1menu "Core Netfilter Configuration"
2	depends on NET && INET && NETFILTER
3
4config NETFILTER_INGRESS
5	bool "Netfilter ingress support"
6	default y
7	select NET_INGRESS
8	help
9	  This allows you to classify packets from ingress using the Netfilter
10	  infrastructure.
11
12config NETFILTER_NETLINK
13	tristate
14
15config NETFILTER_FAMILY_BRIDGE
16	bool
17
18config NETFILTER_FAMILY_ARP
19	bool
20
21config NETFILTER_NETLINK_ACCT
22tristate "Netfilter NFACCT over NFNETLINK interface"
23	depends on NETFILTER_ADVANCED
24	select NETFILTER_NETLINK
25	help
26	  If this option is enabled, the kernel will include support
27	  for extended accounting via NFNETLINK.
28
29config NETFILTER_NETLINK_QUEUE
30	tristate "Netfilter NFQUEUE over NFNETLINK interface"
31	depends on NETFILTER_ADVANCED
32	select NETFILTER_NETLINK
33	help
34	  If this option is enabled, the kernel will include support
35	  for queueing packets via NFNETLINK.
36
37config NETFILTER_NETLINK_LOG
38	tristate "Netfilter LOG over NFNETLINK interface"
39	default m if NETFILTER_ADVANCED=n
40	select NETFILTER_NETLINK
41	help
42	  If this option is enabled, the kernel will include support
43	  for logging packets via NFNETLINK.
44
45	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
46	  and is also scheduled to replace the old syslog-based ipt_LOG
47	  and ip6t_LOG modules.
48
49config NF_CONNTRACK
50	tristate "Netfilter connection tracking support"
51	default m if NETFILTER_ADVANCED=n
52	help
53	  Connection tracking keeps a record of what packets have passed
54	  through your machine, in order to figure out how they are related
55	  into connections.
56
57	  This is required to do Masquerading or other kinds of Network
58	  Address Translation.  It can also be used to enhance packet
59	  filtering (see `Connection state match support' below).
60
61	  To compile it as a module, choose M here.  If unsure, say N.
62
63config NF_LOG_COMMON
64	tristate
65
66config NF_LOG_NETDEV
67	tristate "Netdev packet logging"
68	select NF_LOG_COMMON
69
70if NF_CONNTRACK
71config NETFILTER_CONNCOUNT
72	tristate
73
74config NF_CONNTRACK_MARK
75	bool  'Connection mark tracking support'
76	depends on NETFILTER_ADVANCED
77	help
78	  This option enables support for connection marks, used by the
79	  `CONNMARK' target and `connmark' match. Similar to the mark value
80	  of packets, but this mark value is kept in the conntrack session
81	  instead of the individual packets.
82
83config NF_CONNTRACK_SECMARK
84	bool  'Connection tracking security mark support'
85	depends on NETWORK_SECMARK
86	default m if NETFILTER_ADVANCED=n
87	help
88	  This option enables security markings to be applied to
89	  connections.  Typically they are copied to connections from
90	  packets using the CONNSECMARK target and copied back from
91	  connections to packets with the same target, with the packets
92	  being originally labeled via SECMARK.
93
94	  If unsure, say 'N'.
95
96config NF_CONNTRACK_ZONES
97	bool  'Connection tracking zones'
98	depends on NETFILTER_ADVANCED
99	depends on NETFILTER_XT_TARGET_CT
100	help
101	  This option enables support for connection tracking zones.
102	  Normally, each connection needs to have a unique system-wide
103	  identity. Connection tracking zones allow multiple connections
104	  to use the same identity, as long as they are contained in
105	  different zones.
106
107	  If unsure, say `N'.
108
109config NF_CONNTRACK_PROCFS
110	bool "Supply CT list in procfs (OBSOLETE)"
111	default y
112	depends on PROC_FS
113	---help---
114	This option enables for the list of known conntrack entries
115	to be shown in procfs under net/netfilter/nf_conntrack. This
116	is considered obsolete in favor of using the conntrack(8)
117	tool which uses Netlink.
118
119config NF_CONNTRACK_EVENTS
120	bool "Connection tracking events"
121	depends on NETFILTER_ADVANCED
122	help
123	  If this option is enabled, the connection tracking code will
124	  provide a notifier chain that can be used by other kernel code
125	  to get notified about changes in the connection tracking state.
126
127	  If unsure, say `N'.
128
129config NF_CONNTRACK_TIMEOUT
130	bool  'Connection tracking timeout'
131	depends on NETFILTER_ADVANCED
132	help
133	  This option enables support for the connection tracking timeout
134	  extension. This allows you to attach timeout policies to flows
135	  via the CT target.
136
137	  If unsure, say `N'.
138
139config NF_CONNTRACK_TIMESTAMP
140	bool  'Connection tracking timestamping'
141	depends on NETFILTER_ADVANCED
142	help
143	  This option enables support for connection tracking timestamping.
144	  This allows you to store the flow start-time and to obtain
145	  the flow-stop time (once it has been destroyed) via Connection
146	  tracking events.
147
148	  If unsure, say `N'.
149
150config NF_CONNTRACK_LABELS
151	bool
152	help
153	  This option enables support for assigning user-defined flag bits
154	  to connection tracking entries.  It is selected by the connlabel match.
155
156config NF_CT_PROTO_DCCP
157	bool 'DCCP protocol connection tracking support'
158	depends on NETFILTER_ADVANCED
159	default y
160	help
161	  With this option enabled, the layer 3 independent connection
162	  tracking code will be able to do state tracking on DCCP connections.
163
164	  If unsure, say Y.
165
166config NF_CT_PROTO_GRE
167	tristate
168
169config NF_CT_PROTO_SCTP
170	bool 'SCTP protocol connection tracking support'
171	depends on NETFILTER_ADVANCED
172	default y
173	select LIBCRC32C
174	help
175	  With this option enabled, the layer 3 independent connection
176	  tracking code will be able to do state tracking on SCTP connections.
177
178	  If unsure, say Y.
179
180config NF_CT_PROTO_UDPLITE
181	bool 'UDP-Lite protocol connection tracking support'
182	depends on NETFILTER_ADVANCED
183	default y
184	help
185	  With this option enabled, the layer 3 independent connection
186	  tracking code will be able to do state tracking on UDP-Lite
187	  connections.
188
189	  If unsure, say Y.
190
191config NF_CONNTRACK_AMANDA
192	tristate "Amanda backup protocol support"
193	depends on NETFILTER_ADVANCED
194	select TEXTSEARCH
195	select TEXTSEARCH_KMP
196	help
197	  If you are running the Amanda backup package <http://www.amanda.org/>
198	  on this machine or machines that will be MASQUERADED through this
199	  machine, then you may want to enable this feature.  This allows the
200	  connection tracking and natting code to allow the sub-channels that
201	  Amanda requires for communication of the backup data, messages and
202	  index.
203
204	  To compile it as a module, choose M here.  If unsure, say N.
205
206config NF_CONNTRACK_FTP
207	tristate "FTP protocol support"
208	default m if NETFILTER_ADVANCED=n
209	help
210	  Tracking FTP connections is problematic: special helpers are
211	  required for tracking them, and doing masquerading and other forms
212	  of Network Address Translation on them.
