1menu "Core Netfilter Configuration" 2 depends on NET && INET && NETFILTER 3 4config NETFILTER_NETLINK 5 tristate 6 7config NETFILTER_NETLINK_QUEUE 8 tristate "Netfilter NFQUEUE over NFNETLINK interface" 9 depends on NETFILTER_ADVANCED 10 select NETFILTER_NETLINK 11 help 12 If this option is enabled, the kernel will include support 13 for queueing packets via NFNETLINK. 14 15config NETFILTER_NETLINK_LOG 16 tristate "Netfilter LOG over NFNETLINK interface" 17 default m if NETFILTER_ADVANCED=n 18 select NETFILTER_NETLINK 19 help 20 If this option is enabled, the kernel will include support 21 for logging packets via NFNETLINK. 22 23 This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms, 24 and is also scheduled to replace the old syslog-based ipt_LOG 25 and ip6t_LOG modules. 26 27config NF_CONNTRACK 28 tristate "Netfilter connection tracking support" 29 default m if NETFILTER_ADVANCED=n 30 help 31 Connection tracking keeps a record of what packets have passed 32 through your machine, in order to figure out how they are related 33 into connections. 34 35 This is required to do Masquerading or other kinds of Network 36 Address Translation. It can also be used to enhance packet 37 filtering (see `Connection state match support' below). 38 39 To compile it as a module, choose M here. If unsure, say N. 40 41if NF_CONNTRACK 42 43config NF_CONNTRACK_MARK 44 bool 'Connection mark tracking support' 45 depends on NETFILTER_ADVANCED 46 help 47 This option enables support for connection marks, used by the 48 `CONNMARK' target and `connmark' match. Similar to the mark value 49 of packets, but this mark value is kept in the conntrack session 50 instead of the individual packets. 51 52config NF_CONNTRACK_SECMARK 53 bool 'Connection tracking security mark support' 54 depends on NETWORK_SECMARK 55 default m if NETFILTER_ADVANCED=n 56 help 57 This option enables security markings to be applied to 58 connections. Typically they are copied to connections from 59 packets using the CONNSECMARK target and copied back from 60 connections to packets with the same target, with the packets 61 being originally labeled via SECMARK. 62 63 If unsure, say 'N'. 64 65config NF_CONNTRACK_ZONES 66 bool 'Connection tracking zones' 67 depends on NETFILTER_ADVANCED 68 depends on NETFILTER_XT_TARGET_CT 69 help 70 This option enables support for connection tracking zones. 71 Normally, each connection needs to have a unique system wide 72 identity. Connection tracking zones allow to have multiple 73 connections using the same identity, as long as they are 74 contained in different zones. 75 76 If unsure, say `N'. 77 78config NF_CONNTRACK_EVENTS 79 bool "Connection tracking events" 80 depends on NETFILTER_ADVANCED 81 help 82 If this option is enabled, the connection tracking code will 83 provide a notifier chain that can be used by other kernel code 84 to get notified about changes in the connection tracking state. 85 86 If unsure, say `N'. 87 88config NF_CONNTRACK_TIMESTAMP 89 bool 'Connection tracking timestamping' 90 depends on NETFILTER_ADVANCED 91 help 92 This option enables support for connection tracking timestamping. 93 This allows you to store the flow start-time and to obtain 94 the flow-stop time (once it has been destroyed) via Connection 95 tracking events. 96 97 If unsure, say `N'. 98 99config NF_CT_PROTO_DCCP 100 tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)' 101 depends on EXPERIMENTAL 102 depends on NETFILTER_ADVANCED 103 default IP_DCCP 104 help 105 With this option enabled, the layer 3 independent connection 106 tracking code will be able to do state tracking on DCCP connections. 107 108 If unsure, say 'N'. 109 110config NF_CT_PROTO_GRE 111 tristate 112 113config NF_CT_PROTO_SCTP 114 tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)' 115 depends on EXPERIMENTAL 116 depends on NETFILTER_ADVANCED 117 default IP_SCTP 118 help 119 With this option enabled, the layer 3 independent connection 120 tracking code will be able to do state tracking on SCTP connections. 121 122 If you want to compile it as a module, say M here and read 123 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 124 125config NF_CT_PROTO_UDPLITE 126 tristate 'UDP-Lite protocol connection tracking support' 127 depends on NETFILTER_ADVANCED 128 help 129 With this option enabled, the layer 3 independent connection 130 tracking code will be able to do state tracking on UDP-Lite 131 connections. 132 133 To compile it as a module, choose M here. If unsure, say N. 134 135config NF_CONNTRACK_AMANDA 136 tristate "Amanda backup protocol support" 137 depends on NETFILTER_ADVANCED 138 select TEXTSEARCH 139 select TEXTSEARCH_KMP 140 help 141 If you are running the Amanda backup package <http://www.amanda.org/> 142 on this machine or machines that will be MASQUERADED through this 143 machine, then you may want to enable this feature. This allows the 144 connection tracking and natting code to allow the sub-channels that 145 Amanda requires for communication of the backup data, messages and 146 index. 