Version:  2.0.40 2.2.26 2.4.37 3.9 3.10 3.11 3.12 3.13 3.14 3.15 3.16 3.17 3.18 3.19 4.0 4.1 4.2 4.3 4.4 4.5 4.6

Linux/net/netfilter/Kconfig

  1 menu "Core Netfilter Configuration"
  2         depends on NET && INET && NETFILTER
  3 
  4 config NETFILTER_INGRESS
  5         bool "Netfilter ingress support"
  6         default y
  7         select NET_INGRESS
  8         help
  9           This allows you to classify packets from ingress using the Netfilter
 10           infrastructure.
 11 
 12 config NETFILTER_NETLINK
 13         tristate
 14 
 15 config NETFILTER_NETLINK_ACCT
 16 tristate "Netfilter NFACCT over NFNETLINK interface"
 17         depends on NETFILTER_ADVANCED
 18         select NETFILTER_NETLINK
 19         help
 20           If this option is enabled, the kernel will include support
 21           for extended accounting via NFNETLINK.
 22 
 23 config NETFILTER_NETLINK_QUEUE
 24         tristate "Netfilter NFQUEUE over NFNETLINK interface"
 25         depends on NETFILTER_ADVANCED
 26         select NETFILTER_NETLINK
 27         help
 28           If this option is enabled, the kernel will include support
 29           for queueing packets via NFNETLINK.
 30           
 31 config NETFILTER_NETLINK_LOG
 32         tristate "Netfilter LOG over NFNETLINK interface"
 33         default m if NETFILTER_ADVANCED=n
 34         select NETFILTER_NETLINK
 35         help
 36           If this option is enabled, the kernel will include support
 37           for logging packets via NFNETLINK.
 38 
 39           This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms,
 40           and is also scheduled to replace the old syslog-based ipt_LOG
 41           and ip6t_LOG modules.
 42 
 43 config NF_CONNTRACK
 44         tristate "Netfilter connection tracking support"
 45         default m if NETFILTER_ADVANCED=n
 46         help
 47           Connection tracking keeps a record of what packets have passed
 48           through your machine, in order to figure out how they are related
 49           into connections.
 50 
 51           This is required to do Masquerading or other kinds of Network
 52           Address Translation.  It can also be used to enhance packet
 53           filtering (see `Connection state match support' below).
 54 
 55           To compile it as a module, choose M here.  If unsure, say N.
 56 
 57 config NF_LOG_COMMON
 58         tristate
 59 
 60 if NF_CONNTRACK
 61 
 62 config NF_CONNTRACK_MARK
 63         bool  'Connection mark tracking support'
 64         depends on NETFILTER_ADVANCED
 65         help
 66           This option enables support for connection marks, used by the
 67           `CONNMARK' target and `connmark' match. Similar to the mark value
 68           of packets, but this mark value is kept in the conntrack session
 69           instead of the individual packets.
 70 
 71 config NF_CONNTRACK_SECMARK
 72         bool  'Connection tracking security mark support'
 73         depends on NETWORK_SECMARK
 74         default m if NETFILTER_ADVANCED=n
 75         help
 76           This option enables security markings to be applied to
 77           connections.  Typically they are copied to connections from
 78           packets using the CONNSECMARK target and copied back from
 79           connections to packets with the same target, with the packets
 80           being originally labeled via SECMARK.
 81 
 82           If unsure, say 'N'.
 83 
 84 config NF_CONNTRACK_ZONES
 85         bool  'Connection tracking zones'
 86         depends on NETFILTER_ADVANCED
 87         depends on NETFILTER_XT_TARGET_CT
 88         help
 89           This option enables support for connection tracking zones.
 90           Normally, each connection needs to have a unique system wide
 91           identity. Connection tracking zones allow to have multiple
 92           connections using the same identity, as long as they are
 93           contained in different zones.
 94 
 95           If unsure, say `N'.
 96 
 97 config NF_CONNTRACK_PROCFS
 98         bool "Supply CT list in procfs (OBSOLETE)"
 99         default y
100         depends on PROC_FS
101         ---help---
102         This option enables for the list of known conntrack entries
103         to be shown in procfs under net/netfilter/nf_conntrack. This
104         is considered obsolete in favor of using the conntrack(8)
105         tool which uses Netlink.
106 
107 config NF_CONNTRACK_EVENTS
108         bool "Connection tracking events"
109         depends on NETFILTER_ADVANCED
110         help
111           If this option is enabled, the connection tracking code will
112           provide a notifier chain that can be used by other kernel code
113           to get notified about changes in the connection tracking state.
114 
115           If unsure, say `N'.
116 
117 config NF_CONNTRACK_TIMEOUT
118         bool  'Connection tracking timeout'
119         depends on NETFILTER_ADVANCED
120         help
121           This option enables support for connection tracking timeout
122           extension. This allows you to attach timeout policies to flow
123           via the CT target.
124 
125           If unsure, say `N'.
126 
127 config NF_CONNTRACK_TIMESTAMP
128         bool  'Connection tracking timestamping'
129         depends on NETFILTER_ADVANCED
130         help
131           This option enables support for connection tracking timestamping.
132           This allows you to store the flow start-time and to obtain
133           the flow-stop time (once it has been destroyed) via Connection
134           tracking events.
135 
136           If unsure, say `N'.
137 
138 config NF_CONNTRACK_LABELS
139         bool
140         help
141           This option enables support for assigning user-defined flag bits
142           to connection tracking entries.  It selected by the connlabel match.
143 
144 config NF_CT_PROTO_DCCP
145         tristate 'DCCP protocol connection tracking support'
146         depends on NETFILTER_ADVANCED
147         default IP_DCCP
148         help
149           With this option enabled, the layer 3 independent connection
150           tracking code will be able to do state tracking on DCCP connections.
151 
152           If unsure, say 'N'.
153 
154 config NF_CT_PROTO_GRE
155         tristate
156 
157 config NF_CT_PROTO_SCTP
158         tristate 'SCTP protocol connection tracking support'
159         depends on NETFILTER_ADVANCED
160         default IP_SCTP
161         help
162           With this option enabled, the layer 3 independent connection
163           tracking code will be able to do state tracking on SCTP connections.
164 
165           If you want to compile it as a module, say M here and read
166           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
167 
168 config NF_CT_PROTO_UDPLITE
169         tristate 'UDP-Lite protocol connection tracking support'
170         depends on NETFILTER_ADVANCED
171         help
172           With this option enabled, the layer 3 independent connection
173           tracking code will be able to do state tracking on UDP-Lite
174           connections.
175 
176           To compile it as a module, choose M here.  If unsure, say N.
177 
178 config NF_CONNTRACK_AMANDA
179         tristate "Amanda backup protocol support"
180         depends on NETFILTER_ADVANCED
181         select TEXTSEARCH
182         select TEXTSEARCH_KMP
183         help
184           If you are running the Amanda backup package <http://www.amanda.org/>
185           on this machine or machines that will be MASQUERADED through this
186           machine, then you may want to enable this feature.  This allows the
187           connection tracking and natting code to allow the sub-channels that
188           Amanda requires for communication of the backup data, messages and
189           index.
