1menu "Core Netfilter Configuration"
2	depends on NET && INET && NETFILTER
3
4config NETFILTER_NETLINK
5       tristate "Netfilter netlink interface"
6       help
7         If this option is enabled, the kernel will include support
8         for the new netfilter netlink interface.
9
10config NETFILTER_NETLINK_QUEUE
11	tristate "Netfilter NFQUEUE over NFNETLINK interface"
12	depends on NETFILTER_NETLINK
13	help
14	  If this option is enabled, the kernel will include support
15	  for queueing packets via NFNETLINK.
16
17config NETFILTER_NETLINK_LOG
18	tristate "Netfilter LOG over NFNETLINK interface"
19	depends on NETFILTER_NETLINK
20	help
21	  If this option is enabled, the kernel will include support
22	  for logging packets via NFNETLINK.
23
24	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
25	  and is also scheduled to replace the old syslog-based ipt_LOG
26	  and ip6t_LOG modules.
27
28config NF_CONNTRACK_ENABLED
29	tristate "Netfilter connection tracking support"
30	help
31	  Connection tracking keeps a record of what packets have passed
32	  through your machine, in order to figure out how they are grouped
33	  into connections.
34
35	  This is required to do Masquerading or other kinds of Network
36	  Address Translation (except for Fast NAT).  It can also be used to
37	  enhance packet filtering (see `Connection state match support'
38	  below).
39
40	  To compile it as a module, choose M here.  If unsure, say N.
41
42choice
43	prompt "Netfilter connection tracking support"
44	depends on NF_CONNTRACK_ENABLED
45
46config NF_CONNTRACK_SUPPORT
47	bool "Layer 3 Independent Connection tracking"
48	help
49	  Layer 3 independent connection tracking is an experimental scheme
50	  which generalizes ip_conntrack to support other layer 3 protocols.
51
52	  This is required to do Masquerading or other kinds of Network
53	  Address Translation (except for Fast NAT).  It can also be used to
54	  enhance packet filtering (see `Connection state match support'
55	  below).
56
57config IP_NF_CONNTRACK_SUPPORT
58	bool "Layer 3 Dependent Connection tracking (OBSOLETE)"
59	help
60	  The old, Layer 3 dependent ip_conntrack subsystem of netfilter.
61
62	  This is required to do Masquerading or other kinds of Network
63	  Address Translation (except for Fast NAT).  It can also be used to
64	  enhance packet filtering (see `Connection state match support'
65	  below).
66
67endchoice
68
69config NF_CONNTRACK
70	tristate
71	default m if NF_CONNTRACK_SUPPORT && NF_CONNTRACK_ENABLED=m
72	default y if NF_CONNTRACK_SUPPORT && NF_CONNTRACK_ENABLED=y
73
74config IP_NF_CONNTRACK
75	tristate
76	default m if IP_NF_CONNTRACK_SUPPORT && NF_CONNTRACK_ENABLED=m
77	default y if IP_NF_CONNTRACK_SUPPORT && NF_CONNTRACK_ENABLED=y
78
79config NF_CT_ACCT
80	bool "Connection tracking flow accounting"
81	depends on NF_CONNTRACK
82	help
83	  If this option is enabled, the connection tracking code will
84	  keep per-flow packet and byte counters.
85
86	  Those counters can be used for flow-based accounting or the
87	  `connbytes' match.
88
89	  If unsure, say `N'.
90
91config NF_CONNTRACK_MARK
92	bool  'Connection mark tracking support'
93	depends on NF_CONNTRACK
94	help
95	  This option enables support for connection marks, used by the
96	  `CONNMARK' target and `connmark' match. Similar to the mark value
97	  of packets, but this mark value is kept in the conntrack session
98	  instead of the individual packets.
