Version:  2.0.40 2.2.26 2.4.37 3.4 3.5 3.6 3.7 3.8 3.9 3.10 3.11 3.12 3.13 3.14 3.15 3.16 3.17 3.18 3.19 4.0

Linux/net/netfilter/Kconfig

  1 menu "Core Netfilter Configuration"
  2         depends on NET && INET && NETFILTER
  3 
  4 config NETFILTER_NETLINK
  5         tristate
  6 
  7 config NETFILTER_NETLINK_ACCT
  8 tristate "Netfilter NFACCT over NFNETLINK interface"
  9         depends on NETFILTER_ADVANCED
 10         select NETFILTER_NETLINK
 11         help
 12           If this option is enabled, the kernel will include support
 13           for extended accounting via NFNETLINK.
 14 
 15 config NETFILTER_NETLINK_QUEUE
 16         tristate "Netfilter NFQUEUE over NFNETLINK interface"
 17         depends on NETFILTER_ADVANCED
 18         select NETFILTER_NETLINK
 19         help
 20           If this option is enabled, the kernel will include support
 21           for queueing packets via NFNETLINK.
 22           
 23 config NETFILTER_NETLINK_LOG
 24         tristate "Netfilter LOG over NFNETLINK interface"
 25         default m if NETFILTER_ADVANCED=n
 26         select NETFILTER_NETLINK
 27         help
 28           If this option is enabled, the kernel will include support
 29           for logging packets via NFNETLINK.
 30 
 31           This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms,
 32           and is also scheduled to replace the old syslog-based ipt_LOG
 33           and ip6t_LOG modules.
 34 
 35 config NF_CONNTRACK
 36         tristate "Netfilter connection tracking support"
 37         default m if NETFILTER_ADVANCED=n
 38         help
 39           Connection tracking keeps a record of what packets have passed
 40           through your machine, in order to figure out how they are related
 41           into connections.
 42 
 43           This is required to do Masquerading or other kinds of Network
 44           Address Translation.  It can also be used to enhance packet
 45           filtering (see `Connection state match support' below).
 46 
 47           To compile it as a module, choose M here.  If unsure, say N.
 48 
 49 config NF_LOG_COMMON
 50         tristate
 51 
 52 if NF_CONNTRACK
 53 
 54 config NF_CONNTRACK_MARK
 55         bool  'Connection mark tracking support'
 56         depends on NETFILTER_ADVANCED
 57         help
 58           This option enables support for connection marks, used by the
 59           `CONNMARK' target and `connmark' match. Similar to the mark value
 60           of packets, but this mark value is kept in the conntrack session
 61           instead of the individual packets.
 62 
 63 config NF_CONNTRACK_SECMARK
 64         bool  'Connection tracking security mark support'
 65         depends on NETWORK_SECMARK
 66         default m if NETFILTER_ADVANCED=n
 67         help
 68           This option enables security markings to be applied to
 69           connections.  Typically they are copied to connections from
 70           packets using the CONNSECMARK target and copied back from
 71           connections to packets with the same target, with the packets
 72           being originally labeled via SECMARK.
 73 
 74           If unsure, say 'N'.
 75 
 76 config NF_CONNTRACK_ZONES
 77         bool  'Connection tracking zones'
 78         depends on NETFILTER_ADVANCED
 79         depends on NETFILTER_XT_TARGET_CT
 80         help
 81           This option enables support for connection tracking zones.
 82           Normally, each connection needs to have a unique system wide
 83           identity. Connection tracking zones allow to have multiple
 84           connections using the same identity, as long as they are
 85           contained in different zones.
 86 
 87           If unsure, say `N'.
 88 
 89 config NF_CONNTRACK_PROCFS
 90         bool "Supply CT list in procfs (OBSOLETE)"
 91         default y
 92         depends on PROC_FS
 93         ---help---
 94         This option enables for the list of known conntrack entries
 95         to be shown in procfs under net/netfilter/nf_conntrack. This
 96         is considered obsolete in favor of using the conntrack(8)
 97         tool which uses Netlink.
 98 
 99 config NF_CONNTRACK_EVENTS
100         bool "Connection tracking events"
101         depends on NETFILTER_ADVANCED
102         help
103           If this option is enabled, the connection tracking code will
104           provide a notifier chain that can be used by other kernel code
105           to get notified about changes in the connection tracking state.
106 
107           If unsure, say `N'.
108 
109 config NF_CONNTRACK_TIMEOUT
110         bool  'Connection tracking timeout'
111         depends on NETFILTER_ADVANCED
112         help
113           This option enables support for connection tracking timeout
114           extension. This allows you to attach timeout policies to flow
115           via the CT target.
116 
117           If unsure, say `N'.
118 
119 config NF_CONNTRACK_TIMESTAMP
120         bool  'Connection tracking timestamping'
121         depends on NETFILTER_ADVANCED
122         help
123           This option enables support for connection tracking timestamping.
124           This allows you to store the flow start-time and to obtain
125           the flow-stop time (once it has been destroyed) via Connection
126           tracking events.
127 
128           If unsure, say `N'.
129 
130 config NF_CONNTRACK_LABELS
131         bool
132         help
133           This option enables support for assigning user-defined flag bits
134           to connection tracking entries.  It selected by the connlabel match.
135 
136 config NF_CT_PROTO_DCCP
137         tristate 'DCCP protocol connection tracking support'
138         depends on NETFILTER_ADVANCED
139         default IP_DCCP
140         help
141           With this option enabled, the layer 3 independent connection
142           tracking code will be able to do state tracking on DCCP connections.
143 
144           If unsure, say 'N'.
145 
146 config NF_CT_PROTO_GRE
147         tristate
148 
149 config NF_CT_PROTO_SCTP
150         tristate 'SCTP protocol connection tracking support'
151         depends on NETFILTER_ADVANCED
152         default IP_SCTP
153         help
154           With this option enabled, the layer 3 independent connection
155           tracking code will be able to do state tracking on SCTP connections.
156 
157           If you want to compile it as a module, say M here and read
158           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
159 
160 config NF_CT_PROTO_UDPLITE
161         tristate 'UDP-Lite protocol connection tracking support'
162         depends on NETFILTER_ADVANCED
163         help
164           With this option enabled, the layer 3 independent connection
165           tracking code will be able to do state tracking on UDP-Lite
166           connections.
167 
168           To compile it as a module, choose M here.  If unsure, say N.
169 
170 config NF_CONNTRACK_AMANDA
171         tristate "Amanda backup protocol support"
172         depends on NETFILTER_ADVANCED
173         select TEXTSEARCH
174         select TEXTSEARCH_KMP
175         help
176           If you are running the Amanda backup package <http://www.amanda.org/>
177           on this machine or machines that will be MASQUERADED through this
178           machine, then you may want to enable this feature.  This allows the
179           connection tracking and natting code to allow the sub-channels that
180           Amanda requires for communication of the backup data, messages and
181           index.