190 
191           To compile it as a module, choose M here.  If unsure, say N.
192 
193 config NF_CONNTRACK_FTP
194         tristate "FTP protocol support"
195         default m if NETFILTER_ADVANCED=n
196         help
197           Tracking FTP connections is problematic: special helpers are
198           required for tracking them, and doing masquerading and other forms
199           of Network Address Translation on them.
200 
201           This is FTP support on Layer 3 independent connection tracking.
202           Layer 3 independent connection tracking is experimental scheme
203           which generalize ip_conntrack to support other layer 3 protocols.
204 
205           To compile it as a module, choose M here.  If unsure, say N.
206 
207 config NF_CONNTRACK_H323
208         tristate "H.323 protocol support"
209         depends on IPV6 || IPV6=n
210         depends on NETFILTER_ADVANCED
211         help
212           H.323 is a VoIP signalling protocol from ITU-T. As one of the most
213           important VoIP protocols, it is widely used by voice hardware and
214           software including voice gateways, IP phones, Netmeeting, OpenPhone,
215           Gnomemeeting, etc.
216 
217           With this module you can support H.323 on a connection tracking/NAT
218           firewall.
219 
220           This module supports RAS, Fast Start, H.245 Tunnelling, Call
221           Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
222           whiteboard, file transfer, etc. For more information, please
223           visit http://nath323.sourceforge.net/.
224 
225           To compile it as a module, choose M here.  If unsure, say N.
226 
227 config NF_CONNTRACK_IRC
228         tristate "IRC protocol support"
229         default m if NETFILTER_ADVANCED=n
230         help
231           There is a commonly-used extension to IRC called
232           Direct Client-to-Client Protocol (DCC).  This enables users to send
233           files to each other, and also chat to each other without the need
234           of a server.  DCC Sending is used anywhere you send files over IRC,
235           and DCC Chat is most commonly used by Eggdrop bots.  If you are
236           using NAT, this extension will enable you to send files and initiate
237           chats.  Note that you do NOT need this extension to get files or
238           have others initiate chats, or everything else in IRC.
239 
240           To compile it as a module, choose M here.  If unsure, say N.
241 
242 config NF_CONNTRACK_BROADCAST
243         tristate
244 
245 config NF_CONNTRACK_NETBIOS_NS
246         tristate "NetBIOS name service protocol support"
247         select NF_CONNTRACK_BROADCAST
248         help
249           NetBIOS name service requests are sent as broadcast messages from an
250           unprivileged port and responded to with unicast messages to the
251           same port. This make them hard to firewall properly because connection
252           tracking doesn't deal with broadcasts. This helper tracks locally
253           originating NetBIOS name service requests and the corresponding
254           responses. It relies on correct IP address configuration, specifically
255           netmask and broadcast address. When properly configured, the output
256           of "ip address show" should look similar to this:
257 
258           $ ip -4 address show eth0
259           4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
260               inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
261 
262           To compile it as a module, choose M here.  If unsure, say N.
263 
264 config NF_CONNTRACK_SNMP
265         tristate "SNMP service protocol support"
266         depends on NETFILTER_ADVANCED
267         select NF_CONNTRACK_BROADCAST
268         help
269           SNMP service requests are sent as broadcast messages from an
270           unprivileged port and responded to with unicast messages to the
271           same port. This make them hard to firewall properly because connection
272           tracking doesn't deal with broadcasts. This helper tracks locally
273           originating SNMP service requests and the corresponding
274           responses. It relies on correct IP address configuration, specifically
275           netmask and broadcast address.
276 
277           To compile it as a module, choose M here.  If unsure, say N.
278 
279 config NF_CONNTRACK_PPTP
280         tristate "PPtP protocol support"
281         depends on NETFILTER_ADVANCED
282         select NF_CT_PROTO_GRE
283         help
284           This module adds support for PPTP (Point to Point Tunnelling
285           Protocol, RFC2637) connection tracking and NAT.
286 
287           If you are running PPTP sessions over a stateful firewall or NAT
288           box, you may want to enable this feature.
289 
290           Please note that not all PPTP modes of operation are supported yet.
291           Specifically these limitations exist:
292             - Blindly assumes that control connections are always established
293               in PNS->PAC direction. This is a violation of RFC2637.
294             - Only supports a single call within each session
295 
296           To compile it as a module, choose M here.  If unsure, say N.
297 
298 config NF_CONNTRACK_SANE
299         tristate "SANE protocol support"
300         depends on NETFILTER_ADVANCED
301         help
302           SANE is a protocol for remote access to scanners as implemented
303           by the 'saned' daemon. Like FTP, it uses separate control and
304           data connections.
305 
306           With this module you can support SANE on a connection tracking
307           firewall.
308 
309           To compile it as a module, choose M here.  If unsure, say N.
310 
311 config NF_CONNTRACK_SIP
312         tristate "SIP protocol support"
313         default m if NETFILTER_ADVANCED=n
314         help
315           SIP is an application-layer control protocol that can establish,
316           modify, and terminate multimedia sessions (conferences) such as
317           Internet telephony calls. With the ip_conntrack_sip and
318           the nf_nat_sip modules you can support the protocol on a connection
319           tracking/NATing firewall.
320 
321           To compile it as a module, choose M here.  If unsure, say N.
322 
323 config NF_CONNTRACK_TFTP
324         tristate "TFTP protocol support"
325         depends on NETFILTER_ADVANCED
326         help
327           TFTP connection tracking helper, this is required depending
328           on how restrictive your ruleset is.
329           If you are using a tftp client behind -j SNAT or -j MASQUERADING
330           you will need this.
331 
332           To compile it as a module, choose M here.  If unsure, say N.
333 
334 config NF_CT_NETLINK
335         tristate 'Connection tracking netlink interface'
336         select NETFILTER_NETLINK
337         default m if NETFILTER_ADVANCED=n
338         help
339           This option enables support for a netlink-based userspace interface
340 
341 config NF_CT_NETLINK_TIMEOUT
342         tristate  'Connection tracking timeout tuning via Netlink'
343         select NETFILTER_NETLINK
344         depends on NETFILTER_ADVANCED
345         help
346           This option enables support for connection tracking timeout
347           fine-grain tuning. This allows you to attach specific timeout
348           policies to flows, instead of using the global timeout policy.
349 
350           If unsure, say `N'.
351 
352 config NF_CT_NETLINK_HELPER
353         tristate 'Connection tracking helpers in user-space via Netlink'
354         select NETFILTER_NETLINK
355         depends on NF_CT_NETLINK
356         depends on NETFILTER_NETLINK_QUEUE
357         depends on NETFILTER_NETLINK_GLUE_CT
358         depends on NETFILTER_ADVANCED
359         help
360           This option enables the user-space connection tracking helpers
361           infrastructure.
