1menu "Core Netfilter Configuration"
2	depends on NET && INET && NETFILTER
3
4config NETFILTER_INGRESS
5	bool "Netfilter ingress support"
6	default y
7	select NET_INGRESS
8	help
9	  This allows you to classify packets from ingress using the Netfilter
10	  infrastructure.
11
12config NETFILTER_NETLINK
13	tristate
14
15config NETFILTER_NETLINK_ACCT
16	tristate "Netfilter NFACCT over NFNETLINK interface"
17	depends on NETFILTER_ADVANCED
18	select NETFILTER_NETLINK
19	help
20	  If this option is enabled, the kernel will include support
21	  for extended accounting via NFNETLINK.
22
23config NETFILTER_NETLINK_QUEUE
24	tristate "Netfilter NFQUEUE over NFNETLINK interface"
25	depends on NETFILTER_ADVANCED
26	select NETFILTER_NETLINK
27	help
28	  If this option is enabled, the kernel will include support
29	  for queueing packets via NFNETLINK.
30
31config NETFILTER_NETLINK_LOG
32	tristate "Netfilter LOG over NFNETLINK interface"
33	default m if NETFILTER_ADVANCED=n
34	select NETFILTER_NETLINK
35	help
36	  If this option is enabled, the kernel will include support
37	  for logging packets via NFNETLINK.
38
39	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
40	  and is also scheduled to replace the old syslog-based ipt_LOG
41	  and ip6t_LOG modules.
42
43config NF_CONNTRACK
44	tristate "Netfilter connection tracking support"
45	default m if NETFILTER_ADVANCED=n
46	help
47	  Connection tracking keeps a record of what packets have passed
48	  through your machine, in order to figure out how they are related
49	  into connections.
50
51	  This is required to do Masquerading or other kinds of Network
52	  Address Translation.  It can also be used to enhance packet
53	  filtering (see `Connection state match support' below).
54
55	  To compile it as a module, choose M here.  If unsure, say N.
56
57config NF_LOG_COMMON
58	tristate
59
60if NF_CONNTRACK
61
62config NF_CONNTRACK_MARK
63	bool  'Connection mark tracking support'
64	depends on NETFILTER_ADVANCED
65	help
66	  This option enables support for connection marks, used by the
67	  `CONNMARK' target and `connmark' match. Similar to the mark value
68	  of packets, but this mark value is kept in the conntrack session
69	  instead of the individual packets.
70
71config NF_CONNTRACK_SECMARK
72	bool  'Connection tracking security mark support'
73	depends on NETWORK_SECMARK
74	default m if NETFILTER_ADVANCED=n
75	help
76	  This option enables security markings to be applied to
77	  connections.  Typically they are copied to connections from
78	  packets using the CONNSECMARK target and copied back from
79	  connections to packets with the same target, with the packets
80	  being originally labeled via SECMARK.
81
82	  If unsure, say 'N'.
83
84config NF_CONNTRACK_ZONES
85	bool  'Connection tracking zones'
86	depends on NETFILTER_ADVANCED
87	depends on NETFILTER_XT_TARGET_CT
88	help
89	  This option enables support for connection tracking zones.
90	  Normally, each connection needs to have a unique system-wide
91	  identity. Connection tracking zones allow multiple connections
92	  to share the same identity, as long as they are
93	  contained in different zones.
94
95	  If unsure, say `N'.
96
97config NF_CONNTRACK_PROCFS
98	bool "Supply CT list in procfs (OBSOLETE)"
99	default y
100	depends on PROC_FS
101	---help---
102	This option enables the list of known conntrack entries
103	to be shown in procfs under net/netfilter/nf_conntrack. This
104	is considered obsolete in favor of using the conntrack(8)
105	tool which uses Netlink.
106
107config NF_CONNTRACK_EVENTS
108	bool "Connection tracking events"
109	depends on NETFILTER_ADVANCED
110	help
111	  If this option is enabled, the connection tracking code will
112	  provide a notifier chain that can be used by other kernel code
113	  to get notified about changes in the connection tracking state.
114
115	  If unsure, say `N'.
116
117config NF_CONNTRACK_TIMEOUT
118	bool  'Connection tracking timeout'
119	depends on NETFILTER_ADVANCED
120	help
121	  This option enables support for connection tracking timeout
122	  extension. This allows you to attach timeout policies to flow
123	  via the CT target.
124
125	  If unsure, say `N'.
126
127config NF_CONNTRACK_TIMESTAMP
128	bool  'Connection tracking timestamping'
129	depends on NETFILTER_ADVANCED
130	help
131	  This option enables support for connection tracking timestamping.
132	  This allows you to store the flow start-time and to obtain
133	  the flow-stop time (once it has been destroyed) via Connection
134	  tracking events.
135
136	  If unsure, say `N'.
137
138config NF_CONNTRACK_LABELS
139	bool
140	help
141	  This option enables support for assigning user-defined flag bits
142	  to connection tracking entries.  It is selected by the connlabel match.
143
144config NF_CT_PROTO_DCCP
145	tristate 'DCCP protocol connection tracking support'
146	depends on NETFILTER_ADVANCED
147	default IP_DCCP
148	help
149	  With this option enabled, the layer 3 independent connection
150	  tracking code will be able to do state tracking on DCCP connections.
151
152	  If unsure, say 'N'.
153
154config NF_CT_PROTO_GRE
155	tristate
156
157config NF_CT_PROTO_SCTP
158	tristate 'SCTP protocol connection tracking support'
159	depends on NETFILTER_ADVANCED
160	default IP_SCTP
161	help
162	  With this option enabled, the layer 3 independent connection
163	  tracking code will be able to do state tracking on SCTP connections.
164
165	  If you want to compile it as a module, say M here and read
166	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
167
168config NF_CT_PROTO_UDPLITE
169	tristate 'UDP-Lite protocol connection tracking support'
170	depends on NETFILTER_ADVANCED
171	help
172	  With this option enabled, the layer 3 independent connection
173	  tracking code will be able to do state tracking on UDP-Lite
174	  connections.
175
176	  To compile it as a module, choose M here.  If unsure, say N.
177
178config NF_CONNTRACK_AMANDA
179	tristate "Amanda backup protocol support"
180	depends on NETFILTER_ADVANCED
181	select TEXTSEARCH
182	select TEXTSEARCH_KMP
183	help
184	  If you are running the Amanda backup package <http://www.amanda.org/>
185	  on this machine or machines that will be MASQUERADED through this
186	  machine, then you may want to enable this feature.  This allows the
187	  connection tracking and natting code to allow the sub-channels that
188	  Amanda requires for communication of the backup data, messages and
189	  index.