99
100config NF_CONNTRACK_SECMARK
101	bool  'Connection tracking security mark support'
102	depends on NF_CONNTRACK && NETWORK_SECMARK
103	help
104	  This option enables security markings to be applied to
105	  connections.  Typically they are copied to connections from
106	  packets using the CONNSECMARK target and copied back from
107	  connections to packets with the same target, with the packets
108	  being originally labeled via SECMARK.
109
110	  If unsure, say 'N'.
111
112config NF_CONNTRACK_EVENTS
113	bool "Connection tracking events (EXPERIMENTAL)"
114	depends on EXPERIMENTAL && NF_CONNTRACK
115	help
116	  If this option is enabled, the connection tracking code will
117	  provide a notifier chain that can be used by other kernel code
118	  to get notified about changes in the connection tracking state.
119
120	  If unsure, say `N'.
121
122config NF_CT_PROTO_GRE
123	tristate
124	depends on NF_CONNTRACK
125
126config NF_CT_PROTO_SCTP
127	tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
128	depends on EXPERIMENTAL && NF_CONNTRACK
129	default n
130	help
131	  With this option enabled, the layer 3 independent connection
132	  tracking code will be able to do state tracking on SCTP connections.
133
134	  If you want to compile it as a module, say M here and read
135	  Documentation/modules.txt.  If unsure, say `N'.
136
137config NF_CONNTRACK_AMANDA
138	tristate "Amanda backup protocol support"
139	depends on NF_CONNTRACK
140	select TEXTSEARCH
141	select TEXTSEARCH_KMP
142	help
143	  If you are running the Amanda backup package <http://www.amanda.org/>
144	  on this machine or machines that will be MASQUERADED through this
145	  machine, then you may want to enable this feature.  This allows the
146	  connection tracking and natting code to allow the sub-channels that
147	  Amanda requires for communication of the backup data, messages and
148	  index.
149
150	  To compile it as a module, choose M here.  If unsure, say N.
151
152config NF_CONNTRACK_FTP
153	tristate "FTP protocol support"
154	depends on NF_CONNTRACK
155	help
156	  Tracking FTP connections is problematic: special helpers are
157	  required for tracking them, and doing masquerading and other forms
158	  of Network Address Translation on them.
159
160	  This is FTP support on Layer 3 independent connection tracking.
161	  Layer 3 independent connection tracking is an experimental scheme
162	  which generalizes ip_conntrack to support other layer 3 protocols.
163
164	  To compile it as a module, choose M here.  If unsure, say N.
165
166config NF_CONNTRACK_H323
167	tristate "H.323 protocol support (EXPERIMENTAL)"
168	depends on EXPERIMENTAL && NF_CONNTRACK && (IPV6 || IPV6=n)
169	help
170	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
171	  important VoIP protocols, it is widely used by voice hardware and
172	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
173	  Gnomemeeting, etc.
174
175	  With this module you can support H.323 on a connection tracking/NAT
176	  firewall.
177
178	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
179	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
180	  whiteboard, file transfer, etc. For more information, please
181	  visit http://nath323.sourceforge.net/.
182
183	  To compile it as a module, choose M here.  If unsure, say N.
184
185config NF_CONNTRACK_IRC
186	tristate "IRC protocol support"
187	depends on NF_CONNTRACK
188	help
189	  There is a commonly-used extension to IRC called
190	  Direct Client-to-Client Protocol (DCC).  This enables users to send
191	  files to each other, and also chat to each other without the need
192	  of a server.  DCC Sending is used anywhere you send files over IRC,
193	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
194	  using NAT, this extension will enable you to send files and initiate
195	  chats.  Note that you do NOT need this extension to get files or
196	  have others initiate chats, or everything else in IRC.
