Version:  2.0.40 2.2.26 2.4.37 3.13 3.14 3.15 3.16 3.17 3.18 3.19 4.0 4.1 4.2 4.3 4.4 4.5 4.6 4.7 4.8 4.9 4.10

Linux/net/netfilter/Kconfig

  1 menu "Core Netfilter Configuration"
  2         depends on NET && INET && NETFILTER
  3 
  4 config NETFILTER_INGRESS
  5         bool "Netfilter ingress support"
  6         default y
  7         select NET_INGRESS
  8         help
  9           This allows you to classify packets from ingress using the Netfilter
 10           infrastructure.
 11 
 12 config NETFILTER_NETLINK
 13         tristate
 14 
 15 config NETFILTER_NETLINK_ACCT
 16 tristate "Netfilter NFACCT over NFNETLINK interface"
 17         depends on NETFILTER_ADVANCED
 18         select NETFILTER_NETLINK
 19         help
 20           If this option is enabled, the kernel will include support
 21           for extended accounting via NFNETLINK.
 22 
 23 config NETFILTER_NETLINK_QUEUE
 24         tristate "Netfilter NFQUEUE over NFNETLINK interface"
 25         depends on NETFILTER_ADVANCED
 26         select NETFILTER_NETLINK
 27         help
 28           If this option is enabled, the kernel will include support
 29           for queueing packets via NFNETLINK.
 30           
 31 config NETFILTER_NETLINK_LOG
 32         tristate "Netfilter LOG over NFNETLINK interface"
 33         default m if NETFILTER_ADVANCED=n
 34         select NETFILTER_NETLINK
 35         help
 36           If this option is enabled, the kernel will include support
 37           for logging packets via NFNETLINK.
 38 
 39           This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms,
 40           and is also scheduled to replace the old syslog-based ipt_LOG
 41           and ip6t_LOG modules.
 42 
 43 config NF_CONNTRACK
 44         tristate "Netfilter connection tracking support"
 45         default m if NETFILTER_ADVANCED=n
 46         help
 47           Connection tracking keeps a record of what packets have passed
 48           through your machine, in order to figure out how they are related
 49           into connections.
 50 
 51           This is required to do Masquerading or other kinds of Network
 52           Address Translation.  It can also be used to enhance packet
 53           filtering (see `Connection state match support' below).
 54 
 55           To compile it as a module, choose M here.  If unsure, say N.
 56 
 57 config NF_LOG_COMMON
 58         tristate
 59 
 60 config NF_LOG_NETDEV
 61         tristate "Netdev packet logging"
 62         select NF_LOG_COMMON
 63 
 64 if NF_CONNTRACK
 65 
 66 config NF_CONNTRACK_MARK
 67         bool  'Connection mark tracking support'
 68         depends on NETFILTER_ADVANCED
 69         help
 70           This option enables support for connection marks, used by the
 71           `CONNMARK' target and `connmark' match. Similar to the mark value
 72           of packets, but this mark value is kept in the conntrack session
 73           instead of the individual packets.
 74 
 75 config NF_CONNTRACK_SECMARK
 76         bool  'Connection tracking security mark support'
 77         depends on NETWORK_SECMARK
 78         default m if NETFILTER_ADVANCED=n
 79         help
 80           This option enables security markings to be applied to
 81           connections.  Typically they are copied to connections from
 82           packets using the CONNSECMARK target and copied back from
 83           connections to packets with the same target, with the packets
 84           being originally labeled via SECMARK.
 85 
 86           If unsure, say 'N'.
 87 
 88 config NF_CONNTRACK_ZONES
 89         bool  'Connection tracking zones'
 90         depends on NETFILTER_ADVANCED
 91         depends on NETFILTER_XT_TARGET_CT
 92         help
 93           This option enables support for connection tracking zones.
 94           Normally, each connection needs to have a unique system wide
 95           identity. Connection tracking zones allow to have multiple
 96           connections using the same identity, as long as they are
 97           contained in different zones.
 98 
 99           If unsure, say `N'.
100 
101 config NF_CONNTRACK_PROCFS
102         bool "Supply CT list in procfs (OBSOLETE)"
103         default y
104         depends on PROC_FS
105         ---help---
106         This option enables for the list of known conntrack entries
107         to be shown in procfs under net/netfilter/nf_conntrack. This
108         is considered obsolete in favor of using the conntrack(8)
109         tool which uses Netlink.
110 
111 config NF_CONNTRACK_EVENTS
112         bool "Connection tracking events"
113         depends on NETFILTER_ADVANCED
114         help
115           If this option is enabled, the connection tracking code will
116           provide a notifier chain that can be used by other kernel code
117           to get notified about changes in the connection tracking state.
118 
119           If unsure, say `N'.
120 
121 config NF_CONNTRACK_TIMEOUT
122         bool  'Connection tracking timeout'
123         depends on NETFILTER_ADVANCED
124         help
125           This option enables support for connection tracking timeout
126           extension. This allows you to attach timeout policies to flow
127           via the CT target.
128 
129           If unsure, say `N'.
130 
131 config NF_CONNTRACK_TIMESTAMP
132         bool  'Connection tracking timestamping'
133         depends on NETFILTER_ADVANCED
134         help
135           This option enables support for connection tracking timestamping.
136           This allows you to store the flow start-time and to obtain
137           the flow-stop time (once it has been destroyed) via Connection
138           tracking events.
139 
140           If unsure, say `N'.
141 
142 config NF_CONNTRACK_LABELS
143         bool
144         help
145           This option enables support for assigning user-defined flag bits
146           to connection tracking entries.  It selected by the connlabel match.
147 
148 config NF_CT_PROTO_DCCP
149         bool 'DCCP protocol connection tracking support'
150         depends on NETFILTER_ADVANCED
151         default y
152         help
153           With this option enabled, the layer 3 independent connection
154           tracking code will be able to do state tracking on DCCP connections.
155 
156           If unsure, say Y.
157 
158 config NF_CT_PROTO_GRE
159         tristate
160 
161 config NF_CT_PROTO_SCTP
162         bool 'SCTP protocol connection tracking support'
163         depends on NETFILTER_ADVANCED
164         default y
165         help
166           With this option enabled, the layer 3 independent connection
167           tracking code will be able to do state tracking on SCTP connections.
168 
169           If unsure, say Y.
170 
171 config NF_CT_PROTO_UDPLITE
172         bool 'UDP-Lite protocol connection tracking support'
173         depends on NETFILTER_ADVANCED
174         default y
175         help
176           With this option enabled, the layer 3 independent connection
177           tracking code will be able to do state tracking on UDP-Lite
178           connections.
179 
180           If unsure, say Y.
181 
182 config NF_CONNTRACK_AMANDA
183         tristate "Amanda backup protocol support"
184         depends on NETFILTER_ADVANCED
185         select TEXTSEARCH
186         select TEXTSEARCH_KMP
187         help
188           If you are running the Amanda backup package <http://www.amanda.org/>
189           on this machine or machines that will be MASQUERADED through this
190           machine, then you may want to enable this feature.  This allows the
191           connection tracking and natting code to allow the sub-channels that
192           Amanda requires for communication of the backup data, messages and
193           index.
