Version:  2.0.40 2.2.26 2.4.37 3.2 3.3 3.4 3.5 3.6 3.7 3.8 3.9 3.10 3.11 3.12 3.13 3.14 3.15 3.16 3.17 3.18

Linux/net/netfilter/Kconfig

  1 menu "Core Netfilter Configuration"
  2         depends on NET && INET && NETFILTER
  3 
  4 config NETFILTER_NETLINK
  5         tristate
  6 
  7 config NETFILTER_NETLINK_ACCT
  8 tristate "Netfilter NFACCT over NFNETLINK interface"
  9         depends on NETFILTER_ADVANCED
 10         select NETFILTER_NETLINK
 11         help
 12           If this option is enabled, the kernel will include support
 13           for extended accounting via NFNETLINK.
 14 
 15 config NETFILTER_NETLINK_QUEUE
 16         tristate "Netfilter NFQUEUE over NFNETLINK interface"
 17         depends on NETFILTER_ADVANCED
 18         select NETFILTER_NETLINK
 19         help
 20           If this option is enabled, the kernel will include support
 21           for queueing packets via NFNETLINK.
 22           
 23 config NETFILTER_NETLINK_LOG
 24         tristate "Netfilter LOG over NFNETLINK interface"
 25         default m if NETFILTER_ADVANCED=n
 26         select NETFILTER_NETLINK
 27         help
 28           If this option is enabled, the kernel will include support
 29           for logging packets via NFNETLINK.
 30 
 31           This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms,
 32           and is also scheduled to replace the old syslog-based ipt_LOG
 33           and ip6t_LOG modules.
 34 
 35 config NF_CONNTRACK
 36         tristate "Netfilter connection tracking support"
 37         default m if NETFILTER_ADVANCED=n
 38         help
 39           Connection tracking keeps a record of what packets have passed
 40           through your machine, in order to figure out how they are related
 41           into connections.
 42 
 43           This is required to do Masquerading or other kinds of Network
 44           Address Translation.  It can also be used to enhance packet
 45           filtering (see `Connection state match support' below).
 46 
 47           To compile it as a module, choose M here.  If unsure, say N.
 48 
 49 config NF_LOG_COMMON
 50         tristate
 51 
 52 if NF_CONNTRACK
 53 
 54 config NF_CONNTRACK_MARK
 55         bool  'Connection mark tracking support'
 56         depends on NETFILTER_ADVANCED
 57         help
 58           This option enables support for connection marks, used by the
 59           `CONNMARK' target and `connmark' match. Similar to the mark value
 60           of packets, but this mark value is kept in the conntrack session
 61           instead of the individual packets.
 62 
 63 config NF_CONNTRACK_SECMARK
 64         bool  'Connection tracking security mark support'
 65         depends on NETWORK_SECMARK
 66         default m if NETFILTER_ADVANCED=n
 67         help
 68           This option enables security markings to be applied to
 69           connections.  Typically they are copied to connections from
 70           packets using the CONNSECMARK target and copied back from
 71           connections to packets with the same target, with the packets
 72           being originally labeled via SECMARK.
 73 
 74           If unsure, say 'N'.
 75 
 76 config NF_CONNTRACK_ZONES
 77         bool  'Connection tracking zones'
 78         depends on NETFILTER_ADVANCED
 79         depends on NETFILTER_XT_TARGET_CT
 80         help
 81           This option enables support for connection tracking zones.
 82           Normally, each connection needs to have a unique system wide
 83           identity. Connection tracking zones allow to have multiple
 84           connections using the same identity, as long as they are
 85           contained in different zones.
 86 
 87           If unsure, say `N'.
 88 
 89 config NF_CONNTRACK_PROCFS
 90         bool "Supply CT list in procfs (OBSOLETE)"
 91         default y
 92         depends on PROC_FS
 93         ---help---
 94         This option enables for the list of known conntrack entries
 95         to be shown in procfs under net/netfilter/nf_conntrack. This
 96         is considered obsolete in favor of using the conntrack(8)
 97         tool which uses Netlink.
 98 
 99 config NF_CONNTRACK_EVENTS
100         bool "Connection tracking events"
101         depends on NETFILTER_ADVANCED
102         help
103           If this option is enabled, the connection tracking code will
104           provide a notifier chain that can be used by other kernel code
105           to get notified about changes in the connection tracking state.
106 
107           If unsure, say `N'.
108 
109 config NF_CONNTRACK_TIMEOUT
110         bool  'Connection tracking timeout'
111         depends on NETFILTER_ADVANCED
112         help
113           This option enables support for connection tracking timeout
114           extension. This allows you to attach timeout policies to flow
115           via the CT target.
116 
117           If unsure, say `N'.
118 
119 config NF_CONNTRACK_TIMESTAMP
120         bool  'Connection tracking timestamping'
121         depends on NETFILTER_ADVANCED
122         help
123           This option enables support for connection tracking timestamping.
124           This allows you to store the flow start-time and to obtain
125           the flow-stop time (once it has been destroyed) via Connection
126           tracking events.
127 
128           If unsure, say `N'.
129 
130 config NF_CONNTRACK_LABELS
131         bool
132         help
133           This option enables support for assigning user-defined flag bits
134           to connection tracking entries.  It selected by the connlabel match.
135 
136 config NF_CT_PROTO_DCCP
137         tristate 'DCCP protocol connection tracking support'
138         depends on NETFILTER_ADVANCED
139         default IP_DCCP
140         help
141           With this option enabled, the layer 3 independent connection
142           tracking code will be able to do state tracking on DCCP connections.
143 
144           If unsure, say 'N'.
145 
146 config NF_CT_PROTO_GRE
147         tristate
148 
149 config NF_CT_PROTO_SCTP
150         tristate 'SCTP protocol connection tracking support'
151         depends on NETFILTER_ADVANCED
152         default IP_SCTP
153         help
154           With this option enabled, the layer 3 independent connection
155           tracking code will be able to do state tracking on SCTP connections.
156 
157           If you want to compile it as a module, say M here and read
158           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
159 
160 config NF_CT_PROTO_UDPLITE
161         tristate 'UDP-Lite protocol connection tracking support'
162         depends on NETFILTER_ADVANCED
163         help
164           With this option enabled, the layer 3 independent connection
165           tracking code will be able to do state tracking on UDP-Lite
166           connections.
167 
168           To compile it as a module, choose M here.  If unsure, say N.
169 
170 config NF_CONNTRACK_AMANDA
171         tristate "Amanda backup protocol support"
172         depends on NETFILTER_ADVANCED
173         select TEXTSEARCH
174         select TEXTSEARCH_KMP
175         help
176           If you are running the Amanda backup package <http://www.amanda.org/>
177           on this machine or machines that will be MASQUERADED through this
178           machine, then you may want to enable this feature.  This allows the
179           connection tracking and natting code to allow the sub-channels that
180           Amanda requires for communication of the backup data, messages and
181           index.
