Version:  2.0.40 2.2.26 2.4.37 3.6 3.7 3.8 3.9 3.10 3.11 3.12 3.13 3.14 3.15 3.16 3.17 3.18 3.19 4.0 4.1 4.2

Linux/net/netfilter/Kconfig

  1 menu "Core Netfilter Configuration"
  2         depends on NET && INET && NETFILTER
  3 
  4 config NETFILTER_INGRESS
  5         bool "Netfilter ingress support"
  6         default y
  7         select NET_INGRESS
  8         help
  9           This allows you to classify packets from ingress using the Netfilter
 10           infrastructure.
 11 
 12 config NETFILTER_NETLINK
 13         tristate
 14 
 15 config NETFILTER_NETLINK_ACCT
 16 tristate "Netfilter NFACCT over NFNETLINK interface"
 17         depends on NETFILTER_ADVANCED
 18         select NETFILTER_NETLINK
 19         help
 20           If this option is enabled, the kernel will include support
 21           for extended accounting via NFNETLINK.
 22 
 23 config NETFILTER_NETLINK_QUEUE
 24         tristate "Netfilter NFQUEUE over NFNETLINK interface"
 25         depends on NETFILTER_ADVANCED
 26         select NETFILTER_NETLINK
 27         help
 28           If this option is enabled, the kernel will include support
 29           for queueing packets via NFNETLINK.
 30           
 31 config NETFILTER_NETLINK_LOG
 32         tristate "Netfilter LOG over NFNETLINK interface"
 33         default m if NETFILTER_ADVANCED=n
 34         select NETFILTER_NETLINK
 35         help
 36           If this option is enabled, the kernel will include support
 37           for logging packets via NFNETLINK.
 38 
 39           This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms,
 40           and is also scheduled to replace the old syslog-based ipt_LOG
 41           and ip6t_LOG modules.
 42 
 43 config NF_CONNTRACK
 44         tristate "Netfilter connection tracking support"
 45         default m if NETFILTER_ADVANCED=n
 46         help
 47           Connection tracking keeps a record of what packets have passed
 48           through your machine, in order to figure out how they are related
 49           into connections.
 50 
 51           This is required to do Masquerading or other kinds of Network
 52           Address Translation.  It can also be used to enhance packet
 53           filtering (see `Connection state match support' below).
 54 
 55           To compile it as a module, choose M here.  If unsure, say N.
 56 
 57 config NF_LOG_COMMON
 58         tristate
 59 
 60 if NF_CONNTRACK
 61 
 62 config NF_CONNTRACK_MARK
 63         bool  'Connection mark tracking support'
 64         depends on NETFILTER_ADVANCED
 65         help
 66           This option enables support for connection marks, used by the
 67           `CONNMARK' target and `connmark' match. Similar to the mark value
 68           of packets, but this mark value is kept in the conntrack session
 69           instead of the individual packets.
 70 
 71 config NF_CONNTRACK_SECMARK
 72         bool  'Connection tracking security mark support'
 73         depends on NETWORK_SECMARK
 74         default m if NETFILTER_ADVANCED=n
 75         help
 76           This option enables security markings to be applied to
 77           connections.  Typically they are copied to connections from
 78           packets using the CONNSECMARK target and copied back from
 79           connections to packets with the same target, with the packets
 80           being originally labeled via SECMARK.
 81 
 82           If unsure, say 'N'.
 83 
 84 config NF_CONNTRACK_ZONES
 85         bool  'Connection tracking zones'
 86         depends on NETFILTER_ADVANCED
 87         depends on NETFILTER_XT_TARGET_CT
 88         help
 89           This option enables support for connection tracking zones.
 90           Normally, each connection needs to have a unique system wide
 91           identity. Connection tracking zones allow to have multiple
 92           connections using the same identity, as long as they are
 93           contained in different zones.
 94 
 95           If unsure, say `N'.
 96 
 97 config NF_CONNTRACK_PROCFS
 98         bool "Supply CT list in procfs (OBSOLETE)"
 99         default y
100         depends on PROC_FS
101         ---help---
102         This option enables for the list of known conntrack entries
103         to be shown in procfs under net/netfilter/nf_conntrack. This
104         is considered obsolete in favor of using the conntrack(8)
105         tool which uses Netlink.
106 
107 config NF_CONNTRACK_EVENTS
108         bool "Connection tracking events"
109         depends on NETFILTER_ADVANCED
110         help
111           If this option is enabled, the connection tracking code will
112           provide a notifier chain that can be used by other kernel code
113           to get notified about changes in the connection tracking state.
114 
115           If unsure, say `N'.
116 
117 config NF_CONNTRACK_TIMEOUT
118         bool  'Connection tracking timeout'
119         depends on NETFILTER_ADVANCED
120         help
121           This option enables support for connection tracking timeout
122           extension. This allows you to attach timeout policies to flow
123           via the CT target.
124 
125           If unsure, say `N'.
126 
127 config NF_CONNTRACK_TIMESTAMP
128         bool  'Connection tracking timestamping'
129         depends on NETFILTER_ADVANCED
130         help
131           This option enables support for connection tracking timestamping.
132           This allows you to store the flow start-time and to obtain
133           the flow-stop time (once it has been destroyed) via Connection
134           tracking events.
135 
136           If unsure, say `N'.
137 
138 config NF_CONNTRACK_LABELS
139         bool
140         help
141           This option enables support for assigning user-defined flag bits
142           to connection tracking entries.  It selected by the connlabel match.
143 
144 config NF_CT_PROTO_DCCP
145         tristate 'DCCP protocol connection tracking support'
146         depends on NETFILTER_ADVANCED
147         default IP_DCCP
148         help
149           With this option enabled, the layer 3 independent connection
150           tracking code will be able to do state tracking on DCCP connections.
151 
152           If unsure, say 'N'.
153 
154 config NF_CT_PROTO_GRE
155         tristate
156 
157 config NF_CT_PROTO_SCTP
158         tristate 'SCTP protocol connection tracking support'
159         depends on NETFILTER_ADVANCED
160         default IP_SCTP
161         help
162           With this option enabled, the layer 3 independent connection
163           tracking code will be able to do state tracking on SCTP connections.
164 
165           If you want to compile it as a module, say M here and read
166           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
167 
168 config NF_CT_PROTO_UDPLITE
169         tristate 'UDP-Lite protocol connection tracking support'
170         depends on NETFILTER_ADVANCED
171         help
172           With this option enabled, the layer 3 independent connection
173           tracking code will be able to do state tracking on UDP-Lite
174           connections.
175 
176           To compile it as a module, choose M here.  If unsure, say N.
177 
178 config NF_CONNTRACK_AMANDA
179         tristate "Amanda backup protocol support"
180         depends on NETFILTER_ADVANCED
181         select TEXTSEARCH
182         select TEXTSEARCH_KMP
183         help
184           If you are running the Amanda backup package <http://www.amanda.org/>
185           on this machine or machines that will be MASQUERADED through this
186           machine, then you may want to enable this feature.  This allows the
187           connection tracking and natting code to allow the sub-channels that
188           Amanda requires for communication of the backup data, messages and
189           index.
