Version:  2.0.40 2.2.26 2.4.37 3.5 3.6 3.7 3.8 3.9 3.10 3.11 3.12 3.13 3.14 3.15 3.16 3.17 3.18 3.19 4.0 4.1

Linux/net/netfilter/Kconfig

  1 menu "Core Netfilter Configuration"
  2         depends on NET && INET && NETFILTER
  3 
  4 config NETFILTER_NETLINK
  5         tristate
  6 
  7 config NETFILTER_NETLINK_ACCT
  8 tristate "Netfilter NFACCT over NFNETLINK interface"
  9         depends on NETFILTER_ADVANCED
 10         select NETFILTER_NETLINK
 11         help
 12           If this option is enabled, the kernel will include support
 13           for extended accounting via NFNETLINK.
 14 
 15 config NETFILTER_NETLINK_QUEUE
 16         tristate "Netfilter NFQUEUE over NFNETLINK interface"
 17         depends on NETFILTER_ADVANCED
 18         select NETFILTER_NETLINK
 19         help
 20           If this option is enabled, the kernel will include support
 21           for queueing packets via NFNETLINK.
 22           
 23 config NETFILTER_NETLINK_LOG
 24         tristate "Netfilter LOG over NFNETLINK interface"
 25         default m if NETFILTER_ADVANCED=n
 26         select NETFILTER_NETLINK
 27         help
 28           If this option is enabled, the kernel will include support
 29           for logging packets via NFNETLINK.
 30 
 31           This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms,
 32           and is also scheduled to replace the old syslog-based ipt_LOG
 33           and ip6t_LOG modules.
 34 
 35 config NF_CONNTRACK
 36         tristate "Netfilter connection tracking support"
 37         default m if NETFILTER_ADVANCED=n
 38         help
 39           Connection tracking keeps a record of what packets have passed
 40           through your machine, in order to figure out how they are related
 41           into connections.
 42 
 43           This is required to do Masquerading or other kinds of Network
 44           Address Translation.  It can also be used to enhance packet
 45           filtering (see `Connection state match support' below).
 46 
 47           To compile it as a module, choose M here.  If unsure, say N.
 48 
 49 config NF_LOG_COMMON
 50         tristate
 51 
 52 if NF_CONNTRACK
 53 
 54 config NF_CONNTRACK_MARK
 55         bool  'Connection mark tracking support'
 56         depends on NETFILTER_ADVANCED
 57         help
 58           This option enables support for connection marks, used by the
 59           `CONNMARK' target and `connmark' match. Similar to the mark value
 60           of packets, but this mark value is kept in the conntrack session
 61           instead of the individual packets.
 62 
 63 config NF_CONNTRACK_SECMARK
 64         bool  'Connection tracking security mark support'
 65         depends on NETWORK_SECMARK
 66         default m if NETFILTER_ADVANCED=n
 67         help
 68           This option enables security markings to be applied to
 69           connections.  Typically they are copied to connections from
 70           packets using the CONNSECMARK target and copied back from
 71           connections to packets with the same target, with the packets
 72           being originally labeled via SECMARK.
 73 
 74           If unsure, say 'N'.
 75 
 76 config NF_CONNTRACK_ZONES
 77         bool  'Connection tracking zones'
 78         depends on NETFILTER_ADVANCED
 79         depends on NETFILTER_XT_TARGET_CT
 80         help
 81           This option enables support for connection tracking zones.
 82           Normally, each connection needs to have a unique system wide
 83           identity. Connection tracking zones allow to have multiple
 84           connections using the same identity, as long as they are
 85           contained in different zones.
 86 
 87           If unsure, say `N'.
 88 
 89 config NF_CONNTRACK_PROCFS
 90         bool "Supply CT list in procfs (OBSOLETE)"
 91         default y
 92         depends on PROC_FS
 93         ---help---
 94         This option enables for the list of known conntrack entries
 95         to be shown in procfs under net/netfilter/nf_conntrack. This
 96         is considered obsolete in favor of using the conntrack(8)
 97         tool which uses Netlink.
 98 
 99 config NF_CONNTRACK_EVENTS
100         bool "Connection tracking events"
101         depends on NETFILTER_ADVANCED
102         help
103           If this option is enabled, the connection tracking code will
104           provide a notifier chain that can be used by other kernel code
105           to get notified about changes in the connection tracking state.
106 
107           If unsure, say `N'.
108 
109 config NF_CONNTRACK_TIMEOUT
110         bool  'Connection tracking timeout'
111         depends on NETFILTER_ADVANCED
112         help
113           This option enables support for connection tracking timeout
114           extension. This allows you to attach timeout policies to flow
115           via the CT target.
116 
117           If unsure, say `N'.
118 
119 config NF_CONNTRACK_TIMESTAMP
120         bool  'Connection tracking timestamping'
121         depends on NETFILTER_ADVANCED
122         help
123           This option enables support for connection tracking timestamping.
124           This allows you to store the flow start-time and to obtain
125           the flow-stop time (once it has been destroyed) via Connection
126           tracking events.
127 
128           If unsure, say `N'.
129 
130 config NF_CONNTRACK_LABELS
131         bool
132         help
133           This option enables support for assigning user-defined flag bits
134           to connection tracking entries.  It selected by the connlabel match.
135 
136 config NF_CT_PROTO_DCCP
137         tristate 'DCCP protocol connection tracking support'
138         depends on NETFILTER_ADVANCED
139         default IP_DCCP
140         help
141           With this option enabled, the layer 3 independent connection
142           tracking code will be able to do state tracking on DCCP connections.
143 
144           If unsure, say 'N'.
145 
146 config NF_CT_PROTO_GRE
147         tristate
148 
149 config NF_CT_PROTO_SCTP
150         tristate 'SCTP protocol connection tracking support'
151         depends on NETFILTER_ADVANCED
152         default IP_SCTP
153         help
154           With this option enabled, the layer 3 independent connection
155           tracking code will be able to do state tracking on SCTP connections.
156 
157           If you want to compile it as a module, say M here and read
158           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
159 
160 config NF_CT_PROTO_UDPLITE
161         tristate 'UDP-Lite protocol connection tracking support'
162         depends on NETFILTER_ADVANCED
163         help
164           With this option enabled, the layer 3 independent connection
165           tracking code will be able to do state tracking on UDP-Lite
166           connections.
167 
168           To compile it as a module, choose M here.  If unsure, say N.
169 
170 config NF_CONNTRACK_AMANDA
171         tristate "Amanda backup protocol support"
172         depends on NETFILTER_ADVANCED
173         select TEXTSEARCH
174         select TEXTSEARCH_KMP
175         help
176           If you are running the Amanda backup package <http://www.amanda.org/>
177           on this machine or machines that will be MASQUERADED through this
178           machine, then you may want to enable this feature.  This allows the
179           connection tracking and natting code to allow the sub-channels that
180           Amanda requires for communication of the backup data, messages and
181           index.