362 
363           If unsure, say `N'.
364 
365 config NETFILTER_NETLINK_GLUE_CT
366         bool "NFQUEUE and NFLOG integration with Connection Tracking"
367         default n
368         depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
369         help
370           If this option is enabled, NFQUEUE and NFLOG can include
371           Connection Tracking information together with the packet is
372           the enqueued via NFNETLINK.
373 
374 config NF_NAT
375         tristate
376 
377 config NF_NAT_NEEDED
378         bool
379         depends on NF_NAT
380         default y
381 
382 config NF_NAT_PROTO_DCCP
383         tristate
384         depends on NF_NAT && NF_CT_PROTO_DCCP
385         default NF_NAT && NF_CT_PROTO_DCCP
386 
387 config NF_NAT_PROTO_UDPLITE
388         tristate
389         depends on NF_NAT && NF_CT_PROTO_UDPLITE
390         default NF_NAT && NF_CT_PROTO_UDPLITE
391 
392 config NF_NAT_PROTO_SCTP
393         tristate
394         default NF_NAT && NF_CT_PROTO_SCTP
395         depends on NF_NAT && NF_CT_PROTO_SCTP
396         select LIBCRC32C
397 
398 config NF_NAT_AMANDA
399         tristate
400         depends on NF_CONNTRACK && NF_NAT
401         default NF_NAT && NF_CONNTRACK_AMANDA
402 
403 config NF_NAT_FTP
404         tristate
405         depends on NF_CONNTRACK && NF_NAT
406         default NF_NAT && NF_CONNTRACK_FTP
407 
408 config NF_NAT_IRC
409         tristate
410         depends on NF_CONNTRACK && NF_NAT
411         default NF_NAT && NF_CONNTRACK_IRC
412 
413 config NF_NAT_SIP
414         tristate
415         depends on NF_CONNTRACK && NF_NAT
416         default NF_NAT && NF_CONNTRACK_SIP
417 
418 config NF_NAT_TFTP
419         tristate
420         depends on NF_CONNTRACK && NF_NAT
421         default NF_NAT && NF_CONNTRACK_TFTP
422 
423 config NF_NAT_REDIRECT
424         tristate "IPv4/IPv6 redirect support"
425         depends on NF_NAT
426         help
427           This is the kernel functionality to redirect packets to local
428           machine through NAT.
429 
430 config NETFILTER_SYNPROXY
431         tristate
432 
433 endif # NF_CONNTRACK
434 
435 config NF_TABLES
436         select NETFILTER_NETLINK
437         tristate "Netfilter nf_tables support"
438         help
439           nftables is the new packet classification framework that intends to
440           replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
441           provides a pseudo-state machine with an extensible instruction-set
442           (also known as expressions) that the userspace 'nft' utility
443           (http://www.netfilter.org/projects/nftables) uses to build the
444           rule-set. It also comes with the generic set infrastructure that
445           allows you to construct mappings between matchings and actions
446           for performance lookups.
447 
448           To compile it as a module, choose M here.
449 
450 if NF_TABLES
451 
452 config NF_TABLES_INET
453         depends on IPV6
454         select NF_TABLES_IPV4
455         select NF_TABLES_IPV6
456         tristate "Netfilter nf_tables mixed IPv4/IPv6 tables support"
457         help
458           This option enables support for a mixed IPv4/IPv6 "inet" table.
459 
460 config NF_TABLES_NETDEV
461         tristate "Netfilter nf_tables netdev tables support"
462         help
463           This option enables support for the "netdev" table.
464 
465 config NFT_EXTHDR
466         tristate "Netfilter nf_tables IPv6 exthdr module"
467         help
468           This option adds the "exthdr" expression that you can use to match
469           IPv6 extension headers.
470 
471 config NFT_META
472         tristate "Netfilter nf_tables meta module"
473         help
474           This option adds the "meta" expression that you can use to match and
475           to set packet metainformation such as the packet mark.
476 
477 config NFT_CT
478         depends on NF_CONNTRACK
479         tristate "Netfilter nf_tables conntrack module"
480         help
481           This option adds the "meta" expression that you can use to match
482           connection tracking information such as the flow state.
483 
484 config NFT_RBTREE
485         tristate "Netfilter nf_tables rbtree set module"
486         help
487           This option adds the "rbtree" set type (Red Black tree) that is used
488           to build interval-based sets.
489 
490 config NFT_HASH
491         tristate "Netfilter nf_tables hash set module"
492         help
493           This option adds the "hash" set type that is used to build one-way
494           mappings between matchings and actions.
495 
496 config NFT_COUNTER
497         tristate "Netfilter nf_tables counter module"
498         help
499           This option adds the "counter" expression that you can use to
500           include packet and byte counters in a rule.
501 
502 config NFT_LOG
503         tristate "Netfilter nf_tables log module"
504         help
505           This option adds the "log" expression that you can use to log
506           packets matching some criteria.
507 
508 config NFT_LIMIT
509         tristate "Netfilter nf_tables limit module"
510         help
511           This option adds the "limit" expression that you can use to
512           ratelimit rule matchings.
513 
514 config NFT_MASQ
515         depends on NF_CONNTRACK
516         depends on NF_NAT
517         tristate "Netfilter nf_tables masquerade support"
518         help
519           This option adds the "masquerade" expression that you can use
520           to perform NAT in the masquerade flavour.
521 
522 config NFT_REDIR
523         depends on NF_CONNTRACK
524         depends on NF_NAT
525         tristate "Netfilter nf_tables redirect support"
526         help
527           This options adds the "redirect" expression that you can use
528           to perform NAT in the redirect flavour.
529 
530 config NFT_NAT
531         depends on NF_CONNTRACK
532         select NF_NAT
533         tristate "Netfilter nf_tables nat module"
534         help
535           This option adds the "nat" expression that you can use to perform
536           typical Network Address Translation (NAT) packet transformations.
537 
538 config NFT_QUEUE
539         depends on NETFILTER_NETLINK_QUEUE
540         tristate "Netfilter nf_tables queue module"
541         help
542           This is required if you intend to use the userspace queueing
543           infrastructure (also known as NFQUEUE) from nftables.
544 
545 config NFT_REJECT
546         default m if NETFILTER_ADVANCED=n
547         tristate "Netfilter nf_tables reject support"
548         help
549           This option adds the "reject" expression that you can use to
550           explicitly deny and notify via TCP reset/ICMP informational errors
551           unallowed traffic.
552 
553 config NFT_REJECT_INET
554         depends on NF_TABLES_INET
555         default NFT_REJECT
556         tristate
557 
558 config NFT_COMPAT
559         depends on NETFILTER_XTABLES
560         tristate "Netfilter x_tables over nf_tables module"
561         help
562           This is required if you intend to use any of existing
563           x_tables match/target extensions over the nf_tables
564           framework.
565 
566 if NF_TABLES_NETDEV
567 
568 config NF_DUP_NETDEV
569         tristate "Netfilter packet duplication support"
570         help
571           This option enables the generic packet duplication infrastructure
572           for Netfilter.