197
198	  To compile it as a module, choose M here.  If unsure, say N.
199
200config NF_CONNTRACK_NETBIOS_NS
201	tristate "NetBIOS name service protocol support (EXPERIMENTAL)"
202	depends on EXPERIMENTAL && NF_CONNTRACK
203	help
204	  NetBIOS name service requests are sent as broadcast messages from an
205	  unprivileged port and responded to with unicast messages to the
206	  same port. This makes them hard to firewall properly because connection
207	  tracking doesn't deal with broadcasts. This helper tracks locally
208	  originating NetBIOS name service requests and the corresponding
209	  responses. It relies on correct IP address configuration, specifically
210	  netmask and broadcast address. When properly configured, the output
211	  of "ip address show" should look similar to this:
212
213	  $ ip -4 address show eth0
214	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
215	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
216
217	  To compile it as a module, choose M here.  If unsure, say N.
218
219config NF_CONNTRACK_PPTP
220	tristate "PPtP protocol support"
221	depends on NF_CONNTRACK
222	select NF_CT_PROTO_GRE
223	help
224	  This module adds support for PPTP (Point to Point Tunnelling
225	  Protocol, RFC2637) connection tracking and NAT.
226
227	  If you are running PPTP sessions over a stateful firewall or NAT
228	  box, you may want to enable this feature.
229
230	  Please note that not all PPTP modes of operation are supported yet.
231	  Specifically these limitations exist:
232	    - Blindly assumes that control connections are always established
233	      in PNS->PAC direction. This is a violation of RFC2637.
234	    - Only supports a single call within each session
235
236	  To compile it as a module, choose M here.  If unsure, say N.
237
238config NF_CONNTRACK_SANE
239	tristate "SANE protocol support (EXPERIMENTAL)"
240	depends on EXPERIMENTAL && NF_CONNTRACK
241	help
242	  SANE is a protocol for remote access to scanners as implemented
243	  by the 'saned' daemon. Like FTP, it uses separate control and
244	  data connections.
245
246	  With this module you can support SANE on a connection tracking
247	  firewall.
248
249	  To compile it as a module, choose M here.  If unsure, say N.
250
251config NF_CONNTRACK_SIP
252	tristate "SIP protocol support (EXPERIMENTAL)"
253	depends on EXPERIMENTAL && NF_CONNTRACK
254	help
255	  SIP is an application-layer control protocol that can establish,
256	  modify, and terminate multimedia sessions (conferences) such as
257	  Internet telephony calls. With the ip_conntrack_sip and
258	  the nf_nat_sip modules you can support the protocol on a connection
259	  tracking/NATing firewall.
260
261	  To compile it as a module, choose M here.  If unsure, say N.
262
263config NF_CONNTRACK_TFTP
264	tristate "TFTP protocol support"
265	depends on NF_CONNTRACK
266	help
267	  TFTP connection tracking helper, this is required depending
268	  on how restrictive your ruleset is.
269	  If you are using a tftp client behind -j SNAT or -j MASQUERADE
270	  you will need this.
271
272	  To compile it as a module, choose M here.  If unsure, say N.
273
274config NF_CT_NETLINK
275	tristate 'Connection tracking netlink interface (EXPERIMENTAL)'
276	depends on EXPERIMENTAL && NF_CONNTRACK && NETFILTER_NETLINK
277	depends on NF_CONNTRACK!=y || NETFILTER_NETLINK!=m
278	depends on NF_NAT=n || NF_NAT
279	help
280	  This option enables support for a netlink-based userspace interface.
281
282config NETFILTER_XTABLES
283	tristate "Netfilter Xtables support (required for ip_tables)"
284	help
285	  This is required if you intend to use any of ip_tables,
286	  ip6_tables or arp_tables.