190
191	  To compile it as a module, choose M here.  If unsure, say N.
192
193config NF_CONNTRACK_FTP
194	tristate "FTP protocol support"
195	default m if NETFILTER_ADVANCED=n
196	help
197	  Tracking FTP connections is problematic: special helpers are
198	  required for tracking them, and doing masquerading and other forms
199	  of Network Address Translation on them.
200
201	  This is FTP support on Layer 3 independent connection tracking.
202	  Layer 3 independent connection tracking is an experimental scheme
203	  which generalizes ip_conntrack to support other layer 3 protocols.
204
205	  To compile it as a module, choose M here.  If unsure, say N.
206
207config NF_CONNTRACK_H323
208	tristate "H.323 protocol support"
209	depends on IPV6 || IPV6=n
210	depends on NETFILTER_ADVANCED
211	help
212	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
213	  important VoIP protocols, it is widely used by voice hardware and
214	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
215	  Gnomemeeting, etc.
216
217	  With this module you can support H.323 on a connection tracking/NAT
218	  firewall.
219
220	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
221	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
222	  whiteboard, file transfer, etc. For more information, please
223	  visit http://nath323.sourceforge.net/.
224
225	  To compile it as a module, choose M here.  If unsure, say N.
226
227config NF_CONNTRACK_IRC
228	tristate "IRC protocol support"
229	default m if NETFILTER_ADVANCED=n
230	help
231	  There is a commonly-used extension to IRC called
232	  Direct Client-to-Client Protocol (DCC).  This enables users to send
233	  files to each other, and also chat to each other without the need
234	  of a server.  DCC Sending is used anywhere you send files over IRC,
235	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
236	  using NAT, this extension will enable you to send files and initiate
237	  chats.  Note that you do NOT need this extension to get files or
238	  have others initiate chats, or everything else in IRC.
239
240	  To compile it as a module, choose M here.  If unsure, say N.
241
242config NF_CONNTRACK_BROADCAST
243	tristate
244
245config NF_CONNTRACK_NETBIOS_NS
246	tristate "NetBIOS name service protocol support"
247	select NF_CONNTRACK_BROADCAST
248	help
249	  NetBIOS name service requests are sent as broadcast messages from an
250	  unprivileged port and responded to with unicast messages to the
251	  same port. This makes them hard to firewall properly because connection
252	  tracking doesn't deal with broadcasts. This helper tracks locally
253	  originating NetBIOS name service requests and the corresponding
254	  responses. It relies on correct IP address configuration, specifically
255	  netmask and broadcast address. When properly configured, the output
256	  of "ip address show" should look similar to this:
257
258	  $ ip -4 address show eth0
259	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
260	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
261
262	  To compile it as a module, choose M here.  If unsure, say N.
263
264config NF_CONNTRACK_SNMP
265	tristate "SNMP service protocol support"
266	depends on NETFILTER_ADVANCED
267	select NF_CONNTRACK_BROADCAST
268	help
269	  SNMP service requests are sent as broadcast messages from an
270	  unprivileged port and responded to with unicast messages to the
271	  same port. This makes them hard to firewall properly because connection
272	  tracking doesn't deal with broadcasts. This helper tracks locally
273	  originating SNMP service requests and the corresponding
274	  responses. It relies on correct IP address configuration, specifically
275	  netmask and broadcast address.
276
277	  To compile it as a module, choose M here.  If unsure, say N.
278
279config NF_CONNTRACK_PPTP
280	tristate "PPtP protocol support"
281	depends on NETFILTER_ADVANCED
282	select NF_CT_PROTO_GRE
283	help
284	  This module adds support for PPTP (Point to Point Tunnelling
285	  Protocol, RFC2637) connection tracking and NAT.
286
287	  If you are running PPTP sessions over a stateful firewall or NAT
288	  box, you may want to enable this feature.
289
290	  Please note that not all PPTP modes of operation are supported yet.
291	  Specifically these limitations exist:
292	    - Blindly assumes that control connections are always established
293	      in PNS->PAC direction. This is a violation of RFC2637.
294	    - Only supports a single call within each session
295
296	  To compile it as a module, choose M here.  If unsure, say N.
297
298config NF_CONNTRACK_SANE
299	tristate "SANE protocol support"
300	depends on NETFILTER_ADVANCED
301	help
302	  SANE is a protocol for remote access to scanners as implemented
303	  by the 'saned' daemon. Like FTP, it uses separate control and
304	  data connections.
305
306	  With this module you can support SANE on a connection tracking
307	  firewall.
308
309	  To compile it as a module, choose M here.  If unsure, say N.
310
311config NF_CONNTRACK_SIP
312	tristate "SIP protocol support"
313	default m if NETFILTER_ADVANCED=n
314	help
315	  SIP is an application-layer control protocol that can establish,
316	  modify, and terminate multimedia sessions (conferences) such as
317	  Internet telephony calls. With the ip_conntrack_sip and
318	  the nf_nat_sip modules you can support the protocol on a connection
319	  tracking/NATing firewall.
320
321	  To compile it as a module, choose M here.  If unsure, say N.
322
323config NF_CONNTRACK_TFTP
324	tristate "TFTP protocol support"
325	depends on NETFILTER_ADVANCED
326	help
327	  TFTP connection tracking helper, this is required depending
328	  on how restrictive your ruleset is.
329	  If you are using a tftp client behind -j SNAT or -j MASQUERADE
330	  you will need this.
331
332	  To compile it as a module, choose M here.  If unsure, say N.
333
334config NF_CT_NETLINK
335	tristate 'Connection tracking netlink interface'
336	select NETFILTER_NETLINK
337	default m if NETFILTER_ADVANCED=n
338	help
339	  This option enables support for a netlink-based userspace interface
	  to connection tracking.
340
341config NF_CT_NETLINK_TIMEOUT
342	tristate  'Connection tracking timeout tuning via Netlink'
343	select NETFILTER_NETLINK
344	depends on NETFILTER_ADVANCED
345	help
346	  This option enables support for connection tracking timeout
347	  fine-grain tuning. This allows you to attach specific timeout
348	  policies to flows, instead of using the global timeout policy.
349
350	  If unsure, say `N'.
351
352config NF_CT_NETLINK_HELPER
353	tristate 'Connection tracking helpers in user-space via Netlink'
354	select NETFILTER_NETLINK
355	depends on NF_CT_NETLINK
356	depends on NETFILTER_NETLINK_QUEUE
357	depends on NETFILTER_NETLINK_QUEUE_CT
358	depends on NETFILTER_ADVANCED
359	help
360	  This option enables the user-space connection tracking helpers
361	  infrastructure.
362
363	  If unsure, say `N'.
364
365config NETFILTER_NETLINK_QUEUE_CT
366        bool "NFQUEUE integration with Connection Tracking"
367        default n
368        depends on NETFILTER_NETLINK_QUEUE
369	help
370	  If this option is enabled, NFQUEUE can include Connection Tracking
371	  information together with the packet that is enqueued via NFNETLINK.
