1menu "Core Netfilter Configuration" 2 depends on NET && INET && NETFILTER 3 4config NETFILTER_INGRESS 5 bool "Netfilter ingress support" 6 default y 7 select NET_INGRESS 8 help 9 This allows you to classify packets from ingress using the Netfilter 10 infrastructure. 11 12config NETFILTER_NETLINK 13 tristate 14 15config NETFILTER_FAMILY_BRIDGE 16 bool 17 18config NETFILTER_FAMILY_ARP 19 bool 20 21config NETFILTER_NETLINK_ACCT 22tristate "Netfilter NFACCT over NFNETLINK interface" 23 depends on NETFILTER_ADVANCED 24 select NETFILTER_NETLINK 25 help 26 If this option is enabled, the kernel will include support 27 for extended accounting via NFNETLINK. 28 29config NETFILTER_NETLINK_QUEUE 30 tristate "Netfilter NFQUEUE over NFNETLINK interface" 31 depends on NETFILTER_ADVANCED 32 select NETFILTER_NETLINK 33 help 34 If this option is enabled, the kernel will include support 35 for queueing packets via NFNETLINK. 36 37config NETFILTER_NETLINK_LOG 38 tristate "Netfilter LOG over NFNETLINK interface" 39 default m if NETFILTER_ADVANCED=n 40 select NETFILTER_NETLINK 41 help 42 If this option is enabled, the kernel will include support 43 for logging packets via NFNETLINK. 44 45 This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms, 46 and is also scheduled to replace the old syslog-based ipt_LOG 47 and ip6t_LOG modules. 48 49config NF_CONNTRACK 50 tristate "Netfilter connection tracking support" 51 default m if NETFILTER_ADVANCED=n 52 help 53 Connection tracking keeps a record of what packets have passed 54 through your machine, in order to figure out how they are related 55 into connections. 56 57 This is required to do Masquerading or other kinds of Network 58 Address Translation. It can also be used to enhance packet 59 filtering (see `Connection state match support' below). 60 61 To compile it as a module, choose M here. If unsure, say N. 62 63config NF_LOG_COMMON 64 tristate 65 66config NF_LOG_NETDEV 67 tristate "Netdev packet logging" 68 select NF_LOG_COMMON 69 70if NF_CONNTRACK 71config NETFILTER_CONNCOUNT 72 tristate 73 74config NF_CONNTRACK_MARK 75 bool 'Connection mark tracking support' 76 depends on NETFILTER_ADVANCED 77 help 78 This option enables support for connection marks, used by the 79 `CONNMARK' target and `connmark' match. Similar to the mark value 80 of packets, but this mark value is kept in the conntrack session 81 instead of the individual packets. 82 83config NF_CONNTRACK_SECMARK 84 bool 'Connection tracking security mark support' 85 depends on NETWORK_SECMARK 86 default m if NETFILTER_ADVANCED=n 87 help 88 This option enables security markings to be applied to 89 connections. Typically they are copied to connections from 90 packets using the CONNSECMARK target and copied back from 91 connections to packets with the same target, with the packets 92 being originally labeled via SECMARK. 93 94 If unsure, say 'N'. 95 96config NF_CONNTRACK_ZONES 97 bool 'Connection tracking zones' 98 depends on NETFILTER_ADVANCED 99 depends on NETFILTER_XT_TARGET_CT 100 help 101 This option enables support for connection tracking zones. 102 Normally, each connection needs to have a unique system wide 103 identity. Connection tracking zones allow to have multiple 104 connections using the same identity, as long as they are 105 contained in different zones. 106 107 If unsure, say `N'. 108 109config NF_CONNTRACK_PROCFS 110 bool "Supply CT list in procfs (OBSOLETE)" 111 default y 112 depends on PROC_FS 113 ---help--- 114 This option enables for the list of known conntrack entries 115 to be shown in procfs under net/netfilter/nf_conntrack. This 116 is considered obsolete in favor of using the conntrack(8) 117 tool which uses Netlink. 118 119config NF_CONNTRACK_EVENTS 120 bool "Connection tracking events" 121 depends on NETFILTER_ADVANCED 122 help 123 If this option is enabled, the connection tracking code will 124 provide a notifier chain that can be used by other kernel code 125 to get notified about changes in the connection tracking state. 126 127 If unsure, say `N'. 128 129config NF_CONNTRACK_TIMEOUT 130 bool 'Connection tracking timeout' 131 depends on NETFILTER_ADVANCED 132 help 133 This option enables support for connection tracking timeout 134 extension. This allows you to attach timeout policies to flow 135 via the CT target. 136 137 If unsure, say `N'. 138 139config NF_CONNTRACK_TIMESTAMP 140 bool 'Connection tracking timestamping' 141 depends on NETFILTER_ADVANCED 142 help 143 This option enables support for connection tracking timestamping. 144 This allows you to store the flow start-time and to obtain 145 the flow-stop time (once it has been destroyed) via Connection 146 tracking events. 147 148 If unsure, say `N'. 149 150config NF_CONNTRACK_LABELS 151 bool 152 help 153 This option enables support for assigning user-defined flag bits 154 to connection tracking entries. It selected by the connlabel match. 155 156config NF_CT_PROTO_DCCP 157 bool 'DCCP protocol connection tracking support' 158 depends on NETFILTER_ADVANCED 159 default y 160 help 161 With this option enabled, the layer 3 independent connection 162 tracking code will be able to do state tracking on DCCP connections. 163 164 If unsure, say Y. 165 166config NF_CT_PROTO_GRE 167 tristate 168 169config NF_CT_PROTO_SCTP 170 bool 'SCTP protocol connection tracking support' 171 depends on NETFILTER_ADVANCED 172 default y 173 select LIBCRC32C 174 help 175 With this option enabled, the layer 3 independent connection 176 tracking code will be able to do state tracking on SCTP connections. 177 178 If unsure, say Y. 179 180config NF_CT_PROTO_UDPLITE 181 bool 'UDP-Lite protocol connection tracking support' 182 depends on NETFILTER_ADVANCED 183 default y 184 help 185 With this option enabled, the layer 3 independent connection 186 tracking code will be able to do state tracking on UDP-Lite 187 connections. 188 189 If unsure, say Y. 190 191config NF_CONNTRACK_AMANDA 192 tristate "Amanda backup protocol support" 193 depends on NETFILTER_ADVANCED 194 select TEXTSEARCH 195 select TEXTSEARCH_KMP 196 help 197 If you are running the Amanda backup package <http://www.amanda.org/> 198 on this machine or machines that will be MASQUERADED through this 199 machine, then you may want to enable this feature. This allows the 200 connection tracking and natting code to allow the sub-channels that 201 Amanda requires for communication of the backup data, messages and 202 index. 203 204 To compile it as a module, choose M here. If unsure, say N. 205 206config NF_CONNTRACK_FTP 207 tristate "FTP protocol support" 208 default m if NETFILTER_ADVANCED=n 209 help 210 Tracking FTP connections is problematic: special helpers are 211 required for tracking them, and doing masquerading and other forms 212 of Network Address Translation on them. 213 214 This is FTP support on Layer 3 independent connection tracking. 215 Layer 3 independent connection tracking is experimental scheme 216 which generalize ip_conntrack to support other layer 3 protocols. 