Kconfig 48 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463
  1. menu "Core Netfilter Configuration"
  2. depends on NET && INET && NETFILTER
  3. config NETFILTER_INGRESS
  4. bool "Netfilter ingress support"
  5. default y
  6. select NET_INGRESS
  7. help
  8. This allows you to classify packets from ingress using the Netfilter
  9. infrastructure.
  10. config NETFILTER_NETLINK
  11. tristate
  12. config NETFILTER_NETLINK_ACCT
  13. tristate "Netfilter NFACCT over NFNETLINK interface"
  14. depends on NETFILTER_ADVANCED
  15. select NETFILTER_NETLINK
  16. help
  17. If this option is enabled, the kernel will include support
  18. for extended accounting via NFNETLINK.
  19. config NETFILTER_NETLINK_QUEUE
  20. tristate "Netfilter NFQUEUE over NFNETLINK interface"
  21. depends on NETFILTER_ADVANCED
  22. select NETFILTER_NETLINK
  23. help
  24. If this option is enabled, the kernel will include support
  25. for queueing packets via NFNETLINK.
  26. config NETFILTER_NETLINK_LOG
  27. tristate "Netfilter LOG over NFNETLINK interface"
  28. default m if NETFILTER_ADVANCED=n
  29. select NETFILTER_NETLINK
  30. help
  31. If this option is enabled, the kernel will include support
  32. for logging packets via NFNETLINK.
  33. This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms,
  34. and is also scheduled to replace the old syslog-based ipt_LOG
  35. and ip6t_LOG modules.
  36. config NF_CONNTRACK
  37. tristate "Netfilter connection tracking support"
  38. default m if NETFILTER_ADVANCED=n
  39. help
  40. Connection tracking keeps a record of what packets have passed
  41. through your machine, in order to figure out how they are related
  42. into connections.
  43. This is required to do Masquerading or other kinds of Network
  44. Address Translation. It can also be used to enhance packet
  45. filtering (see `Connection state match support' below).
  46. To compile it as a module, choose M here. If unsure, say N.
  47. config NF_LOG_COMMON
  48. tristate
  49. if NF_CONNTRACK
  50. config NF_CONNTRACK_MARK
  51. bool 'Connection mark tracking support'
  52. depends on NETFILTER_ADVANCED
  53. help
  54. This option enables support for connection marks, used by the
  55. `CONNMARK' target and `connmark' match. Similar to the mark value
  56. of packets, but this mark value is kept in the conntrack session
  57. instead of the individual packets.
  58. config NF_CONNTRACK_SECMARK
  59. bool 'Connection tracking security mark support'
  60. depends on NETWORK_SECMARK
  61. default m if NETFILTER_ADVANCED=n
  62. help
  63. This option enables security markings to be applied to
  64. connections. Typically they are copied to connections from
  65. packets using the CONNSECMARK target and copied back from
  66. connections to packets with the same target, with the packets
  67. being originally labeled via SECMARK.
  68. If unsure, say 'N'.
  69. config NF_CONNTRACK_ZONES
  70. bool 'Connection tracking zones'
  71. depends on NETFILTER_ADVANCED
  72. depends on NETFILTER_XT_TARGET_CT
  73. help
  74. This option enables support for connection tracking zones.
  75. Normally, each connection needs to have a unique system wide
  76. identity. Connection tracking zones allow to have multiple
  77. connections using the same identity, as long as they are
  78. contained in different zones.
  79. If unsure, say `N'.
  80. config NF_CONNTRACK_PROCFS
  81. bool "Supply CT list in procfs (OBSOLETE)"
  82. default y
  83. depends on PROC_FS
  84. ---help---
  85. This option enables for the list of known conntrack entries
  86. to be shown in procfs under net/netfilter/nf_conntrack. This
  87. is considered obsolete in favor of using the conntrack(8)
  88. tool which uses Netlink.
  89. config NF_CONNTRACK_EVENTS
  90. bool "Connection tracking events"
  91. depends on NETFILTER_ADVANCED
  92. help
  93. If this option is enabled, the connection tracking code will
  94. provide a notifier chain that can be used by other kernel code
  95. to get notified about changes in the connection tracking state.
  96. If unsure, say `N'.
  97. config NF_CONNTRACK_TIMEOUT
  98. bool 'Connection tracking timeout'
  99. depends on NETFILTER_ADVANCED
  100. help
  101. This option enables support for connection tracking timeout
  102. extension. This allows you to attach timeout policies to flow
  103. via the CT target.
  104. If unsure, say `N'.
  105. config NF_CONNTRACK_TIMESTAMP
  106. bool 'Connection tracking timestamping'
  107. depends on NETFILTER_ADVANCED
  108. help
  109. This option enables support for connection tracking timestamping.
  110. This allows you to store the flow start-time and to obtain
  111. the flow-stop time (once it has been destroyed) via Connection
  112. tracking events.
  113. If unsure, say `N'.
  114. config NF_CONNTRACK_LABELS
  115. bool
  116. help
  117. This option enables support for assigning user-defined flag bits
  118. to connection tracking entries. It selected by the connlabel match.
  119. config NF_CT_PROTO_DCCP
  120. tristate 'DCCP protocol connection tracking support'
  121. depends on NETFILTER_ADVANCED
  122. default IP_DCCP
  123. help
  124. With this option enabled, the layer 3 independent connection
  125. tracking code will be able to do state tracking on DCCP connections.
  126. If unsure, say 'N'.
  127. config NF_CT_PROTO_GRE
  128. tristate
  129. config NF_CT_PROTO_SCTP
  130. tristate 'SCTP protocol connection tracking support'
  131. depends on NETFILTER_ADVANCED
  132. default IP_SCTP
  133. help
  134. With this option enabled, the layer 3 independent connection
  135. tracking code will be able to do state tracking on SCTP connections.
  136. If you want to compile it as a module, say M here and read
  137. <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
  138. config NF_CT_PROTO_UDPLITE
  139. tristate 'UDP-Lite protocol connection tracking support'
  140. depends on NETFILTER_ADVANCED
  141. help
  142. With this option enabled, the layer 3 independent connection
  143. tracking code will be able to do state tracking on UDP-Lite
  144. connections.
  145. To compile it as a module, choose M here. If unsure, say N.
  146. config NF_CONNTRACK_AMANDA
  147. tristate "Amanda backup protocol support"
  148. depends on NETFILTER_ADVANCED
  149. select TEXTSEARCH
  150. select TEXTSEARCH_KMP
  151. help
  152. If you are running the Amanda backup package <http://www.amanda.org/>
  153. on this machine or machines that will be MASQUERADED through this
  154. machine, then you may want to enable this feature. This allows the
  155. connection tracking and natting code to allow the sub-channels that
  156. Amanda requires for communication of the backup data, messages and
  157. index.
