1menu "Core Netfilter Configuration"
2 depends on NET && INET && NETFILTER
3
4config NETFILTER_NETLINK
5 tristate
6
7config NETFILTER_NETLINK_QUEUE
8 tristate "Netfilter NFQUEUE over NFNETLINK interface"
9 depends on NETFILTER_ADVANCED
10 select NETFILTER_NETLINK
11 help
12 If this option is enabled, the kernel will include support
13 for queueing packets via NFNETLINK.
14
15config NETFILTER_NETLINK_LOG
16 tristate "Netfilter LOG over NFNETLINK interface"
17 default m if NETFILTER_ADVANCED=n
18 select NETFILTER_NETLINK
19 help
20 If this option is enabled, the kernel will include support
21 for logging packets via NFNETLINK.
22
23 This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms,
24 and is also scheduled to replace the old syslog-based ipt_LOG
25 and ip6t_LOG modules.
26
27config NF_CONNTRACK
28 tristate "Netfilter connection tracking support"
29 default m if NETFILTER_ADVANCED=n
30 help
31 Connection tracking keeps a record of what packets have passed
32 through your machine, in order to figure out how they are related
33 into connections.
34
35 This is required to do Masquerading or other kinds of Network
36 Address Translation. It can also be used to enhance packet
37 filtering (see `Connection state match support' below).
38
39 To compile it as a module, choose M here. If unsure, say N.
40
41if NF_CONNTRACK
42
43config NF_CONNTRACK_MARK
44 bool 'Connection mark tracking support'
45 depends on NETFILTER_ADVANCED
46 help
47 This option enables support for connection marks, used by the
48 `CONNMARK' target and `connmark' match. Similar to the mark value
49 of packets, but this mark value is kept in the conntrack session
50 instead of the individual packets.
51
52config NF_CONNTRACK_SECMARK
53 bool 'Connection tracking security mark support'
54 depends on NETWORK_SECMARK
55 default m if NETFILTER_ADVANCED=n
56 help
57 This option enables security markings to be applied to
58 connections. Typically they are copied to connections from
59 packets using the CONNSECMARK target and copied back from
60 connections to packets with the same target, with the packets
61 being originally labeled via SECMARK.
62
63 If unsure, say 'N'.
64
65config NF_CONNTRACK_ZONES
66 bool 'Connection tracking zones'
67 depends on NETFILTER_ADVANCED
68 depends on NETFILTER_XT_TARGET_CT
69 help
70 This option enables support for connection tracking zones.
71 Normally, each connection needs to have a unique system wide
72 identity. Connection tracking zones allow to have multiple
73 connections using the same identity, as long as they are
74 contained in different zones.
75
76 If unsure, say `N'.
77
78config NF_CONNTRACK_EVENTS
79 bool "Connection tracking events"
80 depends on NETFILTER_ADVANCED
81 help
82 If this option is enabled, the connection tracking code will
83 provide a notifier chain that can be used by other kernel code
84 to get notified about changes in the connection tracking state.
85
86 If unsure, say `N'.
87
88config NF_CONNTRACK_TIMESTAMP
89 bool 'Connection tracking timestamping'
90 depends on NETFILTER_ADVANCED
91 help
92 This option enables support for connection tracking timestamping.
93 This allows you to store the flow start-time and to obtain
94 the flow-stop time (once it has been destroyed) via Connection
95 tracking events.
96
97 If unsure, say `N'.
98
99config NF_CT_PROTO_DCCP
100 tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)'
101 depends on EXPERIMENTAL
102 depends on NETFILTER_ADVANCED
103 default IP_DCCP
104 help
105 With this option enabled, the layer 3 independent connection
106 tracking code will be able to do state tracking on DCCP connections.
107
108 If unsure, say 'N'.
109
110config NF_CT_PROTO_GRE
111 tristate
112
113config NF_CT_PROTO_SCTP
114 tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
115 depends on EXPERIMENTAL
116 depends on NETFILTER_ADVANCED
117 default IP_SCTP
118 help
119 With this option enabled, the layer 3 independent connection
120 tracking code will be able to do state tracking on SCTP connections.
121
122 If you want to compile it as a module, say M here and read
123 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
124
125config NF_CT_PROTO_UDPLITE
126 tristate 'UDP-Lite protocol connection tracking support'
127 depends on NETFILTER_ADVANCED
128 help
129 With this option enabled, the layer 3 independent connection
130 tracking code will be able to do state tracking on UDP-Lite
131 connections.
132
133 To compile it as a module, choose M here. If unsure, say N.
134
135config NF_CONNTRACK_AMANDA
136 tristate "Amanda backup protocol support"
137 depends on NETFILTER_ADVANCED
138 select TEXTSEARCH
139 select TEXTSEARCH_KMP
140 help
141 If you are running the Amanda backup package <http://www.amanda.org/>
142 on this machine or machines that will be MASQUERADED through this
143 machine, then you may want to enable this feature. This allows the
144 connection tracking and natting code to allow the sub-channels that
145 Amanda requires for communication of the backup data, messages and
146 index.