217 218 To compile it as a module, choose M here. If unsure, say N. 219 220config NF_CONNTRACK_H323 221 tristate "H.323 protocol support" 222 depends on IPV6 || IPV6=n 223 depends on NETFILTER_ADVANCED 224 help 225 H.323 is a VoIP signalling protocol from ITU-T. As one of the most 226 important VoIP protocols, it is widely used by voice hardware and 227 software including voice gateways, IP phones, Netmeeting, OpenPhone, 228 Gnomemeeting, etc. 229 230 With this module you can support H.323 on a connection tracking/NAT 231 firewall. 232 233 This module supports RAS, Fast Start, H.245 Tunnelling, Call 234 Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat, 235 whiteboard, file transfer, etc. For more information, please 236 visit http://nath323.sourceforge.net/. 237 238 To compile it as a module, choose M here. If unsure, say N. 239 240config NF_CONNTRACK_IRC 241 tristate "IRC protocol support" 242 default m if NETFILTER_ADVANCED=n 243 help 244 There is a commonly-used extension to IRC called 245 Direct Client-to-Client Protocol (DCC). This enables users to send 246 files to each other, and also chat to each other without the need 247 of a server. DCC Sending is used anywhere you send files over IRC, 248 and DCC Chat is most commonly used by Eggdrop bots. If you are 249 using NAT, this extension will enable you to send files and initiate 250 chats. Note that you do NOT need this extension to get files or 251 have others initiate chats, or everything else in IRC. 252 253 To compile it as a module, choose M here. If unsure, say N. 254 255config NF_CONNTRACK_BROADCAST 256 tristate 257 258config NF_CONNTRACK_NETBIOS_NS 259 tristate "NetBIOS name service protocol support" 260 select NF_CONNTRACK_BROADCAST 261 help 262 NetBIOS name service requests are sent as broadcast messages from an 263 unprivileged port and responded to with unicast messages to the 264 same port. This make them hard to firewall properly because connection 265 tracking doesn't deal with broadcasts. This helper tracks locally 266 originating NetBIOS name service requests and the corresponding 267 responses. It relies on correct IP address configuration, specifically 268 netmask and broadcast address. When properly configured, the output 269 of "ip address show" should look similar to this: 270 271 $ ip -4 address show eth0 272 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000 273 inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0 274 275 To compile it as a module, choose M here. If unsure, say N. 276 277config NF_CONNTRACK_SNMP 278 tristate "SNMP service protocol support" 279 depends on NETFILTER_ADVANCED 280 select NF_CONNTRACK_BROADCAST 281 help 282 SNMP service requests are sent as broadcast messages from an 283 unprivileged port and responded to with unicast messages to the 284 same port. This make them hard to firewall properly because connection 285 tracking doesn't deal with broadcasts. This helper tracks locally 286 originating SNMP service requests and the corresponding 287 responses. It relies on correct IP address configuration, specifically 288 netmask and broadcast address. 289 290 To compile it as a module, choose M here. If unsure, say N. 291 292config NF_CONNTRACK_PPTP 293 tristate "PPtP protocol support" 294 depends on NETFILTER_ADVANCED 295 select NF_CT_PROTO_GRE 296 help 297 This module adds support for PPTP (Point to Point Tunnelling 298 Protocol, RFC2637) connection tracking and NAT. 299 300 If you are running PPTP sessions over a stateful firewall or NAT 301 box, you may want to enable this feature. 302 303 Please note that not all PPTP modes of operation are supported yet. 304 Specifically these limitations exist: 305 - Blindly assumes that control connections are always established 306 in PNS->PAC direction. This is a violation of RFC2637. 307 - Only supports a single call within each session 308 309 To compile it as a module, choose M here. If unsure, say N. 310 311config NF_CONNTRACK_SANE 312 tristate "SANE protocol support" 313 depends on NETFILTER_ADVANCED 314 help 315 SANE is a protocol for remote access to scanners as implemented 316 by the 'saned' daemon. Like FTP, it uses separate control and 317 data connections. 318 319 With this module you can support SANE on a connection tracking 320 firewall. 321 322 To compile it as a module, choose M here. If unsure, say N. 323 324config NF_CONNTRACK_SIP 325 tristate "SIP protocol support" 326 default m if NETFILTER_ADVANCED=n 327 help 328 SIP is an application-layer control protocol that can establish, 329 modify, and terminate multimedia sessions (conferences) such as 330 Internet telephony calls. With the ip_conntrack_sip and 331 the nf_nat_sip modules you can support the protocol on a connection 332 tracking/NATing firewall. 333 334 To compile it as a module, choose M here. If unsure, say N. 335 336config NF_CONNTRACK_TFTP 337 tristate "TFTP protocol support" 338 depends on NETFILTER_ADVANCED 339 help 340 TFTP connection tracking helper, this is required depending 341 on how restrictive your ruleset is. 342 If you are using a tftp client behind -j SNAT or -j MASQUERADING 343 you will need this. 344 345 To compile it as a module, choose M here. If unsure, say N. 346 347config NF_CT_NETLINK 348 tristate 'Connection tracking netlink interface' 349 select NETFILTER_NETLINK 350 default m if NETFILTER_ADVANCED=n 351 help 352 This option enables support for a netlink-based userspace interface 353 354config NF_CT_NETLINK_TIMEOUT 355 tristate 'Connection tracking timeout tuning via Netlink' 356 select NETFILTER_NETLINK 357 depends on NETFILTER_ADVANCED 358 help 359 This option enables support for connection tracking timeout 360 fine-grain tuning. This allows you to attach specific timeout 361 policies to flows, instead of using the global timeout policy. 362 363 If unsure, say `N'. 364 365config NF_CT_NETLINK_HELPER 366 tristate 'Connection tracking helpers in user-space via Netlink' 367 select NETFILTER_NETLINK 368 depends on NF_CT_NETLINK 369 depends on NETFILTER_NETLINK_QUEUE 370 depends on NETFILTER_NETLINK_GLUE_CT 371 depends on NETFILTER_ADVANCED 372 help 373 This option enables the user-space connection tracking helpers 374 infrastructure. 375 376 If unsure, say `N'. 377 378config NETFILTER_NETLINK_GLUE_CT 379 bool "NFQUEUE and NFLOG integration with Connection Tracking" 380 default n 381 depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK 382 help 383 If this option is enabled, NFQUEUE and NFLOG can include 384 Connection Tracking information together with the packet is 385 the enqueued via NFNETLINK. 