1menu "Core Netfilter Configuration"
2	depends on NET && INET && NETFILTER
3
4config NETFILTER_NETLINK
5       tristate "Netfilter netlink interface"
6       help
7         If this option is enabled, the kernel will include support
8         for the new netfilter netlink interface.
9
10config NETFILTER_NETLINK_QUEUE
11	tristate "Netfilter NFQUEUE over NFNETLINK interface"
12	depends on NETFILTER_NETLINK
13	help
14	  If this option is enabled, the kernel will include support
15	  for queueing packets via NFNETLINK.
16
17config NETFILTER_NETLINK_LOG
18	tristate "Netfilter LOG over NFNETLINK interface"
19	depends on NETFILTER_NETLINK
20	help
21	  If this option is enabled, the kernel will include support
22	  for logging packets via NFNETLINK.
23
24	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
25	  and is also scheduled to replace the old syslog-based ipt_LOG
26	  and ip6t_LOG modules.
27
28config NF_CONNTRACK_ENABLED
29	tristate "Netfilter connection tracking support"
30	help
31	  Connection tracking keeps a record of what packets have passed
32	  through your machine, in order to figure out how they are related
33	  into connections.
34
35	  This is required to do Masquerading or other kinds of Network
36	  Address Translation (except for Fast NAT).  It can also be used to
37	  enhance packet filtering (see `Connection state match support'
38	  below).
39
40	  To compile it as a module, choose M here.  If unsure, say N.
41
42choice
43	prompt "Netfilter connection tracking support"
44	depends on NF_CONNTRACK_ENABLED
45
46config NF_CONNTRACK_SUPPORT
47	bool "Layer 3 Independent Connection tracking"
48	help
49	  Layer 3 independent connection tracking is an experimental scheme
50	  which generalizes ip_conntrack to support other layer 3 protocols.
51
52	  This is required to do Masquerading or other kinds of Network
53	  Address Translation (except for Fast NAT).  It can also be used to
54	  enhance packet filtering (see `Connection state match support'
55	  below).
56
57config IP_NF_CONNTRACK_SUPPORT
58	bool "Layer 3 Dependent Connection tracking (OBSOLETE)"
59	help
60	  The old, Layer 3 dependent ip_conntrack subsystem of netfilter.
61
62	  This is required to do Masquerading or other kinds of Network
63	  Address Translation (except for Fast NAT).  It can also be used to
64	  enhance packet filtering (see `Connection state match support'
65	  below).
66
67endchoice
68
69config NF_CONNTRACK
70	tristate
71	default m if NF_CONNTRACK_SUPPORT && NF_CONNTRACK_ENABLED=m
72	default y if NF_CONNTRACK_SUPPORT && NF_CONNTRACK_ENABLED=y
73
74config IP_NF_CONNTRACK
75	tristate
76	default m if IP_NF_CONNTRACK_SUPPORT && NF_CONNTRACK_ENABLED=m
77	default y if IP_NF_CONNTRACK_SUPPORT && NF_CONNTRACK_ENABLED=y
78
79config NF_CT_ACCT
80	bool "Connection tracking flow accounting"
81	depends on NF_CONNTRACK
82	help
83	  If this option is enabled, the connection tracking code will
84	  keep per-flow packet and byte counters.
85
86	  Those counters can be used for flow-based accounting or the
87	  `connbytes' match.
88
89	  If unsure, say `N'.
90
91config NF_CONNTRACK_MARK
92	bool  'Connection mark tracking support'
93	depends on NF_CONNTRACK
94	help
95	  This option enables support for connection marks, used by the
96	  `CONNMARK' target and `connmark' match. Similar to the mark value
97	  of packets, but this mark value is kept in the conntrack session
98	  instead of the individual packets.
99
100config NF_CONNTRACK_SECMARK
101	bool  'Connection tracking security mark support'
102	depends on NF_CONNTRACK && NETWORK_SECMARK
103	help
104	  This option enables security markings to be applied to
105	  connections.  Typically they are copied to connections from
106	  packets using the CONNSECMARK target and copied back from
107	  connections to packets with the same target, with the packets
108	  being originally labeled via SECMARK.
