Version:  2.0.40 2.2.26 2.4.37 3.8 3.9 3.10 3.11 3.12 3.13 3.14 3.15 3.16 3.17 3.18 3.19 4.0 4.1 4.2 4.3 4.4

Linux/net/netfilter/Kconfig

  1 menu "Core Netfilter Configuration"
  2         depends on NET && INET && NETFILTER
  3 
  4 config NETFILTER_INGRESS
  5         bool "Netfilter ingress support"
  6         default y
  7         select NET_INGRESS
  8         help
  9           This allows you to classify packets from ingress using the Netfilter
 10           infrastructure.
 11 
 12 config NETFILTER_NETLINK
 13         tristate
 14 
 15 config NETFILTER_NETLINK_ACCT
 16 tristate "Netfilter NFACCT over NFNETLINK interface"
 17         depends on NETFILTER_ADVANCED
 18         select NETFILTER_NETLINK
 19         help
 20           If this option is enabled, the kernel will include support
 21           for extended accounting via NFNETLINK.
 22 
 23 config NETFILTER_NETLINK_QUEUE
 24         tristate "Netfilter NFQUEUE over NFNETLINK interface"
 25         depends on NETFILTER_ADVANCED
 26         select NETFILTER_NETLINK
 27         help
 28           If this option is enabled, the kernel will include support
 29           for queueing packets via NFNETLINK.
 30           
 31 config NETFILTER_NETLINK_LOG
 32         tristate "Netfilter LOG over NFNETLINK interface"
 33         default m if NETFILTER_ADVANCED=n
 34         select NETFILTER_NETLINK
 35         help
 36           If this option is enabled, the kernel will include support
 37           for logging packets via NFNETLINK.
 38 
 39           This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms,
 40           and is also scheduled to replace the old syslog-based ipt_LOG
 41           and ip6t_LOG modules.
 42 
 43 config NF_CONNTRACK
 44         tristate "Netfilter connection tracking support"
 45         default m if NETFILTER_ADVANCED=n
 46         help
 47           Connection tracking keeps a record of what packets have passed
 48           through your machine, in order to figure out how they are related
 49           into connections.
 50 
 51           This is required to do Masquerading or other kinds of Network
 52           Address Translation.  It can also be used to enhance packet
 53           filtering (see `Connection state match support' below).
 54 
 55           To compile it as a module, choose M here.  If unsure, say N.
 56 
 57 config NF_LOG_COMMON
 58         tristate
 59 
 60 if NF_CONNTRACK
 61 
 62 config NF_CONNTRACK_MARK
 63         bool  'Connection mark tracking support'
 64         depends on NETFILTER_ADVANCED
 65         help
 66           This option enables support for connection marks, used by the
 67           `CONNMARK' target and `connmark' match. Similar to the mark value
 68           of packets, but this mark value is kept in the conntrack session
 69           instead of the individual packets.
 70 
 71 config NF_CONNTRACK_SECMARK
 72         bool  'Connection tracking security mark support'
 73         depends on NETWORK_SECMARK
 74         default m if NETFILTER_ADVANCED=n
 75         help
 76           This option enables security markings to be applied to
 77           connections.  Typically they are copied to connections from
 78           packets using the CONNSECMARK target and copied back from
 79           connections to packets with the same target, with the packets
 80           being originally labeled via SECMARK.
 81 
 82           If unsure, say 'N'.
 83 
 84 config NF_CONNTRACK_ZONES
 85         bool  'Connection tracking zones'
 86         depends on NETFILTER_ADVANCED
 87         depends on NETFILTER_XT_TARGET_CT
 88         help
 89           This option enables support for connection tracking zones.
 90           Normally, each connection needs to have a unique system wide
 91           identity. Connection tracking zones allow to have multiple
 92           connections using the same identity, as long as they are
 93           contained in different zones.
 94 
 95           If unsure, say `N'.
 96 
 97 config NF_CONNTRACK_PROCFS
 98         bool "Supply CT list in procfs (OBSOLETE)"
 99         default y
100         depends on PROC_FS
101         ---help---
102         This option enables for the list of known conntrack entries
103         to be shown in procfs under net/netfilter/nf_conntrack. This
104         is considered obsolete in favor of using the conntrack(8)
105         tool which uses Netlink.
106 
107 config NF_CONNTRACK_EVENTS
108         bool "Connection tracking events"
109         depends on NETFILTER_ADVANCED
110         help
111           If this option is enabled, the connection tracking code will
112           provide a notifier chain that can be used by other kernel code
113           to get notified about changes in the connection tracking state.
114 
115           If unsure, say `N'.
116 
117 config NF_CONNTRACK_TIMEOUT
118         bool  'Connection tracking timeout'
119         depends on NETFILTER_ADVANCED
120         help
121           This option enables support for connection tracking timeout
122           extension. This allows you to attach timeout policies to flow
123           via the CT target.
124 
125           If unsure, say `N'.
126 
127 config NF_CONNTRACK_TIMESTAMP
128         bool  'Connection tracking timestamping'
129         depends on NETFILTER_ADVANCED
130         help
131           This option enables support for connection tracking timestamping.
132           This allows you to store the flow start-time and to obtain
133           the flow-stop time (once it has been destroyed) via Connection
134           tracking events.
135 
136           If unsure, say `N'.
137 
138 config NF_CONNTRACK_LABELS
139         bool
140         help
141           This option enables support for assigning user-defined flag bits
142           to connection tracking entries.  It selected by the connlabel match.
143 
144 config NF_CT_PROTO_DCCP
145         tristate 'DCCP protocol connection tracking support'
146         depends on NETFILTER_ADVANCED
147         default IP_DCCP
148         help
149           With this option enabled, the layer 3 independent connection
150           tracking code will be able to do state tracking on DCCP connections.
151 
152           If unsure, say 'N'.
153 
154 config NF_CT_PROTO_GRE
155         tristate
156 
157 config NF_CT_PROTO_SCTP
158         tristate 'SCTP protocol connection tracking support'
159         depends on NETFILTER_ADVANCED
160         default IP_SCTP
161         help
162           With this option enabled, the layer 3 independent connection
163           tracking code will be able to do state tracking on SCTP connections.
164 
165           If you want to compile it as a module, say M here and read
166           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
167 
168 config NF_CT_PROTO_UDPLITE
169         tristate 'UDP-Lite protocol connection tracking support'
170         depends on NETFILTER_ADVANCED
171         help
172           With this option enabled, the layer 3 independent connection
173           tracking code will be able to do state tracking on UDP-Lite
174           connections.
175 
176           To compile it as a module, choose M here.  If unsure, say N.
177 
178 config NF_CONNTRACK_AMANDA
179         tristate "Amanda backup protocol support"
180         depends on NETFILTER_ADVANCED
181         select TEXTSEARCH
182         select TEXTSEARCH_KMP
183         help
184           If you are running the Amanda backup package <http://www.amanda.org/>
185           on this machine or machines that will be MASQUERADED through this
186           machine, then you may want to enable this feature.  This allows the
187           connection tracking and natting code to allow the sub-channels that
188           Amanda requires for communication of the backup data, messages and
189           index.