386 387config NF_NAT 388 tristate 389 390config NF_NAT_NEEDED 391 bool 392 depends on NF_NAT 393 default y 394 395config NF_NAT_PROTO_DCCP 396 bool 397 depends on NF_NAT && NF_CT_PROTO_DCCP 398 default NF_NAT && NF_CT_PROTO_DCCP 399 400config NF_NAT_PROTO_UDPLITE 401 bool 402 depends on NF_NAT && NF_CT_PROTO_UDPLITE 403 default NF_NAT && NF_CT_PROTO_UDPLITE 404 405config NF_NAT_PROTO_SCTP 406 bool 407 default NF_NAT && NF_CT_PROTO_SCTP 408 depends on NF_NAT && NF_CT_PROTO_SCTP 409 410config NF_NAT_AMANDA 411 tristate 412 depends on NF_CONNTRACK && NF_NAT 413 default NF_NAT && NF_CONNTRACK_AMANDA 414 415config NF_NAT_FTP 416 tristate 417 depends on NF_CONNTRACK && NF_NAT 418 default NF_NAT && NF_CONNTRACK_FTP 419 420config NF_NAT_IRC 421 tristate 422 depends on NF_CONNTRACK && NF_NAT 423 default NF_NAT && NF_CONNTRACK_IRC 424 425config NF_NAT_SIP 426 tristate 427 depends on NF_CONNTRACK && NF_NAT 428 default NF_NAT && NF_CONNTRACK_SIP 429 430config NF_NAT_TFTP 431 tristate 432 depends on NF_CONNTRACK && NF_NAT 433 default NF_NAT && NF_CONNTRACK_TFTP 434 435config NF_NAT_REDIRECT 436 bool 437 438config NETFILTER_SYNPROXY 439 tristate 440 441endif # NF_CONNTRACK 442 443config NF_OSF 444 tristate 445 446config NF_TABLES 447 select NETFILTER_NETLINK 448 tristate "Netfilter nf_tables support" 449 help 450 nftables is the new packet classification framework that intends to 451 replace the existing {ip,ip6,arp,eb}_tables infrastructure. It 452 provides a pseudo-state machine with an extensible instruction-set 453 (also known as expressions) that the userspace 'nft' utility 454 (http://www.netfilter.org/projects/nftables) uses to build the 455 rule-set. It also comes with the generic set infrastructure that 456 allows you to construct mappings between matchings and actions 457 for performance lookups. 458 459 To compile it as a module, choose M here. 460 461if NF_TABLES 462 463config NF_TABLES_INET 464 depends on IPV6 465 select NF_TABLES_IPV4 466 select NF_TABLES_IPV6 467 bool "Netfilter nf_tables mixed IPv4/IPv6 tables support" 468 help 469 This option enables support for a mixed IPv4/IPv6 "inet" table. 470 471config NF_TABLES_NETDEV 472 bool "Netfilter nf_tables netdev tables support" 473 help 474 This option enables support for the "netdev" table. 475 476config NFT_NUMGEN 477 tristate "Netfilter nf_tables number generator module" 478 help 479 This option adds the number generator expression used to perform 480 incremental counting and random numbers bound to a upper limit. 481 482config NFT_CT 483 depends on NF_CONNTRACK 484 tristate "Netfilter nf_tables conntrack module" 485 help 486 This option adds the "ct" expression that you can use to match 487 connection tracking information such as the flow state. 488 489config NFT_FLOW_OFFLOAD 490 depends on NF_CONNTRACK && NF_FLOW_TABLE 491 tristate "Netfilter nf_tables hardware flow offload module" 492 help 493 This option adds the "flow_offload" expression that you can use to 494 choose what flows are placed into the hardware. 495 496config NFT_SET_RBTREE 497 tristate "Netfilter nf_tables rbtree set module" 498 help 499 This option adds the "rbtree" set type (Red Black tree) that is used 500 to build interval-based sets. 501 502config NFT_SET_HASH 503 tristate "Netfilter nf_tables hash set module" 504 help 505 This option adds the "hash" set type that is used to build one-way 506 mappings between matchings and actions. 507 508config NFT_SET_BITMAP 509 tristate "Netfilter nf_tables bitmap set module" 510 help 511 This option adds the "bitmap" set type that is used to build sets 512 whose keys are smaller or equal to 16 bits. 513 514config NFT_COUNTER 515 tristate "Netfilter nf_tables counter module" 516 help 517 This option adds the "counter" expression that you can use to 518 include packet and byte counters in a rule. 519 520config NFT_CONNLIMIT 521 tristate "Netfilter nf_tables connlimit module" 522 depends on NF_CONNTRACK 523 depends on NETFILTER_ADVANCED 524 select NETFILTER_CONNCOUNT 525 help 526 This option adds the "connlimit" expression that you can use to 527 ratelimit rule matchings per connections. 528 529config NFT_LOG 530 tristate "Netfilter nf_tables log module" 531 help 532 This option adds the "log" expression that you can use to log 533 packets matching some criteria. 534 535config NFT_LIMIT 536 tristate "Netfilter nf_tables limit module" 537 help 538 This option adds the "limit" expression that you can use to 539 ratelimit rule matchings. 540 541config NFT_MASQ 542 depends on NF_CONNTRACK 543 depends on NF_NAT 544 tristate "Netfilter nf_tables masquerade support" 545 help 546 This option adds the "masquerade" expression that you can use 547 to perform NAT in the masquerade flavour. 548 549config NFT_REDIR 550 depends on NF_CONNTRACK 551 depends on NF_NAT 552 tristate "Netfilter nf_tables redirect support" 553 help 554 This options adds the "redirect" expression that you can use 555 to perform NAT in the redirect flavour. 556 557config NFT_NAT 558 depends on NF_CONNTRACK 559 select NF_NAT 560 tristate "Netfilter nf_tables nat module" 561 help 562 This option adds the "nat" expression that you can use to perform 563 typical Network Address Translation (NAT) packet transformations. 564 565config NFT_OBJREF 566 tristate "Netfilter nf_tables stateful object reference module" 567 help 568 This option adds the "objref" expression that allows you to refer to 569 stateful objects, such as counters and quotas. 570 571config NFT_QUEUE 572 depends on NETFILTER_NETLINK_QUEUE 573 tristate "Netfilter nf_tables queue module" 574 help 575 This is required if you intend to use the userspace queueing 576 infrastructure (also known as NFQUEUE) from nftables. 577 578config NFT_QUOTA 579 tristate "Netfilter nf_tables quota module" 580 help 581 This option adds the "quota" expression that you can use to match 582 enforce bytes quotas. 583 584config NFT_REJECT 585 default m if NETFILTER_ADVANCED=n 586 tristate "Netfilter nf_tables reject support" 587 depends on !NF_TABLES_INET || (IPV6!=m || m) 588 help 589 This option adds the "reject" expression that you can use to 590 explicitly deny and notify via TCP reset/ICMP informational errors 591 unallowed traffic. 592 593config NFT_REJECT_INET 594 depends on NF_TABLES_INET 595 default NFT_REJECT 596 tristate 597 598config NFT_COMPAT 599 depends on NETFILTER_XTABLES 600 tristate "Netfilter x_tables over nf_tables module" 601 help 602 This is required if you intend to use any of existing 603 x_tables match/target extensions over the nf_tables 604 framework. 605 606config NFT_HASH 607 tristate "Netfilter nf_tables hash module" 608 help 609 This option adds the "hash" expression that you can use to perform 610 a hash operation on registers. 611 612config NFT_FIB 613 tristate 614 615config NFT_FIB_INET 616 depends on NF_TABLES_INET 617 depends on NFT_FIB_IPV4 618 depends on NFT_FIB_IPV6 619 tristate "Netfilter nf_tables fib inet support" 620 help 621 This option allows using the FIB expression from the inet table. 622 The lookup will be delegated to the IPv4 or IPv6 FIB depending 623 on the protocol of the packet. 624 625config NFT_SOCKET 626 tristate "Netfilter nf_tables socket match support" 627 depends on IPV6 || IPV6=n 628 select NF_SOCKET_IPV4 629 select NF_SOCKET_IPV6 if IPV6 630 help 631 This option allows matching for the presence or absence of a 632 corresponding socket and its attributes. 