147
148 To compile it as a module, choose M here. If unsure, say N.
149
150config NF_CONNTRACK_FTP
151 tristate "FTP protocol support"
152 default m if NETFILTER_ADVANCED=n
153 help
154 Tracking FTP connections is problematic: special helpers are
155 required for tracking them, and doing masquerading and other forms
156 of Network Address Translation on them.
157
158 This is FTP support on Layer 3 independent connection tracking.
159 Layer 3 independent connection tracking is experimental scheme
160 which generalize ip_conntrack to support other layer 3 protocols.
161
162 To compile it as a module, choose M here. If unsure, say N.
163
164config NF_CONNTRACK_H323
165 tristate "H.323 protocol support"
166 depends on (IPV6 || IPV6=n)
167 depends on NETFILTER_ADVANCED
168 help
169 H.323 is a VoIP signalling protocol from ITU-T. As one of the most
170 important VoIP protocols, it is widely used by voice hardware and
171 software including voice gateways, IP phones, Netmeeting, OpenPhone,
172 Gnomemeeting, etc.
173
174 With this module you can support H.323 on a connection tracking/NAT
175 firewall.
176
177 This module supports RAS, Fast Start, H.245 Tunnelling, Call
178 Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
179 whiteboard, file transfer, etc. For more information, please
180 visit http://nath323.sourceforge.net/.
181
182 To compile it as a module, choose M here. If unsure, say N.
183
184config NF_CONNTRACK_IRC
185 tristate "IRC protocol support"
186 default m if NETFILTER_ADVANCED=n
187 help
188 There is a commonly-used extension to IRC called
189 Direct Client-to-Client Protocol (DCC). This enables users to send
190 files to each other, and also chat to each other without the need
191 of a server. DCC Sending is used anywhere you send files over IRC,
192 and DCC Chat is most commonly used by Eggdrop bots. If you are
193 using NAT, this extension will enable you to send files and initiate
194 chats. Note that you do NOT need this extension to get files or
195 have others initiate chats, or everything else in IRC.
196
197 To compile it as a module, choose M here. If unsure, say N.
198
199config NF_CONNTRACK_BROADCAST
200 tristate
201
202config NF_CONNTRACK_NETBIOS_NS
203 tristate "NetBIOS name service protocol support"
204 depends on NETFILTER_ADVANCED
205 select NF_CONNTRACK_BROADCAST
206 help
207 NetBIOS name service requests are sent as broadcast messages from an
208 unprivileged port and responded to with unicast messages to the
209 same port. This make them hard to firewall properly because connection
210 tracking doesn't deal with broadcasts. This helper tracks locally
211 originating NetBIOS name service requests and the corresponding
212 responses. It relies on correct IP address configuration, specifically
213 netmask and broadcast address. When properly configured, the output
214 of "ip address show" should look similar to this:
215
216 $ ip -4 address show eth0
217 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
218 inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
219
220 To compile it as a module, choose M here. If unsure, say N.
221
222config NF_CONNTRACK_SNMP
223 tristate "SNMP service protocol support"
224 depends on NETFILTER_ADVANCED
225 select NF_CONNTRACK_BROADCAST
226 help
227 SNMP service requests are sent as broadcast messages from an
228 unprivileged port and responded to with unicast messages to the
229 same port. This make them hard to firewall properly because connection
230 tracking doesn't deal with broadcasts. This helper tracks locally
231 originating SNMP service requests and the corresponding
232 responses. It relies on correct IP address configuration, specifically
233 netmask and broadcast address.
234
235 To compile it as a module, choose M here. If unsure, say N.
236
237config NF_CONNTRACK_PPTP
238 tristate "PPtP protocol support"
239 depends on NETFILTER_ADVANCED
240 select NF_CT_PROTO_GRE
241 help
242 This module adds support for PPTP (Point to Point Tunnelling
243 Protocol, RFC2637) connection tracking and NAT.
244
245 If you are running PPTP sessions over a stateful firewall or NAT
246 box, you may want to enable this feature.
247
248 Please note that not all PPTP modes of operation are supported yet.
249 Specifically these limitations exist:
250 - Blindly assumes that control connections are always established
251 in PNS->PAC direction. This is a violation of RFC2637.
252 - Only supports a single call within each session
253
254 To compile it as a module, choose M here. If unsure, say N.
255
256config NF_CONNTRACK_SANE
257 tristate "SANE protocol support (EXPERIMENTAL)"
258 depends on EXPERIMENTAL
259 depends on NETFILTER_ADVANCED
260 help
261 SANE is a protocol for remote access to scanners as implemented
262 by the 'saned' daemon. Like FTP, it uses separate control and
263 data connections.
264
265 With this module you can support SANE on a connection tracking
266 firewall.
267
268 To compile it as a module, choose M here. If unsure, say N.
269
270config NF_CONNTRACK_SIP
271 tristate "SIP protocol support"
272 default m if NETFILTER_ADVANCED=n
273 help
274 SIP is an application-layer control protocol that can establish,
275 modify, and terminate multimedia sessions (conferences) such as
276 Internet telephony calls. With the ip_conntrack_sip and
277 the nf_nat_sip modules you can support the protocol on a connection
278 tracking/NATing firewall.
