menu "Core Netfilter Configuration"
	depends on NET && INET && NETFILTER

config NETFILTER_NETLINK
	tristate

config NETFILTER_NETLINK_QUEUE
	tristate "Netfilter NFQUEUE over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for queueing packets via NFNETLINK.

config NETFILTER_NETLINK_LOG
	tristate "Netfilter LOG over NFNETLINK interface"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for logging packets via NFNETLINK.

	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
	  and is also scheduled to replace the old syslog-based ipt_LOG
	  and ip6t_LOG modules.

config NF_CONNTRACK
	tristate "Netfilter connection tracking support"
	default m if NETFILTER_ADVANCED=n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is required to do Masquerading or other kinds of Network
	  Address Translation. It can also be used to enhance packet
	  filtering (see `Connection state match support' below).

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CT_ACCT
	bool "Connection tracking flow accounting"
	depends on NETFILTER_ADVANCED
	depends on NF_CONNTRACK
	help
	  If this option is enabled, the connection tracking code will
	  keep per-flow packet and byte counters.

	  Those counters can be used for flow-based accounting or the
	  `connbytes' match.

	  Please note that currently this option only sets a default state.
	  You may change it at boot time with the nf_conntrack.acct=0/1 kernel
	  parameter or by loading the nf_conntrack module with acct=0/1.

	  You may also disable/enable it on a running system with:
	   sysctl net.netfilter.nf_conntrack_acct=0/1

	  This option will be removed in 2.6.29.

	  If unsure, say `N'.

config NF_CONNTRACK_MARK
	bool 'Connection mark tracking support'
	depends on NETFILTER_ADVANCED
	depends on NF_CONNTRACK
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match. Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config NF_CONNTRACK_SECMARK
	bool 'Connection tracking security mark support'
	depends on NF_CONNTRACK && NETWORK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables security markings to be applied to
	  connections. Typically they are copied to connections from
	  packets using the CONNSECMARK target and copied back from
	  connections to packets with the same target, with the packets
	  being originally labeled via SECMARK.

	  If unsure, say 'N'.

config NF_CONNTRACK_EVENTS
	bool "Connection tracking events"
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  If this option is enabled, the connection tracking code will
	  provide a notifier chain that can be used by other kernel code
	  to get notified about changes in the connection tracking state.

	  If unsure, say `N'.

config NF_CT_PROTO_DCCP
	tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)'
	depends on EXPERIMENTAL && NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	default IP_DCCP
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on DCCP connections.

	  If unsure, say 'N'.

config NF_CT_PROTO_GRE
	tristate
	depends on NF_CONNTRACK

config NF_CT_PROTO_SCTP
	tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
	depends on EXPERIMENTAL && NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	default IP_SCTP
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on SCTP connections.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NF_CT_PROTO_UDPLITE
	tristate 'UDP-Lite protocol connection tracking support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on UDP-Lite
	  connections.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_AMANDA
	tristate "Amanda backup protocol support"
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature. This allows the
	  connection tracking and natting code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and
	  index.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_FTP
	tristate "FTP protocol support"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them.

	  This is FTP support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_H323
	tristate "H.323 protocol support"
	depends on NF_CONNTRACK && (IPV6 || IPV6=n)
	depends on NETFILTER_ADVANCED
	help
	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
	  important VoIP protocols, it is widely used by voice hardware and
	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
	  Gnomemeeting, etc.

	  With this module you can support H.323 on a connection tracking/NAT
	  firewall.

	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
	  whiteboard, file transfer, etc. For more information, please
	  visit http://nath323.sourceforge.net/.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_IRC
	tristate "IRC protocol support"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC). This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server. DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots. If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats. Note that you do NOT need this extension to get files or
	  have others initiate chats, or everything else in IRC.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_NETBIOS_NS
	tristate "NetBIOS name service protocol support"
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  NetBIOS name service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating NetBIOS name service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address. When properly configured, the output
	  of "ip address show" should look similar to this:

	  $ ip -4 address show eth0
	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_PPTP
	tristate "PPTP protocol support"
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CT_PROTO_GRE
	help
	  This module adds support for PPTP (Point to Point Tunnelling
	  Protocol, RFC2637) connection tracking and NAT.

	  If you are running PPTP sessions over a stateful firewall or NAT
	  box, you may want to enable this feature.

	  Please note that not all PPTP modes of operation are supported yet.
	  Specifically these limitations exist:
	    - Blindly assumes that control connections are always established
	      in PNS->PAC direction. This is a violation of RFC2637.
	    - Only supports a single call within each session

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SANE
	tristate "SANE protocol support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  SANE is a protocol for remote access to scanners as implemented
	  by the 'saned' daemon. Like FTP, it uses separate control and
	  data connections.

	  With this module you can support SANE on a connection tracking
	  firewall.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SIP
	tristate "SIP protocol support"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  SIP is an application-layer control protocol that can establish,
	  modify, and terminate multimedia sessions (conferences) such as
	  Internet telephony calls. With the ip_conntrack_sip and
	  the nf_nat_sip modules you can support the protocol on a connection
	  tracking/NATing firewall.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_TFTP
	tristate "TFTP protocol support"
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  TFTP connection tracking helper; whether it is required depends
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADING
	  you will need this.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CT_NETLINK
	tristate 'Connection tracking netlink interface'
	depends on NF_CONNTRACK
	select NETFILTER_NETLINK
	depends on NF_NAT=n || NF_NAT
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables support for a netlink-based userspace interface.

config NETFILTER_XTABLES
	tristate "Netfilter Xtables support (required for ip_tables)"
	default m if NETFILTER_ADVANCED=n
	help
	  This is required if you intend to use any of ip_tables,
	  ip6_tables or arp_tables.

# alphabetically ordered list of targets

config NETFILTER_XT_TARGET_CLASSIFY
	tristate '"CLASSIFY" target support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet. Some qdiscs can use this value for
	  classification, among these are:

	  atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CONNMARK
	tristate '"CONNMARK" target support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  This option adds a `CONNMARK' target, which allows one to manipulate
	  the connection mark value. Similar to the MARK target, but
	  affects the connection mark value rather than the packet mark value.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. The module will be called
	  ipt_CONNMARK.ko. If unsure, say `N'.

config NETFILTER_XT_TARGET_DSCP
	tristate '"DSCP" and "TOS" target support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' target, which allows you to manipulate
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It also adds the "TOS" target, which allows you to create rules in
	  the "mangle" table which alter the Type Of Service field of an IPv4
	  or the Priority field of an IPv6 packet, prior to routing.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_MARK
	tristate '"MARK" target support'
	depends on NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `MARK' target, which allows you to create rules
	  in the `mangle' table which alter the netfilter mark (nfmark) field
	  associated with the packet prior to routing. This can change
	  the routing method (see `Use netfilter MARK value as routing
	  key') and can also be used by other subsystems to change their
	  behavior.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NFQUEUE
	tristate '"NFQUEUE" target support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  This target replaced the old obsolete QUEUE target.

	  As opposed to QUEUE, it supports 65535 different queues,
	  not just one.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NFLOG
	tristate '"NFLOG" target support'
	depends on NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables the NFLOG target, which allows logging
	  messages through the netfilter logging API, which can use
	  either the old LOG target, the old ULOG target or nfnetlink_log
	  as backend.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NOTRACK
	tristate '"NOTRACK" target support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  The NOTRACK target allows a select rule to specify
	  which packets *not* to enter the conntrack/NAT
	  subsystem with all the consequences (no ICMP error tracking,
	  no protocol helpers for the selected packets).

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_TARGET_RATEEST
	tristate '"RATEEST" target support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `RATEEST' target, which allows you to measure
	  rates similar to TC estimators. The `rateest' match can be
	  used to match on the measured rates.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TRACE
	tristate '"TRACE" target support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	help
	  The TRACE target allows you to mark packets so that the kernel
	  will log every rule which matches the packets as they traverse
	  the tables, chains, rules.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_TARGET_SECMARK
	tristate '"SECMARK" target support'
	depends on NETFILTER_XTABLES && NETWORK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The SECMARK target allows security marking of network
	  packets, for use with security subsystems.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CONNSECMARK
	tristate '"CONNSECMARK" target support'
	depends on NETFILTER_XTABLES && NF_CONNTRACK && NF_CONNTRACK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The CONNSECMARK target copies security markings from packets
	  to connections, and restores security markings from connections
	  to packets (if the packets are not already marked). This would
	  normally be used in conjunction with the SECMARK target.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TCPMSS
	tristate '"TCPMSS" target support'
	depends on NETFILTER_XTABLES && (IPV6 || IPV6=n)
	default m if NETFILTER_ADVANCED=n
	---help---
	  This option adds a `TCPMSS' target, which allows you to alter the
	  MSS value of TCP SYN packets, to control the maximum size for that
	  connection (usually limiting it to your outgoing interface's MTU
	  minus 40).

	  This is used to overcome criminally braindead ISPs or servers which
	  block ICMP Fragmentation Needed packets. The symptoms of this
	  problem are that everything works fine from your Linux
	  firewall/router, but machines behind it can never exchange large
	  packets:
	    1) Web browsers connect, then hang with no data received.
	    2) Small mail works fine, but large emails hang.
	    3) ssh works fine, but scp hangs after initial handshaking.

	  Workaround: activate this option and add a rule to your firewall
	  configuration like:

	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
	           -j TCPMSS --clamp-mss-to-pmtu

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TCPOPTSTRIP
	tristate '"TCPOPTSTRIP" target support (EXPERIMENTAL)'
	depends on EXPERIMENTAL && NETFILTER_XTABLES
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
	  TCP options from TCP packets.

config NETFILTER_XT_MATCH_COMMENT
	tristate '"comment" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `comment' dummy-match, which allows you to put
	  comments in your iptables ruleset.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNBYTES
	tristate '"connbytes" per-connection counter match support'
	depends on NETFILTER_XTABLES
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CT_ACCT
	help
	  This option adds a `connbytes' match, which allows you to match the
	  number of bytes and/or packets for each direction within a connection.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNLIMIT
	tristate '"connlimit" match support'
	depends on NETFILTER_XTABLES
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	---help---
	  This match allows you to match against the number of parallel
	  connections to a server per client IP address (or address block).

config NETFILTER_XT_MATCH_CONNMARK
	tristate '"connmark" connection mark match support'
	depends on NETFILTER_XTABLES
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  This option adds a `connmark' match, which allows you to match the
	  connection mark value previously set for the session by `CONNMARK'.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. The module will be called
	  ipt_connmark.ko. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNTRACK
	tristate '"conntrack" connection tracking match support'
	depends on NETFILTER_XTABLES
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  This is a general conntrack match module, a superset of the state match.

	  It allows matching on additional conntrack information, which is
	  useful in complex configurations, such as NAT gateways with multiple
	  internet links or tunnels.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_DCCP
	tristate '"dccp" protocol match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	default IP_DCCP
	help
	  With this option enabled, you will be able to use the iptables
	  `dccp' match in order to match on DCCP source/destination ports
	  and DCCP flags.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_DSCP
	tristate '"dscp" and "tos" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It will also add a "tos" match, which allows you to match packets
	  based on the Type Of Service fields of the IPv4 packet (which share
	  the same bits as DSCP).

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_ESP
	tristate '"esp" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the ESP header of IPsec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_HELPER
	tristate '"helper" match support'
	depends on NETFILTER_XTABLES
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack-helper, i.e. ip_conntrack_ftp.

	  To compile it as a module, choose M here. If unsure, say Y.

config NETFILTER_XT_MATCH_IPRANGE
	tristate '"iprange" address range match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an "iprange" match, which allows you to match based on
	  an IP address range. (Normal iptables only matches on single addresses
	  with an optional mask.)

	  If unsure, say M.

config NETFILTER_XT_MATCH_LENGTH
	tristate '"length" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_LIMIT
	tristate '"limit" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", below) and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MAC
	tristate '"mac" address match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MARK
	tristate '"mark" match support'
	depends on NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  Netfilter mark matching allows you to match packets based on the
	  `nfmark' value in the packet. This can be set by the MARK target
	  (see below).

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_OWNER
	tristate '"owner" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	---help---
	  Socket owner matching allows you to match locally-generated packets
	  based on who created the socket: the user or group. It is also
	  possible to check whether a socket actually exists.

config NETFILTER_XT_MATCH_POLICY
	tristate 'IPsec "policy" match support'
	depends on NETFILTER_XTABLES && XFRM
	default m if NETFILTER_ADVANCED=n
	help
	  Policy matching allows you to match packets based on the
	  IPsec policy that was used during decapsulation/will
	  be used during encapsulation.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MULTIPORT
	tristate '"multiport" Multiple port match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_PHYSDEV
	tristate '"physdev" match support'
	depends on NETFILTER_XTABLES && BRIDGE && BRIDGE_NETFILTER
	depends on NETFILTER_ADVANCED
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_PKTTYPE
	tristate '"pkttype" packet type match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  Packet type matching allows you to match a packet by
	  its "class", e.g. BROADCAST, MULTICAST, ...

	  Typical usage:
	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_QUOTA
	tristate '"quota" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `quota' match, which allows you to match on a
	  byte counter.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_RATEEST
	tristate '"rateest" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_RATEEST
	help
	  This option adds a `rateest' match, which allows you to match on the
	  rate estimated by the RATEEST target.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_REALM
	tristate '"realm" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	select NET_CLS_ROUTE
	help
	  This option adds a `realm' match, which allows you to use the realm
	  key from the routing subsystem inside iptables.

	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
	  in the tc world.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_SCTP
	tristate '"sctp" protocol match support (EXPERIMENTAL)'
	depends on NETFILTER_XTABLES && EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	default IP_SCTP
	help
	  With this option enabled, you will be able to use the
	  `sctp' match in order to match on SCTP source/destination ports
	  and SCTP chunk types.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_STATE
	tristate '"state" match support'
	depends on NETFILTER_XTABLES
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (i.e. previous packets). This
	  is a powerful tool for packet classification.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STATISTIC
	tristate '"statistic" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `statistic' match, which allows you to match
	  on packets periodically or randomly with a given percentage.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STRING
	tristate '"string" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	select TEXTSEARCH_BM
	select TEXTSEARCH_FSM
	help
	  This option adds a `string' match, which allows you to look for
	  pattern matches in packets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_TCPMSS
	tristate '"tcpmss" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS value of TCP SYN packets, which controls the maximum packet size
	  for that connection.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_TIME
	tristate '"time" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds a "time" match, which allows you to match based on
	  the packet arrival time (at the machine which netfilter is running
	  on) or departure time/date (for locally generated packets).

	  If you say Y here, try `iptables -m time --help` for
	  more information.

	  If you want to compile it as a module, say M here.
	  If unsure, say N.

config NETFILTER_XT_MATCH_U32
	tristate '"u32" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	---help---
	  u32 allows you to extract quantities of up to 4 bytes from a packet,
	  AND them with specified masks, shift them by specified amounts and
	  test whether the results are in any of a set of specified ranges.
	  The specification of what to extract is general enough to skip over
	  headers with lengths stored in the packet, as in IP or TCP header
	  lengths.

	  Details and examples are in the kernel module source.

config NETFILTER_XT_MATCH_HASHLIMIT
	tristate '"hashlimit" match support'
	depends on NETFILTER_XTABLES && (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `hashlimit' match.

	  As opposed to `limit', this match dynamically creates a hash table
	  of limit buckets, based on your selection of source/destination
	  addresses and/or ports.

	  It enables you to express policies like `10kpps for any given
	  destination address' or `500pps from any given source address'
	  with a single rule.

endmenu
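The `depends on` and `select` lines above encode the relationships a kernel hardening review has to respect: `connbytes` silently pulls in NF_CT_ACCT, NF_CT_NETLINK is buildable with or without NF_NAT (`NF_NAT=n || NF_NAT`), and several helpers are gated on EXPERIMENTAL. The following is an added example, not part of the kernel's own Kconfig tooling, that parses the subset of Kconfig syntax used in this file (`config`, `depends on`, `select`, with `&&`, `||`, `!`, parentheses and `SYMBOL=value`) and checks a `.config` fragment for options that are enabled while a dependency is unmet or a selected symbol is disabled. Both the Kconfig excerpt and the `.config` fragment embedded below are constructed for the example; tristate handling is simplified (any enabled value, `y` or `m`, satisfies a dependency).

```python
"""Minimal Kconfig dependency checker (added example, not kernel code)."""
import re

# Constructed excerpt of the options above; only the attributes the checker uses.
KCONFIG = """
config NF_CONNTRACK
	tristate "Netfilter connection tracking support"
	default m if NETFILTER_ADVANCED=n

config NF_CT_ACCT
	bool "Connection tracking flow accounting"
	depends on NETFILTER_ADVANCED
	depends on NF_CONNTRACK
	help
	  This help line mentions 'depends on' and must be ignored by the parser.

config NETFILTER_XT_MATCH_CONNBYTES
	tristate '"connbytes" per-connection counter match support'
	depends on NETFILTER_XTABLES
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CT_ACCT

config NF_CT_NETLINK
	tristate 'Connection tracking netlink interface'
	depends on NF_CONNTRACK
	select NETFILTER_NETLINK
	depends on NF_NAT=n || NF_NAT
"""

# Constructed .config fragment: connbytes is on but its selected NF_CT_ACCT is off.
DOTCONFIG = """
CONFIG_NETFILTER_ADVANCED=y
CONFIG_NETFILTER_XTABLES=m
CONFIG_NF_CONNTRACK=m
# CONFIG_NF_CT_ACCT is not set
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NF_CT_NETLINK=m
# CONFIG_NETFILTER_NETLINK is not set
# CONFIG_NF_NAT is not set
"""


def parse_kconfig(text):
    """Map symbol name -> {'depends': [expr, ...], 'selects': [sym, ...]}."""
    symbols, cur, in_help = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"config\s+(\w+)$", line)
        if m:
            cur = symbols.setdefault(m.group(1), {"depends": [], "selects": []})
            in_help = False
            continue
        if cur is None or in_help:
            continue
        if line in ("help", "---help---"):
            in_help = True  # everything until the next 'config' is free text
        elif line.startswith("depends on "):
            cur["depends"].append(line[len("depends on "):].strip())
        elif line.startswith("select "):
            cur["selects"].append(line.split()[1])  # ignore any 'if' qualifier
    return symbols


def parse_dotconfig(text):
    """Map symbol name -> 'y' | 'm' | 'n' (unlisted symbols default to 'n')."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"CONFIG_(\w+)=(\w+)", line)
        if m:
            cfg[m.group(1)] = m.group(2)
        m = re.match(r"# CONFIG_(\w+) is not set", line)
        if m:
            cfg[m.group(1)] = "n"
    return cfg


_TOKEN = re.compile(r"\s*(\(|\)|&&|\|\||!|\w+=\w+|\w+)")


def evaluate(expr, cfg):
    """Evaluate a 'depends on' expression; precedence is ! > && > ||."""
    toks, pos = [], 0
    expr = expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError("bad Kconfig expression: %r" % expr)
        toks.append(m.group(1))
        pos = m.end()
    i = 0

    def parse_or():
        nonlocal i
        left = parse_and()
        while i < len(toks) and toks[i] == "||":
            i += 1
            left = parse_and() or left  # always consume the right operand
        return left

    def parse_and():
        nonlocal i
        left = parse_not()
        while i < len(toks) and toks[i] == "&&":
            i += 1
            left = parse_not() and left
        return left

    def parse_not():
        nonlocal i
        tok = toks[i]
        i += 1
        if tok == "!":
            return not parse_not()
        if tok == "(":
            inner = parse_or()
            if i >= len(toks) or toks[i] != ")":
                raise ValueError("unbalanced parentheses in %r" % expr)
            i += 1
            return inner
        if "=" in tok:                      # SYMBOL=value comparison
            sym, want = tok.split("=", 1)
            return cfg.get(sym, "n") == want
        return cfg.get(tok, "n") != "n"     # bare symbol: enabled as y or m

    result = parse_or()
    if i != len(toks):
        raise ValueError("trailing tokens in %r" % expr)
    return result


def check_config(symbols, cfg):
    """Return (symbol, problem) pairs for enabled symbols with unmet deps/selects."""
    problems = []
    for name, info in symbols.items():
        if cfg.get(name, "n") == "n":
            continue
        for dep in info["depends"]:
            if not evaluate(dep, cfg):
                problems.append((name, "unmet dependency: " + dep))
        for sel in info["selects"]:
            if cfg.get(sel, "n") == "n":
                problems.append((name, "selects %s but it is disabled" % sel))
    return problems


if __name__ == "__main__":
    for sym, why in check_config(parse_kconfig(KCONFIG), parse_dotconfig(DOTCONFIG)):
        print("%s: %s" % (sym, why))
```

Run against a real tree, `parse_kconfig` would be fed `net/netfilter/Kconfig` and `parse_dotconfig` the kernel's `.config` (or the decompressed `/proc/config.gz`); the checker then lists every netfilter option whose hard dependencies or selected symbols disagree with what was actually built, which is the first thing to look at when a match or target module refuses to load.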