Root/net/netfilter/Kconfig

1menu "Core Netfilter Configuration"
2    depends on NET && INET && NETFILTER
3
4config NETFILTER_NETLINK
5    tristate
6
7config NETFILTER_NETLINK_QUEUE
8    tristate "Netfilter NFQUEUE over NFNETLINK interface"
9    depends on NETFILTER_ADVANCED
10    select NETFILTER_NETLINK
11    help
12      If this option is enabled, the kernel will include support
13      for queueing packets via NFNETLINK.
14      
15config NETFILTER_NETLINK_LOG
16    tristate "Netfilter LOG over NFNETLINK interface"
17    default m if NETFILTER_ADVANCED=n
18    select NETFILTER_NETLINK
19    help
20      If this option is enabled, the kernel will include support
21      for logging packets via NFNETLINK.
22
23      This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms,
24      and is also scheduled to replace the old syslog-based ipt_LOG
25      and ip6t_LOG modules.
26
27config NF_CONNTRACK
28    tristate "Netfilter connection tracking support"
29    default m if NETFILTER_ADVANCED=n
30    help
31      Connection tracking keeps a record of what packets have passed
32      through your machine, in order to figure out how they are related
33      into connections.
34
35      This is required to do Masquerading or other kinds of Network
36      Address Translation. It can also be used to enhance packet
37      filtering (see `Connection state match support' below).
38
39      To compile it as a module, choose M here. If unsure, say N.
40
41if NF_CONNTRACK
42
43config NF_CONNTRACK_MARK
44    bool 'Connection mark tracking support'
45    depends on NETFILTER_ADVANCED
46    help
47      This option enables support for connection marks, used by the
48      `CONNMARK' target and `connmark' match. Similar to the mark value
49      of packets, but this mark value is kept in the conntrack session
50      instead of the individual packets.
51
52config NF_CONNTRACK_SECMARK
53    bool 'Connection tracking security mark support'
54    depends on NETWORK_SECMARK
55    default m if NETFILTER_ADVANCED=n
56    help
57      This option enables security markings to be applied to
58      connections. Typically they are copied to connections from
59      packets using the CONNSECMARK target and copied back from
60      connections to packets with the same target, with the packets
61      being originally labeled via SECMARK.
62
63      If unsure, say 'N'.
64
65config NF_CONNTRACK_ZONES
66    bool 'Connection tracking zones'
67    depends on NETFILTER_ADVANCED
68    depends on NETFILTER_XT_TARGET_CT
69    help
70      This option enables support for connection tracking zones.
71      Normally, each connection needs to have a unique system wide
72      identity. Connection tracking zones allow to have multiple
73      connections using the same identity, as long as they are
74      contained in different zones.
75
76      If unsure, say `N'.
77
78config NF_CONNTRACK_EVENTS
79    bool "Connection tracking events"
80    depends on NETFILTER_ADVANCED
81    help
82      If this option is enabled, the connection tracking code will
83      provide a notifier chain that can be used by other kernel code
84      to get notified about changes in the connection tracking state.
85
86      If unsure, say `N'.
87
88config NF_CT_PROTO_DCCP
89    tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)'
90    depends on EXPERIMENTAL
91    depends on NETFILTER_ADVANCED
92    default IP_DCCP
93    help
94      With this option enabled, the layer 3 independent connection
95      tracking code will be able to do state tracking on DCCP connections.
96
97      If unsure, say 'N'.
98
99config NF_CT_PROTO_GRE
100    tristate
101
102config NF_CT_PROTO_SCTP
103    tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
104    depends on EXPERIMENTAL
105    depends on NETFILTER_ADVANCED
106    default IP_SCTP
107    help
108      With this option enabled, the layer 3 independent connection
109      tracking code will be able to do state tracking on SCTP connections.
110
111      If you want to compile it as a module, say M here and read
112      <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
113
114config NF_CT_PROTO_UDPLITE
115    tristate 'UDP-Lite protocol connection tracking support'
116    depends on NETFILTER_ADVANCED
117    help
118      With this option enabled, the layer 3 independent connection
119      tracking code will be able to do state tracking on UDP-Lite
120      connections.
121
122      To compile it as a module, choose M here. If unsure, say N.
123
124config NF_CONNTRACK_AMANDA
125    tristate "Amanda backup protocol support"
126    depends on NETFILTER_ADVANCED
127    select TEXTSEARCH
128    select TEXTSEARCH_KMP
129    help
130      If you are running the Amanda backup package <http://www.amanda.org/>
131      on this machine or machines that will be MASQUERADED through this
132      machine, then you may want to enable this feature. This allows the
133      connection tracking and natting code to allow the sub-channels that
134      Amanda requires for communication of the backup data, messages and
135      index.
