1menu "Core Netfilter Configuration"
2	depends on NET && INET && NETFILTER
3
4config NETFILTER_NETLINK
5       tristate "Netfilter netlink interface"
6       help
7         If this option is enabled, the kernel will include support
8         for the new netfilter netlink interface.
9
10config NETFILTER_NETLINK_QUEUE
11	tristate "Netfilter NFQUEUE over NFNETLINK interface"
12	depends on NETFILTER_NETLINK
13	help
14	  If this option is enabled, the kernel will include support
15	  for queueing packets via NFNETLINK.
16
17config NETFILTER_NETLINK_LOG
18	tristate "Netfilter LOG over NFNETLINK interface"
19	depends on NETFILTER_NETLINK
20	help
21	  If this option is enabled, the kernel will include support
22	  for logging packets via NFNETLINK.
23
24	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
25	  and is also scheduled to replace the old syslog-based ipt_LOG
26	  and ip6t_LOG modules.
27
28config NF_CONNTRACK_ENABLED
29	tristate "Netfilter connection tracking support"
30	help
31	  Connection tracking keeps a record of what packets have passed
32	  through your machine, in order to figure out how they are grouped
33	  into connections.
34
35	  This is required to do Masquerading or other kinds of Network
36	  Address Translation (except for Fast NAT).  It can also be used to
37	  enhance packet filtering (see `Connection state match support'
38	  below).
39
40	  To compile it as a module, choose M here.  If unsure, say N.
41
42choice
43	prompt "Netfilter connection tracking support"
44	depends on NF_CONNTRACK_ENABLED
45
46config NF_CONNTRACK_SUPPORT
47	bool "Layer 3 Independent Connection tracking"
48	help
49	  Layer 3 independent connection tracking is an experimental scheme
50	  which generalizes ip_conntrack to support other layer 3 protocols.
51
52	  This is required to do Masquerading or other kinds of Network
53	  Address Translation (except for Fast NAT).  It can also be used to
54	  enhance packet filtering (see `Connection state match support'
55	  below).
56
57config IP_NF_CONNTRACK_SUPPORT
58	bool "Layer 3 Dependent Connection tracking (OBSOLETE)"
59	help
60	  The old, Layer 3 dependent ip_conntrack subsystem of netfilter.
61
62	  This is required to do Masquerading or other kinds of Network
63	  Address Translation (except for Fast NAT).  It can also be used to
64	  enhance packet filtering (see `Connection state match support'
65	  below).
66
67endchoice
68
69config NF_CONNTRACK
70	tristate
71	default m if NF_CONNTRACK_SUPPORT && NF_CONNTRACK_ENABLED=m
72	default y if NF_CONNTRACK_SUPPORT && NF_CONNTRACK_ENABLED=y
73
74config IP_NF_CONNTRACK
75	tristate
76	default m if IP_NF_CONNTRACK_SUPPORT && NF_CONNTRACK_ENABLED=m
77	default y if IP_NF_CONNTRACK_SUPPORT && NF_CONNTRACK_ENABLED=y
78
79config NF_CT_ACCT
80	bool "Connection tracking flow accounting"
81	depends on NF_CONNTRACK
82	help
83	  If this option is enabled, the connection tracking code will
84	  keep per-flow packet and byte counters.
85
86	  Those counters can be used for flow-based accounting or the
87	  `connbytes' match.
88
89	  If unsure, say `N'.
90
91config NF_CONNTRACK_MARK
92	bool  'Connection mark tracking support'
93	depends on NF_CONNTRACK
94	help
95	  This option enables support for connection marks, used by the
96	  `CONNMARK' target and `connmark' match. Similar to the mark value
97	  of packets, but this mark value is kept in the conntrack session
98	  instead of the individual packets.
