menu "Core Netfilter Configuration"
	depends on NET && INET && NETFILTER

config NETFILTER_INGRESS
	bool "Netfilter ingress support"
	default y
	select NET_INGRESS
	help
	  This allows you to classify packets from ingress using the Netfilter
	  infrastructure.

config NETFILTER_NETLINK
	tristate

config NETFILTER_FAMILY_BRIDGE
	bool

config NETFILTER_FAMILY_ARP
	bool

config NETFILTER_NETLINK_ACCT
	tristate "Netfilter NFACCT over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for extended accounting via NFNETLINK.

config NETFILTER_NETLINK_QUEUE
	tristate "Netfilter NFQUEUE over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for queueing packets via NFNETLINK.

config NETFILTER_NETLINK_LOG
	tristate "Netfilter LOG over NFNETLINK interface"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for logging packets via NFNETLINK.

	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
	  and is also scheduled to replace the old syslog-based ipt_LOG
	  and ip6t_LOG modules.

config NF_CONNTRACK
	tristate "Netfilter connection tracking support"
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if IPV6 != n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is required to do Masquerading or other kinds of Network
	  Address Translation.  It can also be used to enhance packet
	  filtering (see `Connection state match support' below).

	  To compile it as a module, choose M here.  If unsure, say N.
config NF_LOG_COMMON
	tristate

config NF_LOG_NETDEV
	tristate "Netdev packet logging"
	select NF_LOG_COMMON

if NF_CONNTRACK
config NETFILTER_CONNCOUNT
	tristate

config NF_CONNTRACK_MARK
	bool 'Connection mark tracking support'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match. Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config NF_CONNTRACK_SECMARK
	bool 'Connection tracking security mark support'
	depends on NETWORK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables security markings to be applied to
	  connections.  Typically they are copied to connections from
	  packets using the CONNSECMARK target and copied back from
	  connections to packets with the same target, with the packets
	  being originally labeled via SECMARK.

	  If unsure, say 'N'.

config NF_CONNTRACK_ZONES
	bool 'Connection tracking zones'
	depends on NETFILTER_ADVANCED
	depends on NETFILTER_XT_TARGET_CT
	help
	  This option enables support for connection tracking zones.
	  Normally, each connection needs to have a unique system wide
	  identity. Connection tracking zones allow having multiple
	  connections using the same identity, as long as they are
	  contained in different zones.

	  If unsure, say `N'.

config NF_CONNTRACK_PROCFS
	bool "Supply CT list in procfs (OBSOLETE)"
	default y
	depends on PROC_FS
	---help---
	  This option enables the list of known conntrack entries
	  to be shown in procfs under net/netfilter/nf_conntrack. This
	  is considered obsolete in favor of using the conntrack(8)
	  tool which uses Netlink.
config NF_CONNTRACK_EVENTS
	bool "Connection tracking events"
	depends on NETFILTER_ADVANCED
	help
	  If this option is enabled, the connection tracking code will
	  provide a notifier chain that can be used by other kernel code
	  to get notified about changes in the connection tracking state.

	  If unsure, say `N'.

config NF_CONNTRACK_TIMEOUT
	bool 'Connection tracking timeout'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for the connection tracking timeout
	  extension. This allows you to attach timeout policies to flows
	  via the CT target.

	  If unsure, say `N'.

config NF_CONNTRACK_TIMESTAMP
	bool 'Connection tracking timestamping'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection tracking timestamping.
	  This allows you to store the flow start-time and to obtain
	  the flow-stop time (once it has been destroyed) via Connection
	  tracking events.

	  If unsure, say `N'.

config NF_CONNTRACK_LABELS
	bool
	help
	  This option enables support for assigning user-defined flag bits
	  to connection tracking entries.  It is selected by the connlabel match.

config NF_CT_PROTO_DCCP
	bool 'DCCP protocol connection tracking support'
	depends on NETFILTER_ADVANCED
	default y
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on DCCP connections.

	  If unsure, say Y.

config NF_CT_PROTO_GRE
	tristate

config NF_CT_PROTO_SCTP
	bool 'SCTP protocol connection tracking support'
	depends on NETFILTER_ADVANCED
	default y
	select LIBCRC32C
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on SCTP connections.

	  If unsure, say Y.
config NF_CT_PROTO_UDPLITE
	bool 'UDP-Lite protocol connection tracking support'
	depends on NETFILTER_ADVANCED
	default y
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on UDP-Lite
	  connections.

	  If unsure, say Y.

config NF_CONNTRACK_AMANDA
	tristate "Amanda backup protocol support"
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature.  This allows the
	  connection tracking and natting code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and
	  index.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_FTP
	tristate "FTP protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them.

	  This is FTP support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_H323
	tristate "H.323 protocol support"
	depends on IPV6 || IPV6=n
	depends on NETFILTER_ADVANCED
	help
	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
	  important VoIP protocols, it is widely used by voice hardware and
	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
	  Gnomemeeting, etc.

	  With this module you can support H.323 on a connection tracking/NAT
	  firewall.
	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
	  whiteboard, file transfer, etc. For more information, please
	  visit http://nath323.sourceforge.net/.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_IRC
	tristate "IRC protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC).  This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server.  DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats.  Note that you do NOT need this extension to get files or
	  have others initiate chats, or everything else in IRC.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_BROADCAST
	tristate

config NF_CONNTRACK_NETBIOS_NS
	tristate "NetBIOS name service protocol support"
	select NF_CONNTRACK_BROADCAST
	help
	  NetBIOS name service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating NetBIOS name service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address. When properly configured, the output
	  of "ip address show" should look similar to this:

	  $ ip -4 address show eth0
	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0

	  To compile it as a module, choose M here.  If unsure, say N.
config NF_CONNTRACK_SNMP
	tristate "SNMP service protocol support"
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_BROADCAST
	help
	  SNMP service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating SNMP service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_PPTP
	tristate "PPtP protocol support"
	depends on NETFILTER_ADVANCED
	select NF_CT_PROTO_GRE
	help
	  This module adds support for PPTP (Point to Point Tunnelling
	  Protocol, RFC2637) connection tracking and NAT.

	  If you are running PPTP sessions over a stateful firewall or NAT
	  box, you may want to enable this feature.

	  Please note that not all PPTP modes of operation are supported yet.
	  Specifically these limitations exist:
	    - Blindly assumes that control connections are always established
	      in PNS->PAC direction. This is a violation of RFC2637.
	    - Only supports a single call within each session

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_SANE
	tristate "SANE protocol support"
	depends on NETFILTER_ADVANCED
	help
	  SANE is a protocol for remote access to scanners as implemented
	  by the 'saned' daemon. Like FTP, it uses separate control and
	  data connections.

	  With this module you can support SANE on a connection tracking
	  firewall.

	  To compile it as a module, choose M here.  If unsure, say N.
config NF_CONNTRACK_SIP
	tristate "SIP protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  SIP is an application-layer control protocol that can establish,
	  modify, and terminate multimedia sessions (conferences) such as
	  Internet telephony calls. With the ip_conntrack_sip and
	  the nf_nat_sip modules you can support the protocol on a connection
	  tracking/NATing firewall.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_TFTP
	tristate "TFTP protocol support"
	depends on NETFILTER_ADVANCED
	help
	  This is the TFTP connection tracking helper; whether it is required
	  depends on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADE
	  you will need this.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CT_NETLINK
	tristate 'Connection tracking netlink interface'
	select NETFILTER_NETLINK
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables support for a netlink-based userspace interface.

config NF_CT_NETLINK_TIMEOUT
	tristate 'Connection tracking timeout tuning via Netlink'
	select NETFILTER_NETLINK
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection tracking timeout
	  fine-grain tuning. This allows you to attach specific timeout
	  policies to flows, instead of using the global timeout policy.

	  If unsure, say `N'.

config NF_CT_NETLINK_HELPER
	tristate 'Connection tracking helpers in user-space via Netlink'
	select NETFILTER_NETLINK
	depends on NF_CT_NETLINK
	depends on NETFILTER_NETLINK_QUEUE
	depends on NETFILTER_NETLINK_GLUE_CT
	depends on NETFILTER_ADVANCED
	help
	  This option enables the user-space connection tracking helpers
	  infrastructure.

	  If unsure, say `N'.
config NETFILTER_NETLINK_GLUE_CT
	bool "NFQUEUE and NFLOG integration with Connection Tracking"
	default n
	depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
	help
	  If this option is enabled, NFQUEUE and NFLOG can include
	  Connection Tracking information together with the packet that
	  is enqueued via NFNETLINK.

config NF_NAT
	tristate

config NF_NAT_NEEDED
	bool
	depends on NF_NAT
	default y

config NF_NAT_PROTO_DCCP
	bool
	depends on NF_NAT && NF_CT_PROTO_DCCP
	default NF_NAT && NF_CT_PROTO_DCCP

config NF_NAT_PROTO_UDPLITE
	bool
	depends on NF_NAT && NF_CT_PROTO_UDPLITE
	default NF_NAT && NF_CT_PROTO_UDPLITE

config NF_NAT_PROTO_SCTP
	bool
	default NF_NAT && NF_CT_PROTO_SCTP
	depends on NF_NAT && NF_CT_PROTO_SCTP

config NF_NAT_AMANDA
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_AMANDA

config NF_NAT_FTP
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_FTP

config NF_NAT_IRC
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_IRC

config NF_NAT_SIP
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_SIP

config NF_NAT_TFTP
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_TFTP

config NF_NAT_REDIRECT
	bool

config NETFILTER_SYNPROXY
	tristate

endif # NF_CONNTRACK

config NF_OSF
	tristate

config NF_TABLES
	select NETFILTER_NETLINK
	tristate "Netfilter nf_tables support"
	help
	  nftables is the new packet classification framework that intends to
	  replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
	  provides a pseudo-state machine with an extensible instruction-set
	  (also known as expressions) that the userspace 'nft' utility
	  (http://www.netfilter.org/projects/nftables) uses to build the
	  rule-set. It also comes with the generic set infrastructure that
	  allows you to construct mappings between matchings and actions
	  for performance lookups.

	  To compile it as a module, choose M here.

if NF_TABLES

config NF_TABLES_SET
	tristate "Netfilter nf_tables set infrastructure"
	help
	  This option enables the nf_tables set infrastructure that allows
	  looking up elements in a set and building one-way mappings between
	  matchings and actions.

config NF_TABLES_INET
	depends on IPV6
	select NF_TABLES_IPV4
	select NF_TABLES_IPV6
	bool "Netfilter nf_tables mixed IPv4/IPv6 tables support"
	help
	  This option enables support for a mixed IPv4/IPv6 "inet" table.

config NF_TABLES_NETDEV
	bool "Netfilter nf_tables netdev tables support"
	help
	  This option enables support for the "netdev" table.

config NFT_NUMGEN
	tristate "Netfilter nf_tables number generator module"
	help
	  This option adds the number generator expression used to perform
	  incremental counting and random numbers bound to an upper limit.

config NFT_CT
	depends on NF_CONNTRACK
	tristate "Netfilter nf_tables conntrack module"
	help
	  This option adds the "ct" expression that you can use to match
	  connection tracking information such as the flow state.

config NFT_FLOW_OFFLOAD
	depends on NF_CONNTRACK && NF_FLOW_TABLE
	tristate "Netfilter nf_tables hardware flow offload module"
	help
	  This option adds the "flow_offload" expression that you can use to
	  choose what flows are placed into the hardware.
config NFT_COUNTER
	tristate "Netfilter nf_tables counter module"
	help
	  This option adds the "counter" expression that you can use to
	  include packet and byte counters in a rule.

config NFT_CONNLIMIT
	tristate "Netfilter nf_tables connlimit module"
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_CONNCOUNT
	help
	  This option adds the "connlimit" expression that you can use to
	  ratelimit rule matchings per connection.

config NFT_LOG
	tristate "Netfilter nf_tables log module"
	help
	  This option adds the "log" expression that you can use to log
	  packets matching some criteria.

config NFT_LIMIT
	tristate "Netfilter nf_tables limit module"
	help
	  This option adds the "limit" expression that you can use to
	  ratelimit rule matchings.

config NFT_MASQ
	depends on NF_CONNTRACK
	depends on NF_NAT
	tristate "Netfilter nf_tables masquerade support"
	help
	  This option adds the "masquerade" expression that you can use
	  to perform NAT in the masquerade flavour.

config NFT_REDIR
	depends on NF_CONNTRACK
	depends on NF_NAT
	tristate "Netfilter nf_tables redirect support"
	help
	  This option adds the "redirect" expression that you can use
	  to perform NAT in the redirect flavour.

config NFT_NAT
	depends on NF_CONNTRACK
	select NF_NAT
	tristate "Netfilter nf_tables nat module"
	help
	  This option adds the "nat" expression that you can use to perform
	  typical Network Address Translation (NAT) packet transformations.

config NFT_OBJREF
	tristate "Netfilter nf_tables stateful object reference module"
	help
	  This option adds the "objref" expression that allows you to refer to
	  stateful objects, such as counters and quotas.
config NFT_QUEUE
	depends on NETFILTER_NETLINK_QUEUE
	tristate "Netfilter nf_tables queue module"
	help
	  This is required if you intend to use the userspace queueing
	  infrastructure (also known as NFQUEUE) from nftables.

config NFT_QUOTA
	tristate "Netfilter nf_tables quota module"
	help
	  This option adds the "quota" expression that you can use to
	  enforce byte quotas.

config NFT_REJECT
	default m if NETFILTER_ADVANCED=n
	tristate "Netfilter nf_tables reject support"
	depends on !NF_TABLES_INET || (IPV6!=m || m)
	help
	  This option adds the "reject" expression that you can use to
	  explicitly deny disallowed traffic and notify the sender via
	  TCP reset/ICMP informational errors.

config NFT_REJECT_INET
	depends on NF_TABLES_INET
	default NFT_REJECT
	tristate

config NFT_COMPAT
	depends on NETFILTER_XTABLES
	tristate "Netfilter x_tables over nf_tables module"
	help
	  This is required if you intend to use any of the existing
	  x_tables match/target extensions over the nf_tables
	  framework.

config NFT_HASH
	tristate "Netfilter nf_tables hash module"
	help
	  This option adds the "hash" expression that you can use to perform
	  a hash operation on registers.

config NFT_FIB
	tristate

config NFT_FIB_INET
	depends on NF_TABLES_INET
	depends on NFT_FIB_IPV4
	depends on NFT_FIB_IPV6
	tristate "Netfilter nf_tables fib inet support"
	help
	  This option allows using the FIB expression from the inet table.
	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
	  on the protocol of the packet.

config NFT_SOCKET
	tristate "Netfilter nf_tables socket match support"
	depends on IPV6 || IPV6=n
	select NF_SOCKET_IPV4
	select NF_SOCKET_IPV6 if NF_TABLES_IPV6
	help
	  This option allows matching for the presence or absence of a
	  corresponding socket and its attributes.
if NF_TABLES_NETDEV

config NF_DUP_NETDEV
	tristate "Netfilter packet duplication support"
	help
	  This option enables the generic packet duplication infrastructure
	  for Netfilter.

config NFT_DUP_NETDEV
	tristate "Netfilter nf_tables netdev packet duplication support"
	select NF_DUP_NETDEV
	help
	  This option enables packet duplication for the "netdev" family.

config NFT_FWD_NETDEV
	tristate "Netfilter nf_tables netdev packet forwarding support"
	select NF_DUP_NETDEV
	help
	  This option enables packet forwarding for the "netdev" family.

config NFT_FIB_NETDEV
	depends on NFT_FIB_IPV4
	depends on NFT_FIB_IPV6
	tristate "Netfilter nf_tables netdev fib lookups support"
	help
	  This option allows using the FIB expression from the netdev table.
	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
	  on the protocol of the packet.

endif # NF_TABLES_NETDEV

endif # NF_TABLES

config NF_FLOW_TABLE_INET
	tristate "Netfilter flow table mixed IPv4/IPv6 module"
	depends on NF_FLOW_TABLE
	help
	  This option adds the flow table mixed IPv4/IPv6 support.

	  To compile it as a module, choose M here.

config NF_FLOW_TABLE
	tristate "Netfilter flow table module"
	depends on NETFILTER_INGRESS
	depends on NF_CONNTRACK
	depends on NF_TABLES
	help
	  This option adds the flow table core infrastructure.

	  To compile it as a module, choose M here.

config NETFILTER_XTABLES
	tristate "Netfilter Xtables support (required for ip_tables)"
	default m if NETFILTER_ADVANCED=n
	help
	  This is required if you intend to use any of ip_tables,
	  ip6_tables or arp_tables.

if NETFILTER_XTABLES

comment "Xtables combined modules"

config NETFILTER_XT_MARK
	tristate 'nfmark target and match support'
	default m if NETFILTER_ADVANCED=n
	---help---
	  This option adds the "MARK" target and "mark" match.
	  Netfilter mark matching allows you to match packets based on the
	  "nfmark" value in the packet.
	  The target allows you to create rules in the "mangle" table which alter
	  the netfilter mark (nfmark) field associated with the packet.

	  Prior to routing, the nfmark can influence the routing method and can
	  also be used by other subsystems to change their behavior.

config NETFILTER_XT_CONNMARK
	tristate 'ctmark target and match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	---help---
	  This option adds the "CONNMARK" target and "connmark" match.

	  Netfilter allows you to store a mark value per connection (a.k.a.
	  ctmark), similarly to the packet mark (nfmark). Using this
	  target and match, you can set and match on this mark.

config NETFILTER_XT_SET
	tristate 'set target and match support'
	depends on IP_SET
	depends on NETFILTER_ADVANCED
	help
	  This option adds the "SET" target and "set" match.

	  Using this target and match, you can add/delete and match
	  elements in the sets created by ipset(8).

	  To compile it as a module, choose M here.  If unsure, say N.

# alphabetically ordered list of targets

comment "Xtables targets"

config NETFILTER_XT_TARGET_AUDIT
	tristate "AUDIT target support"
	depends on AUDIT
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an 'AUDIT' target, which can be used to create
	  audit records for packets dropped/accepted.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_CHECKSUM
	tristate "CHECKSUM target support"
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds a `CHECKSUM' target, which can be used in the iptables mangle
	  table.

	  You can use this target to compute and fill in the checksum in
	  a packet that lacks a checksum.  This is particularly useful
	  if you need to work around old applications such as dhcp clients
	  that do not work well with checksum offloads, but don't want to disable
	  checksum offload in your device.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_CLASSIFY
	tristate '"CLASSIFY" target support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet. Some qdiscs can use this value for
	  classification, among these are:

	  atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_CONNMARK
	tristate '"CONNMARK" target support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_CONNMARK
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).

config NETFILTER_XT_TARGET_CONNSECMARK
	tristate '"CONNSECMARK" target support'
	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The CONNSECMARK target copies security markings from packets
	  to connections, and restores security markings from connections
	  to packets (if the packets are not already marked).  This would
	  normally be used in conjunction with the SECMARK target.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_CT
	tristate '"CT" target support'
	depends on NF_CONNTRACK
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CT' target, which allows you to specify initial
	  connection tracking parameters like events to be delivered and
	  the helper to be used.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_DSCP
	tristate '"DSCP" and "TOS" target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' target, which allows you to manipulate
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It also adds the "TOS" target, which allows you to create rules in
	  the "mangle" table which alter the Type Of Service field of an IPv4
	  or the Priority field of an IPv6 packet, prior to routing.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
	  targets, which enable the user to change the
	  hoplimit/time-to-live value of the IP header.

	  While it is safe to decrement the hoplimit/TTL value, the
	  modules also allow you to increment and set the hoplimit value of
	  the header to arbitrary values.  This is EXTREMELY DANGEROUS
	  since you can easily create immortal packets that loop
	  forever on the network.

config NETFILTER_XT_TARGET_HMARK
	tristate '"HMARK" target support'
	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds the "HMARK" target.

	  The target allows you to create rules in the "raw" and "mangle" tables
	  which set the skbuff mark by means of hash calculation within a given
	  range. The nfmark can influence the routing method and can also be used
	  by other subsystems to change their behaviour.

	  To compile it as a module, choose M here.  If unsure, say N.
config NETFILTER_XT_TARGET_IDLETIMER
	tristate "IDLETIMER target support"
	depends on NETFILTER_ADVANCED
	help
	  This option adds the `IDLETIMER' target.  Each matching packet
	  resets the timer associated with the label specified when the rule is
	  added.  When the timer expires, it triggers a sysfs notification.
	  The remaining time for expiration can be read via sysfs.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_LED
	tristate '"LED" target support'
	depends on LEDS_CLASS && LEDS_TRIGGERS
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `LED' target, which allows you to blink LEDs in
	  response to particular packets passing through your machine.

	  This can be used to turn a spare LED into a network activity LED,
	  which only flashes in response to FTP transfers, for example.  Or
	  you could have an LED which lights up for a minute or two every time
	  somebody connects to your machine via SSH.

	  You will need support for the "led" class to make this work.

	  To create an LED trigger for incoming SSH traffic:
	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000

	  Then attach the new trigger to an LED on your system:
	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger

	  For more information on the LEDs available on your system, see
	  Documentation/leds/leds-class.txt

config NETFILTER_XT_TARGET_LOG
	tristate "LOG target support"
	select NF_LOG_COMMON
	select NF_LOG_IPV4
	select NF_LOG_IPV6 if IP6_NF_IPTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which records the packet header to the syslog.

	  To compile it as a module, choose M here.  If unsure, say N.
config NETFILTER_XT_TARGET_MARK
	tristate '"MARK" target support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MARK
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).

config NETFILTER_XT_NAT
	tristate '"SNAT and DNAT" targets support'
	depends on NF_NAT
	---help---
	  This option enables the SNAT and DNAT targets.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_NETMAP
	tristate '"NETMAP" target support'
	depends on NF_NAT
	---help---
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses. It maps the network address part, while keeping the host
	  address part intact.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_NFLOG
	tristate '"NFLOG" target support'
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK_LOG
	help
	  This option enables the NFLOG target, which allows logging
	  messages through nfnetlink_log.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_NFQUEUE
	tristate '"NFQUEUE" target support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK_QUEUE
	help
	  This target replaced the old obsolete QUEUE target.

	  As opposed to QUEUE, it supports 65535 different queues,
	  not just one.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_NOTRACK
	tristate '"NOTRACK" target support (DEPRECATED)'
	depends on NF_CONNTRACK
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_CT

config NETFILTER_XT_TARGET_RATEEST
	tristate '"RATEEST" target support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `RATEEST' target, which allows you to measure
	  rates similar to TC estimators. The `rateest' match can be
	  used to match on the measured rates.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NF_NAT
	select NF_NAT_REDIRECT
	---help---
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through. This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TEE
	tristate '"TEE" - packet cloning to alternate destination'
	depends on NETFILTER_ADVANCED
	depends on IPV6 || IPV6=n
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DUP_IPV4
	select NF_DUP_IPV6 if IP6_NF_IPTABLES
	---help---
	  This option adds a "TEE" target with which a packet can be cloned and
	  the clone rerouted to another nexthop.

config NETFILTER_XT_TARGET_TPROXY
	tristate '"TPROXY" target transparent proxying support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	depends on IPV6 || IPV6=n
	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
	depends on IP_NF_MANGLE
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
	select NF_TPROXY_IPV4
	select NF_TPROXY_IPV6 if IP6_NF_IPTABLES
	help
	  This option adds a `TPROXY' target, which is somewhat similar to
	  REDIRECT.
	  It can only be used in the mangle table and is useful
	  to redirect traffic to a transparent proxy. It does _not_ depend
	  on Netfilter connection tracking and NAT, unlike REDIRECT.
	  For it to work you will have to configure certain iptables rules
	  and use policy routing. For more information on how to set it up
	  see Documentation/networking/tproxy.txt.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TRACE
	tristate '"TRACE" target support'
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	help
	  The TRACE target allows you to mark packets so that the kernel
	  will log every rule that matches the packets as they traverse
	  the tables, chains and rules.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_TARGET_SECMARK
	tristate '"SECMARK" target support'
	depends on NETWORK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The SECMARK target allows security marking of network
	  packets, for use with security subsystems.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TCPMSS
	tristate '"TCPMSS" target support'
	depends on IPV6 || IPV6=n
	default m if NETFILTER_ADVANCED=n
	---help---
	  This option adds a `TCPMSS' target, which allows you to alter the
	  MSS value of TCP SYN packets, to control the maximum size for that
	  connection (usually limiting it to your outgoing interface's MTU
	  minus 40).

	  This is used to overcome criminally braindead ISPs or servers which
	  block ICMP Fragmentation Needed packets.
	  The symptoms of this
	  problem are that everything works fine from your Linux
	  firewall/router, but machines behind it can never exchange large
	  packets:
	    1) Web browsers connect, then hang with no data received.
	    2) Small mail works fine, but large emails hang.
	    3) ssh works fine, but scp hangs after initial handshaking.

	  Workaround: activate this option and add a rule to your firewall
	  configuration like:

	    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
	             -j TCPMSS --clamp-mss-to-pmtu

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TCPOPTSTRIP
	tristate '"TCPOPTSTRIP" target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
	  TCP options from TCP packets.

# alphabetically ordered list of matches

comment "Xtables matches"

config NETFILTER_XT_MATCH_ADDRTYPE
	tristate '"addrtype" address type match support'
	default m if NETFILTER_ADVANCED=n
	---help---
	  This option allows you to match what routing thinks of an address,
	  eg. UNICAST, LOCAL, BROADCAST, ...

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_BPF
	tristate '"bpf" match support'
	depends on NETFILTER_ADVANCED
	help
	  BPF matching applies a linux socket filter to each packet and
	  accepts those for which the filter returns non-zero.

	  To compile it as a module, choose M here. If unsure, say N.
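# Added example, not part of this Kconfig or of the kernel's xt_TCPMSS
# module: a user-space model in C of what the FORWARD rule in the TCPMSS
# help text above, with --clamp-mss-to-pmtu, does to a SYN. It walks the
# TCP option list, lowers an MSS larger than (MTU - 40) and recomputes the
# TCP checksum. The SYN, its addresses and the 1492-byte PPPoE MTU used in
# the test are constructed for the example; insertion of a missing MSS
# option and the IPv6 case (MTU - 60) are not modelled.

```c
/*
 * Added example, not code from the kernel's xt_TCPMSS module: a user-space
 * model of what -j TCPMSS --clamp-mss-to-pmtu does to an IPv4 SYN.  The SYN
 * below is constructed here; its IPv4 header checksum is left at zero
 * because only the TCP side is modelled.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IP_HDR_LEN  20
#define TCP_MIN_LEN 20

/* Accumulate a 16-bit one's-complement sum over p[0..n). */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t n)
{
	for (; n > 1; p += 2, n -= 2)
		sum += (uint32_t)p[0] << 8 | p[1];
	if (n)
		sum += (uint32_t)p[0] << 8;
	return sum;
}

/* TCP checksum over the IPv4 pseudo-header and the whole TCP segment.
 * With the checksum field zeroed it yields the value to store; with a
 * valid checksum in place it yields 0, which is how it is verified. */
static uint16_t tcp_checksum(const uint8_t *pkt, size_t len)
{
	size_t ihl = (pkt[0] & 0x0f) * 4;
	size_t tcp_len = len - ihl;
	uint8_t pseudo[12];
	uint32_t sum;

	memcpy(pseudo, pkt + 12, 8);                 /* source, destination */
	pseudo[8] = 0;
	pseudo[9] = pkt[9];                          /* protocol */
	pseudo[10] = (uint8_t)(tcp_len >> 8);
	pseudo[11] = (uint8_t)tcp_len;
	sum = csum_add(0, pseudo, sizeof pseudo);
	sum = csum_add(sum, pkt + ihl, tcp_len);
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~sum;
}

/* Walk the option list of a SYN and lower the MSS option (kind 2, len 4)
 * to mtu - 40: the path MTU minus a bare IPv4 and TCP header, the figure
 * the TCPMSS help text quotes.  Returns the MSS now in the packet, or -1
 * for a non-SYN, a malformed option list or a SYN without an MSS option
 * (the real target inserts one in that last case; not modelled here). */
static int tcpmss_clamp(uint8_t *pkt, size_t len, unsigned mtu)
{
	size_t ihl = (pkt[0] & 0x0f) * 4;
	uint8_t *tcp = pkt + ihl;
	size_t doff = (tcp[12] >> 4) * 4;
	uint16_t newmss = (uint16_t)(mtu - (IP_HDR_LEN + TCP_MIN_LEN));
	size_t i = TCP_MIN_LEN;

	if (len < ihl + doff || doff < TCP_MIN_LEN || !(tcp[13] & 0x02))
		return -1;                           /* truncated, or not a SYN */

	while (i < doff) {
		uint8_t kind = tcp[i], olen;

		if (kind == 0)                       /* end of option list */
			break;
		if (kind == 1) {                     /* NOP padding */
			i++;
			continue;
		}
		if (i + 1 >= doff)
			return -1;
		olen = tcp[i + 1];
		if (olen < 2 || i + olen > doff)     /* malformed option */
			return -1;
		if (kind == 2 && olen == 4) {
			uint16_t oldmss = (uint16_t)(tcp[i + 2] << 8 | tcp[i + 3]);
			uint16_t csum;

			if (oldmss <= newmss)
				return oldmss;               /* already small enough */
			tcp[i + 2] = (uint8_t)(newmss >> 8);
			tcp[i + 3] = (uint8_t)newmss;
			tcp[16] = tcp[17] = 0;           /* recompute the TCP checksum */
			csum = tcp_checksum(pkt, len);
			tcp[16] = (uint8_t)(csum >> 8);
			tcp[17] = (uint8_t)csum;
			return newmss;
		}
		i += olen;
	}
	return -1;
}

/* Constructed sample: 10.0.0.2:49152 -> 192.0.2.10:80, SYN, options
 * MSS 1460, NOP, NOP, SACK-permitted.  Returns the packet length (48). */
static size_t build_syn(uint8_t *pkt)
{
	static const uint8_t tmpl[] = {
		0x45, 0x00, 0x00, 0x30, 0x00, 0x01, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
		10, 0, 0, 2, 192, 0, 2, 10,
		0xc0, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
		0x70, 0x02, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
		0x02, 0x04, 0x05, 0xb4, 0x01, 0x01, 0x04, 0x02,
	};
	uint16_t csum;

	memcpy(pkt, tmpl, sizeof tmpl);
	csum = tcp_checksum(pkt, sizeof tmpl);       /* make the sample valid */
	pkt[36] = (uint8_t)(csum >> 8);
	pkt[37] = (uint8_t)csum;
	return sizeof tmpl;
}
```

# Calling tcpmss_clamp() on the built SYN with an MTU of 1492 rewrites the
# option from 1460 to 1452 and leaves tcp_checksum() reporting 0; a second
# call with a larger MTU leaves the packet alone.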

config NETFILTER_XT_MATCH_CGROUP
	tristate '"control group" match support'
	depends on NETFILTER_ADVANCED
	depends on CGROUPS
	select CGROUP_NET_CLASSID
	---help---
	  Socket/process control group matching allows you to match locally
	  generated packets based on which net_cls control group processes
	  belong to.

config NETFILTER_XT_MATCH_CLUSTER
	tristate '"cluster" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	---help---
	  This option allows you to build work-load-sharing clusters of
	  network servers/stateful firewalls without having a dedicated
	  load-balancing router/server/switch. Basically, this match returns
	  true when the packet must be handled by this cluster node. Thus,
	  all nodes see all packets and this match decides which node handles
	  what packets. The work-load sharing algorithm is based on source
	  address hashing.

	  If you say Y or M here, try `iptables -m cluster --help` for
	  more information.

config NETFILTER_XT_MATCH_COMMENT
	tristate '"comment" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `comment' dummy-match, which allows you to put
	  comments in your iptables ruleset.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNBYTES
	tristate '"connbytes" per-connection counter match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `connbytes' match, which allows you to match the
	  number of bytes and/or packets for each direction within a connection.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNLABEL
	tristate '"connlabel" match support'
	select NF_CONNTRACK_LABELS
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	---help---
	  This match allows you to test and assign userspace-defined label
	  names to a connection. The kernel only stores bit values; mapping
	  names to bits is done by userspace.

	  Unlike connmark, more than 32 flag bits may be assigned to a
	  connection simultaneously.

config NETFILTER_XT_MATCH_CONNLIMIT
	tristate '"connlimit" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_CONNCOUNT
	---help---
	  This match allows you to match against the number of parallel
	  connections to a server per client IP address (or address block).

config NETFILTER_XT_MATCH_CONNMARK
	tristate '"connmark" connection mark match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_CONNMARK
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).

config NETFILTER_XT_MATCH_CONNTRACK
	tristate '"conntrack" connection tracking match support'
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  This is a general conntrack match module, a superset of the state match.

	  It allows matching on additional conntrack information, which is
	  useful in complex configurations, such as NAT gateways with multiple
	  internet links or tunnels.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_CPU
	tristate '"cpu" match support'
	depends on NETFILTER_ADVANCED
	help
	  CPU matching allows you to match packets based on the CPU
	  currently handling the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_DCCP
	tristate '"dccp" protocol match support'
	depends on NETFILTER_ADVANCED
	default IP_DCCP
	help
	  With this option enabled, you will be able to use the iptables
	  `dccp' match in order to match on DCCP source/destination ports
	  and DCCP flags.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_DEVGROUP
	tristate '"devgroup" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `devgroup' match, which allows you to match on
	  the device group a network device is assigned to.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_DSCP
	tristate '"dscp" and "tos" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It will also add a "tos" match, which allows you to match packets
	  based on the Type Of Service fields of the IPv4 packet (which share
	  the same bits as DSCP).

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an "ECN" match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_ESP
	tristate '"esp" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the ESP header of IPsec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_HASHLIMIT
	tristate '"hashlimit" match support'
	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `hashlimit' match.

	  As opposed to `limit', this match dynamically creates a hash table
	  of limit buckets, based on your selection of source/destination
	  addresses and/or ports.

	  It enables you to express policies like `10kpps for any given
	  destination address' or `500pps from any given source address'
	  with a single rule.

config NETFILTER_XT_MATCH_HELPER
	tristate '"helper" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack helper, e.g. nf_conntrack_ftp.

	  To compile it as a module, choose M here. If unsure, say Y.

config NETFILTER_XT_MATCH_HL
	tristate '"hl" hoplimit/TTL match support'
	depends on NETFILTER_ADVANCED
	---help---
	  HL matching allows you to match packets based on the hoplimit
	  in the IPv6 header, or the time-to-live field in the IPv4
	  header of the packet.

config NETFILTER_XT_MATCH_IPCOMP
	tristate '"ipcomp" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of CPIs (16 bits)
	  inside the IPComp header of IPsec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_IPRANGE
	tristate '"iprange" address range match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an "iprange" match, which allows you to match based on
	  an IP address range. (Normal iptables only matches on single addresses
	  with an optional mask.)

	  If unsure, say M.
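# Added example, not part of this Kconfig or of the kernel's xt_hashlimit
# module: a user-space model in C of the per-key limit bucket that the
# hashlimit help text above describes, keyed on the IPv4 source address as
# --hashlimit-mode srcip would, so that a `500pps from any given source
# address' policy can be watched working on constructed traffic. The table
# size, the hash function and the microsecond credit units are this
# example's own choices, not the kernel's.

```c
/*
 * Added example, not code from the kernel's xt_hashlimit module: a
 * user-space model of hashlimit's per-key bucket.  Each packet costs
 * 1e6/rate microseconds of credit, credit accrues with elapsed time and is
 * capped at burst packets' worth.  The kernel sizes its table at rule
 * insertion and garbage-collects it from a timer; this model uses a small
 * fixed table and reclaims expired entries on lookup.
 */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define HL_BUCKETS 64

struct hl_entry {
	bool used;
	uint32_t key;              /* source address, host byte order */
	uint64_t last_us;          /* timestamp of the last packet seen */
	uint64_t credit_us;        /* accumulated allowance */
};

struct hashlimit {
	uint64_t cost_us;          /* credit consumed per matching packet */
	uint64_t cap_us;           /* credit ceiling: burst * cost */
	uint64_t expire_us;        /* idle time after which an entry is dropped */
	struct hl_entry tab[HL_BUCKETS];
};

/* rate_pps must be non-zero (the kernel rejects a zero rate too). */
static void hl_init(struct hashlimit *h, unsigned rate_pps, unsigned burst,
		    uint64_t expire_us)
{
	memset(h, 0, sizeof *h);
	h->cost_us = 1000000ULL / rate_pps;
	h->cap_us = h->cost_us * burst;
	h->expire_us = expire_us;
}

/* Mix the key so neighbouring addresses do not cluster in the table. */
static unsigned hl_hash(uint32_t key)
{
	key ^= key >> 16;
	key *= 0x85ebca6bu;
	key ^= key >> 13;
	return key % HL_BUCKETS;
}

/* Return the live entry for key, or create one in the first free or expired
 * slot along the probe sequence.  NULL means the table is full. */
static struct hl_entry *hl_lookup(struct hashlimit *h, uint32_t key, uint64_t now_us)
{
	unsigned i, start = hl_hash(key);
	struct hl_entry *e;

	for (i = 0; i < HL_BUCKETS; i++) {
		e = &h->tab[(start + i) % HL_BUCKETS];
		if (e->used && e->key == key && now_us - e->last_us <= h->expire_us)
			return e;
	}
	for (i = 0; i < HL_BUCKETS; i++) {
		e = &h->tab[(start + i) % HL_BUCKETS];
		if (!e->used || now_us - e->last_us > h->expire_us) {
			e->used = true;
			e->key = key;
			e->last_us = now_us;
			e->credit_us = h->cap_us;  /* a new key starts with a full burst */
			return e;
		}
	}
	return NULL;
}

/* true: the packet is within this source's allowance and the rule matches;
 * false: the source is over its limit (the sense --hashlimit-above inverts). */
static bool hl_match(struct hashlimit *h, uint32_t src, uint64_t now_us)
{
	struct hl_entry *e = hl_lookup(h, src, now_us);

	if (!e)
		return false;                      /* table full: treat as over limit */
	e->credit_us += now_us - e->last_us;       /* earn credit for elapsed time */
	if (e->credit_us > h->cap_us)
		e->credit_us = h->cap_us;
	e->last_us = now_us;
	if (e->credit_us < h->cost_us)
		return false;
	e->credit_us -= h->cost_us;
	return true;
}

/* Offer n packets from src starting at start_us, interval_us apart, and
 * return how many the limiter let through. */
static int hl_run(struct hashlimit *h, uint32_t src, uint64_t start_us,
		  uint64_t interval_us, int n)
{
	int matched = 0, i;

	for (i = 0; i < n; i++)
		if (hl_match(h, src, start_us + (uint64_t)i * interval_us))
			matched++;
	return matched;
}
```

# With hl_init(&h, 500, 5, 10 s), a burst of 1000 packets from one source at
# the same instant lets 5 through, 1000 packets offered at 1000 pps let
# about half through, and after a second of silence the first source has a
# full burst again.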

config NETFILTER_XT_MATCH_IPVS
	tristate '"ipvs" match support'
	depends on IP_VS
	depends on NETFILTER_ADVANCED
	depends on NF_CONNTRACK
	help
	  This option allows you to match against IPVS properties of a packet.

	  If unsure, say N.

config NETFILTER_XT_MATCH_L2TP
	tristate '"l2tp" match support'
	depends on NETFILTER_ADVANCED
	default L2TP
	---help---
	  This option adds an "L2TP" match, which allows you to match against
	  L2TP protocol header fields.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_LENGTH
	tristate '"length" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_LIMIT
	tristate '"limit" match support'
	depends on NETFILTER_ADVANCED
	help
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", above) and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MAC
	tristate '"mac" address match support'
	depends on NETFILTER_ADVANCED
	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MARK
	tristate '"mark" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MARK
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).

config NETFILTER_XT_MATCH_MULTIPORT
	tristate '"multiport" Multiple port match support'
	depends on NETFILTER_ADVANCED
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_NFACCT
	tristate '"nfacct" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK_ACCT
	help
	  This option allows you to use the extended accounting through
	  nfnetlink_acct.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_OSF
	tristate '"osf" Passive OS fingerprint match'
	depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
	select NF_OSF
	help
	  This option selects the Passive OS Fingerprinting match module
	  that allows you to passively match the remote operating system by
	  analyzing incoming TCP SYN packets.

	  Rules and loading software can be downloaded from
	  http://www.ioremap.net/projects/osf

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_OWNER
	tristate '"owner" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  Socket owner matching allows you to match locally-generated packets
	  based on who created the socket: the user or group. It is also
	  possible to check whether a socket actually exists.

config NETFILTER_XT_MATCH_POLICY
	tristate 'IPsec "policy" match support'
	depends on XFRM
	default m if NETFILTER_ADVANCED=n
	help
	  Policy matching allows you to match packets based on the
	  IPsec policy that was used during decapsulation/will
	  be used during encapsulation.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_PHYSDEV
	tristate '"physdev" match support'
	depends on BRIDGE && BRIDGE_NETFILTER
	depends on NETFILTER_ADVANCED
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_PKTTYPE
	tristate '"pkttype" packet type match support'
	depends on NETFILTER_ADVANCED
	help
	  Packet type matching allows you to match a packet by
	  its "class", eg. BROADCAST, MULTICAST, ...

	  Typical usage:
	    iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_QUOTA
	tristate '"quota" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `quota' match, which allows you to match on a
	  byte counter.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_RATEEST
	tristate '"rateest" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_RATEEST
	help
	  This option adds a `rateest' match, which allows you to match on the
	  rate estimated by the RATEEST target.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_REALM
	tristate '"realm" match support'
	depends on NETFILTER_ADVANCED
	select IP_ROUTE_CLASSID
	help
	  This option adds a `realm' match, which allows you to use the realm
	  key from the routing subsystem inside iptables.

	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
	  in the tc world.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_RECENT
	tristate '"recent" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'
	  Official Website: <http://snowman.net/projects/ipt_recent/>

config NETFILTER_XT_MATCH_SCTP
	tristate '"sctp" protocol match support'
	depends on NETFILTER_ADVANCED
	default IP_SCTP
	help
	  With this option enabled, you will be able to use the
	  `sctp' match in order to match on SCTP source/destination ports
	  and SCTP chunk types.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_SOCKET
	tristate '"socket" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	depends on IPV6 || IPV6=n
	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
	select NF_SOCKET_IPV4
	select NF_SOCKET_IPV6 if IP6_NF_IPTABLES
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
	help
	  This option adds a `socket' match, which can be used to match
	  packets for which a TCP or UDP socket lookup finds a valid socket.
	  It can be used in combination with the MARK target and policy
	  routing to implement full featured non-locally bound sockets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STATE
	tristate '"state" match support'
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (ie. previous packets). This
	  is a powerful tool for packet classification.

	  To compile it as a module, choose M here.
	  If unsure, say N.

config NETFILTER_XT_MATCH_STATISTIC
	tristate '"statistic" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `statistic' match, which allows you to match
	  on packets periodically or randomly with a given percentage.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STRING
	tristate '"string" match support'
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	select TEXTSEARCH_BM
	select TEXTSEARCH_FSM
	help
	  This option adds a `string' match, which allows you to look for
	  patterns in packets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_TCPMSS
	tristate '"tcpmss" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS value of TCP SYN packets, which controls the maximum packet size
	  for that connection.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_TIME
	tristate '"time" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds a "time" match, which allows you to match based on
	  the packet arrival time (at the machine on which netfilter is
	  running) or departure time/date (for locally generated packets).

	  If you say Y here, try `iptables -m time --help` for
	  more information.

	  If you want to compile it as a module, say M here.
	  If unsure, say N.

config NETFILTER_XT_MATCH_U32
	tristate '"u32" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  u32 allows you to extract quantities of up to 4 bytes from a packet,
	  AND them with specified masks, shift them by specified amounts and
	  test whether the results are in any of a set of specified ranges.
	  The specification of what to extract is general enough to skip over
	  headers with lengths stored in the packet, as in IP or TCP header
	  lengths.

	  Details and examples are in the kernel module source.

endif # NETFILTER_XTABLES

endmenu

source "net/netfilter/ipset/Kconfig"

source "net/netfilter/ipvs/Kconfig"
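# Added example, not part of this Kconfig or of the kernel's xt_u32 module:
# a user-space evaluator in C for the u32 expression language that the u32
# help text above sketches (extract 4 bytes, mask, shift, test against
# ranges, and use the extracted value to skip over a variable-length
# header), run against a constructed IPv4/TCP packet. The grammar and the
# meaning of `@' follow the iptables u32 extension's documentation; the
# sample packet and the test expressions are constructed for the example.

```c
/*
 * Added example, not code from the kernel's xt_u32 module: a user-space
 * evaluator for the u32 match language, with a constructed IPv4/TCP packet.
 * Grammar (from the iptables u32 extension): tests are separated by "&&";
 * each is  location "=" range[,range...]  with range := n | n:m.  A
 * location starts with an offset, where 4 bytes are read big-endian, then
 * any of "&mask", "<<n", ">>n" and "@n".  "@" adds the current value to the
 * base offset and reads 4 bytes at base+n, which is how one expression
 * steps from the IP header into TCP and from there into the payload.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* 4 bytes big-endian at pos, or false if they fall outside the packet. */
static bool rd32(const uint8_t *pkt, size_t len, uint64_t pos, uint32_t *out)
{
	if (pos + 4 > len)
		return false;
	*out = (uint32_t)pkt[pos] << 24 | (uint32_t)pkt[pos + 1] << 16 |
	       (uint32_t)pkt[pos + 2] << 8 | pkt[pos + 3];
	return true;
}

static const char *skip_ws(const char *s)
{
	while (isspace((unsigned char)*s))
		s++;
	return s;
}

/* Parse a decimal or 0x-prefixed number; NULL if none is there. */
static const char *num(const char *s, uint32_t *v)
{
	char *end;

	s = skip_ws(s);
	if (!isdigit((unsigned char)*s))
		return NULL;
	*v = (uint32_t)strtoul(s, &end, 0);
	return end;
}

/* 1 = match, 0 = no match, -1 = syntax error or a read past the end of the
 * packet (the kernel simply reports no match for the latter; it is kept
 * separate here so a caller can see why a rule never fires). */
static int u32_match(const char *expr, const uint8_t *pkt, size_t len)
{
	const char *s = expr;

	for (;;) {
		uint64_t at = 0;               /* base offset, advanced by "@" */
		uint32_t pos, val, n;
		bool matched = false;

		if (!(s = num(s, &pos)) || !rd32(pkt, len, at + pos, &val))
			return -1;
		for (;;) {
			s = skip_ws(s);
			if (*s == '&' && s[1] != '&') {
				if (!(s = num(s + 1, &n)))
					return -1;
				val &= n;
			} else if (!strncmp(s, "<<", 2)) {
				if (!(s = num(s + 2, &n)))
					return -1;
				val = n < 32 ? val << n : 0;
			} else if (!strncmp(s, ">>", 2)) {
				if (!(s = num(s + 2, &n)))
					return -1;
				val = n < 32 ? val >> n : 0;
			} else if (*s == '@') {
				at += val;
				if (!(s = num(s + 1, &pos)) || !rd32(pkt, len, at + pos, &val))
					return -1;
			} else {
				break;
			}
		}
		if (*s != '=')
			return -1;
		s++;
		for (;;) {                     /* value set: n or n:m, comma separated */
			uint32_t lo, hi;

			if (!(s = num(s, &lo)))
				return -1;
			hi = lo;
			s = skip_ws(s);
			if (*s == ':') {
				if (!(s = num(s + 1, &hi)))
					return -1;
				s = skip_ws(s);
			}
			if (val >= lo && val <= hi)
				matched = true;
			if (*s != ',')
				break;
			s++;
		}
		if (!matched)
			return 0;
		if (*s == '\0')
			return 1;
		if (strncmp(s, "&&", 2))
			return -1;
		s += 2;
	}
}

/* Constructed sample: IPv4 (IHL 5, protocol TCP, total length 52) + TCP
 * (data offset 5, destination port 53) + 12 payload bytes, the last four
 * holding the value 5. */
static const uint8_t sample_pkt[] = {
	0x45, 0x00, 0x00, 0x34, 0x00, 0x01, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
	10, 0, 0, 2, 192, 0, 2, 10,
	0xc0, 0x00, 0x00, 0x35, 0, 0, 0, 1, 0, 0, 0, 0,
	0x50, 0x18, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 5,
};
static const size_t sample_len = sizeof sample_pkt;
```

# "6&0xFF=6" reads bytes 6-9 of the IP header and keeps the protocol byte;
# "0>>22&0x3C" turns the IHL nibble into the header length in bytes, so
# "0>>22&0x3C@0&0xFFFF=53" lands on the TCP destination port and
# "0>>22&0x3C@12>>26&0x3C@8=1,2,5,8" does the same trick again with the TCP
# data offset to reach payload bytes 8-11. A read past the end of the
# packet, or a dangling operator, is reported as -1.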