190 
191           To compile it as a module, choose M here.  If unsure, say N.
192 
193 config NF_CONNTRACK_FTP
194         tristate "FTP protocol support"
195         default m if NETFILTER_ADVANCED=n
196         help
197           Tracking FTP connections is problematic: special helpers are
198           required for tracking them, and doing masquerading and other forms
199           of Network Address Translation on them.
200 
201           This is FTP support on Layer 3 independent connection tracking.
202           Layer 3 independent connection tracking is experimental scheme
203           which generalize ip_conntrack to support other layer 3 protocols.
204 
205           To compile it as a module, choose M here.  If unsure, say N.
206 
207 config NF_CONNTRACK_H323
208         tristate "H.323 protocol support"
209         depends on IPV6 || IPV6=n
210         depends on NETFILTER_ADVANCED
211         help
212           H.323 is a VoIP signalling protocol from ITU-T. As one of the most
213           important VoIP protocols, it is widely used by voice hardware and
214           software including voice gateways, IP phones, Netmeeting, OpenPhone,
215           Gnomemeeting, etc.
216 
217           With this module you can support H.323 on a connection tracking/NAT
218           firewall.
219 
220           This module supports RAS, Fast Start, H.245 Tunnelling, Call
221           Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
222           whiteboard, file transfer, etc. For more information, please
223           visit http://nath323.sourceforge.net/.
224 
225           To compile it as a module, choose M here.  If unsure, say N.
226 
227 config NF_CONNTRACK_IRC
228         tristate "IRC protocol support"
229         default m if NETFILTER_ADVANCED=n
230         help
231           There is a commonly-used extension to IRC called
232           Direct Client-to-Client Protocol (DCC).  This enables users to send
233           files to each other, and also chat to each other without the need
234           of a server.  DCC Sending is used anywhere you send files over IRC,
235           and DCC Chat is most commonly used by Eggdrop bots.  If you are
236           using NAT, this extension will enable you to send files and initiate
237           chats.  Note that you do NOT need this extension to get files or
238           have others initiate chats, or everything else in IRC.
239 
240           To compile it as a module, choose M here.  If unsure, say N.
241 
242 config NF_CONNTRACK_BROADCAST
243         tristate
244 
245 config NF_CONNTRACK_NETBIOS_NS
246         tristate "NetBIOS name service protocol support"
247         select NF_CONNTRACK_BROADCAST
248         help
249           NetBIOS name service requests are sent as broadcast messages from an
250           unprivileged port and responded to with unicast messages to the
251           same port. This make them hard to firewall properly because connection
252           tracking doesn't deal with broadcasts. This helper tracks locally
253           originating NetBIOS name service requests and the corresponding
254           responses. It relies on correct IP address configuration, specifically
255           netmask and broadcast address. When properly configured, the output
256           of "ip address show" should look similar to this:
257 
258           $ ip -4 address show eth0
259           4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
260               inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
261 
262           To compile it as a module, choose M here.  If unsure, say N.
263 
264 config NF_CONNTRACK_SNMP
265         tristate "SNMP service protocol support"
266         depends on NETFILTER_ADVANCED
267         select NF_CONNTRACK_BROADCAST
268         help
269           SNMP service requests are sent as broadcast messages from an
270           unprivileged port and responded to with unicast messages to the
271           same port. This make them hard to firewall properly because connection
272           tracking doesn't deal with broadcasts. This helper tracks locally
273           originating SNMP service requests and the corresponding
274           responses. It relies on correct IP address configuration, specifically
275           netmask and broadcast address.
276 
277           To compile it as a module, choose M here.  If unsure, say N.
278 
279 config NF_CONNTRACK_PPTP
280         tristate "PPtP protocol support"
281         depends on NETFILTER_ADVANCED
282         select NF_CT_PROTO_GRE
283         help
284           This module adds support for PPTP (Point to Point Tunnelling
285           Protocol, RFC2637) connection tracking and NAT.
286 
287           If you are running PPTP sessions over a stateful firewall or NAT
288           box, you may want to enable this feature.
289 
290           Please note that not all PPTP modes of operation are supported yet.
291           Specifically these limitations exist:
292             - Blindly assumes that control connections are always established
293               in PNS->PAC direction. This is a violation of RFC2637.
294             - Only supports a single call within each session
295 
296           To compile it as a module, choose M here.  If unsure, say N.
297 
298 config NF_CONNTRACK_SANE
299         tristate "SANE protocol support"
300         depends on NETFILTER_ADVANCED
301         help
302           SANE is a protocol for remote access to scanners as implemented
303           by the 'saned' daemon. Like FTP, it uses separate control and
304           data connections.
305 
306           With this module you can support SANE on a connection tracking
307           firewall.
308 
309           To compile it as a module, choose M here.  If unsure, say N.
310 
311 config NF_CONNTRACK_SIP
312         tristate "SIP protocol support"
313         default m if NETFILTER_ADVANCED=n
314         help
315           SIP is an application-layer control protocol that can establish,
316           modify, and terminate multimedia sessions (conferences) such as
317           Internet telephony calls. With the ip_conntrack_sip and
318           the nf_nat_sip modules you can support the protocol on a connection
319           tracking/NATing firewall.
320 
321           To compile it as a module, choose M here.  If unsure, say N.
322 
323 config NF_CONNTRACK_TFTP
324         tristate "TFTP protocol support"
325         depends on NETFILTER_ADVANCED
326         help
327           TFTP connection tracking helper, this is required depending
328           on how restrictive your ruleset is.
329           If you are using a tftp client behind -j SNAT or -j MASQUERADING
330           you will need this.
331 
332           To compile it as a module, choose M here.  If unsure, say N.
333 
334 config NF_CT_NETLINK
335         tristate 'Connection tracking netlink interface'
336         select NETFILTER_NETLINK
337         default m if NETFILTER_ADVANCED=n
338         help
339           This option enables support for a netlink-based userspace interface
340 
341 config NF_CT_NETLINK_TIMEOUT
342         tristate  'Connection tracking timeout tuning via Netlink'
343         select NETFILTER_NETLINK
344         depends on NETFILTER_ADVANCED
345         help
346           This option enables support for connection tracking timeout
347           fine-grain tuning. This allows you to attach specific timeout
348           policies to flows, instead of using the global timeout policy.
349 
350           If unsure, say `N'.
351 
352 config NF_CT_NETLINK_HELPER
353         tristate 'Connection tracking helpers in user-space via Netlink'
354         select NETFILTER_NETLINK
355         depends on NF_CT_NETLINK
356         depends on NETFILTER_NETLINK_QUEUE
357         depends on NETFILTER_NETLINK_QUEUE_CT
358         depends on NETFILTER_ADVANCED
359         help
360           This option enables the user-space connection tracking helpers
361           infrastructure.