182 
183           To compile it as a module, choose M here.  If unsure, say N.
184 
185 config NF_CONNTRACK_FTP
186         tristate "FTP protocol support"
187         default m if NETFILTER_ADVANCED=n
188         help
189           Tracking FTP connections is problematic: special helpers are
190           required for tracking them, and doing masquerading and other forms
191           of Network Address Translation on them.
192 
193           This is FTP support on Layer 3 independent connection tracking.
194           Layer 3 independent connection tracking is experimental scheme
195           which generalize ip_conntrack to support other layer 3 protocols.
196 
197           To compile it as a module, choose M here.  If unsure, say N.
198 
199 config NF_CONNTRACK_H323
200         tristate "H.323 protocol support"
201         depends on (IPV6 || IPV6=n)
202         depends on NETFILTER_ADVANCED
203         help
204           H.323 is a VoIP signalling protocol from ITU-T. As one of the most
205           important VoIP protocols, it is widely used by voice hardware and
206           software including voice gateways, IP phones, Netmeeting, OpenPhone,
207           Gnomemeeting, etc.
208 
209           With this module you can support H.323 on a connection tracking/NAT
210           firewall.
211 
212           This module supports RAS, Fast Start, H.245 Tunnelling, Call
213           Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
214           whiteboard, file transfer, etc. For more information, please
215           visit http://nath323.sourceforge.net/.
216 
217           To compile it as a module, choose M here.  If unsure, say N.
218 
219 config NF_CONNTRACK_IRC
220         tristate "IRC protocol support"
221         default m if NETFILTER_ADVANCED=n
222         help
223           There is a commonly-used extension to IRC called
224           Direct Client-to-Client Protocol (DCC).  This enables users to send
225           files to each other, and also chat to each other without the need
226           of a server.  DCC Sending is used anywhere you send files over IRC,
227           and DCC Chat is most commonly used by Eggdrop bots.  If you are
228           using NAT, this extension will enable you to send files and initiate
229           chats.  Note that you do NOT need this extension to get files or
230           have others initiate chats, or everything else in IRC.
231 
232           To compile it as a module, choose M here.  If unsure, say N.
233 
234 config NF_CONNTRACK_BROADCAST
235         tristate
236 
237 config NF_CONNTRACK_NETBIOS_NS
238         tristate "NetBIOS name service protocol support"
239         select NF_CONNTRACK_BROADCAST
240         help
241           NetBIOS name service requests are sent as broadcast messages from an
242           unprivileged port and responded to with unicast messages to the
243           same port. This make them hard to firewall properly because connection
244           tracking doesn't deal with broadcasts. This helper tracks locally
245           originating NetBIOS name service requests and the corresponding
246           responses. It relies on correct IP address configuration, specifically
247           netmask and broadcast address. When properly configured, the output
248           of "ip address show" should look similar to this:
249 
250           $ ip -4 address show eth0
251           4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
252               inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
253 
254           To compile it as a module, choose M here.  If unsure, say N.
255 
256 config NF_CONNTRACK_SNMP
257         tristate "SNMP service protocol support"
258         depends on NETFILTER_ADVANCED
259         select NF_CONNTRACK_BROADCAST
260         help
261           SNMP service requests are sent as broadcast messages from an
262           unprivileged port and responded to with unicast messages to the
263           same port. This make them hard to firewall properly because connection
264           tracking doesn't deal with broadcasts. This helper tracks locally
265           originating SNMP service requests and the corresponding
266           responses. It relies on correct IP address configuration, specifically
267           netmask and broadcast address.
268 
269           To compile it as a module, choose M here.  If unsure, say N.
270 
271 config NF_CONNTRACK_PPTP
272         tristate "PPtP protocol support"
273         depends on NETFILTER_ADVANCED
274         select NF_CT_PROTO_GRE
275         help
276           This module adds support for PPTP (Point to Point Tunnelling
277           Protocol, RFC2637) connection tracking and NAT.
278 
279           If you are running PPTP sessions over a stateful firewall or NAT
280           box, you may want to enable this feature.
281 
282           Please note that not all PPTP modes of operation are supported yet.
283           Specifically these limitations exist:
284             - Blindly assumes that control connections are always established
285               in PNS->PAC direction. This is a violation of RFC2637.
286             - Only supports a single call within each session
287 
288           To compile it as a module, choose M here.  If unsure, say N.
289 
290 config NF_CONNTRACK_SANE
291         tristate "SANE protocol support"
292         depends on NETFILTER_ADVANCED
293         help
294           SANE is a protocol for remote access to scanners as implemented
295           by the 'saned' daemon. Like FTP, it uses separate control and
296           data connections.
297 
298           With this module you can support SANE on a connection tracking
299           firewall.
300 
301           To compile it as a module, choose M here.  If unsure, say N.
302 
303 config NF_CONNTRACK_SIP
304         tristate "SIP protocol support"
305         default m if NETFILTER_ADVANCED=n
306         help
307           SIP is an application-layer control protocol that can establish,
308           modify, and terminate multimedia sessions (conferences) such as
309           Internet telephony calls. With the ip_conntrack_sip and
310           the nf_nat_sip modules you can support the protocol on a connection
311           tracking/NATing firewall.
312 
313           To compile it as a module, choose M here.  If unsure, say N.
314 
315 config NF_CONNTRACK_TFTP
316         tristate "TFTP protocol support"
317         depends on NETFILTER_ADVANCED
318         help
319           TFTP connection tracking helper, this is required depending
320           on how restrictive your ruleset is.
321           If you are using a tftp client behind -j SNAT or -j MASQUERADING
322           you will need this.
323 
324           To compile it as a module, choose M here.  If unsure, say N.
325 
326 config NF_CT_NETLINK
327         tristate 'Connection tracking netlink interface'
328         select NETFILTER_NETLINK
329         default m if NETFILTER_ADVANCED=n
330         help
331           This option enables support for a netlink-based userspace interface
332 
333 config NF_CT_NETLINK_TIMEOUT
334         tristate  'Connection tracking timeout tuning via Netlink'
335         select NETFILTER_NETLINK
336         depends on NETFILTER_ADVANCED
337         help
338           This option enables support for connection tracking timeout
339           fine-grain tuning. This allows you to attach specific timeout
340           policies to flows, instead of using the global timeout policy.
341 
342           If unsure, say `N'.
343 
344 config NF_CT_NETLINK_HELPER
345         tristate 'Connection tracking helpers in user-space via Netlink'
346         select NETFILTER_NETLINK
347         depends on NF_CT_NETLINK
348         depends on NETFILTER_NETLINK_QUEUE
349         depends on NETFILTER_NETLINK_QUEUE_CT
350         depends on NETFILTER_ADVANCED
351         help
352           This option enables the user-space connection tracking helpers
353           infrastructure.