  158. To compile it as a module, choose M here. If unsure, say N.
  159. config NF_CONNTRACK_FTP
  160. tristate "FTP protocol support"
  161. default m if NETFILTER_ADVANCED=n
  162. help
  163. Tracking FTP connections is problematic: special helpers are
  164. required for tracking them, and doing masquerading and other forms
  165. of Network Address Translation on them.
  166. This is FTP support on Layer 3 independent connection tracking.
  167. Layer 3 independent connection tracking is experimental scheme
  168. which generalize ip_conntrack to support other layer 3 protocols.
  169. To compile it as a module, choose M here. If unsure, say N.
  170. config NF_CONNTRACK_H323
  171. tristate "H.323 protocol support"
  172. depends on IPV6 || IPV6=n
  173. depends on NETFILTER_ADVANCED
  174. help
  175. H.323 is a VoIP signalling protocol from ITU-T. As one of the most
  176. important VoIP protocols, it is widely used by voice hardware and
  177. software including voice gateways, IP phones, Netmeeting, OpenPhone,
  178. Gnomemeeting, etc.
  179. With this module you can support H.323 on a connection tracking/NAT
  180. firewall.
  181. This module supports RAS, Fast Start, H.245 Tunnelling, Call
  182. Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
  183. whiteboard, file transfer, etc. For more information, please
  184. visit http://nath323.sourceforge.net/.
  185. To compile it as a module, choose M here. If unsure, say N.
  186. config NF_CONNTRACK_IRC
  187. tristate "IRC protocol support"
  188. default m if NETFILTER_ADVANCED=n
  189. help
  190. There is a commonly-used extension to IRC called
  191. Direct Client-to-Client Protocol (DCC). This enables users to send
  192. files to each other, and also chat to each other without the need
  193. of a server. DCC Sending is used anywhere you send files over IRC,
  194. and DCC Chat is most commonly used by Eggdrop bots. If you are
  195. using NAT, this extension will enable you to send files and initiate
  196. chats. Note that you do NOT need this extension to get files or
  197. have others initiate chats, or everything else in IRC.
  198. To compile it as a module, choose M here. If unsure, say N.
  199. config NF_CONNTRACK_BROADCAST
  200. tristate
  201. config NF_CONNTRACK_NETBIOS_NS
  202. tristate "NetBIOS name service protocol support"
  203. select NF_CONNTRACK_BROADCAST
  204. help
  205. NetBIOS name service requests are sent as broadcast messages from an
  206. unprivileged port and responded to with unicast messages to the
  207. same port. This make them hard to firewall properly because connection
  208. tracking doesn't deal with broadcasts. This helper tracks locally
  209. originating NetBIOS name service requests and the corresponding
  210. responses. It relies on correct IP address configuration, specifically
  211. netmask and broadcast address. When properly configured, the output
  212. of "ip address show" should look similar to this:
  213. $ ip -4 address show eth0
  214. 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
  215. inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
  216. To compile it as a module, choose M here. If unsure, say N.
  217. config NF_CONNTRACK_SNMP
  218. tristate "SNMP service protocol support"
  219. depends on NETFILTER_ADVANCED
  220. select NF_CONNTRACK_BROADCAST
  221. help
  222. SNMP service requests are sent as broadcast messages from an
  223. unprivileged port and responded to with unicast messages to the
  224. same port. This make them hard to firewall properly because connection
  225. tracking doesn't deal with broadcasts. This helper tracks locally
  226. originating SNMP service requests and the corresponding
  227. responses. It relies on correct IP address configuration, specifically
  228. netmask and broadcast address.
  229. To compile it as a module, choose M here. If unsure, say N.
  230. config NF_CONNTRACK_PPTP
  231. tristate "PPtP protocol support"
  232. depends on NETFILTER_ADVANCED
  233. select NF_CT_PROTO_GRE
  234. help
  235. This module adds support for PPTP (Point to Point Tunnelling
  236. Protocol, RFC2637) connection tracking and NAT.
  237. If you are running PPTP sessions over a stateful firewall or NAT
  238. box, you may want to enable this feature.
  239. Please note that not all PPTP modes of operation are supported yet.
  240. Specifically these limitations exist:
  241. - Blindly assumes that control connections are always established
  242. in PNS->PAC direction. This is a violation of RFC2637.
  243. - Only supports a single call within each session
  244. To compile it as a module, choose M here. If unsure, say N.
  245. config NF_CONNTRACK_SANE
  246. tristate "SANE protocol support"
  247. depends on NETFILTER_ADVANCED
  248. help
  249. SANE is a protocol for remote access to scanners as implemented
  250. by the 'saned' daemon. Like FTP, it uses separate control and
  251. data connections.
  252. With this module you can support SANE on a connection tracking
  253. firewall.
  254. To compile it as a module, choose M here. If unsure, say N.
  255. config NF_CONNTRACK_SIP
  256. tristate "SIP protocol support"
  257. default m if NETFILTER_ADVANCED=n
  258. help
  259. SIP is an application-layer control protocol that can establish,
  260. modify, and terminate multimedia sessions (conferences) such as
  261. Internet telephony calls. With the ip_conntrack_sip and
  262. the nf_nat_sip modules you can support the protocol on a connection
  263. tracking/NATing firewall.
  264. To compile it as a module, choose M here. If unsure, say N.
  265. config NF_CONNTRACK_TFTP
  266. tristate "TFTP protocol support"
  267. depends on NETFILTER_ADVANCED
  268. help
  269. TFTP connection tracking helper, this is required depending
  270. on how restrictive your ruleset is.
  271. If you are using a tftp client behind -j SNAT or -j MASQUERADING
  272. you will need this.
  273. To compile it as a module, choose M here. If unsure, say N.
  274. config NF_CT_NETLINK
  275. tristate 'Connection tracking netlink interface'
  276. select NETFILTER_NETLINK
  277. default m if NETFILTER_ADVANCED=n
  278. help
  279. This option enables support for a netlink-based userspace interface
  280. config NF_CT_NETLINK_TIMEOUT
  281. tristate 'Connection tracking timeout tuning via Netlink'
  282. select NETFILTER_NETLINK
  283. depends on NETFILTER_ADVANCED
  284. help
  285. This option enables support for connection tracking timeout
  286. fine-grain tuning. This allows you to attach specific timeout
  287. policies to flows, instead of using the global timeout policy.
  288. If unsure, say `N'.
  289. config NF_CT_NETLINK_HELPER
  290. tristate 'Connection tracking helpers in user-space via Netlink'
  291. select NETFILTER_NETLINK
  292. depends on NF_CT_NETLINK
  293. depends on NETFILTER_NETLINK_QUEUE
  294. depends on NETFILTER_NETLINK_GLUE_CT
  295. depends on NETFILTER_ADVANCED
  296. help
  297. This option enables the user-space connection tracking helpers
  298. infrastructure.
