Version:  2.6.34 2.6.35 2.6.36 2.6.37 2.6.38 2.6.39 3.0 3.1 3.2 3.3 3.4 3.5 3.6 3.7 3.8 3.9 3.10 3.11 3.12 3.13 3.14

Linux/net/netfilter/Kconfig

  1 menu "Core Netfilter Configuration"
  2         depends on NET && INET && NETFILTER
  3 
  4 config NETFILTER_NETLINK
  5         tristate
  6 
  7 config NETFILTER_NETLINK_ACCT
  8 tristate "Netfilter NFACCT over NFNETLINK interface"
  9         depends on NETFILTER_ADVANCED
 10         select NETFILTER_NETLINK
 11         help
 12           If this option is enabled, the kernel will include support
 13           for extended accounting via NFNETLINK.
 14 
 15 config NETFILTER_NETLINK_QUEUE
 16         tristate "Netfilter NFQUEUE over NFNETLINK interface"
 17         depends on NETFILTER_ADVANCED
 18         select NETFILTER_NETLINK
 19         help
 20           If this option is enabled, the kernel will include support
 21           for queueing packets via NFNETLINK.
 22           
 23 config NETFILTER_NETLINK_LOG
 24         tristate "Netfilter LOG over NFNETLINK interface"
 25         default m if NETFILTER_ADVANCED=n
 26         select NETFILTER_NETLINK
 27         help
 28           If this option is enabled, the kernel will include support
 29           for logging packets via NFNETLINK.
 30 
 31           This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms,
 32           and is also scheduled to replace the old syslog-based ipt_LOG
 33           and ip6t_LOG modules.
 34 
 35 config NF_CONNTRACK
 36         tristate "Netfilter connection tracking support"
 37         default m if NETFILTER_ADVANCED=n
 38         help
 39           Connection tracking keeps a record of what packets have passed
 40           through your machine, in order to figure out how they are related
 41           into connections.
 42 
 43           This is required to do Masquerading or other kinds of Network
 44           Address Translation.  It can also be used to enhance packet
 45           filtering (see `Connection state match support' below).
 46 
 47           To compile it as a module, choose M here.  If unsure, say N.
 48 
 49 if NF_CONNTRACK
 50 
 51 config NF_CONNTRACK_MARK
 52         bool  'Connection mark tracking support'
 53         depends on NETFILTER_ADVANCED
 54         help
 55           This option enables support for connection marks, used by the
 56           `CONNMARK' target and `connmark' match. Similar to the mark value
 57           of packets, but this mark value is kept in the conntrack session
 58           instead of the individual packets.
 59 
 60 config NF_CONNTRACK_SECMARK
 61         bool  'Connection tracking security mark support'
 62         depends on NETWORK_SECMARK
 63         default m if NETFILTER_ADVANCED=n
 64         help
 65           This option enables security markings to be applied to
 66           connections.  Typically they are copied to connections from
 67           packets using the CONNSECMARK target and copied back from
 68           connections to packets with the same target, with the packets
 69           being originally labeled via SECMARK.
 70 
 71           If unsure, say 'N'.
 72 
 73 config NF_CONNTRACK_ZONES
 74         bool  'Connection tracking zones'
 75         depends on NETFILTER_ADVANCED
 76         depends on NETFILTER_XT_TARGET_CT
 77         help
 78           This option enables support for connection tracking zones.
 79           Normally, each connection needs to have a unique system wide
 80           identity. Connection tracking zones allow to have multiple
 81           connections using the same identity, as long as they are
 82           contained in different zones.
 83 
 84           If unsure, say `N'.
 85 
 86 config NF_CONNTRACK_PROCFS
 87         bool "Supply CT list in procfs (OBSOLETE)"
 88         default y
 89         depends on PROC_FS
 90         ---help---
 91         This option enables for the list of known conntrack entries
 92         to be shown in procfs under net/netfilter/nf_conntrack. This
 93         is considered obsolete in favor of using the conntrack(8)
 94         tool which uses Netlink.
 95 
 96 config NF_CONNTRACK_EVENTS
 97         bool "Connection tracking events"
 98         depends on NETFILTER_ADVANCED
 99         help
100           If this option is enabled, the connection tracking code will
101           provide a notifier chain that can be used by other kernel code
102           to get notified about changes in the connection tracking state.
103 
104           If unsure, say `N'.
105 
106 config NF_CONNTRACK_TIMEOUT
107         bool  'Connection tracking timeout'
108         depends on NETFILTER_ADVANCED
109         help
110           This option enables support for connection tracking timeout
111           extension. This allows you to attach timeout policies to flow
112           via the CT target.
113 
114           If unsure, say `N'.
115 
116 config NF_CONNTRACK_TIMESTAMP
117         bool  'Connection tracking timestamping'
118         depends on NETFILTER_ADVANCED
119         help
120           This option enables support for connection tracking timestamping.
121           This allows you to store the flow start-time and to obtain
122           the flow-stop time (once it has been destroyed) via Connection
123           tracking events.
124 
125           If unsure, say `N'.
126 
127 config NF_CONNTRACK_LABELS
128         bool
129         help
130           This option enables support for assigning user-defined flag bits
131           to connection tracking entries.  It selected by the connlabel match.
132 
133 config NF_CT_PROTO_DCCP
134         tristate 'DCCP protocol connection tracking support'
135         depends on NETFILTER_ADVANCED
136         default IP_DCCP
137         help
138           With this option enabled, the layer 3 independent connection
139           tracking code will be able to do state tracking on DCCP connections.
140 
141           If unsure, say 'N'.
142 
143 config NF_CT_PROTO_GRE
144         tristate
145 
146 config NF_CT_PROTO_SCTP
147         tristate 'SCTP protocol connection tracking support'
148         depends on NETFILTER_ADVANCED
149         default IP_SCTP
150         help
151           With this option enabled, the layer 3 independent connection
152           tracking code will be able to do state tracking on SCTP connections.
153 
154           If you want to compile it as a module, say M here and read
155           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
156 
157 config NF_CT_PROTO_UDPLITE
158         tristate 'UDP-Lite protocol connection tracking support'
159         depends on NETFILTER_ADVANCED
160         help
161           With this option enabled, the layer 3 independent connection
162           tracking code will be able to do state tracking on UDP-Lite
163           connections.
164 
165           To compile it as a module, choose M here.  If unsure, say N.
166 
167 config NF_CONNTRACK_AMANDA
168         tristate "Amanda backup protocol support"
169         depends on NETFILTER_ADVANCED
170         select TEXTSEARCH
171         select TEXTSEARCH_KMP
172         help
173           If you are running the Amanda backup package <http://www.amanda.org/>
174           on this machine or machines that will be MASQUERADED through this
175           machine, then you may want to enable this feature.  This allows the
176           connection tracking and natting code to allow the sub-channels that
177           Amanda requires for communication of the backup data, messages and
178           index.
