Version:  2.0.40 2.2.26 2.4.37 3.12 3.13 3.14 3.15 3.16 3.17 3.18 3.19 4.0 4.1 4.2 4.3 4.4 4.5 4.6 4.7 4.8 4.9

Linux/net/netfilter/Kconfig

  1 menu "Core Netfilter Configuration"
  2         depends on NET && INET && NETFILTER
  3 
  4 config NETFILTER_INGRESS
  5         bool "Netfilter ingress support"
  6         default y
  7         select NET_INGRESS
  8         help
  9           This allows you to classify packets from ingress using the Netfilter
 10           infrastructure.
 11 
 12 config NETFILTER_NETLINK
 13         tristate
 14 
 15 config NETFILTER_NETLINK_ACCT
 16 tristate "Netfilter NFACCT over NFNETLINK interface"
 17         depends on NETFILTER_ADVANCED
 18         select NETFILTER_NETLINK
 19         help
 20           If this option is enabled, the kernel will include support
 21           for extended accounting via NFNETLINK.
 22 
 23 config NETFILTER_NETLINK_QUEUE
 24         tristate "Netfilter NFQUEUE over NFNETLINK interface"
 25         depends on NETFILTER_ADVANCED
 26         select NETFILTER_NETLINK
 27         help
 28           If this option is enabled, the kernel will include support
 29           for queueing packets via NFNETLINK.
 30           
 31 config NETFILTER_NETLINK_LOG
 32         tristate "Netfilter LOG over NFNETLINK interface"
 33         default m if NETFILTER_ADVANCED=n
 34         select NETFILTER_NETLINK
 35         help
 36           If this option is enabled, the kernel will include support
 37           for logging packets via NFNETLINK.
 38 
 39           This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms,
 40           and is also scheduled to replace the old syslog-based ipt_LOG
 41           and ip6t_LOG modules.
 42 
 43 config NF_CONNTRACK
 44         tristate "Netfilter connection tracking support"
 45         default m if NETFILTER_ADVANCED=n
 46         help
 47           Connection tracking keeps a record of what packets have passed
 48           through your machine, in order to figure out how they are related
 49           into connections.
 50 
 51           This is required to do Masquerading or other kinds of Network
 52           Address Translation.  It can also be used to enhance packet
 53           filtering (see `Connection state match support' below).
 54 
 55           To compile it as a module, choose M here.  If unsure, say N.
 56 
 57 config NF_LOG_COMMON
 58         tristate
 59 
 60 if NF_CONNTRACK
 61 
 62 config NF_CONNTRACK_MARK
 63         bool  'Connection mark tracking support'
 64         depends on NETFILTER_ADVANCED
 65         help
 66           This option enables support for connection marks, used by the
 67           `CONNMARK' target and `connmark' match. Similar to the mark value
 68           of packets, but this mark value is kept in the conntrack session
 69           instead of the individual packets.
 70 
 71 config NF_CONNTRACK_SECMARK
 72         bool  'Connection tracking security mark support'
 73         depends on NETWORK_SECMARK
 74         default m if NETFILTER_ADVANCED=n
 75         help
 76           This option enables security markings to be applied to
 77           connections.  Typically they are copied to connections from
 78           packets using the CONNSECMARK target and copied back from
 79           connections to packets with the same target, with the packets
 80           being originally labeled via SECMARK.
 81 
 82           If unsure, say 'N'.
 83 
 84 config NF_CONNTRACK_ZONES
 85         bool  'Connection tracking zones'
 86         depends on NETFILTER_ADVANCED
 87         depends on NETFILTER_XT_TARGET_CT
 88         help
 89           This option enables support for connection tracking zones.
 90           Normally, each connection needs to have a unique system wide
 91           identity. Connection tracking zones allow to have multiple
 92           connections using the same identity, as long as they are
 93           contained in different zones.
 94 
 95           If unsure, say `N'.
 96 
 97 config NF_CONNTRACK_PROCFS
 98         bool "Supply CT list in procfs (OBSOLETE)"
 99         default y
100         depends on PROC_FS
101         ---help---
102         This option enables for the list of known conntrack entries
103         to be shown in procfs under net/netfilter/nf_conntrack. This
104         is considered obsolete in favor of using the conntrack(8)
105         tool which uses Netlink.
106 
107 config NF_CONNTRACK_EVENTS
108         bool "Connection tracking events"
109         depends on NETFILTER_ADVANCED
110         help
111           If this option is enabled, the connection tracking code will
112           provide a notifier chain that can be used by other kernel code
113           to get notified about changes in the connection tracking state.
114 
115           If unsure, say `N'.
116 
117 config NF_CONNTRACK_TIMEOUT
118         bool  'Connection tracking timeout'
119         depends on NETFILTER_ADVANCED
120         help
121           This option enables support for connection tracking timeout
122           extension. This allows you to attach timeout policies to flow
123           via the CT target.
124 
125           If unsure, say `N'.
126 
127 config NF_CONNTRACK_TIMESTAMP
128         bool  'Connection tracking timestamping'
129         depends on NETFILTER_ADVANCED
130         help
131           This option enables support for connection tracking timestamping.
132           This allows you to store the flow start-time and to obtain
133           the flow-stop time (once it has been destroyed) via Connection
134           tracking events.
135 
136           If unsure, say `N'.
137 
138 config NF_CONNTRACK_LABELS
139         bool
140         help
141           This option enables support for assigning user-defined flag bits
142           to connection tracking entries.  It selected by the connlabel match.
143 
144 config NF_CT_PROTO_DCCP
145         tristate 'DCCP protocol connection tracking support'
146         depends on NETFILTER_ADVANCED
147         default IP_DCCP
148         help
149           With this option enabled, the layer 3 independent connection
150           tracking code will be able to do state tracking on DCCP connections.
151 
152           If unsure, say 'N'.
153 
154 config NF_CT_PROTO_GRE
155         tristate
156 
157 config NF_CT_PROTO_SCTP
158         tristate 'SCTP protocol connection tracking support'
159         depends on NETFILTER_ADVANCED
160         default IP_SCTP
161         help
162           With this option enabled, the layer 3 independent connection
163           tracking code will be able to do state tracking on SCTP connections.
164 
165           If you want to compile it as a module, say M here and read
166           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
167 
168 config NF_CT_PROTO_UDPLITE
169         tristate 'UDP-Lite protocol connection tracking support'
170         depends on NETFILTER_ADVANCED
171         help
172           With this option enabled, the layer 3 independent connection
173           tracking code will be able to do state tracking on UDP-Lite
174           connections.
175 
176           To compile it as a module, choose M here.  If unsure, say N.
177 
178 config NF_CONNTRACK_AMANDA
179         tristate "Amanda backup protocol support"
180         depends on NETFILTER_ADVANCED
181         select TEXTSEARCH
182         select TEXTSEARCH_KMP
183         help
184           If you are running the Amanda backup package <http://www.amanda.org/>
185           on this machine or machines that will be MASQUERADED through this
186           machine, then you may want to enable this feature.  This allows the
187           connection tracking and natting code to allow the sub-channels that
188           Amanda requires for communication of the backup data, messages and
189           index.
