1menu "Core Netfilter Configuration"
2	depends on NET && INET && NETFILTER
3
4config NETFILTER_INGRESS
5	bool "Netfilter ingress support"
6	default y
7	select NET_INGRESS
8	help
9	  This allows you to classify packets from ingress using the Netfilter
10	  infrastructure.
11
12config NETFILTER_NETLINK
13	tristate
14
15config NETFILTER_NETLINK_ACCT
16	tristate "Netfilter NFACCT over NFNETLINK interface"
17	depends on NETFILTER_ADVANCED
18	select NETFILTER_NETLINK
19	help
20	  If this option is enabled, the kernel will include support
21	  for extended accounting via NFNETLINK.
22
23config NETFILTER_NETLINK_QUEUE
24	tristate "Netfilter NFQUEUE over NFNETLINK interface"
25	depends on NETFILTER_ADVANCED
26	select NETFILTER_NETLINK
27	help
28	  If this option is enabled, the kernel will include support
29	  for queueing packets via NFNETLINK.
30
31config NETFILTER_NETLINK_LOG
32	tristate "Netfilter LOG over NFNETLINK interface"
33	default m if NETFILTER_ADVANCED=n
34	select NETFILTER_NETLINK
35	help
36	  If this option is enabled, the kernel will include support
37	  for logging packets via NFNETLINK.
38
39	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
40	  and is also scheduled to replace the old syslog-based ipt_LOG
41	  and ip6t_LOG modules.
42
43config NF_CONNTRACK
44	tristate "Netfilter connection tracking support"
45	default m if NETFILTER_ADVANCED=n
46	help
47	  Connection tracking keeps a record of what packets have passed
48	  through your machine, in order to figure out how they are related
49	  into connections.
50
51	  This is required to do Masquerading or other kinds of Network
52	  Address Translation.  It can also be used to enhance packet
53	  filtering (see `Connection state match support' below).
54
55	  To compile it as a module, choose M here.  If unsure, say N.
56
57config NF_LOG_COMMON
58	tristate
59
60if NF_CONNTRACK
61
62config NF_CONNTRACK_MARK
63	bool  'Connection mark tracking support'
64	depends on NETFILTER_ADVANCED
65	help
66	  This option enables support for connection marks, used by the
67	  `CONNMARK' target and `connmark' match. Similar to the mark value
68	  of packets, but this mark value is kept in the conntrack session
69	  instead of the individual packets.
70
71config NF_CONNTRACK_SECMARK
72	bool  'Connection tracking security mark support'
73	depends on NETWORK_SECMARK
74	default m if NETFILTER_ADVANCED=n
75	help
76	  This option enables security markings to be applied to
77	  connections.  Typically they are copied to connections from
78	  packets using the CONNSECMARK target and copied back from
79	  connections to packets with the same target, with the packets
80	  being originally labeled via SECMARK.
81
82	  If unsure, say 'N'.
83
84config NF_CONNTRACK_ZONES
85	bool  'Connection tracking zones'
86	depends on NETFILTER_ADVANCED
87	depends on NETFILTER_XT_TARGET_CT
88	help
89	  This option enables support for connection tracking zones.
90	  Normally, each connection needs to have a unique system wide
91	  identity. Connection tracking zones allow you to have multiple
92	  connections using the same identity, as long as they are
93	  contained in different zones.
94
95	  If unsure, say `N'.
96
97config NF_CONNTRACK_PROCFS
98	bool "Supply CT list in procfs (OBSOLETE)"
99	default y
100	depends on PROC_FS
101	---help---
102	This option enables the list of known conntrack entries
103	to be shown in procfs under net/netfilter/nf_conntrack. This
104	is considered obsolete in favor of using the conntrack(8)
105	tool which uses Netlink.
106
107config NF_CONNTRACK_EVENTS
108	bool "Connection tracking events"
109	depends on NETFILTER_ADVANCED
110	help
111	  If this option is enabled, the connection tracking code will
112	  provide a notifier chain that can be used by other kernel code
113	  to get notified about changes in the connection tracking state.
114
115	  If unsure, say `N'.
116
117config NF_CONNTRACK_TIMEOUT
118	bool  'Connection tracking timeout'
119	depends on NETFILTER_ADVANCED
120	help
121	  This option enables support for connection tracking timeout
122	  extension. This allows you to attach timeout policies to flows
123	  via the CT target.
124
125	  If unsure, say `N'.
126
127config NF_CONNTRACK_TIMESTAMP
128	bool  'Connection tracking timestamping'
129	depends on NETFILTER_ADVANCED
130	help
131	  This option enables support for connection tracking timestamping.
132	  This allows you to store the flow start-time and to obtain
133	  the flow-stop time (once it has been destroyed) via Connection
134	  tracking events.
135
136	  If unsure, say `N'.
137
138config NF_CONNTRACK_LABELS
139	bool
140	help
141	  This option enables support for assigning user-defined flag bits
142	  to connection tracking entries.  It is selected by the connlabel match.
143
144config NF_CT_PROTO_DCCP
145	tristate 'DCCP protocol connection tracking support'
146	depends on NETFILTER_ADVANCED
147	default IP_DCCP
148	help
149	  With this option enabled, the layer 3 independent connection
150	  tracking code will be able to do state tracking on DCCP connections.
151
152	  If unsure, say 'N'.
153
154config NF_CT_PROTO_GRE
155	tristate
156
157config NF_CT_PROTO_SCTP
158	tristate 'SCTP protocol connection tracking support'
159	depends on NETFILTER_ADVANCED
160	default IP_SCTP
161	help
162	  With this option enabled, the layer 3 independent connection
163	  tracking code will be able to do state tracking on SCTP connections.
164
165	  If you want to compile it as a module, say M here and read
166	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
167
168config NF_CT_PROTO_UDPLITE
169	tristate 'UDP-Lite protocol connection tracking support'
170	depends on NETFILTER_ADVANCED
171	help
172	  With this option enabled, the layer 3 independent connection
173	  tracking code will be able to do state tracking on UDP-Lite
174	  connections.
175
176	  To compile it as a module, choose M here.  If unsure, say N.
177
178config NF_CONNTRACK_AMANDA
179	tristate "Amanda backup protocol support"
180	depends on NETFILTER_ADVANCED
181	select TEXTSEARCH
182	select TEXTSEARCH_KMP
183	help
184	  If you are running the Amanda backup package <http://www.amanda.org/>
185	  on this machine or machines that will be MASQUERADED through this
186	  machine, then you may want to enable this feature.  This allows the
187	  connection tracking and natting code to allow the sub-channels that
188	  Amanda requires for communication of the backup data, messages and
189	  index.
190
191	  To compile it as a module, choose M here.  If unsure, say N.
192
193config NF_CONNTRACK_FTP
194	tristate "FTP protocol support"
195	default m if NETFILTER_ADVANCED=n
196	help
197	  Tracking FTP connections is problematic: special helpers are
198	  required for tracking them, and doing masquerading and other forms
199	  of Network Address Translation on them.