362 
363           If unsure, say `N'.
364 
365 config NETFILTER_NETLINK_QUEUE_CT
366         bool "NFQUEUE integration with Connection Tracking"
367         default n
368         depends on NETFILTER_NETLINK_QUEUE
369         help
370           If this option is enabled, NFQUEUE can include Connection Tracking
371           information together with the packet is the enqueued via NFNETLINK.
372 
373 config NF_NAT
374         tristate
375 
376 config NF_NAT_NEEDED
377         bool
378         depends on NF_NAT
379         default y
380 
381 config NF_NAT_PROTO_DCCP
382         tristate
383         depends on NF_NAT && NF_CT_PROTO_DCCP
384         default NF_NAT && NF_CT_PROTO_DCCP
385 
386 config NF_NAT_PROTO_UDPLITE
387         tristate
388         depends on NF_NAT && NF_CT_PROTO_UDPLITE
389         default NF_NAT && NF_CT_PROTO_UDPLITE
390 
391 config NF_NAT_PROTO_SCTP
392         tristate
393         default NF_NAT && NF_CT_PROTO_SCTP
394         depends on NF_NAT && NF_CT_PROTO_SCTP
395         select LIBCRC32C
396 
397 config NF_NAT_AMANDA
398         tristate
399         depends on NF_CONNTRACK && NF_NAT
400         default NF_NAT && NF_CONNTRACK_AMANDA
401 
402 config NF_NAT_FTP
403         tristate
404         depends on NF_CONNTRACK && NF_NAT
405         default NF_NAT && NF_CONNTRACK_FTP
406 
407 config NF_NAT_IRC
408         tristate
409         depends on NF_CONNTRACK && NF_NAT
410         default NF_NAT && NF_CONNTRACK_IRC
411 
412 config NF_NAT_SIP
413         tristate
414         depends on NF_CONNTRACK && NF_NAT
415         default NF_NAT && NF_CONNTRACK_SIP
416 
417 config NF_NAT_TFTP
418         tristate
419         depends on NF_CONNTRACK && NF_NAT
420         default NF_NAT && NF_CONNTRACK_TFTP
421 
422 config NF_NAT_REDIRECT
423         tristate "IPv4/IPv6 redirect support"
424         depends on NF_NAT
425         help
426           This is the kernel functionality to redirect packets to local
427           machine through NAT.
428 
429 config NETFILTER_SYNPROXY
430         tristate
431 
432 endif # NF_CONNTRACK
433 
434 config NF_TABLES
435         select NETFILTER_NETLINK
436         tristate "Netfilter nf_tables support"
437         help
438           nftables is the new packet classification framework that intends to
439           replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
440           provides a pseudo-state machine with an extensible instruction-set
441           (also known as expressions) that the userspace 'nft' utility
442           (http://www.netfilter.org/projects/nftables) uses to build the
443           rule-set. It also comes with the generic set infrastructure that
444           allows you to construct mappings between matchings and actions
445           for performance lookups.
446 
447           To compile it as a module, choose M here.
448 
449 if NF_TABLES
450 
451 config NF_TABLES_INET
452         depends on IPV6
453         select NF_TABLES_IPV4
454         select NF_TABLES_IPV6
455         tristate "Netfilter nf_tables mixed IPv4/IPv6 tables support"
456         help
457           This option enables support for a mixed IPv4/IPv6 "inet" table.
458 
459 config NF_TABLES_NETDEV
460         tristate "Netfilter nf_tables netdev tables support"
461         help
462           This option enables support for the "netdev" table.
463 
464 config NFT_EXTHDR
465         tristate "Netfilter nf_tables IPv6 exthdr module"
466         help
467           This option adds the "exthdr" expression that you can use to match
468           IPv6 extension headers.
469 
470 config NFT_META
471         tristate "Netfilter nf_tables meta module"
472         help
473           This option adds the "meta" expression that you can use to match and
474           to set packet metainformation such as the packet mark.
475 
476 config NFT_CT
477         depends on NF_CONNTRACK
478         tristate "Netfilter nf_tables conntrack module"
479         help
480           This option adds the "meta" expression that you can use to match
481           connection tracking information such as the flow state.
482 
483 config NFT_RBTREE
484         tristate "Netfilter nf_tables rbtree set module"
485         help
486           This option adds the "rbtree" set type (Red Black tree) that is used
487           to build interval-based sets.
488 
489 config NFT_HASH
490         tristate "Netfilter nf_tables hash set module"
491         help
492           This option adds the "hash" set type that is used to build one-way
493           mappings between matchings and actions.
494 
495 config NFT_COUNTER
496         tristate "Netfilter nf_tables counter module"
497         help
498           This option adds the "counter" expression that you can use to
499           include packet and byte counters in a rule.
500 
501 config NFT_LOG
502         tristate "Netfilter nf_tables log module"
503         help
504           This option adds the "log" expression that you can use to log
505           packets matching some criteria.
506 
507 config NFT_LIMIT
508         tristate "Netfilter nf_tables limit module"
509         help
510           This option adds the "limit" expression that you can use to
511           ratelimit rule matchings.
512 
513 config NFT_MASQ
514         depends on NF_CONNTRACK
515         depends on NF_NAT
516         tristate "Netfilter nf_tables masquerade support"
517         help
518           This option adds the "masquerade" expression that you can use
519           to perform NAT in the masquerade flavour.
520 
521 config NFT_REDIR
522         depends on NF_CONNTRACK
523         depends on NF_NAT
524         tristate "Netfilter nf_tables redirect support"
525         help
526           This options adds the "redirect" expression that you can use
527           to perform NAT in the redirect flavour.
528 
529 config NFT_NAT
530         depends on NF_CONNTRACK
531         select NF_NAT
532         tristate "Netfilter nf_tables nat module"
533         help
534           This option adds the "nat" expression that you can use to perform
535           typical Network Address Translation (NAT) packet transformations.
536 
537 config NFT_QUEUE
538         depends on NETFILTER_NETLINK_QUEUE
539         tristate "Netfilter nf_tables queue module"
540         help
541           This is required if you intend to use the userspace queueing
542           infrastructure (also known as NFQUEUE) from nftables.
543 
544 config NFT_REJECT
545         default m if NETFILTER_ADVANCED=n
546         tristate "Netfilter nf_tables reject support"
547         help
548           This option adds the "reject" expression that you can use to
549           explicitly deny and notify via TCP reset/ICMP informational errors
550           unallowed traffic.
551 
552 config NFT_REJECT_INET
553         depends on NF_TABLES_INET
554         default NFT_REJECT
555         tristate
556 
557 config NFT_COMPAT
558         depends on NETFILTER_XTABLES
559         tristate "Netfilter x_tables over nf_tables module"
560         help
561           This is required if you intend to use any of existing
562           x_tables match/target extensions over the nf_tables
563           framework.