182 
183           To compile it as a module, choose M here.  If unsure, say N.
184 
185 config NF_CONNTRACK_FTP
186         tristate "FTP protocol support"
187         default m if NETFILTER_ADVANCED=n
188         help
189           Tracking FTP connections is problematic: special helpers are
190           required for tracking them, and doing masquerading and other forms
191           of Network Address Translation on them.
192 
193           This is FTP support on Layer 3 independent connection tracking.
194           Layer 3 independent connection tracking is experimental scheme
195           which generalize ip_conntrack to support other layer 3 protocols.
196 
197           To compile it as a module, choose M here.  If unsure, say N.
198 
199 config NF_CONNTRACK_H323
200         tristate "H.323 protocol support"
201         depends on (IPV6 || IPV6=n)
202         depends on NETFILTER_ADVANCED
203         help
204           H.323 is a VoIP signalling protocol from ITU-T. As one of the most
205           important VoIP protocols, it is widely used by voice hardware and
206           software including voice gateways, IP phones, Netmeeting, OpenPhone,
207           Gnomemeeting, etc.
208 
209           With this module you can support H.323 on a connection tracking/NAT
210           firewall.
211 
212           This module supports RAS, Fast Start, H.245 Tunnelling, Call
213           Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
214           whiteboard, file transfer, etc. For more information, please
215           visit http://nath323.sourceforge.net/.
216 
217           To compile it as a module, choose M here.  If unsure, say N.
218 
219 config NF_CONNTRACK_IRC
220         tristate "IRC protocol support"
221         default m if NETFILTER_ADVANCED=n
222         help
223           There is a commonly-used extension to IRC called
224           Direct Client-to-Client Protocol (DCC).  This enables users to send
225           files to each other, and also chat to each other without the need
226           of a server.  DCC Sending is used anywhere you send files over IRC,
227           and DCC Chat is most commonly used by Eggdrop bots.  If you are
228           using NAT, this extension will enable you to send files and initiate
229           chats.  Note that you do NOT need this extension to get files or
230           have others initiate chats, or everything else in IRC.
231 
232           To compile it as a module, choose M here.  If unsure, say N.
233 
234 config NF_CONNTRACK_BROADCAST
235         tristate
236 
237 config NF_CONNTRACK_NETBIOS_NS
238         tristate "NetBIOS name service protocol support"
239         select NF_CONNTRACK_BROADCAST
240         help
241           NetBIOS name service requests are sent as broadcast messages from an
242           unprivileged port and responded to with unicast messages to the
243           same port. This make them hard to firewall properly because connection
244           tracking doesn't deal with broadcasts. This helper tracks locally
245           originating NetBIOS name service requests and the corresponding
246           responses. It relies on correct IP address configuration, specifically
247           netmask and broadcast address. When properly configured, the output
248           of "ip address show" should look similar to this:
249 
250           $ ip -4 address show eth0
251           4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
252               inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
253 
254           To compile it as a module, choose M here.  If unsure, say N.
255 
256 config NF_CONNTRACK_SNMP
257         tristate "SNMP service protocol support"
258         depends on NETFILTER_ADVANCED
259         select NF_CONNTRACK_BROADCAST
260         help
261           SNMP service requests are sent as broadcast messages from an
262           unprivileged port and responded to with unicast messages to the
263           same port. This make them hard to firewall properly because connection
264           tracking doesn't deal with broadcasts. This helper tracks locally
265           originating SNMP service requests and the corresponding
266           responses. It relies on correct IP address configuration, specifically
267           netmask and broadcast address.
268 
269           To compile it as a module, choose M here.  If unsure, say N.
270 
271 config NF_CONNTRACK_PPTP
272         tristate "PPtP protocol support"
273         depends on NETFILTER_ADVANCED
274         select NF_CT_PROTO_GRE
275         help
276           This module adds support for PPTP (Point to Point Tunnelling
277           Protocol, RFC2637) connection tracking and NAT.
278 
279           If you are running PPTP sessions over a stateful firewall or NAT
280           box, you may want to enable this feature.
281 
282           Please note that not all PPTP modes of operation are supported yet.
283           Specifically these limitations exist:
284             - Blindly assumes that control connections are always established
285               in PNS->PAC direction. This is a violation of RFC2637.
286             - Only supports a single call within each session
287 
288           To compile it as a module, choose M here.  If unsure, say N.
289 
290 config NF_CONNTRACK_SANE
291         tristate "SANE protocol support"
292         depends on NETFILTER_ADVANCED
293         help
294           SANE is a protocol for remote access to scanners as implemented
295           by the 'saned' daemon. Like FTP, it uses separate control and
296           data connections.
297 
298           With this module you can support SANE on a connection tracking
299           firewall.
300 
301           To compile it as a module, choose M here.  If unsure, say N.
302 
303 config NF_CONNTRACK_SIP
304         tristate "SIP protocol support"
305         default m if NETFILTER_ADVANCED=n
306         help
307           SIP is an application-layer control protocol that can establish,
308           modify, and terminate multimedia sessions (conferences) such as
309           Internet telephony calls. With the ip_conntrack_sip and
310           the nf_nat_sip modules you can support the protocol on a connection
311           tracking/NATing firewall.
312 
313           To compile it as a module, choose M here.  If unsure, say N.
314 
315 config NF_CONNTRACK_TFTP
316         tristate "TFTP protocol support"
317         depends on NETFILTER_ADVANCED
318         help
319           TFTP connection tracking helper, this is required depending
320           on how restrictive your ruleset is.
321           If you are using a tftp client behind -j SNAT or -j MASQUERADING
322           you will need this.
323 
324           To compile it as a module, choose M here.  If unsure, say N.
325 
326 config NF_CT_NETLINK
327         tristate 'Connection tracking netlink interface'
328         select NETFILTER_NETLINK
329         default m if NETFILTER_ADVANCED=n
330         help
331           This option enables support for a netlink-based userspace interface
332 
333 config NF_CT_NETLINK_TIMEOUT
334         tristate  'Connection tracking timeout tuning via Netlink'
335         select NETFILTER_NETLINK
336         depends on NETFILTER_ADVANCED
337         help
338           This option enables support for connection tracking timeout
339           fine-grain tuning. This allows you to attach specific timeout
340           policies to flows, instead of using the global timeout policy.
341 
342           If unsure, say `N'.
343 
344 config NF_CT_NETLINK_HELPER
345         tristate 'Connection tracking helpers in user-space via Netlink'
346         select NETFILTER_NETLINK
347         depends on NF_CT_NETLINK
348         depends on NETFILTER_NETLINK_QUEUE
349         depends on NETFILTER_NETLINK_QUEUE_CT
350         depends on NETFILTER_ADVANCED
351         help
352           This option enables the user-space connection tracking helpers
353           infrastructure.