182 
183           To compile it as a module, choose M here.  If unsure, say N.
184 
185 config NF_CONNTRACK_FTP
186         tristate "FTP protocol support"
187         default m if NETFILTER_ADVANCED=n
188         help
189           Tracking FTP connections is problematic: special helpers are
190           required for tracking them, and doing masquerading and other forms
191           of Network Address Translation on them.
192 
193           This is FTP support on Layer 3 independent connection tracking.
194           Layer 3 independent connection tracking is experimental scheme
195           which generalize ip_conntrack to support other layer 3 protocols.
196 
197           To compile it as a module, choose M here.  If unsure, say N.
198 
199 config NF_CONNTRACK_H323
200         tristate "H.323 protocol support"
201         depends on (IPV6 || IPV6=n)
202         depends on NETFILTER_ADVANCED
203         help
204           H.323 is a VoIP signalling protocol from ITU-T. As one of the most
205           important VoIP protocols, it is widely used by voice hardware and
206           software including voice gateways, IP phones, Netmeeting, OpenPhone,
207           Gnomemeeting, etc.
208 
209           With this module you can support H.323 on a connection tracking/NAT
210           firewall.
211 
212           This module supports RAS, Fast Start, H.245 Tunnelling, Call
213           Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
214           whiteboard, file transfer, etc. For more information, please
215           visit http://nath323.sourceforge.net/.
216 
217           To compile it as a module, choose M here.  If unsure, say N.
218 
219 config NF_CONNTRACK_IRC
220         tristate "IRC protocol support"
221         default m if NETFILTER_ADVANCED=n
222         help
223           There is a commonly-used extension to IRC called
224           Direct Client-to-Client Protocol (DCC).  This enables users to send
225           files to each other, and also chat to each other without the need
226           of a server.  DCC Sending is used anywhere you send files over IRC,
227           and DCC Chat is most commonly used by Eggdrop bots.  If you are
228           using NAT, this extension will enable you to send files and initiate
229           chats.  Note that you do NOT need this extension to get files or
230           have others initiate chats, or everything else in IRC.
231 
232           To compile it as a module, choose M here.  If unsure, say N.
233 
234 config NF_CONNTRACK_BROADCAST
235         tristate
236 
237 config NF_CONNTRACK_NETBIOS_NS
238         tristate "NetBIOS name service protocol support"
239         select NF_CONNTRACK_BROADCAST
240         help
241           NetBIOS name service requests are sent as broadcast messages from an
242           unprivileged port and responded to with unicast messages to the
243           same port. This make them hard to firewall properly because connection
244           tracking doesn't deal with broadcasts. This helper tracks locally
245           originating NetBIOS name service requests and the corresponding
246           responses. It relies on correct IP address configuration, specifically
247           netmask and broadcast address. When properly configured, the output
248           of "ip address show" should look similar to this:
249 
250           $ ip -4 address show eth0
251           4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
252               inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
253 
254           To compile it as a module, choose M here.  If unsure, say N.
255 
256 config NF_CONNTRACK_SNMP
257         tristate "SNMP service protocol support"
258         depends on NETFILTER_ADVANCED
259         select NF_CONNTRACK_BROADCAST
260         help
261           SNMP service requests are sent as broadcast messages from an
262           unprivileged port and responded to with unicast messages to the
263           same port. This make them hard to firewall properly because connection
264           tracking doesn't deal with broadcasts. This helper tracks locally
265           originating SNMP service requests and the corresponding
266           responses. It relies on correct IP address configuration, specifically
267           netmask and broadcast address.
268 
269           To compile it as a module, choose M here.  If unsure, say N.
270 
271 config NF_CONNTRACK_PPTP
272         tristate "PPtP protocol support"
273         depends on NETFILTER_ADVANCED
274         select NF_CT_PROTO_GRE
275         help
276           This module adds support for PPTP (Point to Point Tunnelling
277           Protocol, RFC2637) connection tracking and NAT.
278 
279           If you are running PPTP sessions over a stateful firewall or NAT
280           box, you may want to enable this feature.
281 
282           Please note that not all PPTP modes of operation are supported yet.
283           Specifically these limitations exist:
284             - Blindly assumes that control connections are always established
285               in PNS->PAC direction. This is a violation of RFC2637.
286             - Only supports a single call within each session
287 
288           To compile it as a module, choose M here.  If unsure, say N.
289 
290 config NF_CONNTRACK_SANE
291         tristate "SANE protocol support"
292         depends on NETFILTER_ADVANCED
293         help
294           SANE is a protocol for remote access to scanners as implemented
295           by the 'saned' daemon. Like FTP, it uses separate control and
296           data connections.
297 
298           With this module you can support SANE on a connection tracking
299           firewall.
300 
301           To compile it as a module, choose M here.  If unsure, say N.
302 
303 config NF_CONNTRACK_SIP
304         tristate "SIP protocol support"
305         default m if NETFILTER_ADVANCED=n
306         help
307           SIP is an application-layer control protocol that can establish,
308           modify, and terminate multimedia sessions (conferences) such as
309           Internet telephony calls. With the ip_conntrack_sip and
310           the nf_nat_sip modules you can support the protocol on a connection
311           tracking/NATing firewall.
312 
313           To compile it as a module, choose M here.  If unsure, say N.
314 
315 config NF_CONNTRACK_TFTP
316         tristate "TFTP protocol support"
317         depends on NETFILTER_ADVANCED
318         help
319           TFTP connection tracking helper, this is required depending
320           on how restrictive your ruleset is.
321           If you are using a tftp client behind -j SNAT or -j MASQUERADING
322           you will need this.
323 
324           To compile it as a module, choose M here.  If unsure, say N.
325 
326 config NF_CT_NETLINK
327         tristate 'Connection tracking netlink interface'
328         select NETFILTER_NETLINK
329         default m if NETFILTER_ADVANCED=n
330         help
331           This option enables support for a netlink-based userspace interface
332 
333 config NF_CT_NETLINK_TIMEOUT
334         tristate  'Connection tracking timeout tuning via Netlink'
335         select NETFILTER_NETLINK
336         depends on NETFILTER_ADVANCED
337         help
338           This option enables support for connection tracking timeout
339           fine-grain tuning. This allows you to attach specific timeout
340           policies to flows, instead of using the global timeout policy.
341 
342           If unsure, say `N'.
343 
344 config NF_CT_NETLINK_HELPER
345         tristate 'Connection tracking helpers in user-space via Netlink'
346         select NETFILTER_NETLINK
347         depends on NF_CT_NETLINK
348         depends on NETFILTER_NETLINK_QUEUE
349         depends on NETFILTER_NETLINK_QUEUE_CT
350         depends on NETFILTER_ADVANCED
351         help
352           This option enables the user-space connection tracking helpers
353           infrastructure.