179 
180           To compile it as a module, choose M here.  If unsure, say N.
181 
182 config NF_CONNTRACK_FTP
183         tristate "FTP protocol support"
184         default m if NETFILTER_ADVANCED=n
185         help
186           Tracking FTP connections is problematic: special helpers are
187           required for tracking them, and doing masquerading and other forms
188           of Network Address Translation on them.
189 
190           This is FTP support on Layer 3 independent connection tracking.
191           Layer 3 independent connection tracking is experimental scheme
192           which generalize ip_conntrack to support other layer 3 protocols.
193 
194           To compile it as a module, choose M here.  If unsure, say N.
195 
196 config NF_CONNTRACK_H323
197         tristate "H.323 protocol support"
198         depends on (IPV6 || IPV6=n)
199         depends on NETFILTER_ADVANCED
200         help
201           H.323 is a VoIP signalling protocol from ITU-T. As one of the most
202           important VoIP protocols, it is widely used by voice hardware and
203           software including voice gateways, IP phones, Netmeeting, OpenPhone,
204           Gnomemeeting, etc.
205 
206           With this module you can support H.323 on a connection tracking/NAT
207           firewall.
208 
209           This module supports RAS, Fast Start, H.245 Tunnelling, Call
210           Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
211           whiteboard, file transfer, etc. For more information, please
212           visit http://nath323.sourceforge.net/.
213 
214           To compile it as a module, choose M here.  If unsure, say N.
215 
216 config NF_CONNTRACK_IRC
217         tristate "IRC protocol support"
218         default m if NETFILTER_ADVANCED=n
219         help
220           There is a commonly-used extension to IRC called
221           Direct Client-to-Client Protocol (DCC).  This enables users to send
222           files to each other, and also chat to each other without the need
223           of a server.  DCC Sending is used anywhere you send files over IRC,
224           and DCC Chat is most commonly used by Eggdrop bots.  If you are
225           using NAT, this extension will enable you to send files and initiate
226           chats.  Note that you do NOT need this extension to get files or
227           have others initiate chats, or everything else in IRC.
228 
229           To compile it as a module, choose M here.  If unsure, say N.
230 
231 config NF_CONNTRACK_BROADCAST
232         tristate
233 
234 config NF_CONNTRACK_NETBIOS_NS
235         tristate "NetBIOS name service protocol support"
236         select NF_CONNTRACK_BROADCAST
237         help
238           NetBIOS name service requests are sent as broadcast messages from an
239           unprivileged port and responded to with unicast messages to the
240           same port. This make them hard to firewall properly because connection
241           tracking doesn't deal with broadcasts. This helper tracks locally
242           originating NetBIOS name service requests and the corresponding
243           responses. It relies on correct IP address configuration, specifically
244           netmask and broadcast address. When properly configured, the output
245           of "ip address show" should look similar to this:
246 
247           $ ip -4 address show eth0
248           4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
249               inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
250 
251           To compile it as a module, choose M here.  If unsure, say N.
252 
253 config NF_CONNTRACK_SNMP
254         tristate "SNMP service protocol support"
255         depends on NETFILTER_ADVANCED
256         select NF_CONNTRACK_BROADCAST
257         help
258           SNMP service requests are sent as broadcast messages from an
259           unprivileged port and responded to with unicast messages to the
260           same port. This make them hard to firewall properly because connection
261           tracking doesn't deal with broadcasts. This helper tracks locally
262           originating SNMP service requests and the corresponding
263           responses. It relies on correct IP address configuration, specifically
264           netmask and broadcast address.
265 
266           To compile it as a module, choose M here.  If unsure, say N.
267 
268 config NF_CONNTRACK_PPTP
269         tristate "PPtP protocol support"
270         depends on NETFILTER_ADVANCED
271         select NF_CT_PROTO_GRE
272         help
273           This module adds support for PPTP (Point to Point Tunnelling
274           Protocol, RFC2637) connection tracking and NAT.
275 
276           If you are running PPTP sessions over a stateful firewall or NAT
277           box, you may want to enable this feature.
278 
279           Please note that not all PPTP modes of operation are supported yet.
280           Specifically these limitations exist:
281             - Blindly assumes that control connections are always established
282               in PNS->PAC direction. This is a violation of RFC2637.
283             - Only supports a single call within each session
284 
285           To compile it as a module, choose M here.  If unsure, say N.
286 
287 config NF_CONNTRACK_SANE
288         tristate "SANE protocol support"
289         depends on NETFILTER_ADVANCED
290         help
291           SANE is a protocol for remote access to scanners as implemented
292           by the 'saned' daemon. Like FTP, it uses separate control and
293           data connections.
294 
295           With this module you can support SANE on a connection tracking
296           firewall.
297 
298           To compile it as a module, choose M here.  If unsure, say N.
299 
300 config NF_CONNTRACK_SIP
301         tristate "SIP protocol support"
302         default m if NETFILTER_ADVANCED=n
303         help
304           SIP is an application-layer control protocol that can establish,
305           modify, and terminate multimedia sessions (conferences) such as
306           Internet telephony calls. With the ip_conntrack_sip and
307           the nf_nat_sip modules you can support the protocol on a connection
308           tracking/NATing firewall.
309 
310           To compile it as a module, choose M here.  If unsure, say N.
311 
312 config NF_CONNTRACK_TFTP
313         tristate "TFTP protocol support"
314         depends on NETFILTER_ADVANCED
315         help
316           TFTP connection tracking helper, this is required depending
317           on how restrictive your ruleset is.
318           If you are using a tftp client behind -j SNAT or -j MASQUERADING
319           you will need this.
320 
321           To compile it as a module, choose M here.  If unsure, say N.
322 
323 config NF_CT_NETLINK
324         tristate 'Connection tracking netlink interface'
325         select NETFILTER_NETLINK
326         default m if NETFILTER_ADVANCED=n
327         help
328           This option enables support for a netlink-based userspace interface
329 
330 config NF_CT_NETLINK_TIMEOUT
331         tristate  'Connection tracking timeout tuning via Netlink'
332         select NETFILTER_NETLINK
333         depends on NETFILTER_ADVANCED
334         help
335           This option enables support for connection tracking timeout
336           fine-grain tuning. This allows you to attach specific timeout
337           policies to flows, instead of using the global timeout policy.
338 
339           If unsure, say `N'.
340 
341 config NF_CT_NETLINK_HELPER
342         tristate 'Connection tracking helpers in user-space via Netlink'
343         select NETFILTER_NETLINK
344         depends on NF_CT_NETLINK
345         depends on NETFILTER_NETLINK_QUEUE
346         depends on NETFILTER_NETLINK_QUEUE_CT
347         depends on NETFILTER_ADVANCED
348         help
349           This option enables the user-space connection tracking helpers
350           infrastructure.
