1menu "Core Netfilter Configuration" 2 depends on NET && NETFILTER 3 4config NETFILTER_NETLINK 5 tristate "Netfilter netlink interface" 6 help 7 If this option is enabled, the kernel will include support 8 for the new netfilter netlink interface. 9 10config NETFILTER_NETLINK_QUEUE 11 tristate "Netfilter NFQUEUE over NFNETLINK interface" 12 depends on NETFILTER_NETLINK 13 help 14 If this option is enabled, the kernel will include support 15 for queueing packets via NFNETLINK. 16 17config NETFILTER_NETLINK_LOG 18 tristate "Netfilter LOG over NFNETLINK interface" 19 depends on NETFILTER_NETLINK 20 help 21 If this option is enabled, the kernel will include support 22 for logging packets via NFNETLINK. 23 24 This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms, 25 and is also scheduled to replace the old syslog-based ipt_LOG 26 and ip6t_LOG modules. 27 28config NF_CONNTRACK 29 tristate "Layer 3 Independent Connection tracking (EXPERIMENTAL)" 30 depends on EXPERIMENTAL && IP_NF_CONNTRACK=n 31 default n 32 ---help--- 33 Connection tracking keeps a record of what packets have passed 34 through your machine, in order to figure out how they are related 35 into connections. 36 37 Layer 3 independent connection tracking is experimental scheme 38 which generalize ip_conntrack to support other layer 3 protocols. 39 40 To compile it as a module, choose M here. If unsure, say N. 41 42config NF_CT_ACCT 43 bool "Connection tracking flow accounting" 44 depends on NF_CONNTRACK 45 help 46 If this option is enabled, the connection tracking code will 47 keep per-flow packet and byte counters. 48 49 Those counters can be used for flow-based accounting or the 50 `connbytes' match. 51 52 If unsure, say `N'. 53 54config NF_CONNTRACK_MARK 55 bool 'Connection mark tracking support' 56 depends on NF_CONNTRACK 57 help 58 This option enables support for connection marks, used by the 59 `CONNMARK' target and `connmark' match. Similar to the mark value 60 of packets, but this mark value is kept in the conntrack session 61 instead of the individual packets. 62 63config NF_CONNTRACK_EVENTS 64 bool "Connection tracking events (EXPERIMENTAL)" 65 depends on EXPERIMENTAL && NF_CONNTRACK 66 help 67 If this option is enabled, the connection tracking code will 68 provide a notifier chain that can be used by other kernel code 69 to get notified about changes in the connection tracking state. 70 71 If unsure, say `N'. 72 73config NF_CT_PROTO_SCTP 74 tristate 'SCTP protocol on new connection tracking support (EXPERIMENTAL)' 75 depends on EXPERIMENTAL && NF_CONNTRACK 76 default n 77 help 78 With this option enabled, the layer 3 independent connection 79 tracking code will be able to do state tracking on SCTP connections. 80 81 If you want to compile it as a module, say M here and read 82 Documentation/modules.txt. If unsure, say `N'. 83 84config NF_CONNTRACK_FTP 85 tristate "FTP support on new connection tracking (EXPERIMENTAL)" 86 depends on EXPERIMENTAL && NF_CONNTRACK 87 help 88 Tracking FTP connections is problematic: special helpers are 89 required for tracking them, and doing masquerading and other forms 90 of Network Address Translation on them. 91 92 This is FTP support on Layer 3 independent connection tracking. 93 Layer 3 independent connection tracking is experimental scheme 94 which generalize ip_conntrack to support other layer 3 protocols. 95 96 To compile it as a module, choose M here. If unsure, say N. 97 98config NF_CT_NETLINK 99 tristate 'Connection tracking netlink interface (EXPERIMENTAL)' 100 depends on EXPERIMENTAL && NF_CONNTRACK && NETFILTER_NETLINK 101 depends on NF_CONNTRACK!=y || NETFILTER_NETLINK!=m 102 help 103 This option enables support for a netlink-based userspace interface 104 105config NETFILTER_XTABLES 106 tristate "Netfilter Xtables support (required for ip_tables)" 107 help 108 This is required if you intend to use any of ip_tables, 109 ip6_tables or arp_tables. 110 111# alphabetically ordered list of targets 112 113config NETFILTER_XT_TARGET_CLASSIFY 114 tristate '"CLASSIFY" target support' 115 depends on NETFILTER_XTABLES 116 help 117 This option adds a `CLASSIFY' target, which enables the user to set 118 the priority of a packet. Some qdiscs can use this value for 119 classification, among these are: 120 121 atm, cbq, dsmark, pfifo_fast, htb, prio 122 123 To compile it as a module, choose M here. If unsure, say N. 124 125config NETFILTER_XT_TARGET_CONNMARK 126 tristate '"CONNMARK" target support' 127 depends on NETFILTER_XTABLES 128 depends on IP_NF_MANGLE || IP6_NF_MANGLE 129 depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK) 130 help 131 This option adds a `CONNMARK' target, which allows one to manipulate 132 the connection mark value. Similar to the MARK target, but 133 affects the connection mark value rather than the packet mark value. 