354 
355           If unsure, say `N'.
356 
357 config NETFILTER_NETLINK_QUEUE_CT
358         bool "NFQUEUE integration with Connection Tracking"
359         default n
360         depends on NETFILTER_NETLINK_QUEUE
361         help
362           If this option is enabled, NFQUEUE can include Connection Tracking
363           information together with the packet is the enqueued via NFNETLINK.
364 
365 config NF_NAT
366         tristate
367 
368 config NF_NAT_NEEDED
369         bool
370         depends on NF_NAT
371         default y
372 
373 config NF_NAT_PROTO_DCCP
374         tristate
375         depends on NF_NAT && NF_CT_PROTO_DCCP
376         default NF_NAT && NF_CT_PROTO_DCCP
377 
378 config NF_NAT_PROTO_UDPLITE
379         tristate
380         depends on NF_NAT && NF_CT_PROTO_UDPLITE
381         default NF_NAT && NF_CT_PROTO_UDPLITE
382 
383 config NF_NAT_PROTO_SCTP
384         tristate
385         default NF_NAT && NF_CT_PROTO_SCTP
386         depends on NF_NAT && NF_CT_PROTO_SCTP
387         select LIBCRC32C
388 
389 config NF_NAT_AMANDA
390         tristate
391         depends on NF_CONNTRACK && NF_NAT
392         default NF_NAT && NF_CONNTRACK_AMANDA
393 
394 config NF_NAT_FTP
395         tristate
396         depends on NF_CONNTRACK && NF_NAT
397         default NF_NAT && NF_CONNTRACK_FTP
398 
399 config NF_NAT_IRC
400         tristate
401         depends on NF_CONNTRACK && NF_NAT
402         default NF_NAT && NF_CONNTRACK_IRC
403 
404 config NF_NAT_SIP
405         tristate
406         depends on NF_CONNTRACK && NF_NAT
407         default NF_NAT && NF_CONNTRACK_SIP
408 
409 config NF_NAT_TFTP
410         tristate
411         depends on NF_CONNTRACK && NF_NAT
412         default NF_NAT && NF_CONNTRACK_TFTP
413 
414 config NETFILTER_SYNPROXY
415         tristate
416 
417 endif # NF_CONNTRACK
418 
419 config NF_TABLES
420         select NETFILTER_NETLINK
421         tristate "Netfilter nf_tables support"
422         help
423           nftables is the new packet classification framework that intends to
424           replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
425           provides a pseudo-state machine with an extensible instruction-set
426           (also known as expressions) that the userspace 'nft' utility
427           (http://www.netfilter.org/projects/nftables) uses to build the
428           rule-set. It also comes with the generic set infrastructure that
429           allows you to construct mappings between matchings and actions
430           for performance lookups.
431 
432           To compile it as a module, choose M here.
433 
434 config NF_TABLES_INET
435         depends on NF_TABLES && IPV6
436         select NF_TABLES_IPV4
437         select NF_TABLES_IPV6
438         tristate "Netfilter nf_tables mixed IPv4/IPv6 tables support"
439         help
440           This option enables support for a mixed IPv4/IPv6 "inet" table.
441 
442 config NFT_EXTHDR
443         depends on NF_TABLES
444         tristate "Netfilter nf_tables IPv6 exthdr module"
445         help
446           This option adds the "exthdr" expression that you can use to match
447           IPv6 extension headers.
448 
449 config NFT_META
450         depends on NF_TABLES
451         tristate "Netfilter nf_tables meta module"
452         help
453           This option adds the "meta" expression that you can use to match and
454           to set packet metainformation such as the packet mark.
455 
456 config NFT_CT
457         depends on NF_TABLES
458         depends on NF_CONNTRACK
459         tristate "Netfilter nf_tables conntrack module"
460         help
461           This option adds the "meta" expression that you can use to match
462           connection tracking information such as the flow state.
463 
464 config NFT_RBTREE
465         depends on NF_TABLES
466         tristate "Netfilter nf_tables rbtree set module"
467         help
468           This option adds the "rbtree" set type (Red Black tree) that is used
469           to build interval-based sets.
470 
471 config NFT_HASH
472         depends on NF_TABLES
473         tristate "Netfilter nf_tables hash set module"
474         help
475           This option adds the "hash" set type that is used to build one-way
476           mappings between matchings and actions.
477 
478 config NFT_COUNTER
479         depends on NF_TABLES
480         tristate "Netfilter nf_tables counter module"
481         help
482           This option adds the "counter" expression that you can use to
483           include packet and byte counters in a rule.
484 
485 config NFT_LOG
486         depends on NF_TABLES
487         tristate "Netfilter nf_tables log module"
488         help
489           This option adds the "log" expression that you can use to log
490           packets matching some criteria.
491 
492 config NFT_LIMIT
493         depends on NF_TABLES
494         tristate "Netfilter nf_tables limit module"
495         help
496           This option adds the "limit" expression that you can use to
497           ratelimit rule matchings.
498 
499 config NFT_MASQ
500         depends on NF_TABLES
501         depends on NF_CONNTRACK
502         depends on NF_NAT
503         tristate "Netfilter nf_tables masquerade support"
504         help
505           This option adds the "masquerade" expression that you can use
506           to perform NAT in the masquerade flavour.
507 
508 config NFT_NAT
509         depends on NF_TABLES
510         depends on NF_CONNTRACK
511         select NF_NAT
512         tristate "Netfilter nf_tables nat module"
513         help
514           This option adds the "nat" expression that you can use to perform
515           typical Network Address Translation (NAT) packet transformations.
516 
517 config NFT_QUEUE
518         depends on NF_TABLES
519         depends on NETFILTER_XTABLES
520         depends on NETFILTER_NETLINK_QUEUE
521         tristate "Netfilter nf_tables queue module"
522         help
523           This is required if you intend to use the userspace queueing
524           infrastructure (also known as NFQUEUE) from nftables.
525 
526 config NFT_REJECT
527         depends on NF_TABLES
528         default m if NETFILTER_ADVANCED=n
529         tristate "Netfilter nf_tables reject support"
530         help
531           This option adds the "reject" expression that you can use to
532           explicitly deny and notify via TCP reset/ICMP informational errors
533           unallowed traffic.
534 
535 config NFT_REJECT_INET
536         depends on NF_TABLES_INET
537         default NFT_REJECT
538         tristate
539 
540 config NFT_COMPAT
541         depends on NF_TABLES
542         depends on NETFILTER_XTABLES
543         tristate "Netfilter x_tables over nf_tables module"
544         help
545           This is required if you intend to use any of existing
546           x_tables match/target extensions over the nf_tables
547           framework.
548 
549 config NETFILTER_XTABLES
550         tristate "Netfilter Xtables support (required for ip_tables)"
551         default m if NETFILTER_ADVANCED=n
552         help
553           This is required if you intend to use any of ip_tables,
554           ip6_tables or arp_tables.