99
100config NF_CONNTRACK_SECMARK
101	bool  'Connection tracking security mark support'
102	depends on NF_CONNTRACK && NETWORK_SECMARK
103	help
104	  This option enables security markings to be applied to
105	  connections.  Typically they are copied to connections from
106	  packets using the CONNSECMARK target and copied back from
107	  connections to packets with the same target, with the packets
108	  being originally labeled via SECMARK.
109
110	  If unsure, say 'N'.
111
112config NF_CONNTRACK_EVENTS
113	bool "Connection tracking events (EXPERIMENTAL)"
114	depends on EXPERIMENTAL && NF_CONNTRACK
115	help
116	  If this option is enabled, the connection tracking code will
117	  provide a notifier chain that can be used by other kernel code
118	  to get notified about changes in the connection tracking state.
119
120	  If unsure, say `N'.
121
122config NF_CT_PROTO_GRE
123	tristate
124	depends on NF_CONNTRACK
125
126config NF_CT_PROTO_SCTP
127	tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
128	depends on EXPERIMENTAL && NF_CONNTRACK
129	default n
130	help
131	  With this option enabled, the layer 3 independent connection
132	  tracking code will be able to do state tracking on SCTP connections.
133
134	  If you want to compile it as a module, say M here and read
135	  Documentation/modules.txt.  If unsure, say `N'.
136
137config NF_CONNTRACK_AMANDA
138	tristate "Amanda backup protocol support"
139	depends on NF_CONNTRACK
140	select TEXTSEARCH
141	select TEXTSEARCH_KMP
142	help
143	  If you are running the Amanda backup package <http://www.amanda.org/>
144	  on this machine or machines that will be MASQUERADED through this
145	  machine, then you may want to enable this feature.  This allows the
146	  connection tracking and natting code to allow the sub-channels that
147	  Amanda requires for communication of the backup data, messages and
148	  index.
149
150	  To compile it as a module, choose M here.  If unsure, say N.
151
152config NF_CONNTRACK_FTP
153	tristate "FTP protocol support"
154	depends on NF_CONNTRACK
155	help
156	  Tracking FTP connections is problematic: special helpers are
157	  required for tracking them, and doing masquerading and other forms
158	  of Network Address Translation on them.
159
160	  This is FTP support on Layer 3 independent connection tracking.
161	  Layer 3 independent connection tracking is an experimental scheme
162	  which generalizes ip_conntrack to support other layer 3 protocols.
163
164	  To compile it as a module, choose M here.  If unsure, say N.
165
166config NF_CONNTRACK_H323
167	tristate "H.323 protocol support (EXPERIMENTAL)"
168	depends on EXPERIMENTAL && NF_CONNTRACK && (IPV6 || IPV6=n)
169	help
170	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
171	  important VoIP protocols, it is widely used by voice hardware and
172	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
173	  Gnomemeeting, etc.
174
175	  With this module you can support H.323 on a connection tracking/NAT
176	  firewall.
177
178	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
179	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
180	  whiteboard, file transfer, etc. For more information, please
181	  visit http://nath323.sourceforge.net/.
182
183	  To compile it as a module, choose M here.  If unsure, say N.
184
185config NF_CONNTRACK_IRC
186	tristate "IRC protocol support"
187	depends on NF_CONNTRACK
188	help
189	  There is a commonly-used extension to IRC called
190	  Direct Client-to-Client Protocol (DCC).  This enables users to send
191	  files to each other, and also chat to each other without the need
192	  of a server.  DCC Sending is used anywhere you send files over IRC,
193	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
194	  using NAT, this extension will enable you to send files and initiate
195	  chats.  Note that you do NOT need this extension to get files or
196	  have others initiate chats, or everything else in IRC.