147 148 To compile it as a module, choose M here. If unsure, say N. 149 150config NF_CONNTRACK_FTP 151 tristate "FTP protocol support" 152 default m if NETFILTER_ADVANCED=n 153 help 154 Tracking FTP connections is problematic: special helpers are 155 required for tracking them, and doing masquerading and other forms 156 of Network Address Translation on them. 157 158 This is FTP support on Layer 3 independent connection tracking. 159 Layer 3 independent connection tracking is experimental scheme 160 which generalize ip_conntrack to support other layer 3 protocols. 161 162 To compile it as a module, choose M here. If unsure, say N. 163 164config NF_CONNTRACK_H323 165 tristate "H.323 protocol support" 166 depends on (IPV6 || IPV6=n) 167 depends on NETFILTER_ADVANCED 168 help 169 H.323 is a VoIP signalling protocol from ITU-T. As one of the most 170 important VoIP protocols, it is widely used by voice hardware and 171 software including voice gateways, IP phones, Netmeeting, OpenPhone, 172 Gnomemeeting, etc. 173 174 With this module you can support H.323 on a connection tracking/NAT 175 firewall. 176 177 This module supports RAS, Fast Start, H.245 Tunnelling, Call 178 Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat, 179 whiteboard, file transfer, etc. For more information, please 180 visit http://nath323.sourceforge.net/. 181 182 To compile it as a module, choose M here. If unsure, say N. 183 184config NF_CONNTRACK_IRC 185 tristate "IRC protocol support" 186 default m if NETFILTER_ADVANCED=n 187 help 188 There is a commonly-used extension to IRC called 189 Direct Client-to-Client Protocol (DCC). This enables users to send 190 files to each other, and also chat to each other without the need 191 of a server. DCC Sending is used anywhere you send files over IRC, 192 and DCC Chat is most commonly used by Eggdrop bots. If you are 193 using NAT, this extension will enable you to send files and initiate 194 chats. Note that you do NOT need this extension to get files or 195 have others initiate chats, or everything else in IRC. 196 197 To compile it as a module, choose M here. If unsure, say N. 198 199config NF_CONNTRACK_BROADCAST 200 tristate 201 202config NF_CONNTRACK_NETBIOS_NS 203 tristate "NetBIOS name service protocol support" 204 depends on NETFILTER_ADVANCED 205 select NF_CONNTRACK_BROADCAST 206 help 207 NetBIOS name service requests are sent as broadcast messages from an 208 unprivileged port and responded to with unicast messages to the 209 same port. This make them hard to firewall properly because connection 210 tracking doesn't deal with broadcasts. This helper tracks locally 211 originating NetBIOS name service requests and the corresponding 212 responses. It relies on correct IP address configuration, specifically 213 netmask and broadcast address. When properly configured, the output 214 of "ip address show" should look similar to this: 215 216 $ ip -4 address show eth0 217 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000 218 inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0 219 220 To compile it as a module, choose M here. If unsure, say N. 221 222config NF_CONNTRACK_SNMP 223 tristate "SNMP service protocol support" 224 depends on NETFILTER_ADVANCED 225 select NF_CONNTRACK_BROADCAST 226 help 227 SNMP service requests are sent as broadcast messages from an 228 unprivileged port and responded to with unicast messages to the 229 same port. This make them hard to firewall properly because connection 230 tracking doesn't deal with broadcasts. This helper tracks locally 231 originating SNMP service requests and the corresponding 232 responses. It relies on correct IP address configuration, specifically 233 netmask and broadcast address. 234 235 To compile it as a module, choose M here. If unsure, say N. 236 237config NF_CONNTRACK_PPTP 238 tristate "PPtP protocol support" 239 depends on NETFILTER_ADVANCED 240 select NF_CT_PROTO_GRE 241 help 242 This module adds support for PPTP (Point to Point Tunnelling 243 Protocol, RFC2637) connection tracking and NAT. 244 245 If you are running PPTP sessions over a stateful firewall or NAT 246 box, you may want to enable this feature. 247 248 Please note that not all PPTP modes of operation are supported yet. 249 Specifically these limitations exist: 250 - Blindly assumes that control connections are always established 251 in PNS->PAC direction. This is a violation of RFC2637. 252 - Only supports a single call within each session 253 254 To compile it as a module, choose M here. If unsure, say N. 255 256config NF_CONNTRACK_SANE 257 tristate "SANE protocol support (EXPERIMENTAL)" 258 depends on EXPERIMENTAL 259 depends on NETFILTER_ADVANCED 260 help 261 SANE is a protocol for remote access to scanners as implemented 262 by the 'saned' daemon. Like FTP, it uses separate control and 263 data connections. 264 265 With this module you can support SANE on a connection tracking 266 firewall. 