and notify the sender via TCP
	  reset or ICMP informational errors.

config NFT_REJECT_INET
	depends on NF_TABLES_INET
	default NFT_REJECT
	tristate

config NFT_COMPAT
	depends on NETFILTER_XTABLES
	tristate "Netfilter x_tables over nf_tables module"
	help
	  This is required if you intend to use any of the existing
	  x_tables match/target extensions over the nf_tables
	  framework.

config NFT_HASH
	tristate "Netfilter nf_tables hash module"
	help
	  This option adds the "hash" expression that you can use to perform
	  a hash operation on registers.

config NFT_FIB
	tristate

config NFT_FIB_INET
	depends on NF_TABLES_INET
	depends on NFT_FIB_IPV4
	depends on NFT_FIB_IPV6
	tristate "Netfilter nf_tables fib inet support"
	help
	  This option allows using the FIB expression from the inet table.
	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
	  on the protocol of the packet.

if NF_TABLES_NETDEV

config NF_DUP_NETDEV
	tristate "Netfilter packet duplication support"
	help
	  This option enables the generic packet duplication infrastructure
	  for Netfilter.

config NFT_DUP_NETDEV
	tristate "Netfilter nf_tables netdev packet duplication support"
	select NF_DUP_NETDEV
	help
	  This option enables packet duplication for the "netdev" family.

config NFT_FWD_NETDEV
	tristate "Netfilter nf_tables netdev packet forwarding support"
	select NF_DUP_NETDEV
	help
	  This option enables packet forwarding for the "netdev" family.

endif # NF_TABLES_NETDEV

endif # NF_TABLES

config NETFILTER_XTABLES
	tristate "Netfilter Xtables support (required for ip_tables)"
	default m if NETFILTER_ADVANCED=n
	help
	  This is required if you intend to use any of ip_tables,
	  ip6_tables or arp_tables.

if NETFILTER_XTABLES

comment "Xtables combined modules"

config NETFILTER_XT_MARK
	tristate 'nfmark target and match support'
	default m if NETFILTER_ADVANCED=n
	---help---
	  This option adds the "MARK" target and "mark" match.

	  Netfilter mark matching allows you to match packets based on the
	  "nfmark" value in the packet.
	  The target allows you to create rules in the "mangle" table which alter
	  the netfilter mark (nfmark) field associated with the packet.

	  Prior to routing, the nfmark can influence the routing method and can
	  also be used by other subsystems to change their behavior.

config NETFILTER_XT_CONNMARK
	tristate 'ctmark target and match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	---help---
	  This option adds the "CONNMARK" target and "connmark" match.

	  Netfilter allows you to store a mark value per connection (a.k.a.
	  ctmark), similarly to the packet mark (nfmark). Using this
	  target and match, you can set and match on this mark.

config NETFILTER_XT_SET
	tristate 'set target and match support'
	depends on IP_SET
	depends on NETFILTER_ADVANCED
	help
	  This option adds the "SET" target and "set" match.

	  Using this target and match, you can add/delete and match
	  elements in the sets created by ipset(8).

	  To compile it as a module, choose M here. If unsure, say N.

# alphabetically ordered list of targets

comment "Xtables targets"

config NETFILTER_XT_TARGET_AUDIT
	tristate "AUDIT target support"
	depends on AUDIT
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an 'AUDIT' target, which can be used to create
	  audit records for packets dropped/accepted.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CHECKSUM
	tristate "CHECKSUM target support"
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds a `CHECKSUM' target, which can be used in the iptables mangle
	  table.

	  You can use this target to compute and fill in the checksum in
	  a packet that lacks a checksum. This is particularly useful
	  if you need to work around old applications such as dhcp clients
	  that do not work well with checksum offloads, but don't want to disable
	  checksum offload in your device.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CLASSIFY
	tristate '"CLASSIFY" target support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet. Some qdiscs can use this value for
	  classification, among these are:

	  atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CONNMARK
	tristate '"CONNMARK" target support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_CONNMARK
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).

config NETFILTER_XT_TARGET_CONNSECMARK
	tristate '"CONNSECMARK" target support'
	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The CONNSECMARK target copies security markings from packets
	  to connections, and restores security markings from connections
	  to packets (if the packets are not already marked). This would
	  normally be used in conjunction with the SECMARK target.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CT
	tristate '"CT" target support'
	depends on NF_CONNTRACK
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CT' target, which allows you to specify initial
	  connection tracking parameters like events to be delivered and
	  the helper to be used.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_DSCP
	tristate '"DSCP" and "TOS" target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' target, which allows you to manipulate
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It also adds the "TOS" target, which allows you to create rules in
	  the "mangle" table which alter the Type Of Service field of an IPv4
	  or the Priority field of an IPv6 packet, prior to routing.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
	  targets, which enable the user to change the
	  hoplimit/time-to-live value of the IP header.

	  While it is safe to decrement the hoplimit/TTL value, the
	  modules also allow you to increment and set the hoplimit value of
	  the header to arbitrary values. This is EXTREMELY DANGEROUS
	  since you can easily create immortal packets that loop
	  forever on the network.

config NETFILTER_XT_TARGET_HMARK
	tristate '"HMARK" target support'
	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds the "HMARK" target.

	  The target allows you to create rules in the "raw" and "mangle" tables
	  which set the skbuff mark by means of hash calculation within a given
	  range. The nfmark can influence the routing method and can also be used
	  by other subsystems to change their behaviour.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_IDLETIMER
	tristate "IDLETIMER target support"
	depends on NETFILTER_ADVANCED
	help

	  This option adds the `IDLETIMER' target. Each matching packet
	  resets the timer associated with the label specified when the rule is
	  added. When the timer expires, it triggers a sysfs notification.
	  The remaining time for expiration can be read via sysfs.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_LED
	tristate '"LED" target support'
	depends on LEDS_CLASS && LEDS_TRIGGERS
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `LED' target, which allows you to blink LEDs in
	  response to particular packets passing through your machine.

	  This can be used to turn a spare LED into a network activity LED,
	  which only flashes in response to FTP transfers, for example. Or
	  you could have an LED which lights up for a minute or two every time
	  somebody connects to your machine via SSH.

	  You will need support for the "led" class to make this work.

	  To create an LED trigger for incoming SSH traffic:
	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000

	  Then attach the new trigger to an LED on your system:
	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger

	  For more information on the LEDs available on your system, see
	  Documentation/leds/leds-class.txt

config NETFILTER_XT_TARGET_LOG
	tristate "LOG target support"
	select NF_LOG_COMMON
	select NF_LOG_IPV4
	select NF_LOG_IPV6 if IPV6
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which records the packet header to the syslog.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_MARK
	tristate '"MARK" target support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MARK
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).

config NETFILTER_XT_NAT
	tristate '"SNAT and DNAT" targets support'
	depends on NF_NAT
	---help---
	  This option enables the SNAT and DNAT targets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NETMAP
	tristate '"NETMAP" target support'
	depends on NF_NAT
	---help---
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses. It maps the network address part, while keeping the host
	  address part intact.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NFLOG
	tristate '"NFLOG" target support'
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK_LOG
	help
	  This option enables the NFLOG target, which allows you to log
	  messages through nfnetlink_log.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NFQUEUE
	tristate '"NFQUEUE" target Support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK_QUEUE
	help
	  This target replaced the old obsolete QUEUE target.

	  As opposed to QUEUE, it supports 65535 different queues,
	  not just one.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NOTRACK
	tristate '"NOTRACK" target support (DEPRECATED)'
	depends on NF_CONNTRACK
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_CT

config NETFILTER_XT_TARGET_RATEEST
	tristate '"RATEEST" target support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `RATEEST' target, which allows you to measure
	  rates similar to TC estimators. The `rateest' match can be
	  used to match on the measured rates.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NF_NAT
	select NF_NAT_REDIRECT
	---help---
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through. This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TEE
	tristate '"TEE" - packet cloning to alternate destination'
	depends on NETFILTER_ADVANCED
	depends on IPV6 || IPV6=n
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DUP_IPV4
	select NF_DUP_IPV6 if IPV6
	---help---
	  This option adds a "TEE" target with which a packet can be cloned and
	  this clone be rerouted to another nexthop.

config NETFILTER_XT_TARGET_TPROXY
	tristate '"TPROXY" target transparent proxying support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	depends on IPV6 || IPV6=n
	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
	depends on IP_NF_MANGLE
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
	help
	  This option adds a `TPROXY' target, which is somewhat similar to
	  REDIRECT. It can only be used in the mangle table and is useful
	  to redirect traffic to a transparent proxy. It does _not_ depend
	  on Netfilter connection tracking and NAT, unlike REDIRECT.
	  For it to work you will have to configure certain iptables rules
	  and use policy routing. For more information on how to set it up
	  see Documentation/networking/tproxy.txt.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TRACE
	tristate '"TRACE" target support'
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	help
	  The TRACE target allows you to mark packets so that the kernel
	  will log every rule which matches the packets as they traverse
	  the tables, chains and rules.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_TARGET_SECMARK
	tristate '"SECMARK" target support'
	depends on NETWORK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The SECMARK target allows security marking of network
	  packets, for use with security subsystems.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TCPMSS
	tristate '"TCPMSS" target support'
	depends on IPV6 || IPV6=n
	default m if NETFILTER_ADVANCED=n
	---help---
	  This option adds a `TCPMSS' target, which allows you to alter the
	  MSS value of TCP SYN packets, to control the maximum size for that
	  connection (usually limiting it to your outgoing interface's MTU
	  minus 40).

	  This is used to overcome criminally braindead ISPs or servers which
	  block ICMP Fragmentation Needed packets. The symptoms of this
	  problem are that everything works fine from your Linux
	  firewall/router, but machines behind it can never exchange large
	  packets:
	  1) Web browsers connect, then hang with no data received.
	  2) Small mail works fine, but large emails hang.
	  3) ssh works fine, but scp hangs after initial handshaking.

	  Workaround: activate this option and add a rule to your firewall
	  configuration like:

	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
	    -j TCPMSS --clamp-mss-to-pmtu

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TCPOPTSTRIP
	tristate '"TCPOPTSTRIP" target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
	  TCP options from TCP packets.
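The TCPMSS help text above describes the clamp but not the packet surgery behind it. The following is an added example written for this page, not the kernel's xt_TCPMSS code: it walks the TCP options of an IPv4 SYN, rewrites option kind 2 (MSS) down to PMTU minus 40, and recomputes the TCP checksum over the IPv4 pseudo-header, which is what `-j TCPMSS --clamp-mss-to-pmtu` must do for every SYN it touches. The packet bytes, the RFC 5737 addresses and the assumed link MTU of 1492 are constructed sample values.

```python
# Added example for this page (not the kernel's xt_TCPMSS code): what
# "-j TCPMSS --clamp-mss-to-pmtu" does conceptually to an IPv4 TCP SYN.
# The packet bytes below are constructed sample data; the PMTU value is
# an assumed link MTU of 1492, so the clamp target is 1452.
import ipaddress
import struct

IPV4_TCP_OVERHEAD = 40  # 20-byte IPv4 header + 20-byte TCP header, as in the help text


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data, returned as the final 16-bit value."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ihl(pkt: bytes) -> int:
    """IPv4 header length in bytes."""
    return (pkt[0] & 0x0F) * 4


def tcp_checksum_ok(pkt: bytes) -> bool:
    """True when the TCP checksum (with IPv4 pseudo-header) verifies."""
    tcp = pkt[ihl(pkt):]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return ones_complement_sum(pseudo + tcp) == 0


def find_mss(pkt: bytes):
    """Walk the TCP options; return (offset of the MSS value, MSS) or None."""
    start = ihl(pkt)
    i = start + 20
    end = start + (pkt[start + 12] >> 4) * 4
    while i < end:
        kind = pkt[i]
        if kind == 0:            # end of option list
            return None
        if kind == 1:            # NOP, single byte
            i += 1
            continue
        if i + 1 >= end or pkt[i + 1] < 2:
            return None          # truncated or malformed option
        length = pkt[i + 1]
        if kind == 2 and length == 4 and i + 4 <= end:
            return i + 2, struct.unpack("!H", pkt[i + 2:i + 4])[0]
        i += length
    return None


def clamp_mss_to_pmtu(pkt: bytes, pmtu: int) -> bytes:
    """Lower the MSS option of a SYN (not RST) to pmtu - 40 and fix the checksum."""
    start = ihl(pkt)
    flags = pkt[start + 13]
    if not flags & 0x02 or flags & 0x04:  # same selection as --tcp-flags SYN,RST SYN
        return pkt
    found = find_mss(pkt)
    if found is None:
        return pkt
    off, mss = found
    limit = pmtu - IPV4_TCP_OVERHEAD
    if mss <= limit:
        return pkt
    out = bytearray(pkt)
    out[off:off + 2] = struct.pack("!H", limit)
    out[start + 16:start + 18] = b"\x00\x00"        # zero the checksum field before summing
    tcp = bytes(out[start:])
    pseudo = bytes(out[12:20]) + struct.pack("!BBH", 0, 6, len(tcp))
    out[start + 16:start + 18] = struct.pack("!H", ones_complement_sum(pseudo + tcp))
    return bytes(out)


def build_syn(mss: int, flags: int = 0x02) -> bytes:
    """Constructed sample: minimal IPv4 header + 24-byte TCP header carrying one MSS option."""
    src = ipaddress.IPv4Address("192.0.2.10").packed      # RFC 5737 documentation addresses
    dst = ipaddress.IPv4Address("198.51.100.20").packed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 44, 0x1234, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 6 << 4, flags, 65535, 0, 0)
    tcp += struct.pack("!BBH", 2, 4, mss)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", ones_complement_sum(pseudo + tcp)) + tcp[18:]
    return ip + tcp


if __name__ == "__main__":
    syn = build_syn(1460)
    clamped = clamp_mss_to_pmtu(syn, 1492)
    print(find_mss(syn)[1], "->", find_mss(clamped)[1], tcp_checksum_ok(clamped))
```

Note that the flag test deliberately lets SYN/ACK through as well, exactly as `--tcp-flags SYN,RST SYN` does, so both ends of a connection get clamped; a SYN with RST set is left alone.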

# alphabetically ordered list of matches

comment "Xtables matches"

config NETFILTER_XT_MATCH_ADDRTYPE
	tristate '"addrtype" address type match support'
	default m if NETFILTER_ADVANCED=n
	---help---
	  This option allows you to match what routing thinks of an address,
	  e.g. UNICAST, LOCAL, BROADCAST, ...

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_BPF
	tristate '"bpf" match support'
	depends on NETFILTER_ADVANCED
	help
	  BPF matching applies a Linux socket filter to each packet and
	  accepts those for which the filter returns non-zero.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_CGROUP
	tristate '"control group" match support'
	depends on NETFILTER_ADVANCED
	depends on CGROUPS
	select CGROUP_NET_CLASSID
	---help---
	  Socket/process control group matching allows you to match locally
	  generated packets based on which net_cls control group processes
	  belong to.

config NETFILTER_XT_MATCH_CLUSTER
	tristate '"cluster" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	---help---
	  This option allows you to build work-load-sharing clusters of
	  network servers/stateful firewalls without having a dedicated
	  load-balancing router/server/switch. Basically, this match returns
	  true when the packet must be handled by this cluster node. Thus,
	  all nodes see all packets and this match decides which node handles
	  what packets. The work-load sharing algorithm is based on source
	  address hashing.

	  If you say Y or M here, try `iptables -m cluster --help` for
	  more information.

config NETFILTER_XT_MATCH_COMMENT
	tristate '"comment" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `comment' dummy-match, which allows you to put
	  comments in your iptables ruleset.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNBYTES
	tristate '"connbytes" per-connection counter match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `connbytes' match, which allows you to match the
	  number of bytes and/or packets for each direction within a connection.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNLABEL
	tristate '"connlabel" match support'
	select NF_CONNTRACK_LABELS
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	---help---
	  This match allows you to test and assign userspace-defined label names
	  to a connection. The kernel only stores bit values - mapping
	  names to bits is done by userspace.

	  Unlike connmark, more than 32 flag bits may be assigned to a
	  connection simultaneously.

config NETFILTER_XT_MATCH_CONNLIMIT
	tristate '"connlimit" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	---help---
	  This match allows you to match against the number of parallel
	  connections to a server per client IP address (or address block).

config NETFILTER_XT_MATCH_CONNMARK
	tristate '"connmark" connection mark match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_CONNMARK
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).

config NETFILTER_XT_MATCH_CONNTRACK
	tristate '"conntrack" connection tracking match support'
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  This is a general conntrack match module, a superset of the state match.

	  It allows matching on additional conntrack information, which is
	  useful in complex configurations, such as NAT gateways with multiple
	  internet links or tunnels.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_CPU
	tristate '"cpu" match support'
	depends on NETFILTER_ADVANCED
	help
	  CPU matching allows you to match packets based on the CPU
	  currently handling the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_DCCP
	tristate '"dccp" protocol match support'
	depends on NETFILTER_ADVANCED
	default IP_DCCP
	help
	  With this option enabled, you will be able to use the iptables
	  `dccp' match in order to match on DCCP source/destination ports
	  and DCCP flags.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_DEVGROUP
	tristate '"devgroup" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `devgroup' match, which allows you to match on the
	  device group a network device is assigned to.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_DSCP
	tristate '"dscp" and "tos" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It will also add a "tos" match, which allows you to match packets
	  based on the Type Of Service fields of the IPv4 packet (which share
	  the same bits as DSCP).

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an "ECN" match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_ESP
	tristate '"esp" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the ESP header of IPsec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_HASHLIMIT
	tristate '"hashlimit" match support'
	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `hashlimit' match.

	  As opposed to `limit', this match dynamically creates a hash table
	  of limit buckets, based on your selection of source/destination
	  addresses and/or ports.

	  It enables you to express policies like `10kpps for any given
	  destination address' or `500pps from any given source address'
	  with a single rule.

config NETFILTER_XT_MATCH_HELPER
	tristate '"helper" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack-helper, e.g. ip_conntrack_ftp.

	  To compile it as a module, choose M here. If unsure, say Y.

config NETFILTER_XT_MATCH_HL
	tristate '"hl" hoplimit/TTL match support'
	depends on NETFILTER_ADVANCED
	---help---
	  HL matching allows you to match packets based on the hoplimit
	  in the IPv6 header, or the time-to-live field in the IPv4
	  header of the packet.

config NETFILTER_XT_MATCH_IPCOMP
	tristate '"ipcomp" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of CPIs (16 bits)
	  inside the IPComp header of IPsec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_IPRANGE
	tristate '"iprange" address range match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an "iprange" match, which allows you to match based on
	  an IP address range. (Normal iptables only matches on single addresses
	  with an optional mask.)

	  If unsure, say M.

config NETFILTER_XT_MATCH_IPVS
	tristate '"ipvs" match support'
	depends on IP_VS
	depends on NETFILTER_ADVANCED
	depends on NF_CONNTRACK
	help
	  This option allows you to match against IPVS properties of a packet.

	  If unsure, say N.

config NETFILTER_XT_MATCH_L2TP
	tristate '"l2tp" match support'
	depends on NETFILTER_ADVANCED
	default L2TP
	---help---
	  This option adds an "L2TP" match, which allows you to match against
	  L2TP protocol header fields.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_LENGTH
	tristate '"length" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_LIMIT
	tristate '"limit" match support'
	depends on NETFILTER_ADVANCED
	help
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", below) and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MAC
	tristate '"mac" address match support'
	depends on NETFILTER_ADVANCED
	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MARK
	tristate '"mark" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MARK
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).

config NETFILTER_XT_MATCH_MULTIPORT
	tristate '"multiport" Multiple port match support'
	depends on NETFILTER_ADVANCED
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_NFACCT
	tristate '"nfacct" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK_ACCT
	help
	  This option allows you to use the extended accounting through
	  nfnetlink_acct.

	  To compile it as a module, choose M here. If unsure, say N.
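The `hashlimit` and `limit` help texts above describe the difference between one bucket and a hash table of buckets, but not the token-bucket arithmetic both share. The following is an added example written for this page, not the kernel's xt_hashlimit or xt_limit code: a token bucket refilled at a fixed rate up to a burst, keyed on whichever of the hashlimit key fields a mode names, so that an empty mode behaves like `limit` and `("srcip",)` behaves like `--hashlimit-mode srcip`. Fractions keep the refill arithmetic exact; timestamps are integer milliseconds, and the traffic is a constructed burst from three RFC 5737 addresses.

```python
# Added example for this page (not the kernel's xt_hashlimit/xt_limit
# code): a token-bucket limiter keyed the way `--hashlimit-mode` keys it.
# With an empty mode it degenerates into the single bucket of `limit`.
# Timestamps are integer milliseconds; the traffic below is constructed.
from collections import namedtuple
from fractions import Fraction

Packet = namedtuple("Packet", "t_ms src dst sport dport")


class TokenBucket:
    """Bucket holding up to `burst` tokens, refilled at `rate_pps` tokens per second."""

    def __init__(self, rate_pps: int, burst: int):
        self.rate_per_ms = Fraction(rate_pps, 1000)
        self.burst = burst
        self.tokens = Fraction(burst)   # a fresh bucket starts full, so a burst passes
        self.last_ms = None

    def allow(self, now_ms: int) -> bool:
        if self.last_ms is not None:
            refill = (now_ms - self.last_ms) * self.rate_per_ms
            self.tokens = min(Fraction(self.burst), self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class HashLimit:
    """One TokenBucket per key; `mode` names the hashlimit key fields to hash on."""

    FIELDS = {"srcip": "src", "dstip": "dst", "srcport": "sport", "dstport": "dport"}

    def __init__(self, rate_pps: int, burst: int, mode=()):
        self.rate_pps, self.burst = rate_pps, burst
        self.mode = tuple(mode)
        self.buckets = {}

    def key(self, pkt: Packet) -> tuple:
        return tuple(getattr(pkt, self.FIELDS[m]) for m in self.mode)

    def match(self, pkt: Packet) -> bool:
        """True while the bucket for this packet's key still holds a token (the --hashlimit-upto sense)."""
        bucket = self.buckets.setdefault(self.key(pkt), TokenBucket(self.rate_pps, self.burst))
        return bucket.allow(pkt.t_ms)


def sample_traffic():
    """Constructed burst: 30 packets, 10 ms apart, three sources in rotation, one destination."""
    sources = ["203.0.113.1", "203.0.113.2", "203.0.113.3"]
    return [Packet(i * 10, sources[i % 3], "192.0.2.1", 40000 + i, 53) for i in range(30)]


def count_matches(limiter: HashLimit, packets) -> int:
    return sum(1 for p in packets if limiter.match(p))


if __name__ == "__main__":
    pkts = sample_traffic()
    print("limit 5/s burst 3:          ", count_matches(HashLimit(5, 3), pkts))
    print("hashlimit srcip 5/s burst 3:", count_matches(HashLimit(5, 3, ("srcip",)), pkts))
    print("hashlimit srcport (per-packet keys):", count_matches(HashLimit(5, 3, ("srcport",)), pkts))
```

The last line of the demo is the caveat to keep in mind when choosing a mode: keying on a field the sender controls freely (here the source port) gives every packet its own fresh bucket, so nothing is limited and the table grows with the traffic. That is why hashlimit also carries table sizing and expiry options (`--hashlimit-htable-size`, `--hashlimit-htable-max`, `--hashlimit-htable-expire`) and why a source-address key is the usual choice.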

config NETFILTER_XT_MATCH_OSF
	tristate '"osf" Passive OS fingerprint match'
	depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
	help
	  This option selects the Passive OS Fingerprinting match module
	  that allows you to passively match the remote operating system by
	  analyzing incoming TCP SYN packets.

	  Rules and loading software can be downloaded from
	  http://www.ioremap.net/projects/osf

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_OWNER
	tristate '"owner" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  Socket owner matching allows you to match locally-generated packets
	  based on who created the socket: the user or group. It is also
	  possible to check whether a socket actually exists.

config NETFILTER_XT_MATCH_POLICY
	tristate 'IPsec "policy" match support'
	depends on XFRM
	default m if NETFILTER_ADVANCED=n
	help
	  Policy matching allows you to match packets based on the
	  IPsec policy that was used during decapsulation/will
	  be used during encapsulation.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_PHYSDEV
	tristate '"physdev" match support'
	depends on BRIDGE && BRIDGE_NETFILTER
	depends on NETFILTER_ADVANCED
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_PKTTYPE
	tristate '"pkttype" packet type match support'
	depends on NETFILTER_ADVANCED
	help
	  Packet type matching allows you to match a packet by
	  its "class", e.g. BROADCAST, MULTICAST, ...

	  Typical usage:
	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_QUOTA
	tristate '"quota" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `quota' match, which allows you to match on a
	  byte counter.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_RATEEST
	tristate '"rateest" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_RATEEST
	help
	  This option adds a `rateest' match, which allows you to match on the
	  rate estimated by the RATEEST target.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_REALM
	tristate '"realm" match support'
	depends on NETFILTER_ADVANCED
	select IP_ROUTE_CLASSID
	help
	  This option adds a `realm' match, which allows you to use the realm
	  key from the routing subsystem inside iptables.

	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
	  in the tc world.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_RECENT
	tristate '"recent" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'.
	  Official Website: <http://snowman.net/projects/ipt_recent/>

config NETFILTER_XT_MATCH_SCTP
	tristate '"sctp" protocol match support'
	depends on NETFILTER_ADVANCED
	default IP_SCTP
	help
	  With this option enabled, you will be able to use the
	  `sctp' match in order to match on SCTP source/destination ports
	  and SCTP chunk types.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_SOCKET
	tristate '"socket" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	depends on IPV6 || IPV6=n
	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
	depends on NF_SOCKET_IPV4
	depends on NF_SOCKET_IPV6
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
	help
	  This option adds a `socket' match, which can be used to match
	  packets for which a TCP or UDP socket lookup finds a valid socket.
	  It can be used in combination with the MARK target and policy
	  routing to implement full featured non-locally bound sockets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STATE
	tristate '"state" match support'
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (i.e. previous packets). This
	  is a powerful tool for packet classification.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STATISTIC
	tristate '"statistic" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `statistic' match, which allows you to match
	  on packets periodically or randomly with a given percentage.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STRING
	tristate '"string" match support'
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	select TEXTSEARCH_BM
	select TEXTSEARCH_FSM
	help
	  This option adds a `string' match, which allows you to look for
	  pattern matches in packets.
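The `state` help text above says the match classifies a packet by its relationship to a tracked connection without showing what that classification looks like. The following is an added example written for this page, not the kernel's nf_conntrack or xt_state code: a toy tracker keyed on the 5-tuple that yields NEW, ESTABLISHED and INVALID, driven by the classic INPUT policy "accept ESTABLISHED, accept NEW only to allowed ports, drop the rest". Two simplifications are assumptions of this example, not kernel behaviour: a TCP flow may only be opened by a pure SYN (no mid-stream pickup), and RELATED is not modelled. The host, peers and packet trace are constructed from RFC 5737 addresses.

```python
# Added example for this page (not the kernel's nf_conntrack or xt_state
# code): a toy connection tracker producing the NEW / ESTABLISHED /
# INVALID states that the `state` match tests, plus the usual INPUT
# policy. Assumptions: 5-tuple keys, TCP flows open only with a pure SYN,
# no RELATED. The trace below is constructed sample traffic.
from dataclasses import dataclass

NEW, ESTABLISHED, INVALID = "NEW", "ESTABLISHED", "INVALID"
HOST = "192.0.2.10"          # the protected host; all addresses are RFC 5737 documentation ranges


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""          # TCP flags as letters, e.g. "S", "SA", "A"


def flow_key(p: Pkt):
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def reply_key(p: Pkt):
    return (p.proto, p.dst, p.dport, p.src, p.sport)


class Conntrack:
    """Table of original-direction keys -> whether a reply has been seen."""

    def __init__(self):
        self.table = {}

    def state(self, p: Pkt) -> str:
        """Classify without touching the table; the entry is committed only when the packet is accepted."""
        if flow_key(p) in self.table:
            return ESTABLISHED if self.table[flow_key(p)] else NEW   # a retransmitted SYN is still NEW
        if reply_key(p) in self.table:
            return ESTABLISHED          # the first reply turns the flow ESTABLISHED
        if p.proto == "tcp" and p.flags != "S":
            return INVALID              # assumption: no mid-stream pickup of unknown TCP flows
        return NEW

    def commit(self, p: Pkt):
        if reply_key(p) in self.table:
            self.table[reply_key(p)] = True
        else:
            self.table.setdefault(flow_key(p), False)


def input_policy(ct: Conntrack, p: Pkt, open_ports=(22,)) -> tuple:
    """Equivalent of: -m state --state ESTABLISHED -j ACCEPT;
    -m state --state NEW -p tcp --dport <open> -j ACCEPT; policy DROP."""
    st = ct.state(p)
    if st == ESTABLISHED or (st == NEW and p.proto == "tcp" and p.dport in open_ports):
        ct.commit(p)
        return st, "ACCEPT"
    return st, "DROP"


def run(trace):
    """trace: list of (direction, Pkt). Outbound packets are always accepted in this example."""
    ct, out = Conntrack(), []
    for direction, p in trace:
        if direction == "out":
            st = ct.state(p)
            ct.commit(p)
            out.append((direction, st, "ACCEPT"))
        else:
            out.append((direction,) + input_policy(ct, p))
    return out


def sample_trace():
    return [
        ("out", Pkt("tcp", HOST, 40000, "203.0.113.5", 443, "S")),    # host opens HTTPS: NEW
        ("in",  Pkt("tcp", "203.0.113.5", 443, HOST, 40000, "SA")),   # SYN/ACK reply: ESTABLISHED
        ("in",  Pkt("tcp", "198.51.100.7", 55555, HOST, 22, "S")),    # NEW to SSH: allowed
        ("in",  Pkt("tcp", "198.51.100.7", 55556, HOST, 80, "S")),    # NEW to HTTP: dropped
        ("in",  Pkt("tcp", "198.51.100.9", 4444, HOST, 40000, "A")),  # bare ACK, no flow: INVALID
        ("out", Pkt("tcp", HOST, 40000, "203.0.113.5", 443, "A")),    # ESTABLISHED
    ]


if __name__ == "__main__":
    for direction, st, verdict in run(sample_trace()):
        print(f"{direction:3} {st:12} {verdict}")
```

The fifth packet is the reason stateful matching is a classification tool rather than a flag check: a bare ACK aimed at a port the host is using is dropped because no tracked flow matches it, which a stateless `--tcp-flags ACK ACK -j ACCEPT` rule would let through.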

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_TCPMSS
	tristate '"tcpmss" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS value of TCP SYN packets, which control the maximum packet size
	  for that connection.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_TIME
	tristate '"time" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds a "time" match, which allows you to match based on
	  the packet arrival time (at the machine on which netfilter is
	  running) or departure time/date (for locally generated packets).

	  If you say Y here, try `iptables -m time --help` for
	  more information.

	  If you want to compile it as a module, say M here.
	  If unsure, say N.

config NETFILTER_XT_MATCH_U32
	tristate '"u32" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  u32 allows you to extract quantities of up to 4 bytes from a packet,
	  AND them with specified masks, shift them by specified amounts and
	  test whether the results are in any of a set of specified ranges.
	  The specification of what to extract is general enough to skip over
	  headers with lengths stored in the packet, as in IP or TCP header
	  lengths.

	  Details and examples are in the kernel module source.

endif # NETFILTER_XTABLES

endmenu

source "net/netfilter/ipset/Kconfig"

source "net/netfilter/ipvs/Kconfig"
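The `u32` help text above refers readers to the module source for the extraction language. The following is an added example written for this page, not the kernel's xt_u32.c: an evaluator for that language as the iptables-extensions manual describes it, where each test is `location = ranges`, tests are joined with `&&`, a location starts with a byte offset into the IP header and applies `&`, `<<`, `>>` and `@` left to right, and `@` adds the current value to the base offset so that a following offset is taken relative to it. That last operator is how a rule skips a variable-length IP header: `0>>22&0x3C` turns the first header word into IHL times four. The rule strings and packets below are constructed; the `@` accumulation rule follows the kernel's `at += val` behaviour as this example understands it.

```python
# Added example for this page (not the kernel's xt_u32.c): an evaluator
# for the u32 match language. "location = ranges" tests joined by &&;
# a location is a byte offset followed by &, <<, >> and @ operators.
# "@" adds the current value to the base offset and reloads at base+n,
# which is how a test skips a variable-length IP header.
# Rule strings and packets are constructed sample data.
import re

MASK32 = 0xFFFFFFFF
_TOKEN = re.compile(r"\s*(0x[0-9a-fA-F]+|\d+|<<|>>|[&@=:,])")


def _number(tok: str) -> int:
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok, 10)


def _tokenize(test: str):
    toks, pos, test = [], 0, test.strip()
    while pos < len(test):
        m = _TOKEN.match(test, pos)
        if not m:
            raise ValueError("bad u32 syntax at %r" % test[pos:])
        toks.append(m.group(1))
        pos = m.end()
    return toks


def _load(pkt: bytes, offset: int) -> int:
    """Fetch 4 bytes big-endian; a read past the packet fails the whole match."""
    if offset < 0 or offset + 4 > len(pkt):
        raise IndexError("offset %d beyond packet" % offset)
    return int.from_bytes(pkt[offset:offset + 4], "big")


def _eval_test(pkt: bytes, test: str) -> bool:
    toks = _tokenize(test)
    if "=" not in toks:
        raise ValueError("u32 test needs '=': %r" % test)
    base, i = 0, 0
    val = _load(pkt, _number(toks[i]))
    i += 1
    while toks[i] != "=":                      # location operators, left to right
        op, n = toks[i], _number(toks[i + 1])
        i += 2
        if op == "&":
            val &= n
        elif op == ">>":
            val = (val >> n) & MASK32
        elif op == "<<":
            val = (val << n) & MASK32
        elif op == "@":
            base += val                        # base accumulates, then read at base + n
            val = _load(pkt, base + n)
        else:
            raise ValueError("unexpected %r" % op)
    i += 1                                     # step past "="
    matched = False
    while i < len(toks):                       # ranges: lo[:hi], comma separated
        lo = hi = _number(toks[i])
        i += 1
        if i < len(toks) and toks[i] == ":":
            hi = _number(toks[i + 1])
            i += 2
        matched = matched or lo <= val <= hi
        if i < len(toks):
            if toks[i] != ",":
                raise ValueError("unexpected %r" % toks[i])
            i += 1
    return matched


def u32_match(pkt: bytes, spec: str) -> bool:
    """All && separated tests must hold; an out-of-bounds read means no match."""
    try:
        return all(_eval_test(pkt, t) for t in spec.split("&&"))
    except IndexError:
        return False


def build_ipv4_tcp(sport: int, dport: int, ip_options: bytes = b"") -> bytes:
    """Constructed sample: IPv4 header (options padded to 4 bytes) + bare 20-byte TCP header."""
    ip_options += b"\x00" * (-len(ip_options) % 4)
    ihl_words = 5 + len(ip_options) // 4
    total = ihl_words * 4 + 20
    ip = bytes([0x40 | ihl_words, 0]) + total.to_bytes(2, "big")
    ip += b"\x00\x00\x40\x00\x40\x06\x00\x00"          # id, DF flag, TTL 64, proto 6 (TCP), checksum 0
    ip += bytes([192, 0, 2, 10]) + bytes([198, 51, 100, 20]) + ip_options
    tcp = sport.to_bytes(2, "big") + dport.to_bytes(2, "big") + b"\x00" * 8
    tcp += b"\x50\x02\xff\xff\x00\x00\x00\x00"          # data offset 5, SYN, window, checksum, urgent
    return ip + tcp


IS_TCP = "6&0xFF=6"                         # low byte of the word at offset 6 is the IP protocol
TCP_DPORT_SSH = "0>>22&0x3C@0&0xFFFF=22"    # IHL*4 via "0>>22&0x3C", then dst port at TCP offset 0


if __name__ == "__main__":
    plain = build_ipv4_tcp(40000, 22)
    with_opts = build_ipv4_tcp(40000, 22, b"\x01\x01\x01\x01")   # four IP NOP options, IHL 6
    print(u32_match(plain, IS_TCP + " && " + TCP_DPORT_SSH), u32_match(with_opts, TCP_DPORT_SSH))
```

Comparing `TCP_DPORT_SSH` with a fixed-offset `20&0xFFFF=22` on the packet that carries IP options shows why the `@` step matters: the fixed offset lands in the options and never sees the port, while the IHL-derived offset still does.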