190 
191           To compile it as a module, choose M here.  If unsure, say N.
192 
193 config NF_CONNTRACK_FTP
194         tristate "FTP protocol support"
195         default m if NETFILTER_ADVANCED=n
196         help
197           Tracking FTP connections is problematic: special helpers are
198           required for tracking them, and doing masquerading and other forms
199           of Network Address Translation on them.
200 
201           This is FTP support on Layer 3 independent connection tracking.
202           Layer 3 independent connection tracking is experimental scheme
203           which generalize ip_conntrack to support other layer 3 protocols.
204 
205           To compile it as a module, choose M here.  If unsure, say N.
206 
207 config NF_CONNTRACK_H323
208         tristate "H.323 protocol support"
209         depends on IPV6 || IPV6=n
210         depends on NETFILTER_ADVANCED
211         help
212           H.323 is a VoIP signalling protocol from ITU-T. As one of the most
213           important VoIP protocols, it is widely used by voice hardware and
214           software including voice gateways, IP phones, Netmeeting, OpenPhone,
215           Gnomemeeting, etc.
216 
217           With this module you can support H.323 on a connection tracking/NAT
218           firewall.
219 
220           This module supports RAS, Fast Start, H.245 Tunnelling, Call
221           Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
222           whiteboard, file transfer, etc. For more information, please
223           visit http://nath323.sourceforge.net/.
224 
225           To compile it as a module, choose M here.  If unsure, say N.
226 
227 config NF_CONNTRACK_IRC
228         tristate "IRC protocol support"
229         default m if NETFILTER_ADVANCED=n
230         help
231           There is a commonly-used extension to IRC called
232           Direct Client-to-Client Protocol (DCC).  This enables users to send
233           files to each other, and also chat to each other without the need
234           of a server.  DCC Sending is used anywhere you send files over IRC,
235           and DCC Chat is most commonly used by Eggdrop bots.  If you are
236           using NAT, this extension will enable you to send files and initiate
237           chats.  Note that you do NOT need this extension to get files or
238           have others initiate chats, or everything else in IRC.
239 
240           To compile it as a module, choose M here.  If unsure, say N.
241 
242 config NF_CONNTRACK_BROADCAST
243         tristate
244 
245 config NF_CONNTRACK_NETBIOS_NS
246         tristate "NetBIOS name service protocol support"
247         select NF_CONNTRACK_BROADCAST
248         help
249           NetBIOS name service requests are sent as broadcast messages from an
250           unprivileged port and responded to with unicast messages to the
251           same port. This make them hard to firewall properly because connection
252           tracking doesn't deal with broadcasts. This helper tracks locally
253           originating NetBIOS name service requests and the corresponding
254           responses. It relies on correct IP address configuration, specifically
255           netmask and broadcast address. When properly configured, the output
256           of "ip address show" should look similar to this:
257 
258           $ ip -4 address show eth0
259           4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
260               inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
261 
262           To compile it as a module, choose M here.  If unsure, say N.
263 
264 config NF_CONNTRACK_SNMP
265         tristate "SNMP service protocol support"
266         depends on NETFILTER_ADVANCED
267         select NF_CONNTRACK_BROADCAST
268         help
269           SNMP service requests are sent as broadcast messages from an
270           unprivileged port and responded to with unicast messages to the
271           same port. This make them hard to firewall properly because connection
272           tracking doesn't deal with broadcasts. This helper tracks locally
273           originating SNMP service requests and the corresponding
274           responses. It relies on correct IP address configuration, specifically
275           netmask and broadcast address.
276 
277           To compile it as a module, choose M here.  If unsure, say N.
278 
279 config NF_CONNTRACK_PPTP
280         tristate "PPtP protocol support"
281         depends on NETFILTER_ADVANCED
282         select NF_CT_PROTO_GRE
283         help
284           This module adds support for PPTP (Point to Point Tunnelling
285           Protocol, RFC2637) connection tracking and NAT.
286 
287           If you are running PPTP sessions over a stateful firewall or NAT
288           box, you may want to enable this feature.
289 
290           Please note that not all PPTP modes of operation are supported yet.
291           Specifically these limitations exist:
292             - Blindly assumes that control connections are always established
293               in PNS->PAC direction. This is a violation of RFC2637.
294             - Only supports a single call within each session
295 
296           To compile it as a module, choose M here.  If unsure, say N.
297 
298 config NF_CONNTRACK_SANE
299         tristate "SANE protocol support"
300         depends on NETFILTER_ADVANCED
301         help
302           SANE is a protocol for remote access to scanners as implemented
303           by the 'saned' daemon. Like FTP, it uses separate control and
304           data connections.
305 
306           With this module you can support SANE on a connection tracking
307           firewall.
308 
309           To compile it as a module, choose M here.  If unsure, say N.
310 
311 config NF_CONNTRACK_SIP
312         tristate "SIP protocol support"
313         default m if NETFILTER_ADVANCED=n
314         help
315           SIP is an application-layer control protocol that can establish,
316           modify, and terminate multimedia sessions (conferences) such as
317           Internet telephony calls. With the ip_conntrack_sip and
318           the nf_nat_sip modules you can support the protocol on a connection
319           tracking/NATing firewall.
320 
321           To compile it as a module, choose M here.  If unsure, say N.
322 
323 config NF_CONNTRACK_TFTP
324         tristate "TFTP protocol support"
325         depends on NETFILTER_ADVANCED
326         help
327           TFTP connection tracking helper, this is required depending
328           on how restrictive your ruleset is.
329           If you are using a tftp client behind -j SNAT or -j MASQUERADING
330           you will need this.
331 
332           To compile it as a module, choose M here.  If unsure, say N.
333 
334 config NF_CT_NETLINK
335         tristate 'Connection tracking netlink interface'
336         select NETFILTER_NETLINK
337         default m if NETFILTER_ADVANCED=n
338         help
339           This option enables support for a netlink-based userspace interface
340 
341 config NF_CT_NETLINK_TIMEOUT
342         tristate  'Connection tracking timeout tuning via Netlink'
343         select NETFILTER_NETLINK
344         depends on NETFILTER_ADVANCED
345         help
346           This option enables support for connection tracking timeout
347           fine-grain tuning. This allows you to attach specific timeout
348           policies to flows, instead of using the global timeout policy.
349 
350           If unsure, say `N'.
351 
352 config NF_CT_NETLINK_HELPER
353         tristate 'Connection tracking helpers in user-space via Netlink'
354         select NETFILTER_NETLINK
355         depends on NF_CT_NETLINK
356         depends on NETFILTER_NETLINK_QUEUE
357         depends on NETFILTER_NETLINK_GLUE_CT
358         depends on NETFILTER_ADVANCED
359         help
360           This option enables the user-space connection tracking helpers
361           infrastructure.