109
110	  If unsure, say 'N'.
111
112config NF_CONNTRACK_EVENTS
113	bool "Connection tracking events (EXPERIMENTAL)"
114	depends on EXPERIMENTAL && NF_CONNTRACK
115	help
116	  If this option is enabled, the connection tracking code will
117	  provide a notifier chain that can be used by other kernel code
118	  to get notified about changes in the connection tracking state.
119
120	  If unsure, say `N'.
121
122config NF_CT_PROTO_GRE
123	tristate
124	depends on NF_CONNTRACK
125
126config NF_CT_PROTO_SCTP
127	tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
128	depends on EXPERIMENTAL && NF_CONNTRACK
129	default n
130	help
131	  With this option enabled, the layer 3 independent connection
132	  tracking code will be able to do state tracking on SCTP connections.
133
134	  If you want to compile it as a module, say M here and read
135	  Documentation/modules.txt.  If unsure, say `N'.
136
137config NF_CONNTRACK_AMANDA
138	tristate "Amanda backup protocol support"
139	depends on NF_CONNTRACK
140	select TEXTSEARCH
141	select TEXTSEARCH_KMP
142	help
143	  If you are running the Amanda backup package <http://www.amanda.org/>
144	  on this machine or machines that will be MASQUERADED through this
145	  machine, then you may want to enable this feature.  This allows the
146	  connection tracking and NAT code to allow the sub-channels that
147	  Amanda requires for communication of the backup data, messages and
148	  index.
149
150	  To compile it as a module, choose M here.  If unsure, say N.
151
152config NF_CONNTRACK_FTP
153	tristate "FTP protocol support"
154	depends on NF_CONNTRACK
155	help
156	  Tracking FTP connections is problematic: special helpers are
157	  required for tracking them, and doing masquerading and other forms
158	  of Network Address Translation on them.
159
160	  This is FTP support on Layer 3 independent connection tracking.
161	  Layer 3 independent connection tracking is an experimental scheme
162	  which generalizes ip_conntrack to support other layer 3 protocols.
163
164	  To compile it as a module, choose M here.  If unsure, say N.
165
166config NF_CONNTRACK_H323
167	tristate "H.323 protocol support (EXPERIMENTAL)"
168	depends on EXPERIMENTAL && NF_CONNTRACK && (IPV6 || IPV6=n)
169	help
170	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
171	  important VoIP protocols, it is widely used by voice hardware and
172	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
173	  Gnomemeeting, etc.
174
175	  With this module you can support H.323 on a connection tracking/NAT
176	  firewall.
177
178	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
179	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
180	  whiteboard, file transfer, etc. For more information, please
181	  visit http://nath323.sourceforge.net/.
182
183	  To compile it as a module, choose M here.  If unsure, say N.
184
185config NF_CONNTRACK_IRC
186	tristate "IRC protocol support"
187	depends on NF_CONNTRACK
188	help
189	  There is a commonly-used extension to IRC called
190	  Direct Client-to-Client Protocol (DCC).  This enables users to send
191	  files to each other, and also chat to each other without the need
192	  of a server.  DCC Sending is used anywhere you send files over IRC,
193	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
194	  using NAT, this extension will enable you to send files and initiate
195	  chats.  Note that you do NOT need this extension to get files or
196	  have others initiate chats, or everything else in IRC.
197
198	  To compile it as a module, choose M here.  If unsure, say N.
199
200config NF_CONNTRACK_NETBIOS_NS
201	tristate "NetBIOS name service protocol support (EXPERIMENTAL)"
202	depends on EXPERIMENTAL && NF_CONNTRACK
203	help
204	  NetBIOS name service requests are sent as broadcast messages from an
205	  unprivileged port and responded to with unicast messages to the
206	  same port. This makes them hard to firewall properly because connection
207	  tracking doesn't deal with broadcasts. This helper tracks locally
208	  originating NetBIOS name service requests and the corresponding
209	  responses. It relies on correct IP address configuration, specifically
210	  netmask and broadcast address. When properly configured, the output
211	  of "ip address show" should look similar to this:
212
213	  $ ip -4 address show eth0
214	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
215	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
216
217	  To compile it as a module, choose M here.  If unsure, say N.
218
219config NF_CONNTRACK_PPTP
220	tristate "PPtP protocol support"
221	depends on NF_CONNTRACK
222	select NF_CT_PROTO_GRE
223	help
224	  This module adds support for PPTP (Point to Point Tunnelling
225	  Protocol, RFC2637) connection tracking and NAT.
226
227	  If you are running PPTP sessions over a stateful firewall or NAT
228	  box, you may want to enable this feature.
