1menu "Core Netfilter Configuration"
2	depends on NET && INET && NETFILTER
3
4config NETFILTER_NETLINK
5	tristate
6
7config NETFILTER_NETLINK_QUEUE
8	tristate "Netfilter NFQUEUE over NFNETLINK interface"
9	depends on NETFILTER_ADVANCED
10	select NETFILTER_NETLINK
11	help
12	  If this option is enabled, the kernel will include support
13	  for queueing packets via NFNETLINK.
14
15config NETFILTER_NETLINK_LOG
16	tristate "Netfilter LOG over NFNETLINK interface"
17	default m if NETFILTER_ADVANCED=n
18	select NETFILTER_NETLINK
19	help
20	  If this option is enabled, the kernel will include support
21	  for logging packets via NFNETLINK.
22
23	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
24	  and is also scheduled to replace the old syslog-based ipt_LOG
25	  and ip6t_LOG modules.
26
27config NF_CONNTRACK
28	tristate "Netfilter connection tracking support"
29	default m if NETFILTER_ADVANCED=n
30	help
31	  Connection tracking keeps a record of what packets have passed
32	  through your machine, in order to figure out how they are related
33	  into connections.
34
35	  This is required to do Masquerading or other kinds of Network
36	  Address Translation.  It can also be used to enhance packet
37	  filtering (see `Connection state match support' below).
38
39	  To compile it as a module, choose M here.  If unsure, say N.
40
41if NF_CONNTRACK
42
43config NF_CT_ACCT
44	bool "Connection tracking flow accounting"
45	depends on NETFILTER_ADVANCED
46	help
47	  If this option is enabled, the connection tracking code will
48	  keep per-flow packet and byte counters.
49
50	  Those counters can be used for flow-based accounting or the
51	  `connbytes' match.
52
53	  Please note that currently this option only sets a default state.
54	  You may change it at boot time with nf_conntrack.acct=0/1 kernel
55	  parameter or by loading the nf_conntrack module with acct=0/1.
56
57	  You may also disable/enable it on a running system with:
58	   sysctl net.netfilter.nf_conntrack_acct=0/1
59
60	  This option will be removed in 2.6.29.
61
62	  If unsure, say `N'.
63
64config NF_CONNTRACK_MARK
65	bool  'Connection mark tracking support'
66	depends on NETFILTER_ADVANCED
67	help
68	  This option enables support for connection marks, used by the
69	  `CONNMARK' target and `connmark' match. Similar to the mark value
70	  of packets, but this mark value is kept in the conntrack session
71	  instead of the individual packets.
72
73config NF_CONNTRACK_SECMARK
74	bool  'Connection tracking security mark support'
75	depends on NETWORK_SECMARK
76	default m if NETFILTER_ADVANCED=n
77	help
78	  This option enables security markings to be applied to
79	  connections.  Typically they are copied to connections from
80	  packets using the CONNSECMARK target and copied back from
81	  connections to packets with the same target, with the packets
82	  being originally labeled via SECMARK.
83
84	  If unsure, say 'N'.
85
86config NF_CONNTRACK_ZONES
87	bool  'Connection tracking zones'
88	depends on NETFILTER_ADVANCED
89	depends on NETFILTER_XT_TARGET_CT
90	help
91	  This option enables support for connection tracking zones.
92	  Normally, each connection needs to have a unique system wide
93	  identity. Connection tracking zones allow multiple connections to
94	  share the same identity, as long as they are contained in
95	  different zones.
96
97	  If unsure, say `N'.
98
99config NF_CONNTRACK_EVENTS
100	bool "Connection tracking events"
101	depends on NETFILTER_ADVANCED
102	help
103	  If this option is enabled, the connection tracking code will
104	  provide a notifier chain that can be used by other kernel code
105	  to get notified about changes in the connection tracking state.
106
107	  If unsure, say `N'.
108
109config NF_CT_PROTO_DCCP
110	tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)'
111	depends on EXPERIMENTAL
112	depends on NETFILTER_ADVANCED
113	default IP_DCCP
114	help
115	  With this option enabled, the layer 3 independent connection
116	  tracking code will be able to do state tracking on DCCP connections.
117
118	  If unsure, say 'N'.
119
120config NF_CT_PROTO_GRE
121	tristate
122
123config NF_CT_PROTO_SCTP
124	tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
125	depends on EXPERIMENTAL
126	depends on NETFILTER_ADVANCED
127	default IP_SCTP
128	help
129	  With this option enabled, the layer 3 independent connection
130	  tracking code will be able to do state tracking on SCTP connections.