362 
363           If unsure, say `N'.
364 
365 config NETFILTER_NETLINK_GLUE_CT
366         bool "NFQUEUE and NFLOG integration with Connection Tracking"
367         default n
368         depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
369         help
370           If this option is enabled, NFQUEUE and NFLOG can include
371           Connection Tracking information together with the packet is
372           the enqueued via NFNETLINK.
373 
374 config NF_NAT
375         tristate
376 
377 config NF_NAT_NEEDED
378         bool
379         depends on NF_NAT
380         default y
381 
382 config NF_NAT_PROTO_DCCP
383         tristate
384         depends on NF_NAT && NF_CT_PROTO_DCCP
385         default NF_NAT && NF_CT_PROTO_DCCP
386 
387 config NF_NAT_PROTO_UDPLITE
388         tristate
389         depends on NF_NAT && NF_CT_PROTO_UDPLITE
390         default NF_NAT && NF_CT_PROTO_UDPLITE
391 
392 config NF_NAT_PROTO_SCTP
393         tristate
394         default NF_NAT && NF_CT_PROTO_SCTP
395         depends on NF_NAT && NF_CT_PROTO_SCTP
396         select LIBCRC32C
397 
398 config NF_NAT_AMANDA
399         tristate
400         depends on NF_CONNTRACK && NF_NAT
401         default NF_NAT && NF_CONNTRACK_AMANDA
402 
403 config NF_NAT_FTP
404         tristate
405         depends on NF_CONNTRACK && NF_NAT
406         default NF_NAT && NF_CONNTRACK_FTP
407 
408 config NF_NAT_IRC
409         tristate
410         depends on NF_CONNTRACK && NF_NAT
411         default NF_NAT && NF_CONNTRACK_IRC
412 
413 config NF_NAT_SIP
414         tristate
415         depends on NF_CONNTRACK && NF_NAT
416         default NF_NAT && NF_CONNTRACK_SIP
417 
418 config NF_NAT_TFTP
419         tristate
420         depends on NF_CONNTRACK && NF_NAT
421         default NF_NAT && NF_CONNTRACK_TFTP
422 
423 config NF_NAT_REDIRECT
424         tristate "IPv4/IPv6 redirect support"
425         depends on NF_NAT
426         help
427           This is the kernel functionality to redirect packets to local
428           machine through NAT.
429 
430 config NETFILTER_SYNPROXY
431         tristate
432 
433 endif # NF_CONNTRACK
434 
435 config NF_TABLES
436         select NETFILTER_NETLINK
437         tristate "Netfilter nf_tables support"
438         help
439           nftables is the new packet classification framework that intends to
440           replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
441           provides a pseudo-state machine with an extensible instruction-set
442           (also known as expressions) that the userspace 'nft' utility
443           (http://www.netfilter.org/projects/nftables) uses to build the
444           rule-set. It also comes with the generic set infrastructure that
445           allows you to construct mappings between matchings and actions
446           for performance lookups.
447 
448           To compile it as a module, choose M here.
449 
450 if NF_TABLES
451 
452 config NF_TABLES_INET
453         depends on IPV6
454         select NF_TABLES_IPV4
455         select NF_TABLES_IPV6
456         tristate "Netfilter nf_tables mixed IPv4/IPv6 tables support"
457         help
458           This option enables support for a mixed IPv4/IPv6 "inet" table.
459 
460 config NF_TABLES_NETDEV
461         tristate "Netfilter nf_tables netdev tables support"
462         help
463           This option enables support for the "netdev" table.
464 
465 config NFT_EXTHDR
466         tristate "Netfilter nf_tables IPv6 exthdr module"
467         help
468           This option adds the "exthdr" expression that you can use to match
469           IPv6 extension headers.
470 
471 config NFT_META
472         tristate "Netfilter nf_tables meta module"
473         help
474           This option adds the "meta" expression that you can use to match and
475           to set packet metainformation such as the packet mark.
476 
477 config NFT_CT
478         depends on NF_CONNTRACK
479         tristate "Netfilter nf_tables conntrack module"
480         help
481           This option adds the "meta" expression that you can use to match
482           connection tracking information such as the flow state.
483 
484 config NFT_RBTREE
485         tristate "Netfilter nf_tables rbtree set module"
486         help
487           This option adds the "rbtree" set type (Red Black tree) that is used
488           to build interval-based sets.
489 
490 config NFT_HASH
491         tristate "Netfilter nf_tables hash set module"
492         help
493           This option adds the "hash" set type that is used to build one-way
494           mappings between matchings and actions.
495 
496 config NFT_COUNTER
497         tristate "Netfilter nf_tables counter module"
498         help
499           This option adds the "counter" expression that you can use to
500           include packet and byte counters in a rule.
501 
502 config NFT_LOG
503         tristate "Netfilter nf_tables log module"
504         help
505           This option adds the "log" expression that you can use to log
506           packets matching some criteria.
507 
508 config NFT_LIMIT
509         tristate "Netfilter nf_tables limit module"
510         help
511           This option adds the "limit" expression that you can use to
512           ratelimit rule matchings.
513 
514 config NFT_MASQ
515         depends on NF_CONNTRACK
516         depends on NF_NAT
517         tristate "Netfilter nf_tables masquerade support"
518         help
519           This option adds the "masquerade" expression that you can use
520           to perform NAT in the masquerade flavour.
521 
522 config NFT_REDIR
523         depends on NF_CONNTRACK
524         depends on NF_NAT
525         tristate "Netfilter nf_tables redirect support"
526         help
527           This options adds the "redirect" expression that you can use
528           to perform NAT in the redirect flavour.
529 
530 config NFT_NAT
531         depends on NF_CONNTRACK
532         select NF_NAT
533         tristate "Netfilter nf_tables nat module"
534         help
535           This option adds the "nat" expression that you can use to perform
536           typical Network Address Translation (NAT) packet transformations.
537 
538 config NFT_QUEUE
539         depends on NETFILTER_NETLINK_QUEUE
540         tristate "Netfilter nf_tables queue module"
541         help
542           This is required if you intend to use the userspace queueing
543           infrastructure (also known as NFQUEUE) from nftables.
544 
545 config NFT_REJECT
546         default m if NETFILTER_ADVANCED=n
547         tristate "Netfilter nf_tables reject support"
548         help
549           This option adds the "reject" expression that you can use to
550           explicitly deny and notify via TCP reset/ICMP informational errors
551           unallowed traffic.
552 
553 config NFT_REJECT_INET
554         depends on NF_TABLES_INET
555         default NFT_REJECT
556         tristate
557 
558 config NFT_COMPAT
559         depends on NETFILTER_XTABLES
560         tristate "Netfilter x_tables over nf_tables module"
561         help
562           This is required if you intend to use any of existing
563           x_tables match/target extensions over the nf_tables
564           framework.
