Version:  2.0.40 2.2.26 2.4.37 3.11 3.12 3.13 3.14 3.15 3.16 3.17 3.18 3.19 4.0 4.1 4.2 4.3 4.4 4.5 4.6 4.7 4.8

Linux/net/netfilter/Kconfig

  1 menu "Core Netfilter Configuration"
  2         depends on NET && INET && NETFILTER
  3 
  4 config NETFILTER_INGRESS
  5         bool "Netfilter ingress support"
  6         default y
  7         select NET_INGRESS
  8         help
  9           This allows you to classify packets from ingress using the Netfilter
 10           infrastructure.
 11 
 12 config NETFILTER_NETLINK
 13         tristate
 14 
 15 config NETFILTER_NETLINK_ACCT
 16 tristate "Netfilter NFACCT over NFNETLINK interface"
 17         depends on NETFILTER_ADVANCED
 18         select NETFILTER_NETLINK
 19         help
 20           If this option is enabled, the kernel will include support
 21           for extended accounting via NFNETLINK.
 22 
 23 config NETFILTER_NETLINK_QUEUE
 24         tristate "Netfilter NFQUEUE over NFNETLINK interface"
 25         depends on NETFILTER_ADVANCED
 26         select NETFILTER_NETLINK
 27         help
 28           If this option is enabled, the kernel will include support
 29           for queueing packets via NFNETLINK.
 30           
 31 config NETFILTER_NETLINK_LOG
 32         tristate "Netfilter LOG over NFNETLINK interface"
 33         default m if NETFILTER_ADVANCED=n
 34         select NETFILTER_NETLINK
 35         help
 36           If this option is enabled, the kernel will include support
 37           for logging packets via NFNETLINK.
 38 
 39           This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms,
 40           and is also scheduled to replace the old syslog-based ipt_LOG
 41           and ip6t_LOG modules.
 42 
 43 config NF_CONNTRACK
 44         tristate "Netfilter connection tracking support"
 45         default m if NETFILTER_ADVANCED=n
 46         help
 47           Connection tracking keeps a record of what packets have passed
 48           through your machine, in order to figure out how they are related
 49           into connections.
 50 
 51           This is required to do Masquerading or other kinds of Network
 52           Address Translation.  It can also be used to enhance packet
 53           filtering (see `Connection state match support' below).
 54 
 55           To compile it as a module, choose M here.  If unsure, say N.
 56 
 57 config NF_LOG_COMMON
 58         tristate
 59 
 60 if NF_CONNTRACK
 61 
 62 config NF_CONNTRACK_MARK
 63         bool  'Connection mark tracking support'
 64         depends on NETFILTER_ADVANCED
 65         help
 66           This option enables support for connection marks, used by the
 67           `CONNMARK' target and `connmark' match. Similar to the mark value
 68           of packets, but this mark value is kept in the conntrack session
 69           instead of the individual packets.
 70 
 71 config NF_CONNTRACK_SECMARK
 72         bool  'Connection tracking security mark support'
 73         depends on NETWORK_SECMARK
 74         default m if NETFILTER_ADVANCED=n
 75         help
 76           This option enables security markings to be applied to
 77           connections.  Typically they are copied to connections from
 78           packets using the CONNSECMARK target and copied back from
 79           connections to packets with the same target, with the packets
 80           being originally labeled via SECMARK.
 81 
 82           If unsure, say 'N'.
 83 
 84 config NF_CONNTRACK_ZONES
 85         bool  'Connection tracking zones'
 86         depends on NETFILTER_ADVANCED
 87         depends on NETFILTER_XT_TARGET_CT
 88         help
 89           This option enables support for connection tracking zones.
 90           Normally, each connection needs to have a unique system wide
 91           identity. Connection tracking zones allow to have multiple
 92           connections using the same identity, as long as they are
 93           contained in different zones.
 94 
 95           If unsure, say `N'.
 96 
 97 config NF_CONNTRACK_PROCFS
 98         bool "Supply CT list in procfs (OBSOLETE)"
 99         default y
100         depends on PROC_FS
101         ---help---
102         This option enables for the list of known conntrack entries
103         to be shown in procfs under net/netfilter/nf_conntrack. This
104         is considered obsolete in favor of using the conntrack(8)
105         tool which uses Netlink.
106 
107 config NF_CONNTRACK_EVENTS
108         bool "Connection tracking events"
109         depends on NETFILTER_ADVANCED
110         help
111           If this option is enabled, the connection tracking code will
112           provide a notifier chain that can be used by other kernel code
113           to get notified about changes in the connection tracking state.
114 
115           If unsure, say `N'.
116 
117 config NF_CONNTRACK_TIMEOUT
118         bool  'Connection tracking timeout'
119         depends on NETFILTER_ADVANCED
120         help
121           This option enables support for connection tracking timeout
122           extension. This allows you to attach timeout policies to flow
123           via the CT target.
124 
125           If unsure, say `N'.
126 
127 config NF_CONNTRACK_TIMESTAMP
128         bool  'Connection tracking timestamping'
129         depends on NETFILTER_ADVANCED
130         help
131           This option enables support for connection tracking timestamping.
132           This allows you to store the flow start-time and to obtain
133           the flow-stop time (once it has been destroyed) via Connection
134           tracking events.
135 
136           If unsure, say `N'.
137 
138 config NF_CONNTRACK_LABELS
139         bool
140         help
141           This option enables support for assigning user-defined flag bits
142           to connection tracking entries.  It selected by the connlabel match.
143 
144 config NF_CT_PROTO_DCCP
145         tristate 'DCCP protocol connection tracking support'
146         depends on NETFILTER_ADVANCED
147         default IP_DCCP
148         help
149           With this option enabled, the layer 3 independent connection
150           tracking code will be able to do state tracking on DCCP connections.
151 
152           If unsure, say 'N'.
153 
154 config NF_CT_PROTO_GRE
155         tristate
156 
157 config NF_CT_PROTO_SCTP
158         tristate 'SCTP protocol connection tracking support'
159         depends on NETFILTER_ADVANCED
160         default IP_SCTP
161         help
162           With this option enabled, the layer 3 independent connection
163           tracking code will be able to do state tracking on SCTP connections.
164 
165           If you want to compile it as a module, say M here and read
166           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
167 
168 config NF_CT_PROTO_UDPLITE
169         tristate 'UDP-Lite protocol connection tracking support'
170         depends on NETFILTER_ADVANCED
171         help
172           With this option enabled, the layer 3 independent connection
173           tracking code will be able to do state tracking on UDP-Lite
174           connections.
175 
176           To compile it as a module, choose M here.  If unsure, say N.
177 
178 config NF_CONNTRACK_AMANDA
179         tristate "Amanda backup protocol support"
180         depends on NETFILTER_ADVANCED
181         select TEXTSEARCH
182         select TEXTSEARCH_KMP
183         help
184           If you are running the Amanda backup package <http://www.amanda.org/>
185           on this machine or machines that will be MASQUERADED through this
186           machine, then you may want to enable this feature.  This allows the
187           connection tracking and natting code to allow the sub-channels that
188           Amanda requires for communication of the backup data, messages and
189           index.