131
132	  If you want to compile it as a module, say M here and read
133	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
134
135config NF_CT_PROTO_UDPLITE
136	tristate 'UDP-Lite protocol connection tracking support'
137	depends on NETFILTER_ADVANCED
138	help
139	  With this option enabled, the layer 3 independent connection
140	  tracking code will be able to do state tracking on UDP-Lite
141	  connections.
142
143	  To compile it as a module, choose M here.  If unsure, say N.
144
145config NF_CONNTRACK_AMANDA
146	tristate "Amanda backup protocol support"
147	depends on NETFILTER_ADVANCED
148	select TEXTSEARCH
149	select TEXTSEARCH_KMP
150	help
151	  If you are running the Amanda backup package <http://www.amanda.org/>
152	  on this machine or machines that will be MASQUERADED through this
153	  machine, then you may want to enable this feature.  This allows the
154	  connection tracking and natting code to allow the sub-channels that
155	  Amanda requires for communication of the backup data, messages and
156	  index.
157
158	  To compile it as a module, choose M here.  If unsure, say N.
159
160config NF_CONNTRACK_FTP
161	tristate "FTP protocol support"
162	default m if NETFILTER_ADVANCED=n
163	help
164	  Tracking FTP connections is problematic: special helpers are
165	  required for tracking them, and doing masquerading and other forms
166	  of Network Address Translation on them.
167
168	  This is FTP support on Layer 3 independent connection tracking.
169	  Layer 3 independent connection tracking is an experimental scheme
170	  which generalizes ip_conntrack to support other layer 3 protocols.
171
172	  To compile it as a module, choose M here.  If unsure, say N.
173
174config NF_CONNTRACK_H323
175	tristate "H.323 protocol support"
176	depends on (IPV6 || IPV6=n)
177	depends on NETFILTER_ADVANCED
178	help
179	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
180	  important VoIP protocols, it is widely used by voice hardware and
181	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
182	  Gnomemeeting, etc.
183
184	  With this module you can support H.323 on a connection tracking/NAT
185	  firewall.
186
187	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
188	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
189	  whiteboard, file transfer, etc. For more information, please
190	  visit http://nath323.sourceforge.net/.
191
192	  To compile it as a module, choose M here.  If unsure, say N.
193
194config NF_CONNTRACK_IRC
195	tristate "IRC protocol support"
196	default m if NETFILTER_ADVANCED=n
197	help
198	  There is a commonly-used extension to IRC called
199	  Direct Client-to-Client Protocol (DCC).  This enables users to send
200	  files to each other, and also chat to each other without the need
201	  of a server.  DCC Sending is used anywhere you send files over IRC,
202	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
203	  using NAT, this extension will enable you to send files and initiate
204	  chats.  Note that you do NOT need this extension to get files or
205	  have others initiate chats, or everything else in IRC.
206
207	  To compile it as a module, choose M here.  If unsure, say N.
208
209config NF_CONNTRACK_NETBIOS_NS
210	tristate "NetBIOS name service protocol support"
211	depends on NETFILTER_ADVANCED
212	help
213	  NetBIOS name service requests are sent as broadcast messages from an
214	  unprivileged port and responded to with unicast messages to the
215	  same port. This makes them hard to firewall properly because connection
216	  tracking doesn't deal with broadcasts. This helper tracks locally
217	  originating NetBIOS name service requests and the corresponding
218	  responses. It relies on correct IP address configuration, specifically
219	  netmask and broadcast address. When properly configured, the output
220	  of "ip address show" should look similar to this:
221
222	  $ ip -4 address show eth0
223	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
224	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
225
226	  To compile it as a module, choose M here.  If unsure, say N.
227
228config NF_CONNTRACK_PPTP
229	tristate "PPTP protocol support"
230	depends on NETFILTER_ADVANCED
231	select NF_CT_PROTO_GRE
232	help
233	  This module adds support for PPTP (Point to Point Tunnelling
234	  Protocol, RFC2637) connection tracking and NAT.
235
236	  If you are running PPTP sessions over a stateful firewall or NAT
237	  box, you may want to enable this feature.
238
239	  Please note that not all PPTP modes of operation are supported yet.
240	  Specifically these limitations exist:
241	    - Blindly assumes that control connections are always established
242	      in PNS->PAC direction. This is a violation of RFC2637.
243	    - Only supports a single call within each session
244
245	  To compile it as a module, choose M here.  If unsure, say N.
246
247config NF_CONNTRACK_SANE
248	tristate "SANE protocol support (EXPERIMENTAL)"
249	depends on EXPERIMENTAL
250	depends on NETFILTER_ADVANCED
251	help
252	  SANE is a protocol for remote access to scanners as implemented
253	  by the 'saned' daemon. Like FTP, it uses separate control and
254	  data connections.