351 
352           If unsure, say `N'.
353 
354 config NETFILTER_NETLINK_QUEUE_CT
355         bool "NFQUEUE integration with Connection Tracking"
356         default n
357         depends on NETFILTER_NETLINK_QUEUE
358         help
359           If this option is enabled, NFQUEUE can include Connection Tracking
360           information together with the packet is the enqueued via NFNETLINK.
361 
362 config NF_NAT
363         tristate
364 
365 config NF_NAT_NEEDED
366         bool
367         depends on NF_NAT
368         default y
369 
370 config NF_NAT_PROTO_DCCP
371         tristate
372         depends on NF_NAT && NF_CT_PROTO_DCCP
373         default NF_NAT && NF_CT_PROTO_DCCP
374 
375 config NF_NAT_PROTO_UDPLITE
376         tristate
377         depends on NF_NAT && NF_CT_PROTO_UDPLITE
378         default NF_NAT && NF_CT_PROTO_UDPLITE
379 
380 config NF_NAT_PROTO_SCTP
381         tristate
382         default NF_NAT && NF_CT_PROTO_SCTP
383         depends on NF_NAT && NF_CT_PROTO_SCTP
384         select LIBCRC32C
385 
386 config NF_NAT_AMANDA
387         tristate
388         depends on NF_CONNTRACK && NF_NAT
389         default NF_NAT && NF_CONNTRACK_AMANDA
390 
391 config NF_NAT_FTP
392         tristate
393         depends on NF_CONNTRACK && NF_NAT
394         default NF_NAT && NF_CONNTRACK_FTP
395 
396 config NF_NAT_IRC
397         tristate
398         depends on NF_CONNTRACK && NF_NAT
399         default NF_NAT && NF_CONNTRACK_IRC
400 
401 config NF_NAT_SIP
402         tristate
403         depends on NF_CONNTRACK && NF_NAT
404         default NF_NAT && NF_CONNTRACK_SIP
405 
406 config NF_NAT_TFTP
407         tristate
408         depends on NF_CONNTRACK && NF_NAT
409         default NF_NAT && NF_CONNTRACK_TFTP
410 
411 config NETFILTER_SYNPROXY
412         tristate
413 
414 endif # NF_CONNTRACK
415 
416 config NF_TABLES
417         select NETFILTER_NETLINK
418         tristate "Netfilter nf_tables support"
419         help
420           nftables is the new packet classification framework that intends to
421           replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
422           provides a pseudo-state machine with an extensible instruction-set
423           (also known as expressions) that the userspace 'nft' utility
424           (http://www.netfilter.org/projects/nftables) uses to build the
425           rule-set. It also comes with the generic set infrastructure that
426           allows you to construct mappings between matchings and actions
427           for performance lookups.
428 
429           To compile it as a module, choose M here.
430 
431 config NF_TABLES_INET
432         depends on NF_TABLES && IPV6
433         select NF_TABLES_IPV4
434         select NF_TABLES_IPV6
435         tristate "Netfilter nf_tables mixed IPv4/IPv6 tables support"
436         help
437           This option enables support for a mixed IPv4/IPv6 "inet" table.
438 
439 config NFT_EXTHDR
440         depends on NF_TABLES
441         tristate "Netfilter nf_tables IPv6 exthdr module"
442         help
443           This option adds the "exthdr" expression that you can use to match
444           IPv6 extension headers.
445 
446 config NFT_META
447         depends on NF_TABLES
448         tristate "Netfilter nf_tables meta module"
449         help
450           This option adds the "meta" expression that you can use to match and
451           to set packet metainformation such as the packet mark.
452 
453 config NFT_CT
454         depends on NF_TABLES
455         depends on NF_CONNTRACK
456         tristate "Netfilter nf_tables conntrack module"
457         help
458           This option adds the "meta" expression that you can use to match
459           connection tracking information such as the flow state.
460 
461 config NFT_RBTREE
462         depends on NF_TABLES
463         tristate "Netfilter nf_tables rbtree set module"
464         help
465           This option adds the "rbtree" set type (Red Black tree) that is used
466           to build interval-based sets.
467 
468 config NFT_HASH
469         depends on NF_TABLES
470         tristate "Netfilter nf_tables hash set module"
471         help
472           This option adds the "hash" set type that is used to build one-way
473           mappings between matchings and actions.
474 
475 config NFT_COUNTER
476         depends on NF_TABLES
477         tristate "Netfilter nf_tables counter module"
478         help
479           This option adds the "counter" expression that you can use to
480           include packet and byte counters in a rule.
481 
482 config NFT_LOG
483         depends on NF_TABLES
484         tristate "Netfilter nf_tables log module"
485         help
486           This option adds the "log" expression that you can use to log
487           packets matching some criteria.
488 
489 config NFT_LIMIT
490         depends on NF_TABLES
491         tristate "Netfilter nf_tables limit module"
492         help
493           This option adds the "limit" expression that you can use to
494           ratelimit rule matchings.
495 
496 config NFT_NAT
497         depends on NF_TABLES
498         depends on NF_CONNTRACK
499         depends on NF_NAT
500         tristate "Netfilter nf_tables nat module"
501         help
502           This option adds the "nat" expression that you can use to perform
503           typical Network Address Translation (NAT) packet transformations.
504 
505 config NFT_QUEUE
506         depends on NF_TABLES
507         depends on NETFILTER_XTABLES
508         depends on NETFILTER_NETLINK_QUEUE
509         tristate "Netfilter nf_tables queue module"
510         help
511           This is required if you intend to use the userspace queueing
512           infrastructure (also known as NFQUEUE) from nftables.
513 
514 config NFT_REJECT
515         depends on NF_TABLES
516         default m if NETFILTER_ADVANCED=n
517         tristate "Netfilter nf_tables reject support"
518         help
519           This option adds the "reject" expression that you can use to
520           explicitly deny and notify via TCP reset/ICMP informational errors
521           unallowed traffic.
522 
523 config NFT_REJECT_INET
524         depends on NF_TABLES_INET
525         default NFT_REJECT
526         tristate
527 
528 config NFT_COMPAT
529         depends on NF_TABLES
530         depends on NETFILTER_XTABLES
531         tristate "Netfilter x_tables over nf_tables module"
532         help
533           This is required if you intend to use any of existing
534           x_tables match/target extensions over the nf_tables
535           framework.
536 
537 config NETFILTER_XTABLES
538         tristate "Netfilter Xtables support (required for ip_tables)"
539         default m if NETFILTER_ADVANCED=n
540         help
541           This is required if you intend to use any of ip_tables,
542           ip6_tables or arp_tables.