279
280 To compile it as a module, choose M here. If unsure, say N.
281
282config NF_CONNTRACK_TFTP
283 tristate "TFTP protocol support"
284 depends on NETFILTER_ADVANCED
285 help
286 TFTP connection tracking helper, this is required depending
287 on how restrictive your ruleset is.
288 If you are using a tftp client behind -j SNAT or -j MASQUERADING
289 you will need this.
290
291 To compile it as a module, choose M here. If unsure, say N.
292
293config NF_CT_NETLINK
294 tristate 'Connection tracking netlink interface'
295 select NETFILTER_NETLINK
296 default m if NETFILTER_ADVANCED=n
297 help
298 This option enables support for a netlink-based userspace interface
299
300endif
301
302
303config NETFILTER_TPROXY
304 tristate "Transparent proxying support (EXPERIMENTAL)"
305 depends on EXPERIMENTAL
306 depends on IP_NF_MANGLE
307 depends on NETFILTER_ADVANCED
308 help
309 This option enables transparent proxying support, that is,
310 support for handling non-locally bound IPv4 TCP and UDP sockets.
311 For it to work you will have to configure certain iptables rules
312 and use policy routing. For more information on how to set it up
313 see Documentation/networking/tproxy.txt.
314
315 To compile it as a module, choose M here. If unsure, say N.
316
317config NETFILTER_XTABLES
318 tristate "Netfilter Xtables support (required for ip_tables)"
319 default m if NETFILTER_ADVANCED=n
320 help
321 This is required if you intend to use any of ip_tables,
322 ip6_tables or arp_tables.
323
324if NETFILTER_XTABLES
325
326comment "Xtables combined modules"
327
328config NETFILTER_XT_MARK
329 tristate 'nfmark target and match support'
330 default m if NETFILTER_ADVANCED=n
331 ---help---
332 This option adds the "MARK" target and "mark" match.
333
334 Netfilter mark matching allows you to match packets based on the
335 "nfmark" value in the packet.
336 The target allows you to create rules in the "mangle" table which alter
337 the netfilter mark (nfmark) field associated with the packet.
338
339 Prior to routing, the nfmark can influence the routing method (see
340 "Use netfilter MARK value as routing key") and can also be used by
341 other subsystems to change their behavior.
342
343config NETFILTER_XT_CONNMARK
344 tristate 'ctmark target and match support'
345 depends on NF_CONNTRACK
346 depends on NETFILTER_ADVANCED
347 select NF_CONNTRACK_MARK
348 ---help---
349 This option adds the "CONNMARK" target and "connmark" match.
350
351 Netfilter allows you to store a mark value per connection (a.k.a.
352 ctmark), similarly to the packet mark (nfmark). Using this
353 target and match, you can set and match on this mark.
354
355config NETFILTER_XT_SET
356 tristate 'set target and match support'
357 depends on IP_SET
358 depends on NETFILTER_ADVANCED
359 help
360 This option adds the "SET" target and "set" match.
361
362 Using this target and match, you can add/delete and match
363 elements in the sets created by ipset(8).
364
365 To compile it as a module, choose M here. If unsure, say N.
366
367
368
369comment "Xtables targets"
370
371config NETFILTER_XT_TARGET_AUDIT
372 tristate "AUDIT target support"
373 depends on AUDIT
374 depends on NETFILTER_ADVANCED
375 ---help---
376 This option adds a 'AUDIT' target, which can be used to create
377 audit records for packets dropped/accepted.
378
379 To compileit as a module, choose M here. If unsure, say N.
380
381config NETFILTER_XT_TARGET_CHECKSUM
382 tristate "CHECKSUM target support"
383 depends on IP_NF_MANGLE || IP6_NF_MANGLE
384 depends on NETFILTER_ADVANCED
385 ---help---
386 This option adds a `CHECKSUM' target, which can be used in the iptables mangle
387 table.
388
389 You can use this target to compute and fill in the checksum in
390 a packet that lacks a checksum. This is particularly useful,
391 if you need to work around old applications such as dhcp clients,
392 that do not work well with checksum offloads, but don't want to disable
393 checksum offload in your device.
394
395 To compile it as a module, choose M here. If unsure, say N.
396
397config NETFILTER_XT_TARGET_CLASSIFY
398 tristate '"CLASSIFY" target support'
399 depends on NETFILTER_ADVANCED
400 help
401 This option adds a `CLASSIFY' target, which enables the user to set
402 the priority of a packet. Some qdiscs can use this value for
403 classification, among these are:
404
405 atm, cbq, dsmark, pfifo_fast, htb, prio
406
407 To compile it as a module, choose M here. If unsure, say N.
408
409config NETFILTER_XT_TARGET_CONNMARK
410 tristate '"CONNMARK" target support'
411 depends on NF_CONNTRACK
412 depends on NETFILTER_ADVANCED
413 select NETFILTER_XT_CONNMARK
414 ---help---
415 This is a backwards-compat option for the user's convenience
416 (e.g. when running oldconfig). It selects
417 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
418
419config NETFILTER_XT_TARGET_CONNSECMARK
420 tristate '"CONNSECMARK" target support'
421 depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
422 default m if NETFILTER_ADVANCED=n
423 help
424 The CONNSECMARK target copies security markings from packets
425 to connections, and restores security markings from connections
426 to packets (if the packets are not already marked). This would
427 normally be used in conjunction with the SECMARK target.
