menu "Core Netfilter Configuration"
	depends on NET && INET && NETFILTER

config NETFILTER_NETLINK
	tristate

config NETFILTER_NETLINK_QUEUE
	tristate "Netfilter NFQUEUE over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for queueing packets via NFNETLINK.

config NETFILTER_NETLINK_LOG
	tristate "Netfilter LOG over NFNETLINK interface"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for logging packets via NFNETLINK.

	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
	  and is also scheduled to replace the old syslog-based ipt_LOG
	  and ip6t_LOG modules.

config NF_CONNTRACK
	tristate "Netfilter connection tracking support"
	default m if NETFILTER_ADVANCED=n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is required to do Masquerading or other kinds of Network
	  Address Translation.  It can also be used to enhance packet
	  filtering (see `Connection state match support' below).

	  To compile it as a module, choose M here.  If unsure, say N.

if NF_CONNTRACK

config NF_CONNTRACK_MARK
	bool 'Connection mark tracking support'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match.  Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config NF_CONNTRACK_SECMARK
	bool 'Connection tracking security mark support'
	depends on NETWORK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables security markings to be applied to
	  connections.
	  Typically they are copied to connections from
	  packets using the CONNSECMARK target and copied back from
	  connections to packets with the same target, with the packets
	  being originally labeled via SECMARK.

	  If unsure, say 'N'.

config NF_CONNTRACK_ZONES
	bool 'Connection tracking zones'
	depends on NETFILTER_ADVANCED
	depends on NETFILTER_XT_TARGET_CT
	help
	  This option enables support for connection tracking zones.
	  Normally, each connection needs to have a unique system wide
	  identity.  Connection tracking zones allow multiple connections
	  to use the same identity, as long as they are contained in
	  different zones.

	  If unsure, say `N'.

config NF_CONNTRACK_EVENTS
	bool "Connection tracking events"
	depends on NETFILTER_ADVANCED
	help
	  If this option is enabled, the connection tracking code will
	  provide a notifier chain that can be used by other kernel code
	  to get notified about changes in the connection tracking state.

	  If unsure, say `N'.

config NF_CT_PROTO_DCCP
	tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	default IP_DCCP
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on DCCP connections.

	  If unsure, say 'N'.

config NF_CT_PROTO_GRE
	tristate

config NF_CT_PROTO_SCTP
	tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	default IP_SCTP
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on SCTP connections.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NF_CT_PROTO_UDPLITE
	tristate 'UDP-Lite protocol connection tracking support'
	depends on NETFILTER_ADVANCED
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on UDP-Lite
	  connections.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_AMANDA
	tristate "Amanda backup protocol support"
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature.  This allows the
	  connection tracking and natting code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and
	  index.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_FTP
	tristate "FTP protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them.

	  This is FTP support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_H323
	tristate "H.323 protocol support"
	depends on (IPV6 || IPV6=n)
	depends on NETFILTER_ADVANCED
	help
	  H.323 is a VoIP signalling protocol from ITU-T.  As one of the most
	  important VoIP protocols, it is widely used by voice hardware and
	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
	  Gnomemeeting, etc.

	  With this module you can support H.323 on a connection tracking/NAT
	  firewall.

	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
	  whiteboard, file transfer, etc.  For more information, please
	  visit http://nath323.sourceforge.net/.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_IRC
	tristate "IRC protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC).  This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server.  DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats.  Note that you do NOT need this extension to get files or
	  have others initiate chats, or everything else in IRC.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_NETBIOS_NS
	tristate "NetBIOS name service protocol support"
	depends on NETFILTER_ADVANCED
	help
	  NetBIOS name service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port.  This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts.  This helper tracks locally
	  originating NetBIOS name service requests and the corresponding
	  responses.  It relies on correct IP address configuration, specifically
	  netmask and broadcast address.
	  When properly configured, the output
	  of "ip address show" should look similar to this:

	  $ ip -4 address show eth0
	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_PPTP
	tristate "PPtP protocol support"
	depends on NETFILTER_ADVANCED
	select NF_CT_PROTO_GRE
	help
	  This module adds support for PPTP (Point to Point Tunnelling
	  Protocol, RFC2637) connection tracking and NAT.

	  If you are running PPTP sessions over a stateful firewall or NAT
	  box, you may want to enable this feature.

	  Please note that not all PPTP modes of operation are supported yet.
	  Specifically these limitations exist:
	    - Blindly assumes that control connections are always established
	      in PNS->PAC direction.  This is a violation of RFC2637.
	    - Only supports a single call within each session

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_SANE
	tristate "SANE protocol support (EXPERIMENTAL)"
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	help
	  SANE is a protocol for remote access to scanners as implemented
	  by the 'saned' daemon.  Like FTP, it uses separate control and
	  data connections.

	  With this module you can support SANE on a connection tracking
	  firewall.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_SIP
	tristate "SIP protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  SIP is an application-layer control protocol that can establish,
	  modify, and terminate multimedia sessions (conferences) such as
	  Internet telephony calls.  With the ip_conntrack_sip and
	  the nf_nat_sip modules you can support the protocol on a connection
	  tracking/NATing firewall.

	  To compile it as a module, choose M here.
	  If unsure, say N.

config NF_CONNTRACK_TFTP
	tristate "TFTP protocol support"
	depends on NETFILTER_ADVANCED
	help
	  TFTP connection tracking helper; whether it is required depends
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADE
	  you will need this.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CT_NETLINK
	tristate 'Connection tracking netlink interface'
	select NETFILTER_NETLINK
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables support for a netlink-based userspace interface.

endif # NF_CONNTRACK

# transparent proxy support
config NETFILTER_TPROXY
	tristate "Transparent proxying support (EXPERIMENTAL)"
	depends on EXPERIMENTAL
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option enables transparent proxying support, that is,
	  support for handling non-locally bound IPv4 TCP and UDP sockets.
	  For it to work you will have to configure certain iptables rules
	  and use policy routing.  For more information on how to set it up
	  see Documentation/networking/tproxy.txt.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XTABLES
	tristate "Netfilter Xtables support (required for ip_tables)"
	default m if NETFILTER_ADVANCED=n
	help
	  This is required if you intend to use any of ip_tables,
	  ip6_tables or arp_tables.

if NETFILTER_XTABLES

comment "Xtables combined modules"

config NETFILTER_XT_MARK
	tristate 'nfmark target and match support'
	default m if NETFILTER_ADVANCED=n
	---help---
	  This option adds the "MARK" target and "mark" match.

	  Netfilter mark matching allows you to match packets based on the
	  "nfmark" value in the packet.
	  The target allows you to create rules in the "mangle" table which alter
	  the netfilter mark (nfmark) field associated with the packet.

	  Prior to routing, the nfmark can influence the routing method (see
	  "Use netfilter MARK value as routing key") and can also be used by
	  other subsystems to change their behavior.

config NETFILTER_XT_CONNMARK
	tristate 'ctmark target and match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	---help---
	  This option adds the "CONNMARK" target and "connmark" match.

	  Netfilter allows you to store a mark value per connection (a.k.a.
	  ctmark), similarly to the packet mark (nfmark).  Using this
	  target and match, you can set and match on this mark.

# alphabetically ordered list of targets

comment "Xtables targets"

config NETFILTER_XT_TARGET_CHECKSUM
	tristate "CHECKSUM target support"
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds a `CHECKSUM' target, which can be used in the iptables mangle
	  table.

	  You can use this target to compute and fill in the checksum in
	  a packet that lacks a checksum.  This is particularly useful
	  if you need to work around old applications such as dhcp clients
	  that do not work well with checksum offloads, but don't want to disable
	  checksum offload in your device.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_CLASSIFY
	tristate '"CLASSIFY" target support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet.  Some qdiscs can use this value for
	  classification, among these are:

	  	atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_CONNMARK
	tristate '"CONNMARK" target support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_CONNMARK
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig).  It selects
	  CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).

config NETFILTER_XT_TARGET_CONNSECMARK
	tristate '"CONNSECMARK" target support'
	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The CONNSECMARK target copies security markings from packets
	  to connections, and restores security markings from connections
	  to packets (if the packets are not already marked).  This would
	  normally be used in conjunction with the SECMARK target.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_CT
	tristate '"CT" target support'
	depends on NF_CONNTRACK
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CT' target, which allows you to specify initial
	  connection tracking parameters like events to be delivered and
	  the helper to be used.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_DSCP
	tristate '"DSCP" and "TOS" target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' target, which allows you to manipulate
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It also adds the "TOS" target, which allows you to create rules in
	  the "mangle" table which alter the Type Of Service field of an IPv4
	  or the Priority field of an IPv6 packet, prior to routing.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
	  targets, which enable the user to change the
	  hoplimit/time-to-live value of the IP header.

	  While it is safe to decrement the hoplimit/TTL value, the
	  modules also allow you to increment and set the hoplimit value of
	  the header to arbitrary values.  This is EXTREMELY DANGEROUS
	  since you can easily create immortal packets that loop
	  forever on the network.

config NETFILTER_XT_TARGET_IDLETIMER
	tristate "IDLETIMER target support"
	depends on NETFILTER_ADVANCED
	help
	  This option adds the `IDLETIMER' target.  Each matching packet
	  resets the timer associated with the label specified when the rule is
	  added.  When the timer expires, it triggers a sysfs notification.
	  The remaining time for expiration can be read via sysfs.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_LED
	tristate '"LED" target support'
	depends on LEDS_CLASS && LEDS_TRIGGERS
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `LED' target, which allows you to blink LEDs in
	  response to particular packets passing through your machine.

	  This can be used to turn a spare LED into a network activity LED,
	  which only flashes in response to FTP transfers, for example.  Or
	  you could have an LED which lights up for a minute or two every time
	  somebody connects to your machine via SSH.

	  You will need support for the "led" class to make this work.

	  To create an LED trigger for incoming SSH traffic:
	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000

	  Then attach the new trigger to an LED on your system:
	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger

	  For more information on the LEDs available on your system, see
	  Documentation/leds-class.txt

config NETFILTER_XT_TARGET_MARK
	tristate '"MARK" target support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MARK
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig).  It selects
	  CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).

config NETFILTER_XT_TARGET_NFLOG
	tristate '"NFLOG" target support'
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK_LOG
	help
	  This option enables the NFLOG target, which allows you to log
	  messages through nfnetlink_log.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_NFQUEUE
	tristate '"NFQUEUE" target Support'
	depends on NETFILTER_ADVANCED
	help
	  This target replaced the old obsolete QUEUE target.

	  As opposed to QUEUE, it supports 65535 different queues,
	  not just one.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_NOTRACK
	tristate '"NOTRACK" target support'
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  The NOTRACK target allows a select rule to specify
	  which packets *not* to enter the conntrack/NAT
	  subsystem with all the consequences (no ICMP error tracking,
	  no protocol helpers for the selected packets).

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_TARGET_RATEEST
	tristate '"RATEEST" target support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `RATEEST' target, which allows you to measure
	  rates similar to TC estimators.  The `rateest' match can be
	  used to match on the measured rates.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_TEE
	tristate '"TEE" - packet cloning to alternate destination'
	depends on NETFILTER_ADVANCED
	depends on (IPV6 || IPV6=n)
	depends on !NF_CONNTRACK || NF_CONNTRACK
	---help---
	  This option adds a "TEE" target with which a packet can be cloned and
	  this clone be rerouted to another nexthop.

config NETFILTER_XT_TARGET_TPROXY
	tristate '"TPROXY" target support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_TPROXY
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	select NF_DEFRAG_IPV4
	help
	  This option adds a `TPROXY' target, which is somewhat similar to
	  REDIRECT.  It can only be used in the mangle table and is useful
	  to redirect traffic to a transparent proxy.  It does _not_ depend
	  on Netfilter connection tracking and NAT, unlike REDIRECT.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_TRACE
	tristate '"TRACE" target support'
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	help
	  The TRACE target allows you to mark packets so that the kernel
	  will log every rule which matches the packets as they traverse
	  the tables, chains and rules.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_TARGET_SECMARK
	tristate '"SECMARK" target support'
	depends on NETWORK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The SECMARK target allows security marking of network
	  packets, for use with security subsystems.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_TCPMSS
	tristate '"TCPMSS" target support'
	depends on (IPV6 || IPV6=n)
	default m if NETFILTER_ADVANCED=n
	---help---
	  This option adds a `TCPMSS' target, which allows you to alter the
	  MSS value of TCP SYN packets, to control the maximum size for that
	  connection (usually limiting it to your outgoing interface's MTU
	  minus 40).

	  This is used to overcome criminally braindead ISPs or servers which
	  block ICMP Fragmentation Needed packets.  The symptoms of this
	  problem are that everything works fine from your Linux
	  firewall/router, but machines behind it can never exchange large
	  packets:
	    1) Web browsers connect, then hang with no data received.
	    2) Small mail works fine, but large emails hang.
	    3) ssh works fine, but scp hangs after initial handshaking.

	  Workaround: activate this option and add a rule to your firewall
	  configuration like:

	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
	           -j TCPMSS --clamp-mss-to-pmtu

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_TCPOPTSTRIP
	tristate '"TCPOPTSTRIP" target support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
	  TCP options from TCP packets.

# alphabetically ordered list of matches

comment "Xtables matches"

config NETFILTER_XT_MATCH_CLUSTER
	tristate '"cluster" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	---help---
	  This option allows you to build work-load-sharing clusters of
	  network servers/stateful firewalls without having a dedicated
	  load-balancing router/server/switch.  Basically, this match returns
	  true when the packet must be handled by this cluster node.  Thus,
	  all nodes see all packets and this match decides which node handles
	  what packets.  The work-load sharing algorithm is based on source
	  address hashing.

	  If you say Y or M here, try `iptables -m cluster --help` for
	  more information.

config NETFILTER_XT_MATCH_COMMENT
	tristate '"comment" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `comment' dummy-match, which allows you to put
	  comments in your iptables ruleset.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNBYTES
	tristate '"connbytes" per-connection counter match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `connbytes' match, which allows you to match the
	  number of bytes and/or packets for each direction within a connection.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNLIMIT
	tristate '"connlimit" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	---help---
	  This match allows you to match against the number of parallel
	  connections to a server per client IP address (or address block).

config NETFILTER_XT_MATCH_CONNMARK
	tristate '"connmark" connection mark match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_CONNMARK
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig).  It selects
	  CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).

config NETFILTER_XT_MATCH_CONNTRACK
	tristate '"conntrack" connection tracking match support'
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  This is a general conntrack match module, a superset of the state match.

	  It allows matching on additional conntrack information, which is
	  useful in complex configurations, such as NAT gateways with multiple
	  internet links or tunnels.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_CPU
	tristate '"cpu" match support'
	depends on NETFILTER_ADVANCED
	help
	  CPU matching allows you to match packets based on the CPU
	  currently handling the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_DCCP
	tristate '"dccp" protocol match support'
	depends on NETFILTER_ADVANCED
	default IP_DCCP
	help
	  With this option enabled, you will be able to use the iptables
	  `dccp' match in order to match on DCCP source/destination ports
	  and DCCP flags.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_DSCP
	tristate '"dscp" and "tos" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It will also add a "tos" match, which allows you to match packets
	  based on the Type Of Service fields of the IPv4 packet (which share
	  the same bits as DSCP).

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_ESP
	tristate '"esp" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the ESP header of IPsec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_HASHLIMIT
	tristate '"hashlimit" match support'
	depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `hashlimit' match.

	  As opposed to `limit', this match dynamically creates a hash table
	  of limit buckets, based on your selection of source/destination
	  addresses and/or ports.

	  It enables you to express policies like `10kpps for any given
	  destination address' or `500pps from any given source address'
	  with a single rule.

config NETFILTER_XT_MATCH_HELPER
	tristate '"helper" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack-helper, e.g. ip_conntrack_ftp

	  To compile it as a module, choose M here.  If unsure, say Y.

config NETFILTER_XT_MATCH_HL
	tristate '"hl" hoplimit/TTL match support'
	depends on NETFILTER_ADVANCED
	---help---
	  HL matching allows you to match packets based on the hoplimit
	  in the IPv6 header, or the time-to-live field in the IPv4
	  header of the packet.

config NETFILTER_XT_MATCH_IPRANGE
	tristate '"iprange" address range match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an "iprange" match, which allows you to match based on
	  an IP address range.
	  (Normal iptables only matches on single addresses
	  with an optional mask.)

	  If unsure, say M.

config NETFILTER_XT_MATCH_IPVS
	tristate '"ipvs" match support'
	depends on IP_VS
	depends on NETFILTER_ADVANCED
	depends on NF_CONNTRACK
	help
	  This option allows you to match against IPVS properties of a packet.

	  If unsure, say N.

config NETFILTER_XT_MATCH_LENGTH
	tristate '"length" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_LIMIT
	tristate '"limit" match support'
	depends on NETFILTER_ADVANCED
	help
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", below) and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_MAC
	tristate '"mac" address match support'
	depends on NETFILTER_ADVANCED
	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_MARK
	tristate '"mark" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MARK
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig).  It selects
	  CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).

config NETFILTER_XT_MATCH_MULTIPORT
	tristate '"multiport" Multiple port match support'
	depends on NETFILTER_ADVANCED
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_OSF
	tristate '"osf" Passive OS fingerprint match'
	depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
	help
	  This option selects the Passive OS Fingerprinting match module
	  that allows you to passively match the remote operating system by
	  analyzing incoming TCP SYN packets.

	  Rules and loading software can be downloaded from
	  http://www.ioremap.net/projects/osf

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_OWNER
	tristate '"owner" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  Socket owner matching allows you to match locally-generated packets
	  based on who created the socket: the user or group.  It is also
	  possible to check whether a socket actually exists.

config NETFILTER_XT_MATCH_POLICY
	tristate 'IPsec "policy" match support'
	depends on XFRM
	default m if NETFILTER_ADVANCED=n
	help
	  Policy matching allows you to match packets based on the
	  IPsec policy that was used during decapsulation/will
	  be used during encapsulation.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_PHYSDEV
	tristate '"physdev" match support'
	depends on BRIDGE && BRIDGE_NETFILTER
	depends on NETFILTER_ADVANCED
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_PKTTYPE
	tristate '"pkttype" packet type match support'
	depends on NETFILTER_ADVANCED
	help
	  Packet type matching allows you to match a packet by
	  its "class", e.g. BROADCAST, MULTICAST, ...

	  Typical usage:
	    iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_QUOTA
	tristate '"quota" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `quota' match, which allows to match on a
	  byte counter.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_RATEEST
	tristate '"rateest" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_RATEEST
	help
	  This option adds a `rateest' match, which allows to match on the
	  rate estimated by the RATEEST target.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_REALM
	tristate '"realm" match support'
	depends on NETFILTER_ADVANCED
	select NET_CLS_ROUTE
	help
	  This option adds a `realm' match, which allows you to use the realm
	  key from the routing subsystem inside iptables.

	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
	  in tc world.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_RECENT
	tristate '"recent" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'
	  Official Website: <http://snowman.net/projects/ipt_recent/>

config NETFILTER_XT_MATCH_SCTP
	tristate '"sctp" protocol match support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	default IP_SCTP
	help
	  With this option enabled, you will be able to use the
	  `sctp' match in order to match on SCTP source/destination ports
	  and SCTP chunk types.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_SOCKET
	tristate '"socket" match support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_TPROXY
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DEFRAG_IPV4
	help
	  This option adds a `socket' match, which can be used to match
	  packets for which a TCP or UDP socket lookup finds a valid socket.
	  It can be used in combination with the MARK target and policy
	  routing to implement full featured non-locally bound sockets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STATE
	tristate '"state" match support'
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (i.e. previous packets). This
	  is a powerful tool for packet classification.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STATISTIC
	tristate '"statistic" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `statistic' match, which allows you to match
	  on packets periodically or randomly with a given percentage.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STRING
	tristate '"string" match support'
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	select TEXTSEARCH_BM
	select TEXTSEARCH_FSM
	help
	  This option adds a `string' match, which allows you to look for
	  pattern matches in packets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_TCPMSS
	tristate '"tcpmss" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS value of TCP SYN packets, which control the maximum packet size
	  for that connection.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_TIME
	tristate '"time" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds a "time" match, which allows you to match based on
	  the packet arrival time (at the machine on which netfilter is
	  running) or departure time/date (for locally generated packets).

	  If you say Y here, try `iptables -m time --help` for
	  more information.

	  If you want to compile it as a module, say M here.
	  If unsure, say N.

config NETFILTER_XT_MATCH_U32
	tristate '"u32" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  u32 allows you to extract quantities of up to 4 bytes from a packet,
	  AND them with specified masks, shift them by specified amounts and
	  test whether the results are in any of a set of specified ranges.
	  The specification of what to extract is general enough to skip over
	  headers with lengths stored in the packet, as in IP or TCP header
	  lengths.

	  Details and examples are in the kernel module source.

endif # NETFILTER_XTABLES

endmenu

source "net/netfilter/ipvs/Kconfig"
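The "u32" help text above describes an extract/mask/shift/range pipeline that can follow header lengths stored in the packet. The C program below is an added example, not the kernel's xt_u32 code or the iptables parser: it models that evaluation order (fetch 4 big-endian bytes, AND, shift, '@' re-bases the fetch offset on the value computed so far, then a range test) and uses it to express `--u32 "0>>22&0x3C@0&0xFFFF=80"`, which reads the IPv4 header length from the first word, skips any IP options and tests the TCP destination port. The struct and function names are this example's own, and the packets are constructed inline rather than captured.

```c
/* Added example: user-space model of the "u32" match evaluation.
 * Not the kernel's xt_u32 code; names are this example's own, the
 * operator semantics follow the Kconfig description. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum u32_op { U32_AND, U32_LEFTSH, U32_RIGHTSH, U32_AT };
struct u32_loc   { enum u32_op op; uint32_t number; };
struct u32_range { uint32_t min, max; };
struct u32_test {
    uint32_t start;                      /* offset of the first 4-byte fetch */
    struct u32_loc loc[8];   size_t nloc;
    struct u32_range val[8]; size_t nval;
};

/* Fetch 4 bytes at pos as a big-endian value; false if the packet is too short. */
static bool fetch32(const uint8_t *pkt, size_t len, uint64_t pos, uint32_t *out)
{
    if (len < 4 || pos > (uint64_t)len - 4)
        return false;
    *out = ((uint32_t)pkt[pos] << 24) | ((uint32_t)pkt[pos + 1] << 16) |
           ((uint32_t)pkt[pos + 2] << 8) | pkt[pos + 3];
    return true;
}

/* One "location = ranges" test; a truncated packet never matches. */
static bool u32_eval_test(const struct u32_test *t, const uint8_t *pkt, size_t len)
{
    uint32_t val;
    uint64_t at = 0;                     /* running base offset established by '@' */
    if (!fetch32(pkt, len, t->start, &val))
        return false;
    for (size_t i = 0; i < t->nloc; i++) {
        uint32_t n = t->loc[i].number;
        switch (t->loc[i].op) {
        case U32_AND:     val &= n;  break;
        case U32_LEFTSH:  val <<= n; break;
        case U32_RIGHTSH: val >>= n; break;
        case U32_AT:                     /* value so far becomes an offset; n is relative to it */
            at += val;
            if (!fetch32(pkt, len, at + n, &val))
                return false;
            break;
        }
    }
    for (size_t i = 0; i < t->nval; i++)
        if (t->val[i].min <= val && val <= t->val[i].max)
            return true;
    return false;
}

/* A rule matches only if every one of its "&&"-joined tests matches. */
bool u32_match(const struct u32_test *tests, size_t ntests, const uint8_t *pkt, size_t len)
{
    for (size_t i = 0; i < ntests; i++)
        if (!u32_eval_test(&tests[i], pkt, len))
            return false;
    return true;
}

/* Model of --u32 "0>>22&0x3C@0&0xFFFF=<port>": (first word >> 22) & 0x3C is
 * IHL*4, '@0' jumps past the IPv4 header to the first TCP word (src<<16|dst),
 * and the final mask keeps the destination port. */
struct u32_test u32_tcp_dport_test(uint16_t port)
{
    struct u32_test t;
    memset(&t, 0, sizeof t);
    t.loc[t.nloc++] = (struct u32_loc){ U32_RIGHTSH, 22 };
    t.loc[t.nloc++] = (struct u32_loc){ U32_AND, 0x3C };
    t.loc[t.nloc++] = (struct u32_loc){ U32_AT, 0 };
    t.loc[t.nloc++] = (struct u32_loc){ U32_AND, 0xFFFF };
    t.val[t.nval++] = (struct u32_range){ port, port };
    return t;
}

/* Constructed IPv4+TCP packet (not a capture); ihl_words > 5 means IP options present. */
size_t build_ipv4_tcp(uint8_t *buf, size_t cap, unsigned ihl_words, uint16_t sport, uint16_t dport)
{
    size_t iphl = ihl_words * 4, total = iphl + 20;
    if (ihl_words < 5 || ihl_words > 15 || cap < total)
        return 0;
    memset(buf, 0, total);
    buf[0] = (uint8_t)(0x40 | ihl_words);               /* version 4, IHL in words */
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    buf[8] = 64; buf[9] = 6;                            /* TTL, protocol = TCP */
    buf[iphl] = (uint8_t)(sport >> 8);     buf[iphl + 1] = (uint8_t)sport;
    buf[iphl + 2] = (uint8_t)(dport >> 8); buf[iphl + 3] = (uint8_t)dport;
    buf[iphl + 12] = 0x50;                              /* TCP data offset = 5 words */
    return total;
}

/* Does a constructed packet with these fields match destination port 'want'?
 * truncate_to > 0 cuts the packet short to show that a short packet never matches. */
bool u32_demo_dport(unsigned ihl_words, uint16_t sport, uint16_t dport, uint16_t want, size_t truncate_to)
{
    uint8_t pkt[80];
    size_t len = build_ipv4_tcp(pkt, sizeof pkt, ihl_words, sport, dport);
    if (len == 0)
        return false;
    if (truncate_to && truncate_to < len)
        len = truncate_to;
    struct u32_test t = u32_tcp_dport_test(want);
    return u32_match(&t, 1, pkt, len);
}
```

The point of the '@' step is visible in the test with `ihl_words = 6`: a fixed-offset check for the TCP port would read the wrong bytes once IP options are present, while the u32 expression follows the header length carried in the packet. The bounds check in every fetch is what keeps such a match safe on truncated packets.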