197
198	  To compile it as a module, choose M here.  If unsure, say N.
199
200config NF_CONNTRACK_NETBIOS_NS
201	tristate "NetBIOS name service protocol support (EXPERIMENTAL)"
202	depends on EXPERIMENTAL && NF_CONNTRACK
203	help
204	  NetBIOS name service requests are sent as broadcast messages from an
205	  unprivileged port and responded to with unicast messages to the
206	  same port. This makes them hard to firewall properly because connection
207	  tracking doesn't deal with broadcasts. This helper tracks locally
208	  originating NetBIOS name service requests and the corresponding
209	  responses. It relies on correct IP address configuration, specifically
210	  netmask and broadcast address. When properly configured, the output
211	  of "ip address show" should look similar to this:
212
213	  $ ip -4 address show eth0
214	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
215	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
216
217	  To compile it as a module, choose M here.  If unsure, say N.
218
219config NF_CONNTRACK_PPTP
220	tristate "PPtP protocol support"
221	depends on NF_CONNTRACK
222	select NF_CT_PROTO_GRE
223	help
224	  This module adds support for PPTP (Point to Point Tunnelling
225	  Protocol, RFC2637) connection tracking and NAT.
226
227	  If you are running PPTP sessions over a stateful firewall or NAT
228	  box, you may want to enable this feature.
229
230	  Please note that not all PPTP modes of operation are supported yet.
231	  Specifically these limitations exist:
232	    - Blindly assumes that control connections are always established
233	      in PNS->PAC direction. This is a violation of RFC2637.
234	    - Only supports a single call within each session
235
236	  To compile it as a module, choose M here.  If unsure, say N.
237
238config NF_CONNTRACK_SANE
239	tristate "SANE protocol support (EXPERIMENTAL)"
240	depends on EXPERIMENTAL && NF_CONNTRACK
241	help
242	  SANE is a protocol for remote access to scanners as implemented
243	  by the 'saned' daemon. Like FTP, it uses separate control and
244	  data connections.
245
246	  With this module you can support SANE on a connection tracking
247	  firewall.
248
249	  To compile it as a module, choose M here.  If unsure, say N.
250
251config NF_CONNTRACK_SIP
252	tristate "SIP protocol support (EXPERIMENTAL)"
253	depends on EXPERIMENTAL && NF_CONNTRACK
254	help
255	  SIP is an application-layer control protocol that can establish,
256	  modify, and terminate multimedia sessions (conferences) such as
257	  Internet telephony calls. With the ip_conntrack_sip and
258	  the nf_nat_sip modules you can support the protocol on a connection
259	  tracking/NATing firewall.
260
261	  To compile it as a module, choose M here.  If unsure, say N.
262
263config NF_CONNTRACK_TFTP
264	tristate "TFTP protocol support"
265	depends on NF_CONNTRACK
266	help
267	  TFTP connection tracking helper, this is required depending
268	  on how restrictive your ruleset is.
269	  If you are using a tftp client behind -j SNAT or -j MASQUERADE
270	  you will need this.
271
272	  To compile it as a module, choose M here.  If unsure, say N.
273
274config NF_CT_NETLINK
275	tristate 'Connection tracking netlink interface (EXPERIMENTAL)'
276	depends on EXPERIMENTAL && NF_CONNTRACK && NETFILTER_NETLINK
277	depends on NF_CONNTRACK!=y || NETFILTER_NETLINK!=m
278	help
279	  This option enables support for a netlink-based userspace interface
	  to connection tracking.
280
281config NETFILTER_XTABLES
282	tristate "Netfilter Xtables support (required for ip_tables)"
283	help
284	  This is required if you intend to use any of ip_tables,
285	  ip6_tables or arp_tables.