287
288# alphabetically ordered list of targets
289
290config NETFILTER_XT_TARGET_CLASSIFY
291	tristate '"CLASSIFY" target support'
292	depends on NETFILTER_XTABLES
293	help
294	  This option adds a `CLASSIFY' target, which enables the user to set
295	  the priority of a packet. Some qdiscs can use this value for
296	  classification, among these are:
297
298  	  atm, cbq, dsmark, pfifo_fast, htb, prio
299
300	  To compile it as a module, choose M here.  If unsure, say N.
301
302config NETFILTER_XT_TARGET_CONNMARK
303	tristate  '"CONNMARK" target support'
304	depends on NETFILTER_XTABLES
305	depends on IP_NF_MANGLE || IP6_NF_MANGLE
306	depends on IP_NF_CONNTRACK || NF_CONNTRACK
307	select IP_NF_CONNTRACK_MARK if IP_NF_CONNTRACK
308	select NF_CONNTRACK_MARK if NF_CONNTRACK
309	help
310	  This option adds a `CONNMARK' target, which allows one to manipulate
311	  the connection mark value.  Similar to the MARK target, but
312	  affects the connection mark value rather than the packet mark value.
313
314	  If you want to compile it as a module, say M here and read
315	  <file:Documentation/modules.txt>.  The module will be called
316	  ipt_CONNMARK.o.  If unsure, say `N'.
317
318config NETFILTER_XT_TARGET_DSCP
319	tristate '"DSCP" target support'
320	depends on NETFILTER_XTABLES
321	depends on IP_NF_MANGLE || IP6_NF_MANGLE
322	help
323	  This option adds a `DSCP' target, which allows you to manipulate
324	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
325
326	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
327
328	  To compile it as a module, choose M here.  If unsure, say N.
329
330config NETFILTER_XT_TARGET_MARK
331	tristate '"MARK" target support'
332	depends on NETFILTER_XTABLES
333	help
334	  This option adds a `MARK' target, which allows you to create rules
335	  in the `mangle' table which alter the netfilter mark (nfmark) field
336	  associated with the packet prior to routing. This can change
337	  the routing method (see `Use netfilter MARK value as routing
338	  key') and can also be used by other subsystems to change their
339	  behavior.
340
341	  To compile it as a module, choose M here.  If unsure, say N.
342
343config NETFILTER_XT_TARGET_NFQUEUE
344	tristate '"NFQUEUE" target Support'
345	depends on NETFILTER_XTABLES
346	help
347	  This target replaced the old obsolete QUEUE target.
348
349	  As opposed to QUEUE, it supports 65535 different queues,
350	  not just one.
351
352	  To compile it as a module, choose M here.  If unsure, say N.
353
354config NETFILTER_XT_TARGET_NFLOG
355	tristate '"NFLOG" target support'
356	depends on NETFILTER_XTABLES
357	help
358	  This option enables the NFLOG target, which allows you to LOG
359	  messages through the netfilter logging API, which can use
360	  either the old LOG target, the old ULOG target or nfnetlink_log
361	  as backend.
362
363	  To compile it as a module, choose M here.  If unsure, say N.
364
365config NETFILTER_XT_TARGET_NOTRACK
366	tristate  '"NOTRACK" target support'
367	depends on NETFILTER_XTABLES
368	depends on IP_NF_RAW || IP6_NF_RAW
369	depends on IP_NF_CONNTRACK || NF_CONNTRACK
370	help
371	  The NOTRACK target allows a select rule to specify
372	  which packets *not* to enter the conntrack/NAT
373	  subsystem with all the consequences (no ICMP error tracking,
374	  no protocol helpers for the selected packets).
375
376	  If you want to compile it as a module, say M here and read
377	  <file:Documentation/modules.txt>.  If unsure, say `N'.
378
379config NETFILTER_XT_TARGET_SECMARK
380	tristate '"SECMARK" target support'
381	depends on NETFILTER_XTABLES && NETWORK_SECMARK
382	help
383	  The SECMARK target allows security marking of network
384	  packets, for use with security subsystems.
385
386	  To compile it as a module, choose M here.  If unsure, say N.
387
388config NETFILTER_XT_TARGET_CONNSECMARK
389	tristate '"CONNSECMARK" target support'
390	depends on NETFILTER_XTABLES && \
391		   ((NF_CONNTRACK && NF_CONNTRACK_SECMARK) || \
392		    (IP_NF_CONNTRACK && IP_NF_CONNTRACK_SECMARK))
393	help
394	  The CONNSECMARK target copies security markings from packets
395	  to connections, and restores security markings from connections
396	  to packets (if the packets are not already marked).  This would
397	  normally be used in conjunction with the SECMARK target.