136
137      To compile it as a module, choose M here. If unsure, say N.
138
139config NF_CONNTRACK_FTP
140    tristate "FTP protocol support"
141    default m if NETFILTER_ADVANCED=n
142    help
143      Tracking FTP connections is problematic: special helpers are
144      required for tracking them, and doing masquerading and other forms
145      of Network Address Translation on them.
146
147      This is FTP support on Layer 3 independent connection tracking.
148      Layer 3 independent connection tracking is experimental scheme
149      which generalize ip_conntrack to support other layer 3 protocols.
150
151      To compile it as a module, choose M here. If unsure, say N.
152
153config NF_CONNTRACK_H323
154    tristate "H.323 protocol support"
155    depends on (IPV6 || IPV6=n)
156    depends on NETFILTER_ADVANCED
157    help
158      H.323 is a VoIP signalling protocol from ITU-T. As one of the most
159      important VoIP protocols, it is widely used by voice hardware and
160      software including voice gateways, IP phones, Netmeeting, OpenPhone,
161      Gnomemeeting, etc.
162
163      With this module you can support H.323 on a connection tracking/NAT
164      firewall.
165
166      This module supports RAS, Fast Start, H.245 Tunnelling, Call
167      Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
168      whiteboard, file transfer, etc. For more information, please
169      visit http://nath323.sourceforge.net/.
170
171      To compile it as a module, choose M here. If unsure, say N.
172
173config NF_CONNTRACK_IRC
174    tristate "IRC protocol support"
175    default m if NETFILTER_ADVANCED=n
176    help
177      There is a commonly-used extension to IRC called
178      Direct Client-to-Client Protocol (DCC). This enables users to send
179      files to each other, and also chat to each other without the need
180      of a server. DCC Sending is used anywhere you send files over IRC,
181      and DCC Chat is most commonly used by Eggdrop bots. If you are
182      using NAT, this extension will enable you to send files and initiate
183      chats. Note that you do NOT need this extension to get files or
184      have others initiate chats, or everything else in IRC.
185
186      To compile it as a module, choose M here. If unsure, say N.
187
188config NF_CONNTRACK_NETBIOS_NS
189    tristate "NetBIOS name service protocol support"
190    depends on NETFILTER_ADVANCED
191    help
192      NetBIOS name service requests are sent as broadcast messages from an
193      unprivileged port and responded to with unicast messages to the
194      same port. This make them hard to firewall properly because connection
195      tracking doesn't deal with broadcasts. This helper tracks locally
196      originating NetBIOS name service requests and the corresponding
197      responses. It relies on correct IP address configuration, specifically
198      netmask and broadcast address. When properly configured, the output
199      of "ip address show" should look similar to this:
200
201      $ ip -4 address show eth0
202      4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
203          inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
204
205      To compile it as a module, choose M here. If unsure, say N.
206
207config NF_CONNTRACK_PPTP
208    tristate "PPtP protocol support"
209    depends on NETFILTER_ADVANCED
210    select NF_CT_PROTO_GRE
211    help
212      This module adds support for PPTP (Point to Point Tunnelling
213      Protocol, RFC2637) connection tracking and NAT.
214
215      If you are running PPTP sessions over a stateful firewall or NAT
216      box, you may want to enable this feature.
217
218      Please note that not all PPTP modes of operation are supported yet.
219      Specifically these limitations exist:
220        - Blindly assumes that control connections are always established
221          in PNS->PAC direction. This is a violation of RFC2637.
222        - Only supports a single call within each session
223
224      To compile it as a module, choose M here. If unsure, say N.
225
226config NF_CONNTRACK_SANE
227    tristate "SANE protocol support (EXPERIMENTAL)"
228    depends on EXPERIMENTAL
229    depends on NETFILTER_ADVANCED
230    help
231      SANE is a protocol for remote access to scanners as implemented
232      by the 'saned' daemon. Like FTP, it uses separate control and
233      data connections.
234
235      With this module you can support SANE on a connection tracking
236      firewall.
237
238      To compile it as a module, choose M here. If unsure, say N.
239
240config NF_CONNTRACK_SIP
241    tristate "SIP protocol support"
242    default m if NETFILTER_ADVANCED=n
243    help
244      SIP is an application-layer control protocol that can establish,
245      modify, and terminate multimedia sessions (conferences) such as
246      Internet telephony calls. With the ip_conntrack_sip and
247      the nf_nat_sip modules you can support the protocol on a connection
248      tracking/NATing firewall.
249
250      To compile it as a module, choose M here. If unsure, say N.
251
252config NF_CONNTRACK_TFTP
253    tristate "TFTP protocol support"
254    depends on NETFILTER_ADVANCED
255    help
256      TFTP connection tracking helper, this is required depending
257      on how restrictive your ruleset is.
