menu "Core Netfilter Configuration"
	depends on NET && INET && NETFILTER

config NETFILTER_NETLINK
	tristate

config NETFILTER_NETLINK_QUEUE
	tristate "Netfilter NFQUEUE over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for queueing packets via NFNETLINK.

config NETFILTER_NETLINK_LOG
	tristate "Netfilter LOG over NFNETLINK interface"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for logging packets via NFNETLINK.

	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
	  and is also scheduled to replace the old syslog-based ipt_LOG
	  and ip6t_LOG modules.

config NF_CONNTRACK
	tristate "Netfilter connection tracking support"
	default m if NETFILTER_ADVANCED=n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  to connections.

	  This is required to do Masquerading or other kinds of Network
	  Address Translation. It can also be used to enhance packet
	  filtering (see `Connection state match support' below).

	  To compile it as a module, choose M here. If unsure, say N.

if NF_CONNTRACK

config NF_CT_ACCT
	bool "Connection tracking flow accounting"
	depends on NETFILTER_ADVANCED
	help
	  If this option is enabled, the connection tracking code will
	  keep per-flow packet and byte counters.

	  Those counters can be used for flow-based accounting or the
	  `connbytes' match.

	  Please note that currently this option only sets a default state.
	  You may change it at boot time with the nf_conntrack.acct=0/1 kernel
	  parameter or by loading the nf_conntrack module with acct=0/1.

	  You may also disable/enable it on a running system with:
	    sysctl net.netfilter.nf_conntrack_acct=0/1

	  This option will be removed in 2.6.29.

	  If unsure, say `N'.

config NF_CONNTRACK_MARK
	bool 'Connection mark tracking support'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match. Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config NF_CONNTRACK_SECMARK
	bool 'Connection tracking security mark support'
	depends on NETWORK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables security markings to be applied to
	  connections. Typically they are copied to connections from
	  packets using the CONNSECMARK target and copied back from
	  connections to packets with the same target, with the packets
	  being originally labeled via SECMARK.

	  If unsure, say 'N'.

config NF_CONNTRACK_ZONES
	bool 'Connection tracking zones'
	depends on NETFILTER_ADVANCED
	depends on NETFILTER_XT_TARGET_CT
	help
	  This option enables support for connection tracking zones.
	  Normally, each connection needs to have a unique system-wide
	  identity. Connection tracking zones allow you to have multiple
	  connections using the same identity, as long as they are
	  contained in different zones.

	  If unsure, say `N'.

config NF_CONNTRACK_EVENTS
	bool "Connection tracking events"
	depends on NETFILTER_ADVANCED
	help
	  If this option is enabled, the connection tracking code will
	  provide a notifier chain that can be used by other kernel code
	  to get notified about changes in the connection tracking state.

	  If unsure, say `N'.

config NF_CT_PROTO_DCCP
	tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	default IP_DCCP
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on DCCP connections.

	  If unsure, say 'N'.

config NF_CT_PROTO_GRE
	tristate

config NF_CT_PROTO_SCTP
	tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	default IP_SCTP
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on SCTP connections.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NF_CT_PROTO_UDPLITE
	tristate 'UDP-Lite protocol connection tracking support'
	depends on NETFILTER_ADVANCED
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on UDP-Lite
	  connections.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_AMANDA
	tristate "Amanda backup protocol support"
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature. This allows the
	  connection tracking and NAT code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and
	  index.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_FTP
	tristate "FTP protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them.

	  This is FTP support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_H323
	tristate "H.323 protocol support"
	depends on (IPV6 || IPV6=n)
	depends on NETFILTER_ADVANCED
	help
	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
	  important VoIP protocols, it is widely used by voice hardware and
	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
	  Gnomemeeting, etc.

	  With this module you can support H.323 on a connection tracking/NAT
	  firewall.

	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
	  whiteboard, file transfer, etc. For more information, please
	  visit http://nath323.sourceforge.net/.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_IRC
	tristate "IRC protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC). This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server. DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots. If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats. Note that you do NOT need this extension to get files or
	  have others initiate chats, or for everything else in IRC.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_NETBIOS_NS
	tristate "NetBIOS name service protocol support"
	depends on NETFILTER_ADVANCED
	help
	  NetBIOS name service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating NetBIOS name service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address. When properly configured, the output
	  of "ip address show" should look similar to this:

	  $ ip -4 address show eth0
	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_PPTP
	tristate "PPtP protocol support"
	depends on NETFILTER_ADVANCED
	select NF_CT_PROTO_GRE
	help
	  This module adds support for PPTP (Point to Point Tunnelling
	  Protocol, RFC2637) connection tracking and NAT.

	  If you are running PPTP sessions over a stateful firewall or NAT
	  box, you may want to enable this feature.

	  Please note that not all PPTP modes of operation are supported yet.
	  Specifically these limitations exist:
	    - Blindly assumes that control connections are always established
	      in PNS->PAC direction. This is a violation of RFC2637.
	    - Only supports a single call within each session

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SANE
	tristate "SANE protocol support (EXPERIMENTAL)"
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	help
	  SANE is a protocol for remote access to scanners as implemented
	  by the 'saned' daemon. Like FTP, it uses separate control and
	  data connections.

	  With this module you can support SANE on a connection tracking
	  firewall.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SIP
	tristate "SIP protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  SIP is an application-layer control protocol that can establish,
	  modify, and terminate multimedia sessions (conferences) such as
	  Internet telephony calls. With the ip_conntrack_sip and
	  the nf_nat_sip modules you can support the protocol on a connection
	  tracking/NATing firewall.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_TFTP
	tristate "TFTP protocol support"
	depends on NETFILTER_ADVANCED
	help
	  TFTP connection tracking helper; whether it is required depends
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADING
	  you will need this.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CT_NETLINK
	tristate 'Connection tracking netlink interface'
	select NETFILTER_NETLINK
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables support for a netlink-based userspace interface

endif # NF_CONNTRACK

# transparent proxy support
config NETFILTER_TPROXY
	tristate "Transparent proxying support (EXPERIMENTAL)"
	depends on EXPERIMENTAL
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option enables transparent proxying support, that is,
	  support for handling non-locally bound IPv4 TCP and UDP sockets.
	  For it to work you will have to configure certain iptables rules
	  and use policy routing. For more information on how to set it up
	  see Documentation/networking/tproxy.txt.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XTABLES
	tristate "Netfilter Xtables support (required for ip_tables)"
	default m if NETFILTER_ADVANCED=n
	help
	  This is required if you intend to use any of ip_tables,
	  ip6_tables or arp_tables.

if NETFILTER_XTABLES

# alphabetically ordered list of targets

config NETFILTER_XT_TARGET_CLASSIFY
	tristate '"CLASSIFY" target support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet. Some qdiscs can use this value for
	  classification, among these are:

	    atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CONNMARK
	tristate '"CONNMARK" target support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  This option adds a `CONNMARK' target, which allows one to manipulate
	  the connection mark value. Similar to the MARK target, but
	  affects the connection mark value rather than the packet mark value.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. The module will be called
	  ipt_CONNMARK. If unsure, say `N'.

config NETFILTER_XT_TARGET_CONNSECMARK
	tristate '"CONNSECMARK" target support'
	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The CONNSECMARK target copies security markings from packets
	  to connections, and restores security markings from connections
	  to packets (if the packets are not already marked). This would
	  normally be used in conjunction with the SECMARK target.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CT
	tristate '"CT" target support'
	depends on NF_CONNTRACK
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CT' target, which allows you to specify initial
	  connection tracking parameters like events to be delivered and
	  the helper to be used.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_DSCP
	tristate '"DSCP" and "TOS" target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' target, which allows you to manipulate
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It also adds the "TOS" target, which allows you to create rules in
	  the "mangle" table which alter the Type Of Service field of an IPv4
	  or the Priority field of an IPv6 packet, prior to routing.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
	  targets, which enable the user to change the
	  hoplimit/time-to-live value of the IP header.

	  While it is safe to decrement the hoplimit/TTL value, the
	  modules also allow you to increment and set the hoplimit value of
	  the header to arbitrary values. This is EXTREMELY DANGEROUS
	  since you can easily create immortal packets that loop
	  forever on the network.

config NETFILTER_XT_TARGET_LED
	tristate '"LED" target support'
	depends on LEDS_CLASS && LEDS_TRIGGERS
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `LED' target, which allows you to blink LEDs in
	  response to particular packets passing through your machine.

	  This can be used to turn a spare LED into a network activity LED,
	  which only flashes in response to FTP transfers, for example. Or
	  you could have an LED which lights up for a minute or two every time
	  somebody connects to your machine via SSH.

	  You will need support for the "led" class to make this work.

	  To create an LED trigger for incoming SSH traffic:
	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000

	  Then attach the new trigger to an LED on your system:
	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger

	  For more information on the LEDs available on your system, see
	  Documentation/leds-class.txt

config NETFILTER_XT_TARGET_MARK
	tristate '"MARK" target support'
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `MARK' target, which allows you to create rules
	  in the `mangle' table which alter the netfilter mark (nfmark) field
	  associated with the packet prior to routing. This can change
	  the routing method (see `Use netfilter MARK value as routing
	  key') and can also be used by other subsystems to change their
	  behavior.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NFLOG
	tristate '"NFLOG" target support'
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK_LOG
	help
	  This option enables the NFLOG target, which allows you to log
	  messages through nfnetlink_log.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NFQUEUE
	tristate '"NFQUEUE" target Support'
	depends on NETFILTER_ADVANCED
	help
	  This target replaced the old obsolete QUEUE target.

	  As opposed to QUEUE, it supports 65535 different queues,
	  not just one.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NOTRACK
	tristate '"NOTRACK" target support'
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  The NOTRACK target allows a select rule to specify
	  which packets *not* to enter the conntrack/NAT
	  subsystem with all the consequences (no ICMP error tracking,
	  no protocol helpers for the selected packets).

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_TARGET_RATEEST
	tristate '"RATEEST" target support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `RATEEST' target, which allows you to measure
	  rates similar to TC estimators. The `rateest' match can be
	  used to match on the measured rates.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TPROXY
	tristate '"TPROXY" target support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_TPROXY
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	select NF_DEFRAG_IPV4
	help
	  This option adds a `TPROXY' target, which is somewhat similar to
	  REDIRECT. It can only be used in the mangle table and is useful
	  to redirect traffic to a transparent proxy. It does _not_ depend
	  on Netfilter connection tracking and NAT, unlike REDIRECT.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TRACE
	tristate '"TRACE" target support'
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	help
	  The TRACE target allows you to mark packets so that the kernel
	  will log every rule which matches the packets as they traverse
	  the tables, chains, rules.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_TARGET_SECMARK
	tristate '"SECMARK" target support'
	depends on NETWORK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The SECMARK target allows security marking of network
	  packets, for use with security subsystems.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TCPMSS
	tristate '"TCPMSS" target support'
	depends on (IPV6 || IPV6=n)
	default m if NETFILTER_ADVANCED=n
	---help---
	  This option adds a `TCPMSS' target, which allows you to alter the
	  MSS value of TCP SYN packets, to control the maximum size for that
	  connection (usually limiting it to your outgoing interface's MTU
	  minus 40).

	  This is used to overcome criminally braindead ISPs or servers which
	  block ICMP Fragmentation Needed packets. The symptoms of this
	  problem are that everything works fine from your Linux
	  firewall/router, but machines behind it can never exchange large
	  packets:
	  1) Web browsers connect, then hang with no data received.
	  2) Small mail works fine, but large emails hang.
	  3) ssh works fine, but scp hangs after initial handshaking.

	  Workaround: activate this option and add a rule to your firewall
	  configuration like:

	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
	           -j TCPMSS --clamp-mss-to-pmtu

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TCPOPTSTRIP
	tristate '"TCPOPTSTRIP" target support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
	  TCP options from TCP packets.

config NETFILTER_XT_MATCH_CLUSTER
	tristate '"cluster" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	---help---
	  This option allows you to build work-load-sharing clusters of
	  network servers/stateful firewalls without having a dedicated
	  load-balancing router/server/switch. Basically, this match returns
	  true when the packet must be handled by this cluster node. Thus,
	  all nodes see all packets and this match decides which node handles
	  what packets. The work-load sharing algorithm is based on source
	  address hashing.

	  If you say Y or M here, try `iptables -m cluster --help` for
	  more information.

config NETFILTER_XT_MATCH_COMMENT
	tristate '"comment" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `comment' dummy-match, which allows you to put
	  comments in your iptables ruleset.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNBYTES
	tristate '"connbytes" per-connection counter match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CT_ACCT
	help
	  This option adds a `connbytes' match, which allows you to match the
	  number of bytes and/or packets for each direction within a connection.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNLIMIT
	tristate '"connlimit" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	---help---
	  This match allows you to match against the number of parallel
	  connections to a server per client IP address (or address block).

config NETFILTER_XT_MATCH_CONNMARK
	tristate '"connmark" connection mark match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  This option adds a `connmark' match, which allows you to match the
	  connection mark value previously set for the session by `CONNMARK'.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. The module will be called
	  ipt_connmark. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNTRACK
	tristate '"conntrack" connection tracking match support'
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  This is a general conntrack match module, a superset of the state match.

	  It allows matching on additional conntrack information, which is
	  useful in complex configurations, such as NAT gateways with multiple
	  internet links or tunnels.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_DCCP
	tristate '"dccp" protocol match support'
	depends on NETFILTER_ADVANCED
	default IP_DCCP
	help
	  With this option enabled, you will be able to use the iptables
	  `dccp' match in order to match on DCCP source/destination ports
	  and DCCP flags.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_DSCP
	tristate '"dscp" and "tos" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It will also add a "tos" match, which allows you to match packets
	  based on the Type Of Service fields of the IPv4 packet (which share
	  the same bits as DSCP).

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_ESP
	tristate '"esp" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the ESP header of IPsec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_HASHLIMIT
	tristate '"hashlimit" match support'
	depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `hashlimit' match.

	  As opposed to `limit', this match dynamically creates a hash table
	  of limit buckets, based on your selection of source/destination
	  addresses and/or ports.

	  It enables you to express policies like `10kpps for any given
	  destination address' or `500pps from any given source address'
	  with a single rule.

config NETFILTER_XT_MATCH_HELPER
	tristate '"helper" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack-helper, i.e. ip_conntrack_ftp

	  To compile it as a module, choose M here. If unsure, say Y.

config NETFILTER_XT_MATCH_HL
	tristate '"hl" hoplimit/TTL match support'
	depends on NETFILTER_ADVANCED
	---help---
	  HL matching allows you to match packets based on the hoplimit
	  in the IPv6 header, or the time-to-live field in the IPv4
	  header of the packet.

config NETFILTER_XT_MATCH_IPRANGE
	tristate '"iprange" address range match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an "iprange" match, which allows you to match based on
	  an IP address range. (Normal iptables only matches on single addresses
	  with an optional mask.)

	  If unsure, say M.

config NETFILTER_XT_MATCH_LENGTH
	tristate '"length" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_LIMIT
	tristate '"limit" match support'
	depends on NETFILTER_ADVANCED
	help
	  Limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", below) and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MAC
	tristate '"mac" address match support'
	depends on NETFILTER_ADVANCED
	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MARK
	tristate '"mark" match support'
	default m if NETFILTER_ADVANCED=n
	help
	  Netfilter mark matching allows you to match packets based on the
	  `nfmark' value in the packet. This can be set by the MARK target
	  (see below).

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MULTIPORT
	tristate '"multiport" Multiple port match support'
	depends on NETFILTER_ADVANCED
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_OWNER
	tristate '"owner" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  Socket owner matching allows you to match locally-generated packets
	  based on who created the socket: the user or group. It is also
	  possible to check whether a socket actually exists.

config NETFILTER_XT_MATCH_POLICY
	tristate 'IPsec "policy" match support'
	depends on XFRM
	default m if NETFILTER_ADVANCED=n
	help
	  Policy matching allows you to match packets based on the
	  IPsec policy that was used during decapsulation/will
	  be used during encapsulation.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_PHYSDEV
	tristate '"physdev" match support'
	depends on BRIDGE && BRIDGE_NETFILTER
	depends on NETFILTER_ADVANCED
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_PKTTYPE
	tristate '"pkttype" packet type match support'
	depends on NETFILTER_ADVANCED
	help
	  Packet type matching allows you to match a packet by
	  its "class", e.g. BROADCAST, MULTICAST, ...

	  Typical usage:
	    iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_QUOTA
	tristate '"quota" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `quota' match, which allows you to match on a
	  byte counter.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_RATEEST
	tristate '"rateest" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_RATEEST
	help
	  This option adds a `rateest' match, which allows you to match on the
	  rate estimated by the RATEEST target.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_REALM
	tristate '"realm" match support'
	depends on NETFILTER_ADVANCED
	select NET_CLS_ROUTE
	help
	  This option adds a `realm' match, which allows you to use the realm
	  key from the routing subsystem inside iptables.

	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
824 | in tc world. |
825 | |
826 | If you want to compile it as a module, say M here and read |
827 | <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. |
828 | |
829 | config NETFILTER_XT_MATCH_RECENT |
830 | tristate '"recent" match support' |
831 | depends on NETFILTER_ADVANCED |
832 | ---help--- |
833 | This match is used for creating one or many lists of recently |
834 | used addresses and then matching against that/those list(s). |
835 | |
836 | Short options are available by using 'iptables -m recent -h' |
837 | Official Website: <http://snowman.net/projects/ipt_recent/> |
838 | |
839 | config NETFILTER_XT_MATCH_RECENT_PROC_COMPAT |
840 | bool 'Enable obsolete /proc/net/ipt_recent' |
841 | depends on NETFILTER_XT_MATCH_RECENT && PROC_FS |
842 | ---help--- |
843 | This option enables the old /proc/net/ipt_recent interface, |
844 | which has been obsoleted by /proc/net/xt_recent. |
845 | |
846 | config NETFILTER_XT_MATCH_SCTP |
847 | tristate '"sctp" protocol match support (EXPERIMENTAL)' |
848 | depends on EXPERIMENTAL |
849 | depends on NETFILTER_ADVANCED |
850 | default IP_SCTP |
851 | help |
852 | With this option enabled, you will be able to use the |
853 | `sctp' match in order to match on SCTP source/destination ports |
854 | and SCTP chunk types. |
855 | |
856 | If you want to compile it as a module, say M here and read |
857 | <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. |
858 | |
859 | config NETFILTER_XT_MATCH_SOCKET |
860 | tristate '"socket" match support (EXPERIMENTAL)' |
861 | depends on EXPERIMENTAL |
862 | depends on NETFILTER_TPROXY |
863 | depends on NETFILTER_XTABLES |
864 | depends on NETFILTER_ADVANCED |
865 | depends on !NF_CONNTRACK || NF_CONNTRACK |
866 | select NF_DEFRAG_IPV4 |
867 | help |
868 | This option adds a `socket' match, which can be used to match |
869 | packets for which a TCP or UDP socket lookup finds a valid socket. |
870 | It can be used in combination with the MARK target and policy |
871 | routing to implement full featured non-locally bound sockets. |
872 | |
873 | To compile it as a module, choose M here. If unsure, say N. |
874 | |
875 | config NETFILTER_XT_MATCH_STATE |
876 | tristate '"state" match support' |
877 | depends on NF_CONNTRACK |
878 | default m if NETFILTER_ADVANCED=n |
879 | help |
880 | Connection state matching allows you to match packets based on their |
881 | relationship to a tracked connection (ie. previous packets). This |
882 | is a powerful tool for packet classification. |
883 | |
884 | To compile it as a module, choose M here. If unsure, say N. |
885 | |
886 | config NETFILTER_XT_MATCH_STATISTIC |
887 | tristate '"statistic" match support' |
888 | depends on NETFILTER_ADVANCED |
889 | help |
890 | This option adds a `statistic' match, which allows you to match |
891 | on packets periodically or randomly with a given percentage. |
892 | |
893 | To compile it as a module, choose M here. If unsure, say N. |
894 | |
895 | config NETFILTER_XT_MATCH_STRING |
896 | tristate '"string" match support' |
897 | depends on NETFILTER_ADVANCED |
898 | select TEXTSEARCH |
899 | select TEXTSEARCH_KMP |
900 | select TEXTSEARCH_BM |
901 | select TEXTSEARCH_FSM |
902 | help |
903 | This option adds a `string' match, which allows you to look for |
904 | pattern matchings in packets. |
905 | |
906 | To compile it as a module, choose M here. If unsure, say N. |
907 | |
908 | config NETFILTER_XT_MATCH_TCPMSS |
909 | tristate '"tcpmss" match support' |
910 | depends on NETFILTER_ADVANCED |
911 | help |
912 | This option adds a `tcpmss' match, which allows you to examine the |
913 | MSS value of TCP SYN packets, which control the maximum packet size |
914 | for that connection. |
915 | |
916 | To compile it as a module, choose M here. If unsure, say N. |
917 | |
918 | config NETFILTER_XT_MATCH_TIME |
919 | tristate '"time" match support' |
920 | depends on NETFILTER_ADVANCED |
921 | ---help--- |
922 | This option adds a "time" match, which allows you to match based on |
923 | the packet arrival time (at the machine which netfilter is running) |
924 | on) or departure time/date (for locally generated packets). |
925 | |
926 | If you say Y here, try `iptables -m time --help` for |
927 | more information. |
928 | |
929 | If you want to compile it as a module, say M here. |
930 | If unsure, say N. |
931 | |
932 | config NETFILTER_XT_MATCH_U32 |
933 | tristate '"u32" match support' |
934 | depends on NETFILTER_ADVANCED |
935 | ---help--- |
936 | u32 allows you to extract quantities of up to 4 bytes from a packet, |
937 | AND them with specified masks, shift them by specified amounts and |
938 | test whether the results are in any of a set of specified ranges. |
939 | The specification of what to extract is general enough to skip over |
940 | headers with lengths stored in the packet, as in IP or TCP header |
941 | lengths. |
942 | |
943 | Details and examples are in the kernel module source. |
944 | |
945 | config NETFILTER_XT_MATCH_OSF |
946 | tristate '"osf" Passive OS fingerprint match' |
947 | depends on NETFILTER_ADVANCED && NETFILTER_NETLINK |
948 | help |
949 | This option selects the Passive OS Fingerprinting match module |
950 | that allows to passively match the remote operating system by |
951 | analyzing incoming TCP SYN packets. |
952 | |
953 | Rules and loading software can be downloaded from |
954 | http://www.ioremap.net/projects/osf |
955 | |
956 | To compile it as a module, choose M here. If unsure, say N. |
957 | |
958 | endif # NETFILTER_XTABLES |
959 | |
960 | endmenu |
961 | |
962 | source "net/netfilter/ipvs/Kconfig" |
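The `u32` help text above describes an extract/mask/shift/compare pipeline that can follow length fields stored in the packet. The following is an added example, not code from the kernel or from iptables: a small Python re-implementation of that matching loop (modelled on the algorithm in net/netfilter/xt_u32.c) together with a parser for the user-space expression grammar (a start offset, the operators `&`, `<<`, `>>` and `@`, then `=` and a comma-separated list of values or `lo:hi` ranges; several tests joined with `&&`; numbers decimal or `0x` hex). It lets an administrator check offline what a rule such as `--u32 "0>>22&0x3C@0&0xFFFF=22"` would select before loading it. The packet it runs against is constructed inline; the helper names are this example's own.

```python
"""Offline evaluator for the iptables ``u32`` match expression language.

Added example, not kernel or iptables code. It mirrors the per-test loop of
net/netfilter/xt_u32.c: read 4 big-endian bytes at the start offset, apply
the operators left to right, and succeed when the result falls in any of
the listed ranges. A read that would run past the end of the packet is a
non-match, as in the kernel.
"""
import re
import struct

_TOKEN = re.compile(r"0x[0-9A-Fa-f]+|\d+|<<|>>|[&@=:,]")
_NUMBER = re.compile(r"0x[0-9A-Fa-f]+|\d+")


def _tokenize(test):
    tokens = _TOKEN.findall(test)
    if "".join(tokens) != test:
        raise ValueError("unsupported character in u32 test %r" % test)
    return tokens


def _number(toks, i, test):
    """Return int(toks[i]) or raise ValueError when no number is there."""
    if i >= len(toks) or not _NUMBER.fullmatch(toks[i]):
        raise ValueError("expected a number at token %d in %r" % (i, test))
    return int(toks[i], 0)


def parse_u32(expr):
    """Parse into [(start, [(op, number), ...], [(lo, hi), ...]), ...]."""
    tests = []
    for test in expr.replace(" ", "").split("&&"):
        toks = _tokenize(test)
        start, i, ops = _number(toks, 0, test), 1, []
        while i < len(toks) and toks[i] in ("&", "<<", ">>", "@"):
            ops.append((toks[i], _number(toks, i + 1, test)))
            i += 2
        if i >= len(toks) or toks[i] != "=":
            raise ValueError("u32 test is missing '=value[,value...]': %r" % test)
        i += 1
        ranges = []
        while i < len(toks):
            lo = hi = _number(toks, i, test)
            i += 1
            if i < len(toks) and toks[i] == ":":
                hi = _number(toks, i + 1, test)
                i += 2
            ranges.append((lo, hi))
            if i < len(toks):
                if toks[i] != ",":
                    raise ValueError("expected ',' between values in %r" % test)
                i += 1
        if not ranges:
            raise ValueError("u32 test has no values to compare: %r" % test)
        tests.append((start, ops, ranges))
    return tests


def _read32(pkt, offset):
    """Big-endian 32-bit read, or None when fewer than 4 bytes remain."""
    if offset < 0 or offset + 4 > len(pkt):
        return None
    return struct.unpack_from("!I", pkt, offset)[0]


def u32_match(pkt, expr):
    """True when every '&&'-joined test of expr matches the packet bytes."""
    for start, ops, ranges in parse_u32(expr):
        base = 0                      # '@' advances this relative base offset
        val = _read32(pkt, start)
        if val is None:
            return False
        for op, num in ops:
            if op == "&":
                val &= num
            elif op == "<<":
                val = (val << num) & 0xFFFFFFFF   # keep 32-bit semantics
            elif op == ">>":
                val >>= num
            else:  # "@": base += current value, then fetch 4 bytes at base + num
                base += val
                val = _read32(pkt, base + num)
                if val is None:
                    return False
        if not any(lo <= val <= hi for lo, hi in ranges):
            return False
    return True


def build_ipv4_tcp_syn(sport=40000, dport=22):
    """Constructed sample: 20-byte IPv4 header (IHL=5, proto 6) + 20-byte TCP SYN."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    pkt = build_ipv4_tcp_syn()
    # "0>>22&0x3C" turns the IHL nibble into the IP header length in bytes, so
    # "@0" lands on the TCP header even when IP options are present.
    for rule in ("6&0xFF=6", "0>>22&0x3C@0&0xFFFF=22",
                 "0>>22&0x3C@12&0x3F0000=0x20000", "37=0"):
        print("%-34s %s" % (rule, u32_match(pkt, rule)))
```

The second rule in the demo shows the point the help text makes about header lengths: `0>>22&0x3C` computes the IPv4 header length from the IHL field, and `@0` re-bases the next read on it, so the destination-port test stays correct whether or not IP options are present. The bounds checks in `_read32` matter when auditing rules: a test whose read would fall past the end of a short packet is a non-match rather than an error, so a rule that only looks deep into the packet silently lets short packets through unless another rule covers them.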