633 634if NF_TABLES_NETDEV 635 636config NF_DUP_NETDEV 637 tristate "Netfilter packet duplication support" 638 help 639 This option enables the generic packet duplication infrastructure 640 for Netfilter. 641 642config NFT_DUP_NETDEV 643 tristate "Netfilter nf_tables netdev packet duplication support" 644 select NF_DUP_NETDEV 645 help 646 This option enables packet duplication for the "netdev" family. 647 648config NFT_FWD_NETDEV 649 tristate "Netfilter nf_tables netdev packet forwarding support" 650 select NF_DUP_NETDEV 651 help 652 This option enables packet forwarding for the "netdev" family. 653 654config NFT_FIB_NETDEV 655 depends on NFT_FIB_IPV4 656 depends on NFT_FIB_IPV6 657 tristate "Netfilter nf_tables netdev fib lookups support" 658 help 659 This option allows using the FIB expression from the netdev table. 660 The lookup will be delegated to the IPv4 or IPv6 FIB depending 661 on the protocol of the packet. 662 663endif # NF_TABLES_NETDEV 664 665endif # NF_TABLES 666 667config NF_FLOW_TABLE_INET 668 tristate "Netfilter flow table mixed IPv4/IPv6 module" 669 depends on NF_FLOW_TABLE 670 help 671 This option adds the flow table mixed IPv4/IPv6 support. 672 673 To compile it as a module, choose M here. 674 675config NF_FLOW_TABLE 676 tristate "Netfilter flow table module" 677 depends on NETFILTER_INGRESS 678 depends on NF_CONNTRACK 679 depends on NF_TABLES 680 help 681 This option adds the flow table core infrastructure. 682 683 To compile it as a module, choose M here. 684 685config NETFILTER_XTABLES 686 tristate "Netfilter Xtables support (required for ip_tables)" 687 default m if NETFILTER_ADVANCED=n 688 help 689 This is required if you intend to use any of ip_tables, 690 ip6_tables or arp_tables. 691 692if NETFILTER_XTABLES 693 694comment "Xtables combined modules" 695 696config NETFILTER_XT_MARK 697 tristate 'nfmark target and match support' 698 default m if NETFILTER_ADVANCED=n 699 ---help--- 700 This option adds the "MARK" target and "mark" match. 701 702 Netfilter mark matching allows you to match packets based on the 703 "nfmark" value in the packet. 704 The target allows you to create rules in the "mangle" table which alter 705 the netfilter mark (nfmark) field associated with the packet. 706 707 Prior to routing, the nfmark can influence the routing method and can 708 also be used by other subsystems to change their behavior. 709 710config NETFILTER_XT_CONNMARK 711 tristate 'ctmark target and match support' 712 depends on NF_CONNTRACK 713 depends on NETFILTER_ADVANCED 714 select NF_CONNTRACK_MARK 715 ---help--- 716 This option adds the "CONNMARK" target and "connmark" match. 717 718 Netfilter allows you to store a mark value per connection (a.k.a. 719 ctmark), similarly to the packet mark (nfmark). Using this 720 target and match, you can set and match on this mark. 721 722config NETFILTER_XT_SET 723 tristate 'set target and match support' 724 depends on IP_SET 725 depends on NETFILTER_ADVANCED 726 help 727 This option adds the "SET" target and "set" match. 728 729 Using this target and match, you can add/delete and match 730 elements in the sets created by ipset(8). 731 732 To compile it as a module, choose M here. If unsure, say N. 733 734# alphabetically ordered list of targets 735 736comment "Xtables targets" 737 738config NETFILTER_XT_TARGET_AUDIT 739 tristate "AUDIT target support" 740 depends on AUDIT 741 depends on NETFILTER_ADVANCED 742 ---help--- 743 This option adds a 'AUDIT' target, which can be used to create 744 audit records for packets dropped/accepted. 745 746 To compileit as a module, choose M here. If unsure, say N. 747 748config NETFILTER_XT_TARGET_CHECKSUM 749 tristate "CHECKSUM target support" 750 depends on IP_NF_MANGLE || IP6_NF_MANGLE 751 depends on NETFILTER_ADVANCED 752 ---help--- 753 This option adds a `CHECKSUM' target, which can be used in the iptables mangle 754 table. 755 756 You can use this target to compute and fill in the checksum in 757 a packet that lacks a checksum. This is particularly useful, 758 if you need to work around old applications such as dhcp clients, 759 that do not work well with checksum offloads, but don't want to disable 760 checksum offload in your device. 761 762 To compile it as a module, choose M here. If unsure, say N. 763 764config NETFILTER_XT_TARGET_CLASSIFY 765 tristate '"CLASSIFY" target support' 766 depends on NETFILTER_ADVANCED 767 help 768 This option adds a `CLASSIFY' target, which enables the user to set 769 the priority of a packet. Some qdiscs can use this value for 770 classification, among these are: 771 772 atm, cbq, dsmark, pfifo_fast, htb, prio 773 774 To compile it as a module, choose M here. If unsure, say N. 775 776config NETFILTER_XT_TARGET_CONNMARK 777 tristate '"CONNMARK" target support' 778 depends on NF_CONNTRACK 779 depends on NETFILTER_ADVANCED 780 select NETFILTER_XT_CONNMARK 781 ---help--- 782 This is a backwards-compat option for the user's convenience 783 (e.g. when running oldconfig). It selects 784 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module). 785 786config NETFILTER_XT_TARGET_CONNSECMARK 787 tristate '"CONNSECMARK" target support' 788 depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK 789 default m if NETFILTER_ADVANCED=n 790 help 791 The CONNSECMARK target copies security markings from packets 792 to connections, and restores security markings from connections 793 to packets (if the packets are not already marked). This would 794 normally be used in conjunction with the SECMARK target. 795 796 To compile it as a module, choose M here. If unsure, say N. 797 798config NETFILTER_XT_TARGET_CT 799 tristate '"CT" target support' 800 depends on NF_CONNTRACK 801 depends on IP_NF_RAW || IP6_NF_RAW 802 depends on NETFILTER_ADVANCED 803 help 804 This options adds a `CT' target, which allows to specify initial 805 connection tracking parameters like events to be delivered and 806 the helper to be used. 807 808 To compile it as a module, choose M here. If unsure, say N. 809 810config NETFILTER_XT_TARGET_DSCP 811 tristate '"DSCP" and "TOS" target support' 812 depends on IP_NF_MANGLE || IP6_NF_MANGLE 813 depends on NETFILTER_ADVANCED 814 help 815 This option adds a `DSCP' target, which allows you to manipulate 816 the IPv4/IPv6 header DSCP field (differentiated services codepoint). 817 818 The DSCP field can have any value between 0x0 and 0x3f inclusive. 819 820 It also adds the "TOS" target, which allows you to create rules in 821 the "mangle" table which alter the Type Of Service field of an IPv4 822 or the Priority field of an IPv6 packet, prior to routing. 823 824 To compile it as a module, choose M here. If unsure, say N. 825 826config NETFILTER_XT_TARGET_HL 827 tristate '"HL" hoplimit target support' 828 depends on IP_NF_MANGLE || IP6_NF_MANGLE 829 depends on NETFILTER_ADVANCED 830 ---help--- 831 This option adds the "HL" (for IPv6) and "TTL" (for IPv4) 832 targets, which enable the user to change the 833 hoplimit/time-to-live value of the IP header. 