258      If you are using a tftp client behind -j SNAT or -j MASQUERADING
259      you will need this.
260
261      To compile it as a module, choose M here. If unsure, say N.
262
263config NF_CT_NETLINK
264    tristate 'Connection tracking netlink interface'
265    select NETFILTER_NETLINK
266    default m if NETFILTER_ADVANCED=n
267    help
268      This option enables support for a netlink-based userspace interface
269
270endif # NF_CONNTRACK
271
272# transparent proxy support
273config NETFILTER_TPROXY
274    tristate "Transparent proxying support (EXPERIMENTAL)"
275    depends on EXPERIMENTAL
276    depends on IP_NF_MANGLE
277    depends on NETFILTER_ADVANCED
278    help
279      This option enables transparent proxying support, that is,
280      support for handling non-locally bound IPv4 TCP and UDP sockets.
281      For it to work you will have to configure certain iptables rules
282      and use policy routing. For more information on how to set it up
283      see Documentation/networking/tproxy.txt.
284
285      To compile it as a module, choose M here. If unsure, say N.
286
287config NETFILTER_XTABLES
288    tristate "Netfilter Xtables support (required for ip_tables)"
289    default m if NETFILTER_ADVANCED=n
290    help
291      This is required if you intend to use any of ip_tables,
292      ip6_tables or arp_tables.
293
294if NETFILTER_XTABLES
295
296comment "Xtables combined modules"
297
298config NETFILTER_XT_MARK
299    tristate 'nfmark target and match support'
300    default m if NETFILTER_ADVANCED=n
301    ---help---
302    This option adds the "MARK" target and "mark" match.
303
304    Netfilter mark matching allows you to match packets based on the
305    "nfmark" value in the packet.
306    The target allows you to create rules in the "mangle" table which alter
307    the netfilter mark (nfmark) field associated with the packet.
308
309    Prior to routing, the nfmark can influence the routing method (see
310    "Use netfilter MARK value as routing key") and can also be used by
311    other subsystems to change their behavior.
312
313config NETFILTER_XT_CONNMARK
314    tristate 'ctmark target and match support'
315    depends on NF_CONNTRACK
316    depends on NETFILTER_ADVANCED
317    select NF_CONNTRACK_MARK
318    ---help---
319    This option adds the "CONNMARK" target and "connmark" match.
320
321    Netfilter allows you to store a mark value per connection (a.k.a.
322    ctmark), similarly to the packet mark (nfmark). Using this
323    target and match, you can set and match on this mark.
324
325# alphabetically ordered list of targets
326
327comment "Xtables targets"
328
329config NETFILTER_XT_TARGET_CHECKSUM
330    tristate "CHECKSUM target support"
331    depends on IP_NF_MANGLE || IP6_NF_MANGLE
332    depends on NETFILTER_ADVANCED
333    ---help---
334      This option adds a `CHECKSUM' target, which can be used in the iptables mangle
335      table.
336
337      You can use this target to compute and fill in the checksum in
338      a packet that lacks a checksum. This is particularly useful,
339      if you need to work around old applications such as dhcp clients,
340      that do not work well with checksum offloads, but don't want to disable
341      checksum offload in your device.
342
343      To compile it as a module, choose M here. If unsure, say N.
344
345config NETFILTER_XT_TARGET_CLASSIFY
346    tristate '"CLASSIFY" target support'
347    depends on NETFILTER_ADVANCED
348    help
349      This option adds a `CLASSIFY' target, which enables the user to set
350      the priority of a packet. Some qdiscs can use this value for
351      classification, among these are:
352
353        atm, cbq, dsmark, pfifo_fast, htb, prio
354
355      To compile it as a module, choose M here. If unsure, say N.
356
357config NETFILTER_XT_TARGET_CONNMARK
358    tristate '"CONNMARK" target support'
359    depends on NF_CONNTRACK
360    depends on NETFILTER_ADVANCED
361    select NETFILTER_XT_CONNMARK
362    ---help---
363    This is a backwards-compat option for the user's convenience
364    (e.g. when running oldconfig). It selects
365    CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
366
367config NETFILTER_XT_TARGET_CONNSECMARK
368    tristate '"CONNSECMARK" target support'
369    depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
370    default m if NETFILTER_ADVANCED=n
371    help
372      The CONNSECMARK target copies security markings from packets
373      to connections, and restores security markings from connections
374      to packets (if the packets are not already marked). This would
375      normally be used in conjunction with the SECMARK target.