573 
574 config NFT_DUP_NETDEV
575         tristate "Netfilter nf_tables netdev packet duplication support"
576         select NF_DUP_NETDEV
577         help
578           This option enables packet duplication for the "netdev" family.
579 
580 config NFT_FWD_NETDEV
581         tristate "Netfilter nf_tables netdev packet forwarding support"
582         select NF_DUP_NETDEV
583         help
584           This option enables packet forwarding for the "netdev" family.
585 
586 endif # NF_TABLES_NETDEV
587 
588 endif # NF_TABLES
589 
590 config NETFILTER_XTABLES
591         tristate "Netfilter Xtables support (required for ip_tables)"
592         default m if NETFILTER_ADVANCED=n
593         help
594           This is required if you intend to use any of ip_tables,
595           ip6_tables or arp_tables.
596 
597 if NETFILTER_XTABLES
598 
599 comment "Xtables combined modules"
600 
601 config NETFILTER_XT_MARK
602         tristate 'nfmark target and match support'
603         default m if NETFILTER_ADVANCED=n
604         ---help---
605         This option adds the "MARK" target and "mark" match.
606 
607         Netfilter mark matching allows you to match packets based on the
608         "nfmark" value in the packet.
609         The target allows you to create rules in the "mangle" table which alter
610         the netfilter mark (nfmark) field associated with the packet.
611 
612         Prior to routing, the nfmark can influence the routing method (see
613         "Use netfilter MARK value as routing key") and can also be used by
614         other subsystems to change their behavior.
615 
616 config NETFILTER_XT_CONNMARK
617         tristate 'ctmark target and match support'
618         depends on NF_CONNTRACK
619         depends on NETFILTER_ADVANCED
620         select NF_CONNTRACK_MARK
621         ---help---
622         This option adds the "CONNMARK" target and "connmark" match.
623 
624         Netfilter allows you to store a mark value per connection (a.k.a.
625         ctmark), similarly to the packet mark (nfmark). Using this
626         target and match, you can set and match on this mark.
627 
628 config NETFILTER_XT_SET
629         tristate 'set target and match support'
630         depends on IP_SET
631         depends on NETFILTER_ADVANCED
632         help
633           This option adds the "SET" target and "set" match.
634 
635           Using this target and match, you can add/delete and match
636           elements in the sets created by ipset(8).
637 
638           To compile it as a module, choose M here.  If unsure, say N.
639 
640 # alphabetically ordered list of targets
641 
642 comment "Xtables targets"
643 
644 config NETFILTER_XT_TARGET_AUDIT
645         tristate "AUDIT target support"
646         depends on AUDIT
647         depends on NETFILTER_ADVANCED
648         ---help---
649           This option adds a 'AUDIT' target, which can be used to create
650           audit records for packets dropped/accepted.
651 
652           To compileit as a module, choose M here. If unsure, say N.
653 
654 config NETFILTER_XT_TARGET_CHECKSUM
655         tristate "CHECKSUM target support"
656         depends on IP_NF_MANGLE || IP6_NF_MANGLE
657         depends on NETFILTER_ADVANCED
658         ---help---
659           This option adds a `CHECKSUM' target, which can be used in the iptables mangle
660           table.
661 
662           You can use this target to compute and fill in the checksum in
663           a packet that lacks a checksum.  This is particularly useful,
664           if you need to work around old applications such as dhcp clients,
665           that do not work well with checksum offloads, but don't want to disable
666           checksum offload in your device.
667 
668           To compile it as a module, choose M here.  If unsure, say N.
669 
670 config NETFILTER_XT_TARGET_CLASSIFY
671         tristate '"CLASSIFY" target support'
672         depends on NETFILTER_ADVANCED
673         help
674           This option adds a `CLASSIFY' target, which enables the user to set
675           the priority of a packet. Some qdiscs can use this value for
676           classification, among these are:
677 
678           atm, cbq, dsmark, pfifo_fast, htb, prio
679 
680           To compile it as a module, choose M here.  If unsure, say N.
681 
682 config NETFILTER_XT_TARGET_CONNMARK
683         tristate  '"CONNMARK" target support'
684         depends on NF_CONNTRACK
685         depends on NETFILTER_ADVANCED
686         select NETFILTER_XT_CONNMARK
687         ---help---
688         This is a backwards-compat option for the user's convenience
689         (e.g. when running oldconfig). It selects
690         CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
691 
692 config NETFILTER_XT_TARGET_CONNSECMARK
693         tristate '"CONNSECMARK" target support'
694         depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
695         default m if NETFILTER_ADVANCED=n
696         help
697           The CONNSECMARK target copies security markings from packets
698           to connections, and restores security markings from connections
699           to packets (if the packets are not already marked).  This would
700           normally be used in conjunction with the SECMARK target.
701 
702           To compile it as a module, choose M here.  If unsure, say N.
703 
704 config NETFILTER_XT_TARGET_CT
705         tristate '"CT" target support'
706         depends on NF_CONNTRACK
707         depends on IP_NF_RAW || IP6_NF_RAW
708         depends on NETFILTER_ADVANCED
709         help
710           This options adds a `CT' target, which allows to specify initial
711           connection tracking parameters like events to be delivered and
712           the helper to be used.
713 
714           To compile it as a module, choose M here.  If unsure, say N.
715 
716 config NETFILTER_XT_TARGET_DSCP
717         tristate '"DSCP" and "TOS" target support'
718         depends on IP_NF_MANGLE || IP6_NF_MANGLE
719         depends on NETFILTER_ADVANCED
720         help
721           This option adds a `DSCP' target, which allows you to manipulate
722           the IPv4/IPv6 header DSCP field (differentiated services codepoint).
723 
724           The DSCP field can have any value between 0x0 and 0x3f inclusive.
725 
726           It also adds the "TOS" target, which allows you to create rules in
727           the "mangle" table which alter the Type Of Service field of an IPv4
728           or the Priority field of an IPv6 packet, prior to routing.
729 
730           To compile it as a module, choose M here.  If unsure, say N.
731 
732 config NETFILTER_XT_TARGET_HL
733         tristate '"HL" hoplimit target support'
734         depends on IP_NF_MANGLE || IP6_NF_MANGLE
735         depends on NETFILTER_ADVANCED
736         ---help---
737         This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
738         targets, which enable the user to change the
739         hoplimit/time-to-live value of the IP header.
740 
741         While it is safe to decrement the hoplimit/TTL value, the
742         modules also allow to increment and set the hoplimit value of
743         the header to arbitrary values. This is EXTREMELY DANGEROUS
744         since you can easily create immortal packets that loop
745         forever on the network.
746 
747 config NETFILTER_XT_TARGET_HMARK
748         tristate '"HMARK" target support'
749         depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
750         depends on NETFILTER_ADVANCED
751         ---help---
752         This option adds the "HMARK" target.
753 
754         The target allows you to create rules in the "raw" and "mangle" tables
755         which set the skbuff mark by means of hash calculation within a given
756         range. The nfmark can influence the routing method (see "Use netfilter
757         MARK value as routing key") and can also be used by other subsystems to
758         change their behaviour.