200
201	  This is FTP support on Layer 3 independent connection tracking.
202	  Layer 3 independent connection tracking is an experimental scheme
203	  which generalizes ip_conntrack to support other layer 3 protocols.
204
205	  To compile it as a module, choose M here.  If unsure, say N.
206
207config NF_CONNTRACK_H323
208	tristate "H.323 protocol support"
209	depends on IPV6 || IPV6=n
210	depends on NETFILTER_ADVANCED
211	help
212	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
213	  important VoIP protocols, it is widely used by voice hardware and
214	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
215	  Gnomemeeting, etc.
216
217	  With this module you can support H.323 on a connection tracking/NAT
218	  firewall.
219
220	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
221	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
222	  whiteboard, file transfer, etc. For more information, please
223	  visit http://nath323.sourceforge.net/.
224
225	  To compile it as a module, choose M here.  If unsure, say N.
226
227config NF_CONNTRACK_IRC
228	tristate "IRC protocol support"
229	default m if NETFILTER_ADVANCED=n
230	help
231	  There is a commonly-used extension to IRC called
232	  Direct Client-to-Client Protocol (DCC).  This enables users to send
233	  files to each other, and also chat to each other without the need
234	  of a server.  DCC Sending is used anywhere you send files over IRC,
235	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
236	  using NAT, this extension will enable you to send files and initiate
237	  chats.  Note that you do NOT need this extension to get files or
238	  have others initiate chats, or everything else in IRC.
239
240	  To compile it as a module, choose M here.  If unsure, say N.
241
242config NF_CONNTRACK_BROADCAST
243	tristate
244
245config NF_CONNTRACK_NETBIOS_NS
246	tristate "NetBIOS name service protocol support"
247	select NF_CONNTRACK_BROADCAST
248	help
249	  NetBIOS name service requests are sent as broadcast messages from an
250	  unprivileged port and responded to with unicast messages to the
251	  same port. This makes them hard to firewall properly because connection
252	  tracking doesn't deal with broadcasts. This helper tracks locally
253	  originating NetBIOS name service requests and the corresponding
254	  responses. It relies on correct IP address configuration, specifically
255	  netmask and broadcast address. When properly configured, the output
256	  of "ip address show" should look similar to this:
257
258	  $ ip -4 address show eth0
259	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
260	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
261
262	  To compile it as a module, choose M here.  If unsure, say N.
263
264config NF_CONNTRACK_SNMP
265	tristate "SNMP service protocol support"
266	depends on NETFILTER_ADVANCED
267	select NF_CONNTRACK_BROADCAST
268	help
269	  SNMP service requests are sent as broadcast messages from an
270	  unprivileged port and responded to with unicast messages to the
271	  same port. This makes them hard to firewall properly because connection
272	  tracking doesn't deal with broadcasts. This helper tracks locally
273	  originating SNMP service requests and the corresponding
274	  responses. It relies on correct IP address configuration, specifically
275	  netmask and broadcast address.
276
277	  To compile it as a module, choose M here.  If unsure, say N.
278
279config NF_CONNTRACK_PPTP
280	tristate "PPtP protocol support"
281	depends on NETFILTER_ADVANCED
282	select NF_CT_PROTO_GRE
283	help
284	  This module adds support for PPTP (Point to Point Tunnelling
285	  Protocol, RFC2637) connection tracking and NAT.
286
287	  If you are running PPTP sessions over a stateful firewall or NAT
288	  box, you may want to enable this feature.
289
290	  Please note that not all PPTP modes of operation are supported yet.
291	  Specifically these limitations exist:
292	    - Blindly assumes that control connections are always established
293	      in PNS->PAC direction. This is a violation of RFC2637.
294	    - Only supports a single call within each session
295
296	  To compile it as a module, choose M here.  If unsure, say N.
297
298config NF_CONNTRACK_SANE
299	tristate "SANE protocol support"
300	depends on NETFILTER_ADVANCED
301	help
302	  SANE is a protocol for remote access to scanners as implemented
303	  by the 'saned' daemon. Like FTP, it uses separate control and
304	  data connections.
305
306	  With this module you can support SANE on a connection tracking
307	  firewall.
308
309	  To compile it as a module, choose M here.  If unsure, say N.
310
311config NF_CONNTRACK_SIP
312	tristate "SIP protocol support"
313	default m if NETFILTER_ADVANCED=n
314	help
315	  SIP is an application-layer control protocol that can establish,
316	  modify, and terminate multimedia sessions (conferences) such as
317	  Internet telephony calls. With the ip_conntrack_sip and
318	  the nf_nat_sip modules you can support the protocol on a connection
319	  tracking/NATing firewall.
320
321	  To compile it as a module, choose M here.  If unsure, say N.
322
323config NF_CONNTRACK_TFTP
324	tristate "TFTP protocol support"
325	depends on NETFILTER_ADVANCED
326	help
327	  TFTP connection tracking helper; whether this is required depends
328	  on how restrictive your ruleset is.
329	  If you are using a tftp client behind -j SNAT or -j MASQUERADING
330	  you will need this.
331
332	  To compile it as a module, choose M here.  If unsure, say N.
333
334config NF_CT_NETLINK
335	tristate 'Connection tracking netlink interface'
336	select NETFILTER_NETLINK
337	default m if NETFILTER_ADVANCED=n
338	help
339	  This option enables support for a netlink-based userspace interface.
340
341config NF_CT_NETLINK_TIMEOUT
342	tristate  'Connection tracking timeout tuning via Netlink'
343	select NETFILTER_NETLINK
344	depends on NETFILTER_ADVANCED
345	help
346	  This option enables support for connection tracking timeout
347	  fine-grain tuning. This allows you to attach specific timeout
348	  policies to flows, instead of using the global timeout policy.
349
350	  If unsure, say `N'.
351
352config NF_CT_NETLINK_HELPER
353	tristate 'Connection tracking helpers in user-space via Netlink'
354	select NETFILTER_NETLINK
355	depends on NF_CT_NETLINK
356	depends on NETFILTER_NETLINK_QUEUE
357	depends on NETFILTER_NETLINK_GLUE_CT
358	depends on NETFILTER_ADVANCED
359	help
360	  This option enables the user-space connection tracking helpers
361	  infrastructure.
362
363	  If unsure, say `N'.
364
365config NETFILTER_NETLINK_GLUE_CT
366	bool "NFQUEUE and NFLOG integration with Connection Tracking"
367	default n
368	depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
369	help
370	  If this option is enabled, NFQUEUE and NFLOG can include
371	  Connection Tracking information together with the packet that is
372	  enqueued via NFNETLINK.