354 
355           If unsure, say `N'.
356 
357 config NETFILTER_NETLINK_QUEUE_CT
358         bool "NFQUEUE integration with Connection Tracking"
359         default n
360         depends on NETFILTER_NETLINK_QUEUE
361         help
362           If this option is enabled, NFQUEUE can include Connection Tracking
363           information together with the packet is the enqueued via NFNETLINK.
364 
365 config NF_NAT
366         tristate
367 
368 config NF_NAT_NEEDED
369         bool
370         depends on NF_NAT
371         default y
372 
373 config NF_NAT_PROTO_DCCP
374         tristate
375         depends on NF_NAT && NF_CT_PROTO_DCCP
376         default NF_NAT && NF_CT_PROTO_DCCP
377 
378 config NF_NAT_PROTO_UDPLITE
379         tristate
380         depends on NF_NAT && NF_CT_PROTO_UDPLITE
381         default NF_NAT && NF_CT_PROTO_UDPLITE
382 
383 config NF_NAT_PROTO_SCTP
384         tristate
385         default NF_NAT && NF_CT_PROTO_SCTP
386         depends on NF_NAT && NF_CT_PROTO_SCTP
387         select LIBCRC32C
388 
389 config NF_NAT_AMANDA
390         tristate
391         depends on NF_CONNTRACK && NF_NAT
392         default NF_NAT && NF_CONNTRACK_AMANDA
393 
394 config NF_NAT_FTP
395         tristate
396         depends on NF_CONNTRACK && NF_NAT
397         default NF_NAT && NF_CONNTRACK_FTP
398 
399 config NF_NAT_IRC
400         tristate
401         depends on NF_CONNTRACK && NF_NAT
402         default NF_NAT && NF_CONNTRACK_IRC
403 
404 config NF_NAT_SIP
405         tristate
406         depends on NF_CONNTRACK && NF_NAT
407         default NF_NAT && NF_CONNTRACK_SIP
408 
409 config NF_NAT_TFTP
410         tristate
411         depends on NF_CONNTRACK && NF_NAT
412         default NF_NAT && NF_CONNTRACK_TFTP
413 
414 config NF_NAT_REDIRECT
415         tristate "IPv4/IPv6 redirect support"
416         depends on NF_NAT
417         help
418           This is the kernel functionality to redirect packets to local
419           machine through NAT.
420 
421 config NETFILTER_SYNPROXY
422         tristate
423 
424 endif # NF_CONNTRACK
425 
426 config NF_TABLES
427         select NETFILTER_NETLINK
428         tristate "Netfilter nf_tables support"
429         help
430           nftables is the new packet classification framework that intends to
431           replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
432           provides a pseudo-state machine with an extensible instruction-set
433           (also known as expressions) that the userspace 'nft' utility
434           (http://www.netfilter.org/projects/nftables) uses to build the
435           rule-set. It also comes with the generic set infrastructure that
436           allows you to construct mappings between matchings and actions
437           for performance lookups.
438 
439           To compile it as a module, choose M here.
440 
441 config NF_TABLES_INET
442         depends on NF_TABLES && IPV6
443         select NF_TABLES_IPV4
444         select NF_TABLES_IPV6
445         tristate "Netfilter nf_tables mixed IPv4/IPv6 tables support"
446         help
447           This option enables support for a mixed IPv4/IPv6 "inet" table.
448 
449 config NFT_EXTHDR
450         depends on NF_TABLES
451         tristate "Netfilter nf_tables IPv6 exthdr module"
452         help
453           This option adds the "exthdr" expression that you can use to match
454           IPv6 extension headers.
455 
456 config NFT_META
457         depends on NF_TABLES
458         tristate "Netfilter nf_tables meta module"
459         help
460           This option adds the "meta" expression that you can use to match and
461           to set packet metainformation such as the packet mark.
462 
463 config NFT_CT
464         depends on NF_TABLES
465         depends on NF_CONNTRACK
466         tristate "Netfilter nf_tables conntrack module"
467         help
468           This option adds the "meta" expression that you can use to match
469           connection tracking information such as the flow state.
470 
471 config NFT_RBTREE
472         depends on NF_TABLES
473         tristate "Netfilter nf_tables rbtree set module"
474         help
475           This option adds the "rbtree" set type (Red Black tree) that is used
476           to build interval-based sets.
477 
478 config NFT_HASH
479         depends on NF_TABLES
480         tristate "Netfilter nf_tables hash set module"
481         help
482           This option adds the "hash" set type that is used to build one-way
483           mappings between matchings and actions.
484 
485 config NFT_COUNTER
486         depends on NF_TABLES
487         tristate "Netfilter nf_tables counter module"
488         help
489           This option adds the "counter" expression that you can use to
490           include packet and byte counters in a rule.
491 
492 config NFT_LOG
493         depends on NF_TABLES
494         tristate "Netfilter nf_tables log module"
495         help
496           This option adds the "log" expression that you can use to log
497           packets matching some criteria.
498 
499 config NFT_LIMIT
500         depends on NF_TABLES
501         tristate "Netfilter nf_tables limit module"
502         help
503           This option adds the "limit" expression that you can use to
504           ratelimit rule matchings.
505 
506 config NFT_MASQ
507         depends on NF_TABLES
508         depends on NF_CONNTRACK
509         depends on NF_NAT
510         tristate "Netfilter nf_tables masquerade support"
511         help
512           This option adds the "masquerade" expression that you can use
513           to perform NAT in the masquerade flavour.
514 
515 config NFT_REDIR
516         depends on NF_TABLES
517         depends on NF_CONNTRACK
518         depends on NF_NAT
519         tristate "Netfilter nf_tables redirect support"
520         help
521           This options adds the "redirect" expression that you can use
522           to perform NAT in the redirect flavour.
523 
524 config NFT_NAT
525         depends on NF_TABLES
526         depends on NF_CONNTRACK
527         select NF_NAT
528         tristate "Netfilter nf_tables nat module"
529         help
530           This option adds the "nat" expression that you can use to perform
531           typical Network Address Translation (NAT) packet transformations.
532 
533 config NFT_QUEUE
534         depends on NF_TABLES
535         depends on NETFILTER_XTABLES
536         depends on NETFILTER_NETLINK_QUEUE
537         tristate "Netfilter nf_tables queue module"
538         help
539           This is required if you intend to use the userspace queueing
540           infrastructure (also known as NFQUEUE) from nftables.
541 
542 config NFT_REJECT
543         depends on NF_TABLES
544         default m if NETFILTER_ADVANCED=n
545         tristate "Netfilter nf_tables reject support"
546         help
547           This option adds the "reject" expression that you can use to
548           explicitly deny and notify via TCP reset/ICMP informational errors
549           unallowed traffic.
550 
551 config NFT_REJECT_INET
552         depends on NF_TABLES_INET
553         default NFT_REJECT
554         tristate
555 
556 config NFT_COMPAT
557         depends on NF_TABLES
558         depends on NETFILTER_XTABLES
559         tristate "Netfilter x_tables over nf_tables module"
560         help
561           This is required if you intend to use any of existing
562           x_tables match/target extensions over the nf_tables
563           framework.