354 
355           If unsure, say `N'.
356 
357 config NETFILTER_NETLINK_QUEUE_CT
358         bool "NFQUEUE integration with Connection Tracking"
359         default n
360         depends on NETFILTER_NETLINK_QUEUE
361         help
362           If this option is enabled, NFQUEUE can include Connection Tracking
363           information together with the packet is the enqueued via NFNETLINK.
364 
365 config NF_NAT
366         tristate
367 
368 config NF_NAT_NEEDED
369         bool
370         depends on NF_NAT
371         default y
372 
373 config NF_NAT_PROTO_DCCP
374         tristate
375         depends on NF_NAT && NF_CT_PROTO_DCCP
376         default NF_NAT && NF_CT_PROTO_DCCP
377 
378 config NF_NAT_PROTO_UDPLITE
379         tristate
380         depends on NF_NAT && NF_CT_PROTO_UDPLITE
381         default NF_NAT && NF_CT_PROTO_UDPLITE
382 
383 config NF_NAT_PROTO_SCTP
384         tristate
385         default NF_NAT && NF_CT_PROTO_SCTP
386         depends on NF_NAT && NF_CT_PROTO_SCTP
387         select LIBCRC32C
388 
389 config NF_NAT_AMANDA
390         tristate
391         depends on NF_CONNTRACK && NF_NAT
392         default NF_NAT && NF_CONNTRACK_AMANDA
393 
394 config NF_NAT_FTP
395         tristate
396         depends on NF_CONNTRACK && NF_NAT
397         default NF_NAT && NF_CONNTRACK_FTP
398 
399 config NF_NAT_IRC
400         tristate
401         depends on NF_CONNTRACK && NF_NAT
402         default NF_NAT && NF_CONNTRACK_IRC
403 
404 config NF_NAT_SIP
405         tristate
406         depends on NF_CONNTRACK && NF_NAT
407         default NF_NAT && NF_CONNTRACK_SIP
408 
409 config NF_NAT_TFTP
410         tristate
411         depends on NF_CONNTRACK && NF_NAT
412         default NF_NAT && NF_CONNTRACK_TFTP
413 
414 config NF_NAT_REDIRECT
415         tristate "IPv4/IPv6 redirect support"
416         depends on NF_NAT
417         help
418           This is the kernel functionality to redirect packets to local
419           machine through NAT.
420 
421 config NETFILTER_SYNPROXY
422         tristate
423 
424 endif # NF_CONNTRACK
425 
426 config NF_TABLES
427         select NETFILTER_NETLINK
428         tristate "Netfilter nf_tables support"
429         help
430           nftables is the new packet classification framework that intends to
431           replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
432           provides a pseudo-state machine with an extensible instruction-set
433           (also known as expressions) that the userspace 'nft' utility
434           (http://www.netfilter.org/projects/nftables) uses to build the
435           rule-set. It also comes with the generic set infrastructure that
436           allows you to construct mappings between matchings and actions
437           for performance lookups.
438 
439           To compile it as a module, choose M here.
440 
441 if NF_TABLES
442 
443 config NF_TABLES_INET
444         depends on IPV6
445         select NF_TABLES_IPV4
446         select NF_TABLES_IPV6
447         tristate "Netfilter nf_tables mixed IPv4/IPv6 tables support"
448         help
449           This option enables support for a mixed IPv4/IPv6 "inet" table.
450 
451 config NFT_EXTHDR
452         tristate "Netfilter nf_tables IPv6 exthdr module"
453         help
454           This option adds the "exthdr" expression that you can use to match
455           IPv6 extension headers.
456 
457 config NFT_META
458         tristate "Netfilter nf_tables meta module"
459         help
460           This option adds the "meta" expression that you can use to match and
461           to set packet metainformation such as the packet mark.
462 
463 config NFT_CT
464         depends on NF_CONNTRACK
465         tristate "Netfilter nf_tables conntrack module"
466         help
467           This option adds the "meta" expression that you can use to match
468           connection tracking information such as the flow state.
469 
470 config NFT_RBTREE
471         tristate "Netfilter nf_tables rbtree set module"
472         help
473           This option adds the "rbtree" set type (Red Black tree) that is used
474           to build interval-based sets.
475 
476 config NFT_HASH
477         tristate "Netfilter nf_tables hash set module"
478         help
479           This option adds the "hash" set type that is used to build one-way
480           mappings between matchings and actions.
481 
482 config NFT_COUNTER
483         tristate "Netfilter nf_tables counter module"
484         help
485           This option adds the "counter" expression that you can use to
486           include packet and byte counters in a rule.
487 
488 config NFT_LOG
489         tristate "Netfilter nf_tables log module"
490         help
491           This option adds the "log" expression that you can use to log
492           packets matching some criteria.
493 
494 config NFT_LIMIT
495         tristate "Netfilter nf_tables limit module"
496         help
497           This option adds the "limit" expression that you can use to
498           ratelimit rule matchings.
499 
500 config NFT_MASQ
501         depends on NF_CONNTRACK
502         depends on NF_NAT
503         tristate "Netfilter nf_tables masquerade support"
504         help
505           This option adds the "masquerade" expression that you can use
506           to perform NAT in the masquerade flavour.
507 
508 config NFT_REDIR
509         depends on NF_CONNTRACK
510         depends on NF_NAT
511         tristate "Netfilter nf_tables redirect support"
512         help
513           This options adds the "redirect" expression that you can use
514           to perform NAT in the redirect flavour.
515 
516 config NFT_NAT
517         depends on NF_CONNTRACK
518         select NF_NAT
519         tristate "Netfilter nf_tables nat module"
520         help
521           This option adds the "nat" expression that you can use to perform
522           typical Network Address Translation (NAT) packet transformations.
523 
524 config NFT_QUEUE
525         depends on NETFILTER_NETLINK_QUEUE
526         tristate "Netfilter nf_tables queue module"
527         help
528           This is required if you intend to use the userspace queueing
529           infrastructure (also known as NFQUEUE) from nftables.
530 
531 config NFT_REJECT
532         default m if NETFILTER_ADVANCED=n
533         tristate "Netfilter nf_tables reject support"
534         help
535           This option adds the "reject" expression that you can use to
536           explicitly deny and notify via TCP reset/ICMP informational errors
537           unallowed traffic.
538 
539 config NFT_REJECT_INET
540         depends on NF_TABLES_INET
541         default NFT_REJECT
542         tristate
543 
544 config NFT_COMPAT
545         depends on NETFILTER_XTABLES
546         tristate "Netfilter x_tables over nf_tables module"
547         help
548           This is required if you intend to use any of existing
549           x_tables match/target extensions over the nf_tables
550           framework.
551 
552 endif # NF_TABLES
553 
554 config NETFILTER_XTABLES
555         tristate "Netfilter Xtables support (required for ip_tables)"
556         default m if NETFILTER_ADVANCED=n
557         help
558           This is required if you intend to use any of ip_tables,
559           ip6_tables or arp_tables.