376
377      To compile it as a module, choose M here. If unsure, say N.
378
379config NETFILTER_XT_TARGET_CT
380    tristate '"CT" target support'
381    depends on NF_CONNTRACK
382    depends on IP_NF_RAW || IP6_NF_RAW
383    depends on NETFILTER_ADVANCED
384    help
385      This options adds a `CT' target, which allows to specify initial
386      connection tracking parameters like events to be delivered and
387      the helper to be used.
388
389      To compile it as a module, choose M here. If unsure, say N.
390
391config NETFILTER_XT_TARGET_DSCP
392    tristate '"DSCP" and "TOS" target support'
393    depends on IP_NF_MANGLE || IP6_NF_MANGLE
394    depends on NETFILTER_ADVANCED
395    help
396      This option adds a `DSCP' target, which allows you to manipulate
397      the IPv4/IPv6 header DSCP field (differentiated services codepoint).
398
399      The DSCP field can have any value between 0x0 and 0x3f inclusive.
400
401      It also adds the "TOS" target, which allows you to create rules in
402      the "mangle" table which alter the Type Of Service field of an IPv4
403      or the Priority field of an IPv6 packet, prior to routing.
404
405      To compile it as a module, choose M here. If unsure, say N.
406
407config NETFILTER_XT_TARGET_HL
408    tristate '"HL" hoplimit target support'
409    depends on IP_NF_MANGLE || IP6_NF_MANGLE
410    depends on NETFILTER_ADVANCED
411    ---help---
412    This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
413    targets, which enable the user to change the
414    hoplimit/time-to-live value of the IP header.
415
416    While it is safe to decrement the hoplimit/TTL value, the
417    modules also allow to increment and set the hoplimit value of
418    the header to arbitrary values. This is EXTREMELY DANGEROUS
419    since you can easily create immortal packets that loop
420    forever on the network.
421
422config NETFILTER_XT_TARGET_IDLETIMER
423    tristate "IDLETIMER target support"
424    depends on NETFILTER_ADVANCED
425    help
426
427      This option adds the `IDLETIMER' target. Each matching packet
428      resets the timer associated with label specified when the rule is
429      added. When the timer expires, it triggers a sysfs notification.
430      The remaining time for expiration can be read via sysfs.
431
432      To compile it as a module, choose M here. If unsure, say N.
433
434config NETFILTER_XT_TARGET_LED
435    tristate '"LED" target support'
436    depends on LEDS_CLASS && LEDS_TRIGGERS
437    depends on NETFILTER_ADVANCED
438    help
439      This option adds a `LED' target, which allows you to blink LEDs in
440      response to particular packets passing through your machine.
441
442      This can be used to turn a spare LED into a network activity LED,
443      which only flashes in response to FTP transfers, for example. Or
444      you could have an LED which lights up for a minute or two every time
445      somebody connects to your machine via SSH.
446
447      You will need support for the "led" class to make this work.
448
449      To create an LED trigger for incoming SSH traffic:
450        iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
451
452      Then attach the new trigger to an LED on your system:
453        echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
454
455      For more information on the LEDs available on your system, see
456      Documentation/leds-class.txt
457
458config NETFILTER_XT_TARGET_MARK
459    tristate '"MARK" target support'
460    depends on NETFILTER_ADVANCED
461    select NETFILTER_XT_MARK
462    ---help---
463    This is a backwards-compat option for the user's convenience
464    (e.g. when running oldconfig). It selects
465    CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
466
467config NETFILTER_XT_TARGET_NFLOG
468    tristate '"NFLOG" target support'
469    default m if NETFILTER_ADVANCED=n
470    select NETFILTER_NETLINK_LOG
471    help
472      This option enables the NFLOG target, which allows to LOG
473      messages through nfnetlink_log.
474
475      To compile it as a module, choose M here. If unsure, say N.
476
477config NETFILTER_XT_TARGET_NFQUEUE
478    tristate '"NFQUEUE" target Support'
479    depends on NETFILTER_ADVANCED
480    help
481      This target replaced the old obsolete QUEUE target.
482
483      As opposed to QUEUE, it supports 65535 different queues,
484      not just one.
485
486      To compile it as a module, choose M here. If unsure, say N.
487
488config NETFILTER_XT_TARGET_NOTRACK
489    tristate '"NOTRACK" target support'
490    depends on IP_NF_RAW || IP6_NF_RAW
491    depends on NF_CONNTRACK
492    depends on NETFILTER_ADVANCED
493    help
494      The NOTRACK target allows a select rule to specify
495      which packets *not* to enter the conntrack/NAT
496      subsystem with all the consequences (no ICMP error tracking,
497      no protocol helpers for the selected packets).