564 
565 config NETFILTER_XTABLES
566         tristate "Netfilter Xtables support (required for ip_tables)"
567         default m if NETFILTER_ADVANCED=n
568         help
569           This is required if you intend to use any of ip_tables,
570           ip6_tables or arp_tables.
571 
572 if NETFILTER_XTABLES
573 
574 comment "Xtables combined modules"
575 
576 config NETFILTER_XT_MARK
577         tristate 'nfmark target and match support'
578         default m if NETFILTER_ADVANCED=n
579         ---help---
580         This option adds the "MARK" target and "mark" match.
581 
582         Netfilter mark matching allows you to match packets based on the
583         "nfmark" value in the packet.
584         The target allows you to create rules in the "mangle" table which alter
585         the netfilter mark (nfmark) field associated with the packet.
586 
587         Prior to routing, the nfmark can influence the routing method (see
588         "Use netfilter MARK value as routing key") and can also be used by
589         other subsystems to change their behavior.
590 
591 config NETFILTER_XT_CONNMARK
592         tristate 'ctmark target and match support'
593         depends on NF_CONNTRACK
594         depends on NETFILTER_ADVANCED
595         select NF_CONNTRACK_MARK
596         ---help---
597         This option adds the "CONNMARK" target and "connmark" match.
598 
599         Netfilter allows you to store a mark value per connection (a.k.a.
600         ctmark), similarly to the packet mark (nfmark). Using this
601         target and match, you can set and match on this mark.
602 
603 config NETFILTER_XT_SET
604         tristate 'set target and match support'
605         depends on IP_SET
606         depends on NETFILTER_ADVANCED
607         help
608           This option adds the "SET" target and "set" match.
609 
610           Using this target and match, you can add/delete and match
611           elements in the sets created by ipset(8).
612 
613           To compile it as a module, choose M here.  If unsure, say N.
614 
615 # alphabetically ordered list of targets
616 
617 comment "Xtables targets"
618 
619 config NETFILTER_XT_TARGET_AUDIT
620         tristate "AUDIT target support"
621         depends on AUDIT
622         depends on NETFILTER_ADVANCED
623         ---help---
624           This option adds a 'AUDIT' target, which can be used to create
625           audit records for packets dropped/accepted.
626 
627           To compileit as a module, choose M here. If unsure, say N.
628 
629 config NETFILTER_XT_TARGET_CHECKSUM
630         tristate "CHECKSUM target support"
631         depends on IP_NF_MANGLE || IP6_NF_MANGLE
632         depends on NETFILTER_ADVANCED
633         ---help---
634           This option adds a `CHECKSUM' target, which can be used in the iptables mangle
635           table.
636 
637           You can use this target to compute and fill in the checksum in
638           a packet that lacks a checksum.  This is particularly useful,
639           if you need to work around old applications such as dhcp clients,
640           that do not work well with checksum offloads, but don't want to disable
641           checksum offload in your device.
642 
643           To compile it as a module, choose M here.  If unsure, say N.
644 
645 config NETFILTER_XT_TARGET_CLASSIFY
646         tristate '"CLASSIFY" target support'
647         depends on NETFILTER_ADVANCED
648         help
649           This option adds a `CLASSIFY' target, which enables the user to set
650           the priority of a packet. Some qdiscs can use this value for
651           classification, among these are:
652 
653           atm, cbq, dsmark, pfifo_fast, htb, prio
654 
655           To compile it as a module, choose M here.  If unsure, say N.
656 
657 config NETFILTER_XT_TARGET_CONNMARK
658         tristate  '"CONNMARK" target support'
659         depends on NF_CONNTRACK
660         depends on NETFILTER_ADVANCED
661         select NETFILTER_XT_CONNMARK
662         ---help---
663         This is a backwards-compat option for the user's convenience
664         (e.g. when running oldconfig). It selects
665         CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
666 
667 config NETFILTER_XT_TARGET_CONNSECMARK
668         tristate '"CONNSECMARK" target support'
669         depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
670         default m if NETFILTER_ADVANCED=n
671         help
672           The CONNSECMARK target copies security markings from packets
673           to connections, and restores security markings from connections
674           to packets (if the packets are not already marked).  This would
675           normally be used in conjunction with the SECMARK target.
676 
677           To compile it as a module, choose M here.  If unsure, say N.
678 
679 config NETFILTER_XT_TARGET_CT
680         tristate '"CT" target support'
681         depends on NF_CONNTRACK
682         depends on IP_NF_RAW || IP6_NF_RAW
683         depends on NETFILTER_ADVANCED
684         help
685           This options adds a `CT' target, which allows to specify initial
686           connection tracking parameters like events to be delivered and
687           the helper to be used.
688 
689           To compile it as a module, choose M here.  If unsure, say N.
690 
691 config NETFILTER_XT_TARGET_DSCP
692         tristate '"DSCP" and "TOS" target support'
693         depends on IP_NF_MANGLE || IP6_NF_MANGLE
694         depends on NETFILTER_ADVANCED
695         help
696           This option adds a `DSCP' target, which allows you to manipulate
697           the IPv4/IPv6 header DSCP field (differentiated services codepoint).
698 
699           The DSCP field can have any value between 0x0 and 0x3f inclusive.
700 
701           It also adds the "TOS" target, which allows you to create rules in
702           the "mangle" table which alter the Type Of Service field of an IPv4
703           or the Priority field of an IPv6 packet, prior to routing.
704 
705           To compile it as a module, choose M here.  If unsure, say N.
706 
707 config NETFILTER_XT_TARGET_HL
708         tristate '"HL" hoplimit target support'
709         depends on IP_NF_MANGLE || IP6_NF_MANGLE
710         depends on NETFILTER_ADVANCED
711         ---help---
712         This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
713         targets, which enable the user to change the
714         hoplimit/time-to-live value of the IP header.
715 
716         While it is safe to decrement the hoplimit/TTL value, the
717         modules also allow to increment and set the hoplimit value of
718         the header to arbitrary values. This is EXTREMELY DANGEROUS
719         since you can easily create immortal packets that loop
720         forever on the network.
721 
722 config NETFILTER_XT_TARGET_HMARK
723         tristate '"HMARK" target support'
724         depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
725         depends on NETFILTER_ADVANCED
726         ---help---
727         This option adds the "HMARK" target.
728 
729         The target allows you to create rules in the "raw" and "mangle" tables
730         which set the skbuff mark by means of hash calculation within a given
731         range. The nfmark can influence the routing method (see "Use netfilter
732         MARK value as routing key") and can also be used by other subsystems to
733         change their behaviour.
734 
735         To compile it as a module, choose M here. If unsure, say N.
736 
737 config NETFILTER_XT_TARGET_IDLETIMER
738         tristate  "IDLETIMER target support"
739         depends on NETFILTER_ADVANCED
740         help
741 
742           This option adds the `IDLETIMER' target.  Each matching packet
743           resets the timer associated with label specified when the rule is
744           added.  When the timer expires, it triggers a sysfs notification.