286
287# alphabetically ordered list of targets
288
289config NETFILTER_XT_TARGET_CLASSIFY
290	tristate '"CLASSIFY" target support'
291	depends on NETFILTER_XTABLES
292	help
293	  This option adds a `CLASSIFY' target, which enables the user to set
294	  the priority of a packet. Some qdiscs can use this value for
295	  classification, among these are:
296
297	  atm, cbq, dsmark, pfifo_fast, htb, prio
298
299	  To compile it as a module, choose M here.  If unsure, say N.
300
301config NETFILTER_XT_TARGET_CONNMARK
302	tristate  '"CONNMARK" target support'
303	depends on NETFILTER_XTABLES
304	depends on IP_NF_MANGLE || IP6_NF_MANGLE
305	depends on IP_NF_CONNTRACK || NF_CONNTRACK
306	select IP_NF_CONNTRACK_MARK if IP_NF_CONNTRACK
307	select NF_CONNTRACK_MARK if NF_CONNTRACK
308	help
309	  This option adds a `CONNMARK' target, which allows one to manipulate
310	  the connection mark value.  Similar to the MARK target, but
311	  affects the connection mark value rather than the packet mark value.
312
313	  If you want to compile it as a module, say M here and read
314	  <file:Documentation/modules.txt>.  The module will be called
315	  ipt_CONNMARK.o.  If unsure, say `N'.
316
317config NETFILTER_XT_TARGET_DSCP
318	tristate '"DSCP" target support'
319	depends on NETFILTER_XTABLES
320	depends on IP_NF_MANGLE || IP6_NF_MANGLE
321	help
322	  This option adds a `DSCP' target, which allows you to manipulate
323	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
324
325	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
326
327	  To compile it as a module, choose M here.  If unsure, say N.
328
329config NETFILTER_XT_TARGET_MARK
330	tristate '"MARK" target support'
331	depends on NETFILTER_XTABLES
332	help
333	  This option adds a `MARK' target, which allows you to create rules
334	  in the `mangle' table which alter the netfilter mark (nfmark) field
335	  associated with the packet prior to routing. This can change
336	  the routing method (see `Use netfilter MARK value as routing
337	  key') and can also be used by other subsystems to change their
338	  behavior.
339
340	  To compile it as a module, choose M here.  If unsure, say N.
341
342config NETFILTER_XT_TARGET_NFQUEUE
343	tristate '"NFQUEUE" target Support'
344	depends on NETFILTER_XTABLES
345	help
346	  This target replaced the old obsolete QUEUE target.
347
348	  As opposed to QUEUE, it supports 65535 different queues,
349	  not just one.
350
351	  To compile it as a module, choose M here.  If unsure, say N.
352
353config NETFILTER_XT_TARGET_NFLOG
354	tristate '"NFLOG" target support'
355	depends on NETFILTER_XTABLES
356	help
357	  This option enables the NFLOG target, which allows you to log
358	  messages through the netfilter logging API, which can use
359	  either the old LOG target, the old ULOG target or nfnetlink_log
360	  as backend.
361
362	  To compile it as a module, choose M here.  If unsure, say N.
363
364config NETFILTER_XT_TARGET_NOTRACK
365	tristate  '"NOTRACK" target support'
366	depends on NETFILTER_XTABLES
367	depends on IP_NF_RAW || IP6_NF_RAW
368	depends on IP_NF_CONNTRACK || NF_CONNTRACK
369	help
370	  The NOTRACK target allows a rule to specify
371	  which packets *not* to enter the conntrack/NAT
372	  subsystem with all the consequences (no ICMP error tracking,
373	  no protocol helpers for the selected packets).
374
375	  If you want to compile it as a module, say M here and read
376	  <file:Documentation/modules.txt>.  If unsure, say `N'.
377
378config NETFILTER_XT_TARGET_SECMARK
379	tristate '"SECMARK" target support'
380	depends on NETFILTER_XTABLES && NETWORK_SECMARK
381	help
382	  The SECMARK target allows security marking of network
383	  packets, for use with security subsystems.
384
385	  To compile it as a module, choose M here.  If unsure, say N.
386
387config NETFILTER_XT_TARGET_CONNSECMARK
388	tristate '"CONNSECMARK" target support'
389	depends on NETFILTER_XTABLES && \
390		   ((NF_CONNTRACK && NF_CONNTRACK_SECMARK) || \
391		    (IP_NF_CONNTRACK && IP_NF_CONNTRACK_SECMARK))
392	help
393	  The CONNSECMARK target copies security markings from packets
394	  to connections, and restores security markings from connections
395	  to packets (if the packets are not already marked).  This would
396	  normally be used in conjunction with the SECMARK target.