194 
195           To compile it as a module, choose M here.  If unsure, say N.
196 
197 config NF_CONNTRACK_FTP
198         tristate "FTP protocol support"
199         default m if NETFILTER_ADVANCED=n
200         help
201           Tracking FTP connections is problematic: special helpers are
202           required for tracking them, and doing masquerading and other forms
203           of Network Address Translation on them.
204 
205           This is FTP support on Layer 3 independent connection tracking.
206           Layer 3 independent connection tracking is experimental scheme
207           which generalize ip_conntrack to support other layer 3 protocols.
208 
209           To compile it as a module, choose M here.  If unsure, say N.
210 
211 config NF_CONNTRACK_H323
212         tristate "H.323 protocol support"
213         depends on IPV6 || IPV6=n
214         depends on NETFILTER_ADVANCED
215         help
216           H.323 is a VoIP signalling protocol from ITU-T. As one of the most
217           important VoIP protocols, it is widely used by voice hardware and
218           software including voice gateways, IP phones, Netmeeting, OpenPhone,
219           Gnomemeeting, etc.
220 
221           With this module you can support H.323 on a connection tracking/NAT
222           firewall.
223 
224           This module supports RAS, Fast Start, H.245 Tunnelling, Call
225           Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
226           whiteboard, file transfer, etc. For more information, please
227           visit http://nath323.sourceforge.net/.
228 
229           To compile it as a module, choose M here.  If unsure, say N.
230 
231 config NF_CONNTRACK_IRC
232         tristate "IRC protocol support"
233         default m if NETFILTER_ADVANCED=n
234         help
235           There is a commonly-used extension to IRC called
236           Direct Client-to-Client Protocol (DCC).  This enables users to send
237           files to each other, and also chat to each other without the need
238           of a server.  DCC Sending is used anywhere you send files over IRC,
239           and DCC Chat is most commonly used by Eggdrop bots.  If you are
240           using NAT, this extension will enable you to send files and initiate
241           chats.  Note that you do NOT need this extension to get files or
242           have others initiate chats, or everything else in IRC.
243 
244           To compile it as a module, choose M here.  If unsure, say N.
245 
246 config NF_CONNTRACK_BROADCAST
247         tristate
248 
249 config NF_CONNTRACK_NETBIOS_NS
250         tristate "NetBIOS name service protocol support"
251         select NF_CONNTRACK_BROADCAST
252         help
253           NetBIOS name service requests are sent as broadcast messages from an
254           unprivileged port and responded to with unicast messages to the
255           same port. This make them hard to firewall properly because connection
256           tracking doesn't deal with broadcasts. This helper tracks locally
257           originating NetBIOS name service requests and the corresponding
258           responses. It relies on correct IP address configuration, specifically
259           netmask and broadcast address. When properly configured, the output
260           of "ip address show" should look similar to this:
261 
262           $ ip -4 address show eth0
263           4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
264               inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
265 
266           To compile it as a module, choose M here.  If unsure, say N.
267 
268 config NF_CONNTRACK_SNMP
269         tristate "SNMP service protocol support"
270         depends on NETFILTER_ADVANCED
271         select NF_CONNTRACK_BROADCAST
272         help
273           SNMP service requests are sent as broadcast messages from an
274           unprivileged port and responded to with unicast messages to the
275           same port. This make them hard to firewall properly because connection
276           tracking doesn't deal with broadcasts. This helper tracks locally
277           originating SNMP service requests and the corresponding
278           responses. It relies on correct IP address configuration, specifically
279           netmask and broadcast address.
280 
281           To compile it as a module, choose M here.  If unsure, say N.
282 
283 config NF_CONNTRACK_PPTP
284         tristate "PPtP protocol support"
285         depends on NETFILTER_ADVANCED
286         select NF_CT_PROTO_GRE
287         help
288           This module adds support for PPTP (Point to Point Tunnelling
289           Protocol, RFC2637) connection tracking and NAT.
290 
291           If you are running PPTP sessions over a stateful firewall or NAT
292           box, you may want to enable this feature.
293 
294           Please note that not all PPTP modes of operation are supported yet.
295           Specifically these limitations exist:
296             - Blindly assumes that control connections are always established
297               in PNS->PAC direction. This is a violation of RFC2637.
298             - Only supports a single call within each session
299 
300           To compile it as a module, choose M here.  If unsure, say N.
301 
302 config NF_CONNTRACK_SANE
303         tristate "SANE protocol support"
304         depends on NETFILTER_ADVANCED
305         help
306           SANE is a protocol for remote access to scanners as implemented
307           by the 'saned' daemon. Like FTP, it uses separate control and
308           data connections.
309 
310           With this module you can support SANE on a connection tracking
311           firewall.
312 
313           To compile it as a module, choose M here.  If unsure, say N.
314 
315 config NF_CONNTRACK_SIP
316         tristate "SIP protocol support"
317         default m if NETFILTER_ADVANCED=n
318         help
319           SIP is an application-layer control protocol that can establish,
320           modify, and terminate multimedia sessions (conferences) such as
321           Internet telephony calls. With the ip_conntrack_sip and
322           the nf_nat_sip modules you can support the protocol on a connection
323           tracking/NATing firewall.
324 
325           To compile it as a module, choose M here.  If unsure, say N.
326 
327 config NF_CONNTRACK_TFTP
328         tristate "TFTP protocol support"
329         depends on NETFILTER_ADVANCED
330         help
331           TFTP connection tracking helper, this is required depending
332           on how restrictive your ruleset is.
333           If you are using a tftp client behind -j SNAT or -j MASQUERADING
334           you will need this.
335 
336           To compile it as a module, choose M here.  If unsure, say N.
337 
338 config NF_CT_NETLINK
339         tristate 'Connection tracking netlink interface'
340         select NETFILTER_NETLINK
341         default m if NETFILTER_ADVANCED=n
342         help
343           This option enables support for a netlink-based userspace interface
344 
345 config NF_CT_NETLINK_TIMEOUT
346         tristate  'Connection tracking timeout tuning via Netlink'
347         select NETFILTER_NETLINK
348         depends on NETFILTER_ADVANCED
349         help
350           This option enables support for connection tracking timeout
351           fine-grain tuning. This allows you to attach specific timeout
352           policies to flows, instead of using the global timeout policy.
353 
354           If unsure, say `N'.
355 
356 config NF_CT_NETLINK_HELPER
357         tristate 'Connection tracking helpers in user-space via Netlink'
358         select NETFILTER_NETLINK
359         depends on NF_CT_NETLINK
360         depends on NETFILTER_NETLINK_QUEUE
361         depends on NETFILTER_NETLINK_GLUE_CT
362         depends on NETFILTER_ADVANCED
363         help
364           This option enables the user-space connection tracking helpers
365           infrastructure.
366 
367           If unsure, say `N'.
368 
369 config NETFILTER_NETLINK_GLUE_CT
370         bool "NFQUEUE and NFLOG integration with Connection Tracking"
371         default n
372         depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
373         help
374           If this option is enabled, NFQUEUE and NFLOG can include
375           Connection Tracking information together with the packet is
376           the enqueued via NFNETLINK.