565 
566 endif # NF_TABLES
567 
568 config NETFILTER_XTABLES
569         tristate "Netfilter Xtables support (required for ip_tables)"
570         default m if NETFILTER_ADVANCED=n
571         help
572           This is required if you intend to use any of ip_tables,
573           ip6_tables or arp_tables.
574 
575 if NETFILTER_XTABLES
576 
577 comment "Xtables combined modules"
578 
579 config NETFILTER_XT_MARK
580         tristate 'nfmark target and match support'
581         default m if NETFILTER_ADVANCED=n
582         ---help---
583         This option adds the "MARK" target and "mark" match.
584 
585         Netfilter mark matching allows you to match packets based on the
586         "nfmark" value in the packet.
587         The target allows you to create rules in the "mangle" table which alter
588         the netfilter mark (nfmark) field associated with the packet.
589 
590         Prior to routing, the nfmark can influence the routing method (see
591         "Use netfilter MARK value as routing key") and can also be used by
592         other subsystems to change their behavior.
593 
594 config NETFILTER_XT_CONNMARK
595         tristate 'ctmark target and match support'
596         depends on NF_CONNTRACK
597         depends on NETFILTER_ADVANCED
598         select NF_CONNTRACK_MARK
599         ---help---
600         This option adds the "CONNMARK" target and "connmark" match.
601 
602         Netfilter allows you to store a mark value per connection (a.k.a.
603         ctmark), similarly to the packet mark (nfmark). Using this
604         target and match, you can set and match on this mark.
605 
606 config NETFILTER_XT_SET
607         tristate 'set target and match support'
608         depends on IP_SET
609         depends on NETFILTER_ADVANCED
610         help
611           This option adds the "SET" target and "set" match.
612 
613           Using this target and match, you can add/delete and match
614           elements in the sets created by ipset(8).
615 
616           To compile it as a module, choose M here.  If unsure, say N.
617 
618 # alphabetically ordered list of targets
619 
620 comment "Xtables targets"
621 
622 config NETFILTER_XT_TARGET_AUDIT
623         tristate "AUDIT target support"
624         depends on AUDIT
625         depends on NETFILTER_ADVANCED
626         ---help---
627           This option adds a 'AUDIT' target, which can be used to create
628           audit records for packets dropped/accepted.
629 
630           To compileit as a module, choose M here. If unsure, say N.
631 
632 config NETFILTER_XT_TARGET_CHECKSUM
633         tristate "CHECKSUM target support"
634         depends on IP_NF_MANGLE || IP6_NF_MANGLE
635         depends on NETFILTER_ADVANCED
636         ---help---
637           This option adds a `CHECKSUM' target, which can be used in the iptables mangle
638           table.
639 
640           You can use this target to compute and fill in the checksum in
641           a packet that lacks a checksum.  This is particularly useful,
642           if you need to work around old applications such as dhcp clients,
643           that do not work well with checksum offloads, but don't want to disable
644           checksum offload in your device.
645 
646           To compile it as a module, choose M here.  If unsure, say N.
647 
648 config NETFILTER_XT_TARGET_CLASSIFY
649         tristate '"CLASSIFY" target support'
650         depends on NETFILTER_ADVANCED
651         help
652           This option adds a `CLASSIFY' target, which enables the user to set
653           the priority of a packet. Some qdiscs can use this value for
654           classification, among these are:
655 
656           atm, cbq, dsmark, pfifo_fast, htb, prio
657 
658           To compile it as a module, choose M here.  If unsure, say N.
659 
660 config NETFILTER_XT_TARGET_CONNMARK
661         tristate  '"CONNMARK" target support'
662         depends on NF_CONNTRACK
663         depends on NETFILTER_ADVANCED
664         select NETFILTER_XT_CONNMARK
665         ---help---
666         This is a backwards-compat option for the user's convenience
667         (e.g. when running oldconfig). It selects
668         CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
669 
670 config NETFILTER_XT_TARGET_CONNSECMARK
671         tristate '"CONNSECMARK" target support'
672         depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
673         default m if NETFILTER_ADVANCED=n
674         help
675           The CONNSECMARK target copies security markings from packets
676           to connections, and restores security markings from connections
677           to packets (if the packets are not already marked).  This would
678           normally be used in conjunction with the SECMARK target.
679 
680           To compile it as a module, choose M here.  If unsure, say N.
681 
682 config NETFILTER_XT_TARGET_CT
683         tristate '"CT" target support'
684         depends on NF_CONNTRACK
685         depends on IP_NF_RAW || IP6_NF_RAW
686         depends on NETFILTER_ADVANCED
687         help
688           This options adds a `CT' target, which allows to specify initial
689           connection tracking parameters like events to be delivered and
690           the helper to be used.
691 
692           To compile it as a module, choose M here.  If unsure, say N.
693 
694 config NETFILTER_XT_TARGET_DSCP
695         tristate '"DSCP" and "TOS" target support'
696         depends on IP_NF_MANGLE || IP6_NF_MANGLE
697         depends on NETFILTER_ADVANCED
698         help
699           This option adds a `DSCP' target, which allows you to manipulate
700           the IPv4/IPv6 header DSCP field (differentiated services codepoint).
701 
702           The DSCP field can have any value between 0x0 and 0x3f inclusive.
703 
704           It also adds the "TOS" target, which allows you to create rules in
705           the "mangle" table which alter the Type Of Service field of an IPv4
706           or the Priority field of an IPv6 packet, prior to routing.
707 
708           To compile it as a module, choose M here.  If unsure, say N.
709 
710 config NETFILTER_XT_TARGET_HL
711         tristate '"HL" hoplimit target support'
712         depends on IP_NF_MANGLE || IP6_NF_MANGLE
713         depends on NETFILTER_ADVANCED
714         ---help---
715         This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
716         targets, which enable the user to change the
717         hoplimit/time-to-live value of the IP header.
718 
719         While it is safe to decrement the hoplimit/TTL value, the
720         modules also allow to increment and set the hoplimit value of
721         the header to arbitrary values. This is EXTREMELY DANGEROUS
722         since you can easily create immortal packets that loop
723         forever on the network.
724 
725 config NETFILTER_XT_TARGET_HMARK
726         tristate '"HMARK" target support'
727         depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
728         depends on NETFILTER_ADVANCED
729         ---help---
730         This option adds the "HMARK" target.
731 
732         The target allows you to create rules in the "raw" and "mangle" tables
733         which set the skbuff mark by means of hash calculation within a given
734         range. The nfmark can influence the routing method (see "Use netfilter
735         MARK value as routing key") and can also be used by other subsystems to
736         change their behaviour.
737 
738         To compile it as a module, choose M here. If unsure, say N.
739 
740 config NETFILTER_XT_TARGET_IDLETIMER
741         tristate  "IDLETIMER target support"
742         depends on NETFILTER_ADVANCED
743         help
744 
745           This option adds the `IDLETIMER' target.  Each matching packet
746           resets the timer associated with label specified when the rule is
747           added.  When the timer expires, it triggers a sysfs notification.