560 
561 if NETFILTER_XTABLES
562 
563 comment "Xtables combined modules"
564 
565 config NETFILTER_XT_MARK
566         tristate 'nfmark target and match support'
567         default m if NETFILTER_ADVANCED=n
568         ---help---
569         This option adds the "MARK" target and "mark" match.
570 
571         Netfilter mark matching allows you to match packets based on the
572         "nfmark" value in the packet.
573         The target allows you to create rules in the "mangle" table which alter
574         the netfilter mark (nfmark) field associated with the packet.
575 
576         Prior to routing, the nfmark can influence the routing method (see
577         "Use netfilter MARK value as routing key") and can also be used by
578         other subsystems to change their behavior.
579 
580 config NETFILTER_XT_CONNMARK
581         tristate 'ctmark target and match support'
582         depends on NF_CONNTRACK
583         depends on NETFILTER_ADVANCED
584         select NF_CONNTRACK_MARK
585         ---help---
586         This option adds the "CONNMARK" target and "connmark" match.
587 
588         Netfilter allows you to store a mark value per connection (a.k.a.
589         ctmark), similarly to the packet mark (nfmark). Using this
590         target and match, you can set and match on this mark.
591 
592 config NETFILTER_XT_SET
593         tristate 'set target and match support'
594         depends on IP_SET
595         depends on NETFILTER_ADVANCED
596         help
597           This option adds the "SET" target and "set" match.
598 
599           Using this target and match, you can add/delete and match
600           elements in the sets created by ipset(8).
601 
602           To compile it as a module, choose M here.  If unsure, say N.
603 
604 # alphabetically ordered list of targets
605 
606 comment "Xtables targets"
607 
608 config NETFILTER_XT_TARGET_AUDIT
609         tristate "AUDIT target support"
610         depends on AUDIT
611         depends on NETFILTER_ADVANCED
612         ---help---
613           This option adds a 'AUDIT' target, which can be used to create
614           audit records for packets dropped/accepted.
615 
616           To compileit as a module, choose M here. If unsure, say N.
617 
618 config NETFILTER_XT_TARGET_CHECKSUM
619         tristate "CHECKSUM target support"
620         depends on IP_NF_MANGLE || IP6_NF_MANGLE
621         depends on NETFILTER_ADVANCED
622         ---help---
623           This option adds a `CHECKSUM' target, which can be used in the iptables mangle
624           table.
625 
626           You can use this target to compute and fill in the checksum in
627           a packet that lacks a checksum.  This is particularly useful,
628           if you need to work around old applications such as dhcp clients,
629           that do not work well with checksum offloads, but don't want to disable
630           checksum offload in your device.
631 
632           To compile it as a module, choose M here.  If unsure, say N.
633 
634 config NETFILTER_XT_TARGET_CLASSIFY
635         tristate '"CLASSIFY" target support'
636         depends on NETFILTER_ADVANCED
637         help
638           This option adds a `CLASSIFY' target, which enables the user to set
639           the priority of a packet. Some qdiscs can use this value for
640           classification, among these are:
641 
642           atm, cbq, dsmark, pfifo_fast, htb, prio
643 
644           To compile it as a module, choose M here.  If unsure, say N.
645 
646 config NETFILTER_XT_TARGET_CONNMARK
647         tristate  '"CONNMARK" target support'
648         depends on NF_CONNTRACK
649         depends on NETFILTER_ADVANCED
650         select NETFILTER_XT_CONNMARK
651         ---help---
652         This is a backwards-compat option for the user's convenience
653         (e.g. when running oldconfig). It selects
654         CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
655 
656 config NETFILTER_XT_TARGET_CONNSECMARK
657         tristate '"CONNSECMARK" target support'
658         depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
659         default m if NETFILTER_ADVANCED=n
660         help
661           The CONNSECMARK target copies security markings from packets
662           to connections, and restores security markings from connections
663           to packets (if the packets are not already marked).  This would
664           normally be used in conjunction with the SECMARK target.
665 
666           To compile it as a module, choose M here.  If unsure, say N.
667 
668 config NETFILTER_XT_TARGET_CT
669         tristate '"CT" target support'
670         depends on NF_CONNTRACK
671         depends on IP_NF_RAW || IP6_NF_RAW
672         depends on NETFILTER_ADVANCED
673         help
674           This options adds a `CT' target, which allows to specify initial
675           connection tracking parameters like events to be delivered and
676           the helper to be used.
677 
678           To compile it as a module, choose M here.  If unsure, say N.
679 
680 config NETFILTER_XT_TARGET_DSCP
681         tristate '"DSCP" and "TOS" target support'
682         depends on IP_NF_MANGLE || IP6_NF_MANGLE
683         depends on NETFILTER_ADVANCED
684         help
685           This option adds a `DSCP' target, which allows you to manipulate
686           the IPv4/IPv6 header DSCP field (differentiated services codepoint).
687 
688           The DSCP field can have any value between 0x0 and 0x3f inclusive.
689 
690           It also adds the "TOS" target, which allows you to create rules in
691           the "mangle" table which alter the Type Of Service field of an IPv4
692           or the Priority field of an IPv6 packet, prior to routing.
693 
694           To compile it as a module, choose M here.  If unsure, say N.
695 
696 config NETFILTER_XT_TARGET_HL
697         tristate '"HL" hoplimit target support'
698         depends on IP_NF_MANGLE || IP6_NF_MANGLE
699         depends on NETFILTER_ADVANCED
700         ---help---
701         This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
702         targets, which enable the user to change the
703         hoplimit/time-to-live value of the IP header.
704 
705         While it is safe to decrement the hoplimit/TTL value, the
706         modules also allow to increment and set the hoplimit value of
707         the header to arbitrary values. This is EXTREMELY DANGEROUS
708         since you can easily create immortal packets that loop
709         forever on the network.
710 
711 config NETFILTER_XT_TARGET_HMARK
712         tristate '"HMARK" target support'
713         depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
714         depends on NETFILTER_ADVANCED
715         ---help---
716         This option adds the "HMARK" target.
717 
718         The target allows you to create rules in the "raw" and "mangle" tables
719         which set the skbuff mark by means of hash calculation within a given
720         range. The nfmark can influence the routing method (see "Use netfilter
721         MARK value as routing key") and can also be used by other subsystems to
722         change their behaviour.
723 
724         To compile it as a module, choose M here. If unsure, say N.
725 
726 config NETFILTER_XT_TARGET_IDLETIMER
727         tristate  "IDLETIMER target support"
728         depends on NETFILTER_ADVANCED
729         help
730 
731           This option adds the `IDLETIMER' target.  Each matching packet
732           resets the timer associated with label specified when the rule is
733           added.  When the timer expires, it triggers a sysfs notification.