255
256	  With this module you can support SANE on a connection tracking
257	  firewall.
258
259	  To compile it as a module, choose M here.  If unsure, say N.
260
261config NF_CONNTRACK_SIP
262	tristate "SIP protocol support"
263	default m if NETFILTER_ADVANCED=n
264	help
265	  SIP is an application-layer control protocol that can establish,
266	  modify, and terminate multimedia sessions (conferences) such as
267	  Internet telephony calls. With the ip_conntrack_sip and
268	  the nf_nat_sip modules you can support the protocol on a connection
269	  tracking/NATing firewall.
270
271	  To compile it as a module, choose M here.  If unsure, say N.
272
273config NF_CONNTRACK_TFTP
274	tristate "TFTP protocol support"
275	depends on NETFILTER_ADVANCED
276	help
277	  TFTP connection tracking helper, this is required depending
278	  on how restrictive your ruleset is.
279	  If you are using a tftp client behind -j SNAT or -j MASQUERADING
280	  you will need this.
281
282	  To compile it as a module, choose M here.  If unsure, say N.
283
284config NF_CT_NETLINK
285	tristate 'Connection tracking netlink interface'
286	select NETFILTER_NETLINK
287	default m if NETFILTER_ADVANCED=n
288	help
289	  This option enables support for a netlink-based userspace interface.
290
291endif # NF_CONNTRACK
292
293# transparent proxy support
294config NETFILTER_TPROXY
295	tristate "Transparent proxying support (EXPERIMENTAL)"
296	depends on EXPERIMENTAL
297	depends on IP_NF_MANGLE
298	depends on NETFILTER_ADVANCED
299	help
300	  This option enables transparent proxying support, that is,
301	  support for handling non-locally bound IPv4 TCP and UDP sockets.
302	  For it to work you will have to configure certain iptables rules
303	  and use policy routing. For more information on how to set it up
304	  see Documentation/networking/tproxy.txt.
305
306	  To compile it as a module, choose M here.  If unsure, say N.
307
308config NETFILTER_XTABLES
309	tristate "Netfilter Xtables support (required for ip_tables)"
310	default m if NETFILTER_ADVANCED=n
311	help
312	  This is required if you intend to use any of ip_tables,
313	  ip6_tables or arp_tables.
314
315if NETFILTER_XTABLES
316
317comment "Xtables combined modules"
318
319config NETFILTER_XT_MARK
320	tristate 'nfmark target and match support'
321	default m if NETFILTER_ADVANCED=n
322	---help---
323	This option adds the "MARK" target and "mark" match.
324
325	Netfilter mark matching allows you to match packets based on the
326	"nfmark" value in the packet.
327	The target allows you to create rules in the "mangle" table which alter
328	the netfilter mark (nfmark) field associated with the packet.
329
330	Prior to routing, the nfmark can influence the routing method (see
331	"Use netfilter MARK value as routing key") and can also be used by
332	other subsystems to change their behavior.
333
334config NETFILTER_XT_CONNMARK
335	tristate 'ctmark target and match support'
336	depends on NF_CONNTRACK
337	depends on NETFILTER_ADVANCED
338	select NF_CONNTRACK_MARK
339	---help---
340	This option adds the "CONNMARK" target and "connmark" match.
341
342	Netfilter allows you to store a mark value per connection (a.k.a.
343	ctmark), similarly to the packet mark (nfmark). Using this
344	target and match, you can set and match on this mark.
345
346# alphabetically ordered list of targets
347
348comment "Xtables targets"
349
350config NETFILTER_XT_TARGET_CLASSIFY
351	tristate '"CLASSIFY" target support'
352	depends on NETFILTER_ADVANCED
353	help
354	  This option adds a `CLASSIFY' target, which enables the user to set
355	  the priority of a packet. Some qdiscs can use this value for
356	  classification, among these are:
357
358	  atm, cbq, dsmark, pfifo_fast, htb, prio
359
360	  To compile it as a module, choose M here.  If unsure, say N.
361
362config NETFILTER_XT_TARGET_CONNMARK
363	tristate  '"CONNMARK" target support'
364	depends on NF_CONNTRACK
365	depends on NETFILTER_ADVANCED
366	select NETFILTER_XT_CONNMARK
367	---help---
368	This is a backwards-compat option for the user's convenience
369	(e.g. when running oldconfig). It selects
370	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
371
372config NETFILTER_XT_TARGET_CONNSECMARK
373	tristate '"CONNSECMARK" target support'
374	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
375	default m if NETFILTER_ADVANCED=n
376	help
377	  The CONNSECMARK target copies security markings from packets
378	  to connections, and restores security markings from connections
379	  to packets (if the packets are not already marked).  This would
380	  normally be used in conjunction with the SECMARK target.