759 
760         To compile it as a module, choose M here. If unsure, say N.
761 
762 config NETFILTER_XT_TARGET_IDLETIMER
763         tristate  "IDLETIMER target support"
764         depends on NETFILTER_ADVANCED
765         help
766 
767           This option adds the `IDLETIMER' target.  Each matching packet
768           resets the timer associated with label specified when the rule is
769           added.  When the timer expires, it triggers a sysfs notification.
770           The remaining time for expiration can be read via sysfs.
771 
772           To compile it as a module, choose M here.  If unsure, say N.
773 
774 config NETFILTER_XT_TARGET_LED
775         tristate '"LED" target support'
776         depends on LEDS_CLASS && LEDS_TRIGGERS
777         depends on NETFILTER_ADVANCED
778         help
779           This option adds a `LED' target, which allows you to blink LEDs in
780           response to particular packets passing through your machine.
781 
782           This can be used to turn a spare LED into a network activity LED,
783           which only flashes in response to FTP transfers, for example.  Or
784           you could have an LED which lights up for a minute or two every time
785           somebody connects to your machine via SSH.
786 
787           You will need support for the "led" class to make this work.
788 
789           To create an LED trigger for incoming SSH traffic:
790             iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
791 
792           Then attach the new trigger to an LED on your system:
793             echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
794 
795           For more information on the LEDs available on your system, see
796           Documentation/leds/leds-class.txt
797 
798 config NETFILTER_XT_TARGET_LOG
799         tristate "LOG target support"
800         select NF_LOG_COMMON
801         select NF_LOG_IPV4
802         select NF_LOG_IPV6 if IPV6
803         default m if NETFILTER_ADVANCED=n
804         help
805           This option adds a `LOG' target, which allows you to create rules in
806           any iptables table which records the packet header to the syslog.
807 
808           To compile it as a module, choose M here.  If unsure, say N.
809 
810 config NETFILTER_XT_TARGET_MARK
811         tristate '"MARK" target support'
812         depends on NETFILTER_ADVANCED
813         select NETFILTER_XT_MARK
814         ---help---
815         This is a backwards-compat option for the user's convenience
816         (e.g. when running oldconfig). It selects
817         CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
818 
819 config NETFILTER_XT_NAT
820         tristate '"SNAT and DNAT" targets support'
821         depends on NF_NAT
822         ---help---
823         This option enables the SNAT and DNAT targets.
824 
825         To compile it as a module, choose M here. If unsure, say N.
826 
827 config NETFILTER_XT_TARGET_NETMAP
828         tristate '"NETMAP" target support'
829         depends on NF_NAT
830         ---help---
831         NETMAP is an implementation of static 1:1 NAT mapping of network
832         addresses. It maps the network address part, while keeping the host
833         address part intact.
834 
835         To compile it as a module, choose M here. If unsure, say N.
836 
837 config NETFILTER_XT_TARGET_NFLOG
838         tristate '"NFLOG" target support'
839         default m if NETFILTER_ADVANCED=n
840         select NETFILTER_NETLINK_LOG
841         help
842           This option enables the NFLOG target, which allows to LOG
843           messages through nfnetlink_log.
844 
845           To compile it as a module, choose M here.  If unsure, say N.
846 
847 config NETFILTER_XT_TARGET_NFQUEUE
848         tristate '"NFQUEUE" target Support'
849         depends on NETFILTER_ADVANCED
850         select NETFILTER_NETLINK_QUEUE
851         help
852           This target replaced the old obsolete QUEUE target.
853 
854           As opposed to QUEUE, it supports 65535 different queues,
855           not just one.
856 
857           To compile it as a module, choose M here.  If unsure, say N.
858 
859 config NETFILTER_XT_TARGET_NOTRACK
860         tristate  '"NOTRACK" target support (DEPRECATED)'
861         depends on NF_CONNTRACK
862         depends on IP_NF_RAW || IP6_NF_RAW
863         depends on NETFILTER_ADVANCED
864         select NETFILTER_XT_TARGET_CT
865 
866 config NETFILTER_XT_TARGET_RATEEST
867         tristate '"RATEEST" target support'
868         depends on NETFILTER_ADVANCED
869         help
870           This option adds a `RATEEST' target, which allows to measure
871           rates similar to TC estimators. The `rateest' match can be
872           used to match on the measured rates.
873 
874           To compile it as a module, choose M here.  If unsure, say N.
875 
876 config NETFILTER_XT_TARGET_REDIRECT
877         tristate "REDIRECT target support"
878         depends on NF_NAT
879         select NF_NAT_REDIRECT
880         ---help---
881         REDIRECT is a special case of NAT: all incoming connections are
882         mapped onto the incoming interface's address, causing the packets to
883         come to the local machine instead of passing through. This is
884         useful for transparent proxies.
885 
886         To compile it as a module, choose M here. If unsure, say N.
887 
888 config NETFILTER_XT_TARGET_TEE
889         tristate '"TEE" - packet cloning to alternate destination'
890         depends on NETFILTER_ADVANCED
891         depends on IPV6 || IPV6=n
892         depends on !NF_CONNTRACK || NF_CONNTRACK
893         select NF_DUP_IPV4
894         select NF_DUP_IPV6 if IPV6
895         ---help---
896         This option adds a "TEE" target with which a packet can be cloned and
897         this clone be rerouted to another nexthop.
898 
899 config NETFILTER_XT_TARGET_TPROXY
900         tristate '"TPROXY" target transparent proxying support'
901         depends on NETFILTER_XTABLES
902         depends on NETFILTER_ADVANCED
903         depends on IPV6 || IPV6=n
904         depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
905         depends on IP_NF_MANGLE
906         select NF_DEFRAG_IPV4
907         select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
908         help
909           This option adds a `TPROXY' target, which is somewhat similar to
910           REDIRECT.  It can only be used in the mangle table and is useful
911           to redirect traffic to a transparent proxy.  It does _not_ depend
912           on Netfilter connection tracking and NAT, unlike REDIRECT.
913           For it to work you will have to configure certain iptables rules
914           and use policy routing. For more information on how to set it up
915           see Documentation/networking/tproxy.txt.
916 
917           To compile it as a module, choose M here.  If unsure, say N.
918 
919 config NETFILTER_XT_TARGET_TRACE
920         tristate  '"TRACE" target support'
921         depends on IP_NF_RAW || IP6_NF_RAW
922         depends on NETFILTER_ADVANCED
923         help
924           The TRACE target allows you to mark packets so that the kernel
925           will log every rule which match the packets as those traverse
926           the tables, chains, rules.
927 
928           If you want to compile it as a module, say M here and read
929           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
930 
931 config NETFILTER_XT_TARGET_SECMARK
932         tristate '"SECMARK" target support'
933         depends on NETWORK_SECMARK
934         default m if NETFILTER_ADVANCED=n
935         help
936           The SECMARK target allows security marking of network
937           packets, for use with security subsystems.