372
373config NF_NAT
374	tristate
375
376config NF_NAT_NEEDED
377	bool
378	depends on NF_NAT
379	default y
380
381config NF_NAT_PROTO_DCCP
382	tristate
383	depends on NF_NAT && NF_CT_PROTO_DCCP
384	default NF_NAT && NF_CT_PROTO_DCCP
385
386config NF_NAT_PROTO_UDPLITE
387	tristate
388	depends on NF_NAT && NF_CT_PROTO_UDPLITE
389	default NF_NAT && NF_CT_PROTO_UDPLITE
390
391config NF_NAT_PROTO_SCTP
392	tristate
393	default NF_NAT && NF_CT_PROTO_SCTP
394	depends on NF_NAT && NF_CT_PROTO_SCTP
395	select LIBCRC32C
396
397config NF_NAT_AMANDA
398	tristate
399	depends on NF_CONNTRACK && NF_NAT
400	default NF_NAT && NF_CONNTRACK_AMANDA
401
402config NF_NAT_FTP
403	tristate
404	depends on NF_CONNTRACK && NF_NAT
405	default NF_NAT && NF_CONNTRACK_FTP
406
407config NF_NAT_IRC
408	tristate
409	depends on NF_CONNTRACK && NF_NAT
410	default NF_NAT && NF_CONNTRACK_IRC
411
412config NF_NAT_SIP
413	tristate
414	depends on NF_CONNTRACK && NF_NAT
415	default NF_NAT && NF_CONNTRACK_SIP
416
417config NF_NAT_TFTP
418	tristate
419	depends on NF_CONNTRACK && NF_NAT
420	default NF_NAT && NF_CONNTRACK_TFTP
421
422config NF_NAT_REDIRECT
423        tristate "IPv4/IPv6 redirect support"
424	depends on NF_NAT
425        help
426          This is the kernel functionality to redirect packets to the local
427          machine through NAT.
428
429config NETFILTER_SYNPROXY
430	tristate
431
432endif # NF_CONNTRACK
433
434config NF_TABLES
435	select NETFILTER_NETLINK
436	tristate "Netfilter nf_tables support"
437	help
438	  nftables is the new packet classification framework that intends to
439	  replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
440	  provides a pseudo-state machine with an extensible instruction-set
441	  (also known as expressions) that the userspace 'nft' utility
442	  (http://www.netfilter.org/projects/nftables) uses to build the
443	  rule-set. It also comes with the generic set infrastructure that
444	  allows you to construct mappings between matchings and actions
445	  for performance lookups.
446
447	  To compile it as a module, choose M here.
448
449if NF_TABLES
450
451config NF_TABLES_INET
452	depends on IPV6
453	select NF_TABLES_IPV4
454	select NF_TABLES_IPV6
455	tristate "Netfilter nf_tables mixed IPv4/IPv6 tables support"
456	help
457	  This option enables support for a mixed IPv4/IPv6 "inet" table.
458
459config NF_TABLES_NETDEV
460	tristate "Netfilter nf_tables netdev tables support"
461	help
462	  This option enables support for the "netdev" table.
463
464config NFT_EXTHDR
465	tristate "Netfilter nf_tables IPv6 exthdr module"
466	help
467	  This option adds the "exthdr" expression that you can use to match
468	  IPv6 extension headers.
469
470config NFT_META
471	tristate "Netfilter nf_tables meta module"
472	help
473	  This option adds the "meta" expression that you can use to match and
474	  to set packet metainformation such as the packet mark.
475
476config NFT_CT
477	depends on NF_CONNTRACK
478	tristate "Netfilter nf_tables conntrack module"
479	help
480	  This option adds the "ct" expression that you can use to match
481	  connection tracking information such as the flow state.
482
483config NFT_RBTREE
484	tristate "Netfilter nf_tables rbtree set module"
485	help
486	  This option adds the "rbtree" set type (Red Black tree) that is used
487	  to build interval-based sets.
488
489config NFT_HASH
490	tristate "Netfilter nf_tables hash set module"
491	help
492	  This option adds the "hash" set type that is used to build one-way
493	  mappings between matchings and actions.
494
495config NFT_COUNTER
496	tristate "Netfilter nf_tables counter module"
497	help
498	  This option adds the "counter" expression that you can use to
499	  include packet and byte counters in a rule.
500
501config NFT_LOG
502	tristate "Netfilter nf_tables log module"
503	help
504	  This option adds the "log" expression that you can use to log
505	  packets matching some criteria.
506
507config NFT_LIMIT
508	tristate "Netfilter nf_tables limit module"
509	help
510	  This option adds the "limit" expression that you can use to
511	  ratelimit rule matchings.
512
513config NFT_MASQ
514	depends on NF_CONNTRACK
515	depends on NF_NAT
516	tristate "Netfilter nf_tables masquerade support"
517	help
518	  This option adds the "masquerade" expression that you can use
519	  to perform NAT in the masquerade flavour.
520
521config NFT_REDIR
522	depends on NF_CONNTRACK
523	depends on NF_NAT
524	tristate "Netfilter nf_tables redirect support"
525	help
526	  This option adds the "redirect" expression that you can use
527	  to perform NAT in the redirect flavour.
528
529config NFT_NAT
530	depends on NF_CONNTRACK
531	select NF_NAT
532	tristate "Netfilter nf_tables nat module"
533	help
534	  This option adds the "nat" expression that you can use to perform
535	  typical Network Address Translation (NAT) packet transformations.
536
537config NFT_QUEUE
538	depends on NETFILTER_NETLINK_QUEUE
539	tristate "Netfilter nf_tables queue module"
540	help
541	  This is required if you intend to use the userspace queueing
542	  infrastructure (also known as NFQUEUE) from nftables.
543
544config NFT_REJECT
545	default m if NETFILTER_ADVANCED=n
546	tristate "Netfilter nf_tables reject support"
547	help
548	  This option adds the "reject" expression that you can use to
549	  explicitly deny disallowed traffic and notify the sender via a
550	  TCP reset or an ICMP error message.
551
552config NFT_REJECT_INET
553	depends on NF_TABLES_INET
554	default NFT_REJECT
555	tristate
556
557config NFT_COMPAT
558	depends on NETFILTER_XTABLES
559	tristate "Netfilter x_tables over nf_tables module"
560	help
561	  This is required if you intend to use any of the existing
562	  x_tables match/target extensions over the nf_tables
563	  framework.
564
565endif # NF_TABLES
566
567config NETFILTER_XTABLES
568	tristate "Netfilter Xtables support (required for ip_tables)"
569	default m if NETFILTER_ADVANCED=n
570	help
571	  This is required if you intend to use any of ip_tables,
572	  ip6_tables or arp_tables.