  299. If unsure, say `N'.
  300. config NETFILTER_NETLINK_GLUE_CT
  301. bool "NFQUEUE and NFLOG integration with Connection Tracking"
  302. default n
  303. depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
  304. help
  305. If this option is enabled, NFQUEUE and NFLOG can include
  306. Connection Tracking information together with the packet is
  307. the enqueued via NFNETLINK.
  308. config NF_NAT
  309. tristate
  310. config NF_NAT_NEEDED
  311. bool
  312. depends on NF_NAT
  313. default y
  314. config NF_NAT_PROTO_DCCP
  315. tristate
  316. depends on NF_NAT && NF_CT_PROTO_DCCP
  317. default NF_NAT && NF_CT_PROTO_DCCP
  318. config NF_NAT_PROTO_UDPLITE
  319. tristate
  320. depends on NF_NAT && NF_CT_PROTO_UDPLITE
  321. default NF_NAT && NF_CT_PROTO_UDPLITE
  322. config NF_NAT_PROTO_SCTP
  323. tristate
  324. default NF_NAT && NF_CT_PROTO_SCTP
  325. depends on NF_NAT && NF_CT_PROTO_SCTP
  326. select LIBCRC32C
  327. config NF_NAT_AMANDA
  328. tristate
  329. depends on NF_CONNTRACK && NF_NAT
  330. default NF_NAT && NF_CONNTRACK_AMANDA
  331. config NF_NAT_FTP
  332. tristate
  333. depends on NF_CONNTRACK && NF_NAT
  334. default NF_NAT && NF_CONNTRACK_FTP
  335. config NF_NAT_IRC
  336. tristate
  337. depends on NF_CONNTRACK && NF_NAT
  338. default NF_NAT && NF_CONNTRACK_IRC
  339. config NF_NAT_SIP
  340. tristate
  341. depends on NF_CONNTRACK && NF_NAT
  342. default NF_NAT && NF_CONNTRACK_SIP
  343. config NF_NAT_TFTP
  344. tristate
  345. depends on NF_CONNTRACK && NF_NAT
  346. default NF_NAT && NF_CONNTRACK_TFTP
  347. config NF_NAT_REDIRECT
  348. tristate "IPv4/IPv6 redirect support"
  349. depends on NF_NAT
  350. help
  351. This is the kernel functionality to redirect packets to local
  352. machine through NAT.
  353. config NETFILTER_SYNPROXY
  354. tristate
  355. endif # NF_CONNTRACK
  356. config NF_TABLES
  357. select NETFILTER_NETLINK
  358. tristate "Netfilter nf_tables support"
  359. help
  360. nftables is the new packet classification framework that intends to
  361. replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
  362. provides a pseudo-state machine with an extensible instruction-set
  363. (also known as expressions) that the userspace 'nft' utility
  364. (http://www.netfilter.org/projects/nftables) uses to build the
  365. rule-set. It also comes with the generic set infrastructure that
  366. allows you to construct mappings between matchings and actions
  367. for performance lookups.
  368. To compile it as a module, choose M here.
  369. if NF_TABLES
  370. config NF_TABLES_INET
  371. depends on IPV6
  372. select NF_TABLES_IPV4
  373. select NF_TABLES_IPV6
  374. tristate "Netfilter nf_tables mixed IPv4/IPv6 tables support"
  375. help
  376. This option enables support for a mixed IPv4/IPv6 "inet" table.
  377. config NF_TABLES_NETDEV
  378. tristate "Netfilter nf_tables netdev tables support"
  379. help
  380. This option enables support for the "netdev" table.
  381. config NFT_EXTHDR
  382. tristate "Netfilter nf_tables IPv6 exthdr module"
  383. help
  384. This option adds the "exthdr" expression that you can use to match
  385. IPv6 extension headers.
  386. config NFT_META
  387. tristate "Netfilter nf_tables meta module"
  388. help
  389. This option adds the "meta" expression that you can use to match and
  390. to set packet metainformation such as the packet mark.
  391. config NFT_CT
  392. depends on NF_CONNTRACK
  393. tristate "Netfilter nf_tables conntrack module"
  394. help
  395. This option adds the "meta" expression that you can use to match
  396. connection tracking information such as the flow state.
  397. config NFT_RBTREE
  398. tristate "Netfilter nf_tables rbtree set module"
  399. help
  400. This option adds the "rbtree" set type (Red Black tree) that is used
  401. to build interval-based sets.
  402. config NFT_HASH
  403. tristate "Netfilter nf_tables hash set module"
  404. help
  405. This option adds the "hash" set type that is used to build one-way
  406. mappings between matchings and actions.
  407. config NFT_COUNTER
  408. tristate "Netfilter nf_tables counter module"
  409. help
  410. This option adds the "counter" expression that you can use to
  411. include packet and byte counters in a rule.
  412. config NFT_LOG
  413. tristate "Netfilter nf_tables log module"
  414. help
  415. This option adds the "log" expression that you can use to log
  416. packets matching some criteria.
  417. config NFT_LIMIT
  418. tristate "Netfilter nf_tables limit module"
  419. help
  420. This option adds the "limit" expression that you can use to
  421. ratelimit rule matchings.
  422. config NFT_MASQ
  423. depends on NF_CONNTRACK
  424. depends on NF_NAT
  425. tristate "Netfilter nf_tables masquerade support"
  426. help
  427. This option adds the "masquerade" expression that you can use
  428. to perform NAT in the masquerade flavour.
  429. config NFT_REDIR
  430. depends on NF_CONNTRACK
  431. depends on NF_NAT
  432. tristate "Netfilter nf_tables redirect support"
  433. help
  434. This options adds the "redirect" expression that you can use
  435. to perform NAT in the redirect flavour.
  436. config NFT_NAT
  437. depends on NF_CONNTRACK
  438. select NF_NAT
  439. tristate "Netfilter nf_tables nat module"
  440. help
  441. This option adds the "nat" expression that you can use to perform
  442. typical Network Address Translation (NAT) packet transformations.
  443. config NFT_QUEUE
  444. depends on NETFILTER_NETLINK_QUEUE
  445. tristate "Netfilter nf_tables queue module"
  446. help
  447. This is required if you intend to use the userspace queueing
  448. infrastructure (also known as NFQUEUE) from nftables.
  449. config NFT_REJECT
  450. default m if NETFILTER_ADVANCED=n
  451. tristate "Netfilter nf_tables reject support"
  452. help
  453. This option adds the "reject" expression that you can use to
  454. explicitly deny and notify via TCP reset/ICMP informational errors
  455. unallowed traffic.
  456. config NFT_REJECT_INET
  457. depends on NF_TABLES_INET
  458. default NFT_REJECT
  459. tristate
  460. config NFT_COMPAT
  461. depends on NETFILTER_XTABLES
  462. tristate "Netfilter x_tables over nf_tables module"
  463. help
  464. This is required if you intend to use any of existing
  465. x_tables match/target extensions over the nf_tables
  466. framework.