377 
378 config NF_NAT
379         tristate
380 
381 config NF_NAT_NEEDED
382         bool
383         depends on NF_NAT
384         default y
385 
386 config NF_NAT_PROTO_DCCP
387         bool
388         depends on NF_NAT && NF_CT_PROTO_DCCP
389         default NF_NAT && NF_CT_PROTO_DCCP
390 
391 config NF_NAT_PROTO_UDPLITE
392         bool
393         depends on NF_NAT && NF_CT_PROTO_UDPLITE
394         default NF_NAT && NF_CT_PROTO_UDPLITE
395 
396 config NF_NAT_PROTO_SCTP
397         bool
398         default NF_NAT && NF_CT_PROTO_SCTP
399         depends on NF_NAT && NF_CT_PROTO_SCTP
400         select LIBCRC32C
401 
402 config NF_NAT_AMANDA
403         tristate
404         depends on NF_CONNTRACK && NF_NAT
405         default NF_NAT && NF_CONNTRACK_AMANDA
406 
407 config NF_NAT_FTP
408         tristate
409         depends on NF_CONNTRACK && NF_NAT
410         default NF_NAT && NF_CONNTRACK_FTP
411 
412 config NF_NAT_IRC
413         tristate
414         depends on NF_CONNTRACK && NF_NAT
415         default NF_NAT && NF_CONNTRACK_IRC
416 
417 config NF_NAT_SIP
418         tristate
419         depends on NF_CONNTRACK && NF_NAT
420         default NF_NAT && NF_CONNTRACK_SIP
421 
422 config NF_NAT_TFTP
423         tristate
424         depends on NF_CONNTRACK && NF_NAT
425         default NF_NAT && NF_CONNTRACK_TFTP
426 
427 config NF_NAT_REDIRECT
428         tristate "IPv4/IPv6 redirect support"
429         depends on NF_NAT
430         help
431           This is the kernel functionality to redirect packets to local
432           machine through NAT.
433 
434 config NETFILTER_SYNPROXY
435         tristate
436 
437 endif # NF_CONNTRACK
438 
439 config NF_TABLES
440         select NETFILTER_NETLINK
441         tristate "Netfilter nf_tables support"
442         help
443           nftables is the new packet classification framework that intends to
444           replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
445           provides a pseudo-state machine with an extensible instruction-set
446           (also known as expressions) that the userspace 'nft' utility
447           (http://www.netfilter.org/projects/nftables) uses to build the
448           rule-set. It also comes with the generic set infrastructure that
449           allows you to construct mappings between matchings and actions
450           for performance lookups.
451 
452           To compile it as a module, choose M here.
453 
454 if NF_TABLES
455 
456 config NF_TABLES_INET
457         depends on IPV6
458         select NF_TABLES_IPV4
459         select NF_TABLES_IPV6
460         tristate "Netfilter nf_tables mixed IPv4/IPv6 tables support"
461         help
462           This option enables support for a mixed IPv4/IPv6 "inet" table.
463 
464 config NF_TABLES_NETDEV
465         tristate "Netfilter nf_tables netdev tables support"
466         help
467           This option enables support for the "netdev" table.
468 
469 config NFT_EXTHDR
470         tristate "Netfilter nf_tables IPv6 exthdr module"
471         help
472           This option adds the "exthdr" expression that you can use to match
473           IPv6 extension headers.
474 
475 config NFT_META
476         tristate "Netfilter nf_tables meta module"
477         help
478           This option adds the "meta" expression that you can use to match and
479           to set packet metainformation such as the packet mark.
480 
481 config NFT_RT
482         tristate "Netfilter nf_tables routing module"
483         help
484           This option adds the "rt" expression that you can use to match
485           packet routing information such as the packet nexthop.
486 
487 config NFT_NUMGEN
488         tristate "Netfilter nf_tables number generator module"
489         help
490           This option adds the number generator expression used to perform
491           incremental counting and random numbers bound to a upper limit.
492 
493 config NFT_CT
494         depends on NF_CONNTRACK
495         tristate "Netfilter nf_tables conntrack module"
496         help
497           This option adds the "ct" expression that you can use to match
498           connection tracking information such as the flow state.
499 
500 config NFT_SET_RBTREE
501         tristate "Netfilter nf_tables rbtree set module"
502         help
503           This option adds the "rbtree" set type (Red Black tree) that is used
504           to build interval-based sets.
505 
506 config NFT_SET_HASH
507         tristate "Netfilter nf_tables hash set module"
508         help
509           This option adds the "hash" set type that is used to build one-way
510           mappings between matchings and actions.
511 
512 config NFT_COUNTER
513         tristate "Netfilter nf_tables counter module"
514         help
515           This option adds the "counter" expression that you can use to
516           include packet and byte counters in a rule.
517 
518 config NFT_LOG
519         tristate "Netfilter nf_tables log module"
520         help
521           This option adds the "log" expression that you can use to log
522           packets matching some criteria.
523 
524 config NFT_LIMIT
525         tristate "Netfilter nf_tables limit module"
526         help
527           This option adds the "limit" expression that you can use to
528           ratelimit rule matchings.
529 
530 config NFT_MASQ
531         depends on NF_CONNTRACK
532         depends on NF_NAT
533         tristate "Netfilter nf_tables masquerade support"
534         help
535           This option adds the "masquerade" expression that you can use
536           to perform NAT in the masquerade flavour.
537 
538 config NFT_REDIR
539         depends on NF_CONNTRACK
540         depends on NF_NAT
541         tristate "Netfilter nf_tables redirect support"
542         help
543           This options adds the "redirect" expression that you can use
544           to perform NAT in the redirect flavour.
545 
546 config NFT_NAT
547         depends on NF_CONNTRACK
548         select NF_NAT
549         tristate "Netfilter nf_tables nat module"
550         help
551           This option adds the "nat" expression that you can use to perform
552           typical Network Address Translation (NAT) packet transformations.
553 
554 config NFT_OBJREF
555         tristate "Netfilter nf_tables stateful object reference module"
556         help
557           This option adds the "objref" expression that allows you to refer to
558           stateful objects, such as counters and quotas.
559 
560 config NFT_QUEUE
561         depends on NETFILTER_NETLINK_QUEUE
562         tristate "Netfilter nf_tables queue module"
563         help
564           This is required if you intend to use the userspace queueing
565           infrastructure (also known as NFQUEUE) from nftables.
566 
567 config NFT_QUOTA
568         tristate "Netfilter nf_tables quota module"
569         help
570           This option adds the "quota" expression that you can use to match
571           enforce bytes quotas.
572 
573 config NFT_REJECT
574         default m if NETFILTER_ADVANCED=n
575         tristate "Netfilter nf_tables reject support"
576         help
577           This option adds the "reject" expression that you can use to
578           explicitly deny and notify via TCP reset/ICMP informational errors
579           unallowed traffic.
580 
581 config NFT_REJECT_INET
582         depends on NF_TABLES_INET
583         default NFT_REJECT
584         tristate
585 
586 config NFT_COMPAT
587         depends on NETFILTER_XTABLES
588         tristate "Netfilter x_tables over nf_tables module"
589         help
590           This is required if you intend to use any of existing
591           x_tables match/target extensions over the nf_tables
592           framework.
593 
594 config NFT_HASH
595         tristate "Netfilter nf_tables hash module"
596         help
597           This option adds the "hash" expression that you can use to perform
598           a hash operation on registers.