573
574if NETFILTER_XTABLES
575
576comment "Xtables combined modules"
577
578config NETFILTER_XT_MARK
579	tristate 'nfmark target and match support'
580	default m if NETFILTER_ADVANCED=n
581	---help---
582	This option adds the "MARK" target and "mark" match.
583
584	Netfilter mark matching allows you to match packets based on the
585	"nfmark" value in the packet.
586	The target allows you to create rules in the "mangle" table which alter
587	the netfilter mark (nfmark) field associated with the packet.
588
589	Prior to routing, the nfmark can influence the routing method (see
590	"Use netfilter MARK value as routing key") and can also be used by
591	other subsystems to change their behavior.
592
593config NETFILTER_XT_CONNMARK
594	tristate 'ctmark target and match support'
595	depends on NF_CONNTRACK
596	depends on NETFILTER_ADVANCED
597	select NF_CONNTRACK_MARK
598	---help---
599	This option adds the "CONNMARK" target and "connmark" match.
600
601	Netfilter allows you to store a mark value per connection (a.k.a.
602	ctmark), similarly to the packet mark (nfmark). Using this
603	target and match, you can set and match on this mark.
604
605config NETFILTER_XT_SET
606	tristate 'set target and match support'
607	depends on IP_SET
608	depends on NETFILTER_ADVANCED
609	help
610	  This option adds the "SET" target and "set" match.
611
612	  Using this target and match, you can add/delete and match
613	  elements in the sets created by ipset(8).
614
615	  To compile it as a module, choose M here.  If unsure, say N.
616
617# alphabetically ordered list of targets
618
619comment "Xtables targets"
620
621config NETFILTER_XT_TARGET_AUDIT
622	tristate "AUDIT target support"
623	depends on AUDIT
624	depends on NETFILTER_ADVANCED
625	---help---
626	  This option adds an `AUDIT' target, which can be used to create
627	  audit records for packets dropped/accepted.
628
629	  To compile it as a module, choose M here. If unsure, say N.
630
631config NETFILTER_XT_TARGET_CHECKSUM
632	tristate "CHECKSUM target support"
633	depends on IP_NF_MANGLE || IP6_NF_MANGLE
634	depends on NETFILTER_ADVANCED
635	---help---
636	  This option adds a `CHECKSUM' target, which can be used in the iptables mangle
637	  table.
638
639	  You can use this target to compute and fill in the checksum in
640	  a packet that lacks a checksum.  This is particularly useful,
641	  if you need to work around old applications such as dhcp clients,
642	  that do not work well with checksum offloads, but don't want to disable
643	  checksum offload in your device.
644
645	  To compile it as a module, choose M here.  If unsure, say N.
646
647config NETFILTER_XT_TARGET_CLASSIFY
648	tristate '"CLASSIFY" target support'
649	depends on NETFILTER_ADVANCED
650	help
651	  This option adds a `CLASSIFY' target, which enables the user to set
652	  the priority of a packet. Some qdiscs can use this value for
653	  classification, among these are:
654
655	  atm, cbq, dsmark, pfifo_fast, htb, prio
656
657	  To compile it as a module, choose M here.  If unsure, say N.
658
659config NETFILTER_XT_TARGET_CONNMARK
660	tristate  '"CONNMARK" target support'
661	depends on NF_CONNTRACK
662	depends on NETFILTER_ADVANCED
663	select NETFILTER_XT_CONNMARK
664	---help---
665	This is a backwards-compat option for the user's convenience
666	(e.g. when running oldconfig). It selects
667	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
668
669config NETFILTER_XT_TARGET_CONNSECMARK
670	tristate '"CONNSECMARK" target support'
671	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
672	default m if NETFILTER_ADVANCED=n
673	help
674	  The CONNSECMARK target copies security markings from packets
675	  to connections, and restores security markings from connections
676	  to packets (if the packets are not already marked).  This would
677	  normally be used in conjunction with the SECMARK target.
678
679	  To compile it as a module, choose M here.  If unsure, say N.
680
681config NETFILTER_XT_TARGET_CT
682	tristate '"CT" target support'
683	depends on NF_CONNTRACK
684	depends on IP_NF_RAW || IP6_NF_RAW
685	depends on NETFILTER_ADVANCED
686	help
687	  This option adds a `CT' target, which allows you to specify initial
688	  connection tracking parameters like events to be delivered and
689	  the helper to be used.
690
691	  To compile it as a module, choose M here.  If unsure, say N.
692
693config NETFILTER_XT_TARGET_DSCP
694	tristate '"DSCP" and "TOS" target support'
695	depends on IP_NF_MANGLE || IP6_NF_MANGLE
696	depends on NETFILTER_ADVANCED
697	help
698	  This option adds a `DSCP' target, which allows you to manipulate
699	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
700
701	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
702
703	  It also adds the "TOS" target, which allows you to create rules in
704	  the "mangle" table which alter the Type Of Service field of an IPv4
705	  or the Priority field of an IPv6 packet, prior to routing.
706
707	  To compile it as a module, choose M here.  If unsure, say N.
708
709config NETFILTER_XT_TARGET_HL
710	tristate '"HL" hoplimit target support'
711	depends on IP_NF_MANGLE || IP6_NF_MANGLE
712	depends on NETFILTER_ADVANCED
713	---help---
714	This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
715	targets, which enable the user to change the
716	hoplimit/time-to-live value of the IP header.
717
718	While it is safe to decrement the hoplimit/TTL value, the
719	modules also allow you to increment and set the hoplimit value of
720	the header to arbitrary values. This is EXTREMELY DANGEROUS
721	since you can easily create immortal packets that loop
722	forever on the network.
723
724config NETFILTER_XT_TARGET_HMARK
725	tristate '"HMARK" target support'
726	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
727	depends on NETFILTER_ADVANCED
728	---help---
729	This option adds the "HMARK" target.
730
731	The target allows you to create rules in the "raw" and "mangle" tables
732	which set the skbuff mark by means of hash calculation within a given
733	range. The nfmark can influence the routing method (see "Use netfilter
734	MARK value as routing key") and can also be used by other subsystems to
735	change their behaviour.
736
737	To compile it as a module, choose M here. If unsure, say N.
738
739config NETFILTER_XT_TARGET_IDLETIMER
740	tristate  "IDLETIMER target support"
741	depends on NETFILTER_ADVANCED
742	help
743
744	  This option adds the `IDLETIMER' target.  Each matching packet
745	  resets the timer associated with the label specified when the rule is
746	  added.  When the timer expires, it triggers a sysfs notification.
747	  The remaining time for expiration can be read via sysfs.
748
749	  To compile it as a module, choose M here.  If unsure, say N.
750
751config NETFILTER_XT_TARGET_LED
752	tristate '"LED" target support'
753	depends on LEDS_CLASS && LEDS_TRIGGERS
754	depends on NETFILTER_ADVANCED
755	help
756	  This option adds a `LED' target, which allows you to blink LEDs in
757	  response to particular packets passing through your machine.