373
374config NF_NAT
375	tristate
376
377config NF_NAT_NEEDED
378	bool
379	depends on NF_NAT
380	default y
381
382config NF_NAT_PROTO_DCCP
383	tristate
384	depends on NF_NAT && NF_CT_PROTO_DCCP
385	default NF_NAT && NF_CT_PROTO_DCCP
386
387config NF_NAT_PROTO_UDPLITE
388	tristate
389	depends on NF_NAT && NF_CT_PROTO_UDPLITE
390	default NF_NAT && NF_CT_PROTO_UDPLITE
391
392config NF_NAT_PROTO_SCTP
393	tristate
394	default NF_NAT && NF_CT_PROTO_SCTP
395	depends on NF_NAT && NF_CT_PROTO_SCTP
396	select LIBCRC32C
397
398config NF_NAT_AMANDA
399	tristate
400	depends on NF_CONNTRACK && NF_NAT
401	default NF_NAT && NF_CONNTRACK_AMANDA
402
403config NF_NAT_FTP
404	tristate
405	depends on NF_CONNTRACK && NF_NAT
406	default NF_NAT && NF_CONNTRACK_FTP
407
408config NF_NAT_IRC
409	tristate
410	depends on NF_CONNTRACK && NF_NAT
411	default NF_NAT && NF_CONNTRACK_IRC
412
413config NF_NAT_SIP
414	tristate
415	depends on NF_CONNTRACK && NF_NAT
416	default NF_NAT && NF_CONNTRACK_SIP
417
418config NF_NAT_TFTP
419	tristate
420	depends on NF_CONNTRACK && NF_NAT
421	default NF_NAT && NF_CONNTRACK_TFTP
422
423config NF_NAT_REDIRECT
424	tristate "IPv4/IPv6 redirect support"
425	depends on NF_NAT
426	help
427	  This is the kernel functionality to redirect packets to the local
428	  machine through NAT.
429
430config NETFILTER_SYNPROXY
431	tristate
432
433endif # NF_CONNTRACK
434
435config NF_TABLES
436	select NETFILTER_NETLINK
437	tristate "Netfilter nf_tables support"
438	help
439	  nftables is the new packet classification framework that intends to
440	  replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
441	  provides a pseudo-state machine with an extensible instruction-set
442	  (also known as expressions) that the userspace 'nft' utility
443	  (http://www.netfilter.org/projects/nftables) uses to build the
444	  rule-set. It also comes with the generic set infrastructure that
445	  allows you to construct mappings between matchings and actions
446	  for performance lookups.
447
448	  To compile it as a module, choose M here.
449
450if NF_TABLES
451
452config NF_TABLES_INET
453	depends on IPV6
454	select NF_TABLES_IPV4
455	select NF_TABLES_IPV6
456	tristate "Netfilter nf_tables mixed IPv4/IPv6 tables support"
457	help
458	  This option enables support for a mixed IPv4/IPv6 "inet" table.
459
460config NF_TABLES_NETDEV
461	tristate "Netfilter nf_tables netdev tables support"
462	help
463	  This option enables support for the "netdev" table.
464
465config NFT_EXTHDR
466	tristate "Netfilter nf_tables IPv6 exthdr module"
467	help
468	  This option adds the "exthdr" expression that you can use to match
469	  IPv6 extension headers.
470
471config NFT_META
472	tristate "Netfilter nf_tables meta module"
473	help
474	  This option adds the "meta" expression that you can use to match and
475	  to set packet metainformation such as the packet mark.
476
477config NFT_CT
478	depends on NF_CONNTRACK
479	tristate "Netfilter nf_tables conntrack module"
480	help
481	  This option adds the "ct" expression that you can use to match
482	  connection tracking information such as the flow state.
483
484config NFT_RBTREE
485	tristate "Netfilter nf_tables rbtree set module"
486	help
487	  This option adds the "rbtree" set type (Red Black tree) that is used
488	  to build interval-based sets.
489
490config NFT_HASH
491	tristate "Netfilter nf_tables hash set module"
492	help
493	  This option adds the "hash" set type that is used to build one-way
494	  mappings between matchings and actions.
495
496config NFT_COUNTER
497	tristate "Netfilter nf_tables counter module"
498	help
499	  This option adds the "counter" expression that you can use to
500	  include packet and byte counters in a rule.
501
502config NFT_LOG
503	tristate "Netfilter nf_tables log module"
504	help
505	  This option adds the "log" expression that you can use to log
506	  packets matching some criteria.
507
508config NFT_LIMIT
509	tristate "Netfilter nf_tables limit module"
510	help
511	  This option adds the "limit" expression that you can use to
512	  ratelimit rule matchings.
513
514config NFT_MASQ
515	depends on NF_CONNTRACK
516	depends on NF_NAT
517	tristate "Netfilter nf_tables masquerade support"
518	help
519	  This option adds the "masquerade" expression that you can use
520	  to perform NAT in the masquerade flavour.
521
522config NFT_REDIR
523	depends on NF_CONNTRACK
524	depends on NF_NAT
525	tristate "Netfilter nf_tables redirect support"
526	help
527	  This option adds the "redirect" expression that you can use
528	  to perform NAT in the redirect flavour.
529
530config NFT_NAT
531	depends on NF_CONNTRACK
532	select NF_NAT
533	tristate "Netfilter nf_tables nat module"
534	help
535	  This option adds the "nat" expression that you can use to perform
536	  typical Network Address Translation (NAT) packet transformations.
537
538config NFT_QUEUE
539	depends on NETFILTER_NETLINK_QUEUE
540	tristate "Netfilter nf_tables queue module"
541	help
542	  This is required if you intend to use the userspace queueing
543	  infrastructure (also known as NFQUEUE) from nftables.
544
545config NFT_REJECT
546	default m if NETFILTER_ADVANCED=n
547	tristate "Netfilter nf_tables reject support"
548	help
549	  This option adds the "reject" expression that you can use to
550	  explicitly deny disallowed traffic and notify the sender via
551	  TCP reset/ICMP informational errors.
552
553config NFT_REJECT_INET
554	depends on NF_TABLES_INET
555	default NFT_REJECT
556	tristate
557
558config NFT_COMPAT
559	depends on NETFILTER_XTABLES
560	tristate "Netfilter x_tables over nf_tables module"
561	help
562	  This is required if you intend to use any of the existing
563	  x_tables match/target extensions over the nf_tables
564	  framework.
565
566if NF_TABLES_NETDEV
567
568config NF_DUP_NETDEV
569	tristate "Netfilter packet duplication support"
570	help
571	  This option enables the generic packet duplication infrastructure
572	  for Netfilter.