190 
191           To compile it as a module, choose M here.  If unsure, say N.
192 
193 config NF_CONNTRACK_FTP
194         tristate "FTP protocol support"
195         default m if NETFILTER_ADVANCED=n
196         help
197           Tracking FTP connections is problematic: special helpers are
198           required for tracking them, and doing masquerading and other forms
199           of Network Address Translation on them.
200 
201           This is FTP support on Layer 3 independent connection tracking.
202           Layer 3 independent connection tracking is experimental scheme
203           which generalize ip_conntrack to support other layer 3 protocols.
204 
205           To compile it as a module, choose M here.  If unsure, say N.
206 
207 config NF_CONNTRACK_H323
208         tristate "H.323 protocol support"
209         depends on IPV6 || IPV6=n
210         depends on NETFILTER_ADVANCED
211         help
212           H.323 is a VoIP signalling protocol from ITU-T. As one of the most
213           important VoIP protocols, it is widely used by voice hardware and
214           software including voice gateways, IP phones, Netmeeting, OpenPhone,
215           Gnomemeeting, etc.
216 
217           With this module you can support H.323 on a connection tracking/NAT
218           firewall.
219 
220           This module supports RAS, Fast Start, H.245 Tunnelling, Call
221           Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
222           whiteboard, file transfer, etc. For more information, please
223           visit http://nath323.sourceforge.net/.
224 
225           To compile it as a module, choose M here.  If unsure, say N.
226 
227 config NF_CONNTRACK_IRC
228         tristate "IRC protocol support"
229         default m if NETFILTER_ADVANCED=n
230         help
231           There is a commonly-used extension to IRC called
232           Direct Client-to-Client Protocol (DCC).  This enables users to send
233           files to each other, and also chat to each other without the need
234           of a server.  DCC Sending is used anywhere you send files over IRC,
235           and DCC Chat is most commonly used by Eggdrop bots.  If you are
236           using NAT, this extension will enable you to send files and initiate
237           chats.  Note that you do NOT need this extension to get files or
238           have others initiate chats, or everything else in IRC.
239 
240           To compile it as a module, choose M here.  If unsure, say N.
241 
242 config NF_CONNTRACK_BROADCAST
243         tristate
244 
245 config NF_CONNTRACK_NETBIOS_NS
246         tristate "NetBIOS name service protocol support"
247         select NF_CONNTRACK_BROADCAST
248         help
249           NetBIOS name service requests are sent as broadcast messages from an
250           unprivileged port and responded to with unicast messages to the
251           same port. This make them hard to firewall properly because connection
252           tracking doesn't deal with broadcasts. This helper tracks locally
253           originating NetBIOS name service requests and the corresponding
254           responses. It relies on correct IP address configuration, specifically
255           netmask and broadcast address. When properly configured, the output
256           of "ip address show" should look similar to this:
257 
258           $ ip -4 address show eth0
259           4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
260               inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
261 
262           To compile it as a module, choose M here.  If unsure, say N.
263 
264 config NF_CONNTRACK_SNMP
265         tristate "SNMP service protocol support"
266         depends on NETFILTER_ADVANCED
267         select NF_CONNTRACK_BROADCAST
268         help
269           SNMP service requests are sent as broadcast messages from an
270           unprivileged port and responded to with unicast messages to the
271           same port. This make them hard to firewall properly because connection
272           tracking doesn't deal with broadcasts. This helper tracks locally
273           originating SNMP service requests and the corresponding
274           responses. It relies on correct IP address configuration, specifically
275           netmask and broadcast address.
276 
277           To compile it as a module, choose M here.  If unsure, say N.
278 
279 config NF_CONNTRACK_PPTP
280         tristate "PPtP protocol support"
281         depends on NETFILTER_ADVANCED
282         select NF_CT_PROTO_GRE
283         help
284           This module adds support for PPTP (Point to Point Tunnelling
285           Protocol, RFC2637) connection tracking and NAT.
286 
287           If you are running PPTP sessions over a stateful firewall or NAT
288           box, you may want to enable this feature.
289 
290           Please note that not all PPTP modes of operation are supported yet.
291           Specifically these limitations exist:
292             - Blindly assumes that control connections are always established
293               in PNS->PAC direction. This is a violation of RFC2637.
294             - Only supports a single call within each session
295 
296           To compile it as a module, choose M here.  If unsure, say N.
297 
298 config NF_CONNTRACK_SANE
299         tristate "SANE protocol support"
300         depends on NETFILTER_ADVANCED
301         help
302           SANE is a protocol for remote access to scanners as implemented
303           by the 'saned' daemon. Like FTP, it uses separate control and
304           data connections.
305 
306           With this module you can support SANE on a connection tracking
307           firewall.
308 
309           To compile it as a module, choose M here.  If unsure, say N.
310 
311 config NF_CONNTRACK_SIP
312         tristate "SIP protocol support"
313         default m if NETFILTER_ADVANCED=n
314         help
315           SIP is an application-layer control protocol that can establish,
316           modify, and terminate multimedia sessions (conferences) such as
317           Internet telephony calls. With the ip_conntrack_sip and
318           the nf_nat_sip modules you can support the protocol on a connection
319           tracking/NATing firewall.
320 
321           To compile it as a module, choose M here.  If unsure, say N.
322 
323 config NF_CONNTRACK_TFTP
324         tristate "TFTP protocol support"
325         depends on NETFILTER_ADVANCED
326         help
327           TFTP connection tracking helper, this is required depending
328           on how restrictive your ruleset is.
329           If you are using a tftp client behind -j SNAT or -j MASQUERADING
330           you will need this.
331 
332           To compile it as a module, choose M here.  If unsure, say N.
333 
334 config NF_CT_NETLINK
335         tristate 'Connection tracking netlink interface'
336         select NETFILTER_NETLINK
337         default m if NETFILTER_ADVANCED=n
338         help
339           This option enables support for a netlink-based userspace interface
340 
341 config NF_CT_NETLINK_TIMEOUT
342         tristate  'Connection tracking timeout tuning via Netlink'
343         select NETFILTER_NETLINK
344         depends on NETFILTER_ADVANCED
345         help
346           This option enables support for connection tracking timeout
347           fine-grain tuning. This allows you to attach specific timeout
348           policies to flows, instead of using the global timeout policy.
349 
350           If unsure, say `N'.
351 
352 config NF_CT_NETLINK_HELPER
353         tristate 'Connection tracking helpers in user-space via Netlink'
354         select NETFILTER_NETLINK
355         depends on NF_CT_NETLINK
356         depends on NETFILTER_NETLINK_QUEUE
357         depends on NETFILTER_NETLINK_GLUE_CT
358         depends on NETFILTER_ADVANCED
359         help
360           This option enables the user-space connection tracking helpers
361           infrastructure.
