xref: /openbmc/linux/net/netfilter/Kconfig (revision 4800cd83)
menu "Core Netfilter Configuration"
	depends on NET && INET && NETFILTER

config NETFILTER_NETLINK
	tristate

config NETFILTER_NETLINK_QUEUE
	tristate "Netfilter NFQUEUE over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for queueing packets via NFNETLINK.

config NETFILTER_NETLINK_LOG
	tristate "Netfilter LOG over NFNETLINK interface"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for logging packets via NFNETLINK.

	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
	  and is also scheduled to replace the old syslog-based ipt_LOG
	  and ip6t_LOG modules.

config NF_CONNTRACK
	tristate "Netfilter connection tracking support"
	default m if NETFILTER_ADVANCED=n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is required to do Masquerading or other kinds of Network
	  Address Translation.  It can also be used to enhance packet
	  filtering (see `Connection state match support' below).

	  To compile it as a module, choose M here.  If unsure, say N.

if NF_CONNTRACK

config NF_CONNTRACK_MARK
	bool  'Connection mark tracking support'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match. Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config NF_CONNTRACK_SECMARK
	bool  'Connection tracking security mark support'
	depends on NETWORK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables security markings to be applied to
	  connections.  Typically they are copied to connections from
	  packets using the CONNSECMARK target and copied back from
	  connections to packets with the same target, with the packets
	  being originally labeled via SECMARK.

	  If unsure, say 'N'.

config NF_CONNTRACK_ZONES
	bool  'Connection tracking zones'
	depends on NETFILTER_ADVANCED
	depends on NETFILTER_XT_TARGET_CT
	help
	  This option enables support for connection tracking zones.
	  Normally, each connection needs to have a unique system wide
	  identity. Connection tracking zones allow you to have multiple
	  connections using the same identity, as long as they are
	  contained in different zones.

	  If unsure, say `N'.

config NF_CONNTRACK_EVENTS
	bool "Connection tracking events"
	depends on NETFILTER_ADVANCED
	help
	  If this option is enabled, the connection tracking code will
	  provide a notifier chain that can be used by other kernel code
	  to get notified about changes in the connection tracking state.

	  If unsure, say `N'.

config NF_CT_PROTO_DCCP
	tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	default IP_DCCP
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on DCCP connections.

	  If unsure, say 'N'.

config NF_CT_PROTO_GRE
	tristate

config NF_CT_PROTO_SCTP
	tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	default IP_SCTP
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on SCTP connections.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NF_CT_PROTO_UDPLITE
	tristate 'UDP-Lite protocol connection tracking support'
	depends on NETFILTER_ADVANCED
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on UDP-Lite
	  connections.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_AMANDA
	tristate "Amanda backup protocol support"
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature.  This allows the
	  connection tracking and natting code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and
	  index.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_FTP
	tristate "FTP protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them.

	  This is FTP support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_H323
	tristate "H.323 protocol support"
	depends on (IPV6 || IPV6=n)
	depends on NETFILTER_ADVANCED
	help
	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
	  important VoIP protocols, it is widely used by voice hardware and
	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
	  Gnomemeeting, etc.

	  With this module you can support H.323 on a connection tracking/NAT
	  firewall.

	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
	  whiteboard, file transfer, etc. For more information, please
	  visit http://nath323.sourceforge.net/.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_IRC
	tristate "IRC protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC).  This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server.  DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats.  Note that you do NOT need this extension to get files or
	  have others initiate chats, or everything else in IRC.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_NETBIOS_NS
	tristate "NetBIOS name service protocol support"
	depends on NETFILTER_ADVANCED
	help
	  NetBIOS name service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating NetBIOS name service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address. When properly configured, the output
	  of "ip address show" should look similar to this:

	  $ ip -4 address show eth0
	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_PPTP
	tristate "PPTP protocol support"
	depends on NETFILTER_ADVANCED
	select NF_CT_PROTO_GRE
	help
	  This module adds support for PPTP (Point to Point Tunnelling
	  Protocol, RFC2637) connection tracking and NAT.

	  If you are running PPTP sessions over a stateful firewall or NAT
	  box, you may want to enable this feature.

	  Please note that not all PPTP modes of operation are supported yet.
	  Specifically these limitations exist:
	    - Blindly assumes that control connections are always established
	      in PNS->PAC direction. This is a violation of RFC2637.
	    - Only supports a single call within each session

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_SANE
	tristate "SANE protocol support (EXPERIMENTAL)"
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	help
	  SANE is a protocol for remote access to scanners as implemented
	  by the 'saned' daemon. Like FTP, it uses separate control and
	  data connections.

	  With this module you can support SANE on a connection tracking
	  firewall.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_SIP
	tristate "SIP protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  SIP is an application-layer control protocol that can establish,
	  modify, and terminate multimedia sessions (conferences) such as
	  Internet telephony calls. With the ip_conntrack_sip and
	  the nf_nat_sip modules you can support the protocol on a connection
	  tracking/NATing firewall.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_TFTP
	tristate "TFTP protocol support"
	depends on NETFILTER_ADVANCED
	help
	  TFTP connection tracking helper; whether it is required depends
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADE
	  you will need this.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CT_NETLINK
	tristate 'Connection tracking netlink interface'
	select NETFILTER_NETLINK
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables support for a netlink-based userspace interface

endif # NF_CONNTRACK

# transparent proxy support
config NETFILTER_TPROXY
	tristate "Transparent proxying support (EXPERIMENTAL)"
	depends on EXPERIMENTAL
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option enables transparent proxying support, that is,
	  support for handling non-locally bound IPv4 TCP and UDP sockets.
	  For it to work you will have to configure certain iptables rules
	  and use policy routing. For more information on how to set it up
	  see Documentation/networking/tproxy.txt.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XTABLES
	tristate "Netfilter Xtables support (required for ip_tables)"
	default m if NETFILTER_ADVANCED=n
	help
	  This is required if you intend to use any of ip_tables,
	  ip6_tables or arp_tables.

if NETFILTER_XTABLES

comment "Xtables combined modules"

config NETFILTER_XT_MARK
	tristate 'nfmark target and match support'
	default m if NETFILTER_ADVANCED=n
	---help---
	This option adds the "MARK" target and "mark" match.

	Netfilter mark matching allows you to match packets based on the
	"nfmark" value in the packet.
	The target allows you to create rules in the "mangle" table which alter
	the netfilter mark (nfmark) field associated with the packet.

	Prior to routing, the nfmark can influence the routing method (see
	"Use netfilter MARK value as routing key") and can also be used by
	other subsystems to change their behavior.

config NETFILTER_XT_CONNMARK
	tristate 'ctmark target and match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	---help---
	This option adds the "CONNMARK" target and "connmark" match.

	Netfilter allows you to store a mark value per connection (a.k.a.
	ctmark), similarly to the packet mark (nfmark). Using this
	target and match, you can set and match on this mark.

# alphabetically ordered list of targets

comment "Xtables targets"

config NETFILTER_XT_TARGET_CHECKSUM
	tristate "CHECKSUM target support"
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds a `CHECKSUM' target, which can be used in the iptables mangle
	  table.

	  You can use this target to compute and fill in the checksum in
	  a packet that lacks a checksum.  This is particularly useful
	  if you need to work around old applications such as dhcp clients
	  that do not work well with checksum offloads, but don't want to disable
	  checksum offload in your device.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_CLASSIFY
	tristate '"CLASSIFY" target support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet. Some qdiscs can use this value for
	  classification, among these are:

	  atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_CONNMARK
	tristate  '"CONNMARK" target support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_CONNMARK
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).

config NETFILTER_XT_TARGET_CONNSECMARK
	tristate '"CONNSECMARK" target support'
	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The CONNSECMARK target copies security markings from packets
	  to connections, and restores security markings from connections
	  to packets (if the packets are not already marked).  This would
	  normally be used in conjunction with the SECMARK target.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_CT
	tristate '"CT" target support'
	depends on NF_CONNTRACK
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CT' target, which allows you to specify initial
	  connection tracking parameters like events to be delivered and
	  the helper to be used.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_DSCP
	tristate '"DSCP" and "TOS" target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' target, which allows you to manipulate
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It also adds the "TOS" target, which allows you to create rules in
	  the "mangle" table which alter the Type Of Service field of an IPv4
	  or the Priority field of an IPv6 packet, prior to routing.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
	targets, which enable the user to change the
	hoplimit/time-to-live value of the IP header.

	While it is safe to decrement the hoplimit/TTL value, the
	modules also allow you to increment and set the hoplimit value of
	the header to arbitrary values. This is EXTREMELY DANGEROUS
	since you can easily create immortal packets that loop
	forever on the network.

config NETFILTER_XT_TARGET_IDLETIMER
	tristate  "IDLETIMER target support"
	depends on NETFILTER_ADVANCED
	help
	  This option adds the `IDLETIMER' target.  Each matching packet
	  resets the timer associated with the label specified when the rule is
	  added.  When the timer expires, it triggers a sysfs notification.
	  The remaining time for expiration can be read via sysfs.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_LED
	tristate '"LED" target support'
	depends on LEDS_CLASS && LEDS_TRIGGERS
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `LED' target, which allows you to blink LEDs in
	  response to particular packets passing through your machine.

	  This can be used to turn a spare LED into a network activity LED,
	  which only flashes in response to FTP transfers, for example.  Or
	  you could have an LED which lights up for a minute or two every time
	  somebody connects to your machine via SSH.

	  You will need support for the "led" class to make this work.

	  To create an LED trigger for incoming SSH traffic:
	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000

	  Then attach the new trigger to an LED on your system:
	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger

	  For more information on the LEDs available on your system, see
	  Documentation/leds-class.txt

config NETFILTER_XT_TARGET_MARK
	tristate '"MARK" target support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MARK
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).

config NETFILTER_XT_TARGET_NFLOG
	tristate '"NFLOG" target support'
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK_LOG
	help
	  This option enables the NFLOG target, which allows you to log
	  messages through nfnetlink_log.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_NFQUEUE
	tristate '"NFQUEUE" target Support'
	depends on NETFILTER_ADVANCED
	help
	  This target replaced the old obsolete QUEUE target.

	  As opposed to QUEUE, it supports 65535 different queues,
	  not just one.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_NOTRACK
	tristate  '"NOTRACK" target support'
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  The NOTRACK target allows a select rule to specify
	  which packets *not* to enter the conntrack/NAT
	  subsystem with all the consequences (no ICMP error tracking,
	  no protocol helpers for the selected packets).

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_TARGET_RATEEST
	tristate '"RATEEST" target support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `RATEEST' target, which allows you to measure
	  rates similar to TC estimators. The `rateest' match can be
	  used to match on the measured rates.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_TEE
	tristate '"TEE" - packet cloning to alternate destination'
	depends on NETFILTER_ADVANCED
	depends on (IPV6 || IPV6=n)
	depends on !NF_CONNTRACK || NF_CONNTRACK
	---help---
	This option adds a "TEE" target with which a packet can be cloned and
	this clone be rerouted to another nexthop.

config NETFILTER_XT_TARGET_TPROXY
	tristate '"TPROXY" target support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_TPROXY
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
	help
	  This option adds a `TPROXY' target, which is somewhat similar to
	  REDIRECT.  It can only be used in the mangle table and is useful
	  to redirect traffic to a transparent proxy.  It does _not_ depend
	  on Netfilter connection tracking and NAT, unlike REDIRECT.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_TRACE
	tristate  '"TRACE" target support'
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	help
	  The TRACE target allows you to mark packets so that the kernel
	  will log every rule which matches the packets as they traverse
	  the tables, chains, rules.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_TARGET_SECMARK
	tristate '"SECMARK" target support'
	depends on NETWORK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The SECMARK target allows security marking of network
	  packets, for use with security subsystems.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_TCPMSS
	tristate '"TCPMSS" target support'
	depends on (IPV6 || IPV6=n)
	default m if NETFILTER_ADVANCED=n
	---help---
	  This option adds a `TCPMSS' target, which allows you to alter the
	  MSS value of TCP SYN packets, to control the maximum size for that
	  connection (usually limiting it to your outgoing interface's MTU
	  minus 40).

	  This is used to overcome criminally braindead ISPs or servers which
	  block ICMP Fragmentation Needed packets.  The symptoms of this
	  problem are that everything works fine from your Linux
	  firewall/router, but machines behind it can never exchange large
	  packets:
	        1) Web browsers connect, then hang with no data received.
	        2) Small mail works fine, but large emails hang.
	        3) ssh works fine, but scp hangs after initial handshaking.

	  Workaround: activate this option and add a rule to your firewall
	  configuration like:

	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
	                 -j TCPMSS --clamp-mss-to-pmtu

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_TCPOPTSTRIP
	tristate '"TCPOPTSTRIP" target support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
	  TCP options from TCP packets.

596
597comment "Xtables matches"
598
599config NETFILTER_XT_MATCH_CLUSTER
600	tristate '"cluster" match support'
601	depends on NF_CONNTRACK
602	depends on NETFILTER_ADVANCED
603	---help---
604	  This option allows you to build work-load-sharing clusters of
605	  network servers/stateful firewalls without having a dedicated
606	  load-balancing router/server/switch. Basically, this match returns
607	  true when the packet must be handled by this cluster node. Thus,
608	  all nodes see all packets and this match decides which node handles
609	  what packets. The work-load sharing algorithm is based on source
610	  address hashing.
611
612	  If you say Y or M here, try `iptables -m cluster --help` for
613	  more information.
614
615config NETFILTER_XT_MATCH_COMMENT
616	tristate  '"comment" match support'
617	depends on NETFILTER_ADVANCED
618	help
619	  This option adds a `comment' dummy-match, which allows you to put
620	  comments in your iptables ruleset.
621
622	  If you want to compile it as a module, say M here and read
623	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
624
625config NETFILTER_XT_MATCH_CONNBYTES
626	tristate  '"connbytes" per-connection counter match support'
627	depends on NF_CONNTRACK
628	depends on NETFILTER_ADVANCED
629	help
630	  This option adds a `connbytes' match, which allows you to match the
631	  number of bytes and/or packets for each direction within a connection.
632
633	  If you want to compile it as a module, say M here and read
634	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
635
636config NETFILTER_XT_MATCH_CONNLIMIT
637	tristate '"connlimit" match support"'
638	depends on NF_CONNTRACK
639	depends on NETFILTER_ADVANCED
640	---help---
641	  This match allows you to match against the number of parallel
642	  connections to a server per client IP address (or address block).
643
644config NETFILTER_XT_MATCH_CONNMARK
645	tristate  '"connmark" connection mark match support'
646	depends on NF_CONNTRACK
647	depends on NETFILTER_ADVANCED
648	select NETFILTER_XT_CONNMARK
649	---help---
650	This is a backwards-compat option for the user's convenience
651	(e.g. when running oldconfig). It selects
652	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
653
654config NETFILTER_XT_MATCH_CONNTRACK
655	tristate '"conntrack" connection tracking match support'
656	depends on NF_CONNTRACK
657	default m if NETFILTER_ADVANCED=n
658	help
659	  This is a general conntrack match module, a superset of the state match.
660
661	  It allows matching on additional conntrack information, which is
662	  useful in complex configurations, such as NAT gateways with multiple
663	  internet links or tunnels.
664
665	  To compile it as a module, choose M here.  If unsure, say N.
666
667config NETFILTER_XT_MATCH_CPU
668	tristate '"cpu" match support'
669	depends on NETFILTER_ADVANCED
670	help
671	  CPU matching allows you to match packets based on the CPU
672	  currently handling the packet.
673
674	  To compile it as a module, choose M here.  If unsure, say N.
675
676config NETFILTER_XT_MATCH_DCCP
677	tristate '"dccp" protocol match support'
678	depends on NETFILTER_ADVANCED
679	default IP_DCCP
680	help
681	  With this option enabled, you will be able to use the iptables
682	  `dccp' match in order to match on DCCP source/destination ports
683	  and DCCP flags.
684
685	  If you want to compile it as a module, say M here and read
686	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
687
688config NETFILTER_XT_MATCH_DSCP
689	tristate '"dscp" and "tos" match support'
690	depends on NETFILTER_ADVANCED
691	help
692	  This option adds a `DSCP' match, which allows you to match against
693	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
694
695	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
696
697	  It will also add a "tos" match, which allows you to match packets
698	  based on the Type Of Service fields of the IPv4 packet (which share
699	  the same bits as DSCP).
700
701	  To compile it as a module, choose M here.  If unsure, say N.
702
703config NETFILTER_XT_MATCH_ESP
704	tristate '"esp" match support'
705	depends on NETFILTER_ADVANCED
706	help
707	  This match extension allows you to match a range of SPIs
708	  inside ESP header of IPSec packets.
709
710	  To compile it as a module, choose M here.  If unsure, say N.
711
712config NETFILTER_XT_MATCH_HASHLIMIT
713	tristate '"hashlimit" match support'
714	depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
715	depends on NETFILTER_ADVANCED
716	help
717	  This option adds a `hashlimit' match.
718
719	  As opposed to `limit', this match dynamically creates a hash table
720	  of limit buckets, based on your selection of source/destination
721	  addresses and/or ports.
722
723	  It enables you to express policies like `10kpps for any given
724	  destination address' or `500pps from any given source address'
725	  with a single rule.
726
727config NETFILTER_XT_MATCH_HELPER
728	tristate '"helper" match support'
729	depends on NF_CONNTRACK
730	depends on NETFILTER_ADVANCED
731	help
732	  Helper matching allows you to match packets in dynamic connections
733	  tracked by a conntrack-helper, ie. ip_conntrack_ftp
734
735	  To compile it as a module, choose M here.  If unsure, say Y.
736
737config NETFILTER_XT_MATCH_HL
738	tristate '"hl" hoplimit/TTL match support'
739	depends on NETFILTER_ADVANCED
740	---help---
741	HL matching allows you to match packets based on the hoplimit
742	in the IPv6 header, or the time-to-live field in the IPv4
743	header of the packet.
744
745config NETFILTER_XT_MATCH_IPRANGE
746	tristate '"iprange" address range match support'
747	depends on NETFILTER_ADVANCED
748	---help---
749	This option adds a "iprange" match, which allows you to match based on
750	an IP address range. (Normal iptables only matches on single addresses
751	with an optional mask.)
752
753	If unsure, say M.
754
755config NETFILTER_XT_MATCH_IPVS
756	tristate '"ipvs" match support'
757	depends on IP_VS
758	depends on NETFILTER_ADVANCED
759	depends on NF_CONNTRACK
760	help
761	  This option allows you to match against IPVS properties of a packet.
762
763	  If unsure, say N.
764
765config NETFILTER_XT_MATCH_LENGTH
766	tristate '"length" match support'
767	depends on NETFILTER_ADVANCED
768	help
769	  This option allows you to match the length of a packet against a
770	  specific value or range of values.
771
772	  To compile it as a module, choose M here.  If unsure, say N.
773
774config NETFILTER_XT_MATCH_LIMIT
775	tristate '"limit" match support'
776	depends on NETFILTER_ADVANCED
777	help
778	  limit matching allows you to control the rate at which a rule can be
779	  matched: mainly useful in combination with the LOG target ("LOG
780	  target support", below) and to avoid some Denial of Service attacks.
781
782	  To compile it as a module, choose M here.  If unsure, say N.
783
784config NETFILTER_XT_MATCH_MAC
785	tristate '"mac" address match support'
786	depends on NETFILTER_ADVANCED
787	help
788	  MAC matching allows you to match packets based on the source
789	  Ethernet address of the packet.
790
791	  To compile it as a module, choose M here.  If unsure, say N.
792
793config NETFILTER_XT_MATCH_MARK
794	tristate '"mark" match support'
795	depends on NETFILTER_ADVANCED
796	select NETFILTER_XT_MARK
797	---help---
798	This is a backwards-compat option for the user's convenience
799	(e.g. when running oldconfig). It selects
800	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
801
802config NETFILTER_XT_MATCH_MULTIPORT
803	tristate '"multiport" Multiple port match support'
804	depends on NETFILTER_ADVANCED
805	help
806	  Multiport matching allows you to match TCP or UDP packets based on
807	  a series of source or destination ports: normally a rule can only
808	  match a single range of ports.
809
810	  To compile it as a module, choose M here.  If unsure, say N.
811
812config NETFILTER_XT_MATCH_OSF
813	tristate '"osf" Passive OS fingerprint match'
814	depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
815	help
816	  This option selects the Passive OS Fingerprinting match module
817	  that allows to passively match the remote operating system by
818	  analyzing incoming TCP SYN packets.
819
820	  Rules and loading software can be downloaded from
821	  http://www.ioremap.net/projects/osf
822
823	  To compile it as a module, choose M here.  If unsure, say N.
824
825config NETFILTER_XT_MATCH_OWNER
826	tristate '"owner" match support'
827	depends on NETFILTER_ADVANCED
828	---help---
829	Socket owner matching allows you to match locally-generated packets
830	based on who created the socket: the user or group. It is also
831	possible to check whether a socket actually exists.
832
833config NETFILTER_XT_MATCH_POLICY
834	tristate 'IPsec "policy" match support'
835	depends on XFRM
836	default m if NETFILTER_ADVANCED=n
837	help
838	  Policy matching allows you to match packets based on the
839	  IPsec policy that was used during decapsulation/will
840	  be used during encapsulation.
841
842	  To compile it as a module, choose M here.  If unsure, say N.
843
844config NETFILTER_XT_MATCH_PHYSDEV
845	tristate '"physdev" match support'
846	depends on BRIDGE && BRIDGE_NETFILTER
847	depends on NETFILTER_ADVANCED
848	help
849	  Physdev packet matching matches against the physical bridge ports
850	  the IP packet arrived on or will leave by.
851
852	  To compile it as a module, choose M here.  If unsure, say N.
853
854config NETFILTER_XT_MATCH_PKTTYPE
855	tristate '"pkttype" packet type match support'
856	depends on NETFILTER_ADVANCED
857	help
858	  Packet type matching allows you to match a packet by
859	  its "class", eg. BROADCAST, MULTICAST, ...
860
861	  Typical usage:
862	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
863
864	  To compile it as a module, choose M here.  If unsure, say N.
865
866config NETFILTER_XT_MATCH_QUOTA
867	tristate '"quota" match support'
868	depends on NETFILTER_ADVANCED
869	help
870	  This option adds a `quota' match, which allows to match on a
871	  byte counter.
872
873	  If you want to compile it as a module, say M here and read
874	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
875
876config NETFILTER_XT_MATCH_RATEEST
877	tristate '"rateest" match support'
878	depends on NETFILTER_ADVANCED
879	select NETFILTER_XT_TARGET_RATEEST
880	help
881	  This option adds a `rateest' match, which allows to match on the
882	  rate estimated by the RATEEST target.
883
884	  To compile it as a module, choose M here.  If unsure, say N.
885
886config NETFILTER_XT_MATCH_REALM
887	tristate  '"realm" match support'
888	depends on NETFILTER_ADVANCED
889	select NET_CLS_ROUTE
890	help
891	  This option adds a `realm' match, which allows you to use the realm
892	  key from the routing subsystem inside iptables.
893
894	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
895	  in tc world.
896
897	  If you want to compile it as a module, say M here and read
898	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
899
900config NETFILTER_XT_MATCH_RECENT
901	tristate '"recent" match support'
902	depends on NETFILTER_ADVANCED
903	---help---
904	This match is used for creating one or many lists of recently
905	used addresses and then matching against that/those list(s).
906
907	Short options are available by using 'iptables -m recent -h'
908	Official Website: <http://snowman.net/projects/ipt_recent/>
909
910config NETFILTER_XT_MATCH_SCTP
911	tristate  '"sctp" protocol match support (EXPERIMENTAL)'
912	depends on EXPERIMENTAL
913	depends on NETFILTER_ADVANCED
914	default IP_SCTP
915	help
916	  With this option enabled, you will be able to use the
917	  `sctp' match in order to match on SCTP source/destination ports
918	  and SCTP chunk types.
919
920	  If you want to compile it as a module, say M here and read
921	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
922
923config NETFILTER_XT_MATCH_SOCKET
924	tristate '"socket" match support (EXPERIMENTAL)'
925	depends on EXPERIMENTAL
926	depends on NETFILTER_TPROXY
927	depends on NETFILTER_XTABLES
928	depends on NETFILTER_ADVANCED
929	depends on !NF_CONNTRACK || NF_CONNTRACK
930	select NF_DEFRAG_IPV4
931	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
932	help
933	  This option adds a `socket' match, which can be used to match
934	  packets for which a TCP or UDP socket lookup finds a valid socket.
935	  It can be used in combination with the MARK target and policy
936	  routing to implement full featured non-locally bound sockets.
937
938	  To compile it as a module, choose M here.  If unsure, say N.
939
940config NETFILTER_XT_MATCH_STATE
941	tristate '"state" match support'
942	depends on NF_CONNTRACK
943	default m if NETFILTER_ADVANCED=n
944	help
945	  Connection state matching allows you to match packets based on their
946	  relationship to a tracked connection (ie. previous packets).  This
947	  is a powerful tool for packet classification.
948
949	  To compile it as a module, choose M here.  If unsure, say N.
950
951config NETFILTER_XT_MATCH_STATISTIC
952	tristate '"statistic" match support'
953	depends on NETFILTER_ADVANCED
954	help
955	  This option adds a `statistic' match, which allows you to match
956	  on packets periodically or randomly with a given percentage.
957
958	  To compile it as a module, choose M here.  If unsure, say N.
959
960config NETFILTER_XT_MATCH_STRING
961	tristate  '"string" match support'
962	depends on NETFILTER_ADVANCED
963	select TEXTSEARCH
964	select TEXTSEARCH_KMP
965	select TEXTSEARCH_BM
966	select TEXTSEARCH_FSM
967	help
968	  This option adds a `string' match, which allows you to look for
969	  pattern matchings in packets.
970
971	  To compile it as a module, choose M here.  If unsure, say N.
972
973config NETFILTER_XT_MATCH_TCPMSS
974	tristate '"tcpmss" match support'
975	depends on NETFILTER_ADVANCED
976	help
977	  This option adds a `tcpmss' match, which allows you to examine the
978	  MSS value of TCP SYN packets, which control the maximum packet size
979	  for that connection.
980
981	  To compile it as a module, choose M here.  If unsure, say N.
982
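The `tcpmss' match above compares the MSS advertised in a SYN against a range, which first requires walking the TCP option list safely. The following is an added example, not code from the kernel's xt_tcpmss.c: a bounds-checked option walk that returns the MSS (or 0 when no well-formed MSS option exists). The sample SYN headers and their option layouts are constructed here for illustration.

```c
/* Added example, not code from the kernel's xt_tcpmss.c: extract the MSS
 * option from a TCP SYN header the way a "tcpmss" match would need to before
 * comparing it with a range. The option walk is bounds-checked against the
 * data offset so a malformed option list cannot read past the header. The
 * sample headers are constructed here for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TCPOPT_EOL  0
#define TCPOPT_NOP  1
#define TCPOPT_MSS  2
#define TCPOLEN_MSS 4

/* Return the advertised MSS from a TCP header of hlen available bytes, or 0
 * when there is no well-formed MSS option (no options, truncated header,
 * bad option length). The data offset field bounds the walk, and it is itself
 * checked against hlen first. */
uint16_t tcp_syn_mss(const uint8_t *tcph, size_t hlen)
{
    if (hlen < 20) return 0;                    /* shorter than a fixed header */
    size_t doff = (size_t)(tcph[12] >> 4) * 4;  /* header length in bytes */
    if (doff < 20 || doff > hlen) return 0;     /* bogus or truncated header */
    size_t i = 20;
    while (i < doff) {
        uint8_t kind = tcph[i];
        if (kind == TCPOPT_EOL) break;          /* end of option list */
        if (kind == TCPOPT_NOP) { i++; continue; }  /* single-byte padding */
        if (i + 1 >= doff) return 0;            /* no room for a length byte */
        uint8_t len = tcph[i + 1];
        if (len < 2 || i + len > doff) return 0;   /* malformed length */
        if (kind == TCPOPT_MSS) {
            if (len != TCPOLEN_MSS) return 0;
            return (uint16_t)(((uint16_t)tcph[i + 2] << 8) | tcph[i + 3]);
        }
        i += len;                               /* skip an unrelated option */
    }
    return 0;
}

/* Constructed SYN header, data offset 6 (24 bytes): MSS option 1460. */
const uint8_t syn_mss[] = {
    0xc0, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x60, 0x02, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
};
/* Constructed, data offset 7 (28 bytes): NOP, NOP, MSS 1460, NOP, EOL. */
const uint8_t syn_mss_padded[] = {
    0xc0, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x70, 0x02, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
    0x01, 0x01, 0x02, 0x04, 0x05, 0xb4, 0x01, 0x00,
};
/* Constructed, data offset 6 but the MSS option claims length 0: malformed. */
const uint8_t syn_mss_bad[] = {
    0xc0, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x60, 0x02, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x05, 0xb4,
};

int main(void)
{
    printf("plain:     %u\n", tcp_syn_mss(syn_mss, sizeof syn_mss));
    printf("padded:    %u\n", tcp_syn_mss(syn_mss_padded, sizeof syn_mss_padded));
    printf("malformed: %u\n", tcp_syn_mss(syn_mss_bad, sizeof syn_mss_bad));
    printf("truncated: %u\n", tcp_syn_mss(syn_mss, 22));
    return 0;
}
```

The truncated case passes only 22 of the 24 bytes the data offset promises; the walker refuses it rather than reading past the buffer, which is the check a packet-parsing match must make before trusting any length field in the packet.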
config NETFILTER_XT_MATCH_TIME
	tristate '"time" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds a "time" match, which allows you to match based on
	  the packet arrival time (at the machine on which netfilter is
	  running) or departure time/date (for locally generated packets).

	  If you say Y here, try `iptables -m time --help` for
	  more information.

	  If you want to compile it as a module, say M here.
	  If unsure, say N.

config NETFILTER_XT_MATCH_U32
	tristate '"u32" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  u32 allows you to extract quantities of up to 4 bytes from a packet,
	  AND them with specified masks, shift them by specified amounts and
	  test whether the results are in any of a set of specified ranges.
	  The specification of what to extract is general enough to skip over
	  headers with lengths stored in the packet, as in IP or TCP header
	  lengths.

	  Details and examples are in the kernel module source.

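The u32 help text above describes the extract/mask/shift/range machinery and the "@" re-basing that skips a header whose length is stored in the packet. The following is an added user-space model of that evaluation, not code from the kernel's xt_u32.c: it encodes three common u32 tests (IP options present, TCP destination port via the IHL skip, SYN-only flags) and runs them over a constructed IPv4+TCP packet, failing the match when a read would run past the packet, as the kernel does. The packet bytes and the test encodings are constructed here for illustration; shift counts are assumed to be below 32.

```c
/* Added example, not code from the kernel's xt_u32.c: a user-space model of how
 * a "u32" test such as "0>>22&0x3C@0&0xFFFF=22" is evaluated against a packet,
 * including the "@" re-basing that skips a variable-length IPv4 header and the
 * bounds checks that make a truncated packet fail the match.  The packet bytes
 * and the test encodings are constructed here for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Operators of the u32 syntax: &mask, <<n, >>n and @offset (move the packet
 * cursor forward by the current value, then reload a word at the new offset). */
enum u32_op { OP_AND, OP_LSH, OP_RSH, OP_AT };

struct u32_step  { enum u32_op op; uint32_t num; };
struct u32_range { uint32_t min, max; };
struct u32_test {
    uint32_t location;               /* initial byte offset ("0" in "0>>22...") */
    const struct u32_step *steps;    /* operator chain, applied left to right */
    size_t nsteps;
    const struct u32_range *ranges;  /* accepted ranges after "=" (min:max) */
    size_t nranges;
};

/* Read a big-endian 32-bit word at pkt[pos] (the kernel does ntohl() on it).
 * Sets *ok = 0 when fewer than 4 bytes remain; the kernel then fails the match. */
static uint32_t rd32(const uint8_t *pkt, size_t len, size_t pos, int *ok)
{
    if (pos > len || len - pos < 4) { *ok = 0; return 0; }
    *ok = 1;
    return ((uint32_t)pkt[pos] << 24) | ((uint32_t)pkt[pos + 1] << 16) |
           ((uint32_t)pkt[pos + 2] << 8) | (uint32_t)pkt[pos + 3];
}

/* Evaluate one u32 test: 1 if the final value lies in any range, else 0.
 * Shift counts are assumed to be below 32 (iptables rejects larger ones). */
int u32_match(const uint8_t *pkt, size_t len, const struct u32_test *t)
{
    int ok;
    size_t at = 0;                                  /* cursor moved by "@" */
    uint32_t val = rd32(pkt, len, at + t->location, &ok);
    if (!ok) return 0;
    for (size_t i = 0; i < t->nsteps; i++) {
        const struct u32_step *s = &t->steps[i];
        switch (s->op) {
        case OP_AND: val &= s->num; break;
        case OP_LSH: val <<= s->num; break;
        case OP_RSH: val >>= s->num; break;
        case OP_AT:                                 /* "@n": re-base, then reload */
            at += val;
            val = rd32(pkt, len, at + s->num, &ok);
            if (!ok) return 0;
            break;
        }
    }
    for (size_t i = 0; i < t->nranges; i++)
        if (val >= t->ranges[i].min && val <= t->ranges[i].max) return 1;
    return 0;
}

/* Constructed packet: IPv4 header with 4 bytes of options (IHL = 6, so the TCP
 * header starts at byte 24), then a TCP SYN from port 49152 to port 22. */
const uint8_t syn_pkt[] = {
    0x46, 0x00, 0x00, 0x30, 0x12, 0x34, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02, 0x01, 0x01, 0x01, 0x00,
    0xc0, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x60, 0x02, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
};

/* "0>>24&0x0F=6:15": IHL of 6..15 words, i.e. the IPv4 header carries options. */
static const struct u32_step  ihl_steps[]  = { {OP_RSH, 24}, {OP_AND, 0x0F} };
static const struct u32_range ihl_ranges[] = { {6, 15} };
const struct u32_test t_ip_options = { 0, ihl_steps, 2, ihl_ranges, 1 };

/* "0>>22&0x3C@0&0xFFFF=port": (word0 >> 22) & 0x3C is IHL*4, the IP header
 * length in bytes; "@0" jumps there and the low 16 bits are the TCP dest port. */
static const struct u32_step dport_steps[] = {
    {OP_RSH, 22}, {OP_AND, 0x3C}, {OP_AT, 0}, {OP_AND, 0xFFFF} };
int u32_match_tcp_dport(const uint8_t *pkt, size_t len, uint16_t port)
{
    struct u32_range r = { port, port };
    struct u32_test t = { 0, dport_steps, 4, &r, 1 };
    return u32_match(pkt, len, &t);
}

/* "0>>22&0x3C@12>>16&0x3F=0x02": skip the IP header, take the TCP word at
 * offset 12 (data offset/flags/window), keep the low six flag bits, require
 * exactly SYN. */
static const struct u32_step syn_steps[] = {
    {OP_RSH, 22}, {OP_AND, 0x3C}, {OP_AT, 12}, {OP_RSH, 16}, {OP_AND, 0x3F} };
static const struct u32_range syn_ranges[] = { {0x02, 0x02} };
const struct u32_test t_tcp_syn_only = { 0, syn_steps, 5, syn_ranges, 1 };

int main(void)
{
    printf("ip options: %d\n", u32_match(syn_pkt, sizeof syn_pkt, &t_ip_options));
    printf("dport 22:   %d\n", u32_match_tcp_dport(syn_pkt, sizeof syn_pkt, 22));
    printf("dport 80:   %d\n", u32_match_tcp_dport(syn_pkt, sizeof syn_pkt, 80));
    printf("SYN only:   %d\n", u32_match(syn_pkt, sizeof syn_pkt, &t_tcp_syn_only));
    printf("truncated:  %d\n", u32_match(syn_pkt, 30, &t_tcp_syn_only));
    return 0;
}
```

The same three tests map directly onto iptables rules of the form `-m u32 --u32 "0>>22&0x3C@0&0xFFFF=22"`; the point of the model is that the "@" operator trusts a length field taken from the packet, so every reload after it must be bounds-checked against the real packet length, which is why the truncated case fails rather than matching.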
endif # NETFILTER_XTABLES

endmenu

source "net/netfilter/ipvs/Kconfig"