  467. endif # NF_TABLES
  468. config NETFILTER_XTABLES
  469. tristate "Netfilter Xtables support (required for ip_tables)"
  470. default m if NETFILTER_ADVANCED=n
  471. help
  472. This is required if you intend to use any of ip_tables,
  473. ip6_tables or arp_tables.
  474. if NETFILTER_XTABLES
  475. comment "Xtables combined modules"
  476. config NETFILTER_XT_MARK
  477. tristate 'nfmark target and match support'
  478. default m if NETFILTER_ADVANCED=n
  479. ---help---
  480. This option adds the "MARK" target and "mark" match.
  481. Netfilter mark matching allows you to match packets based on the
  482. "nfmark" value in the packet.
  483. The target allows you to create rules in the "mangle" table which alter
  484. the netfilter mark (nfmark) field associated with the packet.
  485. Prior to routing, the nfmark can influence the routing method (see
  486. "Use netfilter MARK value as routing key") and can also be used by
  487. other subsystems to change their behavior.
  488. config NETFILTER_XT_CONNMARK
  489. tristate 'ctmark target and match support'
  490. depends on NF_CONNTRACK
  491. depends on NETFILTER_ADVANCED
  492. select NF_CONNTRACK_MARK
  493. ---help---
  494. This option adds the "CONNMARK" target and "connmark" match.
  495. Netfilter allows you to store a mark value per connection (a.k.a.
  496. ctmark), similarly to the packet mark (nfmark). Using this
  497. target and match, you can set and match on this mark.
  498. config NETFILTER_XT_SET
  499. tristate 'set target and match support'
  500. depends on IP_SET
  501. depends on NETFILTER_ADVANCED
  502. help
  503. This option adds the "SET" target and "set" match.
  504. Using this target and match, you can add/delete and match
  505. elements in the sets created by ipset(8).
  506. To compile it as a module, choose M here. If unsure, say N.
  507. # alphabetically ordered list of targets
  508. comment "Xtables targets"
  509. config NETFILTER_XT_TARGET_AUDIT
  510. tristate "AUDIT target support"
  511. depends on AUDIT
  512. depends on NETFILTER_ADVANCED
  513. ---help---
  514. This option adds a 'AUDIT' target, which can be used to create
  515. audit records for packets dropped/accepted.
  516. To compileit as a module, choose M here. If unsure, say N.
  517. config NETFILTER_XT_TARGET_CHECKSUM
  518. tristate "CHECKSUM target support"
  519. depends on IP_NF_MANGLE || IP6_NF_MANGLE
  520. depends on NETFILTER_ADVANCED
  521. ---help---
  522. This option adds a `CHECKSUM' target, which can be used in the iptables mangle
  523. table.
  524. You can use this target to compute and fill in the checksum in
  525. a packet that lacks a checksum. This is particularly useful,
  526. if you need to work around old applications such as dhcp clients,
  527. that do not work well with checksum offloads, but don't want to disable
  528. checksum offload in your device.
  529. To compile it as a module, choose M here. If unsure, say N.
  530. config NETFILTER_XT_TARGET_CLASSIFY
  531. tristate '"CLASSIFY" target support'
  532. depends on NETFILTER_ADVANCED
  533. help
  534. This option adds a `CLASSIFY' target, which enables the user to set
  535. the priority of a packet. Some qdiscs can use this value for
  536. classification, among these are:
  537. atm, cbq, dsmark, pfifo_fast, htb, prio
  538. To compile it as a module, choose M here. If unsure, say N.
  539. config NETFILTER_XT_TARGET_CONNMARK
  540. tristate '"CONNMARK" target support'
  541. depends on NF_CONNTRACK
  542. depends on NETFILTER_ADVANCED
  543. select NETFILTER_XT_CONNMARK
  544. ---help---
  545. This is a backwards-compat option for the user's convenience
  546. (e.g. when running oldconfig). It selects
  547. CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
  548. config NETFILTER_XT_TARGET_CONNSECMARK
  549. tristate '"CONNSECMARK" target support'
  550. depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
  551. default m if NETFILTER_ADVANCED=n
  552. help
  553. The CONNSECMARK target copies security markings from packets
  554. to connections, and restores security markings from connections
  555. to packets (if the packets are not already marked). This would
  556. normally be used in conjunction with the SECMARK target.
  557. To compile it as a module, choose M here. If unsure, say N.
  558. config NETFILTER_XT_TARGET_CT
  559. tristate '"CT" target support'
  560. depends on NF_CONNTRACK
  561. depends on IP_NF_RAW || IP6_NF_RAW
  562. depends on NETFILTER_ADVANCED
  563. help
  564. This options adds a `CT' target, which allows to specify initial
  565. connection tracking parameters like events to be delivered and
  566. the helper to be used.
  567. To compile it as a module, choose M here. If unsure, say N.
  568. config NETFILTER_XT_TARGET_DSCP
  569. tristate '"DSCP" and "TOS" target support'
  570. depends on IP_NF_MANGLE || IP6_NF_MANGLE
  571. depends on NETFILTER_ADVANCED
  572. help
  573. This option adds a `DSCP' target, which allows you to manipulate
  574. the IPv4/IPv6 header DSCP field (differentiated services codepoint).
  575. The DSCP field can have any value between 0x0 and 0x3f inclusive.
  576. It also adds the "TOS" target, which allows you to create rules in
  577. the "mangle" table which alter the Type Of Service field of an IPv4
  578. or the Priority field of an IPv6 packet, prior to routing.
  579. To compile it as a module, choose M here. If unsure, say N.
  580. config NETFILTER_XT_TARGET_HL
  581. tristate '"HL" hoplimit target support'
  582. depends on IP_NF_MANGLE || IP6_NF_MANGLE
  583. depends on NETFILTER_ADVANCED
  584. ---help---
  585. This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
  586. targets, which enable the user to change the
  587. hoplimit/time-to-live value of the IP header.
  588. While it is safe to decrement the hoplimit/TTL value, the
  589. modules also allow to increment and set the hoplimit value of
  590. the header to arbitrary values. This is EXTREMELY DANGEROUS
  591. since you can easily create immortal packets that loop
  592. forever on the network.
  593. config NETFILTER_XT_TARGET_HMARK
  594. tristate '"HMARK" target support'
  595. depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
  596. depends on NETFILTER_ADVANCED
  597. ---help---
  598. This option adds the "HMARK" target.
  599. The target allows you to create rules in the "raw" and "mangle" tables
  600. which set the skbuff mark by means of hash calculation within a given
  601. range. The nfmark can influence the routing method (see "Use netfilter
  602. MARK value as routing key") and can also be used by other subsystems to
  603. change their behaviour.
  604. To compile it as a module, choose M here. If unsure, say N.
  605. config NETFILTER_XT_TARGET_IDLETIMER
  606. tristate "IDLETIMER target support"
  607. depends on NETFILTER_ADVANCED
  608. help
  609. This option adds the `IDLETIMER' target. Each matching packet
  610. resets the timer associated with label specified when the rule is
  611. added. When the timer expires, it triggers a sysfs notification.