362 
363           If unsure, say `N'.
364 
365 config NETFILTER_NETLINK_GLUE_CT
366         bool "NFQUEUE and NFLOG integration with Connection Tracking"
367         default n
368         depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
369         help
370           If this option is enabled, NFQUEUE and NFLOG can include
371           Connection Tracking information together with the packet is
372           the enqueued via NFNETLINK.
373 
374 config NF_NAT
375         tristate
376 
377 config NF_NAT_NEEDED
378         bool
379         depends on NF_NAT
380         default y
381 
382 config NF_NAT_PROTO_DCCP
383         tristate
384         depends on NF_NAT && NF_CT_PROTO_DCCP
385         default NF_NAT && NF_CT_PROTO_DCCP
386 
387 config NF_NAT_PROTO_UDPLITE
388         tristate
389         depends on NF_NAT && NF_CT_PROTO_UDPLITE
390         default NF_NAT && NF_CT_PROTO_UDPLITE
391 
392 config NF_NAT_PROTO_SCTP
393         tristate
394         default NF_NAT && NF_CT_PROTO_SCTP
395         depends on NF_NAT && NF_CT_PROTO_SCTP
396         select LIBCRC32C
397 
398 config NF_NAT_AMANDA
399         tristate
400         depends on NF_CONNTRACK && NF_NAT
401         default NF_NAT && NF_CONNTRACK_AMANDA
402 
403 config NF_NAT_FTP
404         tristate
405         depends on NF_CONNTRACK && NF_NAT
406         default NF_NAT && NF_CONNTRACK_FTP
407 
408 config NF_NAT_IRC
409         tristate
410         depends on NF_CONNTRACK && NF_NAT
411         default NF_NAT && NF_CONNTRACK_IRC
412 
413 config NF_NAT_SIP
414         tristate
415         depends on NF_CONNTRACK && NF_NAT
416         default NF_NAT && NF_CONNTRACK_SIP
417 
418 config NF_NAT_TFTP
419         tristate
420         depends on NF_CONNTRACK && NF_NAT
421         default NF_NAT && NF_CONNTRACK_TFTP
422 
423 config NF_NAT_REDIRECT
424         tristate "IPv4/IPv6 redirect support"
425         depends on NF_NAT
426         help
427           This is the kernel functionality to redirect packets to local
428           machine through NAT.
429 
430 config NETFILTER_SYNPROXY
431         tristate
432 
433 endif # NF_CONNTRACK
434 
435 config NF_TABLES
436         select NETFILTER_NETLINK
437         tristate "Netfilter nf_tables support"
438         help
439           nftables is the new packet classification framework that intends to
440           replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
441           provides a pseudo-state machine with an extensible instruction-set
442           (also known as expressions) that the userspace 'nft' utility
443           (http://www.netfilter.org/projects/nftables) uses to build the
444           rule-set. It also comes with the generic set infrastructure that
445           allows you to construct mappings between matchings and actions
446           for performance lookups.
447 
448           To compile it as a module, choose M here.
449 
450 if NF_TABLES
451 
452 config NF_TABLES_INET
453         depends on IPV6
454         select NF_TABLES_IPV4
455         select NF_TABLES_IPV6
456         tristate "Netfilter nf_tables mixed IPv4/IPv6 tables support"
457         help
458           This option enables support for a mixed IPv4/IPv6 "inet" table.
459 
460 config NF_TABLES_NETDEV
461         tristate "Netfilter nf_tables netdev tables support"
462         help
463           This option enables support for the "netdev" table.
464 
465 config NFT_EXTHDR
466         tristate "Netfilter nf_tables IPv6 exthdr module"
467         help
468           This option adds the "exthdr" expression that you can use to match
469           IPv6 extension headers.
470 
471 config NFT_META
472         tristate "Netfilter nf_tables meta module"
473         help
474           This option adds the "meta" expression that you can use to match and
475           to set packet metainformation such as the packet mark.
476 
477 config NFT_CT
478         depends on NF_CONNTRACK
479         tristate "Netfilter nf_tables conntrack module"
480         help
481           This option adds the "meta" expression that you can use to match
482           connection tracking information such as the flow state.
483 
484 config NFT_RBTREE
485         tristate "Netfilter nf_tables rbtree set module"
486         help
487           This option adds the "rbtree" set type (Red Black tree) that is used
488           to build interval-based sets.
489 
490 config NFT_HASH
491         tristate "Netfilter nf_tables hash set module"
492         help
493           This option adds the "hash" set type that is used to build one-way
494           mappings between matchings and actions.
495 
496 config NFT_COUNTER
497         tristate "Netfilter nf_tables counter module"
498         help
499           This option adds the "counter" expression that you can use to
500           include packet and byte counters in a rule.
501 
502 config NFT_LOG
503         tristate "Netfilter nf_tables log module"
504         help
505           This option adds the "log" expression that you can use to log
506           packets matching some criteria.
507 
508 config NFT_LIMIT
509         tristate "Netfilter nf_tables limit module"
510         help
511           This option adds the "limit" expression that you can use to
512           ratelimit rule matchings.
513 
514 config NFT_MASQ
515         depends on NF_CONNTRACK
516         depends on NF_NAT
517         tristate "Netfilter nf_tables masquerade support"
518         help
519           This option adds the "masquerade" expression that you can use
520           to perform NAT in the masquerade flavour.
521 
522 config NFT_REDIR
523         depends on NF_CONNTRACK
524         depends on NF_NAT
525         tristate "Netfilter nf_tables redirect support"
526         help
527           This options adds the "redirect" expression that you can use
528           to perform NAT in the redirect flavour.
529 
530 config NFT_NAT
531         depends on NF_CONNTRACK
532         select NF_NAT
533         tristate "Netfilter nf_tables nat module"
534         help
535           This option adds the "nat" expression that you can use to perform
536           typical Network Address Translation (NAT) packet transformations.
537 
538 config NFT_QUEUE
539         depends on NETFILTER_NETLINK_QUEUE
540         tristate "Netfilter nf_tables queue module"
541         help
542           This is required if you intend to use the userspace queueing
543           infrastructure (also known as NFQUEUE) from nftables.
544 
545 config NFT_REJECT
546         default m if NETFILTER_ADVANCED=n
547         tristate "Netfilter nf_tables reject support"
548         help
549           This option adds the "reject" expression that you can use to
550           explicitly deny and notify via TCP reset/ICMP informational errors
551           unallowed traffic.
552 
553 config NFT_REJECT_INET
554         depends on NF_TABLES_INET
555         default NFT_REJECT
556         tristate
557 
558 config NFT_COMPAT
559         depends on NETFILTER_XTABLES
560         tristate "Netfilter x_tables over nf_tables module"
561         help
562           This is required if you intend to use any of existing
563           x_tables match/target extensions over the nf_tables
564           framework.
565 
566 if NF_TABLES_NETDEV
567 
568 config NF_DUP_NETDEV
569         tristate "Netfilter packet duplication support"
570         help
571           This option enables the generic packet duplication infrastructure
572           for Netfilter.