745           The remaining time for expiration can be read via sysfs.
746 
747           To compile it as a module, choose M here.  If unsure, say N.
748 
749 config NETFILTER_XT_TARGET_LED
750         tristate '"LED" target support'
751         depends on LEDS_CLASS && LEDS_TRIGGERS
752         depends on NETFILTER_ADVANCED
753         help
754           This option adds a `LED' target, which allows you to blink LEDs in
755           response to particular packets passing through your machine.
756 
757           This can be used to turn a spare LED into a network activity LED,
758           which only flashes in response to FTP transfers, for example.  Or
759           you could have an LED which lights up for a minute or two every time
760           somebody connects to your machine via SSH.
761 
762           You will need support for the "led" class to make this work.
763 
764           To create an LED trigger for incoming SSH traffic:
765             iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
766 
767           Then attach the new trigger to an LED on your system:
768             echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
769 
770           For more information on the LEDs available on your system, see
771           Documentation/leds/leds-class.txt
772 
773 config NETFILTER_XT_TARGET_LOG
774         tristate "LOG target support"
775         select NF_LOG_COMMON
776         select NF_LOG_IPV4
777         select NF_LOG_IPV6 if IPV6
778         default m if NETFILTER_ADVANCED=n
779         help
780           This option adds a `LOG' target, which allows you to create rules in
781           any iptables table which records the packet header to the syslog.
782 
783           To compile it as a module, choose M here.  If unsure, say N.
784 
785 config NETFILTER_XT_TARGET_MARK
786         tristate '"MARK" target support'
787         depends on NETFILTER_ADVANCED
788         select NETFILTER_XT_MARK
789         ---help---
790         This is a backwards-compat option for the user's convenience
791         (e.g. when running oldconfig). It selects
792         CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
793 
794 config NETFILTER_XT_NAT
795         tristate '"SNAT and DNAT" targets support'
796         depends on NF_NAT
797         ---help---
798         This option enables the SNAT and DNAT targets.
799 
800         To compile it as a module, choose M here. If unsure, say N.
801 
802 config NETFILTER_XT_TARGET_NETMAP
803         tristate '"NETMAP" target support'
804         depends on NF_NAT
805         ---help---
806         NETMAP is an implementation of static 1:1 NAT mapping of network
807         addresses. It maps the network address part, while keeping the host
808         address part intact.
809 
810         To compile it as a module, choose M here. If unsure, say N.
811 
812 config NETFILTER_XT_TARGET_NFLOG
813         tristate '"NFLOG" target support'
814         default m if NETFILTER_ADVANCED=n
815         select NETFILTER_NETLINK_LOG
816         help
817           This option enables the NFLOG target, which allows to LOG
818           messages through nfnetlink_log.
819 
820           To compile it as a module, choose M here.  If unsure, say N.
821 
822 config NETFILTER_XT_TARGET_NFQUEUE
823         tristate '"NFQUEUE" target Support'
824         depends on NETFILTER_ADVANCED
825         select NETFILTER_NETLINK_QUEUE
826         help
827           This target replaced the old obsolete QUEUE target.
828 
829           As opposed to QUEUE, it supports 65535 different queues,
830           not just one.
831 
832           To compile it as a module, choose M here.  If unsure, say N.
833 
834 config NETFILTER_XT_TARGET_NOTRACK
835         tristate  '"NOTRACK" target support (DEPRECATED)'
836         depends on NF_CONNTRACK
837         depends on IP_NF_RAW || IP6_NF_RAW
838         depends on NETFILTER_ADVANCED
839         select NETFILTER_XT_TARGET_CT
840 
841 config NETFILTER_XT_TARGET_RATEEST
842         tristate '"RATEEST" target support'
843         depends on NETFILTER_ADVANCED
844         help
845           This option adds a `RATEEST' target, which allows to measure
846           rates similar to TC estimators. The `rateest' match can be
847           used to match on the measured rates.
848 
849           To compile it as a module, choose M here.  If unsure, say N.
850 
851 config NETFILTER_XT_TARGET_REDIRECT
852         tristate "REDIRECT target support"
853         depends on NF_NAT
854         select NF_NAT_REDIRECT
855         ---help---
856         REDIRECT is a special case of NAT: all incoming connections are
857         mapped onto the incoming interface's address, causing the packets to
858         come to the local machine instead of passing through. This is
859         useful for transparent proxies.
860 
861         To compile it as a module, choose M here. If unsure, say N.
862 
863 config NETFILTER_XT_TARGET_TEE
864         tristate '"TEE" - packet cloning to alternate destination'
865         depends on NETFILTER_ADVANCED
866         depends on (IPV6 || IPV6=n)
867         depends on !NF_CONNTRACK || NF_CONNTRACK
868         ---help---
869         This option adds a "TEE" target with which a packet can be cloned and
870         this clone be rerouted to another nexthop.
871 
872 config NETFILTER_XT_TARGET_TPROXY
873         tristate '"TPROXY" target transparent proxying support'
874         depends on NETFILTER_XTABLES
875         depends on NETFILTER_ADVANCED
876         depends on (IPV6 || IPV6=n)
877         depends on IP_NF_MANGLE
878         select NF_DEFRAG_IPV4
879         select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
880         help
881           This option adds a `TPROXY' target, which is somewhat similar to
882           REDIRECT.  It can only be used in the mangle table and is useful
883           to redirect traffic to a transparent proxy.  It does _not_ depend
884           on Netfilter connection tracking and NAT, unlike REDIRECT.
885           For it to work you will have to configure certain iptables rules
886           and use policy routing. For more information on how to set it up
887           see Documentation/networking/tproxy.txt.
888 
889           To compile it as a module, choose M here.  If unsure, say N.
890 
891 config NETFILTER_XT_TARGET_TRACE
892         tristate  '"TRACE" target support'
893         depends on IP_NF_RAW || IP6_NF_RAW
894         depends on NETFILTER_ADVANCED
895         help
896           The TRACE target allows you to mark packets so that the kernel
897           will log every rule which match the packets as those traverse
898           the tables, chains, rules.
899 
900           If you want to compile it as a module, say M here and read
901           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
902 
903 config NETFILTER_XT_TARGET_SECMARK
904         tristate '"SECMARK" target support'
905         depends on NETWORK_SECMARK
906         default m if NETFILTER_ADVANCED=n
907         help
908           The SECMARK target allows security marking of network
909           packets, for use with security subsystems.
910 
911           To compile it as a module, choose M here.  If unsure, say N.
912 
913 config NETFILTER_XT_TARGET_TCPMSS
914         tristate '"TCPMSS" target support'
915         depends on (IPV6 || IPV6=n)
916         default m if NETFILTER_ADVANCED=n
917         ---help---
918           This option adds a `TCPMSS' target, which allows you to alter the
919           MSS value of TCP SYN packets, to control the maximum size for that
920           connection (usually limiting it to your outgoing interface's MTU
921           minus 40).