381
382	  To compile it as a module, choose M here.  If unsure, say N.
383
384config NETFILTER_XT_TARGET_CT
385	tristate '"CT" target support'
386	depends on NF_CONNTRACK
387	depends on IP_NF_RAW || IP6_NF_RAW
388	depends on NETFILTER_ADVANCED
389	help
390	  This option adds a `CT' target, which allows you to specify initial
391	  connection tracking parameters like events to be delivered and
392	  the helper to be used.
393
394	  To compile it as a module, choose M here.  If unsure, say N.
395
396config NETFILTER_XT_TARGET_DSCP
397	tristate '"DSCP" and "TOS" target support'
398	depends on IP_NF_MANGLE || IP6_NF_MANGLE
399	depends on NETFILTER_ADVANCED
400	help
401	  This option adds a `DSCP' target, which allows you to manipulate
402	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
403
404	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
405
406	  It also adds the "TOS" target, which allows you to create rules in
407	  the "mangle" table which alter the Type Of Service field of an IPv4
408	  or the Priority field of an IPv6 packet, prior to routing.
409
410	  To compile it as a module, choose M here.  If unsure, say N.
411
412config NETFILTER_XT_TARGET_HL
413	tristate '"HL" hoplimit target support'
414	depends on IP_NF_MANGLE || IP6_NF_MANGLE
415	depends on NETFILTER_ADVANCED
416	---help---
417	This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
418	targets, which enable the user to change the
419	hoplimit/time-to-live value of the IP header.
420
421	While it is safe to decrement the hoplimit/TTL value, the
422	modules also allow you to increment and set the hoplimit value of
423	the header to arbitrary values. This is EXTREMELY DANGEROUS
424	since you can easily create immortal packets that loop
425	forever on the network.
426
427config NETFILTER_XT_TARGET_LED
428	tristate '"LED" target support'
429	depends on LEDS_CLASS && LEDS_TRIGGERS
430	depends on NETFILTER_ADVANCED
431	help
432	  This option adds a `LED' target, which allows you to blink LEDs in
433	  response to particular packets passing through your machine.
434
435	  This can be used to turn a spare LED into a network activity LED,
436	  which only flashes in response to FTP transfers, for example.  Or
437	  you could have an LED which lights up for a minute or two every time
438	  somebody connects to your machine via SSH.
439
440	  You will need support for the "led" class to make this work.
441
442	  To create an LED trigger for incoming SSH traffic:
443	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
444
445	  Then attach the new trigger to an LED on your system:
446	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
447
448	  For more information on the LEDs available on your system, see
449	  Documentation/leds-class.txt
450
451config NETFILTER_XT_TARGET_MARK
452	tristate '"MARK" target support'
453	depends on NETFILTER_ADVANCED
454	select NETFILTER_XT_MARK
455	---help---
456	This is a backwards-compat option for the user's convenience
457	(e.g. when running oldconfig). It selects
458	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
459
460config NETFILTER_XT_TARGET_NFLOG
461	tristate '"NFLOG" target support'
462	default m if NETFILTER_ADVANCED=n
463	select NETFILTER_NETLINK_LOG
464	help
465	  This option enables the NFLOG target, which allows you to log
466	  messages through nfnetlink_log.
467
468	  To compile it as a module, choose M here.  If unsure, say N.
469
470config NETFILTER_XT_TARGET_NFQUEUE
471	tristate '"NFQUEUE" target support'
472	depends on NETFILTER_ADVANCED
473	help
474	  This target replaced the old obsolete QUEUE target.
475
476	  As opposed to QUEUE, it supports 65535 different queues,
477	  not just one.
478
479	  To compile it as a module, choose M here.  If unsure, say N.
480
481config NETFILTER_XT_TARGET_NOTRACK
482	tristate  '"NOTRACK" target support'
483	depends on IP_NF_RAW || IP6_NF_RAW
484	depends on NF_CONNTRACK
485	depends on NETFILTER_ADVANCED
486	help
487	  The NOTRACK target allows a select rule to specify
488	  which packets *not* to enter the conntrack/NAT
489	  subsystem with all the consequences (no ICMP error tracking,
490	  no protocol helpers for the selected packets).