267 268 To compile it as a module, choose M here. If unsure, say N. 269 270config NF_CONNTRACK_SIP 271 tristate "SIP protocol support" 272 default m if NETFILTER_ADVANCED=n 273 help 274 SIP is an application-layer control protocol that can establish, 275 modify, and terminate multimedia sessions (conferences) such as 276 Internet telephony calls. With the ip_conntrack_sip and 277 the nf_nat_sip modules you can support the protocol on a connection 278 tracking/NATing firewall. 279 280 To compile it as a module, choose M here. If unsure, say N. 281 282config NF_CONNTRACK_TFTP 283 tristate "TFTP protocol support" 284 depends on NETFILTER_ADVANCED 285 help 286 TFTP connection tracking helper, this is required depending 287 on how restrictive your ruleset is. 288 If you are using a tftp client behind -j SNAT or -j MASQUERADING 289 you will need this. 290 291 To compile it as a module, choose M here. If unsure, say N. 292 293config NF_CT_NETLINK 294 tristate 'Connection tracking netlink interface' 295 select NETFILTER_NETLINK 296 default m if NETFILTER_ADVANCED=n 297 help 298 This option enables support for a netlink-based userspace interface 299 300endif # NF_CONNTRACK 301 302# transparent proxy support 303config NETFILTER_TPROXY 304 tristate "Transparent proxying support (EXPERIMENTAL)" 305 depends on EXPERIMENTAL 306 depends on IP_NF_MANGLE 307 depends on NETFILTER_ADVANCED 308 help 309 This option enables transparent proxying support, that is, 310 support for handling non-locally bound IPv4 TCP and UDP sockets. 311 For it to work you will have to configure certain iptables rules 312 and use policy routing. For more information on how to set it up 313 see Documentation/networking/tproxy.txt. 314 315 To compile it as a module, choose M here. If unsure, say N. 316 317config NETFILTER_XTABLES 318 tristate "Netfilter Xtables support (required for ip_tables)" 319 default m if NETFILTER_ADVANCED=n 320 help 321 This is required if you intend to use any of ip_tables, 322 ip6_tables or arp_tables. 323 324if NETFILTER_XTABLES 325 326comment "Xtables combined modules" 327 328config NETFILTER_XT_MARK 329 tristate 'nfmark target and match support' 330 default m if NETFILTER_ADVANCED=n 331 ---help--- 332 This option adds the "MARK" target and "mark" match. 333 334 Netfilter mark matching allows you to match packets based on the 335 "nfmark" value in the packet. 336 The target allows you to create rules in the "mangle" table which alter 337 the netfilter mark (nfmark) field associated with the packet. 338 339 Prior to routing, the nfmark can influence the routing method (see 340 "Use netfilter MARK value as routing key") and can also be used by 341 other subsystems to change their behavior. 342 343config NETFILTER_XT_CONNMARK 344 tristate 'ctmark target and match support' 345 depends on NF_CONNTRACK 346 depends on NETFILTER_ADVANCED 347 select NF_CONNTRACK_MARK 348 ---help--- 349 This option adds the "CONNMARK" target and "connmark" match. 350 351 Netfilter allows you to store a mark value per connection (a.k.a. 352 ctmark), similarly to the packet mark (nfmark). Using this 353 target and match, you can set and match on this mark. 354 355config NETFILTER_XT_SET 356 tristate 'set target and match support' 357 depends on IP_SET 358 depends on NETFILTER_ADVANCED 359 help 360 This option adds the "SET" target and "set" match. 361 362 Using this target and match, you can add/delete and match 363 elements in the sets created by ipset(8). 364 365 To compile it as a module, choose M here. If unsure, say N. 366 367# alphabetically ordered list of targets 368 369comment "Xtables targets" 370 371config NETFILTER_XT_TARGET_AUDIT 372 tristate "AUDIT target support" 373 depends on AUDIT 374 depends on NETFILTER_ADVANCED 375 ---help--- 376 This option adds a 'AUDIT' target, which can be used to create 377 audit records for packets dropped/accepted. 378 379 To compileit as a module, choose M here. If unsure, say N. 380 381config NETFILTER_XT_TARGET_CHECKSUM 382 tristate "CHECKSUM target support" 383 depends on IP_NF_MANGLE || IP6_NF_MANGLE 384 depends on NETFILTER_ADVANCED 385 ---help--- 386 This option adds a `CHECKSUM' target, which can be used in the iptables mangle 387 table. 388 389 You can use this target to compute and fill in the checksum in 390 a packet that lacks a checksum. This is particularly useful, 391 if you need to work around old applications such as dhcp clients, 392 that do not work well with checksum offloads, but don't want to disable 393 checksum offload in your device. 394 395 To compile it as a module, choose M here. If unsure, say N. 396 397config NETFILTER_XT_TARGET_CLASSIFY 398 tristate '"CLASSIFY" target support' 399 depends on NETFILTER_ADVANCED 400 help 401 This option adds a `CLASSIFY' target, which enables the user to set 402 the priority of a packet. Some qdiscs can use this value for 403 classification, among these are: 404 405 atm, cbq, dsmark, pfifo_fast, htb, prio 406 407 To compile it as a module, choose M here. If unsure, say N. 408 409config NETFILTER_XT_TARGET_CONNMARK 410 tristate '"CONNMARK" target support' 411 depends on NF_CONNTRACK 412 depends on NETFILTER_ADVANCED 413 select NETFILTER_XT_CONNMARK 414 ---help--- 415 This is a backwards-compat option for the user's convenience 416 (e.g. when running oldconfig). It selects 417 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module). 