543 
544 if NETFILTER_XTABLES
545 
546 comment "Xtables combined modules"
547 
548 config NETFILTER_XT_MARK
549         tristate 'nfmark target and match support'
550         default m if NETFILTER_ADVANCED=n
551         ---help---
552         This option adds the "MARK" target and "mark" match.
553 
554         Netfilter mark matching allows you to match packets based on the
555         "nfmark" value in the packet.
556         The target allows you to create rules in the "mangle" table which alter
557         the netfilter mark (nfmark) field associated with the packet.
558 
559         Prior to routing, the nfmark can influence the routing method (see
560         "Use netfilter MARK value as routing key") and can also be used by
561         other subsystems to change their behavior.
562 
563 config NETFILTER_XT_CONNMARK
564         tristate 'ctmark target and match support'
565         depends on NF_CONNTRACK
566         depends on NETFILTER_ADVANCED
567         select NF_CONNTRACK_MARK
568         ---help---
569         This option adds the "CONNMARK" target and "connmark" match.
570 
571         Netfilter allows you to store a mark value per connection (a.k.a.
572         ctmark), similarly to the packet mark (nfmark). Using this
573         target and match, you can set and match on this mark.
574 
575 config NETFILTER_XT_SET
576         tristate 'set target and match support'
577         depends on IP_SET
578         depends on NETFILTER_ADVANCED
579         help
580           This option adds the "SET" target and "set" match.
581 
582           Using this target and match, you can add/delete and match
583           elements in the sets created by ipset(8).
584 
585           To compile it as a module, choose M here.  If unsure, say N.
586 
587 # alphabetically ordered list of targets
588 
589 comment "Xtables targets"
590 
591 config NETFILTER_XT_TARGET_AUDIT
592         tristate "AUDIT target support"
593         depends on AUDIT
594         depends on NETFILTER_ADVANCED
595         ---help---
596           This option adds a 'AUDIT' target, which can be used to create
597           audit records for packets dropped/accepted.
598 
599           To compileit as a module, choose M here. If unsure, say N.
600 
601 config NETFILTER_XT_TARGET_CHECKSUM
602         tristate "CHECKSUM target support"
603         depends on IP_NF_MANGLE || IP6_NF_MANGLE
604         depends on NETFILTER_ADVANCED
605         ---help---
606           This option adds a `CHECKSUM' target, which can be used in the iptables mangle
607           table.
608 
609           You can use this target to compute and fill in the checksum in
610           a packet that lacks a checksum.  This is particularly useful,
611           if you need to work around old applications such as dhcp clients,
612           that do not work well with checksum offloads, but don't want to disable
613           checksum offload in your device.
614 
615           To compile it as a module, choose M here.  If unsure, say N.
616 
617 config NETFILTER_XT_TARGET_CLASSIFY
618         tristate '"CLASSIFY" target support'
619         depends on NETFILTER_ADVANCED
620         help
621           This option adds a `CLASSIFY' target, which enables the user to set
622           the priority of a packet. Some qdiscs can use this value for
623           classification, among these are:
624 
625           atm, cbq, dsmark, pfifo_fast, htb, prio
626 
627           To compile it as a module, choose M here.  If unsure, say N.
628 
629 config NETFILTER_XT_TARGET_CONNMARK
630         tristate  '"CONNMARK" target support'
631         depends on NF_CONNTRACK
632         depends on NETFILTER_ADVANCED
633         select NETFILTER_XT_CONNMARK
634         ---help---
635         This is a backwards-compat option for the user's convenience
636         (e.g. when running oldconfig). It selects
637         CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
638 
639 config NETFILTER_XT_TARGET_CONNSECMARK
640         tristate '"CONNSECMARK" target support'
641         depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
642         default m if NETFILTER_ADVANCED=n
643         help
644           The CONNSECMARK target copies security markings from packets
645           to connections, and restores security markings from connections
646           to packets (if the packets are not already marked).  This would
647           normally be used in conjunction with the SECMARK target.
648 
649           To compile it as a module, choose M here.  If unsure, say N.
650 
651 config NETFILTER_XT_TARGET_CT
652         tristate '"CT" target support'
653         depends on NF_CONNTRACK
654         depends on IP_NF_RAW || IP6_NF_RAW
655         depends on NETFILTER_ADVANCED
656         help
657           This options adds a `CT' target, which allows to specify initial
658           connection tracking parameters like events to be delivered and
659           the helper to be used.
660 
661           To compile it as a module, choose M here.  If unsure, say N.
662 
663 config NETFILTER_XT_TARGET_DSCP
664         tristate '"DSCP" and "TOS" target support'
665         depends on IP_NF_MANGLE || IP6_NF_MANGLE
666         depends on NETFILTER_ADVANCED
667         help
668           This option adds a `DSCP' target, which allows you to manipulate
669           the IPv4/IPv6 header DSCP field (differentiated services codepoint).
670 
671           The DSCP field can have any value between 0x0 and 0x3f inclusive.
672 
673           It also adds the "TOS" target, which allows you to create rules in
674           the "mangle" table which alter the Type Of Service field of an IPv4
675           or the Priority field of an IPv6 packet, prior to routing.
676 
677           To compile it as a module, choose M here.  If unsure, say N.
678 
679 config NETFILTER_XT_TARGET_HL
680         tristate '"HL" hoplimit target support'
681         depends on IP_NF_MANGLE || IP6_NF_MANGLE
682         depends on NETFILTER_ADVANCED
683         ---help---
684         This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
685         targets, which enable the user to change the
686         hoplimit/time-to-live value of the IP header.
687 
688         While it is safe to decrement the hoplimit/TTL value, the
689         modules also allow to increment and set the hoplimit value of
690         the header to arbitrary values. This is EXTREMELY DANGEROUS
691         since you can easily create immortal packets that loop
692         forever on the network.
693 
694 config NETFILTER_XT_TARGET_HMARK
695         tristate '"HMARK" target support'
696         depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
697         depends on NETFILTER_ADVANCED
698         ---help---
699         This option adds the "HMARK" target.
700 
701         The target allows you to create rules in the "raw" and "mangle" tables
702         which set the skbuff mark by means of hash calculation within a given
703         range. The nfmark can influence the routing method (see "Use netfilter
704         MARK value as routing key") and can also be used by other subsystems to
705         change their behaviour.
706 
707         To compile it as a module, choose M here. If unsure, say N.
708 
709 config NETFILTER_XT_TARGET_IDLETIMER
710         tristate  "IDLETIMER target support"
711         depends on NETFILTER_ADVANCED
712         help
713 
714           This option adds the `IDLETIMER' target.  Each matching packet
715           resets the timer associated with label specified when the rule is
716           added.  When the timer expires, it triggers a sysfs notification.