213
214	  This is FTP support on Layer 3 independent connection tracking.
215	  Layer 3 independent connection tracking is an experimental scheme
216	  which generalizes ip_conntrack to support other layer 3 protocols.
217
218	  To compile it as a module, choose M here.  If unsure, say N.
219
220config NF_CONNTRACK_H323
221	tristate "H.323 protocol support"
222	depends on IPV6 || IPV6=n
223	depends on NETFILTER_ADVANCED
224	help
225	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
226	  important VoIP protocols, it is widely used by voice hardware and
227	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
228	  Gnomemeeting, etc.
229
230	  With this module you can support H.323 on a connection tracking/NAT
231	  firewall.
232
233	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
234	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
235	  whiteboard, file transfer, etc. For more information, please
236	  visit http://nath323.sourceforge.net/.
237
238	  To compile it as a module, choose M here.  If unsure, say N.
239
240config NF_CONNTRACK_IRC
241	tristate "IRC protocol support"
242	default m if NETFILTER_ADVANCED=n
243	help
244	  There is a commonly-used extension to IRC called
245	  Direct Client-to-Client Protocol (DCC).  This enables users to send
246	  files to each other, and also chat to each other without the need
247	  of a server.  DCC Sending is used anywhere you send files over IRC,
248	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
249	  using NAT, this extension will enable you to send files and initiate
250	  chats.  Note that you do NOT need this extension to get files or
251	  have others initiate chats, or everything else in IRC.
252
253	  To compile it as a module, choose M here.  If unsure, say N.
254
255config NF_CONNTRACK_BROADCAST
256	tristate
257
258config NF_CONNTRACK_NETBIOS_NS
259	tristate "NetBIOS name service protocol support"
260	select NF_CONNTRACK_BROADCAST
261	help
262	  NetBIOS name service requests are sent as broadcast messages from an
263	  unprivileged port and responded to with unicast messages to the
264	  same port. This makes them hard to firewall properly because connection
265	  tracking doesn't deal with broadcasts. This helper tracks locally
266	  originating NetBIOS name service requests and the corresponding
267	  responses. It relies on correct IP address configuration, specifically
268	  netmask and broadcast address. When properly configured, the output
269	  of "ip address show" should look similar to this:
270
271	  $ ip -4 address show eth0
272	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
273	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
274
275	  To compile it as a module, choose M here.  If unsure, say N.
276
277config NF_CONNTRACK_SNMP
278	tristate "SNMP service protocol support"
279	depends on NETFILTER_ADVANCED
280	select NF_CONNTRACK_BROADCAST
281	help
282	  SNMP service requests are sent as broadcast messages from an
283	  unprivileged port and responded to with unicast messages to the
284	  same port. This makes them hard to firewall properly because connection
285	  tracking doesn't deal with broadcasts. This helper tracks locally
286	  originating SNMP service requests and the corresponding
287	  responses. It relies on correct IP address configuration, specifically
288	  netmask and broadcast address.
289
290	  To compile it as a module, choose M here.  If unsure, say N.
291
292config NF_CONNTRACK_PPTP
293	tristate "PPtP protocol support"
294	depends on NETFILTER_ADVANCED
295	select NF_CT_PROTO_GRE
296	help
297	  This module adds support for PPTP (Point to Point Tunnelling
298	  Protocol, RFC2637) connection tracking and NAT.
299
300	  If you are running PPTP sessions over a stateful firewall or NAT
301	  box, you may want to enable this feature.
302
303	  Please note that not all PPTP modes of operation are supported yet.
304	  Specifically these limitations exist:
305	    - Blindly assumes that control connections are always established
306	      in PNS->PAC direction. This is a violation of RFC2637.
307	    - Only supports a single call within each session
308
309	  To compile it as a module, choose M here.  If unsure, say N.
310
311config NF_CONNTRACK_SANE
312	tristate "SANE protocol support"
313	depends on NETFILTER_ADVANCED
314	help
315	  SANE is a protocol for remote access to scanners as implemented
316	  by the 'saned' daemon. Like FTP, it uses separate control and
317	  data connections.
318
319	  With this module you can support SANE on a connection tracking
320	  firewall.
321
322	  To compile it as a module, choose M here.  If unsure, say N.
323
324config NF_CONNTRACK_SIP
325	tristate "SIP protocol support"
326	default m if NETFILTER_ADVANCED=n
327	help
328	  SIP is an application-layer control protocol that can establish,
329	  modify, and terminate multimedia sessions (conferences) such as
330	  Internet telephony calls. With the ip_conntrack_sip and
331	  the nf_nat_sip modules you can support the protocol on a connection
332	  tracking/NATing firewall.
333
334	  To compile it as a module, choose M here.  If unsure, say N.
335
336config NF_CONNTRACK_TFTP
337	tristate "TFTP protocol support"
338	depends on NETFILTER_ADVANCED
339	help
340	  TFTP connection tracking helper; whether this is required depends
341	  on how restrictive your ruleset is.
342	  If you are using a tftp client behind -j SNAT or -j MASQUERADE
343	  you will need this.
344
345	  To compile it as a module, choose M here.  If unsure, say N.
346
347config NF_CT_NETLINK
348	tristate 'Connection tracking netlink interface'
349	select NETFILTER_NETLINK
350	default m if NETFILTER_ADVANCED=n
351	help
352	  This option enables support for a netlink-based userspace interface.
353
354config NF_CT_NETLINK_TIMEOUT
355	tristate  'Connection tracking timeout tuning via Netlink'
356	select NETFILTER_NETLINK
357	depends on NETFILTER_ADVANCED
358	help
359	  This option enables support for connection tracking timeout
360	  fine-grain tuning. This allows you to attach specific timeout
361	  policies to flows, instead of using the global timeout policy.
362
363	  If unsure, say `N'.
364
365config NF_CT_NETLINK_HELPER
366	tristate 'Connection tracking helpers in user-space via Netlink'
367	select NETFILTER_NETLINK
368	depends on NF_CT_NETLINK
369	depends on NETFILTER_NETLINK_QUEUE
370	depends on NETFILTER_NETLINK_GLUE_CT
371	depends on NETFILTER_ADVANCED
372	help
373	  This option enables the user-space connection tracking helpers
374	  infrastructure.
375
376	  If unsure, say `N'.
377
378config NETFILTER_NETLINK_GLUE_CT
379	bool "NFQUEUE and NFLOG integration with Connection Tracking"
380	default n
381	depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
382	help
383	  If this option is enabled, NFQUEUE and NFLOG can include
384	  Connection Tracking information together with the packet that is
385	  enqueued via NFNETLINK.