428
429 To compile it as a module, choose M here. If unsure, say N.
430
431config NETFILTER_XT_TARGET_CT
432 tristate '"CT" target support'
433 depends on NF_CONNTRACK
434 depends on IP_NF_RAW || IP6_NF_RAW
435 depends on NETFILTER_ADVANCED
436 help
437 This options adds a `CT' target, which allows to specify initial
438 connection tracking parameters like events to be delivered and
439 the helper to be used.
440
441 To compile it as a module, choose M here. If unsure, say N.
442
443config NETFILTER_XT_TARGET_DSCP
444 tristate '"DSCP" and "TOS" target support'
445 depends on IP_NF_MANGLE || IP6_NF_MANGLE
446 depends on NETFILTER_ADVANCED
447 help
448 This option adds a `DSCP' target, which allows you to manipulate
449 the IPv4/IPv6 header DSCP field (differentiated services codepoint).
450
451 The DSCP field can have any value between 0x0 and 0x3f inclusive.
452
453 It also adds the "TOS" target, which allows you to create rules in
454 the "mangle" table which alter the Type Of Service field of an IPv4
455 or the Priority field of an IPv6 packet, prior to routing.
456
457 To compile it as a module, choose M here. If unsure, say N.
458
459config NETFILTER_XT_TARGET_HL
460 tristate '"HL" hoplimit target support'
461 depends on IP_NF_MANGLE || IP6_NF_MANGLE
462 depends on NETFILTER_ADVANCED
463 ---help---
464 This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
465 targets, which enable the user to change the
466 hoplimit/time-to-live value of the IP header.
467
468 While it is safe to decrement the hoplimit/TTL value, the
469 modules also allow to increment and set the hoplimit value of
470 the header to arbitrary values. This is EXTREMELY DANGEROUS
471 since you can easily create immortal packets that loop
472 forever on the network.
473
474config NETFILTER_XT_TARGET_IDLETIMER
475 tristate "IDLETIMER target support"
476 depends on NETFILTER_ADVANCED
477 help
478
479 This option adds the `IDLETIMER' target. Each matching packet
480 resets the timer associated with label specified when the rule is
481 added. When the timer expires, it triggers a sysfs notification.
482 The remaining time for expiration can be read via sysfs.
483
484 To compile it as a module, choose M here. If unsure, say N.
485
486config NETFILTER_XT_TARGET_LED
487 tristate '"LED" target support'
488 depends on LEDS_CLASS && LEDS_TRIGGERS
489 depends on NETFILTER_ADVANCED
490 help
491 This option adds a `LED' target, which allows you to blink LEDs in
492 response to particular packets passing through your machine.
493
494 This can be used to turn a spare LED into a network activity LED,
495 which only flashes in response to FTP transfers, for example. Or
496 you could have an LED which lights up for a minute or two every time
497 somebody connects to your machine via SSH.
498
499 You will need support for the "led" class to make this work.
500
501 To create an LED trigger for incoming SSH traffic:
502 iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
503
504 Then attach the new trigger to an LED on your system:
505 echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
506
507 For more information on the LEDs available on your system, see
508 Documentation/leds-class.txt
509
510config NETFILTER_XT_TARGET_MARK
511 tristate '"MARK" target support'
512 depends on NETFILTER_ADVANCED
513 select NETFILTER_XT_MARK
514 ---help---
515 This is a backwards-compat option for the user's convenience
516 (e.g. when running oldconfig). It selects
517 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
518
519config NETFILTER_XT_TARGET_NFLOG
520 tristate '"NFLOG" target support'
521 default m if NETFILTER_ADVANCED=n
522 select NETFILTER_NETLINK_LOG
523 help
524 This option enables the NFLOG target, which allows to LOG
525 messages through nfnetlink_log.
526
527 To compile it as a module, choose M here. If unsure, say N.
528
529config NETFILTER_XT_TARGET_NFQUEUE
530 tristate '"NFQUEUE" target Support'
531 depends on NETFILTER_ADVANCED
532 select NETFILTER_NETLINK_QUEUE
533 help
534 This target replaced the old obsolete QUEUE target.
535
536 As opposed to QUEUE, it supports 65535 different queues,
537 not just one.