190 
191           To compile it as a module, choose M here.  If unsure, say N.
192 
193 config NF_CONNTRACK_FTP
194         tristate "FTP protocol support"
195         default m if NETFILTER_ADVANCED=n
196         help
197           Tracking FTP connections is problematic: special helpers are
198           required for tracking them, and doing masquerading and other forms
199           of Network Address Translation on them.
200 
201           This is FTP support on Layer 3 independent connection tracking.
202           Layer 3 independent connection tracking is experimental scheme
203           which generalize ip_conntrack to support other layer 3 protocols.
204 
205           To compile it as a module, choose M here.  If unsure, say N.
206 
207 config NF_CONNTRACK_H323
208         tristate "H.323 protocol support"
209         depends on IPV6 || IPV6=n
210         depends on NETFILTER_ADVANCED
211         help
212           H.323 is a VoIP signalling protocol from ITU-T. As one of the most
213           important VoIP protocols, it is widely used by voice hardware and
214           software including voice gateways, IP phones, Netmeeting, OpenPhone,
215           Gnomemeeting, etc.
216 
217           With this module you can support H.323 on a connection tracking/NAT
218           firewall.
219 
220           This module supports RAS, Fast Start, H.245 Tunnelling, Call
221           Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
222           whiteboard, file transfer, etc. For more information, please
223           visit http://nath323.sourceforge.net/.
224 
225           To compile it as a module, choose M here.  If unsure, say N.
226 
227 config NF_CONNTRACK_IRC
228         tristate "IRC protocol support"
229         default m if NETFILTER_ADVANCED=n
230         help
231           There is a commonly-used extension to IRC called
232           Direct Client-to-Client Protocol (DCC).  This enables users to send
233           files to each other, and also chat to each other without the need
234           of a server.  DCC Sending is used anywhere you send files over IRC,
235           and DCC Chat is most commonly used by Eggdrop bots.  If you are
236           using NAT, this extension will enable you to send files and initiate
237           chats.  Note that you do NOT need this extension to get files or
238           have others initiate chats, or everything else in IRC.
239 
240           To compile it as a module, choose M here.  If unsure, say N.
241 
242 config NF_CONNTRACK_BROADCAST
243         tristate
244 
245 config NF_CONNTRACK_NETBIOS_NS
246         tristate "NetBIOS name service protocol support"
247         select NF_CONNTRACK_BROADCAST
248         help
249           NetBIOS name service requests are sent as broadcast messages from an
250           unprivileged port and responded to with unicast messages to the
251           same port. This make them hard to firewall properly because connection
252           tracking doesn't deal with broadcasts. This helper tracks locally
253           originating NetBIOS name service requests and the corresponding
254           responses. It relies on correct IP address configuration, specifically
255           netmask and broadcast address. When properly configured, the output
256           of "ip address show" should look similar to this:
257 
258           $ ip -4 address show eth0
259           4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
260               inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
261 
262           To compile it as a module, choose M here.  If unsure, say N.
263 
264 config NF_CONNTRACK_SNMP
265         tristate "SNMP service protocol support"
266         depends on NETFILTER_ADVANCED
267         select NF_CONNTRACK_BROADCAST
268         help
269           SNMP service requests are sent as broadcast messages from an
270           unprivileged port and responded to with unicast messages to the
271           same port. This make them hard to firewall properly because connection
272           tracking doesn't deal with broadcasts. This helper tracks locally
273           originating SNMP service requests and the corresponding
274           responses. It relies on correct IP address configuration, specifically
275           netmask and broadcast address.
276 
277           To compile it as a module, choose M here.  If unsure, say N.
278 
279 config NF_CONNTRACK_PPTP
280         tristate "PPtP protocol support"
281         depends on NETFILTER_ADVANCED
282         select NF_CT_PROTO_GRE
283         help
284           This module adds support for PPTP (Point to Point Tunnelling
285           Protocol, RFC2637) connection tracking and NAT.
286 
287           If you are running PPTP sessions over a stateful firewall or NAT
288           box, you may want to enable this feature.
289 
290           Please note that not all PPTP modes of operation are supported yet.
291           Specifically these limitations exist:
292             - Blindly assumes that control connections are always established
293               in PNS->PAC direction. This is a violation of RFC2637.
294             - Only supports a single call within each session
295 
296           To compile it as a module, choose M here.  If unsure, say N.
297 
298 config NF_CONNTRACK_SANE
299         tristate "SANE protocol support"
300         depends on NETFILTER_ADVANCED
301         help
302           SANE is a protocol for remote access to scanners as implemented
303           by the 'saned' daemon. Like FTP, it uses separate control and
304           data connections.
305 
306           With this module you can support SANE on a connection tracking
307           firewall.
308 
309           To compile it as a module, choose M here.  If unsure, say N.
310 
311 config NF_CONNTRACK_SIP
312         tristate "SIP protocol support"
313         default m if NETFILTER_ADVANCED=n
314         help
315           SIP is an application-layer control protocol that can establish,
316           modify, and terminate multimedia sessions (conferences) such as
317           Internet telephony calls. With the ip_conntrack_sip and
318           the nf_nat_sip modules you can support the protocol on a connection
319           tracking/NATing firewall.
320 
321           To compile it as a module, choose M here.  If unsure, say N.
322 
323 config NF_CONNTRACK_TFTP
324         tristate "TFTP protocol support"
325         depends on NETFILTER_ADVANCED
326         help
327           TFTP connection tracking helper, this is required depending
328           on how restrictive your ruleset is.
329           If you are using a tftp client behind -j SNAT or -j MASQUERADING
330           you will need this.
331 
332           To compile it as a module, choose M here.  If unsure, say N.
333 
334 config NF_CT_NETLINK
335         tristate 'Connection tracking netlink interface'
336         select NETFILTER_NETLINK
337         default m if NETFILTER_ADVANCED=n
338         help
339           This option enables support for a netlink-based userspace interface
340 
341 config NF_CT_NETLINK_TIMEOUT
342         tristate  'Connection tracking timeout tuning via Netlink'
343         select NETFILTER_NETLINK
344         depends on NETFILTER_ADVANCED
345         help
346           This option enables support for connection tracking timeout
347           fine-grain tuning. This allows you to attach specific timeout
348           policies to flows, instead of using the global timeout policy.
349 
350           If unsure, say `N'.
351 
352 config NF_CT_NETLINK_HELPER
353         tristate 'Connection tracking helpers in user-space via Netlink'
354         select NETFILTER_NETLINK
355         depends on NF_CT_NETLINK
356         depends on NETFILTER_NETLINK_QUEUE
357         depends on NETFILTER_NETLINK_GLUE_CT
358         depends on NETFILTER_ADVANCED
359         help
360           This option enables the user-space connection tracking helpers
361           infrastructure.
362 
363           If unsure, say `N'.
364 
365 config NETFILTER_NETLINK_GLUE_CT
366         bool "NFQUEUE and NFLOG integration with Connection Tracking"
367         default n
368         depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
369         help
370           If this option is enabled, NFQUEUE and NFLOG can include
371           Connection Tracking information together with the packet is
372           the enqueued via NFNETLINK.
