1menu "Core Netfilter Configuration" 2 depends on NET && INET && NETFILTER 3 4config NETFILTER_NETLINK 5 tristate 6 7config NETFILTER_NETLINK_ACCT 8tristate "Netfilter NFACCT over NFNETLINK interface" 9 depends on NETFILTER_ADVANCED 10 select NETFILTER_NETLINK 11 help 12 If this option is enabled, the kernel will include support 13 for extended accounting via NFNETLINK. 14 15config NETFILTER_NETLINK_QUEUE 16 tristate "Netfilter NFQUEUE over NFNETLINK interface" 17 depends on NETFILTER_ADVANCED 18 select NETFILTER_NETLINK 19 help 20 If this option is enabled, the kernel will include support 21 for queueing packets via NFNETLINK. 22 23config NETFILTER_NETLINK_LOG 24 tristate "Netfilter LOG over NFNETLINK interface" 25 default m if NETFILTER_ADVANCED=n 26 select NETFILTER_NETLINK 27 help 28 If this option is enabled, the kernel will include support 29 for logging packets via NFNETLINK. 30 31 This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms, 32 and is also scheduled to replace the old syslog-based ipt_LOG 33 and ip6t_LOG modules. 34 35config NF_CONNTRACK 36 tristate "Netfilter connection tracking support" 37 default m if NETFILTER_ADVANCED=n 38 help 39 Connection tracking keeps a record of what packets have passed 40 through your machine, in order to figure out how they are related 41 into connections. 42 43 This is required to do Masquerading or other kinds of Network 44 Address Translation. It can also be used to enhance packet 45 filtering (see `Connection state match support' below). 46 47 To compile it as a module, choose M here. If unsure, say N. 48 49if NF_CONNTRACK 50 51config NF_CONNTRACK_MARK 52 bool 'Connection mark tracking support' 53 depends on NETFILTER_ADVANCED 54 help 55 This option enables support for connection marks, used by the 56 `CONNMARK' target and `connmark' match. Similar to the mark value 57 of packets, but this mark value is kept in the conntrack session 58 instead of the individual packets. 
59 60config NF_CONNTRACK_SECMARK 61 bool 'Connection tracking security mark support' 62 depends on NETWORK_SECMARK 63 default m if NETFILTER_ADVANCED=n 64 help 65 This option enables security markings to be applied to 66 connections. Typically they are copied to connections from 67 packets using the CONNSECMARK target and copied back from 68 connections to packets with the same target, with the packets 69 being originally labeled via SECMARK. 70 71 If unsure, say 'N'. 72 73config NF_CONNTRACK_ZONES 74 bool 'Connection tracking zones' 75 depends on NETFILTER_ADVANCED 76 depends on NETFILTER_XT_TARGET_CT 77 help 78 This option enables support for connection tracking zones. 79 Normally, each connection needs to have a unique system wide 80 identity. Connection tracking zones allow to have multiple 81 connections using the same identity, as long as they are 82 contained in different zones. 83 84 If unsure, say `N'. 85 86config NF_CONNTRACK_PROCFS 87 bool "Supply CT list in procfs (OBSOLETE)" 88 default y 89 depends on PROC_FS 90 ---help--- 91 This option enables for the list of known conntrack entries 92 to be shown in procfs under net/netfilter/nf_conntrack. This 93 is considered obsolete in favor of using the conntrack(8) 94 tool which uses Netlink. 95 96config NF_CONNTRACK_EVENTS 97 bool "Connection tracking events" 98 depends on NETFILTER_ADVANCED 99 help 100 If this option is enabled, the connection tracking code will 101 provide a notifier chain that can be used by other kernel code 102 to get notified about changes in the connection tracking state. 103 104 If unsure, say `N'. 105 106config NF_CONNTRACK_TIMEOUT 107 bool 'Connection tracking timeout' 108 depends on NETFILTER_ADVANCED 109 help 110 This option enables support for connection tracking timeout 111 extension. This allows you to attach timeout policies to flow 112 via the CT target. 113 114 If unsure, say `N'. 
115 116config NF_CONNTRACK_TIMESTAMP 117 bool 'Connection tracking timestamping' 118 depends on NETFILTER_ADVANCED 119 help 120 This option enables support for connection tracking timestamping. 121 This allows you to store the flow start-time and to obtain 122 the flow-stop time (once it has been destroyed) via Connection 123 tracking events. 124 125 If unsure, say `N'. 126 127config NF_CT_PROTO_DCCP 128 tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)' 129 depends on EXPERIMENTAL 130 depends on NETFILTER_ADVANCED 131 default IP_DCCP 132 help 133 With this option enabled, the layer 3 independent connection 134 tracking code will be able to do state tracking on DCCP connections. 135 136 If unsure, say 'N'. 137 138config NF_CT_PROTO_GRE 139 tristate 140 141config NF_CT_PROTO_SCTP 142 tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)' 143 depends on EXPERIMENTAL 144 depends on NETFILTER_ADVANCED 145 default IP_SCTP 146 help 147 With this option enabled, the layer 3 independent connection 148 tracking code will be able to do state tracking on SCTP connections. 149 150 If you want to compile it as a module, say M here and read 151 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 152 153config NF_CT_PROTO_UDPLITE 154 tristate 'UDP-Lite protocol connection tracking support' 155 depends on NETFILTER_ADVANCED 156 help 157 With this option enabled, the layer 3 independent connection 158 tracking code will be able to do state tracking on UDP-Lite 159 connections. 160 161 To compile it as a module, choose M here. If unsure, say N. 162 163config NF_CONNTRACK_AMANDA 164 tristate "Amanda backup protocol support" 165 depends on NETFILTER_ADVANCED 166 select TEXTSEARCH 167 select TEXTSEARCH_KMP 168 help 169 If you are running the Amanda backup package <http://www.amanda.org/> 170 on this machine or machines that will be MASQUERADED through this 171 machine, then you may want to enable this feature. 
This allows the 172 connection tracking and natting code to allow the sub-channels that 173 Amanda requires for communication of the backup data, messages and 174 index. 175 176 To compile it as a module, choose M here. If unsure, say N. 177 178config NF_CONNTRACK_FTP 179 tristate "FTP protocol support" 180 default m if NETFILTER_ADVANCED=n 181 help 182 Tracking FTP connections is problematic: special helpers are 183 required for tracking them, and doing masquerading and other forms 184 of Network Address Translation on them. 185 186 This is FTP support on Layer 3 independent connection tracking. 187 Layer 3 independent connection tracking is experimental scheme 188 which generalize ip_conntrack to support other layer 3 protocols. 189 190 To compile it as a module, choose M here. If unsure, say N. 191 192config NF_CONNTRACK_H323 193 tristate "H.323 protocol support" 194 depends on (IPV6 || IPV6=n) 195 depends on NETFILTER_ADVANCED 196 help 197 H.323 is a VoIP signalling protocol from ITU-T. As one of the most 198 important VoIP protocols, it is widely used by voice hardware and 199 software including voice gateways, IP phones, Netmeeting, OpenPhone, 200 Gnomemeeting, etc. 201 202 With this module you can support H.323 on a connection tracking/NAT 203 firewall. 204 205 This module supports RAS, Fast Start, H.245 Tunnelling, Call 206 Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat, 207 whiteboard, file transfer, etc. For more information, please 208 visit http://nath323.sourceforge.net/. 209 210 To compile it as a module, choose M here. If unsure, say N. 211 212config NF_CONNTRACK_IRC 213 tristate "IRC protocol support" 214 default m if NETFILTER_ADVANCED=n 215 help 216 There is a commonly-used extension to IRC called 217 Direct Client-to-Client Protocol (DCC). This enables users to send 218 files to each other, and also chat to each other without the need 219 of a server. 
DCC Sending is used anywhere you send files over IRC, 220 and DCC Chat is most commonly used by Eggdrop bots. If you are 221 using NAT, this extension will enable you to send files and initiate 222 chats. Note that you do NOT need this extension to get files or 223 have others initiate chats, or everything else in IRC. 224 225 To compile it as a module, choose M here. If unsure, say N. 226 227config NF_CONNTRACK_BROADCAST 228 tristate 229 230config NF_CONNTRACK_NETBIOS_NS 231 tristate "NetBIOS name service protocol support" 232 select NF_CONNTRACK_BROADCAST 233 help 234 NetBIOS name service requests are sent as broadcast messages from an 235 unprivileged port and responded to with unicast messages to the 236 same port. This make them hard to firewall properly because connection 237 tracking doesn't deal with broadcasts. This helper tracks locally 238 originating NetBIOS name service requests and the corresponding 239 responses. It relies on correct IP address configuration, specifically 240 netmask and broadcast address. When properly configured, the output 241 of "ip address show" should look similar to this: 242 243 $ ip -4 address show eth0 244 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000 245 inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0 246 247 To compile it as a module, choose M here. If unsure, say N. 248 249config NF_CONNTRACK_SNMP 250 tristate "SNMP service protocol support" 251 depends on NETFILTER_ADVANCED 252 select NF_CONNTRACK_BROADCAST 253 help 254 SNMP service requests are sent as broadcast messages from an 255 unprivileged port and responded to with unicast messages to the 256 same port. This make them hard to firewall properly because connection 257 tracking doesn't deal with broadcasts. This helper tracks locally 258 originating SNMP service requests and the corresponding 259 responses. It relies on correct IP address configuration, specifically 260 netmask and broadcast address. 
261 262 To compile it as a module, choose M here. If unsure, say N. 263 264config NF_CONNTRACK_PPTP 265 tristate "PPtP protocol support" 266 depends on NETFILTER_ADVANCED 267 select NF_CT_PROTO_GRE 268 help 269 This module adds support for PPTP (Point to Point Tunnelling 270 Protocol, RFC2637) connection tracking and NAT. 271 272 If you are running PPTP sessions over a stateful firewall or NAT 273 box, you may want to enable this feature. 274 275 Please note that not all PPTP modes of operation are supported yet. 276 Specifically these limitations exist: 277 - Blindly assumes that control connections are always established 278 in PNS->PAC direction. This is a violation of RFC2637. 279 - Only supports a single call within each session 280 281 To compile it as a module, choose M here. If unsure, say N. 282 283config NF_CONNTRACK_SANE 284 tristate "SANE protocol support (EXPERIMENTAL)" 285 depends on EXPERIMENTAL 286 depends on NETFILTER_ADVANCED 287 help 288 SANE is a protocol for remote access to scanners as implemented 289 by the 'saned' daemon. Like FTP, it uses separate control and 290 data connections. 291 292 With this module you can support SANE on a connection tracking 293 firewall. 294 295 To compile it as a module, choose M here. If unsure, say N. 296 297config NF_CONNTRACK_SIP 298 tristate "SIP protocol support" 299 default m if NETFILTER_ADVANCED=n 300 help 301 SIP is an application-layer control protocol that can establish, 302 modify, and terminate multimedia sessions (conferences) such as 303 Internet telephony calls. With the ip_conntrack_sip and 304 the nf_nat_sip modules you can support the protocol on a connection 305 tracking/NATing firewall. 306 307 To compile it as a module, choose M here. If unsure, say N. 308 309config NF_CONNTRACK_TFTP 310 tristate "TFTP protocol support" 311 depends on NETFILTER_ADVANCED 312 help 313 TFTP connection tracking helper, this is required depending 314 on how restrictive your ruleset is. 
315 If you are using a tftp client behind -j SNAT or -j MASQUERADING 316 you will need this. 317 318 To compile it as a module, choose M here. If unsure, say N. 319 320config NF_CT_NETLINK 321 tristate 'Connection tracking netlink interface' 322 select NETFILTER_NETLINK 323 default m if NETFILTER_ADVANCED=n 324 help 325 This option enables support for a netlink-based userspace interface 326 327config NF_CT_NETLINK_TIMEOUT 328 tristate 'Connection tracking timeout tuning via Netlink' 329 select NETFILTER_NETLINK 330 depends on NETFILTER_ADVANCED 331 help 332 This option enables support for connection tracking timeout 333 fine-grain tuning. This allows you to attach specific timeout 334 policies to flows, instead of using the global timeout policy. 335 336 If unsure, say `N'. 337 338config NF_CT_NETLINK_HELPER 339 tristate 'Connection tracking helpers in user-space via Netlink' 340 select NETFILTER_NETLINK 341 depends on NF_CT_NETLINK 342 depends on NETFILTER_NETLINK_QUEUE 343 depends on NETFILTER_NETLINK_QUEUE_CT 344 depends on NETFILTER_ADVANCED 345 help 346 This option enables the user-space connection tracking helpers 347 infrastructure. 348 349 If unsure, say `N'. 350 351config NETFILTER_NETLINK_QUEUE_CT 352 bool "NFQUEUE integration with Connection Tracking" 353 default n 354 depends on NETFILTER_NETLINK_QUEUE 355 help 356 If this option is enabled, NFQUEUE can include Connection Tracking 357 information together with the packet is the enqueued via NFNETLINK. 
358 359config NF_NAT 360 tristate 361 362config NF_NAT_NEEDED 363 bool 364 depends on NF_NAT 365 default y 366 367config NF_NAT_PROTO_DCCP 368 tristate 369 depends on NF_NAT && NF_CT_PROTO_DCCP 370 default NF_NAT && NF_CT_PROTO_DCCP 371 372config NF_NAT_PROTO_UDPLITE 373 tristate 374 depends on NF_NAT && NF_CT_PROTO_UDPLITE 375 default NF_NAT && NF_CT_PROTO_UDPLITE 376 377config NF_NAT_PROTO_SCTP 378 tristate 379 default NF_NAT && NF_CT_PROTO_SCTP 380 depends on NF_NAT && NF_CT_PROTO_SCTP 381 select LIBCRC32C 382 383config NF_NAT_AMANDA 384 tristate 385 depends on NF_CONNTRACK && NF_NAT 386 default NF_NAT && NF_CONNTRACK_AMANDA 387 388config NF_NAT_FTP 389 tristate 390 depends on NF_CONNTRACK && NF_NAT 391 default NF_NAT && NF_CONNTRACK_FTP 392 393config NF_NAT_IRC 394 tristate 395 depends on NF_CONNTRACK && NF_NAT 396 default NF_NAT && NF_CONNTRACK_IRC 397 398config NF_NAT_SIP 399 tristate 400 depends on NF_CONNTRACK && NF_NAT 401 default NF_NAT && NF_CONNTRACK_SIP 402 403config NF_NAT_TFTP 404 tristate 405 depends on NF_CONNTRACK && NF_NAT 406 default NF_NAT && NF_CONNTRACK_TFTP 407 408endif # NF_CONNTRACK 409 410# transparent proxy support 411config NETFILTER_TPROXY 412 tristate "Transparent proxying support (EXPERIMENTAL)" 413 depends on EXPERIMENTAL 414 depends on IP_NF_MANGLE 415 depends on NETFILTER_ADVANCED 416 help 417 This option enables transparent proxying support, that is, 418 support for handling non-locally bound IPv4 TCP and UDP sockets. 419 For it to work you will have to configure certain iptables rules 420 and use policy routing. For more information on how to set it up 421 see Documentation/networking/tproxy.txt. 422 423 To compile it as a module, choose M here. If unsure, say N. 424 425config NETFILTER_XTABLES 426 tristate "Netfilter Xtables support (required for ip_tables)" 427 default m if NETFILTER_ADVANCED=n 428 help 429 This is required if you intend to use any of ip_tables, 430 ip6_tables or arp_tables. 
431 432if NETFILTER_XTABLES 433 434comment "Xtables combined modules" 435 436config NETFILTER_XT_MARK 437 tristate 'nfmark target and match support' 438 default m if NETFILTER_ADVANCED=n 439 ---help--- 440 This option adds the "MARK" target and "mark" match. 441 442 Netfilter mark matching allows you to match packets based on the 443 "nfmark" value in the packet. 444 The target allows you to create rules in the "mangle" table which alter 445 the netfilter mark (nfmark) field associated with the packet. 446 447 Prior to routing, the nfmark can influence the routing method (see 448 "Use netfilter MARK value as routing key") and can also be used by 449 other subsystems to change their behavior. 450 451config NETFILTER_XT_CONNMARK 452 tristate 'ctmark target and match support' 453 depends on NF_CONNTRACK 454 depends on NETFILTER_ADVANCED 455 select NF_CONNTRACK_MARK 456 ---help--- 457 This option adds the "CONNMARK" target and "connmark" match. 458 459 Netfilter allows you to store a mark value per connection (a.k.a. 460 ctmark), similarly to the packet mark (nfmark). Using this 461 target and match, you can set and match on this mark. 462 463config NETFILTER_XT_SET 464 tristate 'set target and match support' 465 depends on IP_SET 466 depends on NETFILTER_ADVANCED 467 help 468 This option adds the "SET" target and "set" match. 469 470 Using this target and match, you can add/delete and match 471 elements in the sets created by ipset(8). 472 473 To compile it as a module, choose M here. If unsure, say N. 474 475# alphabetically ordered list of targets 476 477comment "Xtables targets" 478 479config NETFILTER_XT_TARGET_AUDIT 480 tristate "AUDIT target support" 481 depends on AUDIT 482 depends on NETFILTER_ADVANCED 483 ---help--- 484 This option adds a 'AUDIT' target, which can be used to create 485 audit records for packets dropped/accepted. 486 487 To compileit as a module, choose M here. If unsure, say N. 
488 489config NETFILTER_XT_TARGET_CHECKSUM 490 tristate "CHECKSUM target support" 491 depends on IP_NF_MANGLE || IP6_NF_MANGLE 492 depends on NETFILTER_ADVANCED 493 ---help--- 494 This option adds a `CHECKSUM' target, which can be used in the iptables mangle 495 table. 496 497 You can use this target to compute and fill in the checksum in 498 a packet that lacks a checksum. This is particularly useful, 499 if you need to work around old applications such as dhcp clients, 500 that do not work well with checksum offloads, but don't want to disable 501 checksum offload in your device. 502 503 To compile it as a module, choose M here. If unsure, say N. 504 505config NETFILTER_XT_TARGET_CLASSIFY 506 tristate '"CLASSIFY" target support' 507 depends on NETFILTER_ADVANCED 508 help 509 This option adds a `CLASSIFY' target, which enables the user to set 510 the priority of a packet. Some qdiscs can use this value for 511 classification, among these are: 512 513 atm, cbq, dsmark, pfifo_fast, htb, prio 514 515 To compile it as a module, choose M here. If unsure, say N. 516 517config NETFILTER_XT_TARGET_CONNMARK 518 tristate '"CONNMARK" target support' 519 depends on NF_CONNTRACK 520 depends on NETFILTER_ADVANCED 521 select NETFILTER_XT_CONNMARK 522 ---help--- 523 This is a backwards-compat option for the user's convenience 524 (e.g. when running oldconfig). It selects 525 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module). 526 527config NETFILTER_XT_TARGET_CONNSECMARK 528 tristate '"CONNSECMARK" target support' 529 depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK 530 default m if NETFILTER_ADVANCED=n 531 help 532 The CONNSECMARK target copies security markings from packets 533 to connections, and restores security markings from connections 534 to packets (if the packets are not already marked). This would 535 normally be used in conjunction with the SECMARK target. 536 537 To compile it as a module, choose M here. If unsure, say N. 
538 539config NETFILTER_XT_TARGET_CT 540 tristate '"CT" target support' 541 depends on NF_CONNTRACK 542 depends on IP_NF_RAW || IP6_NF_RAW 543 depends on NETFILTER_ADVANCED 544 help 545 This options adds a `CT' target, which allows to specify initial 546 connection tracking parameters like events to be delivered and 547 the helper to be used. 548 549 To compile it as a module, choose M here. If unsure, say N. 550 551config NETFILTER_XT_TARGET_DSCP 552 tristate '"DSCP" and "TOS" target support' 553 depends on IP_NF_MANGLE || IP6_NF_MANGLE 554 depends on NETFILTER_ADVANCED 555 help 556 This option adds a `DSCP' target, which allows you to manipulate 557 the IPv4/IPv6 header DSCP field (differentiated services codepoint). 558 559 The DSCP field can have any value between 0x0 and 0x3f inclusive. 560 561 It also adds the "TOS" target, which allows you to create rules in 562 the "mangle" table which alter the Type Of Service field of an IPv4 563 or the Priority field of an IPv6 packet, prior to routing. 564 565 To compile it as a module, choose M here. If unsure, say N. 566 567config NETFILTER_XT_TARGET_HL 568 tristate '"HL" hoplimit target support' 569 depends on IP_NF_MANGLE || IP6_NF_MANGLE 570 depends on NETFILTER_ADVANCED 571 ---help--- 572 This option adds the "HL" (for IPv6) and "TTL" (for IPv4) 573 targets, which enable the user to change the 574 hoplimit/time-to-live value of the IP header. 575 576 While it is safe to decrement the hoplimit/TTL value, the 577 modules also allow to increment and set the hoplimit value of 578 the header to arbitrary values. This is EXTREMELY DANGEROUS 579 since you can easily create immortal packets that loop 580 forever on the network. 581 582config NETFILTER_XT_TARGET_HMARK 583 tristate '"HMARK" target support' 584 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n) 585 depends on NETFILTER_ADVANCED 586 ---help--- 587 This option adds the "HMARK" target. 
588 589 The target allows you to create rules in the "raw" and "mangle" tables 590 which set the skbuff mark by means of hash calculation within a given 591 range. The nfmark can influence the routing method (see "Use netfilter 592 MARK value as routing key") and can also be used by other subsystems to 593 change their behaviour. 594 595 To compile it as a module, choose M here. If unsure, say N. 596 597config NETFILTER_XT_TARGET_IDLETIMER 598 tristate "IDLETIMER target support" 599 depends on NETFILTER_ADVANCED 600 help 601 602 This option adds the `IDLETIMER' target. Each matching packet 603 resets the timer associated with label specified when the rule is 604 added. When the timer expires, it triggers a sysfs notification. 605 The remaining time for expiration can be read via sysfs. 606 607 To compile it as a module, choose M here. If unsure, say N. 608 609config NETFILTER_XT_TARGET_LED 610 tristate '"LED" target support' 611 depends on LEDS_CLASS && LEDS_TRIGGERS 612 depends on NETFILTER_ADVANCED 613 help 614 This option adds a `LED' target, which allows you to blink LEDs in 615 response to particular packets passing through your machine. 616 617 This can be used to turn a spare LED into a network activity LED, 618 which only flashes in response to FTP transfers, for example. Or 619 you could have an LED which lights up for a minute or two every time 620 somebody connects to your machine via SSH. 621 622 You will need support for the "led" class to make this work. 
623 624 To create an LED trigger for incoming SSH traffic: 625 iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000 626 627 Then attach the new trigger to an LED on your system: 628 echo netfilter-ssh > /sys/class/leds/<ledname>/trigger 629 630 For more information on the LEDs available on your system, see 631 Documentation/leds/leds-class.txt 632 633config NETFILTER_XT_TARGET_LOG 634 tristate "LOG target support" 635 default m if NETFILTER_ADVANCED=n 636 help 637 This option adds a `LOG' target, which allows you to create rules in 638 any iptables table which records the packet header to the syslog. 639 640 To compile it as a module, choose M here. If unsure, say N. 641 642config NETFILTER_XT_TARGET_MARK 643 tristate '"MARK" target support' 644 depends on NETFILTER_ADVANCED 645 select NETFILTER_XT_MARK 646 ---help--- 647 This is a backwards-compat option for the user's convenience 648 (e.g. when running oldconfig). It selects 649 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module). 650 651config NETFILTER_XT_TARGET_NETMAP 652 tristate '"NETMAP" target support' 653 depends on NF_NAT 654 ---help--- 655 NETMAP is an implementation of static 1:1 NAT mapping of network 656 addresses. It maps the network address part, while keeping the host 657 address part intact. 658 659 To compile it as a module, choose M here. If unsure, say N. 660 661config NETFILTER_XT_TARGET_NFLOG 662 tristate '"NFLOG" target support' 663 default m if NETFILTER_ADVANCED=n 664 select NETFILTER_NETLINK_LOG 665 help 666 This option enables the NFLOG target, which allows to LOG 667 messages through nfnetlink_log. 668 669 To compile it as a module, choose M here. If unsure, say N. 670 671config NETFILTER_XT_TARGET_NFQUEUE 672 tristate '"NFQUEUE" target Support' 673 depends on NETFILTER_ADVANCED 674 select NETFILTER_NETLINK_QUEUE 675 help 676 This target replaced the old obsolete QUEUE target. 
677 678 As opposed to QUEUE, it supports 65535 different queues, 679 not just one. 680 681 To compile it as a module, choose M here. If unsure, say N. 682 683config NETFILTER_XT_TARGET_NOTRACK 684 tristate '"NOTRACK" target support (DEPRECATED)' 685 depends on NF_CONNTRACK 686 depends on IP_NF_RAW || IP6_NF_RAW 687 depends on NETFILTER_ADVANCED 688 select NETFILTER_XT_TARGET_CT 689 690config NETFILTER_XT_TARGET_RATEEST 691 tristate '"RATEEST" target support' 692 depends on NETFILTER_ADVANCED 693 help 694 This option adds a `RATEEST' target, which allows to measure 695 rates similar to TC estimators. The `rateest' match can be 696 used to match on the measured rates. 697 698 To compile it as a module, choose M here. If unsure, say N. 699 700config NETFILTER_XT_TARGET_REDIRECT 701 tristate "REDIRECT target support" 702 depends on NF_NAT 703 ---help--- 704 REDIRECT is a special case of NAT: all incoming connections are 705 mapped onto the incoming interface's address, causing the packets to 706 come to the local machine instead of passing through. This is 707 useful for transparent proxies. 708 709 To compile it as a module, choose M here. If unsure, say N. 710 711config NETFILTER_XT_TARGET_TEE 712 tristate '"TEE" - packet cloning to alternate destination' 713 depends on NETFILTER_ADVANCED 714 depends on (IPV6 || IPV6=n) 715 depends on !NF_CONNTRACK || NF_CONNTRACK 716 ---help--- 717 This option adds a "TEE" target with which a packet can be cloned and 718 this clone be rerouted to another nexthop. 719 720config NETFILTER_XT_TARGET_TPROXY 721 tristate '"TPROXY" target support (EXPERIMENTAL)' 722 depends on EXPERIMENTAL 723 depends on NETFILTER_TPROXY 724 depends on NETFILTER_XTABLES 725 depends on NETFILTER_ADVANCED 726 select NF_DEFRAG_IPV4 727 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES 728 help 729 This option adds a `TPROXY' target, which is somewhat similar to 730 REDIRECT. 
It can only be used in the mangle table and is useful 731 to redirect traffic to a transparent proxy. It does _not_ depend 732 on Netfilter connection tracking and NAT, unlike REDIRECT. 733 734 To compile it as a module, choose M here. If unsure, say N. 735 736config NETFILTER_XT_TARGET_TRACE 737 tristate '"TRACE" target support' 738 depends on IP_NF_RAW || IP6_NF_RAW 739 depends on NETFILTER_ADVANCED 740 help 741 The TRACE target allows you to mark packets so that the kernel 742 will log every rule which match the packets as those traverse 743 the tables, chains, rules. 744 745 If you want to compile it as a module, say M here and read 746 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 747 748config NETFILTER_XT_TARGET_SECMARK 749 tristate '"SECMARK" target support' 750 depends on NETWORK_SECMARK 751 default m if NETFILTER_ADVANCED=n 752 help 753 The SECMARK target allows security marking of network 754 packets, for use with security subsystems. 755 756 To compile it as a module, choose M here. If unsure, say N. 757 758config NETFILTER_XT_TARGET_TCPMSS 759 tristate '"TCPMSS" target support' 760 depends on (IPV6 || IPV6=n) 761 default m if NETFILTER_ADVANCED=n 762 ---help--- 763 This option adds a `TCPMSS' target, which allows you to alter the 764 MSS value of TCP SYN packets, to control the maximum size for that 765 connection (usually limiting it to your outgoing interface's MTU 766 minus 40). 767 768 This is used to overcome criminally braindead ISPs or servers which 769 block ICMP Fragmentation Needed packets. The symptoms of this 770 problem are that everything works fine from your Linux 771 firewall/router, but machines behind it can never exchange large 772 packets: 773 1) Web browsers connect, then hang with no data received. 774 2) Small mail works fine, but large emails hang. 775 3) ssh works fine, but scp hangs after initial handshaking. 
776 777 Workaround: activate this option and add a rule to your firewall 778 configuration like: 779 780 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \ 781 -j TCPMSS --clamp-mss-to-pmtu 782 783 To compile it as a module, choose M here. If unsure, say N. 784 785config NETFILTER_XT_TARGET_TCPOPTSTRIP 786 tristate '"TCPOPTSTRIP" target support (EXPERIMENTAL)' 787 depends on EXPERIMENTAL 788 depends on IP_NF_MANGLE || IP6_NF_MANGLE 789 depends on NETFILTER_ADVANCED 790 help 791 This option adds a "TCPOPTSTRIP" target, which allows you to strip 792 TCP options from TCP packets. 793 794# alphabetically ordered list of matches 795 796comment "Xtables matches" 797 798config NETFILTER_XT_MATCH_ADDRTYPE 799 tristate '"addrtype" address type match support' 800 depends on NETFILTER_ADVANCED 801 ---help--- 802 This option allows you to match what routing thinks of an address, 803 eg. UNICAST, LOCAL, BROADCAST, ... 804 805 If you want to compile it as a module, say M here and read 806 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 807 808config NETFILTER_XT_MATCH_CLUSTER 809 tristate '"cluster" match support' 810 depends on NF_CONNTRACK 811 depends on NETFILTER_ADVANCED 812 ---help--- 813 This option allows you to build work-load-sharing clusters of 814 network servers/stateful firewalls without having a dedicated 815 load-balancing router/server/switch. Basically, this match returns 816 true when the packet must be handled by this cluster node. Thus, 817 all nodes see all packets and this match decides which node handles 818 what packets. The work-load sharing algorithm is based on source 819 address hashing. 820 821 If you say Y or M here, try `iptables -m cluster --help` for 822 more information. 823 824config NETFILTER_XT_MATCH_COMMENT 825 tristate '"comment" match support' 826 depends on NETFILTER_ADVANCED 827 help 828 This option adds a `comment' dummy-match, which allows you to put 829 comments in your iptables ruleset. 
830 831 If you want to compile it as a module, say M here and read 832 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 833 834config NETFILTER_XT_MATCH_CONNBYTES 835 tristate '"connbytes" per-connection counter match support' 836 depends on NF_CONNTRACK 837 depends on NETFILTER_ADVANCED 838 help 839 This option adds a `connbytes' match, which allows you to match the 840 number of bytes and/or packets for each direction within a connection. 841 842 If you want to compile it as a module, say M here and read 843 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 844 845config NETFILTER_XT_MATCH_CONNLIMIT 846 tristate '"connlimit" match support"' 847 depends on NF_CONNTRACK 848 depends on NETFILTER_ADVANCED 849 ---help--- 850 This match allows you to match against the number of parallel 851 connections to a server per client IP address (or address block). 852 853config NETFILTER_XT_MATCH_CONNMARK 854 tristate '"connmark" connection mark match support' 855 depends on NF_CONNTRACK 856 depends on NETFILTER_ADVANCED 857 select NETFILTER_XT_CONNMARK 858 ---help--- 859 This is a backwards-compat option for the user's convenience 860 (e.g. when running oldconfig). It selects 861 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module). 862 863config NETFILTER_XT_MATCH_CONNTRACK 864 tristate '"conntrack" connection tracking match support' 865 depends on NF_CONNTRACK 866 default m if NETFILTER_ADVANCED=n 867 help 868 This is a general conntrack match module, a superset of the state match. 869 870 It allows matching on additional conntrack information, which is 871 useful in complex configurations, such as NAT gateways with multiple 872 internet links or tunnels. 873 874 To compile it as a module, choose M here. If unsure, say N. 875 876config NETFILTER_XT_MATCH_CPU 877 tristate '"cpu" match support' 878 depends on NETFILTER_ADVANCED 879 help 880 CPU matching allows you to match packets based on the CPU 881 currently handling the packet. 

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_DCCP
	tristate '"dccp" protocol match support'
	depends on NETFILTER_ADVANCED
	default IP_DCCP
	help
	  With this option enabled, you will be able to use the iptables
	  `dccp' match in order to match on DCCP source/destination ports
	  and DCCP flags.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_DEVGROUP
	tristate '"devgroup" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `devgroup' match, which allows you to match on the
	  device group a network device is assigned to.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_DSCP
	tristate '"dscp" and "tos" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It will also add a "tos" match, which allows you to match packets
	  based on the Type Of Service fields of the IPv4 packet (which share
	  the same bits as DSCP).

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an "ECN" match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_ESP
	tristate '"esp" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the ESP header of IPsec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_HASHLIMIT
	tristate '"hashlimit" match support'
	depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `hashlimit' match.

	  As opposed to `limit', this match dynamically creates a hash table
	  of limit buckets, based on your selection of source/destination
	  addresses and/or ports.

	  It enables you to express policies like `10kpps for any given
	  destination address' or `500pps from any given source address'
	  with a single rule.

config NETFILTER_XT_MATCH_HELPER
	tristate '"helper" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack-helper, e.g. ip_conntrack_ftp.

	  To compile it as a module, choose M here.  If unsure, say Y.

config NETFILTER_XT_MATCH_HL
	tristate '"hl" hoplimit/TTL match support'
	depends on NETFILTER_ADVANCED
	---help---
	  HL matching allows you to match packets based on the hoplimit
	  in the IPv6 header, or the time-to-live field in the IPv4
	  header of the packet.

config NETFILTER_XT_MATCH_IPRANGE
	tristate '"iprange" address range match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an "iprange" match, which allows you to match based on
	  an IP address range. (Normal iptables only matches on single addresses
	  with an optional mask.)

	  If unsure, say M.

config NETFILTER_XT_MATCH_IPVS
	tristate '"ipvs" match support'
	depends on IP_VS
	depends on NETFILTER_ADVANCED
	depends on NF_CONNTRACK
	help
	  This option allows you to match against IPVS properties of a packet.

	  If unsure, say N.

config NETFILTER_XT_MATCH_LENGTH
	tristate '"length" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_LIMIT
	tristate '"limit" match support'
	depends on NETFILTER_ADVANCED
	help
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", below) and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_MAC
	tristate '"mac" address match support'
	depends on NETFILTER_ADVANCED
	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_MARK
	tristate '"mark" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MARK
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).

config NETFILTER_XT_MATCH_MULTIPORT
	tristate '"multiport" Multiple port match support'
	depends on NETFILTER_ADVANCED
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_NFACCT
	tristate '"nfacct" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK_ACCT
	help
	  This option allows you to use the extended accounting through
	  nfnetlink_acct.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_OSF
	tristate '"osf" Passive OS fingerprint match'
	depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
	help
	  This option selects the Passive OS Fingerprinting match module
	  that allows you to passively match the remote operating system by
	  analyzing incoming TCP SYN packets.

	  Rules and loading software can be downloaded from
	  http://www.ioremap.net/projects/osf

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_OWNER
	tristate '"owner" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  Socket owner matching allows you to match locally-generated packets
	  based on who created the socket: the user or group. It is also
	  possible to check whether a socket actually exists.

config NETFILTER_XT_MATCH_POLICY
	tristate 'IPsec "policy" match support'
	depends on XFRM
	default m if NETFILTER_ADVANCED=n
	help
	  Policy matching allows you to match packets based on the
	  IPsec policy that was used during decapsulation/will
	  be used during encapsulation.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_PHYSDEV
	tristate '"physdev" match support'
	depends on BRIDGE && BRIDGE_NETFILTER
	depends on NETFILTER_ADVANCED
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_PKTTYPE
	tristate '"pkttype" packet type match support'
	depends on NETFILTER_ADVANCED
	help
	  Packet type matching allows you to match a packet by
	  its "class", e.g. BROADCAST, MULTICAST, ...

	  Typical usage:
	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_QUOTA
	tristate '"quota" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `quota' match, which allows you to match on a
	  byte counter.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_RATEEST
	tristate '"rateest" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_RATEEST
	help
	  This option adds a `rateest' match, which allows you to match on the
	  rate estimated by the RATEEST target.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_REALM
	tristate '"realm" match support'
	depends on NETFILTER_ADVANCED
	select IP_ROUTE_CLASSID
	help
	  This option adds a `realm' match, which allows you to use the realm
	  key from the routing subsystem inside iptables.

	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
	  in the tc world.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_RECENT
	tristate '"recent" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'
	  Official Website: <http://snowman.net/projects/ipt_recent/>

config NETFILTER_XT_MATCH_SCTP
	tristate '"sctp" protocol match support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	default IP_SCTP
	help
	  With this option enabled, you will be able to use the
	  `sctp' match in order to match on SCTP source/destination ports
	  and SCTP chunk types.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_SOCKET
	tristate '"socket" match support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_TPROXY
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
	help
	  This option adds a `socket' match, which can be used to match
	  packets for which a TCP or UDP socket lookup finds a valid socket.
	  It can be used in combination with the MARK target and policy
	  routing to implement full featured non-locally bound sockets.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_STATE
	tristate '"state" match support'
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (i.e. previous packets). This
	  is a powerful tool for packet classification.

	  To compile it as a module, choose M here.  If unsure, say N.
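
The help texts for the `conntrack`/`state`, `hashlimit` and `recent` matches above describe what each match tests but not how they combine in a ruleset. The script below is an added example, not part of the kernel's Kconfig or of the iptables project: a minimal stateful INPUT chain that accepts replies to tracked connections, drops packets conntrack cannot classify, uses `hashlimit` to give each source address its own SYN-rate bucket, and uses `recent` to throttle repeated new SSH connections from one source. The SSH port, the rates, the burst and the hit count are assumed values chosen for illustration; the kernel must have NF_CONNTRACK, NETFILTER_XT_MATCH_CONNTRACK, NETFILTER_XT_MATCH_HASHLIMIT and NETFILTER_XT_MATCH_RECENT enabled (built in or as modules). By default the script only prints the iptables commands it would run.

```shell
#!/bin/sh
# Added example (not from the kernel tree or the iptables project): a minimal
# stateful INPUT chain built from the "conntrack"/"state", "hashlimit" and
# "recent" matches. SSH_PORT, the rate limits and the hit count are assumed
# values for illustration. Dry-run by default: each iptables command is
# printed instead of executed; DRY_RUN=0 applies the rules (root required).

DRY_RUN="${DRY_RUN:-1}"
SSH_PORT="${SSH_PORT:-22}"   # assumption: sshd listens on the default port

# Wrapper so the same function body can either print or apply a rule.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

build_input_chain() {
    # Stateful baseline from the conntrack/state match: accept packets that
    # belong to connections we already track, drop what conntrack cannot
    # associate with any connection.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

    # hashlimit keeps one limit bucket per source address, so a single
    # client sending more than 20 SYN/s (after a burst of 40) is dropped
    # while every other client is unaffected.
    ipt -A INPUT -p tcp --syn -m hashlimit --hashlimit-name syn-per-src \
        --hashlimit-mode srcip --hashlimit-above 20/sec \
        --hashlimit-burst 40 -j DROP

    # recent records each source that opens a new SSH connection in the
    # "sshguard" list; a source seen 4 times within 60 s is dropped.
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m recent --name sshguard --set
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m recent --name sshguard --update --seconds 60 --hitcount 4 -j DROP
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT

    # Everything not accepted above is dropped; the policy is set last so
    # the accept rules are already in place when it takes effect.
    ipt -P INPUT DROP
}

# Number of "-A INPUT" rules the chain installs. Always evaluated in dry-run
# mode inside a subshell, so it is safe to call on any host.
count_rules() {
    ( DRY_RUN=1; build_input_chain ) | grep -c '^iptables -A INPUT'
}

build_input_chain
```

`sh ruleset.sh` prints the seven append rules and the final policy; `DRY_RUN=0 sh ruleset.sh` installs them. The `--set` rule deliberately carries no target, so a first SSH connection is recorded and then falls through to the accept rule; only the `--update` rule, which counts entries already in the list, drops traffic.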

config NETFILTER_XT_MATCH_STATISTIC
	tristate '"statistic" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `statistic' match, which allows you to match
	  on packets periodically or randomly with a given percentage.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_STRING
	tristate '"string" match support'
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	select TEXTSEARCH_BM
	select TEXTSEARCH_FSM
	help
	  This option adds a `string' match, which allows you to search for
	  patterns in packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_TCPMSS
	tristate '"tcpmss" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS value of TCP SYN packets, which controls the maximum packet size
	  for that connection.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_TIME
	tristate '"time" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds a "time" match, which allows you to match based on
	  the packet arrival time (at the machine on which netfilter is running)
	  or departure time/date (for locally generated packets).

	  If you say Y here, try `iptables -m time --help` for
	  more information.

	  If you want to compile it as a module, say M here.
	  If unsure, say N.

config NETFILTER_XT_MATCH_U32
	tristate '"u32" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  u32 allows you to extract quantities of up to 4 bytes from a packet,
	  AND them with specified masks, shift them by specified amounts and
	  test whether the results are in any of a set of specified ranges.
	  The specification of what to extract is general enough to skip over
	  headers with lengths stored in the packet, as in IP or TCP header
	  lengths.

	  Details and examples are in the kernel module source.

endif # NETFILTER_XTABLES

endmenu

source "net/netfilter/ipset/Kconfig"

source "net/netfilter/ipvs/Kconfig"