418 419config NETFILTER_XT_TARGET_CONNSECMARK 420 tristate '"CONNSECMARK" target support' 421 depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK 422 default m if NETFILTER_ADVANCED=n 423 help 424 The CONNSECMARK target copies security markings from packets 425 to connections, and restores security markings from connections 426 to packets (if the packets are not already marked). This would 427 normally be used in conjunction with the SECMARK target. 428 429 To compile it as a module, choose M here. If unsure, say N. 430 431config NETFILTER_XT_TARGET_CT 432 tristate '"CT" target support' 433 depends on NF_CONNTRACK 434 depends on IP_NF_RAW || IP6_NF_RAW 435 depends on NETFILTER_ADVANCED 436 help 437 This options adds a `CT' target, which allows to specify initial 438 connection tracking parameters like events to be delivered and 439 the helper to be used. 440 441 To compile it as a module, choose M here. If unsure, say N. 442 443config NETFILTER_XT_TARGET_DSCP 444 tristate '"DSCP" and "TOS" target support' 445 depends on IP_NF_MANGLE || IP6_NF_MANGLE 446 depends on NETFILTER_ADVANCED 447 help 448 This option adds a `DSCP' target, which allows you to manipulate 449 the IPv4/IPv6 header DSCP field (differentiated services codepoint). 450 451 The DSCP field can have any value between 0x0 and 0x3f inclusive. 452 453 It also adds the "TOS" target, which allows you to create rules in 454 the "mangle" table which alter the Type Of Service field of an IPv4 455 or the Priority field of an IPv6 packet, prior to routing. 456 457 To compile it as a module, choose M here. If unsure, say N. 458 459config NETFILTER_XT_TARGET_HL 460 tristate '"HL" hoplimit target support' 461 depends on IP_NF_MANGLE || IP6_NF_MANGLE 462 depends on NETFILTER_ADVANCED 463 ---help--- 464 This option adds the "HL" (for IPv6) and "TTL" (for IPv4) 465 targets, which enable the user to change the 466 hoplimit/time-to-live value of the IP header. 467 468 While it is safe to decrement the hoplimit/TTL value, the 469 modules also allow to increment and set the hoplimit value of 470 the header to arbitrary values. This is EXTREMELY DANGEROUS 471 since you can easily create immortal packets that loop 472 forever on the network. 473 474config NETFILTER_XT_TARGET_IDLETIMER 475 tristate "IDLETIMER target support" 476 depends on NETFILTER_ADVANCED 477 help 478 479 This option adds the `IDLETIMER' target. Each matching packet 480 resets the timer associated with label specified when the rule is 481 added. When the timer expires, it triggers a sysfs notification. 482 The remaining time for expiration can be read via sysfs. 483 484 To compile it as a module, choose M here. If unsure, say N. 485 486config NETFILTER_XT_TARGET_LED 487 tristate '"LED" target support' 488 depends on LEDS_CLASS && LEDS_TRIGGERS 489 depends on NETFILTER_ADVANCED 490 help 491 This option adds a `LED' target, which allows you to blink LEDs in 492 response to particular packets passing through your machine. 493 494 This can be used to turn a spare LED into a network activity LED, 495 which only flashes in response to FTP transfers, for example. Or 496 you could have an LED which lights up for a minute or two every time 497 somebody connects to your machine via SSH. 498 499 You will need support for the "led" class to make this work. 500 501 To create an LED trigger for incoming SSH traffic: 502 iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000 503 504 Then attach the new trigger to an LED on your system: 505 echo netfilter-ssh > /sys/class/leds/<ledname>/trigger 506 507 For more information on the LEDs available on your system, see 508 Documentation/leds-class.txt 509 510config NETFILTER_XT_TARGET_MARK 511 tristate '"MARK" target support' 512 depends on NETFILTER_ADVANCED 513 select NETFILTER_XT_MARK 514 ---help--- 515 This is a backwards-compat option for the user's convenience 516 (e.g. when running oldconfig). It selects 517 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module). 518 519config NETFILTER_XT_TARGET_NFLOG 520 tristate '"NFLOG" target support' 521 default m if NETFILTER_ADVANCED=n 522 select NETFILTER_NETLINK_LOG 523 help 524 This option enables the NFLOG target, which allows to LOG 525 messages through nfnetlink_log. 526 527 To compile it as a module, choose M here. If unsure, say N. 528 529config NETFILTER_XT_TARGET_NFQUEUE 530 tristate '"NFQUEUE" target Support' 531 depends on NETFILTER_ADVANCED 532 select NETFILTER_NETLINK_QUEUE 533 help 534 This target replaced the old obsolete QUEUE target. 