834 835 While it is safe to decrement the hoplimit/TTL value, the 836 modules also allow to increment and set the hoplimit value of 837 the header to arbitrary values. This is EXTREMELY DANGEROUS 838 since you can easily create immortal packets that loop 839 forever on the network. 840 841config NETFILTER_XT_TARGET_HMARK 842 tristate '"HMARK" target support' 843 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n 844 depends on NETFILTER_ADVANCED 845 ---help--- 846 This option adds the "HMARK" target. 847 848 The target allows you to create rules in the "raw" and "mangle" tables 849 which set the skbuff mark by means of hash calculation within a given 850 range. The nfmark can influence the routing method and can also be used 851 by other subsystems to change their behaviour. 852 853 To compile it as a module, choose M here. If unsure, say N. 854 855config NETFILTER_XT_TARGET_IDLETIMER 856 tristate "IDLETIMER target support" 857 depends on NETFILTER_ADVANCED 858 help 859 860 This option adds the `IDLETIMER' target. Each matching packet 861 resets the timer associated with label specified when the rule is 862 added. When the timer expires, it triggers a sysfs notification. 863 The remaining time for expiration can be read via sysfs. 864 865 To compile it as a module, choose M here. If unsure, say N. 866 867config NETFILTER_XT_TARGET_LED 868 tristate '"LED" target support' 869 depends on LEDS_CLASS && LEDS_TRIGGERS 870 depends on NETFILTER_ADVANCED 871 help 872 This option adds a `LED' target, which allows you to blink LEDs in 873 response to particular packets passing through your machine. 874 875 This can be used to turn a spare LED into a network activity LED, 876 which only flashes in response to FTP transfers, for example. Or 877 you could have an LED which lights up for a minute or two every time 878 somebody connects to your machine via SSH. 879 880 You will need support for the "led" class to make this work. 881 882 To create an LED trigger for incoming SSH traffic: 883 iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000 884 885 Then attach the new trigger to an LED on your system: 886 echo netfilter-ssh > /sys/class/leds/<ledname>/trigger 887 888 For more information on the LEDs available on your system, see 889 Documentation/leds/leds-class.txt 890 891config NETFILTER_XT_TARGET_LOG 892 tristate "LOG target support" 893 select NF_LOG_COMMON 894 select NF_LOG_IPV4 895 select NF_LOG_IPV6 if IPV6 896 default m if NETFILTER_ADVANCED=n 897 help 898 This option adds a `LOG' target, which allows you to create rules in 899 any iptables table which records the packet header to the syslog. 900 901 To compile it as a module, choose M here. If unsure, say N. 902 903config NETFILTER_XT_TARGET_MARK 904 tristate '"MARK" target support' 905 depends on NETFILTER_ADVANCED 906 select NETFILTER_XT_MARK 907 ---help--- 908 This is a backwards-compat option for the user's convenience 909 (e.g. when running oldconfig). It selects 910 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module). 911 912config NETFILTER_XT_NAT 913 tristate '"SNAT and DNAT" targets support' 914 depends on NF_NAT 915 ---help--- 916 This option enables the SNAT and DNAT targets. 917 918 To compile it as a module, choose M here. If unsure, say N. 919 920config NETFILTER_XT_TARGET_NETMAP 921 tristate '"NETMAP" target support' 922 depends on NF_NAT 923 ---help--- 924 NETMAP is an implementation of static 1:1 NAT mapping of network 925 addresses. It maps the network address part, while keeping the host 926 address part intact. 927 928 To compile it as a module, choose M here. If unsure, say N. 929 930config NETFILTER_XT_TARGET_NFLOG 931 tristate '"NFLOG" target support' 932 default m if NETFILTER_ADVANCED=n 933 select NETFILTER_NETLINK_LOG 934 help 935 This option enables the NFLOG target, which allows to LOG 936 messages through nfnetlink_log. 937 938 To compile it as a module, choose M here. If unsure, say N. 939 940config NETFILTER_XT_TARGET_NFQUEUE 941 tristate '"NFQUEUE" target Support' 942 depends on NETFILTER_ADVANCED 943 select NETFILTER_NETLINK_QUEUE 944 help 945 This target replaced the old obsolete QUEUE target. 946 947 As opposed to QUEUE, it supports 65535 different queues, 948 not just one. 949 950 To compile it as a module, choose M here. If unsure, say N. 951 952config NETFILTER_XT_TARGET_NOTRACK 953 tristate '"NOTRACK" target support (DEPRECATED)' 954 depends on NF_CONNTRACK 955 depends on IP_NF_RAW || IP6_NF_RAW 956 depends on NETFILTER_ADVANCED 957 select NETFILTER_XT_TARGET_CT 958 959config NETFILTER_XT_TARGET_RATEEST 960 tristate '"RATEEST" target support' 961 depends on NETFILTER_ADVANCED 962 help 963 This option adds a `RATEEST' target, which allows to measure 964 rates similar to TC estimators. The `rateest' match can be 965 used to match on the measured rates. 966 967 To compile it as a module, choose M here. If unsure, say N. 968 969config NETFILTER_XT_TARGET_REDIRECT 970 tristate "REDIRECT target support" 971 depends on NF_NAT 972 select NF_NAT_REDIRECT 973 ---help--- 974 REDIRECT is a special case of NAT: all incoming connections are 975 mapped onto the incoming interface's address, causing the packets to 976 come to the local machine instead of passing through. This is 977 useful for transparent proxies. 978 979 To compile it as a module, choose M here. If unsure, say N. 980 981config NETFILTER_XT_TARGET_TEE 982 tristate '"TEE" - packet cloning to alternate destination' 983 depends on NETFILTER_ADVANCED 984 depends on IPV6 || IPV6=n 985 depends on !NF_CONNTRACK || NF_CONNTRACK 986 select NF_DUP_IPV4 987 select NF_DUP_IPV6 if IPV6 988 ---help--- 989 This option adds a "TEE" target with which a packet can be cloned and 990 this clone be rerouted to another nexthop. 991 992config NETFILTER_XT_TARGET_TPROXY 993 tristate '"TPROXY" target transparent proxying support' 994 depends on NETFILTER_XTABLES 995 depends on NETFILTER_ADVANCED 996 depends on IPV6 || IPV6=n 997 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n 998 depends on IP_NF_MANGLE 999 select NF_DEFRAG_IPV4 1000 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n 1001 select NF_TPROXY_IPV4 1002 select NF_TPROXY_IPV6 if IP6_NF_IPTABLES 1003 help 1004 This option adds a `TPROXY' target, which is somewhat similar to 1005 REDIRECT. It can only be used in the mangle table and is useful 1006 to redirect traffic to a transparent proxy. It does _not_ depend 1007 on Netfilter connection tracking and NAT, unlike REDIRECT. 1008 For it to work you will have to configure certain iptables rules 1009 and use policy routing. For more information on how to set it up 1010 see Documentation/networking/tproxy.txt. 1011 1012 To compile it as a module, choose M here. If unsure, say N. 1013 1014config NETFILTER_XT_TARGET_TRACE 1015 tristate '"TRACE" target support' 1016 depends on IP_NF_RAW || IP6_NF_RAW 1017 depends on NETFILTER_ADVANCED 1018 help 1019 The TRACE target allows you to mark packets so that the kernel 1020 will log every rule which match the packets as those traverse 1021 the tables, chains, rules. 