599 
600 config NFT_FIB
601         tristate
602 
603 config NFT_FIB_INET
604         depends on NF_TABLES_INET
605         depends on NFT_FIB_IPV4
606         depends on NFT_FIB_IPV6
607         tristate "Netfilter nf_tables fib inet support"
608         help
609           This option allows using the FIB expression from the inet table.
610           The lookup will be delegated to the IPv4 or IPv6 FIB depending
611           on the protocol of the packet.
612 
613 if NF_TABLES_NETDEV
614 
615 config NF_DUP_NETDEV
616         tristate "Netfilter packet duplication support"
617         help
618           This option enables the generic packet duplication infrastructure
619           for Netfilter.
620 
621 config NFT_DUP_NETDEV
622         tristate "Netfilter nf_tables netdev packet duplication support"
623         select NF_DUP_NETDEV
624         help
625           This option enables packet duplication for the "netdev" family.
626 
627 config NFT_FWD_NETDEV
628         tristate "Netfilter nf_tables netdev packet forwarding support"
629         select NF_DUP_NETDEV
630         help
631           This option enables packet forwarding for the "netdev" family.
632 
633 endif # NF_TABLES_NETDEV
634 
635 endif # NF_TABLES
636 
637 config NETFILTER_XTABLES
638         tristate "Netfilter Xtables support (required for ip_tables)"
639         default m if NETFILTER_ADVANCED=n
640         help
641           This is required if you intend to use any of ip_tables,
642           ip6_tables or arp_tables.
643 
644 if NETFILTER_XTABLES
645 
646 comment "Xtables combined modules"
647 
648 config NETFILTER_XT_MARK
649         tristate 'nfmark target and match support'
650         default m if NETFILTER_ADVANCED=n
651         ---help---
652         This option adds the "MARK" target and "mark" match.
653 
654         Netfilter mark matching allows you to match packets based on the
655         "nfmark" value in the packet.
656         The target allows you to create rules in the "mangle" table which alter
657         the netfilter mark (nfmark) field associated with the packet.
658 
659         Prior to routing, the nfmark can influence the routing method and can
660         also be used by other subsystems to change their behavior.
661 
662 config NETFILTER_XT_CONNMARK
663         tristate 'ctmark target and match support'
664         depends on NF_CONNTRACK
665         depends on NETFILTER_ADVANCED
666         select NF_CONNTRACK_MARK
667         ---help---
668         This option adds the "CONNMARK" target and "connmark" match.
669 
670         Netfilter allows you to store a mark value per connection (a.k.a.
671         ctmark), similarly to the packet mark (nfmark). Using this
672         target and match, you can set and match on this mark.
673 
674 config NETFILTER_XT_SET
675         tristate 'set target and match support'
676         depends on IP_SET
677         depends on NETFILTER_ADVANCED
678         help
679           This option adds the "SET" target and "set" match.
680 
681           Using this target and match, you can add/delete and match
682           elements in the sets created by ipset(8).
683 
684           To compile it as a module, choose M here.  If unsure, say N.
685 
686 # alphabetically ordered list of targets
687 
688 comment "Xtables targets"
689 
690 config NETFILTER_XT_TARGET_AUDIT
691         tristate "AUDIT target support"
692         depends on AUDIT
693         depends on NETFILTER_ADVANCED
694         ---help---
695           This option adds a 'AUDIT' target, which can be used to create
696           audit records for packets dropped/accepted.
697 
698           To compileit as a module, choose M here. If unsure, say N.
699 
700 config NETFILTER_XT_TARGET_CHECKSUM
701         tristate "CHECKSUM target support"
702         depends on IP_NF_MANGLE || IP6_NF_MANGLE
703         depends on NETFILTER_ADVANCED
704         ---help---
705           This option adds a `CHECKSUM' target, which can be used in the iptables mangle
706           table.
707 
708           You can use this target to compute and fill in the checksum in
709           a packet that lacks a checksum.  This is particularly useful,
710           if you need to work around old applications such as dhcp clients,
711           that do not work well with checksum offloads, but don't want to disable
712           checksum offload in your device.
713 
714           To compile it as a module, choose M here.  If unsure, say N.
715 
716 config NETFILTER_XT_TARGET_CLASSIFY
717         tristate '"CLASSIFY" target support'
718         depends on NETFILTER_ADVANCED
719         help
720           This option adds a `CLASSIFY' target, which enables the user to set
721           the priority of a packet. Some qdiscs can use this value for
722           classification, among these are:
723 
724           atm, cbq, dsmark, pfifo_fast, htb, prio
725 
726           To compile it as a module, choose M here.  If unsure, say N.
727 
728 config NETFILTER_XT_TARGET_CONNMARK
729         tristate  '"CONNMARK" target support'
730         depends on NF_CONNTRACK
731         depends on NETFILTER_ADVANCED
732         select NETFILTER_XT_CONNMARK
733         ---help---
734         This is a backwards-compat option for the user's convenience
735         (e.g. when running oldconfig). It selects
736         CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
737 
738 config NETFILTER_XT_TARGET_CONNSECMARK
739         tristate '"CONNSECMARK" target support'
740         depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
741         default m if NETFILTER_ADVANCED=n
742         help
743           The CONNSECMARK target copies security markings from packets
744           to connections, and restores security markings from connections
745           to packets (if the packets are not already marked).  This would
746           normally be used in conjunction with the SECMARK target.
747 
748           To compile it as a module, choose M here.  If unsure, say N.
749 
750 config NETFILTER_XT_TARGET_CT
751         tristate '"CT" target support'
752         depends on NF_CONNTRACK
753         depends on IP_NF_RAW || IP6_NF_RAW
754         depends on NETFILTER_ADVANCED
755         help
756           This options adds a `CT' target, which allows to specify initial
757           connection tracking parameters like events to be delivered and
758           the helper to be used.
759 
760           To compile it as a module, choose M here.  If unsure, say N.
761 
762 config NETFILTER_XT_TARGET_DSCP
763         tristate '"DSCP" and "TOS" target support'
764         depends on IP_NF_MANGLE || IP6_NF_MANGLE
765         depends on NETFILTER_ADVANCED
766         help
767           This option adds a `DSCP' target, which allows you to manipulate
768           the IPv4/IPv6 header DSCP field (differentiated services codepoint).
769 
770           The DSCP field can have any value between 0x0 and 0x3f inclusive.
771 
772           It also adds the "TOS" target, which allows you to create rules in
773           the "mangle" table which alter the Type Of Service field of an IPv4
774           or the Priority field of an IPv6 packet, prior to routing.
775 
776           To compile it as a module, choose M here.  If unsure, say N.
777 
778 config NETFILTER_XT_TARGET_HL
779         tristate '"HL" hoplimit target support'
780         depends on IP_NF_MANGLE || IP6_NF_MANGLE
781         depends on NETFILTER_ADVANCED
782         ---help---
783         This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
784         targets, which enable the user to change the
785         hoplimit/time-to-live value of the IP header.
786 
787         While it is safe to decrement the hoplimit/TTL value, the
788         modules also allow to increment and set the hoplimit value of
789         the header to arbitrary values. This is EXTREMELY DANGEROUS
790         since you can easily create immortal packets that loop
791         forever on the network.