373 
374 config NF_NAT
375         tristate
376 
377 config NF_NAT_NEEDED
378         bool
379         depends on NF_NAT
380         default y
381 
382 config NF_NAT_PROTO_DCCP
383         tristate
384         depends on NF_NAT && NF_CT_PROTO_DCCP
385         default NF_NAT && NF_CT_PROTO_DCCP
386 
387 config NF_NAT_PROTO_UDPLITE
388         tristate
389         depends on NF_NAT && NF_CT_PROTO_UDPLITE
390         default NF_NAT && NF_CT_PROTO_UDPLITE
391 
392 config NF_NAT_PROTO_SCTP
393         tristate
394         default NF_NAT && NF_CT_PROTO_SCTP
395         depends on NF_NAT && NF_CT_PROTO_SCTP
396         select LIBCRC32C
397 
398 config NF_NAT_AMANDA
399         tristate
400         depends on NF_CONNTRACK && NF_NAT
401         default NF_NAT && NF_CONNTRACK_AMANDA
402 
403 config NF_NAT_FTP
404         tristate
405         depends on NF_CONNTRACK && NF_NAT
406         default NF_NAT && NF_CONNTRACK_FTP
407 
408 config NF_NAT_IRC
409         tristate
410         depends on NF_CONNTRACK && NF_NAT
411         default NF_NAT && NF_CONNTRACK_IRC
412 
413 config NF_NAT_SIP
414         tristate
415         depends on NF_CONNTRACK && NF_NAT
416         default NF_NAT && NF_CONNTRACK_SIP
417 
418 config NF_NAT_TFTP
419         tristate
420         depends on NF_CONNTRACK && NF_NAT
421         default NF_NAT && NF_CONNTRACK_TFTP
422 
423 config NF_NAT_REDIRECT
424         tristate "IPv4/IPv6 redirect support"
425         depends on NF_NAT
426         help
427           This is the kernel functionality to redirect packets to local
428           machine through NAT.
429 
430 config NETFILTER_SYNPROXY
431         tristate
432 
433 endif # NF_CONNTRACK
434 
435 config NF_TABLES
436         select NETFILTER_NETLINK
437         tristate "Netfilter nf_tables support"
438         help
439           nftables is the new packet classification framework that intends to
440           replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
441           provides a pseudo-state machine with an extensible instruction-set
442           (also known as expressions) that the userspace 'nft' utility
443           (http://www.netfilter.org/projects/nftables) uses to build the
444           rule-set. It also comes with the generic set infrastructure that
445           allows you to construct mappings between matchings and actions
446           for performance lookups.
447 
448           To compile it as a module, choose M here.
449 
450 if NF_TABLES
451 
452 config NF_TABLES_INET
453         depends on IPV6
454         select NF_TABLES_IPV4
455         select NF_TABLES_IPV6
456         tristate "Netfilter nf_tables mixed IPv4/IPv6 tables support"
457         help
458           This option enables support for a mixed IPv4/IPv6 "inet" table.
459 
460 config NF_TABLES_NETDEV
461         tristate "Netfilter nf_tables netdev tables support"
462         help
463           This option enables support for the "netdev" table.
464 
465 config NFT_EXTHDR
466         tristate "Netfilter nf_tables IPv6 exthdr module"
467         help
468           This option adds the "exthdr" expression that you can use to match
469           IPv6 extension headers.
470 
471 config NFT_META
472         tristate "Netfilter nf_tables meta module"
473         help
474           This option adds the "meta" expression that you can use to match and
475           to set packet metainformation such as the packet mark.
476 
477 config NFT_NUMGEN
478         tristate "Netfilter nf_tables number generator module"
479         help
480           This option adds the number generator expression used to perform
481           incremental counting and random numbers bound to a upper limit.
482 
483 config NFT_CT
484         depends on NF_CONNTRACK
485         tristate "Netfilter nf_tables conntrack module"
486         help
487           This option adds the "meta" expression that you can use to match
488           connection tracking information such as the flow state.
489 
490 config NFT_SET_RBTREE
491         tristate "Netfilter nf_tables rbtree set module"
492         help
493           This option adds the "rbtree" set type (Red Black tree) that is used
494           to build interval-based sets.
495 
496 config NFT_SET_HASH
497         tristate "Netfilter nf_tables hash set module"
498         help
499           This option adds the "hash" set type that is used to build one-way
500           mappings between matchings and actions.
501 
502 config NFT_COUNTER
503         tristate "Netfilter nf_tables counter module"
504         help
505           This option adds the "counter" expression that you can use to
506           include packet and byte counters in a rule.
507 
508 config NFT_LOG
509         tristate "Netfilter nf_tables log module"
510         help
511           This option adds the "log" expression that you can use to log
512           packets matching some criteria.
513 
514 config NFT_LIMIT
515         tristate "Netfilter nf_tables limit module"
516         help
517           This option adds the "limit" expression that you can use to
518           ratelimit rule matchings.
519 
520 config NFT_MASQ
521         depends on NF_CONNTRACK
522         depends on NF_NAT
523         tristate "Netfilter nf_tables masquerade support"
524         help
525           This option adds the "masquerade" expression that you can use
526           to perform NAT in the masquerade flavour.
527 
528 config NFT_REDIR
529         depends on NF_CONNTRACK
530         depends on NF_NAT
531         tristate "Netfilter nf_tables redirect support"
532         help
533           This options adds the "redirect" expression that you can use
534           to perform NAT in the redirect flavour.
535 
536 config NFT_NAT
537         depends on NF_CONNTRACK
538         select NF_NAT
539         tristate "Netfilter nf_tables nat module"
540         help
541           This option adds the "nat" expression that you can use to perform
542           typical Network Address Translation (NAT) packet transformations.
543 
544 config NFT_QUEUE
545         depends on NETFILTER_NETLINK_QUEUE
546         tristate "Netfilter nf_tables queue module"
547         help
548           This is required if you intend to use the userspace queueing
549           infrastructure (also known as NFQUEUE) from nftables.
550 
551 config NFT_QUOTA
552         tristate "Netfilter nf_tables quota module"
553         help
554           This option adds the "quota" expression that you can use to match
555           enforce bytes quotas.
556 
557 config NFT_REJECT
558         default m if NETFILTER_ADVANCED=n
559         tristate "Netfilter nf_tables reject support"
560         help
561           This option adds the "reject" expression that you can use to
562           explicitly deny and notify via TCP reset/ICMP informational errors
563           unallowed traffic.
564 
565 config NFT_REJECT_INET
566         depends on NF_TABLES_INET
567         default NFT_REJECT
568         tristate
569 
570 config NFT_COMPAT
571         depends on NETFILTER_XTABLES
572         tristate "Netfilter x_tables over nf_tables module"
573         help
574           This is required if you intend to use any of existing
575           x_tables match/target extensions over the nf_tables
576           framework.
577 
578 config NFT_HASH
579         tristate "Netfilter nf_tables hash module"
580         help
581           This option adds the "hash" expression that you can use to perform
582           a hash operation on registers.
