menu "Core Netfilter Configuration"
	depends on NET && INET && NETFILTER

config NETFILTER_NETLINK
	tristate

config NETFILTER_NETLINK_ACCT
	tristate "Netfilter NFACCT over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for extended accounting via NFNETLINK.

config NETFILTER_NETLINK_QUEUE
	tristate "Netfilter NFQUEUE over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for queueing packets via NFNETLINK.

config NETFILTER_NETLINK_LOG
	tristate "Netfilter LOG over NFNETLINK interface"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for logging packets via NFNETLINK.

	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
	  and is also scheduled to replace the old syslog-based ipt_LOG
	  and ip6t_LOG modules.

config NF_CONNTRACK
	tristate "Netfilter connection tracking support"
	default m if NETFILTER_ADVANCED=n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out which connection
	  each packet belongs to.

	  This is required to do Masquerading or other kinds of Network
	  Address Translation. It can also be used to enhance packet
	  filtering (see `Connection state match support' below).

	  To compile it as a module, choose M here.  If unsure, say N.

if NF_CONNTRACK

config NF_CONNTRACK_MARK
	bool  'Connection mark tracking support'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match. Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config NF_CONNTRACK_SECMARK
	bool  'Connection tracking security mark support'
	depends on NETWORK_SECMARK
	default y if NETFILTER_ADVANCED=n
	help
	  This option enables security markings to be applied to
	  connections.  Typically they are copied to connections from
	  packets using the CONNSECMARK target and copied back from
	  connections to packets with the same target, with the packets
	  being originally labeled via SECMARK.

	  If unsure, say 'N'.

config NF_CONNTRACK_ZONES
	bool  'Connection tracking zones'
	depends on NETFILTER_ADVANCED
	depends on NETFILTER_XT_TARGET_CT
	help
	  This option enables support for connection tracking zones.
	  Normally, each connection needs to have a unique system wide
	  identity. Connection tracking zones allow multiple connections
	  to share the same identity, as long as they are contained in
	  different zones.

	  If unsure, say `N'.

config NF_CONNTRACK_PROCFS
	bool "Supply CT list in procfs (OBSOLETE)"
	default y
	depends on PROC_FS
	---help---
	  This option enables the list of known conntrack entries
	  to be shown in procfs under net/netfilter/nf_conntrack. This
	  is considered obsolete in favor of using the conntrack(8)
	  tool which uses Netlink.

config NF_CONNTRACK_EVENTS
	bool "Connection tracking events"
	depends on NETFILTER_ADVANCED
	help
	  If this option is enabled, the connection tracking code will
	  provide a notifier chain that can be used by other kernel code
	  to get notified about changes in the connection tracking state.

	  If unsure, say `N'.

config NF_CONNTRACK_TIMEOUT
	bool  'Connection tracking timeout'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for the connection tracking timeout
	  extension. This allows you to attach timeout policies to flows
	  via the CT target.

	  If unsure, say `N'.

config NF_CONNTRACK_TIMESTAMP
	bool  'Connection tracking timestamping'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection tracking timestamping.
	  This allows you to store the flow start-time and to obtain
	  the flow-stop time (once it has been destroyed) via Connection
	  tracking events.

	  If unsure, say `N'.

config NF_CT_PROTO_DCCP
	tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	default IP_DCCP
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on DCCP connections.

	  If unsure, say 'N'.

config NF_CT_PROTO_GRE
	tristate

config NF_CT_PROTO_SCTP
	tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	default IP_SCTP
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on SCTP connections.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NF_CT_PROTO_UDPLITE
	tristate 'UDP-Lite protocol connection tracking support'
	depends on NETFILTER_ADVANCED
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on UDP-Lite
	  connections.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_AMANDA
	tristate "Amanda backup protocol support"
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature.
	  This allows the connection tracking and NAT code to allow the
	  sub-channels that Amanda requires for communication of the backup
	  data, messages and index.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_FTP
	tristate "FTP protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them.

	  This is FTP support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_H323
	tristate "H.323 protocol support"
	depends on (IPV6 || IPV6=n)
	depends on NETFILTER_ADVANCED
	help
	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
	  important VoIP protocols, it is widely used by voice hardware and
	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
	  Gnomemeeting, etc.

	  With this module you can support H.323 on a connection tracking/NAT
	  firewall.

	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
	  whiteboard, file transfer, etc. For more information, please
	  visit http://nath323.sourceforge.net/.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_IRC
	tristate "IRC protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC).  This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server.
	  DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats.  Note that you do NOT need this extension to get files or
	  have others initiate chats, or for everything else in IRC.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_BROADCAST
	tristate

config NF_CONNTRACK_NETBIOS_NS
	tristate "NetBIOS name service protocol support"
	select NF_CONNTRACK_BROADCAST
	help
	  NetBIOS name service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating NetBIOS name service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address. When properly configured, the output
	  of "ip address show" should look similar to this:

	  $ ip -4 address show eth0
	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_SNMP
	tristate "SNMP service protocol support"
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_BROADCAST
	help
	  SNMP service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating SNMP service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_PPTP
	tristate "PPTP protocol support"
	depends on NETFILTER_ADVANCED
	select NF_CT_PROTO_GRE
	help
	  This module adds support for PPTP (Point to Point Tunnelling
	  Protocol, RFC2637) connection tracking and NAT.

	  If you are running PPTP sessions over a stateful firewall or NAT
	  box, you may want to enable this feature.

	  Please note that not all PPTP modes of operation are supported yet.
	  Specifically these limitations exist:
	    - Blindly assumes that control connections are always established
	      in PNS->PAC direction. This is a violation of RFC2637.
	    - Only supports a single call within each session

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_SANE
	tristate "SANE protocol support (EXPERIMENTAL)"
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	help
	  SANE is a protocol for remote access to scanners as implemented
	  by the 'saned' daemon. Like FTP, it uses separate control and
	  data connections.

	  With this module you can support SANE on a connection tracking
	  firewall.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_SIP
	tristate "SIP protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  SIP is an application-layer control protocol that can establish,
	  modify, and terminate multimedia sessions (conferences) such as
	  Internet telephony calls. With the nf_conntrack_sip and
	  the nf_nat_sip modules you can support the protocol on a connection
	  tracking/NATing firewall.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_TFTP
	tristate "TFTP protocol support"
	depends on NETFILTER_ADVANCED
	help
	  TFTP connection tracking helper; whether it is required depends
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADE
	  you will need this.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CT_NETLINK
	tristate 'Connection tracking netlink interface'
	select NETFILTER_NETLINK
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables support for a netlink-based userspace interface
	  to connection tracking, as used by the conntrack(8) tool.

config NF_CT_NETLINK_TIMEOUT
	tristate  'Connection tracking timeout tuning via Netlink'
	select NETFILTER_NETLINK
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection tracking timeout
	  fine-grain tuning. This allows you to attach specific timeout
	  policies to flows, instead of using the global timeout policy.

	  If unsure, say `N'.

endif # NF_CONNTRACK

# transparent proxy support
config NETFILTER_TPROXY
	tristate "Transparent proxying support (EXPERIMENTAL)"
	depends on EXPERIMENTAL
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option enables transparent proxying support, that is,
	  support for handling non-locally bound IPv4 TCP and UDP sockets.
	  For it to work you will have to configure certain iptables rules
	  and use policy routing. For more information on how to set it up
	  see Documentation/networking/tproxy.txt.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XTABLES
	tristate "Netfilter Xtables support (required for ip_tables)"
	default m if NETFILTER_ADVANCED=n
	help
	  This is required if you intend to use any of ip_tables,
	  ip6_tables or arp_tables.

if NETFILTER_XTABLES

comment "Xtables combined modules"

config NETFILTER_XT_MARK
	tristate 'nfmark target and match support'
	default m if NETFILTER_ADVANCED=n
	---help---
	  This option adds the "MARK" target and "mark" match.

	  Netfilter mark matching allows you to match packets based on the
	  "nfmark" value in the packet.
	  The target allows you to create rules in the "mangle" table which alter
	  the netfilter mark (nfmark) field associated with the packet.

	  Prior to routing, the nfmark can influence the routing method (see
	  "Use netfilter MARK value as routing key") and can also be used by
	  other subsystems to change their behavior.

config NETFILTER_XT_CONNMARK
	tristate 'ctmark target and match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	---help---
	  This option adds the "CONNMARK" target and "connmark" match.

	  Netfilter allows you to store a mark value per connection (a.k.a.
	  ctmark), similarly to the packet mark (nfmark). Using this
	  target and match, you can set and match on this mark.

config NETFILTER_XT_SET
	tristate 'set target and match support'
	depends on IP_SET
	depends on NETFILTER_ADVANCED
	help
	  This option adds the "SET" target and "set" match.

	  Using this target and match, you can add/delete and match
	  elements in the sets created by ipset(8).

	  To compile it as a module, choose M here.  If unsure, say N.

# alphabetically ordered list of targets

comment "Xtables targets"

config NETFILTER_XT_TARGET_AUDIT
	tristate "AUDIT target support"
	depends on AUDIT
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an 'AUDIT' target, which can be used to create
	  audit records for packets dropped/accepted.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_CHECKSUM
	tristate "CHECKSUM target support"
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds a `CHECKSUM' target, which can be used in the iptables mangle
	  table.

	  You can use this target to compute and fill in the checksum in
	  a packet that lacks a checksum.  This is particularly useful
	  if you need to work around old applications such as dhcp clients
	  that do not work well with checksum offloads, but don't want to disable
	  checksum offload in your device.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_CLASSIFY
	tristate '"CLASSIFY" target support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet. Some qdiscs can use this value for
	  classification, among these are:

	  atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_CONNMARK
	tristate '"CONNMARK" target support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_CONNMARK
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).

config NETFILTER_XT_TARGET_CONNSECMARK
	tristate '"CONNSECMARK" target support'
	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The CONNSECMARK target copies security markings from packets
	  to connections, and restores security markings from connections
	  to packets (if the packets are not already marked).  This would
	  normally be used in conjunction with the SECMARK target.

	  To compile it as a module, choose M here.  If unsure, say N.
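
# The ruleset that NF_CONNTRACK_SECMARK and the CONNSECMARK help text
# describe, as an added example (it is not part of the kernel's Kconfig
# or the netfilter project's own documentation): SECMARK labels the first
# packet of an inbound SSH connection, CONNSECMARK --save stores that label
# in the conntrack entry, and CONNSECMARK --restore copies it back onto
# every later packet in both directions. The SELinux context string is an
# assumption; use whatever packet type your policy defines. DRY_RUN=1
# prints the rules instead of applying them as root.

```shell
#!/bin/sh
# Added example: SECMARK/CONNSECMARK labelling of SSH server traffic.
# The context below is an assumed SELinux packet type, not a kernel default.
SSH_CTX="${SSH_CTX:-system_u:object_r:ssh_server_packet_t:s0}"

# Print the command instead of executing it when DRY_RUN=1, so the policy
# can be reviewed (or unit-tested) without root and without iptables.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

secmark_policy() {
    # 1. Packets of an already-tracked connection get the connection's label
    #    restored, in both directions, before any SECMARK rule runs. Packets
    #    that already carry a label are left alone, as the help text says.
    run iptables -t mangle -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED \
        -j CONNSECMARK --restore
    run iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED \
        -j CONNSECMARK --restore

    # 2. Label the first packet of a new SSH connection. SECMARK only marks
    #    this packet; nothing is stored in the conntrack entry yet.
    run iptables -t mangle -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
        -j SECMARK --selctx "$SSH_CTX"

    # 3. Copy the packet's label into the connection so that step 1 restores
    #    it for the rest of the flow. NEW packets without a label save an
    #    empty mark, which is harmless.
    run iptables -t mangle -A INPUT -m conntrack --ctstate NEW -j CONNSECMARK --save
}

# Apply only when invoked as "sh secmark.sh apply"; otherwise just define
# the functions so they can be reviewed with DRY_RUN=1.
if [ "${1:-}" = apply ]; then
    secmark_policy
fi
```

# Rule order matters: the --restore rules must come before SECMARK so an
# ESTABLISHED packet is never re-labelled, and --save must come after
# SECMARK so the label being saved is the one just applied.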

config NETFILTER_XT_TARGET_CT
	tristate '"CT" target support'
	depends on NF_CONNTRACK
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CT' target, which allows you to specify initial
	  connection tracking parameters like events to be delivered and
	  the helper to be used.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_DSCP
	tristate '"DSCP" and "TOS" target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' target, which allows you to manipulate
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It also adds the "TOS" target, which allows you to create rules in
	  the "mangle" table which alter the Type Of Service field of an IPv4
	  or the Priority field of an IPv6 packet, prior to routing.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
	  targets, which enable the user to change the
	  hoplimit/time-to-live value of the IP header.

	  While it is safe to decrement the hoplimit/TTL value, the
	  modules also allow you to increment and set the hoplimit value of
	  the header to arbitrary values. This is EXTREMELY DANGEROUS
	  since you can easily create immortal packets that loop
	  forever on the network.

config NETFILTER_XT_TARGET_IDLETIMER
	tristate  "IDLETIMER target support"
	depends on NETFILTER_ADVANCED
	help
	  This option adds the `IDLETIMER' target.  Each matching packet
	  resets the timer associated with the label specified when the rule is
	  added.
	  When the timer expires, it triggers a sysfs notification.
	  The remaining time for expiration can be read via sysfs.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_LED
	tristate '"LED" target support'
	depends on LEDS_CLASS && LEDS_TRIGGERS
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `LED' target, which allows you to blink LEDs in
	  response to particular packets passing through your machine.

	  This can be used to turn a spare LED into a network activity LED,
	  which only flashes in response to FTP transfers, for example.  Or
	  you could have an LED which lights up for a minute or two every time
	  somebody connects to your machine via SSH.

	  You will need support for the "led" class to make this work.

	  To create an LED trigger for incoming SSH traffic:
	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000

	  Then attach the new trigger to an LED on your system:
	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger

	  For more information on the LEDs available on your system, see
	  Documentation/leds/leds-class.txt

config NETFILTER_XT_TARGET_LOG
	tristate "LOG target support"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which records the packet header to the syslog.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_MARK
	tristate '"MARK" target support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MARK
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).

config NETFILTER_XT_TARGET_NFLOG
	tristate '"NFLOG" target support'
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK_LOG
	help
	  This option enables the NFLOG target, which allows you to log
	  packets to userspace through nfnetlink_log.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_NFQUEUE
	tristate '"NFQUEUE" target support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK_QUEUE
	help
	  This target replaces the old, obsolete QUEUE target.

	  As opposed to QUEUE, it supports 65535 different queues,
	  not just one.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_NOTRACK
	tristate  '"NOTRACK" target support'
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NF_CONNTRACK
	help
	  The NOTRACK target allows a rule to select which packets
	  do *not* enter the conntrack/NAT subsystem, with all the
	  consequences (no ICMP error tracking, no protocol helpers
	  for the selected packets).

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_TARGET_RATEEST
	tristate '"RATEEST" target support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `RATEEST' target, which allows you to measure
	  rates similar to TC estimators. The `rateest' match can be
	  used to match on the measured rates.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_TEE
	tristate '"TEE" - packet cloning to alternate destination'
	depends on NETFILTER_ADVANCED
	depends on (IPV6 || IPV6=n)
	depends on !NF_CONNTRACK || NF_CONNTRACK
	---help---
	  This option adds a "TEE" target with which a packet can be cloned and
	  the clone rerouted to another nexthop.
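
# The "certain iptables rules" and policy routing that the NETFILTER_TPROXY
# help text above refers to, and an instance of the MARK target steering
# routing "prior to routing" as its help text says, as an added example
# (not the kernel's own code and not taken from tproxy.txt): inbound TCP
# port 80 is diverted to a transparent proxy bound to port 3129 with the
# IP_TRANSPARENT socket option. The proxy port, mark value and routing
# table number are assumptions; the "socket" match used in the DIVERT chain
# is a separate Xtables match not shown in this part of the file. DRY_RUN=1
# prints the commands instead of running them as root.

```shell
#!/bin/sh
# Added example: TPROXY diversion with fwmark-based policy routing.
# All three values are assumptions chosen for the example.
PROXY_PORT="${PROXY_PORT:-3129}"
TPROXY_MARK="${TPROXY_MARK:-0x1}"
TPROXY_TABLE="${TPROXY_TABLE:-100}"

# Print the command instead of executing it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

tproxy_policy() {
    # Policy routing: a packet carrying the mark is looked up in a table whose
    # only route says "deliver locally". That is what lets a socket bound to a
    # non-local address (IP_TRANSPARENT) receive the packet at all.
    run ip rule add fwmark "$TPROXY_MARK" lookup "$TPROXY_TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$TPROXY_TABLE"

    # Packets that already belong to a socket the proxy owns only need the
    # mark, so the rule above keeps delivering them locally; TPROXY itself is
    # not needed for them. MARK here is used purely as a routing key.
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark "$TPROXY_MARK"
    run iptables -t mangle -A DIVERT -j ACCEPT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

    # New connections to port 80: hand them to the proxy port and set the mark
    # in one step. TPROXY lives only in PREROUTING of the mangle table and,
    # unlike REDIRECT, rewrites no addresses and needs no conntrack/NAT; the
    # proxy sees the client's real source and destination.
    run iptables -t mangle -A PREROUTING -p tcp --dport 80 \
        -j TPROXY --tproxy-mark "$TPROXY_MARK/$TPROXY_MARK" --on-port "$PROXY_PORT"
}

if [ "${1:-}" = apply ]; then
    tproxy_policy
fi
```

# Without the "ip route add local" entry the marked packets would be
# forwarded (or dropped) rather than delivered to the proxy, and without
# IP_TRANSPARENT on the proxy's listening socket the kernel would refuse
# to hand it packets addressed to a foreign destination.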

config NETFILTER_XT_TARGET_TPROXY
	tristate '"TPROXY" target support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_TPROXY
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
	help
	  This option adds a `TPROXY' target, which is somewhat similar to
	  REDIRECT.  It can only be used in the mangle table and is useful
	  to redirect traffic to a transparent proxy.  It does _not_ depend
	  on Netfilter connection tracking and NAT, unlike REDIRECT.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_TRACE
	tristate  '"TRACE" target support'
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	help
	  The TRACE target allows you to mark packets so that the kernel
	  will log every rule which matches the packets as they traverse
	  the tables, chains and rules.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_TARGET_SECMARK
	tristate '"SECMARK" target support'
	depends on NETWORK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The SECMARK target allows security marking of network
	  packets, for use with security subsystems.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_TCPMSS
	tristate '"TCPMSS" target support'
	depends on (IPV6 || IPV6=n)
	default m if NETFILTER_ADVANCED=n
	---help---
	  This option adds a `TCPMSS' target, which allows you to alter the
	  MSS value of TCP SYN packets, to control the maximum size for that
	  connection (usually limiting it to your outgoing interface's MTU
	  minus 40).

	  This is used to overcome criminally braindead ISPs or servers which
	  block ICMP Fragmentation Needed packets.
	  The symptoms of this
	  problem are that everything works fine from your Linux
	  firewall/router, but machines behind it can never exchange large
	  packets:
	    1) Web browsers connect, then hang with no data received.
	    2) Small mail works fine, but large emails hang.
	    3) ssh works fine, but scp hangs after initial handshaking.

	  Workaround: activate this option and add a rule to your firewall
	  configuration like:

	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
		 -j TCPMSS --clamp-mss-to-pmtu

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_TCPOPTSTRIP
	tristate '"TCPOPTSTRIP" target support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
	  TCP options from TCP packets.

# alphabetically ordered list of matches

comment "Xtables matches"

config NETFILTER_XT_MATCH_ADDRTYPE
	tristate '"addrtype" address type match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This option allows you to match what routing thinks of an address,
	  eg. UNICAST, LOCAL, BROADCAST, ...

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_CLUSTER
	tristate '"cluster" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	---help---
	  This option allows you to build work-load-sharing clusters of
	  network servers/stateful firewalls without having a dedicated
	  load-balancing router/server/switch. Basically, this match returns
	  true when the packet must be handled by this cluster node. Thus,
	  all nodes see all packets and this match decides which node handles
	  what packets. The work-load sharing algorithm is based on source
	  address hashing.

	  If you say Y or M here, try `iptables -m cluster --help` for
	  more information.

config NETFILTER_XT_MATCH_COMMENT
	tristate  '"comment" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `comment' dummy-match, which allows you to put
	  comments in your iptables ruleset.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNBYTES
	tristate  '"connbytes" per-connection counter match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `connbytes' match, which allows you to match the
	  number of bytes and/or packets for each direction within a connection.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNLIMIT
	tristate '"connlimit" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	---help---
	  This match allows you to match against the number of parallel
	  connections to a server per client IP address (or address block).

config NETFILTER_XT_MATCH_CONNMARK
	tristate  '"connmark" connection mark match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_CONNMARK
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).

config NETFILTER_XT_MATCH_CONNTRACK
	tristate '"conntrack" connection tracking match support'
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  This is a general conntrack match module, a superset of the state match.
769 770 It allows matching on additional conntrack information, which is 771 useful in complex configurations, such as NAT gateways with multiple 772 internet links or tunnels. 773 774 To compile it as a module, choose M here. If unsure, say N. 775 776config NETFILTER_XT_MATCH_CPU 777 tristate '"cpu" match support' 778 depends on NETFILTER_ADVANCED 779 help 780 CPU matching allows you to match packets based on the CPU 781 currently handling the packet. 782 783 To compile it as a module, choose M here. If unsure, say N. 784 785config NETFILTER_XT_MATCH_DCCP 786 tristate '"dccp" protocol match support' 787 depends on NETFILTER_ADVANCED 788 default IP_DCCP 789 help 790 With this option enabled, you will be able to use the iptables 791 `dccp' match in order to match on DCCP source/destination ports 792 and DCCP flags. 793 794 If you want to compile it as a module, say M here and read 795 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 796 797config NETFILTER_XT_MATCH_DEVGROUP 798 tristate '"devgroup" match support' 799 depends on NETFILTER_ADVANCED 800 help 801 This options adds a `devgroup' match, which allows to match on the 802 device group a network device is assigned to. 803 804 To compile it as a module, choose M here. If unsure, say N. 805 806config NETFILTER_XT_MATCH_DSCP 807 tristate '"dscp" and "tos" match support' 808 depends on NETFILTER_ADVANCED 809 help 810 This option adds a `DSCP' match, which allows you to match against 811 the IPv4/IPv6 header DSCP field (differentiated services codepoint). 812 813 The DSCP field can have any value between 0x0 and 0x3f inclusive. 814 815 It will also add a "tos" match, which allows you to match packets 816 based on the Type Of Service fields of the IPv4 packet (which share 817 the same bits as DSCP). 818 819 To compile it as a module, choose M here. If unsure, say N. 

config NETFILTER_XT_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an "ECN" match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_ESP
	tristate '"esp" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the ESP header of IPsec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_HASHLIMIT
	tristate '"hashlimit" match support'
	depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `hashlimit' match.

	  As opposed to `limit', this match dynamically creates a hash table
	  of limit buckets, based on your selection of source/destination
	  addresses and/or ports.

	  It enables you to express policies like `10kpps for any given
	  destination address' or `500pps from any given source address'
	  with a single rule.

config NETFILTER_XT_MATCH_HELPER
	tristate '"helper" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack helper, e.g. nf_conntrack_ftp.

	  To compile it as a module, choose M here.  If unsure, say Y.

config NETFILTER_XT_MATCH_HL
	tristate '"hl" hoplimit/TTL match support'
	depends on NETFILTER_ADVANCED
	---help---
	  HL matching allows you to match packets based on the hoplimit
	  in the IPv6 header, or the time-to-live field in the IPv4
	  header of the packet.
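
# The helper machinery described above in one ruleset, as an added example
# (not the kernel's own code): NF_CONNTRACK_FTP's helper is bound to a
# single control port with the CT target in the raw table instead of being
# picked by port number for every host, the data channels it expects are
# admitted only as RELATED and only when the "helper" match confirms the FTP
# helper created the expectation, the "conntrack" match does the rest of
# the state policy, and NOTRACK keeps a high-volume flow out of the
# conntrack table. The interface names and server address are assumptions.
# DRY_RUN=1 prints the rules instead of applying them as root.

```shell
#!/bin/sh
# Added example: explicit helper assignment with CT, state filtering with
# conntrack/helper, and NOTRACK for DNS. Names and addresses are assumed.
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
FTP_SERVER="${FTP_SERVER:-192.0.2.10}"

# Print the command instead of executing it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

helper_policy() {
    # The raw table runs before conntrack, so per-flow tracking parameters
    # are chosen here. Only control connections to our FTP server get the
    # helper; it then parses PORT/PASV and registers expectations for the
    # data channel. No other flow can make the helper open anything.
    run iptables -t raw -A PREROUTING -i "$WAN" -p tcp -d "$FTP_SERVER" --dport 21 \
        -j CT --helper ftp

    # DNS needs no state and would otherwise fill the conntrack table under
    # load: exempt queries and replies. They show up as UNTRACKED later, never
    # as RELATED, and get no ICMP error tracking.
    run iptables -t raw -A PREROUTING -p udp --dport 53 -j NOTRACK
    run iptables -t raw -A PREROUTING -p udp --sport 53 -j NOTRACK

    # filter table: default deny, then admit by state.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT

    # RELATED alone would also admit flows expected by any other helper; the
    # helper match narrows it to expectations whose master connection is
    # tracked by the FTP helper, in either direction (active or passive mode).
    run iptables -A FORWARD -p tcp -m conntrack --ctstate RELATED -m helper --helper ftp \
        -j ACCEPT

    # New FTP control connections from the outside to the server.
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$FTP_SERVER" --dport 21 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Untracked DNS has to be passed explicitly in both directions, since the
    # ESTABLISHED rule above will never see it.
    run iptables -A FORWARD -p udp --dport 53 -m conntrack --ctstate UNTRACKED -j ACCEPT
    run iptables -A FORWARD -p udp --sport 53 -m conntrack --ctstate UNTRACKED -j ACCEPT
}

if [ "${1:-}" = apply ]; then
    helper_policy
fi
```

# With the policy applied, "conntrack -L" (the tool the NF_CONNTRACK_PROCFS
# help text recommends) shows the control connection with helper=ftp, and
# "conntrack -L expect" shows the expectation the helper created once the
# client has sent PORT or received a PASV reply.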

config NETFILTER_XT_MATCH_IPRANGE
	tristate '"iprange" address range match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an "iprange" match, which allows you to match based on
	  an IP address range. (Normal iptables only matches on single addresses
	  with an optional mask.)

	  If unsure, say M.

config NETFILTER_XT_MATCH_IPVS
	tristate '"ipvs" match support'
	depends on IP_VS
	depends on NETFILTER_ADVANCED
	depends on NF_CONNTRACK
	help
	  This option allows you to match against IPVS properties of a packet.

	  If unsure, say N.

config NETFILTER_XT_MATCH_LENGTH
	tristate '"length" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_LIMIT
	tristate '"limit" match support'
	depends on NETFILTER_ADVANCED
	help
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", below) and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MAC
	tristate '"mac" address match support'
	depends on NETFILTER_ADVANCED
	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MARK
	tristate '"mark" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MARK
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
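The `hashlimit' and `limit' help texts above describe the same token-bucket idea with one difference: `limit' keeps a single bucket for the whole rule, `hashlimit' keeps one bucket per key (source address, destination address and/or port). The model below is an added example, not code from the kernel's xt_limit or xt_hashlimit modules. It keeps credits as integers in thousandths of a packet and time in milliseconds, so the arithmetic is exact; the traffic stream, the host names A and B, and the `RateLimiter`/`Bucket` names are constructed for the illustration. The iptables options quoted in the docstrings are the real ones the two matches accept.

```python
"""Token-bucket model of the netfilter `limit' and `hashlimit' matches.

Added example, not kernel code.  `limit' keeps a single bucket for the
whole rule; `hashlimit' keeps one bucket per key (here: per source
address), created on the first packet that maps to it.  Credits are
integers in thousandths of a packet and timestamps are milliseconds,
so every step below is exact integer arithmetic.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Hashable, List, Optional, Tuple

CREDIT_PER_PKT = 1000  # one match costs 1000 credits (= 1.000 packets)


@dataclass
class Bucket:
    credit: int   # credits currently available
    last_ms: int  # time of the last refill


@dataclass
class RateLimiter:
    rate_pps: int                                        # steady-state matches per second
    burst: int                                           # bucket capacity, in packets
    key_fn: Optional[Callable[[dict], Hashable]] = None  # None -> `limit' semantics
    buckets: Dict[Hashable, Bucket] = field(default_factory=dict)

    def matches(self, pkt: dict, now_ms: int) -> bool:
        """Return True if the rule may match this packet (a credit was available)."""
        key = self.key_fn(pkt) if self.key_fn else None
        cap = self.burst * CREDIT_PER_PKT
        b = self.buckets.get(key)
        if b is None:
            # First packet for this key: the bucket is created full.
            b = self.buckets[key] = Bucket(credit=cap, last_ms=now_ms)
        else:
            # rate_pps packets/s equals rate_pps credits/ms at 1000 credits per packet.
            b.credit = min(cap, b.credit + (now_ms - b.last_ms) * self.rate_pps)
            b.last_ms = now_ms
        if b.credit >= CREDIT_PER_PKT:
            b.credit -= CREDIT_PER_PKT
            return True
        return False


# Constructed traffic: host A sends a burst, host B sends two packets in between.
PACKETS: List[Tuple[str, int]] = [
    ("A", 0), ("A", 100), ("A", 200), ("A", 300),
    ("B", 300),
    ("A", 1000), ("A", 1500),
    ("B", 1500),
]


def simulate(limiter: RateLimiter) -> List[bool]:
    return [limiter.matches({"src": src}, t) for src, t in PACKETS]


def limit_results() -> List[bool]:
    """`-m limit --limit 1/s --limit-burst 3`: one bucket shared by all senders."""
    return simulate(RateLimiter(rate_pps=1, burst=3))


def hashlimit_results() -> List[bool]:
    """`-m hashlimit --hashlimit-mode srcip --hashlimit-upto 1/s --hashlimit-burst 3`."""
    return simulate(RateLimiter(rate_pps=1, burst=3, key_fn=lambda p: p["src"]))


if __name__ == "__main__":
    for name, res in (("limit", limit_results()), ("hashlimit", hashlimit_results())):
        print(f"{name:9s}", " ".join("match" if m else "-----" for m in res))
```

With the shared bucket, A's burst at t=0..300 ms exhausts the credit and B's packet at 300 ms is refused along with A's; with per-source buckets B keeps its own budget, which is the property that makes `hashlimit' the better choice in front of a LOG target when one noisy source must not silence logging for everyone else.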

config NETFILTER_XT_MATCH_MULTIPORT
	tristate '"multiport" Multiple port match support'
	depends on NETFILTER_ADVANCED
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_NFACCT
	tristate '"nfacct" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK_ACCT
	help
	  This option allows you to use the extended accounting through
	  nfnetlink_acct.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_OSF
	tristate '"osf" Passive OS fingerprint match'
	depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
	help
	  This option selects the Passive OS Fingerprinting match module
	  that allows you to passively match the remote operating system by
	  analyzing incoming TCP SYN packets.

	  Rules and loading software can be downloaded from
	  http://www.ioremap.net/projects/osf

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_OWNER
	tristate '"owner" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  Socket owner matching allows you to match locally-generated packets
	  based on who created the socket: the user or group. It is also
	  possible to check whether a socket actually exists.

config NETFILTER_XT_MATCH_POLICY
	tristate 'IPsec "policy" match support'
	depends on XFRM
	default m if NETFILTER_ADVANCED=n
	help
	  Policy matching allows you to match packets based on the
	  IPsec policy that was used during decapsulation/will
	  be used during encapsulation.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_PHYSDEV
	tristate '"physdev" match support'
	depends on BRIDGE && BRIDGE_NETFILTER
	depends on NETFILTER_ADVANCED
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_PKTTYPE
	tristate '"pkttype" packet type match support'
	depends on NETFILTER_ADVANCED
	help
	  Packet type matching allows you to match a packet by
	  its "class", e.g. BROADCAST, MULTICAST, ...

	  Typical usage:
	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_QUOTA
	tristate '"quota" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `quota' match, which allows you to match on a
	  byte counter.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_RATEEST
	tristate '"rateest" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_RATEEST
	help
	  This option adds a `rateest' match, which allows you to match on the
	  rate estimated by the RATEEST target.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_REALM
	tristate '"realm" match support'
	depends on NETFILTER_ADVANCED
	select IP_ROUTE_CLASSID
	help
	  This option adds a `realm' match, which allows you to use the realm
	  key from the routing subsystem inside iptables.

	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
	  in the tc world.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_RECENT
	tristate '"recent" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'
	  Official Website: <http://snowman.net/projects/ipt_recent/>

config NETFILTER_XT_MATCH_SCTP
	tristate '"sctp" protocol match support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	default IP_SCTP
	help
	  With this option enabled, you will be able to use the
	  `sctp' match in order to match on SCTP source/destination ports
	  and SCTP chunk types.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_SOCKET
	tristate '"socket" match support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_TPROXY
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
	help
	  This option adds a `socket' match, which can be used to match
	  packets for which a TCP or UDP socket lookup finds a valid socket.
	  It can be used in combination with the MARK target and policy
	  routing to implement full featured non-locally bound sockets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STATE
	tristate '"state" match support'
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (i.e. previous packets). This
	  is a powerful tool for packet classification.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STATISTIC
	tristate '"statistic" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `statistic' match, which allows you to match
	  on packets periodically or randomly with a given percentage.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STRING
	tristate '"string" match support'
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	select TEXTSEARCH_BM
	select TEXTSEARCH_FSM
	help
	  This option adds a `string' match, which allows you to look for
	  patterns in packets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_TCPMSS
	tristate '"tcpmss" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS value of TCP SYN packets, which controls the maximum packet size
	  for that connection.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_TIME
	tristate '"time" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds a "time" match, which allows you to match based on
	  the packet arrival time (at the machine on which netfilter is
	  running) or departure time/date (for locally generated packets).

	  If you say Y here, try `iptables -m time --help` for
	  more information.

	  If you want to compile it as a module, say M here.
	  If unsure, say N.

config NETFILTER_XT_MATCH_U32
	tristate '"u32" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  u32 allows you to extract quantities of up to 4 bytes from a packet,
	  AND them with specified masks, shift them by specified amounts and
	  test whether the results are in any of a set of specified ranges.
	  The specification of what to extract is general enough to skip over
	  headers with lengths stored in the packet, as in IP or TCP header
	  lengths.

	  Details and examples are in the kernel module source.

endif # NETFILTER_XTABLES

endmenu

source "net/netfilter/ipset/Kconfig"

source "net/netfilter/ipvs/Kconfig"
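The `u32' help text above says the extraction rules can skip over headers whose length is stored in the packet, and points to the module source for examples. The following is an added example, not the xt_u32 module: a Python model of the match's evaluation loop (load four bytes, apply a chain of AND/shift/"at" operations, then test the result against a list of inclusive ranges, all tests having to pass). The op names `load`, `and`, `lsh`, `rsh`, `at`, the `u32_match`/`evaluate` helpers and the sample IPv4 packets (with zero checksums) are constructed for this illustration; the byte offsets and the `0>>22&0x3C` trick for the IPv4 header length are the standard ones the match is used with.

```python
"""Model of the netfilter `u32' match evaluation (added example, not xt_u32 source).

Each test is a short program: load 4 bytes at an offset, then apply a chain
of operations (`and`, `lsh`, `rsh`, `at`), then check the result against a
list of inclusive ranges.  `at` adds the current value to the base offset
and loads again relative to it, which is how a test skips over a
variable-length header such as IPv4 options.  A read past the end of the
packet makes the test fail instead of raising.
"""
import struct
from typing import Dict, List, Optional, Sequence, Tuple

Op = Tuple[str, int]
Test = Tuple[Sequence[Op], Sequence[Tuple[int, int]]]


def read_u32(pkt: bytes, off: int) -> Optional[int]:
    """Big-endian 32-bit load; None if the 4 bytes are not inside the packet."""
    if off < 0 or off + 4 > len(pkt):
        return None
    return int.from_bytes(pkt[off:off + 4], "big")


def u32_match(pkt: bytes, tests: Sequence[Test]) -> bool:
    """All tests must pass for the packet to match."""
    for ops, ranges in tests:
        at = 0
        kind, pos = ops[0]
        if kind != "load":
            raise ValueError("a test must start with a load")
        val = read_u32(pkt, pos)
        if val is None:
            return False
        for kind, number in ops[1:]:
            if kind == "and":
                val &= number
            elif kind == "lsh":
                val = (val << number) & 0xFFFFFFFF   # results stay 32-bit
            elif kind == "rsh":
                val >>= number
            elif kind == "at":
                at += val                            # current value becomes the new base
                val = read_u32(pkt, at + number)
                if val is None:
                    return False
            else:
                raise ValueError(f"unknown op {kind!r}")
        if not any(lo <= val <= hi for lo, hi in ranges):
            return False
    return True


# --- constructed sample packets (checksums left zero; u32 does not verify them) ---
def ipv4_packet(proto: int, l4: bytes, options: bytes = b"") -> bytes:
    ihl = 5 + len(options) // 4
    total = ihl * 4 + len(l4)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + options + l4


def l4_header(sport: int, dport: int) -> bytes:
    return struct.pack("!HH", sport, dport) + b"\x00" * 16


SAMPLES: Dict[str, bytes] = {
    "tcp_443":           ipv4_packet(6, l4_header(40000, 443)),
    "tcp_443_with_opts": ipv4_packet(6, l4_header(40000, 443), options=b"\x01" * 8),
    "udp_443":           ipv4_packet(17, l4_header(40000, 443)),
    "truncated":         ipv4_packet(6, l4_header(40000, 443))[:22],
}

# Bytes 0..3 of IPv4 >> 22 leaves version|IHL|two TOS bits; & 0x3C isolates IHL*4,
# i.e. the header length in bytes.
IHL_BYTES: List[Op] = [("load", 0), ("rsh", 22), ("and", 0x3C)]

# "TCP to port 443", header-length aware: protocol byte == 6 AND dport at IHL+2 == 443.
TCP_DPORT_443: List[Test] = [
    ([("load", 8), ("rsh", 16), ("and", 0xFF)], [(6, 6)]),
    (IHL_BYTES + [("at", 0), ("and", 0xFFFF)], [(443, 443)]),
]

# Same intent with a fixed offset of 20: wrong whenever IPv4 options are present.
NAIVE_DPORT_443: List[Test] = [([("load", 20), ("and", 0xFFFF)], [(443, 443)])]


def evaluate(tests: Sequence[Test]) -> Dict[str, bool]:
    return {name: u32_match(pkt, tests) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    print("header-aware:", evaluate(TCP_DPORT_443))
    print("fixed offset:", evaluate(NAIVE_DPORT_443))
```

The fixed-offset variant reads the first option bytes as the port when the header carries options, and it also accepts the UDP packet because it never checks the protocol field; the header-aware variant gets both right and fails closed on the truncated packet. The same failure modes apply to any hand-written byte-offset rule, which is why tests on `u32' rules should include packets with options and packets shorter than the offsets the rule touches.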