229
230	  Please note that not all PPTP modes of operation are supported yet.
231	  Specifically these limitations exist:
232	    - Blindly assumes that control connections are always established
233	      in PNS->PAC direction. This is a violation of RFC2637.
234	    - Only supports a single call within each session
235
236	  To compile it as a module, choose M here.  If unsure, say N.
237
238config NF_CONNTRACK_SIP
239	tristate "SIP protocol support (EXPERIMENTAL)"
240	depends on EXPERIMENTAL && NF_CONNTRACK
241	help
242	  SIP is an application-layer control protocol that can establish,
243	  modify, and terminate multimedia sessions (conferences) such as
244	  Internet telephony calls. With the ip_conntrack_sip and
245	  the nf_nat_sip modules you can support the protocol on a connection
246	  tracking/NATing firewall.
247
248	  To compile it as a module, choose M here.  If unsure, say N.
249
250config NF_CONNTRACK_TFTP
251	tristate "TFTP protocol support"
252	depends on NF_CONNTRACK
253	help
254	  TFTP connection tracking helper, this is required depending
255	  on how restrictive your ruleset is.
256	  If you are using a tftp client behind -j SNAT or -j MASQUERADE
257	  you will need this.
258
259	  To compile it as a module, choose M here.  If unsure, say N.
260
261config NF_CT_NETLINK
262	tristate 'Connection tracking netlink interface (EXPERIMENTAL)'
263	depends on EXPERIMENTAL && NF_CONNTRACK && NETFILTER_NETLINK
264	depends on NF_CONNTRACK!=y || NETFILTER_NETLINK!=m
265	help
266	  This option enables support for a netlink-based userspace interface.
267
268config NETFILTER_XTABLES
269	tristate "Netfilter Xtables support (required for ip_tables)"
270	help
271	  This is required if you intend to use any of ip_tables,
272	  ip6_tables or arp_tables.
273
274# alphabetically ordered list of targets
275
276config NETFILTER_XT_TARGET_CLASSIFY
277	tristate '"CLASSIFY" target support'
278	depends on NETFILTER_XTABLES
279	help
280	  This option adds a `CLASSIFY' target, which enables the user to set
281	  the priority of a packet. Some qdiscs can use this value for
282	  classification, among these are:
283
284  	  atm, cbq, dsmark, pfifo_fast, htb, prio
285
286	  To compile it as a module, choose M here.  If unsure, say N.
287
288config NETFILTER_XT_TARGET_CONNMARK
289	tristate  '"CONNMARK" target support'
290	depends on NETFILTER_XTABLES
291	depends on IP_NF_MANGLE || IP6_NF_MANGLE
292	depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK)
293	help
294	  This option adds a `CONNMARK' target, which allows one to manipulate
295	  the connection mark value.  Similar to the MARK target, but
296	  affects the connection mark value rather than the packet mark value.
297
298	  If you want to compile it as a module, say M here and read
299	  <file:Documentation/modules.txt>.  The module will be called
300	  ipt_CONNMARK.o.  If unsure, say `N'.
301
302config NETFILTER_XT_TARGET_DSCP
303	tristate '"DSCP" target support'
304	depends on NETFILTER_XTABLES
305	depends on IP_NF_MANGLE || IP6_NF_MANGLE
306	help
307	  This option adds a `DSCP' target, which allows you to manipulate
308	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
309
310	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
311
312	  To compile it as a module, choose M here.  If unsure, say N.
313
314config NETFILTER_XT_TARGET_MARK
315	tristate '"MARK" target support'
316	depends on NETFILTER_XTABLES
317	help
318	  This option adds a `MARK' target, which allows you to create rules
319	  in the `mangle' table which alter the netfilter mark (nfmark) field
320	  associated with the packet prior to routing. This can change
321	  the routing method (see `Use netfilter MARK value as routing
322	  key') and can also be used by other subsystems to change their
323	  behavior.