555 
556 if NETFILTER_XTABLES
557 
558 comment "Xtables combined modules"
559 
560 config NETFILTER_XT_MARK
561         tristate 'nfmark target and match support'
562         default m if NETFILTER_ADVANCED=n
563         ---help---
564         This option adds the "MARK" target and "mark" match.
565 
566         Netfilter mark matching allows you to match packets based on the
567         "nfmark" value in the packet.
568         The target allows you to create rules in the "mangle" table which alter
569         the netfilter mark (nfmark) field associated with the packet.
570 
571         Prior to routing, the nfmark can influence the routing method (see
572         "Use netfilter MARK value as routing key") and can also be used by
573         other subsystems to change their behavior.
574 
575 config NETFILTER_XT_CONNMARK
576         tristate 'ctmark target and match support'
577         depends on NF_CONNTRACK
578         depends on NETFILTER_ADVANCED
579         select NF_CONNTRACK_MARK
580         ---help---
581         This option adds the "CONNMARK" target and "connmark" match.
582 
583         Netfilter allows you to store a mark value per connection (a.k.a.
584         ctmark), similarly to the packet mark (nfmark). Using this
585         target and match, you can set and match on this mark.
586 
587 config NETFILTER_XT_SET
588         tristate 'set target and match support'
589         depends on IP_SET
590         depends on NETFILTER_ADVANCED
591         help
592           This option adds the "SET" target and "set" match.
593 
594           Using this target and match, you can add/delete and match
595           elements in the sets created by ipset(8).
596 
597           To compile it as a module, choose M here.  If unsure, say N.
598 
599 # alphabetically ordered list of targets
600 
601 comment "Xtables targets"
602 
603 config NETFILTER_XT_TARGET_AUDIT
604         tristate "AUDIT target support"
605         depends on AUDIT
606         depends on NETFILTER_ADVANCED
607         ---help---
608           This option adds a 'AUDIT' target, which can be used to create
609           audit records for packets dropped/accepted.
610 
611           To compileit as a module, choose M here. If unsure, say N.
612 
613 config NETFILTER_XT_TARGET_CHECKSUM
614         tristate "CHECKSUM target support"
615         depends on IP_NF_MANGLE || IP6_NF_MANGLE
616         depends on NETFILTER_ADVANCED
617         ---help---
618           This option adds a `CHECKSUM' target, which can be used in the iptables mangle
619           table.
620 
621           You can use this target to compute and fill in the checksum in
622           a packet that lacks a checksum.  This is particularly useful,
623           if you need to work around old applications such as dhcp clients,
624           that do not work well with checksum offloads, but don't want to disable
625           checksum offload in your device.
626 
627           To compile it as a module, choose M here.  If unsure, say N.
628 
629 config NETFILTER_XT_TARGET_CLASSIFY
630         tristate '"CLASSIFY" target support'
631         depends on NETFILTER_ADVANCED
632         help
633           This option adds a `CLASSIFY' target, which enables the user to set
634           the priority of a packet. Some qdiscs can use this value for
635           classification, among these are:
636 
637           atm, cbq, dsmark, pfifo_fast, htb, prio
638 
639           To compile it as a module, choose M here.  If unsure, say N.
640 
641 config NETFILTER_XT_TARGET_CONNMARK
642         tristate  '"CONNMARK" target support'
643         depends on NF_CONNTRACK
644         depends on NETFILTER_ADVANCED
645         select NETFILTER_XT_CONNMARK
646         ---help---
647         This is a backwards-compat option for the user's convenience
648         (e.g. when running oldconfig). It selects
649         CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
650 
651 config NETFILTER_XT_TARGET_CONNSECMARK
652         tristate '"CONNSECMARK" target support'
653         depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
654         default m if NETFILTER_ADVANCED=n
655         help
656           The CONNSECMARK target copies security markings from packets
657           to connections, and restores security markings from connections
658           to packets (if the packets are not already marked).  This would
659           normally be used in conjunction with the SECMARK target.
660 
661           To compile it as a module, choose M here.  If unsure, say N.
662 
663 config NETFILTER_XT_TARGET_CT
664         tristate '"CT" target support'
665         depends on NF_CONNTRACK
666         depends on IP_NF_RAW || IP6_NF_RAW
667         depends on NETFILTER_ADVANCED
668         help
669           This options adds a `CT' target, which allows to specify initial
670           connection tracking parameters like events to be delivered and
671           the helper to be used.
672 
673           To compile it as a module, choose M here.  If unsure, say N.
674 
675 config NETFILTER_XT_TARGET_DSCP
676         tristate '"DSCP" and "TOS" target support'
677         depends on IP_NF_MANGLE || IP6_NF_MANGLE
678         depends on NETFILTER_ADVANCED
679         help
680           This option adds a `DSCP' target, which allows you to manipulate
681           the IPv4/IPv6 header DSCP field (differentiated services codepoint).
682 
683           The DSCP field can have any value between 0x0 and 0x3f inclusive.
684 
685           It also adds the "TOS" target, which allows you to create rules in
686           the "mangle" table which alter the Type Of Service field of an IPv4
687           or the Priority field of an IPv6 packet, prior to routing.
688 
689           To compile it as a module, choose M here.  If unsure, say N.
690 
691 config NETFILTER_XT_TARGET_HL
692         tristate '"HL" hoplimit target support'
693         depends on IP_NF_MANGLE || IP6_NF_MANGLE
694         depends on NETFILTER_ADVANCED
695         ---help---
696         This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
697         targets, which enable the user to change the
698         hoplimit/time-to-live value of the IP header.
699 
700         While it is safe to decrement the hoplimit/TTL value, the
701         modules also allow to increment and set the hoplimit value of
702         the header to arbitrary values. This is EXTREMELY DANGEROUS
703         since you can easily create immortal packets that loop
704         forever on the network.
705 
706 config NETFILTER_XT_TARGET_HMARK
707         tristate '"HMARK" target support'
708         depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
709         depends on NETFILTER_ADVANCED
710         ---help---
711         This option adds the "HMARK" target.
712 
713         The target allows you to create rules in the "raw" and "mangle" tables
714         which set the skbuff mark by means of hash calculation within a given
715         range. The nfmark can influence the routing method (see "Use netfilter
716         MARK value as routing key") and can also be used by other subsystems to
717         change their behaviour.
718 
719         To compile it as a module, choose M here. If unsure, say N.
720 
721 config NETFILTER_XT_TARGET_IDLETIMER
722         tristate  "IDLETIMER target support"
723         depends on NETFILTER_ADVANCED
724         help
725 
726           This option adds the `IDLETIMER' target.  Each matching packet
727           resets the timer associated with label specified when the rule is
728           added.  When the timer expires, it triggers a sysfs notification.