491
492	  If you want to compile it as a module, say M here and read
493	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
494
495config NETFILTER_XT_TARGET_RATEEST
496	tristate '"RATEEST" target support'
497	depends on NETFILTER_ADVANCED
498	help
499	  This option adds a `RATEEST' target, which allows you to measure
500	  rates similar to TC estimators. The `rateest' match can be
501	  used to match on the measured rates.
502
503	  To compile it as a module, choose M here.  If unsure, say N.
504
505config NETFILTER_XT_TARGET_TEE
506	tristate '"TEE" - packet cloning to alternate destination'
507	depends on NETFILTER_ADVANCED
508	depends on (IPV6 || IPV6=n)
509	depends on !NF_CONNTRACK || NF_CONNTRACK
510	---help---
511	This option adds a "TEE" target with which a packet can be cloned and
512	this clone be rerouted to another nexthop.
513
514config NETFILTER_XT_TARGET_TPROXY
515	tristate '"TPROXY" target support (EXPERIMENTAL)'
516	depends on EXPERIMENTAL
517	depends on NETFILTER_TPROXY
518	depends on NETFILTER_XTABLES
519	depends on NETFILTER_ADVANCED
520	select NF_DEFRAG_IPV4
521	help
522	  This option adds a `TPROXY' target, which is somewhat similar to
523	  REDIRECT.  It can only be used in the mangle table and is useful
524	  to redirect traffic to a transparent proxy.  It does _not_ depend
525	  on Netfilter connection tracking and NAT, unlike REDIRECT.
526
527	  To compile it as a module, choose M here.  If unsure, say N.
528
529config NETFILTER_XT_TARGET_TRACE
530	tristate  '"TRACE" target support'
531	depends on IP_NF_RAW || IP6_NF_RAW
532	depends on NETFILTER_ADVANCED
533	help
534	  The TRACE target allows you to mark packets so that the kernel
535	  will log every rule which matches the packets as they traverse
536	  the tables, chains, rules.
537
538	  If you want to compile it as a module, say M here and read
539	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
540
541config NETFILTER_XT_TARGET_SECMARK
542	tristate '"SECMARK" target support'
543	depends on NETWORK_SECMARK
544	default m if NETFILTER_ADVANCED=n
545	help
546	  The SECMARK target allows security marking of network
547	  packets, for use with security subsystems.
548
549	  To compile it as a module, choose M here.  If unsure, say N.
550
551config NETFILTER_XT_TARGET_TCPMSS
552	tristate '"TCPMSS" target support'
553	depends on (IPV6 || IPV6=n)
554	default m if NETFILTER_ADVANCED=n
555	---help---
556	  This option adds a `TCPMSS' target, which allows you to alter the
557	  MSS value of TCP SYN packets, to control the maximum size for that
558	  connection (usually limiting it to your outgoing interface's MTU
559	  minus 40).
560
561	  This is used to overcome criminally braindead ISPs or servers which
562	  block ICMP Fragmentation Needed packets.  The symptoms of this
563	  problem are that everything works fine from your Linux
564	  firewall/router, but machines behind it can never exchange large
565	  packets:
566	        1) Web browsers connect, then hang with no data received.
567	        2) Small mail works fine, but large emails hang.
568	        3) ssh works fine, but scp hangs after initial handshaking.
569
570	  Workaround: activate this option and add a rule to your firewall
571	  configuration like:
572
573	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
574	                 -j TCPMSS --clamp-mss-to-pmtu
575
576	  To compile it as a module, choose M here.  If unsure, say N.
577
578config NETFILTER_XT_TARGET_TCPOPTSTRIP
579	tristate '"TCPOPTSTRIP" target support (EXPERIMENTAL)'
580	depends on EXPERIMENTAL
581	depends on IP_NF_MANGLE || IP6_NF_MANGLE
582	depends on NETFILTER_ADVANCED
583	help
584	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
585	  TCP options from TCP packets.
586
587# alphabetically ordered list of matches
588
589comment "Xtables matches"
590
591config NETFILTER_XT_MATCH_CLUSTER
592	tristate '"cluster" match support'
593	depends on NF_CONNTRACK
594	depends on NETFILTER_ADVANCED
595	---help---
596	  This option allows you to build work-load-sharing clusters of
597	  network servers/stateful firewalls without having a dedicated
598	  load-balancing router/server/switch. Basically, this match returns
599	  true when the packet must be handled by this cluster node. Thus,
600	  all nodes see all packets and this match decides which node handles
601	  what packets. The work-load sharing algorithm is based on source
602	  address hashing.
603
604	  If you say Y or M here, try `iptables -m cluster --help` for
605	  more information.
606
607config NETFILTER_XT_MATCH_COMMENT
608	tristate  '"comment" match support'
609	depends on NETFILTER_ADVANCED
610	help
611	  This option adds a `comment' dummy-match, which allows you to put
612	  comments in your iptables ruleset.