324
325	  To compile it as a module, choose M here.  If unsure, say N.
326
327config NETFILTER_XT_TARGET_NFQUEUE
328	tristate '"NFQUEUE" target Support'
329	depends on NETFILTER_XTABLES
330	help
331	  This target replaced the old obsolete QUEUE target.
332
333	  As opposed to QUEUE, it supports 65535 different queues,
334	  not just one.
335
336	  To compile it as a module, choose M here.  If unsure, say N.
337
338config NETFILTER_XT_TARGET_NFLOG
339	tristate '"NFLOG" target support'
340	depends on NETFILTER_XTABLES
341	help
342	  This option enables the NFLOG target, which allows logging
343	  messages through the netfilter logging API, which can use
344	  either the old LOG target, the old ULOG target or nfnetlink_log
345	  as backend.
346
347	  To compile it as a module, choose M here.  If unsure, say N.
348
349config NETFILTER_XT_TARGET_NOTRACK
350	tristate  '"NOTRACK" target support'
351	depends on NETFILTER_XTABLES
352	depends on IP_NF_RAW || IP6_NF_RAW
353	depends on IP_NF_CONNTRACK || NF_CONNTRACK
354	help
355	  The NOTRACK target allows a select rule to specify
356	  which packets *not* to enter the conntrack/NAT
357	  subsystem with all the consequences (no ICMP error tracking,
358	  no protocol helpers for the selected packets).
359
360	  If you want to compile it as a module, say M here and read
361	  <file:Documentation/modules.txt>.  If unsure, say `N'.
362
363config NETFILTER_XT_TARGET_SECMARK
364	tristate '"SECMARK" target support'
365	depends on NETFILTER_XTABLES && NETWORK_SECMARK
366	help
367	  The SECMARK target allows security marking of network
368	  packets, for use with security subsystems.
369
370	  To compile it as a module, choose M here.  If unsure, say N.
371
372config NETFILTER_XT_TARGET_CONNSECMARK
373	tristate '"CONNSECMARK" target support'
374	depends on NETFILTER_XTABLES && \
375		   ((NF_CONNTRACK && NF_CONNTRACK_SECMARK) || \
376		    (IP_NF_CONNTRACK && IP_NF_CONNTRACK_SECMARK))
377	help
378	  The CONNSECMARK target copies security markings from packets
379	  to connections, and restores security markings from connections
380	  to packets (if the packets are not already marked).  This would
381	  normally be used in conjunction with the SECMARK target.
382
383	  To compile it as a module, choose M here.  If unsure, say N.
384
385config NETFILTER_XT_MATCH_COMMENT
386	tristate  '"comment" match support'
387	depends on NETFILTER_XTABLES
388	help
389	  This option adds a `comment' dummy-match, which allows you to put
390	  comments in your iptables ruleset.
391
392	  If you want to compile it as a module, say M here and read
393	  <file:Documentation/modules.txt>.  If unsure, say `N'.
394
395config NETFILTER_XT_MATCH_CONNBYTES
396	tristate  '"connbytes" per-connection counter match support'
397	depends on NETFILTER_XTABLES
398	depends on (IP_NF_CONNTRACK && IP_NF_CT_ACCT) || (NF_CT_ACCT && NF_CONNTRACK)
399	help
400	  This option adds a `connbytes' match, which allows you to match the
401	  number of bytes and/or packets for each direction within a connection.
402
403	  If you want to compile it as a module, say M here and read
404	  <file:Documentation/modules.txt>.  If unsure, say `N'.
405
406config NETFILTER_XT_MATCH_CONNMARK
407	tristate  '"connmark" connection mark match support'
408	depends on NETFILTER_XTABLES
409	depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK)
410	help
411	  This option adds a `connmark' match, which allows you to match the
412	  connection mark value previously set for the session by `CONNMARK'.
413
414	  If you want to compile it as a module, say M here and read
415	  <file:Documentation/modules.txt>.  The module will be called
416	  ipt_connmark.o.  If unsure, say `N'.