  612. The remaining time for expiration can be read via sysfs.
  613. To compile it as a module, choose M here. If unsure, say N.
  614. config NETFILTER_XT_TARGET_LED
  615. tristate '"LED" target support'
  616. depends on LEDS_CLASS && LEDS_TRIGGERS
  617. depends on NETFILTER_ADVANCED
  618. help
  619. This option adds a `LED' target, which allows you to blink LEDs in
  620. response to particular packets passing through your machine.
  621. This can be used to turn a spare LED into a network activity LED,
  622. which only flashes in response to FTP transfers, for example. Or
  623. you could have an LED which lights up for a minute or two every time
  624. somebody connects to your machine via SSH.
  625. You will need support for the "led" class to make this work.
  626. To create an LED trigger for incoming SSH traffic:
  627. iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
  628. Then attach the new trigger to an LED on your system:
  629. echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
  630. For more information on the LEDs available on your system, see
  631. Documentation/leds/leds-class.txt
  632. config NETFILTER_XT_TARGET_LOG
  633. tristate "LOG target support"
  634. select NF_LOG_COMMON
  635. select NF_LOG_IPV4
  636. select NF_LOG_IPV6 if IPV6
  637. default m if NETFILTER_ADVANCED=n
  638. help
  639. This option adds a `LOG' target, which allows you to create rules in
  640. any iptables table which records the packet header to the syslog.
  641. To compile it as a module, choose M here. If unsure, say N.
  642. config NETFILTER_XT_TARGET_MARK
  643. tristate '"MARK" target support'
  644. depends on NETFILTER_ADVANCED
  645. select NETFILTER_XT_MARK
  646. ---help---
  647. This is a backwards-compat option for the user's convenience
  648. (e.g. when running oldconfig). It selects
  649. CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
  650. config NETFILTER_XT_NAT
  651. tristate '"SNAT and DNAT" targets support'
  652. depends on NF_NAT
  653. ---help---
  654. This option enables the SNAT and DNAT targets.
  655. To compile it as a module, choose M here. If unsure, say N.
  656. config NETFILTER_XT_TARGET_NETMAP
  657. tristate '"NETMAP" target support'
  658. depends on NF_NAT
  659. ---help---
  660. NETMAP is an implementation of static 1:1 NAT mapping of network
  661. addresses. It maps the network address part, while keeping the host
  662. address part intact.
  663. To compile it as a module, choose M here. If unsure, say N.
  664. config NETFILTER_XT_TARGET_NFLOG
  665. tristate '"NFLOG" target support'
  666. default m if NETFILTER_ADVANCED=n
  667. select NETFILTER_NETLINK_LOG
  668. help
  669. This option enables the NFLOG target, which allows to LOG
  670. messages through nfnetlink_log.
  671. To compile it as a module, choose M here. If unsure, say N.
  672. config NETFILTER_XT_TARGET_NFQUEUE
  673. tristate '"NFQUEUE" target Support'
  674. depends on NETFILTER_ADVANCED
  675. select NETFILTER_NETLINK_QUEUE
  676. help
  677. This target replaced the old obsolete QUEUE target.
  678. As opposed to QUEUE, it supports 65535 different queues,
  679. not just one.
  680. To compile it as a module, choose M here. If unsure, say N.
  681. config NETFILTER_XT_TARGET_NOTRACK
  682. tristate '"NOTRACK" target support (DEPRECATED)'
  683. depends on NF_CONNTRACK
  684. depends on IP_NF_RAW || IP6_NF_RAW
  685. depends on NETFILTER_ADVANCED
  686. select NETFILTER_XT_TARGET_CT
  687. config NETFILTER_XT_TARGET_RATEEST
  688. tristate '"RATEEST" target support'
  689. depends on NETFILTER_ADVANCED
  690. help
  691. This option adds a `RATEEST' target, which allows to measure
  692. rates similar to TC estimators. The `rateest' match can be
  693. used to match on the measured rates.
  694. To compile it as a module, choose M here. If unsure, say N.
  695. config NETFILTER_XT_TARGET_REDIRECT
  696. tristate "REDIRECT target support"
  697. depends on NF_NAT
  698. select NF_NAT_REDIRECT
  699. ---help---
  700. REDIRECT is a special case of NAT: all incoming connections are
  701. mapped onto the incoming interface's address, causing the packets to
  702. come to the local machine instead of passing through. This is
  703. useful for transparent proxies.
  704. To compile it as a module, choose M here. If unsure, say N.
  705. config NETFILTER_XT_TARGET_TEE
  706. tristate '"TEE" - packet cloning to alternate destination'
  707. depends on NETFILTER_ADVANCED
  708. depends on IPV6 || IPV6=n
  709. depends on !NF_CONNTRACK || NF_CONNTRACK
  710. select NF_DUP_IPV4
  711. select NF_DUP_IPV6 if IP6_NF_IPTABLES != n
  712. ---help---
  713. This option adds a "TEE" target with which a packet can be cloned and
  714. this clone be rerouted to another nexthop.
  715. config NETFILTER_XT_TARGET_TPROXY
  716. tristate '"TPROXY" target transparent proxying support'
  717. depends on NETFILTER_XTABLES
  718. depends on NETFILTER_ADVANCED
  719. depends on IPV6 || IPV6=n
  720. depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
  721. depends on IP_NF_MANGLE
  722. select NF_DEFRAG_IPV4
  723. select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
  724. help
  725. This option adds a `TPROXY' target, which is somewhat similar to
  726. REDIRECT. It can only be used in the mangle table and is useful
  727. to redirect traffic to a transparent proxy. It does _not_ depend
  728. on Netfilter connection tracking and NAT, unlike REDIRECT.
  729. For it to work you will have to configure certain iptables rules
  730. and use policy routing. For more information on how to set it up
  731. see Documentation/networking/tproxy.txt.
  732. To compile it as a module, choose M here. If unsure, say N.
  733. config NETFILTER_XT_TARGET_TRACE
  734. tristate '"TRACE" target support'
  735. depends on IP_NF_RAW || IP6_NF_RAW
  736. depends on NETFILTER_ADVANCED
  737. help
  738. The TRACE target allows you to mark packets so that the kernel
  739. will log every rule which match the packets as those traverse
  740. the tables, chains, rules.
  741. If you want to compile it as a module, say M here and read
  742. <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
  743. config NETFILTER_XT_TARGET_SECMARK
  744. tristate '"SECMARK" target support'
  745. depends on NETWORK_SECMARK
  746. default m if NETFILTER_ADVANCED=n
  747. help
  748. The SECMARK target allows security marking of network
  749. packets, for use with security subsystems.