398
399	  To compile it as a module, choose M here.  If unsure, say N.
400
401config NETFILTER_XT_TARGET_TCPMSS
402	tristate '"TCPMSS" target support'
403	depends on NETFILTER_XTABLES && (IPV6 || IPV6=n)
404	---help---
405	  This option adds a `TCPMSS' target, which allows you to alter the
406	  MSS value of TCP SYN packets, to control the maximum size for that
407	  connection (usually limiting it to your outgoing interface's MTU
408	  minus 40).
409
410	  This is used to overcome criminally braindead ISPs or servers which
411	  block ICMP Fragmentation Needed packets.  The symptoms of this
412	  problem are that everything works fine from your Linux
413	  firewall/router, but machines behind it can never exchange large
414	  packets:
415	        1) Web browsers connect, then hang with no data received.
416	        2) Small mail works fine, but large emails hang.
417	        3) ssh works fine, but scp hangs after initial handshaking.
418
419	  Workaround: activate this option and add a rule to your firewall
420	  configuration like:
421
422	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
423	                 -j TCPMSS --clamp-mss-to-pmtu
424
425	  To compile it as a module, choose M here.  If unsure, say N.
426
427config NETFILTER_XT_MATCH_COMMENT
428	tristate  '"comment" match support'
429	depends on NETFILTER_XTABLES
430	help
431	  This option adds a `comment' dummy-match, which allows you to put
432	  comments in your iptables ruleset.
433
434	  If you want to compile it as a module, say M here and read
435	  <file:Documentation/modules.txt>.  If unsure, say `N'.
436
437config NETFILTER_XT_MATCH_CONNBYTES
438	tristate  '"connbytes" per-connection counter match support'
439	depends on NETFILTER_XTABLES
440	depends on IP_NF_CONNTRACK || NF_CONNTRACK
441	select IP_NF_CT_ACCT if IP_NF_CONNTRACK
442	select NF_CT_ACCT if NF_CONNTRACK
443	help
444	  This option adds a `connbytes' match, which allows you to match the
445	  number of bytes and/or packets for each direction within a connection.
446
447	  If you want to compile it as a module, say M here and read
448	  <file:Documentation/modules.txt>.  If unsure, say `N'.
449
450config NETFILTER_XT_MATCH_CONNMARK
451	tristate  '"connmark" connection mark match support'
452	depends on NETFILTER_XTABLES
453	depends on IP_NF_CONNTRACK || NF_CONNTRACK
454	select IP_NF_CONNTRACK_MARK if IP_NF_CONNTRACK
455	select NF_CONNTRACK_MARK if NF_CONNTRACK
456	help
457	  This option adds a `connmark' match, which allows you to match the
458	  connection mark value previously set for the session by `CONNMARK'.
459
460	  If you want to compile it as a module, say M here and read
461	  <file:Documentation/modules.txt>.  The module will be called
462	  ipt_connmark.o.  If unsure, say `N'.
463
464config NETFILTER_XT_MATCH_CONNTRACK
465	tristate '"conntrack" connection tracking match support'
466	depends on NETFILTER_XTABLES
467	depends on IP_NF_CONNTRACK || NF_CONNTRACK
468	help
469	  This is a general conntrack match module, a superset of the state match.
470
471	  It allows matching on additional conntrack information, which is
472	  useful in complex configurations, such as NAT gateways with multiple
473	  internet links or tunnels.
474
475	  To compile it as a module, choose M here.  If unsure, say N.
476
477config NETFILTER_XT_MATCH_DCCP
478	tristate  '"DCCP" protocol match support'
479	depends on NETFILTER_XTABLES
480	help
481	  With this option enabled, you will be able to use the iptables
482	  `dccp' match in order to match on DCCP source/destination ports
483	  and DCCP flags.