573 
574 config NFT_DUP_NETDEV
575         tristate "Netfilter nf_tables netdev packet duplication support"
576         select NF_DUP_NETDEV
577         help
578           This option enables packet duplication for the "netdev" family.
579 
580 config NFT_FWD_NETDEV
581         tristate "Netfilter nf_tables netdev packet forwarding support"
582         select NF_DUP_NETDEV
583         help
584           This option enables packet forwarding for the "netdev" family.
585 
586 endif # NF_TABLES_NETDEV
587 
588 endif # NF_TABLES
589 
590 config NETFILTER_XTABLES
591         tristate "Netfilter Xtables support (required for ip_tables)"
592         default m if NETFILTER_ADVANCED=n
593         help
594           This is required if you intend to use any of ip_tables,
595           ip6_tables or arp_tables.
596 
597 if NETFILTER_XTABLES
598 
599 comment "Xtables combined modules"
600 
601 config NETFILTER_XT_MARK
602         tristate 'nfmark target and match support'
603         default m if NETFILTER_ADVANCED=n
604         ---help---
605         This option adds the "MARK" target and "mark" match.
606 
607         Netfilter mark matching allows you to match packets based on the
608         "nfmark" value in the packet.
609         The target allows you to create rules in the "mangle" table which alter
610         the netfilter mark (nfmark) field associated with the packet.
611 
612         Prior to routing, the nfmark can influence the routing method and can
613         also be used by other subsystems to change their behavior.
614 
615 config NETFILTER_XT_CONNMARK
616         tristate 'ctmark target and match support'
617         depends on NF_CONNTRACK
618         depends on NETFILTER_ADVANCED
619         select NF_CONNTRACK_MARK
620         ---help---
621         This option adds the "CONNMARK" target and "connmark" match.
622 
623         Netfilter allows you to store a mark value per connection (a.k.a.
624         ctmark), similarly to the packet mark (nfmark). Using this
625         target and match, you can set and match on this mark.
626 
627 config NETFILTER_XT_SET
628         tristate 'set target and match support'
629         depends on IP_SET
630         depends on NETFILTER_ADVANCED
631         help
632           This option adds the "SET" target and "set" match.
633 
634           Using this target and match, you can add/delete and match
635           elements in the sets created by ipset(8).
636 
637           To compile it as a module, choose M here.  If unsure, say N.
638 
639 # alphabetically ordered list of targets
640 
641 comment "Xtables targets"
642 
643 config NETFILTER_XT_TARGET_AUDIT
644         tristate "AUDIT target support"
645         depends on AUDIT
646         depends on NETFILTER_ADVANCED
647         ---help---
648           This option adds a 'AUDIT' target, which can be used to create
649           audit records for packets dropped/accepted.
650 
651           To compileit as a module, choose M here. If unsure, say N.
652 
653 config NETFILTER_XT_TARGET_CHECKSUM
654         tristate "CHECKSUM target support"
655         depends on IP_NF_MANGLE || IP6_NF_MANGLE
656         depends on NETFILTER_ADVANCED
657         ---help---
658           This option adds a `CHECKSUM' target, which can be used in the iptables mangle
659           table.
660 
661           You can use this target to compute and fill in the checksum in
662           a packet that lacks a checksum.  This is particularly useful,
663           if you need to work around old applications such as dhcp clients,
664           that do not work well with checksum offloads, but don't want to disable
665           checksum offload in your device.
666 
667           To compile it as a module, choose M here.  If unsure, say N.
668 
669 config NETFILTER_XT_TARGET_CLASSIFY
670         tristate '"CLASSIFY" target support'
671         depends on NETFILTER_ADVANCED
672         help
673           This option adds a `CLASSIFY' target, which enables the user to set
674           the priority of a packet. Some qdiscs can use this value for
675           classification, among these are:
676 
677           atm, cbq, dsmark, pfifo_fast, htb, prio
678 
679           To compile it as a module, choose M here.  If unsure, say N.
680 
681 config NETFILTER_XT_TARGET_CONNMARK
682         tristate  '"CONNMARK" target support'
683         depends on NF_CONNTRACK
684         depends on NETFILTER_ADVANCED
685         select NETFILTER_XT_CONNMARK
686         ---help---
687         This is a backwards-compat option for the user's convenience
688         (e.g. when running oldconfig). It selects
689         CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
690 
691 config NETFILTER_XT_TARGET_CONNSECMARK
692         tristate '"CONNSECMARK" target support'
693         depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
694         default m if NETFILTER_ADVANCED=n
695         help
696           The CONNSECMARK target copies security markings from packets
697           to connections, and restores security markings from connections
698           to packets (if the packets are not already marked).  This would
699           normally be used in conjunction with the SECMARK target.
700 
701           To compile it as a module, choose M here.  If unsure, say N.
702 
703 config NETFILTER_XT_TARGET_CT
704         tristate '"CT" target support'
705         depends on NF_CONNTRACK
706         depends on IP_NF_RAW || IP6_NF_RAW
707         depends on NETFILTER_ADVANCED
708         help
709           This options adds a `CT' target, which allows to specify initial
710           connection tracking parameters like events to be delivered and
711           the helper to be used.
712 
713           To compile it as a module, choose M here.  If unsure, say N.
714 
715 config NETFILTER_XT_TARGET_DSCP
716         tristate '"DSCP" and "TOS" target support'
717         depends on IP_NF_MANGLE || IP6_NF_MANGLE
718         depends on NETFILTER_ADVANCED
719         help
720           This option adds a `DSCP' target, which allows you to manipulate
721           the IPv4/IPv6 header DSCP field (differentiated services codepoint).
722 
723           The DSCP field can have any value between 0x0 and 0x3f inclusive.
724 
725           It also adds the "TOS" target, which allows you to create rules in
726           the "mangle" table which alter the Type Of Service field of an IPv4
727           or the Priority field of an IPv6 packet, prior to routing.
728 
729           To compile it as a module, choose M here.  If unsure, say N.
730 
731 config NETFILTER_XT_TARGET_HL
732         tristate '"HL" hoplimit target support'
733         depends on IP_NF_MANGLE || IP6_NF_MANGLE
734         depends on NETFILTER_ADVANCED
735         ---help---
736         This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
737         targets, which enable the user to change the
738         hoplimit/time-to-live value of the IP header.
739 
740         While it is safe to decrement the hoplimit/TTL value, the
741         modules also allow to increment and set the hoplimit value of
742         the header to arbitrary values. This is EXTREMELY DANGEROUS
743         since you can easily create immortal packets that loop
744         forever on the network.
745 
746 config NETFILTER_XT_TARGET_HMARK
747         tristate '"HMARK" target support'
748         depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
749         depends on NETFILTER_ADVANCED
750         ---help---
751         This option adds the "HMARK" target.
752 
753         The target allows you to create rules in the "raw" and "mangle" tables
754         which set the skbuff mark by means of hash calculation within a given
755         range. The nfmark can influence the routing method and can also be used
756         by other subsystems to change their behaviour.