498
499      If you want to compile it as a module, say M here and read
500      <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
501
502config NETFILTER_XT_TARGET_RATEEST
503    tristate '"RATEEST" target support'
504    depends on NETFILTER_ADVANCED
505    help
506      This option adds a `RATEEST' target, which allows to measure
507      rates similar to TC estimators. The `rateest' match can be
508      used to match on the measured rates.
509
510      To compile it as a module, choose M here. If unsure, say N.
511
512config NETFILTER_XT_TARGET_TEE
513    tristate '"TEE" - packet cloning to alternate destination'
514    depends on NETFILTER_ADVANCED
515    depends on (IPV6 || IPV6=n)
516    depends on !NF_CONNTRACK || NF_CONNTRACK
517    ---help---
518    This option adds a "TEE" target with which a packet can be cloned and
519    this clone be rerouted to another nexthop.
520
521config NETFILTER_XT_TARGET_TPROXY
522    tristate '"TPROXY" target support (EXPERIMENTAL)'
523    depends on EXPERIMENTAL
524    depends on NETFILTER_TPROXY
525    depends on NETFILTER_XTABLES
526    depends on NETFILTER_ADVANCED
527    select NF_DEFRAG_IPV4
528    help
529      This option adds a `TPROXY' target, which is somewhat similar to
530      REDIRECT. It can only be used in the mangle table and is useful
531      to redirect traffic to a transparent proxy. It does _not_ depend
532      on Netfilter connection tracking and NAT, unlike REDIRECT.
533
534      To compile it as a module, choose M here. If unsure, say N.
535
536config NETFILTER_XT_TARGET_TRACE
537    tristate '"TRACE" target support'
538    depends on IP_NF_RAW || IP6_NF_RAW
539    depends on NETFILTER_ADVANCED
540    help
541      The TRACE target allows you to mark packets so that the kernel
542      will log every rule which match the packets as those traverse
543      the tables, chains, rules.
544
545      If you want to compile it as a module, say M here and read
546      <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
547
548config NETFILTER_XT_TARGET_SECMARK
549    tristate '"SECMARK" target support'
550    depends on NETWORK_SECMARK
551    default m if NETFILTER_ADVANCED=n
552    help
553      The SECMARK target allows security marking of network
554      packets, for use with security subsystems.
555
556      To compile it as a module, choose M here. If unsure, say N.
557
558config NETFILTER_XT_TARGET_TCPMSS
559    tristate '"TCPMSS" target support'
560    depends on (IPV6 || IPV6=n)
561    default m if NETFILTER_ADVANCED=n
562    ---help---
563      This option adds a `TCPMSS' target, which allows you to alter the
564      MSS value of TCP SYN packets, to control the maximum size for that
565      connection (usually limiting it to your outgoing interface's MTU
566      minus 40).
567
568      This is used to overcome criminally braindead ISPs or servers which
569      block ICMP Fragmentation Needed packets. The symptoms of this
570      problem are that everything works fine from your Linux
571      firewall/router, but machines behind it can never exchange large
572      packets:
573            1) Web browsers connect, then hang with no data received.
574            2) Small mail works fine, but large emails hang.
575            3) ssh works fine, but scp hangs after initial handshaking.
576
577      Workaround: activate this option and add a rule to your firewall
578      configuration like:
579
580      iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
581                     -j TCPMSS --clamp-mss-to-pmtu
582
583      To compile it as a module, choose M here. If unsure, say N.
584
585config NETFILTER_XT_TARGET_TCPOPTSTRIP
586    tristate '"TCPOPTSTRIP" target support (EXPERIMENTAL)'
587    depends on EXPERIMENTAL
588    depends on IP_NF_MANGLE || IP6_NF_MANGLE
589    depends on NETFILTER_ADVANCED
590    help
591      This option adds a "TCPOPTSTRIP" target, which allows you to strip
592      TCP options from TCP packets.
593
594# alphabetically ordered list of matches
595
596comment "Xtables matches"
597
598config NETFILTER_XT_MATCH_CLUSTER
599    tristate '"cluster" match support'
600    depends on NF_CONNTRACK
601    depends on NETFILTER_ADVANCED
602    ---help---
603      This option allows you to build work-load-sharing clusters of
604      network servers/stateful firewalls without having a dedicated
605      load-balancing router/server/switch. Basically, this match returns
606      true when the packet must be handled by this cluster node. Thus,
607      all nodes see all packets and this match decides which node handles
608      what packets. The work-load sharing algorithm is based on source
609      address hashing.
610
611      If you say Y or M here, try `iptables -m cluster --help` for
612      more information.
613
614config NETFILTER_XT_MATCH_COMMENT
615    tristate '"comment" match support'
616    depends on NETFILTER_ADVANCED
617    help
618      This option adds a `comment' dummy-match, which allows you to put
619      comments in your iptables ruleset.