922 
923           This is used to overcome criminally braindead ISPs or servers which
924           block ICMP Fragmentation Needed packets.  The symptoms of this
925           problem are that everything works fine from your Linux
926           firewall/router, but machines behind it can never exchange large
927           packets:
928                 1) Web browsers connect, then hang with no data received.
929                 2) Small mail works fine, but large emails hang.
930                 3) ssh works fine, but scp hangs after initial handshaking.
931 
932           Workaround: activate this option and add a rule to your firewall
933           configuration like:
934 
935           iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
936                          -j TCPMSS --clamp-mss-to-pmtu
937 
938           To compile it as a module, choose M here.  If unsure, say N.
939 
940 config NETFILTER_XT_TARGET_TCPOPTSTRIP
941         tristate '"TCPOPTSTRIP" target support'
942         depends on IP_NF_MANGLE || IP6_NF_MANGLE
943         depends on NETFILTER_ADVANCED
944         help
945           This option adds a "TCPOPTSTRIP" target, which allows you to strip
946           TCP options from TCP packets.
947 
948 # alphabetically ordered list of matches
949 
950 comment "Xtables matches"
951 
952 config NETFILTER_XT_MATCH_ADDRTYPE
953         tristate '"addrtype" address type match support'
954         depends on NETFILTER_ADVANCED
955         ---help---
956           This option allows you to match what routing thinks of an address,
957           eg. UNICAST, LOCAL, BROADCAST, ...
958 
959           If you want to compile it as a module, say M here and read
960           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
961 
962 config NETFILTER_XT_MATCH_BPF
963         tristate '"bpf" match support'
964         depends on NETFILTER_ADVANCED
965         help
966           BPF matching applies a linux socket filter to each packet and
967           accepts those for which the filter returns non-zero.
968 
969           To compile it as a module, choose M here.  If unsure, say N.
970 
971 config NETFILTER_XT_MATCH_CGROUP
972         tristate '"control group" match support'
973         depends on NETFILTER_ADVANCED
974         depends on CGROUPS
975         select CGROUP_NET_CLASSID
976         ---help---
977         Socket/process control group matching allows you to match locally
978         generated packets based on which net_cls control group processes
979         belong to.
980 
981 config NETFILTER_XT_MATCH_CLUSTER
982         tristate '"cluster" match support'
983         depends on NF_CONNTRACK
984         depends on NETFILTER_ADVANCED
985         ---help---
986           This option allows you to build work-load-sharing clusters of
987           network servers/stateful firewalls without having a dedicated
988           load-balancing router/server/switch. Basically, this match returns
989           true when the packet must be handled by this cluster node. Thus,
990           all nodes see all packets and this match decides which node handles
991           what packets. The work-load sharing algorithm is based on source
992           address hashing.
993 
994           If you say Y or M here, try `iptables -m cluster --help` for
995           more information.
996 
997 config NETFILTER_XT_MATCH_COMMENT
998         tristate  '"comment" match support'
999         depends on NETFILTER_ADVANCED
1000         help
1001           This option adds a `comment' dummy-match, which allows you to put
1002           comments in your iptables ruleset.
1003 
1004           If you want to compile it as a module, say M here and read
1005           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1006 
1007 config NETFILTER_XT_MATCH_CONNBYTES
1008         tristate  '"connbytes" per-connection counter match support'
1009         depends on NF_CONNTRACK
1010         depends on NETFILTER_ADVANCED
1011         help
1012           This option adds a `connbytes' match, which allows you to match the
1013           number of bytes and/or packets for each direction within a connection.
1014 
1015           If you want to compile it as a module, say M here and read
1016           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1017 
1018 config NETFILTER_XT_MATCH_CONNLABEL
1019         tristate '"connlabel" match support'
1020         select NF_CONNTRACK_LABELS
1021         depends on NF_CONNTRACK
1022         depends on NETFILTER_ADVANCED
1023         ---help---
1024           This match allows you to test and assign userspace-defined labels names
1025           to a connection.  The kernel only stores bit values - mapping
1026           names to bits is done by userspace.
1027 
1028           Unlike connmark, more than 32 flag bits may be assigned to a
1029           connection simultaneously.
1030 
1031 config NETFILTER_XT_MATCH_CONNLIMIT
1032         tristate '"connlimit" match support'
1033         depends on NF_CONNTRACK
1034         depends on NETFILTER_ADVANCED
1035         ---help---
1036           This match allows you to match against the number of parallel
1037           connections to a server per client IP address (or address block).
1038 
1039 config NETFILTER_XT_MATCH_CONNMARK
1040         tristate  '"connmark" connection mark match support'
1041         depends on NF_CONNTRACK
1042         depends on NETFILTER_ADVANCED
1043         select NETFILTER_XT_CONNMARK
1044         ---help---
1045         This is a backwards-compat option for the user's convenience
1046         (e.g. when running oldconfig). It selects
1047         CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
1048 
1049 config NETFILTER_XT_MATCH_CONNTRACK
1050         tristate '"conntrack" connection tracking match support'
1051         depends on NF_CONNTRACK
1052         default m if NETFILTER_ADVANCED=n
1053         help
1054           This is a general conntrack match module, a superset of the state match.
1055 
1056           It allows matching on additional conntrack information, which is
1057           useful in complex configurations, such as NAT gateways with multiple
1058           internet links or tunnels.
1059 
1060           To compile it as a module, choose M here.  If unsure, say N.
1061 
1062 config NETFILTER_XT_MATCH_CPU
1063         tristate '"cpu" match support'
1064         depends on NETFILTER_ADVANCED
1065         help
1066           CPU matching allows you to match packets based on the CPU
1067           currently handling the packet.
1068 
1069           To compile it as a module, choose M here.  If unsure, say N.
1070 
1071 config NETFILTER_XT_MATCH_DCCP
1072         tristate '"dccp" protocol match support'
1073         depends on NETFILTER_ADVANCED
1074         default IP_DCCP
1075         help
1076           With this option enabled, you will be able to use the iptables
1077           `dccp' match in order to match on DCCP source/destination ports
1078           and DCCP flags.
1079 
1080           If you want to compile it as a module, say M here and read
1081           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1082 
1083 config NETFILTER_XT_MATCH_DEVGROUP
1084         tristate '"devgroup" match support'
1085         depends on NETFILTER_ADVANCED
1086         help
1087           This options adds a `devgroup' match, which allows to match on the
1088           device group a network device is assigned to.
1089 
1090           To compile it as a module, choose M here.  If unsure, say N.
1091 
1092 config NETFILTER_XT_MATCH_DSCP
1093         tristate '"dscp" and "tos" match support'
1094         depends on NETFILTER_ADVANCED
1095         help
1096           This option adds a `DSCP' match, which allows you to match against
1097           the IPv4/IPv6 header DSCP field (differentiated services codepoint).