538
539 To compile it as a module, choose M here. If unsure, say N.
540
541config NETFILTER_XT_TARGET_NOTRACK
542 tristate '"NOTRACK" target support'
543 depends on IP_NF_RAW || IP6_NF_RAW
544 depends on NF_CONNTRACK
545 depends on NETFILTER_ADVANCED
546 help
547 The NOTRACK target allows a select rule to specify
548 which packets *not* to enter the conntrack/NAT
549 subsystem with all the consequences (no ICMP error tracking,
550 no protocol helpers for the selected packets).
551
552 If you want to compile it as a module, say M here and read
553 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
554
555config NETFILTER_XT_TARGET_RATEEST
556 tristate '"RATEEST" target support'
557 depends on NETFILTER_ADVANCED
558 help
559 This option adds a `RATEEST' target, which allows to measure
560 rates similar to TC estimators. The `rateest' match can be
561 used to match on the measured rates.
562
563 To compile it as a module, choose M here. If unsure, say N.
564
565config NETFILTER_XT_TARGET_TEE
566 tristate '"TEE" - packet cloning to alternate destination'
567 depends on NETFILTER_ADVANCED
568 depends on (IPV6 || IPV6=n)
569 depends on !NF_CONNTRACK || NF_CONNTRACK
570 ---help---
571 This option adds a "TEE" target with which a packet can be cloned and
572 this clone be rerouted to another nexthop.
573
574config NETFILTER_XT_TARGET_TPROXY
575 tristate '"TPROXY" target support (EXPERIMENTAL)'
576 depends on EXPERIMENTAL
577 depends on NETFILTER_TPROXY
578 depends on NETFILTER_XTABLES
579 depends on NETFILTER_ADVANCED
580 select NF_DEFRAG_IPV4
581 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
582 help
583 This option adds a `TPROXY' target, which is somewhat similar to
584 REDIRECT. It can only be used in the mangle table and is useful
585 to redirect traffic to a transparent proxy. It does _not_ depend
586 on Netfilter connection tracking and NAT, unlike REDIRECT.
587
588 To compile it as a module, choose M here. If unsure, say N.
589
590config NETFILTER_XT_TARGET_TRACE
591 tristate '"TRACE" target support'
592 depends on IP_NF_RAW || IP6_NF_RAW
593 depends on NETFILTER_ADVANCED
594 help
595 The TRACE target allows you to mark packets so that the kernel
596 will log every rule which match the packets as those traverse
597 the tables, chains, rules.
598
599 If you want to compile it as a module, say M here and read
600 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
601
602config NETFILTER_XT_TARGET_SECMARK
603 tristate '"SECMARK" target support'
604 depends on NETWORK_SECMARK
605 default m if NETFILTER_ADVANCED=n
606 help
607 The SECMARK target allows security marking of network
608 packets, for use with security subsystems.
609
610 To compile it as a module, choose M here. If unsure, say N.
611
612config NETFILTER_XT_TARGET_TCPMSS
613 tristate '"TCPMSS" target support'
614 depends on (IPV6 || IPV6=n)
615 default m if NETFILTER_ADVANCED=n
616 ---help---
617 This option adds a `TCPMSS' target, which allows you to alter the
618 MSS value of TCP SYN packets, to control the maximum size for that
619 connection (usually limiting it to your outgoing interface's MTU
620 minus 40).
621
622 This is used to overcome criminally braindead ISPs or servers which
623 block ICMP Fragmentation Needed packets. The symptoms of this
624 problem are that everything works fine from your Linux
625 firewall/router, but machines behind it can never exchange large
626 packets:
627 1) Web browsers connect, then hang with no data received.
628 2) Small mail works fine, but large emails hang.
629 3) ssh works fine, but scp hangs after initial handshaking.
630
631 Workaround: activate this option and add a rule to your firewall
632 configuration like:
633
634 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
635 -j TCPMSS --clamp-mss-to-pmtu
636
637 To compile it as a module, choose M here. If unsure, say N.
638
639config NETFILTER_XT_TARGET_TCPOPTSTRIP
640 tristate '"TCPOPTSTRIP" target support (EXPERIMENTAL)'
641 depends on EXPERIMENTAL
642 depends on IP_NF_MANGLE || IP6_NF_MANGLE
643 depends on NETFILTER_ADVANCED
644 help
645 This option adds a "TCPOPTSTRIP" target, which allows you to strip
646 TCP options from TCP packets.
647
648
649
650comment "Xtables matches"
651
652config NETFILTER_XT_MATCH_ADDRTYPE
653 tristate '"addrtype" address type match support'
654 depends on NETFILTER_ADVANCED
655 ---help---
656 This option allows you to match what routing thinks of an address,
657 eg. UNICAST, LOCAL, BROADCAST, ...
658
659 If you want to compile it as a module, say M here and read
660 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
661
662config NETFILTER_XT_MATCH_CLUSTER
663 tristate '"cluster" match support'
664 depends on NF_CONNTRACK
665 depends on NETFILTER_ADVANCED
666 ---help---
667 This option allows you to build work-load-sharing clusters of
668 network servers/stateful firewalls without having a dedicated
669 load-balancing router/server/switch. Basically, this match returns
670 true when the packet must be handled by this cluster node. Thus,
671 all nodes see all packets and this match decides which node handles
672 what packets. The work-load sharing algorithm is based on source
673 address hashing.