564 
565 endif # NF_TABLES
566 
567 config NETFILTER_XTABLES
568         tristate "Netfilter Xtables support (required for ip_tables)"
569         default m if NETFILTER_ADVANCED=n
570         help
571           This is required if you intend to use any of ip_tables,
572           ip6_tables or arp_tables.
573 
574 if NETFILTER_XTABLES
575 
576 comment "Xtables combined modules"
577 
578 config NETFILTER_XT_MARK
579         tristate 'nfmark target and match support'
580         default m if NETFILTER_ADVANCED=n
581         ---help---
582         This option adds the "MARK" target and "mark" match.
583 
584         Netfilter mark matching allows you to match packets based on the
585         "nfmark" value in the packet.
586         The target allows you to create rules in the "mangle" table which alter
587         the netfilter mark (nfmark) field associated with the packet.
588 
589         Prior to routing, the nfmark can influence the routing method (see
590         "Use netfilter MARK value as routing key") and can also be used by
591         other subsystems to change their behavior.
592 
593 config NETFILTER_XT_CONNMARK
594         tristate 'ctmark target and match support'
595         depends on NF_CONNTRACK
596         depends on NETFILTER_ADVANCED
597         select NF_CONNTRACK_MARK
598         ---help---
599         This option adds the "CONNMARK" target and "connmark" match.
600 
601         Netfilter allows you to store a mark value per connection (a.k.a.
602         ctmark), similarly to the packet mark (nfmark). Using this
603         target and match, you can set and match on this mark.
604 
605 config NETFILTER_XT_SET
606         tristate 'set target and match support'
607         depends on IP_SET
608         depends on NETFILTER_ADVANCED
609         help
610           This option adds the "SET" target and "set" match.
611 
612           Using this target and match, you can add/delete and match
613           elements in the sets created by ipset(8).
614 
615           To compile it as a module, choose M here.  If unsure, say N.
616 
617 # alphabetically ordered list of targets
618 
619 comment "Xtables targets"
620 
621 config NETFILTER_XT_TARGET_AUDIT
622         tristate "AUDIT target support"
623         depends on AUDIT
624         depends on NETFILTER_ADVANCED
625         ---help---
626           This option adds a 'AUDIT' target, which can be used to create
627           audit records for packets dropped/accepted.
628 
629           To compileit as a module, choose M here. If unsure, say N.
630 
631 config NETFILTER_XT_TARGET_CHECKSUM
632         tristate "CHECKSUM target support"
633         depends on IP_NF_MANGLE || IP6_NF_MANGLE
634         depends on NETFILTER_ADVANCED
635         ---help---
636           This option adds a `CHECKSUM' target, which can be used in the iptables mangle
637           table.
638 
639           You can use this target to compute and fill in the checksum in
640           a packet that lacks a checksum.  This is particularly useful,
641           if you need to work around old applications such as dhcp clients,
642           that do not work well with checksum offloads, but don't want to disable
643           checksum offload in your device.
644 
645           To compile it as a module, choose M here.  If unsure, say N.
646 
647 config NETFILTER_XT_TARGET_CLASSIFY
648         tristate '"CLASSIFY" target support'
649         depends on NETFILTER_ADVANCED
650         help
651           This option adds a `CLASSIFY' target, which enables the user to set
652           the priority of a packet. Some qdiscs can use this value for
653           classification, among these are:
654 
655           atm, cbq, dsmark, pfifo_fast, htb, prio
656 
657           To compile it as a module, choose M here.  If unsure, say N.
658 
659 config NETFILTER_XT_TARGET_CONNMARK
660         tristate  '"CONNMARK" target support'
661         depends on NF_CONNTRACK
662         depends on NETFILTER_ADVANCED
663         select NETFILTER_XT_CONNMARK
664         ---help---
665         This is a backwards-compat option for the user's convenience
666         (e.g. when running oldconfig). It selects
667         CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
668 
669 config NETFILTER_XT_TARGET_CONNSECMARK
670         tristate '"CONNSECMARK" target support'
671         depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
672         default m if NETFILTER_ADVANCED=n
673         help
674           The CONNSECMARK target copies security markings from packets
675           to connections, and restores security markings from connections
676           to packets (if the packets are not already marked).  This would
677           normally be used in conjunction with the SECMARK target.
678 
679           To compile it as a module, choose M here.  If unsure, say N.
680 
681 config NETFILTER_XT_TARGET_CT
682         tristate '"CT" target support'
683         depends on NF_CONNTRACK
684         depends on IP_NF_RAW || IP6_NF_RAW
685         depends on NETFILTER_ADVANCED
686         help
687           This options adds a `CT' target, which allows to specify initial
688           connection tracking parameters like events to be delivered and
689           the helper to be used.
690 
691           To compile it as a module, choose M here.  If unsure, say N.
692 
693 config NETFILTER_XT_TARGET_DSCP
694         tristate '"DSCP" and "TOS" target support'
695         depends on IP_NF_MANGLE || IP6_NF_MANGLE
696         depends on NETFILTER_ADVANCED
697         help
698           This option adds a `DSCP' target, which allows you to manipulate
699           the IPv4/IPv6 header DSCP field (differentiated services codepoint).
700 
701           The DSCP field can have any value between 0x0 and 0x3f inclusive.
702 
703           It also adds the "TOS" target, which allows you to create rules in
704           the "mangle" table which alter the Type Of Service field of an IPv4
705           or the Priority field of an IPv6 packet, prior to routing.
706 
707           To compile it as a module, choose M here.  If unsure, say N.
708 
709 config NETFILTER_XT_TARGET_HL
710         tristate '"HL" hoplimit target support'
711         depends on IP_NF_MANGLE || IP6_NF_MANGLE
712         depends on NETFILTER_ADVANCED
713         ---help---
714         This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
715         targets, which enable the user to change the
716         hoplimit/time-to-live value of the IP header.
717 
718         While it is safe to decrement the hoplimit/TTL value, the
719         modules also allow to increment and set the hoplimit value of
720         the header to arbitrary values. This is EXTREMELY DANGEROUS
721         since you can easily create immortal packets that loop
722         forever on the network.
723 
724 config NETFILTER_XT_TARGET_HMARK
725         tristate '"HMARK" target support'
726         depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
727         depends on NETFILTER_ADVANCED
728         ---help---
729         This option adds the "HMARK" target.
730 
731         The target allows you to create rules in the "raw" and "mangle" tables
732         which set the skbuff mark by means of hash calculation within a given
733         range. The nfmark can influence the routing method (see "Use netfilter
734         MARK value as routing key") and can also be used by other subsystems to
735         change their behaviour.
736 
737         To compile it as a module, choose M here. If unsure, say N.
738 
739 config NETFILTER_XT_TARGET_IDLETIMER
740         tristate  "IDLETIMER target support"
741         depends on NETFILTER_ADVANCED
742         help
743 
744           This option adds the `IDLETIMER' target.  Each matching packet
745           resets the timer associated with label specified when the rule is
746           added.  When the timer expires, it triggers a sysfs notification.