717           The remaining time for expiration can be read via sysfs.
718 
719           To compile it as a module, choose M here.  If unsure, say N.
720 
721 config NETFILTER_XT_TARGET_LED
722         tristate '"LED" target support'
723         depends on LEDS_CLASS && LEDS_TRIGGERS
724         depends on NETFILTER_ADVANCED
725         help
726           This option adds a `LED' target, which allows you to blink LEDs in
727           response to particular packets passing through your machine.
728 
729           This can be used to turn a spare LED into a network activity LED,
730           which only flashes in response to FTP transfers, for example.  Or
731           you could have an LED which lights up for a minute or two every time
732           somebody connects to your machine via SSH.
733 
734           You will need support for the "led" class to make this work.
735 
736           To create an LED trigger for incoming SSH traffic:
737             iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
738 
739           Then attach the new trigger to an LED on your system:
740             echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
741 
742           For more information on the LEDs available on your system, see
743           Documentation/leds/leds-class.txt
744 
745 config NETFILTER_XT_TARGET_LOG
746         tristate "LOG target support"
747         default m if NETFILTER_ADVANCED=n
748         help
749           This option adds a `LOG' target, which allows you to create rules in
750           any iptables table which records the packet header to the syslog.
751 
752           To compile it as a module, choose M here.  If unsure, say N.
753 
754 config NETFILTER_XT_TARGET_MARK
755         tristate '"MARK" target support'
756         depends on NETFILTER_ADVANCED
757         select NETFILTER_XT_MARK
758         ---help---
759         This is a backwards-compat option for the user's convenience
760         (e.g. when running oldconfig). It selects
761         CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
762 
763 config NETFILTER_XT_TARGET_NETMAP
764         tristate '"NETMAP" target support'
765         depends on NF_NAT
766         ---help---
767         NETMAP is an implementation of static 1:1 NAT mapping of network
768         addresses. It maps the network address part, while keeping the host
769         address part intact.
770 
771         To compile it as a module, choose M here. If unsure, say N.
772 
773 config NETFILTER_XT_TARGET_NFLOG
774         tristate '"NFLOG" target support'
775         default m if NETFILTER_ADVANCED=n
776         select NETFILTER_NETLINK_LOG
777         help
778           This option enables the NFLOG target, which allows to LOG
779           messages through nfnetlink_log.
780 
781           To compile it as a module, choose M here.  If unsure, say N.
782 
783 config NETFILTER_XT_TARGET_NFQUEUE
784         tristate '"NFQUEUE" target Support'
785         depends on NETFILTER_ADVANCED
786         select NETFILTER_NETLINK_QUEUE
787         help
788           This target replaced the old obsolete QUEUE target.
789 
790           As opposed to QUEUE, it supports 65535 different queues,
791           not just one.
792 
793           To compile it as a module, choose M here.  If unsure, say N.
794 
795 config NETFILTER_XT_TARGET_NOTRACK
796         tristate  '"NOTRACK" target support (DEPRECATED)'
797         depends on NF_CONNTRACK
798         depends on IP_NF_RAW || IP6_NF_RAW
799         depends on NETFILTER_ADVANCED
800         select NETFILTER_XT_TARGET_CT
801 
802 config NETFILTER_XT_TARGET_RATEEST
803         tristate '"RATEEST" target support'
804         depends on NETFILTER_ADVANCED
805         help
806           This option adds a `RATEEST' target, which allows to measure
807           rates similar to TC estimators. The `rateest' match can be
808           used to match on the measured rates.
809 
810           To compile it as a module, choose M here.  If unsure, say N.
811 
812 config NETFILTER_XT_TARGET_REDIRECT
813         tristate "REDIRECT target support"
814         depends on NF_NAT
815         ---help---
816         REDIRECT is a special case of NAT: all incoming connections are
817         mapped onto the incoming interface's address, causing the packets to
818         come to the local machine instead of passing through. This is
819         useful for transparent proxies.
820 
821         To compile it as a module, choose M here. If unsure, say N.
822 
823 config NETFILTER_XT_TARGET_TEE
824         tristate '"TEE" - packet cloning to alternate destination'
825         depends on NETFILTER_ADVANCED
826         depends on (IPV6 || IPV6=n)
827         depends on !NF_CONNTRACK || NF_CONNTRACK
828         ---help---
829         This option adds a "TEE" target with which a packet can be cloned and
830         this clone be rerouted to another nexthop.
831 
832 config NETFILTER_XT_TARGET_TPROXY
833         tristate '"TPROXY" target transparent proxying support'
834         depends on NETFILTER_XTABLES
835         depends on NETFILTER_ADVANCED
836         depends on IP_NF_MANGLE
837         select NF_DEFRAG_IPV4
838         select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
839         help
840           This option adds a `TPROXY' target, which is somewhat similar to
841           REDIRECT.  It can only be used in the mangle table and is useful
842           to redirect traffic to a transparent proxy.  It does _not_ depend
843           on Netfilter connection tracking and NAT, unlike REDIRECT.
844           For it to work you will have to configure certain iptables rules
845           and use policy routing. For more information on how to set it up
846           see Documentation/networking/tproxy.txt.
847 
848           To compile it as a module, choose M here.  If unsure, say N.
849 
850 config NETFILTER_XT_TARGET_TRACE
851         tristate  '"TRACE" target support'
852         depends on IP_NF_RAW || IP6_NF_RAW
853         depends on NETFILTER_ADVANCED
854         help
855           The TRACE target allows you to mark packets so that the kernel
856           will log every rule which match the packets as those traverse
857           the tables, chains, rules.
858 
859           If you want to compile it as a module, say M here and read
860           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
861 
862 config NETFILTER_XT_TARGET_SECMARK
863         tristate '"SECMARK" target support'
864         depends on NETWORK_SECMARK
865         default m if NETFILTER_ADVANCED=n
866         help
867           The SECMARK target allows security marking of network
868           packets, for use with security subsystems.
869 
870           To compile it as a module, choose M here.  If unsure, say N.
871 
872 config NETFILTER_XT_TARGET_TCPMSS
873         tristate '"TCPMSS" target support'
874         depends on (IPV6 || IPV6=n)
875         default m if NETFILTER_ADVANCED=n
876         ---help---
877           This option adds a `TCPMSS' target, which allows you to alter the
878           MSS value of TCP SYN packets, to control the maximum size for that
879           connection (usually limiting it to your outgoing interface's MTU
880           minus 40).
881 
882           This is used to overcome criminally braindead ISPs or servers which
883           block ICMP Fragmentation Needed packets.  The symptoms of this
884           problem are that everything works fine from your Linux
885           firewall/router, but machines behind it can never exchange large
886           packets:
887                 1) Web browsers connect, then hang with no data received.
888                 2) Small mail works fine, but large emails hang.
889                 3) ssh works fine, but scp hangs after initial handshaking.