620
621      If you want to compile it as a module, say M here and read
622      <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
623
624config NETFILTER_XT_MATCH_CONNBYTES
625    tristate '"connbytes" per-connection counter match support'
626    depends on NF_CONNTRACK
627    depends on NETFILTER_ADVANCED
628    help
629      This option adds a `connbytes' match, which allows you to match the
630      number of bytes and/or packets for each direction within a connection.
631
632      If you want to compile it as a module, say M here and read
633      <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
634
635config NETFILTER_XT_MATCH_CONNLIMIT
636    tristate '"connlimit" match support"'
637    depends on NF_CONNTRACK
638    depends on NETFILTER_ADVANCED
639    ---help---
640      This match allows you to match against the number of parallel
641      connections to a server per client IP address (or address block).
642
643config NETFILTER_XT_MATCH_CONNMARK
644    tristate '"connmark" connection mark match support'
645    depends on NF_CONNTRACK
646    depends on NETFILTER_ADVANCED
647    select NETFILTER_XT_CONNMARK
648    ---help---
649    This is a backwards-compat option for the user's convenience
650    (e.g. when running oldconfig). It selects
651    CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
652
653config NETFILTER_XT_MATCH_CONNTRACK
654    tristate '"conntrack" connection tracking match support'
655    depends on NF_CONNTRACK
656    default m if NETFILTER_ADVANCED=n
657    help
658      This is a general conntrack match module, a superset of the state match.
659
660      It allows matching on additional conntrack information, which is
661      useful in complex configurations, such as NAT gateways with multiple
662      internet links or tunnels.
663
664      To compile it as a module, choose M here. If unsure, say N.
665
666config NETFILTER_XT_MATCH_CPU
667    tristate '"cpu" match support'
668    depends on NETFILTER_ADVANCED
669    help
670      CPU matching allows you to match packets based on the CPU
671      currently handling the packet.
672
673      To compile it as a module, choose M here. If unsure, say N.
674
675config NETFILTER_XT_MATCH_DCCP
676    tristate '"dccp" protocol match support'
677    depends on NETFILTER_ADVANCED
678    default IP_DCCP
679    help
680      With this option enabled, you will be able to use the iptables
681      `dccp' match in order to match on DCCP source/destination ports
682      and DCCP flags.
683
684      If you want to compile it as a module, say M here and read
685      <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
686
687config NETFILTER_XT_MATCH_DSCP
688    tristate '"dscp" and "tos" match support'
689    depends on NETFILTER_ADVANCED
690    help
691      This option adds a `DSCP' match, which allows you to match against
692      the IPv4/IPv6 header DSCP field (differentiated services codepoint).
693
694      The DSCP field can have any value between 0x0 and 0x3f inclusive.
695
696      It will also add a "tos" match, which allows you to match packets
697      based on the Type Of Service fields of the IPv4 packet (which share
698      the same bits as DSCP).
699
700      To compile it as a module, choose M here. If unsure, say N.
701
702config NETFILTER_XT_MATCH_ESP
703    tristate '"esp" match support'
704    depends on NETFILTER_ADVANCED
705    help
706      This match extension allows you to match a range of SPIs
707      inside ESP header of IPSec packets.
708
709      To compile it as a module, choose M here. If unsure, say N.
710
711config NETFILTER_XT_MATCH_HASHLIMIT
712    tristate '"hashlimit" match support'
713    depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
714    depends on NETFILTER_ADVANCED
715    help
716      This option adds a `hashlimit' match.
717
718      As opposed to `limit', this match dynamically creates a hash table
719      of limit buckets, based on your selection of source/destination
720      addresses and/or ports.
721
722      It enables you to express policies like `10kpps for any given
723      destination address' or `500pps from any given source address'
724      with a single rule.
725
726config NETFILTER_XT_MATCH_HELPER
727    tristate '"helper" match support'
728    depends on NF_CONNTRACK
729    depends on NETFILTER_ADVANCED
730    help
731      Helper matching allows you to match packets in dynamic connections
732      tracked by a conntrack-helper, ie. ip_conntrack_ftp
733
734      To compile it as a module, choose M here. If unsure, say Y.
735
736config NETFILTER_XT_MATCH_HL
737    tristate '"hl" hoplimit/TTL match support'
738    depends on NETFILTER_ADVANCED
739    ---help---
740    HL matching allows you to match packets based on the hoplimit
741    in the IPv6 header, or the time-to-live field in the IPv4
742    header of the packet.
743
744config NETFILTER_XT_MATCH_IPRANGE
745    tristate '"iprange" address range match support'
746    depends on NETFILTER_ADVANCED
747    ---help---
748    This option adds a "iprange" match, which allows you to match based on
749    an IP address range. (Normal iptables only matches on single addresses
750    with an optional mask.)