734           The remaining time for expiration can be read via sysfs.
735 
736           To compile it as a module, choose M here.  If unsure, say N.
737 
738 config NETFILTER_XT_TARGET_LED
739         tristate '"LED" target support'
740         depends on LEDS_CLASS && LEDS_TRIGGERS
741         depends on NETFILTER_ADVANCED
742         help
743           This option adds a `LED' target, which allows you to blink LEDs in
744           response to particular packets passing through your machine.
745 
746           This can be used to turn a spare LED into a network activity LED,
747           which only flashes in response to FTP transfers, for example.  Or
748           you could have an LED which lights up for a minute or two every time
749           somebody connects to your machine via SSH.
750 
751           You will need support for the "led" class to make this work.
752 
753           To create an LED trigger for incoming SSH traffic:
754             iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
755 
756           Then attach the new trigger to an LED on your system:
757             echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
758 
759           For more information on the LEDs available on your system, see
760           Documentation/leds/leds-class.txt
761 
762 config NETFILTER_XT_TARGET_LOG
763         tristate "LOG target support"
764         select NF_LOG_COMMON
765         select NF_LOG_IPV4
766         select NF_LOG_IPV6 if IPV6
767         default m if NETFILTER_ADVANCED=n
768         help
769           This option adds a `LOG' target, which allows you to create rules in
770           any iptables table which records the packet header to the syslog.
771 
772           To compile it as a module, choose M here.  If unsure, say N.
773 
774 config NETFILTER_XT_TARGET_MARK
775         tristate '"MARK" target support'
776         depends on NETFILTER_ADVANCED
777         select NETFILTER_XT_MARK
778         ---help---
779         This is a backwards-compat option for the user's convenience
780         (e.g. when running oldconfig). It selects
781         CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
782 
783 config NETFILTER_XT_NAT
784         tristate '"SNAT and DNAT" targets support'
785         depends on NF_NAT
786         ---help---
787         This option enables the SNAT and DNAT targets.
788 
789         To compile it as a module, choose M here. If unsure, say N.
790 
791 config NETFILTER_XT_TARGET_NETMAP
792         tristate '"NETMAP" target support'
793         depends on NF_NAT
794         ---help---
795         NETMAP is an implementation of static 1:1 NAT mapping of network
796         addresses. It maps the network address part, while keeping the host
797         address part intact.
798 
799         To compile it as a module, choose M here. If unsure, say N.
800 
801 config NETFILTER_XT_TARGET_NFLOG
802         tristate '"NFLOG" target support'
803         default m if NETFILTER_ADVANCED=n
804         select NETFILTER_NETLINK_LOG
805         help
806           This option enables the NFLOG target, which allows to LOG
807           messages through nfnetlink_log.
808 
809           To compile it as a module, choose M here.  If unsure, say N.
810 
811 config NETFILTER_XT_TARGET_NFQUEUE
812         tristate '"NFQUEUE" target Support'
813         depends on NETFILTER_ADVANCED
814         select NETFILTER_NETLINK_QUEUE
815         help
816           This target replaced the old obsolete QUEUE target.
817 
818           As opposed to QUEUE, it supports 65535 different queues,
819           not just one.
820 
821           To compile it as a module, choose M here.  If unsure, say N.
822 
823 config NETFILTER_XT_TARGET_NOTRACK
824         tristate  '"NOTRACK" target support (DEPRECATED)'
825         depends on NF_CONNTRACK
826         depends on IP_NF_RAW || IP6_NF_RAW
827         depends on NETFILTER_ADVANCED
828         select NETFILTER_XT_TARGET_CT
829 
830 config NETFILTER_XT_TARGET_RATEEST
831         tristate '"RATEEST" target support'
832         depends on NETFILTER_ADVANCED
833         help
834           This option adds a `RATEEST' target, which allows to measure
835           rates similar to TC estimators. The `rateest' match can be
836           used to match on the measured rates.
837 
838           To compile it as a module, choose M here.  If unsure, say N.
839 
840 config NETFILTER_XT_TARGET_REDIRECT
841         tristate "REDIRECT target support"
842         depends on NF_NAT
843         select NF_NAT_REDIRECT
844         ---help---
845         REDIRECT is a special case of NAT: all incoming connections are
846         mapped onto the incoming interface's address, causing the packets to
847         come to the local machine instead of passing through. This is
848         useful for transparent proxies.
849 
850         To compile it as a module, choose M here. If unsure, say N.
851 
852 config NETFILTER_XT_TARGET_TEE
853         tristate '"TEE" - packet cloning to alternate destination'
854         depends on NETFILTER_ADVANCED
855         depends on (IPV6 || IPV6=n)
856         depends on !NF_CONNTRACK || NF_CONNTRACK
857         ---help---
858         This option adds a "TEE" target with which a packet can be cloned and
859         this clone be rerouted to another nexthop.
860 
861 config NETFILTER_XT_TARGET_TPROXY
862         tristate '"TPROXY" target transparent proxying support'
863         depends on NETFILTER_XTABLES
864         depends on NETFILTER_ADVANCED
865         depends on (IPV6 || IPV6=n)
866         depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
867         depends on IP_NF_MANGLE
868         select NF_DEFRAG_IPV4
869         select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
870         help
871           This option adds a `TPROXY' target, which is somewhat similar to
872           REDIRECT.  It can only be used in the mangle table and is useful
873           to redirect traffic to a transparent proxy.  It does _not_ depend
874           on Netfilter connection tracking and NAT, unlike REDIRECT.
875           For it to work you will have to configure certain iptables rules
876           and use policy routing. For more information on how to set it up
877           see Documentation/networking/tproxy.txt.
878 
879           To compile it as a module, choose M here.  If unsure, say N.
880 
881 config NETFILTER_XT_TARGET_TRACE
882         tristate  '"TRACE" target support'
883         depends on IP_NF_RAW || IP6_NF_RAW
884         depends on NETFILTER_ADVANCED
885         help
886           The TRACE target allows you to mark packets so that the kernel
887           will log every rule which match the packets as those traverse
888           the tables, chains, rules.
889 
890           If you want to compile it as a module, say M here and read
891           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
892 
893 config NETFILTER_XT_TARGET_SECMARK
894         tristate '"SECMARK" target support'
895         depends on NETWORK_SECMARK
896         default m if NETFILTER_ADVANCED=n
897         help
898           The SECMARK target allows security marking of network
899           packets, for use with security subsystems.
900 
901           To compile it as a module, choose M here.  If unsure, say N.
902 
903 config NETFILTER_XT_TARGET_TCPMSS
904         tristate '"TCPMSS" target support'
905         depends on (IPV6 || IPV6=n)
906         default m if NETFILTER_ADVANCED=n
907         ---help---
908           This option adds a `TCPMSS' target, which allows you to alter the
909           MSS value of TCP SYN packets, to control the maximum size for that
910           connection (usually limiting it to your outgoing interface's MTU
911           minus 40).