747           The remaining time for expiration can be read via sysfs.
748 
749           To compile it as a module, choose M here.  If unsure, say N.
750 
751 config NETFILTER_XT_TARGET_LED
752         tristate '"LED" target support'
753         depends on LEDS_CLASS && LEDS_TRIGGERS
754         depends on NETFILTER_ADVANCED
755         help
756           This option adds a `LED' target, which allows you to blink LEDs in
757           response to particular packets passing through your machine.
758 
759           This can be used to turn a spare LED into a network activity LED,
760           which only flashes in response to FTP transfers, for example.  Or
761           you could have an LED which lights up for a minute or two every time
762           somebody connects to your machine via SSH.
763 
764           You will need support for the "led" class to make this work.
765 
766           To create an LED trigger for incoming SSH traffic:
767             iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
768 
769           Then attach the new trigger to an LED on your system:
770             echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
771 
772           For more information on the LEDs available on your system, see
773           Documentation/leds/leds-class.txt
774 
775 config NETFILTER_XT_TARGET_LOG
776         tristate "LOG target support"
777         select NF_LOG_COMMON
778         select NF_LOG_IPV4
779         select NF_LOG_IPV6 if IPV6
780         default m if NETFILTER_ADVANCED=n
781         help
782           This option adds a `LOG' target, which allows you to create rules in
783           any iptables table which records the packet header to the syslog.
784 
785           To compile it as a module, choose M here.  If unsure, say N.
786 
787 config NETFILTER_XT_TARGET_MARK
788         tristate '"MARK" target support'
789         depends on NETFILTER_ADVANCED
790         select NETFILTER_XT_MARK
791         ---help---
792         This is a backwards-compat option for the user's convenience
793         (e.g. when running oldconfig). It selects
794         CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
795 
796 config NETFILTER_XT_NAT
797         tristate '"SNAT and DNAT" targets support'
798         depends on NF_NAT
799         ---help---
800         This option enables the SNAT and DNAT targets.
801 
802         To compile it as a module, choose M here. If unsure, say N.
803 
804 config NETFILTER_XT_TARGET_NETMAP
805         tristate '"NETMAP" target support'
806         depends on NF_NAT
807         ---help---
808         NETMAP is an implementation of static 1:1 NAT mapping of network
809         addresses. It maps the network address part, while keeping the host
810         address part intact.
811 
812         To compile it as a module, choose M here. If unsure, say N.
813 
814 config NETFILTER_XT_TARGET_NFLOG
815         tristate '"NFLOG" target support'
816         default m if NETFILTER_ADVANCED=n
817         select NETFILTER_NETLINK_LOG
818         help
819           This option enables the NFLOG target, which allows to LOG
820           messages through nfnetlink_log.
821 
822           To compile it as a module, choose M here.  If unsure, say N.
823 
824 config NETFILTER_XT_TARGET_NFQUEUE
825         tristate '"NFQUEUE" target Support'
826         depends on NETFILTER_ADVANCED
827         select NETFILTER_NETLINK_QUEUE
828         help
829           This target replaced the old obsolete QUEUE target.
830 
831           As opposed to QUEUE, it supports 65535 different queues,
832           not just one.
833 
834           To compile it as a module, choose M here.  If unsure, say N.
835 
836 config NETFILTER_XT_TARGET_NOTRACK
837         tristate  '"NOTRACK" target support (DEPRECATED)'
838         depends on NF_CONNTRACK
839         depends on IP_NF_RAW || IP6_NF_RAW
840         depends on NETFILTER_ADVANCED
841         select NETFILTER_XT_TARGET_CT
842 
843 config NETFILTER_XT_TARGET_RATEEST
844         tristate '"RATEEST" target support'
845         depends on NETFILTER_ADVANCED
846         help
847           This option adds a `RATEEST' target, which allows to measure
848           rates similar to TC estimators. The `rateest' match can be
849           used to match on the measured rates.
850 
851           To compile it as a module, choose M here.  If unsure, say N.
852 
853 config NETFILTER_XT_TARGET_REDIRECT
854         tristate "REDIRECT target support"
855         depends on NF_NAT
856         select NF_NAT_REDIRECT
857         ---help---
858         REDIRECT is a special case of NAT: all incoming connections are
859         mapped onto the incoming interface's address, causing the packets to
860         come to the local machine instead of passing through. This is
861         useful for transparent proxies.
862 
863         To compile it as a module, choose M here. If unsure, say N.
864 
865 config NETFILTER_XT_TARGET_TEE
866         tristate '"TEE" - packet cloning to alternate destination'
867         depends on NETFILTER_ADVANCED
868         depends on IPV6 || IPV6=n
869         depends on !NF_CONNTRACK || NF_CONNTRACK
870         ---help---
871         This option adds a "TEE" target with which a packet can be cloned and
872         this clone be rerouted to another nexthop.
873 
874 config NETFILTER_XT_TARGET_TPROXY
875         tristate '"TPROXY" target transparent proxying support'
876         depends on NETFILTER_XTABLES
877         depends on NETFILTER_ADVANCED
878         depends on IPV6 || IPV6=n
879         depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
880         depends on IP_NF_MANGLE
881         select NF_DEFRAG_IPV4
882         select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
883         help
884           This option adds a `TPROXY' target, which is somewhat similar to
885           REDIRECT.  It can only be used in the mangle table and is useful
886           to redirect traffic to a transparent proxy.  It does _not_ depend
887           on Netfilter connection tracking and NAT, unlike REDIRECT.
888           For it to work you will have to configure certain iptables rules
889           and use policy routing. For more information on how to set it up
890           see Documentation/networking/tproxy.txt.
891 
892           To compile it as a module, choose M here.  If unsure, say N.
893 
894 config NETFILTER_XT_TARGET_TRACE
895         tristate  '"TRACE" target support'
896         depends on IP_NF_RAW || IP6_NF_RAW
897         depends on NETFILTER_ADVANCED
898         help
899           The TRACE target allows you to mark packets so that the kernel
900           will log every rule which match the packets as those traverse
901           the tables, chains, rules.
902 
903           If you want to compile it as a module, say M here and read
904           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
905 
906 config NETFILTER_XT_TARGET_SECMARK
907         tristate '"SECMARK" target support'
908         depends on NETWORK_SECMARK
909         default m if NETFILTER_ADVANCED=n
910         help
911           The SECMARK target allows security marking of network
912           packets, for use with security subsystems.
913 
914           To compile it as a module, choose M here.  If unsure, say N.
915 
916 config NETFILTER_XT_TARGET_TCPMSS
917         tristate '"TCPMSS" target support'
918         depends on IPV6 || IPV6=n
919         default m if NETFILTER_ADVANCED=n
920         ---help---
921           This option adds a `TCPMSS' target, which allows you to alter the
922           MSS value of TCP SYN packets, to control the maximum size for that
923           connection (usually limiting it to your outgoing interface's MTU
924           minus 40).