613
614	  If you want to compile it as a module, say M here and read
615	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
616
617config NETFILTER_XT_MATCH_CONNBYTES
618	tristate  '"connbytes" per-connection counter match support'
619	depends on NF_CONNTRACK
620	depends on NETFILTER_ADVANCED
621	select NF_CT_ACCT
622	help
623	  This option adds a `connbytes' match, which allows you to match the
624	  number of bytes and/or packets for each direction within a connection.
625
626	  If you want to compile it as a module, say M here and read
627	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
628
629config NETFILTER_XT_MATCH_CONNLIMIT
630	tristate '"connlimit" match support'
631	depends on NF_CONNTRACK
632	depends on NETFILTER_ADVANCED
633	---help---
634	  This match allows you to match against the number of parallel
635	  connections to a server per client IP address (or address block).
636
637config NETFILTER_XT_MATCH_CONNMARK
638	tristate  '"connmark" connection mark match support'
639	depends on NF_CONNTRACK
640	depends on NETFILTER_ADVANCED
641	select NETFILTER_XT_CONNMARK
642	---help---
643	This is a backwards-compat option for the user's convenience
644	(e.g. when running oldconfig). It selects
645	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
646
647config NETFILTER_XT_MATCH_CONNTRACK
648	tristate '"conntrack" connection tracking match support'
649	depends on NF_CONNTRACK
650	default m if NETFILTER_ADVANCED=n
651	help
652	  This is a general conntrack match module, a superset of the state match.
653
654	  It allows matching on additional conntrack information, which is
655	  useful in complex configurations, such as NAT gateways with multiple
656	  internet links or tunnels.
657
658	  To compile it as a module, choose M here.  If unsure, say N.
659
660config NETFILTER_XT_MATCH_DCCP
661	tristate '"dccp" protocol match support'
662	depends on NETFILTER_ADVANCED
663	default IP_DCCP
664	help
665	  With this option enabled, you will be able to use the iptables
666	  `dccp' match in order to match on DCCP source/destination ports
667	  and DCCP flags.
668
669	  If you want to compile it as a module, say M here and read
670	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
671
672config NETFILTER_XT_MATCH_DSCP
673	tristate '"dscp" and "tos" match support'
674	depends on NETFILTER_ADVANCED
675	help
676	  This option adds a `DSCP' match, which allows you to match against
677	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
678
679	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
680
681	  It will also add a "tos" match, which allows you to match packets
682	  based on the Type Of Service fields of the IPv4 packet (which share
683	  the same bits as DSCP).
684
685	  To compile it as a module, choose M here.  If unsure, say N.
686
687config NETFILTER_XT_MATCH_ESP
688	tristate '"esp" match support'
689	depends on NETFILTER_ADVANCED
690	help
691	  This match extension allows you to match a range of SPIs
692	  inside ESP header of IPSec packets.
693
694	  To compile it as a module, choose M here.  If unsure, say N.
695
696config NETFILTER_XT_MATCH_HASHLIMIT
697	tristate '"hashlimit" match support'
698	depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
699	depends on NETFILTER_ADVANCED
700	help
701	  This option adds a `hashlimit' match.
702
703	  As opposed to `limit', this match dynamically creates a hash table
704	  of limit buckets, based on your selection of source/destination
705	  addresses and/or ports.
706
707	  It enables you to express policies like `10kpps for any given
708	  destination address' or `500pps from any given source address'
709	  with a single rule.
710
711config NETFILTER_XT_MATCH_HELPER
712	tristate '"helper" match support'
713	depends on NF_CONNTRACK
714	depends on NETFILTER_ADVANCED
715	help
716	  Helper matching allows you to match packets in dynamic connections
717	  tracked by a conntrack-helper, e.g. ip_conntrack_ftp.
718
719	  To compile it as a module, choose M here.  If unsure, say Y.
720
721config NETFILTER_XT_MATCH_HL
722	tristate '"hl" hoplimit/TTL match support'
723	depends on NETFILTER_ADVANCED
724	---help---
725	HL matching allows you to match packets based on the hoplimit
726	in the IPv6 header, or the time-to-live field in the IPv4
727	header of the packet.
728
729config NETFILTER_XT_MATCH_IPRANGE
730	tristate '"iprange" address range match support'
731	depends on NETFILTER_ADVANCED
732	---help---
733	This option adds an "iprange" match, which allows you to match based on
734	an IP address range. (Normal iptables only matches on single addresses
735	with an optional mask.)