938 
939           To compile it as a module, choose M here.  If unsure, say N.
940 
941 config NETFILTER_XT_TARGET_TCPMSS
942         tristate '"TCPMSS" target support'
943         depends on IPV6 || IPV6=n
944         default m if NETFILTER_ADVANCED=n
945         ---help---
946           This option adds a `TCPMSS' target, which allows you to alter the
947           MSS value of TCP SYN packets, to control the maximum size for that
948           connection (usually limiting it to your outgoing interface's MTU
949           minus 40).
950 
951           This is used to overcome criminally braindead ISPs or servers which
952           block ICMP Fragmentation Needed packets.  The symptoms of this
953           problem are that everything works fine from your Linux
954           firewall/router, but machines behind it can never exchange large
955           packets:
956                 1) Web browsers connect, then hang with no data received.
957                 2) Small mail works fine, but large emails hang.
958                 3) ssh works fine, but scp hangs after initial handshaking.
959 
960           Workaround: activate this option and add a rule to your firewall
961           configuration like:
962 
963           iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
964                          -j TCPMSS --clamp-mss-to-pmtu
965 
966           To compile it as a module, choose M here.  If unsure, say N.
967 
968 config NETFILTER_XT_TARGET_TCPOPTSTRIP
969         tristate '"TCPOPTSTRIP" target support'
970         depends on IP_NF_MANGLE || IP6_NF_MANGLE
971         depends on NETFILTER_ADVANCED
972         help
973           This option adds a "TCPOPTSTRIP" target, which allows you to strip
974           TCP options from TCP packets.
975 
976 # alphabetically ordered list of matches
977 
978 comment "Xtables matches"
979 
980 config NETFILTER_XT_MATCH_ADDRTYPE
981         tristate '"addrtype" address type match support'
982         default m if NETFILTER_ADVANCED=n
983         ---help---
984           This option allows you to match what routing thinks of an address,
985           eg. UNICAST, LOCAL, BROADCAST, ...
986 
987           If you want to compile it as a module, say M here and read
988           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
989 
990 config NETFILTER_XT_MATCH_BPF
991         tristate '"bpf" match support'
992         depends on NETFILTER_ADVANCED
993         help
994           BPF matching applies a linux socket filter to each packet and
995           accepts those for which the filter returns non-zero.
996 
997           To compile it as a module, choose M here.  If unsure, say N.
998 
999 config NETFILTER_XT_MATCH_CGROUP
1000         tristate '"control group" match support'
1001         depends on NETFILTER_ADVANCED
1002         depends on CGROUPS
1003         select CGROUP_NET_CLASSID
1004         ---help---
1005         Socket/process control group matching allows you to match locally
1006         generated packets based on which net_cls control group processes
1007         belong to.
1008 
1009 config NETFILTER_XT_MATCH_CLUSTER
1010         tristate '"cluster" match support'
1011         depends on NF_CONNTRACK
1012         depends on NETFILTER_ADVANCED
1013         ---help---
1014           This option allows you to build work-load-sharing clusters of
1015           network servers/stateful firewalls without having a dedicated
1016           load-balancing router/server/switch. Basically, this match returns
1017           true when the packet must be handled by this cluster node. Thus,
1018           all nodes see all packets and this match decides which node handles
1019           what packets. The work-load sharing algorithm is based on source
1020           address hashing.
1021 
1022           If you say Y or M here, try `iptables -m cluster --help` for
1023           more information.
1024 
1025 config NETFILTER_XT_MATCH_COMMENT
1026         tristate  '"comment" match support'
1027         depends on NETFILTER_ADVANCED
1028         help
1029           This option adds a `comment' dummy-match, which allows you to put
1030           comments in your iptables ruleset.
1031 
1032           If you want to compile it as a module, say M here and read
1033           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1034 
1035 config NETFILTER_XT_MATCH_CONNBYTES
1036         tristate  '"connbytes" per-connection counter match support'
1037         depends on NF_CONNTRACK
1038         depends on NETFILTER_ADVANCED
1039         help
1040           This option adds a `connbytes' match, which allows you to match the
1041           number of bytes and/or packets for each direction within a connection.
1042 
1043           If you want to compile it as a module, say M here and read
1044           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1045 
1046 config NETFILTER_XT_MATCH_CONNLABEL
1047         tristate '"connlabel" match support'
1048         select NF_CONNTRACK_LABELS
1049         depends on NF_CONNTRACK
1050         depends on NETFILTER_ADVANCED
1051         ---help---
1052           This match allows you to test and assign userspace-defined labels names
1053           to a connection.  The kernel only stores bit values - mapping
1054           names to bits is done by userspace.
1055 
1056           Unlike connmark, more than 32 flag bits may be assigned to a
1057           connection simultaneously.
1058 
1059 config NETFILTER_XT_MATCH_CONNLIMIT
1060         tristate '"connlimit" match support'
1061         depends on NF_CONNTRACK
1062         depends on NETFILTER_ADVANCED
1063         ---help---
1064           This match allows you to match against the number of parallel
1065           connections to a server per client IP address (or address block).
1066 
1067 config NETFILTER_XT_MATCH_CONNMARK
1068         tristate  '"connmark" connection mark match support'
1069         depends on NF_CONNTRACK
1070         depends on NETFILTER_ADVANCED
1071         select NETFILTER_XT_CONNMARK
1072         ---help---
1073         This is a backwards-compat option for the user's convenience
1074         (e.g. when running oldconfig). It selects
1075         CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
1076 
1077 config NETFILTER_XT_MATCH_CONNTRACK
1078         tristate '"conntrack" connection tracking match support'
1079         depends on NF_CONNTRACK
1080         default m if NETFILTER_ADVANCED=n
1081         help
1082           This is a general conntrack match module, a superset of the state match.
1083 
1084           It allows matching on additional conntrack information, which is
1085           useful in complex configurations, such as NAT gateways with multiple
1086           internet links or tunnels.
1087 
1088           To compile it as a module, choose M here.  If unsure, say N.
1089 
1090 config NETFILTER_XT_MATCH_CPU
1091         tristate '"cpu" match support'
1092         depends on NETFILTER_ADVANCED
1093         help
1094           CPU matching allows you to match packets based on the CPU
1095           currently handling the packet.
1096 
1097           To compile it as a module, choose M here.  If unsure, say N.
1098 
1099 config NETFILTER_XT_MATCH_DCCP
1100         tristate '"dccp" protocol match support'
1101         depends on NETFILTER_ADVANCED
1102         default IP_DCCP
1103         help
1104           With this option enabled, you will be able to use the iptables
1105           `dccp' match in order to match on DCCP source/destination ports
1106           and DCCP flags.
1107 
1108           If you want to compile it as a module, say M here and read
1109           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1110 
1111 config NETFILTER_XT_MATCH_DEVGROUP
1112         tristate '"devgroup" match support'
1113         depends on NETFILTER_ADVANCED
1114         help
1115           This options adds a `devgroup' match, which allows to match on the
1116           device group a network device is assigned to.
1117 
1118           To compile it as a module, choose M here.  If unsure, say N.
1119 
1120 config NETFILTER_XT_MATCH_DSCP
1121         tristate '"dscp" and "tos" match support'
1122         depends on NETFILTER_ADVANCED
1123         help
1124           This option adds a `DSCP' match, which allows you to match against
1125           the IPv4/IPv6 header DSCP field (differentiated services codepoint).