758
759	  This can be used to turn a spare LED into a network activity LED,
760	  which only flashes in response to FTP transfers, for example.  Or
761	  you could have an LED which lights up for a minute or two every time
762	  somebody connects to your machine via SSH.
763
764	  You will need support for the "led" class to make this work.
765
766	  To create an LED trigger for incoming SSH traffic:
767	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
768
769	  Then attach the new trigger to an LED on your system:
770	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
771
772	  For more information on the LEDs available on your system, see
773	  Documentation/leds/leds-class.txt
774
775config NETFILTER_XT_TARGET_LOG
776	tristate "LOG target support"
777	select NF_LOG_COMMON
778	select NF_LOG_IPV4
779	select NF_LOG_IPV6 if IPV6
780	default m if NETFILTER_ADVANCED=n
781	help
782	  This option adds a `LOG' target, which allows you to create rules in
783	  any iptables table which records the packet header to the syslog.
784
785	  To compile it as a module, choose M here.  If unsure, say N.
786
787config NETFILTER_XT_TARGET_MARK
788	tristate '"MARK" target support'
789	depends on NETFILTER_ADVANCED
790	select NETFILTER_XT_MARK
791	---help---
792	This is a backwards-compat option for the user's convenience
793	(e.g. when running oldconfig). It selects
794	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
795
796config NETFILTER_XT_NAT
797	tristate '"SNAT and DNAT" targets support'
798	depends on NF_NAT
799	---help---
800	This option enables the SNAT and DNAT targets.
801
802	To compile it as a module, choose M here. If unsure, say N.
803
804config NETFILTER_XT_TARGET_NETMAP
805	tristate '"NETMAP" target support'
806	depends on NF_NAT
807	---help---
808	NETMAP is an implementation of static 1:1 NAT mapping of network
809	addresses. It maps the network address part, while keeping the host
810	address part intact.
811
812	To compile it as a module, choose M here. If unsure, say N.
813
814config NETFILTER_XT_TARGET_NFLOG
815	tristate '"NFLOG" target support'
816	default m if NETFILTER_ADVANCED=n
817	select NETFILTER_NETLINK_LOG
818	help
819	  This option enables the NFLOG target, which allows you to log
820	  messages through nfnetlink_log.
821
822	  To compile it as a module, choose M here.  If unsure, say N.
823
824config NETFILTER_XT_TARGET_NFQUEUE
825	tristate '"NFQUEUE" target support'
826	depends on NETFILTER_ADVANCED
827	select NETFILTER_NETLINK_QUEUE
828	help
829	  This target replaced the old obsolete QUEUE target.
830
831	  As opposed to QUEUE, it supports 65535 different queues,
832	  not just one.
833
834	  To compile it as a module, choose M here.  If unsure, say N.
835
836config NETFILTER_XT_TARGET_NOTRACK
837	tristate  '"NOTRACK" target support (DEPRECATED)'
838	depends on NF_CONNTRACK
839	depends on IP_NF_RAW || IP6_NF_RAW
840	depends on NETFILTER_ADVANCED
841	select NETFILTER_XT_TARGET_CT
842
843config NETFILTER_XT_TARGET_RATEEST
844	tristate '"RATEEST" target support'
845	depends on NETFILTER_ADVANCED
846	help
847	  This option adds a `RATEEST' target, which allows you to measure
848	  rates similar to TC estimators. The `rateest' match can be
849	  used to match on the measured rates.
850
851	  To compile it as a module, choose M here.  If unsure, say N.
852
853config NETFILTER_XT_TARGET_REDIRECT
854	tristate "REDIRECT target support"
855	depends on NF_NAT
856	select NF_NAT_REDIRECT
857	---help---
858	REDIRECT is a special case of NAT: all incoming connections are
859	mapped onto the incoming interface's address, causing the packets to
860	come to the local machine instead of passing through. This is
861	useful for transparent proxies.
862
863	To compile it as a module, choose M here. If unsure, say N.
864
865config NETFILTER_XT_TARGET_TEE
866	tristate '"TEE" - packet cloning to alternate destination'
867	depends on NETFILTER_ADVANCED
868	depends on IPV6 || IPV6=n
869	depends on !NF_CONNTRACK || NF_CONNTRACK
870	select NF_DUP_IPV4
871	select NF_DUP_IPV6 if IP6_NF_IPTABLES
872	---help---
873	This option adds a "TEE" target with which a packet can be cloned and
874	this clone be rerouted to another nexthop.
875
876config NETFILTER_XT_TARGET_TPROXY
877	tristate '"TPROXY" target transparent proxying support'
878	depends on NETFILTER_XTABLES
879	depends on NETFILTER_ADVANCED
880	depends on IPV6 || IPV6=n
881	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
882	depends on IP_NF_MANGLE
883	select NF_DEFRAG_IPV4
884	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
885	help
886	  This option adds a `TPROXY' target, which is somewhat similar to
887	  REDIRECT.  It can only be used in the mangle table and is useful
888	  to redirect traffic to a transparent proxy.  It does _not_ depend
889	  on Netfilter connection tracking and NAT, unlike REDIRECT.
890	  For it to work you will have to configure certain iptables rules
891	  and use policy routing. For more information on how to set it up
892	  see Documentation/networking/tproxy.txt.
893
894	  To compile it as a module, choose M here.  If unsure, say N.
895
896config NETFILTER_XT_TARGET_TRACE
897	tristate  '"TRACE" target support'
898	depends on IP_NF_RAW || IP6_NF_RAW
899	depends on NETFILTER_ADVANCED
900	help
	  The TRACE target allows you to mark packets so that the kernel
	  will log every rule that matches them as they traverse the
	  tables, chains and rules.
904
905	  If you want to compile it as a module, say M here and read
906	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
907
908config NETFILTER_XT_TARGET_SECMARK
909	tristate '"SECMARK" target support'
910	depends on NETWORK_SECMARK
911	default m if NETFILTER_ADVANCED=n
912	help
	  The SECMARK target allows security marking of network
	  packets, for use with security subsystems (e.g. SELinux).
915
916	  To compile it as a module, choose M here.  If unsure, say N.
917
918config NETFILTER_XT_TARGET_TCPMSS
919	tristate '"TCPMSS" target support'
920	depends on IPV6 || IPV6=n
921	default m if NETFILTER_ADVANCED=n
922	---help---
	  This option adds a `TCPMSS' target, which allows you to alter the
	  MSS value of TCP SYN packets, to control the maximum size for that
	  connection (usually limiting it to your outgoing interface's MTU
	  minus the IP and TCP header sizes: 40 bytes for IPv4, 60 for IPv6).
