linux/net/netfilter/Kconfig
menu "Core Netfilter Configuration"
        depends on NET && INET && NETFILTER

config NETFILTER_NETLINK
        tristate

config NETFILTER_NETLINK_QUEUE
        tristate "Netfilter NFQUEUE over NFNETLINK interface"
        depends on NETFILTER_ADVANCED
        select NETFILTER_NETLINK
        help
          If this option is enabled, the kernel will include support
          for queueing packets via NFNETLINK.

config NETFILTER_NETLINK_LOG
        tristate "Netfilter LOG over NFNETLINK interface"
        default m if NETFILTER_ADVANCED=n
        select NETFILTER_NETLINK
        help
          If this option is enabled, the kernel will include support
          for logging packets via NFNETLINK.

          This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
          and is also scheduled to replace the old syslog-based ipt_LOG
          and ip6t_LOG modules.

config NF_CONNTRACK
        tristate "Netfilter connection tracking support"
        default m if NETFILTER_ADVANCED=n
        help
          Connection tracking keeps a record of what packets have passed
          through your machine, in order to figure out how they are grouped
          into connections.

          This is required to do Masquerading or other kinds of Network
          Address Translation.  It can also be used to enhance packet
          filtering (see `Connection state match support' below).

          To compile it as a module, choose M here.  If unsure, say N.

if NF_CONNTRACK

config NF_CONNTRACK_MARK
        bool  'Connection mark tracking support'
        depends on NETFILTER_ADVANCED
        help
          This option enables support for connection marks, used by the
          `CONNMARK' target and `connmark' match. Similar to the mark value
          of packets, but this mark value is kept in the conntrack session
          instead of the individual packets.

config NF_CONNTRACK_SECMARK
        bool  'Connection tracking security mark support'
        depends on NETWORK_SECMARK
        default m if NETFILTER_ADVANCED=n
        help
          This option enables security markings to be applied to
          connections.  Typically they are copied to connections from
          packets using the CONNSECMARK target and copied back from
          connections to packets with the same target, with the packets
          being originally labeled via SECMARK.

          If unsure, say 'N'.

config NF_CONNTRACK_ZONES
        bool  'Connection tracking zones'
        depends on NETFILTER_ADVANCED
        depends on NETFILTER_XT_TARGET_CT
        help
          This option enables support for connection tracking zones.
          Normally, each connection needs to have a unique system wide
          identity. Connection tracking zones allow multiple connections
          to use the same identity, as long as they are contained in
          different zones.

          If unsure, say `N'.

config NF_CONNTRACK_EVENTS
        bool "Connection tracking events"
        depends on NETFILTER_ADVANCED
        help
          If this option is enabled, the connection tracking code will
          provide a notifier chain that can be used by other kernel code
          to get notified about changes in the connection tracking state.

          If unsure, say `N'.

config NF_CONNTRACK_TIMESTAMP
        bool  'Connection tracking timestamping'
        depends on NETFILTER_ADVANCED
        help
          This option enables support for connection tracking timestamping.
          This allows you to store the flow start time and to obtain
          the flow stop time (once it has been destroyed) via connection
          tracking events.

          If unsure, say `N'.

config NF_CT_PROTO_DCCP
        tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)'
        depends on EXPERIMENTAL
        depends on NETFILTER_ADVANCED
        default IP_DCCP
        help
          With this option enabled, the layer 3 independent connection
          tracking code will be able to do state tracking on DCCP connections.

          If unsure, say 'N'.

config NF_CT_PROTO_GRE
        tristate

config NF_CT_PROTO_SCTP
        tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
        depends on EXPERIMENTAL
        depends on NETFILTER_ADVANCED
        default IP_SCTP
        help
          With this option enabled, the layer 3 independent connection
          tracking code will be able to do state tracking on SCTP connections.

          If you want to compile it as a module, say M here and read
          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NF_CT_PROTO_UDPLITE
        tristate 'UDP-Lite protocol connection tracking support'
        depends on NETFILTER_ADVANCED
        help
          With this option enabled, the layer 3 independent connection
          tracking code will be able to do state tracking on UDP-Lite
          connections.

          To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_AMANDA
        tristate "Amanda backup protocol support"
        depends on NETFILTER_ADVANCED
        select TEXTSEARCH
        select TEXTSEARCH_KMP
        help
          If you are running the Amanda backup package <http://www.amanda.org/>
          on this machine or machines that will be MASQUERADED through this
          machine, then you may want to enable this feature.  This allows the
          connection tracking and NAT code to allow the sub-channels that
          Amanda requires for communication of the backup data, messages and
          index.

          To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_FTP
        tristate "FTP protocol support"
        default m if NETFILTER_ADVANCED=n
        help
          Tracking FTP connections is problematic: special helpers are
          required for tracking them, and for doing masquerading and other
          forms of Network Address Translation on them.

          This is FTP support on Layer 3 independent connection tracking.
          Layer 3 independent connection tracking is an experimental scheme
          which generalizes ip_conntrack to support other layer 3 protocols.

          To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_H323
        tristate "H.323 protocol support"
        depends on (IPV6 || IPV6=n)
        depends on NETFILTER_ADVANCED
        help
          H.323 is a VoIP signalling protocol from ITU-T. As one of the most
          important VoIP protocols, it is widely used by voice hardware and
          software including voice gateways, IP phones, Netmeeting, OpenPhone,
          Gnomemeeting, etc.

          With this module you can support H.323 on a connection tracking/NAT
          firewall.

          This module supports RAS, Fast Start, H.245 Tunnelling, Call
          Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
          whiteboard, file transfer, etc. For more information, please
          visit http://nath323.sourceforge.net/.

          To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_IRC
        tristate "IRC protocol support"
        default m if NETFILTER_ADVANCED=n
        help
          There is a commonly-used extension to IRC called
          Direct Client-to-Client Protocol (DCC).  This enables users to send
          files to each other, and also chat to each other without the need
          of a server.  DCC Sending is used anywhere you send files over IRC,
          and DCC Chat is most commonly used by Eggdrop bots.  If you are
          using NAT, this extension will enable you to send files and initiate
          chats.  Note that you do NOT need this extension to receive files,
          to have others initiate chats, or for anything else in IRC.

          To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_BROADCAST
        tristate

config NF_CONNTRACK_NETBIOS_NS
        tristate "NetBIOS name service protocol support"
        depends on NETFILTER_ADVANCED
        select NF_CONNTRACK_BROADCAST
        help
          NetBIOS name service requests are sent as broadcast messages from an
          unprivileged port and responded to with unicast messages to the
          same port. This makes them hard to firewall properly because connection
          tracking doesn't deal with broadcasts. This helper tracks locally
          originating NetBIOS name service requests and the corresponding
          responses. It relies on correct IP address configuration, specifically
          netmask and broadcast address. When properly configured, the output
          of "ip address show" should look similar to this:

          $ ip -4 address show eth0
          4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
              inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0

          To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_SNMP
        tristate "SNMP service protocol support"
        depends on NETFILTER_ADVANCED
        select NF_CONNTRACK_BROADCAST
        help
          SNMP service requests are sent as broadcast messages from an
          unprivileged port and responded to with unicast messages to the
          same port. This makes them hard to firewall properly because connection
          tracking doesn't deal with broadcasts. This helper tracks locally
          originating SNMP service requests and the corresponding
          responses. It relies on correct IP address configuration, specifically
          netmask and broadcast address.

          To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_PPTP
        tristate "PPTP protocol support"
        depends on NETFILTER_ADVANCED
        select NF_CT_PROTO_GRE
        help
          This module adds support for PPTP (Point to Point Tunnelling
          Protocol, RFC2637) connection tracking and NAT.

          If you are running PPTP sessions over a stateful firewall or NAT
          box, you may want to enable this feature.

          Please note that not all PPTP modes of operation are supported yet.
          Specifically these limitations exist:
            - Blindly assumes that control connections are always established
              in PNS->PAC direction. This is a violation of RFC2637.
            - Only supports a single call within each session

          To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_SANE
        tristate "SANE protocol support (EXPERIMENTAL)"
        depends on EXPERIMENTAL
        depends on NETFILTER_ADVANCED
        help
          SANE is a protocol for remote access to scanners as implemented
          by the 'saned' daemon. Like FTP, it uses separate control and
          data connections.

          With this module you can support SANE on a connection tracking
          firewall.

          To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_SIP
        tristate "SIP protocol support"
        default m if NETFILTER_ADVANCED=n
        help
          SIP is an application-layer control protocol that can establish,
          modify, and terminate multimedia sessions (conferences) such as
          Internet telephony calls. With the ip_conntrack_sip and
          the nf_nat_sip modules you can support the protocol on a connection
          tracking/NATing firewall.

          To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_TFTP
        tristate "TFTP protocol support"
        depends on NETFILTER_ADVANCED
        help
          TFTP connection tracking helper; whether it is required depends
          on how restrictive your ruleset is.
          If you are using a tftp client behind -j SNAT or -j MASQUERADE
          you will need this.

          To compile it as a module, choose M here.  If unsure, say N.

config NF_CT_NETLINK
        tristate 'Connection tracking netlink interface'
        select NETFILTER_NETLINK
        default m if NETFILTER_ADVANCED=n
        help
          This option enables support for a netlink-based userspace interface.

endif # NF_CONNTRACK

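Added example (not part of the kernel tree): a small Python resolver for the Kconfig constructs this file uses, namely `config`, `depends on`, `select`, `default ... if`, `help` bodies and `if`/`endif` blocks. It shows what a build with NETFILTER_ADVANCED=n enables by default (the entries marked `default m if NETFILTER_ADVANCED=n`, conntrack helpers included) and how `select` pulls in a target such as NF_CONNTRACK_BROADCAST regardless of the target's own `depends on`. The FRAGMENT string is constructed from this file's entries with help text and prompts condensed; menu-level dependencies and the tristate m-versus-y bound are not modelled.

```python
import re

TOKEN = re.compile(r"\(|\)|&&|\|\||!|=|[A-Za-z0-9_]+")
RANK = {"n": 0, "m": 1, "y": 2}                      # tristate ordering used by `select`

def eval_expr(expr, values):
    """Evaluate a Kconfig expression (||, &&, !, =, parentheses); unset symbols are 'n'."""
    toks = TOKEN.findall(expr) + [None]              # sentinel makes peeking safe
    val = lambda t: t if t in RANK else values.get(t, "n")   # literal y/m/n or a symbol
    def atom():
        tok = toks.pop(0)
        if tok == "!":
            return not atom()
        if tok == "(":
            inner = binary(0)
            toks.pop(0)                              # the closing ')'
            return inner
        if toks[0] == "=":                           # comparison such as IPV6=n
            toks.pop(0)
            return val(tok) == val(toks.pop(0))
        return val(tok) != "n"                       # y and m both count as true
    def binary(level):                               # level 0: '||' (lowest), 1: '&&'
        result = atom() if level else binary(1)
        while toks[0] == ("||", "&&")[level]:
            toks.pop(0)
            rhs = atom() if level else binary(1)     # always consume the operand
            result = (result or rhs) if level == 0 else (result and rhs)
        return result
    return binary(0)

def parse_kconfig(text):
    """Map symbol -> {depends, selects, defaults}; prompts and menu/comment lines are ignored."""
    syms, cur, if_stack, help_indent = {}, None, [], None
    for line in text.splitlines():
        s, indent = line.strip(), len(line) - len(line.lstrip())
        if (help_indent is not None and indent > help_indent) or not s or s[0] == "#":
            continue                                 # help body, blank line or comment
        help_indent = None
        kw, rest = (s.split(None, 1) + [""])[:2]
        if kw == "config":
            cur = syms[rest] = {"depends": list(if_stack), "selects": [], "defaults": []}
        elif kw == "if":                             # if/endif blocks add dependencies
            if_stack.append(rest)
        elif kw == "endif":
            if_stack.pop()
        elif kw in ("help", "---help---"):
            help_indent = indent
        elif cur is not None and kw == "depends":
            cur["depends"].append(rest.partition("on ")[2])
        elif cur is not None and kw in ("select", "default"):
            head, sep, cond = rest.partition(" if ")   # `select X if COND`
            cur[kw + "s"].append((head.strip(), cond.strip() if sep else None))
    return syms

def resolve(syms, choices):
    """Fixpoint over defaults and selects: unmet `depends on` cap a symbol at n, `select` does not."""
    values = dict(choices)
    for _ in range(len(syms) + 1):
        new = dict(choices)
        for name, sym in syms.items():
            if not all(eval_expr(d, values) for d in sym["depends"]):
                new.pop(name, None)                  # invisible: choice and default are dropped
            elif name not in choices:
                for value, cond in sym["defaults"]:
                    if cond is None or eval_expr(cond, values):
                        new[name] = value if value in RANK else values.get(value, "n")
                        break
        for name, sym in syms.items():               # an enabled selector forces its targets on
            for target, cond in sym["selects"]:
                if values.get(name, "n") != "n" and (cond is None or eval_expr(cond, values)):
                    new[target] = max(new.get(target, "n"), values[name], key=RANK.get)
        if new == values:
            break
        values = new
    return {k: v for k, v in values.items() if v != "n"}

FRAGMENT = """\
# constructed fragment condensed from this file's entries (help text and prompts mostly dropped)
config NF_CONNTRACK
    default m if NETFILTER_ADVANCED=n
    help
      Connection tracking keeps a record of what packets have passed.
if NF_CONNTRACK
config NF_CONNTRACK_FTP
    default m if NETFILTER_ADVANCED=n
config NF_CONNTRACK_BROADCAST
    tristate
config NF_CONNTRACK_NETBIOS_NS
    depends on NETFILTER_ADVANCED
    select NF_CONNTRACK_BROADCAST
endif # NF_CONNTRACK
config NETFILTER_XT_TARGET_TPROXY
    depends on EXPERIMENTAL && NETFILTER_ADVANCED
    select NF_DEFRAG_IPV4
    select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
"""

if __name__ == "__main__":
    print(resolve(parse_kconfig(FRAGMENT), {"NETFILTER_ADVANCED": "n"}))
```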
 302# transparent proxy support
 303config NETFILTER_TPROXY
 304        tristate "Transparent proxying support (EXPERIMENTAL)"
 305        depends on EXPERIMENTAL
 306        depends on IP_NF_MANGLE
 307        depends on NETFILTER_ADVANCED
 308        help
 309          This option enables transparent proxying support, that is,
 310          support for handling non-locally bound IPv4 TCP and UDP sockets.
 311          For it to work you will have to configure certain iptables rules
 312          and use policy routing. For more information on how to set it up
 313          see Documentation/networking/tproxy.txt.
 314
 315          To compile it as a module, choose M here.  If unsure, say N.
 316
 317config NETFILTER_XTABLES
 318        tristate "Netfilter Xtables support (required for ip_tables)"
 319        default m if NETFILTER_ADVANCED=n
 320        help
 321          This is required if you intend to use any of ip_tables,
 322          ip6_tables or arp_tables.
 323
 324if NETFILTER_XTABLES
 325
 326comment "Xtables combined modules"
 327
 328config NETFILTER_XT_MARK
 329        tristate 'nfmark target and match support'
 330        default m if NETFILTER_ADVANCED=n
 331        ---help---
 332        This option adds the "MARK" target and "mark" match.
 333
 334        Netfilter mark matching allows you to match packets based on the
 335        "nfmark" value in the packet.
 336        The target allows you to create rules in the "mangle" table which alter
 337        the netfilter mark (nfmark) field associated with the packet.
 338
 339        Prior to routing, the nfmark can influence the routing method (see
 340        "Use netfilter MARK value as routing key") and can also be used by
 341        other subsystems to change their behavior.
 342
 343config NETFILTER_XT_CONNMARK
 344        tristate 'ctmark target and match support'
 345        depends on NF_CONNTRACK
 346        depends on NETFILTER_ADVANCED
 347        select NF_CONNTRACK_MARK
 348        ---help---
 349        This option adds the "CONNMARK" target and "connmark" match.
 350
 351        Netfilter allows you to store a mark value per connection (a.k.a.
 352        ctmark), similarly to the packet mark (nfmark). Using this
 353        target and match, you can set and match on this mark.
 354
 355config NETFILTER_XT_SET
 356        tristate 'set target and match support'
 357        depends on IP_SET
 358        depends on NETFILTER_ADVANCED
 359        help
 360          This option adds the "SET" target and "set" match.
 361
 362          Using this target and match, you can add/delete and match
 363          elements in the sets created by ipset(8).
 364
 365          To compile it as a module, choose M here.  If unsure, say N.
 366
 367# alphabetically ordered list of targets
 368
 369comment "Xtables targets"
 370
 371config NETFILTER_XT_TARGET_AUDIT
 372        tristate "AUDIT target support"
 373        depends on AUDIT
 374        depends on NETFILTER_ADVANCED
 375        ---help---
 376          This option adds a 'AUDIT' target, which can be used to create
 377          audit records for packets dropped/accepted.
 378
 379          To compileit as a module, choose M here. If unsure, say N.
 380
 381config NETFILTER_XT_TARGET_CHECKSUM
 382        tristate "CHECKSUM target support"
 383        depends on IP_NF_MANGLE || IP6_NF_MANGLE
 384        depends on NETFILTER_ADVANCED
 385        ---help---
 386          This option adds a `CHECKSUM' target, which can be used in the iptables mangle
 387          table.
 388
 389          You can use this target to compute and fill in the checksum in
 390          a packet that lacks a checksum.  This is particularly useful,
 391          if you need to work around old applications such as dhcp clients,
 392          that do not work well with checksum offloads, but don't want to disable
 393          checksum offload in your device.
 394
 395          To compile it as a module, choose M here.  If unsure, say N.
 396
 397config NETFILTER_XT_TARGET_CLASSIFY
 398        tristate '"CLASSIFY" target support'
 399        depends on NETFILTER_ADVANCED
 400        help
 401          This option adds a `CLASSIFY' target, which enables the user to set
 402          the priority of a packet. Some qdiscs can use this value for
 403          classification, among these are:
 404
 405          atm, cbq, dsmark, pfifo_fast, htb, prio
 406
 407          To compile it as a module, choose M here.  If unsure, say N.
 408
 409config NETFILTER_XT_TARGET_CONNMARK
 410        tristate  '"CONNMARK" target support'
 411        depends on NF_CONNTRACK
 412        depends on NETFILTER_ADVANCED
 413        select NETFILTER_XT_CONNMARK
 414        ---help---
 415        This is a backwards-compat option for the user's convenience
 416        (e.g. when running oldconfig). It selects
 417        CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
 418
 419config NETFILTER_XT_TARGET_CONNSECMARK
 420        tristate '"CONNSECMARK" target support'
 421        depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
 422        default m if NETFILTER_ADVANCED=n
 423        help
 424          The CONNSECMARK target copies security markings from packets
 425          to connections, and restores security markings from connections
 426          to packets (if the packets are not already marked).  This would
 427          normally be used in conjunction with the SECMARK target.
 428
 429          To compile it as a module, choose M here.  If unsure, say N.
 430
 431config NETFILTER_XT_TARGET_CT
 432        tristate '"CT" target support'
 433        depends on NF_CONNTRACK
 434        depends on IP_NF_RAW || IP6_NF_RAW
 435        depends on NETFILTER_ADVANCED
 436        help
 437          This options adds a `CT' target, which allows to specify initial
 438          connection tracking parameters like events to be delivered and
 439          the helper to be used.
 440
 441          To compile it as a module, choose M here.  If unsure, say N.
 442
 443config NETFILTER_XT_TARGET_DSCP
 444        tristate '"DSCP" and "TOS" target support'
 445        depends on IP_NF_MANGLE || IP6_NF_MANGLE
 446        depends on NETFILTER_ADVANCED
 447        help
 448          This option adds a `DSCP' target, which allows you to manipulate
 449          the IPv4/IPv6 header DSCP field (differentiated services codepoint).
 450
 451          The DSCP field can have any value between 0x0 and 0x3f inclusive.
 452
 453          It also adds the "TOS" target, which allows you to create rules in
 454          the "mangle" table which alter the Type Of Service field of an IPv4
 455          or the Priority field of an IPv6 packet, prior to routing.
 456
 457          To compile it as a module, choose M here.  If unsure, say N.
 458
 459config NETFILTER_XT_TARGET_HL
 460        tristate '"HL" hoplimit target support'
 461        depends on IP_NF_MANGLE || IP6_NF_MANGLE
 462        depends on NETFILTER_ADVANCED
 463        ---help---
 464        This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
 465        targets, which enable the user to change the
 466        hoplimit/time-to-live value of the IP header.
 467
 468        While it is safe to decrement the hoplimit/TTL value, the
 469        modules also allow to increment and set the hoplimit value of
 470        the header to arbitrary values. This is EXTREMELY DANGEROUS
 471        since you can easily create immortal packets that loop
 472        forever on the network.
 473
 474config NETFILTER_XT_TARGET_IDLETIMER
 475        tristate  "IDLETIMER target support"
 476        depends on NETFILTER_ADVANCED
 477        help
 478
 479          This option adds the `IDLETIMER' target.  Each matching packet
 480          resets the timer associated with label specified when the rule is
 481          added.  When the timer expires, it triggers a sysfs notification.
 482          The remaining time for expiration can be read via sysfs.
 483
 484          To compile it as a module, choose M here.  If unsure, say N.
 485
 486config NETFILTER_XT_TARGET_LED
 487        tristate '"LED" target support'
 488        depends on LEDS_CLASS && LEDS_TRIGGERS
 489        depends on NETFILTER_ADVANCED
 490        help
 491          This option adds a `LED' target, which allows you to blink LEDs in
 492          response to particular packets passing through your machine.
 493
 494          This can be used to turn a spare LED into a network activity LED,
 495          which only flashes in response to FTP transfers, for example.  Or
 496          you could have an LED which lights up for a minute or two every time
 497          somebody connects to your machine via SSH.
 498
 499          You will need support for the "led" class to make this work.
 500
 501          To create an LED trigger for incoming SSH traffic:
 502            iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
 503
 504          Then attach the new trigger to an LED on your system:
 505            echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
 506
 507          For more information on the LEDs available on your system, see
 508          Documentation/leds-class.txt
 509
 510config NETFILTER_XT_TARGET_MARK
 511        tristate '"MARK" target support'
 512        depends on NETFILTER_ADVANCED
 513        select NETFILTER_XT_MARK
 514        ---help---
 515        This is a backwards-compat option for the user's convenience
 516        (e.g. when running oldconfig). It selects
 517        CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
 518
 519config NETFILTER_XT_TARGET_NFLOG
 520        tristate '"NFLOG" target support'
 521        default m if NETFILTER_ADVANCED=n
 522        select NETFILTER_NETLINK_LOG
 523        help
 524          This option enables the NFLOG target, which allows to LOG
 525          messages through nfnetlink_log.
 526
 527          To compile it as a module, choose M here.  If unsure, say N.
 528
 529config NETFILTER_XT_TARGET_NFQUEUE
 530        tristate '"NFQUEUE" target Support'
 531        depends on NETFILTER_ADVANCED
 532        select NETFILTER_NETLINK_QUEUE
 533        help
 534          This target replaced the old obsolete QUEUE target.
 535
 536          As opposed to QUEUE, it supports 65535 different queues,
 537          not just one.
 538
 539          To compile it as a module, choose M here.  If unsure, say N.
 540
 541config NETFILTER_XT_TARGET_NOTRACK
 542        tristate  '"NOTRACK" target support'
 543        depends on IP_NF_RAW || IP6_NF_RAW
 544        depends on NF_CONNTRACK
 545        depends on NETFILTER_ADVANCED
 546        help
 547          The NOTRACK target allows a select rule to specify
 548          which packets *not* to enter the conntrack/NAT
 549          subsystem with all the consequences (no ICMP error tracking,
 550          no protocol helpers for the selected packets).
 551
 552          If you want to compile it as a module, say M here and read
 553          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 554
 555config NETFILTER_XT_TARGET_RATEEST
 556        tristate '"RATEEST" target support'
 557        depends on NETFILTER_ADVANCED
 558        help
 559          This option adds a `RATEEST' target, which allows to measure
 560          rates similar to TC estimators. The `rateest' match can be
 561          used to match on the measured rates.
 562
 563          To compile it as a module, choose M here.  If unsure, say N.
 564
 565config NETFILTER_XT_TARGET_TEE
 566        tristate '"TEE" - packet cloning to alternate destination'
 567        depends on NETFILTER_ADVANCED
 568        depends on (IPV6 || IPV6=n)
 569        depends on !NF_CONNTRACK || NF_CONNTRACK
 570        ---help---
 571        This option adds a "TEE" target with which a packet can be cloned and
 572        this clone be rerouted to another nexthop.
 573
 574config NETFILTER_XT_TARGET_TPROXY
 575        tristate '"TPROXY" target support (EXPERIMENTAL)'
 576        depends on EXPERIMENTAL
 577        depends on NETFILTER_TPROXY
 578        depends on NETFILTER_XTABLES
 579        depends on NETFILTER_ADVANCED
 580        select NF_DEFRAG_IPV4
 581        select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
 582        help
 583          This option adds a `TPROXY' target, which is somewhat similar to
 584          REDIRECT.  It can only be used in the mangle table and is useful
 585          to redirect traffic to a transparent proxy.  It does _not_ depend
 586          on Netfilter connection tracking and NAT, unlike REDIRECT.
 587
 588          To compile it as a module, choose M here.  If unsure, say N.
 589
 590config NETFILTER_XT_TARGET_TRACE
 591        tristate  '"TRACE" target support'
 592        depends on IP_NF_RAW || IP6_NF_RAW
 593        depends on NETFILTER_ADVANCED
 594        help
 595          The TRACE target allows you to mark packets so that the kernel
 596          will log every rule which match the packets as those traverse
 597          the tables, chains, rules.
 598
 599          If you want to compile it as a module, say M here and read
 600          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 601
 602config NETFILTER_XT_TARGET_SECMARK
 603        tristate '"SECMARK" target support'
 604        depends on NETWORK_SECMARK
 605        default m if NETFILTER_ADVANCED=n
 606        help
 607          The SECMARK target allows security marking of network
 608          packets, for use with security subsystems.
 609
 610          To compile it as a module, choose M here.  If unsure, say N.
 611
 612config NETFILTER_XT_TARGET_TCPMSS
 613        tristate '"TCPMSS" target support'
 614        depends on (IPV6 || IPV6=n)
 615        default m if NETFILTER_ADVANCED=n
 616        ---help---
 617          This option adds a `TCPMSS' target, which allows you to alter the
 618          MSS value of TCP SYN packets, to control the maximum size for that
 619          connection (usually limiting it to your outgoing interface's MTU
 620          minus 40).
 621
 622          This is used to overcome criminally braindead ISPs or servers which
 623          block ICMP Fragmentation Needed packets.  The symptoms of this
 624          problem are that everything works fine from your Linux
 625          firewall/router, but machines behind it can never exchange large
 626          packets:
 627                1) Web browsers connect, then hang with no data received.
 628                2) Small mail works fine, but large emails hang.
 629                3) ssh works fine, but scp hangs after initial handshaking.
 630
 631          Workaround: activate this option and add a rule to your firewall
 632          configuration like:
 633
 634          iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
 635                         -j TCPMSS --clamp-mss-to-pmtu
 636
 637          To compile it as a module, choose M here.  If unsure, say N.
 638
 639config NETFILTER_XT_TARGET_TCPOPTSTRIP
 640        tristate '"TCPOPTSTRIP" target support (EXPERIMENTAL)'
 641        depends on EXPERIMENTAL
 642        depends on IP_NF_MANGLE || IP6_NF_MANGLE
 643        depends on NETFILTER_ADVANCED
 644        help
 645          This option adds a "TCPOPTSTRIP" target, which allows you to strip
 646          TCP options from TCP packets.
 647
 648# alphabetically ordered list of matches
 649
 650comment "Xtables matches"
 651
 652config NETFILTER_XT_MATCH_ADDRTYPE
 653        tristate '"addrtype" address type match support'
 654        depends on NETFILTER_ADVANCED
 655        ---help---
 656          This option allows you to match what routing thinks of an address,
 657          eg. UNICAST, LOCAL, BROADCAST, ...
 658
 659          If you want to compile it as a module, say M here and read
 660          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 661
 662config NETFILTER_XT_MATCH_CLUSTER
 663        tristate '"cluster" match support'
 664        depends on NF_CONNTRACK
 665        depends on NETFILTER_ADVANCED
 666        ---help---
 667          This option allows you to build work-load-sharing clusters of
 668          network servers/stateful firewalls without having a dedicated
 669          load-balancing router/server/switch. Basically, this match returns
 670          true when the packet must be handled by this cluster node. Thus,
 671          all nodes see all packets and this match decides which node handles
 672          what packets. The work-load sharing algorithm is based on source
 673          address hashing.
 674
 675          If you say Y or M here, try `iptables -m cluster --help` for
 676          more information.
 677
 678config NETFILTER_XT_MATCH_COMMENT
 679        tristate  '"comment" match support'
 680        depends on NETFILTER_ADVANCED
 681        help
 682          This option adds a `comment' dummy-match, which allows you to put
 683          comments in your iptables ruleset.
 684
 685          If you want to compile it as a module, say M here and read
 686          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 687
 688config NETFILTER_XT_MATCH_CONNBYTES
 689        tristate  '"connbytes" per-connection counter match support'
 690        depends on NF_CONNTRACK
 691        depends on NETFILTER_ADVANCED
 692        help
 693          This option adds a `connbytes' match, which allows you to match the
 694          number of bytes and/or packets for each direction within a connection.
 695
 696          If you want to compile it as a module, say M here and read
 697          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 698
 699config NETFILTER_XT_MATCH_CONNLIMIT
 700        tristate '"connlimit" match support"'
 701        depends on NF_CONNTRACK
 702        depends on NETFILTER_ADVANCED
 703        ---help---
 704          This match allows you to match against the number of parallel
 705          connections to a server per client IP address (or address block).
 706
 707config NETFILTER_XT_MATCH_CONNMARK
 708        tristate  '"connmark" connection mark match support'
 709        depends on NF_CONNTRACK
 710        depends on NETFILTER_ADVANCED
 711        select NETFILTER_XT_CONNMARK
 712        ---help---
 713        This is a backwards-compat option for the user's convenience
 714        (e.g. when running oldconfig). It selects
 715        CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
 716
 717config NETFILTER_XT_MATCH_CONNTRACK
 718        tristate '"conntrack" connection tracking match support'
 719        depends on NF_CONNTRACK
 720        default m if NETFILTER_ADVANCED=n
 721        help
 722          This is a general conntrack match module, a superset of the state match.
 723
 724          It allows matching on additional conntrack information, which is
 725          useful in complex configurations, such as NAT gateways with multiple
 726          internet links or tunnels.
 727
 728          To compile it as a module, choose M here.  If unsure, say N.
 729
 730config NETFILTER_XT_MATCH_CPU
 731        tristate '"cpu" match support'
 732        depends on NETFILTER_ADVANCED
 733        help
 734          CPU matching allows you to match packets based on the CPU
 735          currently handling the packet.
 736
 737          To compile it as a module, choose M here.  If unsure, say N.
 738
 739config NETFILTER_XT_MATCH_DCCP
 740        tristate '"dccp" protocol match support'
 741        depends on NETFILTER_ADVANCED
 742        default IP_DCCP
 743        help
 744          With this option enabled, you will be able to use the iptables
 745          `dccp' match in order to match on DCCP source/destination ports
 746          and DCCP flags.
 747
 748          If you want to compile it as a module, say M here and read
 749          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 750
 751config NETFILTER_XT_MATCH_DEVGROUP
 752        tristate '"devgroup" match support'
 753        depends on NETFILTER_ADVANCED
 754        help
 755          This option adds a `devgroup' match, which allows you to match on the
 756          device group a network device is assigned to.
 757
 758          To compile it as a module, choose M here.  If unsure, say N.
 759
 760config NETFILTER_XT_MATCH_DSCP
 761        tristate '"dscp" and "tos" match support'
 762        depends on NETFILTER_ADVANCED
 763        help
 764          This option adds a `DSCP' match, which allows you to match against
 765          the IPv4/IPv6 header DSCP field (differentiated services codepoint).
 766
 767          The DSCP field can have any value between 0x0 and 0x3f inclusive.
 768
 769          It will also add a "tos" match, which allows you to match packets
 770          based on the Type Of Service fields of the IPv4 packet (which share
 771          the same bits as DSCP).
 772
 773          To compile it as a module, choose M here.  If unsure, say N.
 774
 775config NETFILTER_XT_MATCH_ESP
 776        tristate '"esp" match support'
 777        depends on NETFILTER_ADVANCED
 778        help
 779          This match extension allows you to match a range of SPIs
 780          inside ESP header of IPSec packets.
 781
 782          To compile it as a module, choose M here.  If unsure, say N.
 783
 784config NETFILTER_XT_MATCH_HASHLIMIT
 785        tristate '"hashlimit" match support'
 786        depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
 787        depends on NETFILTER_ADVANCED
 788        help
 789          This option adds a `hashlimit' match.
 790
 791          As opposed to `limit', this match dynamically creates a hash table
 792          of limit buckets, based on your selection of source/destination
 793          addresses and/or ports.
 794
 795          It enables you to express policies like `10kpps for any given
 796          destination address' or `500pps from any given source address'
 797          with a single rule.
 798
 799config NETFILTER_XT_MATCH_HELPER
 800        tristate '"helper" match support'
 801        depends on NF_CONNTRACK
 802        depends on NETFILTER_ADVANCED
 803        help
 804          Helper matching allows you to match packets in dynamic connections
 805          tracked by a conntrack-helper, e.g. ip_conntrack_ftp.
 806
 807          To compile it as a module, choose M here.  If unsure, say Y.
 808
 809config NETFILTER_XT_MATCH_HL
 810        tristate '"hl" hoplimit/TTL match support'
 811        depends on NETFILTER_ADVANCED
 812        ---help---
 813        HL matching allows you to match packets based on the hoplimit
 814        in the IPv6 header, or the time-to-live field in the IPv4
 815        header of the packet.
 816
 817config NETFILTER_XT_MATCH_IPRANGE
 818        tristate '"iprange" address range match support'
 819        depends on NETFILTER_ADVANCED
 820        ---help---
 821        This option adds an "iprange" match, which allows you to match based on
 822        an IP address range. (Normal iptables only matches on single addresses
 823        with an optional mask.)
 824
 825        If unsure, say M.
 826
 827config NETFILTER_XT_MATCH_IPVS
 828        tristate '"ipvs" match support'
 829        depends on IP_VS
 830        depends on NETFILTER_ADVANCED
 831        depends on NF_CONNTRACK
 832        help
 833          This option allows you to match against IPVS properties of a packet.
 834
 835          If unsure, say N.
 836
 837config NETFILTER_XT_MATCH_LENGTH
 838        tristate '"length" match support'
 839        depends on NETFILTER_ADVANCED
 840        help
 841          This option allows you to match the length of a packet against a
 842          specific value or range of values.
 843
 844          To compile it as a module, choose M here.  If unsure, say N.
 845
 846config NETFILTER_XT_MATCH_LIMIT
 847        tristate '"limit" match support'
 848        depends on NETFILTER_ADVANCED
 849        help
 850          limit matching allows you to control the rate at which a rule can be
 851          matched: mainly useful in combination with the LOG target ("LOG
 852          target support", below) and to avoid some Denial of Service attacks.
 853
 854          To compile it as a module, choose M here.  If unsure, say N.
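
A userspace model of the `hashlimit' mechanism described above (and of `limit', which is the same token bucket without a key), added here as an illustration and not taken from the kernel's xt_hashlimit or xt_limit code. It assumes a fixed-size table, a key that is the IPv4 source address, and a caller-supplied clock in microseconds so that the behaviour is deterministic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define HL_BUCKETS 64   /* constructed size; the kernel grows its table dynamically */

/* One limit bucket: a token bucket owned by one key (here a source address). */
struct hl_bucket {
    bool     used;
    uint32_t key;        /* IPv4 source address, host byte order */
    uint64_t last_us;    /* time of the last refill */
    uint64_t tokens;     /* in micro-tokens so that fractional refills work */
};

struct hashlimit {
    uint64_t rate_pps, burst;              /* tokens added per second; capacity in packets */
    struct hl_bucket tab[HL_BUCKETS];
};

static struct hl_bucket *hl_lookup(struct hashlimit *h, uint32_t key, uint64_t now_us)
{
    size_t i = (key * 2654435761u) % HL_BUCKETS;   /* multiplicative hash, linear probing */
    for (size_t n = 0; n < HL_BUCKETS; n++, i = (i + 1) % HL_BUCKETS) {
        if (!h->tab[i].used) {                     /* unseen key: a fresh, full bucket */
            h->tab[i] = (struct hl_bucket){ true, key, now_us, h->burst * 1000000 };
            return &h->tab[i];
        }
        if (h->tab[i].key == key)
            return &h->tab[i];
    }
    return NULL;                                    /* table full: treat as over limit */
}

/* True while the packet's key is within its rate (the rule matches), false once empty. */
bool hashlimit_match(struct hashlimit *h, uint32_t key, uint64_t now_us)
{
    struct hl_bucket *b = hl_lookup(h, key, now_us);
    if (!b)
        return false;
    uint64_t cap = h->burst * 1000000;               /* refill: rate per second, capped at burst */
    uint64_t refill = (now_us - b->last_us) * h->rate_pps;
    b->tokens = b->tokens + refill > cap ? cap : b->tokens + refill;
    b->last_us = now_us;
    if (b->tokens < 1000000)
        return false;
    b->tokens -= 1000000;                            /* one packet costs one token */
    return true;
}

/* Offer n packets from one key at the same instant; returns how many matched. */
unsigned count_matching(struct hashlimit *h, uint32_t key, uint64_t now_us, unsigned n)
{
    unsigned matched = 0;
    for (unsigned i = 0; i < n; i++)
        if (hashlimit_match(h, key, now_us)) matched++;
    return matched;
}
```

With rate 500 and burst 5 this is the policy `500pps from any given source address': each source gets its own bucket, and a source that has spent its burst earns one more packet every 2 ms.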
 855
 856config NETFILTER_XT_MATCH_MAC
 857        tristate '"mac" address match support'
 858        depends on NETFILTER_ADVANCED
 859        help
 860          MAC matching allows you to match packets based on the source
 861          Ethernet address of the packet.
 862
 863          To compile it as a module, choose M here.  If unsure, say N.
 864
 865config NETFILTER_XT_MATCH_MARK
 866        tristate '"mark" match support'
 867        depends on NETFILTER_ADVANCED
 868        select NETFILTER_XT_MARK
 869        ---help---
 870        This is a backwards-compat option for the user's convenience
 871        (e.g. when running oldconfig). It selects
 872        CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
 873
 874config NETFILTER_XT_MATCH_MULTIPORT
 875        tristate '"multiport" Multiple port match support'
 876        depends on NETFILTER_ADVANCED
 877        help
 878          Multiport matching allows you to match TCP or UDP packets based on
 879          a series of source or destination ports: normally a rule can only
 880          match a single range of ports.
 881
 882          To compile it as a module, choose M here.  If unsure, say N.
 883
 884config NETFILTER_XT_MATCH_OSF
 885        tristate '"osf" Passive OS fingerprint match'
 886        depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
 887        help
 888          This option selects the Passive OS Fingerprinting match module
 889          that allows you to passively match the remote operating system by
 890          analyzing incoming TCP SYN packets.
 891
 892          Rules and loading software can be downloaded from
 893          http://www.ioremap.net/projects/osf
 894
 895          To compile it as a module, choose M here.  If unsure, say N.
 896
 897config NETFILTER_XT_MATCH_OWNER
 898        tristate '"owner" match support'
 899        depends on NETFILTER_ADVANCED
 900        ---help---
 901        Socket owner matching allows you to match locally-generated packets
 902        based on who created the socket: the user or group. It is also
 903        possible to check whether a socket actually exists.
 904
 905config NETFILTER_XT_MATCH_POLICY
 906        tristate 'IPsec "policy" match support'
 907        depends on XFRM
 908        default m if NETFILTER_ADVANCED=n
 909        help
 910          Policy matching allows you to match packets based on the
 911          IPsec policy that was used during decapsulation/will
 912          be used during encapsulation.
 913
 914          To compile it as a module, choose M here.  If unsure, say N.
 915
 916config NETFILTER_XT_MATCH_PHYSDEV
 917        tristate '"physdev" match support'
 918        depends on BRIDGE && BRIDGE_NETFILTER
 919        depends on NETFILTER_ADVANCED
 920        help
 921          Physdev packet matching matches against the physical bridge ports
 922          the IP packet arrived on or will leave by.
 923
 924          To compile it as a module, choose M here.  If unsure, say N.
 925
 926config NETFILTER_XT_MATCH_PKTTYPE
 927        tristate '"pkttype" packet type match support'
 928        depends on NETFILTER_ADVANCED
 929        help
 930          Packet type matching allows you to match a packet by
 931          its "class", e.g. BROADCAST, MULTICAST, ...
 932
 933          Typical usage:
 934          iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
 935
 936          To compile it as a module, choose M here.  If unsure, say N.
 937
 938config NETFILTER_XT_MATCH_QUOTA
 939        tristate '"quota" match support'
 940        depends on NETFILTER_ADVANCED
 941        help
 942          This option adds a `quota' match, which allows you to match on a
 943          byte counter.
 944
 945          If you want to compile it as a module, say M here and read
 946          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 947
 948config NETFILTER_XT_MATCH_RATEEST
 949        tristate '"rateest" match support'
 950        depends on NETFILTER_ADVANCED
 951        select NETFILTER_XT_TARGET_RATEEST
 952        help
 953          This option adds a `rateest' match, which allows you to match on the
 954          rate estimated by the RATEEST target.
 955
 956          To compile it as a module, choose M here.  If unsure, say N.
 957
 958config NETFILTER_XT_MATCH_REALM
 959        tristate  '"realm" match support'
 960        depends on NETFILTER_ADVANCED
 961        select IP_ROUTE_CLASSID
 962        help
 963          This option adds a `realm' match, which allows you to use the realm
 964          key from the routing subsystem inside iptables.
 965
 966          This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
 967          in tc world.
 968
 969          If you want to compile it as a module, say M here and read
 970          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 971
 972config NETFILTER_XT_MATCH_RECENT
 973        tristate '"recent" match support'
 974        depends on NETFILTER_ADVANCED
 975        ---help---
 976        This match is used for creating one or many lists of recently
 977        used addresses and then matching against that/those list(s).
 978
 979        Short options are available by using 'iptables -m recent -h'
 980        Official Website: <http://snowman.net/projects/ipt_recent/>
 981
 982config NETFILTER_XT_MATCH_SCTP
 983        tristate  '"sctp" protocol match support (EXPERIMENTAL)'
 984        depends on EXPERIMENTAL
 985        depends on NETFILTER_ADVANCED
 986        default IP_SCTP
 987        help
 988          With this option enabled, you will be able to use the
 989          `sctp' match in order to match on SCTP source/destination ports
 990          and SCTP chunk types.
 991
 992          If you want to compile it as a module, say M here and read
 993          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 994
 995config NETFILTER_XT_MATCH_SOCKET
 996        tristate '"socket" match support (EXPERIMENTAL)'
 997        depends on EXPERIMENTAL
 998        depends on NETFILTER_TPROXY
 999        depends on NETFILTER_XTABLES
1000        depends on NETFILTER_ADVANCED
1001        depends on !NF_CONNTRACK || NF_CONNTRACK
1002        select NF_DEFRAG_IPV4
1003        select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
1004        help
1005          This option adds a `socket' match, which can be used to match
1006          packets for which a TCP or UDP socket lookup finds a valid socket.
1007          It can be used in combination with the MARK target and policy
1008          routing to implement full featured non-locally bound sockets.
1009
1010          To compile it as a module, choose M here.  If unsure, say N.
1011
1012config NETFILTER_XT_MATCH_STATE
1013        tristate '"state" match support'
1014        depends on NF_CONNTRACK
1015        default m if NETFILTER_ADVANCED=n
1016        help
1017          Connection state matching allows you to match packets based on their
1018          relationship to a tracked connection (i.e. previous packets).  This
1019          is a powerful tool for packet classification.
1020
1021          To compile it as a module, choose M here.  If unsure, say N.
1022
1023config NETFILTER_XT_MATCH_STATISTIC
1024        tristate '"statistic" match support'
1025        depends on NETFILTER_ADVANCED
1026        help
1027          This option adds a `statistic' match, which allows you to match
1028          on packets periodically or randomly with a given percentage.
1029
1030          To compile it as a module, choose M here.  If unsure, say N.
1031
1032config NETFILTER_XT_MATCH_STRING
1033        tristate  '"string" match support'
1034        depends on NETFILTER_ADVANCED
1035        select TEXTSEARCH
1036        select TEXTSEARCH_KMP
1037        select TEXTSEARCH_BM
1038        select TEXTSEARCH_FSM
1039        help
1040          This option adds a `string' match, which allows you to look for
1041          patterns in packets.
1042
1043          To compile it as a module, choose M here.  If unsure, say N.
1044
1045config NETFILTER_XT_MATCH_TCPMSS
1046        tristate '"tcpmss" match support'
1047        depends on NETFILTER_ADVANCED
1048        help
1049          This option adds a `tcpmss' match, which allows you to examine the
1050          MSS value of TCP SYN packets, which controls the maximum packet size
1051          for that connection.
1052
1053          To compile it as a module, choose M here.  If unsure, say N.
1054
1055config NETFILTER_XT_MATCH_TIME
1056        tristate '"time" match support'
1057        depends on NETFILTER_ADVANCED
1058        ---help---
1059          This option adds a "time" match, which allows you to match based on
1060          the packet arrival time (at the machine which netfilter is running
1061          on) or departure time/date (for locally generated packets).
1062
1063          If you say Y here, try `iptables -m time --help` for
1064          more information.
1065
1066          If you want to compile it as a module, say M here.
1067          If unsure, say N.
1068
1069config NETFILTER_XT_MATCH_U32
1070        tristate '"u32" match support'
1071        depends on NETFILTER_ADVANCED
1072        ---help---
1073          u32 allows you to extract quantities of up to 4 bytes from a packet,
1074          AND them with specified masks, shift them by specified amounts and
1075          test whether the results are in any of a set of specified ranges.
1076          The specification of what to extract is general enough to skip over
1077          headers with lengths stored in the packet, as in IP or TCP header
1078          lengths.
1079
1080          Details and examples are in the kernel module source.
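
The extract / AND / shift / range-test pipeline described above, modelled in userspace as an added example (this is not the kernel's xt_u32 code): steps are applied in the order written, and `@' rebases on a value just read from the packet, which is how the IP header length is skipped. The sample packet and the `is_tcp_to_port' wrapper are constructed for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* A step of a u32 location: "&mask", ">>n" or "@n" (re-read 4 bytes at offset n from the value just computed). */
enum u32_op { U32_AND, U32_RSH, U32_AT };
struct u32_step { enum u32_op op; uint32_t n; };
struct u32_range { uint32_t lo, hi; };

/* Big-endian 32-bit read; a packet too short to hold the word never matches. */
static bool read_be32(const uint8_t *p, size_t len, size_t pos, uint32_t *out)
{
    if (pos > len || len - pos < 4) return false;
    *out = ((uint32_t)p[pos] << 24) | ((uint32_t)p[pos + 1] << 16) |
           ((uint32_t)p[pos + 2] << 8) | p[pos + 3];
    return true;
}

/* Evaluate "start<steps>=ranges": extract 4 bytes at start, apply the steps in order, match if in any range. */
bool u32_match(const uint8_t *p, size_t len, uint32_t start,
               const struct u32_step *s, size_t ns,
               const struct u32_range *r, size_t nr)
{
    uint32_t v;
    if (!read_be32(p, len, start, &v)) return false;
    for (size_t i = 0; i < ns; i++) {
        switch (s[i].op) {
        case U32_AND: v &= s[i].n; break;
        case U32_RSH: v = s[i].n < 32 ? v >> s[i].n : 0; break;  /* avoid an undefined shift */
        case U32_AT:  if (!read_be32(p, len, (size_t)v + s[i].n, &v)) return false; break;
        }
    }
    for (size_t i = 0; i < nr; i++)
        if (v >= r[i].lo && v <= r[i].hi) return true;
    return false;
}

/* Constructed sample: IPv4 header (IHL=5, protocol 6) followed by a TCP header with destination port 22. */
static const uint8_t sample_pkt[] = {
    0x45,0x00,0x00,0x28, 0x00,0x00,0x40,0x00, 0x40,0x06,0x00,0x00, 0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x9c,0x40,0x00,0x16, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x50,0x02,0xff,0xff, 0x00,0x00,0x00,0x00,
};

/* --u32 "6&0xFF=6 && 0>>22&0x3C@0&0xFFFF=<port>": protocol is TCP, and the destination
 * port read after skipping the IP header by its IHL field equals <port>. */
bool is_tcp_to_port(const uint8_t *p, size_t len, uint16_t port)
{
    const struct u32_step proto[] = { { U32_AND, 0xFF } };
    const struct u32_step dport[] = { { U32_RSH, 22 }, { U32_AND, 0x3C },
                                      { U32_AT, 0 }, { U32_AND, 0xFFFF } };
    const struct u32_range is_tcp = { 6, 6 }, want = { port, port };
    return u32_match(p, len, 6, proto, 1, &is_tcp, 1) &&
           u32_match(p, len, 0, dport, 4, &want, 1);
}
```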
1081
1082endif # NETFILTER_XTABLES
1083
1084endmenu
1085
1086source "net/netfilter/ipset/Kconfig"
1087
1088source "net/netfilter/ipvs/Kconfig"
1089