  750. To compile it as a module, choose M here. If unsure, say N.
  751. config NETFILTER_XT_TARGET_TCPMSS
  752. tristate '"TCPMSS" target support'
  753. depends on IPV6 || IPV6=n
  754. default m if NETFILTER_ADVANCED=n
  755. ---help---
  756. This option adds a `TCPMSS' target, which allows you to alter the
  757. MSS value of TCP SYN packets, to control the maximum size for that
  758. connection (usually limiting it to your outgoing interface's MTU
  759. minus 40).
  760. This is used to overcome criminally braindead ISPs or servers which
  761. block ICMP Fragmentation Needed packets. The symptoms of this
  762. problem are that everything works fine from your Linux
  763. firewall/router, but machines behind it can never exchange large
  764. packets:
  765. 1) Web browsers connect, then hang with no data received.
  766. 2) Small mail works fine, but large emails hang.
  767. 3) ssh works fine, but scp hangs after initial handshaking.
  768. Workaround: activate this option and add a rule to your firewall
  769. configuration like:
  770. iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
  771. -j TCPMSS --clamp-mss-to-pmtu
  772. To compile it as a module, choose M here. If unsure, say N.
  773. config NETFILTER_XT_TARGET_TCPOPTSTRIP
  774. tristate '"TCPOPTSTRIP" target support'
  775. depends on IP_NF_MANGLE || IP6_NF_MANGLE
  776. depends on NETFILTER_ADVANCED
  777. help
  778. This option adds a "TCPOPTSTRIP" target, which allows you to strip
  779. TCP options from TCP packets.
  780. # alphabetically ordered list of matches
  781. comment "Xtables matches"
  782. config NETFILTER_XT_MATCH_ADDRTYPE
  783. tristate '"addrtype" address type match support'
  784. default m if NETFILTER_ADVANCED=n
  785. ---help---
  786. This option allows you to match what routing thinks of an address,
  787. eg. UNICAST, LOCAL, BROADCAST, ...
  788. If you want to compile it as a module, say M here and read
  789. <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
  790. config NETFILTER_XT_MATCH_BPF
  791. tristate '"bpf" match support'
  792. depends on NETFILTER_ADVANCED
  793. help
  794. BPF matching applies a linux socket filter to each packet and
  795. accepts those for which the filter returns non-zero.
  796. To compile it as a module, choose M here. If unsure, say N.
  797. config NETFILTER_XT_MATCH_CGROUP
  798. tristate '"control group" match support'
  799. depends on NETFILTER_ADVANCED
  800. depends on CGROUPS
  801. select CGROUP_NET_CLASSID
  802. ---help---
  803. Socket/process control group matching allows you to match locally
  804. generated packets based on which net_cls control group processes
  805. belong to.
  806. config NETFILTER_XT_MATCH_CLUSTER
  807. tristate '"cluster" match support'
  808. depends on NF_CONNTRACK
  809. depends on NETFILTER_ADVANCED
  810. ---help---
  811. This option allows you to build work-load-sharing clusters of
  812. network servers/stateful firewalls without having a dedicated
  813. load-balancing router/server/switch. Basically, this match returns
  814. true when the packet must be handled by this cluster node. Thus,
  815. all nodes see all packets and this match decides which node handles
  816. what packets. The work-load sharing algorithm is based on source
  817. address hashing.
  818. If you say Y or M here, try `iptables -m cluster --help` for
  819. more information.
  820. config NETFILTER_XT_MATCH_COMMENT
  821. tristate '"comment" match support'
  822. depends on NETFILTER_ADVANCED
  823. help
  824. This option adds a `comment' dummy-match, which allows you to put
  825. comments in your iptables ruleset.
  826. If you want to compile it as a module, say M here and read
  827. <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
  828. config NETFILTER_XT_MATCH_CONNBYTES
  829. tristate '"connbytes" per-connection counter match support'
  830. depends on NF_CONNTRACK
  831. depends on NETFILTER_ADVANCED
  832. help
  833. This option adds a `connbytes' match, which allows you to match the
  834. number of bytes and/or packets for each direction within a connection.
  835. If you want to compile it as a module, say M here and read
  836. <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
  837. config NETFILTER_XT_MATCH_CONNLABEL
  838. tristate '"connlabel" match support'
  839. select NF_CONNTRACK_LABELS
  840. depends on NF_CONNTRACK
  841. depends on NETFILTER_ADVANCED
  842. ---help---
  843. This match allows you to test and assign userspace-defined labels names
  844. to a connection. The kernel only stores bit values - mapping
  845. names to bits is done by userspace.
  846. Unlike connmark, more than 32 flag bits may be assigned to a
  847. connection simultaneously.
  848. config NETFILTER_XT_MATCH_CONNLIMIT
  849. tristate '"connlimit" match support'
  850. depends on NF_CONNTRACK
  851. depends on NETFILTER_ADVANCED
  852. ---help---
  853. This match allows you to match against the number of parallel
  854. connections to a server per client IP address (or address block).
  855. config NETFILTER_XT_MATCH_CONNMARK
  856. tristate '"connmark" connection mark match support'
  857. depends on NF_CONNTRACK
  858. depends on NETFILTER_ADVANCED
  859. select NETFILTER_XT_CONNMARK
  860. ---help---
  861. This is a backwards-compat option for the user's convenience
  862. (e.g. when running oldconfig). It selects
  863. CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
  864. config NETFILTER_XT_MATCH_CONNTRACK
  865. tristate '"conntrack" connection tracking match support'
  866. depends on NF_CONNTRACK
  867. default m if NETFILTER_ADVANCED=n
  868. help
  869. This is a general conntrack match module, a superset of the state match.
  870. It allows matching on additional conntrack information, which is
  871. useful in complex configurations, such as NAT gateways with multiple
  872. internet links or tunnels.
  873. To compile it as a module, choose M here. If unsure, say N.
  874. config NETFILTER_XT_MATCH_CPU
  875. tristate '"cpu" match support'
  876. depends on NETFILTER_ADVANCED
  877. help
  878. CPU matching allows you to match packets based on the CPU
  879. currently handling the packet.
  880. To compile it as a module, choose M here. If unsure, say N.
  881. config NETFILTER_XT_MATCH_DCCP
  882. tristate '"dccp" protocol match support'
  883. depends on NETFILTER_ADVANCED
  884. default IP_DCCP
  885. help
  886. With this option enabled, you will be able to use the iptables
  887. `dccp' match in order to match on DCCP source/destination ports
  888. and DCCP flags.
  889. If you want to compile it as a module, say M here and read
  890. <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
  891. config NETFILTER_XT_MATCH_DEVGROUP
  892. tristate '"devgroup" match support'
  893. depends on NETFILTER_ADVANCED
  894. help
  895. This options adds a `devgroup' match, which allows to match on the
  896. device group a network device is assigned to.