792 
793 config NETFILTER_XT_TARGET_HMARK
794         tristate '"HMARK" target support'
795         depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
796         depends on NETFILTER_ADVANCED
797         ---help---
798         This option adds the "HMARK" target.
799 
800         The target allows you to create rules in the "raw" and "mangle" tables
801         which set the skbuff mark by means of hash calculation within a given
802         range. The nfmark can influence the routing method and can also be used
803         by other subsystems to change their behaviour.
804 
805         To compile it as a module, choose M here. If unsure, say N.
806 
807 config NETFILTER_XT_TARGET_IDLETIMER
808         tristate  "IDLETIMER target support"
809         depends on NETFILTER_ADVANCED
810         help
811 
812           This option adds the `IDLETIMER' target.  Each matching packet
813           resets the timer associated with label specified when the rule is
814           added.  When the timer expires, it triggers a sysfs notification.
815           The remaining time for expiration can be read via sysfs.
816 
817           To compile it as a module, choose M here.  If unsure, say N.
818 
819 config NETFILTER_XT_TARGET_LED
820         tristate '"LED" target support'
821         depends on LEDS_CLASS && LEDS_TRIGGERS
822         depends on NETFILTER_ADVANCED
823         help
824           This option adds a `LED' target, which allows you to blink LEDs in
825           response to particular packets passing through your machine.
826 
827           This can be used to turn a spare LED into a network activity LED,
828           which only flashes in response to FTP transfers, for example.  Or
829           you could have an LED which lights up for a minute or two every time
830           somebody connects to your machine via SSH.
831 
832           You will need support for the "led" class to make this work.
833 
834           To create an LED trigger for incoming SSH traffic:
835             iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
836 
837           Then attach the new trigger to an LED on your system:
838             echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
839 
840           For more information on the LEDs available on your system, see
841           Documentation/leds/leds-class.txt
842 
843 config NETFILTER_XT_TARGET_LOG
844         tristate "LOG target support"
845         select NF_LOG_COMMON
846         select NF_LOG_IPV4
847         select NF_LOG_IPV6 if IPV6
848         default m if NETFILTER_ADVANCED=n
849         help
850           This option adds a `LOG' target, which allows you to create rules in
851           any iptables table which records the packet header to the syslog.
852 
853           To compile it as a module, choose M here.  If unsure, say N.
854 
855 config NETFILTER_XT_TARGET_MARK
856         tristate '"MARK" target support'
857         depends on NETFILTER_ADVANCED
858         select NETFILTER_XT_MARK
859         ---help---
860         This is a backwards-compat option for the user's convenience
861         (e.g. when running oldconfig). It selects
862         CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
863 
864 config NETFILTER_XT_NAT
865         tristate '"SNAT and DNAT" targets support'
866         depends on NF_NAT
867         ---help---
868         This option enables the SNAT and DNAT targets.
869 
870         To compile it as a module, choose M here. If unsure, say N.
871 
872 config NETFILTER_XT_TARGET_NETMAP
873         tristate '"NETMAP" target support'
874         depends on NF_NAT
875         ---help---
876         NETMAP is an implementation of static 1:1 NAT mapping of network
877         addresses. It maps the network address part, while keeping the host
878         address part intact.
879 
880         To compile it as a module, choose M here. If unsure, say N.
881 
882 config NETFILTER_XT_TARGET_NFLOG
883         tristate '"NFLOG" target support'
884         default m if NETFILTER_ADVANCED=n
885         select NETFILTER_NETLINK_LOG
886         help
887           This option enables the NFLOG target, which allows to LOG
888           messages through nfnetlink_log.
889 
890           To compile it as a module, choose M here.  If unsure, say N.
891 
892 config NETFILTER_XT_TARGET_NFQUEUE
893         tristate '"NFQUEUE" target Support'
894         depends on NETFILTER_ADVANCED
895         select NETFILTER_NETLINK_QUEUE
896         help
897           This target replaced the old obsolete QUEUE target.
898 
899           As opposed to QUEUE, it supports 65535 different queues,
900           not just one.
901 
902           To compile it as a module, choose M here.  If unsure, say N.
903 
904 config NETFILTER_XT_TARGET_NOTRACK
905         tristate  '"NOTRACK" target support (DEPRECATED)'
906         depends on NF_CONNTRACK
907         depends on IP_NF_RAW || IP6_NF_RAW
908         depends on NETFILTER_ADVANCED
909         select NETFILTER_XT_TARGET_CT
910 
911 config NETFILTER_XT_TARGET_RATEEST
912         tristate '"RATEEST" target support'
913         depends on NETFILTER_ADVANCED
914         help
915           This option adds a `RATEEST' target, which allows to measure
916           rates similar to TC estimators. The `rateest' match can be
917           used to match on the measured rates.
918 
919           To compile it as a module, choose M here.  If unsure, say N.
920 
921 config NETFILTER_XT_TARGET_REDIRECT
922         tristate "REDIRECT target support"
923         depends on NF_NAT
924         select NF_NAT_REDIRECT
925         ---help---
926         REDIRECT is a special case of NAT: all incoming connections are
927         mapped onto the incoming interface's address, causing the packets to
928         come to the local machine instead of passing through. This is
929         useful for transparent proxies.
930 
931         To compile it as a module, choose M here. If unsure, say N.
932 
933 config NETFILTER_XT_TARGET_TEE
934         tristate '"TEE" - packet cloning to alternate destination'
935         depends on NETFILTER_ADVANCED
936         depends on IPV6 || IPV6=n
937         depends on !NF_CONNTRACK || NF_CONNTRACK
938         select NF_DUP_IPV4
939         select NF_DUP_IPV6 if IPV6
940         ---help---
941         This option adds a "TEE" target with which a packet can be cloned and
942         this clone be rerouted to another nexthop.
943 
944 config NETFILTER_XT_TARGET_TPROXY
945         tristate '"TPROXY" target transparent proxying support'
946         depends on NETFILTER_XTABLES
947         depends on NETFILTER_ADVANCED
948         depends on IPV6 || IPV6=n
949         depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
950         depends on IP_NF_MANGLE
951         select NF_DEFRAG_IPV4
952         select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
953         help
954           This option adds a `TPROXY' target, which is somewhat similar to
955           REDIRECT.  It can only be used in the mangle table and is useful
956           to redirect traffic to a transparent proxy.  It does _not_ depend
957           on Netfilter connection tracking and NAT, unlike REDIRECT.
958           For it to work you will have to configure certain iptables rules
959           and use policy routing. For more information on how to set it up
960           see Documentation/networking/tproxy.txt.
961 
962           To compile it as a module, choose M here.  If unsure, say N.
963 
964 config NETFILTER_XT_TARGET_TRACE
965         tristate  '"TRACE" target support'
966         depends on IP_NF_RAW || IP6_NF_RAW
967         depends on NETFILTER_ADVANCED
968         help
969           The TRACE target allows you to mark packets so that the kernel
970           will log every rule which match the packets as those traverse
971           the tables, chains, rules.
