1 | menu "Core Netfilter Configuration" |
2 | depends on NET && INET && NETFILTER |
3 | |
4 | config NETFILTER_NETLINK |
5 | tristate |
6 | |
7 | config NETFILTER_NETLINK_QUEUE |
8 | tristate "Netfilter NFQUEUE over NFNETLINK interface" |
9 | depends on NETFILTER_ADVANCED |
10 | select NETFILTER_NETLINK |
11 | help |
12 | If this option is enabled, the kernel will include support |
13 | for queueing packets via NFNETLINK. |
14 | |
15 | config NETFILTER_NETLINK_LOG |
16 | tristate "Netfilter LOG over NFNETLINK interface" |
17 | default m if NETFILTER_ADVANCED=n |
18 | select NETFILTER_NETLINK |
19 | help |
20 | If this option is enabled, the kernel will include support |
21 | for logging packets via NFNETLINK. |
22 | |
23 | This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms, |
24 | and is also scheduled to replace the old syslog-based ipt_LOG |
25 | and ip6t_LOG modules. |
26 | |
27 | config NF_CONNTRACK |
28 | tristate "Netfilter connection tracking support" |
29 | default m if NETFILTER_ADVANCED=n |
30 | help |
31 | Connection tracking keeps a record of what packets have passed |
32 | through your machine, in order to figure out how they are related |
33 | into connections. |
34 | |
35 | This is required to do Masquerading or other kinds of Network |
36 | Address Translation. It can also be used to enhance packet |
37 | filtering (see `Connection state match support' below). |
38 | |
39 | To compile it as a module, choose M here. If unsure, say N. |
40 | |
41 | if NF_CONNTRACK |
42 | |
43 | config NF_CONNTRACK_MARK |
44 | bool 'Connection mark tracking support' |
45 | depends on NETFILTER_ADVANCED |
46 | help |
47 | This option enables support for connection marks, used by the |
48 | `CONNMARK' target and `connmark' match. Similar to the mark value |
49 | of packets, but this mark value is kept in the conntrack session |
50 | instead of the individual packets. |
51 | |
52 | config NF_CONNTRACK_SECMARK |
53 | bool 'Connection tracking security mark support' |
54 | depends on NETWORK_SECMARK |
55 | default m if NETFILTER_ADVANCED=n |
56 | help |
57 | This option enables security markings to be applied to |
58 | connections. Typically they are copied to connections from |
59 | packets using the CONNSECMARK target and copied back from |
60 | connections to packets with the same target, with the packets |
61 | being originally labeled via SECMARK. |
62 | |
63 | If unsure, say 'N'. |
64 | |
65 | config NF_CONNTRACK_ZONES |
66 | bool 'Connection tracking zones' |
67 | depends on NETFILTER_ADVANCED |
68 | depends on NETFILTER_XT_TARGET_CT |
69 | help |
70 | This option enables support for connection tracking zones. |
71 | Normally, each connection needs to have a unique system wide |
72 | identity. Connection tracking zones allow to have multiple |
73 | connections using the same identity, as long as they are |
74 | contained in different zones. |
75 | |
76 | If unsure, say `N'. |
77 | |
78 | config NF_CONNTRACK_EVENTS |
79 | bool "Connection tracking events" |
80 | depends on NETFILTER_ADVANCED |
81 | help |
82 | If this option is enabled, the connection tracking code will |
83 | provide a notifier chain that can be used by other kernel code |
84 | to get notified about changes in the connection tracking state. |
85 | |
86 | If unsure, say `N'. |
87 | |
88 | config NF_CT_PROTO_DCCP |
89 | tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)' |
90 | depends on EXPERIMENTAL |
91 | depends on NETFILTER_ADVANCED |
92 | default IP_DCCP |
93 | help |
94 | With this option enabled, the layer 3 independent connection |
95 | tracking code will be able to do state tracking on DCCP connections. |
96 | |
97 | If unsure, say 'N'. |
98 | |
99 | config NF_CT_PROTO_GRE |
100 | tristate |
101 | |
102 | config NF_CT_PROTO_SCTP |
103 | tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)' |
104 | depends on EXPERIMENTAL |
105 | depends on NETFILTER_ADVANCED |
106 | default IP_SCTP |
107 | help |
108 | With this option enabled, the layer 3 independent connection |
109 | tracking code will be able to do state tracking on SCTP connections. |
110 | |
111 | If you want to compile it as a module, say M here and read |
112 | <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. |
113 | |
114 | config NF_CT_PROTO_UDPLITE |
115 | tristate 'UDP-Lite protocol connection tracking support' |
116 | depends on NETFILTER_ADVANCED |
117 | help |
118 | With this option enabled, the layer 3 independent connection |
119 | tracking code will be able to do state tracking on UDP-Lite |
120 | connections. |
121 | |
122 | To compile it as a module, choose M here. If unsure, say N. |
123 | |
124 | config NF_CONNTRACK_AMANDA |
125 | tristate "Amanda backup protocol support" |
126 | depends on NETFILTER_ADVANCED |
127 | select TEXTSEARCH |
128 | select TEXTSEARCH_KMP |
129 | help |
130 | If you are running the Amanda backup package <http://www.amanda.org/> |
131 | on this machine or machines that will be MASQUERADED through this |
132 | machine, then you may want to enable this feature. This allows the |
133 | connection tracking and natting code to allow the sub-channels that |
134 | Amanda requires for communication of the backup data, messages and |
135 | index. |
136 | |
137 | To compile it as a module, choose M here. If unsure, say N. |
138 | |
139 | config NF_CONNTRACK_FTP |
140 | tristate "FTP protocol support" |
141 | default m if NETFILTER_ADVANCED=n |
142 | help |
143 | Tracking FTP connections is problematic: special helpers are |
144 | required for tracking them, and doing masquerading and other forms |
145 | of Network Address Translation on them. |
146 | |
147 | This is FTP support on Layer 3 independent connection tracking. |
148 | Layer 3 independent connection tracking is experimental scheme |
149 | which generalize ip_conntrack to support other layer 3 protocols. |
150 | |
151 | To compile it as a module, choose M here. If unsure, say N. |
152 | |
153 | config NF_CONNTRACK_H323 |
154 | tristate "H.323 protocol support" |
155 | depends on (IPV6 || IPV6=n) |
156 | depends on NETFILTER_ADVANCED |
157 | help |
158 | H.323 is a VoIP signalling protocol from ITU-T. As one of the most |
159 | important VoIP protocols, it is widely used by voice hardware and |
160 | software including voice gateways, IP phones, Netmeeting, OpenPhone, |
161 | Gnomemeeting, etc. |
162 | |
163 | With this module you can support H.323 on a connection tracking/NAT |
164 | firewall. |
165 | |
166 | This module supports RAS, Fast Start, H.245 Tunnelling, Call |
167 | Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat, |
168 | whiteboard, file transfer, etc. For more information, please |
169 | visit http://nath323.sourceforge.net/. |
170 | |
171 | To compile it as a module, choose M here. If unsure, say N. |
172 | |
173 | config NF_CONNTRACK_IRC |
174 | tristate "IRC protocol support" |
175 | default m if NETFILTER_ADVANCED=n |
176 | help |
177 | There is a commonly-used extension to IRC called |
178 | Direct Client-to-Client Protocol (DCC). This enables users to send |
179 | files to each other, and also chat to each other without the need |
180 | of a server. DCC Sending is used anywhere you send files over IRC, |
181 | and DCC Chat is most commonly used by Eggdrop bots. If you are |
182 | using NAT, this extension will enable you to send files and initiate |
183 | chats. Note that you do NOT need this extension to get files or |
184 | have others initiate chats, or everything else in IRC. |
185 | |
186 | To compile it as a module, choose M here. If unsure, say N. |
187 | |
188 | config NF_CONNTRACK_NETBIOS_NS |
189 | tristate "NetBIOS name service protocol support" |
190 | depends on NETFILTER_ADVANCED |
191 | help |
192 | NetBIOS name service requests are sent as broadcast messages from an |
193 | unprivileged port and responded to with unicast messages to the |
194 | same port. This make them hard to firewall properly because connection |
195 | tracking doesn't deal with broadcasts. This helper tracks locally |
196 | originating NetBIOS name service requests and the corresponding |
197 | responses. It relies on correct IP address configuration, specifically |
198 | netmask and broadcast address. When properly configured, the output |
199 | of "ip address show" should look similar to this: |
200 | |
201 | $ ip -4 address show eth0 |
202 | 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000 |
203 | inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0 |
204 | |
205 | To compile it as a module, choose M here. If unsure, say N. |
206 | |
207 | config NF_CONNTRACK_PPTP |
208 | tristate "PPtP protocol support" |
209 | depends on NETFILTER_ADVANCED |
210 | select NF_CT_PROTO_GRE |
211 | help |
212 | This module adds support for PPTP (Point to Point Tunnelling |
213 | Protocol, RFC2637) connection tracking and NAT. |
214 | |
215 | If you are running PPTP sessions over a stateful firewall or NAT |
216 | box, you may want to enable this feature. |
217 | |
218 | Please note that not all PPTP modes of operation are supported yet. |
219 | Specifically these limitations exist: |
220 | - Blindly assumes that control connections are always established |
221 | in PNS->PAC direction. This is a violation of RFC2637. |
222 | - Only supports a single call within each session |
223 | |
224 | To compile it as a module, choose M here. If unsure, say N. |
225 | |
226 | config NF_CONNTRACK_SANE |
227 | tristate "SANE protocol support (EXPERIMENTAL)" |
228 | depends on EXPERIMENTAL |
229 | depends on NETFILTER_ADVANCED |
230 | help |
231 | SANE is a protocol for remote access to scanners as implemented |
232 | by the 'saned' daemon. Like FTP, it uses separate control and |
233 | data connections. |
234 | |
235 | With this module you can support SANE on a connection tracking |
236 | firewall. |
237 | |
238 | To compile it as a module, choose M here. If unsure, say N. |
239 | |
240 | config NF_CONNTRACK_SIP |
241 | tristate "SIP protocol support" |
242 | default m if NETFILTER_ADVANCED=n |
243 | help |
244 | SIP is an application-layer control protocol that can establish, |
245 | modify, and terminate multimedia sessions (conferences) such as |
246 | Internet telephony calls. With the ip_conntrack_sip and |
247 | the nf_nat_sip modules you can support the protocol on a connection |
248 | tracking/NATing firewall. |
249 | |
250 | To compile it as a module, choose M here. If unsure, say N. |
251 | |
252 | config NF_CONNTRACK_TFTP |
253 | tristate "TFTP protocol support" |
254 | depends on NETFILTER_ADVANCED |
255 | help |
256 | TFTP connection tracking helper, this is required depending |
257 | on how restrictive your ruleset is. |
258 | If you are using a tftp client behind -j SNAT or -j MASQUERADING |
259 | you will need this. |
260 | |
261 | To compile it as a module, choose M here. If unsure, say N. |
262 | |
263 | config NF_CT_NETLINK |
264 | tristate 'Connection tracking netlink interface' |
265 | select NETFILTER_NETLINK |
266 | default m if NETFILTER_ADVANCED=n |
267 | help |
268 | This option enables support for a netlink-based userspace interface |
269 | |
270 | endif # NF_CONNTRACK |
271 | |
272 | # transparent proxy support |
273 | config NETFILTER_TPROXY |
274 | tristate "Transparent proxying support (EXPERIMENTAL)" |
275 | depends on EXPERIMENTAL |
276 | depends on IP_NF_MANGLE |
277 | depends on NETFILTER_ADVANCED |
278 | help |
279 | This option enables transparent proxying support, that is, |
280 | support for handling non-locally bound IPv4 TCP and UDP sockets. |
281 | For it to work you will have to configure certain iptables rules |
282 | and use policy routing. For more information on how to set it up |
283 | see Documentation/networking/tproxy.txt. |
284 | |
285 | To compile it as a module, choose M here. If unsure, say N. |
286 | |
287 | config NETFILTER_XTABLES |
288 | tristate "Netfilter Xtables support (required for ip_tables)" |
289 | default m if NETFILTER_ADVANCED=n |
290 | help |
291 | This is required if you intend to use any of ip_tables, |
292 | ip6_tables or arp_tables. |
293 | |
294 | if NETFILTER_XTABLES |
295 | |
296 | comment "Xtables combined modules" |
297 | |
298 | config NETFILTER_XT_MARK |
299 | tristate 'nfmark target and match support' |
300 | default m if NETFILTER_ADVANCED=n |
301 | ---help--- |
302 | This option adds the "MARK" target and "mark" match. |
303 | |
304 | Netfilter mark matching allows you to match packets based on the |
305 | "nfmark" value in the packet. |
306 | The target allows you to create rules in the "mangle" table which alter |
307 | the netfilter mark (nfmark) field associated with the packet. |
308 | |
309 | Prior to routing, the nfmark can influence the routing method (see |
310 | "Use netfilter MARK value as routing key") and can also be used by |
311 | other subsystems to change their behavior. |
312 | |
313 | config NETFILTER_XT_CONNMARK |
314 | tristate 'ctmark target and match support' |
315 | depends on NF_CONNTRACK |
316 | depends on NETFILTER_ADVANCED |
317 | select NF_CONNTRACK_MARK |
318 | ---help--- |
319 | This option adds the "CONNMARK" target and "connmark" match. |
320 | |
321 | Netfilter allows you to store a mark value per connection (a.k.a. |
322 | ctmark), similarly to the packet mark (nfmark). Using this |
323 | target and match, you can set and match on this mark. |
324 | |
325 | # alphabetically ordered list of targets |
326 | |
327 | comment "Xtables targets" |
328 | |
329 | config NETFILTER_XT_TARGET_CHECKSUM |
330 | tristate "CHECKSUM target support" |
331 | depends on IP_NF_MANGLE || IP6_NF_MANGLE |
332 | depends on NETFILTER_ADVANCED |
333 | ---help--- |
334 | This option adds a `CHECKSUM' target, which can be used in the iptables mangle |
335 | table. |
336 | |
337 | You can use this target to compute and fill in the checksum in |
338 | a packet that lacks a checksum. This is particularly useful, |
339 | if you need to work around old applications such as dhcp clients, |
340 | that do not work well with checksum offloads, but don't want to disable |
341 | checksum offload in your device. |
342 | |
343 | To compile it as a module, choose M here. If unsure, say N. |
344 | |
345 | config NETFILTER_XT_TARGET_CLASSIFY |
346 | tristate '"CLASSIFY" target support' |
347 | depends on NETFILTER_ADVANCED |
348 | help |
349 | This option adds a `CLASSIFY' target, which enables the user to set |
350 | the priority of a packet. Some qdiscs can use this value for |
351 | classification, among these are: |
352 | |
353 | atm, cbq, dsmark, pfifo_fast, htb, prio |
354 | |
355 | To compile it as a module, choose M here. If unsure, say N. |
356 | |
357 | config NETFILTER_XT_TARGET_CONNMARK |
358 | tristate '"CONNMARK" target support' |
359 | depends on NF_CONNTRACK |
360 | depends on NETFILTER_ADVANCED |
361 | select NETFILTER_XT_CONNMARK |
362 | ---help--- |
363 | This is a backwards-compat option for the user's convenience |
364 | (e.g. when running oldconfig). It selects |
365 | CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module). |
366 | |
367 | config NETFILTER_XT_TARGET_CONNSECMARK |
368 | tristate '"CONNSECMARK" target support' |
369 | depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK |
370 | default m if NETFILTER_ADVANCED=n |
371 | help |
372 | The CONNSECMARK target copies security markings from packets |
373 | to connections, and restores security markings from connections |
374 | to packets (if the packets are not already marked). This would |
375 | normally be used in conjunction with the SECMARK target. |
376 | |
377 | To compile it as a module, choose M here. If unsure, say N. |
378 | |
379 | config NETFILTER_XT_TARGET_CT |
380 | tristate '"CT" target support' |
381 | depends on NF_CONNTRACK |
382 | depends on IP_NF_RAW || IP6_NF_RAW |
383 | depends on NETFILTER_ADVANCED |
384 | help |
385 | This options adds a `CT' target, which allows to specify initial |
386 | connection tracking parameters like events to be delivered and |
387 | the helper to be used. |
388 | |
389 | To compile it as a module, choose M here. If unsure, say N. |
390 | |
391 | config NETFILTER_XT_TARGET_DSCP |
392 | tristate '"DSCP" and "TOS" target support' |
393 | depends on IP_NF_MANGLE || IP6_NF_MANGLE |
394 | depends on NETFILTER_ADVANCED |
395 | help |
396 | This option adds a `DSCP' target, which allows you to manipulate |
397 | the IPv4/IPv6 header DSCP field (differentiated services codepoint). |
398 | |
399 | The DSCP field can have any value between 0x0 and 0x3f inclusive. |
400 | |
401 | It also adds the "TOS" target, which allows you to create rules in |
402 | the "mangle" table which alter the Type Of Service field of an IPv4 |
403 | or the Priority field of an IPv6 packet, prior to routing. |
404 | |
405 | To compile it as a module, choose M here. If unsure, say N. |
406 | |
407 | config NETFILTER_XT_TARGET_HL |
408 | tristate '"HL" hoplimit target support' |
409 | depends on IP_NF_MANGLE || IP6_NF_MANGLE |
410 | depends on NETFILTER_ADVANCED |
411 | ---help--- |
412 | This option adds the "HL" (for IPv6) and "TTL" (for IPv4) |
413 | targets, which enable the user to change the |
414 | hoplimit/time-to-live value of the IP header. |
415 | |
416 | While it is safe to decrement the hoplimit/TTL value, the |
417 | modules also allow to increment and set the hoplimit value of |
418 | the header to arbitrary values. This is EXTREMELY DANGEROUS |
419 | since you can easily create immortal packets that loop |
420 | forever on the network. |
421 | |
422 | config NETFILTER_XT_TARGET_IDLETIMER |
423 | tristate "IDLETIMER target support" |
424 | depends on NETFILTER_ADVANCED |
425 | help |
426 | |
427 | This option adds the `IDLETIMER' target. Each matching packet |
428 | resets the timer associated with label specified when the rule is |
429 | added. When the timer expires, it triggers a sysfs notification. |
430 | The remaining time for expiration can be read via sysfs. |
431 | |
432 | To compile it as a module, choose M here. If unsure, say N. |
433 | |
434 | config NETFILTER_XT_TARGET_LED |
435 | tristate '"LED" target support' |
436 | depends on LEDS_CLASS && LEDS_TRIGGERS |
437 | depends on NETFILTER_ADVANCED |
438 | help |
439 | This option adds a `LED' target, which allows you to blink LEDs in |
440 | response to particular packets passing through your machine. |
441 | |
442 | This can be used to turn a spare LED into a network activity LED, |
443 | which only flashes in response to FTP transfers, for example. Or |
444 | you could have an LED which lights up for a minute or two every time |
445 | somebody connects to your machine via SSH. |
446 | |
447 | You will need support for the "led" class to make this work. |
448 | |
449 | To create an LED trigger for incoming SSH traffic: |
450 | iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000 |
451 | |
452 | Then attach the new trigger to an LED on your system: |
453 | echo netfilter-ssh > /sys/class/leds/<ledname>/trigger |
454 | |
455 | For more information on the LEDs available on your system, see |
456 | Documentation/leds-class.txt |
457 | |
458 | config NETFILTER_XT_TARGET_MARK |
459 | tristate '"MARK" target support' |
460 | depends on NETFILTER_ADVANCED |
461 | select NETFILTER_XT_MARK |
462 | ---help--- |
463 | This is a backwards-compat option for the user's convenience |
464 | (e.g. when running oldconfig). It selects |
465 | CONFIG_NETFILTER_XT_MARK (combined mark/MARK module). |
466 | |
467 | config NETFILTER_XT_TARGET_NFLOG |
468 | tristate '"NFLOG" target support' |
469 | default m if NETFILTER_ADVANCED=n |
470 | select NETFILTER_NETLINK_LOG |
471 | help |
472 | This option enables the NFLOG target, which allows to LOG |
473 | messages through nfnetlink_log. |
474 | |
475 | To compile it as a module, choose M here. If unsure, say N. |
476 | |
477 | config NETFILTER_XT_TARGET_NFQUEUE |
478 | tristate '"NFQUEUE" target Support' |
479 | depends on NETFILTER_ADVANCED |
480 | help |
481 | This target replaced the old obsolete QUEUE target. |
482 | |
483 | As opposed to QUEUE, it supports 65535 different queues, |
484 | not just one. |
485 | |
486 | To compile it as a module, choose M here. If unsure, say N. |
487 | |
488 | config NETFILTER_XT_TARGET_NOTRACK |
489 | tristate '"NOTRACK" target support' |
490 | depends on IP_NF_RAW || IP6_NF_RAW |
491 | depends on NF_CONNTRACK |
492 | depends on NETFILTER_ADVANCED |
493 | help |
494 | The NOTRACK target allows a select rule to specify |
495 | which packets *not* to enter the conntrack/NAT |
496 | subsystem with all the consequences (no ICMP error tracking, |
497 | no protocol helpers for the selected packets). |
498 | |
499 | If you want to compile it as a module, say M here and read |
500 | <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. |
501 | |
502 | config NETFILTER_XT_TARGET_RATEEST |
503 | tristate '"RATEEST" target support' |
504 | depends on NETFILTER_ADVANCED |
505 | help |
506 | This option adds a `RATEEST' target, which allows to measure |
507 | rates similar to TC estimators. The `rateest' match can be |
508 | used to match on the measured rates. |
509 | |
510 | To compile it as a module, choose M here. If unsure, say N. |
511 | |
512 | config NETFILTER_XT_TARGET_TEE |
513 | tristate '"TEE" - packet cloning to alternate destination' |
514 | depends on NETFILTER_ADVANCED |
515 | depends on (IPV6 || IPV6=n) |
516 | depends on !NF_CONNTRACK || NF_CONNTRACK |
517 | ---help--- |
518 | This option adds a "TEE" target with which a packet can be cloned and |
519 | this clone be rerouted to another nexthop. |
520 | |
521 | config NETFILTER_XT_TARGET_TPROXY |
522 | tristate '"TPROXY" target support (EXPERIMENTAL)' |
523 | depends on EXPERIMENTAL |
524 | depends on NETFILTER_TPROXY |
525 | depends on NETFILTER_XTABLES |
526 | depends on NETFILTER_ADVANCED |
527 | select NF_DEFRAG_IPV4 |
528 | help |
529 | This option adds a `TPROXY' target, which is somewhat similar to |
530 | REDIRECT. It can only be used in the mangle table and is useful |
531 | to redirect traffic to a transparent proxy. It does _not_ depend |
532 | on Netfilter connection tracking and NAT, unlike REDIRECT. |
533 | |
534 | To compile it as a module, choose M here. If unsure, say N. |
535 | |
536 | config NETFILTER_XT_TARGET_TRACE |
537 | tristate '"TRACE" target support' |
538 | depends on IP_NF_RAW || IP6_NF_RAW |
539 | depends on NETFILTER_ADVANCED |
540 | help |
541 | The TRACE target allows you to mark packets so that the kernel |
542 | will log every rule which match the packets as those traverse |
543 | the tables, chains, rules. |
544 | |
545 | If you want to compile it as a module, say M here and read |
546 | <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. |
547 | |
548 | config NETFILTER_XT_TARGET_SECMARK |
549 | tristate '"SECMARK" target support' |
550 | depends on NETWORK_SECMARK |
551 | default m if NETFILTER_ADVANCED=n |
552 | help |
553 | The SECMARK target allows security marking of network |
554 | packets, for use with security subsystems. |
555 | |
556 | To compile it as a module, choose M here. If unsure, say N. |
557 | |
558 | config NETFILTER_XT_TARGET_TCPMSS |
559 | tristate '"TCPMSS" target support' |
560 | depends on (IPV6 || IPV6=n) |
561 | default m if NETFILTER_ADVANCED=n |
562 | ---help--- |
563 | This option adds a `TCPMSS' target, which allows you to alter the |
564 | MSS value of TCP SYN packets, to control the maximum size for that |
565 | connection (usually limiting it to your outgoing interface's MTU |
566 | minus 40). |
567 | |
568 | This is used to overcome criminally braindead ISPs or servers which |
569 | block ICMP Fragmentation Needed packets. The symptoms of this |
570 | problem are that everything works fine from your Linux |
571 | firewall/router, but machines behind it can never exchange large |
572 | packets: |
573 | 1) Web browsers connect, then hang with no data received. |
574 | 2) Small mail works fine, but large emails hang. |
575 | 3) ssh works fine, but scp hangs after initial handshaking. |
576 | |
577 | Workaround: activate this option and add a rule to your firewall |
578 | configuration like: |
579 | |
580 | iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \ |
581 | -j TCPMSS --clamp-mss-to-pmtu |
582 | |
583 | To compile it as a module, choose M here. If unsure, say N. |
584 | |
585 | config NETFILTER_XT_TARGET_TCPOPTSTRIP |
586 | tristate '"TCPOPTSTRIP" target support (EXPERIMENTAL)' |
587 | depends on EXPERIMENTAL |
588 | depends on IP_NF_MANGLE || IP6_NF_MANGLE |
589 | depends on NETFILTER_ADVANCED |
590 | help |
591 | This option adds a "TCPOPTSTRIP" target, which allows you to strip |
592 | TCP options from TCP packets. |
593 | |
594 | # alphabetically ordered list of matches |
595 | |
596 | comment "Xtables matches" |
597 | |
598 | config NETFILTER_XT_MATCH_CLUSTER |
599 | tristate '"cluster" match support' |
600 | depends on NF_CONNTRACK |
601 | depends on NETFILTER_ADVANCED |
602 | ---help--- |
603 | This option allows you to build work-load-sharing clusters of |
604 | network servers/stateful firewalls without having a dedicated |
605 | load-balancing router/server/switch. Basically, this match returns |
606 | true when the packet must be handled by this cluster node. Thus, |
607 | all nodes see all packets and this match decides which node handles |
608 | what packets. The work-load sharing algorithm is based on source |
609 | address hashing. |
610 | |
611 | If you say Y or M here, try `iptables -m cluster --help` for |
612 | more information. |
613 | |
614 | config NETFILTER_XT_MATCH_COMMENT |
615 | tristate '"comment" match support' |
616 | depends on NETFILTER_ADVANCED |
617 | help |
618 | This option adds a `comment' dummy-match, which allows you to put |
619 | comments in your iptables ruleset. |
620 | |
621 | If you want to compile it as a module, say M here and read |
622 | <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. |
623 | |
624 | config NETFILTER_XT_MATCH_CONNBYTES |
625 | tristate '"connbytes" per-connection counter match support' |
626 | depends on NF_CONNTRACK |
627 | depends on NETFILTER_ADVANCED |
628 | help |
629 | This option adds a `connbytes' match, which allows you to match the |
630 | number of bytes and/or packets for each direction within a connection. |
631 | |
632 | If you want to compile it as a module, say M here and read |
633 | <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. |
634 | |
635 | config NETFILTER_XT_MATCH_CONNLIMIT |
636 | tristate '"connlimit" match support"' |
637 | depends on NF_CONNTRACK |
638 | depends on NETFILTER_ADVANCED |
639 | ---help--- |
640 | This match allows you to match against the number of parallel |
641 | connections to a server per client IP address (or address block). |
642 | |
643 | config NETFILTER_XT_MATCH_CONNMARK |
644 | tristate '"connmark" connection mark match support' |
645 | depends on NF_CONNTRACK |
646 | depends on NETFILTER_ADVANCED |
647 | select NETFILTER_XT_CONNMARK |
648 | ---help--- |
649 | This is a backwards-compat option for the user's convenience |
650 | (e.g. when running oldconfig). It selects |
651 | CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module). |
652 | |
653 | config NETFILTER_XT_MATCH_CONNTRACK |
654 | tristate '"conntrack" connection tracking match support' |
655 | depends on NF_CONNTRACK |
656 | default m if NETFILTER_ADVANCED=n |
657 | help |
658 | This is a general conntrack match module, a superset of the state match. |
659 | |
660 | It allows matching on additional conntrack information, which is |
661 | useful in complex configurations, such as NAT gateways with multiple |
662 | internet links or tunnels. |
663 | |
664 | To compile it as a module, choose M here. If unsure, say N. |
665 | |
666 | config NETFILTER_XT_MATCH_CPU |
667 | tristate '"cpu" match support' |
668 | depends on NETFILTER_ADVANCED |
669 | help |
670 | CPU matching allows you to match packets based on the CPU |
671 | currently handling the packet. |
672 | |
673 | To compile it as a module, choose M here. If unsure, say N. |
674 | |
675 | config NETFILTER_XT_MATCH_DCCP |
676 | tristate '"dccp" protocol match support' |
677 | depends on NETFILTER_ADVANCED |
678 | default IP_DCCP |
679 | help |
680 | With this option enabled, you will be able to use the iptables |
681 | `dccp' match in order to match on DCCP source/destination ports |
682 | and DCCP flags. |
683 | |
684 | If you want to compile it as a module, say M here and read |
685 | <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. |
686 | |
687 | config NETFILTER_XT_MATCH_DSCP |
688 | tristate '"dscp" and "tos" match support' |
689 | depends on NETFILTER_ADVANCED |
690 | help |
691 | This option adds a `DSCP' match, which allows you to match against |
692 | the IPv4/IPv6 header DSCP field (differentiated services codepoint). |
693 | |
694 | The DSCP field can have any value between 0x0 and 0x3f inclusive. |
695 | |
696 | It will also add a "tos" match, which allows you to match packets |
697 | based on the Type Of Service fields of the IPv4 packet (which share |
698 | the same bits as DSCP). |
699 | |
700 | To compile it as a module, choose M here. If unsure, say N. |
701 | |
702 | config NETFILTER_XT_MATCH_ESP |
703 | tristate '"esp" match support' |
704 | depends on NETFILTER_ADVANCED |
705 | help |
706 | This match extension allows you to match a range of SPIs |
707 | inside ESP header of IPSec packets. |
708 | |
709 | To compile it as a module, choose M here. If unsure, say N. |
710 | |
711 | config NETFILTER_XT_MATCH_HASHLIMIT |
712 | tristate '"hashlimit" match support' |
713 | depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n) |
714 | depends on NETFILTER_ADVANCED |
715 | help |
716 | This option adds a `hashlimit' match. |
717 | |
718 | As opposed to `limit', this match dynamically creates a hash table |
	  of limit buckets, based on your selection of source/destination
	  addresses and/or ports.

	  It enables you to express policies like `10kpps for any given
	  destination address' or `500pps from any given source address'
	  with a single rule.

config NETFILTER_XT_MATCH_HELPER
	tristate '"helper" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack helper, e.g. ip_conntrack_ftp.

	  To compile it as a module, choose M here. If unsure, say Y.

config NETFILTER_XT_MATCH_HL
	tristate '"hl" hoplimit/TTL match support'
	depends on NETFILTER_ADVANCED
	---help---
	  HL matching allows you to match packets based on the hoplimit
	  in the IPv6 header, or the time-to-live field in the IPv4
	  header of the packet.

config NETFILTER_XT_MATCH_IPRANGE
	tristate '"iprange" address range match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an "iprange" match, which allows you to match based on
	  an IP address range. (Normal iptables only matches on single addresses
	  with an optional mask.)

	  If unsure, say M.

config NETFILTER_XT_MATCH_IPVS
	tristate '"ipvs" match support'
	depends on IP_VS
	depends on NETFILTER_ADVANCED
	depends on NF_CONNTRACK
	help
	  This option allows you to match against IPVS properties of a packet.

	  If unsure, say N.

config NETFILTER_XT_MATCH_LENGTH
	tristate '"length" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_LIMIT
	tristate '"limit" match support'
	depends on NETFILTER_ADVANCED
	help
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", below) and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here. If unsure, say N.
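
The rate control the "limit" help text describes, as an added example that is not the kernel's xt_limit.c nor part of this Kconfig: a user-space token-bucket model with the observable behaviour of `-m limit --limit R/second --limit-burst B`, driven with explicit timestamps so the run is deterministic. It shows why the usual pattern of `-m limit ... -j LOG` followed by an unconditional `-j DROP` keeps a packet flood from filling the log. The struct and function names are this example's own; the real module keeps integer credits in jiffies rather than a double, which is an assumption made here for readability.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of "-m limit --limit R/second --limit-burst B".
 * Not the kernel's xt_limit.c: time is passed in explicitly (milliseconds)
 * and credit is a double, so the arithmetic is easy to follow. */
struct rate_limit {
	uint64_t rate_per_sec; /* sustained matches per second (--limit) */
	uint64_t burst;        /* bucket capacity (--limit-burst) */
	double   tokens;       /* unused credit; starts full, as in the kernel */
	uint64_t last_ms;      /* time of the last refill */
};

void rl_init(struct rate_limit *rl, uint64_t rate, uint64_t burst, uint64_t now_ms)
{
	rl->rate_per_sec = rate;
	rl->burst = burst;
	rl->tokens = (double)burst;
	rl->last_ms = now_ms;
}

/* One packet reaches the rule at now_ms. Returns true if the rule matches
 * (a token was available) and false if the packet falls through to the
 * next rule. Credit accrues at rate_per_sec but never exceeds burst. */
bool rl_match(struct rate_limit *rl, uint64_t now_ms)
{
	if (now_ms > rl->last_ms) {
		rl->tokens += (double)(now_ms - rl->last_ms) * (double)rl->rate_per_sec / 1000.0;
		if (rl->tokens > (double)rl->burst)
			rl->tokens = (double)rl->burst; /* burst caps accumulated credit */
		rl->last_ms = now_ms;
	}
	if (rl->tokens >= 1.0) {
		rl->tokens -= 1.0;
		return true;
	}
	return false;
}

/* Simulate "-m limit ... -j LOG" followed by "-j DROP": first_batch packets
 * arrive at t=0 and second_batch arrive gap_ms later. Returns how many
 * packets would have produced a log line; the rest are dropped silently. */
size_t count_logged(uint64_t rate, uint64_t burst, size_t first_batch,
		    uint64_t gap_ms, size_t second_batch)
{
	struct rate_limit rl;
	size_t logged = 0;

	rl_init(&rl, rate, burst, 0);
	for (size_t i = 0; i < first_batch; i++)
		if (rl_match(&rl, 0))
			logged++;
	for (size_t i = 0; i < second_batch; i++)
		if (rl_match(&rl, gap_ms))
			logged++;
	return logged;
}

int main(void)
{
	/* A 10000-packet burst against "--limit 3/second --limit-burst 5",
	 * then another 10000 one second later: 5 + 3 = 8 log lines in total. */
	printf("logged %zu of 20000 packets\n",
	       count_logged(3, 5, 10000, 1000, 10000));
	return 0;
}
```

Note that a `limit` rule owns a single bucket shared by every source that hits it, so one noisy host consumes the credit for all; when the policy is "N per source address", use the `hashlimit` match described above, which keys its buckets on addresses and/or ports.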

config NETFILTER_XT_MATCH_MAC
	tristate '"mac" address match support'
	depends on NETFILTER_ADVANCED
	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MARK
	tristate '"mark" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MARK
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).

config NETFILTER_XT_MATCH_MULTIPORT
	tristate '"multiport" Multiple port match support'
	depends on NETFILTER_ADVANCED
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_OSF
	tristate '"osf" Passive OS fingerprint match'
	depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
	help
	  This option selects the Passive OS Fingerprinting match module
	  that allows you to passively identify the remote operating system by
	  analyzing incoming TCP SYN packets.

	  Rules and loading software can be downloaded from
	  http://www.ioremap.net/projects/osf

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_OWNER
	tristate '"owner" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  Socket owner matching allows you to match locally-generated packets
	  based on who created the socket: the user or group. It is also
	  possible to check whether a socket actually exists.

config NETFILTER_XT_MATCH_POLICY
	tristate 'IPsec "policy" match support'
	depends on XFRM
	default m if NETFILTER_ADVANCED=n
	help
	  Policy matching allows you to match packets based on the
	  IPsec policy that was used during decapsulation/will
	  be used during encapsulation.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_PHYSDEV
	tristate '"physdev" match support'
	depends on BRIDGE && BRIDGE_NETFILTER
	depends on NETFILTER_ADVANCED
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_PKTTYPE
	tristate '"pkttype" packet type match support'
	depends on NETFILTER_ADVANCED
	help
	  Packet type matching allows you to match a packet by
	  its "class", e.g. BROADCAST, MULTICAST, ...

	  Typical usage:
	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_QUOTA
	tristate '"quota" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `quota' match, which allows you to match on a
	  byte counter.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_RATEEST
	tristate '"rateest" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_RATEEST
	help
	  This option adds a `rateest' match, which allows you to match on the
	  rate estimated by the RATEEST target.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_REALM
	tristate '"realm" match support'
	depends on NETFILTER_ADVANCED
	select NET_CLS_ROUTE
	help
	  This option adds a `realm' match, which allows you to use the realm
	  key from the routing subsystem inside iptables.

	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
	  in tc world.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_RECENT
	tristate '"recent" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'
	  Official Website: <http://snowman.net/projects/ipt_recent/>

config NETFILTER_XT_MATCH_SCTP
	tristate '"sctp" protocol match support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	default IP_SCTP
	help
	  With this option enabled, you will be able to use the
	  `sctp' match in order to match on SCTP source/destination ports
	  and SCTP chunk types.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_SOCKET
	tristate '"socket" match support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_TPROXY
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DEFRAG_IPV4
	help
	  This option adds a `socket' match, which can be used to match
	  packets for which a TCP or UDP socket lookup finds a valid socket.
	  It can be used in combination with the MARK target and policy
	  routing to implement full featured non-locally bound sockets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STATE
	tristate '"state" match support'
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (i.e. previous packets). This
	  is a powerful tool for packet classification.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STATISTIC
	tristate '"statistic" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `statistic' match, which allows you to match
	  on packets periodically or randomly with a given percentage.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STRING
	tristate '"string" match support'
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	select TEXTSEARCH_BM
	select TEXTSEARCH_FSM
	help
	  This option adds a `string' match, which allows you to look for
	  patterns in packets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_TCPMSS
	tristate '"tcpmss" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS value of TCP SYN packets, which controls the maximum packet size
	  for that connection.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_TIME
	tristate '"time" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds a "time" match, which allows you to match based on
	  the packet arrival time (at the machine on which netfilter is
	  running) or departure time/date (for locally generated packets).

	  If you say Y here, try `iptables -m time --help` for
	  more information.

	  If you want to compile it as a module, say M here.
	  If unsure, say N.

config NETFILTER_XT_MATCH_U32
	tristate '"u32" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  u32 allows you to extract quantities of up to 4 bytes from a packet,
	  AND them with specified masks, shift them by specified amounts and
	  test whether the results are in any of a set of specified ranges.
	  The specification of what to extract is general enough to skip over
	  headers with lengths stored in the packet, as in IP or TCP header
	  lengths.

	  Details and examples are in the kernel module source.
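
The extract / mask / shift / range-test pipeline that the "u32" help text describes, as an added example that is not the kernel module's code nor part of this Kconfig: a small user-space evaluator for the iptables `-m u32 --u32 "..."` expression syntax, run against a constructed IPv4/TCP SYN packet. It shows how `0>>22&0x3C@...` skips a variable-length IP header and why a read past the end of a short packet must be a non-match rather than a memory read. The function names (`u32_match`, `fetch32`), the grammar subset handled and the sample bytes are this example's own assumptions; the expression syntax it parses is the real iptables one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* User-space evaluator for iptables "u32" expressions (added example, not
 * the kernel's xt_u32.c). Grammar handled:
 *   expr  := test { "&&" test }
 *   test  := num { "&" num | "<<" num | ">>" num | "@" num } "=" range { "," range }
 *   range := num [ ":" num ]
 * "@" adds the current value to a running base offset and re-fetches a
 * 32-bit word at base + num; that is how a header length read from the
 * packet becomes the offset of the next header. */

/* Fetch 4 bytes big-endian. Reading past the packet end is a non-match,
 * never an out-of-bounds access. */
static bool fetch32(const uint8_t *pkt, size_t len, size_t pos, uint32_t *out)
{
	if (pos > len || len - pos < 4)
		return false;
	*out = ((uint32_t)pkt[pos] << 24) | ((uint32_t)pkt[pos + 1] << 16) |
	       ((uint32_t)pkt[pos + 2] << 8) | pkt[pos + 3];
	return true;
}

/* Shifts of 32 or more are undefined in C; treat them as "all bits gone". */
static uint32_t shl(uint32_t v, unsigned long n) { return n >= 32 ? 0 : v << n; }
static uint32_t shr(uint32_t v, unsigned long n) { return n >= 32 ? 0 : v >> n; }

/* Evaluate one test starting at *p; on success advance *p past it. */
static bool u32_test(const uint8_t *pkt, size_t len, const char **p)
{
	const char *s = *p;
	char *end;
	size_t at = 0, pos = strtoul(s, &end, 0);
	uint32_t val;
	bool ok = false;

	s = end;
	if (!fetch32(pkt, len, at + pos, &val))
		return false;
	for (;;) {
		if (s[0] == '&')                      val &= (uint32_t)strtoul(s + 1, &end, 0);
		else if (s[0] == '<' && s[1] == '<') val = shl(val, strtoul(s + 2, &end, 0));
		else if (s[0] == '>' && s[1] == '>') val = shr(val, strtoul(s + 2, &end, 0));
		else if (s[0] == '@') {
			at += val;                        /* value becomes the new base offset */
			pos = strtoul(s + 1, &end, 0);
			if (!fetch32(pkt, len, at + pos, &val))
				return false;
		} else
			break;
		s = end;
	}
	if (*s++ != '=')
		return false; /* malformed expression: never matches */
	for (;;) {                                /* value must fall in any listed range */
		uint32_t lo = (uint32_t)strtoul(s, &end, 0), hi = lo;
		s = end;
		if (*s == ':') { hi = (uint32_t)strtoul(s + 1, &end, 0); s = end; }
		if (val >= lo && val <= hi)
			ok = true;
		if (*s != ',')
			break;
		s++;
	}
	*p = s;
	return ok;
}

/* True only if every "&&"-joined test matches the packet. */
bool u32_match(const uint8_t *pkt, size_t len, const char *expr)
{
	const char *p = expr;
	for (;;) {
		if (!u32_test(pkt, len, &p))
			return false;
		if (strncmp(p, "&&", 2) != 0)
			return *p == '\0';
		p += 2;
	}
}

/* Constructed sample: IPv4 192.168.1.10 -> 10.0.0.5 carrying a TCP SYN to
 * port 22 (20-byte IP header, 20-byte TCP header, checksums left zero). */
const uint8_t SAMPLE_SYN[40] = {
	0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
	0xc0, 0xa8, 0x01, 0x0a, 0x0a, 0x00, 0x00, 0x05,
	0xc3, 0x50, 0x00, 0x16, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
	0x50, 0x02, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
};

int main(void)
{
	/* protocol byte == 6 (TCP) and, past the IP header, TCP flags == SYN only */
	const char *tcp_syn = "6&0xFF=6&&0>>22&0x3C@12>>16&0xFF=0x2";
	printf("tcp_syn matches: %d\n", u32_match(SAMPLE_SYN, sizeof SAMPLE_SYN, tcp_syn));
	return 0;
}
```

Two points carry over to real rules: `&&` is a plain AND, so put the protocol test first so the header-relative tests are only reached for the protocol they assume, and any `@` or offset that lands beyond the packet makes the whole rule a non-match, which is the fail-closed behaviour you want when short or truncated packets are probing the filter.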

endif # NETFILTER_XTABLES

endmenu

source "net/netfilter/ipvs/Kconfig"