134 135 If you want to compile it as a module, say M here and read 136 <file:Documentation/modules.txt>. The module will be called 137 ipt_CONNMARK.o. If unsure, say `N'. 138 139config NETFILTER_XT_TARGET_MARK 140 tristate '"MARK" target support' 141 depends on NETFILTER_XTABLES 142 help 143 This option adds a `MARK' target, which allows you to create rules 144 in the `mangle' table which alter the netfilter mark (nfmark) field 145 associated with the packet prior to routing. This can change 146 the routing method (see `Use netfilter MARK value as routing 147 key') and can also be used by other subsystems to change their 148 behavior. 149 150 To compile it as a module, choose M here. If unsure, say N. 151 152config NETFILTER_XT_TARGET_NFQUEUE 153 tristate '"NFQUEUE" target Support' 154 depends on NETFILTER_XTABLES 155 help 156 This target replaced the old obsolete QUEUE target. 157 158 As opposed to QUEUE, it supports 65535 different queues, 159 not just one. 160 161 To compile it as a module, choose M here. If unsure, say N. 162 163config NETFILTER_XT_TARGET_NOTRACK 164 tristate '"NOTRACK" target support' 165 depends on NETFILTER_XTABLES 166 depends on IP_NF_RAW || IP6_NF_RAW 167 depends on IP_NF_CONNTRACK || NF_CONNTRACK 168 help 169 The NOTRACK target allows a select rule to specify 170 which packets *not* to enter the conntrack/NAT 171 subsystem with all the consequences (no ICMP error tracking, 172 no protocol helpers for the selected packets). 173 174 If you want to compile it as a module, say M here and read 175 <file:Documentation/modules.txt>. If unsure, say `N'. 176 177config NETFILTER_XT_MATCH_COMMENT 178 tristate '"comment" match support' 179 depends on NETFILTER_XTABLES 180 help 181 This option adds a `comment' dummy-match, which allows you to put 182 comments in your iptables ruleset. 183 184 If you want to compile it as a module, say M here and read 185 <file:Documentation/modules.txt>. If unsure, say `N'. 186 187config NETFILTER_XT_MATCH_CONNBYTES 188 tristate '"connbytes" per-connection counter match support' 189 depends on NETFILTER_XTABLES 190 depends on (IP_NF_CONNTRACK && IP_NF_CT_ACCT) || (NF_CT_ACCT && NF_CONNTRACK) 191 help 192 This option adds a `connbytes' match, which allows you to match the 193 number of bytes and/or packets for each direction within a connection. 194 195 If you want to compile it as a module, say M here and read 196 <file:Documentation/modules.txt>. If unsure, say `N'. 197 198config NETFILTER_XT_MATCH_CONNMARK 199 tristate '"connmark" connection mark match support' 200 depends on NETFILTER_XTABLES 201 depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK) 202 help 203 This option adds a `connmark' match, which allows you to match the 204 connection mark value previously set for the session by `CONNMARK'. 205 206 If you want to compile it as a module, say M here and read 207 <file:Documentation/modules.txt>. The module will be called 208 ipt_connmark.o. If unsure, say `N'. 209 210config NETFILTER_XT_MATCH_CONNTRACK 211 tristate '"conntrack" connection tracking match support' 212 depends on NETFILTER_XTABLES 213 depends on IP_NF_CONNTRACK || NF_CONNTRACK 214 help 215 This is a general conntrack match module, a superset of the state match. 216 217 It allows matching on additional conntrack information, which is 218 useful in complex configurations, such as NAT gateways with multiple 219 internet links or tunnels. 220 221 To compile it as a module, choose M here. If unsure, say N. 222 223config NETFILTER_XT_MATCH_DCCP 224 tristate '"DCCP" protocol match support' 225 depends on NETFILTER_XTABLES 226 help 227 With this option enabled, you will be able to use the iptables 228 `dccp' match in order to match on DCCP source/destination ports 229 and DCCP flags. 230 231 If you want to compile it as a module, say M here and read 232 <file:Documentation/modules.txt>. If unsure, say `N'. 233 234config NETFILTER_XT_MATCH_HELPER 235 tristate '"helper" match support' 236 depends on NETFILTER_XTABLES 237 depends on IP_NF_CONNTRACK || NF_CONNTRACK 238 help 239 Helper matching allows you to match packets in dynamic connections 240 tracked by a conntrack-helper, ie. ip_conntrack_ftp 241 242 To compile it as a module, choose M here. If unsure, say Y. 243 244config NETFILTER_XT_MATCH_LENGTH 245 tristate '"length" match support' 246 depends on NETFILTER_XTABLES 247 help 248 This option allows you to match the length of a packet against a 249 specific value or range of values. 