972 
973           If you want to compile it as a module, say M here and read
974           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
975 
976 config NETFILTER_XT_TARGET_SECMARK
977         tristate '"SECMARK" target support'
978         depends on NETWORK_SECMARK
979         default m if NETFILTER_ADVANCED=n
980         help
981           The SECMARK target allows security marking of network
982           packets, for use with security subsystems.
983 
984           To compile it as a module, choose M here.  If unsure, say N.
985 
986 config NETFILTER_XT_TARGET_TCPMSS
987         tristate '"TCPMSS" target support'
988         depends on IPV6 || IPV6=n
989         default m if NETFILTER_ADVANCED=n
990         ---help---
991           This option adds a `TCPMSS' target, which allows you to alter the
992           MSS value of TCP SYN packets, to control the maximum size for that
993           connection (usually limiting it to your outgoing interface's MTU
994           minus 40).
995 
996           This is used to overcome criminally braindead ISPs or servers which
997           block ICMP Fragmentation Needed packets.  The symptoms of this
998           problem are that everything works fine from your Linux
999           firewall/router, but machines behind it can never exchange large
1000           packets:
1001                 1) Web browsers connect, then hang with no data received.
1002                 2) Small mail works fine, but large emails hang.
1003                 3) ssh works fine, but scp hangs after initial handshaking.
1004 
1005           Workaround: activate this option and add a rule to your firewall
1006           configuration like:
1007 
1008           iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
1009                          -j TCPMSS --clamp-mss-to-pmtu
1010 
1011           To compile it as a module, choose M here.  If unsure, say N.
1012 
1013 config NETFILTER_XT_TARGET_TCPOPTSTRIP
1014         tristate '"TCPOPTSTRIP" target support'
1015         depends on IP_NF_MANGLE || IP6_NF_MANGLE
1016         depends on NETFILTER_ADVANCED
1017         help
1018           This option adds a "TCPOPTSTRIP" target, which allows you to strip
1019           TCP options from TCP packets.
1020 
1021 # alphabetically ordered list of matches
1022 
1023 comment "Xtables matches"
1024 
1025 config NETFILTER_XT_MATCH_ADDRTYPE
1026         tristate '"addrtype" address type match support'
1027         default m if NETFILTER_ADVANCED=n
1028         ---help---
1029           This option allows you to match what routing thinks of an address,
1030           eg. UNICAST, LOCAL, BROADCAST, ...
1031 
1032           If you want to compile it as a module, say M here and read
1033           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1034 
1035 config NETFILTER_XT_MATCH_BPF
1036         tristate '"bpf" match support'
1037         depends on NETFILTER_ADVANCED
1038         help
1039           BPF matching applies a linux socket filter to each packet and
1040           accepts those for which the filter returns non-zero.
1041 
1042           To compile it as a module, choose M here.  If unsure, say N.
1043 
1044 config NETFILTER_XT_MATCH_CGROUP
1045         tristate '"control group" match support'
1046         depends on NETFILTER_ADVANCED
1047         depends on CGROUPS
1048         select CGROUP_NET_CLASSID
1049         ---help---
1050         Socket/process control group matching allows you to match locally
1051         generated packets based on which net_cls control group processes
1052         belong to.
1053 
1054 config NETFILTER_XT_MATCH_CLUSTER
1055         tristate '"cluster" match support'
1056         depends on NF_CONNTRACK
1057         depends on NETFILTER_ADVANCED
1058         ---help---
1059           This option allows you to build work-load-sharing clusters of
1060           network servers/stateful firewalls without having a dedicated
1061           load-balancing router/server/switch. Basically, this match returns
1062           true when the packet must be handled by this cluster node. Thus,
1063           all nodes see all packets and this match decides which node handles
1064           what packets. The work-load sharing algorithm is based on source
1065           address hashing.
1066 
1067           If you say Y or M here, try `iptables -m cluster --help` for
1068           more information.
1069 
1070 config NETFILTER_XT_MATCH_COMMENT
1071         tristate  '"comment" match support'
1072         depends on NETFILTER_ADVANCED
1073         help
1074           This option adds a `comment' dummy-match, which allows you to put
1075           comments in your iptables ruleset.
1076 
1077           If you want to compile it as a module, say M here and read
1078           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1079 
1080 config NETFILTER_XT_MATCH_CONNBYTES
1081         tristate  '"connbytes" per-connection counter match support'
1082         depends on NF_CONNTRACK
1083         depends on NETFILTER_ADVANCED
1084         help
1085           This option adds a `connbytes' match, which allows you to match the
1086           number of bytes and/or packets for each direction within a connection.
1087 
1088           If you want to compile it as a module, say M here and read
1089           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1090 
1091 config NETFILTER_XT_MATCH_CONNLABEL
1092         tristate '"connlabel" match support'
1093         select NF_CONNTRACK_LABELS
1094         depends on NF_CONNTRACK
1095         depends on NETFILTER_ADVANCED
1096         ---help---
1097           This match allows you to test and assign userspace-defined labels names
1098           to a connection.  The kernel only stores bit values - mapping
1099           names to bits is done by userspace.
1100 
1101           Unlike connmark, more than 32 flag bits may be assigned to a
1102           connection simultaneously.
1103 
1104 config NETFILTER_XT_MATCH_CONNLIMIT
1105         tristate '"connlimit" match support'
1106         depends on NF_CONNTRACK
1107         depends on NETFILTER_ADVANCED
1108         ---help---
1109           This match allows you to match against the number of parallel
1110           connections to a server per client IP address (or address block).
1111 
1112 config NETFILTER_XT_MATCH_CONNMARK
1113         tristate  '"connmark" connection mark match support'
1114         depends on NF_CONNTRACK
1115         depends on NETFILTER_ADVANCED
1116         select NETFILTER_XT_CONNMARK
1117         ---help---
1118         This is a backwards-compat option for the user's convenience
1119         (e.g. when running oldconfig). It selects
1120         CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
1121 
1122 config NETFILTER_XT_MATCH_CONNTRACK
1123         tristate '"conntrack" connection tracking match support'
1124         depends on NF_CONNTRACK
1125         default m if NETFILTER_ADVANCED=n
1126         help
1127           This is a general conntrack match module, a superset of the state match.
1128 
1129           It allows matching on additional conntrack information, which is
1130           useful in complex configurations, such as NAT gateways with multiple
1131           internet links or tunnels.
1132 
1133           To compile it as a module, choose M here.  If unsure, say N.
1134 
1135 config NETFILTER_XT_MATCH_CPU
1136         tristate '"cpu" match support'
1137         depends on NETFILTER_ADVANCED
1138         help
1139           CPU matching allows you to match packets based on the CPU
1140           currently handling the packet.
1141 
1142           To compile it as a module, choose M here.  If unsure, say N.
1143 
1144 config NETFILTER_XT_MATCH_DCCP
1145         tristate '"dccp" protocol match support'
1146         depends on NETFILTER_ADVANCED
1147         default IP_DCCP
1148         help
1149           With this option enabled, you will be able to use the iptables
1150           `dccp' match in order to match on DCCP source/destination ports
1151           and DCCP flags.
1152 
1153           If you want to compile it as a module, say M here and read
1154           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1155 
1156 config NETFILTER_XT_MATCH_DEVGROUP
1157         tristate '"devgroup" match support'
1158         depends on NETFILTER_ADVANCED
1159         help
1160           This options adds a `devgroup' match, which allows to match on the
1161           device group a network device is assigned to.