535 536 As opposed to QUEUE, it supports 65535 different queues, 537 not just one. 538 539 To compile it as a module, choose M here. If unsure, say N. 540 541config NETFILTER_XT_TARGET_NOTRACK 542 tristate '"NOTRACK" target support' 543 depends on IP_NF_RAW || IP6_NF_RAW 544 depends on NF_CONNTRACK 545 depends on NETFILTER_ADVANCED 546 help 547 The NOTRACK target allows a select rule to specify 548 which packets *not* to enter the conntrack/NAT 549 subsystem with all the consequences (no ICMP error tracking, 550 no protocol helpers for the selected packets). 551 552 If you want to compile it as a module, say M here and read 553 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 554 555config NETFILTER_XT_TARGET_RATEEST 556 tristate '"RATEEST" target support' 557 depends on NETFILTER_ADVANCED 558 help 559 This option adds a `RATEEST' target, which allows to measure 560 rates similar to TC estimators. The `rateest' match can be 561 used to match on the measured rates. 562 563 To compile it as a module, choose M here. If unsure, say N. 564 565config NETFILTER_XT_TARGET_TEE 566 tristate '"TEE" - packet cloning to alternate destination' 567 depends on NETFILTER_ADVANCED 568 depends on (IPV6 || IPV6=n) 569 depends on !NF_CONNTRACK || NF_CONNTRACK 570 ---help--- 571 This option adds a "TEE" target with which a packet can be cloned and 572 this clone be rerouted to another nexthop. 573 574config NETFILTER_XT_TARGET_TPROXY 575 tristate '"TPROXY" target support (EXPERIMENTAL)' 576 depends on EXPERIMENTAL 577 depends on NETFILTER_TPROXY 578 depends on NETFILTER_XTABLES 579 depends on NETFILTER_ADVANCED 580 select NF_DEFRAG_IPV4 581 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES 582 help 583 This option adds a `TPROXY' target, which is somewhat similar to 584 REDIRECT. It can only be used in the mangle table and is useful 585 to redirect traffic to a transparent proxy. It does _not_ depend 586 on Netfilter connection tracking and NAT, unlike REDIRECT. 587 588 To compile it as a module, choose M here. If unsure, say N. 589 590config NETFILTER_XT_TARGET_TRACE 591 tristate '"TRACE" target support' 592 depends on IP_NF_RAW || IP6_NF_RAW 593 depends on NETFILTER_ADVANCED 594 help 595 The TRACE target allows you to mark packets so that the kernel 596 will log every rule which match the packets as those traverse 597 the tables, chains, rules. 598 599 If you want to compile it as a module, say M here and read 600 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 601 602config NETFILTER_XT_TARGET_SECMARK 603 tristate '"SECMARK" target support' 604 depends on NETWORK_SECMARK 605 default m if NETFILTER_ADVANCED=n 606 help 607 The SECMARK target allows security marking of network 608 packets, for use with security subsystems. 609 610 To compile it as a module, choose M here. If unsure, say N. 611 612config NETFILTER_XT_TARGET_TCPMSS 613 tristate '"TCPMSS" target support' 614 depends on (IPV6 || IPV6=n) 615 default m if NETFILTER_ADVANCED=n 616 ---help--- 617 This option adds a `TCPMSS' target, which allows you to alter the 618 MSS value of TCP SYN packets, to control the maximum size for that 619 connection (usually limiting it to your outgoing interface's MTU 620 minus 40). 621 622 This is used to overcome criminally braindead ISPs or servers which 623 block ICMP Fragmentation Needed packets. The symptoms of this 624 problem are that everything works fine from your Linux 625 firewall/router, but machines behind it can never exchange large 626 packets: 627 1) Web browsers connect, then hang with no data received. 628 2) Small mail works fine, but large emails hang. 629 3) ssh works fine, but scp hangs after initial handshaking. 630 631 Workaround: activate this option and add a rule to your firewall 632 configuration like: 633 634 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \ 635 -j TCPMSS --clamp-mss-to-pmtu 636 637 To compile it as a module, choose M here. If unsure, say N. 638 639config NETFILTER_XT_TARGET_TCPOPTSTRIP 640 tristate '"TCPOPTSTRIP" target support (EXPERIMENTAL)' 641 depends on EXPERIMENTAL 642 depends on IP_NF_MANGLE || IP6_NF_MANGLE 643 depends on NETFILTER_ADVANCED 644 help 645 This option adds a "TCPOPTSTRIP" target, which allows you to strip 646 TCP options from TCP packets. 647 648# alphabetically ordered list of matches 649 650comment "Xtables matches" 651 652config NETFILTER_XT_MATCH_ADDRTYPE 653 tristate '"addrtype" address type match support' 654 depends on NETFILTER_ADVANCED 655 ---help--- 656 This option allows you to match what routing thinks of an address, 657 eg. UNICAST, LOCAL, BROADCAST, ... 658 659 If you want to compile it as a module, say M here and read 660 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 661 662config NETFILTER_XT_MATCH_CLUSTER 663 tristate '"cluster" match support' 664 depends on NF_CONNTRACK 665 depends on NETFILTER_ADVANCED 666 ---help--- 667 This option allows you to build work-load-sharing clusters of 668 network servers/stateful firewalls without having a dedicated 669 load-balancing router/server/switch. Basically, this match returns 670 true when the packet must be handled by this cluster node. Thus, 671 all nodes see all packets and this match decides which node handles 672 what packets. The work-load sharing algorithm is based on source 673 address hashing. 