573
574config NFT_DUP_NETDEV
575	tristate "Netfilter nf_tables netdev packet duplication support"
576	select NF_DUP_NETDEV
577	help
578	  This option enables packet duplication for the "netdev" family.
579
580config NFT_FWD_NETDEV
581	tristate "Netfilter nf_tables netdev packet forwarding support"
582	select NF_DUP_NETDEV
583	help
584	  This option enables packet forwarding for the "netdev" family.
585
586endif # NF_TABLES_NETDEV
587
588endif # NF_TABLES
589
590config NETFILTER_XTABLES
591	tristate "Netfilter Xtables support (required for ip_tables)"
592	default m if NETFILTER_ADVANCED=n
593	help
594	  This is required if you intend to use any of ip_tables,
595	  ip6_tables or arp_tables.
596
597if NETFILTER_XTABLES
598
599comment "Xtables combined modules"
600
601config NETFILTER_XT_MARK
602	tristate 'nfmark target and match support'
603	default m if NETFILTER_ADVANCED=n
604	---help---
605	This option adds the "MARK" target and "mark" match.
606
607	Netfilter mark matching allows you to match packets based on the
608	"nfmark" value in the packet.
609	The target allows you to create rules in the "mangle" table which alter
610	the netfilter mark (nfmark) field associated with the packet.
611
612	Prior to routing, the nfmark can influence the routing method and can
613	also be used by other subsystems to change their behavior.
614
615config NETFILTER_XT_CONNMARK
616	tristate 'ctmark target and match support'
617	depends on NF_CONNTRACK
618	depends on NETFILTER_ADVANCED
619	select NF_CONNTRACK_MARK
620	---help---
621	This option adds the "CONNMARK" target and "connmark" match.
622
623	Netfilter allows you to store a mark value per connection (a.k.a.
624	ctmark), similarly to the packet mark (nfmark). Using this
625	target and match, you can set and match on this mark.
626
627config NETFILTER_XT_SET
628	tristate 'set target and match support'
629	depends on IP_SET
630	depends on NETFILTER_ADVANCED
631	help
632	  This option adds the "SET" target and "set" match.
633
634	  Using this target and match, you can add/delete and match
635	  elements in the sets created by ipset(8).
636
637	  To compile it as a module, choose M here.  If unsure, say N.
638
639# alphabetically ordered list of targets
640
641comment "Xtables targets"
642
643config NETFILTER_XT_TARGET_AUDIT
644	tristate "AUDIT target support"
645	depends on AUDIT
646	depends on NETFILTER_ADVANCED
647	---help---
648	  This option adds an 'AUDIT' target, which can be used to create
649	  audit records for packets dropped/accepted.
650
651	  To compile it as a module, choose M here. If unsure, say N.
652
653config NETFILTER_XT_TARGET_CHECKSUM
654	tristate "CHECKSUM target support"
655	depends on IP_NF_MANGLE || IP6_NF_MANGLE
656	depends on NETFILTER_ADVANCED
657	---help---
658	  This option adds a `CHECKSUM' target, which can be used in the iptables mangle
659	  table.
660
661	  You can use this target to compute and fill in the checksum in
662	  a packet that lacks a checksum.  This is particularly useful,
663	  if you need to work around old applications such as dhcp clients,
664	  that do not work well with checksum offloads, but don't want to disable
665	  checksum offload in your device.
666
667	  To compile it as a module, choose M here.  If unsure, say N.
668
669config NETFILTER_XT_TARGET_CLASSIFY
670	tristate '"CLASSIFY" target support'
671	depends on NETFILTER_ADVANCED
672	help
673	  This option adds a `CLASSIFY' target, which enables the user to set
674	  the priority of a packet. Some qdiscs can use this value for
675	  classification, among these are:
676
677	  atm, cbq, dsmark, pfifo_fast, htb, prio
678
679	  To compile it as a module, choose M here.  If unsure, say N.
680
681config NETFILTER_XT_TARGET_CONNMARK
682	tristate  '"CONNMARK" target support'
683	depends on NF_CONNTRACK
684	depends on NETFILTER_ADVANCED
685	select NETFILTER_XT_CONNMARK
686	---help---
687	This is a backwards-compat option for the user's convenience
688	(e.g. when running oldconfig). It selects
689	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
690
691config NETFILTER_XT_TARGET_CONNSECMARK
692	tristate '"CONNSECMARK" target support'
693	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
694	default m if NETFILTER_ADVANCED=n
695	help
696	  The CONNSECMARK target copies security markings from packets
697	  to connections, and restores security markings from connections
698	  to packets (if the packets are not already marked).  This would
699	  normally be used in conjunction with the SECMARK target.
700
701	  To compile it as a module, choose M here.  If unsure, say N.
702
703config NETFILTER_XT_TARGET_CT
704	tristate '"CT" target support'
705	depends on NF_CONNTRACK
706	depends on IP_NF_RAW || IP6_NF_RAW
707	depends on NETFILTER_ADVANCED
708	help
709	  This option adds a `CT' target, which allows you to specify initial
710	  connection tracking parameters like events to be delivered and
711	  the helper to be used.
712
713	  To compile it as a module, choose M here.  If unsure, say N.
714
715config NETFILTER_XT_TARGET_DSCP
716	tristate '"DSCP" and "TOS" target support'
717	depends on IP_NF_MANGLE || IP6_NF_MANGLE
718	depends on NETFILTER_ADVANCED
719	help
720	  This option adds a `DSCP' target, which allows you to manipulate
721	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
722
723	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
724
725	  It also adds the "TOS" target, which allows you to create rules in
726	  the "mangle" table which alter the Type Of Service field of an IPv4
727	  or the Priority field of an IPv6 packet, prior to routing.
728
729	  To compile it as a module, choose M here.  If unsure, say N.
730
731config NETFILTER_XT_TARGET_HL
732	tristate '"HL" hoplimit target support'
733	depends on IP_NF_MANGLE || IP6_NF_MANGLE
734	depends on NETFILTER_ADVANCED
735	---help---
736	This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
737	targets, which enable the user to change the
738	hoplimit/time-to-live value of the IP header.
739
740	While it is safe to decrement the hoplimit/TTL value, the
741	modules also allow you to increment and set the hoplimit value of
742	the header to arbitrary values. This is EXTREMELY DANGEROUS
743	since you can easily create immortal packets that loop
744	forever on the network.
745
746config NETFILTER_XT_TARGET_HMARK
747	tristate '"HMARK" target support'
748	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
749	depends on NETFILTER_ADVANCED
750	---help---
751	This option adds the "HMARK" target.
752
753	The target allows you to create rules in the "raw" and "mangle" tables
754	which set the skbuff mark by means of hash calculation within a given
755	range. The nfmark can influence the routing method and can also be used
756	by other subsystems to change their behaviour.
757
758	To compile it as a module, choose M here. If unsure, say N.
759
760config NETFILTER_XT_TARGET_IDLETIMER
761	tristate  "IDLETIMER target support"
762	depends on NETFILTER_ADVANCED
763	help
764
765	  This option adds the `IDLETIMER' target.  Each matching packet
766	  resets the timer associated with label specified when the rule is
767	  added.  When the timer expires, it triggers a sysfs notification.