757 
758         To compile it as a module, choose M here. If unsure, say N.
759 
760 config NETFILTER_XT_TARGET_IDLETIMER
761         tristate  "IDLETIMER target support"
762         depends on NETFILTER_ADVANCED
763         help
764 
765           This option adds the `IDLETIMER' target.  Each matching packet
766           resets the timer associated with label specified when the rule is
767           added.  When the timer expires, it triggers a sysfs notification.
768           The remaining time for expiration can be read via sysfs.
769 
770           To compile it as a module, choose M here.  If unsure, say N.
771 
772 config NETFILTER_XT_TARGET_LED
773         tristate '"LED" target support'
774         depends on LEDS_CLASS && LEDS_TRIGGERS
775         depends on NETFILTER_ADVANCED
776         help
777           This option adds a `LED' target, which allows you to blink LEDs in
778           response to particular packets passing through your machine.
779 
780           This can be used to turn a spare LED into a network activity LED,
781           which only flashes in response to FTP transfers, for example.  Or
782           you could have an LED which lights up for a minute or two every time
783           somebody connects to your machine via SSH.
784 
785           You will need support for the "led" class to make this work.
786 
787           To create an LED trigger for incoming SSH traffic:
788             iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
789 
790           Then attach the new trigger to an LED on your system:
791             echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
792 
793           For more information on the LEDs available on your system, see
794           Documentation/leds/leds-class.txt
795 
796 config NETFILTER_XT_TARGET_LOG
797         tristate "LOG target support"
798         select NF_LOG_COMMON
799         select NF_LOG_IPV4
800         select NF_LOG_IPV6 if IPV6
801         default m if NETFILTER_ADVANCED=n
802         help
803           This option adds a `LOG' target, which allows you to create rules in
804           any iptables table which records the packet header to the syslog.
805 
806           To compile it as a module, choose M here.  If unsure, say N.
807 
808 config NETFILTER_XT_TARGET_MARK
809         tristate '"MARK" target support'
810         depends on NETFILTER_ADVANCED
811         select NETFILTER_XT_MARK
812         ---help---
813         This is a backwards-compat option for the user's convenience
814         (e.g. when running oldconfig). It selects
815         CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
816 
817 config NETFILTER_XT_NAT
818         tristate '"SNAT and DNAT" targets support'
819         depends on NF_NAT
820         ---help---
821         This option enables the SNAT and DNAT targets.
822 
823         To compile it as a module, choose M here. If unsure, say N.
824 
825 config NETFILTER_XT_TARGET_NETMAP
826         tristate '"NETMAP" target support'
827         depends on NF_NAT
828         ---help---
829         NETMAP is an implementation of static 1:1 NAT mapping of network
830         addresses. It maps the network address part, while keeping the host
831         address part intact.
832 
833         To compile it as a module, choose M here. If unsure, say N.
834 
835 config NETFILTER_XT_TARGET_NFLOG
836         tristate '"NFLOG" target support'
837         default m if NETFILTER_ADVANCED=n
838         select NETFILTER_NETLINK_LOG
839         help
840           This option enables the NFLOG target, which allows to LOG
841           messages through nfnetlink_log.
842 
843           To compile it as a module, choose M here.  If unsure, say N.
844 
845 config NETFILTER_XT_TARGET_NFQUEUE
846         tristate '"NFQUEUE" target Support'
847         depends on NETFILTER_ADVANCED
848         select NETFILTER_NETLINK_QUEUE
849         help
850           This target replaced the old obsolete QUEUE target.
851 
852           As opposed to QUEUE, it supports 65535 different queues,
853           not just one.
854 
855           To compile it as a module, choose M here.  If unsure, say N.
856 
857 config NETFILTER_XT_TARGET_NOTRACK
858         tristate  '"NOTRACK" target support (DEPRECATED)'
859         depends on NF_CONNTRACK
860         depends on IP_NF_RAW || IP6_NF_RAW
861         depends on NETFILTER_ADVANCED
862         select NETFILTER_XT_TARGET_CT
863 
864 config NETFILTER_XT_TARGET_RATEEST
865         tristate '"RATEEST" target support'
866         depends on NETFILTER_ADVANCED
867         help
868           This option adds a `RATEEST' target, which allows to measure
869           rates similar to TC estimators. The `rateest' match can be
870           used to match on the measured rates.
871 
872           To compile it as a module, choose M here.  If unsure, say N.
873 
874 config NETFILTER_XT_TARGET_REDIRECT
875         tristate "REDIRECT target support"
876         depends on NF_NAT
877         select NF_NAT_REDIRECT
878         ---help---
879         REDIRECT is a special case of NAT: all incoming connections are
880         mapped onto the incoming interface's address, causing the packets to
881         come to the local machine instead of passing through. This is
882         useful for transparent proxies.
883 
884         To compile it as a module, choose M here. If unsure, say N.
885 
886 config NETFILTER_XT_TARGET_TEE
887         tristate '"TEE" - packet cloning to alternate destination'
888         depends on NETFILTER_ADVANCED
889         depends on IPV6 || IPV6=n
890         depends on !NF_CONNTRACK || NF_CONNTRACK
891         select NF_DUP_IPV4
892         select NF_DUP_IPV6 if IPV6
893         ---help---
894         This option adds a "TEE" target with which a packet can be cloned and
895         this clone be rerouted to another nexthop.
896 
897 config NETFILTER_XT_TARGET_TPROXY
898         tristate '"TPROXY" target transparent proxying support'
899         depends on NETFILTER_XTABLES
900         depends on NETFILTER_ADVANCED
901         depends on IPV6 || IPV6=n
902         depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
903         depends on IP_NF_MANGLE
904         select NF_DEFRAG_IPV4
905         select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
906         help
907           This option adds a `TPROXY' target, which is somewhat similar to
908           REDIRECT.  It can only be used in the mangle table and is useful
909           to redirect traffic to a transparent proxy.  It does _not_ depend
910           on Netfilter connection tracking and NAT, unlike REDIRECT.
911           For it to work you will have to configure certain iptables rules
912           and use policy routing. For more information on how to set it up
913           see Documentation/networking/tproxy.txt.
914 
915           To compile it as a module, choose M here.  If unsure, say N.
916 
917 config NETFILTER_XT_TARGET_TRACE
918         tristate  '"TRACE" target support'
919         depends on IP_NF_RAW || IP6_NF_RAW
920         depends on NETFILTER_ADVANCED
921         help
922           The TRACE target allows you to mark packets so that the kernel
923           will log every rule which match the packets as those traverse
924           the tables, chains, rules.
925 
926           If you want to compile it as a module, say M here and read
927           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
928 
929 config NETFILTER_XT_TARGET_SECMARK
930         tristate '"SECMARK" target support'
931         depends on NETWORK_SECMARK
932         default m if NETFILTER_ADVANCED=n
933         help
934           The SECMARK target allows security marking of network
935           packets, for use with security subsystems.
936 
937           To compile it as a module, choose M here.  If unsure, say N.
938 
939 config NETFILTER_XT_TARGET_TCPMSS
940         tristate '"TCPMSS" target support'
941         depends on IPV6 || IPV6=n
942         default m if NETFILTER_ADVANCED=n
943         ---help---
944           This option adds a `TCPMSS' target, which allows you to alter the
945           MSS value of TCP SYN packets, to control the maximum size for that
946           connection (usually limiting it to your outgoing interface's MTU
947           minus 40).