  897. To compile it as a module, choose M here. If unsure, say N.
  898. config NETFILTER_XT_MATCH_DSCP
  899. tristate '"dscp" and "tos" match support'
  900. depends on NETFILTER_ADVANCED
  901. help
  902. This option adds a `DSCP' match, which allows you to match against
  903. the IPv4/IPv6 header DSCP field (differentiated services codepoint).
  904. The DSCP field can have any value between 0x0 and 0x3f inclusive.
  905. It will also add a "tos" match, which allows you to match packets
  906. based on the Type Of Service fields of the IPv4 packet (which share
  907. the same bits as DSCP).
  908. To compile it as a module, choose M here. If unsure, say N.
  909. config NETFILTER_XT_MATCH_ECN
  910. tristate '"ecn" match support'
  911. depends on NETFILTER_ADVANCED
  912. ---help---
  913. This option adds an "ECN" match, which allows you to match against
  914. the IPv4 and TCP header ECN fields.
  915. To compile it as a module, choose M here. If unsure, say N.
  916. config NETFILTER_XT_MATCH_ESP
  917. tristate '"esp" match support'
  918. depends on NETFILTER_ADVANCED
  919. help
  920. This match extension allows you to match a range of SPIs
  921. inside ESP header of IPSec packets.
  922. To compile it as a module, choose M here. If unsure, say N.
  923. config NETFILTER_XT_MATCH_HASHLIMIT
  924. tristate '"hashlimit" match support'
  925. depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
  926. depends on NETFILTER_ADVANCED
  927. help
  928. This option adds a `hashlimit' match.
  929. As opposed to `limit', this match dynamically creates a hash table
  930. of limit buckets, based on your selection of source/destination
  931. addresses and/or ports.
  932. It enables you to express policies like `10kpps for any given
  933. destination address' or `500pps from any given source address'
  934. with a single rule.
  935. config NETFILTER_XT_MATCH_HELPER
  936. tristate '"helper" match support'
  937. depends on NF_CONNTRACK
  938. depends on NETFILTER_ADVANCED
  939. help
  940. Helper matching allows you to match packets in dynamic connections
  941. tracked by a conntrack-helper, ie. ip_conntrack_ftp
  942. To compile it as a module, choose M here. If unsure, say Y.
  943. config NETFILTER_XT_MATCH_HL
  944. tristate '"hl" hoplimit/TTL match support'
  945. depends on NETFILTER_ADVANCED
  946. ---help---
  947. HL matching allows you to match packets based on the hoplimit
  948. in the IPv6 header, or the time-to-live field in the IPv4
  949. header of the packet.
  950. config NETFILTER_XT_MATCH_IPCOMP
  951. tristate '"ipcomp" match support'
  952. depends on NETFILTER_ADVANCED
  953. help
  954. This match extension allows you to match a range of CPIs(16 bits)
  955. inside IPComp header of IPSec packets.
  956. To compile it as a module, choose M here. If unsure, say N.
  957. config NETFILTER_XT_MATCH_IPRANGE
  958. tristate '"iprange" address range match support'
  959. depends on NETFILTER_ADVANCED
  960. ---help---
  961. This option adds a "iprange" match, which allows you to match based on
  962. an IP address range. (Normal iptables only matches on single addresses
  963. with an optional mask.)
  964. If unsure, say M.
  965. config NETFILTER_XT_MATCH_IPVS
  966. tristate '"ipvs" match support'
  967. depends on IP_VS
  968. depends on NETFILTER_ADVANCED
  969. depends on NF_CONNTRACK
  970. help
  971. This option allows you to match against IPVS properties of a packet.
  972. If unsure, say N.
  973. config NETFILTER_XT_MATCH_L2TP
  974. tristate '"l2tp" match support'
  975. depends on NETFILTER_ADVANCED
  976. default L2TP
  977. ---help---
  978. This option adds an "L2TP" match, which allows you to match against
  979. L2TP protocol header fields.
  980. To compile it as a module, choose M here. If unsure, say N.
  981. config NETFILTER_XT_MATCH_LENGTH
  982. tristate '"length" match support'
  983. depends on NETFILTER_ADVANCED
  984. help
  985. This option allows you to match the length of a packet against a
  986. specific value or range of values.
  987. To compile it as a module, choose M here. If unsure, say N.
  988. config NETFILTER_XT_MATCH_LIMIT
  989. tristate '"limit" match support'
  990. depends on NETFILTER_ADVANCED
  991. help
  992. limit matching allows you to control the rate at which a rule can be
  993. matched: mainly useful in combination with the LOG target ("LOG
  994. target support", below) and to avoid some Denial of Service attacks.
  995. To compile it as a module, choose M here. If unsure, say N.
  996. config NETFILTER_XT_MATCH_MAC
  997. tristate '"mac" address match support'
  998. depends on NETFILTER_ADVANCED
  999. help
  1000. MAC matching allows you to match packets based on the source
  1001. Ethernet address of the packet.
  1002. To compile it as a module, choose M here. If unsure, say N.
  1003. config NETFILTER_XT_MATCH_MARK
  1004. tristate '"mark" match support'
  1005. depends on NETFILTER_ADVANCED
  1006. select NETFILTER_XT_MARK
  1007. ---help---
  1008. This is a backwards-compat option for the user's convenience
  1009. (e.g. when running oldconfig). It selects
  1010. CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
  1011. config NETFILTER_XT_MATCH_MULTIPORT
  1012. tristate '"multiport" Multiple port match support'
  1013. depends on NETFILTER_ADVANCED
  1014. help
  1015. Multiport matching allows you to match TCP or UDP packets based on
  1016. a series of source or destination ports: normally a rule can only
  1017. match a single range of ports.
  1018. To compile it as a module, choose M here. If unsure, say N.
  1019. config NETFILTER_XT_MATCH_NFACCT
  1020. tristate '"nfacct" match support'
  1021. depends on NETFILTER_ADVANCED
  1022. select NETFILTER_NETLINK_ACCT
  1023. help
  1024. This option allows you to use the extended accounting through
  1025. nfnetlink_acct.
  1026. To compile it as a module, choose M here. If unsure, say N.
  1027. config NETFILTER_XT_MATCH_OSF
  1028. tristate '"osf" Passive OS fingerprint match'
  1029. depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
  1030. help
  1031. This option selects the Passive OS Fingerprinting match module
  1032. that allows to passively match the remote operating system by
  1033. analyzing incoming TCP SYN packets.
  1034. Rules and loading software can be downloaded from
  1035. http://www.ioremap.net/projects/osf
  1036. To compile it as a module, choose M here. If unsure, say N.
  1037. config NETFILTER_XT_MATCH_OWNER
  1038. tristate '"owner" match support'
  1039. depends on NETFILTER_ADVANCED
  1040. ---help---
  1041. Socket owner matching allows you to match locally-generated packets
  1042. based on who created the socket: the user or group. It is also
  1043. possible to check whether a socket actually exists.