925 
926           This is used to overcome criminally braindead ISPs or servers which
927           block ICMP Fragmentation Needed packets.  The symptoms of this
928           problem are that everything works fine from your Linux
929           firewall/router, but machines behind it can never exchange large
930           packets:
931                 1) Web browsers connect, then hang with no data received.
932                 2) Small mail works fine, but large emails hang.
933                 3) ssh works fine, but scp hangs after initial handshaking.
934 
935           Workaround: activate this option and add a rule to your firewall
936           configuration like:
937 
938           iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
939                          -j TCPMSS --clamp-mss-to-pmtu
940 
941           To compile it as a module, choose M here.  If unsure, say N.
942 
943 config NETFILTER_XT_TARGET_TCPOPTSTRIP
944         tristate '"TCPOPTSTRIP" target support'
945         depends on IP_NF_MANGLE || IP6_NF_MANGLE
946         depends on NETFILTER_ADVANCED
947         help
948           This option adds a "TCPOPTSTRIP" target, which allows you to strip
949           TCP options from TCP packets.
950 
951 # alphabetically ordered list of matches
952 
953 comment "Xtables matches"
954 
955 config NETFILTER_XT_MATCH_ADDRTYPE
956         tristate '"addrtype" address type match support'
957         default m if NETFILTER_ADVANCED=n
958         ---help---
959           This option allows you to match what routing thinks of an address,
960           eg. UNICAST, LOCAL, BROADCAST, ...
961 
962           If you want to compile it as a module, say M here and read
963           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
964 
965 config NETFILTER_XT_MATCH_BPF
966         tristate '"bpf" match support'
967         depends on NETFILTER_ADVANCED
968         help
969           BPF matching applies a linux socket filter to each packet and
970           accepts those for which the filter returns non-zero.
971 
972           To compile it as a module, choose M here.  If unsure, say N.
973 
974 config NETFILTER_XT_MATCH_CGROUP
975         tristate '"control group" match support'
976         depends on NETFILTER_ADVANCED
977         depends on CGROUPS
978         select CGROUP_NET_CLASSID
979         ---help---
980         Socket/process control group matching allows you to match locally
981         generated packets based on which net_cls control group processes
982         belong to.
983 
984 config NETFILTER_XT_MATCH_CLUSTER
985         tristate '"cluster" match support'
986         depends on NF_CONNTRACK
987         depends on NETFILTER_ADVANCED
988         ---help---
989           This option allows you to build work-load-sharing clusters of
990           network servers/stateful firewalls without having a dedicated
991           load-balancing router/server/switch. Basically, this match returns
992           true when the packet must be handled by this cluster node. Thus,
993           all nodes see all packets and this match decides which node handles
994           what packets. The work-load sharing algorithm is based on source
995           address hashing.
996 
997           If you say Y or M here, try `iptables -m cluster --help` for
998           more information.
999 
1000 config NETFILTER_XT_MATCH_COMMENT
1001         tristate  '"comment" match support'
1002         depends on NETFILTER_ADVANCED
1003         help
1004           This option adds a `comment' dummy-match, which allows you to put
1005           comments in your iptables ruleset.
1006 
1007           If you want to compile it as a module, say M here and read
1008           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1009 
1010 config NETFILTER_XT_MATCH_CONNBYTES
1011         tristate  '"connbytes" per-connection counter match support'
1012         depends on NF_CONNTRACK
1013         depends on NETFILTER_ADVANCED
1014         help
1015           This option adds a `connbytes' match, which allows you to match the
1016           number of bytes and/or packets for each direction within a connection.
1017 
1018           If you want to compile it as a module, say M here and read
1019           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1020 
1021 config NETFILTER_XT_MATCH_CONNLABEL
1022         tristate '"connlabel" match support'
1023         select NF_CONNTRACK_LABELS
1024         depends on NF_CONNTRACK
1025         depends on NETFILTER_ADVANCED
1026         ---help---
1027           This match allows you to test and assign userspace-defined labels names
1028           to a connection.  The kernel only stores bit values - mapping
1029           names to bits is done by userspace.
1030 
1031           Unlike connmark, more than 32 flag bits may be assigned to a
1032           connection simultaneously.
1033 
1034 config NETFILTER_XT_MATCH_CONNLIMIT
1035         tristate '"connlimit" match support'
1036         depends on NF_CONNTRACK
1037         depends on NETFILTER_ADVANCED
1038         ---help---
1039           This match allows you to match against the number of parallel
1040           connections to a server per client IP address (or address block).
1041 
1042 config NETFILTER_XT_MATCH_CONNMARK
1043         tristate  '"connmark" connection mark match support'
1044         depends on NF_CONNTRACK
1045         depends on NETFILTER_ADVANCED
1046         select NETFILTER_XT_CONNMARK
1047         ---help---
1048         This is a backwards-compat option for the user's convenience
1049         (e.g. when running oldconfig). It selects
1050         CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
1051 
1052 config NETFILTER_XT_MATCH_CONNTRACK
1053         tristate '"conntrack" connection tracking match support'
1054         depends on NF_CONNTRACK
1055         default m if NETFILTER_ADVANCED=n
1056         help
1057           This is a general conntrack match module, a superset of the state match.
1058 
1059           It allows matching on additional conntrack information, which is
1060           useful in complex configurations, such as NAT gateways with multiple
1061           internet links or tunnels.
1062 
1063           To compile it as a module, choose M here.  If unsure, say N.
1064 
1065 config NETFILTER_XT_MATCH_CPU
1066         tristate '"cpu" match support'
1067         depends on NETFILTER_ADVANCED
1068         help
1069           CPU matching allows you to match packets based on the CPU
1070           currently handling the packet.
1071 
1072           To compile it as a module, choose M here.  If unsure, say N.
1073 
1074 config NETFILTER_XT_MATCH_DCCP
1075         tristate '"dccp" protocol match support'
1076         depends on NETFILTER_ADVANCED
1077         default IP_DCCP
1078         help
1079           With this option enabled, you will be able to use the iptables
1080           `dccp' match in order to match on DCCP source/destination ports
1081           and DCCP flags.
1082 
1083           If you want to compile it as a module, say M here and read
1084           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1085 
1086 config NETFILTER_XT_MATCH_DEVGROUP
1087         tristate '"devgroup" match support'
1088         depends on NETFILTER_ADVANCED
1089         help
1090           This options adds a `devgroup' match, which allows to match on the
1091           device group a network device is assigned to.
1092 
1093           To compile it as a module, choose M here.  If unsure, say N.
1094 
1095 config NETFILTER_XT_MATCH_DSCP
1096         tristate '"dscp" and "tos" match support'
1097         depends on NETFILTER_ADVANCED
1098         help
1099           This option adds a `DSCP' match, which allows you to match against
1100           the IPv4/IPv6 header DSCP field (differentiated services codepoint).