1098 
1099           The DSCP field can have any value between 0x0 and 0x3f inclusive.
1100 
1101           It will also add a "tos" match, which allows you to match packets
1102           based on the Type Of Service fields of the IPv4 packet (which share
1103           the same bits as DSCP).
1104 
1105           To compile it as a module, choose M here.  If unsure, say N.
1106 
1107 config NETFILTER_XT_MATCH_ECN
1108         tristate '"ecn" match support'
1109         depends on NETFILTER_ADVANCED
1110         ---help---
1111         This option adds an "ECN" match, which allows you to match against
1112         the IPv4 and TCP header ECN fields.
1113 
1114         To compile it as a module, choose M here. If unsure, say N.
1115 
1116 config NETFILTER_XT_MATCH_ESP
1117         tristate '"esp" match support'
1118         depends on NETFILTER_ADVANCED
1119         help
1120           This match extension allows you to match a range of SPIs
1121           inside ESP header of IPSec packets.
1122 
1123           To compile it as a module, choose M here.  If unsure, say N.
1124 
1125 config NETFILTER_XT_MATCH_HASHLIMIT
1126         tristate '"hashlimit" match support'
1127         depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
1128         depends on NETFILTER_ADVANCED
1129         help
1130           This option adds a `hashlimit' match.
1131 
1132           As opposed to `limit', this match dynamically creates a hash table
1133           of limit buckets, based on your selection of source/destination
1134           addresses and/or ports.
1135 
1136           It enables you to express policies like `10kpps for any given
1137           destination address' or `500pps from any given source address'
1138           with a single rule.
1139 
1140 config NETFILTER_XT_MATCH_HELPER
1141         tristate '"helper" match support'
1142         depends on NF_CONNTRACK
1143         depends on NETFILTER_ADVANCED
1144         help
1145           Helper matching allows you to match packets in dynamic connections
1146           tracked by a conntrack-helper, ie. ip_conntrack_ftp
1147 
1148           To compile it as a module, choose M here.  If unsure, say Y.
1149 
1150 config NETFILTER_XT_MATCH_HL
1151         tristate '"hl" hoplimit/TTL match support'
1152         depends on NETFILTER_ADVANCED
1153         ---help---
1154         HL matching allows you to match packets based on the hoplimit
1155         in the IPv6 header, or the time-to-live field in the IPv4
1156         header of the packet.
1157 
1158 config NETFILTER_XT_MATCH_IPCOMP
1159         tristate '"ipcomp" match support'
1160         depends on NETFILTER_ADVANCED
1161         help
1162           This match extension allows you to match a range of CPIs(16 bits)
1163           inside IPComp header of IPSec packets.
1164 
1165           To compile it as a module, choose M here.  If unsure, say N.
1166 
1167 config NETFILTER_XT_MATCH_IPRANGE
1168         tristate '"iprange" address range match support'
1169         depends on NETFILTER_ADVANCED
1170         ---help---
1171         This option adds a "iprange" match, which allows you to match based on
1172         an IP address range. (Normal iptables only matches on single addresses
1173         with an optional mask.)
1174 
1175         If unsure, say M.
1176 
1177 config NETFILTER_XT_MATCH_IPVS
1178         tristate '"ipvs" match support'
1179         depends on IP_VS
1180         depends on NETFILTER_ADVANCED
1181         depends on NF_CONNTRACK
1182         help
1183           This option allows you to match against IPVS properties of a packet.
1184 
1185           If unsure, say N.
1186 
1187 config NETFILTER_XT_MATCH_L2TP
1188         tristate '"l2tp" match support'
1189         depends on NETFILTER_ADVANCED
1190         default L2TP
1191         ---help---
1192         This option adds an "L2TP" match, which allows you to match against
1193         L2TP protocol header fields.
1194 
1195         To compile it as a module, choose M here. If unsure, say N.
1196 
1197 config NETFILTER_XT_MATCH_LENGTH
1198         tristate '"length" match support'
1199         depends on NETFILTER_ADVANCED
1200         help
1201           This option allows you to match the length of a packet against a
1202           specific value or range of values.
1203 
1204           To compile it as a module, choose M here.  If unsure, say N.
1205 
1206 config NETFILTER_XT_MATCH_LIMIT
1207         tristate '"limit" match support'
1208         depends on NETFILTER_ADVANCED
1209         help
1210           limit matching allows you to control the rate at which a rule can be
1211           matched: mainly useful in combination with the LOG target ("LOG
1212           target support", below) and to avoid some Denial of Service attacks.
1213 
1214           To compile it as a module, choose M here.  If unsure, say N.
1215 
1216 config NETFILTER_XT_MATCH_MAC
1217         tristate '"mac" address match support'
1218         depends on NETFILTER_ADVANCED
1219         help
1220           MAC matching allows you to match packets based on the source
1221           Ethernet address of the packet.
1222 
1223           To compile it as a module, choose M here.  If unsure, say N.
1224 
1225 config NETFILTER_XT_MATCH_MARK
1226         tristate '"mark" match support'
1227         depends on NETFILTER_ADVANCED
1228         select NETFILTER_XT_MARK
1229         ---help---
1230         This is a backwards-compat option for the user's convenience
1231         (e.g. when running oldconfig). It selects
1232         CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
1233 
1234 config NETFILTER_XT_MATCH_MULTIPORT
1235         tristate '"multiport" Multiple port match support'
1236         depends on NETFILTER_ADVANCED
1237         help
1238           Multiport matching allows you to match TCP or UDP packets based on
1239           a series of source or destination ports: normally a rule can only
1240           match a single range of ports.
1241 
1242           To compile it as a module, choose M here.  If unsure, say N.
1243 
1244 config NETFILTER_XT_MATCH_NFACCT
1245         tristate '"nfacct" match support'
1246         depends on NETFILTER_ADVANCED
1247         select NETFILTER_NETLINK_ACCT
1248         help
1249           This option allows you to use the extended accounting through
1250           nfnetlink_acct.
1251 
1252           To compile it as a module, choose M here.  If unsure, say N.
1253 
1254 config NETFILTER_XT_MATCH_OSF
1255         tristate '"osf" Passive OS fingerprint match'
1256         depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
1257         help
1258           This option selects the Passive OS Fingerprinting match module
1259           that allows to passively match the remote operating system by
1260           analyzing incoming TCP SYN packets.
1261 
1262           Rules and loading software can be downloaded from
1263           http://www.ioremap.net/projects/osf
1264 
1265           To compile it as a module, choose M here.  If unsure, say N.
1266 
1267 config NETFILTER_XT_MATCH_OWNER
1268         tristate '"owner" match support'
1269         depends on NETFILTER_ADVANCED
1270         ---help---
1271         Socket owner matching allows you to match locally-generated packets
1272         based on who created the socket: the user or group. It is also
1273         possible to check whether a socket actually exists.
1274 
1275 config NETFILTER_XT_MATCH_POLICY
1276         tristate 'IPsec "policy" match support'
1277         depends on XFRM
1278         default m if NETFILTER_ADVANCED=n
1279         help
1280           Policy matching allows you to match packets based on the
1281           IPsec policy that was used during decapsulation/will
1282           be used during encapsulation.
