xref: /openbmc/linux/net/netfilter/Kconfig (revision c21b37f6)
menu "Core Netfilter Configuration"
	depends on NET && INET && NETFILTER

config NETFILTER_NETLINK
	tristate "Netfilter netlink interface"
	help
	  If this option is enabled, the kernel will include support
	  for the new netfilter netlink interface.

config NETFILTER_NETLINK_QUEUE
	tristate "Netfilter NFQUEUE over NFNETLINK interface"
	depends on NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for queueing packets via NFNETLINK.

config NETFILTER_NETLINK_LOG
	tristate "Netfilter LOG over NFNETLINK interface"
	depends on NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for logging packets via NFNETLINK.

	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
	  and is also scheduled to replace the old syslog-based ipt_LOG
	  and ip6t_LOG modules.

# Rename this to NF_CONNTRACK in 2.6.25
config NF_CONNTRACK_ENABLED
	tristate "Netfilter connection tracking support"
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they relate
	  to connections.

	  This is required to do Masquerading or other kinds of Network
	  Address Translation (except for Fast NAT).  It can also be used to
	  enhance packet filtering (see `Connection state match support'
	  below).

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK
	tristate
	default NF_CONNTRACK_ENABLED

config NF_CT_ACCT
	bool "Connection tracking flow accounting"
	depends on NF_CONNTRACK
	help
	  If this option is enabled, the connection tracking code will
	  keep per-flow packet and byte counters.

	  Those counters can be used for flow-based accounting or the
	  `connbytes' match.

	  If unsure, say `N'.

config NF_CONNTRACK_MARK
	bool 'Connection mark tracking support'
	depends on NF_CONNTRACK
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match. Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config NF_CONNTRACK_SECMARK
	bool 'Connection tracking security mark support'
	depends on NF_CONNTRACK && NETWORK_SECMARK
	help
	  This option enables security markings to be applied to
	  connections.  Typically they are copied to connections from
	  packets using the CONNSECMARK target and copied back from
	  connections to packets with the same target, with the packets
	  being originally labeled via SECMARK.

	  If unsure, say 'N'.

config NF_CONNTRACK_EVENTS
	bool "Connection tracking events (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_CONNTRACK
	help
	  If this option is enabled, the connection tracking code will
	  provide a notifier chain that can be used by other kernel code
	  to get notified about changes in the connection tracking state.

	  If unsure, say `N'.

config NF_CT_PROTO_GRE
	tristate
	depends on NF_CONNTRACK

config NF_CT_PROTO_SCTP
	tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
	depends on EXPERIMENTAL && NF_CONNTRACK
	default n
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on SCTP connections.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NF_CT_PROTO_UDPLITE
	tristate 'UDP-Lite protocol connection tracking support (EXPERIMENTAL)'
	depends on EXPERIMENTAL && NF_CONNTRACK
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on UDP-Lite
	  connections.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_AMANDA
	tristate "Amanda backup protocol support"
	depends on NF_CONNTRACK
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or on machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature.  This allows the
	  connection tracking and NAT code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and
	  index.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_FTP
	tristate "FTP protocol support"
	depends on NF_CONNTRACK
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and for doing masquerading and other
	  forms of Network Address Translation on them.

	  This is FTP support on layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_H323
	tristate "H.323 protocol support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_CONNTRACK && (IPV6 || IPV6=n)
	help
	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
	  important VoIP protocols, it is widely used by voice hardware and
	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
	  Gnomemeeting, etc.

	  With this module you can support H.323 on a connection tracking/NAT
	  firewall.

	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
	  whiteboard, file transfer, etc. For more information, please
	  visit http://nath323.sourceforge.net/.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_IRC
	tristate "IRC protocol support"
	depends on NF_CONNTRACK
	help
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC).  This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server.  DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats.  Note that you do NOT need this extension to get files or
	  have others initiate chats, or everything else in IRC.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_NETBIOS_NS
	tristate "NetBIOS name service protocol support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_CONNTRACK
	help
	  NetBIOS name service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating NetBIOS name service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address. When properly configured, the output
	  of "ip address show" should look similar to this:

	  $ ip -4 address show eth0
	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_PPTP
	tristate "PPtP protocol support"
	depends on NF_CONNTRACK
	select NF_CT_PROTO_GRE
	help
	  This module adds support for PPTP (Point to Point Tunnelling
	  Protocol, RFC2637) connection tracking and NAT.

	  If you are running PPTP sessions over a stateful firewall or NAT
	  box, you may want to enable this feature.

	  Please note that not all PPTP modes of operation are supported yet.
	  Specifically these limitations exist:
	    - Blindly assumes that control connections are always established
	      in PNS->PAC direction. This is a violation of RFC2637.
	    - Only supports a single call within each session

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_SANE
	tristate "SANE protocol support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_CONNTRACK
	help
	  SANE is a protocol for remote access to scanners as implemented
	  by the 'saned' daemon. Like FTP, it uses separate control and
	  data connections.

	  With this module you can support SANE on a connection tracking
	  firewall.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_SIP
	tristate "SIP protocol support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_CONNTRACK
	help
	  SIP is an application-layer control protocol that can establish,
	  modify, and terminate multimedia sessions (conferences) such as
	  Internet telephony calls. With the ip_conntrack_sip and
	  the nf_nat_sip modules you can support the protocol on a connection
	  tracking/NATing firewall.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_TFTP
	tristate "TFTP protocol support"
	depends on NF_CONNTRACK
	help
	  TFTP connection tracking helper.  Whether it is required depends
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADE
	  you will need this.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CT_NETLINK
	tristate 'Connection tracking netlink interface (EXPERIMENTAL)'
	depends on EXPERIMENTAL && NF_CONNTRACK && NETFILTER_NETLINK
	depends on NF_CONNTRACK!=y || NETFILTER_NETLINK!=m
	depends on NF_NAT=n || NF_NAT
	help
	  This option enables support for a netlink-based userspace interface.

config NETFILTER_XTABLES
	tristate "Netfilter Xtables support (required for ip_tables)"
	help
	  This is required if you intend to use any of ip_tables,
	  ip6_tables or arp_tables.

# alphabetically ordered list of targets

config NETFILTER_XT_TARGET_CLASSIFY
	tristate '"CLASSIFY" target support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet. Some qdiscs can use this value for
	  classification, among these are:

	  atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_CONNMARK
	tristate '"CONNMARK" target support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NF_CONNTRACK
	select NF_CONNTRACK_MARK
	help
	  This option adds a `CONNMARK' target, which allows one to manipulate
	  the connection mark value.  Similar to the MARK target, but
	  affects the connection mark value rather than the packet mark value.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  The module will be called
	  ipt_CONNMARK.ko.  If unsure, say `N'.

config NETFILTER_XT_TARGET_DSCP
	tristate '"DSCP" target support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	help
	  This option adds a `DSCP' target, which allows you to manipulate
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_MARK
	tristate '"MARK" target support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `MARK' target, which allows you to create rules
	  in the `mangle' table which alter the netfilter mark (nfmark) field
	  associated with the packet prior to routing. This can change
	  the routing method (see `Use netfilter MARK value as routing
	  key') and can also be used by other subsystems to change their
	  behavior.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_NFQUEUE
	tristate '"NFQUEUE" target support'
	depends on NETFILTER_XTABLES
	help
	  This target replaces the old, obsolete QUEUE target.

	  As opposed to QUEUE, it supports 65535 different queues,
	  not just one.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_NFLOG
	tristate '"NFLOG" target support'
	depends on NETFILTER_XTABLES
	help
	  This option enables the NFLOG target, which allows logging
	  messages through the netfilter logging API, which can use
	  either the old LOG target, the old ULOG target or nfnetlink_log
	  as backend.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_NOTRACK
	tristate '"NOTRACK" target support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NF_CONNTRACK
	help
	  The NOTRACK target allows a rule to select which packets do
	  *not* enter the conntrack/NAT subsystem, with all the
	  consequences (no ICMP error tracking, no protocol helpers for
	  the selected packets).

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_TARGET_TRACE
	tristate '"TRACE" target support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_RAW || IP6_NF_RAW
	help
	  The TRACE target allows you to mark packets so that the kernel
	  will log every rule that matches the packets as they traverse
	  the tables, chains and rules.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_TARGET_SECMARK
	tristate '"SECMARK" target support'
	depends on NETFILTER_XTABLES && NETWORK_SECMARK
	help
	  The SECMARK target allows security marking of network
	  packets, for use with security subsystems.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_CONNSECMARK
	tristate '"CONNSECMARK" target support'
	depends on NETFILTER_XTABLES && NF_CONNTRACK && NF_CONNTRACK_SECMARK
	help
	  The CONNSECMARK target copies security markings from packets
	  to connections, and restores security markings from connections
	  to packets (if the packets are not already marked).  This would
	  normally be used in conjunction with the SECMARK target.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_TCPMSS
	tristate '"TCPMSS" target support'
	depends on NETFILTER_XTABLES && (IPV6 || IPV6=n)
	---help---
	  This option adds a `TCPMSS' target, which allows you to alter the
	  MSS value of TCP SYN packets, to control the maximum size for that
	  connection (usually limiting it to your outgoing interface's MTU
	  minus 40).

	  This is used to overcome criminally braindead ISPs or servers which
	  block ICMP Fragmentation Needed packets.  The symptoms of this
	  problem are that everything works fine from your Linux
	  firewall/router, but machines behind it can never exchange large
	  packets:
	        1) Web browsers connect, then hang with no data received.
	        2) Small mail works fine, but large emails hang.
	        3) ssh works fine, but scp hangs after initial handshaking.

	  Workaround: activate this option and add a rule to your firewall
	  configuration like:

	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
	                 -j TCPMSS --clamp-mss-to-pmtu

	  To compile it as a module, choose M here.  If unsure, say N.
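The clamping the TCPMSS target performs, modelled in user space as an added example (this is not the kernel's xt_TCPMSS code; the SYN segment, the addresses and the path MTU below are constructed for the demonstration). It selects segments with SYN set and RST clear, as the `--tcp-flags SYN,RST SYN` rule above does, rewrites the MSS option to the smaller of the advertised value and PMTU minus 40, and recomputes the TCP checksum so the rewritten SYN is still valid.

```python
"""Model of the TCPMSS target's --clamp-mss-to-pmtu behaviour on an IPv4
TCP SYN. Added example, not kernel code; the SYN segment, addresses and
path MTU used here are constructed for the demonstration."""
import struct

IPV4_TCP_OVERHEAD = 40  # 20-byte IPv4 header + 20-byte TCP header ("MTU minus 40")


def clamp_value(pmtu, advertised_mss):
    """The MSS the target writes: at most pmtu - 40, and never raised above
    what the sender already advertised."""
    return min(advertised_mss, pmtu - IPV4_TCP_OVERHEAD)


def tcp_options(tcp):
    """Yield (kind, offset_of_value, length) for every multi-byte TCP option."""
    doff = (tcp[12] >> 4) * 4          # data offset: header length in bytes
    i = 20
    while i < doff:
        kind = tcp[i]
        if kind == 0:                  # end of option list
            return
        if kind == 1:                  # NOP padding, one byte
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2 or i + length > doff:
            raise ValueError("malformed TCP option at offset %d" % i)
        yield kind, i + 2, length
        i += length


def tcp_checksum(src, dst, tcp):
    """TCP checksum over the IPv4 pseudo-header and the segment, computed
    with the checksum field treated as zero."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    data = pseudo + tcp[:16] + b"\x00\x00" + tcp[18:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def clamp_mss(src, dst, tcp, pmtu):
    """Return (new_segment, mss_written). Only segments with SYN set and RST
    clear that carry an MSS option are rewritten; anything else comes back
    unchanged with mss_written None. The real target can also insert a
    missing MSS option; this model does not."""
    flags = tcp[13]
    if not (flags & 0x02) or (flags & 0x04):
        return tcp, None
    seg = bytearray(tcp)
    for kind, off, length in tcp_options(seg):
        if kind == 2 and length == 4:   # kind 2 = Maximum Segment Size
            new = clamp_value(pmtu, struct.unpack_from("!H", seg, off)[0])
            struct.pack_into("!H", seg, off, new)
            struct.pack_into("!H", seg, 16, tcp_checksum(src, dst, seg))
            return bytes(seg), new
    return tcp, None


# Constructed sample: a SYN from 10.0.0.2:49152 to 192.0.2.10:80 advertising MSS 1460.
SRC = bytes([10, 0, 0, 2])
DST = bytes([192, 0, 2, 10])
SYN = bytes([
    0xC0, 0x00, 0x00, 0x50,   # source port 49152, destination port 80
    0x00, 0x00, 0x00, 0x01,   # sequence number
    0x00, 0x00, 0x00, 0x00,   # acknowledgement number
    0x60, 0x02,               # data offset 6 (24-byte header), flags = SYN
    0xFF, 0xFF,               # window
    0x00, 0x00,               # checksum (filled in below)
    0x00, 0x00,               # urgent pointer
    0x02, 0x04, 0x05, 0xB4,   # option: MSS = 1460
])
SYN = SYN[:16] + struct.pack("!H", tcp_checksum(SRC, DST, SYN)) + SYN[18:]

if __name__ == "__main__":
    # An uplink whose path MTU is 1400 (constructed value): MSS becomes 1360.
    clamped, mss = clamp_mss(SRC, DST, SYN, 1400)
    print("MSS rewritten to", mss)
```

With a path MTU of 1400 the option is rewritten from 1460 to 1360; with a larger PMTU the advertised value is left alone, and a non-SYN segment passes through untouched, which is the point of restricting the rule to SYNs.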

config NETFILTER_XT_MATCH_COMMENT
	tristate '"comment" match support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `comment' dummy-match, which allows you to put
	  comments in your iptables ruleset.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNBYTES
	tristate '"connbytes" per-connection counter match support'
	depends on NETFILTER_XTABLES
	depends on NF_CONNTRACK
	select NF_CT_ACCT
	help
	  This option adds a `connbytes' match, which allows you to match the
	  number of bytes and/or packets for each direction within a connection.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNLIMIT
	tristate '"connlimit" match support'
	depends on NETFILTER_XTABLES
	depends on NF_CONNTRACK
	---help---
	  This match allows you to match against the number of parallel
	  connections to a server per client IP address (or address block).

config NETFILTER_XT_MATCH_CONNMARK
	tristate '"connmark" connection mark match support'
	depends on NETFILTER_XTABLES
	depends on NF_CONNTRACK
	select NF_CONNTRACK_MARK
	help
	  This option adds a `connmark' match, which allows you to match the
	  connection mark value previously set for the session by `CONNMARK'.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  The module will be called
	  ipt_connmark.ko.  If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNTRACK
	tristate '"conntrack" connection tracking match support'
	depends on NETFILTER_XTABLES
	depends on NF_CONNTRACK
	help
	  This is a general conntrack match module, a superset of the state match.

	  It allows matching on additional conntrack information, which is
	  useful in complex configurations, such as NAT gateways with multiple
	  internet links or tunnels.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_DCCP
	tristate '"DCCP" protocol match support'
	depends on NETFILTER_XTABLES
	help
	  With this option enabled, you will be able to use the iptables
	  `dccp' match in order to match on DCCP source/destination ports
	  and DCCP flags.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_DSCP
	tristate '"DSCP" match support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_ESP
	tristate '"ESP" match support'
	depends on NETFILTER_XTABLES
	help
	  This match extension allows you to match a range of SPIs
	  inside the ESP header of IPsec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_HELPER
	tristate '"helper" match support'
	depends on NETFILTER_XTABLES
	depends on NF_CONNTRACK
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack helper, e.g. ip_conntrack_ftp.

	  To compile it as a module, choose M here.  If unsure, say Y.

config NETFILTER_XT_MATCH_LENGTH
	tristate '"length" match support'
	depends on NETFILTER_XTABLES
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_LIMIT
	tristate '"limit" match support'
	depends on NETFILTER_XTABLES
	help
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", below) and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_MAC
	tristate '"mac" address match support'
	depends on NETFILTER_XTABLES
	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_MARK
	tristate '"mark" match support'
	depends on NETFILTER_XTABLES
	help
	  Netfilter mark matching allows you to match packets based on the
	  `nfmark' value in the packet.  This can be set by the MARK target
	  (see below).

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_POLICY
	tristate 'IPsec "policy" match support'
	depends on NETFILTER_XTABLES && XFRM
	help
	  Policy matching allows you to match packets based on the
	  IPsec policy that was used during decapsulation/will
	  be used during encapsulation.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_MULTIPORT
	tristate "Multiple port match support"
	depends on NETFILTER_XTABLES
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_PHYSDEV
	tristate '"physdev" match support'
	depends on NETFILTER_XTABLES && BRIDGE && BRIDGE_NETFILTER
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_PKTTYPE
	tristate '"pkttype" packet type match support'
	depends on NETFILTER_XTABLES
	help
	  Packet type matching allows you to match a packet by
	  its "class", e.g. BROADCAST, MULTICAST, ...

	  Typical usage:
	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_QUOTA
	tristate '"quota" match support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `quota' match, which allows matching on a
	  byte counter.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_REALM
	tristate '"realm" match support'
	depends on NETFILTER_XTABLES
	select NET_CLS_ROUTE
	help
	  This option adds a `realm' match, which allows you to use the realm
	  key from the routing subsystem inside iptables.

	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
	  in the tc world.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_SCTP
	tristate '"sctp" protocol match support (EXPERIMENTAL)'
	depends on NETFILTER_XTABLES && EXPERIMENTAL
	help
	  With this option enabled, you will be able to use the
	  `sctp' match in order to match on SCTP source/destination ports
	  and SCTP chunk types.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_STATE
	tristate '"state" match support'
	depends on NETFILTER_XTABLES
	depends on NF_CONNTRACK
	help
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (i.e. previous packets).  This
	  is a powerful tool for packet classification.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_STATISTIC
	tristate '"statistic" match support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `statistic' match, which allows you to match
	  on packets periodically or randomly with a given percentage.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_STRING
	tristate '"string" match support'
	depends on NETFILTER_XTABLES
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	select TEXTSEARCH_BM
	select TEXTSEARCH_FSM
	help
	  This option adds a `string' match, which allows you to search for
	  patterns in packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_TCPMSS
	tristate '"tcpmss" match support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS value of TCP SYN packets, which controls the maximum packet size
	  for that connection.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_U32
	tristate '"u32" match support'
	depends on NETFILTER_XTABLES
	---help---
	  u32 allows you to extract quantities of up to 4 bytes from a packet,
	  AND them with specified masks, shift them by specified amounts and
	  test whether the results are in any of a set of specified ranges.
	  The specification of what to extract is general enough to skip over
	  headers with lengths stored in the packet, as in IP or TCP header
	  lengths.

	  Details and examples are in the kernel module source.
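A user-space evaluator for the u32 test language sketched above, added here as an example (it is not the xt_u32 module's code; the IPv4/TCP packet and the addresses in it are constructed). It shows the header-length skip the help text refers to: `0>>22&0x3C` extracts the IPv4 header length in bytes from the first word, and `@` re-bases the next read on it so the following offsets count from the start of the TCP header. Reads that would run past the end of the packet make the test fail rather than match.

```python
"""User-space model of the u32 test language: extract a 32-bit word, AND and
shift it, '@' to re-base on the result, then compare against ranges. Added
example, not the kernel module; the IPv4/TCP packet below is constructed."""
import re
import struct

# Numbers are decimal or 0x-prefixed hex; '&&' is handled before tokenising.
_TOKEN = re.compile(r"0x[0-9a-fA-F]+|\d+|<<|>>|[&@=:,]")


def _tokens(text):
    text = text.replace(" ", "")
    toks = _TOKEN.findall(text)
    if "".join(toks) != text:
        raise ValueError("unparsable u32 fragment: %r" % text)
    return toks


def _read32(pkt, offset):
    """Big-endian 32-bit word at byte offset, or None when the read would run
    past the end of the packet (the test then fails instead of matching)."""
    if offset < 0 or offset + 4 > len(pkt):
        return None
    return struct.unpack_from("!I", pkt, offset)[0]


def _location(pkt, toks):
    """Evaluate 'number (op number)*': '&' masks, '<<' and '>>' shift within
    32 bits, '@' adds the current value to the base and re-reads at base+number."""
    if len(toks) % 2 == 0:
        raise ValueError("operator without operand in %r" % "".join(toks))
    base = 0
    val = _read32(pkt, base + int(toks[0], 0))
    for i in range(1, len(toks), 2):
        if val is None:
            break
        op, num = toks[i], int(toks[i + 1], 0)
        if op == "&":
            val &= num
        elif op == "<<":
            val = (val << num) & 0xFFFFFFFF
        elif op == ">>":
            val >>= num
        elif op == "@":
            base += val
            val = _read32(pkt, base + num)
        else:
            raise ValueError("unexpected operator %r" % op)
    return val


def _in_ranges(val, toks):
    """Value side 'lo[:hi](,lo[:hi])*'; bounds are inclusive."""
    for part in "".join(toks).split(","):
        lo, _, hi = part.partition(":")
        if int(lo, 0) <= val <= int(hi or lo, 0):
            return True
    return False


def u32_match(pkt, expr):
    """True when every '&&'-joined 'location=value' test matches the packet."""
    for test in expr.split("&&"):
        left, sep, right = test.partition("=")
        if not sep:
            raise ValueError("test without '=': %r" % test)
        val = _location(pkt, _tokens(left))
        if val is None or not _in_ranges(val, _tokens(right)):
            return False
    return True


# Constructed sample: IPv4 (IHL 5, protocol TCP, 192.168.1.10 -> 192.168.1.5)
# carrying a bare TCP SYN (data offset 5, port 1234 -> 80); 40 bytes in total.
PKT = bytes.fromhex(
    "45000028" "00010000" "40060000" "c0a8010a" "c0a80105"
    "04d20050" "00000001" "00000000" "5002ffff" "00000000"
)

# '0>>22&0x3C' is the IPv4 header length in bytes; after '@' offsets are TCP-relative:
# '12>>26&0x3C' is the TCP data offset in bytes, '12>>16&0x3F' the flag bits.
TCP_HEADER_LEN = "0>>22&0x3C@12>>26&0x3C"
TCP_SYN_ONLY = "0>>22&0x3C@12>>16&0x3F=0x2"

if __name__ == "__main__":
    print("protocol TCP:", u32_match(PKT, "6&0xFF=6"))          # True
    print("TCP header 20 bytes:", u32_match(PKT, TCP_HEADER_LEN + "=20"))
    print("bare SYN:", u32_match(PKT, TCP_SYN_ONLY))
```

The out-of-range behaviour matters for short or truncated packets: a test such as `37=0` on the 40-byte sample needs bytes 37 to 40 and therefore fails, and an `@` that lands past the end of the packet fails the same way rather than reading garbage.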

config NETFILTER_XT_MATCH_HASHLIMIT
	tristate '"hashlimit" match support'
	depends on NETFILTER_XTABLES && (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
	help
	  This option adds a `hashlimit' match.

	  As opposed to `limit', this match dynamically creates a hash table
	  of limit buckets, based on your selection of source/destination
	  addresses and/or ports.

	  It enables you to express policies like `10kpps for any given
	  destination address' or `500pps from any given source address'
	  with a single rule.
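A token-bucket model of the hashlimit match, and of the plain limit match described earlier, added as an example (not the kernel's xt_hashlimit code; the packet trace and addresses are constructed, and the bucket arithmetic is a simplification of the kernel's credit accounting). With an empty mode there is a single bucket shared by every packet, which is what `limit` does; with mode `("src",)` each source address gets its own bucket, so one busy source exhausts only its own allowance, which is the "500pps from any given source address" policy above.

```python
"""Token-bucket model of the hashlimit match (and, with an empty mode, the
plain limit match). Added example, not the kernel's xt_hashlimit; the packet
trace at the bottom is constructed. Timestamps are passed in explicitly so
the run is deterministic."""


class Hashlimit:
    """One bucket per key; the key is built from the packet fields named in
    'mode' (the counterpart of --hashlimit-mode srcip,dstport ...). An empty
    mode means one bucket shared by all packets, i.e. the 'limit' match."""

    def __init__(self, rate_per_sec, burst, mode=(), expire_sec=10.0):
        self.rate = float(rate_per_sec)   # refill rate, packets per second
        self.burst = float(burst)         # bucket capacity, packets
        self.mode = tuple(mode)
        self.expire = expire_sec          # idle buckets are dropped after this
        self.buckets = {}                 # key -> [tokens, last_seen]

    def _key(self, pkt):
        return tuple(pkt[field] for field in self.mode)

    def _gc(self, now):
        # Buckets are created on demand and discarded once idle, so the table
        # only holds keys seen recently.
        stale = [k for k, (_, last) in self.buckets.items() if now - last > self.expire]
        for k in stale:
            del self.buckets[k]

    def check(self, pkt, now):
        """True if the packet fits in its key's allowance (the match fires),
        False if that key is over its limit."""
        self._gc(now)
        key = self._key(pkt)
        tokens, last = self.buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[key] = [tokens - 1.0, now]
            return True
        self.buckets[key] = [tokens, now]
        return False


def simulate(limiter, trace):
    """Run a (timestamp, packet) trace through a limiter; one bool per packet."""
    return [limiter.check(pkt, ts) for ts, pkt in trace]


# Constructed trace: two sources, a burst from each at t=0 and a smaller one at t=1.
TRACE = (
    [(0.0, {"src": "10.0.0.1", "dst": "192.0.2.1"})] * 4
    + [(0.0, {"src": "10.0.0.2", "dst": "192.0.2.1"})] * 2
    + [(1.0, {"src": "10.0.0.1", "dst": "192.0.2.1"})] * 3
    + [(1.0, {"src": "10.0.0.2", "dst": "192.0.2.1"})]
)

if __name__ == "__main__":
    # 2 packets/s with a burst of 3, keyed per source address, roughly
    # -m hashlimit --hashlimit 2/s --hashlimit-burst 3 --hashlimit-mode srcip
    per_source = simulate(Hashlimit(2, 3, mode=("src",)), TRACE)
    shared = simulate(Hashlimit(2, 3), TRACE)
    print("per-source accepted:", sum(per_source), "of", len(TRACE))
    print("shared bucket accepted:", sum(shared), "of", len(TRACE))
```

On this trace the per-source limiter passes 8 of the 10 packets (the fourth packet of the first burst from each source is what gets cut), while the shared bucket passes only 5, because the first source's burst uses up credit that the second source would otherwise have had.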

endmenu