890 
891           Workaround: activate this option and add a rule to your firewall
892           configuration like:
893 
894           iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
895                          -j TCPMSS --clamp-mss-to-pmtu
896 
897           To compile it as a module, choose M here.  If unsure, say N.
898 
899 config NETFILTER_XT_TARGET_TCPOPTSTRIP
900         tristate '"TCPOPTSTRIP" target support'
901         depends on IP_NF_MANGLE || IP6_NF_MANGLE
902         depends on NETFILTER_ADVANCED
903         help
904           This option adds a "TCPOPTSTRIP" target, which allows you to strip
905           TCP options from TCP packets.
906 
907 # alphabetically ordered list of matches
908 
909 comment "Xtables matches"
910 
911 config NETFILTER_XT_MATCH_ADDRTYPE
912         tristate '"addrtype" address type match support'
913         depends on NETFILTER_ADVANCED
914         ---help---
915           This option allows you to match what routing thinks of an address,
916           eg. UNICAST, LOCAL, BROADCAST, ...
917 
918           If you want to compile it as a module, say M here and read
919           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
920 
921 config NETFILTER_XT_MATCH_BPF
922         tristate '"bpf" match support'
923         depends on NETFILTER_ADVANCED
924         help
925           BPF matching applies a linux socket filter to each packet and
926           accepts those for which the filter returns non-zero.
927 
928           To compile it as a module, choose M here.  If unsure, say N.
929 
930 config NETFILTER_XT_MATCH_CGROUP
931         tristate '"control group" match support'
932         depends on NETFILTER_ADVANCED
933         depends on CGROUPS
934         select CGROUP_NET_CLASSID
935         ---help---
936         Socket/process control group matching allows you to match locally
937         generated packets based on which net_cls control group processes
938         belong to.
939 
940 config NETFILTER_XT_MATCH_CLUSTER
941         tristate '"cluster" match support'
942         depends on NF_CONNTRACK
943         depends on NETFILTER_ADVANCED
944         ---help---
945           This option allows you to build work-load-sharing clusters of
946           network servers/stateful firewalls without having a dedicated
947           load-balancing router/server/switch. Basically, this match returns
948           true when the packet must be handled by this cluster node. Thus,
949           all nodes see all packets and this match decides which node handles
950           what packets. The work-load sharing algorithm is based on source
951           address hashing.
952 
953           If you say Y or M here, try `iptables -m cluster --help` for
954           more information.
955 
956 config NETFILTER_XT_MATCH_COMMENT
957         tristate  '"comment" match support'
958         depends on NETFILTER_ADVANCED
959         help
960           This option adds a `comment' dummy-match, which allows you to put
961           comments in your iptables ruleset.
962 
963           If you want to compile it as a module, say M here and read
964           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
965 
966 config NETFILTER_XT_MATCH_CONNBYTES
967         tristate  '"connbytes" per-connection counter match support'
968         depends on NF_CONNTRACK
969         depends on NETFILTER_ADVANCED
970         help
971           This option adds a `connbytes' match, which allows you to match the
972           number of bytes and/or packets for each direction within a connection.
973 
974           If you want to compile it as a module, say M here and read
975           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
976 
977 config NETFILTER_XT_MATCH_CONNLABEL
978         tristate '"connlabel" match support'
979         select NF_CONNTRACK_LABELS
980         depends on NF_CONNTRACK
981         depends on NETFILTER_ADVANCED
982         ---help---
983           This match allows you to test and assign userspace-defined labels names
984           to a connection.  The kernel only stores bit values - mapping
985           names to bits is done by userspace.
986 
987           Unlike connmark, more than 32 flag bits may be assigned to a
988           connection simultaneously.
989 
990 config NETFILTER_XT_MATCH_CONNLIMIT
991         tristate '"connlimit" match support'
992         depends on NF_CONNTRACK
993         depends on NETFILTER_ADVANCED
994         ---help---
995           This match allows you to match against the number of parallel
996           connections to a server per client IP address (or address block).
997 
998 config NETFILTER_XT_MATCH_CONNMARK
999         tristate  '"connmark" connection mark match support'
1000         depends on NF_CONNTRACK
1001         depends on NETFILTER_ADVANCED
1002         select NETFILTER_XT_CONNMARK
1003         ---help---
1004         This is a backwards-compat option for the user's convenience
1005         (e.g. when running oldconfig). It selects
1006         CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
1007 
1008 config NETFILTER_XT_MATCH_CONNTRACK
1009         tristate '"conntrack" connection tracking match support'
1010         depends on NF_CONNTRACK
1011         default m if NETFILTER_ADVANCED=n
1012         help
1013           This is a general conntrack match module, a superset of the state match.
1014 
1015           It allows matching on additional conntrack information, which is
1016           useful in complex configurations, such as NAT gateways with multiple
1017           internet links or tunnels.
1018 
1019           To compile it as a module, choose M here.  If unsure, say N.
1020 
1021 config NETFILTER_XT_MATCH_CPU
1022         tristate '"cpu" match support'
1023         depends on NETFILTER_ADVANCED
1024         help
1025           CPU matching allows you to match packets based on the CPU
1026           currently handling the packet.
1027 
1028           To compile it as a module, choose M here.  If unsure, say N.
1029 
1030 config NETFILTER_XT_MATCH_DCCP
1031         tristate '"dccp" protocol match support'
1032         depends on NETFILTER_ADVANCED
1033         default IP_DCCP
1034         help
1035           With this option enabled, you will be able to use the iptables
1036           `dccp' match in order to match on DCCP source/destination ports
1037           and DCCP flags.
1038 
1039           If you want to compile it as a module, say M here and read
1040           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1041 
1042 config NETFILTER_XT_MATCH_DEVGROUP
1043         tristate '"devgroup" match support'
1044         depends on NETFILTER_ADVANCED
1045         help
1046           This options adds a `devgroup' match, which allows to match on the
1047           device group a network device is assigned to.
1048 
1049           To compile it as a module, choose M here.  If unsure, say N.
1050 
1051 config NETFILTER_XT_MATCH_DSCP
1052         tristate '"dscp" and "tos" match support'
1053         depends on NETFILTER_ADVANCED
1054         help
1055           This option adds a `DSCP' match, which allows you to match against
1056           the IPv4/IPv6 header DSCP field (differentiated services codepoint).
1057 
1058           The DSCP field can have any value between 0x0 and 0x3f inclusive.
1059 
1060           It will also add a "tos" match, which allows you to match packets
1061           based on the Type Of Service fields of the IPv4 packet (which share
1062           the same bits as DSCP).