1283 
1284           To compile it as a module, choose M here.  If unsure, say N.
1285 
1286 config NETFILTER_XT_MATCH_PHYSDEV
1287         tristate '"physdev" match support'
1288         depends on BRIDGE && BRIDGE_NETFILTER
1289         depends on NETFILTER_ADVANCED
1290         help
1291           Physdev packet matching matches against the physical bridge ports
1292           the IP packet arrived on or will leave by.
1293 
1294           To compile it as a module, choose M here.  If unsure, say N.
1295 
1296 config NETFILTER_XT_MATCH_PKTTYPE
1297         tristate '"pkttype" packet type match support'
1298         depends on NETFILTER_ADVANCED
1299         help
1300           Packet type matching allows you to match a packet by
1301           its "class", eg. BROADCAST, MULTICAST, ...
1302 
1303           Typical usage:
1304           iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
1305 
1306           To compile it as a module, choose M here.  If unsure, say N.
1307 
1308 config NETFILTER_XT_MATCH_QUOTA
1309         tristate '"quota" match support'
1310         depends on NETFILTER_ADVANCED
1311         help
1312           This option adds a `quota' match, which allows to match on a
1313           byte counter.
1314 
1315           If you want to compile it as a module, say M here and read
1316           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1317 
1318 config NETFILTER_XT_MATCH_RATEEST
1319         tristate '"rateest" match support'
1320         depends on NETFILTER_ADVANCED
1321         select NETFILTER_XT_TARGET_RATEEST
1322         help
1323           This option adds a `rateest' match, which allows to match on the
1324           rate estimated by the RATEEST target.
1325 
1326           To compile it as a module, choose M here.  If unsure, say N.
1327 
1328 config NETFILTER_XT_MATCH_REALM
1329         tristate  '"realm" match support'
1330         depends on NETFILTER_ADVANCED
1331         select IP_ROUTE_CLASSID
1332         help
1333           This option adds a `realm' match, which allows you to use the realm
1334           key from the routing subsystem inside iptables.
1335 
1336           This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option 
1337           in tc world.
1338 
1339           If you want to compile it as a module, say M here and read
1340           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1341 
1342 config NETFILTER_XT_MATCH_RECENT
1343         tristate '"recent" match support'
1344         depends on NETFILTER_ADVANCED
1345         ---help---
1346         This match is used for creating one or many lists of recently
1347         used addresses and then matching against that/those list(s).
1348 
1349         Short options are available by using 'iptables -m recent -h'
1350         Official Website: <http://snowman.net/projects/ipt_recent/>
1351 
1352 config NETFILTER_XT_MATCH_SCTP
1353         tristate  '"sctp" protocol match support'
1354         depends on NETFILTER_ADVANCED
1355         default IP_SCTP
1356         help
1357           With this option enabled, you will be able to use the 
1358           `sctp' match in order to match on SCTP source/destination ports
1359           and SCTP chunk types.
1360 
1361           If you want to compile it as a module, say M here and read
1362           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1363 
1364 config NETFILTER_XT_MATCH_SOCKET
1365         tristate '"socket" match support'
1366         depends on NETFILTER_XTABLES
1367         depends on NETFILTER_ADVANCED
1368         depends on !NF_CONNTRACK || NF_CONNTRACK
1369         depends on (IPV6 || IPV6=n)
1370         select NF_DEFRAG_IPV4
1371         select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
1372         help
1373           This option adds a `socket' match, which can be used to match
1374           packets for which a TCP or UDP socket lookup finds a valid socket.
1375           It can be used in combination with the MARK target and policy
1376           routing to implement full featured non-locally bound sockets.
1377 
1378           To compile it as a module, choose M here.  If unsure, say N.
1379 
1380 config NETFILTER_XT_MATCH_STATE
1381         tristate '"state" match support'
1382         depends on NF_CONNTRACK
1383         default m if NETFILTER_ADVANCED=n
1384         help
1385           Connection state matching allows you to match packets based on their
1386           relationship to a tracked connection (ie. previous packets).  This
1387           is a powerful tool for packet classification.
1388 
1389           To compile it as a module, choose M here.  If unsure, say N.
1390 
1391 config NETFILTER_XT_MATCH_STATISTIC
1392         tristate '"statistic" match support'
1393         depends on NETFILTER_ADVANCED
1394         help
1395           This option adds a `statistic' match, which allows you to match
1396           on packets periodically or randomly with a given percentage.
1397 
1398           To compile it as a module, choose M here.  If unsure, say N.
1399 
1400 config NETFILTER_XT_MATCH_STRING
1401         tristate  '"string" match support'
1402         depends on NETFILTER_ADVANCED
1403         select TEXTSEARCH
1404         select TEXTSEARCH_KMP
1405         select TEXTSEARCH_BM
1406         select TEXTSEARCH_FSM
1407         help
1408           This option adds a `string' match, which allows you to look for
1409           pattern matchings in packets.
1410 
1411           To compile it as a module, choose M here.  If unsure, say N.
1412 
1413 config NETFILTER_XT_MATCH_TCPMSS
1414         tristate '"tcpmss" match support'
1415         depends on NETFILTER_ADVANCED
1416         help
1417           This option adds a `tcpmss' match, which allows you to examine the
1418           MSS value of TCP SYN packets, which control the maximum packet size
1419           for that connection.
1420 
1421           To compile it as a module, choose M here.  If unsure, say N.
1422 
1423 config NETFILTER_XT_MATCH_TIME
1424         tristate '"time" match support'
1425         depends on NETFILTER_ADVANCED
1426         ---help---
1427           This option adds a "time" match, which allows you to match based on
1428           the packet arrival time (at the machine which netfilter is running)
1429           on) or departure time/date (for locally generated packets).
1430 
1431           If you say Y here, try `iptables -m time --help` for
1432           more information.
1433 
1434           If you want to compile it as a module, say M here.
1435           If unsure, say N.
1436 
1437 config NETFILTER_XT_MATCH_U32
1438         tristate '"u32" match support'
1439         depends on NETFILTER_ADVANCED
1440         ---help---
1441           u32 allows you to extract quantities of up to 4 bytes from a packet,
1442           AND them with specified masks, shift them by specified amounts and
1443           test whether the results are in any of a set of specified ranges.
1444           The specification of what to extract is general enough to skip over
1445           headers with lengths stored in the packet, as in IP or TCP header
1446           lengths.
1447 
1448           Details and examples are in the kernel module source.
1449 
1450 endif # NETFILTER_XTABLES
1451 
1452 endmenu
1453 
1454 source "net/netfilter/ipset/Kconfig"
1455 
1456 source "net/netfilter/ipvs/Kconfig"

This page was automatically generated by LXR 0.3.1 (source).  •  Linux is a registered trademark of Linus Torvalds  •  Contact us