768	  The remaining time for expiration can be read via sysfs.
769
770	  To compile it as a module, choose M here.  If unsure, say N.
771
772config NETFILTER_XT_TARGET_LED
773	tristate '"LED" target support'
774	depends on LEDS_CLASS && LEDS_TRIGGERS
775	depends on NETFILTER_ADVANCED
776	help
777	  This option adds a `LED' target, which allows you to blink LEDs in
778	  response to particular packets passing through your machine.
779
780	  This can be used to turn a spare LED into a network activity LED,
781	  which only flashes in response to FTP transfers, for example.  Or
782	  you could have an LED which lights up for a minute or two every time
783	  somebody connects to your machine via SSH.
784
785	  You will need support for the "led" class to make this work.
786
787	  To create an LED trigger for incoming SSH traffic:
788	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
789
790	  Then attach the new trigger to an LED on your system:
791	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
792
793	  For more information on the LEDs available on your system, see
794	  Documentation/leds/leds-class.txt
795
796config NETFILTER_XT_TARGET_LOG
797	tristate "LOG target support"
798	select NF_LOG_COMMON
799	select NF_LOG_IPV4
800	select NF_LOG_IPV6 if IPV6
801	default m if NETFILTER_ADVANCED=n
802	help
803	  This option adds a `LOG' target, which allows you to create rules in
804	  any iptables table which records the packet header to the syslog.
805
806	  To compile it as a module, choose M here.  If unsure, say N.
807
808config NETFILTER_XT_TARGET_MARK
809	tristate '"MARK" target support'
810	depends on NETFILTER_ADVANCED
811	select NETFILTER_XT_MARK
812	---help---
813	This is a backwards-compat option for the user's convenience
814	(e.g. when running oldconfig). It selects
815	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
816
817config NETFILTER_XT_NAT
818	tristate '"SNAT and DNAT" targets support'
819	depends on NF_NAT
820	---help---
821	This option enables the SNAT and DNAT targets.
822
823	To compile it as a module, choose M here. If unsure, say N.
824
825config NETFILTER_XT_TARGET_NETMAP
826	tristate '"NETMAP" target support'
827	depends on NF_NAT
828	---help---
829	NETMAP is an implementation of static 1:1 NAT mapping of network
830	addresses. It maps the network address part, while keeping the host
831	address part intact.
832
833	To compile it as a module, choose M here. If unsure, say N.
834
835config NETFILTER_XT_TARGET_NFLOG
836	tristate '"NFLOG" target support'
837	default m if NETFILTER_ADVANCED=n
838	select NETFILTER_NETLINK_LOG
839	help
840	  This option enables the NFLOG target, which allows you to log
841	  messages through nfnetlink_log.
842
843	  To compile it as a module, choose M here.  If unsure, say N.
844
845config NETFILTER_XT_TARGET_NFQUEUE
846	tristate '"NFQUEUE" target support'
847	depends on NETFILTER_ADVANCED
848	select NETFILTER_NETLINK_QUEUE
849	help
850	  This target replaces the old, obsolete QUEUE target.
851
852	  As opposed to QUEUE, it supports 65535 different queues,
853	  not just one.
854
855	  To compile it as a module, choose M here.  If unsure, say N.
856
857config NETFILTER_XT_TARGET_NOTRACK
858	tristate  '"NOTRACK" target support (DEPRECATED)'
859	depends on NF_CONNTRACK
860	depends on IP_NF_RAW || IP6_NF_RAW
861	depends on NETFILTER_ADVANCED
862	select NETFILTER_XT_TARGET_CT
863
864config NETFILTER_XT_TARGET_RATEEST
865	tristate '"RATEEST" target support'
866	depends on NETFILTER_ADVANCED
867	help
868	  This option adds a `RATEEST' target, which allows you to measure
869	  rates similar to TC estimators. The `rateest' match can be
870	  used to match on the measured rates.
871
872	  To compile it as a module, choose M here.  If unsure, say N.
873
874config NETFILTER_XT_TARGET_REDIRECT
875	tristate "REDIRECT target support"
876	depends on NF_NAT
877	select NF_NAT_REDIRECT
878	---help---
879	REDIRECT is a special case of NAT: all incoming connections are
880	mapped onto the incoming interface's address, causing the packets to
881	come to the local machine instead of passing through. This is
882	useful for transparent proxies.
883
884	To compile it as a module, choose M here. If unsure, say N.
885
886config NETFILTER_XT_TARGET_TEE
887	tristate '"TEE" - packet cloning to alternate destination'
888	depends on NETFILTER_ADVANCED
889	depends on IPV6 || IPV6=n
890	depends on !NF_CONNTRACK || NF_CONNTRACK
891	select NF_DUP_IPV4
892	select NF_DUP_IPV6 if IPV6
893	---help---
894	This option adds a "TEE" target with which a packet can be cloned and
895	this clone be rerouted to another nexthop.
896
897config NETFILTER_XT_TARGET_TPROXY
898	tristate '"TPROXY" target transparent proxying support'
899	depends on NETFILTER_XTABLES
900	depends on NETFILTER_ADVANCED
901	depends on IPV6 || IPV6=n
902	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
903	depends on IP_NF_MANGLE
904	select NF_DEFRAG_IPV4
905	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
906	help
907	  This option adds a `TPROXY' target, which is somewhat similar to
908	  REDIRECT.  It can only be used in the mangle table and is useful
909	  to redirect traffic to a transparent proxy.  It does _not_ depend
910	  on Netfilter connection tracking and NAT, unlike REDIRECT.
911	  For it to work you will have to configure certain iptables rules
912	  and use policy routing. For more information on how to set it up
913	  see Documentation/networking/tproxy.txt.
914
915	  To compile it as a module, choose M here.  If unsure, say N.
916
917config NETFILTER_XT_TARGET_TRACE
918	tristate  '"TRACE" target support'
919	depends on IP_NF_RAW || IP6_NF_RAW
920	depends on NETFILTER_ADVANCED
921	help
922	  The TRACE target allows you to mark packets so that the kernel
923	  will log every rule that matches the packets as they traverse
924	  the tables, chains and rules.
925
926	  If you want to compile it as a module, say M here and read
927	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
928
929config NETFILTER_XT_TARGET_SECMARK
930	tristate '"SECMARK" target support'
931	depends on NETWORK_SECMARK
932	default m if NETFILTER_ADVANCED=n
933	help
934	  The SECMARK target allows security marking of network
935	  packets, for use with security subsystems.
936
937	  To compile it as a module, choose M here.  If unsure, say N.
938
939config NETFILTER_XT_TARGET_TCPMSS
940	tristate '"TCPMSS" target support'
941	depends on IPV6 || IPV6=n
942	default m if NETFILTER_ADVANCED=n
943	---help---
944	  This option adds a `TCPMSS' target, which allows you to alter the
945	  MSS value of TCP SYN packets, to control the maximum size for that
946	  connection (usually limiting it to your outgoing interface's MTU
947	  minus 40).