484
485	  If you want to compile it as a module, say M here and read
486	  <file:Documentation/modules.txt>.  If unsure, say `N'.
487
488config NETFILTER_XT_MATCH_DSCP
489	tristate '"DSCP" match support'
490	depends on NETFILTER_XTABLES
491	help
492	  This option adds a `DSCP' match, which allows you to match against
493	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
494
495	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
496
497	  To compile it as a module, choose M here.  If unsure, say N.
498
499config NETFILTER_XT_MATCH_ESP
500	tristate '"ESP" match support'
501	depends on NETFILTER_XTABLES
502	help
503	  This match extension allows you to match a range of SPIs
504	  inside ESP header of IPSec packets.
505
506	  To compile it as a module, choose M here.  If unsure, say N.
507
508config NETFILTER_XT_MATCH_HELPER
509	tristate '"helper" match support'
510	depends on NETFILTER_XTABLES
511	depends on IP_NF_CONNTRACK || NF_CONNTRACK
512	help
513	  Helper matching allows you to match packets in dynamic connections
514	  tracked by a conntrack-helper, e.g. ip_conntrack_ftp.
515
516	  To compile it as a module, choose M here.  If unsure, say Y.
517
518config NETFILTER_XT_MATCH_LENGTH
519	tristate '"length" match support'
520	depends on NETFILTER_XTABLES
521	help
522	  This option allows you to match the length of a packet against a
523	  specific value or range of values.
524
525	  To compile it as a module, choose M here.  If unsure, say N.
526
527config NETFILTER_XT_MATCH_LIMIT
528	tristate '"limit" match support'
529	depends on NETFILTER_XTABLES
530	help
531	  limit matching allows you to control the rate at which a rule can be
532	  matched: mainly useful in combination with the LOG target ("LOG
533	  target support", below) and to mitigate some Denial of Service attacks.
534
535	  To compile it as a module, choose M here.  If unsure, say N.
536
537config NETFILTER_XT_MATCH_MAC
538	tristate '"mac" address match support'
539	depends on NETFILTER_XTABLES
540	help
541	  MAC matching allows you to match packets based on the source
542	  Ethernet address of the packet.
543
544	  To compile it as a module, choose M here.  If unsure, say N.
545
546config NETFILTER_XT_MATCH_MARK
547	tristate '"mark" match support'
548	depends on NETFILTER_XTABLES
549	help
550	  Netfilter mark matching allows you to match packets based on the
551	  `nfmark' value in the packet.  This can be set by the MARK target
552	  (see below).
553
554	  To compile it as a module, choose M here.  If unsure, say N.
555
556config NETFILTER_XT_MATCH_POLICY
557	tristate 'IPsec "policy" match support'
558	depends on NETFILTER_XTABLES && XFRM
559	help
560	  Policy matching allows you to match packets based on the
561	  IPsec policy that was used during decapsulation/will
562	  be used during encapsulation.
563
564	  To compile it as a module, choose M here.  If unsure, say N.
565
566config NETFILTER_XT_MATCH_MULTIPORT
567	tristate "Multiple port match support"
568	depends on NETFILTER_XTABLES
569	help
570	  Multiport matching allows you to match TCP or UDP packets based on
571	  a series of source or destination ports: normally a rule can only
572	  match a single range of ports.
573
574	  To compile it as a module, choose M here.  If unsure, say N.
575
576config NETFILTER_XT_MATCH_PHYSDEV
577	tristate '"physdev" match support'
578	depends on NETFILTER_XTABLES && BRIDGE && BRIDGE_NETFILTER
579	help
580	  Physdev packet matching matches against the physical bridge ports
581	  the IP packet arrived on or will leave by.