1126 
1127           The DSCP field can have any value between 0x0 and 0x3f inclusive.
1128 
1129           It will also add a "tos" match, which allows you to match packets
1130           based on the Type Of Service fields of the IPv4 packet (which share
1131           the same bits as DSCP).
1132 
1133           To compile it as a module, choose M here.  If unsure, say N.
1134 
1135 config NETFILTER_XT_MATCH_ECN
1136         tristate '"ecn" match support'
1137         depends on NETFILTER_ADVANCED
1138         ---help---
1139         This option adds an "ECN" match, which allows you to match against
1140         the IPv4 and TCP header ECN fields.
1141 
1142         To compile it as a module, choose M here. If unsure, say N.
1143 
1144 config NETFILTER_XT_MATCH_ESP
1145         tristate '"esp" match support'
1146         depends on NETFILTER_ADVANCED
1147         help
1148           This match extension allows you to match a range of SPIs
1149           inside ESP header of IPSec packets.
1150 
1151           To compile it as a module, choose M here.  If unsure, say N.
1152 
1153 config NETFILTER_XT_MATCH_HASHLIMIT
1154         tristate '"hashlimit" match support'
1155         depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1156         depends on NETFILTER_ADVANCED
1157         help
1158           This option adds a `hashlimit' match.
1159 
1160           As opposed to `limit', this match dynamically creates a hash table
1161           of limit buckets, based on your selection of source/destination
1162           addresses and/or ports.
1163 
1164           It enables you to express policies like `10kpps for any given
1165           destination address' or `500pps from any given source address'
1166           with a single rule.
1167 
1168 config NETFILTER_XT_MATCH_HELPER
1169         tristate '"helper" match support'
1170         depends on NF_CONNTRACK
1171         depends on NETFILTER_ADVANCED
1172         help
1173           Helper matching allows you to match packets in dynamic connections
1174           tracked by a conntrack-helper, ie. ip_conntrack_ftp
1175 
1176           To compile it as a module, choose M here.  If unsure, say Y.
1177 
1178 config NETFILTER_XT_MATCH_HL
1179         tristate '"hl" hoplimit/TTL match support'
1180         depends on NETFILTER_ADVANCED
1181         ---help---
1182         HL matching allows you to match packets based on the hoplimit
1183         in the IPv6 header, or the time-to-live field in the IPv4
1184         header of the packet.
1185 
1186 config NETFILTER_XT_MATCH_IPCOMP
1187         tristate '"ipcomp" match support'
1188         depends on NETFILTER_ADVANCED
1189         help
1190           This match extension allows you to match a range of CPIs(16 bits)
1191           inside IPComp header of IPSec packets.
1192 
1193           To compile it as a module, choose M here.  If unsure, say N.
1194 
1195 config NETFILTER_XT_MATCH_IPRANGE
1196         tristate '"iprange" address range match support'
1197         depends on NETFILTER_ADVANCED
1198         ---help---
1199         This option adds a "iprange" match, which allows you to match based on
1200         an IP address range. (Normal iptables only matches on single addresses
1201         with an optional mask.)
1202 
1203         If unsure, say M.
1204 
1205 config NETFILTER_XT_MATCH_IPVS
1206         tristate '"ipvs" match support'
1207         depends on IP_VS
1208         depends on NETFILTER_ADVANCED
1209         depends on NF_CONNTRACK
1210         help
1211           This option allows you to match against IPVS properties of a packet.
1212 
1213           If unsure, say N.
1214 
1215 config NETFILTER_XT_MATCH_L2TP
1216         tristate '"l2tp" match support'
1217         depends on NETFILTER_ADVANCED
1218         default L2TP
1219         ---help---
1220         This option adds an "L2TP" match, which allows you to match against
1221         L2TP protocol header fields.
1222 
1223         To compile it as a module, choose M here. If unsure, say N.
1224 
1225 config NETFILTER_XT_MATCH_LENGTH
1226         tristate '"length" match support'
1227         depends on NETFILTER_ADVANCED
1228         help
1229           This option allows you to match the length of a packet against a
1230           specific value or range of values.
1231 
1232           To compile it as a module, choose M here.  If unsure, say N.
1233 
1234 config NETFILTER_XT_MATCH_LIMIT
1235         tristate '"limit" match support'
1236         depends on NETFILTER_ADVANCED
1237         help
1238           limit matching allows you to control the rate at which a rule can be
1239           matched: mainly useful in combination with the LOG target ("LOG
1240           target support", below) and to avoid some Denial of Service attacks.
1241 
1242           To compile it as a module, choose M here.  If unsure, say N.
1243 
1244 config NETFILTER_XT_MATCH_MAC
1245         tristate '"mac" address match support'
1246         depends on NETFILTER_ADVANCED
1247         help
1248           MAC matching allows you to match packets based on the source
1249           Ethernet address of the packet.
1250 
1251           To compile it as a module, choose M here.  If unsure, say N.
1252 
1253 config NETFILTER_XT_MATCH_MARK
1254         tristate '"mark" match support'
1255         depends on NETFILTER_ADVANCED
1256         select NETFILTER_XT_MARK
1257         ---help---
1258         This is a backwards-compat option for the user's convenience
1259         (e.g. when running oldconfig). It selects
1260         CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
1261 
1262 config NETFILTER_XT_MATCH_MULTIPORT
1263         tristate '"multiport" Multiple port match support'
1264         depends on NETFILTER_ADVANCED
1265         help
1266           Multiport matching allows you to match TCP or UDP packets based on
1267           a series of source or destination ports: normally a rule can only
1268           match a single range of ports.
1269 
1270           To compile it as a module, choose M here.  If unsure, say N.
1271 
1272 config NETFILTER_XT_MATCH_NFACCT
1273         tristate '"nfacct" match support'
1274         depends on NETFILTER_ADVANCED
1275         select NETFILTER_NETLINK_ACCT
1276         help
1277           This option allows you to use the extended accounting through
1278           nfnetlink_acct.
1279 
1280           To compile it as a module, choose M here.  If unsure, say N.
1281 
1282 config NETFILTER_XT_MATCH_OSF
1283         tristate '"osf" Passive OS fingerprint match'
1284         depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
1285         help
1286           This option selects the Passive OS Fingerprinting match module
1287           that allows to passively match the remote operating system by
1288           analyzing incoming TCP SYN packets.
1289 
1290           Rules and loading software can be downloaded from
1291           http://www.ioremap.net/projects/osf
1292 
1293           To compile it as a module, choose M here.  If unsure, say N.
1294 
1295 config NETFILTER_XT_MATCH_OWNER
1296         tristate '"owner" match support'
1297         depends on NETFILTER_ADVANCED
1298         ---help---
1299         Socket owner matching allows you to match locally-generated packets
1300         based on who created the socket: the user or group. It is also
1301         possible to check whether a socket actually exists.