948
949	  This is used to overcome criminally braindead ISPs or servers which
950	  block ICMP Fragmentation Needed packets.  The symptoms of this
951	  problem are that everything works fine from your Linux
952	  firewall/router, but machines behind it can never exchange large
953	  packets:
954	        1) Web browsers connect, then hang with no data received.
955	        2) Small mail works fine, but large emails hang.
956	        3) ssh works fine, but scp hangs after initial handshaking.
957
958	  Workaround: activate this option and add a rule to your firewall
959	  configuration like:
960
961	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
962	                 -j TCPMSS --clamp-mss-to-pmtu
963
964	  To compile it as a module, choose M here.  If unsure, say N.
965
966config NETFILTER_XT_TARGET_TCPOPTSTRIP
967	tristate '"TCPOPTSTRIP" target support'
968	depends on IP_NF_MANGLE || IP6_NF_MANGLE
969	depends on NETFILTER_ADVANCED
970	help
971	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
972	  TCP options from TCP packets.
973
974# alphabetically ordered list of matches
975
976comment "Xtables matches"
977
978config NETFILTER_XT_MATCH_ADDRTYPE
979	tristate '"addrtype" address type match support'
980	default m if NETFILTER_ADVANCED=n
981	---help---
982	  This option allows you to match what routing thinks of an address,
983	  eg. UNICAST, LOCAL, BROADCAST, ...
984
985	  If you want to compile it as a module, say M here and read
986	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
987
988config NETFILTER_XT_MATCH_BPF
989	tristate '"bpf" match support'
990	depends on NETFILTER_ADVANCED
991	help
992	  BPF matching applies a Linux socket filter to each packet and
993	  accepts those for which the filter returns non-zero.
994
995	  To compile it as a module, choose M here.  If unsure, say N.
996
997config NETFILTER_XT_MATCH_CGROUP
998	tristate '"control group" match support'
999	depends on NETFILTER_ADVANCED
1000	depends on CGROUPS
1001	select CGROUP_NET_CLASSID
1002	---help---
1003	Socket/process control group matching allows you to match locally
1004	generated packets based on which net_cls control group processes
1005	belong to.
1006
1007config NETFILTER_XT_MATCH_CLUSTER
1008	tristate '"cluster" match support'
1009	depends on NF_CONNTRACK
1010	depends on NETFILTER_ADVANCED
1011	---help---
1012	  This option allows you to build work-load-sharing clusters of
1013	  network servers/stateful firewalls without having a dedicated
1014	  load-balancing router/server/switch. Basically, this match returns
1015	  true when the packet must be handled by this cluster node. Thus,
1016	  all nodes see all packets and this match decides which node handles
1017	  what packets. The work-load sharing algorithm is based on source
1018	  address hashing.
1019
1020	  If you say Y or M here, try `iptables -m cluster --help` for
1021	  more information.
1022
1023config NETFILTER_XT_MATCH_COMMENT
1024	tristate  '"comment" match support'
1025	depends on NETFILTER_ADVANCED
1026	help
1027	  This option adds a `comment' dummy-match, which allows you to put
1028	  comments in your iptables ruleset.
1029
1030	  If you want to compile it as a module, say M here and read
1031	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1032
1033config NETFILTER_XT_MATCH_CONNBYTES
1034	tristate  '"connbytes" per-connection counter match support'
1035	depends on NF_CONNTRACK
1036	depends on NETFILTER_ADVANCED
1037	help
1038	  This option adds a `connbytes' match, which allows you to match the
1039	  number of bytes and/or packets for each direction within a connection.
1040
1041	  If you want to compile it as a module, say M here and read
1042	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1043
1044config NETFILTER_XT_MATCH_CONNLABEL
1045	tristate '"connlabel" match support'
1046	select NF_CONNTRACK_LABELS
1047	depends on NF_CONNTRACK
1048	depends on NETFILTER_ADVANCED
1049	---help---
1050	  This match allows you to test and assign userspace-defined label names
1051	  to a connection.  The kernel only stores bit values - mapping
1052	  names to bits is done by userspace.
1053
1054	  Unlike connmark, more than 32 flag bits may be assigned to a
1055	  connection simultaneously.
1056
1057config NETFILTER_XT_MATCH_CONNLIMIT
1058	tristate '"connlimit" match support'
1059	depends on NF_CONNTRACK
1060	depends on NETFILTER_ADVANCED
1061	---help---
1062	  This match allows you to match against the number of parallel
1063	  connections to a server per client IP address (or address block).
1064
1065config NETFILTER_XT_MATCH_CONNMARK
1066	tristate  '"connmark" connection mark match support'
1067	depends on NF_CONNTRACK
1068	depends on NETFILTER_ADVANCED
1069	select NETFILTER_XT_CONNMARK
1070	---help---
1071	This is a backwards-compat option for the user's convenience
1072	(e.g. when running oldconfig). It selects
1073	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
1074
1075config NETFILTER_XT_MATCH_CONNTRACK
1076	tristate '"conntrack" connection tracking match support'
1077	depends on NF_CONNTRACK
1078	default m if NETFILTER_ADVANCED=n
1079	help
1080	  This is a general conntrack match module, a superset of the state match.
1081
1082	  It allows matching on additional conntrack information, which is
1083	  useful in complex configurations, such as NAT gateways with multiple
1084	  internet links or tunnels.
1085
1086	  To compile it as a module, choose M here.  If unsure, say N.
1087
1088config NETFILTER_XT_MATCH_CPU
1089	tristate '"cpu" match support'
1090	depends on NETFILTER_ADVANCED
1091	help
1092	  CPU matching allows you to match packets based on the CPU
1093	  currently handling the packet.
1094
1095	  To compile it as a module, choose M here.  If unsure, say N.
1096
1097config NETFILTER_XT_MATCH_DCCP
1098	tristate '"dccp" protocol match support'
1099	depends on NETFILTER_ADVANCED
1100	default IP_DCCP
1101	help
1102	  With this option enabled, you will be able to use the iptables
1103	  `dccp' match in order to match on DCCP source/destination ports
1104	  and DCCP flags.
1105
1106	  If you want to compile it as a module, say M here and read
1107	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1108
1109config NETFILTER_XT_MATCH_DEVGROUP
1110	tristate '"devgroup" match support'
1111	depends on NETFILTER_ADVANCED
1112	help
1113	  This option adds a `devgroup' match, which allows you to match on the
1114	  device group a network device is assigned to.
1115
1116	  To compile it as a module, choose M here.  If unsure, say N.
1117
1118config NETFILTER_XT_MATCH_DSCP
1119	tristate '"dscp" and "tos" match support'
1120	depends on NETFILTER_ADVANCED
1121	help
1122	  This option adds a `DSCP' match, which allows you to match against
1123	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
1124
1125	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
1126
1127	  It will also add a "tos" match, which allows you to match packets
1128	  based on the Type Of Service fields of the IPv4 packet (which share
1129	  the same bits as DSCP).