397
398	  To compile it as a module, choose M here.  If unsure, say N.
399
400config NETFILTER_XT_TARGET_TCPMSS
401	tristate '"TCPMSS" target support'
402	depends on NETFILTER_XTABLES && (IPV6 || IPV6=n)
403	---help---
404	  This option adds a `TCPMSS' target, which allows you to alter the
405	  MSS value of TCP SYN packets, to control the maximum size for that
406	  connection (usually limiting it to your outgoing interface's MTU
407	  minus 40).
408
409	  This is used to overcome criminally braindead ISPs or servers which
410	  block ICMP Fragmentation Needed packets.  The symptoms of this
411	  problem are that everything works fine from your Linux
412	  firewall/router, but machines behind it can never exchange large
413	  packets:
414	        1) Web browsers connect, then hang with no data received.
415	        2) Small mail works fine, but large emails hang.
416	        3) ssh works fine, but scp hangs after initial handshaking.
417
418	  Workaround: activate this option and add a rule to your firewall
419	  configuration like:
420
421	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
422	                 -j TCPMSS --clamp-mss-to-pmtu
423
424	  To compile it as a module, choose M here.  If unsure, say N.
425
426config NETFILTER_XT_MATCH_COMMENT
427	tristate  '"comment" match support'
428	depends on NETFILTER_XTABLES
429	help
430	  This option adds a `comment' dummy-match, which allows you to put
431	  comments in your iptables ruleset.
432
433	  If you want to compile it as a module, say M here and read
434	  <file:Documentation/modules.txt>.  If unsure, say `N'.
435
436config NETFILTER_XT_MATCH_CONNBYTES
437	tristate  '"connbytes" per-connection counter match support'
438	depends on NETFILTER_XTABLES
439	depends on IP_NF_CONNTRACK || NF_CONNTRACK
440	select IP_NF_CT_ACCT if IP_NF_CONNTRACK
441	select NF_CT_ACCT if NF_CONNTRACK
442	help
443	  This option adds a `connbytes' match, which allows you to match the
444	  number of bytes and/or packets for each direction within a connection.
445
446	  If you want to compile it as a module, say M here and read
447	  <file:Documentation/modules.txt>.  If unsure, say `N'.
448
449config NETFILTER_XT_MATCH_CONNMARK
450	tristate  '"connmark" connection mark match support'
451	depends on NETFILTER_XTABLES
452	depends on IP_NF_CONNTRACK || NF_CONNTRACK
453	select IP_NF_CONNTRACK_MARK if IP_NF_CONNTRACK
454	select NF_CONNTRACK_MARK if NF_CONNTRACK
455	help
456	  This option adds a `connmark' match, which allows you to match the
457	  connection mark value previously set for the session by `CONNMARK'.
458
459	  If you want to compile it as a module, say M here and read
460	  <file:Documentation/modules.txt>.  The module will be called
461	  ipt_connmark.o.  If unsure, say `N'.
462
463config NETFILTER_XT_MATCH_CONNTRACK
464	tristate '"conntrack" connection tracking match support'
465	depends on NETFILTER_XTABLES
466	depends on IP_NF_CONNTRACK || NF_CONNTRACK
467	help
468	  This is a general conntrack match module, a superset of the state match.
469
470	  It allows matching on additional conntrack information, which is
471	  useful in complex configurations, such as NAT gateways with multiple
472	  internet links or tunnels.
473
474	  To compile it as a module, choose M here.  If unsure, say N.
475
476config NETFILTER_XT_MATCH_DCCP
477	tristate  '"DCCP" protocol match support'
478	depends on NETFILTER_XTABLES
479	help
480	  With this option enabled, you will be able to use the iptables
481	  `dccp' match in order to match on DCCP source/destination ports
482	  and DCCP flags.