1101 
1102           The DSCP field can have any value between 0x0 and 0x3f inclusive.
1103 
1104           It will also add a "tos" match, which allows you to match packets
1105           based on the Type Of Service fields of the IPv4 packet (which share
1106           the same bits as DSCP).
1107 
1108           To compile it as a module, choose M here.  If unsure, say N.
1109 
1110 config NETFILTER_XT_MATCH_ECN
1111         tristate '"ecn" match support'
1112         depends on NETFILTER_ADVANCED
1113         ---help---
1114         This option adds an "ECN" match, which allows you to match against
1115         the IPv4 and TCP header ECN fields.
1116 
1117         To compile it as a module, choose M here. If unsure, say N.
1118 
1119 config NETFILTER_XT_MATCH_ESP
1120         tristate '"esp" match support'
1121         depends on NETFILTER_ADVANCED
1122         help
1123           This match extension allows you to match a range of SPIs
1124           inside ESP header of IPSec packets.
1125 
1126           To compile it as a module, choose M here.  If unsure, say N.
1127 
1128 config NETFILTER_XT_MATCH_HASHLIMIT
1129         tristate '"hashlimit" match support'
1130         depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1131         depends on NETFILTER_ADVANCED
1132         help
1133           This option adds a `hashlimit' match.
1134 
1135           As opposed to `limit', this match dynamically creates a hash table
1136           of limit buckets, based on your selection of source/destination
1137           addresses and/or ports.
1138 
1139           It enables you to express policies like `10kpps for any given
1140           destination address' or `500pps from any given source address'
1141           with a single rule.
1142 
1143 config NETFILTER_XT_MATCH_HELPER
1144         tristate '"helper" match support'
1145         depends on NF_CONNTRACK
1146         depends on NETFILTER_ADVANCED
1147         help
1148           Helper matching allows you to match packets in dynamic connections
1149           tracked by a conntrack-helper, ie. ip_conntrack_ftp
1150 
1151           To compile it as a module, choose M here.  If unsure, say Y.
1152 
1153 config NETFILTER_XT_MATCH_HL
1154         tristate '"hl" hoplimit/TTL match support'
1155         depends on NETFILTER_ADVANCED
1156         ---help---
1157         HL matching allows you to match packets based on the hoplimit
1158         in the IPv6 header, or the time-to-live field in the IPv4
1159         header of the packet.
1160 
1161 config NETFILTER_XT_MATCH_IPCOMP
1162         tristate '"ipcomp" match support'
1163         depends on NETFILTER_ADVANCED
1164         help
1165           This match extension allows you to match a range of CPIs(16 bits)
1166           inside IPComp header of IPSec packets.
1167 
1168           To compile it as a module, choose M here.  If unsure, say N.
1169 
1170 config NETFILTER_XT_MATCH_IPRANGE
1171         tristate '"iprange" address range match support'
1172         depends on NETFILTER_ADVANCED
1173         ---help---
1174         This option adds a "iprange" match, which allows you to match based on
1175         an IP address range. (Normal iptables only matches on single addresses
1176         with an optional mask.)
1177 
1178         If unsure, say M.
1179 
1180 config NETFILTER_XT_MATCH_IPVS
1181         tristate '"ipvs" match support'
1182         depends on IP_VS
1183         depends on NETFILTER_ADVANCED
1184         depends on NF_CONNTRACK
1185         help
1186           This option allows you to match against IPVS properties of a packet.
1187 
1188           If unsure, say N.
1189 
1190 config NETFILTER_XT_MATCH_L2TP
1191         tristate '"l2tp" match support'
1192         depends on NETFILTER_ADVANCED
1193         default L2TP
1194         ---help---
1195         This option adds an "L2TP" match, which allows you to match against
1196         L2TP protocol header fields.
1197 
1198         To compile it as a module, choose M here. If unsure, say N.
1199 
1200 config NETFILTER_XT_MATCH_LENGTH
1201         tristate '"length" match support'
1202         depends on NETFILTER_ADVANCED
1203         help
1204           This option allows you to match the length of a packet against a
1205           specific value or range of values.
1206 
1207           To compile it as a module, choose M here.  If unsure, say N.
1208 
1209 config NETFILTER_XT_MATCH_LIMIT
1210         tristate '"limit" match support'
1211         depends on NETFILTER_ADVANCED
1212         help
1213           limit matching allows you to control the rate at which a rule can be
1214           matched: mainly useful in combination with the LOG target ("LOG
1215           target support", below) and to avoid some Denial of Service attacks.
1216 
1217           To compile it as a module, choose M here.  If unsure, say N.
1218 
1219 config NETFILTER_XT_MATCH_MAC
1220         tristate '"mac" address match support'
1221         depends on NETFILTER_ADVANCED
1222         help
1223           MAC matching allows you to match packets based on the source
1224           Ethernet address of the packet.
1225 
1226           To compile it as a module, choose M here.  If unsure, say N.
1227 
1228 config NETFILTER_XT_MATCH_MARK
1229         tristate '"mark" match support'
1230         depends on NETFILTER_ADVANCED
1231         select NETFILTER_XT_MARK
1232         ---help---
1233         This is a backwards-compat option for the user's convenience
1234         (e.g. when running oldconfig). It selects
1235         CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
1236 
1237 config NETFILTER_XT_MATCH_MULTIPORT
1238         tristate '"multiport" Multiple port match support'
1239         depends on NETFILTER_ADVANCED
1240         help
1241           Multiport matching allows you to match TCP or UDP packets based on
1242           a series of source or destination ports: normally a rule can only
1243           match a single range of ports.
1244 
1245           To compile it as a module, choose M here.  If unsure, say N.
1246 
1247 config NETFILTER_XT_MATCH_NFACCT
1248         tristate '"nfacct" match support'
1249         depends on NETFILTER_ADVANCED
1250         select NETFILTER_NETLINK_ACCT
1251         help
1252           This option allows you to use the extended accounting through
1253           nfnetlink_acct.
1254 
1255           To compile it as a module, choose M here.  If unsure, say N.
1256 
1257 config NETFILTER_XT_MATCH_OSF
1258         tristate '"osf" Passive OS fingerprint match'
1259         depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
1260         help
1261           This option selects the Passive OS Fingerprinting match module
1262           that allows to passively match the remote operating system by
1263           analyzing incoming TCP SYN packets.
1264 
1265           Rules and loading software can be downloaded from
1266           http://www.ioremap.net/projects/osf
1267 
1268           To compile it as a module, choose M here.  If unsure, say N.
1269 
1270 config NETFILTER_XT_MATCH_OWNER
1271         tristate '"owner" match support'
1272         depends on NETFILTER_ADVANCED
1273         ---help---
1274         Socket owner matching allows you to match locally-generated packets
1275         based on who created the socket: the user or group. It is also
1276         possible to check whether a socket actually exists.
1277 
1278 config NETFILTER_XT_MATCH_POLICY
1279         tristate 'IPsec "policy" match support'
1280         depends on XFRM
1281         default m if NETFILTER_ADVANCED=n
1282         help
1283           Policy matching allows you to match packets based on the
1284           IPsec policy that was used during decapsulation/will
1285           be used during encapsulation.