1130
1131	  To compile it as a module, choose M here.  If unsure, say N.
1132
1133config NETFILTER_XT_MATCH_ECN
1134	tristate '"ecn" match support'
1135	depends on NETFILTER_ADVANCED
1136	---help---
1137	This option adds an "ECN" match, which allows you to match against
1138	the IPv4 and TCP header ECN fields.
1139
1140	To compile it as a module, choose M here. If unsure, say N.
1141
1142config NETFILTER_XT_MATCH_ESP
1143	tristate '"esp" match support'
1144	depends on NETFILTER_ADVANCED
1145	help
1146	  This match extension allows you to match a range of SPIs
1147	  inside the ESP header of IPsec packets.
1148
1149	  To compile it as a module, choose M here.  If unsure, say N.
1150
1151config NETFILTER_XT_MATCH_HASHLIMIT
1152	tristate '"hashlimit" match support'
1153	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1154	depends on NETFILTER_ADVANCED
1155	help
1156	  This option adds a `hashlimit' match.
1157
1158	  As opposed to `limit', this match dynamically creates a hash table
1159	  of limit buckets, based on your selection of source/destination
1160	  addresses and/or ports.
1161
1162	  It enables you to express policies like `10kpps for any given
1163	  destination address' or `500pps from any given source address'
1164	  with a single rule.
1165
1166config NETFILTER_XT_MATCH_HELPER
1167	tristate '"helper" match support'
1168	depends on NF_CONNTRACK
1169	depends on NETFILTER_ADVANCED
1170	help
1171	  Helper matching allows you to match packets in dynamic connections
1172	  tracked by a conntrack helper, e.g. ip_conntrack_ftp.
1173
1174	  To compile it as a module, choose M here.  If unsure, say Y.
1175
1176config NETFILTER_XT_MATCH_HL
1177	tristate '"hl" hoplimit/TTL match support'
1178	depends on NETFILTER_ADVANCED
1179	---help---
1180	HL matching allows you to match packets based on the hoplimit
1181	in the IPv6 header, or the time-to-live field in the IPv4
1182	header of the packet.
1183
1184config NETFILTER_XT_MATCH_IPCOMP
1185	tristate '"ipcomp" match support'
1186	depends on NETFILTER_ADVANCED
1187	help
1188	  This match extension allows you to match a range of CPIs (16 bits)
1189	  inside the IPComp header of IPsec packets.
1190
1191	  To compile it as a module, choose M here.  If unsure, say N.
1192
1193config NETFILTER_XT_MATCH_IPRANGE
1194	tristate '"iprange" address range match support'
1195	depends on NETFILTER_ADVANCED
1196	---help---
1197	This option adds an "iprange" match, which allows you to match based on
1198	an IP address range. (Normal iptables only matches on single addresses
1199	with an optional mask.)
1200
1201	If unsure, say M.
1202
1203config NETFILTER_XT_MATCH_IPVS
1204	tristate '"ipvs" match support'
1205	depends on IP_VS
1206	depends on NETFILTER_ADVANCED
1207	depends on NF_CONNTRACK
1208	help
1209	  This option allows you to match against IPVS properties of a packet.
1210
1211	  If unsure, say N.
1212
1213config NETFILTER_XT_MATCH_L2TP
1214	tristate '"l2tp" match support'
1215	depends on NETFILTER_ADVANCED
1216	default L2TP
1217	---help---
1218	This option adds an "L2TP" match, which allows you to match against
1219	L2TP protocol header fields.
1220
1221	To compile it as a module, choose M here. If unsure, say N.
1222
1223config NETFILTER_XT_MATCH_LENGTH
1224	tristate '"length" match support'
1225	depends on NETFILTER_ADVANCED
1226	help
1227	  This option allows you to match the length of a packet against a
1228	  specific value or range of values.
1229
1230	  To compile it as a module, choose M here.  If unsure, say N.
1231
1232config NETFILTER_XT_MATCH_LIMIT
1233	tristate '"limit" match support'
1234	depends on NETFILTER_ADVANCED
1235	help
1236	  limit matching allows you to control the rate at which a rule can be
1237	  matched: mainly useful in combination with the LOG target ("LOG
1238	  target support", below) and to avoid some Denial of Service attacks.
1239
1240	  To compile it as a module, choose M here.  If unsure, say N.
1241
1242config NETFILTER_XT_MATCH_MAC
1243	tristate '"mac" address match support'
1244	depends on NETFILTER_ADVANCED
1245	help
1246	  MAC matching allows you to match packets based on the source
1247	  Ethernet address of the packet.
1248
1249	  To compile it as a module, choose M here.  If unsure, say N.
1250
1251config NETFILTER_XT_MATCH_MARK
1252	tristate '"mark" match support'
1253	depends on NETFILTER_ADVANCED
1254	select NETFILTER_XT_MARK
1255	---help---
1256	This is a backwards-compat option for the user's convenience
1257	(e.g. when running oldconfig). It selects
1258	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
1259
1260config NETFILTER_XT_MATCH_MULTIPORT
1261	tristate '"multiport" Multiple port match support'
1262	depends on NETFILTER_ADVANCED
1263	help
1264	  Multiport matching allows you to match TCP or UDP packets based on
1265	  a series of source or destination ports: normally a rule can only
1266	  match a single range of ports.
1267
1268	  To compile it as a module, choose M here.  If unsure, say N.
1269
1270config NETFILTER_XT_MATCH_NFACCT
1271	tristate '"nfacct" match support'
1272	depends on NETFILTER_ADVANCED
1273	select NETFILTER_NETLINK_ACCT
1274	help
1275	  This option allows you to use the extended accounting through
1276	  nfnetlink_acct.
1277
1278	  To compile it as a module, choose M here.  If unsure, say N.
1279
1280config NETFILTER_XT_MATCH_OSF
1281	tristate '"osf" Passive OS fingerprint match'
1282	depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
1283	help
1284	  This option selects the Passive OS Fingerprinting match module,
1285	  which allows you to passively match on the remote operating system by
1286	  analyzing incoming TCP SYN packets.
1287
1288	  Rules and loading software can be downloaded from
1289	  http://www.ioremap.net/projects/osf
1290
1291	  To compile it as a module, choose M here.  If unsure, say N.
1292
1293config NETFILTER_XT_MATCH_OWNER
1294	tristate '"owner" match support'
1295	depends on NETFILTER_ADVANCED
1296	---help---
1297	Socket owner matching allows you to match locally-generated packets
1298	based on who created the socket: the user or group. It is also
1299	possible to check whether a socket actually exists.