674
675 If you say Y or M here, try `iptables -m cluster --help` for
676 more information.
677
678config NETFILTER_XT_MATCH_COMMENT
679 tristate '"comment" match support'
680 depends on NETFILTER_ADVANCED
681 help
682 This option adds a `comment' dummy-match, which allows you to put
683 comments in your iptables ruleset.
684
685 If you want to compile it as a module, say M here and read
686 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
687
688config NETFILTER_XT_MATCH_CONNBYTES
689 tristate '"connbytes" per-connection counter match support'
690 depends on NF_CONNTRACK
691 depends on NETFILTER_ADVANCED
692 help
693 This option adds a `connbytes' match, which allows you to match the
694 number of bytes and/or packets for each direction within a connection.
695
696 If you want to compile it as a module, say M here and read
697 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
698
699config NETFILTER_XT_MATCH_CONNLIMIT
700 tristate '"connlimit" match support"'
701 depends on NF_CONNTRACK
702 depends on NETFILTER_ADVANCED
703 ---help---
704 This match allows you to match against the number of parallel
705 connections to a server per client IP address (or address block).
706
707config NETFILTER_XT_MATCH_CONNMARK
708 tristate '"connmark" connection mark match support'
709 depends on NF_CONNTRACK
710 depends on NETFILTER_ADVANCED
711 select NETFILTER_XT_CONNMARK
712 ---help---
713 This is a backwards-compat option for the user's convenience
714 (e.g. when running oldconfig). It selects
715 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
716
717config NETFILTER_XT_MATCH_CONNTRACK
718 tristate '"conntrack" connection tracking match support'
719 depends on NF_CONNTRACK
720 default m if NETFILTER_ADVANCED=n
721 help
722 This is a general conntrack match module, a superset of the state match.
723
724 It allows matching on additional conntrack information, which is
725 useful in complex configurations, such as NAT gateways with multiple
726 internet links or tunnels.
727
728 To compile it as a module, choose M here. If unsure, say N.
729
730config NETFILTER_XT_MATCH_CPU
731 tristate '"cpu" match support'
732 depends on NETFILTER_ADVANCED
733 help
734 CPU matching allows you to match packets based on the CPU
735 currently handling the packet.
736
737 To compile it as a module, choose M here. If unsure, say N.
738
739config NETFILTER_XT_MATCH_DCCP
740 tristate '"dccp" protocol match support'
741 depends on NETFILTER_ADVANCED
742 default IP_DCCP
743 help
744 With this option enabled, you will be able to use the iptables
745 `dccp' match in order to match on DCCP source/destination ports
746 and DCCP flags.
747
748 If you want to compile it as a module, say M here and read
749 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
750
751config NETFILTER_XT_MATCH_DEVGROUP
752 tristate '"devgroup" match support'
753 depends on NETFILTER_ADVANCED
754 help
755 This options adds a `devgroup' match, which allows to match on the
756 device group a network device is assigned to.
757
758 To compile it as a module, choose M here. If unsure, say N.
759
760config NETFILTER_XT_MATCH_DSCP
761 tristate '"dscp" and "tos" match support'
762 depends on NETFILTER_ADVANCED
763 help
764 This option adds a `DSCP' match, which allows you to match against
765 the IPv4/IPv6 header DSCP field (differentiated services codepoint).
766
767 The DSCP field can have any value between 0x0 and 0x3f inclusive.
768
769 It will also add a "tos" match, which allows you to match packets
770 based on the Type Of Service fields of the IPv4 packet (which share
771 the same bits as DSCP).
772
773 To compile it as a module, choose M here. If unsure, say N.
774
775config NETFILTER_XT_MATCH_ESP
776 tristate '"esp" match support'
777 depends on NETFILTER_ADVANCED
778 help
779 This match extension allows you to match a range of SPIs
780 inside ESP header of IPSec packets.
781
782 To compile it as a module, choose M here. If unsure, say N.
783
784config NETFILTER_XT_MATCH_HASHLIMIT
785 tristate '"hashlimit" match support'
786 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
787 depends on NETFILTER_ADVANCED
788 help
789 This option adds a `hashlimit' match.
790
791 As opposed to `limit', this match dynamically creates a hash table
792 of limit buckets, based on your selection of source/destination
793 addresses and/or ports.
794
795 It enables you to express policies like `10kpps for any given
796 destination address' or `500pps from any given source address'
797 with a single rule.
798
799config NETFILTER_XT_MATCH_HELPER
800 tristate '"helper" match support'
801 depends on NF_CONNTRACK
802 depends on NETFILTER_ADVANCED
803 help
804 Helper matching allows you to match packets in dynamic connections
805 tracked by a conntrack-helper, ie. ip_conntrack_ftp
806
807 To compile it as a module, choose M here. If unsure, say Y.
808
809config NETFILTER_XT_MATCH_HL
810 tristate '"hl" hoplimit/TTL match support'
811 depends on NETFILTER_ADVANCED
812 ---help---
813 HL matching allows you to match packets based on the hoplimit
814 in the IPv6 header, or the time-to-live field in the IPv4
815 header of the packet.