483
484	  If you want to compile it as a module, say M here and read
485	  <file:Documentation/modules.txt>.  If unsure, say `N'.
486
487config NETFILTER_XT_MATCH_DSCP
488	tristate '"DSCP" match support'
489	depends on NETFILTER_XTABLES
490	help
491	  This option adds a `DSCP' match, which allows you to match against
492	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
493
494	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
495
496	  To compile it as a module, choose M here.  If unsure, say N.
497
498config NETFILTER_XT_MATCH_ESP
499	tristate '"ESP" match support'
500	depends on NETFILTER_XTABLES
501	help
502	  This match extension allows you to match a range of SPIs
503	  inside the ESP header of IPsec packets.
504
505	  To compile it as a module, choose M here.  If unsure, say N.
506
507config NETFILTER_XT_MATCH_HELPER
508	tristate '"helper" match support'
509	depends on NETFILTER_XTABLES
510	depends on IP_NF_CONNTRACK || NF_CONNTRACK
511	help
512	  Helper matching allows you to match packets in dynamic connections
513	  tracked by a conntrack helper, i.e. ip_conntrack_ftp.
514
515	  To compile it as a module, choose M here.  If unsure, say Y.
516
517config NETFILTER_XT_MATCH_LENGTH
518	tristate '"length" match support'
519	depends on NETFILTER_XTABLES
520	help
521	  This option allows you to match the length of a packet against a
522	  specific value or range of values.
523
524	  To compile it as a module, choose M here.  If unsure, say N.
525
526config NETFILTER_XT_MATCH_LIMIT
527	tristate '"limit" match support'
528	depends on NETFILTER_XTABLES
529	help
530	  limit matching allows you to control the rate at which a rule can be
531	  matched: mainly useful in combination with the LOG target ("LOG
532	  target support", below) and to avoid some Denial of Service attacks.
533
534	  To compile it as a module, choose M here.  If unsure, say N.
535
536config NETFILTER_XT_MATCH_MAC
537	tristate '"mac" address match support'
538	depends on NETFILTER_XTABLES
539	help
540	  MAC matching allows you to match packets based on the source
541	  Ethernet address of the packet.
542
543	  To compile it as a module, choose M here.  If unsure, say N.
544
545config NETFILTER_XT_MATCH_MARK
546	tristate '"mark" match support'
547	depends on NETFILTER_XTABLES
548	help
549	  Netfilter mark matching allows you to match packets based on the
550	  `nfmark' value in the packet.  This can be set by the MARK target
551	  (see below).
552
553	  To compile it as a module, choose M here.  If unsure, say N.
554
555config NETFILTER_XT_MATCH_POLICY
556	tristate 'IPsec "policy" match support'
557	depends on NETFILTER_XTABLES && XFRM
558	help
559	  Policy matching allows you to match packets based on the
560	  IPsec policy that was used during decapsulation/will
561	  be used during encapsulation.
562
563	  To compile it as a module, choose M here.  If unsure, say N.
564
565config NETFILTER_XT_MATCH_MULTIPORT
566	tristate "Multiple port match support"
567	depends on NETFILTER_XTABLES
568	help
569	  Multiport matching allows you to match TCP or UDP packets based on
570	  a series of source or destination ports: normally a rule can only
571	  match a single range of ports.
572
573	  To compile it as a module, choose M here.  If unsure, say N.
574
575config NETFILTER_XT_MATCH_PHYSDEV
576	tristate '"physdev" match support'
577	depends on NETFILTER_XTABLES && BRIDGE && BRIDGE_NETFILTER
578	help
579	  Physdev packet matching matches against the physical bridge ports
580	  the IP packet arrived on or will leave by.