1286 
1287           To compile it as a module, choose M here.  If unsure, say N.
1288 
1289 config NETFILTER_XT_MATCH_PHYSDEV
1290         tristate '"physdev" match support'
1291         depends on BRIDGE && BRIDGE_NETFILTER
1292         depends on NETFILTER_ADVANCED
1293         help
1294           Physdev packet matching matches against the physical bridge ports
1295           the IP packet arrived on or will leave by.
1296 
1297           To compile it as a module, choose M here.  If unsure, say N.
1298 
1299 config NETFILTER_XT_MATCH_PKTTYPE
1300         tristate '"pkttype" packet type match support'
1301         depends on NETFILTER_ADVANCED
1302         help
1303           Packet type matching allows you to match a packet by
1304           its "class", eg. BROADCAST, MULTICAST, ...
1305 
1306           Typical usage:
1307           iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
1308 
1309           To compile it as a module, choose M here.  If unsure, say N.
1310 
1311 config NETFILTER_XT_MATCH_QUOTA
1312         tristate '"quota" match support'
1313         depends on NETFILTER_ADVANCED
1314         help
1315           This option adds a `quota' match, which allows to match on a
1316           byte counter.
1317 
1318           If you want to compile it as a module, say M here and read
1319           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1320 
1321 config NETFILTER_XT_MATCH_RATEEST
1322         tristate '"rateest" match support'
1323         depends on NETFILTER_ADVANCED
1324         select NETFILTER_XT_TARGET_RATEEST
1325         help
1326           This option adds a `rateest' match, which allows to match on the
1327           rate estimated by the RATEEST target.
1328 
1329           To compile it as a module, choose M here.  If unsure, say N.
1330 
1331 config NETFILTER_XT_MATCH_REALM
1332         tristate  '"realm" match support'
1333         depends on NETFILTER_ADVANCED
1334         select IP_ROUTE_CLASSID
1335         help
1336           This option adds a `realm' match, which allows you to use the realm
1337           key from the routing subsystem inside iptables.
1338 
1339           This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option 
1340           in tc world.
1341 
1342           If you want to compile it as a module, say M here and read
1343           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1344 
1345 config NETFILTER_XT_MATCH_RECENT
1346         tristate '"recent" match support'
1347         depends on NETFILTER_ADVANCED
1348         ---help---
1349         This match is used for creating one or many lists of recently
1350         used addresses and then matching against that/those list(s).
1351 
1352         Short options are available by using 'iptables -m recent -h'
1353         Official Website: <http://snowman.net/projects/ipt_recent/>
1354 
1355 config NETFILTER_XT_MATCH_SCTP
1356         tristate  '"sctp" protocol match support'
1357         depends on NETFILTER_ADVANCED
1358         default IP_SCTP
1359         help
1360           With this option enabled, you will be able to use the 
1361           `sctp' match in order to match on SCTP source/destination ports
1362           and SCTP chunk types.
1363 
1364           If you want to compile it as a module, say M here and read
1365           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1366 
1367 config NETFILTER_XT_MATCH_SOCKET
1368         tristate '"socket" match support'
1369         depends on NETFILTER_XTABLES
1370         depends on NETFILTER_ADVANCED
1371         depends on !NF_CONNTRACK || NF_CONNTRACK
1372         depends on IPV6 || IPV6=n
1373         depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1374         select NF_DEFRAG_IPV4
1375         select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
1376         help
1377           This option adds a `socket' match, which can be used to match
1378           packets for which a TCP or UDP socket lookup finds a valid socket.
1379           It can be used in combination with the MARK target and policy
1380           routing to implement full featured non-locally bound sockets.
1381 
1382           To compile it as a module, choose M here.  If unsure, say N.
1383 
1384 config NETFILTER_XT_MATCH_STATE
1385         tristate '"state" match support'
1386         depends on NF_CONNTRACK
1387         default m if NETFILTER_ADVANCED=n
1388         help
1389           Connection state matching allows you to match packets based on their
1390           relationship to a tracked connection (ie. previous packets).  This
1391           is a powerful tool for packet classification.
1392 
1393           To compile it as a module, choose M here.  If unsure, say N.
1394 
1395 config NETFILTER_XT_MATCH_STATISTIC
1396         tristate '"statistic" match support'
1397         depends on NETFILTER_ADVANCED
1398         help
1399           This option adds a `statistic' match, which allows you to match
1400           on packets periodically or randomly with a given percentage.
1401 
1402           To compile it as a module, choose M here.  If unsure, say N.
1403 
1404 config NETFILTER_XT_MATCH_STRING
1405         tristate  '"string" match support'
1406         depends on NETFILTER_ADVANCED
1407         select TEXTSEARCH
1408         select TEXTSEARCH_KMP
1409         select TEXTSEARCH_BM
1410         select TEXTSEARCH_FSM
1411         help
1412           This option adds a `string' match, which allows you to look for
1413           pattern matchings in packets.
1414 
1415           To compile it as a module, choose M here.  If unsure, say N.
1416 
1417 config NETFILTER_XT_MATCH_TCPMSS
1418         tristate '"tcpmss" match support'
1419         depends on NETFILTER_ADVANCED
1420         help
1421           This option adds a `tcpmss' match, which allows you to examine the
1422           MSS value of TCP SYN packets, which control the maximum packet size
1423           for that connection.
1424 
1425           To compile it as a module, choose M here.  If unsure, say N.
1426 
1427 config NETFILTER_XT_MATCH_TIME
1428         tristate '"time" match support'
1429         depends on NETFILTER_ADVANCED
1430         ---help---
1431           This option adds a "time" match, which allows you to match based on
1432           the packet arrival time (at the machine which netfilter is running)
1433           on) or departure time/date (for locally generated packets).
1434 
1435           If you say Y here, try `iptables -m time --help` for
1436           more information.
1437 
1438           If you want to compile it as a module, say M here.
1439           If unsure, say N.
1440 
1441 config NETFILTER_XT_MATCH_U32
1442         tristate '"u32" match support'
1443         depends on NETFILTER_ADVANCED
1444         ---help---
1445           u32 allows you to extract quantities of up to 4 bytes from a packet,
1446           AND them with specified masks, shift them by specified amounts and
1447           test whether the results are in any of a set of specified ranges.
1448           The specification of what to extract is general enough to skip over
1449           headers with lengths stored in the packet, as in IP or TCP header
1450           lengths.
1451 
1452           Details and examples are in the kernel module source.
1453 
1454 endif # NETFILTER_XTABLES
1455 
1456 endmenu
1457 
1458 source "net/netfilter/ipset/Kconfig"
1459 
1460 source "net/netfilter/ipvs/Kconfig"

This page was automatically generated by LXR 0.3.1 (source).  •  Linux is a registered trademark of Linus Torvalds  •  Contact us