912 
913           This is used to overcome criminally braindead ISPs or servers which
914           block ICMP Fragmentation Needed packets.  The symptoms of this
915           problem are that everything works fine from your Linux
916           firewall/router, but machines behind it can never exchange large
917           packets:
918                 1) Web browsers connect, then hang with no data received.
919                 2) Small mail works fine, but large emails hang.
920                 3) ssh works fine, but scp hangs after initial handshaking.
921 
922           Workaround: activate this option and add a rule to your firewall
923           configuration like:
924 
925           iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
926                          -j TCPMSS --clamp-mss-to-pmtu
927 
928           To compile it as a module, choose M here.  If unsure, say N.
929 
930 config NETFILTER_XT_TARGET_TCPOPTSTRIP
931         tristate '"TCPOPTSTRIP" target support'
932         depends on IP_NF_MANGLE || IP6_NF_MANGLE
933         depends on NETFILTER_ADVANCED
934         help
935           This option adds a "TCPOPTSTRIP" target, which allows you to strip
936           TCP options from TCP packets.
937 
938 # alphabetically ordered list of matches
939 
940 comment "Xtables matches"
941 
942 config NETFILTER_XT_MATCH_ADDRTYPE
943         tristate '"addrtype" address type match support'
944         default m if NETFILTER_ADVANCED=n
945         ---help---
946           This option allows you to match what routing thinks of an address,
947           eg. UNICAST, LOCAL, BROADCAST, ...
948 
949           If you want to compile it as a module, say M here and read
950           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
951 
952 config NETFILTER_XT_MATCH_BPF
953         tristate '"bpf" match support'
954         depends on NETFILTER_ADVANCED
955         help
956           BPF matching applies a linux socket filter to each packet and
957           accepts those for which the filter returns non-zero.
958 
959           To compile it as a module, choose M here.  If unsure, say N.
960 
961 config NETFILTER_XT_MATCH_CGROUP
962         tristate '"control group" match support'
963         depends on NETFILTER_ADVANCED
964         depends on CGROUPS
965         select CGROUP_NET_CLASSID
966         ---help---
967         Socket/process control group matching allows you to match locally
968         generated packets based on which net_cls control group processes
969         belong to.
970 
971 config NETFILTER_XT_MATCH_CLUSTER
972         tristate '"cluster" match support'
973         depends on NF_CONNTRACK
974         depends on NETFILTER_ADVANCED
975         ---help---
976           This option allows you to build work-load-sharing clusters of
977           network servers/stateful firewalls without having a dedicated
978           load-balancing router/server/switch. Basically, this match returns
979           true when the packet must be handled by this cluster node. Thus,
980           all nodes see all packets and this match decides which node handles
981           what packets. The work-load sharing algorithm is based on source
982           address hashing.
983 
984           If you say Y or M here, try `iptables -m cluster --help` for
985           more information.
986 
987 config NETFILTER_XT_MATCH_COMMENT
988         tristate  '"comment" match support'
989         depends on NETFILTER_ADVANCED
990         help
991           This option adds a `comment' dummy-match, which allows you to put
992           comments in your iptables ruleset.
993 
994           If you want to compile it as a module, say M here and read
995           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
996 
997 config NETFILTER_XT_MATCH_CONNBYTES
998         tristate  '"connbytes" per-connection counter match support'
999         depends on NF_CONNTRACK
1000         depends on NETFILTER_ADVANCED
1001         help
1002           This option adds a `connbytes' match, which allows you to match the
1003           number of bytes and/or packets for each direction within a connection.
1004 
1005           If you want to compile it as a module, say M here and read
1006           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1007 
1008 config NETFILTER_XT_MATCH_CONNLABEL
1009         tristate '"connlabel" match support'
1010         select NF_CONNTRACK_LABELS
1011         depends on NF_CONNTRACK
1012         depends on NETFILTER_ADVANCED
1013         ---help---
1014           This match allows you to test and assign userspace-defined labels names
1015           to a connection.  The kernel only stores bit values - mapping
1016           names to bits is done by userspace.
1017 
1018           Unlike connmark, more than 32 flag bits may be assigned to a
1019           connection simultaneously.
1020 
1021 config NETFILTER_XT_MATCH_CONNLIMIT
1022         tristate '"connlimit" match support'
1023         depends on NF_CONNTRACK
1024         depends on NETFILTER_ADVANCED
1025         ---help---
1026           This match allows you to match against the number of parallel
1027           connections to a server per client IP address (or address block).
1028 
1029 config NETFILTER_XT_MATCH_CONNMARK
1030         tristate  '"connmark" connection mark match support'
1031         depends on NF_CONNTRACK
1032         depends on NETFILTER_ADVANCED
1033         select NETFILTER_XT_CONNMARK
1034         ---help---
1035         This is a backwards-compat option for the user's convenience
1036         (e.g. when running oldconfig). It selects
1037         CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
1038 
1039 config NETFILTER_XT_MATCH_CONNTRACK
1040         tristate '"conntrack" connection tracking match support'
1041         depends on NF_CONNTRACK
1042         default m if NETFILTER_ADVANCED=n
1043         help
1044           This is a general conntrack match module, a superset of the state match.
1045 
1046           It allows matching on additional conntrack information, which is
1047           useful in complex configurations, such as NAT gateways with multiple
1048           internet links or tunnels.
1049 
1050           To compile it as a module, choose M here.  If unsure, say N.
1051 
1052 config NETFILTER_XT_MATCH_CPU
1053         tristate '"cpu" match support'
1054         depends on NETFILTER_ADVANCED
1055         help
1056           CPU matching allows you to match packets based on the CPU
1057           currently handling the packet.
1058 
1059           To compile it as a module, choose M here.  If unsure, say N.
1060 
1061 config NETFILTER_XT_MATCH_DCCP
1062         tristate '"dccp" protocol match support'
1063         depends on NETFILTER_ADVANCED
1064         default IP_DCCP
1065         help
1066           With this option enabled, you will be able to use the iptables
1067           `dccp' match in order to match on DCCP source/destination ports
1068           and DCCP flags.
1069 
1070           If you want to compile it as a module, say M here and read
1071           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1072 
1073 config NETFILTER_XT_MATCH_DEVGROUP
1074         tristate '"devgroup" match support'
1075         depends on NETFILTER_ADVANCED
1076         help
1077           This options adds a `devgroup' match, which allows to match on the
1078           device group a network device is assigned to.
1079 
1080           To compile it as a module, choose M here.  If unsure, say N.
1081 
1082 config NETFILTER_XT_MATCH_DSCP
1083         tristate '"dscp" and "tos" match support'
1084         depends on NETFILTER_ADVANCED
1085         help
1086           This option adds a `DSCP' match, which allows you to match against
1087           the IPv4/IPv6 header DSCP field (differentiated services codepoint).
1088 
1089           The DSCP field can have any value between 0x0 and 0x3f inclusive.
1090 
1091           It will also add a "tos" match, which allows you to match packets
1092           based on the Type Of Service fields of the IPv4 packet (which share
1093           the same bits as DSCP).