751
752    If unsure, say M.
753
754config NETFILTER_XT_MATCH_IPVS
755    tristate '"ipvs" match support'
756    depends on IP_VS
757    depends on NETFILTER_ADVANCED
758    depends on NF_CONNTRACK
759    help
760      This option allows you to match against IPVS properties of a packet.
761
762      If unsure, say N.
763
764config NETFILTER_XT_MATCH_LENGTH
765    tristate '"length" match support'
766    depends on NETFILTER_ADVANCED
767    help
768      This option allows you to match the length of a packet against a
769      specific value or range of values.
770
771      To compile it as a module, choose M here. If unsure, say N.
772
773config NETFILTER_XT_MATCH_LIMIT
774    tristate '"limit" match support'
775    depends on NETFILTER_ADVANCED
776    help
777      limit matching allows you to control the rate at which a rule can be
778      matched: mainly useful in combination with the LOG target ("LOG
779      target support", below) and to avoid some Denial of Service attacks.
780
781      To compile it as a module, choose M here. If unsure, say N.
782
783config NETFILTER_XT_MATCH_MAC
784    tristate '"mac" address match support'
785    depends on NETFILTER_ADVANCED
786    help
787      MAC matching allows you to match packets based on the source
788      Ethernet address of the packet.
789
790      To compile it as a module, choose M here. If unsure, say N.
791
792config NETFILTER_XT_MATCH_MARK
793    tristate '"mark" match support'
794    depends on NETFILTER_ADVANCED
795    select NETFILTER_XT_MARK
796    ---help---
797    This is a backwards-compat option for the user's convenience
798    (e.g. when running oldconfig). It selects
799    CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
800
801config NETFILTER_XT_MATCH_MULTIPORT
802    tristate '"multiport" Multiple port match support'
803    depends on NETFILTER_ADVANCED
804    help
805      Multiport matching allows you to match TCP or UDP packets based on
806      a series of source or destination ports: normally a rule can only
807      match a single range of ports.
808
809      To compile it as a module, choose M here. If unsure, say N.
810
811config NETFILTER_XT_MATCH_OSF
812    tristate '"osf" Passive OS fingerprint match'
813    depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
814    help
815      This option selects the Passive OS Fingerprinting match module
816      that allows to passively match the remote operating system by
817      analyzing incoming TCP SYN packets.
818
819      Rules and loading software can be downloaded from
820      http://www.ioremap.net/projects/osf
821
822      To compile it as a module, choose M here. If unsure, say N.
823
824config NETFILTER_XT_MATCH_OWNER
825    tristate '"owner" match support'
826    depends on NETFILTER_ADVANCED
827    ---help---
828    Socket owner matching allows you to match locally-generated packets
829    based on who created the socket: the user or group. It is also
830    possible to check whether a socket actually exists.
831
832config NETFILTER_XT_MATCH_POLICY
833    tristate 'IPsec "policy" match support'
834    depends on XFRM
835    default m if NETFILTER_ADVANCED=n
836    help
837      Policy matching allows you to match packets based on the
838      IPsec policy that was used during decapsulation/will
839      be used during encapsulation.
840
841      To compile it as a module, choose M here. If unsure, say N.
842
843config NETFILTER_XT_MATCH_PHYSDEV
844    tristate '"physdev" match support'
845    depends on BRIDGE && BRIDGE_NETFILTER
846    depends on NETFILTER_ADVANCED
847    help
848      Physdev packet matching matches against the physical bridge ports
849      the IP packet arrived on or will leave by.
850
851      To compile it as a module, choose M here. If unsure, say N.
852
853config NETFILTER_XT_MATCH_PKTTYPE
854    tristate '"pkttype" packet type match support'
855    depends on NETFILTER_ADVANCED
856    help
857      Packet type matching allows you to match a packet by
858      its "class", eg. BROADCAST, MULTICAST, ...
859
860      Typical usage:
861      iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
862
863      To compile it as a module, choose M here. If unsure, say N.
864
865config NETFILTER_XT_MATCH_QUOTA
866    tristate '"quota" match support'
867    depends on NETFILTER_ADVANCED
868    help
869      This option adds a `quota' match, which allows to match on a
870      byte counter.
871
872      If you want to compile it as a module, say M here and read
873      <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
874
875config NETFILTER_XT_MATCH_RATEEST
876    tristate '"rateest" match support'
877    depends on NETFILTER_ADVANCED
878    select NETFILTER_XT_TARGET_RATEEST
879    help
880      This option adds a `rateest' match, which allows to match on the
881      rate estimated by the RATEEST target.