729           The remaining time for expiration can be read via sysfs.
730 
731           To compile it as a module, choose M here.  If unsure, say N.
732 
733 config NETFILTER_XT_TARGET_LED
734         tristate '"LED" target support'
735         depends on LEDS_CLASS && LEDS_TRIGGERS
736         depends on NETFILTER_ADVANCED
737         help
738           This option adds a `LED' target, which allows you to blink LEDs in
739           response to particular packets passing through your machine.
740 
741           This can be used to turn a spare LED into a network activity LED,
742           which only flashes in response to FTP transfers, for example.  Or
743           you could have an LED which lights up for a minute or two every time
744           somebody connects to your machine via SSH.
745 
746           You will need support for the "led" class to make this work.
747 
748           To create an LED trigger for incoming SSH traffic:
749             iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
750 
751           Then attach the new trigger to an LED on your system:
752             echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
753 
754           For more information on the LEDs available on your system, see
755           Documentation/leds/leds-class.txt
756 
757 config NETFILTER_XT_TARGET_LOG
758         tristate "LOG target support"
759         select NF_LOG_COMMON
760         select NF_LOG_IPV4
761         select NF_LOG_IPV6 if IPV6
762         default m if NETFILTER_ADVANCED=n
763         help
764           This option adds a `LOG' target, which allows you to create rules in
765           any iptables table which records the packet header to the syslog.
766 
767           To compile it as a module, choose M here.  If unsure, say N.
768 
769 config NETFILTER_XT_TARGET_MARK
770         tristate '"MARK" target support'
771         depends on NETFILTER_ADVANCED
772         select NETFILTER_XT_MARK
773         ---help---
774         This is a backwards-compat option for the user's convenience
775         (e.g. when running oldconfig). It selects
776         CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
777 
778 config NETFILTER_XT_NAT
779         tristate '"SNAT and DNAT" targets support'
780         depends on NF_NAT
781         ---help---
782         This option enables the SNAT and DNAT targets.
783 
784         To compile it as a module, choose M here. If unsure, say N.
785 
786 config NETFILTER_XT_TARGET_NETMAP
787         tristate '"NETMAP" target support'
788         depends on NF_NAT
789         ---help---
790         NETMAP is an implementation of static 1:1 NAT mapping of network
791         addresses. It maps the network address part, while keeping the host
792         address part intact.
793 
794         To compile it as a module, choose M here. If unsure, say N.
795 
796 config NETFILTER_XT_TARGET_NFLOG
797         tristate '"NFLOG" target support'
798         default m if NETFILTER_ADVANCED=n
799         select NETFILTER_NETLINK_LOG
800         help
801           This option enables the NFLOG target, which allows to LOG
802           messages through nfnetlink_log.
803 
804           To compile it as a module, choose M here.  If unsure, say N.
805 
806 config NETFILTER_XT_TARGET_NFQUEUE
807         tristate '"NFQUEUE" target Support'
808         depends on NETFILTER_ADVANCED
809         select NETFILTER_NETLINK_QUEUE
810         help
811           This target replaced the old obsolete QUEUE target.
812 
813           As opposed to QUEUE, it supports 65535 different queues,
814           not just one.
815 
816           To compile it as a module, choose M here.  If unsure, say N.
817 
818 config NETFILTER_XT_TARGET_NOTRACK
819         tristate  '"NOTRACK" target support (DEPRECATED)'
820         depends on NF_CONNTRACK
821         depends on IP_NF_RAW || IP6_NF_RAW
822         depends on NETFILTER_ADVANCED
823         select NETFILTER_XT_TARGET_CT
824 
825 config NETFILTER_XT_TARGET_RATEEST
826         tristate '"RATEEST" target support'
827         depends on NETFILTER_ADVANCED
828         help
829           This option adds a `RATEEST' target, which allows to measure
830           rates similar to TC estimators. The `rateest' match can be
831           used to match on the measured rates.
832 
833           To compile it as a module, choose M here.  If unsure, say N.
834 
835 config NETFILTER_XT_TARGET_REDIRECT
836         tristate "REDIRECT target support"
837         depends on NF_NAT
838         ---help---
839         REDIRECT is a special case of NAT: all incoming connections are
840         mapped onto the incoming interface's address, causing the packets to
841         come to the local machine instead of passing through. This is
842         useful for transparent proxies.
843 
844         To compile it as a module, choose M here. If unsure, say N.
845 
846 config NETFILTER_XT_TARGET_TEE
847         tristate '"TEE" - packet cloning to alternate destination'
848         depends on NETFILTER_ADVANCED
849         depends on (IPV6 || IPV6=n)
850         depends on !NF_CONNTRACK || NF_CONNTRACK
851         ---help---
852         This option adds a "TEE" target with which a packet can be cloned and
853         this clone be rerouted to another nexthop.
854 
855 config NETFILTER_XT_TARGET_TPROXY
856         tristate '"TPROXY" target transparent proxying support'
857         depends on NETFILTER_XTABLES
858         depends on NETFILTER_ADVANCED
859         depends on (IPV6 || IPV6=n)
860         depends on IP_NF_MANGLE
861         select NF_DEFRAG_IPV4
862         select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
863         help
864           This option adds a `TPROXY' target, which is somewhat similar to
865           REDIRECT.  It can only be used in the mangle table and is useful
866           to redirect traffic to a transparent proxy.  It does _not_ depend
867           on Netfilter connection tracking and NAT, unlike REDIRECT.
868           For it to work you will have to configure certain iptables rules
869           and use policy routing. For more information on how to set it up
870           see Documentation/networking/tproxy.txt.
871 
872           To compile it as a module, choose M here.  If unsure, say N.
873 
874 config NETFILTER_XT_TARGET_TRACE
875         tristate  '"TRACE" target support'
876         depends on IP_NF_RAW || IP6_NF_RAW
877         depends on NETFILTER_ADVANCED
878         help
879           The TRACE target allows you to mark packets so that the kernel
880           will log every rule which match the packets as those traverse
881           the tables, chains, rules.
882 
883           If you want to compile it as a module, say M here and read
884           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
885 
886 config NETFILTER_XT_TARGET_SECMARK
887         tristate '"SECMARK" target support'
888         depends on NETWORK_SECMARK
889         default m if NETFILTER_ADVANCED=n
890         help
891           The SECMARK target allows security marking of network
892           packets, for use with security subsystems.
893 
894           To compile it as a module, choose M here.  If unsure, say N.
895 
896 config NETFILTER_XT_TARGET_TCPMSS
897         tristate '"TCPMSS" target support'
898         depends on (IPV6 || IPV6=n)
899         default m if NETFILTER_ADVANCED=n
900         ---help---
901           This option adds a `TCPMSS' target, which allows you to alter the
902           MSS value of TCP SYN packets, to control the maximum size for that
903           connection (usually limiting it to your outgoing interface's MTU
904           minus 40).