1094 
1095           To compile it as a module, choose M here.  If unsure, say N.
1096 
1097 config NETFILTER_XT_MATCH_ECN
1098         tristate '"ecn" match support'
1099         depends on NETFILTER_ADVANCED
1100         ---help---
1101         This option adds an "ECN" match, which allows you to match against
1102         the IPv4 and TCP header ECN fields.
1103 
1104         To compile it as a module, choose M here. If unsure, say N.
1105 
1106 config NETFILTER_XT_MATCH_ESP
1107         tristate '"esp" match support'
1108         depends on NETFILTER_ADVANCED
1109         help
1110           This match extension allows you to match a range of SPIs
1111           inside ESP header of IPSec packets.
1112 
1113           To compile it as a module, choose M here.  If unsure, say N.
1114 
1115 config NETFILTER_XT_MATCH_HASHLIMIT
1116         tristate '"hashlimit" match support'
1117         depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
1118         depends on NETFILTER_ADVANCED
1119         help
1120           This option adds a `hashlimit' match.
1121 
1122           As opposed to `limit', this match dynamically creates a hash table
1123           of limit buckets, based on your selection of source/destination
1124           addresses and/or ports.
1125 
1126           It enables you to express policies like `10kpps for any given
1127           destination address' or `500pps from any given source address'
1128           with a single rule.
1129 
1130 config NETFILTER_XT_MATCH_HELPER
1131         tristate '"helper" match support'
1132         depends on NF_CONNTRACK
1133         depends on NETFILTER_ADVANCED
1134         help
1135           Helper matching allows you to match packets in dynamic connections
1136           tracked by a conntrack-helper, ie. ip_conntrack_ftp
1137 
1138           To compile it as a module, choose M here.  If unsure, say Y.
1139 
1140 config NETFILTER_XT_MATCH_HL
1141         tristate '"hl" hoplimit/TTL match support'
1142         depends on NETFILTER_ADVANCED
1143         ---help---
1144         HL matching allows you to match packets based on the hoplimit
1145         in the IPv6 header, or the time-to-live field in the IPv4
1146         header of the packet.
1147 
1148 config NETFILTER_XT_MATCH_IPCOMP
1149         tristate '"ipcomp" match support'
1150         depends on NETFILTER_ADVANCED
1151         help
1152           This match extension allows you to match a range of CPIs(16 bits)
1153           inside IPComp header of IPSec packets.
1154 
1155           To compile it as a module, choose M here.  If unsure, say N.
1156 
1157 config NETFILTER_XT_MATCH_IPRANGE
1158         tristate '"iprange" address range match support'
1159         depends on NETFILTER_ADVANCED
1160         ---help---
1161         This option adds a "iprange" match, which allows you to match based on
1162         an IP address range. (Normal iptables only matches on single addresses
1163         with an optional mask.)
1164 
1165         If unsure, say M.
1166 
1167 config NETFILTER_XT_MATCH_IPVS
1168         tristate '"ipvs" match support'
1169         depends on IP_VS
1170         depends on NETFILTER_ADVANCED
1171         depends on NF_CONNTRACK
1172         help
1173           This option allows you to match against IPVS properties of a packet.
1174 
1175           If unsure, say N.
1176 
1177 config NETFILTER_XT_MATCH_L2TP
1178         tristate '"l2tp" match support'
1179         depends on NETFILTER_ADVANCED
1180         default L2TP
1181         ---help---
1182         This option adds an "L2TP" match, which allows you to match against
1183         L2TP protocol header fields.
1184 
1185         To compile it as a module, choose M here. If unsure, say N.
1186 
1187 config NETFILTER_XT_MATCH_LENGTH
1188         tristate '"length" match support'
1189         depends on NETFILTER_ADVANCED
1190         help
1191           This option allows you to match the length of a packet against a
1192           specific value or range of values.
1193 
1194           To compile it as a module, choose M here.  If unsure, say N.
1195 
1196 config NETFILTER_XT_MATCH_LIMIT
1197         tristate '"limit" match support'
1198         depends on NETFILTER_ADVANCED
1199         help
1200           limit matching allows you to control the rate at which a rule can be
1201           matched: mainly useful in combination with the LOG target ("LOG
1202           target support", below) and to avoid some Denial of Service attacks.
1203 
1204           To compile it as a module, choose M here.  If unsure, say N.
1205 
1206 config NETFILTER_XT_MATCH_MAC
1207         tristate '"mac" address match support'
1208         depends on NETFILTER_ADVANCED
1209         help
1210           MAC matching allows you to match packets based on the source
1211           Ethernet address of the packet.
1212 
1213           To compile it as a module, choose M here.  If unsure, say N.
1214 
1215 config NETFILTER_XT_MATCH_MARK
1216         tristate '"mark" match support'
1217         depends on NETFILTER_ADVANCED
1218         select NETFILTER_XT_MARK
1219         ---help---
1220         This is a backwards-compat option for the user's convenience
1221         (e.g. when running oldconfig). It selects
1222         CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
1223 
1224 config NETFILTER_XT_MATCH_MULTIPORT
1225         tristate '"multiport" Multiple port match support'
1226         depends on NETFILTER_ADVANCED
1227         help
1228           Multiport matching allows you to match TCP or UDP packets based on
1229           a series of source or destination ports: normally a rule can only
1230           match a single range of ports.
1231 
1232           To compile it as a module, choose M here.  If unsure, say N.
1233 
1234 config NETFILTER_XT_MATCH_NFACCT
1235         tristate '"nfacct" match support'
1236         depends on NETFILTER_ADVANCED
1237         select NETFILTER_NETLINK_ACCT
1238         help
1239           This option allows you to use the extended accounting through
1240           nfnetlink_acct.
1241 
1242           To compile it as a module, choose M here.  If unsure, say N.
1243 
1244 config NETFILTER_XT_MATCH_OSF
1245         tristate '"osf" Passive OS fingerprint match'
1246         depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
1247         help
1248           This option selects the Passive OS Fingerprinting match module
1249           that allows to passively match the remote operating system by
1250           analyzing incoming TCP SYN packets.
1251 
1252           Rules and loading software can be downloaded from
1253           http://www.ioremap.net/projects/osf
1254 
1255           To compile it as a module, choose M here.  If unsure, say N.
1256 
1257 config NETFILTER_XT_MATCH_OWNER
1258         tristate '"owner" match support'
1259         depends on NETFILTER_ADVANCED
1260         ---help---
1261         Socket owner matching allows you to match locally-generated packets
1262         based on who created the socket: the user or group. It is also
1263         possible to check whether a socket actually exists.
1264 
1265 config NETFILTER_XT_MATCH_POLICY
1266         tristate 'IPsec "policy" match support'
1267         depends on XFRM
1268         default m if NETFILTER_ADVANCED=n
1269         help
1270           Policy matching allows you to match packets based on the
1271           IPsec policy that was used during decapsulation/will
1272           be used during encapsulation.