386
387config NF_NAT
388	tristate
389
390config NF_NAT_NEEDED
391	bool
392	depends on NF_NAT
393	default y
394
395config NF_NAT_PROTO_DCCP
396	bool
397	depends on NF_NAT && NF_CT_PROTO_DCCP
398	default NF_NAT && NF_CT_PROTO_DCCP
399
400config NF_NAT_PROTO_UDPLITE
401	bool
402	depends on NF_NAT && NF_CT_PROTO_UDPLITE
403	default NF_NAT && NF_CT_PROTO_UDPLITE
404
405config NF_NAT_PROTO_SCTP
406	bool
407	default NF_NAT && NF_CT_PROTO_SCTP
408	depends on NF_NAT && NF_CT_PROTO_SCTP
409
410config NF_NAT_AMANDA
411	tristate
412	depends on NF_CONNTRACK && NF_NAT
413	default NF_NAT && NF_CONNTRACK_AMANDA
414
415config NF_NAT_FTP
416	tristate
417	depends on NF_CONNTRACK && NF_NAT
418	default NF_NAT && NF_CONNTRACK_FTP
419
420config NF_NAT_IRC
421	tristate
422	depends on NF_CONNTRACK && NF_NAT
423	default NF_NAT && NF_CONNTRACK_IRC
424
425config NF_NAT_SIP
426	tristate
427	depends on NF_CONNTRACK && NF_NAT
428	default NF_NAT && NF_CONNTRACK_SIP
429
430config NF_NAT_TFTP
431	tristate
432	depends on NF_CONNTRACK && NF_NAT
433	default NF_NAT && NF_CONNTRACK_TFTP
434
435config NF_NAT_REDIRECT
436	bool
437
438config NETFILTER_SYNPROXY
439	tristate
440
441endif # NF_CONNTRACK
442
443config NF_OSF
444	tristate
445
446config NF_TABLES
447	select NETFILTER_NETLINK
448	tristate "Netfilter nf_tables support"
449	help
450	  nftables is the new packet classification framework that intends to
451	  replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
452	  provides a pseudo-state machine with an extensible instruction-set
453	  (also known as expressions) that the userspace 'nft' utility
454	  (http://www.netfilter.org/projects/nftables) uses to build the
455	  rule-set. It also comes with the generic set infrastructure that
456	  allows you to construct mappings between matchings and actions
457	  for performance lookups.
458
459	  To compile it as a module, choose M here.
460
461if NF_TABLES
462
463config NF_TABLES_INET
464	depends on IPV6
465	select NF_TABLES_IPV4
466	select NF_TABLES_IPV6
467	bool "Netfilter nf_tables mixed IPv4/IPv6 tables support"
468	help
469	  This option enables support for a mixed IPv4/IPv6 "inet" table.
470
471config NF_TABLES_NETDEV
472	bool "Netfilter nf_tables netdev tables support"
473	help
474	  This option enables support for the "netdev" table.
475
476config NFT_NUMGEN
477	tristate "Netfilter nf_tables number generator module"
478	help
479	  This option adds the number generator expression used to perform
480	  incremental counting and random numbers bound to an upper limit.
481
482config NFT_CT
483	depends on NF_CONNTRACK
484	tristate "Netfilter nf_tables conntrack module"
485	help
486	  This option adds the "ct" expression that you can use to match
487	  connection tracking information such as the flow state.
488
489config NFT_FLOW_OFFLOAD
490	depends on NF_CONNTRACK && NF_FLOW_TABLE
491	tristate "Netfilter nf_tables hardware flow offload module"
492	help
493	  This option adds the "flow_offload" expression that you can use to
494	  choose what flows are placed into the hardware.
495
496config NFT_SET_RBTREE
497	tristate "Netfilter nf_tables rbtree set module"
498	help
499	  This option adds the "rbtree" set type (Red Black tree) that is used
500	  to build interval-based sets.
501
502config NFT_SET_HASH
503	tristate "Netfilter nf_tables hash set module"
504	help
505	  This option adds the "hash" set type that is used to build one-way
506	  mappings between matchings and actions.
507
508config NFT_SET_BITMAP
509	tristate "Netfilter nf_tables bitmap set module"
510	help
511	  This option adds the "bitmap" set type that is used to build sets
512	  whose keys are 16 bits or smaller.
513
514config NFT_COUNTER
515	tristate "Netfilter nf_tables counter module"
516	help
517	  This option adds the "counter" expression that you can use to
518	  include packet and byte counters in a rule.
519
520config NFT_CONNLIMIT
521	tristate "Netfilter nf_tables connlimit module"
522	depends on NF_CONNTRACK
523	depends on NETFILTER_ADVANCED
524	select NETFILTER_CONNCOUNT
525	help
526	  This option adds the "connlimit" expression that you can use to
527	  rate-limit rule matchings per connection.
528
529config NFT_LOG
530	tristate "Netfilter nf_tables log module"
531	help
532	  This option adds the "log" expression that you can use to log
533	  packets matching some criteria.
534
535config NFT_LIMIT
536	tristate "Netfilter nf_tables limit module"
537	help
538	  This option adds the "limit" expression that you can use to
539	  ratelimit rule matchings.
540
541config NFT_MASQ
542	depends on NF_CONNTRACK
543	depends on NF_NAT
544	tristate "Netfilter nf_tables masquerade support"
545	help
546	  This option adds the "masquerade" expression that you can use
547	  to perform NAT in the masquerade flavour.
548
549config NFT_REDIR
550	depends on NF_CONNTRACK
551	depends on NF_NAT
552	tristate "Netfilter nf_tables redirect support"
553	help
554	  This option adds the "redirect" expression that you can use
555	  to perform NAT in the redirect flavour.
556
557config NFT_NAT
558	depends on NF_CONNTRACK
559	select NF_NAT
560	tristate "Netfilter nf_tables nat module"
561	help
562	  This option adds the "nat" expression that you can use to perform
563	  typical Network Address Translation (NAT) packet transformations.
564
565config NFT_OBJREF
566	tristate "Netfilter nf_tables stateful object reference module"
567	help
568	  This option adds the "objref" expression that allows you to refer to
569	  stateful objects, such as counters and quotas.
570
571config NFT_QUEUE
572	depends on NETFILTER_NETLINK_QUEUE
573	tristate "Netfilter nf_tables queue module"
574	help
575	  This is required if you intend to use the userspace queueing
576	  infrastructure (also known as NFQUEUE) from nftables.
577
578config NFT_QUOTA
579	tristate "Netfilter nf_tables quota module"
580	help
581	  This option adds the "quota" expression that you can use to
582	  enforce byte quotas.
583
584config NFT_REJECT
585	default m if NETFILTER_ADVANCED=n
586	tristate "Netfilter nf_tables reject support"
587	depends on !NF_TABLES_INET || (IPV6!=m || m)
588	help
589	  This option adds the "reject" expression that you can use to
590	  explicitly deny disallowed traffic and notify the sender via
591	  TCP reset or ICMP error messages.
592
593config NFT_REJECT_INET
594	depends on NF_TABLES_INET
595	default NFT_REJECT
596	tristate
597
598config NFT_COMPAT
599	depends on NETFILTER_XTABLES
600	tristate "Netfilter x_tables over nf_tables module"
601	help
602	  This is required if you intend to use any of the existing
603	  x_tables match/target extensions over the nf_tables
604	  framework.
605
606config NFT_HASH
607	tristate "Netfilter nf_tables hash module"
608	help
609	  This option adds the "hash" expression that you can use to perform
610	  a hash operation on registers.
611
612config NFT_FIB
613	tristate
614
615config NFT_FIB_INET
616	depends on NF_TABLES_INET
617	depends on NFT_FIB_IPV4
618	depends on NFT_FIB_IPV6
619	tristate "Netfilter nf_tables fib inet support"
620	help
621	  This option allows using the FIB expression from the inet table.
622	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
623	  on the protocol of the packet.