905 
906           This is used to overcome criminally braindead ISPs or servers which
907           block ICMP Fragmentation Needed packets.  The symptoms of this
908           problem are that everything works fine from your Linux
909           firewall/router, but machines behind it can never exchange large
910           packets:
911                 1) Web browsers connect, then hang with no data received.
912                 2) Small mail works fine, but large emails hang.
913                 3) ssh works fine, but scp hangs after initial handshaking.
914 
915           Workaround: activate this option and add a rule to your firewall
916           configuration like:
917 
918           iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
919                          -j TCPMSS --clamp-mss-to-pmtu
920 
921           To compile it as a module, choose M here.  If unsure, say N.
922 
923 config NETFILTER_XT_TARGET_TCPOPTSTRIP
924         tristate '"TCPOPTSTRIP" target support'
925         depends on IP_NF_MANGLE || IP6_NF_MANGLE
926         depends on NETFILTER_ADVANCED
927         help
928           This option adds a "TCPOPTSTRIP" target, which allows you to strip
929           TCP options from TCP packets.
930 
931 # alphabetically ordered list of matches
932 
933 comment "Xtables matches"
934 
935 config NETFILTER_XT_MATCH_ADDRTYPE
936         tristate '"addrtype" address type match support'
937         depends on NETFILTER_ADVANCED
938         ---help---
939           This option allows you to match what routing thinks of an address,
940           eg. UNICAST, LOCAL, BROADCAST, ...
941 
942           If you want to compile it as a module, say M here and read
943           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
944 
945 config NETFILTER_XT_MATCH_BPF
946         tristate '"bpf" match support'
947         depends on NETFILTER_ADVANCED
948         help
949           BPF matching applies a linux socket filter to each packet and
950           accepts those for which the filter returns non-zero.
951 
952           To compile it as a module, choose M here.  If unsure, say N.
953 
954 config NETFILTER_XT_MATCH_CGROUP
955         tristate '"control group" match support'
956         depends on NETFILTER_ADVANCED
957         depends on CGROUPS
958         select CGROUP_NET_CLASSID
959         ---help---
960         Socket/process control group matching allows you to match locally
961         generated packets based on which net_cls control group processes
962         belong to.
963 
964 config NETFILTER_XT_MATCH_CLUSTER
965         tristate '"cluster" match support'
966         depends on NF_CONNTRACK
967         depends on NETFILTER_ADVANCED
968         ---help---
969           This option allows you to build work-load-sharing clusters of
970           network servers/stateful firewalls without having a dedicated
971           load-balancing router/server/switch. Basically, this match returns
972           true when the packet must be handled by this cluster node. Thus,
973           all nodes see all packets and this match decides which node handles
974           what packets. The work-load sharing algorithm is based on source
975           address hashing.
976 
977           If you say Y or M here, try `iptables -m cluster --help` for
978           more information.
979 
980 config NETFILTER_XT_MATCH_COMMENT
981         tristate  '"comment" match support'
982         depends on NETFILTER_ADVANCED
983         help
984           This option adds a `comment' dummy-match, which allows you to put
985           comments in your iptables ruleset.
986 
987           If you want to compile it as a module, say M here and read
988           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
989 
990 config NETFILTER_XT_MATCH_CONNBYTES
991         tristate  '"connbytes" per-connection counter match support'
992         depends on NF_CONNTRACK
993         depends on NETFILTER_ADVANCED
994         help
995           This option adds a `connbytes' match, which allows you to match the
996           number of bytes and/or packets for each direction within a connection.
997 
998           If you want to compile it as a module, say M here and read
999           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1000 
1001 config NETFILTER_XT_MATCH_CONNLABEL
1002         tristate '"connlabel" match support'
1003         select NF_CONNTRACK_LABELS
1004         depends on NF_CONNTRACK
1005         depends on NETFILTER_ADVANCED
1006         ---help---
1007           This match allows you to test and assign userspace-defined labels names
1008           to a connection.  The kernel only stores bit values - mapping
1009           names to bits is done by userspace.
1010 
1011           Unlike connmark, more than 32 flag bits may be assigned to a
1012           connection simultaneously.
1013 
1014 config NETFILTER_XT_MATCH_CONNLIMIT
1015         tristate '"connlimit" match support'
1016         depends on NF_CONNTRACK
1017         depends on NETFILTER_ADVANCED
1018         ---help---
1019           This match allows you to match against the number of parallel
1020           connections to a server per client IP address (or address block).
1021 
1022 config NETFILTER_XT_MATCH_CONNMARK
1023         tristate  '"connmark" connection mark match support'
1024         depends on NF_CONNTRACK
1025         depends on NETFILTER_ADVANCED
1026         select NETFILTER_XT_CONNMARK
1027         ---help---
1028         This is a backwards-compat option for the user's convenience
1029         (e.g. when running oldconfig). It selects
1030         CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
1031 
1032 config NETFILTER_XT_MATCH_CONNTRACK
1033         tristate '"conntrack" connection tracking match support'
1034         depends on NF_CONNTRACK
1035         default m if NETFILTER_ADVANCED=n
1036         help
1037           This is a general conntrack match module, a superset of the state match.
1038 
1039           It allows matching on additional conntrack information, which is
1040           useful in complex configurations, such as NAT gateways with multiple
1041           internet links or tunnels.
1042 
1043           To compile it as a module, choose M here.  If unsure, say N.
1044 
1045 config NETFILTER_XT_MATCH_CPU
1046         tristate '"cpu" match support'
1047         depends on NETFILTER_ADVANCED
1048         help
1049           CPU matching allows you to match packets based on the CPU
1050           currently handling the packet.
1051 
1052           To compile it as a module, choose M here.  If unsure, say N.
1053 
1054 config NETFILTER_XT_MATCH_DCCP
1055         tristate '"dccp" protocol match support'
1056         depends on NETFILTER_ADVANCED
1057         default IP_DCCP
1058         help
1059           With this option enabled, you will be able to use the iptables
1060           `dccp' match in order to match on DCCP source/destination ports
1061           and DCCP flags.
1062 
1063           If you want to compile it as a module, say M here and read
1064           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1065 
1066 config NETFILTER_XT_MATCH_DEVGROUP
1067         tristate '"devgroup" match support'
1068         depends on NETFILTER_ADVANCED
1069         help
1070           This options adds a `devgroup' match, which allows to match on the
1071           device group a network device is assigned to.
1072 
1073           To compile it as a module, choose M here.  If unsure, say N.
1074 
1075 config NETFILTER_XT_MATCH_DSCP
1076         tristate '"dscp" and "tos" match support'
1077         depends on NETFILTER_ADVANCED
1078         help
1079           This option adds a `DSCP' match, which allows you to match against
1080           the IPv4/IPv6 header DSCP field (differentiated services codepoint).
1081 
1082           The DSCP field can have any value between 0x0 and 0x3f inclusive.
1083 
1084           It will also add a "tos" match, which allows you to match packets
1085           based on the Type Of Service fields of the IPv4 packet (which share
1086           the same bits as DSCP).