583 
584 if NF_TABLES_NETDEV
585 
586 config NF_DUP_NETDEV
587         tristate "Netfilter packet duplication support"
588         help
589           This option enables the generic packet duplication infrastructure
590           for Netfilter.
591 
592 config NFT_DUP_NETDEV
593         tristate "Netfilter nf_tables netdev packet duplication support"
594         select NF_DUP_NETDEV
595         help
596           This option enables packet duplication for the "netdev" family.
597 
598 config NFT_FWD_NETDEV
599         tristate "Netfilter nf_tables netdev packet forwarding support"
600         select NF_DUP_NETDEV
601         help
602           This option enables packet forwarding for the "netdev" family.
603 
604 endif # NF_TABLES_NETDEV
605 
606 endif # NF_TABLES
607 
608 config NETFILTER_XTABLES
609         tristate "Netfilter Xtables support (required for ip_tables)"
610         default m if NETFILTER_ADVANCED=n
611         help
612           This is required if you intend to use any of ip_tables,
613           ip6_tables or arp_tables.
614 
615 if NETFILTER_XTABLES
616 
617 comment "Xtables combined modules"
618 
619 config NETFILTER_XT_MARK
620         tristate 'nfmark target and match support'
621         default m if NETFILTER_ADVANCED=n
622         ---help---
623         This option adds the "MARK" target and "mark" match.
624 
625         Netfilter mark matching allows you to match packets based on the
626         "nfmark" value in the packet.
627         The target allows you to create rules in the "mangle" table which alter
628         the netfilter mark (nfmark) field associated with the packet.
629 
630         Prior to routing, the nfmark can influence the routing method and can
631         also be used by other subsystems to change their behavior.
632 
633 config NETFILTER_XT_CONNMARK
634         tristate 'ctmark target and match support'
635         depends on NF_CONNTRACK
636         depends on NETFILTER_ADVANCED
637         select NF_CONNTRACK_MARK
638         ---help---
639         This option adds the "CONNMARK" target and "connmark" match.
640 
641         Netfilter allows you to store a mark value per connection (a.k.a.
642         ctmark), similarly to the packet mark (nfmark). Using this
643         target and match, you can set and match on this mark.
644 
645 config NETFILTER_XT_SET
646         tristate 'set target and match support'
647         depends on IP_SET
648         depends on NETFILTER_ADVANCED
649         help
650           This option adds the "SET" target and "set" match.
651 
652           Using this target and match, you can add/delete and match
653           elements in the sets created by ipset(8).
654 
655           To compile it as a module, choose M here.  If unsure, say N.
656 
657 # alphabetically ordered list of targets
658 
659 comment "Xtables targets"
660 
661 config NETFILTER_XT_TARGET_AUDIT
662         tristate "AUDIT target support"
663         depends on AUDIT
664         depends on NETFILTER_ADVANCED
665         ---help---
666           This option adds a 'AUDIT' target, which can be used to create
667           audit records for packets dropped/accepted.
668 
669           To compileit as a module, choose M here. If unsure, say N.
670 
671 config NETFILTER_XT_TARGET_CHECKSUM
672         tristate "CHECKSUM target support"
673         depends on IP_NF_MANGLE || IP6_NF_MANGLE
674         depends on NETFILTER_ADVANCED
675         ---help---
676           This option adds a `CHECKSUM' target, which can be used in the iptables mangle
677           table.
678 
679           You can use this target to compute and fill in the checksum in
680           a packet that lacks a checksum.  This is particularly useful,
681           if you need to work around old applications such as dhcp clients,
682           that do not work well with checksum offloads, but don't want to disable
683           checksum offload in your device.
684 
685           To compile it as a module, choose M here.  If unsure, say N.
686 
687 config NETFILTER_XT_TARGET_CLASSIFY
688         tristate '"CLASSIFY" target support'
689         depends on NETFILTER_ADVANCED
690         help
691           This option adds a `CLASSIFY' target, which enables the user to set
692           the priority of a packet. Some qdiscs can use this value for
693           classification, among these are:
694 
695           atm, cbq, dsmark, pfifo_fast, htb, prio
696 
697           To compile it as a module, choose M here.  If unsure, say N.
698 
699 config NETFILTER_XT_TARGET_CONNMARK
700         tristate  '"CONNMARK" target support'
701         depends on NF_CONNTRACK
702         depends on NETFILTER_ADVANCED
703         select NETFILTER_XT_CONNMARK
704         ---help---
705         This is a backwards-compat option for the user's convenience
706         (e.g. when running oldconfig). It selects
707         CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
708 
709 config NETFILTER_XT_TARGET_CONNSECMARK
710         tristate '"CONNSECMARK" target support'
711         depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
712         default m if NETFILTER_ADVANCED=n
713         help
714           The CONNSECMARK target copies security markings from packets
715           to connections, and restores security markings from connections
716           to packets (if the packets are not already marked).  This would
717           normally be used in conjunction with the SECMARK target.
718 
719           To compile it as a module, choose M here.  If unsure, say N.
720 
721 config NETFILTER_XT_TARGET_CT
722         tristate '"CT" target support'
723         depends on NF_CONNTRACK
724         depends on IP_NF_RAW || IP6_NF_RAW
725         depends on NETFILTER_ADVANCED
726         help
727           This options adds a `CT' target, which allows to specify initial
728           connection tracking parameters like events to be delivered and
729           the helper to be used.
730 
731           To compile it as a module, choose M here.  If unsure, say N.
732 
733 config NETFILTER_XT_TARGET_DSCP
734         tristate '"DSCP" and "TOS" target support'
735         depends on IP_NF_MANGLE || IP6_NF_MANGLE
736         depends on NETFILTER_ADVANCED
737         help
738           This option adds a `DSCP' target, which allows you to manipulate
739           the IPv4/IPv6 header DSCP field (differentiated services codepoint).
740 
741           The DSCP field can have any value between 0x0 and 0x3f inclusive.
742 
743           It also adds the "TOS" target, which allows you to create rules in
744           the "mangle" table which alter the Type Of Service field of an IPv4
745           or the Priority field of an IPv6 packet, prior to routing.
746 
747           To compile it as a module, choose M here.  If unsure, say N.
748 
749 config NETFILTER_XT_TARGET_HL
750         tristate '"HL" hoplimit target support'
751         depends on IP_NF_MANGLE || IP6_NF_MANGLE
752         depends on NETFILTER_ADVANCED
753         ---help---
754         This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
755         targets, which enable the user to change the
756         hoplimit/time-to-live value of the IP header.
757 
758         While it is safe to decrement the hoplimit/TTL value, the
759         modules also allow to increment and set the hoplimit value of
760         the header to arbitrary values. This is EXTREMELY DANGEROUS
761         since you can easily create immortal packets that loop
762         forever on the network.
763 
764 config NETFILTER_XT_TARGET_HMARK
765         tristate '"HMARK" target support'
766         depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
767         depends on NETFILTER_ADVANCED
768         ---help---
769         This option adds the "HMARK" target.
770 
771         The target allows you to create rules in the "raw" and "mangle" tables
772         which set the skbuff mark by means of hash calculation within a given
773         range. The nfmark can influence the routing method and can also be used
774         by other subsystems to change their behaviour.