624
625config NFT_SOCKET
626	tristate "Netfilter nf_tables socket match support"
627	depends on IPV6 || IPV6=n
628	select NF_SOCKET_IPV4
629	select NF_SOCKET_IPV6 if IPV6
630	help
631	  This option allows matching for the presence or absence of a
632	  corresponding socket and its attributes.
633
634if NF_TABLES_NETDEV
635
636config NF_DUP_NETDEV
637	tristate "Netfilter packet duplication support"
638	help
639	  This option enables the generic packet duplication infrastructure
640	  for Netfilter.
641
642config NFT_DUP_NETDEV
643	tristate "Netfilter nf_tables netdev packet duplication support"
644	select NF_DUP_NETDEV
645	help
646	  This option enables packet duplication for the "netdev" family.
647
648config NFT_FWD_NETDEV
649	tristate "Netfilter nf_tables netdev packet forwarding support"
650	select NF_DUP_NETDEV
651	help
652	  This option enables packet forwarding for the "netdev" family.
653
654config NFT_FIB_NETDEV
655	depends on NFT_FIB_IPV4
656	depends on NFT_FIB_IPV6
657	tristate "Netfilter nf_tables netdev fib lookups support"
658	help
659	  This option allows using the FIB expression from the netdev table.
660	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
661	  on the protocol of the packet.
662
663endif # NF_TABLES_NETDEV
664
665endif # NF_TABLES
666
667config NF_FLOW_TABLE_INET
668	tristate "Netfilter flow table mixed IPv4/IPv6 module"
669	depends on NF_FLOW_TABLE
670	help
671          This option adds the flow table mixed IPv4/IPv6 support.
672
673	  To compile it as a module, choose M here.
674
675config NF_FLOW_TABLE
676	tristate "Netfilter flow table module"
677	depends on NETFILTER_INGRESS
678	depends on NF_CONNTRACK
679	depends on NF_TABLES
680	help
681	  This option adds the flow table core infrastructure.
682
683	  To compile it as a module, choose M here.
684
685config NETFILTER_XTABLES
686	tristate "Netfilter Xtables support (required for ip_tables)"
687	default m if NETFILTER_ADVANCED=n
688	help
689	  This is required if you intend to use any of ip_tables,
690	  ip6_tables or arp_tables.
691
692if NETFILTER_XTABLES
693
694comment "Xtables combined modules"
695
696config NETFILTER_XT_MARK
697	tristate 'nfmark target and match support'
698	default m if NETFILTER_ADVANCED=n
699	---help---
700	This option adds the "MARK" target and "mark" match.
701
702	Netfilter mark matching allows you to match packets based on the
703	"nfmark" value in the packet.
704	The target allows you to create rules in the "mangle" table which alter
705	the netfilter mark (nfmark) field associated with the packet.
706
707	Prior to routing, the nfmark can influence the routing method and can
708	also be used by other subsystems to change their behavior.
709
710config NETFILTER_XT_CONNMARK
711	tristate 'ctmark target and match support'
712	depends on NF_CONNTRACK
713	depends on NETFILTER_ADVANCED
714	select NF_CONNTRACK_MARK
715	---help---
716	This option adds the "CONNMARK" target and "connmark" match.
717
718	Netfilter allows you to store a mark value per connection (a.k.a.
719	ctmark), similarly to the packet mark (nfmark). Using this
720	target and match, you can set and match on this mark.
721
722config NETFILTER_XT_SET
723	tristate 'set target and match support'
724	depends on IP_SET
725	depends on NETFILTER_ADVANCED
726	help
727	  This option adds the "SET" target and "set" match.
728
729	  Using this target and match, you can add/delete and match
730	  elements in the sets created by ipset(8).
731
732	  To compile it as a module, choose M here.  If unsure, say N.
733
734# alphabetically ordered list of targets
735
736comment "Xtables targets"
737
738config NETFILTER_XT_TARGET_AUDIT
739	tristate "AUDIT target support"
740	depends on AUDIT
741	depends on NETFILTER_ADVANCED
742	---help---
743	  This option adds an `AUDIT' target, which can be used to create
744	  audit records for packets dropped/accepted.
745
746	  To compile it as a module, choose M here. If unsure, say N.
747
748config NETFILTER_XT_TARGET_CHECKSUM
749	tristate "CHECKSUM target support"
750	depends on IP_NF_MANGLE || IP6_NF_MANGLE
751	depends on NETFILTER_ADVANCED
752	---help---
753	  This option adds a `CHECKSUM' target, which can be used in the iptables mangle
754	  table.
755
756	  You can use this target to compute and fill in the checksum in
757	  a packet that lacks a checksum.  This is particularly useful,
758	  if you need to work around old applications such as dhcp clients,
759	  that do not work well with checksum offloads, but don't want to disable
760	  checksum offload in your device.
761
762	  To compile it as a module, choose M here.  If unsure, say N.
763
764config NETFILTER_XT_TARGET_CLASSIFY
765	tristate '"CLASSIFY" target support'
766	depends on NETFILTER_ADVANCED
767	help
768	  This option adds a `CLASSIFY' target, which enables the user to set
769	  the priority of a packet. Some qdiscs can use this value for
770	  classification, among these are:
771
772  	  atm, cbq, dsmark, pfifo_fast, htb, prio
773
774	  To compile it as a module, choose M here.  If unsure, say N.
775
776config NETFILTER_XT_TARGET_CONNMARK
777	tristate  '"CONNMARK" target support'
778	depends on NF_CONNTRACK
779	depends on NETFILTER_ADVANCED
780	select NETFILTER_XT_CONNMARK
781	---help---
782	This is a backwards-compat option for the user's convenience
783	(e.g. when running oldconfig). It selects
784	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
785
786config NETFILTER_XT_TARGET_CONNSECMARK
787	tristate '"CONNSECMARK" target support'
788	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
789	default m if NETFILTER_ADVANCED=n
790	help
791	  The CONNSECMARK target copies security markings from packets
792	  to connections, and restores security markings from connections
793	  to packets (if the packets are not already marked).  This would
794	  normally be used in conjunction with the SECMARK target.
795
796	  To compile it as a module, choose M here.  If unsure, say N.
797
798config NETFILTER_XT_TARGET_CT
799	tristate '"CT" target support'
800	depends on NF_CONNTRACK
801	depends on IP_NF_RAW || IP6_NF_RAW
802	depends on NETFILTER_ADVANCED
803	help
804	  This option adds a `CT' target, which allows you to specify initial
805	  connection tracking parameters like events to be delivered and
806	  the helper to be used.
807
808	  To compile it as a module, choose M here.  If unsure, say N.
809
810config NETFILTER_XT_TARGET_DSCP
811	tristate '"DSCP" and "TOS" target support'
812	depends on IP_NF_MANGLE || IP6_NF_MANGLE
813	depends on NETFILTER_ADVANCED
814	help
815	  This option adds a `DSCP' target, which allows you to manipulate
816	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
817
818	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
819
820	  It also adds the "TOS" target, which allows you to create rules in
821	  the "mangle" table which alter the Type Of Service field of an IPv4
822	  or the Priority field of an IPv6 packet, prior to routing.
823
824	  To compile it as a module, choose M here.  If unsure, say N.
825
826config NETFILTER_XT_TARGET_HL
827	tristate '"HL" hoplimit target support'
828	depends on IP_NF_MANGLE || IP6_NF_MANGLE
829	depends on NETFILTER_ADVANCED
830	---help---
831	This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
832	targets, which enable the user to change the
833	hoplimit/time-to-live value of the IP header.