1063 
1064           To compile it as a module, choose M here.  If unsure, say N.
1065 
1066 config NETFILTER_XT_MATCH_ECN
1067         tristate '"ecn" match support'
1068         depends on NETFILTER_ADVANCED
1069         ---help---
1070         This option adds an "ECN" match, which allows you to match against
1071         the IPv4 and TCP header ECN fields.
1072 
1073         To compile it as a module, choose M here. If unsure, say N.
1074 
1075 config NETFILTER_XT_MATCH_ESP
1076         tristate '"esp" match support'
1077         depends on NETFILTER_ADVANCED
1078         help
1079           This match extension allows you to match a range of SPIs
1080           inside ESP header of IPSec packets.
1081 
1082           To compile it as a module, choose M here.  If unsure, say N.
1083 
1084 config NETFILTER_XT_MATCH_HASHLIMIT
1085         tristate '"hashlimit" match support'
1086         depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
1087         depends on NETFILTER_ADVANCED
1088         help
1089           This option adds a `hashlimit' match.
1090 
1091           As opposed to `limit', this match dynamically creates a hash table
1092           of limit buckets, based on your selection of source/destination
1093           addresses and/or ports.
1094 
1095           It enables you to express policies like `10kpps for any given
1096           destination address' or `500pps from any given source address'
1097           with a single rule.
1098 
1099 config NETFILTER_XT_MATCH_HELPER
1100         tristate '"helper" match support'
1101         depends on NF_CONNTRACK
1102         depends on NETFILTER_ADVANCED
1103         help
1104           Helper matching allows you to match packets in dynamic connections
1105           tracked by a conntrack-helper, ie. ip_conntrack_ftp
1106 
1107           To compile it as a module, choose M here.  If unsure, say Y.
1108 
1109 config NETFILTER_XT_MATCH_HL
1110         tristate '"hl" hoplimit/TTL match support'
1111         depends on NETFILTER_ADVANCED
1112         ---help---
1113         HL matching allows you to match packets based on the hoplimit
1114         in the IPv6 header, or the time-to-live field in the IPv4
1115         header of the packet.
1116 
1117 config NETFILTER_XT_MATCH_IPCOMP
1118         tristate '"ipcomp" match support'
1119         depends on NETFILTER_ADVANCED
1120         help
1121           This match extension allows you to match a range of CPIs(16 bits)
1122           inside IPComp header of IPSec packets.
1123 
1124           To compile it as a module, choose M here.  If unsure, say N.
1125 
1126 config NETFILTER_XT_MATCH_IPRANGE
1127         tristate '"iprange" address range match support'
1128         depends on NETFILTER_ADVANCED
1129         ---help---
1130         This option adds a "iprange" match, which allows you to match based on
1131         an IP address range. (Normal iptables only matches on single addresses
1132         with an optional mask.)
1133 
1134         If unsure, say M.
1135 
1136 config NETFILTER_XT_MATCH_IPVS
1137         tristate '"ipvs" match support'
1138         depends on IP_VS
1139         depends on NETFILTER_ADVANCED
1140         depends on NF_CONNTRACK
1141         help
1142           This option allows you to match against IPVS properties of a packet.
1143 
1144           If unsure, say N.
1145 
1146 config NETFILTER_XT_MATCH_L2TP
1147         tristate '"l2tp" match support'
1148         depends on NETFILTER_ADVANCED
1149         default L2TP
1150         ---help---
1151         This option adds an "L2TP" match, which allows you to match against
1152         L2TP protocol header fields.
1153 
1154         To compile it as a module, choose M here. If unsure, say N.
1155 
1156 config NETFILTER_XT_MATCH_LENGTH
1157         tristate '"length" match support'
1158         depends on NETFILTER_ADVANCED
1159         help
1160           This option allows you to match the length of a packet against a
1161           specific value or range of values.
1162 
1163           To compile it as a module, choose M here.  If unsure, say N.
1164 
1165 config NETFILTER_XT_MATCH_LIMIT
1166         tristate '"limit" match support'
1167         depends on NETFILTER_ADVANCED
1168         help
1169           limit matching allows you to control the rate at which a rule can be
1170           matched: mainly useful in combination with the LOG target ("LOG
1171           target support", below) and to avoid some Denial of Service attacks.
1172 
1173           To compile it as a module, choose M here.  If unsure, say N.
1174 
1175 config NETFILTER_XT_MATCH_MAC
1176         tristate '"mac" address match support'
1177         depends on NETFILTER_ADVANCED
1178         help
1179           MAC matching allows you to match packets based on the source
1180           Ethernet address of the packet.
1181 
1182           To compile it as a module, choose M here.  If unsure, say N.
1183 
1184 config NETFILTER_XT_MATCH_MARK
1185         tristate '"mark" match support'
1186         depends on NETFILTER_ADVANCED
1187         select NETFILTER_XT_MARK
1188         ---help---
1189         This is a backwards-compat option for the user's convenience
1190         (e.g. when running oldconfig). It selects
1191         CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
1192 
1193 config NETFILTER_XT_MATCH_MULTIPORT
1194         tristate '"multiport" Multiple port match support'
1195         depends on NETFILTER_ADVANCED
1196         help
1197           Multiport matching allows you to match TCP or UDP packets based on
1198           a series of source or destination ports: normally a rule can only
1199           match a single range of ports.
1200 
1201           To compile it as a module, choose M here.  If unsure, say N.
1202 
1203 config NETFILTER_XT_MATCH_NFACCT
1204         tristate '"nfacct" match support'
1205         depends on NETFILTER_ADVANCED
1206         select NETFILTER_NETLINK_ACCT
1207         help
1208           This option allows you to use the extended accounting through
1209           nfnetlink_acct.
1210 
1211           To compile it as a module, choose M here.  If unsure, say N.
1212 
1213 config NETFILTER_XT_MATCH_OSF
1214         tristate '"osf" Passive OS fingerprint match'
1215         depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
1216         help
1217           This option selects the Passive OS Fingerprinting match module
1218           that allows to passively match the remote operating system by
1219           analyzing incoming TCP SYN packets.
1220 
1221           Rules and loading software can be downloaded from
1222           http://www.ioremap.net/projects/osf
1223 
1224           To compile it as a module, choose M here.  If unsure, say N.
1225 
1226 config NETFILTER_XT_MATCH_OWNER
1227         tristate '"owner" match support'
1228         depends on NETFILTER_ADVANCED
1229         ---help---
1230         Socket owner matching allows you to match locally-generated packets
1231         based on who created the socket: the user or group. It is also
1232         possible to check whether a socket actually exists.
1233 
1234 config NETFILTER_XT_MATCH_POLICY
1235         tristate 'IPsec "policy" match support'
1236         depends on XFRM
1237         default m if NETFILTER_ADVANCED=n
1238         help
1239           Policy matching allows you to match packets based on the
1240           IPsec policy that was used during decapsulation/will
1241           be used during encapsulation.