948 
949           This is used to overcome criminally braindead ISPs or servers which
950           block ICMP Fragmentation Needed packets.  The symptoms of this
951           problem are that everything works fine from your Linux
952           firewall/router, but machines behind it can never exchange large
953           packets:
954                 1) Web browsers connect, then hang with no data received.
955                 2) Small mail works fine, but large emails hang.
956                 3) ssh works fine, but scp hangs after initial handshaking.
957 
958           Workaround: activate this option and add a rule to your firewall
959           configuration like:
960 
961           iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
962                          -j TCPMSS --clamp-mss-to-pmtu
963 
964           To compile it as a module, choose M here.  If unsure, say N.
965 
966 config NETFILTER_XT_TARGET_TCPOPTSTRIP
967         tristate '"TCPOPTSTRIP" target support'
968         depends on IP_NF_MANGLE || IP6_NF_MANGLE
969         depends on NETFILTER_ADVANCED
970         help
971           This option adds a "TCPOPTSTRIP" target, which allows you to strip
972           TCP options from TCP packets.
973 
974 # alphabetically ordered list of matches
975 
976 comment "Xtables matches"
977 
978 config NETFILTER_XT_MATCH_ADDRTYPE
979         tristate '"addrtype" address type match support'
980         default m if NETFILTER_ADVANCED=n
981         ---help---
982           This option allows you to match what routing thinks of an address,
983           eg. UNICAST, LOCAL, BROADCAST, ...
984 
985           If you want to compile it as a module, say M here and read
986           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
987 
988 config NETFILTER_XT_MATCH_BPF
989         tristate '"bpf" match support'
990         depends on NETFILTER_ADVANCED
991         help
992           BPF matching applies a linux socket filter to each packet and
993           accepts those for which the filter returns non-zero.
994 
995           To compile it as a module, choose M here.  If unsure, say N.
996 
997 config NETFILTER_XT_MATCH_CGROUP
998         tristate '"control group" match support'
999         depends on NETFILTER_ADVANCED
1000         depends on CGROUPS
1001         select CGROUP_NET_CLASSID
1002         ---help---
1003         Socket/process control group matching allows you to match locally
1004         generated packets based on which net_cls control group processes
1005         belong to.
1006 
1007 config NETFILTER_XT_MATCH_CLUSTER
1008         tristate '"cluster" match support'
1009         depends on NF_CONNTRACK
1010         depends on NETFILTER_ADVANCED
1011         ---help---
1012           This option allows you to build work-load-sharing clusters of
1013           network servers/stateful firewalls without having a dedicated
1014           load-balancing router/server/switch. Basically, this match returns
1015           true when the packet must be handled by this cluster node. Thus,
1016           all nodes see all packets and this match decides which node handles
1017           what packets. The work-load sharing algorithm is based on source
1018           address hashing.
1019 
1020           If you say Y or M here, try `iptables -m cluster --help` for
1021           more information.
1022 
1023 config NETFILTER_XT_MATCH_COMMENT
1024         tristate  '"comment" match support'
1025         depends on NETFILTER_ADVANCED
1026         help
1027           This option adds a `comment' dummy-match, which allows you to put
1028           comments in your iptables ruleset.
1029 
1030           If you want to compile it as a module, say M here and read
1031           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1032 
1033 config NETFILTER_XT_MATCH_CONNBYTES
1034         tristate  '"connbytes" per-connection counter match support'
1035         depends on NF_CONNTRACK
1036         depends on NETFILTER_ADVANCED
1037         help
1038           This option adds a `connbytes' match, which allows you to match the
1039           number of bytes and/or packets for each direction within a connection.
1040 
1041           If you want to compile it as a module, say M here and read
1042           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1043 
1044 config NETFILTER_XT_MATCH_CONNLABEL
1045         tristate '"connlabel" match support'
1046         select NF_CONNTRACK_LABELS
1047         depends on NF_CONNTRACK
1048         depends on NETFILTER_ADVANCED
1049         ---help---
1050           This match allows you to test and assign userspace-defined labels names
1051           to a connection.  The kernel only stores bit values - mapping
1052           names to bits is done by userspace.
1053 
1054           Unlike connmark, more than 32 flag bits may be assigned to a
1055           connection simultaneously.
1056 
1057 config NETFILTER_XT_MATCH_CONNLIMIT
1058         tristate '"connlimit" match support'
1059         depends on NF_CONNTRACK
1060         depends on NETFILTER_ADVANCED
1061         ---help---
1062           This match allows you to match against the number of parallel
1063           connections to a server per client IP address (or address block).
1064 
1065 config NETFILTER_XT_MATCH_CONNMARK
1066         tristate  '"connmark" connection mark match support'
1067         depends on NF_CONNTRACK
1068         depends on NETFILTER_ADVANCED
1069         select NETFILTER_XT_CONNMARK
1070         ---help---
1071         This is a backwards-compat option for the user's convenience
1072         (e.g. when running oldconfig). It selects
1073         CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
1074 
1075 config NETFILTER_XT_MATCH_CONNTRACK
1076         tristate '"conntrack" connection tracking match support'
1077         depends on NF_CONNTRACK
1078         default m if NETFILTER_ADVANCED=n
1079         help
1080           This is a general conntrack match module, a superset of the state match.
1081 
1082           It allows matching on additional conntrack information, which is
1083           useful in complex configurations, such as NAT gateways with multiple
1084           internet links or tunnels.
1085 
1086           To compile it as a module, choose M here.  If unsure, say N.
1087 
1088 config NETFILTER_XT_MATCH_CPU
1089         tristate '"cpu" match support'
1090         depends on NETFILTER_ADVANCED
1091         help
1092           CPU matching allows you to match packets based on the CPU
1093           currently handling the packet.
1094 
1095           To compile it as a module, choose M here.  If unsure, say N.
1096 
1097 config NETFILTER_XT_MATCH_DCCP
1098         tristate '"dccp" protocol match support'
1099         depends on NETFILTER_ADVANCED
1100         default IP_DCCP
1101         help
1102           With this option enabled, you will be able to use the iptables
1103           `dccp' match in order to match on DCCP source/destination ports
1104           and DCCP flags.
1105 
1106           If you want to compile it as a module, say M here and read
1107           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1108 
1109 config NETFILTER_XT_MATCH_DEVGROUP
1110         tristate '"devgroup" match support'
1111         depends on NETFILTER_ADVANCED
1112         help
1113           This options adds a `devgroup' match, which allows to match on the
1114           device group a network device is assigned to.
1115 
1116           To compile it as a module, choose M here.  If unsure, say N.
1117 
1118 config NETFILTER_XT_MATCH_DSCP
1119         tristate '"dscp" and "tos" match support'
1120         depends on NETFILTER_ADVANCED
1121         help
1122           This option adds a `DSCP' match, which allows you to match against
1123           the IPv4/IPv6 header DSCP field (differentiated services codepoint).