834
835	While it is safe to decrement the hoplimit/TTL value, the
836	modules also allow incrementing the hoplimit/TTL or setting it
837	to arbitrary values. This is EXTREMELY DANGEROUS since you can
838	easily create immortal packets that loop forever on the
839	network.
840
841config NETFILTER_XT_TARGET_HMARK
842	tristate '"HMARK" target support'
843	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
844	depends on NETFILTER_ADVANCED
845	---help---
846	This option adds the "HMARK" target.
847
848	The target allows you to create rules in the "raw" and "mangle" tables
849	which set the skbuff mark by means of hash calculation within a given
850	range. The nfmark can influence the routing method and can also be used
851	by other subsystems to change their behaviour.
852
853	To compile it as a module, choose M here. If unsure, say N.
854
855config NETFILTER_XT_TARGET_IDLETIMER
856	tristate  "IDLETIMER target support"
857	depends on NETFILTER_ADVANCED
858	help
859
860	  This option adds the `IDLETIMER' target.  Each matching packet
861	  resets the timer associated with the label specified when the rule
862	  is added.  When the timer expires, it triggers a sysfs notification.
863	  The remaining time until expiration can be read via sysfs.
864
865	  To compile it as a module, choose M here.  If unsure, say N.
866
867config NETFILTER_XT_TARGET_LED
868	tristate '"LED" target support'
869	depends on LEDS_CLASS && LEDS_TRIGGERS
870	depends on NETFILTER_ADVANCED
871	help
872	  This option adds a `LED' target, which allows you to blink LEDs in
873	  response to particular packets passing through your machine.
874
875	  This can be used to turn a spare LED into a network activity LED,
876	  which only flashes in response to FTP transfers, for example.  Or
877	  you could have an LED which lights up for a minute or two every time
878	  somebody connects to your machine via SSH.
879
880	  You will need support for the "led" class to make this work.
881
882	  To create an LED trigger for incoming SSH traffic:
883	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
884
885	  Then attach the new trigger to an LED on your system:
886	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
887
888	  For more information on the LEDs available on your system, see
889	  Documentation/leds/leds-class.txt
890
891config NETFILTER_XT_TARGET_LOG
892	tristate "LOG target support"
893	select NF_LOG_COMMON
894	select NF_LOG_IPV4
895	select NF_LOG_IPV6 if IPV6
896	default m if NETFILTER_ADVANCED=n
897	help
898	  This option adds a `LOG' target, which allows you to create rules in
899	  any iptables table which records the packet header to the syslog.
900
901	  To compile it as a module, choose M here.  If unsure, say N.
902
903config NETFILTER_XT_TARGET_MARK
904	tristate '"MARK" target support'
905	depends on NETFILTER_ADVANCED
906	select NETFILTER_XT_MARK
907	---help---
908	This is a backwards-compat option for the user's convenience
909	(e.g. when running oldconfig). It selects
910	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
911
912config NETFILTER_XT_NAT
913	tristate '"SNAT and DNAT" targets support'
914	depends on NF_NAT
915	---help---
916	This option enables the SNAT and DNAT targets.
917
918	To compile it as a module, choose M here. If unsure, say N.
919
920config NETFILTER_XT_TARGET_NETMAP
921	tristate '"NETMAP" target support'
922	depends on NF_NAT
923	---help---
924	NETMAP is an implementation of static 1:1 NAT mapping of network
925	addresses. It maps the network address part, while keeping the host
926	address part intact.
927
928	To compile it as a module, choose M here. If unsure, say N.
929
930config NETFILTER_XT_TARGET_NFLOG
931	tristate '"NFLOG" target support'
932	default m if NETFILTER_ADVANCED=n
933	select NETFILTER_NETLINK_LOG
934	help
935	  This option enables the NFLOG target, which allows you to log
936	  messages through nfnetlink_log.
937
938	  To compile it as a module, choose M here.  If unsure, say N.
939
940config NETFILTER_XT_TARGET_NFQUEUE
941	tristate '"NFQUEUE" target Support'
942	depends on NETFILTER_ADVANCED
943	select NETFILTER_NETLINK_QUEUE
944	help
945	  This target replaced the old obsolete QUEUE target.
946
947	  As opposed to QUEUE, it supports 65535 different queues,
948	  not just one.
949
950	  To compile it as a module, choose M here.  If unsure, say N.
951
952config NETFILTER_XT_TARGET_NOTRACK
953	tristate  '"NOTRACK" target support (DEPRECATED)'
954	depends on NF_CONNTRACK
955	depends on IP_NF_RAW || IP6_NF_RAW
956	depends on NETFILTER_ADVANCED
957	select NETFILTER_XT_TARGET_CT
958
959config NETFILTER_XT_TARGET_RATEEST
960	tristate '"RATEEST" target support'
961	depends on NETFILTER_ADVANCED
962	help
963	  This option adds a `RATEEST' target, which allows you to measure
964	  rates similar to TC estimators. The `rateest' match can be
965	  used to match on the measured rates.
966
967	  To compile it as a module, choose M here.  If unsure, say N.
968
969config NETFILTER_XT_TARGET_REDIRECT
970	tristate "REDIRECT target support"
971	depends on NF_NAT
972	select NF_NAT_REDIRECT
973	---help---
974	REDIRECT is a special case of NAT: all incoming connections are
975	mapped onto the incoming interface's address, causing the packets to
976	come to the local machine instead of passing through. This is
977	useful for transparent proxies.
978
979	To compile it as a module, choose M here. If unsure, say N.
980
981config NETFILTER_XT_TARGET_TEE
982	tristate '"TEE" - packet cloning to alternate destination'
983	depends on NETFILTER_ADVANCED
984	depends on IPV6 || IPV6=n
985	depends on !NF_CONNTRACK || NF_CONNTRACK
986	select NF_DUP_IPV4
987	select NF_DUP_IPV6 if IPV6
988	---help---
989	This option adds a "TEE" target with which a packet can be cloned and
990	this clone be rerouted to another nexthop.
991
992config NETFILTER_XT_TARGET_TPROXY
993	tristate '"TPROXY" target transparent proxying support'
994	depends on NETFILTER_XTABLES
995	depends on NETFILTER_ADVANCED
996	depends on IPV6 || IPV6=n
997	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
998	depends on IP_NF_MANGLE
999	select NF_DEFRAG_IPV4
1000	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1001	select NF_TPROXY_IPV4
1002	select NF_TPROXY_IPV6 if IP6_NF_IPTABLES
1003	help
1004	  This option adds a `TPROXY' target, which is somewhat similar to
1005	  REDIRECT.  It can only be used in the mangle table and is useful
1006	  to redirect traffic to a transparent proxy.  It does _not_ depend
1007	  on Netfilter connection tracking and NAT, unlike REDIRECT.
1008	  For it to work you will have to configure certain iptables rules
1009	  and use policy routing. For more information on how to set it up
1010	  see Documentation/networking/tproxy.txt.