1242 
1243           To compile it as a module, choose M here.  If unsure, say N.
1244 
1245 config NETFILTER_XT_MATCH_PHYSDEV
1246         tristate '"physdev" match support'
1247         depends on BRIDGE && BRIDGE_NETFILTER
1248         depends on NETFILTER_ADVANCED
1249         help
1250           Physdev packet matching matches against the physical bridge ports
1251           the IP packet arrived on or will leave by.
1252 
1253           To compile it as a module, choose M here.  If unsure, say N.
1254 
1255 config NETFILTER_XT_MATCH_PKTTYPE
1256         tristate '"pkttype" packet type match support'
1257         depends on NETFILTER_ADVANCED
1258         help
1259           Packet type matching allows you to match a packet by
1260           its "class", eg. BROADCAST, MULTICAST, ...
1261 
1262           Typical usage:
1263           iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
1264 
1265           To compile it as a module, choose M here.  If unsure, say N.
1266 
1267 config NETFILTER_XT_MATCH_QUOTA
1268         tristate '"quota" match support'
1269         depends on NETFILTER_ADVANCED
1270         help
1271           This option adds a `quota' match, which allows to match on a
1272           byte counter.
1273 
1274           If you want to compile it as a module, say M here and read
1275           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1276 
1277 config NETFILTER_XT_MATCH_RATEEST
1278         tristate '"rateest" match support'
1279         depends on NETFILTER_ADVANCED
1280         select NETFILTER_XT_TARGET_RATEEST
1281         help
1282           This option adds a `rateest' match, which allows to match on the
1283           rate estimated by the RATEEST target.
1284 
1285           To compile it as a module, choose M here.  If unsure, say N.
1286 
1287 config NETFILTER_XT_MATCH_REALM
1288         tristate  '"realm" match support'
1289         depends on NETFILTER_ADVANCED
1290         select IP_ROUTE_CLASSID
1291         help
1292           This option adds a `realm' match, which allows you to use the realm
1293           key from the routing subsystem inside iptables.
1294 
1295           This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option 
1296           in tc world.
1297 
1298           If you want to compile it as a module, say M here and read
1299           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1300 
1301 config NETFILTER_XT_MATCH_RECENT
1302         tristate '"recent" match support'
1303         depends on NETFILTER_ADVANCED
1304         ---help---
1305         This match is used for creating one or many lists of recently
1306         used addresses and then matching against that/those list(s).
1307 
1308         Short options are available by using 'iptables -m recent -h'
1309         Official Website: <http://snowman.net/projects/ipt_recent/>
1310 
1311 config NETFILTER_XT_MATCH_SCTP
1312         tristate  '"sctp" protocol match support'
1313         depends on NETFILTER_ADVANCED
1314         default IP_SCTP
1315         help
1316           With this option enabled, you will be able to use the 
1317           `sctp' match in order to match on SCTP source/destination ports
1318           and SCTP chunk types.
1319 
1320           If you want to compile it as a module, say M here and read
1321           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1322 
1323 config NETFILTER_XT_MATCH_SOCKET
1324         tristate '"socket" match support'
1325         depends on NETFILTER_XTABLES
1326         depends on NETFILTER_ADVANCED
1327         depends on !NF_CONNTRACK || NF_CONNTRACK
1328         depends on (IPV6 || IPV6=n)
1329         select NF_DEFRAG_IPV4
1330         select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
1331         help
1332           This option adds a `socket' match, which can be used to match
1333           packets for which a TCP or UDP socket lookup finds a valid socket.
1334           It can be used in combination with the MARK target and policy
1335           routing to implement full featured non-locally bound sockets.
1336 
1337           To compile it as a module, choose M here.  If unsure, say N.
1338 
1339 config NETFILTER_XT_MATCH_STATE
1340         tristate '"state" match support'
1341         depends on NF_CONNTRACK
1342         default m if NETFILTER_ADVANCED=n
1343         help
1344           Connection state matching allows you to match packets based on their
1345           relationship to a tracked connection (ie. previous packets).  This
1346           is a powerful tool for packet classification.
1347 
1348           To compile it as a module, choose M here.  If unsure, say N.
1349 
1350 config NETFILTER_XT_MATCH_STATISTIC
1351         tristate '"statistic" match support'
1352         depends on NETFILTER_ADVANCED
1353         help
1354           This option adds a `statistic' match, which allows you to match
1355           on packets periodically or randomly with a given percentage.
1356 
1357           To compile it as a module, choose M here.  If unsure, say N.
1358 
1359 config NETFILTER_XT_MATCH_STRING
1360         tristate  '"string" match support'
1361         depends on NETFILTER_ADVANCED
1362         select TEXTSEARCH
1363         select TEXTSEARCH_KMP
1364         select TEXTSEARCH_BM
1365         select TEXTSEARCH_FSM
1366         help
1367           This option adds a `string' match, which allows you to look for
1368           pattern matchings in packets.
1369 
1370           To compile it as a module, choose M here.  If unsure, say N.
1371 
1372 config NETFILTER_XT_MATCH_TCPMSS
1373         tristate '"tcpmss" match support'
1374         depends on NETFILTER_ADVANCED
1375         help
1376           This option adds a `tcpmss' match, which allows you to examine the
1377           MSS value of TCP SYN packets, which control the maximum packet size
1378           for that connection.
1379 
1380           To compile it as a module, choose M here.  If unsure, say N.
1381 
1382 config NETFILTER_XT_MATCH_TIME
1383         tristate '"time" match support'
1384         depends on NETFILTER_ADVANCED
1385         ---help---
1386           This option adds a "time" match, which allows you to match based on
1387           the packet arrival time (at the machine which netfilter is running)
1388           on) or departure time/date (for locally generated packets).
1389 
1390           If you say Y here, try `iptables -m time --help` for
1391           more information.
1392 
1393           If you want to compile it as a module, say M here.
1394           If unsure, say N.
1395 
1396 config NETFILTER_XT_MATCH_U32
1397         tristate '"u32" match support'
1398         depends on NETFILTER_ADVANCED
1399         ---help---
1400           u32 allows you to extract quantities of up to 4 bytes from a packet,
1401           AND them with specified masks, shift them by specified amounts and
1402           test whether the results are in any of a set of specified ranges.
1403           The specification of what to extract is general enough to skip over
1404           headers with lengths stored in the packet, as in IP or TCP header
1405           lengths.
1406 
1407           Details and examples are in the kernel module source.
1408 
1409 endif # NETFILTER_XTABLES
1410 
1411 endmenu
1412 
1413 source "net/netfilter/ipset/Kconfig"
1414 
1415 source "net/netfilter/ipvs/Kconfig"

This page was automatically generated by LXR 0.3.1 (source).  •  Linux is a registered trademark of Linus Torvalds  •  Contact us