417
418config NETFILTER_XT_MATCH_CONNTRACK
419	tristate '"conntrack" connection tracking match support'
420	depends on NETFILTER_XTABLES
421	depends on IP_NF_CONNTRACK || NF_CONNTRACK
422	help
423	  This is a general conntrack match module, a superset of the state match.
424
425	  It allows matching on additional conntrack information, which is
426	  useful in complex configurations, such as NAT gateways with multiple
427	  internet links or tunnels.
428
429	  To compile it as a module, choose M here.  If unsure, say N.
430
431config NETFILTER_XT_MATCH_DCCP
432	tristate  '"DCCP" protocol match support'
433	depends on NETFILTER_XTABLES
434	help
435	  With this option enabled, you will be able to use the iptables
436	  `dccp' match in order to match on DCCP source/destination ports
437	  and DCCP flags.
438
439	  If you want to compile it as a module, say M here and read
440	  <file:Documentation/modules.txt>.  If unsure, say `N'.
441
442config NETFILTER_XT_MATCH_DSCP
443	tristate '"DSCP" match support'
444	depends on NETFILTER_XTABLES
445	help
446	  This option adds a `DSCP' match, which allows you to match against
447	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
448
449	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
450
451	  To compile it as a module, choose M here.  If unsure, say N.
452
453config NETFILTER_XT_MATCH_ESP
454	tristate '"ESP" match support'
455	depends on NETFILTER_XTABLES
456	help
457	  This match extension allows you to match a range of SPIs
458	  inside ESP header of IPSec packets.
459
460	  To compile it as a module, choose M here.  If unsure, say N.
461
462config NETFILTER_XT_MATCH_HELPER
463	tristate '"helper" match support'
464	depends on NETFILTER_XTABLES
465	depends on IP_NF_CONNTRACK || NF_CONNTRACK
466	help
467	  Helper matching allows you to match packets in dynamic connections
468	  tracked by a conntrack-helper, e.g. ip_conntrack_ftp.
469
470	  To compile it as a module, choose M here.  If unsure, say Y.
471
472config NETFILTER_XT_MATCH_LENGTH
473	tristate '"length" match support'
474	depends on NETFILTER_XTABLES
475	help
476	  This option allows you to match the length of a packet against a
477	  specific value or range of values.
478
479	  To compile it as a module, choose M here.  If unsure, say N.
480
481config NETFILTER_XT_MATCH_LIMIT
482	tristate '"limit" match support'
483	depends on NETFILTER_XTABLES
484	help
485	  limit matching allows you to control the rate at which a rule can be
486	  matched: mainly useful in combination with the LOG target ("LOG
487	  target support", below) and to avoid some Denial of Service attacks.
488
489	  To compile it as a module, choose M here.  If unsure, say N.
490
491config NETFILTER_XT_MATCH_MAC
492	tristate '"mac" address match support'
493	depends on NETFILTER_XTABLES
494	help
495	  MAC matching allows you to match packets based on the source
496	  Ethernet address of the packet.
497
498	  To compile it as a module, choose M here.  If unsure, say N.
499
500config NETFILTER_XT_MATCH_MARK
501	tristate '"mark" match support'
502	depends on NETFILTER_XTABLES
503	help
504	  Netfilter mark matching allows you to match packets based on the
505	  `nfmark' value in the packet.  This can be set by the MARK target
506	  (see below).
507
508	  To compile it as a module, choose M here.  If unsure, say N.
509
510config NETFILTER_XT_MATCH_POLICY
511	tristate 'IPsec "policy" match support'
512	depends on NETFILTER_XTABLES && XFRM
513	help
514	  Policy matching allows you to match packets based on the
515	  IPsec policy that was used during decapsulation/will
516	  be used during encapsulation.
517
518	  To compile it as a module, choose M here.  If unsure, say N.
519
520config NETFILTER_XT_MATCH_MULTIPORT
521	tristate "Multiple port match support"
522	depends on NETFILTER_XTABLES
523	help
524	  Multiport matching allows you to match TCP or UDP packets based on
525	  a series of source or destination ports: normally a rule can only
526	  match a single range of ports.