250 251 To compile it as a module, choose M here. If unsure, say N. 252 253config NETFILTER_XT_MATCH_LIMIT 254 tristate '"limit" match support' 255 depends on NETFILTER_XTABLES 256 help 257 limit matching allows you to control the rate at which a rule can be 258 matched: mainly useful in combination with the LOG target ("LOG 259 target support", below) and to avoid some Denial of Service attacks. 260 261 To compile it as a module, choose M here. If unsure, say N. 262 263config NETFILTER_XT_MATCH_MAC 264 tristate '"mac" address match support' 265 depends on NETFILTER_XTABLES 266 help 267 MAC matching allows you to match packets based on the source 268 Ethernet address of the packet. 269 270 To compile it as a module, choose M here. If unsure, say N. 271 272config NETFILTER_XT_MATCH_MARK 273 tristate '"mark" match support' 274 depends on NETFILTER_XTABLES 275 help 276 Netfilter mark matching allows you to match packets based on the 277 `nfmark' value in the packet. This can be set by the MARK target 278 (see below). 279 280 To compile it as a module, choose M here. If unsure, say N. 281 282config NETFILTER_XT_MATCH_POLICY 283 tristate 'IPsec "policy" match support' 284 depends on NETFILTER_XTABLES && XFRM 285 help 286 Policy matching allows you to match packets based on the 287 IPsec policy that was used during decapsulation/will 288 be used during encapsulation. 289 290 To compile it as a module, choose M here. If unsure, say N. 291 292config NETFILTER_XT_MATCH_PHYSDEV 293 tristate '"physdev" match support' 294 depends on NETFILTER_XTABLES && BRIDGE_NETFILTER 295 help 296 Physdev packet matching matches against the physical bridge ports 297 the IP packet arrived on or will leave by. 298 299 To compile it as a module, choose M here. If unsure, say N. 300 301config NETFILTER_XT_MATCH_PKTTYPE 302 tristate '"pkttype" packet type match support' 303 depends on NETFILTER_XTABLES 304 help 305 Packet type matching allows you to match a packet by 306 its "class", eg. BROADCAST, MULTICAST, ... 307 308 Typical usage: 309 iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG 310 311 To compile it as a module, choose M here. If unsure, say N. 312 313config NETFILTER_XT_MATCH_REALM 314 tristate '"realm" match support' 315 depends on NETFILTER_XTABLES 316 select NET_CLS_ROUTE 317 help 318 This option adds a `realm' match, which allows you to use the realm 319 key from the routing subsystem inside iptables. 320 321 This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option 322 in tc world. 323 324 If you want to compile it as a module, say M here and read 325 <file:Documentation/modules.txt>. If unsure, say `N'. 326 327config NETFILTER_XT_MATCH_SCTP 328 tristate '"sctp" protocol match support' 329 depends on NETFILTER_XTABLES 330 help 331 With this option enabled, you will be able to use the 332 `sctp' match in order to match on SCTP source/destination ports 333 and SCTP chunk types. 334 335 If you want to compile it as a module, say M here and read 336 <file:Documentation/modules.txt>. If unsure, say `N'. 337 338config NETFILTER_XT_MATCH_STATE 339 tristate '"state" match support' 340 depends on NETFILTER_XTABLES 341 depends on IP_NF_CONNTRACK || NF_CONNTRACK 342 help 343 Connection state matching allows you to match packets based on their 344 relationship to a tracked connection (ie. previous packets). This 345 is a powerful tool for packet classification. 346 347 To compile it as a module, choose M here. If unsure, say N. 348 349config NETFILTER_XT_MATCH_STRING 350 tristate '"string" match support' 351 depends on NETFILTER_XTABLES 352 select TEXTSEARCH 353 select TEXTSEARCH_KMP 354 select TEXTSEARCH_BM 355 select TEXTSEARCH_FSM 356 help 357 This option adds a `string' match, which allows you to look for 358 pattern matchings in packets. 359 360 To compile it as a module, choose M here. If unsure, say N. 361 362config NETFILTER_XT_MATCH_TCPMSS 363 tristate '"tcpmss" match support' 364 depends on NETFILTER_XTABLES 365 help 366 This option adds a `tcpmss' match, which allows you to examine the 367 MSS value of TCP SYN packets, which control the maximum packet size 368 for that connection. 369 370 To compile it as a module, choose M here. If unsure, say N. 371 372endmenu 373 374