  1044. config NETFILTER_XT_MATCH_POLICY
  1045. tristate 'IPsec "policy" match support'
  1046. depends on XFRM
  1047. default m if NETFILTER_ADVANCED=n
  1048. help
  1049. Policy matching allows you to match packets based on the
  1050. IPsec policy that was used during decapsulation/will
  1051. be used during encapsulation.
  1052. To compile it as a module, choose M here. If unsure, say N.
  1053. config NETFILTER_XT_MATCH_PHYSDEV
  1054. tristate '"physdev" match support'
  1055. depends on BRIDGE && BRIDGE_NETFILTER
  1056. depends on NETFILTER_ADVANCED
  1057. help
  1058. Physdev packet matching matches against the physical bridge ports
  1059. the IP packet arrived on or will leave by.
  1060. To compile it as a module, choose M here. If unsure, say N.
  1061. config NETFILTER_XT_MATCH_PKTTYPE
  1062. tristate '"pkttype" packet type match support'
  1063. depends on NETFILTER_ADVANCED
  1064. help
  1065. Packet type matching allows you to match a packet by
  1066. its "class", eg. BROADCAST, MULTICAST, ...
  1067. Typical usage:
  1068. iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
  1069. To compile it as a module, choose M here. If unsure, say N.
  1070. config NETFILTER_XT_MATCH_QUOTA
  1071. tristate '"quota" match support'
  1072. depends on NETFILTER_ADVANCED
  1073. help
  1074. This option adds a `quota' match, which allows to match on a
  1075. byte counter.
  1076. If you want to compile it as a module, say M here and read
  1077. <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
  1078. config NETFILTER_XT_MATCH_RATEEST
  1079. tristate '"rateest" match support'
  1080. depends on NETFILTER_ADVANCED
  1081. select NETFILTER_XT_TARGET_RATEEST
  1082. help
  1083. This option adds a `rateest' match, which allows to match on the
  1084. rate estimated by the RATEEST target.
  1085. To compile it as a module, choose M here. If unsure, say N.
  1086. config NETFILTER_XT_MATCH_REALM
  1087. tristate '"realm" match support'
  1088. depends on NETFILTER_ADVANCED
  1089. select IP_ROUTE_CLASSID
  1090. help
  1091. This option adds a `realm' match, which allows you to use the realm
  1092. key from the routing subsystem inside iptables.
  1093. This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
  1094. in tc world.
  1095. If you want to compile it as a module, say M here and read
  1096. <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
  1097. config NETFILTER_XT_MATCH_RECENT
  1098. tristate '"recent" match support'
  1099. depends on NETFILTER_ADVANCED
  1100. ---help---
  1101. This match is used for creating one or many lists of recently
  1102. used addresses and then matching against that/those list(s).
  1103. Short options are available by using 'iptables -m recent -h'
  1104. Official Website: <http://snowman.net/projects/ipt_recent/>
  1105. config NETFILTER_XT_MATCH_SCTP
  1106. tristate '"sctp" protocol match support'
  1107. depends on NETFILTER_ADVANCED
  1108. default IP_SCTP
  1109. help
  1110. With this option enabled, you will be able to use the
  1111. `sctp' match in order to match on SCTP source/destination ports
  1112. and SCTP chunk types.
  1113. If you want to compile it as a module, say M here and read
  1114. <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
  1115. config NETFILTER_XT_MATCH_SOCKET
  1116. tristate '"socket" match support'
  1117. depends on NETFILTER_XTABLES
  1118. depends on NETFILTER_ADVANCED
  1119. depends on !NF_CONNTRACK || NF_CONNTRACK
  1120. depends on IPV6 || IPV6=n
  1121. depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
  1122. select NF_DEFRAG_IPV4
  1123. select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
  1124. help
  1125. This option adds a `socket' match, which can be used to match
  1126. packets for which a TCP or UDP socket lookup finds a valid socket.
  1127. It can be used in combination with the MARK target and policy
  1128. routing to implement full featured non-locally bound sockets.
  1129. To compile it as a module, choose M here. If unsure, say N.
  1130. config NETFILTER_XT_MATCH_STATE
  1131. tristate '"state" match support'
  1132. depends on NF_CONNTRACK
  1133. default m if NETFILTER_ADVANCED=n
  1134. help
  1135. Connection state matching allows you to match packets based on their
  1136. relationship to a tracked connection (ie. previous packets). This
  1137. is a powerful tool for packet classification.
  1138. To compile it as a module, choose M here. If unsure, say N.
  1139. config NETFILTER_XT_MATCH_STATISTIC
  1140. tristate '"statistic" match support'
  1141. depends on NETFILTER_ADVANCED
  1142. help
  1143. This option adds a `statistic' match, which allows you to match
  1144. on packets periodically or randomly with a given percentage.
  1145. To compile it as a module, choose M here. If unsure, say N.
  1146. config NETFILTER_XT_MATCH_STRING
  1147. tristate '"string" match support'
  1148. depends on NETFILTER_ADVANCED
  1149. select TEXTSEARCH
  1150. select TEXTSEARCH_KMP
  1151. select TEXTSEARCH_BM
  1152. select TEXTSEARCH_FSM
  1153. help
  1154. This option adds a `string' match, which allows you to look for
  1155. pattern matchings in packets.
  1156. To compile it as a module, choose M here. If unsure, say N.
  1157. config NETFILTER_XT_MATCH_TCPMSS
  1158. tristate '"tcpmss" match support'
  1159. depends on NETFILTER_ADVANCED
  1160. help
  1161. This option adds a `tcpmss' match, which allows you to examine the
  1162. MSS value of TCP SYN packets, which control the maximum packet size
  1163. for that connection.
  1164. To compile it as a module, choose M here. If unsure, say N.
  1165. config NETFILTER_XT_MATCH_TIME
  1166. tristate '"time" match support'
  1167. depends on NETFILTER_ADVANCED
  1168. ---help---
  1169. This option adds a "time" match, which allows you to match based on
  1170. the packet arrival time (at the machine which netfilter is running)
  1171. on) or departure time/date (for locally generated packets).
  1172. If you say Y here, try `iptables -m time --help` for
  1173. more information.
  1174. If you want to compile it as a module, say M here.
  1175. If unsure, say N.
  1176. config NETFILTER_XT_MATCH_U32
  1177. tristate '"u32" match support'
  1178. depends on NETFILTER_ADVANCED
  1179. ---help---
  1180. u32 allows you to extract quantities of up to 4 bytes from a packet,
  1181. AND them with specified masks, shift them by specified amounts and
  1182. test whether the results are in any of a set of specified ranges.
  1183. The specification of what to extract is general enough to skip over
  1184. headers with lengths stored in the packet, as in IP or TCP header
  1185. lengths.
  1186. Details and examples are in the kernel module source.
  1187. endif # NETFILTER_XTABLES
  1188. endmenu
  1189. source "net/netfilter/ipset/Kconfig"
  1190. source "net/netfilter/ipvs/Kconfig"