menu "Core Netfilter Configuration"
	depends on NET && INET && NETFILTER

config NETFILTER_INGRESS
	bool "Netfilter ingress support"
	default y
	select NET_INGRESS
	help
	  This allows you to classify packets from ingress using the Netfilter
	  infrastructure.

config NETFILTER_NETLINK
	tristate

config NETFILTER_FAMILY_BRIDGE
	bool

config NETFILTER_FAMILY_ARP
	bool

config NETFILTER_NETLINK_ACCT
	tristate "Netfilter NFACCT over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for extended accounting via NFNETLINK.

config NETFILTER_NETLINK_QUEUE
	tristate "Netfilter NFQUEUE over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for queueing packets via NFNETLINK.

config NETFILTER_NETLINK_LOG
	tristate "Netfilter LOG over NFNETLINK interface"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for logging packets via NFNETLINK.

	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
	  and is also scheduled to replace the old syslog-based ipt_LOG
	  and ip6t_LOG modules.

config NF_CONNTRACK
	tristate "Netfilter connection tracking support"
	default m if NETFILTER_ADVANCED=n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is required to do Masquerading or other kinds of Network
	  Address Translation. It can also be used to enhance packet
	  filtering (see `Connection state match support' below).

	  To compile it as a module, choose M here. If unsure, say N.

config NF_LOG_COMMON
	tristate

config NF_LOG_NETDEV
	tristate "Netdev packet logging"
	select NF_LOG_COMMON

if NF_CONNTRACK
config NETFILTER_CONNCOUNT
	tristate

config NF_CONNTRACK_MARK
	bool 'Connection mark tracking support'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match. Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config NF_CONNTRACK_SECMARK
	bool 'Connection tracking security mark support'
	depends on NETWORK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables security markings to be applied to
	  connections. Typically they are copied to connections from
	  packets using the CONNSECMARK target and copied back from
	  connections to packets with the same target, with the packets
	  being originally labeled via SECMARK.

	  If unsure, say 'N'.

config NF_CONNTRACK_ZONES
	bool 'Connection tracking zones'
	depends on NETFILTER_ADVANCED
	depends on NETFILTER_XT_TARGET_CT
	help
	  This option enables support for connection tracking zones.
	  Normally, each connection needs to have a unique system wide
	  identity. Connection tracking zones allow multiple connections
	  to use the same identity, as long as they are contained in
	  different zones.

	  If unsure, say `N'.

config NF_CONNTRACK_PROCFS
	bool "Supply CT list in procfs (OBSOLETE)"
	default y
	depends on PROC_FS
	---help---
	  This option enables the list of known conntrack entries to be
	  shown in procfs under net/netfilter/nf_conntrack. This is
	  considered obsolete in favor of using the conntrack(8) tool,
	  which uses Netlink.

config NF_CONNTRACK_EVENTS
	bool "Connection tracking events"
	depends on NETFILTER_ADVANCED
	help
	  If this option is enabled, the connection tracking code will
	  provide a notifier chain that can be used by other kernel code
	  to get notified about changes in the connection tracking state.

	  If unsure, say `N'.

config NF_CONNTRACK_TIMEOUT
	bool 'Connection tracking timeout'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for the connection tracking timeout
	  extension. This allows you to attach timeout policies to flows
	  via the CT target.

	  If unsure, say `N'.

config NF_CONNTRACK_TIMESTAMP
	bool 'Connection tracking timestamping'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection tracking timestamping.
	  This allows you to store the flow start-time and to obtain
	  the flow-stop time (once it has been destroyed) via Connection
	  tracking events.

	  If unsure, say `N'.

config NF_CONNTRACK_LABELS
	bool
	help
	  This option enables support for assigning user-defined flag bits
	  to connection tracking entries. It is selected by the connlabel match.

config NF_CT_PROTO_DCCP
	bool 'DCCP protocol connection tracking support'
	depends on NETFILTER_ADVANCED
	default y
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on DCCP connections.

	  If unsure, say Y.

config NF_CT_PROTO_GRE
	tristate

config NF_CT_PROTO_SCTP
	bool 'SCTP protocol connection tracking support'
	depends on NETFILTER_ADVANCED
	default y
	select LIBCRC32C
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on SCTP connections.

	  If unsure, say Y.

config NF_CT_PROTO_UDPLITE
	bool 'UDP-Lite protocol connection tracking support'
	depends on NETFILTER_ADVANCED
	default y
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on UDP-Lite
	  connections.

	  If unsure, say Y.

config NF_CONNTRACK_AMANDA
	tristate "Amanda backup protocol support"
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature. This allows the
	  connection tracking and NAT code to open the sub-channels that
	  Amanda requires for communication of the backup data, messages and
	  index.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_FTP
	tristate "FTP protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them.

	  This is FTP support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_H323
	tristate "H.323 protocol support"
	depends on IPV6 || IPV6=n
	depends on NETFILTER_ADVANCED
	help
	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
	  important VoIP protocols, it is widely used by voice hardware and
	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
	  Gnomemeeting, etc.

	  With this module you can support H.323 on a connection tracking/NAT
	  firewall.

	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
	  whiteboard, file transfer, etc. For more information, please
	  visit http://nath323.sourceforge.net/.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_IRC
	tristate "IRC protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC). This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server. DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots. If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats. Note that you do NOT need this extension to get files or
	  have others initiate chats, or everything else in IRC.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_BROADCAST
	tristate

config NF_CONNTRACK_NETBIOS_NS
	tristate "NetBIOS name service protocol support"
	select NF_CONNTRACK_BROADCAST
	help
	  NetBIOS name service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating NetBIOS name service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address. When properly configured, the output
	  of "ip address show" should look similar to this:

	  $ ip -4 address show eth0
	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SNMP
	tristate "SNMP service protocol support"
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_BROADCAST
	help
	  SNMP service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating SNMP service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_PPTP
	tristate "PPtP protocol support"
	depends on NETFILTER_ADVANCED
	select NF_CT_PROTO_GRE
	help
	  This module adds support for PPTP (Point to Point Tunnelling
	  Protocol, RFC2637) connection tracking and NAT.

	  If you are running PPTP sessions over a stateful firewall or NAT
	  box, you may want to enable this feature.

	  Please note that not all PPTP modes of operation are supported yet.
	  Specifically these limitations exist:
	    - Blindly assumes that control connections are always established
	      in PNS->PAC direction. This is a violation of RFC2637.
	    - Only supports a single call within each session

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SANE
	tristate "SANE protocol support"
	depends on NETFILTER_ADVANCED
	help
	  SANE is a protocol for remote access to scanners as implemented
	  by the 'saned' daemon. Like FTP, it uses separate control and
	  data connections.

	  With this module you can support SANE on a connection tracking
	  firewall.

	  To compile it as a module, choose M here. If unsure, say N.
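
# Added example, not part of the kernel or of the nf_conntrack_netbios_ns and
# nf_conntrack_snmp modules: a user-space model of the broadcast helper that the
# NETBIOS_NS and SNMP stanzas above describe, written to make the netmask and
# broadcast-address dependency concrete. It records an expectation when a locally
# originated UDP datagram goes to the helper's port (137 or 161) at the directed
# broadcast address of the configured interface, and then classifies a unicast
# reply from any host in that subnet, sent from the same port back to the
# requester's ip:port, as RELATED instead of NEW. The interface address, ports,
# hosts and the three-second expectation lifetime are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

NETBIOS_NS_PORT, SNMP_PORT = 137, 161   # UDP ports watched by the two broadcast helpers
EXPECT_TIMEOUT = 3.0                    # seconds an expectation stays alive (assumed here)


@dataclass
class Expectation:
    subnet: ipaddress.IPv4Network        # any host in this network may answer
    local_ip: ipaddress.IPv4Address      # the requester's address ...
    local_port: int                      # ... and its unprivileged source port
    expires_at: float


@dataclass
class BroadcastHelper:
    iface: ipaddress.IPv4Interface       # e.g. 172.16.2.252/24 as shown by "ip -4 address show"
    port: int                            # 137 for NetBIOS-NS, 161 for SNMP
    timeout: float = EXPECT_TIMEOUT
    expectations: list = field(default_factory=list)

    def on_outgoing(self, src_ip, src_port, dst_ip, dst_port, now):
        """Locally originated datagram; returns True if an expectation was registered."""
        net = self.iface.network
        # Only a datagram to the helper's port at the *configured* subnet's directed
        # broadcast address counts. With a wrong netmask the broadcast address differs,
        # the helper never fires and the replies later show up as NEW.
        if dst_port != self.port or ipaddress.IPv4Address(dst_ip) != net.broadcast_address:
            return False
        self.expectations.append(
            Expectation(net, ipaddress.IPv4Address(src_ip), src_port, now + self.timeout))
        return True

    def classify_incoming(self, src_ip, src_port, dst_ip, dst_port, now):
        """Return "RELATED" for a unicast reply matching a live expectation, else "NEW"."""
        self.expectations = [e for e in self.expectations if e.expires_at > now]
        src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
        for e in self.expectations:
            if (src in e.subnet and src_port == self.port
                    and dst == e.local_ip and dst_port == e.local_port):
                return "RELATED"
        return "NEW"


def run_scenario(iface_cidr, port=NETBIOS_NS_PORT, reply_src="172.16.2.10", reply_delay=0.5):
    """Constructed exchange: this host queries 172.16.2.255:<port> from port 40123 and
    <reply_src> answers with a unicast datagram from <port> back to port 40123."""
    helper = BroadcastHelper(ipaddress.IPv4Interface(iface_cidr), port)
    local_ip = str(helper.iface.ip)
    registered = helper.on_outgoing(local_ip, 40123, "172.16.2.255", port, now=0.0)
    verdict = helper.classify_incoming(reply_src, port, local_ip, 40123, now=reply_delay)
    return registered, verdict


if __name__ == "__main__":
    print(run_scenario("172.16.2.252/24"))                       # (True, 'RELATED')
    print(run_scenario("172.16.2.252/24", port=SNMP_PORT))       # (True, 'RELATED')
    print(run_scenario("172.16.2.252/16"))                       # (False, 'NEW'): wrong netmask
    print(run_scenario("172.16.2.252/24", reply_src="10.0.0.9")) # (True, 'NEW'): off-subnet source
    print(run_scenario("172.16.2.252/24", reply_delay=5.0))      # (True, 'NEW'): expectation expired
```

# The /16 case is the misconfiguration the help text warns about: with the wrong
# netmask the directed broadcast is 172.16.255.255, the query to 172.16.2.255 is
# not recognised, no expectation exists and the reply is treated as a NEW flow
# that a default-deny INPUT chain drops.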

config NF_CONNTRACK_SIP
	tristate "SIP protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  SIP is an application-layer control protocol that can establish,
	  modify, and terminate multimedia sessions (conferences) such as
	  Internet telephony calls. With the nf_conntrack_sip and
	  the nf_nat_sip modules you can support the protocol on a connection
	  tracking/NATing firewall.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_TFTP
	tristate "TFTP protocol support"
	depends on NETFILTER_ADVANCED
	help
	  TFTP connection tracking helper; whether it is required depends
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADE
	  you will need this.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CT_NETLINK
	tristate 'Connection tracking netlink interface'
	select NETFILTER_NETLINK
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables support for a netlink-based userspace interface.

config NF_CT_NETLINK_TIMEOUT
	tristate 'Connection tracking timeout tuning via Netlink'
	select NETFILTER_NETLINK
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection tracking timeout
	  fine-grain tuning. This allows you to attach specific timeout
	  policies to flows, instead of using the global timeout policy.

	  If unsure, say `N'.

config NF_CT_NETLINK_HELPER
	tristate 'Connection tracking helpers in user-space via Netlink'
	select NETFILTER_NETLINK
	depends on NF_CT_NETLINK
	depends on NETFILTER_NETLINK_QUEUE
	depends on NETFILTER_NETLINK_GLUE_CT
	depends on NETFILTER_ADVANCED
	help
	  This option enables the user-space connection tracking helpers
	  infrastructure.

	  If unsure, say `N'.
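
# Added example, not part of this Kconfig file or of the kconfig tool: a small
# Python resolver for the stanza format used here, written to answer the question
# the NF_CT_NETLINK_HELPER chain above raises when trimming a kernel's attack
# surface: what does enabling a symbol pull in through "select", and is every
# "depends on" of the result satisfied? It parses "config", "bool"/"tristate",
# "depends on", "select ... [if ...]", help blocks and "if ... endif" (an enclosing
# "if" becomes an extra dependency), applies the select closure the way kconfig
# does (a selected symbol is forced on even when its own dependencies do not hold,
# which kconfig then reports as an unmet direct dependency) and evaluates
# expressions as tristates with n < m < y, "&&" as min and "||" as max. The
# embedded input is a constructed copy of stanzas from this file with prompts and
# help trimmed; NETFILTER_ADVANCED and NETFILTER_NETLINK_LOG are defined elsewhere
# in the tree and are left undefined here on purpose.

```python
import re

ORDER = {"n": 0, "m": 1, "y": 2}   # kconfig tristate ordering: n < m < y

def parse_kconfig(text):
    # -> {name: {"type", "depends", "selects"}}; an enclosing "if COND" adds a dependency
    symbols, cur, conds, help_indent = {}, None, [], None
    for line in filter(str.strip, text.expandtabs(8).splitlines()):
        indent = len(line) - len(line.lstrip())
        if help_indent is not None:                   # inside a help block: the first
            help_indent = indent if help_indent < 0 else help_indent   # body line sets
            if indent >= help_indent:                 # the indent, a dedent ends it
                continue
            help_indent = None
        key, _, rest = line.strip().partition(" ")
        rest = rest.split("#", 1)[0].strip()          # "endif # NF_CONNTRACK"
        if key == "config":
            cur = symbols[rest] = {"type": "tristate", "depends": list(conds), "selects": []}
        elif key == "if":
            conds.append(rest)
        elif key == "endif":
            conds.pop()
        elif key in ("help", "---help---"):
            help_indent = -1
        elif cur and key in ("bool", "tristate"):
            cur["type"] = key
        elif cur and key == "depends":
            cur["depends"].append(rest[2:].strip())   # "on EXPR"
        elif cur and key == "select":
            target, _, cond = rest.partition(" if ")
            cur["selects"].append((target, cond or None))
    return symbols

def tri_eval(expr, values):
    # Kconfig expression -> "n"/"m"/"y": && is min, || is max, ! swaps y and n
    toks = re.findall(r"&&|\|\||!=|=|!|\(|\)|\w+", expr)

    def val(tok):                          # literal y/m/n, or a symbol (unset means n)
        return ORDER[tok] if tok in ORDER else ORDER[values.get(tok, "n")]

    def parse(i, level=0):                 # -> (value, next index); levels: ||, &&, atom
        if level < 2:
            op, fold = (("||", max), ("&&", min))[level]
            v, i = parse(i, level + 1)
            while i < len(toks) and toks[i] == op:
                rhs, i = parse(i + 1, level + 1)
                v = fold(v, rhs)
            return v, i
        if toks[i] == "(":
            v, i = parse(i + 1)
            return v, i + 1                # skip the closing ')'
        if toks[i] == "!":
            v, i = parse(i + 1, 2)
            return 2 - v, i
        v, i = val(toks[i]), i + 1
        if i < len(toks) and toks[i] in ("=", "!="):
            v, i = (2 if (v == val(toks[i + 1])) == (toks[i] == "=") else 0), i + 2
        return v, i

    return "nmy"[parse(0)[0]]

def resolve(symbols, chosen):
    # select closure over the user's choices -> (values, {symbol: unmet depends})
    values = {**dict.fromkeys(symbols, "n"), **chosen}
    changed = True
    while changed:                                    # fixpoint, since selects chain
        changed = False
        for name, sym in symbols.items():
            for target, cond in sym["selects"] if values[name] != "n" else ():
                if cond and tri_eval(cond, values) == "n":
                    continue
                is_bool = symbols.get(target, sym)["type"] == "bool"   # unknown: assume selector's type
                want = "y" if is_bool else values[name]
                if ORDER[want] > ORDER[values.get(target, "n")]:
                    values[target] = want             # forced on; its own depends are ignored
                    changed = True
    unmet = {n: [d for d in s["depends"] if tri_eval(d, values) == "n"]
             for n, s in symbols.items() if values[n] != "n"}
    return values, {n: d for n, d in unmet.items() if d}

# Constructed input: stanzas copied from this file with prompts and help trimmed.
SAMPLE_KCONFIG = """\
config NETFILTER_NETLINK
	tristate
config NETFILTER_NETLINK_QUEUE
	tristate "Netfilter NFQUEUE over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
config NF_CONNTRACK
	tristate "Netfilter connection tracking support"
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine.
if NF_CONNTRACK
config NF_CT_NETLINK
	tristate
	select NETFILTER_NETLINK
config NETFILTER_NETLINK_GLUE_CT
	bool
	depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
config NF_CT_NETLINK_HELPER
	tristate
	select NETFILTER_NETLINK
	depends on NF_CT_NETLINK
	depends on NETFILTER_NETLINK_QUEUE
	depends on NETFILTER_NETLINK_GLUE_CT
	depends on NETFILTER_ADVANCED
endif # NF_CONNTRACK
"""
```

# resolve(parse_kconfig(SAMPLE_KCONFIG), {"NETFILTER_ADVANCED": "y", "NF_CT_NETLINK_HELPER": "m"})
# reports NF_CT_NETLINK_HELPER with NF_CONNTRACK, NF_CT_NETLINK, NETFILTER_NETLINK_QUEUE
# and NETFILTER_NETLINK_GLUE_CT unmet, and shows NETFILTER_NETLINK forced to m by the
# select; enabling the whole chain clears the report. Two kconfig rules are left out
# deliberately: "default" lines, and the cap that limits a symbol to m when it depends
# on an m symbol.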

config NETFILTER_NETLINK_GLUE_CT
	bool "NFQUEUE and NFLOG integration with Connection Tracking"
	default n
	depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
	help
	  If this option is enabled, NFQUEUE and NFLOG can include
	  Connection Tracking information together with the packet that
	  is enqueued via NFNETLINK.

config NF_NAT
	tristate

config NF_NAT_NEEDED
	bool
	depends on NF_NAT
	default y

config NF_NAT_PROTO_DCCP
	bool
	depends on NF_NAT && NF_CT_PROTO_DCCP
	default NF_NAT && NF_CT_PROTO_DCCP

config NF_NAT_PROTO_UDPLITE
	bool
	depends on NF_NAT && NF_CT_PROTO_UDPLITE
	default NF_NAT && NF_CT_PROTO_UDPLITE

config NF_NAT_PROTO_SCTP
	bool
	default NF_NAT && NF_CT_PROTO_SCTP
	depends on NF_NAT && NF_CT_PROTO_SCTP

config NF_NAT_AMANDA
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_AMANDA

config NF_NAT_FTP
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_FTP

config NF_NAT_IRC
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_IRC

config NF_NAT_SIP
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_SIP

config NF_NAT_TFTP
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_TFTP

config NF_NAT_REDIRECT
	bool

config NETFILTER_SYNPROXY
	tristate

endif # NF_CONNTRACK

config NF_OSF
	tristate

config NF_TABLES
	select NETFILTER_NETLINK
	tristate "Netfilter nf_tables support"
	help
	  nftables is the new packet classification framework that intends to
	  replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
	  provides a pseudo-state machine with an extensible instruction-set
	  (also known as expressions) that the userspace 'nft' utility
	  (http://www.netfilter.org/projects/nftables) uses to build the
	  rule-set. It also comes with the generic set infrastructure that
	  allows you to construct mappings between matchings and actions
	  for performance lookups.

	  To compile it as a module, choose M here.

if NF_TABLES

config NF_TABLES_SET
	tristate "Netfilter nf_tables set infrastructure"
	help
	  This option enables the nf_tables set infrastructure that allows
	  looking up elements in a set and building one-way mappings between
	  matchings and actions.

config NF_TABLES_INET
	depends on IPV6
	select NF_TABLES_IPV4
	select NF_TABLES_IPV6
	bool "Netfilter nf_tables mixed IPv4/IPv6 tables support"
	help
	  This option enables support for a mixed IPv4/IPv6 "inet" table.

config NF_TABLES_NETDEV
	bool "Netfilter nf_tables netdev tables support"
	help
	  This option enables support for the "netdev" table.

config NFT_NUMGEN
	tristate "Netfilter nf_tables number generator module"
	help
	  This option adds the number generator expression used to perform
	  incremental counting and random numbers bound to an upper limit.

config NFT_CT
	depends on NF_CONNTRACK
	tristate "Netfilter nf_tables conntrack module"
	help
	  This option adds the "ct" expression that you can use to match
	  connection tracking information such as the flow state.

config NFT_FLOW_OFFLOAD
	depends on NF_CONNTRACK && NF_FLOW_TABLE
	tristate "Netfilter nf_tables hardware flow offload module"
	help
	  This option adds the "flow_offload" expression that you can use to
	  choose what flows are placed into the hardware.

config NFT_COUNTER
	tristate "Netfilter nf_tables counter module"
	help
	  This option adds the "counter" expression that you can use to
	  include packet and byte counters in a rule.

config NFT_CONNLIMIT
	tristate "Netfilter nf_tables connlimit module"
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_CONNCOUNT
	help
	  This option adds the "connlimit" expression that you can use to
	  limit rule matches by the number of concurrent connections.

config NFT_LOG
	tristate "Netfilter nf_tables log module"
	help
	  This option adds the "log" expression that you can use to log
	  packets matching some criteria.

config NFT_LIMIT
	tristate "Netfilter nf_tables limit module"
	help
	  This option adds the "limit" expression that you can use to
	  ratelimit rule matchings.

config NFT_MASQ
	depends on NF_CONNTRACK
	depends on NF_NAT
	tristate "Netfilter nf_tables masquerade support"
	help
	  This option adds the "masquerade" expression that you can use
	  to perform NAT in the masquerade flavour.

config NFT_REDIR
	depends on NF_CONNTRACK
	depends on NF_NAT
	tristate "Netfilter nf_tables redirect support"
	help
	  This option adds the "redirect" expression that you can use
	  to perform NAT in the redirect flavour.

config NFT_NAT
	depends on NF_CONNTRACK
	select NF_NAT
	tristate "Netfilter nf_tables nat module"
	help
	  This option adds the "nat" expression that you can use to perform
	  typical Network Address Translation (NAT) packet transformations.

config NFT_OBJREF
	tristate "Netfilter nf_tables stateful object reference module"
	help
	  This option adds the "objref" expression that allows you to refer to
	  stateful objects, such as counters and quotas.

config NFT_QUEUE
	depends on NETFILTER_NETLINK_QUEUE
	tristate "Netfilter nf_tables queue module"
	help
	  This is required if you intend to use the userspace queueing
	  infrastructure (also known as NFQUEUE) from nftables.

config NFT_QUOTA
	tristate "Netfilter nf_tables quota module"
	help
	  This option adds the "quota" expression that you can use to
	  enforce byte quotas.

config NFT_REJECT
	default m if NETFILTER_ADVANCED=n
	tristate "Netfilter nf_tables reject support"
	depends on !NF_TABLES_INET || (IPV6!=m || m)
	help
	  This option adds the "reject" expression that you can use to
	  explicitly deny disallowed traffic and notify the sender via a
	  TCP reset or an ICMP error message.

config NFT_REJECT_INET
	depends on NF_TABLES_INET
	default NFT_REJECT
	tristate

config NFT_COMPAT
	depends on NETFILTER_XTABLES
	tristate "Netfilter x_tables over nf_tables module"
	help
	  This is required if you intend to use any of the existing
	  x_tables match/target extensions over the nf_tables
	  framework.

config NFT_HASH
	tristate "Netfilter nf_tables hash module"
	help
	  This option adds the "hash" expression that you can use to perform
	  a hash operation on registers.

config NFT_FIB
	tristate

config NFT_FIB_INET
	depends on NF_TABLES_INET
	depends on NFT_FIB_IPV4
	depends on NFT_FIB_IPV6
	tristate "Netfilter nf_tables fib inet support"
	help
	  This option allows using the FIB expression from the inet table.
	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
	  on the protocol of the packet.

config NFT_SOCKET
	tristate "Netfilter nf_tables socket match support"
	depends on IPV6 || IPV6=n
	select NF_SOCKET_IPV4
	select NF_SOCKET_IPV6 if IPV6
	help
	  This option allows matching for the presence or absence of a
	  corresponding socket and its attributes.

if NF_TABLES_NETDEV

config NF_DUP_NETDEV
	tristate "Netfilter packet duplication support"
	help
	  This option enables the generic packet duplication infrastructure
	  for Netfilter.

config NFT_DUP_NETDEV
	tristate "Netfilter nf_tables netdev packet duplication support"
	select NF_DUP_NETDEV
	help
	  This option enables packet duplication for the "netdev" family.

config NFT_FWD_NETDEV
	tristate "Netfilter nf_tables netdev packet forwarding support"
	select NF_DUP_NETDEV
	help
	  This option enables packet forwarding for the "netdev" family.

config NFT_FIB_NETDEV
	depends on NFT_FIB_IPV4
	depends on NFT_FIB_IPV6
	tristate "Netfilter nf_tables netdev fib lookups support"
	help
	  This option allows using the FIB expression from the netdev table.
	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
	  on the protocol of the packet.

endif # NF_TABLES_NETDEV

endif # NF_TABLES

config NF_FLOW_TABLE_INET
	tristate "Netfilter flow table mixed IPv4/IPv6 module"
	depends on NF_FLOW_TABLE
	help
	  This option adds the flow table mixed IPv4/IPv6 support.

	  To compile it as a module, choose M here.

config NF_FLOW_TABLE
	tristate "Netfilter flow table module"
	depends on NETFILTER_INGRESS
	depends on NF_CONNTRACK
	depends on NF_TABLES
	help
	  This option adds the flow table core infrastructure.

	  To compile it as a module, choose M here.

config NETFILTER_XTABLES
	tristate "Netfilter Xtables support (required for ip_tables)"
	default m if NETFILTER_ADVANCED=n
	help
	  This is required if you intend to use any of ip_tables,
	  ip6_tables or arp_tables.

if NETFILTER_XTABLES

comment "Xtables combined modules"

config NETFILTER_XT_MARK
	tristate 'nfmark target and match support'
	default m if NETFILTER_ADVANCED=n
	---help---
	  This option adds the "MARK" target and "mark" match.

	  Netfilter mark matching allows you to match packets based on the
	  "nfmark" value in the packet.
	  The target allows you to create rules in the "mangle" table which alter
	  the netfilter mark (nfmark) field associated with the packet.

	  Prior to routing, the nfmark can influence the routing method and can
	  also be used by other subsystems to change their behavior.

config NETFILTER_XT_CONNMARK
	tristate 'ctmark target and match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	---help---
	  This option adds the "CONNMARK" target and "connmark" match.

	  Netfilter allows you to store a mark value per connection (a.k.a.
	  ctmark), similarly to the packet mark (nfmark). Using this
	  target and match, you can set and match on this mark.

config NETFILTER_XT_SET
	tristate 'set target and match support'
	depends on IP_SET
	depends on NETFILTER_ADVANCED
	help
	  This option adds the "SET" target and "set" match.

	  Using this target and match, you can add/delete and match
	  elements in the sets created by ipset(8).

	  To compile it as a module, choose M here. If unsure, say N.

# alphabetically ordered list of targets

comment "Xtables targets"

config NETFILTER_XT_TARGET_AUDIT
	tristate "AUDIT target support"
	depends on AUDIT
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an 'AUDIT' target, which can be used to create
	  audit records for packets dropped/accepted.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CHECKSUM
	tristate "CHECKSUM target support"
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds a `CHECKSUM' target, which can be used in the iptables mangle
	  table.

	  You can use this target to compute and fill in the checksum in
	  a packet that lacks a checksum. This is particularly useful
	  if you need to work around old applications such as dhcp clients
	  that do not work well with checksum offloads, but don't want to disable
	  checksum offload in your device.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CLASSIFY
	tristate '"CLASSIFY" target support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet. Some qdiscs can use this value for
	  classification, among these are:

	  atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CONNMARK
	tristate '"CONNMARK" target support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_CONNMARK
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).

config NETFILTER_XT_TARGET_CONNSECMARK
	tristate '"CONNSECMARK" target support'
	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The CONNSECMARK target copies security markings from packets
	  to connections, and restores security markings from connections
	  to packets (if the packets are not already marked). This would
	  normally be used in conjunction with the SECMARK target.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CT
	tristate '"CT" target support'
	depends on NF_CONNTRACK
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CT' target, which allows you to specify initial
	  connection tracking parameters like events to be delivered and
	  the helper to be used.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_DSCP
	tristate '"DSCP" and "TOS" target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' target, which allows you to manipulate
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It also adds the "TOS" target, which allows you to create rules in
	  the "mangle" table which alter the Type Of Service field of an IPv4
	  or the Priority field of an IPv6 packet, prior to routing.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
	  targets, which enable the user to change the
	  hoplimit/time-to-live value of the IP header.

	  While it is safe to decrement the hoplimit/TTL value, the
	  modules also allow you to increment and set the hoplimit value of
	  the header to arbitrary values. This is EXTREMELY DANGEROUS
	  since you can easily create immortal packets that loop
	  forever on the network.

config NETFILTER_XT_TARGET_HMARK
	tristate '"HMARK" target support'
	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds the "HMARK" target.

	  The target allows you to create rules in the "raw" and "mangle" tables
	  which set the skbuff mark by means of hash calculation within a given
	  range. The nfmark can influence the routing method and can also be used
	  by other subsystems to change their behaviour.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_IDLETIMER
	tristate "IDLETIMER target support"
	depends on NETFILTER_ADVANCED
	help

	  This option adds the `IDLETIMER' target. Each matching packet
	  resets the timer associated with the label specified when the rule is
	  added. When the timer expires, it triggers a sysfs notification.
	  The remaining time for expiration can be read via sysfs.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_LED
	tristate '"LED" target support'
	depends on LEDS_CLASS && LEDS_TRIGGERS
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `LED' target, which allows you to blink LEDs in
	  response to particular packets passing through your machine.

	  This can be used to turn a spare LED into a network activity LED,
	  which only flashes in response to FTP transfers, for example. Or
	  you could have an LED which lights up for a minute or two every time
	  somebody connects to your machine via SSH.

	  You will need support for the "led" class to make this work.

	  To create an LED trigger for incoming SSH traffic:
	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000

	  Then attach the new trigger to an LED on your system:
	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger

	  For more information on the LEDs available on your system, see
	  Documentation/leds/leds-class.txt

config NETFILTER_XT_TARGET_LOG
	tristate "LOG target support"
	select NF_LOG_COMMON
	select NF_LOG_IPV4
	select NF_LOG_IPV6 if IPV6
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which records the packet header to the syslog.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_MARK
	tristate '"MARK" target support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MARK
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).

config NETFILTER_XT_NAT
	tristate '"SNAT and DNAT" targets support'
	depends on NF_NAT
	---help---
	  This option enables the SNAT and DNAT targets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NETMAP
	tristate '"NETMAP" target support'
	depends on NF_NAT
	---help---
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses. It maps the network address part, while keeping the host
	  address part intact.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NFLOG
	tristate '"NFLOG" target support'
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK_LOG
	help
	  This option enables the NFLOG target, which allows logging
	  messages through nfnetlink_log.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NFQUEUE
	tristate '"NFQUEUE" target Support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK_QUEUE
	help
	  This target replaced the old obsolete QUEUE target.

	  As opposed to QUEUE, it supports 65535 different queues,
	  not just one.

	  To compile it as a module, choose M here. If unsure, say N.
940 941config NETFILTER_XT_TARGET_NOTRACK 942 tristate '"NOTRACK" target support (DEPRECATED)' 943 depends on NF_CONNTRACK 944 depends on IP_NF_RAW || IP6_NF_RAW 945 depends on NETFILTER_ADVANCED 946 select NETFILTER_XT_TARGET_CT 947 948config NETFILTER_XT_TARGET_RATEEST 949 tristate '"RATEEST" target support' 950 depends on NETFILTER_ADVANCED 951 help 952 This option adds a `RATEEST' target, which allows to measure 953 rates similar to TC estimators. The `rateest' match can be 954 used to match on the measured rates. 955 956 To compile it as a module, choose M here. If unsure, say N. 957 958config NETFILTER_XT_TARGET_REDIRECT 959 tristate "REDIRECT target support" 960 depends on NF_NAT 961 select NF_NAT_REDIRECT 962 ---help--- 963 REDIRECT is a special case of NAT: all incoming connections are 964 mapped onto the incoming interface's address, causing the packets to 965 come to the local machine instead of passing through. This is 966 useful for transparent proxies. 967 968 To compile it as a module, choose M here. If unsure, say N. 969 970config NETFILTER_XT_TARGET_TEE 971 tristate '"TEE" - packet cloning to alternate destination' 972 depends on NETFILTER_ADVANCED 973 depends on IPV6 || IPV6=n 974 depends on !NF_CONNTRACK || NF_CONNTRACK 975 select NF_DUP_IPV4 976 select NF_DUP_IPV6 if IPV6 977 ---help--- 978 This option adds a "TEE" target with which a packet can be cloned and 979 this clone be rerouted to another nexthop. 980 981config NETFILTER_XT_TARGET_TPROXY 982 tristate '"TPROXY" target transparent proxying support' 983 depends on NETFILTER_XTABLES 984 depends on NETFILTER_ADVANCED 985 depends on IPV6 || IPV6=n 986 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n 987 depends on IP_NF_MANGLE 988 select NF_DEFRAG_IPV4 989 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n 990 select NF_TPROXY_IPV4 991 select NF_TPROXY_IPV6 if IP6_NF_IPTABLES 992 help 993 This option adds a `TPROXY' target, which is somewhat similar to 994 REDIRECT. 
It can only be used in the mangle table and is useful 995 to redirect traffic to a transparent proxy. It does _not_ depend 996 on Netfilter connection tracking and NAT, unlike REDIRECT. 997 For it to work you will have to configure certain iptables rules 998 and use policy routing. For more information on how to set it up 999 see Documentation/networking/tproxy.txt. 1000 1001 To compile it as a module, choose M here. If unsure, say N. 1002 1003config NETFILTER_XT_TARGET_TRACE 1004 tristate '"TRACE" target support' 1005 depends on IP_NF_RAW || IP6_NF_RAW 1006 depends on NETFILTER_ADVANCED 1007 help 1008 The TRACE target allows you to mark packets so that the kernel 1009 will log every rule which match the packets as those traverse 1010 the tables, chains, rules. 1011 1012 If you want to compile it as a module, say M here and read 1013 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 1014 1015config NETFILTER_XT_TARGET_SECMARK 1016 tristate '"SECMARK" target support' 1017 depends on NETWORK_SECMARK 1018 default m if NETFILTER_ADVANCED=n 1019 help 1020 The SECMARK target allows security marking of network 1021 packets, for use with security subsystems. 1022 1023 To compile it as a module, choose M here. If unsure, say N. 1024 1025config NETFILTER_XT_TARGET_TCPMSS 1026 tristate '"TCPMSS" target support' 1027 depends on IPV6 || IPV6=n 1028 default m if NETFILTER_ADVANCED=n 1029 ---help--- 1030 This option adds a `TCPMSS' target, which allows you to alter the 1031 MSS value of TCP SYN packets, to control the maximum size for that 1032 connection (usually limiting it to your outgoing interface's MTU 1033 minus 40). 1034 1035 This is used to overcome criminally braindead ISPs or servers which 1036 block ICMP Fragmentation Needed packets. The symptoms of this 1037 problem are that everything works fine from your Linux 1038 firewall/router, but machines behind it can never exchange large 1039 packets: 1040 1) Web browsers connect, then hang with no data received. 
1041 2) Small mail works fine, but large emails hang. 1042 3) ssh works fine, but scp hangs after initial handshaking. 1043 1044 Workaround: activate this option and add a rule to your firewall 1045 configuration like: 1046 1047 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \ 1048 -j TCPMSS --clamp-mss-to-pmtu 1049 1050 To compile it as a module, choose M here. If unsure, say N. 1051 1052config NETFILTER_XT_TARGET_TCPOPTSTRIP 1053 tristate '"TCPOPTSTRIP" target support' 1054 depends on IP_NF_MANGLE || IP6_NF_MANGLE 1055 depends on NETFILTER_ADVANCED 1056 help 1057 This option adds a "TCPOPTSTRIP" target, which allows you to strip 1058 TCP options from TCP packets. 1059 1060# alphabetically ordered list of matches 1061 1062comment "Xtables matches" 1063 1064config NETFILTER_XT_MATCH_ADDRTYPE 1065 tristate '"addrtype" address type match support' 1066 default m if NETFILTER_ADVANCED=n 1067 ---help--- 1068 This option allows you to match what routing thinks of an address, 1069 eg. UNICAST, LOCAL, BROADCAST, ... 1070 1071 If you want to compile it as a module, say M here and read 1072 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 1073 1074config NETFILTER_XT_MATCH_BPF 1075 tristate '"bpf" match support' 1076 depends on NETFILTER_ADVANCED 1077 help 1078 BPF matching applies a linux socket filter to each packet and 1079 accepts those for which the filter returns non-zero. 1080 1081 To compile it as a module, choose M here. If unsure, say N. 1082 1083config NETFILTER_XT_MATCH_CGROUP 1084 tristate '"control group" match support' 1085 depends on NETFILTER_ADVANCED 1086 depends on CGROUPS 1087 select CGROUP_NET_CLASSID 1088 ---help--- 1089 Socket/process control group matching allows you to match locally 1090 generated packets based on which net_cls control group processes 1091 belong to. 
1092 1093config NETFILTER_XT_MATCH_CLUSTER 1094 tristate '"cluster" match support' 1095 depends on NF_CONNTRACK 1096 depends on NETFILTER_ADVANCED 1097 ---help--- 1098 This option allows you to build work-load-sharing clusters of 1099 network servers/stateful firewalls without having a dedicated 1100 load-balancing router/server/switch. Basically, this match returns 1101 true when the packet must be handled by this cluster node. Thus, 1102 all nodes see all packets and this match decides which node handles 1103 what packets. The work-load sharing algorithm is based on source 1104 address hashing. 1105 1106 If you say Y or M here, try `iptables -m cluster --help` for 1107 more information. 1108 1109config NETFILTER_XT_MATCH_COMMENT 1110 tristate '"comment" match support' 1111 depends on NETFILTER_ADVANCED 1112 help 1113 This option adds a `comment' dummy-match, which allows you to put 1114 comments in your iptables ruleset. 1115 1116 If you want to compile it as a module, say M here and read 1117 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 1118 1119config NETFILTER_XT_MATCH_CONNBYTES 1120 tristate '"connbytes" per-connection counter match support' 1121 depends on NF_CONNTRACK 1122 depends on NETFILTER_ADVANCED 1123 help 1124 This option adds a `connbytes' match, which allows you to match the 1125 number of bytes and/or packets for each direction within a connection. 1126 1127 If you want to compile it as a module, say M here and read 1128 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 1129 1130config NETFILTER_XT_MATCH_CONNLABEL 1131 tristate '"connlabel" match support' 1132 select NF_CONNTRACK_LABELS 1133 depends on NF_CONNTRACK 1134 depends on NETFILTER_ADVANCED 1135 ---help--- 1136 This match allows you to test and assign userspace-defined labels names 1137 to a connection. The kernel only stores bit values - mapping 1138 names to bits is done by userspace. 
1139 1140 Unlike connmark, more than 32 flag bits may be assigned to a 1141 connection simultaneously. 1142 1143config NETFILTER_XT_MATCH_CONNLIMIT 1144 tristate '"connlimit" match support' 1145 depends on NF_CONNTRACK 1146 depends on NETFILTER_ADVANCED 1147 select NETFILTER_CONNCOUNT 1148 ---help--- 1149 This match allows you to match against the number of parallel 1150 connections to a server per client IP address (or address block). 1151 1152config NETFILTER_XT_MATCH_CONNMARK 1153 tristate '"connmark" connection mark match support' 1154 depends on NF_CONNTRACK 1155 depends on NETFILTER_ADVANCED 1156 select NETFILTER_XT_CONNMARK 1157 ---help--- 1158 This is a backwards-compat option for the user's convenience 1159 (e.g. when running oldconfig). It selects 1160 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module). 1161 1162config NETFILTER_XT_MATCH_CONNTRACK 1163 tristate '"conntrack" connection tracking match support' 1164 depends on NF_CONNTRACK 1165 default m if NETFILTER_ADVANCED=n 1166 help 1167 This is a general conntrack match module, a superset of the state match. 1168 1169 It allows matching on additional conntrack information, which is 1170 useful in complex configurations, such as NAT gateways with multiple 1171 internet links or tunnels. 1172 1173 To compile it as a module, choose M here. If unsure, say N. 1174 1175config NETFILTER_XT_MATCH_CPU 1176 tristate '"cpu" match support' 1177 depends on NETFILTER_ADVANCED 1178 help 1179 CPU matching allows you to match packets based on the CPU 1180 currently handling the packet. 1181 1182 To compile it as a module, choose M here. If unsure, say N. 1183 1184config NETFILTER_XT_MATCH_DCCP 1185 tristate '"dccp" protocol match support' 1186 depends on NETFILTER_ADVANCED 1187 default IP_DCCP 1188 help 1189 With this option enabled, you will be able to use the iptables 1190 `dccp' match in order to match on DCCP source/destination ports 1191 and DCCP flags. 
1192 1193 If you want to compile it as a module, say M here and read 1194 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 1195 1196config NETFILTER_XT_MATCH_DEVGROUP 1197 tristate '"devgroup" match support' 1198 depends on NETFILTER_ADVANCED 1199 help 1200 This options adds a `devgroup' match, which allows to match on the 1201 device group a network device is assigned to. 1202 1203 To compile it as a module, choose M here. If unsure, say N. 1204 1205config NETFILTER_XT_MATCH_DSCP 1206 tristate '"dscp" and "tos" match support' 1207 depends on NETFILTER_ADVANCED 1208 help 1209 This option adds a `DSCP' match, which allows you to match against 1210 the IPv4/IPv6 header DSCP field (differentiated services codepoint). 1211 1212 The DSCP field can have any value between 0x0 and 0x3f inclusive. 1213 1214 It will also add a "tos" match, which allows you to match packets 1215 based on the Type Of Service fields of the IPv4 packet (which share 1216 the same bits as DSCP). 1217 1218 To compile it as a module, choose M here. If unsure, say N. 1219 1220config NETFILTER_XT_MATCH_ECN 1221 tristate '"ecn" match support' 1222 depends on NETFILTER_ADVANCED 1223 ---help--- 1224 This option adds an "ECN" match, which allows you to match against 1225 the IPv4 and TCP header ECN fields. 1226 1227 To compile it as a module, choose M here. If unsure, say N. 1228 1229config NETFILTER_XT_MATCH_ESP 1230 tristate '"esp" match support' 1231 depends on NETFILTER_ADVANCED 1232 help 1233 This match extension allows you to match a range of SPIs 1234 inside ESP header of IPSec packets. 1235 1236 To compile it as a module, choose M here. If unsure, say N. 1237 1238config NETFILTER_XT_MATCH_HASHLIMIT 1239 tristate '"hashlimit" match support' 1240 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n 1241 depends on NETFILTER_ADVANCED 1242 help 1243 This option adds a `hashlimit' match. 
1244 1245 As opposed to `limit', this match dynamically creates a hash table 1246 of limit buckets, based on your selection of source/destination 1247 addresses and/or ports. 1248 1249 It enables you to express policies like `10kpps for any given 1250 destination address' or `500pps from any given source address' 1251 with a single rule. 1252 1253config NETFILTER_XT_MATCH_HELPER 1254 tristate '"helper" match support' 1255 depends on NF_CONNTRACK 1256 depends on NETFILTER_ADVANCED 1257 help 1258 Helper matching allows you to match packets in dynamic connections 1259 tracked by a conntrack-helper, ie. ip_conntrack_ftp 1260 1261 To compile it as a module, choose M here. If unsure, say Y. 1262 1263config NETFILTER_XT_MATCH_HL 1264 tristate '"hl" hoplimit/TTL match support' 1265 depends on NETFILTER_ADVANCED 1266 ---help--- 1267 HL matching allows you to match packets based on the hoplimit 1268 in the IPv6 header, or the time-to-live field in the IPv4 1269 header of the packet. 1270 1271config NETFILTER_XT_MATCH_IPCOMP 1272 tristate '"ipcomp" match support' 1273 depends on NETFILTER_ADVANCED 1274 help 1275 This match extension allows you to match a range of CPIs(16 bits) 1276 inside IPComp header of IPSec packets. 1277 1278 To compile it as a module, choose M here. If unsure, say N. 1279 1280config NETFILTER_XT_MATCH_IPRANGE 1281 tristate '"iprange" address range match support' 1282 depends on NETFILTER_ADVANCED 1283 ---help--- 1284 This option adds a "iprange" match, which allows you to match based on 1285 an IP address range. (Normal iptables only matches on single addresses 1286 with an optional mask.) 1287 1288 If unsure, say M. 1289 1290config NETFILTER_XT_MATCH_IPVS 1291 tristate '"ipvs" match support' 1292 depends on IP_VS 1293 depends on NETFILTER_ADVANCED 1294 depends on NF_CONNTRACK 1295 help 1296 This option allows you to match against IPVS properties of a packet. 1297 1298 If unsure, say N. 
1299 1300config NETFILTER_XT_MATCH_L2TP 1301 tristate '"l2tp" match support' 1302 depends on NETFILTER_ADVANCED 1303 default L2TP 1304 ---help--- 1305 This option adds an "L2TP" match, which allows you to match against 1306 L2TP protocol header fields. 1307 1308 To compile it as a module, choose M here. If unsure, say N. 1309 1310config NETFILTER_XT_MATCH_LENGTH 1311 tristate '"length" match support' 1312 depends on NETFILTER_ADVANCED 1313 help 1314 This option allows you to match the length of a packet against a 1315 specific value or range of values. 1316 1317 To compile it as a module, choose M here. If unsure, say N. 1318 1319config NETFILTER_XT_MATCH_LIMIT 1320 tristate '"limit" match support' 1321 depends on NETFILTER_ADVANCED 1322 help 1323 limit matching allows you to control the rate at which a rule can be 1324 matched: mainly useful in combination with the LOG target ("LOG 1325 target support", below) and to avoid some Denial of Service attacks. 1326 1327 To compile it as a module, choose M here. If unsure, say N. 1328 1329config NETFILTER_XT_MATCH_MAC 1330 tristate '"mac" address match support' 1331 depends on NETFILTER_ADVANCED 1332 help 1333 MAC matching allows you to match packets based on the source 1334 Ethernet address of the packet. 1335 1336 To compile it as a module, choose M here. If unsure, say N. 1337 1338config NETFILTER_XT_MATCH_MARK 1339 tristate '"mark" match support' 1340 depends on NETFILTER_ADVANCED 1341 select NETFILTER_XT_MARK 1342 ---help--- 1343 This is a backwards-compat option for the user's convenience 1344 (e.g. when running oldconfig). It selects 1345 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module). 1346 1347config NETFILTER_XT_MATCH_MULTIPORT 1348 tristate '"multiport" Multiple port match support' 1349 depends on NETFILTER_ADVANCED 1350 help 1351 Multiport matching allows you to match TCP or UDP packets based on 1352 a series of source or destination ports: normally a rule can only 1353 match a single range of ports. 
1354 1355 To compile it as a module, choose M here. If unsure, say N. 1356 1357config NETFILTER_XT_MATCH_NFACCT 1358 tristate '"nfacct" match support' 1359 depends on NETFILTER_ADVANCED 1360 select NETFILTER_NETLINK_ACCT 1361 help 1362 This option allows you to use the extended accounting through 1363 nfnetlink_acct. 1364 1365 To compile it as a module, choose M here. If unsure, say N. 1366 1367config NETFILTER_XT_MATCH_OSF 1368 tristate '"osf" Passive OS fingerprint match' 1369 depends on NETFILTER_ADVANCED && NETFILTER_NETLINK 1370 select NF_OSF 1371 help 1372 This option selects the Passive OS Fingerprinting match module 1373 that allows to passively match the remote operating system by 1374 analyzing incoming TCP SYN packets. 1375 1376 Rules and loading software can be downloaded from 1377 http://www.ioremap.net/projects/osf 1378 1379 To compile it as a module, choose M here. If unsure, say N. 1380 1381config NETFILTER_XT_MATCH_OWNER 1382 tristate '"owner" match support' 1383 depends on NETFILTER_ADVANCED 1384 ---help--- 1385 Socket owner matching allows you to match locally-generated packets 1386 based on who created the socket: the user or group. It is also 1387 possible to check whether a socket actually exists. 1388 1389config NETFILTER_XT_MATCH_POLICY 1390 tristate 'IPsec "policy" match support' 1391 depends on XFRM 1392 default m if NETFILTER_ADVANCED=n 1393 help 1394 Policy matching allows you to match packets based on the 1395 IPsec policy that was used during decapsulation/will 1396 be used during encapsulation. 1397 1398 To compile it as a module, choose M here. If unsure, say N. 1399 1400config NETFILTER_XT_MATCH_PHYSDEV 1401 tristate '"physdev" match support' 1402 depends on BRIDGE && BRIDGE_NETFILTER 1403 depends on NETFILTER_ADVANCED 1404 help 1405 Physdev packet matching matches against the physical bridge ports 1406 the IP packet arrived on or will leave by. 1407 1408 To compile it as a module, choose M here. If unsure, say N. 
1409 1410config NETFILTER_XT_MATCH_PKTTYPE 1411 tristate '"pkttype" packet type match support' 1412 depends on NETFILTER_ADVANCED 1413 help 1414 Packet type matching allows you to match a packet by 1415 its "class", eg. BROADCAST, MULTICAST, ... 1416 1417 Typical usage: 1418 iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG 1419 1420 To compile it as a module, choose M here. If unsure, say N. 1421 1422config NETFILTER_XT_MATCH_QUOTA 1423 tristate '"quota" match support' 1424 depends on NETFILTER_ADVANCED 1425 help 1426 This option adds a `quota' match, which allows to match on a 1427 byte counter. 1428 1429 If you want to compile it as a module, say M here and read 1430 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 1431 1432config NETFILTER_XT_MATCH_RATEEST 1433 tristate '"rateest" match support' 1434 depends on NETFILTER_ADVANCED 1435 select NETFILTER_XT_TARGET_RATEEST 1436 help 1437 This option adds a `rateest' match, which allows to match on the 1438 rate estimated by the RATEEST target. 1439 1440 To compile it as a module, choose M here. If unsure, say N. 1441 1442config NETFILTER_XT_MATCH_REALM 1443 tristate '"realm" match support' 1444 depends on NETFILTER_ADVANCED 1445 select IP_ROUTE_CLASSID 1446 help 1447 This option adds a `realm' match, which allows you to use the realm 1448 key from the routing subsystem inside iptables. 1449 1450 This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option 1451 in tc world. 1452 1453 If you want to compile it as a module, say M here and read 1454 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 1455 1456config NETFILTER_XT_MATCH_RECENT 1457 tristate '"recent" match support' 1458 depends on NETFILTER_ADVANCED 1459 ---help--- 1460 This match is used for creating one or many lists of recently 1461 used addresses and then matching against that/those list(s). 
1462 1463 Short options are available by using 'iptables -m recent -h' 1464 Official Website: <http://snowman.net/projects/ipt_recent/> 1465 1466config NETFILTER_XT_MATCH_SCTP 1467 tristate '"sctp" protocol match support' 1468 depends on NETFILTER_ADVANCED 1469 default IP_SCTP 1470 help 1471 With this option enabled, you will be able to use the 1472 `sctp' match in order to match on SCTP source/destination ports 1473 and SCTP chunk types. 1474 1475 If you want to compile it as a module, say M here and read 1476 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 1477 1478config NETFILTER_XT_MATCH_SOCKET 1479 tristate '"socket" match support' 1480 depends on NETFILTER_XTABLES 1481 depends on NETFILTER_ADVANCED 1482 depends on IPV6 || IPV6=n 1483 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n 1484 depends on NF_SOCKET_IPV4 1485 depends on NF_SOCKET_IPV6 1486 select NF_DEFRAG_IPV4 1487 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n 1488 help 1489 This option adds a `socket' match, which can be used to match 1490 packets for which a TCP or UDP socket lookup finds a valid socket. 1491 It can be used in combination with the MARK target and policy 1492 routing to implement full featured non-locally bound sockets. 1493 1494 To compile it as a module, choose M here. If unsure, say N. 1495 1496config NETFILTER_XT_MATCH_STATE 1497 tristate '"state" match support' 1498 depends on NF_CONNTRACK 1499 default m if NETFILTER_ADVANCED=n 1500 help 1501 Connection state matching allows you to match packets based on their 1502 relationship to a tracked connection (ie. previous packets). This 1503 is a powerful tool for packet classification. 1504 1505 To compile it as a module, choose M here. If unsure, say N. 1506 1507config NETFILTER_XT_MATCH_STATISTIC 1508 tristate '"statistic" match support' 1509 depends on NETFILTER_ADVANCED 1510 help 1511 This option adds a `statistic' match, which allows you to match 1512 on packets periodically or randomly with a given percentage. 
1513 1514 To compile it as a module, choose M here. If unsure, say N. 1515 1516config NETFILTER_XT_MATCH_STRING 1517 tristate '"string" match support' 1518 depends on NETFILTER_ADVANCED 1519 select TEXTSEARCH 1520 select TEXTSEARCH_KMP 1521 select TEXTSEARCH_BM 1522 select TEXTSEARCH_FSM 1523 help 1524 This option adds a `string' match, which allows you to look for 1525 pattern matchings in packets. 1526 1527 To compile it as a module, choose M here. If unsure, say N. 1528 1529config NETFILTER_XT_MATCH_TCPMSS 1530 tristate '"tcpmss" match support' 1531 depends on NETFILTER_ADVANCED 1532 help 1533 This option adds a `tcpmss' match, which allows you to examine the 1534 MSS value of TCP SYN packets, which control the maximum packet size 1535 for that connection. 1536 1537 To compile it as a module, choose M here. If unsure, say N. 1538 1539config NETFILTER_XT_MATCH_TIME 1540 tristate '"time" match support' 1541 depends on NETFILTER_ADVANCED 1542 ---help--- 1543 This option adds a "time" match, which allows you to match based on 1544 the packet arrival time (at the machine which netfilter is running) 1545 on) or departure time/date (for locally generated packets). 1546 1547 If you say Y here, try `iptables -m time --help` for 1548 more information. 1549 1550 If you want to compile it as a module, say M here. 1551 If unsure, say N. 1552 1553config NETFILTER_XT_MATCH_U32 1554 tristate '"u32" match support' 1555 depends on NETFILTER_ADVANCED 1556 ---help--- 1557 u32 allows you to extract quantities of up to 4 bytes from a packet, 1558 AND them with specified masks, shift them by specified amounts and 1559 test whether the results are in any of a set of specified ranges. 1560 The specification of what to extract is general enough to skip over 1561 headers with lengths stored in the packet, as in IP or TCP header 1562 lengths. 1563 1564 Details and examples are in the kernel module source. 
1565 1566endif # NETFILTER_XTABLES 1567 1568endmenu 1569 1570source "net/netfilter/ipset/Kconfig" 1571 1572source "net/netfilter/ipvs/Kconfig" 1573
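The u32 help text above describes the extract/mask/shift/range mechanism in words only. The following is an added Python evaluator, not kernel or iptables code, that implements those operator semantics (initial offset, `&`, `<<`, `>>`, the `@` base jump, comma-separated ranges, tests joined by `&&`, and failure when a read falls outside the packet) on a constructed IPv4/TCP packet; it assumes the expression syntax accepted by `iptables -m u32`, with offsets relative to the start of the IP header.

```python
"""Evaluator for xt_u32 match expressions (added example, not kernel code).
Offsets are relative to the start of the IPv4 header, as for the real match."""
import struct


def read4(pkt, off):
    """Fetch 4 bytes big-endian at offset off; None if they are not in the packet."""
    if off < 0 or off + 4 > len(pkt):
        return None
    return struct.unpack_from("!I", pkt, off)[0]


def parse_location(loc):
    """'0>>22&0x3C@12' -> [(None, 0), ('>>', 22), ('&', 0x3C), ('@', 12)]"""
    ops, op, i = [], None, 0          # op is None for the initial offset
    while i < len(loc):
        if loc.startswith(("<<", ">>"), i):
            op, i = loc[i:i + 2], i + 2
        elif loc[i] in "&@":
            op, i = loc[i], i + 1
        else:
            j = i
            while j < len(loc) and loc[j].isalnum():
                j += 1
            if j == i:
                raise ValueError("bad u32 location: %r" % loc)
            ops.append((op, int(loc[i:j], 0)))   # base 0: decimal or 0x hex
            i = j
    return ops


def parse_ranges(spec):
    """'80,1024:65535' -> [(80, 80), (1024, 65535)]"""
    out = []
    for r in spec.split(","):
        lo, _, hi = r.partition(":")
        out.append((int(lo, 0), int(hi or lo, 0)))
    return out


def eval_test(pkt, ops, ranges):
    """Run one 'location=value' test with the kernel module's semantics."""
    at, pos = 0, ops[0][1]            # base offset (moved by '@') and offset
    val = read4(pkt, at + pos)
    if val is None:
        return False                  # reading past the packet never matches
    for op, num in ops[1:]:
        if op == "&":
            val &= num
        elif op == "<<":
            val = (val << num) & 0xFFFFFFFF   # 32-bit wrap, as in the kernel
        elif op == ">>":
            val >>= num
        elif op == "@":               # current value becomes the new base
            at, pos = at + val, num
            val = read4(pkt, at + pos)
            if val is None:
                return False
    return any(lo <= val <= hi for lo, hi in ranges)


def u32_match(pkt, expr):
    """Evaluate a full --u32 expression: tests joined by '&&' must all hold."""
    for test in expr.split("&&"):
        loc, _, vals = test.partition("=")
        if not eval_test(pkt, parse_location(loc), parse_ranges(vals)):
            return False
    return True


# Constructed sample: IPv4 (IHL 5, DF, TTL 64, proto 6) 192.168.1.10 -> 10.0.0.5,
# TCP 40000 -> 80 with only SYN set, window 65535, no options.
SAMPLE_PKT = (
    struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                bytes([192, 168, 1, 10]), bytes([10, 0, 0, 5]))
    + struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x02, 65535, 0, 0)
)
```

In `"0>>22&0x3C@0&0xFFFF=80"` the first three operators turn the version/IHL byte into IHL*4, so `@` lands on the TCP header and the test reads the destination port; `"0>>22&0x3C@12>>16&0x3F=2"` reaches the TCP flags byte the same way.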
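To show what the TCPMSS rule in the help text above does to a SYN passing through a router, here is an added Python example, not the kernel's xt_TCPMSS code, that clamps the MSS option of a constructed IPv4 SYN to MTU minus 40 and recomputes the TCP checksum. The endpoints and ports are constructed, the rule's flag condition (SYN set, RST clear) is applied, and the example assumes an MSS option is already present in the segment.

```python
"""MSS clamping on raw IPv4/TCP bytes, in the spirit of the TCPMSS target's
--clamp-mss-to-pmtu (added example, not the kernel's xt_TCPMSS code)."""
import struct

# Constructed endpoints: 192.168.1.10:40000 -> 203.0.113.7:443
SRC, DST = bytes([192, 168, 1, 10]), bytes([203, 0, 113, 7])


def inet_checksum(data):
    """RFC 1071 one's-complement sum, folded to 16 bits and inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src, dst, seg):
    """TCP checksum over the IPv4 pseudo-header plus the segment."""
    return inet_checksum(src + dst + struct.pack("!BBH", 0, 6, len(seg)) + seg)


def tcp_checksum_ok(pkt):
    """True when the stored checksum verifies (the full sum comes out as 0)."""
    ihl = (pkt[0] & 0x0F) * 4
    return tcp_checksum(pkt[12:16], pkt[16:20], pkt[ihl:]) == 0


def clamp_mss_to_pmtu(pkt, mtu):
    """Return (packet, old_mss, new_mss).  The MSS values are None when the
    packet is not a SYN (the help text's rule: SYN set, RST clear) or carries
    no MSS option, which this example leaves untouched.  new_mss is
    min(old, mtu - 40): 40 bytes of IPv4 plus TCP header, as the help says."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or pkt[9] != 6:                 # IPv4 carrying TCP only
        return pkt, None, None
    tcp = bytearray(pkt[ihl:])
    doff, flags = (tcp[12] >> 4) * 4, tcp[13]
    if not flags & 0x02 or flags & 0x04:               # --tcp-flags SYN,RST SYN
        return pkt, None, None
    i = 20
    while i < doff:                                    # walk the TCP options
        kind = tcp[i]
        if kind == 0:                                  # end of option list
            break
        if kind == 1:                                  # NOP
            i += 1
            continue
        if i + 1 >= doff:
            break
        length = tcp[i + 1]
        if length < 2 or i + length > doff:            # malformed: leave alone
            break
        if kind == 2 and length == 4:                  # MSS option
            old = struct.unpack_from("!H", tcp, i + 2)[0]
            new = min(old, mtu - 40)
            if new != old:
                struct.pack_into("!H", tcp, i + 2, new)
                tcp[16:18] = b"\x00\x00"               # zero, then recompute
                csum = tcp_checksum(pkt[12:16], pkt[16:20], bytes(tcp))
                struct.pack_into("!H", tcp, 16, csum)
            return pkt[:ihl] + bytes(tcp), old, new
        i += length
    return pkt, None, None


def build_syn(mss, flags=0x02):
    """Constructed SYN (data offset 6: 20-byte header + 4-byte MSS option)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 44, 0, 0x4000, 64, 6, 0, SRC, DST)
    tcp = bytearray(struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x60, flags,
                                65535, 0, 0) + struct.pack("!BBH", 2, 4, mss))
    struct.pack_into("!H", tcp, 16, tcp_checksum(SRC, DST, bytes(tcp)))
    return ip + bytes(tcp)
```

With `build_syn(1460)` and an outgoing MTU of 1400 the MSS becomes 1360, which is the value the router-side rule would advertise to the peer so that it never sends a segment that needs fragmentation.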