1022 1023 If you want to compile it as a module, say M here and read 1024 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 1025 1026config NETFILTER_XT_TARGET_SECMARK 1027 tristate '"SECMARK" target support' 1028 depends on NETWORK_SECMARK 1029 default m if NETFILTER_ADVANCED=n 1030 help 1031 The SECMARK target allows security marking of network 1032 packets, for use with security subsystems. 1033 1034 To compile it as a module, choose M here. If unsure, say N. 1035 1036config NETFILTER_XT_TARGET_TCPMSS 1037 tristate '"TCPMSS" target support' 1038 depends on IPV6 || IPV6=n 1039 default m if NETFILTER_ADVANCED=n 1040 ---help--- 1041 This option adds a `TCPMSS' target, which allows you to alter the 1042 MSS value of TCP SYN packets, to control the maximum size for that 1043 connection (usually limiting it to your outgoing interface's MTU 1044 minus 40). 1045 1046 This is used to overcome criminally braindead ISPs or servers which 1047 block ICMP Fragmentation Needed packets. The symptoms of this 1048 problem are that everything works fine from your Linux 1049 firewall/router, but machines behind it can never exchange large 1050 packets: 1051 1) Web browsers connect, then hang with no data received. 1052 2) Small mail works fine, but large emails hang. 1053 3) ssh works fine, but scp hangs after initial handshaking. 1054 1055 Workaround: activate this option and add a rule to your firewall 1056 configuration like: 1057 1058 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \ 1059 -j TCPMSS --clamp-mss-to-pmtu 1060 1061 To compile it as a module, choose M here. If unsure, say N. 1062 1063config NETFILTER_XT_TARGET_TCPOPTSTRIP 1064 tristate '"TCPOPTSTRIP" target support' 1065 depends on IP_NF_MANGLE || IP6_NF_MANGLE 1066 depends on NETFILTER_ADVANCED 1067 help 1068 This option adds a "TCPOPTSTRIP" target, which allows you to strip 1069 TCP options from TCP packets. 1070 1071# alphabetically ordered list of matches 1072 1073comment "Xtables matches" 1074 1075config NETFILTER_XT_MATCH_ADDRTYPE 1076 tristate '"addrtype" address type match support' 1077 default m if NETFILTER_ADVANCED=n 1078 ---help--- 1079 This option allows you to match what routing thinks of an address, 1080 eg. UNICAST, LOCAL, BROADCAST, ... 1081 1082 If you want to compile it as a module, say M here and read 1083 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 1084 1085config NETFILTER_XT_MATCH_BPF 1086 tristate '"bpf" match support' 1087 depends on NETFILTER_ADVANCED 1088 help 1089 BPF matching applies a linux socket filter to each packet and 1090 accepts those for which the filter returns non-zero. 1091 1092 To compile it as a module, choose M here. If unsure, say N. 1093 1094config NETFILTER_XT_MATCH_CGROUP 1095 tristate '"control group" match support' 1096 depends on NETFILTER_ADVANCED 1097 depends on CGROUPS 1098 select CGROUP_NET_CLASSID 1099 ---help--- 1100 Socket/process control group matching allows you to match locally 1101 generated packets based on which net_cls control group processes 1102 belong to. 1103 1104config NETFILTER_XT_MATCH_CLUSTER 1105 tristate '"cluster" match support' 1106 depends on NF_CONNTRACK 1107 depends on NETFILTER_ADVANCED 1108 ---help--- 1109 This option allows you to build work-load-sharing clusters of 1110 network servers/stateful firewalls without having a dedicated 1111 load-balancing router/server/switch. Basically, this match returns 1112 true when the packet must be handled by this cluster node. Thus, 1113 all nodes see all packets and this match decides which node handles 1114 what packets. The work-load sharing algorithm is based on source 1115 address hashing. 1116 1117 If you say Y or M here, try `iptables -m cluster --help` for 1118 more information. 1119 1120config NETFILTER_XT_MATCH_COMMENT 1121 tristate '"comment" match support' 1122 depends on NETFILTER_ADVANCED 1123 help 1124 This option adds a `comment' dummy-match, which allows you to put 1125 comments in your iptables ruleset. 1126 1127 If you want to compile it as a module, say M here and read 1128 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 1129 1130config NETFILTER_XT_MATCH_CONNBYTES 1131 tristate '"connbytes" per-connection counter match support' 1132 depends on NF_CONNTRACK 1133 depends on NETFILTER_ADVANCED 1134 help 1135 This option adds a `connbytes' match, which allows you to match the 1136 number of bytes and/or packets for each direction within a connection. 1137 1138 If you want to compile it as a module, say M here and read 1139 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 1140 1141config NETFILTER_XT_MATCH_CONNLABEL 1142 tristate '"connlabel" match support' 1143 select NF_CONNTRACK_LABELS 1144 depends on NF_CONNTRACK 1145 depends on NETFILTER_ADVANCED 1146 ---help--- 1147 This match allows you to test and assign userspace-defined labels names 1148 to a connection. The kernel only stores bit values - mapping 1149 names to bits is done by userspace. 1150 1151 Unlike connmark, more than 32 flag bits may be assigned to a 1152 connection simultaneously. 1153 1154config NETFILTER_XT_MATCH_CONNLIMIT 1155 tristate '"connlimit" match support' 1156 depends on NF_CONNTRACK 1157 depends on NETFILTER_ADVANCED 1158 select NETFILTER_CONNCOUNT 1159 ---help--- 1160 This match allows you to match against the number of parallel 1161 connections to a server per client IP address (or address block). 1162 1163config NETFILTER_XT_MATCH_CONNMARK 1164 tristate '"connmark" connection mark match support' 1165 depends on NF_CONNTRACK 1166 depends on NETFILTER_ADVANCED 1167 select NETFILTER_XT_CONNMARK 1168 ---help--- 1169 This is a backwards-compat option for the user's convenience 1170 (e.g. when running oldconfig). It selects 1171 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module). 1172 1173config NETFILTER_XT_MATCH_CONNTRACK 1174 tristate '"conntrack" connection tracking match support' 1175 depends on NF_CONNTRACK 1176 default m if NETFILTER_ADVANCED=n 1177 help 1178 This is a general conntrack match module, a superset of the state match. 1179 1180 It allows matching on additional conntrack information, which is 1181 useful in complex configurations, such as NAT gateways with multiple 1182 internet links or tunnels. 1183 1184 To compile it as a module, choose M here. If unsure, say N. 1185 1186config NETFILTER_XT_MATCH_CPU 1187 tristate '"cpu" match support' 1188 depends on NETFILTER_ADVANCED 1189 help 1190 CPU matching allows you to match packets based on the CPU 1191 currently handling the packet. 