1273 
1274           To compile it as a module, choose M here.  If unsure, say N.
1275 
1276 config NETFILTER_XT_MATCH_PHYSDEV
1277         tristate '"physdev" match support'
1278         depends on BRIDGE && BRIDGE_NETFILTER
1279         depends on NETFILTER_ADVANCED
1280         help
1281           Physdev packet matching matches against the physical bridge ports
1282           the IP packet arrived on or will leave by.
1283 
1284           To compile it as a module, choose M here.  If unsure, say N.
1285 
1286 config NETFILTER_XT_MATCH_PKTTYPE
1287         tristate '"pkttype" packet type match support'
1288         depends on NETFILTER_ADVANCED
1289         help
1290           Packet type matching allows you to match a packet by
1291           its "class", eg. BROADCAST, MULTICAST, ...
1292 
1293           Typical usage:
1294           iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
1295 
1296           To compile it as a module, choose M here.  If unsure, say N.
1297 
1298 config NETFILTER_XT_MATCH_QUOTA
1299         tristate '"quota" match support'
1300         depends on NETFILTER_ADVANCED
1301         help
1302           This option adds a `quota' match, which allows to match on a
1303           byte counter.
1304 
1305           If you want to compile it as a module, say M here and read
1306           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1307 
1308 config NETFILTER_XT_MATCH_RATEEST
1309         tristate '"rateest" match support'
1310         depends on NETFILTER_ADVANCED
1311         select NETFILTER_XT_TARGET_RATEEST
1312         help
1313           This option adds a `rateest' match, which allows to match on the
1314           rate estimated by the RATEEST target.
1315 
1316           To compile it as a module, choose M here.  If unsure, say N.
1317 
1318 config NETFILTER_XT_MATCH_REALM
1319         tristate  '"realm" match support'
1320         depends on NETFILTER_ADVANCED
1321         select IP_ROUTE_CLASSID
1322         help
1323           This option adds a `realm' match, which allows you to use the realm
1324           key from the routing subsystem inside iptables.
1325 
1326           This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option 
1327           in tc world.
1328 
1329           If you want to compile it as a module, say M here and read
1330           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1331 
1332 config NETFILTER_XT_MATCH_RECENT
1333         tristate '"recent" match support'
1334         depends on NETFILTER_ADVANCED
1335         ---help---
1336         This match is used for creating one or many lists of recently
1337         used addresses and then matching against that/those list(s).
1338 
1339         Short options are available by using 'iptables -m recent -h'
1340         Official Website: <http://snowman.net/projects/ipt_recent/>
1341 
1342 config NETFILTER_XT_MATCH_SCTP
1343         tristate  '"sctp" protocol match support'
1344         depends on NETFILTER_ADVANCED
1345         default IP_SCTP
1346         help
1347           With this option enabled, you will be able to use the 
1348           `sctp' match in order to match on SCTP source/destination ports
1349           and SCTP chunk types.
1350 
1351           If you want to compile it as a module, say M here and read
1352           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1353 
1354 config NETFILTER_XT_MATCH_SOCKET
1355         tristate '"socket" match support'
1356         depends on NETFILTER_XTABLES
1357         depends on NETFILTER_ADVANCED
1358         depends on !NF_CONNTRACK || NF_CONNTRACK
1359         depends on (IPV6 || IPV6=n)
1360         depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
1361         select NF_DEFRAG_IPV4
1362         select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
1363         help
1364           This option adds a `socket' match, which can be used to match
1365           packets for which a TCP or UDP socket lookup finds a valid socket.
1366           It can be used in combination with the MARK target and policy
1367           routing to implement full featured non-locally bound sockets.
1368 
1369           To compile it as a module, choose M here.  If unsure, say N.
1370 
1371 config NETFILTER_XT_MATCH_STATE
1372         tristate '"state" match support'
1373         depends on NF_CONNTRACK
1374         default m if NETFILTER_ADVANCED=n
1375         help
1376           Connection state matching allows you to match packets based on their
1377           relationship to a tracked connection (ie. previous packets).  This
1378           is a powerful tool for packet classification.
1379 
1380           To compile it as a module, choose M here.  If unsure, say N.
1381 
1382 config NETFILTER_XT_MATCH_STATISTIC
1383         tristate '"statistic" match support'
1384         depends on NETFILTER_ADVANCED
1385         help
1386           This option adds a `statistic' match, which allows you to match
1387           on packets periodically or randomly with a given percentage.
1388 
1389           To compile it as a module, choose M here.  If unsure, say N.
1390 
1391 config NETFILTER_XT_MATCH_STRING
1392         tristate  '"string" match support'
1393         depends on NETFILTER_ADVANCED
1394         select TEXTSEARCH
1395         select TEXTSEARCH_KMP
1396         select TEXTSEARCH_BM
1397         select TEXTSEARCH_FSM
1398         help
1399           This option adds a `string' match, which allows you to look for
1400           pattern matchings in packets.
1401 
1402           To compile it as a module, choose M here.  If unsure, say N.
1403 
1404 config NETFILTER_XT_MATCH_TCPMSS
1405         tristate '"tcpmss" match support'
1406         depends on NETFILTER_ADVANCED
1407         help
1408           This option adds a `tcpmss' match, which allows you to examine the
1409           MSS value of TCP SYN packets, which control the maximum packet size
1410           for that connection.
1411 
1412           To compile it as a module, choose M here.  If unsure, say N.
1413 
1414 config NETFILTER_XT_MATCH_TIME
1415         tristate '"time" match support'
1416         depends on NETFILTER_ADVANCED
1417         ---help---
1418           This option adds a "time" match, which allows you to match based on
1419           the packet arrival time (at the machine which netfilter is running)
1420           on) or departure time/date (for locally generated packets).
1421 
1422           If you say Y here, try `iptables -m time --help` for
1423           more information.
1424 
1425           If you want to compile it as a module, say M here.
1426           If unsure, say N.
1427 
1428 config NETFILTER_XT_MATCH_U32
1429         tristate '"u32" match support'
1430         depends on NETFILTER_ADVANCED
1431         ---help---
1432           u32 allows you to extract quantities of up to 4 bytes from a packet,
1433           AND them with specified masks, shift them by specified amounts and
1434           test whether the results are in any of a set of specified ranges.
1435           The specification of what to extract is general enough to skip over
1436           headers with lengths stored in the packet, as in IP or TCP header
1437           lengths.
1438 
1439           Details and examples are in the kernel module source.
1440 
1441 endif # NETFILTER_XTABLES
1442 
1443 endmenu
1444 
1445 source "net/netfilter/ipset/Kconfig"
1446 
1447 source "net/netfilter/ipvs/Kconfig"

This page was automatically generated by LXR 0.3.1 (source).  •  Linux is a registered trademark of Linus Torvalds  •  Contact us