1011
1012	  To compile it as a module, choose M here.  If unsure, say N.
1013
1014config NETFILTER_XT_TARGET_TRACE
1015	tristate  '"TRACE" target support'
1016	depends on IP_NF_RAW || IP6_NF_RAW
1017	depends on NETFILTER_ADVANCED
1018	help
1019	  The TRACE target allows you to mark packets so that the kernel
1020	  will log every rule which matches the packets as they traverse
1021	  the tables, chains and rules.
1022
1023	  If you want to compile it as a module, say M here and read
1024	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1025
1026config NETFILTER_XT_TARGET_SECMARK
1027	tristate '"SECMARK" target support'
1028	depends on NETWORK_SECMARK
1029	default m if NETFILTER_ADVANCED=n
1030	help
1031	  The SECMARK target allows security marking of network
1032	  packets, for use with security subsystems.
1033
1034	  To compile it as a module, choose M here.  If unsure, say N.
1035
1036config NETFILTER_XT_TARGET_TCPMSS
1037	tristate '"TCPMSS" target support'
1038	depends on IPV6 || IPV6=n
1039	default m if NETFILTER_ADVANCED=n
1040	---help---
1041	  This option adds a `TCPMSS' target, which allows you to alter the
1042	  MSS value of TCP SYN packets, to control the maximum size for that
1043	  connection (usually limiting it to your outgoing interface's MTU
1044	  minus 40).
1045
1046	  This is used to overcome criminally braindead ISPs or servers which
1047	  block ICMP Fragmentation Needed packets.  The symptoms of this
1048	  problem are that everything works fine from your Linux
1049	  firewall/router, but machines behind it can never exchange large
1050	  packets:
1051	        1) Web browsers connect, then hang with no data received.
1052	        2) Small mail works fine, but large emails hang.
1053	        3) ssh works fine, but scp hangs after initial handshaking.
1054
1055	  Workaround: activate this option and add a rule to your firewall
1056	  configuration like:
1057
1058	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
1059	                 -j TCPMSS --clamp-mss-to-pmtu
1060
1061	  To compile it as a module, choose M here.  If unsure, say N.
1062
1063config NETFILTER_XT_TARGET_TCPOPTSTRIP
1064	tristate '"TCPOPTSTRIP" target support'
1065	depends on IP_NF_MANGLE || IP6_NF_MANGLE
1066	depends on NETFILTER_ADVANCED
1067	help
1068	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
1069	  TCP options from TCP packets.
1070
1071# alphabetically ordered list of matches
1072
1073comment "Xtables matches"
1074
1075config NETFILTER_XT_MATCH_ADDRTYPE
1076	tristate '"addrtype" address type match support'
1077	default m if NETFILTER_ADVANCED=n
1078	---help---
1079	  This option allows you to match what routing thinks of an address,
1080	  eg. UNICAST, LOCAL, BROADCAST, ...
1081
1082	  If you want to compile it as a module, say M here and read
1083	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1084
1085config NETFILTER_XT_MATCH_BPF
1086	tristate '"bpf" match support'
1087	depends on NETFILTER_ADVANCED
1088	help
1089	  BPF matching applies a Linux socket filter to each packet and
1090	  accepts those for which the filter returns non-zero.
1091
1092	  To compile it as a module, choose M here.  If unsure, say N.
1093
1094config NETFILTER_XT_MATCH_CGROUP
1095	tristate '"control group" match support'
1096	depends on NETFILTER_ADVANCED
1097	depends on CGROUPS
1098	select CGROUP_NET_CLASSID
1099	---help---
1100	Socket/process control group matching allows you to match locally
1101	generated packets based on which net_cls control group processes
1102	belong to.
1103
1104config NETFILTER_XT_MATCH_CLUSTER
1105	tristate '"cluster" match support'
1106	depends on NF_CONNTRACK
1107	depends on NETFILTER_ADVANCED
1108	---help---
1109	  This option allows you to build work-load-sharing clusters of
1110	  network servers/stateful firewalls without having a dedicated
1111	  load-balancing router/server/switch. Basically, this match returns
1112	  true when the packet must be handled by this cluster node. Thus,
1113	  all nodes see all packets and this match decides which node handles
1114	  what packets. The work-load sharing algorithm is based on source
1115	  address hashing.
1116
1117	  If you say Y or M here, try `iptables -m cluster --help` for
1118	  more information.
1119
1120config NETFILTER_XT_MATCH_COMMENT
1121	tristate  '"comment" match support'
1122	depends on NETFILTER_ADVANCED
1123	help
1124	  This option adds a `comment' dummy-match, which allows you to put
1125	  comments in your iptables ruleset.
1126
1127	  If you want to compile it as a module, say M here and read
1128	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1129
1130config NETFILTER_XT_MATCH_CONNBYTES
1131	tristate  '"connbytes" per-connection counter match support'
1132	depends on NF_CONNTRACK
1133	depends on NETFILTER_ADVANCED
1134	help
1135	  This option adds a `connbytes' match, which allows you to match the
1136	  number of bytes and/or packets for each direction within a connection.
1137
1138	  If you want to compile it as a module, say M here and read
1139	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1140
1141config NETFILTER_XT_MATCH_CONNLABEL
1142	tristate '"connlabel" match support'
1143	select NF_CONNTRACK_LABELS
1144	depends on NF_CONNTRACK
1145	depends on NETFILTER_ADVANCED
1146	---help---
1147	  This match allows you to test and assign userspace-defined label names
1148	  to a connection.  The kernel only stores bit values - mapping
1149	  names to bits is done by userspace.
1150
1151	  Unlike connmark, more than 32 flag bits may be assigned to a
1152	  connection simultaneously.
1153
1154config NETFILTER_XT_MATCH_CONNLIMIT
1155	tristate '"connlimit" match support'
1156	depends on NF_CONNTRACK
1157	depends on NETFILTER_ADVANCED
1158	select NETFILTER_CONNCOUNT
1159	---help---
1160	  This match allows you to match against the number of parallel
1161	  connections to a server per client IP address (or address block).
1162
1163config NETFILTER_XT_MATCH_CONNMARK
1164	tristate  '"connmark" connection mark match support'
1165	depends on NF_CONNTRACK
1166	depends on NETFILTER_ADVANCED
1167	select NETFILTER_XT_CONNMARK
1168	---help---
1169	This is a backwards-compat option for the user's convenience
1170	(e.g. when running oldconfig). It selects
1171	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
1172
1173config NETFILTER_XT_MATCH_CONNTRACK
1174	tristate '"conntrack" connection tracking match support'
1175	depends on NF_CONNTRACK
1176	default m if NETFILTER_ADVANCED=n
1177	help
1178	  This is a general conntrack match module, a superset of the state match.
1179
1180	  It allows matching on additional conntrack information, which is
1181	  useful in complex configurations, such as NAT gateways with multiple
1182	  internet links or tunnels.
1183
1184	  To compile it as a module, choose M here.  If unsure, say N.
1185
1186config NETFILTER_XT_MATCH_CPU
1187	tristate '"cpu" match support'
1188	depends on NETFILTER_ADVANCED
1189	help
1190	  CPU matching allows you to match packets based on the CPU
1191	  currently handling the packet.
1192
1193	  To compile it as a module, choose M here.  If unsure, say N.
1194
1195config NETFILTER_XT_MATCH_DCCP
1196	tristate '"dccp" protocol match support'
1197	depends on NETFILTER_ADVANCED
1198	default IP_DCCP
1199	help
1200	  With this option enabled, you will be able to use the iptables
1201	  `dccp' match in order to match on DCCP source/destination ports
1202	  and DCCP flags.