674 675 If you say Y or M here, try `iptables -m cluster --help` for 676 more information. 677 678config NETFILTER_XT_MATCH_COMMENT 679 tristate '"comment" match support' 680 depends on NETFILTER_ADVANCED 681 help 682 This option adds a `comment' dummy-match, which allows you to put 683 comments in your iptables ruleset. 684 685 If you want to compile it as a module, say M here and read 686 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 687 688config NETFILTER_XT_MATCH_CONNBYTES 689 tristate '"connbytes" per-connection counter match support' 690 depends on NF_CONNTRACK 691 depends on NETFILTER_ADVANCED 692 help 693 This option adds a `connbytes' match, which allows you to match the 694 number of bytes and/or packets for each direction within a connection. 695 696 If you want to compile it as a module, say M here and read 697 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 698 699config NETFILTER_XT_MATCH_CONNLIMIT 700 tristate '"connlimit" match support"' 701 depends on NF_CONNTRACK 702 depends on NETFILTER_ADVANCED 703 ---help--- 704 This match allows you to match against the number of parallel 705 connections to a server per client IP address (or address block). 706 707config NETFILTER_XT_MATCH_CONNMARK 708 tristate '"connmark" connection mark match support' 709 depends on NF_CONNTRACK 710 depends on NETFILTER_ADVANCED 711 select NETFILTER_XT_CONNMARK 712 ---help--- 713 This is a backwards-compat option for the user's convenience 714 (e.g. when running oldconfig). It selects 715 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module). 716 717config NETFILTER_XT_MATCH_CONNTRACK 718 tristate '"conntrack" connection tracking match support' 719 depends on NF_CONNTRACK 720 default m if NETFILTER_ADVANCED=n 721 help 722 This is a general conntrack match module, a superset of the state match. 723 724 It allows matching on additional conntrack information, which is 725 useful in complex configurations, such as NAT gateways with multiple 726 internet links or tunnels. 727 728 To compile it as a module, choose M here. If unsure, say N. 729 730config NETFILTER_XT_MATCH_CPU 731 tristate '"cpu" match support' 732 depends on NETFILTER_ADVANCED 733 help 734 CPU matching allows you to match packets based on the CPU 735 currently handling the packet. 736 737 To compile it as a module, choose M here. If unsure, say N. 738 739config NETFILTER_XT_MATCH_DCCP 740 tristate '"dccp" protocol match support' 741 depends on NETFILTER_ADVANCED 742 default IP_DCCP 743 help 744 With this option enabled, you will be able to use the iptables 745 `dccp' match in order to match on DCCP source/destination ports 746 and DCCP flags. 747 748 If you want to compile it as a module, say M here and read 749 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 750 751config NETFILTER_XT_MATCH_DEVGROUP 752 tristate '"devgroup" match support' 753 depends on NETFILTER_ADVANCED 754 help 755 This options adds a `devgroup' match, which allows to match on the 756 device group a network device is assigned to. 757 758 To compile it as a module, choose M here. If unsure, say N. 759 760config NETFILTER_XT_MATCH_DSCP 761 tristate '"dscp" and "tos" match support' 762 depends on NETFILTER_ADVANCED 763 help 764 This option adds a `DSCP' match, which allows you to match against 765 the IPv4/IPv6 header DSCP field (differentiated services codepoint). 766 767 The DSCP field can have any value between 0x0 and 0x3f inclusive. 768 769 It will also add a "tos" match, which allows you to match packets 770 based on the Type Of Service fields of the IPv4 packet (which share 771 the same bits as DSCP). 772 773 To compile it as a module, choose M here. If unsure, say N. 774 775config NETFILTER_XT_MATCH_ESP 776 tristate '"esp" match support' 777 depends on NETFILTER_ADVANCED 778 help 779 This match extension allows you to match a range of SPIs 780 inside ESP header of IPSec packets. 781 782 To compile it as a module, choose M here. If unsure, say N. 783 784config NETFILTER_XT_MATCH_HASHLIMIT 785 tristate '"hashlimit" match support' 786 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n) 787 depends on NETFILTER_ADVANCED 788 help 789 This option adds a `hashlimit' match. 790 791 As opposed to `limit', this match dynamically creates a hash table 792 of limit buckets, based on your selection of source/destination 793 addresses and/or ports. 794 795 It enables you to express policies like `10kpps for any given 796 destination address' or `500pps from any given source address' 797 with a single rule. 798 799config NETFILTER_XT_MATCH_HELPER 800 tristate '"helper" match support' 801 depends on NF_CONNTRACK 802 depends on NETFILTER_ADVANCED 803 help 804 Helper matching allows you to match packets in dynamic connections 805 tracked by a conntrack-helper, ie. ip_conntrack_ftp 806 807 To compile it as a module, choose M here. If unsure, say Y. 808 809config NETFILTER_XT_MATCH_HL 810 tristate '"hl" hoplimit/TTL match support' 811 depends on NETFILTER_ADVANCED 812 ---help--- 813 HL matching allows you to match packets based on the hoplimit 814 in the IPv6 header, or the time-to-live field in the IPv4 815 header of the packet. 