736
737	If unsure, say M.
738
739config NETFILTER_XT_MATCH_LENGTH
740	tristate '"length" match support'
741	depends on NETFILTER_ADVANCED
742	help
743	  This option allows you to match the length of a packet against a
744	  specific value or range of values.
745
746	  To compile it as a module, choose M here.  If unsure, say N.
747
748config NETFILTER_XT_MATCH_LIMIT
749	tristate '"limit" match support'
750	depends on NETFILTER_ADVANCED
751	help
752	  limit matching allows you to control the rate at which a rule can be
753	  matched: mainly useful in combination with the LOG target ("LOG
754	  target support", below) and to avoid some Denial of Service attacks.
755
756	  To compile it as a module, choose M here.  If unsure, say N.
757
758config NETFILTER_XT_MATCH_MAC
759	tristate '"mac" address match support'
760	depends on NETFILTER_ADVANCED
761	help
762	  MAC matching allows you to match packets based on the source
763	  Ethernet address of the packet.
764
765	  To compile it as a module, choose M here.  If unsure, say N.
766
767config NETFILTER_XT_MATCH_MARK
768	tristate '"mark" match support'
769	depends on NETFILTER_ADVANCED
770	select NETFILTER_XT_MARK
771	---help---
772	This is a backwards-compat option for the user's convenience
773	(e.g. when running oldconfig). It selects
774	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
775
776config NETFILTER_XT_MATCH_MULTIPORT
777	tristate '"multiport" Multiple port match support'
778	depends on NETFILTER_ADVANCED
779	help
780	  Multiport matching allows you to match TCP or UDP packets based on
781	  a series of source or destination ports: normally a rule can only
782	  match a single range of ports.
783
784	  To compile it as a module, choose M here.  If unsure, say N.
785
786config NETFILTER_XT_MATCH_OSF
787	tristate '"osf" Passive OS fingerprint match'
788	depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
789	help
790	  This option selects the Passive OS Fingerprinting match module
791	  that allows you to passively match the remote operating system by
792	  analyzing incoming TCP SYN packets.
793
794	  Rules and loading software can be downloaded from
795	  http://www.ioremap.net/projects/osf
796
797	  To compile it as a module, choose M here.  If unsure, say N.
798
799config NETFILTER_XT_MATCH_OWNER
800	tristate '"owner" match support'
801	depends on NETFILTER_ADVANCED
802	---help---
803	Socket owner matching allows you to match locally-generated packets
804	based on who created the socket: the user or group. It is also
805	possible to check whether a socket actually exists.
806
807config NETFILTER_XT_MATCH_POLICY
808	tristate 'IPsec "policy" match support'
809	depends on XFRM
810	default m if NETFILTER_ADVANCED=n
811	help
812	  Policy matching allows you to match packets based on the
813	  IPsec policy that was used during decapsulation/will
814	  be used during encapsulation.
815
816	  To compile it as a module, choose M here.  If unsure, say N.
817
818config NETFILTER_XT_MATCH_PHYSDEV
819	tristate '"physdev" match support'
820	depends on BRIDGE && BRIDGE_NETFILTER
821	depends on NETFILTER_ADVANCED
822	help
823	  Physdev packet matching matches against the physical bridge ports
824	  the IP packet arrived on or will leave by.
825
826	  To compile it as a module, choose M here.  If unsure, say N.
827
828config NETFILTER_XT_MATCH_PKTTYPE
829	tristate '"pkttype" packet type match support'
830	depends on NETFILTER_ADVANCED
831	help
832	  Packet type matching allows you to match a packet by
833	  its "class", e.g. BROADCAST, MULTICAST, ...
834
835	  Typical usage:
836	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
837
838	  To compile it as a module, choose M here.  If unsure, say N.
839
840config NETFILTER_XT_MATCH_QUOTA
841	tristate '"quota" match support'
842	depends on NETFILTER_ADVANCED
843	help
844	  This option adds a `quota' match, which allows you to match on a
845	  byte counter.
846
847	  If you want to compile it as a module, say M here and read
848	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
849
850config NETFILTER_XT_MATCH_RATEEST
851	tristate '"rateest" match support'
852	depends on NETFILTER_ADVANCED
853	select NETFILTER_XT_TARGET_RATEEST
854	help
855	  This option adds a `rateest' match, which allows you to match on the
856	  rate estimated by the RATEEST target.
857
858	  To compile it as a module, choose M here.  If unsure, say N.
859
860config NETFILTER_XT_MATCH_REALM
861	tristate  '"realm" match support'
862	depends on NETFILTER_ADVANCED
863	select NET_CLS_ROUTE
864	help
865	  This option adds a `realm' match, which allows you to use the realm
866	  key from the routing subsystem inside iptables.