882
883      To compile it as a module, choose M here. If unsure, say N.
884
885config NETFILTER_XT_MATCH_REALM
886    tristate '"realm" match support'
887    depends on NETFILTER_ADVANCED
888    select NET_CLS_ROUTE
889    help
890      This option adds a `realm' match, which allows you to use the realm
891      key from the routing subsystem inside iptables.
892
893      This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
894      in tc world.
895
896      If you want to compile it as a module, say M here and read
897      <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
898
899config NETFILTER_XT_MATCH_RECENT
900    tristate '"recent" match support'
901    depends on NETFILTER_ADVANCED
902    ---help---
903    This match is used for creating one or many lists of recently
904    used addresses and then matching against that/those list(s).
905
906    Short options are available by using 'iptables -m recent -h'
907    Official Website: <http://snowman.net/projects/ipt_recent/>
908
909config NETFILTER_XT_MATCH_SCTP
910    tristate '"sctp" protocol match support (EXPERIMENTAL)'
911    depends on EXPERIMENTAL
912    depends on NETFILTER_ADVANCED
913    default IP_SCTP
914    help
915      With this option enabled, you will be able to use the
916      `sctp' match in order to match on SCTP source/destination ports
917      and SCTP chunk types.
918
919      If you want to compile it as a module, say M here and read
920      <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
921
922config NETFILTER_XT_MATCH_SOCKET
923    tristate '"socket" match support (EXPERIMENTAL)'
924    depends on EXPERIMENTAL
925    depends on NETFILTER_TPROXY
926    depends on NETFILTER_XTABLES
927    depends on NETFILTER_ADVANCED
928    depends on !NF_CONNTRACK || NF_CONNTRACK
929    select NF_DEFRAG_IPV4
930    help
931      This option adds a `socket' match, which can be used to match
932      packets for which a TCP or UDP socket lookup finds a valid socket.
933      It can be used in combination with the MARK target and policy
934      routing to implement full featured non-locally bound sockets.
935
936      To compile it as a module, choose M here. If unsure, say N.
937
938config NETFILTER_XT_MATCH_STATE
939    tristate '"state" match support'
940    depends on NF_CONNTRACK
941    default m if NETFILTER_ADVANCED=n
942    help
943      Connection state matching allows you to match packets based on their
944      relationship to a tracked connection (ie. previous packets). This
945      is a powerful tool for packet classification.
946
947      To compile it as a module, choose M here. If unsure, say N.
948
949config NETFILTER_XT_MATCH_STATISTIC
950    tristate '"statistic" match support'
951    depends on NETFILTER_ADVANCED
952    help
953      This option adds a `statistic' match, which allows you to match
954      on packets periodically or randomly with a given percentage.
955
956      To compile it as a module, choose M here. If unsure, say N.
957
958config NETFILTER_XT_MATCH_STRING
959    tristate '"string" match support'
960    depends on NETFILTER_ADVANCED
961    select TEXTSEARCH
962    select TEXTSEARCH_KMP
963    select TEXTSEARCH_BM
964    select TEXTSEARCH_FSM
965    help
966      This option adds a `string' match, which allows you to look for
967      pattern matchings in packets.
968
969      To compile it as a module, choose M here. If unsure, say N.
970
971config NETFILTER_XT_MATCH_TCPMSS
972    tristate '"tcpmss" match support'
973    depends on NETFILTER_ADVANCED
974    help
975      This option adds a `tcpmss' match, which allows you to examine the
976      MSS value of TCP SYN packets, which control the maximum packet size
977      for that connection.
978
979      To compile it as a module, choose M here. If unsure, say N.
980
981config NETFILTER_XT_MATCH_TIME
982    tristate '"time" match support'
983    depends on NETFILTER_ADVANCED
984    ---help---
985      This option adds a "time" match, which allows you to match based on
986      the packet arrival time (at the machine which netfilter is running)
987      on) or departure time/date (for locally generated packets).
988
989      If you say Y here, try `iptables -m time --help` for
990      more information.
991
992      If you want to compile it as a module, say M here.
993      If unsure, say N.
994
995config NETFILTER_XT_MATCH_U32
996    tristate '"u32" match support'
997    depends on NETFILTER_ADVANCED
998    ---help---
999      u32 allows you to extract quantities of up to 4 bytes from a packet,
1000      AND them with specified masks, shift them by specified amounts and
1001      test whether the results are in any of a set of specified ranges.
1002      The specification of what to extract is general enough to skip over
1003      headers with lengths stored in the packet, as in IP or TCP header
1004      lengths.
1005
1006      Details and examples are in the kernel module source.
1007
1008endif # NETFILTER_XTABLES
1009
1010endmenu
1011
1012source "net/netfilter/ipvs/Kconfig"
1013

Archive Download this file



interactive