menu "Core Netfilter Configuration"
	depends on NET && INET && NETFILTER

config NETFILTER_NETLINK
	tristate

config NETFILTER_NETLINK_QUEUE
	tristate "Netfilter NFQUEUE over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for queueing packets via NFNETLINK.

config NETFILTER_NETLINK_LOG
	tristate "Netfilter LOG over NFNETLINK interface"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for logging packets via NFNETLINK.

	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
	  and is also scheduled to replace the old syslog-based ipt_LOG
	  and ip6t_LOG modules.

config NF_CONNTRACK
	tristate "Netfilter connection tracking support"
	default m if NETFILTER_ADVANCED=n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is required to do Masquerading or other kinds of Network
	  Address Translation. It can also be used to enhance packet
	  filtering (see `Connection state match support' below).

	  To compile it as a module, choose M here. If unsure, say N.

if NF_CONNTRACK

config NF_CONNTRACK_MARK
	bool 'Connection mark tracking support'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match. Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config NF_CONNTRACK_SECMARK
	bool 'Connection tracking security mark support'
	depends on NETWORK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables security markings to be applied to
	  connections.  Typically they are copied to connections from
	  packets using the CONNSECMARK target and copied back from
	  connections to packets with the same target, with the packets
	  being originally labeled via SECMARK.

	  If unsure, say 'N'.

config NF_CONNTRACK_ZONES
	bool 'Connection tracking zones'
	depends on NETFILTER_ADVANCED
	depends on NETFILTER_XT_TARGET_CT
	help
	  This option enables support for connection tracking zones.
	  Normally, each connection needs to have a unique system wide
	  identity. Connection tracking zones allow multiple connections
	  to share the same identity, as long as they are contained in
	  different zones.

	  If unsure, say `N'.

config NF_CONNTRACK_EVENTS
	bool "Connection tracking events"
	depends on NETFILTER_ADVANCED
	help
	  If this option is enabled, the connection tracking code will
	  provide a notifier chain that can be used by other kernel code
	  to get notified about changes in the connection tracking state.

	  If unsure, say `N'.

config NF_CONNTRACK_TIMESTAMP
	bool 'Connection tracking timestamping'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection tracking timestamping.
	  This allows you to store the flow start-time and to obtain
	  the flow-stop time (once it has been destroyed) via Connection
	  tracking events.

	  If unsure, say `N'.

config NF_CT_PROTO_DCCP
	tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	default IP_DCCP
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on DCCP connections.

	  If unsure, say 'N'.
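The NF_CONNTRACK, NF_CONNTRACK_ZONES and "conntrack" state behaviour described above, as an added Python example (this is illustration code, not the kernel's nf_conntrack): packets are grouped into connections by their 5-tuple, the reply direction is found by reversing that tuple, a connection is NEW until a reply has been seen and ESTABLISHED afterwards, and the same tuple seen in two zones is two separate connections. The `ConnTracker` class, its `tcp_loose` flag (mirroring the `nf_conntrack_tcp_loose=0` sysctl, under which only a SYN may create a TCP entry) and the sample tuples are all assumptions of this example.

```python
"""Toy connection tracker in the spirit of nf_conntrack (added example, not
kernel code).  Packets are related into connections by their 5-tuple, the
reply direction is the reversed tuple, and a zone id is part of the key so
the same tuple can be tracked independently in different zones."""
from dataclasses import dataclass
from typing import Dict, Tuple

# (proto, src addr, src port, dst addr, dst port): the conntrack "tuple"
Tuple5 = Tuple[str, str, int, str, int]


def reverse(t: Tuple5) -> Tuple5:
    """The reply direction simply swaps source and destination."""
    proto, saddr, sport, daddr, dport = t
    return (proto, daddr, dport, saddr, sport)


@dataclass
class Conn:
    original: Tuple5
    zone: int
    seen_reply: bool = False   # set once a packet arrives in the reply direction
    packets: int = 0


class ConnTracker:
    """Table keyed by (zone, tuple) for BOTH directions of every connection,
    so a lookup never has to guess which way a packet is travelling."""

    def __init__(self, tcp_loose: bool = False) -> None:
        self.table: Dict[Tuple[int, Tuple5], Conn] = {}
        # tcp_loose=False: only a SYN may create a TCP entry (mid-stream
        # packets with no existing connection are INVALID, not NEW)
        self.tcp_loose = tcp_loose

    def track(self, zone: int, pkt: Tuple5, tcp_flags: str = "") -> str:
        """Return the ctstate the "conntrack" match would report for pkt."""
        conn = self.table.get((zone, pkt))
        if conn is None:
            if pkt[0] == "tcp" and "S" not in tcp_flags and not self.tcp_loose:
                return "INVALID"
            conn = Conn(original=pkt, zone=zone, packets=1)
            self.table[(zone, pkt)] = conn
            self.table[(zone, reverse(pkt))] = conn
            return "NEW"
        conn.packets += 1
        if pkt == reverse(conn.original):
            conn.seen_reply = True
        # NEW until traffic has been seen in both directions, then ESTABLISHED
        return "ESTABLISHED" if conn.seen_reply else "NEW"

    def connections(self) -> int:
        """Distinct connections (each one occupies two table slots)."""
        return len({id(c) for c in self.table.values()})


if __name__ == "__main__":
    ct = ConnTracker()
    syn = ("tcp", "10.0.0.5", 40000, "203.0.113.7", 443)   # constructed sample
    print(ct.track(0, syn, "S"), ct.track(0, reverse(syn), "SA"),
          ct.track(1, syn, "A"))   # NEW ESTABLISHED INVALID
```

The zone check at the end is the point of NF_CONNTRACK_ZONES: a packet that would be ESTABLISHED in zone 0 is INVALID in zone 1 because nothing has created that connection there, which is what lets one box track overlapping address space for several tenants without the tables colliding.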
config NF_CT_PROTO_GRE
	tristate

config NF_CT_PROTO_SCTP
	tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	default IP_SCTP
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on SCTP connections.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NF_CT_PROTO_UDPLITE
	tristate 'UDP-Lite protocol connection tracking support'
	depends on NETFILTER_ADVANCED
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on UDP-Lite
	  connections.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_AMANDA
	tristate "Amanda backup protocol support"
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature. This allows the
	  connection tracking and NAT code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and
	  index.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_FTP
	tristate "FTP protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them.

	  This is FTP support on layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_H323
	tristate "H.323 protocol support"
	# IPv6 must be built in or absent, never a module this could be
	# built in against
	depends on (IPV6 || IPV6=n)
	depends on NETFILTER_ADVANCED
	help
	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
	  important VoIP protocols, it is widely used by voice hardware and
	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
	  Gnomemeeting, etc.

	  With this module you can support H.323 on a connection tracking/NAT
	  firewall.

	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
	  whiteboard, file transfer, etc. For more information, please
	  visit http://nath323.sourceforge.net/.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_IRC
	tristate "IRC protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC). This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server. DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots. If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats. Note that you do NOT need this extension to get files or
	  have others initiate chats, or for anything else in IRC.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_BROADCAST
	tristate

config NF_CONNTRACK_NETBIOS_NS
	tristate "NetBIOS name service protocol support"
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_BROADCAST
	help
	  NetBIOS name service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating NetBIOS name service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address. When properly configured, the output
	  of "ip address show" should look similar to this:

	  $ ip -4 address show eth0
	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SNMP
	tristate "SNMP service protocol support"
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_BROADCAST
	help
	  SNMP service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating SNMP service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_PPTP
	tristate "PPtP protocol support"
	depends on NETFILTER_ADVANCED
	select NF_CT_PROTO_GRE
	help
	  This module adds support for PPTP (Point to Point Tunnelling
	  Protocol, RFC2637) connection tracking and NAT.

	  If you are running PPTP sessions over a stateful firewall or NAT
	  box, you may want to enable this feature.

	  Please note that not all PPTP modes of operation are supported yet.
	  Specifically these limitations exist:
	    - Blindly assumes that control connections are always established
	      in PNS->PAC direction. This is a violation of RFC2637.
	    - Only supports a single call within each session

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SANE
	tristate "SANE protocol support (EXPERIMENTAL)"
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	help
	  SANE is a protocol for remote access to scanners as implemented
	  by the 'saned' daemon. Like FTP, it uses separate control and
	  data connections.

	  With this module you can support SANE on a connection tracking
	  firewall.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SIP
	tristate "SIP protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  SIP is an application-layer control protocol that can establish,
	  modify, and terminate multimedia sessions (conferences) such as
	  Internet telephony calls. With the nf_conntrack_sip and
	  the nf_nat_sip modules you can support the protocol on a connection
	  tracking/NATing firewall.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_TFTP
	tristate "TFTP protocol support"
	depends on NETFILTER_ADVANCED
	help
	  TFTP connection tracking helper, this is required depending
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADE
	  you will need this.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CT_NETLINK
	tristate 'Connection tracking netlink interface'
	select NETFILTER_NETLINK
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables support for a netlink-based userspace interface

endif # NF_CONNTRACK

# transparent proxy support
config NETFILTER_TPROXY
	tristate "Transparent proxying support (EXPERIMENTAL)"
	depends on EXPERIMENTAL
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option enables transparent proxying support, that is,
	  support for handling non-locally bound IPv4 TCP and UDP sockets.
	  For it to work you will have to configure certain iptables rules
	  and use policy routing. For more information on how to set it up
	  see Documentation/networking/tproxy.txt.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XTABLES
	tristate "Netfilter Xtables support (required for ip_tables)"
	default m if NETFILTER_ADVANCED=n
	help
	  This is required if you intend to use any of ip_tables,
	  ip6_tables or arp_tables.

if NETFILTER_XTABLES

comment "Xtables combined modules"

config NETFILTER_XT_MARK
	tristate 'nfmark target and match support'
	default m if NETFILTER_ADVANCED=n
	---help---
	This option adds the "MARK" target and "mark" match.

	Netfilter mark matching allows you to match packets based on the
	"nfmark" value in the packet.
	The target allows you to create rules in the "mangle" table which alter
	the netfilter mark (nfmark) field associated with the packet.

	Prior to routing, the nfmark can influence the routing method (see
	"Use netfilter MARK value as routing key") and can also be used by
	other subsystems to change their behavior.

config NETFILTER_XT_CONNMARK
	tristate 'ctmark target and match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	---help---
	This option adds the "CONNMARK" target and "connmark" match.

	Netfilter allows you to store a mark value per connection (a.k.a.
	ctmark), similarly to the packet mark (nfmark). Using this
	target and match, you can set and match on this mark.

config NETFILTER_XT_SET
	tristate 'set target and match support'
	depends on IP_SET
	depends on NETFILTER_ADVANCED
	help
	  This option adds the "SET" target and "set" match.

	  Using this target and match, you can add/delete and match
	  elements in the sets created by ipset(8).

	  To compile it as a module, choose M here. If unsure, say N.

# alphabetically ordered list of targets

comment "Xtables targets"

config NETFILTER_XT_TARGET_AUDIT
	tristate "AUDIT target support"
	depends on AUDIT
	depends on NETFILTER_ADVANCED
	---help---
	This option adds an 'AUDIT' target, which can be used to create
	audit records for packets dropped/accepted.

	To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CHECKSUM
	tristate "CHECKSUM target support"
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	This option adds a `CHECKSUM' target, which can be used in the iptables mangle
	table.

	You can use this target to compute and fill in the checksum in
	a packet that lacks a checksum. This is particularly useful
	if you need to work around old applications such as dhcp clients
	that do not work well with checksum offloads, but don't want to disable
	checksum offload in your device.

	To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CLASSIFY
	tristate '"CLASSIFY" target support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet. Some qdiscs can use this value for
	  classification, among these are:

	  atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CONNMARK
	tristate '"CONNMARK" target support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_CONNMARK
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).

config NETFILTER_XT_TARGET_CONNSECMARK
	tristate '"CONNSECMARK" target support'
	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The CONNSECMARK target copies security markings from packets
	  to connections, and restores security markings from connections
	  to packets (if the packets are not already marked). This would
	  normally be used in conjunction with the SECMARK target.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CT
	tristate '"CT" target support'
	depends on NF_CONNTRACK
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CT' target, which lets you specify initial
	  connection tracking parameters like events to be delivered and
	  the helper to be used.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_DSCP
	tristate '"DSCP" and "TOS" target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' target, which allows you to manipulate
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It also adds the "TOS" target, which allows you to create rules in
	  the "mangle" table which alter the Type Of Service field of an IPv4
	  or the Priority field of an IPv6 packet, prior to routing.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
	targets, which enable the user to change the
	hoplimit/time-to-live value of the IP header.

	While it is safe to decrement the hoplimit/TTL value, the
	modules also allow you to increment and set the hoplimit value of
	the header to arbitrary values. This is EXTREMELY DANGEROUS
	since you can easily create immortal packets that loop
	forever on the network.

config NETFILTER_XT_TARGET_IDLETIMER
	tristate "IDLETIMER target support"
	depends on NETFILTER_ADVANCED
	help
	  This option adds the `IDLETIMER' target. Each matching packet
	  resets the timer associated with the label specified when the rule is
	  added. When the timer expires, it triggers a sysfs notification.
	  The remaining time for expiration can be read via sysfs.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_LED
	tristate '"LED" target support'
	depends on LEDS_CLASS && LEDS_TRIGGERS
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `LED' target, which allows you to blink LEDs in
	  response to particular packets passing through your machine.

	  This can be used to turn a spare LED into a network activity LED,
	  which only flashes in response to FTP transfers, for example. Or
	  you could have an LED which lights up for a minute or two every time
	  somebody connects to your machine via SSH.

	  You will need support for the "led" class to make this work.

	  To create an LED trigger for incoming SSH traffic:
	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000

	  Then attach the new trigger to an LED on your system:
	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger

	  For more information on the LEDs available on your system, see
	  Documentation/leds-class.txt

config NETFILTER_XT_TARGET_MARK
	tristate '"MARK" target support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MARK
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).

config NETFILTER_XT_TARGET_NFLOG
	tristate '"NFLOG" target support'
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK_LOG
	help
	  This option enables the NFLOG target, which allows you to LOG
	  messages through nfnetlink_log.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NFQUEUE
	tristate '"NFQUEUE" target Support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK_QUEUE
	help
	  This target replaced the old obsolete QUEUE target.

	  As opposed to QUEUE, it supports 65535 different queues,
	  not just one.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NOTRACK
	tristate '"NOTRACK" target support'
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  The NOTRACK target allows a rule in the raw table to specify
	  which packets should *not* enter the conntrack/NAT
	  subsystem, with all the consequences (no ICMP error tracking,
	  no protocol helpers for the selected packets).

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_TARGET_RATEEST
	tristate '"RATEEST" target support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `RATEEST' target, which allows you to measure
	  rates similar to TC estimators. The `rateest' match can be
	  used to match on the measured rates.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TEE
	tristate '"TEE" - packet cloning to alternate destination'
	depends on NETFILTER_ADVANCED
	depends on (IPV6 || IPV6=n)
	# deliberately tautological: forces TEE to be a module whenever
	# NF_CONNTRACK is a module, so it can never be built in against it
	depends on !NF_CONNTRACK || NF_CONNTRACK
	---help---
	This option adds a "TEE" target with which a packet can be cloned and
	the clone rerouted to another nexthop.

config NETFILTER_XT_TARGET_TPROXY
	tristate '"TPROXY" target support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_TPROXY
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
	help
	  This option adds a `TPROXY' target, which is somewhat similar to
	  REDIRECT. It can only be used in the mangle table and is useful
	  to redirect traffic to a transparent proxy. It does _not_ depend
	  on Netfilter connection tracking and NAT, unlike REDIRECT.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TRACE
	tristate '"TRACE" target support'
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	help
	  The TRACE target allows you to mark packets so that the kernel
	  will log every rule which matches the packets as they traverse
	  the tables, chains, rules.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_TARGET_SECMARK
	tristate '"SECMARK" target support'
	depends on NETWORK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The SECMARK target allows security marking of network
	  packets, for use with security subsystems.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TCPMSS
	tristate '"TCPMSS" target support'
	depends on (IPV6 || IPV6=n)
	default m if NETFILTER_ADVANCED=n
	---help---
	This option adds a `TCPMSS' target, which allows you to alter the
	MSS value of TCP SYN packets, to control the maximum size for that
	connection (usually limiting it to your outgoing interface's MTU
	minus 40).

	This is used to overcome criminally braindead ISPs or servers which
	block ICMP Fragmentation Needed packets. The symptoms of this
	problem are that everything works fine from your Linux
	firewall/router, but machines behind it can never exchange large
	packets:
	  1) Web browsers connect, then hang with no data received.
	  2) Small mail works fine, but large emails hang.
	  3) ssh works fine, but scp hangs after initial handshaking.

	Workaround: activate this option and add a rule to your firewall
	configuration like:

	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
	           -j TCPMSS --clamp-mss-to-pmtu

	To compile it as a module, choose M here. If unsure, say N.
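What `--clamp-mss-to-pmtu` does to a single packet, as an added Python example (illustration only, not the kernel's xt_TCPMSS): walk the TCP options of a SYN, lower any MSS option above PMTU minus 40, and recompute the TCP checksum over the IPv4 pseudo-header so the rewritten segment is still valid. The `build_syn()` helper, the addresses and the PMTU of 1492 (a PPPoE link) are constructed for the demo; a real target would also cope with IPv6 and with SYNs carrying no MSS option at all, which this example does not.

```python
"""MSS clamping as the TCPMSS target performs it: lower the MSS option in a
TCP SYN so the peer never sends a segment larger than the path MTU minus
the 40 bytes of IPv4 + TCP headers, then recompute the TCP checksum.
Added example, not kernel code; the SYN from build_syn() is constructed."""
import struct
from typing import Iterator, Optional, Tuple


def _checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_checksum(ip: bytes, tcp: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header (src, dst, proto, length)
    plus the segment with its own checksum field zeroed."""
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return _checksum(pseudo + tcp[:16] + b"\x00\x00" + tcp[18:])


def _iter_options(tcp: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (kind, offset, length) for each TCP option in the header."""
    doff = (tcp[12] >> 4) * 4
    i = 20
    while i < doff:
        kind = tcp[i]
        if kind == 0:                       # End of Option List
            return
        if kind == 1:                       # No-Operation, one byte
            i += 1
            continue
        if i + 1 >= doff or tcp[i + 1] < 2 or i + tcp[i + 1] > doff:
            raise ValueError("malformed TCP option")
        yield kind, i, tcp[i + 1]
        i += tcp[i + 1]


def _split(packet: bytes) -> Tuple[bytes, bytes]:
    ihl = (packet[0] & 0x0F) * 4
    return packet[:ihl], packet[ihl:]


def mss_of(packet: bytes) -> Optional[int]:
    """The MSS option value carried by an IPv4/TCP packet, or None."""
    _, tcp = _split(packet)
    for kind, off, length in _iter_options(tcp):
        if kind == 2 and length == 4:
            return struct.unpack("!H", tcp[off + 2:off + 4])[0]
    return None


def checksum_ok(packet: bytes) -> bool:
    ip, tcp = _split(packet)
    return tcp_checksum(ip, tcp) == struct.unpack("!H", tcp[16:18])[0]


def clamp_mss(packet: bytes, pmtu: int) -> bytes:
    """Per-packet equivalent of '-j TCPMSS --clamp-mss-to-pmtu': only SYNs
    are touched, and only when their MSS exceeds pmtu - 40."""
    if packet[9] != 6:                      # IPv4 protocol field: not TCP
        return packet
    ip, tcp = _split(packet)
    tcp = bytearray(tcp)
    if not tcp[13] & 0x02:                  # SYN flag clear
        return packet
    limit = pmtu - 40
    changed = False
    try:
        for kind, off, length in _iter_options(bytes(tcp)):
            if kind == 2 and length == 4:
                mss = struct.unpack("!H", tcp[off + 2:off + 4])[0]
                if mss > limit:
                    tcp[off + 2:off + 4] = struct.pack("!H", limit)
                    changed = True
    except ValueError:
        return packet                       # leave malformed packets to a DROP rule
    if changed:
        tcp[16:18] = struct.pack("!H", tcp_checksum(ip, bytes(tcp)))
    return ip + bytes(tcp)


def build_syn(src: str, dst: str, sport: int, dport: int, mss: int) -> bytes:
    """Construct a minimal IPv4/TCP SYN carrying a single MSS option."""
    saddr = bytes(int(o) for o in src.split("."))
    daddr = bytes(int(o) for o in dst.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0, 6 << 4, 0x02,
                      65535, 0, 0) + struct.pack("!BBH", 2, 4, mss)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, 6, 0, saddr, daddr)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(ip, tcp)) + tcp[18:]
    return ip + tcp


if __name__ == "__main__":
    syn = build_syn("192.0.2.10", "198.51.100.20", 40000, 80, 1460)
    out = clamp_mss(syn, 1492)              # PPPoE: 1492 - 40 = 1452
    print(mss_of(syn), "->", mss_of(out), "checksum ok:", checksum_ok(out))
```

The checksum step is the part people forget when hand-rolling this: a clamped MSS with a stale checksum is dropped by the receiver, which looks exactly like the PMTU black hole the rule was meant to fix.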
config NETFILTER_XT_TARGET_TCPOPTSTRIP
	tristate '"TCPOPTSTRIP" target support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
	  TCP options from TCP packets.

# alphabetically ordered list of matches

comment "Xtables matches"

config NETFILTER_XT_MATCH_ADDRTYPE
	tristate '"addrtype" address type match support'
	depends on NETFILTER_ADVANCED
	depends on (IPV6 || IPV6=n)
	---help---
	This option allows you to match what routing thinks of an address,
	eg. UNICAST, LOCAL, BROADCAST, ...

	If you want to compile it as a module, say M here and read
	<file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_CLUSTER
	tristate '"cluster" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	---help---
	This option allows you to build work-load-sharing clusters of
	network servers/stateful firewalls without having a dedicated
	load-balancing router/server/switch. Basically, this match returns
	true when the packet must be handled by this cluster node. Thus,
	all nodes see all packets and this match decides which node handles
	what packets. The work-load sharing algorithm is based on source
	address hashing.

	If you say Y or M here, try `iptables -m cluster --help` for
	more information.

config NETFILTER_XT_MATCH_COMMENT
	tristate '"comment" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `comment' dummy-match, which allows you to put
	  comments in your iptables ruleset.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNBYTES
	tristate '"connbytes" per-connection counter match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `connbytes' match, which allows you to match the
	  number of bytes and/or packets for each direction within a connection.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNLIMIT
	tristate '"connlimit" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	---help---
	This match allows you to match against the number of parallel
	connections to a server per client IP address (or address block).

config NETFILTER_XT_MATCH_CONNMARK
	tristate '"connmark" connection mark match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_CONNMARK
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).

config NETFILTER_XT_MATCH_CONNTRACK
	tristate '"conntrack" connection tracking match support'
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  This is a general conntrack match module, a superset of the state match.

	  It allows matching on additional conntrack information, which is
	  useful in complex configurations, such as NAT gateways with multiple
	  internet links or tunnels.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_CPU
	tristate '"cpu" match support'
	depends on NETFILTER_ADVANCED
	help
	  CPU matching allows you to match packets based on the CPU
	  currently handling the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_DCCP
	tristate '"dccp" protocol match support'
	depends on NETFILTER_ADVANCED
	default IP_DCCP
	help
	  With this option enabled, you will be able to use the iptables
	  `dccp' match in order to match on DCCP source/destination ports
	  and DCCP flags.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_DEVGROUP
	tristate '"devgroup" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `devgroup' match, which allows you to match on the
	  device group a network device is assigned to.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_DSCP
	tristate '"dscp" and "tos" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It will also add a "tos" match, which allows you to match packets
	  based on the Type Of Service fields of the IPv4 packet (which share
	  the same bits as DSCP).

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_ESP
	tristate '"esp" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the ESP header of IPsec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_HASHLIMIT
	tristate '"hashlimit" match support'
	depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `hashlimit' match.

	  As opposed to `limit', this match dynamically creates a hash table
	  of limit buckets, based on your selection of source/destination
	  addresses and/or ports.

	  It enables you to express policies like `10kpps for any given
	  destination address' or `500pps from any given source address'
	  with a single rule.

config NETFILTER_XT_MATCH_HELPER
	tristate '"helper" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack-helper, e.g. nf_conntrack_ftp.

	  To compile it as a module, choose M here. If unsure, say Y.

config NETFILTER_XT_MATCH_HL
	tristate '"hl" hoplimit/TTL match support'
	depends on NETFILTER_ADVANCED
	---help---
	HL matching allows you to match packets based on the hoplimit
	in the IPv6 header, or the time-to-live field in the IPv4
	header of the packet.

config NETFILTER_XT_MATCH_IPRANGE
	tristate '"iprange" address range match support'
	depends on NETFILTER_ADVANCED
	---help---
	This option adds an "iprange" match, which allows you to match based on
	an IP address range. (Normal iptables only matches on single addresses
	with an optional mask.)

	If unsure, say M.

config NETFILTER_XT_MATCH_IPVS
	tristate '"ipvs" match support'
	depends on IP_VS
	depends on NETFILTER_ADVANCED
	depends on NF_CONNTRACK
	help
	  This option allows you to match against IPVS properties of a packet.

	  If unsure, say N.

config NETFILTER_XT_MATCH_LENGTH
	tristate '"length" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here. If unsure, say N.
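The `hashlimit' mechanism described above (a table of token buckets created on demand, keyed by whichever address/port fields the rule selects), as an added Python example that is not the kernel's xt_hashlimit: with `mode=("srcip",)` one rule expresses "at most N packets per second from any given source", and a different mode gives the per-destination policy. The `HashLimit` class, its `expire` and `max_entries` parameters (standing in for the htable-expire and htable-max options) and the sample packets are assumptions of this example; the kernel expires idle buckets from a timer, whereas this toy sweeps them whenever it has to create a new one.

```python
"""Keyed token-bucket rate limiting in the style of the hashlimit match
(added example, not kernel code).  A bucket is created the first time a
key is seen, refilled at `rate` tokens per second up to `burst`, and
idle buckets are expired so a flood of new keys cannot grow the table
without bound."""
from dataclasses import dataclass
from typing import Dict, Sequence, Tuple


@dataclass
class Bucket:
    tokens: float   # packets this key may still send right now
    last: float     # time of the last refill, in seconds


class HashLimit:
    def __init__(self, mode: Sequence[str], rate: float, burst: int,
                 expire: float = 10.0, max_entries: int = 4096) -> None:
        # mode: subset of ("srcip", "dstip", "srcport", "dstport"), like
        # --hashlimit-mode; rate/burst like --hashlimit-upto N/s --hashlimit-burst
        self.mode = tuple(mode)
        self.rate = float(rate)
        self.burst = burst
        self.expire = expire            # seconds a bucket may sit idle
        self.max_entries = max_entries  # hard cap on table size
        self.buckets: Dict[Tuple, Bucket] = {}

    def key(self, pkt: dict) -> Tuple:
        """Only the selected fields form the key, so everything else
        about the packet shares one bucket."""
        return tuple(pkt[f] for f in self.mode)

    def _gc(self, now: float) -> None:
        dead = [k for k, b in self.buckets.items() if now - b.last > self.expire]
        for k in dead:
            del self.buckets[k]

    def match(self, pkt: dict, now: float) -> bool:
        """True if the packet is within the limit (the --hashlimit-upto
        sense), consuming one token; False once the key's bucket is empty
        or the table is full and nothing can be expired."""
        k = self.key(pkt)
        b = self.buckets.get(k)
        if b is None:
            self._gc(now)
            if len(self.buckets) >= self.max_entries:
                return False            # fail closed rather than allocate forever
            b = Bucket(tokens=float(self.burst), last=now)
            self.buckets[k] = b
        else:
            elapsed = max(0.0, now - b.last)
            b.tokens = min(float(self.burst), b.tokens + elapsed * self.rate)
            b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


if __name__ == "__main__":
    # "500 pps from any given source address", burst of 5; constructed packets
    hl = HashLimit(mode=("srcip",), rate=500, burst=5)
    pkt = {"srcip": "198.51.100.1", "dstip": "192.0.2.1", "srcport": 40000, "dstport": 53}
    print([hl.match(pkt, 0.0) for _ in range(6)])   # five True, then False
```

A rule of the form `-m hashlimit --hashlimit-above 500/s --hashlimit-mode srcip -j DROP` is the same computation with the result negated; what makes the match usable as DoS protection is the expiry and the table cap, since without them every spoofed source address would pin a bucket in kernel memory.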
846 847config NETFILTER_XT_MATCH_LIMIT 848 tristate '"limit" match support' 849 depends on NETFILTER_ADVANCED 850 help 851 limit matching allows you to control the rate at which a rule can be 852 matched: mainly useful in combination with the LOG target ("LOG 853 target support", below) and to avoid some Denial of Service attacks. 854 855 To compile it as a module, choose M here. If unsure, say N. 856 857config NETFILTER_XT_MATCH_MAC 858 tristate '"mac" address match support' 859 depends on NETFILTER_ADVANCED 860 help 861 MAC matching allows you to match packets based on the source 862 Ethernet address of the packet. 863 864 To compile it as a module, choose M here. If unsure, say N. 865 866config NETFILTER_XT_MATCH_MARK 867 tristate '"mark" match support' 868 depends on NETFILTER_ADVANCED 869 select NETFILTER_XT_MARK 870 ---help--- 871 This is a backwards-compat option for the user's convenience 872 (e.g. when running oldconfig). It selects 873 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module). 874 875config NETFILTER_XT_MATCH_MULTIPORT 876 tristate '"multiport" Multiple port match support' 877 depends on NETFILTER_ADVANCED 878 help 879 Multiport matching allows you to match TCP or UDP packets based on 880 a series of source or destination ports: normally a rule can only 881 match a single range of ports. 882 883 To compile it as a module, choose M here. If unsure, say N. 884 885config NETFILTER_XT_MATCH_OSF 886 tristate '"osf" Passive OS fingerprint match' 887 depends on NETFILTER_ADVANCED && NETFILTER_NETLINK 888 help 889 This option selects the Passive OS Fingerprinting match module 890 that allows to passively match the remote operating system by 891 analyzing incoming TCP SYN packets. 892 893 Rules and loading software can be downloaded from 894 http://www.ioremap.net/projects/osf 895 896 To compile it as a module, choose M here. If unsure, say N. 

config NETFILTER_XT_MATCH_OWNER
	tristate '"owner" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  Socket owner matching allows you to match locally-generated packets
	  based on who created the socket: the user or group. It is also
	  possible to check whether a socket actually exists.

config NETFILTER_XT_MATCH_POLICY
	tristate 'IPsec "policy" match support'
	depends on XFRM
	default m if NETFILTER_ADVANCED=n
	help
	  Policy matching allows you to match packets based on the
	  IPsec policy that was used during decapsulation/will
	  be used during encapsulation.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_PHYSDEV
	tristate '"physdev" match support'
	depends on BRIDGE && BRIDGE_NETFILTER
	depends on NETFILTER_ADVANCED
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_PKTTYPE
	tristate '"pkttype" packet type match support'
	depends on NETFILTER_ADVANCED
	help
	  Packet type matching allows you to match a packet by
	  its "class", e.g. BROADCAST, MULTICAST, ...

	  Typical usage:
	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_QUOTA
	tristate '"quota" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `quota' match, which allows you to match on a
	  byte counter.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_RATEEST
	tristate '"rateest" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_RATEEST
	help
	  This option adds a `rateest' match, which allows you to match on the
	  rate estimated by the RATEEST target.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_REALM
	tristate '"realm" match support'
	depends on NETFILTER_ADVANCED
	select IP_ROUTE_CLASSID
	help
	  This option adds a `realm' match, which allows you to use the realm
	  key from the routing subsystem inside iptables.

	  This match closely resembles the CONFIG_NET_CLS_ROUTE4 option
	  in the tc world.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_RECENT
	tristate '"recent" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'.
	  Official Website: <http://snowman.net/projects/ipt_recent/>

config NETFILTER_XT_MATCH_SCTP
	tristate '"sctp" protocol match support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	default IP_SCTP
	help
	  With this option enabled, you will be able to use the
	  `sctp' match in order to match on SCTP source/destination ports
	  and SCTP chunk types.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_SOCKET
	tristate '"socket" match support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_TPROXY
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
	help
	  This option adds a `socket' match, which can be used to match
	  packets for which a TCP or UDP socket lookup finds a valid socket.
	  It can be used in combination with the MARK target and policy
	  routing to implement full-featured non-locally bound sockets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STATE
	tristate '"state" match support'
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (i.e. previous packets). This
	  is a powerful tool for packet classification.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STATISTIC
	tristate '"statistic" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `statistic' match, which allows you to match
	  on packets periodically or randomly with a given percentage.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STRING
	tristate '"string" match support'
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	select TEXTSEARCH_BM
	select TEXTSEARCH_FSM
	help
	  This option adds a `string' match, which allows you to look for
	  patterns in packets.

	  To compile it as a module, choose M here. If unsure, say N.
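The entries above use the three Kconfig directives that decide what actually ends up in a kernel: `depends on` (visibility), `select ... if ...` (forcing a target on, regardless of the target's own dependencies) and `default ... if ...` (as in the `state` match, which defaults to `m` only when NETFILTER_ADVANCED is off). The following is an added example, not the kernel's kconfig tool, that parses a fragment constructed from those entries and resolves a configuration with the same rules; symbols that are only referenced (NETFILTER_XT_MARK, NF_DEFRAG_IPV4, NF_DEFRAG_IPV6, NETFILTER_ADVANCED, ...) are treated as undeclared tristates that default to `n`, and the user choices fed in are constructed for the example.

```python
"""A small evaluator for the Kconfig directives used in this file.

Added example, not the kernel's kconfig tool.  It parses `config` blocks
for `depends on`, `select ... if ...` and `default ... if ...`, then
resolves a configuration the way Kconfig does: a user's choice is clamped
to what the symbol's dependencies allow, while `select` raises the target
to the selecting symbol's value regardless of the target's own dependencies.
"""
import re

# Constructed from entries in this file; prompts and help text are omitted.
FRAGMENT = """
config NETFILTER_XT_MATCH_MARK
	tristate '"mark" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MARK

config NETFILTER_XT_MATCH_SOCKET
	tristate '"socket" match support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES

config NETFILTER_XT_MATCH_STATE
	tristate '"state" match support'
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
"""

VAL = {"n": 0, "m": 1, "y": 2}   # tristate values as integers


def parse(text):
    """Map each config symbol to its depends/selects/defaults directives."""
    syms, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"config\s+(\w+)$", line)
        if m:
            cur = syms[m.group(1)] = {"depends": [], "selects": [], "defaults": []}
        elif cur is None or not line:
            continue
        elif line.startswith("depends on "):
            cur["depends"].append(line[len("depends on "):])
        elif line.startswith("select "):
            target, _, cond = line[len("select "):].partition(" if ")
            cur["selects"].append((target.strip(), cond.strip() or "y"))
        elif line.startswith("default "):
            val, _, cond = line[len("default "):].partition(" if ")
            cur["defaults"].append((val.strip(), cond.strip() or "y"))
    return syms


def evaluate(expr, cfg):
    """Tristate expression: `||` is max, `&&` is min, `!x` is y-x, `a=b` is y or n."""
    toks = re.findall(r"\|\||&&|!|=|\w+", expr)
    pos = 0

    def value(tok):
        return VAL[tok] if tok in VAL else cfg.get(tok, 0)

    def atom():
        nonlocal pos
        if toks[pos] == "!":
            pos += 1
            return 2 - atom()
        val = value(toks[pos]); pos += 1
        if pos < len(toks) and toks[pos] == "=":
            other = value(toks[pos + 1]); pos += 2
            return 2 if val == other else 0
        return val

    def and_expr():
        nonlocal pos
        v = atom()
        while pos < len(toks) and toks[pos] == "&&":
            pos += 1; v = min(v, atom())
        return v

    v = and_expr()
    while pos < len(toks) and toks[pos] == "||":
        pos += 1; v = max(v, and_expr())
    return v


def resolve(syms, choices):
    """Iterate to a fixpoint: default or user choice, clamped by dependencies,
    then raised by any applicable `select` (which bypasses the target's depends)."""
    cfg = dict(choices)
    for _ in range(len(syms) + 2):
        new = dict(choices)
        for name, s in syms.items():
            dep = min([evaluate(d, cfg) for d in s["depends"]] or [2])
            val = 0
            for v, cond in s["defaults"]:
                if evaluate(cond, cfg) > 0:
                    val = VAL[v] if v in VAL else cfg.get(v, 0); break
            if name in choices:
                val = choices[name]
            new[name] = min(val, dep)
        for name, s in syms.items():
            for target, cond in s["selects"]:
                force = min(new[name], evaluate(cond, cfg))
                new[target] = max(new.get(target, 0), force)
        if new == cfg:
            break
        cfg = new
    return cfg


if __name__ == "__main__":
    syms = parse(FRAGMENT)
    print(resolve(syms, {"NETFILTER_ADVANCED": 2, "EXPERIMENTAL": 2, "NF_CONNTRACK": 2,
                         "NETFILTER_XT_MATCH_MARK": 1, "NETFILTER_XT_MATCH_SOCKET": 2}))
```

Two runs show the behaviours worth knowing when auditing a kernel build: with NETFILTER_ADVANCED=y, choosing the `mark` match as `m` pulls NETFILTER_XT_MARK in as `m` and enabling the `socket` match pulls in NF_DEFRAG_IPV4 but not NF_DEFRAG_IPV6 (its condition is false), while the `state` match stays `n` because its `default m` condition does not hold; with NETFILTER_ADVANCED=n the `mark` choice is clamped to `n` (so nothing is selected) and the `state` match becomes `m` by default.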

config NETFILTER_XT_MATCH_TCPMSS
	tristate '"tcpmss" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS value of TCP SYN packets, which controls the maximum packet size
	  for that connection.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_TIME
	tristate '"time" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds a "time" match, which allows you to match based on
	  the packet arrival time (at the machine on which netfilter is running)
	  or departure time/date (for locally generated packets).

	  If you say Y here, try `iptables -m time --help` for
	  more information.

	  If you want to compile it as a module, say M here.
	  If unsure, say N.

config NETFILTER_XT_MATCH_U32
	tristate '"u32" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  u32 allows you to extract quantities of up to 4 bytes from a packet,
	  AND them with specified masks, shift them by specified amounts and
	  test whether the results are in any of a set of specified ranges.
	  The specification of what to extract is general enough to skip over
	  headers with lengths stored in the packet, as in IP or TCP header
	  lengths.

	  Details and examples are in the kernel module source.

endif # NETFILTER_XTABLES

endmenu

source "net/netfilter/ipset/Kconfig"

source "net/netfilter/ipvs/Kconfig"
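The `u32` help text above describes an extract/AND/shift/range-test pipeline whose `@` step uses a value read from the packet as the next base offset, which is what lets one rule step over a variable-length IP header. The following is an added example, not the kernel's xt_u32 module, that evaluates expressions written in that style over raw packet bytes; the packets, the rule strings and the helper names are constructed for the example, and the expression syntax is a subset chosen to illustrate the operations listed in the help text.

```python
"""Evaluator for `u32`-style match expressions over a raw packet.

Added example, not the kernel's xt_u32 module.  It implements the operations
the help text lists: read 4 bytes at an offset, AND with a mask, shift right,
use the result as a new base offset (`@`) and read again, then test against
a set of ranges.  Tests joined by `&&` must all hold.  A read that would run
past the end of the packet makes the whole expression fail rather than match
garbage, which is the safe behaviour for a filter.
"""
import re

TOKEN = re.compile(r"0x[0-9a-fA-F]+|\d+|>>|&|@|=|,|:")


def num(tok):
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok)


def read32(pkt, offset):
    """Big-endian 32-bit word at `offset`, or None if it would run off the packet."""
    if offset < 0 or offset + 4 > len(pkt):
        return None
    return int.from_bytes(pkt[offset:offset + 4], "big")


def eval_test(pkt, test):
    """One `offset[&mask][>>shift][@offset...]=range[,range...]` test."""
    test = test.replace(" ", "")
    toks = TOKEN.findall(test)
    if "".join(toks) != test or "=" not in toks:
        raise ValueError(f"malformed u32 test: {test!r}")
    eq = toks.index("=")
    lhs, rhs = toks[:eq], toks[eq + 1:]
    base = 0
    val = read32(pkt, base + num(lhs[0]))
    i = 1
    while val is not None and i < len(lhs):
        op, arg = lhs[i], num(lhs[i + 1])
        if op == "&":
            val &= arg
        elif op == ">>":
            val >>= arg
        elif op == "@":            # current value becomes the new base; read at base+arg
            base += val
            val = read32(pkt, base + arg)
        else:
            raise ValueError(f"unknown operator {op!r}")
        i += 2
    if val is None:
        return False
    ranges, i = [], 0              # rhs is "a" or "a:b", comma-separated
    while i < len(rhs):
        lo = hi = num(rhs[i]); i += 1
        if i < len(rhs) and rhs[i] == ":":
            hi = num(rhs[i + 1]); i += 2
        ranges.append((lo, hi))
        if i < len(rhs):
            if rhs[i] != ",":
                raise ValueError(f"malformed range list in {test!r}")
            i += 1
    return any(lo <= val <= hi for lo, hi in ranges)


def u32_match(pkt, rule):
    return all(eval_test(pkt, t) for t in rule.split("&&"))


# Constructed packets: minimal IPv4 header (IHL reflects options) plus payload.
def ipv4_packet(proto, options=b"", payload=b""):
    hdr = bytearray(20)
    hdr[0] = 0x40 | (5 + len(options) // 4)          # version 4, IHL in 32-bit words
    hdr[8], hdr[9] = 64, proto                       # TTL, protocol
    hdr = bytes(hdr) + options
    total = (len(hdr) + len(payload)).to_bytes(2, "big")
    return hdr[:2] + total + hdr[4:] + payload


def tcp_header(flags, dport=22):
    h = bytearray(20)
    h[0:2], h[2:4] = (40000).to_bytes(2, "big"), dport.to_bytes(2, "big")
    h[12], h[13] = 5 << 4, flags                     # data offset 5 words, flag byte
    return bytes(h)


SYN, ACK = 0x02, 0x10
PACKETS = {
    "tcp_syn": ipv4_packet(6, payload=tcp_header(SYN)),
    "tcp_syn_with_ip_options": ipv4_packet(6, options=b"\x01" * 4, payload=tcp_header(SYN)),
    "tcp_synack": ipv4_packet(6, payload=tcp_header(SYN | ACK)),
    "udp": ipv4_packet(17, payload=bytes(8)),
    "truncated_tcp": ipv4_packet(6, payload=tcp_header(SYN)[:8]),
}
# Word at IP offset 6 holds flags/fragment, TTL and protocol; low byte is the protocol.
IS_TCP = "6&0xFF=6"
# Word 0 >> 22 & 0x3C is IHL*4; `@12` then reads the TCP data-offset/flags word,
# and >>16&0xFF isolates the flag byte: SYN set, nothing else.
TCP_SYN_ONLY = "6&0xFF=6 && 0>>22&0x3C@12>>16&0xFF=0x2"
TCP_DPORT_SSH_OR_HTTP = "6&0xFF=6 && 0>>22&0x3C@0&0xFFFF=22,80"

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(f"{name:24s} syn-only={u32_match(pkt, TCP_SYN_ONLY)} "
              f"dport-22/80={u32_match(pkt, TCP_DPORT_SSH_OR_HTTP)}")
```

The packet with IP options is the case the help text singles out: because the TCP flags offset is computed from IHL rather than hard-coded, the same rule matches headers of 20 and 24 bytes, while the truncated packet fails the rule because the flags word cannot be read.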