816 817config NETFILTER_XT_MATCH_IPRANGE 818 tristate '"iprange" address range match support' 819 depends on NETFILTER_ADVANCED 820 ---help--- 821 This option adds a "iprange" match, which allows you to match based on 822 an IP address range. (Normal iptables only matches on single addresses 823 with an optional mask.) 824 825 If unsure, say M. 826 827config NETFILTER_XT_MATCH_IPVS 828 tristate '"ipvs" match support' 829 depends on IP_VS 830 depends on NETFILTER_ADVANCED 831 depends on NF_CONNTRACK 832 help 833 This option allows you to match against IPVS properties of a packet. 834 835 If unsure, say N. 836 837config NETFILTER_XT_MATCH_LENGTH 838 tristate '"length" match support' 839 depends on NETFILTER_ADVANCED 840 help 841 This option allows you to match the length of a packet against a 842 specific value or range of values. 843 844 To compile it as a module, choose M here. If unsure, say N. 845 846config NETFILTER_XT_MATCH_LIMIT 847 tristate '"limit" match support' 848 depends on NETFILTER_ADVANCED 849 help 850 limit matching allows you to control the rate at which a rule can be 851 matched: mainly useful in combination with the LOG target ("LOG 852 target support", below) and to avoid some Denial of Service attacks. 853 854 To compile it as a module, choose M here. If unsure, say N. 855 856config NETFILTER_XT_MATCH_MAC 857 tristate '"mac" address match support' 858 depends on NETFILTER_ADVANCED 859 help 860 MAC matching allows you to match packets based on the source 861 Ethernet address of the packet. 862 863 To compile it as a module, choose M here. If unsure, say N. 864 865config NETFILTER_XT_MATCH_MARK 866 tristate '"mark" match support' 867 depends on NETFILTER_ADVANCED 868 select NETFILTER_XT_MARK 869 ---help--- 870 This is a backwards-compat option for the user's convenience 871 (e.g. when running oldconfig). It selects 872 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module). 873 874config NETFILTER_XT_MATCH_MULTIPORT 875 tristate '"multiport" Multiple port match support' 876 depends on NETFILTER_ADVANCED 877 help 878 Multiport matching allows you to match TCP or UDP packets based on 879 a series of source or destination ports: normally a rule can only 880 match a single range of ports. 881 882 To compile it as a module, choose M here. If unsure, say N. 883 884config NETFILTER_XT_MATCH_OSF 885 tristate '"osf" Passive OS fingerprint match' 886 depends on NETFILTER_ADVANCED && NETFILTER_NETLINK 887 help 888 This option selects the Passive OS Fingerprinting match module 889 that allows to passively match the remote operating system by 890 analyzing incoming TCP SYN packets. 891 892 Rules and loading software can be downloaded from 893 http://www.ioremap.net/projects/osf 894 895 To compile it as a module, choose M here. If unsure, say N. 896 897config NETFILTER_XT_MATCH_OWNER 898 tristate '"owner" match support' 899 depends on NETFILTER_ADVANCED 900 ---help--- 901 Socket owner matching allows you to match locally-generated packets 902 based on who created the socket: the user or group. It is also 903 possible to check whether a socket actually exists. 904 905config NETFILTER_XT_MATCH_POLICY 906 tristate 'IPsec "policy" match support' 907 depends on XFRM 908 default m if NETFILTER_ADVANCED=n 909 help 910 Policy matching allows you to match packets based on the 911 IPsec policy that was used during decapsulation/will 912 be used during encapsulation. 913 914 To compile it as a module, choose M here. If unsure, say N. 915 916config NETFILTER_XT_MATCH_PHYSDEV 917 tristate '"physdev" match support' 918 depends on BRIDGE && BRIDGE_NETFILTER 919 depends on NETFILTER_ADVANCED 920 help 921 Physdev packet matching matches against the physical bridge ports 922 the IP packet arrived on or will leave by. 923 924 To compile it as a module, choose M here. If unsure, say N. 925 926config NETFILTER_XT_MATCH_PKTTYPE 927 tristate '"pkttype" packet type match support' 928 depends on NETFILTER_ADVANCED 929 help 930 Packet type matching allows you to match a packet by 931 its "class", eg. BROADCAST, MULTICAST, ... 932 933 Typical usage: 934 iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG 935 936 To compile it as a module, choose M here. If unsure, say N. 937 938config NETFILTER_XT_MATCH_QUOTA 939 tristate '"quota" match support' 940 depends on NETFILTER_ADVANCED 941 help 942 This option adds a `quota' match, which allows to match on a 943 byte counter. 944 945 If you want to compile it as a module, say M here and read 946 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 947 948config NETFILTER_XT_MATCH_RATEEST 949 tristate '"rateest" match support' 950 depends on NETFILTER_ADVANCED 951 select NETFILTER_XT_TARGET_RATEEST 952 help 953 This option adds a `rateest' match, which allows to match on the 954 rate estimated by the RATEEST target. 