775 
776         To compile it as a module, choose M here. If unsure, say N.
777 
778 config NETFILTER_XT_TARGET_IDLETIMER
779         tristate  "IDLETIMER target support"
780         depends on NETFILTER_ADVANCED
781         help
782 
783           This option adds the `IDLETIMER' target.  Each matching packet
784           resets the timer associated with label specified when the rule is
785           added.  When the timer expires, it triggers a sysfs notification.
786           The remaining time for expiration can be read via sysfs.
787 
788           To compile it as a module, choose M here.  If unsure, say N.
789 
790 config NETFILTER_XT_TARGET_LED
791         tristate '"LED" target support'
792         depends on LEDS_CLASS && LEDS_TRIGGERS
793         depends on NETFILTER_ADVANCED
794         help
795           This option adds a `LED' target, which allows you to blink LEDs in
796           response to particular packets passing through your machine.
797 
798           This can be used to turn a spare LED into a network activity LED,
799           which only flashes in response to FTP transfers, for example.  Or
800           you could have an LED which lights up for a minute or two every time
801           somebody connects to your machine via SSH.
802 
803           You will need support for the "led" class to make this work.
804 
805           To create an LED trigger for incoming SSH traffic:
806             iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
807 
808           Then attach the new trigger to an LED on your system:
809             echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
810 
811           For more information on the LEDs available on your system, see
812           Documentation/leds/leds-class.txt
813 
814 config NETFILTER_XT_TARGET_LOG
815         tristate "LOG target support"
816         select NF_LOG_COMMON
817         select NF_LOG_IPV4
818         select NF_LOG_IPV6 if IPV6
819         default m if NETFILTER_ADVANCED=n
820         help
821           This option adds a `LOG' target, which allows you to create rules in
822           any iptables table which records the packet header to the syslog.
823 
824           To compile it as a module, choose M here.  If unsure, say N.
825 
826 config NETFILTER_XT_TARGET_MARK
827         tristate '"MARK" target support'
828         depends on NETFILTER_ADVANCED
829         select NETFILTER_XT_MARK
830         ---help---
831         This is a backwards-compat option for the user's convenience
832         (e.g. when running oldconfig). It selects
833         CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
834 
835 config NETFILTER_XT_NAT
836         tristate '"SNAT and DNAT" targets support'
837         depends on NF_NAT
838         ---help---
839         This option enables the SNAT and DNAT targets.
840 
841         To compile it as a module, choose M here. If unsure, say N.
842 
843 config NETFILTER_XT_TARGET_NETMAP
844         tristate '"NETMAP" target support'
845         depends on NF_NAT
846         ---help---
847         NETMAP is an implementation of static 1:1 NAT mapping of network
848         addresses. It maps the network address part, while keeping the host
849         address part intact.
850 
851         To compile it as a module, choose M here. If unsure, say N.
852 
853 config NETFILTER_XT_TARGET_NFLOG
854         tristate '"NFLOG" target support'
855         default m if NETFILTER_ADVANCED=n
856         select NETFILTER_NETLINK_LOG
857         help
858           This option enables the NFLOG target, which allows to LOG
859           messages through nfnetlink_log.
860 
861           To compile it as a module, choose M here.  If unsure, say N.
862 
863 config NETFILTER_XT_TARGET_NFQUEUE
864         tristate '"NFQUEUE" target Support'
865         depends on NETFILTER_ADVANCED
866         select NETFILTER_NETLINK_QUEUE
867         help
868           This target replaced the old obsolete QUEUE target.
869 
870           As opposed to QUEUE, it supports 65535 different queues,
871           not just one.
872 
873           To compile it as a module, choose M here.  If unsure, say N.
874 
875 config NETFILTER_XT_TARGET_NOTRACK
876         tristate  '"NOTRACK" target support (DEPRECATED)'
877         depends on NF_CONNTRACK
878         depends on IP_NF_RAW || IP6_NF_RAW
879         depends on NETFILTER_ADVANCED
880         select NETFILTER_XT_TARGET_CT
881 
882 config NETFILTER_XT_TARGET_RATEEST
883         tristate '"RATEEST" target support'
884         depends on NETFILTER_ADVANCED
885         help
886           This option adds a `RATEEST' target, which allows to measure
887           rates similar to TC estimators. The `rateest' match can be
888           used to match on the measured rates.
889 
890           To compile it as a module, choose M here.  If unsure, say N.
891 
892 config NETFILTER_XT_TARGET_REDIRECT
893         tristate "REDIRECT target support"
894         depends on NF_NAT
895         select NF_NAT_REDIRECT
896         ---help---
897         REDIRECT is a special case of NAT: all incoming connections are
898         mapped onto the incoming interface's address, causing the packets to
899         come to the local machine instead of passing through. This is
900         useful for transparent proxies.
901 
902         To compile it as a module, choose M here. If unsure, say N.
903 
904 config NETFILTER_XT_TARGET_TEE
905         tristate '"TEE" - packet cloning to alternate destination'
906         depends on NETFILTER_ADVANCED
907         depends on IPV6 || IPV6=n
908         depends on !NF_CONNTRACK || NF_CONNTRACK
909         select NF_DUP_IPV4
910         select NF_DUP_IPV6 if IPV6
911         ---help---
912         This option adds a "TEE" target with which a packet can be cloned and
913         this clone be rerouted to another nexthop.
914 
915 config NETFILTER_XT_TARGET_TPROXY
916         tristate '"TPROXY" target transparent proxying support'
917         depends on NETFILTER_XTABLES
918         depends on NETFILTER_ADVANCED
919         depends on IPV6 || IPV6=n
920         depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
921         depends on IP_NF_MANGLE
922         select NF_DEFRAG_IPV4
923         select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
924         help
925           This option adds a `TPROXY' target, which is somewhat similar to
926           REDIRECT.  It can only be used in the mangle table and is useful
927           to redirect traffic to a transparent proxy.  It does _not_ depend
928           on Netfilter connection tracking and NAT, unlike REDIRECT.
929           For it to work you will have to configure certain iptables rules
930           and use policy routing. For more information on how to set it up
931           see Documentation/networking/tproxy.txt.
932 
933           To compile it as a module, choose M here.  If unsure, say N.
934 
935 config NETFILTER_XT_TARGET_TRACE
936         tristate  '"TRACE" target support'
937         depends on IP_NF_RAW || IP6_NF_RAW
938         depends on NETFILTER_ADVANCED
939         help
940           The TRACE target allows you to mark packets so that the kernel
941           will log every rule which match the packets as those traverse
942           the tables, chains, rules.
943 
944           If you want to compile it as a module, say M here and read
945           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
946 
947 config NETFILTER_XT_TARGET_SECMARK
948         tristate '"SECMARK" target support'
949         depends on NETWORK_SECMARK
950         default m if NETFILTER_ADVANCED=n
951         help
952           The SECMARK target allows security marking of network
953           packets, for use with security subsystems.