748           The remaining time for expiration can be read via sysfs.
749 
750           To compile it as a module, choose M here.  If unsure, say N.
751 
752 config NETFILTER_XT_TARGET_LED
753         tristate '"LED" target support'
754         depends on LEDS_CLASS && LEDS_TRIGGERS
755         depends on NETFILTER_ADVANCED
756         help
757           This option adds a `LED' target, which allows you to blink LEDs in
758           response to particular packets passing through your machine.
759 
760           This can be used to turn a spare LED into a network activity LED,
761           which only flashes in response to FTP transfers, for example.  Or
762           you could have an LED which lights up for a minute or two every time
763           somebody connects to your machine via SSH.
764 
765           You will need support for the "led" class to make this work.
766 
767           To create an LED trigger for incoming SSH traffic:
768             iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
769 
770           Then attach the new trigger to an LED on your system:
771             echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
772 
773           For more information on the LEDs available on your system, see
774           Documentation/leds/leds-class.txt
775 
776 config NETFILTER_XT_TARGET_LOG
777         tristate "LOG target support"
778         select NF_LOG_COMMON
779         select NF_LOG_IPV4
780         select NF_LOG_IPV6 if IPV6
781         default m if NETFILTER_ADVANCED=n
782         help
783           This option adds a `LOG' target, which allows you to create rules in
784           any iptables table which records the packet header to the syslog.
785 
786           To compile it as a module, choose M here.  If unsure, say N.
787 
788 config NETFILTER_XT_TARGET_MARK
789         tristate '"MARK" target support'
790         depends on NETFILTER_ADVANCED
791         select NETFILTER_XT_MARK
792         ---help---
793         This is a backwards-compat option for the user's convenience
794         (e.g. when running oldconfig). It selects
795         CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
796 
797 config NETFILTER_XT_NAT
798         tristate '"SNAT and DNAT" targets support'
799         depends on NF_NAT
800         ---help---
801         This option enables the SNAT and DNAT targets.
802 
803         To compile it as a module, choose M here. If unsure, say N.
804 
805 config NETFILTER_XT_TARGET_NETMAP
806         tristate '"NETMAP" target support'
807         depends on NF_NAT
808         ---help---
809         NETMAP is an implementation of static 1:1 NAT mapping of network
810         addresses. It maps the network address part, while keeping the host
811         address part intact.
812 
813         To compile it as a module, choose M here. If unsure, say N.
814 
815 config NETFILTER_XT_TARGET_NFLOG
816         tristate '"NFLOG" target support'
817         default m if NETFILTER_ADVANCED=n
818         select NETFILTER_NETLINK_LOG
819         help
820           This option enables the NFLOG target, which allows to LOG
821           messages through nfnetlink_log.
822 
823           To compile it as a module, choose M here.  If unsure, say N.
824 
825 config NETFILTER_XT_TARGET_NFQUEUE
826         tristate '"NFQUEUE" target Support'
827         depends on NETFILTER_ADVANCED
828         select NETFILTER_NETLINK_QUEUE
829         help
830           This target replaced the old obsolete QUEUE target.
831 
832           As opposed to QUEUE, it supports 65535 different queues,
833           not just one.
834 
835           To compile it as a module, choose M here.  If unsure, say N.
836 
837 config NETFILTER_XT_TARGET_NOTRACK
838         tristate  '"NOTRACK" target support (DEPRECATED)'
839         depends on NF_CONNTRACK
840         depends on IP_NF_RAW || IP6_NF_RAW
841         depends on NETFILTER_ADVANCED
842         select NETFILTER_XT_TARGET_CT
843 
844 config NETFILTER_XT_TARGET_RATEEST
845         tristate '"RATEEST" target support'
846         depends on NETFILTER_ADVANCED
847         help
848           This option adds a `RATEEST' target, which allows to measure
849           rates similar to TC estimators. The `rateest' match can be
850           used to match on the measured rates.
851 
852           To compile it as a module, choose M here.  If unsure, say N.
853 
854 config NETFILTER_XT_TARGET_REDIRECT
855         tristate "REDIRECT target support"
856         depends on NF_NAT
857         select NF_NAT_REDIRECT
858         ---help---
859         REDIRECT is a special case of NAT: all incoming connections are
860         mapped onto the incoming interface's address, causing the packets to
861         come to the local machine instead of passing through. This is
862         useful for transparent proxies.
863 
864         To compile it as a module, choose M here. If unsure, say N.
865 
866 config NETFILTER_XT_TARGET_TEE
867         tristate '"TEE" - packet cloning to alternate destination'
868         depends on NETFILTER_ADVANCED
869         depends on IPV6 || IPV6=n
870         depends on !NF_CONNTRACK || NF_CONNTRACK
871         select NF_DUP_IPV4
872         select NF_DUP_IPV6 if IP6_NF_IPTABLES != n
873         ---help---
874         This option adds a "TEE" target with which a packet can be cloned and
875         this clone be rerouted to another nexthop.
876 
877 config NETFILTER_XT_TARGET_TPROXY
878         tristate '"TPROXY" target transparent proxying support'
879         depends on NETFILTER_XTABLES
880         depends on NETFILTER_ADVANCED
881         depends on IPV6 || IPV6=n
882         depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
883         depends on IP_NF_MANGLE
884         select NF_DEFRAG_IPV4
885         select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
886         help
887           This option adds a `TPROXY' target, which is somewhat similar to
888           REDIRECT.  It can only be used in the mangle table and is useful
889           to redirect traffic to a transparent proxy.  It does _not_ depend
890           on Netfilter connection tracking and NAT, unlike REDIRECT.
891           For it to work you will have to configure certain iptables rules
892           and use policy routing. For more information on how to set it up
893           see Documentation/networking/tproxy.txt.
894 
895           To compile it as a module, choose M here.  If unsure, say N.
896 
897 config NETFILTER_XT_TARGET_TRACE
898         tristate  '"TRACE" target support'
899         depends on IP_NF_RAW || IP6_NF_RAW
900         depends on NETFILTER_ADVANCED
901         help
902           The TRACE target allows you to mark packets so that the kernel
903           will log every rule which match the packets as those traverse
904           the tables, chains, rules.
905 
906           If you want to compile it as a module, say M here and read
907           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
908 
909 config NETFILTER_XT_TARGET_SECMARK
910         tristate '"SECMARK" target support'
911         depends on NETWORK_SECMARK
912         default m if NETFILTER_ADVANCED=n
913         help
914           The SECMARK target allows security marking of network
915           packets, for use with security subsystems.
916 
917           To compile it as a module, choose M here.  If unsure, say N.
918 
919 config NETFILTER_XT_TARGET_TCPMSS
920         tristate '"TCPMSS" target support'
921         depends on IPV6 || IPV6=n
922         default m if NETFILTER_ADVANCED=n
923         ---help---
924           This option adds a `TCPMSS' target, which allows you to alter the
925           MSS value of TCP SYN packets, to control the maximum size for that
926           connection (usually limiting it to your outgoing interface's MTU
927           minus 40).
