menu "Core Netfilter Configuration"
	depends on NET && INET && NETFILTER

config NETFILTER_NETLINK
	tristate

config NETFILTER_NETLINK_QUEUE
	tristate "Netfilter NFQUEUE over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for queueing packets via NFNETLINK.

config NETFILTER_NETLINK_LOG
	tristate "Netfilter LOG over NFNETLINK interface"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for logging packets via NFNETLINK.

	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
	  and is also scheduled to replace the old syslog-based ipt_LOG
	  and ip6t_LOG modules.

config NF_CONNTRACK
	tristate "Netfilter connection tracking support"
	default m if NETFILTER_ADVANCED=n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is required to do Masquerading or other kinds of Network
	  Address Translation (except for Fast NAT). It can also be used to
	  enhance packet filtering (see `Connection state match support'
	  below).

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CT_ACCT
	bool "Connection tracking flow accounting"
	depends on NETFILTER_ADVANCED
	depends on NF_CONNTRACK
	help
	  If this option is enabled, the connection tracking code will
	  keep per-flow packet and byte counters.

	  Those counters can be used for flow-based accounting or the
	  `connbytes' match.

	  If unsure, say `N'.

config NF_CONNTRACK_MARK
	bool 'Connection mark tracking support'
	depends on NETFILTER_ADVANCED
	depends on NF_CONNTRACK
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match. Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config NF_CONNTRACK_SECMARK
	bool 'Connection tracking security mark support'
	depends on NF_CONNTRACK && NETWORK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables security markings to be applied to
	  connections. Typically they are copied to connections from
	  packets using the CONNSECMARK target and copied back from
	  connections to packets with the same target, with the packets
	  being originally labeled via SECMARK.

	  If unsure, say 'N'.

config NF_CONNTRACK_EVENTS
	bool "Connection tracking events"
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  If this option is enabled, the connection tracking code will
	  provide a notifier chain that can be used by other kernel code
	  to get notified about changes in the connection tracking state.

	  If unsure, say `N'.

config NF_CT_PROTO_GRE
	tristate
	depends on NF_CONNTRACK

config NF_CT_PROTO_SCTP
	tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
	depends on EXPERIMENTAL && NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on SCTP connections.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NF_CT_PROTO_UDPLITE
	tristate 'UDP-Lite protocol connection tracking support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on UDP-Lite
	  connections.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_AMANDA
	tristate "Amanda backup protocol support"
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature. This allows the
	  connection tracking and NAT code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and
	  index.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_FTP
	tristate "FTP protocol support"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them.

	  This is FTP support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_H323
	tristate "H.323 protocol support"
	depends on NF_CONNTRACK && (IPV6 || IPV6=n)
	depends on NETFILTER_ADVANCED
	help
	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
	  important VoIP protocols, it is widely used by voice hardware and
	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
	  Gnomemeeting, etc.

	  With this module you can support H.323 on a connection tracking/NAT
	  firewall.

	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
	  whiteboard, file transfer, etc. For more information, please
	  visit http://nath323.sourceforge.net/.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_IRC
	tristate "IRC protocol support"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC). This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server. DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots. If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats. Note that you do NOT need this extension to get files or
	  have others initiate chats, or everything else in IRC.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_NETBIOS_NS
	tristate "NetBIOS name service protocol support"
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  NetBIOS name service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating NetBIOS name service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address. When properly configured, the output
	  of "ip address show" should look similar to this:

	  $ ip -4 address show eth0
	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_PPTP
	tristate "PPTP protocol support"
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CT_PROTO_GRE
	help
	  This module adds support for PPTP (Point to Point Tunnelling
	  Protocol, RFC2637) connection tracking and NAT.

	  If you are running PPTP sessions over a stateful firewall or NAT
	  box, you may want to enable this feature.

	  Please note that not all PPTP modes of operation are supported yet.
	  Specifically these limitations exist:
	    - Blindly assumes that control connections are always established
	      in PNS->PAC direction. This is a violation of RFC2637.
	    - Only supports a single call within each session

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SANE
	tristate "SANE protocol support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  SANE is a protocol for remote access to scanners as implemented
	  by the 'saned' daemon. Like FTP, it uses separate control and
	  data connections.

	  With this module you can support SANE on a connection tracking
	  firewall.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SIP
	tristate "SIP protocol support"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  SIP is an application-layer control protocol that can establish,
	  modify, and terminate multimedia sessions (conferences) such as
	  Internet telephony calls. With the ip_conntrack_sip and
	  the nf_nat_sip modules you can support the protocol on a connection
	  tracking/NATing firewall.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_TFTP
	tristate "TFTP protocol support"
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  TFTP connection tracking helper; this is required depending
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADE
	  you will need this.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CT_NETLINK
	tristate 'Connection tracking netlink interface'
	depends on NF_CONNTRACK
	select NETFILTER_NETLINK
	depends on NF_NAT=n || NF_NAT
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables support for a netlink-based userspace interface.

config NETFILTER_XTABLES
	tristate "Netfilter Xtables support (required for ip_tables)"
	default m if NETFILTER_ADVANCED=n
	help
	  This is required if you intend to use any of ip_tables,
	  ip6_tables or arp_tables.

# alphabetically ordered list of targets

config NETFILTER_XT_TARGET_CLASSIFY
	tristate '"CLASSIFY" target support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet. Some qdiscs can use this value for
	  classification, among these are:

	  atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CONNMARK
	tristate '"CONNMARK" target support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  This option adds a `CONNMARK' target, which allows one to manipulate
	  the connection mark value. Similar to the MARK target, but
	  affects the connection mark value rather than the packet mark value.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. The module will be called
	  ipt_CONNMARK.ko. If unsure, say `N'.

config NETFILTER_XT_TARGET_DSCP
	tristate '"DSCP" and "TOS" target support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' target, which allows you to manipulate
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It also adds the "TOS" target, which allows you to create rules in
	  the "mangle" table which alter the Type Of Service field of an IPv4
	  or the Priority field of an IPv6 packet, prior to routing.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_MARK
	tristate '"MARK" target support'
	depends on NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `MARK' target, which allows you to create rules
	  in the `mangle' table which alter the netfilter mark (nfmark) field
	  associated with the packet prior to routing. This can change
	  the routing method (see `Use netfilter MARK value as routing
	  key') and can also be used by other subsystems to change their
	  behavior.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NFQUEUE
	tristate '"NFQUEUE" target support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  This target replaced the old obsolete QUEUE target.

	  As opposed to QUEUE, it supports 65535 different queues,
	  not just one.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NFLOG
	tristate '"NFLOG" target support'
	depends on NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables the NFLOG target, which allows you to log
	  messages through the netfilter logging API, which can use
	  either the old LOG target, the old ULOG target or nfnetlink_log
	  as backend.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NOTRACK
	tristate '"NOTRACK" target support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  The NOTRACK target allows a select rule to specify
	  which packets *not* to enter the conntrack/NAT
	  subsystem with all the consequences (no ICMP error tracking,
	  no protocol helpers for the selected packets).

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_TARGET_RATEEST
	tristate '"RATEEST" target support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `RATEEST' target, which allows you to measure
	  rates similar to TC estimators. The `rateest' match can be
	  used to match on the measured rates.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TRACE
	tristate '"TRACE" target support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	help
	  The TRACE target allows you to mark packets so that the kernel
	  will log every rule which matches the packets as they traverse
	  the tables, chains and rules.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_TARGET_SECMARK
	tristate '"SECMARK" target support'
	depends on NETFILTER_XTABLES && NETWORK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The SECMARK target allows security marking of network
	  packets, for use with security subsystems.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CONNSECMARK
	tristate '"CONNSECMARK" target support'
	depends on NETFILTER_XTABLES && NF_CONNTRACK && NF_CONNTRACK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The CONNSECMARK target copies security markings from packets
	  to connections, and restores security markings from connections
	  to packets (if the packets are not already marked). This would
	  normally be used in conjunction with the SECMARK target.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TCPMSS
	tristate '"TCPMSS" target support'
	depends on NETFILTER_XTABLES && (IPV6 || IPV6=n)
	default m if NETFILTER_ADVANCED=n
	---help---
	  This option adds a `TCPMSS' target, which allows you to alter the
	  MSS value of TCP SYN packets, to control the maximum size for that
	  connection (usually limiting it to your outgoing interface's MTU
	  minus 40).

	  This is used to overcome criminally braindead ISPs or servers which
	  block ICMP Fragmentation Needed packets. The symptoms of this
	  problem are that everything works fine from your Linux
	  firewall/router, but machines behind it can never exchange large
	  packets:
	    1) Web browsers connect, then hang with no data received.
	    2) Small mail works fine, but large emails hang.
	    3) ssh works fine, but scp hangs after initial handshaking.

	  Workaround: activate this option and add a rule to your firewall
	  configuration like:

	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
	           -j TCPMSS --clamp-mss-to-pmtu

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TCPOPTSTRIP
	tristate '"TCPOPTSTRIP" target support (EXPERIMENTAL)'
	depends on EXPERIMENTAL && NETFILTER_XTABLES
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
	  TCP options from TCP packets.

config NETFILTER_XT_MATCH_COMMENT
	tristate '"comment" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `comment' dummy-match, which allows you to put
	  comments in your iptables ruleset.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNBYTES
	tristate '"connbytes" per-connection counter match support'
	depends on NETFILTER_XTABLES
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CT_ACCT
	help
	  This option adds a `connbytes' match, which allows you to match the
	  number of bytes and/or packets for each direction within a connection.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNLIMIT
	tristate '"connlimit" match support'
	depends on NETFILTER_XTABLES
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	---help---
	  This match allows you to match against the number of parallel
	  connections to a server per client IP address (or address block).

config NETFILTER_XT_MATCH_CONNMARK
	tristate '"connmark" connection mark match support'
	depends on NETFILTER_XTABLES
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  This option adds a `connmark' match, which allows you to match the
	  connection mark value previously set for the session by `CONNMARK'.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. The module will be called
	  ipt_connmark.ko. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNTRACK
	tristate '"conntrack" connection tracking match support'
	depends on NETFILTER_XTABLES
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  This is a general conntrack match module, a superset of the state match.

	  It allows matching on additional conntrack information, which is
	  useful in complex configurations, such as NAT gateways with multiple
	  internet links or tunnels.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_DCCP
	tristate '"dccp" protocol match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  With this option enabled, you will be able to use the iptables
	  `dccp' match in order to match on DCCP source/destination ports
	  and DCCP flags.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_DSCP
	tristate '"dscp" and "tos" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It will also add a "tos" match, which allows you to match packets
	  based on the Type Of Service fields of the IPv4 packet (which share
	  the same bits as DSCP).

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_ESP
	tristate '"esp" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the ESP header of IPsec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_HELPER
	tristate '"helper" match support'
	depends on NETFILTER_XTABLES
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack helper, i.e. ip_conntrack_ftp.

	  To compile it as a module, choose M here. If unsure, say Y.

config NETFILTER_XT_MATCH_IPRANGE
	tristate '"iprange" address range match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an "iprange" match, which allows you to match based on
	  an IP address range. (Normal iptables only matches on single addresses
	  with an optional mask.)

	  If unsure, say M.

config NETFILTER_XT_MATCH_LENGTH
	tristate '"length" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_LIMIT
	tristate '"limit" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", below) and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MAC
	tristate '"mac" address match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MARK
	tristate '"mark" match support'
	depends on NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  Netfilter mark matching allows you to match packets based on the
	  `nfmark' value in the packet. This can be set by the MARK target
	  (see below).

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_OWNER
	tristate '"owner" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	---help---
	  Socket owner matching allows you to match locally-generated packets
	  based on who created the socket: the user or group. It is also
	  possible to check whether a socket actually exists.

config NETFILTER_XT_MATCH_POLICY
	tristate 'IPsec "policy" match support'
	depends on NETFILTER_XTABLES && XFRM
	default m if NETFILTER_ADVANCED=n
	help
	  Policy matching allows you to match packets based on the
	  IPsec policy that was used during decapsulation/will
	  be used during encapsulation.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MULTIPORT
	tristate '"multiport" Multiple port match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_PHYSDEV
	tristate '"physdev" match support'
	depends on NETFILTER_XTABLES && BRIDGE && BRIDGE_NETFILTER
	depends on NETFILTER_ADVANCED
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_PKTTYPE
	tristate '"pkttype" packet type match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  Packet type matching allows you to match a packet by
	  its "class", e.g. BROADCAST, MULTICAST, ...

	  Typical usage:
	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_QUOTA
	tristate '"quota" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `quota' match, which allows you to match on a
	  byte counter.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_RATEEST
	tristate '"rateest" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_RATEEST
	help
	  This option adds a `rateest' match, which allows you to match on the
	  rate estimated by the RATEEST target.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_REALM
	tristate '"realm" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	select NET_CLS_ROUTE
	help
	  This option adds a `realm' match, which allows you to use the realm
	  key from the routing subsystem inside iptables.

	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
	  in the tc world.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_SCTP
	tristate '"sctp" protocol match support (EXPERIMENTAL)'
	depends on NETFILTER_XTABLES && EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	help
	  With this option enabled, you will be able to use the
	  `sctp' match in order to match on SCTP source/destination ports
	  and SCTP chunk types.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_STATE
	tristate '"state" match support'
	depends on NETFILTER_XTABLES
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (i.e. previous packets). This
	  is a powerful tool for packet classification.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STATISTIC
	tristate '"statistic" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `statistic' match, which allows you to match
	  on packets periodically or randomly with a given percentage.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STRING
	tristate '"string" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	select TEXTSEARCH_BM
	select TEXTSEARCH_FSM
	help
	  This option adds a `string' match, which allows you to look for
	  pattern matches in packets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_TCPMSS
	tristate '"tcpmss" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS value of TCP SYN packets, which controls the maximum packet size
	  for that connection.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_TIME
	tristate '"time" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds a "time" match, which allows you to match based on
	  the packet arrival time (at the machine on which netfilter is running)
	  or departure time/date (for locally generated packets).

	  If you say Y here, try `iptables -m time --help` for
	  more information.

	  If you want to compile it as a module, say M here.
	  If unsure, say N.

config NETFILTER_XT_MATCH_U32
	tristate '"u32" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	---help---
	  u32 allows you to extract quantities of up to 4 bytes from a packet,
	  AND them with specified masks, shift them by specified amounts and
	  test whether the results are in any of a set of specified ranges.
	  The specification of what to extract is general enough to skip over
	  headers with lengths stored in the packet, as in IP or TCP header
	  lengths.

	  Details and examples are in the kernel module source.

config NETFILTER_XT_MATCH_HASHLIMIT
	tristate '"hashlimit" match support'
	depends on NETFILTER_XTABLES && (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `hashlimit' match.

	  As opposed to `limit', this match dynamically creates a hash table
	  of limit buckets, based on your selection of source/destination
	  addresses and/or ports.

	  It enables you to express policies like `10kpps for any given
	  destination address' or `500pps from any given source address'
	  with a single rule.

endmenu
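The `select` and `depends on` lines in these entries decide which netfilter code is built, and Kconfig's `select` forces a symbol on without honouring that symbol's own `depends on`. The following Python is an added example, not part of the kernel's Kconfig or its kconfig tooling: it parses a constructed excerpt of the entries above and resolves what enabling an option forces on, what must already be enabled (treating the `X || X=n` idiom as not requiring X), and whether any `select` bypasses a dependency the selecting option does not itself guarantee.

```python
"""Resolve what a netfilter Kconfig option pulls in (added example, not kernel code):
`select` forces a symbol on without honouring that symbol's own `depends on`."""
import re

# Constructed excerpt of the entries on this page (tabs replaced by spaces).
KCONFIG_EXCERPT = """
config NF_CT_ACCT
    bool "Connection tracking flow accounting"
    depends on NETFILTER_ADVANCED
    depends on NF_CONNTRACK
    help
      If this option is enabled, the connection tracking code will
      keep per-flow packet and byte counters.

config NETFILTER_XT_MATCH_CONNBYTES
    tristate '"connbytes" per-connection counter match support'
    depends on NETFILTER_XTABLES
    depends on NF_CONNTRACK
    depends on NETFILTER_ADVANCED
    select NF_CT_ACCT

config NETFILTER_XT_MATCH_HASHLIMIT
    tristate '"hashlimit" match support'
    depends on NETFILTER_XTABLES && (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
    depends on NETFILTER_ADVANCED
"""
SYMBOL_RE = re.compile(r"\b([A-Z][A-Z0-9_]*)(=[nmy])?\b")

def expr_symbols(expr):
    """Symbols a `depends on` expression really requires. The idiom `X || X=n`
    (e.g. `IPV6 || IPV6=n`) means X may be absent, so X is not required."""
    plain, off = set(), set()
    for name, suffix in SYMBOL_RE.findall(expr):
        (off if suffix == "=n" else plain).add(name)
    return plain - off

def parse_kconfig(text):
    """Return {symbol: {"type", "depends": [expr], "select": [sym]}} per config block."""
    entries, current, in_help = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            current = line.split(None, 1)[1]
            entries[current] = {"type": None, "depends": [], "select": []}
            in_help = False
            continue
        if not line or current is None or in_help:
            continue  # blank line, text before the first config, or help prose
        keyword, _, rest = line.partition(" ")
        if keyword in ("help", "---help---"):
            in_help = True  # help text runs until the next `config`
        elif keyword in ("tristate", "bool"):
            entries[current]["type"] = keyword
        elif keyword == "depends":  # "depends on <expr>"
            entries[current]["depends"].append(rest.partition(" ")[2].strip())
        elif keyword == "select":
            entries[current]["select"].append(rest.strip())
    return entries

def _reachable(entries, symbol, edges):
    seen, stack = set(), [symbol]  # symbols reachable over edges(), minus symbol itself
    while stack:
        for nxt in edges(entries.get(stack.pop(), {})):
            if nxt != symbol and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen

def select_closure(entries, symbol):
    """Everything forced on, transitively, when `symbol` is enabled."""
    return _reachable(entries, symbol, lambda e: e.get("select", []))

def depends_closure(entries, symbol):
    """Everything `symbol` transitively requires through `depends on`."""
    return _reachable(entries, symbol,
                      lambda e: set().union(*(expr_symbols(x) for x in e.get("depends", []))))

def must_enable(entries, symbol):
    """Symbols the user must turn on before `symbol` and its selections are valid."""
    selected = select_closure(entries, symbol)
    needed = depends_closure(entries, symbol).union(*(depends_closure(entries, s) for s in selected))
    return needed - selected - {symbol}

def unguarded_selects(entries):
    """(selector, selected, missing): `select` would force a symbol on while one of its dependencies is neither required nor selected by the selector."""
    problems = []
    for name, entry in entries.items():
        guaranteed = depends_closure(entries, name) | select_closure(entries, name) | {name}
        for sel in entry["select"]:
            problems += [(name, sel, d) for d in sorted(depends_closure(entries, sel) - guaranteed)]
    return problems
```

Run against the full file, `unguarded_selects` flags the spots where a `select` could compile code into the kernel that its own `depends on` was meant to gate.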