927
	  This is used to work around misconfigured ISPs or servers which
	  block ICMP Fragmentation Needed packets and thereby break Path MTU
	  Discovery.  The symptoms of this problem are that everything works
	  fine from your Linux firewall/router, but machines behind it can
	  never exchange large packets:
933	        1) Web browsers connect, then hang with no data received.
934	        2) Small mail works fine, but large emails hang.
935	        3) ssh works fine, but scp hangs after initial handshaking.
936
937	  Workaround: activate this option and add a rule to your firewall
938	  configuration like:
939
940	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
941	                 -j TCPMSS --clamp-mss-to-pmtu
942
943	  To compile it as a module, choose M here.  If unsure, say N.
944
945config NETFILTER_XT_TARGET_TCPOPTSTRIP
946	tristate '"TCPOPTSTRIP" target support'
947	depends on IP_NF_MANGLE || IP6_NF_MANGLE
948	depends on NETFILTER_ADVANCED
949	help
950	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
951	  TCP options from TCP packets.
952
953# alphabetically ordered list of matches
954
955comment "Xtables matches"
956
957config NETFILTER_XT_MATCH_ADDRTYPE
958	tristate '"addrtype" address type match support'
959	default m if NETFILTER_ADVANCED=n
960	---help---
	  This option allows you to match on how the routing subsystem
	  classifies an address, e.g. UNICAST, LOCAL, BROADCAST, ...
963
964	  If you want to compile it as a module, say M here and read
965	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
966
967config NETFILTER_XT_MATCH_BPF
968	tristate '"bpf" match support'
969	depends on NETFILTER_ADVANCED
970	help
971	  BPF matching applies a linux socket filter to each packet and
972	  accepts those for which the filter returns non-zero.
973
974	  To compile it as a module, choose M here.  If unsure, say N.
975
976config NETFILTER_XT_MATCH_CGROUP
977	tristate '"control group" match support'
978	depends on NETFILTER_ADVANCED
979	depends on CGROUPS
980	select CGROUP_NET_CLASSID
981	---help---
982	Socket/process control group matching allows you to match locally
983	generated packets based on which net_cls control group processes
984	belong to.
985
986config NETFILTER_XT_MATCH_CLUSTER
987	tristate '"cluster" match support'
988	depends on NF_CONNTRACK
989	depends on NETFILTER_ADVANCED
990	---help---
991	  This option allows you to build work-load-sharing clusters of
992	  network servers/stateful firewalls without having a dedicated
993	  load-balancing router/server/switch. Basically, this match returns
994	  true when the packet must be handled by this cluster node. Thus,
995	  all nodes see all packets and this match decides which node handles
996	  what packets. The work-load sharing algorithm is based on source
997	  address hashing.
998
999	  If you say Y or M here, try `iptables -m cluster --help` for
1000	  more information.
1001
1002config NETFILTER_XT_MATCH_COMMENT
1003	tristate  '"comment" match support'
1004	depends on NETFILTER_ADVANCED
1005	help
1006	  This option adds a `comment' dummy-match, which allows you to put
1007	  comments in your iptables ruleset.
1008
1009	  If you want to compile it as a module, say M here and read
1010	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1011
1012config NETFILTER_XT_MATCH_CONNBYTES
1013	tristate  '"connbytes" per-connection counter match support'
1014	depends on NF_CONNTRACK
1015	depends on NETFILTER_ADVANCED
1016	help
1017	  This option adds a `connbytes' match, which allows you to match the
1018	  number of bytes and/or packets for each direction within a connection.
1019
1020	  If you want to compile it as a module, say M here and read
1021	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1022
1023config NETFILTER_XT_MATCH_CONNLABEL
1024	tristate '"connlabel" match support'
1025	select NF_CONNTRACK_LABELS
1026	depends on NF_CONNTRACK
1027	depends on NETFILTER_ADVANCED
1028	---help---
	  This match allows you to test and assign userspace-defined label
	  names to a connection.  The kernel only stores bit values; mapping
	  names to bits is done by userspace.
1032
1033	  Unlike connmark, more than 32 flag bits may be assigned to a
1034	  connection simultaneously.
1035
1036config NETFILTER_XT_MATCH_CONNLIMIT
1037	tristate '"connlimit" match support'
1038	depends on NF_CONNTRACK
1039	depends on NETFILTER_ADVANCED
1040	---help---
	  This match allows you to match against the number of parallel
	  connections to a server per client IP address (or address block),
	  e.g. to cap how many concurrent connections a single source may
	  hold open.
1043
1044config NETFILTER_XT_MATCH_CONNMARK
1045	tristate  '"connmark" connection mark match support'
1046	depends on NF_CONNTRACK
1047	depends on NETFILTER_ADVANCED
1048	select NETFILTER_XT_CONNMARK
1049	---help---
1050	This is a backwards-compat option for the user's convenience
1051	(e.g. when running oldconfig). It selects
1052	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
1053
1054config NETFILTER_XT_MATCH_CONNTRACK
1055	tristate '"conntrack" connection tracking match support'
1056	depends on NF_CONNTRACK
1057	default m if NETFILTER_ADVANCED=n
1058	help
1059	  This is a general conntrack match module, a superset of the state match.
1060
1061	  It allows matching on additional conntrack information, which is
1062	  useful in complex configurations, such as NAT gateways with multiple
1063	  internet links or tunnels.
1064
1065	  To compile it as a module, choose M here.  If unsure, say N.
1066
1067config NETFILTER_XT_MATCH_CPU
1068	tristate '"cpu" match support'
1069	depends on NETFILTER_ADVANCED
1070	help
1071	  CPU matching allows you to match packets based on the CPU
1072	  currently handling the packet.
1073
1074	  To compile it as a module, choose M here.  If unsure, say N.
1075
1076config NETFILTER_XT_MATCH_DCCP
1077	tristate '"dccp" protocol match support'
1078	depends on NETFILTER_ADVANCED
1079	default IP_DCCP
1080	help
1081	  With this option enabled, you will be able to use the iptables
1082	  `dccp' match in order to match on DCCP source/destination ports
1083	  and DCCP flags.
1084
1085	  If you want to compile it as a module, say M here and read
1086	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1087
1088config NETFILTER_XT_MATCH_DEVGROUP
1089	tristate '"devgroup" match support'
1090	depends on NETFILTER_ADVANCED
1091	help
	  This option adds a `devgroup' match, which allows you to match on
	  the device group a network device is assigned to.
1094
1095	  To compile it as a module, choose M here.  If unsure, say N.
1096
1097config NETFILTER_XT_MATCH_DSCP
1098	tristate '"dscp" and "tos" match support'
1099	depends on NETFILTER_ADVANCED
1100	help
1101	  This option adds a `DSCP' match, which allows you to match against
1102	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
1103
1104	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
1105
1106	  It will also add a "tos" match, which allows you to match packets
1107	  based on the Type Of Service fields of the IPv4 packet (which share
1108	  the same bits as DSCP).