1087 
1088           To compile it as a module, choose M here.  If unsure, say N.
1089 
1090 config NETFILTER_XT_MATCH_ECN
1091         tristate '"ecn" match support'
1092         depends on NETFILTER_ADVANCED
1093         ---help---
1094         This option adds an "ECN" match, which allows you to match against
1095         the IPv4 and TCP header ECN fields.
1096 
1097         To compile it as a module, choose M here. If unsure, say N.
1098 
1099 config NETFILTER_XT_MATCH_ESP
1100         tristate '"esp" match support'
1101         depends on NETFILTER_ADVANCED
1102         help
1103           This match extension allows you to match a range of SPIs
1104           inside ESP header of IPSec packets.
1105 
1106           To compile it as a module, choose M here.  If unsure, say N.
1107 
1108 config NETFILTER_XT_MATCH_HASHLIMIT
1109         tristate '"hashlimit" match support'
1110         depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
1111         depends on NETFILTER_ADVANCED
1112         help
1113           This option adds a `hashlimit' match.
1114 
1115           As opposed to `limit', this match dynamically creates a hash table
1116           of limit buckets, based on your selection of source/destination
1117           addresses and/or ports.
1118 
1119           It enables you to express policies like `10kpps for any given
1120           destination address' or `500pps from any given source address'
1121           with a single rule.
1122 
1123 config NETFILTER_XT_MATCH_HELPER
1124         tristate '"helper" match support'
1125         depends on NF_CONNTRACK
1126         depends on NETFILTER_ADVANCED
1127         help
1128           Helper matching allows you to match packets in dynamic connections
1129           tracked by a conntrack-helper, ie. ip_conntrack_ftp
1130 
1131           To compile it as a module, choose M here.  If unsure, say Y.
1132 
1133 config NETFILTER_XT_MATCH_HL
1134         tristate '"hl" hoplimit/TTL match support'
1135         depends on NETFILTER_ADVANCED
1136         ---help---
1137         HL matching allows you to match packets based on the hoplimit
1138         in the IPv6 header, or the time-to-live field in the IPv4
1139         header of the packet.
1140 
1141 config NETFILTER_XT_MATCH_IPCOMP
1142         tristate '"ipcomp" match support'
1143         depends on NETFILTER_ADVANCED
1144         help
1145           This match extension allows you to match a range of CPIs(16 bits)
1146           inside IPComp header of IPSec packets.
1147 
1148           To compile it as a module, choose M here.  If unsure, say N.
1149 
1150 config NETFILTER_XT_MATCH_IPRANGE
1151         tristate '"iprange" address range match support'
1152         depends on NETFILTER_ADVANCED
1153         ---help---
1154         This option adds a "iprange" match, which allows you to match based on
1155         an IP address range. (Normal iptables only matches on single addresses
1156         with an optional mask.)
1157 
1158         If unsure, say M.
1159 
1160 config NETFILTER_XT_MATCH_IPVS
1161         tristate '"ipvs" match support'
1162         depends on IP_VS
1163         depends on NETFILTER_ADVANCED
1164         depends on NF_CONNTRACK
1165         help
1166           This option allows you to match against IPVS properties of a packet.
1167 
1168           If unsure, say N.
1169 
1170 config NETFILTER_XT_MATCH_L2TP
1171         tristate '"l2tp" match support'
1172         depends on NETFILTER_ADVANCED
1173         default L2TP
1174         ---help---
1175         This option adds an "L2TP" match, which allows you to match against
1176         L2TP protocol header fields.
1177 
1178         To compile it as a module, choose M here. If unsure, say N.
1179 
1180 config NETFILTER_XT_MATCH_LENGTH
1181         tristate '"length" match support'
1182         depends on NETFILTER_ADVANCED
1183         help
1184           This option allows you to match the length of a packet against a
1185           specific value or range of values.
1186 
1187           To compile it as a module, choose M here.  If unsure, say N.
1188 
1189 config NETFILTER_XT_MATCH_LIMIT
1190         tristate '"limit" match support'
1191         depends on NETFILTER_ADVANCED
1192         help
1193           limit matching allows you to control the rate at which a rule can be
1194           matched: mainly useful in combination with the LOG target ("LOG
1195           target support", below) and to avoid some Denial of Service attacks.
1196 
1197           To compile it as a module, choose M here.  If unsure, say N.
1198 
1199 config NETFILTER_XT_MATCH_MAC
1200         tristate '"mac" address match support'
1201         depends on NETFILTER_ADVANCED
1202         help
1203           MAC matching allows you to match packets based on the source
1204           Ethernet address of the packet.
1205 
1206           To compile it as a module, choose M here.  If unsure, say N.
1207 
1208 config NETFILTER_XT_MATCH_MARK
1209         tristate '"mark" match support'
1210         depends on NETFILTER_ADVANCED
1211         select NETFILTER_XT_MARK
1212         ---help---
1213         This is a backwards-compat option for the user's convenience
1214         (e.g. when running oldconfig). It selects
1215         CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
1216 
1217 config NETFILTER_XT_MATCH_MULTIPORT
1218         tristate '"multiport" Multiple port match support'
1219         depends on NETFILTER_ADVANCED
1220         help
1221           Multiport matching allows you to match TCP or UDP packets based on
1222           a series of source or destination ports: normally a rule can only
1223           match a single range of ports.
1224 
1225           To compile it as a module, choose M here.  If unsure, say N.
1226 
1227 config NETFILTER_XT_MATCH_NFACCT
1228         tristate '"nfacct" match support'
1229         depends on NETFILTER_ADVANCED
1230         select NETFILTER_NETLINK_ACCT
1231         help
1232           This option allows you to use the extended accounting through
1233           nfnetlink_acct.
1234 
1235           To compile it as a module, choose M here.  If unsure, say N.
1236 
1237 config NETFILTER_XT_MATCH_OSF
1238         tristate '"osf" Passive OS fingerprint match'
1239         depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
1240         help
1241           This option selects the Passive OS Fingerprinting match module
1242           that allows to passively match the remote operating system by
1243           analyzing incoming TCP SYN packets.
1244 
1245           Rules and loading software can be downloaded from
1246           http://www.ioremap.net/projects/osf
1247 
1248           To compile it as a module, choose M here.  If unsure, say N.
1249 
1250 config NETFILTER_XT_MATCH_OWNER
1251         tristate '"owner" match support'
1252         depends on NETFILTER_ADVANCED
1253         ---help---
1254         Socket owner matching allows you to match locally-generated packets
1255         based on who created the socket: the user or group. It is also
1256         possible to check whether a socket actually exists.
1257 
1258 config NETFILTER_XT_MATCH_POLICY
1259         tristate 'IPsec "policy" match support'
1260         depends on XFRM
1261         default m if NETFILTER_ADVANCED=n
1262         help
1263           Policy matching allows you to match packets based on the
1264           IPsec policy that was used during decapsulation/will
1265           be used during encapsulation.