954 
955           To compile it as a module, choose M here.  If unsure, say N.
956 
957 config NETFILTER_XT_TARGET_TCPMSS
958         tristate '"TCPMSS" target support'
959         depends on IPV6 || IPV6=n
960         default m if NETFILTER_ADVANCED=n
961         ---help---
962           This option adds a `TCPMSS' target, which allows you to alter the
963           MSS value of TCP SYN packets, to control the maximum size for that
964           connection (usually limiting it to your outgoing interface's MTU
965           minus 40).
966 
967           This is used to overcome criminally braindead ISPs or servers which
968           block ICMP Fragmentation Needed packets.  The symptoms of this
969           problem are that everything works fine from your Linux
970           firewall/router, but machines behind it can never exchange large
971           packets:
972                 1) Web browsers connect, then hang with no data received.
973                 2) Small mail works fine, but large emails hang.
974                 3) ssh works fine, but scp hangs after initial handshaking.
975 
976           Workaround: activate this option and add a rule to your firewall
977           configuration like:
978 
979           iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
980                          -j TCPMSS --clamp-mss-to-pmtu
981 
982           To compile it as a module, choose M here.  If unsure, say N.
983 
984 config NETFILTER_XT_TARGET_TCPOPTSTRIP
985         tristate '"TCPOPTSTRIP" target support'
986         depends on IP_NF_MANGLE || IP6_NF_MANGLE
987         depends on NETFILTER_ADVANCED
988         help
989           This option adds a "TCPOPTSTRIP" target, which allows you to strip
990           TCP options from TCP packets.
991 
992 # alphabetically ordered list of matches
993 
994 comment "Xtables matches"
995 
996 config NETFILTER_XT_MATCH_ADDRTYPE
997         tristate '"addrtype" address type match support'
998         default m if NETFILTER_ADVANCED=n
999         ---help---
1000           This option allows you to match what routing thinks of an address,
1001           eg. UNICAST, LOCAL, BROADCAST, ...
1002 
1003           If you want to compile it as a module, say M here and read
1004           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1005 
1006 config NETFILTER_XT_MATCH_BPF
1007         tristate '"bpf" match support'
1008         depends on NETFILTER_ADVANCED
1009         help
1010           BPF matching applies a linux socket filter to each packet and
1011           accepts those for which the filter returns non-zero.
1012 
1013           To compile it as a module, choose M here.  If unsure, say N.
1014 
1015 config NETFILTER_XT_MATCH_CGROUP
1016         tristate '"control group" match support'
1017         depends on NETFILTER_ADVANCED
1018         depends on CGROUPS
1019         select CGROUP_NET_CLASSID
1020         ---help---
1021         Socket/process control group matching allows you to match locally
1022         generated packets based on which net_cls control group processes
1023         belong to.
1024 
1025 config NETFILTER_XT_MATCH_CLUSTER
1026         tristate '"cluster" match support'
1027         depends on NF_CONNTRACK
1028         depends on NETFILTER_ADVANCED
1029         ---help---
1030           This option allows you to build work-load-sharing clusters of
1031           network servers/stateful firewalls without having a dedicated
1032           load-balancing router/server/switch. Basically, this match returns
1033           true when the packet must be handled by this cluster node. Thus,
1034           all nodes see all packets and this match decides which node handles
1035           what packets. The work-load sharing algorithm is based on source
1036           address hashing.
1037 
1038           If you say Y or M here, try `iptables -m cluster --help` for
1039           more information.
1040 
1041 config NETFILTER_XT_MATCH_COMMENT
1042         tristate  '"comment" match support'
1043         depends on NETFILTER_ADVANCED
1044         help
1045           This option adds a `comment' dummy-match, which allows you to put
1046           comments in your iptables ruleset.
1047 
1048           If you want to compile it as a module, say M here and read
1049           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1050 
1051 config NETFILTER_XT_MATCH_CONNBYTES
1052         tristate  '"connbytes" per-connection counter match support'
1053         depends on NF_CONNTRACK
1054         depends on NETFILTER_ADVANCED
1055         help
1056           This option adds a `connbytes' match, which allows you to match the
1057           number of bytes and/or packets for each direction within a connection.
1058 
1059           If you want to compile it as a module, say M here and read
1060           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1061 
1062 config NETFILTER_XT_MATCH_CONNLABEL
1063         tristate '"connlabel" match support'
1064         select NF_CONNTRACK_LABELS
1065         depends on NF_CONNTRACK
1066         depends on NETFILTER_ADVANCED
1067         ---help---
1068           This match allows you to test and assign userspace-defined labels names
1069           to a connection.  The kernel only stores bit values - mapping
1070           names to bits is done by userspace.
1071 
1072           Unlike connmark, more than 32 flag bits may be assigned to a
1073           connection simultaneously.
1074 
1075 config NETFILTER_XT_MATCH_CONNLIMIT
1076         tristate '"connlimit" match support'
1077         depends on NF_CONNTRACK
1078         depends on NETFILTER_ADVANCED
1079         ---help---
1080           This match allows you to match against the number of parallel
1081           connections to a server per client IP address (or address block).
1082 
1083 config NETFILTER_XT_MATCH_CONNMARK
1084         tristate  '"connmark" connection mark match support'
1085         depends on NF_CONNTRACK
1086         depends on NETFILTER_ADVANCED
1087         select NETFILTER_XT_CONNMARK
1088         ---help---
1089         This is a backwards-compat option for the user's convenience
1090         (e.g. when running oldconfig). It selects
1091         CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
1092 
1093 config NETFILTER_XT_MATCH_CONNTRACK
1094         tristate '"conntrack" connection tracking match support'
1095         depends on NF_CONNTRACK
1096         default m if NETFILTER_ADVANCED=n
1097         help
1098           This is a general conntrack match module, a superset of the state match.
1099 
1100           It allows matching on additional conntrack information, which is
1101           useful in complex configurations, such as NAT gateways with multiple
1102           internet links or tunnels.
1103 
1104           To compile it as a module, choose M here.  If unsure, say N.
1105 
1106 config NETFILTER_XT_MATCH_CPU
1107         tristate '"cpu" match support'
1108         depends on NETFILTER_ADVANCED
1109         help
1110           CPU matching allows you to match packets based on the CPU
1111           currently handling the packet.
1112 
1113           To compile it as a module, choose M here.  If unsure, say N.
1114 
1115 config NETFILTER_XT_MATCH_DCCP
1116         tristate '"dccp" protocol match support'
1117         depends on NETFILTER_ADVANCED
1118         default IP_DCCP
1119         help
1120           With this option enabled, you will be able to use the iptables
1121           `dccp' match in order to match on DCCP source/destination ports
1122           and DCCP flags.
1123 
1124           If you want to compile it as a module, say M here and read
1125           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1126 
1127 config NETFILTER_XT_MATCH_DEVGROUP
1128         tristate '"devgroup" match support'
1129         depends on NETFILTER_ADVANCED
1130         help
1131           This options adds a `devgroup' match, which allows to match on the
1132           device group a network device is assigned to.