581
582	  To compile it as a module, choose M here.  If unsure, say N.
583
584config NETFILTER_XT_MATCH_PKTTYPE
585	tristate '"pkttype" packet type match support'
586	depends on NETFILTER_XTABLES
587	help
588	  Packet type matching allows you to match a packet by
589	  its "class", e.g. BROADCAST, MULTICAST, ...
590
591	  Typical usage:
592	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
593
594	  To compile it as a module, choose M here.  If unsure, say N.
595
596config NETFILTER_XT_MATCH_QUOTA
597	tristate '"quota" match support'
598	depends on NETFILTER_XTABLES
599	help
600	  This option adds a `quota' match, which allows you to match on a
601	  byte counter.
602
603	  If you want to compile it as a module, say M here and read
604	  <file:Documentation/modules.txt>.  If unsure, say `N'.
605
606config NETFILTER_XT_MATCH_REALM
607	tristate  '"realm" match support'
608	depends on NETFILTER_XTABLES
609	select NET_CLS_ROUTE
610	help
611	  This option adds a `realm' match, which allows you to use the realm
612	  key from the routing subsystem inside iptables.
613
614	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
615	  in tc world.
616
617	  If you want to compile it as a module, say M here and read
618	  <file:Documentation/modules.txt>.  If unsure, say `N'.
619
620config NETFILTER_XT_MATCH_SCTP
621	tristate  '"sctp" protocol match support (EXPERIMENTAL)'
622	depends on NETFILTER_XTABLES && EXPERIMENTAL
623	help
624	  With this option enabled, you will be able to use the
625	  `sctp' match in order to match on SCTP source/destination ports
626	  and SCTP chunk types.
627
628	  If you want to compile it as a module, say M here and read
629	  <file:Documentation/modules.txt>.  If unsure, say `N'.
630
631config NETFILTER_XT_MATCH_STATE
632	tristate '"state" match support'
633	depends on NETFILTER_XTABLES
634	depends on IP_NF_CONNTRACK || NF_CONNTRACK
635	help
636	  Connection state matching allows you to match packets based on their
637	  relationship to a tracked connection (i.e. previous packets).  This
638	  is a powerful tool for packet classification.
639
640	  To compile it as a module, choose M here.  If unsure, say N.
641
642config NETFILTER_XT_MATCH_STATISTIC
643	tristate '"statistic" match support'
644	depends on NETFILTER_XTABLES
645	help
646	  This option adds a `statistic' match, which allows you to match
647	  on packets periodically or randomly with a given percentage.
648
649	  To compile it as a module, choose M here.  If unsure, say N.
650
651config NETFILTER_XT_MATCH_STRING
652	tristate  '"string" match support'
653	depends on NETFILTER_XTABLES
654	select TEXTSEARCH
655	select TEXTSEARCH_KMP
656	select TEXTSEARCH_BM
657	select TEXTSEARCH_FSM
658	help
659	  This option adds a `string' match, which allows you to look for
660	  pattern matches in packets.
661
662	  To compile it as a module, choose M here.  If unsure, say N.
663
664config NETFILTER_XT_MATCH_TCPMSS
665	tristate '"tcpmss" match support'
666	depends on NETFILTER_XTABLES
667	help
668	  This option adds a `tcpmss' match, which allows you to examine the
669	  MSS value of TCP SYN packets, which controls the maximum packet size
670	  for that connection.
671
672	  To compile it as a module, choose M here.  If unsure, say N.
673
674config NETFILTER_XT_MATCH_HASHLIMIT
675	tristate '"hashlimit" match support'
676	depends on NETFILTER_XTABLES && (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
677	help
678	  This option adds a `hashlimit' match.
679
680	  As opposed to `limit', this match dynamically creates a hash table
681	  of limit buckets, based on your selection of source/destination
682	  addresses and/or ports.
683
684	  It enables you to express policies like `10kpps for any given
685	  destination address' or `500pps from any given source address'
686	  with a single rule.
687
688endmenu
689
690