1192 1193 To compile it as a module, choose M here. If unsure, say N. 1194 1195config NETFILTER_XT_MATCH_DCCP 1196 tristate '"dccp" protocol match support' 1197 depends on NETFILTER_ADVANCED 1198 default IP_DCCP 1199 help 1200 With this option enabled, you will be able to use the iptables 1201 `dccp' match in order to match on DCCP source/destination ports 1202 and DCCP flags. 1203 1204 If you want to compile it as a module, say M here and read 1205 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 1206 1207config NETFILTER_XT_MATCH_DEVGROUP 1208 tristate '"devgroup" match support' 1209 depends on NETFILTER_ADVANCED 1210 help 1211 This options adds a `devgroup' match, which allows to match on the 1212 device group a network device is assigned to. 1213 1214 To compile it as a module, choose M here. If unsure, say N. 1215 1216config NETFILTER_XT_MATCH_DSCP 1217 tristate '"dscp" and "tos" match support' 1218 depends on NETFILTER_ADVANCED 1219 help 1220 This option adds a `DSCP' match, which allows you to match against 1221 the IPv4/IPv6 header DSCP field (differentiated services codepoint). 1222 1223 The DSCP field can have any value between 0x0 and 0x3f inclusive. 1224 1225 It will also add a "tos" match, which allows you to match packets 1226 based on the Type Of Service fields of the IPv4 packet (which share 1227 the same bits as DSCP). 1228 1229 To compile it as a module, choose M here. If unsure, say N. 1230 1231config NETFILTER_XT_MATCH_ECN 1232 tristate '"ecn" match support' 1233 depends on NETFILTER_ADVANCED 1234 ---help--- 1235 This option adds an "ECN" match, which allows you to match against 1236 the IPv4 and TCP header ECN fields. 1237 1238 To compile it as a module, choose M here. If unsure, say N. 1239 1240config NETFILTER_XT_MATCH_ESP 1241 tristate '"esp" match support' 1242 depends on NETFILTER_ADVANCED 1243 help 1244 This match extension allows you to match a range of SPIs 1245 inside ESP header of IPSec packets. 1246 1247 To compile it as a module, choose M here. If unsure, say N. 1248 1249config NETFILTER_XT_MATCH_HASHLIMIT 1250 tristate '"hashlimit" match support' 1251 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n 1252 depends on NETFILTER_ADVANCED 1253 help 1254 This option adds a `hashlimit' match. 1255 1256 As opposed to `limit', this match dynamically creates a hash table 1257 of limit buckets, based on your selection of source/destination 1258 addresses and/or ports. 1259 1260 It enables you to express policies like `10kpps for any given 1261 destination address' or `500pps from any given source address' 1262 with a single rule. 1263 1264config NETFILTER_XT_MATCH_HELPER 1265 tristate '"helper" match support' 1266 depends on NF_CONNTRACK 1267 depends on NETFILTER_ADVANCED 1268 help 1269 Helper matching allows you to match packets in dynamic connections 1270 tracked by a conntrack-helper, ie. ip_conntrack_ftp 1271 1272 To compile it as a module, choose M here. If unsure, say Y. 1273 1274config NETFILTER_XT_MATCH_HL 1275 tristate '"hl" hoplimit/TTL match support' 1276 depends on NETFILTER_ADVANCED 1277 ---help--- 1278 HL matching allows you to match packets based on the hoplimit 1279 in the IPv6 header, or the time-to-live field in the IPv4 1280 header of the packet. 1281 1282config NETFILTER_XT_MATCH_IPCOMP 1283 tristate '"ipcomp" match support' 1284 depends on NETFILTER_ADVANCED 1285 help 1286 This match extension allows you to match a range of CPIs(16 bits) 1287 inside IPComp header of IPSec packets. 1288 1289 To compile it as a module, choose M here. If unsure, say N. 1290 1291config NETFILTER_XT_MATCH_IPRANGE 1292 tristate '"iprange" address range match support' 1293 depends on NETFILTER_ADVANCED 1294 ---help--- 1295 This option adds a "iprange" match, which allows you to match based on 1296 an IP address range. (Normal iptables only matches on single addresses 1297 with an optional mask.) 1298 1299 If unsure, say M. 1300 1301config NETFILTER_XT_MATCH_IPVS 1302 tristate '"ipvs" match support' 1303 depends on IP_VS 1304 depends on NETFILTER_ADVANCED 1305 depends on NF_CONNTRACK 1306 help 1307 This option allows you to match against IPVS properties of a packet. 1308 1309 If unsure, say N. 1310 1311config NETFILTER_XT_MATCH_L2TP 1312 tristate '"l2tp" match support' 1313 depends on NETFILTER_ADVANCED 1314 default L2TP 1315 ---help--- 1316 This option adds an "L2TP" match, which allows you to match against 1317 L2TP protocol header fields. 1318 1319 To compile it as a module, choose M here. If unsure, say N. 1320 1321config NETFILTER_XT_MATCH_LENGTH 1322 tristate '"length" match support' 1323 depends on NETFILTER_ADVANCED 1324 help 1325 This option allows you to match the length of a packet against a 1326 specific value or range of values. 1327 1328 To compile it as a module, choose M here. If unsure, say N. 1329 1330config NETFILTER_XT_MATCH_LIMIT 1331 tristate '"limit" match support' 1332 depends on NETFILTER_ADVANCED 1333 help 1334 limit matching allows you to control the rate at which a rule can be 1335 matched: mainly useful in combination with the LOG target ("LOG 1336 target support", below) and to avoid some Denial of Service attacks. 1337 1338 To compile it as a module, choose M here. If unsure, say N. 1339 1340config NETFILTER_XT_MATCH_MAC 1341 tristate '"mac" address match support' 1342 depends on NETFILTER_ADVANCED 1343 help 1344 MAC matching allows you to match packets based on the source 1345 Ethernet address of the packet. 1346 1347 To compile it as a module, choose M here. If unsure, say N. 1348 1349config NETFILTER_XT_MATCH_MARK 1350 tristate '"mark" match support' 1351 depends on NETFILTER_ADVANCED 1352 select NETFILTER_XT_MARK 1353 ---help--- 1354 This is a backwards-compat option for the user's convenience 1355 (e.g. when running oldconfig). It selects 1356 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module). 1357 1358config NETFILTER_XT_MATCH_MULTIPORT 1359 tristate '"multiport" Multiple port match support' 1360 depends on NETFILTER_ADVANCED 1361 help 1362 Multiport matching allows you to match TCP or UDP packets based on 1363 a series of source or destination ports: normally a rule can only 1364 match a single range of ports. 1365 1366 To compile it as a module, choose M here. If unsure, say N. 1367 1368config NETFILTER_XT_MATCH_NFACCT 1369 tristate '"nfacct" match support' 1370 depends on NETFILTER_ADVANCED 1371 select NETFILTER_NETLINK_ACCT 1372 help 1373 This option allows you to use the extended accounting through 1374 nfnetlink_acct. 1375 1376 To compile it as a module, choose M here. If unsure, say N. 1377 1378config NETFILTER_XT_MATCH_OSF 1379 tristate '"osf" Passive OS fingerprint match' 1380 depends on NETFILTER_ADVANCED && NETFILTER_NETLINK 1381 select NF_OSF 1382 help 1383 This option selects the Passive OS Fingerprinting match module 1384 that allows to passively match the remote operating system by 1385 analyzing incoming TCP SYN packets. 