1124 
1125           The DSCP field can have any value between 0x0 and 0x3f inclusive.
1126 
1127           It will also add a "tos" match, which allows you to match packets
1128           based on the Type Of Service fields of the IPv4 packet (which share
1129           the same bits as DSCP).
1130 
1131           To compile it as a module, choose M here.  If unsure, say N.
1132 
1133 config NETFILTER_XT_MATCH_ECN
1134         tristate '"ecn" match support'
1135         depends on NETFILTER_ADVANCED
1136         ---help---
1137         This option adds an "ECN" match, which allows you to match against
1138         the IPv4 and TCP header ECN fields.
1139 
1140         To compile it as a module, choose M here. If unsure, say N.
1141 
1142 config NETFILTER_XT_MATCH_ESP
1143         tristate '"esp" match support'
1144         depends on NETFILTER_ADVANCED
1145         help
1146           This match extension allows you to match a range of SPIs
1147           inside ESP header of IPSec packets.
1148 
1149           To compile it as a module, choose M here.  If unsure, say N.
1150 
1151 config NETFILTER_XT_MATCH_HASHLIMIT
1152         tristate '"hashlimit" match support'
1153         depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1154         depends on NETFILTER_ADVANCED
1155         help
1156           This option adds a `hashlimit' match.
1157 
1158           As opposed to `limit', this match dynamically creates a hash table
1159           of limit buckets, based on your selection of source/destination
1160           addresses and/or ports.
1161 
1162           It enables you to express policies like `10kpps for any given
1163           destination address' or `500pps from any given source address'
1164           with a single rule.
1165 
1166 config NETFILTER_XT_MATCH_HELPER
1167         tristate '"helper" match support'
1168         depends on NF_CONNTRACK
1169         depends on NETFILTER_ADVANCED
1170         help
1171           Helper matching allows you to match packets in dynamic connections
1172           tracked by a conntrack-helper, ie. ip_conntrack_ftp
1173 
1174           To compile it as a module, choose M here.  If unsure, say Y.
1175 
1176 config NETFILTER_XT_MATCH_HL
1177         tristate '"hl" hoplimit/TTL match support'
1178         depends on NETFILTER_ADVANCED
1179         ---help---
1180         HL matching allows you to match packets based on the hoplimit
1181         in the IPv6 header, or the time-to-live field in the IPv4
1182         header of the packet.
1183 
1184 config NETFILTER_XT_MATCH_IPCOMP
1185         tristate '"ipcomp" match support'
1186         depends on NETFILTER_ADVANCED
1187         help
1188           This match extension allows you to match a range of CPIs(16 bits)
1189           inside IPComp header of IPSec packets.
1190 
1191           To compile it as a module, choose M here.  If unsure, say N.
1192 
1193 config NETFILTER_XT_MATCH_IPRANGE
1194         tristate '"iprange" address range match support'
1195         depends on NETFILTER_ADVANCED
1196         ---help---
1197         This option adds a "iprange" match, which allows you to match based on
1198         an IP address range. (Normal iptables only matches on single addresses
1199         with an optional mask.)
1200 
1201         If unsure, say M.
1202 
1203 config NETFILTER_XT_MATCH_IPVS
1204         tristate '"ipvs" match support'
1205         depends on IP_VS
1206         depends on NETFILTER_ADVANCED
1207         depends on NF_CONNTRACK
1208         help
1209           This option allows you to match against IPVS properties of a packet.
1210 
1211           If unsure, say N.
1212 
1213 config NETFILTER_XT_MATCH_L2TP
1214         tristate '"l2tp" match support'
1215         depends on NETFILTER_ADVANCED
1216         default L2TP
1217         ---help---
1218         This option adds an "L2TP" match, which allows you to match against
1219         L2TP protocol header fields.
1220 
1221         To compile it as a module, choose M here. If unsure, say N.
1222 
1223 config NETFILTER_XT_MATCH_LENGTH
1224         tristate '"length" match support'
1225         depends on NETFILTER_ADVANCED
1226         help
1227           This option allows you to match the length of a packet against a
1228           specific value or range of values.
1229 
1230           To compile it as a module, choose M here.  If unsure, say N.
1231 
1232 config NETFILTER_XT_MATCH_LIMIT
1233         tristate '"limit" match support'
1234         depends on NETFILTER_ADVANCED
1235         help
1236           limit matching allows you to control the rate at which a rule can be
1237           matched: mainly useful in combination with the LOG target ("LOG
1238           target support", below) and to avoid some Denial of Service attacks.
1239 
1240           To compile it as a module, choose M here.  If unsure, say N.
1241 
1242 config NETFILTER_XT_MATCH_MAC
1243         tristate '"mac" address match support'
1244         depends on NETFILTER_ADVANCED
1245         help
1246           MAC matching allows you to match packets based on the source
1247           Ethernet address of the packet.
1248 
1249           To compile it as a module, choose M here.  If unsure, say N.
1250 
1251 config NETFILTER_XT_MATCH_MARK
1252         tristate '"mark" match support'
1253         depends on NETFILTER_ADVANCED
1254         select NETFILTER_XT_MARK
1255         ---help---
1256         This is a backwards-compat option for the user's convenience
1257         (e.g. when running oldconfig). It selects
1258         CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
1259 
1260 config NETFILTER_XT_MATCH_MULTIPORT
1261         tristate '"multiport" Multiple port match support'
1262         depends on NETFILTER_ADVANCED
1263         help
1264           Multiport matching allows you to match TCP or UDP packets based on
1265           a series of source or destination ports: normally a rule can only
1266           match a single range of ports.
1267 
1268           To compile it as a module, choose M here.  If unsure, say N.
1269 
1270 config NETFILTER_XT_MATCH_NFACCT
1271         tristate '"nfacct" match support'
1272         depends on NETFILTER_ADVANCED
1273         select NETFILTER_NETLINK_ACCT
1274         help
1275           This option allows you to use the extended accounting through
1276           nfnetlink_acct.
1277 
1278           To compile it as a module, choose M here.  If unsure, say N.
1279 
1280 config NETFILTER_XT_MATCH_OSF
1281         tristate '"osf" Passive OS fingerprint match'
1282         depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
1283         help
1284           This option selects the Passive OS Fingerprinting match module
1285           that allows to passively match the remote operating system by
1286           analyzing incoming TCP SYN packets.
1287 
1288           Rules and loading software can be downloaded from
1289           http://www.ioremap.net/projects/osf
1290 
1291           To compile it as a module, choose M here.  If unsure, say N.
1292 
1293 config NETFILTER_XT_MATCH_OWNER
1294         tristate '"owner" match support'
1295         depends on NETFILTER_ADVANCED
1296         ---help---
1297         Socket owner matching allows you to match locally-generated packets
1298         based on who created the socket: the user or group. It is also
1299         possible to check whether a socket actually exists.