1300
1301config NETFILTER_XT_MATCH_POLICY
1302	tristate 'IPsec "policy" match support'
1303	depends on XFRM
1304	default m if NETFILTER_ADVANCED=n
1305	help
1306	  Policy matching allows you to match packets based on the
1307	  IPsec policy that was used during decapsulation/will
1308	  be used during encapsulation.
1309
1310	  To compile it as a module, choose M here.  If unsure, say N.
1311
1312config NETFILTER_XT_MATCH_PHYSDEV
1313	tristate '"physdev" match support'
1314	depends on BRIDGE && BRIDGE_NETFILTER
1315	depends on NETFILTER_ADVANCED
1316	help
1317	  Physdev packet matching matches against the physical bridge ports
1318	  the IP packet arrived on or will leave by.
1319
1320	  To compile it as a module, choose M here.  If unsure, say N.
1321
1322config NETFILTER_XT_MATCH_PKTTYPE
1323	tristate '"pkttype" packet type match support'
1324	depends on NETFILTER_ADVANCED
1325	help
1326	  Packet type matching allows you to match a packet by
1327	  its "class", eg. BROADCAST, MULTICAST, ...
1328
1329	  Typical usage:
1330	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
1331
1332	  To compile it as a module, choose M here.  If unsure, say N.
1333
1334config NETFILTER_XT_MATCH_QUOTA
1335	tristate '"quota" match support'
1336	depends on NETFILTER_ADVANCED
1337	help
1338	  This option adds a `quota' match, which allows you to match on a
1339	  byte counter.
1340
1341	  If you want to compile it as a module, say M here and read
1342	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1343
1344config NETFILTER_XT_MATCH_RATEEST
1345	tristate '"rateest" match support'
1346	depends on NETFILTER_ADVANCED
1347	select NETFILTER_XT_TARGET_RATEEST
1348	help
1349	  This option adds a `rateest' match, which allows you to match on the
1350	  rate estimated by the RATEEST target.
1351
1352	  To compile it as a module, choose M here.  If unsure, say N.
1353
1354config NETFILTER_XT_MATCH_REALM
1355	tristate  '"realm" match support'
1356	depends on NETFILTER_ADVANCED
1357	select IP_ROUTE_CLASSID
1358	help
1359	  This option adds a `realm' match, which allows you to use the realm
1360	  key from the routing subsystem inside iptables.
1361
1362	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
1363	  in tc world.
1364
1365	  If you want to compile it as a module, say M here and read
1366	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1367
1368config NETFILTER_XT_MATCH_RECENT
1369	tristate '"recent" match support'
1370	depends on NETFILTER_ADVANCED
1371	---help---
1372	This match is used for creating one or many lists of recently
1373	used addresses and then matching against that/those list(s).
1374
1375	Short options are available by using 'iptables -m recent -h'
1376	Official Website: <http://snowman.net/projects/ipt_recent/>
1377
1378config NETFILTER_XT_MATCH_SCTP
1379	tristate  '"sctp" protocol match support'
1380	depends on NETFILTER_ADVANCED
1381	default IP_SCTP
1382	help
1383	  With this option enabled, you will be able to use the
1384	  `sctp' match in order to match on SCTP source/destination ports
1385	  and SCTP chunk types.
1386
1387	  If you want to compile it as a module, say M here and read
1388	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1389
1390config NETFILTER_XT_MATCH_SOCKET
1391	tristate '"socket" match support'
1392	depends on NETFILTER_XTABLES
1393	depends on NETFILTER_ADVANCED
1394	depends on !NF_CONNTRACK || NF_CONNTRACK
1395	depends on IPV6 || IPV6=n
1396	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1397	select NF_DEFRAG_IPV4
1398	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1399	help
1400	  This option adds a `socket' match, which can be used to match
1401	  packets for which a TCP or UDP socket lookup finds a valid socket.
1402	  It can be used in combination with the MARK target and policy
1403	  routing to implement full featured non-locally bound sockets.
1404
1405	  To compile it as a module, choose M here.  If unsure, say N.
1406
1407config NETFILTER_XT_MATCH_STATE
1408	tristate '"state" match support'
1409	depends on NF_CONNTRACK
1410	default m if NETFILTER_ADVANCED=n
1411	help
1412	  Connection state matching allows you to match packets based on their
1413	  relationship to a tracked connection (i.e. previous packets).  This
1414	  is a powerful tool for packet classification.
1415
1416	  To compile it as a module, choose M here.  If unsure, say N.
1417
1418config NETFILTER_XT_MATCH_STATISTIC
1419	tristate '"statistic" match support'
1420	depends on NETFILTER_ADVANCED
1421	help
1422	  This option adds a `statistic' match, which allows you to match
1423	  on packets periodically or randomly with a given percentage.
1424
1425	  To compile it as a module, choose M here.  If unsure, say N.
1426
1427config NETFILTER_XT_MATCH_STRING
1428	tristate  '"string" match support'
1429	depends on NETFILTER_ADVANCED
1430	select TEXTSEARCH
1431	select TEXTSEARCH_KMP
1432	select TEXTSEARCH_BM
1433	select TEXTSEARCH_FSM
1434	help
1435	  This option adds a `string' match, which allows you to search for
1436	  patterns in packet payloads.
1437
1438	  To compile it as a module, choose M here.  If unsure, say N.
1439
1440config NETFILTER_XT_MATCH_TCPMSS
1441	tristate '"tcpmss" match support'
1442	depends on NETFILTER_ADVANCED
1443	help
1444	  This option adds a `tcpmss' match, which allows you to examine the
1445	  MSS value of TCP SYN packets, which control the maximum packet size
1446	  for that connection.
1447
1448	  To compile it as a module, choose M here.  If unsure, say N.
1449
1450config NETFILTER_XT_MATCH_TIME
1451	tristate '"time" match support'
1452	depends on NETFILTER_ADVANCED
1453	---help---
1454	  This option adds a "time" match, which allows you to match based on
1455	  the packet arrival time (at the machine on which netfilter is running)
1456	  or departure time/date (for locally generated packets).
1457
1458	  If you say Y here, try `iptables -m time --help` for
1459	  more information.
1460
1461	  If you want to compile it as a module, say M here.
1462	  If unsure, say N.
1463
1464config NETFILTER_XT_MATCH_U32
1465	tristate '"u32" match support'
1466	depends on NETFILTER_ADVANCED
1467	---help---
1468	  u32 allows you to extract quantities of up to 4 bytes from a packet,
1469	  AND them with specified masks, shift them by specified amounts and
1470	  test whether the results are in any of a set of specified ranges.
1471	  The specification of what to extract is general enough to skip over
1472	  headers with lengths stored in the packet, as in IP or TCP header
1473	  lengths.
1474
1475	  Details and examples are in the kernel module source.
1476
1477endif # NETFILTER_XTABLES
1478
1479endmenu
1480
1481source "net/netfilter/ipset/Kconfig"
1482
1483source "net/netfilter/ipvs/Kconfig"
1484