xref: /linux/net/netfilter/Kconfig (revision ccea15f45eb0ab12d658f88b5d4be005cb2bb1a7)
menu "Core Netfilter Configuration"
	depends on NET && NETFILTER

config NETFILTER_NETLINK
	tristate "Netfilter netlink interface"
	help
	  If this option is enabled, the kernel will include support
	  for the new netfilter netlink interface.

config NETFILTER_NETLINK_QUEUE
	tristate "Netfilter NFQUEUE over NFNETLINK interface"
	depends on NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for queueing packets via NFNETLINK.

config NETFILTER_NETLINK_LOG
	tristate "Netfilter LOG over NFNETLINK interface"
	depends on NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for logging packets via NFNETLINK.

	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
	  and is also scheduled to replace the old syslog-based ipt_LOG
	  and ip6t_LOG modules.

config NF_CONNTRACK
	tristate "Layer 3 Independent Connection tracking (EXPERIMENTAL)"
	depends on EXPERIMENTAL && IP_NF_CONNTRACK=n
	default n
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CT_ACCT
	bool "Connection tracking flow accounting"
	depends on NF_CONNTRACK
	help
	  If this option is enabled, the connection tracking code will
	  keep per-flow packet and byte counters.

	  Those counters can be used for flow-based accounting or the
	  `connbytes' match.

	  If unsure, say `N'.

config NF_CONNTRACK_MARK
	bool 'Connection mark tracking support'
	depends on NF_CONNTRACK
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match. Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config NF_CONNTRACK_EVENTS
	bool "Connection tracking events (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_CONNTRACK
	help
	  If this option is enabled, the connection tracking code will
	  provide a notifier chain that can be used by other kernel code
	  to get notified about changes in the connection tracking state.

	  If unsure, say `N'.

config NF_CT_PROTO_SCTP
	tristate 'SCTP protocol on new connection tracking support (EXPERIMENTAL)'
	depends on EXPERIMENTAL && NF_CONNTRACK
	default n
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on SCTP connections.

	  If you want to compile it as a module, say M here and read
	  Documentation/modules.txt.  If unsure, say `N'.

config NF_CONNTRACK_FTP
	tristate "FTP support on new connection tracking (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_CONNTRACK
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and for doing masquerading and other
	  forms of Network Address Translation on them.

	  This is FTP support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CT_NETLINK
	tristate 'Connection tracking netlink interface (EXPERIMENTAL)'
	depends on EXPERIMENTAL && NF_CONNTRACK && NETFILTER_NETLINK
	depends on NF_CONNTRACK!=y || NETFILTER_NETLINK!=m
	help
	  This option enables support for a netlink-based userspace interface.

config NETFILTER_XTABLES
	tristate "Netfilter Xtables support (required for ip_tables)"
	help
	  This is required if you intend to use any of ip_tables,
	  ip6_tables or arp_tables.

# alphabetically ordered list of targets

config NETFILTER_XT_TARGET_CLASSIFY
	tristate '"CLASSIFY" target support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet. Some qdiscs can use this value for
	  classification, among these are:

	  atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_CONNMARK
	tristate '"CONNMARK" target support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK)
	help
	  This option adds a `CONNMARK' target, which allows one to manipulate
	  the connection mark value.  Similar to the MARK target, but
	  affects the connection mark value rather than the packet mark value.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  The module will be called
	  ipt_CONNMARK.o.  If unsure, say `N'.

config NETFILTER_XT_TARGET_MARK
	tristate '"MARK" target support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `MARK' target, which allows you to create rules
	  in the `mangle' table which alter the netfilter mark (nfmark) field
	  associated with the packet prior to routing. This can change
	  the routing method (see `Use netfilter MARK value as routing
	  key') and can also be used by other subsystems to change their
	  behavior.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_NFQUEUE
	tristate '"NFQUEUE" target support'
	depends on NETFILTER_XTABLES
	help
	  This target replaces the obsolete QUEUE target.

	  As opposed to QUEUE, it supports 65535 different queues,
	  not just one.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_NOTRACK
	tristate '"NOTRACK" target support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on IP_NF_CONNTRACK || NF_CONNTRACK
	help
	  The NOTRACK target allows a select rule to specify
	  which packets *not* to enter the conntrack/NAT
	  subsystem, with all the consequences (no ICMP error tracking,
	  no protocol helpers for the selected packets).

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_COMMENT
	tristate '"comment" match support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `comment' dummy-match, which allows you to put
	  comments in your iptables ruleset.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNBYTES
	tristate '"connbytes" per-connection counter match support'
	depends on NETFILTER_XTABLES
	depends on (IP_NF_CONNTRACK && IP_NF_CT_ACCT) || (NF_CT_ACCT && NF_CONNTRACK)
	help
	  This option adds a `connbytes' match, which allows you to match the
	  number of bytes and/or packets for each direction within a connection.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNMARK
	tristate '"connmark" connection mark match support'
	depends on NETFILTER_XTABLES
	depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK)
	help
	  This option adds a `connmark' match, which allows you to match the
	  connection mark value previously set for the session by `CONNMARK'.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  The module will be called
	  ipt_connmark.o.  If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNTRACK
	tristate '"conntrack" connection tracking match support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_CONNTRACK || NF_CONNTRACK
	help
	  This is a general conntrack match module, a superset of the state match.

	  It allows matching on additional conntrack information, which is
	  useful in complex configurations, such as NAT gateways with multiple
	  internet links or tunnels.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_DCCP
	tristate '"DCCP" protocol match support'
	depends on NETFILTER_XTABLES
	help
	  With this option enabled, you will be able to use the iptables
	  `dccp' match in order to match on DCCP source/destination ports
	  and DCCP flags.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_ESP
	tristate '"ESP" match support'
	depends on NETFILTER_XTABLES
	help
	  This match extension allows you to match a range of SPIs
	  inside the ESP header of IPsec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_HELPER
	tristate '"helper" match support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_CONNTRACK || NF_CONNTRACK
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack helper, e.g. ip_conntrack_ftp.

	  To compile it as a module, choose M here.  If unsure, say Y.

config NETFILTER_XT_MATCH_LENGTH
	tristate '"length" match support'
	depends on NETFILTER_XTABLES
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_LIMIT
	tristate '"limit" match support'
	depends on NETFILTER_XTABLES
	help
	  Limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", below) and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_MAC
	tristate '"mac" address match support'
	depends on NETFILTER_XTABLES
	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_MARK
	tristate '"mark" match support'
	depends on NETFILTER_XTABLES
	help
	  Netfilter mark matching allows you to match packets based on the
	  `nfmark' value in the packet.  This can be set by the MARK target
	  (see below).

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_POLICY
	tristate 'IPsec "policy" match support'
	depends on NETFILTER_XTABLES && XFRM
	help
	  Policy matching allows you to match packets based on the
	  IPsec policy that was used during decapsulation or will
	  be used during encapsulation.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_MULTIPORT
	tristate "Multiple port match support"
	depends on NETFILTER_XTABLES
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_PHYSDEV
	tristate '"physdev" match support'
	depends on NETFILTER_XTABLES && BRIDGE_NETFILTER
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_PKTTYPE
	tristate '"pkttype" packet type match support'
	depends on NETFILTER_XTABLES
	help
	  Packet type matching allows you to match a packet by
	  its "class", e.g. BROADCAST, MULTICAST, ...

	  Typical usage:
	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_REALM
	tristate '"realm" match support'
	depends on NETFILTER_XTABLES
	select NET_CLS_ROUTE
	help
	  This option adds a `realm' match, which allows you to use the realm
	  key from the routing subsystem inside iptables.

	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
	  in the tc world.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_SCTP
	tristate '"sctp" protocol match support'
	depends on NETFILTER_XTABLES
	help
	  With this option enabled, you will be able to use the
	  `sctp' match in order to match on SCTP source/destination ports
	  and SCTP chunk types.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_STATE
	tristate '"state" match support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_CONNTRACK || NF_CONNTRACK
	help
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (i.e. previous packets).  This
	  is a powerful tool for packet classification.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_STRING
	tristate '"string" match support'
	depends on NETFILTER_XTABLES
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	select TEXTSEARCH_BM
	select TEXTSEARCH_FSM
	help
	  This option adds a `string' match, which allows you to search for
	  patterns in packet payloads.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_TCPMSS
	tristate '"tcpmss" match support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS value of TCP SYN packets, which controls the maximum packet size
	  for that connection.

	  To compile it as a module, choose M here.  If unsure, say N.

endmenu
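The `depends on` lines above do more than gate visibility: a tristate option can never be set higher than the value its dependencies evaluate to, and the second dependency of `NF_CT_NETLINK` (`NF_CONNTRACK!=y || NETFILTER_NETLINK!=m`) encodes the rule that built-in code cannot call into a module. The following Python script is an added example, not part of this Kconfig or of the kernel tree: it parses a constructed fragment trimmed from the options above, evaluates the dependency expressions with Kconfig's tristate arithmetic (summarised in its docstring), and reports the symbols a constructed .config sets higher than their dependencies permit. The fragment, the sample .config and every function name are the example's own.

```python
"""Check a .config against Kconfig `depends on` lines (added example, not kernel code).

Kconfig tristate arithmetic: n=0, m=1, y=2; `&&` is min, `||` is max, `!x` is 2-x,
`=`/`!=` yield y or n.  A tristate may not exceed what its dependencies evaluate to;
a bool only needs them to be non-n.
"""
import re

TRI = {"n": 0, "m": 1, "y": 2}
TOKEN = re.compile(r"\(|\)|&&|\|\||!=|=|!|\w+")  # tokens of a dependency expression

# Constructed fragment trimmed from the options above; NF_CONNTRACK etc. are external here.
KCONFIG = """
config NETFILTER_NETLINK
    tristate "Netfilter netlink interface"
config NF_CT_ACCT
    bool "Connection tracking flow accounting"
    depends on NF_CONNTRACK
config NF_CT_NETLINK
    tristate "Connection tracking netlink interface"
    depends on EXPERIMENTAL && NF_CONNTRACK && NETFILTER_NETLINK
    depends on NF_CONNTRACK!=y || NETFILTER_NETLINK!=m
config NETFILTER_XT_MATCH_CONNBYTES
    tristate "connbytes per-connection counter match support"
    depends on NETFILTER_XTABLES
    depends on (IP_NF_CONNTRACK && IP_NF_CT_ACCT) || (NF_CT_ACCT && NF_CONNTRACK)
"""

# Constructed .config: built-in conntrack over a modular nfnetlink; unlisted symbols are n.
SAMPLE_CONFIG = {
    "EXPERIMENTAL": "y", "NETFILTER_NETLINK": "m", "NF_CONNTRACK": "y",
    "NF_CT_NETLINK": "m", "NF_CT_ACCT": "y", "NETFILTER_XTABLES": "m",
    "NETFILTER_XT_MATCH_CONNBYTES": "y",
}

def parse_expr(toks):  # `||` has the lowest precedence; the token list is consumed
    node = parse_term(toks)
    while toks[:1] == ["||"]:
        toks.pop(0)
        node = ("max", node, parse_term(toks))
    return node

def parse_term(toks):  # `&&` binds tighter than `||`
    node = parse_factor(toks)
    while toks[:1] == ["&&"]:
        toks.pop(0)
        node = ("min", node, parse_factor(toks))
    return node

def parse_factor(toks):  # `!`, parentheses, symbols and `=` / `!=` comparisons
    tok = toks.pop(0)
    if tok == "!":
        return ("not", parse_factor(toks))
    if tok == "(":
        node = parse_expr(toks)
        if toks.pop(0) != ")":
            raise ValueError("unbalanced parentheses")
    else:
        node = ("sym", tok)
    if toks[:1] in (["="], ["!="]):
        return (toks.pop(0), node, parse_factor(toks))
    return node

def evaluate(node, config):
    """Tristate value (0, 1 or 2) of a parsed expression under a .config dict."""
    kind = node[0]
    if kind == "sym":  # y/m/n literals stand for themselves, unset symbols are n
        return TRI[node[1]] if node[1] in TRI else TRI[config.get(node[1], "n")]
    if kind == "not":
        return 2 - evaluate(node[1], config)
    left, right = evaluate(node[1], config), evaluate(node[2], config)
    if kind in ("min", "max"):
        return min(left, right) if kind == "min" else max(left, right)
    return 2 if (left == right) == (kind == "=") else 0  # `=` or `!=`

def parse_kconfig(text):
    """Return {symbol: [type, [dependency expressions]]}; tristate is the default type."""
    symbols, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            current = line.split(None, 1)[1]
            symbols[current] = ["tristate", []]
        elif current and line.startswith(("bool", "tristate")):
            symbols[current][0] = line.split(None, 1)[0]
        elif current and line.startswith("depends on "):
            symbols[current][1].append(line[len("depends on "):])
    return symbols

def check_config(kconfig_text, config):
    """Return (symbol, reason) pairs for symbols set higher than their deps allow."""
    problems = []
    for sym, (typ, deps) in parse_kconfig(kconfig_text).items():
        wanted = TRI[config.get(sym, "n")]  # a symbol left at n never exceeds its limit
        # several `depends on` lines combine with &&, i.e. min(); no deps means y
        allowed = min([evaluate(parse_expr(TOKEN.findall(d)), config) for d in deps] or [2])
        if typ == "bool" and allowed == 1:
            allowed = 2  # a bool is visible whenever its dependencies are not n
        if wanted > allowed:
            problems.append((sym, "wants %s, dependencies allow %s" % ("nmy"[wanted], "nmy"[allowed])))
    return problems
```

Calling `check_config(KCONFIG, SAMPLE_CONFIG)` reports two problems: `NF_CT_NETLINK=m` is unavailable because `NF_CONNTRACK=y` together with `NETFILTER_NETLINK=m` makes its second `depends on` evaluate to n, and `NETFILTER_XT_MATCH_CONNBYTES=y` is capped at m by `NETFILTER_XTABLES=m`. Setting both `NETFILTER_NETLINK` and `NETFILTER_XTABLES` to y clears the list, which is the same limiting of an option to its dependencies that the kernel's kconfig tools apply.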