1203
1204	  If you want to compile it as a module, say M here and read
1205	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1206
1207config NETFILTER_XT_MATCH_DEVGROUP
1208	tristate '"devgroup" match support'
1209	depends on NETFILTER_ADVANCED
1210	help
1211	  This option adds a `devgroup' match, which allows you to match on the
1212	  device group a network device is assigned to.
1213
1214	  To compile it as a module, choose M here.  If unsure, say N.
1215
1216config NETFILTER_XT_MATCH_DSCP
1217	tristate '"dscp" and "tos" match support'
1218	depends on NETFILTER_ADVANCED
1219	help
1220	  This option adds a `DSCP' match, which allows you to match against
1221	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
1222
1223	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
1224
1225	  It will also add a "tos" match, which allows you to match packets
1226	  based on the Type Of Service field of the IPv4 packet (which shares
1227	  the same bits as DSCP).
1228
1229	  To compile it as a module, choose M here.  If unsure, say N.
1230
1231config NETFILTER_XT_MATCH_ECN
1232	tristate '"ecn" match support'
1233	depends on NETFILTER_ADVANCED
1234	---help---
1235	This option adds an "ECN" match, which allows you to match against
1236	the IPv4 and TCP header ECN fields.
1237
1238	To compile it as a module, choose M here. If unsure, say N.
1239
1240config NETFILTER_XT_MATCH_ESP
1241	tristate '"esp" match support'
1242	depends on NETFILTER_ADVANCED
1243	help
1244	  This match extension allows you to match a range of SPIs
1245	  inside the ESP header of IPsec packets.
1246
1247	  To compile it as a module, choose M here.  If unsure, say N.
1248
1249config NETFILTER_XT_MATCH_HASHLIMIT
1250	tristate '"hashlimit" match support'
1251	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1252	depends on NETFILTER_ADVANCED
1253	help
1254	  This option adds a `hashlimit' match.
1255
1256	  As opposed to `limit', this match dynamically creates a hash table
1257	  of limit buckets, based on your selection of source/destination
1258	  addresses and/or ports.
1259
1260	  It enables you to express policies like `10kpps for any given
1261	  destination address' or `500pps from any given source address'
1262	  with a single rule.
1263
1264config NETFILTER_XT_MATCH_HELPER
1265	tristate '"helper" match support'
1266	depends on NF_CONNTRACK
1267	depends on NETFILTER_ADVANCED
1268	help
1269	  Helper matching allows you to match packets in dynamic connections
1270	  tracked by a conntrack helper, e.g. ip_conntrack_ftp.
1271
1272	  To compile it as a module, choose M here.  If unsure, say Y.
1273
1274config NETFILTER_XT_MATCH_HL
1275	tristate '"hl" hoplimit/TTL match support'
1276	depends on NETFILTER_ADVANCED
1277	---help---
1278	HL matching allows you to match packets based on the hoplimit
1279	in the IPv6 header, or the time-to-live field in the IPv4
1280	header of the packet.
1281
1282config NETFILTER_XT_MATCH_IPCOMP
1283	tristate '"ipcomp" match support'
1284	depends on NETFILTER_ADVANCED
1285	help
1286	  This match extension allows you to match a range of CPIs (16 bits)
1287	  inside the IPComp header of IPsec packets.
1288
1289	  To compile it as a module, choose M here.  If unsure, say N.
1290
1291config NETFILTER_XT_MATCH_IPRANGE
1292	tristate '"iprange" address range match support'
1293	depends on NETFILTER_ADVANCED
1294	---help---
1295	This option adds an "iprange" match, which allows you to match based on
1296	an IP address range. (Normal iptables only matches on single addresses
1297	with an optional mask.)
1298
1299	If unsure, say M.
1300
1301config NETFILTER_XT_MATCH_IPVS
1302	tristate '"ipvs" match support'
1303	depends on IP_VS
1304	depends on NETFILTER_ADVANCED
1305	depends on NF_CONNTRACK
1306	help
1307	  This option allows you to match against IPVS properties of a packet.
1308
1309	  If unsure, say N.
1310
1311config NETFILTER_XT_MATCH_L2TP
1312	tristate '"l2tp" match support'
1313	depends on NETFILTER_ADVANCED
1314	default L2TP
1315	---help---
1316	This option adds an "L2TP" match, which allows you to match against
1317	L2TP protocol header fields.
1318
1319	To compile it as a module, choose M here. If unsure, say N.
1320
1321config NETFILTER_XT_MATCH_LENGTH
1322	tristate '"length" match support'
1323	depends on NETFILTER_ADVANCED
1324	help
1325	  This option allows you to match the length of a packet against a
1326	  specific value or range of values.
1327
1328	  To compile it as a module, choose M here.  If unsure, say N.
1329
1330config NETFILTER_XT_MATCH_LIMIT
1331	tristate '"limit" match support'
1332	depends on NETFILTER_ADVANCED
1333	help
1334	  limit matching allows you to control the rate at which a rule can be
1335	  matched: mainly useful in combination with the LOG target ("LOG
1336	  target support", below) and to mitigate some denial-of-service attacks.
1337
1338	  To compile it as a module, choose M here.  If unsure, say N.
1339
1340config NETFILTER_XT_MATCH_MAC
1341	tristate '"mac" address match support'
1342	depends on NETFILTER_ADVANCED
1343	help
1344	  MAC matching allows you to match packets based on the source
1345	  Ethernet address of the packet.
1346
1347	  To compile it as a module, choose M here.  If unsure, say N.
1348
1349config NETFILTER_XT_MATCH_MARK
1350	tristate '"mark" match support'
1351	depends on NETFILTER_ADVANCED
1352	select NETFILTER_XT_MARK
1353	---help---
1354	This is a backwards-compat option for the user's convenience
1355	(e.g. when running oldconfig). It selects
1356	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
1357
1358config NETFILTER_XT_MATCH_MULTIPORT
1359	tristate '"multiport" Multiple port match support'
1360	depends on NETFILTER_ADVANCED
1361	help
1362	  Multiport matching allows you to match TCP or UDP packets based on
1363	  a series of source or destination ports: normally a rule can only
1364	  match a single range of ports.
1365
1366	  To compile it as a module, choose M here.  If unsure, say N.
1367
1368config NETFILTER_XT_MATCH_NFACCT
1369	tristate '"nfacct" match support'
1370	depends on NETFILTER_ADVANCED
1371	select NETFILTER_NETLINK_ACCT
1372	help
1373	  This option allows you to use the extended accounting through
1374	  nfnetlink_acct.
1375
1376	  To compile it as a module, choose M here.  If unsure, say N.
1377
1378config NETFILTER_XT_MATCH_OSF
1379	tristate '"osf" Passive OS fingerprint match'
1380	depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
1381	select NF_OSF
1382	help
1383	  This option selects the Passive OS Fingerprinting match module
1384	  that allows you to passively match the remote operating system by
1385	  analyzing incoming TCP SYN packets.