867
868	  This match closely resembles the CONFIG_NET_CLS_ROUTE4 option
869	  in the tc world.
870
871	  If you want to compile it as a module, say M here and read
872	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
873
874config NETFILTER_XT_MATCH_RECENT
875	tristate '"recent" match support'
876	depends on NETFILTER_ADVANCED
877	---help---
878	This match is used for creating one or more lists of recently
879	used addresses and then matching against those lists.
880
881	Short options are available by using 'iptables -m recent -h'
882	Official Website: <http://snowman.net/projects/ipt_recent/>
883
884config NETFILTER_XT_MATCH_SCTP
885	tristate  '"sctp" protocol match support (EXPERIMENTAL)'
886	depends on EXPERIMENTAL
887	depends on NETFILTER_ADVANCED
888	default IP_SCTP
889	help
890	  With this option enabled, you will be able to use the
891	  `sctp' match in order to match on SCTP source/destination ports
892	  and SCTP chunk types.
893
894	  If you want to compile it as a module, say M here and read
895	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
896
897config NETFILTER_XT_MATCH_SOCKET
898	tristate '"socket" match support (EXPERIMENTAL)'
899	depends on EXPERIMENTAL
900	depends on NETFILTER_TPROXY
901	depends on NETFILTER_XTABLES
902	depends on NETFILTER_ADVANCED
903	depends on !NF_CONNTRACK || NF_CONNTRACK
904	select NF_DEFRAG_IPV4
905	help
906	  This option adds a `socket' match, which can be used to match
907	  packets for which a TCP or UDP socket lookup finds a valid socket.
908	  It can be used in combination with the MARK target and policy
909	  routing to implement full featured non-locally bound sockets.
910
911	  To compile it as a module, choose M here.  If unsure, say N.
912
913config NETFILTER_XT_MATCH_STATE
914	tristate '"state" match support'
915	depends on NF_CONNTRACK
916	default m if NETFILTER_ADVANCED=n
917	help
918	  Connection state matching allows you to match packets based on their
919	  relationship to a tracked connection (i.e. previous packets).  This
920	  is a powerful tool for packet classification.
921
922	  To compile it as a module, choose M here.  If unsure, say N.
923
924config NETFILTER_XT_MATCH_STATISTIC
925	tristate '"statistic" match support'
926	depends on NETFILTER_ADVANCED
927	help
928	  This option adds a `statistic' match, which allows you to match
929	  on packets periodically or randomly with a given percentage.
930
931	  To compile it as a module, choose M here.  If unsure, say N.
932
933config NETFILTER_XT_MATCH_STRING
934	tristate  '"string" match support'
935	depends on NETFILTER_ADVANCED
936	select TEXTSEARCH
937	select TEXTSEARCH_KMP
938	select TEXTSEARCH_BM
939	select TEXTSEARCH_FSM
940	help
941	  This option adds a `string' match, which allows you to search for
942	  patterns in packets.
943
944	  To compile it as a module, choose M here.  If unsure, say N.
945
946config NETFILTER_XT_MATCH_TCPMSS
947	tristate '"tcpmss" match support'
948	depends on NETFILTER_ADVANCED
949	help
950	  This option adds a `tcpmss' match, which allows you to examine the
951	  MSS value of TCP SYN packets, which controls the maximum packet size
952	  for that connection.
953
954	  To compile it as a module, choose M here.  If unsure, say N.
955
956config NETFILTER_XT_MATCH_TIME
957	tristate '"time" match support'
958	depends on NETFILTER_ADVANCED
959	---help---
960	  This option adds a "time" match, which allows you to match based on
961	  the packet arrival time (at the machine on which netfilter is
962	  running) or departure time/date (for locally generated packets).
963
964	  If you say Y here, try `iptables -m time --help` for
965	  more information.
966
967	  If you want to compile it as a module, say M here.
968	  If unsure, say N.
969
970config NETFILTER_XT_MATCH_U32
971	tristate '"u32" match support'
972	depends on NETFILTER_ADVANCED
973	---help---
974	  u32 allows you to extract quantities of up to 4 bytes from a packet,
975	  AND them with specified masks, shift them by specified amounts and
976	  test whether the results are in any of a set of specified ranges.
977	  The specification of what to extract is general enough to skip over
978	  headers with lengths stored in the packet, as in IP or TCP header
979	  lengths.
980
981	  Details and examples are in the kernel module source.
982
983endif # NETFILTER_XTABLES
984
985endmenu
986
987source "net/netfilter/ipvs/Kconfig"
988