928 
929           This is used to overcome criminally braindead ISPs or servers which
930           block ICMP Fragmentation Needed packets.  The symptoms of this
931           problem are that everything works fine from your Linux
932           firewall/router, but machines behind it can never exchange large
933           packets:
934                 1) Web browsers connect, then hang with no data received.
935                 2) Small mail works fine, but large emails hang.
936                 3) ssh works fine, but scp hangs after initial handshaking.
937 
938           Workaround: activate this option and add a rule to your firewall
939           configuration like:
940 
941           iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
942                          -j TCPMSS --clamp-mss-to-pmtu
943 
944           To compile it as a module, choose M here.  If unsure, say N.
945 
946 config NETFILTER_XT_TARGET_TCPOPTSTRIP
947         tristate '"TCPOPTSTRIP" target support'
948         depends on IP_NF_MANGLE || IP6_NF_MANGLE
949         depends on NETFILTER_ADVANCED
950         help
951           This option adds a "TCPOPTSTRIP" target, which allows you to strip
952           TCP options from TCP packets.
953 
954 # alphabetically ordered list of matches
955 
956 comment "Xtables matches"
957 
958 config NETFILTER_XT_MATCH_ADDRTYPE
959         tristate '"addrtype" address type match support'
960         default m if NETFILTER_ADVANCED=n
961         ---help---
962           This option allows you to match what routing thinks of an address,
963           eg. UNICAST, LOCAL, BROADCAST, ...
964 
965           If you want to compile it as a module, say M here and read
966           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
967 
968 config NETFILTER_XT_MATCH_BPF
969         tristate '"bpf" match support'
970         depends on NETFILTER_ADVANCED
971         help
972           BPF matching applies a linux socket filter to each packet and
973           accepts those for which the filter returns non-zero.
974 
975           To compile it as a module, choose M here.  If unsure, say N.
976 
977 config NETFILTER_XT_MATCH_CGROUP
978         tristate '"control group" match support'
979         depends on NETFILTER_ADVANCED
980         depends on CGROUPS
981         select CGROUP_NET_CLASSID
982         ---help---
983         Socket/process control group matching allows you to match locally
984         generated packets based on which net_cls control group processes
985         belong to.
986 
987 config NETFILTER_XT_MATCH_CLUSTER
988         tristate '"cluster" match support'
989         depends on NF_CONNTRACK
990         depends on NETFILTER_ADVANCED
991         ---help---
992           This option allows you to build work-load-sharing clusters of
993           network servers/stateful firewalls without having a dedicated
994           load-balancing router/server/switch. Basically, this match returns
995           true when the packet must be handled by this cluster node. Thus,
996           all nodes see all packets and this match decides which node handles
997           what packets. The work-load sharing algorithm is based on source
998           address hashing.
999 
1000           If you say Y or M here, try `iptables -m cluster --help` for
1001           more information.
1002 
1003 config NETFILTER_XT_MATCH_COMMENT
1004         tristate  '"comment" match support'
1005         depends on NETFILTER_ADVANCED
1006         help
1007           This option adds a `comment' dummy-match, which allows you to put
1008           comments in your iptables ruleset.
1009 
1010           If you want to compile it as a module, say M here and read
1011           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1012 
1013 config NETFILTER_XT_MATCH_CONNBYTES
1014         tristate  '"connbytes" per-connection counter match support'
1015         depends on NF_CONNTRACK
1016         depends on NETFILTER_ADVANCED
1017         help
1018           This option adds a `connbytes' match, which allows you to match the
1019           number of bytes and/or packets for each direction within a connection.
1020 
1021           If you want to compile it as a module, say M here and read
1022           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1023 
1024 config NETFILTER_XT_MATCH_CONNLABEL
1025         tristate '"connlabel" match support'
1026         select NF_CONNTRACK_LABELS
1027         depends on NF_CONNTRACK
1028         depends on NETFILTER_ADVANCED
1029         ---help---
1030           This match allows you to test and assign userspace-defined labels names
1031           to a connection.  The kernel only stores bit values - mapping
1032           names to bits is done by userspace.
1033 
1034           Unlike connmark, more than 32 flag bits may be assigned to a
1035           connection simultaneously.
1036 
1037 config NETFILTER_XT_MATCH_CONNLIMIT
1038         tristate '"connlimit" match support'
1039         depends on NF_CONNTRACK
1040         depends on NETFILTER_ADVANCED
1041         ---help---
1042           This match allows you to match against the number of parallel
1043           connections to a server per client IP address (or address block).
1044 
1045 config NETFILTER_XT_MATCH_CONNMARK
1046         tristate  '"connmark" connection mark match support'
1047         depends on NF_CONNTRACK
1048         depends on NETFILTER_ADVANCED
1049         select NETFILTER_XT_CONNMARK
1050         ---help---
1051         This is a backwards-compat option for the user's convenience
1052         (e.g. when running oldconfig). It selects
1053         CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
1054 
1055 config NETFILTER_XT_MATCH_CONNTRACK
1056         tristate '"conntrack" connection tracking match support'
1057         depends on NF_CONNTRACK
1058         default m if NETFILTER_ADVANCED=n
1059         help
1060           This is a general conntrack match module, a superset of the state match.
1061 
1062           It allows matching on additional conntrack information, which is
1063           useful in complex configurations, such as NAT gateways with multiple
1064           internet links or tunnels.
1065 
1066           To compile it as a module, choose M here.  If unsure, say N.
1067 
1068 config NETFILTER_XT_MATCH_CPU
1069         tristate '"cpu" match support'
1070         depends on NETFILTER_ADVANCED
1071         help
1072           CPU matching allows you to match packets based on the CPU
1073           currently handling the packet.
1074 
1075           To compile it as a module, choose M here.  If unsure, say N.
1076 
1077 config NETFILTER_XT_MATCH_DCCP
1078         tristate '"dccp" protocol match support'
1079         depends on NETFILTER_ADVANCED
1080         default IP_DCCP
1081         help
1082           With this option enabled, you will be able to use the iptables
1083           `dccp' match in order to match on DCCP source/destination ports
1084           and DCCP flags.
1085 
1086           If you want to compile it as a module, say M here and read
1087           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1088 
1089 config NETFILTER_XT_MATCH_DEVGROUP
1090         tristate '"devgroup" match support'
1091         depends on NETFILTER_ADVANCED
1092         help
1093           This options adds a `devgroup' match, which allows to match on the
1094           device group a network device is assigned to.
1095 
1096           To compile it as a module, choose M here.  If unsure, say N.
1097 
1098 config NETFILTER_XT_MATCH_DSCP
1099         tristate '"dscp" and "tos" match support'
1100         depends on NETFILTER_ADVANCED
1101         help
1102           This option adds a `DSCP' match, which allows you to match against
1103           the IPv4/IPv6 header DSCP field (differentiated services codepoint).