1133 
1134           To compile it as a module, choose M here.  If unsure, say N.
1135 
1136 config NETFILTER_XT_MATCH_DSCP
1137         tristate '"dscp" and "tos" match support'
1138         depends on NETFILTER_ADVANCED
1139         help
1140           This option adds a `DSCP' match, which allows you to match against
1141           the IPv4/IPv6 header DSCP field (differentiated services codepoint).
1142 
1143           The DSCP field can have any value between 0x0 and 0x3f inclusive.
1144 
1145           It will also add a "tos" match, which allows you to match packets
1146           based on the Type Of Service fields of the IPv4 packet (which share
1147           the same bits as DSCP).
1148 
1149           To compile it as a module, choose M here.  If unsure, say N.
1150 
1151 config NETFILTER_XT_MATCH_ECN
1152         tristate '"ecn" match support'
1153         depends on NETFILTER_ADVANCED
1154         ---help---
1155         This option adds an "ECN" match, which allows you to match against
1156         the IPv4 and TCP header ECN fields.
1157 
1158         To compile it as a module, choose M here. If unsure, say N.
1159 
1160 config NETFILTER_XT_MATCH_ESP
1161         tristate '"esp" match support'
1162         depends on NETFILTER_ADVANCED
1163         help
1164           This match extension allows you to match a range of SPIs
1165           inside ESP header of IPSec packets.
1166 
1167           To compile it as a module, choose M here.  If unsure, say N.
1168 
1169 config NETFILTER_XT_MATCH_HASHLIMIT
1170         tristate '"hashlimit" match support'
1171         depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1172         depends on NETFILTER_ADVANCED
1173         help
1174           This option adds a `hashlimit' match.
1175 
1176           As opposed to `limit', this match dynamically creates a hash table
1177           of limit buckets, based on your selection of source/destination
1178           addresses and/or ports.
1179 
1180           It enables you to express policies like `10kpps for any given
1181           destination address' or `500pps from any given source address'
1182           with a single rule.
1183 
1184 config NETFILTER_XT_MATCH_HELPER
1185         tristate '"helper" match support'
1186         depends on NF_CONNTRACK
1187         depends on NETFILTER_ADVANCED
1188         help
1189           Helper matching allows you to match packets in dynamic connections
1190           tracked by a conntrack-helper, ie. ip_conntrack_ftp
1191 
1192           To compile it as a module, choose M here.  If unsure, say Y.
1193 
1194 config NETFILTER_XT_MATCH_HL
1195         tristate '"hl" hoplimit/TTL match support'
1196         depends on NETFILTER_ADVANCED
1197         ---help---
1198         HL matching allows you to match packets based on the hoplimit
1199         in the IPv6 header, or the time-to-live field in the IPv4
1200         header of the packet.
1201 
1202 config NETFILTER_XT_MATCH_IPCOMP
1203         tristate '"ipcomp" match support'
1204         depends on NETFILTER_ADVANCED
1205         help
1206           This match extension allows you to match a range of CPIs(16 bits)
1207           inside IPComp header of IPSec packets.
1208 
1209           To compile it as a module, choose M here.  If unsure, say N.
1210 
1211 config NETFILTER_XT_MATCH_IPRANGE
1212         tristate '"iprange" address range match support'
1213         depends on NETFILTER_ADVANCED
1214         ---help---
1215         This option adds a "iprange" match, which allows you to match based on
1216         an IP address range. (Normal iptables only matches on single addresses
1217         with an optional mask.)
1218 
1219         If unsure, say M.
1220 
1221 config NETFILTER_XT_MATCH_IPVS
1222         tristate '"ipvs" match support'
1223         depends on IP_VS
1224         depends on NETFILTER_ADVANCED
1225         depends on NF_CONNTRACK
1226         help
1227           This option allows you to match against IPVS properties of a packet.
1228 
1229           If unsure, say N.
1230 
1231 config NETFILTER_XT_MATCH_L2TP
1232         tristate '"l2tp" match support'
1233         depends on NETFILTER_ADVANCED
1234         default L2TP
1235         ---help---
1236         This option adds an "L2TP" match, which allows you to match against
1237         L2TP protocol header fields.
1238 
1239         To compile it as a module, choose M here. If unsure, say N.
1240 
1241 config NETFILTER_XT_MATCH_LENGTH
1242         tristate '"length" match support'
1243         depends on NETFILTER_ADVANCED
1244         help
1245           This option allows you to match the length of a packet against a
1246           specific value or range of values.
1247 
1248           To compile it as a module, choose M here.  If unsure, say N.
1249 
1250 config NETFILTER_XT_MATCH_LIMIT
1251         tristate '"limit" match support'
1252         depends on NETFILTER_ADVANCED
1253         help
1254           limit matching allows you to control the rate at which a rule can be
1255           matched: mainly useful in combination with the LOG target ("LOG
1256           target support", below) and to avoid some Denial of Service attacks.
1257 
1258           To compile it as a module, choose M here.  If unsure, say N.
1259 
1260 config NETFILTER_XT_MATCH_MAC
1261         tristate '"mac" address match support'
1262         depends on NETFILTER_ADVANCED
1263         help
1264           MAC matching allows you to match packets based on the source
1265           Ethernet address of the packet.
1266 
1267           To compile it as a module, choose M here.  If unsure, say N.
1268 
1269 config NETFILTER_XT_MATCH_MARK
1270         tristate '"mark" match support'
1271         depends on NETFILTER_ADVANCED
1272         select NETFILTER_XT_MARK
1273         ---help---
1274         This is a backwards-compat option for the user's convenience
1275         (e.g. when running oldconfig). It selects
1276         CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
1277 
1278 config NETFILTER_XT_MATCH_MULTIPORT
1279         tristate '"multiport" Multiple port match support'
1280         depends on NETFILTER_ADVANCED
1281         help
1282           Multiport matching allows you to match TCP or UDP packets based on
1283           a series of source or destination ports: normally a rule can only
1284           match a single range of ports.
1285 
1286           To compile it as a module, choose M here.  If unsure, say N.
1287 
1288 config NETFILTER_XT_MATCH_NFACCT
1289         tristate '"nfacct" match support'
1290         depends on NETFILTER_ADVANCED
1291         select NETFILTER_NETLINK_ACCT
1292         help
1293           This option allows you to use the extended accounting through
1294           nfnetlink_acct.
1295 
1296           To compile it as a module, choose M here.  If unsure, say N.
1297 
1298 config NETFILTER_XT_MATCH_OSF
1299         tristate '"osf" Passive OS fingerprint match'
1300         depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
1301         help
1302           This option selects the Passive OS Fingerprinting match module
1303           that allows to passively match the remote operating system by
1304           analyzing incoming TCP SYN packets.
1305 
1306           Rules and loading software can be downloaded from
1307           http://www.ioremap.net/projects/osf
1308 
1309           To compile it as a module, choose M here.  If unsure, say N.
1310 
1311 config NETFILTER_XT_MATCH_OWNER
1312         tristate '"owner" match support'
1313         depends on NETFILTER_ADVANCED
1314         ---help---
1315         Socket owner matching allows you to match locally-generated packets
1316         based on who created the socket: the user or group. It is also
1317         possible to check whether a socket actually exists.