816
817config NETFILTER_XT_MATCH_IPRANGE
818 tristate '"iprange" address range match support'
819 depends on NETFILTER_ADVANCED
820 ---help---
821 This option adds a "iprange" match, which allows you to match based on
822 an IP address range. (Normal iptables only matches on single addresses
823 with an optional mask.)
824
825 If unsure, say M.
826
827config NETFILTER_XT_MATCH_IPVS
828 tristate '"ipvs" match support'
829 depends on IP_VS
830 depends on NETFILTER_ADVANCED
831 depends on NF_CONNTRACK
832 help
833 This option allows you to match against IPVS properties of a packet.
834
835 If unsure, say N.
836
837config NETFILTER_XT_MATCH_LENGTH
838 tristate '"length" match support'
839 depends on NETFILTER_ADVANCED
840 help
841 This option allows you to match the length of a packet against a
842 specific value or range of values.
843
844 To compile it as a module, choose M here. If unsure, say N.
845
846config NETFILTER_XT_MATCH_LIMIT
847 tristate '"limit" match support'
848 depends on NETFILTER_ADVANCED
849 help
850 limit matching allows you to control the rate at which a rule can be
851 matched: mainly useful in combination with the LOG target ("LOG
852 target support", below) and to avoid some Denial of Service attacks.
853
854 To compile it as a module, choose M here. If unsure, say N.
855
856config NETFILTER_XT_MATCH_MAC
857 tristate '"mac" address match support'
858 depends on NETFILTER_ADVANCED
859 help
860 MAC matching allows you to match packets based on the source
861 Ethernet address of the packet.
862
863 To compile it as a module, choose M here. If unsure, say N.
864
865config NETFILTER_XT_MATCH_MARK
866 tristate '"mark" match support'
867 depends on NETFILTER_ADVANCED
868 select NETFILTER_XT_MARK
869 ---help---
870 This is a backwards-compat option for the user's convenience
871 (e.g. when running oldconfig). It selects
872 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
873
874config NETFILTER_XT_MATCH_MULTIPORT
875 tristate '"multiport" Multiple port match support'
876 depends on NETFILTER_ADVANCED
877 help
878 Multiport matching allows you to match TCP or UDP packets based on
879 a series of source or destination ports: normally a rule can only
880 match a single range of ports.
881
882 To compile it as a module, choose M here. If unsure, say N.
883
884config NETFILTER_XT_MATCH_OSF
885 tristate '"osf" Passive OS fingerprint match'
886 depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
887 help
888 This option selects the Passive OS Fingerprinting match module
889 that allows to passively match the remote operating system by
890 analyzing incoming TCP SYN packets.
891
892 Rules and loading software can be downloaded from
893 http://www.ioremap.net/projects/osf
894
895 To compile it as a module, choose M here. If unsure, say N.
896
897config NETFILTER_XT_MATCH_OWNER
898 tristate '"owner" match support'
899 depends on NETFILTER_ADVANCED
900 ---help---
901 Socket owner matching allows you to match locally-generated packets
902 based on who created the socket: the user or group. It is also
903 possible to check whether a socket actually exists.
904
905config NETFILTER_XT_MATCH_POLICY
906 tristate 'IPsec "policy" match support'
907 depends on XFRM
908 default m if NETFILTER_ADVANCED=n
909 help
910 Policy matching allows you to match packets based on the
911 IPsec policy that was used during decapsulation/will
912 be used during encapsulation.
913
914 To compile it as a module, choose M here. If unsure, say N.
915
916config NETFILTER_XT_MATCH_PHYSDEV
917 tristate '"physdev" match support'
918 depends on BRIDGE && BRIDGE_NETFILTER
919 depends on NETFILTER_ADVANCED
920 help
921 Physdev packet matching matches against the physical bridge ports
922 the IP packet arrived on or will leave by.
923
924 To compile it as a module, choose M here. If unsure, say N.
925
926config NETFILTER_XT_MATCH_PKTTYPE
927 tristate '"pkttype" packet type match support'
928 depends on NETFILTER_ADVANCED
929 help
930 Packet type matching allows you to match a packet by
931 its "class", eg. BROADCAST, MULTICAST, ...
932
933 Typical usage:
934 iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
935
936 To compile it as a module, choose M here. If unsure, say N.
937
938config NETFILTER_XT_MATCH_QUOTA
939 tristate '"quota" match support'
940 depends on NETFILTER_ADVANCED
941 help
942 This option adds a `quota' match, which allows to match on a
943 byte counter.
944
945 If you want to compile it as a module, say M here and read
946 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
947
948config NETFILTER_XT_MATCH_RATEEST
949 tristate '"rateest" match support'
950 depends on NETFILTER_ADVANCED
951 select NETFILTER_XT_TARGET_RATEEST
952 help
953 This option adds a `rateest' match, which allows to match on the
954 rate estimated by the RATEEST target.