582
583	  To compile it as a module, choose M here.  If unsure, say N.
584
585config NETFILTER_XT_MATCH_PKTTYPE
586	tristate '"pkttype" packet type match support'
587	depends on NETFILTER_XTABLES
588	help
589	  Packet type matching allows you to match a packet by
590	  its "class", e.g. BROADCAST, MULTICAST, ...
591
592	  Typical usage:
593	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
594
595	  To compile it as a module, choose M here.  If unsure, say N.
596
597config NETFILTER_XT_MATCH_QUOTA
598	tristate '"quota" match support'
599	depends on NETFILTER_XTABLES
600	help
601	  This option adds a `quota' match, which allows you to match on a
602	  byte counter.
603
604	  If you want to compile it as a module, say M here and read
605	  <file:Documentation/modules.txt>.  If unsure, say `N'.
606
607config NETFILTER_XT_MATCH_REALM
608	tristate  '"realm" match support'
609	depends on NETFILTER_XTABLES
610	select NET_CLS_ROUTE
611	help
612	  This option adds a `realm' match, which allows you to use the realm
613	  key from the routing subsystem inside iptables.
614
615	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
616	  in tc world.
617
618	  If you want to compile it as a module, say M here and read
619	  <file:Documentation/modules.txt>.  If unsure, say `N'.
620
621config NETFILTER_XT_MATCH_SCTP
622	tristate  '"sctp" protocol match support (EXPERIMENTAL)'
623	depends on NETFILTER_XTABLES && EXPERIMENTAL
624	help
625	  With this option enabled, you will be able to use the
626	  `sctp' match in order to match on SCTP source/destination ports
627	  and SCTP chunk types.
628
629	  If you want to compile it as a module, say M here and read
630	  <file:Documentation/modules.txt>.  If unsure, say `N'.
631
632config NETFILTER_XT_MATCH_STATE
633	tristate '"state" match support'
634	depends on NETFILTER_XTABLES
635	depends on IP_NF_CONNTRACK || NF_CONNTRACK
636	help
637	  Connection state matching allows you to match packets based on their
638	  relationship to a tracked connection (i.e. previous packets).  This
639	  is a powerful tool for packet classification.
640
641	  To compile it as a module, choose M here.  If unsure, say N.
642
643config NETFILTER_XT_MATCH_STATISTIC
644	tristate '"statistic" match support'
645	depends on NETFILTER_XTABLES
646	help
647	  This option adds a `statistic' match, which allows you to match
648	  on packets periodically or randomly with a given percentage.
649
650	  To compile it as a module, choose M here.  If unsure, say N.
651
652config NETFILTER_XT_MATCH_STRING
653	tristate  '"string" match support'
654	depends on NETFILTER_XTABLES
655	select TEXTSEARCH
656	select TEXTSEARCH_KMP
657	select TEXTSEARCH_BM
658	select TEXTSEARCH_FSM
659	help
660	  This option adds a `string' match, which allows you to search for
661	  patterns in packets.
662
663	  To compile it as a module, choose M here.  If unsure, say N.
664
665config NETFILTER_XT_MATCH_TCPMSS
666	tristate '"tcpmss" match support'
667	depends on NETFILTER_XTABLES
668	help
669	  This option adds a `tcpmss' match, which allows you to examine the
670	  MSS value of TCP SYN packets, which control the maximum packet size
671	  for that connection.
672
673	  To compile it as a module, choose M here.  If unsure, say N.
674
675config NETFILTER_XT_MATCH_HASHLIMIT
676	tristate '"hashlimit" match support'
677	depends on NETFILTER_XTABLES && (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
678	help
679	  This option adds a `hashlimit' match.
680
681	  As opposed to `limit', this match dynamically creates a hash table
682	  of limit buckets, based on your selection of source/destination
683	  addresses and/or ports.
684
685	  It enables you to express policies like `10kpps for any given
686	  destination address' or `500pps from any given source address'
687	  with a single rule.
688
689endmenu
690
691