1318 
1319 config NETFILTER_XT_MATCH_POLICY
1320         tristate 'IPsec "policy" match support'
1321         depends on XFRM
1322         default m if NETFILTER_ADVANCED=n
1323         help
1324           Policy matching allows you to match packets based on the
1325           IPsec policy that was used during decapsulation/will
1326           be used during encapsulation.
1327 
1328           To compile it as a module, choose M here.  If unsure, say N.
1329 
1330 config NETFILTER_XT_MATCH_PHYSDEV
1331         tristate '"physdev" match support'
1332         depends on BRIDGE && BRIDGE_NETFILTER
1333         depends on NETFILTER_ADVANCED
1334         help
1335           Physdev packet matching matches against the physical bridge ports
1336           the IP packet arrived on or will leave by.
1337 
1338           To compile it as a module, choose M here.  If unsure, say N.
1339 
1340 config NETFILTER_XT_MATCH_PKTTYPE
1341         tristate '"pkttype" packet type match support'
1342         depends on NETFILTER_ADVANCED
1343         help
1344           Packet type matching allows you to match a packet by
1345           its "class", eg. BROADCAST, MULTICAST, ...
1346 
1347           Typical usage:
1348           iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
1349 
1350           To compile it as a module, choose M here.  If unsure, say N.
1351 
1352 config NETFILTER_XT_MATCH_QUOTA
1353         tristate '"quota" match support'
1354         depends on NETFILTER_ADVANCED
1355         help
1356           This option adds a `quota' match, which allows to match on a
1357           byte counter.
1358 
1359           If you want to compile it as a module, say M here and read
1360           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1361 
1362 config NETFILTER_XT_MATCH_RATEEST
1363         tristate '"rateest" match support'
1364         depends on NETFILTER_ADVANCED
1365         select NETFILTER_XT_TARGET_RATEEST
1366         help
1367           This option adds a `rateest' match, which allows to match on the
1368           rate estimated by the RATEEST target.
1369 
1370           To compile it as a module, choose M here.  If unsure, say N.
1371 
1372 config NETFILTER_XT_MATCH_REALM
1373         tristate  '"realm" match support'
1374         depends on NETFILTER_ADVANCED
1375         select IP_ROUTE_CLASSID
1376         help
1377           This option adds a `realm' match, which allows you to use the realm
1378           key from the routing subsystem inside iptables.
1379 
1380           This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option 
1381           in tc world.
1382 
1383           If you want to compile it as a module, say M here and read
1384           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1385 
1386 config NETFILTER_XT_MATCH_RECENT
1387         tristate '"recent" match support'
1388         depends on NETFILTER_ADVANCED
1389         ---help---
1390         This match is used for creating one or many lists of recently
1391         used addresses and then matching against that/those list(s).
1392 
1393         Short options are available by using 'iptables -m recent -h'
1394         Official Website: <http://snowman.net/projects/ipt_recent/>
1395 
1396 config NETFILTER_XT_MATCH_SCTP
1397         tristate  '"sctp" protocol match support'
1398         depends on NETFILTER_ADVANCED
1399         default IP_SCTP
1400         help
1401           With this option enabled, you will be able to use the 
1402           `sctp' match in order to match on SCTP source/destination ports
1403           and SCTP chunk types.
1404 
1405           If you want to compile it as a module, say M here and read
1406           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1407 
1408 config NETFILTER_XT_MATCH_SOCKET
1409         tristate '"socket" match support'
1410         depends on NETFILTER_XTABLES
1411         depends on NETFILTER_ADVANCED
1412         depends on !NF_CONNTRACK || NF_CONNTRACK
1413         depends on IPV6 || IPV6=n
1414         depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1415         select NF_DEFRAG_IPV4
1416         select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1417         help
1418           This option adds a `socket' match, which can be used to match
1419           packets for which a TCP or UDP socket lookup finds a valid socket.
1420           It can be used in combination with the MARK target and policy
1421           routing to implement full featured non-locally bound sockets.
1422 
1423           To compile it as a module, choose M here.  If unsure, say N.
1424 
1425 config NETFILTER_XT_MATCH_STATE
1426         tristate '"state" match support'
1427         depends on NF_CONNTRACK
1428         default m if NETFILTER_ADVANCED=n
1429         help
1430           Connection state matching allows you to match packets based on their
1431           relationship to a tracked connection (ie. previous packets).  This
1432           is a powerful tool for packet classification.
1433 
1434           To compile it as a module, choose M here.  If unsure, say N.
1435 
1436 config NETFILTER_XT_MATCH_STATISTIC
1437         tristate '"statistic" match support'
1438         depends on NETFILTER_ADVANCED
1439         help
1440           This option adds a `statistic' match, which allows you to match
1441           on packets periodically or randomly with a given percentage.
1442 
1443           To compile it as a module, choose M here.  If unsure, say N.
1444 
1445 config NETFILTER_XT_MATCH_STRING
1446         tristate  '"string" match support'
1447         depends on NETFILTER_ADVANCED
1448         select TEXTSEARCH
1449         select TEXTSEARCH_KMP
1450         select TEXTSEARCH_BM
1451         select TEXTSEARCH_FSM
1452         help
1453           This option adds a `string' match, which allows you to look for
1454           pattern matchings in packets.
1455 
1456           To compile it as a module, choose M here.  If unsure, say N.
1457 
1458 config NETFILTER_XT_MATCH_TCPMSS
1459         tristate '"tcpmss" match support'
1460         depends on NETFILTER_ADVANCED
1461         help
1462           This option adds a `tcpmss' match, which allows you to examine the
1463           MSS value of TCP SYN packets, which control the maximum packet size
1464           for that connection.
1465 
1466           To compile it as a module, choose M here.  If unsure, say N.
1467 
1468 config NETFILTER_XT_MATCH_TIME
1469         tristate '"time" match support'
1470         depends on NETFILTER_ADVANCED
1471         ---help---
1472           This option adds a "time" match, which allows you to match based on
1473           the packet arrival time (at the machine which netfilter is running)
1474           on) or departure time/date (for locally generated packets).
1475 
1476           If you say Y here, try `iptables -m time --help` for
1477           more information.
1478 
1479           If you want to compile it as a module, say M here.
1480           If unsure, say N.
1481 
1482 config NETFILTER_XT_MATCH_U32
1483         tristate '"u32" match support'
1484         depends on NETFILTER_ADVANCED
1485         ---help---
1486           u32 allows you to extract quantities of up to 4 bytes from a packet,
1487           AND them with specified masks, shift them by specified amounts and
1488           test whether the results are in any of a set of specified ranges.
1489           The specification of what to extract is general enough to skip over
1490           headers with lengths stored in the packet, as in IP or TCP header
1491           lengths.
1492 
1493           Details and examples are in the kernel module source.
1494 
1495 endif # NETFILTER_XTABLES
1496 
1497 endmenu
1498 
1499 source "net/netfilter/ipset/Kconfig"
1500 
1501 source "net/netfilter/ipvs/Kconfig"

This page was automatically generated by LXR 0.3.1 (source).  •  Linux is a registered trademark of Linus Torvalds  •  Contact us