1386 1387 Rules and loading software can be downloaded from 1388 http://www.ioremap.net/projects/osf 1389 1390 To compile it as a module, choose M here. If unsure, say N. 1391 1392config NETFILTER_XT_MATCH_OWNER 1393 tristate '"owner" match support' 1394 depends on NETFILTER_ADVANCED 1395 ---help--- 1396 Socket owner matching allows you to match locally-generated packets 1397 based on who created the socket: the user or group. It is also 1398 possible to check whether a socket actually exists. 1399 1400config NETFILTER_XT_MATCH_POLICY 1401 tristate 'IPsec "policy" match support' 1402 depends on XFRM 1403 default m if NETFILTER_ADVANCED=n 1404 help 1405 Policy matching allows you to match packets based on the 1406 IPsec policy that was used during decapsulation/will 1407 be used during encapsulation. 1408 1409 To compile it as a module, choose M here. If unsure, say N. 1410 1411config NETFILTER_XT_MATCH_PHYSDEV 1412 tristate '"physdev" match support' 1413 depends on BRIDGE && BRIDGE_NETFILTER 1414 depends on NETFILTER_ADVANCED 1415 help 1416 Physdev packet matching matches against the physical bridge ports 1417 the IP packet arrived on or will leave by. 1418 1419 To compile it as a module, choose M here. If unsure, say N. 1420 1421config NETFILTER_XT_MATCH_PKTTYPE 1422 tristate '"pkttype" packet type match support' 1423 depends on NETFILTER_ADVANCED 1424 help 1425 Packet type matching allows you to match a packet by 1426 its "class", eg. BROADCAST, MULTICAST, ... 1427 1428 Typical usage: 1429 iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG 1430 1431 To compile it as a module, choose M here. If unsure, say N. 1432 1433config NETFILTER_XT_MATCH_QUOTA 1434 tristate '"quota" match support' 1435 depends on NETFILTER_ADVANCED 1436 help 1437 This option adds a `quota' match, which allows to match on a 1438 byte counter. 1439 1440 If you want to compile it as a module, say M here and read 1441 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 1442 1443config NETFILTER_XT_MATCH_RATEEST 1444 tristate '"rateest" match support' 1445 depends on NETFILTER_ADVANCED 1446 select NETFILTER_XT_TARGET_RATEEST 1447 help 1448 This option adds a `rateest' match, which allows to match on the 1449 rate estimated by the RATEEST target. 1450 1451 To compile it as a module, choose M here. If unsure, say N. 1452 1453config NETFILTER_XT_MATCH_REALM 1454 tristate '"realm" match support' 1455 depends on NETFILTER_ADVANCED 1456 select IP_ROUTE_CLASSID 1457 help 1458 This option adds a `realm' match, which allows you to use the realm 1459 key from the routing subsystem inside iptables. 1460 1461 This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option 1462 in tc world. 1463 1464 If you want to compile it as a module, say M here and read 1465 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 1466 1467config NETFILTER_XT_MATCH_RECENT 1468 tristate '"recent" match support' 1469 depends on NETFILTER_ADVANCED 1470 ---help--- 1471 This match is used for creating one or many lists of recently 1472 used addresses and then matching against that/those list(s). 1473 1474 Short options are available by using 'iptables -m recent -h' 1475 Official Website: <http://snowman.net/projects/ipt_recent/> 1476 1477config NETFILTER_XT_MATCH_SCTP 1478 tristate '"sctp" protocol match support' 1479 depends on NETFILTER_ADVANCED 1480 default IP_SCTP 1481 help 1482 With this option enabled, you will be able to use the 1483 `sctp' match in order to match on SCTP source/destination ports 1484 and SCTP chunk types. 1485 1486 If you want to compile it as a module, say M here and read 1487 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 1488 1489config NETFILTER_XT_MATCH_SOCKET 1490 tristate '"socket" match support' 1491 depends on NETFILTER_XTABLES 1492 depends on NETFILTER_ADVANCED 1493 depends on IPV6 || IPV6=n 1494 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n 1495 depends on NF_SOCKET_IPV4 1496 depends on NF_SOCKET_IPV6 1497 select NF_DEFRAG_IPV4 1498 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n 1499 help 1500 This option adds a `socket' match, which can be used to match 1501 packets for which a TCP or UDP socket lookup finds a valid socket. 1502 It can be used in combination with the MARK target and policy 1503 routing to implement full featured non-locally bound sockets. 1504 1505 To compile it as a module, choose M here. If unsure, say N. 1506 1507config NETFILTER_XT_MATCH_STATE 1508 tristate '"state" match support' 1509 depends on NF_CONNTRACK 1510 default m if NETFILTER_ADVANCED=n 1511 help 1512 Connection state matching allows you to match packets based on their 1513 relationship to a tracked connection (ie. previous packets). This 1514 is a powerful tool for packet classification. 1515 1516 To compile it as a module, choose M here. If unsure, say N. 1517 1518config NETFILTER_XT_MATCH_STATISTIC 1519 tristate '"statistic" match support' 1520 depends on NETFILTER_ADVANCED 1521 help 1522 This option adds a `statistic' match, which allows you to match 1523 on packets periodically or randomly with a given percentage. 1524 1525 To compile it as a module, choose M here. If unsure, say N. 1526 1527config NETFILTER_XT_MATCH_STRING 1528 tristate '"string" match support' 1529 depends on NETFILTER_ADVANCED 1530 select TEXTSEARCH 1531 select TEXTSEARCH_KMP 1532 select TEXTSEARCH_BM 1533 select TEXTSEARCH_FSM 1534 help 1535 This option adds a `string' match, which allows you to look for 1536 pattern matchings in packets. 1537 1538 To compile it as a module, choose M here. If unsure, say N. 1539 1540config NETFILTER_XT_MATCH_TCPMSS 1541 tristate '"tcpmss" match support' 1542 depends on NETFILTER_ADVANCED 1543 help 1544 This option adds a `tcpmss' match, which allows you to examine the 1545 MSS value of TCP SYN packets, which control the maximum packet size 1546 for that connection. 1547 1548 To compile it as a module, choose M here. If unsure, say N. 1549 1550config NETFILTER_XT_MATCH_TIME 1551 tristate '"time" match support' 1552 depends on NETFILTER_ADVANCED 1553 ---help--- 1554 This option adds a "time" match, which allows you to match based on 1555 the packet arrival time (at the machine which netfilter is running) 1556 on) or departure time/date (for locally generated packets). 1557 1558 If you say Y here, try `iptables -m time --help` for 1559 more information. 1560 1561 If you want to compile it as a module, say M here. 1562 If unsure, say N. 1563 1564config NETFILTER_XT_MATCH_U32 1565 tristate '"u32" match support' 1566 depends on NETFILTER_ADVANCED 1567 ---help--- 1568 u32 allows you to extract quantities of up to 4 bytes from a packet, 1569 AND them with specified masks, shift them by specified amounts and 1570 test whether the results are in any of a set of specified ranges. 1571 The specification of what to extract is general enough to skip over 1572 headers with lengths stored in the packet, as in IP or TCP header 1573 lengths. 1574 1575 Details and examples are in the kernel module source. 1576 1577endif # NETFILTER_XTABLES 1578 1579endmenu 1580 1581source "net/netfilter/ipset/Kconfig" 1582 1583source "net/netfilter/ipvs/Kconfig" 1584