1109
1110	  To compile it as a module, choose M here.  If unsure, say N.
1111
1112config NETFILTER_XT_MATCH_ECN
1113	tristate '"ecn" match support'
1114	depends on NETFILTER_ADVANCED
1115	---help---
1116	This option adds an "ECN" match, which allows you to match against
1117	the IPv4 and TCP header ECN fields.
1118
1119	To compile it as a module, choose M here. If unsure, say N.
1120
1121config NETFILTER_XT_MATCH_ESP
1122	tristate '"esp" match support'
1123	depends on NETFILTER_ADVANCED
1124	help
	  This match extension allows you to match a range of SPIs
	  (Security Parameter Indexes) inside the ESP header of IPsec packets.
1127
1128	  To compile it as a module, choose M here.  If unsure, say N.
1129
1130config NETFILTER_XT_MATCH_HASHLIMIT
1131	tristate '"hashlimit" match support'
1132	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1133	depends on NETFILTER_ADVANCED
1134	help
1135	  This option adds a `hashlimit' match.
1136
1137	  As opposed to `limit', this match dynamically creates a hash table
1138	  of limit buckets, based on your selection of source/destination
1139	  addresses and/or ports.
1140
1141	  It enables you to express policies like `10kpps for any given
1142	  destination address' or `500pps from any given source address'
1143	  with a single rule.
1144
1145config NETFILTER_XT_MATCH_HELPER
1146	tristate '"helper" match support'
1147	depends on NF_CONNTRACK
1148	depends on NETFILTER_ADVANCED
1149	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack helper, e.g. the FTP helper (historically
	  ip_conntrack_ftp).
1152
1153	  To compile it as a module, choose M here.  If unsure, say Y.
1154
1155config NETFILTER_XT_MATCH_HL
1156	tristate '"hl" hoplimit/TTL match support'
1157	depends on NETFILTER_ADVANCED
1158	---help---
1159	HL matching allows you to match packets based on the hoplimit
1160	in the IPv6 header, or the time-to-live field in the IPv4
1161	header of the packet.
1162
1163config NETFILTER_XT_MATCH_IPCOMP
1164	tristate '"ipcomp" match support'
1165	depends on NETFILTER_ADVANCED
1166	help
	  This match extension allows you to match a range of CPIs (16-bit
	  Compression Parameter Indexes) inside the IPComp header of IPsec
	  packets.
1169
1170	  To compile it as a module, choose M here.  If unsure, say N.
1171
1172config NETFILTER_XT_MATCH_IPRANGE
1173	tristate '"iprange" address range match support'
1174	depends on NETFILTER_ADVANCED
1175	---help---
1176	This option adds a "iprange" match, which allows you to match based on
1177	an IP address range. (Normal iptables only matches on single addresses
1178	with an optional mask.)
1179
1180	If unsure, say M.
1181
1182config NETFILTER_XT_MATCH_IPVS
1183	tristate '"ipvs" match support'
1184	depends on IP_VS
1185	depends on NETFILTER_ADVANCED
1186	depends on NF_CONNTRACK
1187	help
1188	  This option allows you to match against IPVS properties of a packet.
1189
1190	  If unsure, say N.
1191
1192config NETFILTER_XT_MATCH_L2TP
1193	tristate '"l2tp" match support'
1194	depends on NETFILTER_ADVANCED
1195	default L2TP
1196	---help---
1197	This option adds an "L2TP" match, which allows you to match against
1198	L2TP protocol header fields.
1199
1200	To compile it as a module, choose M here. If unsure, say N.
1201
1202config NETFILTER_XT_MATCH_LENGTH
1203	tristate '"length" match support'
1204	depends on NETFILTER_ADVANCED
1205	help
1206	  This option allows you to match the length of a packet against a
1207	  specific value or range of values.
1208
1209	  To compile it as a module, choose M here.  If unsure, say N.
1210
1211config NETFILTER_XT_MATCH_LIMIT
1212	tristate '"limit" match support'
1213	depends on NETFILTER_ADVANCED
1214	help
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support" above) to keep logging from flooding syslog, and to
	  mitigate some Denial of Service attacks.  Note that the rate is shared
	  by all traffic hitting the rule; for per-source or per-destination
	  limits see the `hashlimit' match.
1218
1219	  To compile it as a module, choose M here.  If unsure, say N.
1220
1221config NETFILTER_XT_MATCH_MAC
1222	tristate '"mac" address match support'
1223	depends on NETFILTER_ADVANCED
1224	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.  Note that MAC addresses are easily
	  spoofed and are only meaningful on the directly attached link, so
	  this match should not be relied on as an authentication control.
1227
1228	  To compile it as a module, choose M here.  If unsure, say N.
1229
1230config NETFILTER_XT_MATCH_MARK
1231	tristate '"mark" match support'
1232	depends on NETFILTER_ADVANCED
1233	select NETFILTER_XT_MARK
1234	---help---
1235	This is a backwards-compat option for the user's convenience
1236	(e.g. when running oldconfig). It selects
1237	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
1238
1239config NETFILTER_XT_MATCH_MULTIPORT
1240	tristate '"multiport" Multiple port match support'
1241	depends on NETFILTER_ADVANCED
1242	help
1243	  Multiport matching allows you to match TCP or UDP packets based on
1244	  a series of source or destination ports: normally a rule can only
1245	  match a single range of ports.
1246
1247	  To compile it as a module, choose M here.  If unsure, say N.
1248
1249config NETFILTER_XT_MATCH_NFACCT
1250	tristate '"nfacct" match support'
1251	depends on NETFILTER_ADVANCED
1252	select NETFILTER_NETLINK_ACCT
1253	help
1254	  This option allows you to use the extended accounting through
1255	  nfnetlink_acct.
1256
1257	  To compile it as a module, choose M here.  If unsure, say N.
1258
1259config NETFILTER_XT_MATCH_OSF
1260	tristate '"osf" Passive OS fingerprint match'
1261	depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
1262	help
1263	  This option selects the Passive OS Fingerprinting match module
1264	  that allows to passively match the remote operating system by
1265	  analyzing incoming TCP SYN packets.
1266
1267	  Rules and loading software can be downloaded from
1268	  http://www.ioremap.net/projects/osf
1269
1270	  To compile it as a module, choose M here.  If unsure, say N.
1271
1272config NETFILTER_XT_MATCH_OWNER
1273	tristate '"owner" match support'
1274	depends on NETFILTER_ADVANCED
1275	---help---
1276	Socket owner matching allows you to match locally-generated packets
1277	based on who created the socket: the user or group. It is also
1278	possible to check whether a socket actually exists.
1279
1280config NETFILTER_XT_MATCH_POLICY
1281	tristate 'IPsec "policy" match support'
1282	depends on XFRM
1283	default m if NETFILTER_ADVANCED=n
1284	help
1285	  Policy matching allows you to match packets based on the
1286	  IPsec policy that was used during decapsulation/will
1287	  be used during encapsulation.