1302 
1303 config NETFILTER_XT_MATCH_POLICY
1304         tristate 'IPsec "policy" match support'
1305         depends on XFRM
1306         default m if NETFILTER_ADVANCED=n
1307         help
1308           Policy matching allows you to match packets based on the
1309           IPsec policy that was used during decapsulation/will
1310           be used during encapsulation.
1311 
1312           To compile it as a module, choose M here.  If unsure, say N.
1313 
1314 config NETFILTER_XT_MATCH_PHYSDEV
1315         tristate '"physdev" match support'
1316         depends on BRIDGE && BRIDGE_NETFILTER
1317         depends on NETFILTER_ADVANCED
1318         help
1319           Physdev packet matching matches against the physical bridge ports
1320           the IP packet arrived on or will leave by.
1321 
1322           To compile it as a module, choose M here.  If unsure, say N.
1323 
1324 config NETFILTER_XT_MATCH_PKTTYPE
1325         tristate '"pkttype" packet type match support'
1326         depends on NETFILTER_ADVANCED
1327         help
1328           Packet type matching allows you to match a packet by
1329           its "class", eg. BROADCAST, MULTICAST, ...
1330 
1331           Typical usage:
1332           iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
1333 
1334           To compile it as a module, choose M here.  If unsure, say N.
1335 
1336 config NETFILTER_XT_MATCH_QUOTA
1337         tristate '"quota" match support'
1338         depends on NETFILTER_ADVANCED
1339         help
1340           This option adds a `quota' match, which allows to match on a
1341           byte counter.
1342 
1343           If you want to compile it as a module, say M here and read
1344           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1345 
1346 config NETFILTER_XT_MATCH_RATEEST
1347         tristate '"rateest" match support'
1348         depends on NETFILTER_ADVANCED
1349         select NETFILTER_XT_TARGET_RATEEST
1350         help
1351           This option adds a `rateest' match, which allows to match on the
1352           rate estimated by the RATEEST target.
1353 
1354           To compile it as a module, choose M here.  If unsure, say N.
1355 
1356 config NETFILTER_XT_MATCH_REALM
1357         tristate  '"realm" match support'
1358         depends on NETFILTER_ADVANCED
1359         select IP_ROUTE_CLASSID
1360         help
1361           This option adds a `realm' match, which allows you to use the realm
1362           key from the routing subsystem inside iptables.
1363 
1364           This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option 
1365           in tc world.
1366 
1367           If you want to compile it as a module, say M here and read
1368           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1369 
1370 config NETFILTER_XT_MATCH_RECENT
1371         tristate '"recent" match support'
1372         depends on NETFILTER_ADVANCED
1373         ---help---
1374         This match is used for creating one or many lists of recently
1375         used addresses and then matching against that/those list(s).
1376 
1377         Short options are available by using 'iptables -m recent -h'
1378         Official Website: <http://snowman.net/projects/ipt_recent/>
1379 
1380 config NETFILTER_XT_MATCH_SCTP
1381         tristate  '"sctp" protocol match support'
1382         depends on NETFILTER_ADVANCED
1383         default IP_SCTP
1384         help
1385           With this option enabled, you will be able to use the 
1386           `sctp' match in order to match on SCTP source/destination ports
1387           and SCTP chunk types.
1388 
1389           If you want to compile it as a module, say M here and read
1390           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1391 
1392 config NETFILTER_XT_MATCH_SOCKET
1393         tristate '"socket" match support'
1394         depends on NETFILTER_XTABLES
1395         depends on NETFILTER_ADVANCED
1396         depends on !NF_CONNTRACK || NF_CONNTRACK
1397         depends on IPV6 || IPV6=n
1398         depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1399         select NF_DEFRAG_IPV4
1400         select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1401         help
1402           This option adds a `socket' match, which can be used to match
1403           packets for which a TCP or UDP socket lookup finds a valid socket.
1404           It can be used in combination with the MARK target and policy
1405           routing to implement full featured non-locally bound sockets.
1406 
1407           To compile it as a module, choose M here.  If unsure, say N.
1408 
1409 config NETFILTER_XT_MATCH_STATE
1410         tristate '"state" match support'
1411         depends on NF_CONNTRACK
1412         default m if NETFILTER_ADVANCED=n
1413         help
1414           Connection state matching allows you to match packets based on their
1415           relationship to a tracked connection (ie. previous packets).  This
1416           is a powerful tool for packet classification.
1417 
1418           To compile it as a module, choose M here.  If unsure, say N.
1419 
1420 config NETFILTER_XT_MATCH_STATISTIC
1421         tristate '"statistic" match support'
1422         depends on NETFILTER_ADVANCED
1423         help
1424           This option adds a `statistic' match, which allows you to match
1425           on packets periodically or randomly with a given percentage.
1426 
1427           To compile it as a module, choose M here.  If unsure, say N.
1428 
1429 config NETFILTER_XT_MATCH_STRING
1430         tristate  '"string" match support'
1431         depends on NETFILTER_ADVANCED
1432         select TEXTSEARCH
1433         select TEXTSEARCH_KMP
1434         select TEXTSEARCH_BM
1435         select TEXTSEARCH_FSM
1436         help
1437           This option adds a `string' match, which allows you to look for
1438           pattern matchings in packets.
1439 
1440           To compile it as a module, choose M here.  If unsure, say N.
1441 
1442 config NETFILTER_XT_MATCH_TCPMSS
1443         tristate '"tcpmss" match support'
1444         depends on NETFILTER_ADVANCED
1445         help
1446           This option adds a `tcpmss' match, which allows you to examine the
1447           MSS value of TCP SYN packets, which control the maximum packet size
1448           for that connection.
1449 
1450           To compile it as a module, choose M here.  If unsure, say N.
1451 
1452 config NETFILTER_XT_MATCH_TIME
1453         tristate '"time" match support'
1454         depends on NETFILTER_ADVANCED
1455         ---help---
1456           This option adds a "time" match, which allows you to match based on
1457           the packet arrival time (at the machine which netfilter is running)
1458           on) or departure time/date (for locally generated packets).
1459 
1460           If you say Y here, try `iptables -m time --help` for
1461           more information.
1462 
1463           If you want to compile it as a module, say M here.
1464           If unsure, say N.
1465 
1466 config NETFILTER_XT_MATCH_U32
1467         tristate '"u32" match support'
1468         depends on NETFILTER_ADVANCED
1469         ---help---
1470           u32 allows you to extract quantities of up to 4 bytes from a packet,
1471           AND them with specified masks, shift them by specified amounts and
1472           test whether the results are in any of a set of specified ranges.
1473           The specification of what to extract is general enough to skip over
1474           headers with lengths stored in the packet, as in IP or TCP header
1475           lengths.
1476 
1477           Details and examples are in the kernel module source.
1478 
1479 endif # NETFILTER_XTABLES
1480 
1481 endmenu
1482 
1483 source "net/netfilter/ipset/Kconfig"
1484 
1485 source "net/netfilter/ipvs/Kconfig"

This page was automatically generated by LXR 0.3.1 (source).  •  Linux is a registered trademark of Linus Torvalds  •  Contact us