1162 
1163           To compile it as a module, choose M here.  If unsure, say N.
1164 
1165 config NETFILTER_XT_MATCH_DSCP
1166         tristate '"dscp" and "tos" match support'
1167         depends on NETFILTER_ADVANCED
1168         help
1169           This option adds a `DSCP' match, which allows you to match against
1170           the IPv4/IPv6 header DSCP field (differentiated services codepoint).
1171 
1172           The DSCP field can have any value between 0x0 and 0x3f inclusive.
1173 
1174           It will also add a "tos" match, which allows you to match packets
1175           based on the Type Of Service fields of the IPv4 packet (which share
1176           the same bits as DSCP).
1177 
1178           To compile it as a module, choose M here.  If unsure, say N.
1179 
1180 config NETFILTER_XT_MATCH_ECN
1181         tristate '"ecn" match support'
1182         depends on NETFILTER_ADVANCED
1183         ---help---
1184         This option adds an "ECN" match, which allows you to match against
1185         the IPv4 and TCP header ECN fields.
1186 
1187         To compile it as a module, choose M here. If unsure, say N.
1188 
1189 config NETFILTER_XT_MATCH_ESP
1190         tristate '"esp" match support'
1191         depends on NETFILTER_ADVANCED
1192         help
1193           This match extension allows you to match a range of SPIs
1194           inside ESP header of IPSec packets.
1195 
1196           To compile it as a module, choose M here.  If unsure, say N.
1197 
1198 config NETFILTER_XT_MATCH_HASHLIMIT
1199         tristate '"hashlimit" match support'
1200         depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1201         depends on NETFILTER_ADVANCED
1202         help
1203           This option adds a `hashlimit' match.
1204 
1205           As opposed to `limit', this match dynamically creates a hash table
1206           of limit buckets, based on your selection of source/destination
1207           addresses and/or ports.
1208 
1209           It enables you to express policies like `10kpps for any given
1210           destination address' or `500pps from any given source address'
1211           with a single rule.
1212 
1213 config NETFILTER_XT_MATCH_HELPER
1214         tristate '"helper" match support'
1215         depends on NF_CONNTRACK
1216         depends on NETFILTER_ADVANCED
1217         help
1218           Helper matching allows you to match packets in dynamic connections
1219           tracked by a conntrack-helper, ie. ip_conntrack_ftp
1220 
1221           To compile it as a module, choose M here.  If unsure, say Y.
1222 
1223 config NETFILTER_XT_MATCH_HL
1224         tristate '"hl" hoplimit/TTL match support'
1225         depends on NETFILTER_ADVANCED
1226         ---help---
1227         HL matching allows you to match packets based on the hoplimit
1228         in the IPv6 header, or the time-to-live field in the IPv4
1229         header of the packet.
1230 
1231 config NETFILTER_XT_MATCH_IPCOMP
1232         tristate '"ipcomp" match support'
1233         depends on NETFILTER_ADVANCED
1234         help
1235           This match extension allows you to match a range of CPIs(16 bits)
1236           inside IPComp header of IPSec packets.
1237 
1238           To compile it as a module, choose M here.  If unsure, say N.
1239 
1240 config NETFILTER_XT_MATCH_IPRANGE
1241         tristate '"iprange" address range match support'
1242         depends on NETFILTER_ADVANCED
1243         ---help---
1244         This option adds a "iprange" match, which allows you to match based on
1245         an IP address range. (Normal iptables only matches on single addresses
1246         with an optional mask.)
1247 
1248         If unsure, say M.
1249 
1250 config NETFILTER_XT_MATCH_IPVS
1251         tristate '"ipvs" match support'
1252         depends on IP_VS
1253         depends on NETFILTER_ADVANCED
1254         depends on NF_CONNTRACK
1255         help
1256           This option allows you to match against IPVS properties of a packet.
1257 
1258           If unsure, say N.
1259 
1260 config NETFILTER_XT_MATCH_L2TP
1261         tristate '"l2tp" match support'
1262         depends on NETFILTER_ADVANCED
1263         default L2TP
1264         ---help---
1265         This option adds an "L2TP" match, which allows you to match against
1266         L2TP protocol header fields.
1267 
1268         To compile it as a module, choose M here. If unsure, say N.
1269 
1270 config NETFILTER_XT_MATCH_LENGTH
1271         tristate '"length" match support'
1272         depends on NETFILTER_ADVANCED
1273         help
1274           This option allows you to match the length of a packet against a
1275           specific value or range of values.
1276 
1277           To compile it as a module, choose M here.  If unsure, say N.
1278 
1279 config NETFILTER_XT_MATCH_LIMIT
1280         tristate '"limit" match support'
1281         depends on NETFILTER_ADVANCED
1282         help
1283           limit matching allows you to control the rate at which a rule can be
1284           matched: mainly useful in combination with the LOG target ("LOG
1285           target support", below) and to avoid some Denial of Service attacks.
1286 
1287           To compile it as a module, choose M here.  If unsure, say N.
1288 
1289 config NETFILTER_XT_MATCH_MAC
1290         tristate '"mac" address match support'
1291         depends on NETFILTER_ADVANCED
1292         help
1293           MAC matching allows you to match packets based on the source
1294           Ethernet address of the packet.
1295 
1296           To compile it as a module, choose M here.  If unsure, say N.
1297 
1298 config NETFILTER_XT_MATCH_MARK
1299         tristate '"mark" match support'
1300         depends on NETFILTER_ADVANCED
1301         select NETFILTER_XT_MARK
1302         ---help---
1303         This is a backwards-compat option for the user's convenience
1304         (e.g. when running oldconfig). It selects
1305         CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
1306 
1307 config NETFILTER_XT_MATCH_MULTIPORT
1308         tristate '"multiport" Multiple port match support'
1309         depends on NETFILTER_ADVANCED
1310         help
1311           Multiport matching allows you to match TCP or UDP packets based on
1312           a series of source or destination ports: normally a rule can only
1313           match a single range of ports.
1314 
1315           To compile it as a module, choose M here.  If unsure, say N.
1316 
1317 config NETFILTER_XT_MATCH_NFACCT
1318         tristate '"nfacct" match support'
1319         depends on NETFILTER_ADVANCED
1320         select NETFILTER_NETLINK_ACCT
1321         help
1322           This option allows you to use the extended accounting through
1323           nfnetlink_acct.
1324 
1325           To compile it as a module, choose M here.  If unsure, say N.
1326 
1327 config NETFILTER_XT_MATCH_OSF
1328         tristate '"osf" Passive OS fingerprint match'
1329         depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
1330         help
1331           This option selects the Passive OS Fingerprinting match module
1332           that allows to passively match the remote operating system by
1333           analyzing incoming TCP SYN packets.
1334 
1335           Rules and loading software can be downloaded from
1336           http://www.ioremap.net/projects/osf
1337 
1338           To compile it as a module, choose M here.  If unsure, say N.
1339 
1340 config NETFILTER_XT_MATCH_OWNER
1341         tristate '"owner" match support'
1342         depends on NETFILTER_ADVANCED
1343         ---help---
1344         Socket owner matching allows you to match locally-generated packets
1345         based on who created the socket: the user or group. It is also
1346         possible to check whether a socket actually exists.
