xref: /linux/net/netfilter/Kconfig (revision f7511d5f66f01fc451747b24e79f3ada7a3af9af)
menu "Core Netfilter Configuration"
	depends on NET && INET && NETFILTER

config NETFILTER_NETLINK
	tristate

config NETFILTER_NETLINK_QUEUE
	tristate "Netfilter NFQUEUE over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for queueing packets via NFNETLINK.

config NETFILTER_NETLINK_LOG
	tristate "Netfilter LOG over NFNETLINK interface"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for logging packets via NFNETLINK.

	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
	  and is also scheduled to replace the old syslog-based ipt_LOG
	  and ip6t_LOG modules.

config NF_CONNTRACK
	tristate "Netfilter connection tracking support"
	default m if NETFILTER_ADVANCED=n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is required to do Masquerading or other kinds of Network
	  Address Translation (except for Fast NAT).  It can also be used to
	  enhance packet filtering (see `Connection state match support'
	  below).

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CT_ACCT
	bool "Connection tracking flow accounting"
	depends on NETFILTER_ADVANCED
	depends on NF_CONNTRACK
	help
	  If this option is enabled, the connection tracking code will
	  keep per-flow packet and byte counters.

	  Those counters can be used for flow-based accounting or the
	  `connbytes' match.

	  If unsure, say `N'.

config NF_CONNTRACK_MARK
	bool 'Connection mark tracking support'
	depends on NETFILTER_ADVANCED
	depends on NF_CONNTRACK
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match. Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config NF_CONNTRACK_SECMARK
	bool 'Connection tracking security mark support'
	depends on NF_CONNTRACK && NETWORK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables security markings to be applied to
	  connections.  Typically they are copied to connections from
	  packets using the CONNSECMARK target and copied back from
	  connections to packets with the same target, with the packets
	  being originally labeled via SECMARK.

	  If unsure, say 'N'.

config NF_CONNTRACK_EVENTS
	bool "Connection tracking events"
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  If this option is enabled, the connection tracking code will
	  provide a notifier chain that can be used by other kernel code
	  to get notified about changes in the connection tracking state.

	  If unsure, say `N'.

config NF_CT_PROTO_DCCP
	tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)'
	depends on EXPERIMENTAL && NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on DCCP connections.

	  If unsure, say 'N'.

config NF_CT_PROTO_GRE
	tristate
	depends on NF_CONNTRACK

config NF_CT_PROTO_SCTP
	tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
	depends on EXPERIMENTAL && NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on SCTP connections.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NF_CT_PROTO_UDPLITE
	tristate 'UDP-Lite protocol connection tracking support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on UDP-Lite
	  connections.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_AMANDA
	tristate "Amanda backup protocol support"
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature.  This allows the
	  connection tracking and NAT code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and
	  index.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_FTP
	tristate "FTP protocol support"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them.

	  This is FTP support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_H323
	tristate "H.323 protocol support"
	depends on NF_CONNTRACK && (IPV6 || IPV6=n)
	depends on NETFILTER_ADVANCED
	help
	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
	  important VoIP protocols, it is widely used by voice hardware and
	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
	  Gnomemeeting, etc.

	  With this module you can support H.323 on a connection tracking/NAT
	  firewall.

	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
	  whiteboard, file transfer, etc. For more information, please
	  visit http://nath323.sourceforge.net/.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_IRC
	tristate "IRC protocol support"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC).  This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server.  DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats.  Note that you do NOT need this extension to get files or
	  have others initiate chats, or everything else in IRC.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_NETBIOS_NS
	tristate "NetBIOS name service protocol support"
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  NetBIOS name service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating NetBIOS name service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address. When properly configured, the output
	  of "ip address show" should look similar to this:

	  $ ip -4 address show eth0
	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_PPTP
	tristate "PPtP protocol support"
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CT_PROTO_GRE
	help
	  This module adds support for PPTP (Point to Point Tunnelling
	  Protocol, RFC2637) connection tracking and NAT.

	  If you are running PPTP sessions over a stateful firewall or NAT
	  box, you may want to enable this feature.

	  Please note that not all PPTP modes of operation are supported yet.
	  Specifically these limitations exist:
	    - Blindly assumes that control connections are always established
	      in PNS->PAC direction. This is a violation of RFC2637.
	    - Only supports a single call within each session

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_SANE
	tristate "SANE protocol support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  SANE is a protocol for remote access to scanners as implemented
	  by the 'saned' daemon. Like FTP, it uses separate control and
	  data connections.

	  With this module you can support SANE on a connection tracking
	  firewall.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_SIP
	tristate "SIP protocol support"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  SIP is an application-layer control protocol that can establish,
	  modify, and terminate multimedia sessions (conferences) such as
	  Internet telephony calls. With the ip_conntrack_sip and
	  the nf_nat_sip modules you can support the protocol on a connection
	  tracking/NATing firewall.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_TFTP
	tristate "TFTP protocol support"
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  TFTP connection tracking helper; whether it is required depends
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADING
	  you will need this.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CT_NETLINK
	tristate 'Connection tracking netlink interface'
	depends on NF_CONNTRACK
	select NETFILTER_NETLINK
	depends on NF_NAT=n || NF_NAT
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables support for a netlink-based userspace interface

config NETFILTER_XTABLES
	tristate "Netfilter Xtables support (required for ip_tables)"
	default m if NETFILTER_ADVANCED=n
	help
	  This is required if you intend to use any of ip_tables,
	  ip6_tables or arp_tables.

# alphabetically ordered list of targets

config NETFILTER_XT_TARGET_CLASSIFY
	tristate '"CLASSIFY" target support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet. Some qdiscs can use this value for
	  classification, among these are:

	  atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_CONNMARK
	tristate '"CONNMARK" target support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  This option adds a `CONNMARK' target, which allows one to manipulate
	  the connection mark value.  Similar to the MARK target, but
	  affects the connection mark value rather than the packet mark value.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  The module will be called
	  ipt_CONNMARK.ko.  If unsure, say `N'.

config NETFILTER_XT_TARGET_DSCP
	tristate '"DSCP" and "TOS" target support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' target, which allows you to manipulate
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It also adds the "TOS" target, which allows you to create rules in
	  the "mangle" table which alter the Type Of Service field of an IPv4
	  or the Priority field of an IPv6 packet, prior to routing.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_MARK
	tristate '"MARK" target support'
	depends on NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `MARK' target, which allows you to create rules
	  in the `mangle' table which alter the netfilter mark (nfmark) field
	  associated with the packet prior to routing. This can change
	  the routing method (see `Use netfilter MARK value as routing
	  key') and can also be used by other subsystems to change their
	  behavior.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_NFQUEUE
	tristate '"NFQUEUE" target support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  This target replaced the old obsolete QUEUE target.

	  As opposed to QUEUE, it supports 65535 different queues,
	  not just one.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_NFLOG
	tristate '"NFLOG" target support'
	depends on NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables the NFLOG target, which allows logging
	  messages through the netfilter logging API, which can use
	  either the old LOG target, the old ULOG target or nfnetlink_log
	  as backend.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_NOTRACK
	tristate '"NOTRACK" target support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  The NOTRACK target allows a select rule to specify
	  which packets *not* to enter the conntrack/NAT
	  subsystem with all the consequences (no ICMP error tracking,
	  no protocol helpers for the selected packets).

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_TARGET_RATEEST
	tristate '"RATEEST" target support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `RATEEST' target, which allows measuring
	  rates similar to TC estimators. The `rateest' match can be
	  used to match on the measured rates.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_TRACE
	tristate '"TRACE" target support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	help
	  The TRACE target allows you to mark packets so that the kernel
	  will log every rule which matches the packets as they traverse
	  the tables, chains, rules.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_TARGET_SECMARK
	tristate '"SECMARK" target support'
	depends on NETFILTER_XTABLES && NETWORK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The SECMARK target allows security marking of network
	  packets, for use with security subsystems.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_CONNSECMARK
	tristate '"CONNSECMARK" target support'
	depends on NETFILTER_XTABLES && NF_CONNTRACK && NF_CONNTRACK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The CONNSECMARK target copies security markings from packets
	  to connections, and restores security markings from connections
	  to packets (if the packets are not already marked).  This would
	  normally be used in conjunction with the SECMARK target.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_TCPMSS
	tristate '"TCPMSS" target support'
	depends on NETFILTER_XTABLES && (IPV6 || IPV6=n)
	default m if NETFILTER_ADVANCED=n
	---help---
	  This option adds a `TCPMSS' target, which allows you to alter the
	  MSS value of TCP SYN packets, to control the maximum size for that
	  connection (usually limiting it to your outgoing interface's MTU
	  minus 40).

	  This is used to overcome criminally braindead ISPs or servers which
	  block ICMP Fragmentation Needed packets.  The symptoms of this
	  problem are that everything works fine from your Linux
	  firewall/router, but machines behind it can never exchange large
	  packets:
	        1) Web browsers connect, then hang with no data received.
	        2) Small mail works fine, but large emails hang.
	        3) ssh works fine, but scp hangs after initial handshaking.

	  Workaround: activate this option and add a rule to your firewall
	  configuration like:

	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
	                 -j TCPMSS --clamp-mss-to-pmtu

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_TCPOPTSTRIP
	tristate '"TCPOPTSTRIP" target support (EXPERIMENTAL)'
	depends on EXPERIMENTAL && NETFILTER_XTABLES
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
	  TCP options from TCP packets.

config NETFILTER_XT_MATCH_COMMENT
	tristate '"comment" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `comment' dummy-match, which allows you to put
	  comments in your iptables ruleset.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNBYTES
	tristate '"connbytes" per-connection counter match support'
	depends on NETFILTER_XTABLES
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CT_ACCT
	help
	  This option adds a `connbytes' match, which allows you to match the
	  number of bytes and/or packets for each direction within a connection.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNLIMIT
	tristate '"connlimit" match support'
	depends on NETFILTER_XTABLES
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	---help---
	  This match allows you to match against the number of parallel
	  connections to a server per client IP address (or address block).

config NETFILTER_XT_MATCH_CONNMARK
	tristate '"connmark" connection mark match support'
	depends on NETFILTER_XTABLES
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  This option adds a `connmark' match, which allows you to match the
	  connection mark value previously set for the session by `CONNMARK'.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  The module will be called
	  ipt_connmark.ko.  If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNTRACK
	tristate '"conntrack" connection tracking match support'
	depends on NETFILTER_XTABLES
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  This is a general conntrack match module, a superset of the state match.

	  It allows matching on additional conntrack information, which is
	  useful in complex configurations, such as NAT gateways with multiple
	  internet links or tunnels.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_DCCP
	tristate '"dccp" protocol match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  With this option enabled, you will be able to use the iptables
	  `dccp' match in order to match on DCCP source/destination ports
	  and DCCP flags.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_DSCP
	tristate '"dscp" and "tos" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It will also add a "tos" match, which allows you to match packets
	  based on the Type Of Service fields of the IPv4 packet (which share
	  the same bits as DSCP).

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_ESP
	tristate '"esp" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the ESP header of IPsec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_HELPER
	tristate '"helper" match support'
	depends on NETFILTER_XTABLES
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack-helper, e.g. ip_conntrack_ftp.

	  To compile it as a module, choose M here.  If unsure, say Y.

config NETFILTER_XT_MATCH_IPRANGE
	tristate '"iprange" address range match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an "iprange" match, which allows you to match based on
	  an IP address range. (Normal iptables only matches on single addresses
	  with an optional mask.)

	  If unsure, say M.

config NETFILTER_XT_MATCH_LENGTH
	tristate '"length" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_LIMIT
	tristate '"limit" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  Limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", below) and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_MAC
	tristate '"mac" address match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_MARK
	tristate '"mark" match support'
	depends on NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  Netfilter mark matching allows you to match packets based on the
	  `nfmark' value in the packet.  This can be set by the MARK target
	  (see below).

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_OWNER
	tristate '"owner" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	---help---
	  Socket owner matching allows you to match locally-generated packets
	  based on who created the socket: the user or group. It is also
	  possible to check whether a socket actually exists.

config NETFILTER_XT_MATCH_POLICY
	tristate 'IPsec "policy" match support'
	depends on NETFILTER_XTABLES && XFRM
	default m if NETFILTER_ADVANCED=n
	help
	  Policy matching allows you to match packets based on the
	  IPsec policy that was used during decapsulation/will
	  be used during encapsulation.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_MULTIPORT
	tristate '"multiport" Multiple port match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_PHYSDEV
	tristate '"physdev" match support'
	depends on NETFILTER_XTABLES && BRIDGE && BRIDGE_NETFILTER
	depends on NETFILTER_ADVANCED
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_PKTTYPE
	tristate '"pkttype" packet type match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  Packet type matching allows you to match a packet by
	  its "class", e.g. BROADCAST, MULTICAST, ...

	  Typical usage:
	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_QUOTA
	tristate '"quota" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `quota' match, which allows matching on a
	  byte counter.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_RATEEST
	tristate '"rateest" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_RATEEST
	help
	  This option adds a `rateest' match, which allows matching on the
	  rate estimated by the RATEEST target.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_REALM
	tristate '"realm" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	select NET_CLS_ROUTE
	help
	  This option adds a `realm' match, which allows you to use the realm
	  key from the routing subsystem inside iptables.

	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
	  in the tc world.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_SCTP
	tristate '"sctp" protocol match support (EXPERIMENTAL)'
	depends on NETFILTER_XTABLES && EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	help
	  With this option enabled, you will be able to use the
	  `sctp' match in order to match on SCTP source/destination ports
	  and SCTP chunk types.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_STATE
	tristate '"state" match support'
	depends on NETFILTER_XTABLES
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (i.e. previous packets).  This
	  is a powerful tool for packet classification.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_STATISTIC
	tristate '"statistic" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `statistic' match, which allows you to match
	  on packets periodically or randomly with a given percentage.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_STRING
	tristate '"string" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	select TEXTSEARCH_BM
	select TEXTSEARCH_FSM
	help
	  This option adds a `string' match, which allows you to look for
	  pattern matches in packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_TCPMSS
	tristate '"tcpmss" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS value of TCP SYN packets, which controls the maximum packet size
	  for that connection.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_TIME
	tristate '"time" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds a "time" match, which allows you to match based on
	  the packet arrival time (at the machine on which netfilter is
	  running) or departure time/date (for locally generated packets).

	  If you say Y here, try `iptables -m time --help` for
	  more information.

	  If you want to compile it as a module, say M here.
	  If unsure, say N.

config NETFILTER_XT_MATCH_U32
	tristate '"u32" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	---help---
	  u32 allows you to extract quantities of up to 4 bytes from a packet,
	  AND them with specified masks, shift them by specified amounts and
	  test whether the results are in any of a set of specified ranges.
	  The specification of what to extract is general enough to skip over
	  headers with lengths stored in the packet, as in IP or TCP header
	  lengths.

	  Details and examples are in the kernel module source.

config NETFILTER_XT_MATCH_HASHLIMIT
	tristate '"hashlimit" match support'
	depends on NETFILTER_XTABLES && (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `hashlimit' match.

	  As opposed to `limit', this match dynamically creates a hash table
	  of limit buckets, based on your selection of source/destination
	  addresses and/or ports.

	  It enables you to express policies like `10kpps for any given
	  destination address' or `500pps from any given source address'
	  with a single rule.

endmenu
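The `select` and `depends on` lines in this menu form a dependency graph, and Kconfig's `select` forces its target on even when that target's own `depends on` is unmet (for instance `NETFILTER_XT_TARGET_CONNMARK` selects `NF_CONNTRACK_MARK`, which itself depends on `NETFILTER_ADVANCED`). As an added example, not part of the kernel file above and not the kernel's own kconfig tooling, the following Python parses a constructed, abridged excerpt of these entries, computes the transitive `select` closure of a chosen set of options, and reports every `depends on` expression the resulting configuration violates; the expression evaluator treats `y` and `m` alike as "on", which is an assumption that ignores tristate subtleties.

```python
"""Resolve 'select' / 'depends on' relations for a Kconfig fragment (example code)."""
import re

# Constructed, abridged excerpt of the netfilter menu above (most help text omitted).
KCONFIG = """\
config NF_CONNTRACK
	tristate "Netfilter connection tracking support"
	default m if NETFILTER_ADVANCED=n

config NF_CONNTRACK_MARK
	bool 'Connection mark tracking support'
	depends on NETFILTER_ADVANCED
	depends on NF_CONNTRACK

config NETFILTER_XTABLES
	tristate "Netfilter Xtables support (required for ip_tables)"

config NETFILTER_XT_TARGET_CONNMARK
	tristate '"CONNMARK" target support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  This option adds a `CONNMARK' target.
"""

# Tokens of a dependency expression: parentheses, && / ||, !, SYM or SYM=y/m/n.
_TOKEN = re.compile(r"\(|\)|&&|\|\||!|[A-Za-z0-9_]+(?:=[ymn])?")


def parse_kconfig(text):
    """Return {symbol: {"depends": [expr, ...], "select": [symbol, ...]}}."""
    symbols, cur, in_help = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            cur, in_help = line.split()[1], False
            symbols[cur] = {"depends": [], "select": []}
        elif line in ("help", "---help---"):
            in_help = True                     # help text is free prose: never parse it
        elif cur and not in_help and line.startswith("depends on "):
            symbols[cur]["depends"].append(line[len("depends on "):])
        elif cur and not in_help and line.startswith("select "):
            symbols[cur]["select"].append(line.split()[1])
    return symbols


def eval_expr(expr, enabled):
    """Evaluate a 'depends on' expression; 'enabled' holds symbols set to y or m.
    Assumption: y and m are both treated as on, so tristate subtleties are ignored."""
    toks = _TOKEN.findall(expr)
    if "".join(toks) != re.sub(r"\s+", "", expr):   # reject anything the grammar misses
        raise ValueError("unparsable expression: %r" % expr)

    def atom():
        t = toks.pop(0)
        if t == "(":
            v = or_()
            if toks.pop(0) != ")":
                raise ValueError("unbalanced parenthesis in %r" % expr)
            return v
        if t == "!":
            return not atom()
        if "=" in t:                           # SYM=n means "SYM is off"
            sym, val = t.split("=")
            return (sym in enabled) == (val != "n")
        return t in enabled

    def and_():
        v = atom()
        while toks and toks[0] == "&&":
            toks.pop(0)
            v = atom() and v                   # always consume the right operand
        return v

    def or_():
        v = and_()
        while toks and toks[0] == "||":
            toks.pop(0)
            v = and_() or v
        return v

    return or_()


def select_closure(symbols, enabled):
    """Everything that ends up on: 'select' forces its target on, transitively,
    even when that target's own 'depends on' is unmet (the classic Kconfig pitfall)."""
    done, todo = set(enabled), list(enabled)
    while todo:
        for s in symbols.get(todo.pop(), {}).get("select", []):
            if s not in done:
                done.add(s)
                todo.append(s)
    return done


def unmet_dependencies(symbols, enabled):
    """Map each enabled symbol to the 'depends on' expressions it fails (sorted keys)."""
    unmet = {}
    for sym in sorted(enabled):
        bad = [d for d in symbols.get(sym, {}).get("depends", []) if not eval_expr(d, enabled)]
        if bad:
            unmet[sym] = bad
    return unmet


SYMBOLS = parse_kconfig(KCONFIG)
```

Running `unmet_dependencies(SYMBOLS, select_closure(SYMBOLS, {...}))` with the CONNMARK target enabled but `NETFILTER_ADVANCED` left off shows both the target and the force-selected `NF_CONNTRACK_MARK` failing their `NETFILTER_ADVANCED` dependency.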
828
829