1104 
1105           The DSCP field can have any value between 0x0 and 0x3f inclusive.
1106 
1107           It will also add a "tos" match, which allows you to match packets
1108           based on the Type Of Service fields of the IPv4 packet (which share
1109           the same bits as DSCP).
1110 
1111           To compile it as a module, choose M here.  If unsure, say N.
1112 
1113 config NETFILTER_XT_MATCH_ECN
1114         tristate '"ecn" match support'
1115         depends on NETFILTER_ADVANCED
1116         ---help---
1117         This option adds an "ECN" match, which allows you to match against
1118         the IPv4 and TCP header ECN fields.
1119 
1120         To compile it as a module, choose M here. If unsure, say N.
1121 
1122 config NETFILTER_XT_MATCH_ESP
1123         tristate '"esp" match support'
1124         depends on NETFILTER_ADVANCED
1125         help
1126           This match extension allows you to match a range of SPIs
1127           inside ESP header of IPSec packets.
1128 
1129           To compile it as a module, choose M here.  If unsure, say N.
1130 
1131 config NETFILTER_XT_MATCH_HASHLIMIT
1132         tristate '"hashlimit" match support'
1133         depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1134         depends on NETFILTER_ADVANCED
1135         help
1136           This option adds a `hashlimit' match.
1137 
1138           As opposed to `limit', this match dynamically creates a hash table
1139           of limit buckets, based on your selection of source/destination
1140           addresses and/or ports.
1141 
1142           It enables you to express policies like `10kpps for any given
1143           destination address' or `500pps from any given source address'
1144           with a single rule.
1145 
1146 config NETFILTER_XT_MATCH_HELPER
1147         tristate '"helper" match support'
1148         depends on NF_CONNTRACK
1149         depends on NETFILTER_ADVANCED
1150         help
1151           Helper matching allows you to match packets in dynamic connections
1152           tracked by a conntrack-helper, ie. ip_conntrack_ftp
1153 
1154           To compile it as a module, choose M here.  If unsure, say Y.
1155 
1156 config NETFILTER_XT_MATCH_HL
1157         tristate '"hl" hoplimit/TTL match support'
1158         depends on NETFILTER_ADVANCED
1159         ---help---
1160         HL matching allows you to match packets based on the hoplimit
1161         in the IPv6 header, or the time-to-live field in the IPv4
1162         header of the packet.
1163 
1164 config NETFILTER_XT_MATCH_IPCOMP
1165         tristate '"ipcomp" match support'
1166         depends on NETFILTER_ADVANCED
1167         help
1168           This match extension allows you to match a range of CPIs(16 bits)
1169           inside IPComp header of IPSec packets.
1170 
1171           To compile it as a module, choose M here.  If unsure, say N.
1172 
1173 config NETFILTER_XT_MATCH_IPRANGE
1174         tristate '"iprange" address range match support'
1175         depends on NETFILTER_ADVANCED
1176         ---help---
1177         This option adds a "iprange" match, which allows you to match based on
1178         an IP address range. (Normal iptables only matches on single addresses
1179         with an optional mask.)
1180 
1181         If unsure, say M.
1182 
1183 config NETFILTER_XT_MATCH_IPVS
1184         tristate '"ipvs" match support'
1185         depends on IP_VS
1186         depends on NETFILTER_ADVANCED
1187         depends on NF_CONNTRACK
1188         help
1189           This option allows you to match against IPVS properties of a packet.
1190 
1191           If unsure, say N.
1192 
1193 config NETFILTER_XT_MATCH_L2TP
1194         tristate '"l2tp" match support'
1195         depends on NETFILTER_ADVANCED
1196         default L2TP
1197         ---help---
1198         This option adds an "L2TP" match, which allows you to match against
1199         L2TP protocol header fields.
1200 
1201         To compile it as a module, choose M here. If unsure, say N.
1202 
1203 config NETFILTER_XT_MATCH_LENGTH
1204         tristate '"length" match support'
1205         depends on NETFILTER_ADVANCED
1206         help
1207           This option allows you to match the length of a packet against a
1208           specific value or range of values.
1209 
1210           To compile it as a module, choose M here.  If unsure, say N.
1211 
1212 config NETFILTER_XT_MATCH_LIMIT
1213         tristate '"limit" match support'
1214         depends on NETFILTER_ADVANCED
1215         help
1216           limit matching allows you to control the rate at which a rule can be
1217           matched: mainly useful in combination with the LOG target ("LOG
1218           target support", below) and to avoid some Denial of Service attacks.
1219 
1220           To compile it as a module, choose M here.  If unsure, say N.
1221 
1222 config NETFILTER_XT_MATCH_MAC
1223         tristate '"mac" address match support'
1224         depends on NETFILTER_ADVANCED
1225         help
1226           MAC matching allows you to match packets based on the source
1227           Ethernet address of the packet.
1228 
1229           To compile it as a module, choose M here.  If unsure, say N.
1230 
1231 config NETFILTER_XT_MATCH_MARK
1232         tristate '"mark" match support'
1233         depends on NETFILTER_ADVANCED
1234         select NETFILTER_XT_MARK
1235         ---help---
1236         This is a backwards-compat option for the user's convenience
1237         (e.g. when running oldconfig). It selects
1238         CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
1239 
1240 config NETFILTER_XT_MATCH_MULTIPORT
1241         tristate '"multiport" Multiple port match support'
1242         depends on NETFILTER_ADVANCED
1243         help
1244           Multiport matching allows you to match TCP or UDP packets based on
1245           a series of source or destination ports: normally a rule can only
1246           match a single range of ports.
1247 
1248           To compile it as a module, choose M here.  If unsure, say N.
1249 
1250 config NETFILTER_XT_MATCH_NFACCT
1251         tristate '"nfacct" match support'
1252         depends on NETFILTER_ADVANCED
1253         select NETFILTER_NETLINK_ACCT
1254         help
1255           This option allows you to use the extended accounting through
1256           nfnetlink_acct.
1257 
1258           To compile it as a module, choose M here.  If unsure, say N.
1259 
1260 config NETFILTER_XT_MATCH_OSF
1261         tristate '"osf" Passive OS fingerprint match'
1262         depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
1263         help
1264           This option selects the Passive OS Fingerprinting match module
1265           that allows to passively match the remote operating system by
1266           analyzing incoming TCP SYN packets.
1267 
1268           Rules and loading software can be downloaded from
1269           http://www.ioremap.net/projects/osf
1270 
1271           To compile it as a module, choose M here.  If unsure, say N.
1272 
1273 config NETFILTER_XT_MATCH_OWNER
1274         tristate '"owner" match support'
1275         depends on NETFILTER_ADVANCED
1276         ---help---
1277         Socket owner matching allows you to match locally-generated packets
1278         based on who created the socket: the user or group. It is also
1279         possible to check whether a socket actually exists.
1280 
1281 config NETFILTER_XT_MATCH_POLICY
1282         tristate 'IPsec "policy" match support'
1283         depends on XFRM
1284         default m if NETFILTER_ADVANCED=n
1285         help
1286           Policy matching allows you to match packets based on the
1287           IPsec policy that was used during decapsulation/will
1288           be used during encapsulation.