1347 
1348 config NETFILTER_XT_MATCH_POLICY
1349         tristate 'IPsec "policy" match support'
1350         depends on XFRM
1351         default m if NETFILTER_ADVANCED=n
1352         help
1353           Policy matching allows you to match packets based on the
1354           IPsec policy that was used during decapsulation/will
1355           be used during encapsulation.
1356 
1357           To compile it as a module, choose M here.  If unsure, say N.
1358 
1359 config NETFILTER_XT_MATCH_PHYSDEV
1360         tristate '"physdev" match support'
1361         depends on BRIDGE && BRIDGE_NETFILTER
1362         depends on NETFILTER_ADVANCED
1363         help
1364           Physdev packet matching matches against the physical bridge ports
1365           the IP packet arrived on or will leave by.
1366 
1367           To compile it as a module, choose M here.  If unsure, say N.
1368 
1369 config NETFILTER_XT_MATCH_PKTTYPE
1370         tristate '"pkttype" packet type match support'
1371         depends on NETFILTER_ADVANCED
1372         help
1373           Packet type matching allows you to match a packet by
1374           its "class", eg. BROADCAST, MULTICAST, ...
1375 
1376           Typical usage:
1377           iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
1378 
1379           To compile it as a module, choose M here.  If unsure, say N.
1380 
1381 config NETFILTER_XT_MATCH_QUOTA
1382         tristate '"quota" match support'
1383         depends on NETFILTER_ADVANCED
1384         help
1385           This option adds a `quota' match, which allows to match on a
1386           byte counter.
1387 
1388           If you want to compile it as a module, say M here and read
1389           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1390 
1391 config NETFILTER_XT_MATCH_RATEEST
1392         tristate '"rateest" match support'
1393         depends on NETFILTER_ADVANCED
1394         select NETFILTER_XT_TARGET_RATEEST
1395         help
1396           This option adds a `rateest' match, which allows to match on the
1397           rate estimated by the RATEEST target.
1398 
1399           To compile it as a module, choose M here.  If unsure, say N.
1400 
1401 config NETFILTER_XT_MATCH_REALM
1402         tristate  '"realm" match support'
1403         depends on NETFILTER_ADVANCED
1404         select IP_ROUTE_CLASSID
1405         help
1406           This option adds a `realm' match, which allows you to use the realm
1407           key from the routing subsystem inside iptables.
1408 
1409           This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option 
1410           in tc world.
1411 
1412           If you want to compile it as a module, say M here and read
1413           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1414 
1415 config NETFILTER_XT_MATCH_RECENT
1416         tristate '"recent" match support'
1417         depends on NETFILTER_ADVANCED
1418         ---help---
1419         This match is used for creating one or many lists of recently
1420         used addresses and then matching against that/those list(s).
1421 
1422         Short options are available by using 'iptables -m recent -h'
1423         Official Website: <http://snowman.net/projects/ipt_recent/>
1424 
1425 config NETFILTER_XT_MATCH_SCTP
1426         tristate  '"sctp" protocol match support'
1427         depends on NETFILTER_ADVANCED
1428         default IP_SCTP
1429         help
1430           With this option enabled, you will be able to use the 
1431           `sctp' match in order to match on SCTP source/destination ports
1432           and SCTP chunk types.
1433 
1434           If you want to compile it as a module, say M here and read
1435           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1436 
1437 config NETFILTER_XT_MATCH_SOCKET
1438         tristate '"socket" match support'
1439         depends on NETFILTER_XTABLES
1440         depends on NETFILTER_ADVANCED
1441         depends on IPV6 || IPV6=n
1442         depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1443         depends on NF_SOCKET_IPV4
1444         depends on NF_SOCKET_IPV6
1445         select NF_DEFRAG_IPV4
1446         select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1447         help
1448           This option adds a `socket' match, which can be used to match
1449           packets for which a TCP or UDP socket lookup finds a valid socket.
1450           It can be used in combination with the MARK target and policy
1451           routing to implement full featured non-locally bound sockets.
1452 
1453           To compile it as a module, choose M here.  If unsure, say N.
1454 
1455 config NETFILTER_XT_MATCH_STATE
1456         tristate '"state" match support'
1457         depends on NF_CONNTRACK
1458         default m if NETFILTER_ADVANCED=n
1459         help
1460           Connection state matching allows you to match packets based on their
1461           relationship to a tracked connection (ie. previous packets).  This
1462           is a powerful tool for packet classification.
1463 
1464           To compile it as a module, choose M here.  If unsure, say N.
1465 
1466 config NETFILTER_XT_MATCH_STATISTIC
1467         tristate '"statistic" match support'
1468         depends on NETFILTER_ADVANCED
1469         help
1470           This option adds a `statistic' match, which allows you to match
1471           on packets periodically or randomly with a given percentage.
1472 
1473           To compile it as a module, choose M here.  If unsure, say N.
1474 
1475 config NETFILTER_XT_MATCH_STRING
1476         tristate  '"string" match support'
1477         depends on NETFILTER_ADVANCED
1478         select TEXTSEARCH
1479         select TEXTSEARCH_KMP
1480         select TEXTSEARCH_BM
1481         select TEXTSEARCH_FSM
1482         help
1483           This option adds a `string' match, which allows you to look for
1484           pattern matchings in packets.
1485 
1486           To compile it as a module, choose M here.  If unsure, say N.
1487 
1488 config NETFILTER_XT_MATCH_TCPMSS
1489         tristate '"tcpmss" match support'
1490         depends on NETFILTER_ADVANCED
1491         help
1492           This option adds a `tcpmss' match, which allows you to examine the
1493           MSS value of TCP SYN packets, which control the maximum packet size
1494           for that connection.
1495 
1496           To compile it as a module, choose M here.  If unsure, say N.
1497 
1498 config NETFILTER_XT_MATCH_TIME
1499         tristate '"time" match support'
1500         depends on NETFILTER_ADVANCED
1501         ---help---
1502           This option adds a "time" match, which allows you to match based on
1503           the packet arrival time (at the machine which netfilter is running)
1504           on) or departure time/date (for locally generated packets).
1505 
1506           If you say Y here, try `iptables -m time --help` for
1507           more information.
1508 
1509           If you want to compile it as a module, say M here.
1510           If unsure, say N.
1511 
1512 config NETFILTER_XT_MATCH_U32
1513         tristate '"u32" match support'
1514         depends on NETFILTER_ADVANCED
1515         ---help---
1516           u32 allows you to extract quantities of up to 4 bytes from a packet,
1517           AND them with specified masks, shift them by specified amounts and
1518           test whether the results are in any of a set of specified ranges.
1519           The specification of what to extract is general enough to skip over
1520           headers with lengths stored in the packet, as in IP or TCP header
1521           lengths.
1522 
1523           Details and examples are in the kernel module source.
1524 
1525 endif # NETFILTER_XTABLES
1526 
1527 endmenu
1528 
1529 source "net/netfilter/ipset/Kconfig"
1530 
1531 source "net/netfilter/ipvs/Kconfig"

This page was automatically generated by LXR 0.3.1 (source).  •  Linux is a registered trademark of Linus Torvalds  •  Contact us