1266 
1267           To compile it as a module, choose M here.  If unsure, say N.
1268 
1269 config NETFILTER_XT_MATCH_PHYSDEV
1270         tristate '"physdev" match support'
1271         depends on BRIDGE && BRIDGE_NETFILTER
1272         depends on NETFILTER_ADVANCED
1273         help
1274           Physdev packet matching matches against the physical bridge ports
1275           the IP packet arrived on or will leave by.
1276 
1277           To compile it as a module, choose M here.  If unsure, say N.
1278 
1279 config NETFILTER_XT_MATCH_PKTTYPE
1280         tristate '"pkttype" packet type match support'
1281         depends on NETFILTER_ADVANCED
1282         help
1283           Packet type matching allows you to match a packet by
1284           its "class", eg. BROADCAST, MULTICAST, ...
1285 
1286           Typical usage:
1287           iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
1288 
1289           To compile it as a module, choose M here.  If unsure, say N.
1290 
1291 config NETFILTER_XT_MATCH_QUOTA
1292         tristate '"quota" match support'
1293         depends on NETFILTER_ADVANCED
1294         help
1295           This option adds a `quota' match, which allows to match on a
1296           byte counter.
1297 
1298           If you want to compile it as a module, say M here and read
1299           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1300 
1301 config NETFILTER_XT_MATCH_RATEEST
1302         tristate '"rateest" match support'
1303         depends on NETFILTER_ADVANCED
1304         select NETFILTER_XT_TARGET_RATEEST
1305         help
1306           This option adds a `rateest' match, which allows to match on the
1307           rate estimated by the RATEEST target.
1308 
1309           To compile it as a module, choose M here.  If unsure, say N.
1310 
1311 config NETFILTER_XT_MATCH_REALM
1312         tristate  '"realm" match support'
1313         depends on NETFILTER_ADVANCED
1314         select IP_ROUTE_CLASSID
1315         help
1316           This option adds a `realm' match, which allows you to use the realm
1317           key from the routing subsystem inside iptables.
1318 
1319           This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option 
1320           in tc world.
1321 
1322           If you want to compile it as a module, say M here and read
1323           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1324 
1325 config NETFILTER_XT_MATCH_RECENT
1326         tristate '"recent" match support'
1327         depends on NETFILTER_ADVANCED
1328         ---help---
1329         This match is used for creating one or many lists of recently
1330         used addresses and then matching against that/those list(s).
1331 
1332         Short options are available by using 'iptables -m recent -h'
1333         Official Website: <http://snowman.net/projects/ipt_recent/>
1334 
1335 config NETFILTER_XT_MATCH_SCTP
1336         tristate  '"sctp" protocol match support'
1337         depends on NETFILTER_ADVANCED
1338         default IP_SCTP
1339         help
1340           With this option enabled, you will be able to use the 
1341           `sctp' match in order to match on SCTP source/destination ports
1342           and SCTP chunk types.
1343 
1344           If you want to compile it as a module, say M here and read
1345           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1346 
1347 config NETFILTER_XT_MATCH_SOCKET
1348         tristate '"socket" match support'
1349         depends on NETFILTER_XTABLES
1350         depends on NETFILTER_ADVANCED
1351         depends on !NF_CONNTRACK || NF_CONNTRACK
1352         depends on (IPV6 || IPV6=n)
1353         select NF_DEFRAG_IPV4
1354         select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
1355         help
1356           This option adds a `socket' match, which can be used to match
1357           packets for which a TCP or UDP socket lookup finds a valid socket.
1358           It can be used in combination with the MARK target and policy
1359           routing to implement full featured non-locally bound sockets.
1360 
1361           To compile it as a module, choose M here.  If unsure, say N.
1362 
1363 config NETFILTER_XT_MATCH_STATE
1364         tristate '"state" match support'
1365         depends on NF_CONNTRACK
1366         default m if NETFILTER_ADVANCED=n
1367         help
1368           Connection state matching allows you to match packets based on their
1369           relationship to a tracked connection (ie. previous packets).  This
1370           is a powerful tool for packet classification.
1371 
1372           To compile it as a module, choose M here.  If unsure, say N.
1373 
1374 config NETFILTER_XT_MATCH_STATISTIC
1375         tristate '"statistic" match support'
1376         depends on NETFILTER_ADVANCED
1377         help
1378           This option adds a `statistic' match, which allows you to match
1379           on packets periodically or randomly with a given percentage.
1380 
1381           To compile it as a module, choose M here.  If unsure, say N.
1382 
1383 config NETFILTER_XT_MATCH_STRING
1384         tristate  '"string" match support'
1385         depends on NETFILTER_ADVANCED
1386         select TEXTSEARCH
1387         select TEXTSEARCH_KMP
1388         select TEXTSEARCH_BM
1389         select TEXTSEARCH_FSM
1390         help
1391           This option adds a `string' match, which allows you to look for
1392           pattern matchings in packets.
1393 
1394           To compile it as a module, choose M here.  If unsure, say N.
1395 
1396 config NETFILTER_XT_MATCH_TCPMSS
1397         tristate '"tcpmss" match support'
1398         depends on NETFILTER_ADVANCED
1399         help
1400           This option adds a `tcpmss' match, which allows you to examine the
1401           MSS value of TCP SYN packets, which control the maximum packet size
1402           for that connection.
1403 
1404           To compile it as a module, choose M here.  If unsure, say N.
1405 
1406 config NETFILTER_XT_MATCH_TIME
1407         tristate '"time" match support'
1408         depends on NETFILTER_ADVANCED
1409         ---help---
1410           This option adds a "time" match, which allows you to match based on
1411           the packet arrival time (at the machine which netfilter is running)
1412           on) or departure time/date (for locally generated packets).
1413 
1414           If you say Y here, try `iptables -m time --help` for
1415           more information.
1416 
1417           If you want to compile it as a module, say M here.
1418           If unsure, say N.
1419 
1420 config NETFILTER_XT_MATCH_U32
1421         tristate '"u32" match support'
1422         depends on NETFILTER_ADVANCED
1423         ---help---
1424           u32 allows you to extract quantities of up to 4 bytes from a packet,
1425           AND them with specified masks, shift them by specified amounts and
1426           test whether the results are in any of a set of specified ranges.
1427           The specification of what to extract is general enough to skip over
1428           headers with lengths stored in the packet, as in IP or TCP header
1429           lengths.
1430 
1431           Details and examples are in the kernel module source.
1432 
1433 endif # NETFILTER_XTABLES
1434 
1435 endmenu
1436 
1437 source "net/netfilter/ipset/Kconfig"
1438 
1439 source "net/netfilter/ipvs/Kconfig"

This page was automatically generated by LXR 0.3.1 (source).  •  Linux is a registered trademark of Linus Torvalds  •  Contact us