menu "Core Netfilter Configuration"
	depends on NET && NETFILTER

config NETFILTER_NETLINK
	tristate "Netfilter netlink interface"
	help
	  If this option is enabled, the kernel will include support
	  for the new netfilter netlink interface.

config NETFILTER_NETLINK_QUEUE
	tristate "Netfilter NFQUEUE over NFNETLINK interface"
	depends on NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for queueing packets via NFNETLINK.

config NETFILTER_NETLINK_LOG
	tristate "Netfilter LOG over NFNETLINK interface"
	depends on NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for logging packets via NFNETLINK.

	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
	  and is also scheduled to replace the old syslog-based ipt_LOG
	  and ip6t_LOG modules.

config NF_CONNTRACK
	tristate "Layer 3 Independent Connection tracking (EXPERIMENTAL)"
	depends on EXPERIMENTAL && IP_NF_CONNTRACK=n
	default n
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.
	  It cannot be enabled together with the old ip_conntrack.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CT_ACCT
	bool "Connection tracking flow accounting"
	depends on NF_CONNTRACK
	help
	  If this option is enabled, the connection tracking code will
	  keep per-flow packet and byte counters.

	  Those counters can be used for flow-based accounting or the
	  `connbytes' match.

	  If unsure, say `N'.

config NF_CONNTRACK_MARK
	bool 'Connection mark tracking support'
	depends on NF_CONNTRACK
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match.
	  Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config NF_CONNTRACK_SECMARK
	bool 'Connection tracking security mark support'
	depends on NF_CONNTRACK && NETWORK_SECMARK
	help
	  This option enables security markings to be applied to
	  connections. Typically they are copied to connections from
	  packets using the CONNSECMARK target and copied back from
	  connections to packets with the same target, with the packets
	  being originally labeled via SECMARK.

	  If unsure, say 'N'.

config NF_CONNTRACK_EVENTS
	bool "Connection tracking events (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_CONNTRACK
	help
	  If this option is enabled, the connection tracking code will
	  provide a notifier chain that can be used by other kernel code
	  to get notified about changes in the connection tracking state.

	  If unsure, say `N'.

config NF_CT_PROTO_SCTP
	tristate 'SCTP protocol on new connection tracking support (EXPERIMENTAL)'
	depends on EXPERIMENTAL && NF_CONNTRACK
	default n
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on SCTP connections.

	  If you want to compile it as a module, say M here and read
	  Documentation/modules.txt. If unsure, say `N'.

config NF_CONNTRACK_FTP
	tristate "FTP support on new connection tracking (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_CONNTRACK
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them. The helper parses the
	  FTP control channel and registers the expected data connections
	  as RELATED.

	  This is FTP support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CT_NETLINK
	tristate 'Connection tracking netlink interface (EXPERIMENTAL)'
	depends on EXPERIMENTAL && NF_CONNTRACK && NETFILTER_NETLINK
	depends on NF_CONNTRACK!=y || NETFILTER_NETLINK!=m
	help
	  This option enables support for a netlink-based userspace interface

config NETFILTER_XTABLES
	tristate "Netfilter Xtables support (required for ip_tables)"
	help
	  This is required if you intend to use any of ip_tables,
	  ip6_tables or arp_tables.

# alphabetically ordered list of targets

config NETFILTER_XT_TARGET_CLASSIFY
	tristate '"CLASSIFY" target support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet. Some qdiscs can use this value for
	  classification, among these are:

	  atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CONNMARK
	tristate '"CONNMARK" target support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK)
	help
	  This option adds a `CONNMARK' target, which allows one to manipulate
	  the connection mark value. Similar to the MARK target, but
	  affects the connection mark value rather than the packet mark value.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. The module will be called
	  xt_CONNMARK. If unsure, say `N'.

config NETFILTER_XT_TARGET_MARK
	tristate '"MARK" target support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `MARK' target, which allows you to create rules
	  in the `mangle' table which alter the netfilter mark (nfmark) field
	  associated with the packet prior to routing.
	  This can change
	  the routing method (see `Use netfilter MARK value as routing
	  key') and can also be used by other subsystems to change their
	  behavior.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NFQUEUE
	tristate '"NFQUEUE" target support'
	depends on NETFILTER_XTABLES
	help
	  This target replaced the old obsolete QUEUE target.

	  As opposed to QUEUE, it supports 65536 different queues
	  (numbered 0 to 65535), not just one.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NOTRACK
	tristate '"NOTRACK" target support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on IP_NF_CONNTRACK || NF_CONNTRACK
	help
	  The NOTRACK target allows a rule in the `raw' table to select
	  packets which should *not* enter the conntrack/NAT subsystem,
	  with all the consequences (no ICMP error tracking, no protocol
	  helpers, and no ESTABLISHED/RELATED matching later on for the
	  selected packets).

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_TARGET_SECMARK
	tristate '"SECMARK" target support'
	depends on NETFILTER_XTABLES && NETWORK_SECMARK
	help
	  The SECMARK target allows security marking of network
	  packets, for use with security subsystems.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CONNSECMARK
	tristate '"CONNSECMARK" target support'
	depends on NETFILTER_XTABLES && (NF_CONNTRACK_SECMARK || IP_NF_CONNTRACK_SECMARK)
	help
	  The CONNSECMARK target copies security markings from packets
	  to connections, and restores security markings from connections
	  to packets (if the packets are not already marked). This would
	  normally be used in conjunction with the SECMARK target.

	  To compile it as a module, choose M here. If unsure, say N.
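# The CONNMARK, MARK, NOTRACK and NFQUEUE targets described above are usually
# combined on a multi-homed gateway. The script below is an added example and
# is not part of the kernel's Kconfig or of the netfilter project; it emits the
# mangle, raw and filter rules in iptables-restore format so they can be
# reviewed before loading. The interface name, subnet, mark values, routing
# table ids and queue number are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not kernel source): CONNMARK/MARK policy routing, NOTRACK
# for a high-rate service, and NFQUEUE hand-off to userspace. Every name
# and number below is an assumption made for the example.

LAN=eth0                  # assumed interface facing the internal network
SUBNET_A=192.168.1.0/25   # assumed hosts that should leave via uplink 1
MARK_WAN1=1               # fwmark used as routing key for uplink 1
MARK_WAN2=2               # fwmark used as routing key for uplink 2
TABLE_WAN1=101            # assumed ip rule / ip route table ids
TABLE_WAN2=102
IDS_QUEUE=10              # NFQUEUE number an inspection daemon must bind

# mangle table: choose an uplink once per connection and remember it in the
# conntrack entry, so every later packet of the flow (replies included)
# carries the same mark and is routed the same way.
gen_mangle_rules() {
	cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
# 1. Copy the connection mark back onto the packet (0 for a new flow).
-A PREROUTING -i $LAN -j CONNMARK --restore-mark
# 2. Only still-unmarked NEW connections get an uplink assigned.
-A PREROUTING -i $LAN -s $SUBNET_A -m mark --mark 0 -m conntrack --ctstate NEW -j MARK --set-mark $MARK_WAN1
-A PREROUTING -i $LAN -m mark --mark 0 -m conntrack --ctstate NEW -j MARK --set-mark $MARK_WAN2
# 3. Persist the packet mark into the conntrack session (needs NF_CONNTRACK_MARK).
-A PREROUTING -i $LAN -m conntrack --ctstate NEW -j CONNMARK --save-mark
# 4. Divert inbound TCP connection attempts to a userspace inspector.
#    Caveat: if no program is bound to the queue the kernel drops these
#    packets, so start the inspector before loading this rule.
-A PREROUTING ! -i $LAN -p tcp --syn -j NFQUEUE --queue-num $IDS_QUEUE
COMMIT
EOF
}

# raw + filter tables: keep a busy NTP service out of the conntrack table.
gen_notrack_rules() {
	cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Both directions must be exempted; otherwise the replies alone would
# still create conntrack entries.
-A PREROUTING -p udp --dport 123 -j NOTRACK
-A OUTPUT -p udp --sport 123 -j NOTRACK
COMMIT
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Consequence of NOTRACK: these packets never match ESTABLISHED/RELATED,
# so they need an explicit accept rule keyed on the UNTRACKED state.
-A INPUT -p udp --dport 123 -m conntrack --ctstate UNTRACKED -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Routing side: the fwmark selects the table. Each table needs its own
# default route via one uplink, which depends on the site and is omitted.
setup_policy_routing() {
	ip rule add fwmark "$MARK_WAN1" table "$TABLE_WAN1"
	ip rule add fwmark "$MARK_WAN2" table "$TABLE_WAN2"
}

# "print" (default) shows the ruleset; "apply" loads it without flushing
# the other tables (-n) and installs the routing rules. Needs root.
case "${1:-print}" in
	print) gen_mangle_rules; gen_notrack_rules ;;
	apply) { gen_mangle_rules; gen_notrack_rules; } | iptables-restore -n && setup_policy_routing ;;
esac
```

# Rule 1 must run before rule 2: restoring the connection mark first is
# what keeps the "mark 0" test from re-assigning an uplink to packets of an
# existing flow, which would otherwise break the return path on NAT uplinks.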

config NETFILTER_XT_MATCH_COMMENT
	tristate '"comment" match support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `comment' dummy-match, which allows you to put
	  comments in your iptables ruleset.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNBYTES
	tristate '"connbytes" per-connection counter match support'
	depends on NETFILTER_XTABLES
	depends on (IP_NF_CONNTRACK && IP_NF_CT_ACCT) || (NF_CT_ACCT && NF_CONNTRACK)
	help
	  This option adds a `connbytes' match, which allows you to match the
	  number of bytes and/or packets for each direction within a connection.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNMARK
	tristate '"connmark" connection mark match support'
	depends on NETFILTER_XTABLES
	depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK)
	help
	  This option adds a `connmark' match, which allows you to match the
	  connection mark value previously set for the session by `CONNMARK'.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. The module will be called
	  xt_connmark. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNTRACK
	tristate '"conntrack" connection tracking match support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_CONNTRACK || NF_CONNTRACK
	help
	  This is a general conntrack match module, a superset of the state match.

	  It allows matching on additional conntrack information, which is
	  useful in complex configurations, such as NAT gateways with multiple
	  internet links or tunnels.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_DCCP
	tristate '"DCCP" protocol match support'
	depends on NETFILTER_XTABLES
	help
	  With this option enabled, you will be able to use the iptables
	  `dccp' match in order to match on DCCP source/destination ports
	  and DCCP flags.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_ESP
	tristate '"ESP" match support'
	depends on NETFILTER_XTABLES
	help
	  This match extension allows you to match a range of SPIs
	  inside the ESP header of IPsec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_HELPER
	tristate '"helper" match support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_CONNTRACK || NF_CONNTRACK
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack-helper, i.e. ip_conntrack_ftp.

	  To compile it as a module, choose M here. If unsure, say Y.

config NETFILTER_XT_MATCH_LENGTH
	tristate '"length" match support'
	depends on NETFILTER_XTABLES
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_LIMIT
	tristate '"limit" match support'
	depends on NETFILTER_XTABLES
	help
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", below) and to avoid some Denial of Service attacks.
	  The limit is kept per rule, not per source address, so a single
	  noisy host can consume the whole budget.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MAC
	tristate '"mac" address match support'
	depends on NETFILTER_XTABLES
	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MARK
	tristate '"mark" match support'
	depends on NETFILTER_XTABLES
	help
	  Netfilter mark matching allows you to match packets based on the
	  `nfmark' value in the packet. This can be set by the MARK target
	  (see below).

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_POLICY
	tristate 'IPsec "policy" match support'
	depends on NETFILTER_XTABLES && XFRM
	help
	  Policy matching allows you to match packets based on the
	  IPsec policy that was used during decapsulation/will
	  be used during encapsulation.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MULTIPORT
	tristate "Multiple port match support"
	depends on NETFILTER_XTABLES
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_PHYSDEV
	tristate '"physdev" match support'
	depends on NETFILTER_XTABLES && BRIDGE_NETFILTER
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_PKTTYPE
	tristate '"pkttype" packet type match support'
	depends on NETFILTER_XTABLES
	help
	  Packet type matching allows you to match a packet by
	  its "class", e.g. BROADCAST, MULTICAST, ...

	  Typical usage:
	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_QUOTA
	tristate '"quota" match support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `quota' match, which allows you to match on a
	  byte counter.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_REALM
	tristate '"realm" match support'
	depends on NETFILTER_XTABLES
	select NET_CLS_ROUTE
	help
	  This option adds a `realm' match, which allows you to use the realm
	  key from the routing subsystem inside iptables.

	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
	  in the tc world.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_SCTP
	tristate '"sctp" protocol match support'
	depends on NETFILTER_XTABLES
	help
	  With this option enabled, you will be able to use the
	  `sctp' match in order to match on SCTP source/destination ports
	  and SCTP chunk types.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_STATE
	tristate '"state" match support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_CONNTRACK || NF_CONNTRACK
	help
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (i.e. previous packets). This
	  is a powerful tool for packet classification.

	  To compile it as a module, choose M here. If unsure, say N.
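# The match extensions above (conntrack/state, helper, multiport, mac,
# connbytes, limit and comment) are the building blocks of a stateful host
# policy. The script below is an added example and is not part of the
# kernel's Kconfig or of the netfilter project; it emits a filter table in
# iptables-restore format. The admin network, MAC address and port list are
# assumptions chosen for illustration, and the LOG target it uses is the
# IPv4 ipt_LOG target configured elsewhere in the tree.

```shell
#!/bin/sh
# Added example (not kernel source): a stateful INPUT policy built from
# the match extensions of this menu. Addresses, ports and the admin MAC
# are assumptions made for the example.

MGMT_NET=10.0.0.0/24            # assumed admin network
MGMT_MAC=00:11:22:33:44:55      # assumed MAC of the admin workstation
PUBLIC_TCP=80,443,21            # assumed public services (FTP included)
BULK_BYTES=10485760             # flows above 10 MiB get logged once

gen_filter_rules() {
	cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
# Packets conntrack cannot tie to a flow (bad TCP flags, out-of-window
# data) are dropped first so they can never reach an accept rule.
-A INPUT -m conntrack --ctstate INVALID -j LOGDROP
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# RELATED is accepted selectively: ICMP errors for our flows, and data
# connections that the ftp helper expected (NF_CONNTRACK_FTP). Any other
# helper that might be loaded later does not get a free pass.
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -m comment --comment "ftp data channel via helper" -j ACCEPT
# Public services: one multiport rule instead of one rule per port.
-A INPUT -p tcp -m multiport --dports $PUBLIC_TCP -m conntrack --ctstate NEW -j ACCEPT
# SSH only from the admin network and only from one known MAC. The MAC
# check is defence in depth on the local segment only: it is spoofable
# and is not preserved across a router.
-A INPUT -p tcp --dport 22 -s $MGMT_NET -m mac --mac-source $MGMT_MAC -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j LOGDROP
# Forwarded traffic: log bulk flows once (needs NF_CT_ACCT for connbytes),
# then allow only replies to tracked connections.
-A FORWARD -m connbytes --connbytes $BULK_BYTES: --connbytes-dir both --connbytes-mode bytes -m limit --limit 1/min -j LOG --log-prefix "bulk-flow: "
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Rate-limited logging: without limit a flood fills the log and burns CPU.
# The budget is per rule, so one noisy host can silence the others.
-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "input-drop: " --log-level 4
-A LOGDROP -j DROP
# Anything else falls through to the chain policy (DROP).
COMMIT
EOF
}

# "print" (default) shows the ruleset; "apply" replaces the filter table
# (iptables-restore flushes it first). Needs root; review before applying.
case "${1:-print}" in
	print) gen_filter_rules ;;
	apply) gen_filter_rules | iptables-restore ;;
esac
```

# Dropping INVALID before the ESTABLISHED rule matters: a packet conntrack
# has rejected is never ESTABLISHED, but without the explicit drop it would
# still be tested against the NEW rules below and could open a stray flow.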

config NETFILTER_XT_MATCH_STATISTIC
	tristate '"statistic" match support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `statistic' match, which matches packets
	  either randomly with a given probability or every n-th packet.
	  This can be used for sampling or for simple load balancing.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STRING
	tristate '"string" match support'
	depends on NETFILTER_XTABLES
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	select TEXTSEARCH_BM
	select TEXTSEARCH_FSM
	help
	  This option adds a `string' match, which allows you to look for
	  a pattern in the contents of a packet.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_TCPMSS
	tristate '"tcpmss" match support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS value of TCP SYN packets, which controls the maximum packet size
	  for that connection.

	  To compile it as a module, choose M here. If unsure, say N.

endmenu

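# The last three matches (statistic, string, tcpmss) are the ones used for
# inspection and sampling rather than for access control. The script below
# is an added example and is not part of the kernel's Kconfig or of the
# netfilter project; it emits a mangle table in iptables-restore format. The
# minimum MSS, the search strings, the sampling probability and the queue
# number are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not kernel source): tcpmss on SYNs, string on payload,
# and statistic for random sampling into NFQUEUE. All values below are
# assumptions made for the example.

MIN_MSS=536          # assumed smallest MSS we are willing to serve
SAMPLE_PROB=0.01     # assumed fraction of forwarded packets to divert
SAMPLE_QUEUE=20      # assumed NFQUEUE number for the sampling consumer
HDR_SKIP=40          # minimal IPv4 + TCP header length to skip for string

gen_inspection_rules() {
	cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
# tcpmss: a SYN advertising a tiny MSS makes the server emit many tiny
# segments per byte sent. Drop such SYNs in PREROUTING, before conntrack
# allocates a flow for them.
-A PREROUTING -p tcp --syn -m tcpmss --mss 1:$((MIN_MSS - 1)) -j DROP
# string: search the packet for a literal. --from is an offset from the
# start of the IP header, so skipping 40 bytes avoids false hits inside
# minimal headers. Caveat: the match sees one packet at a time; a pattern
# split across two TCP segments is not found, so treat this as a tripwire
# and not as a content filter.
-A FORWARD -p tcp --dport 80 -m string --algo bm --from $HDR_SKIP --string "/etc/passwd" -m limit --limit 10/min -j LOG --log-prefix "path-probe: "
# Binary patterns go through --hex-string; here the four-byte ELF magic,
# to flag executables being uploaded over plain HTTP.
-A FORWARD -p tcp --dport 80 -m string --algo bm --from $HDR_SKIP --hex-string "|7f454c46|" -m limit --limit 10/min -j LOG --log-prefix "elf-upload: "
# statistic: divert a random fraction of forwarded packets to a userspace
# analyser. Random mode decides per packet, so flows are not sampled as a
# whole; --mode nth --every N --packet 0 gives deterministic 1-in-N instead.
# As with any NFQUEUE rule, packets are dropped while nothing is bound.
-A FORWARD -m statistic --mode random --probability $SAMPLE_PROB -j NFQUEUE --queue-num $SAMPLE_QUEUE
COMMIT
EOF
}

# "print" (default) shows the ruleset; "apply" loads it without flushing
# the other tables. Needs root; review before applying.
case "${1:-print}" in
	print) gen_inspection_rules ;;
	apply) gen_inspection_rules | iptables-restore -n ;;
esac
```

# The string rules only log: once the payload is in the kernel's hands a
# single-packet pattern match is cheap evidence, but dropping on it would
# give an attacker a trivial way to knock out legitimate traffic that
# happens to carry the same bytes.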