1300 
1301 config NETFILTER_XT_MATCH_POLICY
1302         tristate 'IPsec "policy" match support'
1303         depends on XFRM
1304         default m if NETFILTER_ADVANCED=n
1305         help
1306           Policy matching allows you to match packets based on the
1307           IPsec policy that was used during decapsulation/will
1308           be used during encapsulation.
1309 
1310           To compile it as a module, choose M here.  If unsure, say N.
1311 
1312 config NETFILTER_XT_MATCH_PHYSDEV
1313         tristate '"physdev" match support'
1314         depends on BRIDGE && BRIDGE_NETFILTER
1315         depends on NETFILTER_ADVANCED
1316         help
1317           Physdev packet matching matches against the physical bridge ports
1318           the IP packet arrived on or will leave by.
1319 
1320           To compile it as a module, choose M here.  If unsure, say N.
1321 
1322 config NETFILTER_XT_MATCH_PKTTYPE
1323         tristate '"pkttype" packet type match support'
1324         depends on NETFILTER_ADVANCED
1325         help
1326           Packet type matching allows you to match a packet by
1327           its "class", eg. BROADCAST, MULTICAST, ...
1328 
1329           Typical usage:
1330           iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
1331 
1332           To compile it as a module, choose M here.  If unsure, say N.
1333 
1334 config NETFILTER_XT_MATCH_QUOTA
1335         tristate '"quota" match support'
1336         depends on NETFILTER_ADVANCED
1337         help
1338           This option adds a `quota' match, which allows to match on a
1339           byte counter.
1340 
1341           If you want to compile it as a module, say M here and read
1342           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1343 
1344 config NETFILTER_XT_MATCH_RATEEST
1345         tristate '"rateest" match support'
1346         depends on NETFILTER_ADVANCED
1347         select NETFILTER_XT_TARGET_RATEEST
1348         help
1349           This option adds a `rateest' match, which allows to match on the
1350           rate estimated by the RATEEST target.
1351 
1352           To compile it as a module, choose M here.  If unsure, say N.
1353 
1354 config NETFILTER_XT_MATCH_REALM
1355         tristate  '"realm" match support'
1356         depends on NETFILTER_ADVANCED
1357         select IP_ROUTE_CLASSID
1358         help
1359           This option adds a `realm' match, which allows you to use the realm
1360           key from the routing subsystem inside iptables.
1361 
1362           This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option 
1363           in tc world.
1364 
1365           If you want to compile it as a module, say M here and read
1366           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1367 
1368 config NETFILTER_XT_MATCH_RECENT
1369         tristate '"recent" match support'
1370         depends on NETFILTER_ADVANCED
1371         ---help---
1372         This match is used for creating one or many lists of recently
1373         used addresses and then matching against that/those list(s).
1374 
1375         Short options are available by using 'iptables -m recent -h'
1376         Official Website: <http://snowman.net/projects/ipt_recent/>
1377 
1378 config NETFILTER_XT_MATCH_SCTP
1379         tristate  '"sctp" protocol match support'
1380         depends on NETFILTER_ADVANCED
1381         default IP_SCTP
1382         help
1383           With this option enabled, you will be able to use the 
1384           `sctp' match in order to match on SCTP source/destination ports
1385           and SCTP chunk types.
1386 
1387           If you want to compile it as a module, say M here and read
1388           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1389 
1390 config NETFILTER_XT_MATCH_SOCKET
1391         tristate '"socket" match support'
1392         depends on NETFILTER_XTABLES
1393         depends on NETFILTER_ADVANCED
1394         depends on !NF_CONNTRACK || NF_CONNTRACK
1395         depends on IPV6 || IPV6=n
1396         depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1397         select NF_DEFRAG_IPV4
1398         select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1399         help
1400           This option adds a `socket' match, which can be used to match
1401           packets for which a TCP or UDP socket lookup finds a valid socket.
1402           It can be used in combination with the MARK target and policy
1403           routing to implement full featured non-locally bound sockets.
1404 
1405           To compile it as a module, choose M here.  If unsure, say N.
1406 
1407 config NETFILTER_XT_MATCH_STATE
1408         tristate '"state" match support'
1409         depends on NF_CONNTRACK
1410         default m if NETFILTER_ADVANCED=n
1411         help
1412           Connection state matching allows you to match packets based on their
1413           relationship to a tracked connection (ie. previous packets).  This
1414           is a powerful tool for packet classification.
1415 
1416           To compile it as a module, choose M here.  If unsure, say N.
1417 
1418 config NETFILTER_XT_MATCH_STATISTIC
1419         tristate '"statistic" match support'
1420         depends on NETFILTER_ADVANCED
1421         help
1422           This option adds a `statistic' match, which allows you to match
1423           on packets periodically or randomly with a given percentage.
1424 
1425           To compile it as a module, choose M here.  If unsure, say N.
1426 
1427 config NETFILTER_XT_MATCH_STRING
1428         tristate  '"string" match support'
1429         depends on NETFILTER_ADVANCED
1430         select TEXTSEARCH
1431         select TEXTSEARCH_KMP
1432         select TEXTSEARCH_BM
1433         select TEXTSEARCH_FSM
1434         help
1435           This option adds a `string' match, which allows you to look for
1436           pattern matchings in packets.
1437 
1438           To compile it as a module, choose M here.  If unsure, say N.
1439 
1440 config NETFILTER_XT_MATCH_TCPMSS
1441         tristate '"tcpmss" match support'
1442         depends on NETFILTER_ADVANCED
1443         help
1444           This option adds a `tcpmss' match, which allows you to examine the
1445           MSS value of TCP SYN packets, which control the maximum packet size
1446           for that connection.
1447 
1448           To compile it as a module, choose M here.  If unsure, say N.
1449 
1450 config NETFILTER_XT_MATCH_TIME
1451         tristate '"time" match support'
1452         depends on NETFILTER_ADVANCED
1453         ---help---
1454           This option adds a "time" match, which allows you to match based on
1455           the packet arrival time (at the machine which netfilter is running)
1456           on) or departure time/date (for locally generated packets).
1457 
1458           If you say Y here, try `iptables -m time --help` for
1459           more information.
1460 
1461           If you want to compile it as a module, say M here.
1462           If unsure, say N.
1463 
1464 config NETFILTER_XT_MATCH_U32
1465         tristate '"u32" match support'
1466         depends on NETFILTER_ADVANCED
1467         ---help---
1468           u32 allows you to extract quantities of up to 4 bytes from a packet,
1469           AND them with specified masks, shift them by specified amounts and
1470           test whether the results are in any of a set of specified ranges.
1471           The specification of what to extract is general enough to skip over
1472           headers with lengths stored in the packet, as in IP or TCP header
1473           lengths.
1474 
1475           Details and examples are in the kernel module source.
1476 
1477 endif # NETFILTER_XTABLES
1478 
1479 endmenu
1480 
1481 source "net/netfilter/ipset/Kconfig"
1482 
1483 source "net/netfilter/ipvs/Kconfig"

This page was automatically generated by LXR 0.3.1 (source).  •  Linux is a registered trademark of Linus Torvalds  •  Contact us