955
956 To compile it as a module, choose M here. If unsure, say N.
957
958config NETFILTER_XT_MATCH_REALM
959 tristate '"realm" match support'
960 depends on NETFILTER_ADVANCED
961 select IP_ROUTE_CLASSID
962 help
963 This option adds a `realm' match, which allows you to use the realm
964 key from the routing subsystem inside iptables.
965
966 This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
967 in tc world.
968
969 If you want to compile it as a module, say M here and read
970 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
971
972config NETFILTER_XT_MATCH_RECENT
973 tristate '"recent" match support'
974 depends on NETFILTER_ADVANCED
975 ---help---
976 This match is used for creating one or many lists of recently
977 used addresses and then matching against that/those list(s).
978
979 Short options are available by using 'iptables -m recent -h'
980 Official Website: <http://snowman.net/projects/ipt_recent/>
981
982config NETFILTER_XT_MATCH_SCTP
983 tristate '"sctp" protocol match support (EXPERIMENTAL)'
984 depends on EXPERIMENTAL
985 depends on NETFILTER_ADVANCED
986 default IP_SCTP
987 help
988 With this option enabled, you will be able to use the
989 `sctp' match in order to match on SCTP source/destination ports
990 and SCTP chunk types.
991
992 If you want to compile it as a module, say M here and read
993 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
994
995config NETFILTER_XT_MATCH_SOCKET
996 tristate '"socket" match support (EXPERIMENTAL)'
997 depends on EXPERIMENTAL
998 depends on NETFILTER_TPROXY
999 depends on NETFILTER_XTABLES
1000 depends on NETFILTER_ADVANCED
1001 depends on !NF_CONNTRACK || NF_CONNTRACK
1002 select NF_DEFRAG_IPV4
1003 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
1004 help
1005 This option adds a `socket' match, which can be used to match
1006 packets for which a TCP or UDP socket lookup finds a valid socket.
1007 It can be used in combination with the MARK target and policy
1008 routing to implement full featured non-locally bound sockets.
1009
1010 To compile it as a module, choose M here. If unsure, say N.
1011
1012config NETFILTER_XT_MATCH_STATE
1013 tristate '"state" match support'
1014 depends on NF_CONNTRACK
1015 default m if NETFILTER_ADVANCED=n
1016 help
1017 Connection state matching allows you to match packets based on their
1018 relationship to a tracked connection (ie. previous packets). This
1019 is a powerful tool for packet classification.
1020
1021 To compile it as a module, choose M here. If unsure, say N.
1022
1023config NETFILTER_XT_MATCH_STATISTIC
1024 tristate '"statistic" match support'
1025 depends on NETFILTER_ADVANCED
1026 help
1027 This option adds a `statistic' match, which allows you to match
1028 on packets periodically or randomly with a given percentage.
1029
1030 To compile it as a module, choose M here. If unsure, say N.
1031
1032config NETFILTER_XT_MATCH_STRING
1033 tristate '"string" match support'
1034 depends on NETFILTER_ADVANCED
1035 select TEXTSEARCH
1036 select TEXTSEARCH_KMP
1037 select TEXTSEARCH_BM
1038 select TEXTSEARCH_FSM
1039 help
1040 This option adds a `string' match, which allows you to look for
1041 pattern matchings in packets.
1042
1043 To compile it as a module, choose M here. If unsure, say N.
1044
1045config NETFILTER_XT_MATCH_TCPMSS
1046 tristate '"tcpmss" match support'
1047 depends on NETFILTER_ADVANCED
1048 help
1049 This option adds a `tcpmss' match, which allows you to examine the
1050 MSS value of TCP SYN packets, which control the maximum packet size
1051 for that connection.
1052
1053 To compile it as a module, choose M here. If unsure, say N.
1054
1055config NETFILTER_XT_MATCH_TIME
1056 tristate '"time" match support'
1057 depends on NETFILTER_ADVANCED
1058 ---help---
1059 This option adds a "time" match, which allows you to match based on
1060 the packet arrival time (at the machine which netfilter is running)
1061 on) or departure time/date (for locally generated packets).
1062
1063 If you say Y here, try `iptables -m time --help` for
1064 more information.
1065
1066 If you want to compile it as a module, say M here.
1067 If unsure, say N.
1068
1069config NETFILTER_XT_MATCH_U32
1070 tristate '"u32" match support'
1071 depends on NETFILTER_ADVANCED
1072 ---help---
1073 u32 allows you to extract quantities of up to 4 bytes from a packet,
1074 AND them with specified masks, shift them by specified amounts and
1075 test whether the results are in any of a set of specified ranges.
1076 The specification of what to extract is general enough to skip over
1077 headers with lengths stored in the packet, as in IP or TCP header
1078 lengths.
1079
1080 Details and examples are in the kernel module source.
1081
1082endif
1083
1084endmenu
1085
1086source "net/netfilter/ipset/Kconfig"
1087
1088source "net/netfilter/ipvs/Kconfig"
1089