1386
1387	  Rules and loading software can be downloaded from
1388	  http://www.ioremap.net/projects/osf
1389
1390	  To compile it as a module, choose M here.  If unsure, say N.
1391
1392config NETFILTER_XT_MATCH_OWNER
1393	tristate '"owner" match support'
1394	depends on NETFILTER_ADVANCED
1395	---help---
1396	Socket owner matching allows you to match locally-generated packets
1397	based on who created the socket: the user or group. It is also
1398	possible to check whether a socket actually exists.
1399
1400config NETFILTER_XT_MATCH_POLICY
1401	tristate 'IPsec "policy" match support'
1402	depends on XFRM
1403	default m if NETFILTER_ADVANCED=n
1404	help
1405	  Policy matching allows you to match packets based on the
1406	  IPsec policy that was used during decapsulation/will
1407	  be used during encapsulation.
1408
1409	  To compile it as a module, choose M here.  If unsure, say N.
1410
1411config NETFILTER_XT_MATCH_PHYSDEV
1412	tristate '"physdev" match support'
1413	depends on BRIDGE && BRIDGE_NETFILTER
1414	depends on NETFILTER_ADVANCED
1415	help
1416	  Physdev packet matching matches against the physical bridge ports
1417	  the IP packet arrived on or will leave by.
1418
1419	  To compile it as a module, choose M here.  If unsure, say N.
1420
1421config NETFILTER_XT_MATCH_PKTTYPE
1422	tristate '"pkttype" packet type match support'
1423	depends on NETFILTER_ADVANCED
1424	help
1425	  Packet type matching allows you to match a packet by
1426	  its "class", eg. BROADCAST, MULTICAST, ...
1427
1428	  Typical usage:
1429	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
1430
1431	  To compile it as a module, choose M here.  If unsure, say N.
1432
1433config NETFILTER_XT_MATCH_QUOTA
1434	tristate '"quota" match support'
1435	depends on NETFILTER_ADVANCED
1436	help
1437	  This option adds a `quota' match, which allows you to match on a
1438	  byte counter.
1439
1440	  If you want to compile it as a module, say M here and read
1441	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1442
1443config NETFILTER_XT_MATCH_RATEEST
1444	tristate '"rateest" match support'
1445	depends on NETFILTER_ADVANCED
1446	select NETFILTER_XT_TARGET_RATEEST
1447	help
1448	  This option adds a `rateest' match, which allows you to match on the
1449	  rate estimated by the RATEEST target.
1450
1451	  To compile it as a module, choose M here.  If unsure, say N.
1452
1453config NETFILTER_XT_MATCH_REALM
1454	tristate  '"realm" match support'
1455	depends on NETFILTER_ADVANCED
1456	select IP_ROUTE_CLASSID
1457	help
1458	  This option adds a `realm' match, which allows you to use the realm
1459	  key from the routing subsystem inside iptables.
1460
1461	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
1462	  in tc world.
1463
1464	  If you want to compile it as a module, say M here and read
1465	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1466
1467config NETFILTER_XT_MATCH_RECENT
1468	tristate '"recent" match support'
1469	depends on NETFILTER_ADVANCED
1470	---help---
1471	This match is used for creating one or many lists of recently
1472	used addresses and then matching against that/those list(s).
1473
1474	Short options are available by using 'iptables -m recent -h'
1475	Official Website: <http://snowman.net/projects/ipt_recent/>
1476
1477config NETFILTER_XT_MATCH_SCTP
1478	tristate  '"sctp" protocol match support'
1479	depends on NETFILTER_ADVANCED
1480	default IP_SCTP
1481	help
1482	  With this option enabled, you will be able to use the
1483	  `sctp' match in order to match on SCTP source/destination ports
1484	  and SCTP chunk types.
1485
1486	  If you want to compile it as a module, say M here and read
1487	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1488
1489config NETFILTER_XT_MATCH_SOCKET
1490	tristate '"socket" match support'
1491	depends on NETFILTER_XTABLES
1492	depends on NETFILTER_ADVANCED
1493	depends on IPV6 || IPV6=n
1494	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1495	depends on NF_SOCKET_IPV4
1496	depends on NF_SOCKET_IPV6
1497	select NF_DEFRAG_IPV4
1498	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1499	help
1500	  This option adds a `socket' match, which can be used to match
1501	  packets for which a TCP or UDP socket lookup finds a valid socket.
1502	  It can be used in combination with the MARK target and policy
1503	  routing to implement full featured non-locally bound sockets.
1504
1505	  To compile it as a module, choose M here.  If unsure, say N.
1506
1507config NETFILTER_XT_MATCH_STATE
1508	tristate '"state" match support'
1509	depends on NF_CONNTRACK
1510	default m if NETFILTER_ADVANCED=n
1511	help
1512	  Connection state matching allows you to match packets based on their
1513	  relationship to a tracked connection (ie. previous packets).  This
1514	  is a powerful tool for packet classification.
1515
1516	  To compile it as a module, choose M here.  If unsure, say N.
1517
1518config NETFILTER_XT_MATCH_STATISTIC
1519	tristate '"statistic" match support'
1520	depends on NETFILTER_ADVANCED
1521	help
1522	  This option adds a `statistic' match, which allows you to match
1523	  on packets periodically or randomly with a given percentage.
1524
1525	  To compile it as a module, choose M here.  If unsure, say N.
1526
1527config NETFILTER_XT_MATCH_STRING
1528	tristate  '"string" match support'
1529	depends on NETFILTER_ADVANCED
1530	select TEXTSEARCH
1531	select TEXTSEARCH_KMP
1532	select TEXTSEARCH_BM
1533	select TEXTSEARCH_FSM
1534	help
1535	  This option adds a `string' match, which allows you to search for
1536	  patterns in packets.
1537
1538	  To compile it as a module, choose M here.  If unsure, say N.
1539
1540config NETFILTER_XT_MATCH_TCPMSS
1541	tristate '"tcpmss" match support'
1542	depends on NETFILTER_ADVANCED
1543	help
1544	  This option adds a `tcpmss' match, which allows you to examine the
1545	  MSS value of TCP SYN packets, which controls the maximum packet size
1546	  for that connection.
1547
1548	  To compile it as a module, choose M here.  If unsure, say N.
1549
1550config NETFILTER_XT_MATCH_TIME
1551	tristate '"time" match support'
1552	depends on NETFILTER_ADVANCED
1553	---help---
1554	  This option adds a "time" match, which allows you to match based on
1555	  the packet arrival time (at the machine on which netfilter is
1556	  running) or departure time/date (for locally generated packets).
1557
1558	  If you say Y here, try `iptables -m time --help` for
1559	  more information.
1560
1561	  If you want to compile it as a module, say M here.
1562	  If unsure, say N.
1563
1564config NETFILTER_XT_MATCH_U32
1565	tristate '"u32" match support'
1566	depends on NETFILTER_ADVANCED
1567	---help---
1568	  u32 allows you to extract quantities of up to 4 bytes from a packet,
1569	  AND them with specified masks, shift them by specified amounts and
1570	  test whether the results are in any of a set of specified ranges.
1571	  The specification of what to extract is general enough to skip over
1572	  headers with lengths stored in the packet, as in IP or TCP header
1573	  lengths.
1574
1575	  Details and examples are in the kernel module source.
1576
1577endif # NETFILTER_XTABLES
1578
1579endmenu
1580
1581source "net/netfilter/ipset/Kconfig"
1582
1583source "net/netfilter/ipvs/Kconfig"
1584