1288
1289	  To compile it as a module, choose M here.  If unsure, say N.
1290
1291config NETFILTER_XT_MATCH_PHYSDEV
1292	tristate '"physdev" match support'
1293	depends on BRIDGE && BRIDGE_NETFILTER
1294	depends on NETFILTER_ADVANCED
1295	help
1296	  Physdev packet matching matches against the physical bridge ports
1297	  the IP packet arrived on or will leave by.
1298
1299	  To compile it as a module, choose M here.  If unsure, say N.
1300
1301config NETFILTER_XT_MATCH_PKTTYPE
1302	tristate '"pkttype" packet type match support'
1303	depends on NETFILTER_ADVANCED
1304	help
	  Packet type matching allows you to match a packet by
	  its "class", e.g. BROADCAST, MULTICAST, ...
1307
1308	  Typical usage:
1309	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
1310
1311	  To compile it as a module, choose M here.  If unsure, say N.
1312
1313config NETFILTER_XT_MATCH_QUOTA
1314	tristate '"quota" match support'
1315	depends on NETFILTER_ADVANCED
1316	help
	  This option adds a `quota' match, which allows you to match on a
	  byte counter.
1319
1320	  If you want to compile it as a module, say M here and read
1321	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1322
1323config NETFILTER_XT_MATCH_RATEEST
1324	tristate '"rateest" match support'
1325	depends on NETFILTER_ADVANCED
1326	select NETFILTER_XT_TARGET_RATEEST
1327	help
	  This option adds a `rateest' match, which allows you to match on the
	  rate estimated by the RATEEST target.
1330
1331	  To compile it as a module, choose M here.  If unsure, say N.
1332
1333config NETFILTER_XT_MATCH_REALM
1334	tristate  '"realm" match support'
1335	depends on NETFILTER_ADVANCED
1336	select IP_ROUTE_CLASSID
1337	help
1338	  This option adds a `realm' match, which allows you to use the realm
1339	  key from the routing subsystem inside iptables.
1340
1341	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
1342	  in tc world.
1343
1344	  If you want to compile it as a module, say M here and read
1345	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1346
1347config NETFILTER_XT_MATCH_RECENT
1348	tristate '"recent" match support'
1349	depends on NETFILTER_ADVANCED
1350	---help---
1351	This match is used for creating one or many lists of recently
1352	used addresses and then matching against that/those list(s).
1353
1354	Short options are available by using 'iptables -m recent -h'
1355	Official Website: <http://snowman.net/projects/ipt_recent/>
1356
1357config NETFILTER_XT_MATCH_SCTP
1358	tristate  '"sctp" protocol match support'
1359	depends on NETFILTER_ADVANCED
1360	default IP_SCTP
1361	help
1362	  With this option enabled, you will be able to use the
1363	  `sctp' match in order to match on SCTP source/destination ports
1364	  and SCTP chunk types.
1365
1366	  If you want to compile it as a module, say M here and read
1367	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1368
1369config NETFILTER_XT_MATCH_SOCKET
1370	tristate '"socket" match support'
1371	depends on NETFILTER_XTABLES
1372	depends on NETFILTER_ADVANCED
1373	depends on !NF_CONNTRACK || NF_CONNTRACK
1374	depends on IPV6 || IPV6=n
1375	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1376	select NF_DEFRAG_IPV4
1377	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
1378	help
1379	  This option adds a `socket' match, which can be used to match
1380	  packets for which a TCP or UDP socket lookup finds a valid socket.
1381	  It can be used in combination with the MARK target and policy
1382	  routing to implement full featured non-locally bound sockets.
1383
1384	  To compile it as a module, choose M here.  If unsure, say N.
1385
1386config NETFILTER_XT_MATCH_STATE
1387	tristate '"state" match support'
1388	depends on NF_CONNTRACK
1389	default m if NETFILTER_ADVANCED=n
1390	help
1391	  Connection state matching allows you to match packets based on their
1392	  relationship to a tracked connection (ie. previous packets).  This
1393	  is a powerful tool for packet classification.
1394
1395	  To compile it as a module, choose M here.  If unsure, say N.
1396
1397config NETFILTER_XT_MATCH_STATISTIC
1398	tristate '"statistic" match support'
1399	depends on NETFILTER_ADVANCED
1400	help
1401	  This option adds a `statistic' match, which allows you to match
1402	  on packets periodically or randomly with a given percentage.
1403
1404	  To compile it as a module, choose M here.  If unsure, say N.
1405
1406config NETFILTER_XT_MATCH_STRING
1407	tristate  '"string" match support'
1408	depends on NETFILTER_ADVANCED
1409	select TEXTSEARCH
1410	select TEXTSEARCH_KMP
1411	select TEXTSEARCH_BM
1412	select TEXTSEARCH_FSM
1413	help
	  This option adds a `string' match, which allows you to search for
	  byte patterns in packets.  It inspects each packet individually, so
	  a pattern split across packet boundaries (or carried in encrypted
	  payload) will not be found.
1416
1417	  To compile it as a module, choose M here.  If unsure, say N.
1418
1419config NETFILTER_XT_MATCH_TCPMSS
1420	tristate '"tcpmss" match support'
1421	depends on NETFILTER_ADVANCED
1422	help
1423	  This option adds a `tcpmss' match, which allows you to examine the
1424	  MSS value of TCP SYN packets, which control the maximum packet size
1425	  for that connection.
1426
1427	  To compile it as a module, choose M here.  If unsure, say N.
1428
1429config NETFILTER_XT_MATCH_TIME
1430	tristate '"time" match support'
1431	depends on NETFILTER_ADVANCED
1432	---help---
	  This option adds a "time" match, which allows you to match based on
	  the packet arrival time (at the machine on which netfilter is
	  running) or departure time/date (for locally generated packets).
1436
1437	  If you say Y here, try `iptables -m time --help` for
1438	  more information.
1439
1440	  If you want to compile it as a module, say M here.
1441	  If unsure, say N.
1442
1443config NETFILTER_XT_MATCH_U32
1444	tristate '"u32" match support'
1445	depends on NETFILTER_ADVANCED
1446	---help---
1447	  u32 allows you to extract quantities of up to 4 bytes from a packet,
1448	  AND them with specified masks, shift them by specified amounts and
1449	  test whether the results are in any of a set of specified ranges.
1450	  The specification of what to extract is general enough to skip over
1451	  headers with lengths stored in the packet, as in IP or TCP header
1452	  lengths.
1453
1454	  Details and examples are in the kernel module source.
1455
1456endif # NETFILTER_XTABLES
1457
1458endmenu
1459
1460source "net/netfilter/ipset/Kconfig"
1461
1462source "net/netfilter/ipvs/Kconfig"
1463