1289 
1290           To compile it as a module, choose M here.  If unsure, say N.
1291 
1292 config NETFILTER_XT_MATCH_PHYSDEV
1293         tristate '"physdev" match support'
1294         depends on BRIDGE && BRIDGE_NETFILTER
1295         depends on NETFILTER_ADVANCED
1296         help
1297           Physdev packet matching matches against the physical bridge ports
1298           the IP packet arrived on or will leave by.
1299 
1300           To compile it as a module, choose M here.  If unsure, say N.
1301 
1302 config NETFILTER_XT_MATCH_PKTTYPE
1303         tristate '"pkttype" packet type match support'
1304         depends on NETFILTER_ADVANCED
1305         help
1306           Packet type matching allows you to match a packet by
1307           its "class", eg. BROADCAST, MULTICAST, ...
1308 
1309           Typical usage:
1310           iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
1311 
1312           To compile it as a module, choose M here.  If unsure, say N.
1313 
1314 config NETFILTER_XT_MATCH_QUOTA
1315         tristate '"quota" match support'
1316         depends on NETFILTER_ADVANCED
1317         help
1318           This option adds a `quota' match, which allows to match on a
1319           byte counter.
1320 
1321           If you want to compile it as a module, say M here and read
1322           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1323 
1324 config NETFILTER_XT_MATCH_RATEEST
1325         tristate '"rateest" match support'
1326         depends on NETFILTER_ADVANCED
1327         select NETFILTER_XT_TARGET_RATEEST
1328         help
1329           This option adds a `rateest' match, which allows to match on the
1330           rate estimated by the RATEEST target.
1331 
1332           To compile it as a module, choose M here.  If unsure, say N.
1333 
1334 config NETFILTER_XT_MATCH_REALM
1335         tristate  '"realm" match support'
1336         depends on NETFILTER_ADVANCED
1337         select IP_ROUTE_CLASSID
1338         help
1339           This option adds a `realm' match, which allows you to use the realm
1340           key from the routing subsystem inside iptables.
1341 
1342           This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option 
1343           in tc world.
1344 
1345           If you want to compile it as a module, say M here and read
1346           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1347 
1348 config NETFILTER_XT_MATCH_RECENT
1349         tristate '"recent" match support'
1350         depends on NETFILTER_ADVANCED
1351         ---help---
1352         This match is used for creating one or many lists of recently
1353         used addresses and then matching against that/those list(s).
1354 
1355         Short options are available by using 'iptables -m recent -h'
1356         Official Website: <http://snowman.net/projects/ipt_recent/>
1357 
1358 config NETFILTER_XT_MATCH_SCTP
1359         tristate  '"sctp" protocol match support'
1360         depends on NETFILTER_ADVANCED
1361         default IP_SCTP
1362         help
1363           With this option enabled, you will be able to use the 
1364           `sctp' match in order to match on SCTP source/destination ports
1365           and SCTP chunk types.
1366 
1367           If you want to compile it as a module, say M here and read
1368           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1369 
1370 config NETFILTER_XT_MATCH_SOCKET
1371         tristate '"socket" match support'
1372         depends on NETFILTER_XTABLES
1373         depends on NETFILTER_ADVANCED
1374         depends on !NF_CONNTRACK || NF_CONNTRACK
1375         depends on IPV6 || IPV6=n
1376         depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1377         select NF_DEFRAG_IPV4
1378         select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1379         help
1380           This option adds a `socket' match, which can be used to match
1381           packets for which a TCP or UDP socket lookup finds a valid socket.
1382           It can be used in combination with the MARK target and policy
1383           routing to implement full featured non-locally bound sockets.
1384 
1385           To compile it as a module, choose M here.  If unsure, say N.
1386 
1387 config NETFILTER_XT_MATCH_STATE
1388         tristate '"state" match support'
1389         depends on NF_CONNTRACK
1390         default m if NETFILTER_ADVANCED=n
1391         help
1392           Connection state matching allows you to match packets based on their
1393           relationship to a tracked connection (ie. previous packets).  This
1394           is a powerful tool for packet classification.
1395 
1396           To compile it as a module, choose M here.  If unsure, say N.
1397 
1398 config NETFILTER_XT_MATCH_STATISTIC
1399         tristate '"statistic" match support'
1400         depends on NETFILTER_ADVANCED
1401         help
1402           This option adds a `statistic' match, which allows you to match
1403           on packets periodically or randomly with a given percentage.
1404 
1405           To compile it as a module, choose M here.  If unsure, say N.
1406 
1407 config NETFILTER_XT_MATCH_STRING
1408         tristate  '"string" match support'
1409         depends on NETFILTER_ADVANCED
1410         select TEXTSEARCH
1411         select TEXTSEARCH_KMP
1412         select TEXTSEARCH_BM
1413         select TEXTSEARCH_FSM
1414         help
1415           This option adds a `string' match, which allows you to look for
1416           pattern matchings in packets.
1417 
1418           To compile it as a module, choose M here.  If unsure, say N.
1419 
1420 config NETFILTER_XT_MATCH_TCPMSS
1421         tristate '"tcpmss" match support'
1422         depends on NETFILTER_ADVANCED
1423         help
1424           This option adds a `tcpmss' match, which allows you to examine the
1425           MSS value of TCP SYN packets, which control the maximum packet size
1426           for that connection.
1427 
1428           To compile it as a module, choose M here.  If unsure, say N.
1429 
1430 config NETFILTER_XT_MATCH_TIME
1431         tristate '"time" match support'
1432         depends on NETFILTER_ADVANCED
1433         ---help---
1434           This option adds a "time" match, which allows you to match based on
1435           the packet arrival time (at the machine which netfilter is running)
1436           on) or departure time/date (for locally generated packets).
1437 
1438           If you say Y here, try `iptables -m time --help` for
1439           more information.
1440 
1441           If you want to compile it as a module, say M here.
1442           If unsure, say N.
1443 
1444 config NETFILTER_XT_MATCH_U32
1445         tristate '"u32" match support'
1446         depends on NETFILTER_ADVANCED
1447         ---help---
1448           u32 allows you to extract quantities of up to 4 bytes from a packet,
1449           AND them with specified masks, shift them by specified amounts and
1450           test whether the results are in any of a set of specified ranges.
1451           The specification of what to extract is general enough to skip over
1452           headers with lengths stored in the packet, as in IP or TCP header
1453           lengths.
1454 
1455           Details and examples are in the kernel module source.
1456 
1457 endif # NETFILTER_XTABLES
1458 
1459 endmenu
1460 
1461 source "net/netfilter/ipset/Kconfig"
1462 
1463 source "net/netfilter/ipvs/Kconfig"

This page was automatically generated by LXR 0.3.1 (source).  •  Linux is a registered trademark of Linus Torvalds  •  Contact us