/asuswrt-rt-n18u-9.0.0.4.380.2695/release/src-rt-6.x.4708/linux/linux-2.6.36/net/netfilter/
menu "Core Netfilter Configuration"
	depends on NET && INET && NETFILTER

config NETFILTER_NETLINK
	tristate

config NETFILTER_NETLINK_QUEUE
	tristate "Netfilter NFQUEUE over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for queueing packets via NFNETLINK.

config NETFILTER_NETLINK_LOG
	tristate "Netfilter LOG over NFNETLINK interface"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for logging packets via NFNETLINK.

	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
	  and is also scheduled to replace the old syslog-based ipt_LOG
	  and ip6t_LOG modules.

config NF_CONNTRACK
	tristate "Netfilter connection tracking support"
	default m if NETFILTER_ADVANCED=n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is required to do Masquerading or other kinds of Network
	  Address Translation.  It can also be used to enhance packet
	  filtering (see `Connection state match support' below).

	  To compile it as a module, choose M here.  If unsure, say N.

if NF_CONNTRACK

config NF_CONNTRACK_MARK
	bool  'Connection mark tracking support'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match. Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config NF_CONNTRACK_SECMARK
	bool  'Connection tracking security mark support'
	depends on NETWORK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables security markings to be applied to
	  connections.  Typically they are copied to connections from
	  packets using the CONNSECMARK target and copied back from
	  connections to packets with the same target, with the packets
	  being originally labeled via SECMARK.

	  If unsure, say 'N'.

config NF_CONNTRACK_ZONES
	bool  'Connection tracking zones'
	depends on NETFILTER_ADVANCED
	depends on NETFILTER_XT_TARGET_CT
	help
	  This option enables support for connection tracking zones.
	  Normally, each connection needs to have a unique system wide
	  identity. Connection tracking zones allow you to have multiple
	  connections using the same identity, as long as they are
	  contained in different zones.

	  If unsure, say `N'.

config NF_CONNTRACK_EVENTS
	bool "Connection tracking events"
	depends on NETFILTER_ADVANCED
	help
	  If this option is enabled, the connection tracking code will
	  provide a notifier chain that can be used by other kernel code
	  to get notified about changes in the connection tracking state.

	  If unsure, say `N'.

config NF_CT_PROTO_DCCP
	tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	default IP_DCCP
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on DCCP connections.

	  If unsure, say 'N'.

config NF_CT_PROTO_GRE
	tristate

config NF_CT_PROTO_SCTP
	tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	default IP_SCTP
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on SCTP connections.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NF_CT_PROTO_UDPLITE
	tristate 'UDP-Lite protocol connection tracking support'
	depends on NETFILTER_ADVANCED
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on UDP-Lite
	  connections.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_AMANDA
	tristate "Amanda backup protocol support"
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature.  This allows the
	  connection tracking and natting code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and
	  index.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_FTP
	tristate "FTP protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them.

	  This is FTP support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_H323
	tristate "H.323 protocol support"
	depends on (IPV6 || IPV6=n)
	depends on NETFILTER_ADVANCED
	help
	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
	  important VoIP protocols, it is widely used by voice hardware and
	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
	  Gnomemeeting, etc.

	  With this module you can support H.323 on a connection tracking/NAT
	  firewall.

	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
	  whiteboard, file transfer, etc. For more information, please
	  visit http://nath323.sourceforge.net/.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_IRC
	tristate "IRC protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC).  This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server.  DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats.  Note that you do NOT need this extension to get files or
	  have others initiate chats, or everything else in IRC.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_NETBIOS_NS
	tristate "NetBIOS name service protocol support"
	depends on NETFILTER_ADVANCED
	help
	  NetBIOS name service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating NetBIOS name service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address. When properly configured, the output
	  of "ip address show" should look similar to this:

	  $ ip -4 address show eth0
	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_PPTP
	tristate "PPtP protocol support"
	depends on NETFILTER_ADVANCED
	select NF_CT_PROTO_GRE
	help
	  This module adds support for PPTP (Point to Point Tunnelling
	  Protocol, RFC2637) connection tracking and NAT.

	  If you are running PPTP sessions over a stateful firewall or NAT
	  box, you may want to enable this feature.

	  Please note that not all PPTP modes of operation are supported yet.
	  Specifically these limitations exist:
	    - Blindly assumes that control connections are always established
	      in PNS->PAC direction. This is a violation of RFC2637.
	    - Only supports a single call within each session

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_RTSP
	tristate  "RTSP protocol support"
	depends on NETFILTER_ADVANCED
	help
	  Support the RTSP protocol.  This allows UDP transports to be set up
	  properly, including RTP and RDT.

	  If you want to compile it as a module, say 'M' here and read
	  Documentation/modules.txt.  If unsure, say 'Y'.

config NF_CONNTRACK_SANE
	tristate "SANE protocol support (EXPERIMENTAL)"
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	help
	  SANE is a protocol for remote access to scanners as implemented
	  by the 'saned' daemon. Like FTP, it uses separate control and
	  data connections.

	  With this module you can support SANE on a connection tracking
	  firewall.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_SIP
	tristate "SIP protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  SIP is an application-layer control protocol that can establish,
	  modify, and terminate multimedia sessions (conferences) such as
	  Internet telephony calls. With the ip_conntrack_sip and
	  the nf_nat_sip modules you can support the protocol on a connection
	  tracking/NATing firewall.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_TFTP
	tristate "TFTP protocol support"
	depends on NETFILTER_ADVANCED
	help
	  TFTP connection tracking helper; whether it is required depends
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADING
	  you will need this.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CT_NETLINK
	tristate 'Connection tracking netlink interface'
	select NETFILTER_NETLINK
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables support for a netlink-based userspace interface

endif # NF_CONNTRACK

# transparent proxy support
config NETFILTER_TPROXY
	tristate "Transparent proxying support (EXPERIMENTAL)"
	depends on EXPERIMENTAL
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option enables transparent proxying support, that is,
	  support for handling non-locally bound IPv4 TCP and UDP sockets.
	  For it to work you will have to configure certain iptables rules
	  and use policy routing. For more information on how to set it up
	  see Documentation/networking/tproxy.txt.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XTABLES
	tristate "Netfilter Xtables support (required for ip_tables)"
	default m if NETFILTER_ADVANCED=n
	help
	  This is required if you intend to use any of ip_tables,
	  ip6_tables or arp_tables.

if NETFILTER_XTABLES

comment "Xtables combined modules"

config NETFILTER_XT_MARK
	tristate 'nfmark target and match support'
	default m if NETFILTER_ADVANCED=n
	---help---
	This option adds the "MARK" target and "mark" match.

	Netfilter mark matching allows you to match packets based on the
	"nfmark" value in the packet.
	The target allows you to create rules in the "mangle" table which alter
	the netfilter mark (nfmark) field associated with the packet.

	Prior to routing, the nfmark can influence the routing method (see
	"Use netfilter MARK value as routing key") and can also be used by
	other subsystems to change their behavior.

config NETFILTER_XT_CONNMARK
	tristate 'ctmark target and match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	---help---
	This option adds the "CONNMARK" target and "connmark" match.

	Netfilter allows you to store a mark value per connection (a.k.a.
	ctmark), similarly to the packet mark (nfmark). Using this
	target and match, you can set and match on this mark.

# alphabetically ordered list of targets

comment "Xtables targets"

config NETFILTER_XT_TARGET_CHECKSUM
	tristate "CHECKSUM target support"
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds a `CHECKSUM' target, which can be used in the iptables mangle
	  table.

	  You can use this target to compute and fill in the checksum in
	  a packet that lacks a checksum.  This is particularly useful
	  if you need to work around old applications such as dhcp clients
	  that do not work well with checksum offloads, but don't want to disable
	  checksum offload in your device.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_CLASSIFY
	tristate '"CLASSIFY" target support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet. Some qdiscs can use this value for
	  classification, among these are:

	  atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_CONNMARK
	tristate  '"CONNMARK" target support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_CONNMARK
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).

config NETFILTER_XT_TARGET_CONNSECMARK
	tristate '"CONNSECMARK" target support'
	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The CONNSECMARK target copies security markings from packets
	  to connections, and restores security markings from connections
	  to packets (if the packets are not already marked).  This would
	  normally be used in conjunction with the SECMARK target.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_CT
	tristate '"CT" target support'
	depends on NF_CONNTRACK
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CT' target, which allows you to specify initial
	  connection tracking parameters like events to be delivered and
	  the helper to be used.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_DSCP
	tristate '"DSCP" and "TOS" target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' target, which allows you to manipulate
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It also adds the "TOS" target, which allows you to create rules in
	  the "mangle" table which alter the Type Of Service field of an IPv4
	  or the Priority field of an IPv6 packet, prior to routing.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
	targets, which enable the user to change the
	hoplimit/time-to-live value of the IP header.

	While it is safe to decrement the hoplimit/TTL value, the
	modules also allow you to increment and set the hoplimit value of
	the header to arbitrary values. This is EXTREMELY DANGEROUS
	since you can easily create immortal packets that loop
	forever on the network.

config NETFILTER_XT_TARGET_IDLETIMER
	tristate  "IDLETIMER target support"
	depends on NETFILTER_ADVANCED
	help
	  This option adds the `IDLETIMER' target.  Each matching packet
	  resets the timer associated with the label specified when the rule is
	  added.  When the timer expires, it triggers a sysfs notification.
	  The remaining time for expiration can be read via sysfs.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_LED
	tristate '"LED" target support'
	depends on LEDS_CLASS && LEDS_TRIGGERS
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `LED' target, which allows you to blink LEDs in
	  response to particular packets passing through your machine.

	  This can be used to turn a spare LED into a network activity LED,
	  which only flashes in response to FTP transfers, for example.  Or
	  you could have an LED which lights up for a minute or two every time
	  somebody connects to your machine via SSH.

	  You will need support for the "led" class to make this work.

	  To create an LED trigger for incoming SSH traffic:
	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000

	  Then attach the new trigger to an LED on your system:
	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger

	  For more information on the LEDs available on your system, see
	  Documentation/leds-class.txt

config NETFILTER_XT_TARGET_IMQ
	tristate '"IMQ" target support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	select IMQ
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds an `IMQ' target which is used to specify if and
	  to which imq device packets should get enqueued/dequeued.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_MARK
	tristate '"MARK" target support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MARK
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).

config NETFILTER_XT_TARGET_NFLOG
	tristate '"NFLOG" target support'
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK_LOG
	help
	  This option enables the NFLOG target, which allows you to log
	  messages through nfnetlink_log.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_NFQUEUE
	tristate '"NFQUEUE" target Support'
	depends on NETFILTER_ADVANCED
	help
	  This target replaced the old obsolete QUEUE target.

	  As opposed to QUEUE, it supports 65535 different queues,
	  not just one.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_NOTRACK
	tristate  '"NOTRACK" target support'
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  The NOTRACK target allows a select rule to specify
	  which packets *not* to enter the conntrack/NAT
	  subsystem with all the consequences (no ICMP error tracking,
	  no protocol helpers for the selected packets).

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_TARGET_RATEEST
	tristate '"RATEEST" target support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `RATEEST' target, which allows you to measure
	  rates similar to TC estimators. The `rateest' match can be
	  used to match on the measured rates.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_TEE
	tristate '"TEE" - packet cloning to alternate destination'
	depends on NETFILTER_ADVANCED
	depends on (IPV6 || IPV6=n)
	depends on !NF_CONNTRACK || NF_CONNTRACK
	---help---
	This option adds a "TEE" target with which a packet can be cloned and
	this clone be rerouted to another nexthop.

config NETFILTER_XT_TARGET_TPROXY
	tristate '"TPROXY" target support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_TPROXY
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	select NF_DEFRAG_IPV4
	default m
	help
	  This option adds a `TPROXY' target, which is somewhat similar to
	  REDIRECT.  It can only be used in the mangle table and is useful
	  to redirect traffic to a transparent proxy.  It does _not_ depend
	  on Netfilter connection tracking and NAT, unlike REDIRECT.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_TRACE
	tristate  '"TRACE" target support'
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	help
	  The TRACE target allows you to mark packets so that the kernel
	  will log every rule which matches the packets as they traverse
	  the tables, chains, rules.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_TARGET_SECMARK
	tristate '"SECMARK" target support'
	depends on NETWORK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The SECMARK target allows security marking of network
	  packets, for use with security subsystems.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_TCPMSS
	tristate '"TCPMSS" target support'
	depends on (IPV6 || IPV6=n)
	default m if NETFILTER_ADVANCED=n
	---help---
	  This option adds a `TCPMSS' target, which allows you to alter the
	  MSS value of TCP SYN packets, to control the maximum size for that
	  connection (usually limiting it to your outgoing interface's MTU
	  minus 40).

	  This is used to overcome criminally braindead ISPs or servers which
	  block ICMP Fragmentation Needed packets.  The symptoms of this
	  problem are that everything works fine from your Linux
	  firewall/router, but machines behind it can never exchange large
	  packets:
	        1) Web browsers connect, then hang with no data received.
	        2) Small mail works fine, but large emails hang.
	        3) ssh works fine, but scp hangs after initial handshaking.

	  Workaround: activate this option and add a rule to your firewall
	  configuration like:

	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
	                 -j TCPMSS --clamp-mss-to-pmtu

	  To compile it as a module, choose M here.  If unsure, say N.

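The MSS clamping the TCPMSS help text describes, as an added example that is not code from this kernel tree: a small Python module that builds a constructed IPv4/TCP SYN, lowers its MSS option to at most the path MTU minus 40 (the IPv4 plus TCP header overhead the help text mentions) and recomputes the TCP checksum, which is the effect of `--clamp-mss-to-pmtu`. Only segments with SYN set and RST clear are touched, mirroring the `--tcp-flags SYN,RST SYN` selector in the rule above. The addresses, ports and the `pmtu` value are constructed for the example; the option walker stops on a malformed option length rather than reading past the header.

```python
"""MSS clamping as performed by the TCPMSS target (--clamp-mss-to-pmtu).

Added example, not code from this kernel tree: builds a constructed
IPv4/TCP SYN, caps the MSS option at pmtu - 40 (IPv4 + TCP headers
without options) and recomputes the TCP checksum.
"""
import socket
import struct

IPV4_TCP_OVERHEAD = 40      # 20-byte IPv4 header + 20-byte TCP header
TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(ip_hdr: bytes, tcp: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment."""
    pseudo = ip_hdr[12:16] + ip_hdr[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(pseudo + tcp)


def _tcp_options(tcp, data_off: int):
    """Yield (offset, kind, length) per option; stop at EOL or malformed input."""
    i = 20
    while i < data_off:
        kind = tcp[i]
        if kind == TCP_OPT_EOL:
            return
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= data_off:
            return
        length = tcp[i + 1]
        if length < 2 or i + length > data_off:
            return                      # malformed: never read past the header
        yield i, kind, length
        i += length


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int,
              mss: int, flags: int = TCP_SYN) -> bytes:
    """Constructed IPv4 + TCP segment carrying a single MSS option."""
    options = struct.pack("!BBH", TCP_OPT_MSS, 4, mss)
    tcp_len = 20 + len(options)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                      (tcp_len // 4) << 4, flags, 65535, 0, 0) + options
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000,
                     64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(ip, tcp)) + tcp[18:]
    return ip + tcp


def _split(packet: bytes):
    """Return (ip_header, tcp_segment, tcp_data_offset_in_bytes)."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    return packet[:ihl], tcp, (tcp[12] >> 4) * 4


def read_mss(packet: bytes):
    _, tcp, data_off = _split(packet)
    for off, kind, length in _tcp_options(tcp, data_off):
        if kind == TCP_OPT_MSS and length == 4:
            return struct.unpack("!H", tcp[off + 2:off + 4])[0]
    return None


def tcp_checksum_ok(packet: bytes) -> bool:
    ip_hdr, tcp, _ = _split(packet)
    return tcp_checksum(ip_hdr, tcp) == 0   # a correct checksum sums to zero


def clamp_mss_to_pmtu(packet: bytes, pmtu: int) -> bytes:
    """Return the packet with its MSS capped at pmtu - 40 and checksum fixed."""
    ip_hdr, tcp, data_off = _split(packet)
    flags = tcp[13]
    if not (flags & TCP_SYN) or (flags & TCP_RST):
        return packet                   # rule only selects SYN without RST
    tcp = bytearray(tcp)
    max_mss = pmtu - IPV4_TCP_OVERHEAD
    for off, kind, length in _tcp_options(tcp, data_off):
        if kind == TCP_OPT_MSS and length == 4:
            current = struct.unpack("!H", tcp[off + 2:off + 4])[0]
            if current > max_mss:
                tcp[off + 2:off + 4] = struct.pack("!H", max_mss)
    tcp[16:18] = b"\x00\x00"
    tcp[16:18] = struct.pack("!H", tcp_checksum(ip_hdr, bytes(tcp)))
    return ip_hdr + bytes(tcp)


if __name__ == "__main__":
    syn = build_syn("192.0.2.10", "198.51.100.7", 40000, 80, 1460)
    print("before:", read_mss(syn), "after:", read_mss(clamp_mss_to_pmtu(syn, 1400)))
```

Running the module clamps a 1460-byte MSS to 1360 for a 1400-byte path MTU and leaves a SYN whose MSS already fits untouched; an ACK-only segment passes through unchanged because the rule's flag selector does not match it.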
config NETFILTER_XT_TARGET_TCPOPTSTRIP
	tristate '"TCPOPTSTRIP" target support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
	  TCP options from TCP packets.

# alphabetically ordered list of matches

comment "Xtables matches"

config NETFILTER_XT_MATCH_CLUSTER
	tristate '"cluster" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	---help---
	  This option allows you to build work-load-sharing clusters of
	  network servers/stateful firewalls without having a dedicated
	  load-balancing router/server/switch. Basically, this match returns
	  true when the packet must be handled by this cluster node. Thus,
	  all nodes see all packets and this match decides which node handles
	  what packets. The work-load sharing algorithm is based on source
	  address hashing.

	  If you say Y or M here, try `iptables -m cluster --help` for
	  more information.

config NETFILTER_XT_MATCH_COMMENT
	tristate  '"comment" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `comment' dummy-match, which allows you to put
	  comments in your iptables ruleset.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNBYTES
	tristate  '"connbytes" per-connection counter match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `connbytes' match, which allows you to match the
	  number of bytes and/or packets for each direction within a connection.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNLIMIT
	tristate '"connlimit" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	---help---
	  This match allows you to match against the number of parallel
	  connections to a server per client IP address (or address block).

config NETFILTER_XT_MATCH_CONNMARK
	tristate  '"connmark" connection mark match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_CONNMARK
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).

config NETFILTER_XT_MATCH_CONNTRACK
	tristate '"conntrack" connection tracking match support'
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  This is a general conntrack match module, a superset of the state match.

	  It allows matching on additional conntrack information, which is
	  useful in complex configurations, such as NAT gateways with multiple
	  internet links or tunnels.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_CPU
	tristate '"cpu" match support'
	depends on NETFILTER_ADVANCED
	help
	  CPU matching allows you to match packets based on the CPU
	  currently handling the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_DCCP
	tristate '"dccp" protocol match support'
	depends on NETFILTER_ADVANCED
	default IP_DCCP
	help
	  With this option enabled, you will be able to use the iptables
	  `dccp' match in order to match on DCCP source/destination ports
	  and DCCP flags.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_DSCP
	tristate '"dscp" and "tos" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It will also add a "tos" match, which allows you to match packets
	  based on the Type Of Service fields of the IPv4 packet (which share
	  the same bits as DSCP).

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_ESP
	tristate '"esp" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the ESP header of IPsec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_HASHLIMIT
	tristate '"hashlimit" match support'
	depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `hashlimit' match.

	  As opposed to `limit', this match dynamically creates a hash table
	  of limit buckets, based on your selection of source/destination
	  addresses and/or ports.

	  It enables you to express policies like `10kpps for any given
	  destination address' or `500pps from any given source address'
	  with a single rule.

config NETFILTER_XT_MATCH_HELPER
	tristate '"helper" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack-helper, i.e. ip_conntrack_ftp

	  To compile it as a module, choose M here.  If unsure, say Y.

config NETFILTER_XT_MATCH_HL
	tristate '"hl" hoplimit/TTL match support'
	depends on NETFILTER_ADVANCED
	---help---
	HL matching allows you to match packets based on the hoplimit
	in the IPv6 header, or the time-to-live field in the IPv4
	header of the packet.

config NETFILTER_XT_MATCH_IPRANGE
	tristate '"iprange" address range match support'
	depends on NETFILTER_ADVANCED
	---help---
	This option adds an "iprange" match, which allows you to match based on
	an IP address range. (Normal iptables only matches on single addresses
	with an optional mask.)

	If unsure, say M.

config NETFILTER_XT_MATCH_IPVS
	tristate '"ipvs" match support'
	depends on IP_VS
	depends on NETFILTER_ADVANCED
	depends on NF_CONNTRACK
	help
	  This option allows you to match against IPVS properties of a packet.

	  If unsure, say N.

config NETFILTER_XT_MATCH_LENGTH
	tristate '"length" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_LIMIT
	tristate '"limit" match support'
	depends on NETFILTER_ADVANCED
	help
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", below) and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here.  If unsure, say N.

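The per-address policies described under `hashlimit` and the single-bucket rate control described under `limit`, as an added example that is not kernel or iptables code: a token-bucket limiter keyed on chosen packet fields, where an empty key gives one global bucket (the `limit` behaviour) and `("src",)` or `("dst",)` gives one bucket per source or destination address (the `hashlimit` behaviour). `allow()` returning True corresponds to the match succeeding because the packet is still under the rate. The `max_entries` and `expire` handling (refuse new keys while the table is full and nothing has aged out) is this example's own simplification of hashlimit's table limits, not the kernel's exact policy, and the packet dicts and timestamps are constructed.

```python
"""Token-bucket rate limiting keyed on packet fields, in the style of the
`hashlimit` and `limit` matches.  Added example, not kernel or iptables code.

allow() returning True means "under the limit, the rule would match".
The table cap and expiry are a simplification of hashlimit's htable limits
(an assumption for this example, not the kernel's exact policy).
"""
from typing import Dict, Iterable, List, Tuple


class HashLimit:
    def __init__(self, rate: float, burst: int, key: Tuple[str, ...] = ("dst",),
                 max_entries: int = 1000, expire: float = 10.0) -> None:
        self.rate = float(rate)         # sustained packets per second
        self.burst = float(burst)       # bucket capacity, also the initial credit
        self.key = tuple(key)           # () = one global bucket, like `limit`
        self.max_entries = max_entries  # cap on tracked keys (cf. --hashlimit-htable-max)
        self.expire = expire            # seconds of silence before a bucket is dropped
        self.table: Dict[tuple, List[float]] = {}   # key -> [tokens, last_seen]

    def _bucket_key(self, pkt: Dict[str, str]) -> tuple:
        return tuple(pkt[field] for field in self.key)

    def _expire_stale(self, now: float) -> None:
        stale = [k for k, (_, seen) in self.table.items() if now - seen > self.expire]
        for k in stale:
            del self.table[k]

    def entries(self) -> int:
        return len(self.table)

    def allow(self, pkt: Dict[str, str], now: float) -> bool:
        k = self._bucket_key(pkt)
        entry = self.table.get(k)
        if entry is None:
            if len(self.table) >= self.max_entries:
                self._expire_stale(now)
                if len(self.table) >= self.max_entries:
                    return False        # table full: treat the packet as over the limit
            entry = self.table[k] = [self.burst, now]
        tokens, last = entry
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill since last packet
        entry[1] = now
        if tokens >= 1.0:
            entry[0] = tokens - 1.0     # spend one token for this packet
            return True
        entry[0] = tokens
        return False


def run(limiter: HashLimit, stream: Iterable[Tuple[float, Dict[str, str]]]) -> List[bool]:
    """Feed (timestamp, packet) pairs through a limiter and return each verdict."""
    return [limiter.allow(pkt, ts) for ts, pkt in stream]


# Constructed sample traffic: 203.0.113.5 bursts, 203.0.113.6 sends one packet.
SAMPLE_STREAM = [
    (0.0, {"src": "203.0.113.5", "dst": "192.0.2.1"}),
    (0.0, {"src": "203.0.113.5", "dst": "192.0.2.1"}),
    (0.0, {"src": "203.0.113.5", "dst": "192.0.2.1"}),
    (0.0, {"src": "203.0.113.5", "dst": "192.0.2.1"}),
    (0.0, {"src": "203.0.113.6", "dst": "192.0.2.1"}),
    (1.0, {"src": "203.0.113.5", "dst": "192.0.2.1"}),
    (1.0, {"src": "203.0.113.5", "dst": "192.0.2.1"}),
    (1.0, {"src": "203.0.113.5", "dst": "192.0.2.1"}),
]


def per_source_demo() -> List[bool]:
    """hashlimit-style: 2 pkt/s with a burst of 3, one bucket per source address."""
    return run(HashLimit(rate=2, burst=3, key=("src",)), SAMPLE_STREAM)


def global_limit_demo() -> List[bool]:
    """limit-style: a single bucket for all traffic, 2 pkt/s with a burst of 3."""
    return run(HashLimit(rate=2, burst=3, key=()), SAMPLE_STREAM)


if __name__ == "__main__":
    print("per-source:", per_source_demo())
    print("global    :", global_limit_demo())
```

With the per-source key the second host's single packet is accepted even while the first host is over its limit; with the global key it is refused, because both hosts share one bucket. The `max_entries` path is the part a defender should keep in mind: a burst of new keys (many distinct source addresses) fills the table, and until entries expire every further new key is refused, so size the table and expiry for the traffic you expect.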
806config NETFILTER_XT_MATCH_MAC
807	tristate '"mac" address match support'
808	depends on NETFILTER_ADVANCED
809	help
810	  MAC matching allows you to match packets based on the source
811	  Ethernet address of the packet.
812
813	  To compile it as a module, choose M here.  If unsure, say N.
814
815config NETFILTER_XT_MATCH_MARK
816	tristate '"mark" match support'
817	depends on NETFILTER_ADVANCED
818	select NETFILTER_XT_MARK
819	---help---
820	This is a backwards-compat option for the user's convenience
821	(e.g. when running oldconfig). It selects
822	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
823
config NETFILTER_XT_MATCH_MULTIPORT
	tristate '"multiport" Multiple port match support'
	depends on NETFILTER_ADVANCED
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_OSF
	tristate '"osf" Passive OS fingerprint match'
	depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
	help
	  This option selects the Passive OS Fingerprinting match module,
	  which allows you to passively match the remote operating system by
	  analyzing incoming TCP SYN packets.

	  Rules and loading software can be downloaded from
	  http://www.ioremap.net/projects/osf

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_OWNER
	tristate '"owner" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  Socket owner matching allows you to match locally-generated packets
	  based on who created the socket: the user or group. It is also
	  possible to check whether a socket actually exists.

config NETFILTER_XT_MATCH_POLICY
	tristate 'IPsec "policy" match support'
	depends on XFRM
	default m if NETFILTER_ADVANCED=n
	help
	  Policy matching allows you to match packets based on the
	  IPsec policy that was used during decapsulation, or that will
	  be used during encapsulation.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_PHYSDEV
	tristate '"physdev" match support'
	depends on BRIDGE && BRIDGE_NETFILTER
	depends on NETFILTER_ADVANCED
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_PKTTYPE
	tristate '"pkttype" packet type match support'
	depends on NETFILTER_ADVANCED
	help
	  Packet type matching allows you to match a packet by
	  its "class", e.g. BROADCAST, MULTICAST, ...

	  Typical usage:
	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_QUOTA
	tristate '"quota" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `quota' match, which allows you to match on a
	  byte counter.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_RATEEST
	tristate '"rateest" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_RATEEST
	help
	  This option adds a `rateest' match, which allows you to match on the
	  rate estimated by the RATEEST target.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_REALM
	tristate '"realm" match support'
	depends on NETFILTER_ADVANCED
	select NET_CLS_ROUTE
	help
	  This option adds a `realm' match, which allows you to use the realm
	  key from the routing subsystem inside iptables.

	  This match closely resembles the CONFIG_NET_CLS_ROUTE4 option
	  in the tc world.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_RECENT
	tristate '"recent" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'
	  Official Website: <http://snowman.net/projects/ipt_recent/>

config NETFILTER_XT_MATCH_SCTP
	tristate '"sctp" protocol match support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	default IP_SCTP
	help
	  With this option enabled, you will be able to use the
	  `sctp' match in order to match on SCTP source/destination ports
	  and SCTP chunk types.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_SOCKET
	tristate '"socket" match support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_TPROXY
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DEFRAG_IPV4
	help
	  This option adds a `socket' match, which can be used to match
	  packets for which a TCP or UDP socket lookup finds a valid socket.
	  It can be used in combination with the MARK target and policy
	  routing to implement full featured non-locally bound sockets.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_STATE
	tristate '"state" match support'
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (i.e. previous packets).  This
	  is a powerful tool for packet classification.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_LAYER7
	tristate '"layer7" match support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_CONNTRACK || NF_CONNTRACK
	depends on NF_CT_ACCT
	help
	  Say Y if you want to be able to classify connections (and their
	  packets) based on regular expression matching of their application
	  layer data.  This is one way to classify applications such as
	  peer-to-peer filesharing systems that do not always use the same
	  port.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_LAYER7_DEBUG
	bool 'layer7 debugging output'
	depends on NETFILTER_XT_MATCH_LAYER7
	help
	  Say Y to get lots of debugging output.

config NETFILTER_XT_MATCH_STATISTIC
	tristate '"statistic" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `statistic' match, which allows you to match
	  on packets periodically or randomly with a given percentage.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_STRING
	tristate '"string" match support'
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	select TEXTSEARCH_BM
	select TEXTSEARCH_FSM
	help
	  This option adds a `string' match, which allows you to search for
	  patterns in packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_TCPMSS
	tristate '"tcpmss" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS value of TCP SYN packets, which controls the maximum packet size
	  for that connection.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_TIME
	tristate '"time" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds a "time" match, which allows you to match based on
	  the packet arrival time (at the machine on which netfilter is
	  running) or departure time/date (for locally generated packets).

	  If you say Y here, try `iptables -m time --help` for
	  more information.

	  If you want to compile it as a module, say M here.
	  If unsure, say N.

config NETFILTER_XT_MATCH_U32
	tristate '"u32" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  u32 allows you to extract quantities of up to 4 bytes from a packet,
	  AND them with specified masks, shift them by specified amounts and
	  test whether the results are in any of a set of specified ranges.
	  The specification of what to extract is general enough to skip over
	  headers with lengths stored in the packet, as in IP or TCP header
	  lengths.

	  Details and examples are in the kernel module source.

config NETFILTER_XT_MATCH_WEBSTR
	tristate '"webstr" match support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `webstr' match, which allows you to search for
	  patterns in an HTTP stream.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_CONDITION
	tristate '"condition" match support'
	depends on NETFILTER_XTABLES
	help
	  This option allows you to match firewall rules against condition
	  variables stored in the /proc/net/nf_condition directory.

	  N.B.: older versions used /proc/net/ipt_condition. You can
	  re-enable it with "compat_dir_name".

	  If you want to compile it as a module, say M here and read
	  Documentation/modules.txt.  If unsure, say `N'.

config NETFILTER_XT_MATCH_GEOIP
	tristate '"geoip" match support'
	depends on NETFILTER_XTABLES
	help
	  This option allows you to match a packet by its source or
	  destination country.  Basically, you need a country
	  database containing all subnets and their associated countries.

	  For the complete procedure and background, read:
	  http://people.netfilter.org/acidfu/geoip/howto/geoip-HOWTO.html

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  The module will be
	  called `ipt_geoip'.  If unsure, say `N'.

endif # NETFILTER_XTABLES

endmenu

source "net/netfilter/ipvs/Kconfig"