527
528	  To compile it as a module, choose M here.  If unsure, say N.
529
530config NETFILTER_XT_MATCH_PHYSDEV
531	tristate '"physdev" match support'
532	depends on NETFILTER_XTABLES && BRIDGE && BRIDGE_NETFILTER
533	help
534	  Physdev packet matching matches against the physical bridge ports
535	  the IP packet arrived on or will leave by.
536
537	  To compile it as a module, choose M here.  If unsure, say N.
538
539config NETFILTER_XT_MATCH_PKTTYPE
540	tristate '"pkttype" packet type match support'
541	depends on NETFILTER_XTABLES
542	help
543	  Packet type matching allows you to match a packet by
544	  its "class", e.g. BROADCAST, MULTICAST, ...
545
546	  Typical usage:
547	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
548
549	  To compile it as a module, choose M here.  If unsure, say N.
550
551config NETFILTER_XT_MATCH_QUOTA
552	tristate '"quota" match support'
553	depends on NETFILTER_XTABLES
554	help
555	  This option adds a `quota' match, which allows matching on a
556	  byte counter.
557
558	  If you want to compile it as a module, say M here and read
559	  <file:Documentation/modules.txt>.  If unsure, say `N'.
560
561config NETFILTER_XT_MATCH_REALM
562	tristate  '"realm" match support'
563	depends on NETFILTER_XTABLES
564	select NET_CLS_ROUTE
565	help
566	  This option adds a `realm' match, which allows you to use the realm
567	  key from the routing subsystem inside iptables.
568
569	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
570	  in tc world.
571
572	  If you want to compile it as a module, say M here and read
573	  <file:Documentation/modules.txt>.  If unsure, say `N'.
574
575config NETFILTER_XT_MATCH_SCTP
576	tristate  '"sctp" protocol match support (EXPERIMENTAL)'
577	depends on NETFILTER_XTABLES && EXPERIMENTAL
578	help
579	  With this option enabled, you will be able to use the
580	  `sctp' match in order to match on SCTP source/destination ports
581	  and SCTP chunk types.
582
583	  If you want to compile it as a module, say M here and read
584	  <file:Documentation/modules.txt>.  If unsure, say `N'.
585
586config NETFILTER_XT_MATCH_STATE
587	tristate '"state" match support'
588	depends on NETFILTER_XTABLES
589	depends on IP_NF_CONNTRACK || NF_CONNTRACK
590	help
591	  Connection state matching allows you to match packets based on their
592	  relationship to a tracked connection (i.e. previous packets).  This
593	  is a powerful tool for packet classification.
594
595	  To compile it as a module, choose M here.  If unsure, say N.
596
597config NETFILTER_XT_MATCH_STATISTIC
598	tristate '"statistic" match support'
599	depends on NETFILTER_XTABLES
600	help
601	  This option adds a `statistic' match, which allows you to match
602	  on packets periodically or randomly with a given percentage.
603
604	  To compile it as a module, choose M here.  If unsure, say N.
605
606config NETFILTER_XT_MATCH_STRING
607	tristate  '"string" match support'
608	depends on NETFILTER_XTABLES
609	select TEXTSEARCH
610	select TEXTSEARCH_KMP
611	select TEXTSEARCH_BM
612	select TEXTSEARCH_FSM
613	help
614	  This option adds a `string' match, which allows you to look for
615	  patterns in packets.
616
617	  To compile it as a module, choose M here.  If unsure, say N.
618
619config NETFILTER_XT_MATCH_TCPMSS
620	tristate '"tcpmss" match support'
621	depends on NETFILTER_XTABLES
622	help
623	  This option adds a `tcpmss' match, which allows you to examine the
624	  MSS value of TCP SYN packets, which control the maximum packet size
625	  for that connection.
626
627	  To compile it as a module, choose M here.  If unsure, say N.
628
629config NETFILTER_XT_MATCH_HASHLIMIT
630	tristate '"hashlimit" match support'
631	depends on NETFILTER_XTABLES && (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
632	help
633	  This option adds a `hashlimit' match.
634
635	  As opposed to `limit', this match dynamically creates a hash table
636	  of limit buckets, based on your selection of source/destination
637	  addresses and/or ports.
638
639	  It enables you to express policies like `10kpps for any given
640	  destination address' or `500pps from any given source address'
641	  with a single rule.
642
643endmenu
644
645