955 956 To compile it as a module, choose M here. If unsure, say N. 957 958config NETFILTER_XT_MATCH_REALM 959 tristate '"realm" match support' 960 depends on NETFILTER_ADVANCED 961 select IP_ROUTE_CLASSID 962 help 963 This option adds a `realm' match, which allows you to use the realm 964 key from the routing subsystem inside iptables. 965 966 This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option 967 in tc world. 968 969 If you want to compile it as a module, say M here and read 970 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 971 972config NETFILTER_XT_MATCH_RECENT 973 tristate '"recent" match support' 974 depends on NETFILTER_ADVANCED 975 ---help--- 976 This match is used for creating one or many lists of recently 977 used addresses and then matching against that/those list(s). 978 979 Short options are available by using 'iptables -m recent -h' 980 Official Website: <http://snowman.net/projects/ipt_recent/> 981 982config NETFILTER_XT_MATCH_SCTP 983 tristate '"sctp" protocol match support (EXPERIMENTAL)' 984 depends on EXPERIMENTAL 985 depends on NETFILTER_ADVANCED 986 default IP_SCTP 987 help 988 With this option enabled, you will be able to use the 989 `sctp' match in order to match on SCTP source/destination ports 990 and SCTP chunk types. 991 992 If you want to compile it as a module, say M here and read 993 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 994 995config NETFILTER_XT_MATCH_SOCKET 996 tristate '"socket" match support (EXPERIMENTAL)' 997 depends on EXPERIMENTAL 998 depends on NETFILTER_TPROXY 999 depends on NETFILTER_XTABLES 1000 depends on NETFILTER_ADVANCED 1001 depends on !NF_CONNTRACK || NF_CONNTRACK 1002 select NF_DEFRAG_IPV4 1003 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES 1004 help 1005 This option adds a `socket' match, which can be used to match 1006 packets for which a TCP or UDP socket lookup finds a valid socket. 1007 It can be used in combination with the MARK target and policy 1008 routing to implement full featured non-locally bound sockets. 1009 1010 To compile it as a module, choose M here. If unsure, say N. 1011 1012config NETFILTER_XT_MATCH_STATE 1013 tristate '"state" match support' 1014 depends on NF_CONNTRACK 1015 default m if NETFILTER_ADVANCED=n 1016 help 1017 Connection state matching allows you to match packets based on their 1018 relationship to a tracked connection (ie. previous packets). This 1019 is a powerful tool for packet classification. 1020 1021 To compile it as a module, choose M here. If unsure, say N. 1022 1023config NETFILTER_XT_MATCH_STATISTIC 1024 tristate '"statistic" match support' 1025 depends on NETFILTER_ADVANCED 1026 help 1027 This option adds a `statistic' match, which allows you to match 1028 on packets periodically or randomly with a given percentage. 1029 1030 To compile it as a module, choose M here. If unsure, say N. 1031 1032config NETFILTER_XT_MATCH_STRING 1033 tristate '"string" match support' 1034 depends on NETFILTER_ADVANCED 1035 select TEXTSEARCH 1036 select TEXTSEARCH_KMP 1037 select TEXTSEARCH_BM 1038 select TEXTSEARCH_FSM 1039 help 1040 This option adds a `string' match, which allows you to look for 1041 pattern matchings in packets. 1042 1043 To compile it as a module, choose M here. If unsure, say N. 1044 1045config NETFILTER_XT_MATCH_TCPMSS 1046 tristate '"tcpmss" match support' 1047 depends on NETFILTER_ADVANCED 1048 help 1049 This option adds a `tcpmss' match, which allows you to examine the 1050 MSS value of TCP SYN packets, which control the maximum packet size 1051 for that connection. 1052 1053 To compile it as a module, choose M here. If unsure, say N. 1054 1055config NETFILTER_XT_MATCH_TIME 1056 tristate '"time" match support' 1057 depends on NETFILTER_ADVANCED 1058 ---help--- 1059 This option adds a "time" match, which allows you to match based on 1060 the packet arrival time (at the machine which netfilter is running) 1061 on) or departure time/date (for locally generated packets). 1062 1063 If you say Y here, try `iptables -m time --help` for 1064 more information. 1065 1066 If you want to compile it as a module, say M here. 1067 If unsure, say N. 1068 1069config NETFILTER_XT_MATCH_U32 1070 tristate '"u32" match support' 1071 depends on NETFILTER_ADVANCED 1072 ---help--- 1073 u32 allows you to extract quantities of up to 4 bytes from a packet, 1074 AND them with specified masks, shift them by specified amounts and 1075 test whether the results are in any of a set of specified ranges. 1076 The specification of what to extract is general enough to skip over 1077 headers with lengths stored in the packet, as in IP or TCP header 1078 lengths. 1079 1080 Details and examples are in the kernel module source. 1081 1082endif # NETFILTER_XTABLES 1083 1084endmenu 1085 1086source "net/netfilter/ipset/Kconfig" 1087 1088source "net/netfilter/ipvs/Kconfig" 1089