Root/net/netfilter/Kconfig

menu "Core Netfilter Configuration"
    depends on NET && INET && NETFILTER

config NETFILTER_NETLINK
    tristate

config NETFILTER_NETLINK_QUEUE
    tristate "Netfilter NFQUEUE over NFNETLINK interface"
    depends on NETFILTER_ADVANCED
    select NETFILTER_NETLINK
    help
      If this option is enabled, the kernel will include support
      for queueing packets via NFNETLINK.

config NETFILTER_NETLINK_LOG
    tristate "Netfilter LOG over NFNETLINK interface"
    default m if NETFILTER_ADVANCED=n
    select NETFILTER_NETLINK
    help
      If this option is enabled, the kernel will include support
      for logging packets via NFNETLINK.

      This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
      and is also scheduled to replace the old syslog-based ipt_LOG
      and ip6t_LOG modules.

config NF_CONNTRACK
    tristate "Netfilter connection tracking support"
    default m if NETFILTER_ADVANCED=n
    help
      Connection tracking keeps a record of what packets have passed
      through your machine, in order to figure out how they are related
      to each other as connections.

      This is required to do Masquerading or other kinds of Network
      Address Translation. It can also be used to enhance packet
      filtering (see `Connection state match support' below).

      To compile it as a module, choose M here. If unsure, say N.

if NF_CONNTRACK

config NF_CT_ACCT
    bool "Connection tracking flow accounting"
    depends on NETFILTER_ADVANCED
    help
      If this option is enabled, the connection tracking code will
      keep per-flow packet and byte counters.

      Those counters can be used for flow-based accounting or the
      `connbytes' match.

      Please note that currently this option only sets a default state.
      You may change it at boot time with the nf_conntrack.acct=0/1 kernel
      parameter or by loading the nf_conntrack module with acct=0/1.

      You may also disable/enable it on a running system with:
       sysctl net.netfilter.nf_conntrack_acct=0/1

      This option will be removed in 2.6.29.

      If unsure, say `N'.

config NF_CONNTRACK_MARK
    bool 'Connection mark tracking support'
    depends on NETFILTER_ADVANCED
    help
      This option enables support for connection marks, used by the
      `CONNMARK' target and `connmark' match. Similar to the mark value
      of packets, but this mark value is kept in the conntrack session
      instead of the individual packets.

config NF_CONNTRACK_SECMARK
    bool 'Connection tracking security mark support'
    depends on NETWORK_SECMARK
    default m if NETFILTER_ADVANCED=n
    help
      This option enables security markings to be applied to
      connections. Typically they are copied to connections from
      packets using the CONNSECMARK target and copied back from
      connections to packets with the same target, with the packets
      being originally labeled via SECMARK.

      If unsure, say 'N'.

config NF_CONNTRACK_ZONES
    bool 'Connection tracking zones'
    depends on NETFILTER_ADVANCED
    depends on NETFILTER_XT_TARGET_CT
    help
      This option enables support for connection tracking zones.
      Normally, each connection needs to have a unique system wide
      identity. Connection tracking zones allow multiple connections
      to use the same identity, as long as they are contained in
      different zones.

      If unsure, say `N'.
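As an added illustration written for this page (it is not kernel code), the Python model below shows what the NF_CONNTRACK and NF_CONNTRACK_ZONES help texts describe: packets are related to a connection by their 5-tuple, the reply direction is found by reversing that tuple, and a zone is an extra key component so that two connections with an identical tuple can coexist (for example two customer networks that both use the same private range behind different interfaces, each assigned a zone with the CT target's `--zone` option). The tuple layout, the NEW/ESTABLISHED state names and the integer zone are this example's own simplifications; the real code also keeps per-protocol state machines and timeouts that are not modelled here.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Simplified flow key: (saddr, daddr, sport, dport, l4proto). The real code
# also keys on the L3 protocol and per-protocol details; this is a model only.
Tuple5 = Tuple[str, str, int, int, int]


def reverse(t: Tuple5) -> Tuple5:
    """Reply direction: same endpoints, swapped."""
    saddr, daddr, sport, dport, proto = t
    return (daddr, saddr, dport, sport, proto)


@dataclass
class Conn:
    orig: Tuple5
    state: str = "NEW"      # becomes ESTABLISHED once a reply is seen
    packets: int = 0        # original-direction packets
    replies: int = 0        # reply-direction packets


class ConntrackTable:
    """Both directions of a flow map to one Conn; the zone is part of the key."""

    def __init__(self) -> None:
        self._table: Dict[Tuple[int, Tuple5], Conn] = {}

    def lookup(self, pkt: Tuple5, zone: int = 0) -> Tuple[Optional[Conn], bool]:
        """Return (conn, is_reply); (None, False) when the packet is unknown."""
        conn = self._table.get((zone, pkt))
        if conn is None:
            return None, False
        return conn, pkt != conn.orig      # True when pkt travels in the reply direction

    def process(self, pkt: Tuple5, zone: int = 0) -> str:
        """Classify a packet as NEW/ESTABLISHED (the state the `state` match sees)."""
        conn, is_reply = self.lookup(pkt, zone)
        if conn is None:
            conn = Conn(orig=pkt, packets=1)
            # Store under both directions so the reply finds the same entry.
            self._table[(zone, pkt)] = conn
            self._table[(zone, reverse(pkt))] = conn
            return "NEW"
        if is_reply:
            conn.replies += 1
            conn.state = "ESTABLISHED"
        else:
            conn.packets += 1
        return conn.state

    def count(self) -> int:
        """Number of distinct tracked connections (each is stored under two keys)."""
        return len({id(c) for c in self._table.values()})
```

Without zones, a second client behind a different interface that happens to use the same source address and port would collide with the first connection's entry; with the zone in the key, `process(syn, zone=1)` creates a separate connection even though the tuple is identical.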

config NF_CONNTRACK_EVENTS
    bool "Connection tracking events"
    depends on NETFILTER_ADVANCED
    help
      If this option is enabled, the connection tracking code will
      provide a notifier chain that can be used by other kernel code
      to get notified about changes in the connection tracking state.

      If unsure, say `N'.

config NF_CT_PROTO_DCCP
    tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)'
    depends on EXPERIMENTAL
    depends on NETFILTER_ADVANCED
    default IP_DCCP
    help
      With this option enabled, the layer 3 independent connection
      tracking code will be able to do state tracking on DCCP connections.

      If unsure, say 'N'.

config NF_CT_PROTO_GRE
    tristate

config NF_CT_PROTO_SCTP
    tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
    depends on EXPERIMENTAL
    depends on NETFILTER_ADVANCED
    default IP_SCTP
    help
      With this option enabled, the layer 3 independent connection
      tracking code will be able to do state tracking on SCTP connections.

      If you want to compile it as a module, say M here and read
      <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NF_CT_PROTO_UDPLITE
    tristate 'UDP-Lite protocol connection tracking support'
    depends on NETFILTER_ADVANCED
    help
      With this option enabled, the layer 3 independent connection
      tracking code will be able to do state tracking on UDP-Lite
      connections.

      To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_AMANDA
    tristate "Amanda backup protocol support"
    depends on NETFILTER_ADVANCED
    select TEXTSEARCH
    select TEXTSEARCH_KMP
    help
      If you are running the Amanda backup package <http://www.amanda.org/>
      on this machine or machines that will be MASQUERADED through this
      machine, then you may want to enable this feature. This allows the
      connection tracking and NAT code to allow the sub-channels that
      Amanda requires for communication of the backup data, messages and
      index.

      To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_FTP
    tristate "FTP protocol support"
    default m if NETFILTER_ADVANCED=n
    help
      Tracking FTP connections is problematic: special helpers are
      required for tracking them, and doing masquerading and other forms
      of Network Address Translation on them.

      This is FTP support on Layer 3 independent connection tracking.
      Layer 3 independent connection tracking is an experimental scheme
      which generalizes ip_conntrack to support other layer 3 protocols.

      To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_H323
    tristate "H.323 protocol support"
    depends on (IPV6 || IPV6=n)
    depends on NETFILTER_ADVANCED
    help
      H.323 is a VoIP signalling protocol from ITU-T. As one of the most
      important VoIP protocols, it is widely used by voice hardware and
      software including voice gateways, IP phones, Netmeeting, OpenPhone,
      Gnomemeeting, etc.

      With this module you can support H.323 on a connection tracking/NAT
      firewall.

      This module supports RAS, Fast Start, H.245 Tunnelling, Call
      Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
      whiteboard, file transfer, etc. For more information, please
      visit http://nath323.sourceforge.net/.

      To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_IRC
    tristate "IRC protocol support"
    default m if NETFILTER_ADVANCED=n
    help
      There is a commonly-used extension to IRC called
      Direct Client-to-Client Protocol (DCC). This enables users to send
      files to each other, and also chat to each other without the need
      of a server. DCC Sending is used anywhere you send files over IRC,
      and DCC Chat is most commonly used by Eggdrop bots. If you are
      using NAT, this extension will enable you to send files and initiate
      chats. Note that you do NOT need this extension to get files or
      have others initiate chats, or everything else in IRC.

      To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_NETBIOS_NS
    tristate "NetBIOS name service protocol support"
    depends on NETFILTER_ADVANCED
    help
      NetBIOS name service requests are sent as broadcast messages from an
      unprivileged port and responded to with unicast messages to the
      same port. This makes them hard to firewall properly because connection
      tracking doesn't deal with broadcasts. This helper tracks locally
      originating NetBIOS name service requests and the corresponding
      responses. It relies on correct IP address configuration, specifically
      netmask and broadcast address. When properly configured, the output
      of "ip address show" should look similar to this:

      $ ip -4 address show eth0
      4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
          inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0

      To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_PPTP
    tristate "PPTP protocol support"
    depends on NETFILTER_ADVANCED
    select NF_CT_PROTO_GRE
    help
      This module adds support for PPTP (Point to Point Tunnelling
      Protocol, RFC2637) connection tracking and NAT.

      If you are running PPTP sessions over a stateful firewall or NAT
      box, you may want to enable this feature.

      Please note that not all PPTP modes of operation are supported yet.
      Specifically these limitations exist:
        - Blindly assumes that control connections are always established
          in PNS->PAC direction. This is a violation of RFC2637.
        - Only supports a single call within each session

      To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SANE
    tristate "SANE protocol support (EXPERIMENTAL)"
    depends on EXPERIMENTAL
    depends on NETFILTER_ADVANCED
    help
      SANE is a protocol for remote access to scanners as implemented
      by the 'saned' daemon. Like FTP, it uses separate control and
      data connections.

      With this module you can support SANE on a connection tracking
      firewall.

      To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SIP
    tristate "SIP protocol support"
    default m if NETFILTER_ADVANCED=n
    help
      SIP is an application-layer control protocol that can establish,
      modify, and terminate multimedia sessions (conferences) such as
      Internet telephony calls. With the ip_conntrack_sip and
      the nf_nat_sip modules you can support the protocol on a connection
      tracking/NATing firewall.

      To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_TFTP
    tristate "TFTP protocol support"
    depends on NETFILTER_ADVANCED
    help
      TFTP connection tracking helper; whether it is required depends
      on how restrictive your ruleset is.
      If you are using a tftp client behind -j SNAT or -j MASQUERADE
      you will need this.

      To compile it as a module, choose M here. If unsure, say N.

config NF_CT_NETLINK
    tristate 'Connection tracking netlink interface'
    select NETFILTER_NETLINK
    default m if NETFILTER_ADVANCED=n
    help
      This option enables support for a netlink-based userspace interface.

endif # NF_CONNTRACK

# transparent proxy support
config NETFILTER_TPROXY
    tristate "Transparent proxying support (EXPERIMENTAL)"
    depends on EXPERIMENTAL
    depends on IP_NF_MANGLE
    depends on NETFILTER_ADVANCED
    help
      This option enables transparent proxying support, that is,
      support for handling non-locally bound IPv4 TCP and UDP sockets.
      For it to work you will have to configure certain iptables rules
      and use policy routing. For more information on how to set it up
      see Documentation/networking/tproxy.txt.

      To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XTABLES
    tristate "Netfilter Xtables support (required for ip_tables)"
    default m if NETFILTER_ADVANCED=n
    help
      This is required if you intend to use any of ip_tables,
      ip6_tables or arp_tables.

if NETFILTER_XTABLES

# alphabetically ordered list of targets

config NETFILTER_XT_TARGET_CLASSIFY
    tristate '"CLASSIFY" target support'
    depends on NETFILTER_ADVANCED
    help
      This option adds a `CLASSIFY' target, which enables the user to set
      the priority of a packet. Some qdiscs can use this value for
      classification, among these are:

        atm, cbq, dsmark, pfifo_fast, htb, prio

      To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CONNMARK
    tristate '"CONNMARK" target support'
    depends on NF_CONNTRACK
    depends on NETFILTER_ADVANCED
    select NF_CONNTRACK_MARK
    help
      This option adds a `CONNMARK' target, which allows one to manipulate
      the connection mark value. Similar to the MARK target, but
      affects the connection mark value rather than the packet mark value.

      If you want to compile it as a module, say M here and read
      <file:Documentation/kbuild/modules.txt>. The module will be called
      ipt_CONNMARK. If unsure, say `N'.

config NETFILTER_XT_TARGET_CONNSECMARK
    tristate '"CONNSECMARK" target support'
    depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
    default m if NETFILTER_ADVANCED=n
    help
      The CONNSECMARK target copies security markings from packets
      to connections, and restores security markings from connections
      to packets (if the packets are not already marked). This would
      normally be used in conjunction with the SECMARK target.

      To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CT
    tristate '"CT" target support'
    depends on NF_CONNTRACK
    depends on IP_NF_RAW || IP6_NF_RAW
    depends on NETFILTER_ADVANCED
    help
      This option adds a `CT' target, which allows you to specify initial
      connection tracking parameters like events to be delivered and
      the helper to be used.

      To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_DSCP
    tristate '"DSCP" and "TOS" target support'
    depends on IP_NF_MANGLE || IP6_NF_MANGLE
    depends on NETFILTER_ADVANCED
    help
      This option adds a `DSCP' target, which allows you to manipulate
      the IPv4/IPv6 header DSCP field (differentiated services codepoint).

      The DSCP field can have any value between 0x0 and 0x3f inclusive.

      It also adds the "TOS" target, which allows you to create rules in
      the "mangle" table which alter the Type Of Service field of an IPv4
      or the Priority field of an IPv6 packet, prior to routing.

      To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_HL
    tristate '"HL" hoplimit target support'
    depends on IP_NF_MANGLE || IP6_NF_MANGLE
    depends on NETFILTER_ADVANCED
    ---help---
    This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
    targets, which enable the user to change the
    hoplimit/time-to-live value of the IP header.

    While it is safe to decrement the hoplimit/TTL value, the
    modules also allow you to increment and set the hoplimit value of
    the header to arbitrary values. This is EXTREMELY DANGEROUS
    since you can easily create immortal packets that loop
    forever on the network.

config NETFILTER_XT_TARGET_LED
    tristate '"LED" target support'
    depends on LEDS_CLASS && LEDS_TRIGGERS
    depends on NETFILTER_ADVANCED
    help
      This option adds a `LED' target, which allows you to blink LEDs in
      response to particular packets passing through your machine.

      This can be used to turn a spare LED into a network activity LED,
      which only flashes in response to FTP transfers, for example. Or
      you could have an LED which lights up for a minute or two every time
      somebody connects to your machine via SSH.

      You will need support for the "led" class to make this work.

      To create an LED trigger for incoming SSH traffic:
        iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000

      Then attach the new trigger to an LED on your system:
        echo netfilter-ssh > /sys/class/leds/<ledname>/trigger

      For more information on the LEDs available on your system, see
      Documentation/leds-class.txt

config NETFILTER_XT_TARGET_MARK
    tristate '"MARK" target support'
    default m if NETFILTER_ADVANCED=n
    help
      This option adds a `MARK' target, which allows you to create rules
      in the `mangle' table which alter the netfilter mark (nfmark) field
      associated with the packet prior to routing. This can change
      the routing method (see `Use netfilter MARK value as routing
      key') and can also be used by other subsystems to change their
      behavior.

      To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NFLOG
    tristate '"NFLOG" target support'
    default m if NETFILTER_ADVANCED=n
    select NETFILTER_NETLINK_LOG
    help
      This option enables the NFLOG target, which allows you to log
      messages through nfnetlink_log.

      To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NFQUEUE
    tristate '"NFQUEUE" target support'
    depends on NETFILTER_ADVANCED
    help
      This target replaced the old obsolete QUEUE target.

      As opposed to QUEUE, it supports 65535 different queues,
      not just one.

      To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NOTRACK
    tristate '"NOTRACK" target support'
    depends on IP_NF_RAW || IP6_NF_RAW
    depends on NF_CONNTRACK
    depends on NETFILTER_ADVANCED
    help
      The NOTRACK target allows a selected rule to specify which
      packets should *not* enter the conntrack/NAT subsystem, with
      all the consequences (no ICMP error tracking, no protocol
      helpers for the selected packets).

      If you want to compile it as a module, say M here and read
      <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_TARGET_RATEEST
    tristate '"RATEEST" target support'
    depends on NETFILTER_ADVANCED
    help
      This option adds a `RATEEST' target, which allows you to measure
      rates similar to TC estimators. The `rateest' match can be
      used to match on the measured rates.

      To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TPROXY
    tristate '"TPROXY" target support (EXPERIMENTAL)'
    depends on EXPERIMENTAL
    depends on NETFILTER_TPROXY
    depends on NETFILTER_XTABLES
    depends on NETFILTER_ADVANCED
    select NF_DEFRAG_IPV4
    help
      This option adds a `TPROXY' target, which is somewhat similar to
      REDIRECT. It can only be used in the mangle table and is useful
      to redirect traffic to a transparent proxy. It does _not_ depend
      on Netfilter connection tracking and NAT, unlike REDIRECT.

      To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TRACE
    tristate '"TRACE" target support'
    depends on IP_NF_RAW || IP6_NF_RAW
    depends on NETFILTER_ADVANCED
    help
      The TRACE target allows you to mark packets so that the kernel
      will log every rule which matches the packets as they traverse
      the tables, chains and rules.

      If you want to compile it as a module, say M here and read
      <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_TARGET_SECMARK
    tristate '"SECMARK" target support'
    depends on NETWORK_SECMARK
    default m if NETFILTER_ADVANCED=n
    help
      The SECMARK target allows security marking of network
      packets, for use with security subsystems.

      To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TCPMSS
    tristate '"TCPMSS" target support'
    depends on (IPV6 || IPV6=n)
    default m if NETFILTER_ADVANCED=n
    ---help---
      This option adds a `TCPMSS' target, which allows you to alter the
      MSS value of TCP SYN packets, to control the maximum size for that
      connection (usually limiting it to your outgoing interface's MTU
      minus 40).

      This is used to overcome criminally braindead ISPs or servers which
      block ICMP Fragmentation Needed packets. The symptoms of this
      problem are that everything works fine from your Linux
      firewall/router, but machines behind it can never exchange large
      packets:
            1) Web browsers connect, then hang with no data received.
            2) Small mail works fine, but large emails hang.
            3) ssh works fine, but scp hangs after initial handshaking.

      Workaround: activate this option and add a rule to your firewall
      configuration like:

      iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
                     -j TCPMSS --clamp-mss-to-pmtu

      To compile it as a module, choose M here. If unsure, say N.
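What `--clamp-mss-to-pmtu` does to a SYN, as an added Python example written for this page (it is not the kernel's xt_TCPMSS code): the example builds a constructed IPv4/TCP SYN carrying an MSS option, rewrites the option when it exceeds MTU minus 40, and recomputes the TCP checksum over the pseudo-header so the segment stays valid. The sample addresses, ports and the 1400-byte MTU are constructed values; the real target takes the MTU from the route and also handles IPv6 (MTU minus 60), which is not modelled here.

```python
import socket
import struct
from typing import Optional, Tuple

TCP_PROTO = 6


def csum16(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(pkt: bytes) -> int:
    """TCP checksum over pseudo-header + segment, computed with the checksum field zeroed."""
    ihl = (pkt[0] & 0x0F) * 4
    seg = bytearray(pkt[ihl:])
    seg[16:18] = b"\x00\x00"
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, TCP_PROTO, len(seg))
    return csum16(pseudo + bytes(seg))


def tcp_checksum_ok(pkt: bytes) -> bool:
    """A correct checksum makes the one's-complement sum over everything come out as zero."""
    ihl = (pkt[0] & 0x0F) * 4
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, TCP_PROTO, len(pkt) - ihl)
    return csum16(pseudo + pkt[ihl:]) == 0


def build_syn(src: str, dst: str, sport: int, dport: int, mss: int) -> bytes:
    """Constructed IPv4 SYN with options: MSS, NOP, NOP, SACK-permitted."""
    opts = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01" + b"\x04\x02"
    doff = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0, doff << 4, 0x02,
                      65535, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, TCP_PROTO, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", csum16(ip)) + ip[12:]
    pkt = bytearray(ip + tcp)
    struct.pack_into("!H", pkt, 20 + 16, tcp_checksum(bytes(pkt)))
    return bytes(pkt)


def mss_option_offset(pkt: bytes) -> Optional[int]:
    """Byte offset of the 16-bit MSS value in a SYN's option list, or None."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != TCP_PROTO or not (pkt[ihl + 13] & 0x02):   # only SYNs carry MSS
        return None
    i, end = ihl + 20, ihl + (pkt[ihl + 12] >> 4) * 4
    while i < end:
        kind = pkt[i]
        if kind == 0:                        # end of option list
            return None
        if kind == 1:                        # NOP has no length byte
            i += 1
            continue
        if i + 1 >= end or pkt[i + 1] < 2:   # truncated or malformed option
            return None
        if kind == 2 and pkt[i + 1] == 4 and i + 4 <= end:
            return i + 2
        i += pkt[i + 1]
    return None


def read_mss(pkt: bytes) -> Optional[int]:
    off = mss_option_offset(pkt)
    return None if off is None else struct.unpack_from("!H", pkt, off)[0]


def clamp_mss(pkt: bytes, mtu: int) -> Tuple[bytes, Optional[int]]:
    """Rewrite the MSS so it never exceeds mtu - 40 (IPv4 + TCP headers).
    Returns (packet, new_mss) with new_mss None when nothing was changed."""
    off = mss_option_offset(pkt)
    if off is None:
        return pkt, None
    limit = mtu - 40
    if struct.unpack_from("!H", pkt, off)[0] <= limit:
        return pkt, None
    buf = bytearray(pkt)
    struct.pack_into("!H", buf, off, limit)
    ihl = (buf[0] & 0x0F) * 4
    struct.pack_into("!H", buf, ihl + 16, tcp_checksum(bytes(buf)))   # keep the segment valid
    return bytes(buf), limit
```

The option walk stops at a malformed or truncated option rather than reading past the header, which is the same caution a packet-mangling target needs; a SYN whose MSS is already at or below the limit passes through unchanged.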

config NETFILTER_XT_TARGET_TCPOPTSTRIP
    tristate '"TCPOPTSTRIP" target support (EXPERIMENTAL)'
    depends on EXPERIMENTAL
    depends on IP_NF_MANGLE || IP6_NF_MANGLE
    depends on NETFILTER_ADVANCED
    help
      This option adds a "TCPOPTSTRIP" target, which allows you to strip
      TCP options from TCP packets.

config NETFILTER_XT_MATCH_CLUSTER
    tristate '"cluster" match support'
    depends on NF_CONNTRACK
    depends on NETFILTER_ADVANCED
    ---help---
      This option allows you to build work-load-sharing clusters of
      network servers/stateful firewalls without having a dedicated
      load-balancing router/server/switch. Basically, this match returns
      true when the packet must be handled by this cluster node. Thus,
      all nodes see all packets and this match decides which node handles
      what packets. The work-load sharing algorithm is based on source
      address hashing.

      If you say Y or M here, try `iptables -m cluster --help` for
      more information.

config NETFILTER_XT_MATCH_COMMENT
    tristate '"comment" match support'
    depends on NETFILTER_ADVANCED
    help
      This option adds a `comment' dummy-match, which allows you to put
      comments in your iptables ruleset.

      If you want to compile it as a module, say M here and read
      <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNBYTES
    tristate '"connbytes" per-connection counter match support'
    depends on NF_CONNTRACK
    depends on NETFILTER_ADVANCED
    select NF_CT_ACCT
    help
      This option adds a `connbytes' match, which allows you to match the
      number of bytes and/or packets for each direction within a connection.

      If you want to compile it as a module, say M here and read
      <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNLIMIT
    tristate '"connlimit" match support'
    depends on NF_CONNTRACK
    depends on NETFILTER_ADVANCED
    ---help---
      This match allows you to match against the number of parallel
      connections to a server per client IP address (or address block).
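An added Python model (written for this page, not the kernel's xt_connlimit code) of the counting rule behind `--connlimit-above`: open connections to the server port are counted per client address or, with `--connlimit-mask`, per client address block, and the connection being evaluated counts along with those already tracked. The conntrack snapshot, the prefix lengths and the thresholds below are constructed values; the set of TCP states treated as "still open" is this model's choice (the kernel likewise skips entries that are already closing).

```python
import ipaddress
from collections import Counter
from typing import Iterable, Tuple

# Constructed conntrack snapshot: (saddr, daddr, sport, dport, tcp_state)
Entry = Tuple[str, str, int, int, str]
SAMPLE_CONNTRACK: Tuple[Entry, ...] = (
    ("203.0.113.7",  "192.0.2.10", 51000, 22,  "ESTABLISHED"),
    ("203.0.113.9",  "192.0.2.10", 51001, 22,  "ESTABLISHED"),
    ("203.0.113.20", "192.0.2.10", 51002, 22,  "SYN_SENT"),
    ("203.0.113.20", "192.0.2.10", 51003, 443, "ESTABLISHED"),
    ("198.51.100.4", "192.0.2.10", 51004, 22,  "ESTABLISHED"),
    ("203.0.113.7",  "192.0.2.10", 51005, 22,  "TIME_WAIT"),   # closing: not counted
)

# Model's choice of which states still count as a parallel connection.
ACTIVE_STATES = {"SYN_SENT", "SYN_RECV", "ESTABLISHED"}


def source_block(addr: str, prefix: int) -> str:
    """Network address of addr/prefix, the grouping --connlimit-mask applies."""
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def count_per_block(entries: Iterable[Entry], prefix: int, dport: int) -> Counter:
    """Open connections to dport, grouped by client block."""
    counts: Counter = Counter()
    for saddr, _daddr, _sport, port, state in entries:
        if port == dport and state in ACTIVE_STATES:
            counts[source_block(saddr, prefix)] += 1
    return counts


def connlimit_above(entries: Iterable[Entry], new_saddr: str, dport: int,
                    above: int, prefix: int = 32) -> bool:
    """True when, counting this new connection too, the client's block exceeds `above`."""
    counts = count_per_block(entries, prefix, dport)
    return counts[source_block(new_saddr, prefix)] + 1 > above
```

The prefix length is what turns a per-host limit into a per-network one: the same snapshot that leaves 203.0.113.7 under a limit of 2 on its own puts its /24 over that limit, which is how a rule such as `-m connlimit --connlimit-above 2 --connlimit-mask 24` would behave against a group of clients from one network.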

config NETFILTER_XT_MATCH_CONNMARK
    tristate '"connmark" connection mark match support'
    depends on NF_CONNTRACK
    depends on NETFILTER_ADVANCED
    select NF_CONNTRACK_MARK
    help
      This option adds a `connmark' match, which allows you to match the
      connection mark value previously set for the session by `CONNMARK'.

      If you want to compile it as a module, say M here and read
      <file:Documentation/kbuild/modules.txt>. The module will be called
      ipt_connmark. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNTRACK
    tristate '"conntrack" connection tracking match support'
    depends on NF_CONNTRACK
    default m if NETFILTER_ADVANCED=n
    help
      This is a general conntrack match module, a superset of the state match.

      It allows matching on additional conntrack information, which is
      useful in complex configurations, such as NAT gateways with multiple
      internet links or tunnels.

      To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_DCCP
    tristate '"dccp" protocol match support'
    depends on NETFILTER_ADVANCED
    default IP_DCCP
    help
      With this option enabled, you will be able to use the iptables
      `dccp' match in order to match on DCCP source/destination ports
      and DCCP flags.

      If you want to compile it as a module, say M here and read
      <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_DSCP
    tristate '"dscp" and "tos" match support'
    depends on NETFILTER_ADVANCED
    help
      This option adds a `DSCP' match, which allows you to match against
      the IPv4/IPv6 header DSCP field (differentiated services codepoint).

      The DSCP field can have any value between 0x0 and 0x3f inclusive.

      It will also add a "tos" match, which allows you to match packets
      based on the Type Of Service fields of the IPv4 packet (which share
      the same bits as DSCP).

      To compile it as a module, choose M here. If unsure, say N.
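An added Python example (written for this page, not the kernel's xt_DSCP or xt_dscp code) that covers both the DSCP target above and the dscp/tos match here: it constructs an IPv4 header, sets the six-bit DSCP while leaving the two ECN bits untouched, recomputes the header checksum, and then evaluates a `dscp` match and a `tos` match with a mask against the result. The sample addresses and codepoints are constructed; 0x2e is the standard EF codepoint, and the range check mirrors the 0x0 to 0x3f limit stated in the help text.

```python
import socket
import struct

DSCP_MAX = 0x3F          # six bits: 0x0 .. 0x3f inclusive
ECN_MASK = 0x03          # low two bits of the TOS byte; the DSCP target leaves them alone


def csum16(data: bytes) -> int:
    """Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, tos: int = 0, payload_len: int = 0) -> bytes:
    """Constructed 20-byte IPv4 header with a valid checksum (protocol 17 = UDP)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0x2A2A, 0x4000,
                      64, 17, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", csum16(hdr)) + hdr[12:]


def header_checksum_ok(pkt: bytes) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    return csum16(pkt[:ihl]) == 0


def set_dscp(pkt: bytes, dscp: int) -> bytes:
    """What the DSCP target does: replace the codepoint, keep ECN, fix the checksum."""
    if not 0 <= dscp <= DSCP_MAX:
        raise ValueError("DSCP must be between 0x0 and 0x3f")
    buf = bytearray(pkt)
    buf[1] = (dscp << 2) | (buf[1] & ECN_MASK)
    ihl = (buf[0] & 0x0F) * 4
    buf[10:12] = b"\x00\x00"
    struct.pack_into("!H", buf, 10, csum16(bytes(buf[:ihl])))
    return bytes(buf)


def get_dscp(pkt: bytes) -> int:
    return pkt[1] >> 2


def match_dscp(pkt: bytes, dscp: int) -> bool:
    """`-m dscp --dscp N`: compare only the six DSCP bits."""
    return get_dscp(pkt) == dscp


def match_tos(pkt: bytes, value: int, mask: int = 0xFF) -> bool:
    """`-m tos --tos value/mask`: compare the masked bits of the whole TOS byte."""
    return (pkt[1] & mask) == (value & mask)
```

The two matches look at the same byte but with different masks: `match_tos` with the full 0xff mask sees the ECN bits and so can fail where `match_dscp` succeeds, which is why a rule written in terms of the old TOS byte needs a mask of 0xfc to behave like a DSCP rule.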

config NETFILTER_XT_MATCH_ESP
    tristate '"esp" match support'
    depends on NETFILTER_ADVANCED
    help
      This match extension allows you to match a range of SPIs
      inside the ESP header of IPsec packets.

      To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_HASHLIMIT
    tristate '"hashlimit" match support'
    depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
    depends on NETFILTER_ADVANCED
    help
      This option adds a `hashlimit' match.

      As opposed to `limit', this match dynamically creates a hash table
      of limit buckets, based on your selection of source/destination
      addresses and/or ports.

      It enables you to express policies like `10kpps for any given
      destination address' or `500pps from any given source address'
      with a single rule.

config NETFILTER_XT_MATCH_HELPER
    tristate '"helper" match support'
    depends on NF_CONNTRACK
    depends on NETFILTER_ADVANCED
    help
      Helper matching allows you to match packets in dynamic connections
      tracked by a conntrack helper, e.g. ip_conntrack_ftp.

      To compile it as a module, choose M here. If unsure, say Y.

config NETFILTER_XT_MATCH_HL
    tristate '"hl" hoplimit/TTL match support'
    depends on NETFILTER_ADVANCED
    ---help---
    HL matching allows you to match packets based on the hoplimit
    in the IPv6 header, or the time-to-live field in the IPv4
    header of the packet.

config NETFILTER_XT_MATCH_IPRANGE
    tristate '"iprange" address range match support'
    depends on NETFILTER_ADVANCED
    ---help---
    This option adds an "iprange" match, which allows you to match based on
    an IP address range. (Normal iptables only matches on single addresses
    with an optional mask.)

    If unsure, say M.

config NETFILTER_XT_MATCH_LENGTH
    tristate '"length" match support'
    depends on NETFILTER_ADVANCED
    help
      This option allows you to match the length of a packet against a
      specific value or range of values.

      To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_LIMIT
    tristate '"limit" match support'
    depends on NETFILTER_ADVANCED
    help
      limit matching allows you to control the rate at which a rule can be
      matched: mainly useful in combination with the LOG target ("LOG
      target support", below) and to avoid some Denial of Service attacks.

      To compile it as a module, choose M here. If unsure, say N.
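An added Python model (written for this page, not the kernel's xt_hashlimit or xt_limit code) of the rate limiting that both `hashlimit` (above: one bucket per key built from source/destination address and/or port) and `limit` (here: a single bucket shared by every packet the rule sees) perform. Each bucket is a token bucket with a burst and a refill rate, keyed by the fields chosen as with `--hashlimit-mode`; an empty key tuple gives the shared bucket of `limit`. Rates, bursts, field names and timestamps are constructed, and the kernel's credit arithmetic in jiffies is not reproduced exactly.

```python
from typing import Dict, Mapping, Optional, Tuple


class TokenBucket:
    """Allow up to `burst` packets at once, refilling `rate` tokens per second."""

    def __init__(self, rate: float, burst: int) -> None:
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last: Optional[float] = None     # time of last refill; None until first packet

    def allow(self, now: float) -> bool:
        if self.last is not None:
            self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class HashLimit:
    """One bucket per key; mode=() gives the single shared bucket of the `limit` match."""

    def __init__(self, rate: float, burst: int, mode: Tuple[str, ...] = ("srcip",)) -> None:
        self.rate, self.burst, self.mode = rate, burst, mode
        self.buckets: Dict[tuple, TokenBucket] = {}

    def key(self, pkt: Mapping[str, object]) -> tuple:
        """Bucket key from the packet fields named in mode (like --hashlimit-mode srcip,dstport)."""
        return tuple(pkt[f] for f in self.mode)

    def match(self, pkt: Mapping[str, object], now: float, above: bool = False) -> bool:
        """Rule matches when the packet is within its limit, or beyond it if above=True
        (the `--hashlimit-above` form, typically paired with a LOG or DROP target)."""
        bucket = self.buckets.setdefault(self.key(pkt), TokenBucket(self.rate, self.burst))
        within = bucket.allow(now)
        return (not within) if above else within

    def expire(self, now: float, idle_seconds: float) -> int:
        """Forget buckets idle longer than idle_seconds, as the hash table's garbage
        collection does; returns how many were removed."""
        stale = [k for k, b in self.buckets.items()
                 if b.last is not None and now - b.last > idle_seconds]
        for k in stale:
            del self.buckets[k]
        return len(stale)
```

With `mode=("srcip",)` a burst from one source leaves every other source's budget untouched; with `mode=()` the same burst exhausts the single bucket for everyone, which is the difference the help text draws between `hashlimit` and `limit`.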
724
725config NETFILTER_XT_MATCH_MAC
726    tristate '"mac" address match support'
727    depends on NETFILTER_ADVANCED
728    help
729      MAC matching allows you to match packets based on the source
730      Ethernet address of the packet.
731
732      To compile it as a module, choose M here. If unsure, say N.
733
734config NETFILTER_XT_MATCH_MARK
735    tristate '"mark" match support'
736    default m if NETFILTER_ADVANCED=n
737    help
738      Netfilter mark matching allows you to match packets based on the
739      `nfmark' value in the packet. This can be set by the MARK target
740      (see below).
741
742      To compile it as a module, choose M here. If unsure, say N.
743
744config NETFILTER_XT_MATCH_MULTIPORT
745    tristate '"multiport" Multiple port match support'
746    depends on NETFILTER_ADVANCED
747    help
748      Multiport matching allows you to match TCP or UDP packets based on
749      a series of source or destination ports: normally a rule can only
750      match a single range of ports.
751
752      To compile it as a module, choose M here. If unsure, say N.
753
754config NETFILTER_XT_MATCH_OWNER
755    tristate '"owner" match support'
756    depends on NETFILTER_ADVANCED
757    ---help---
758    Socket owner matching allows you to match locally-generated packets
759    based on who created the socket: the user or group. It is also
760    possible to check whether a socket actually exists.
761
762config NETFILTER_XT_MATCH_POLICY
763    tristate 'IPsec "policy" match support'
764    depends on XFRM
765    default m if NETFILTER_ADVANCED=n
766    help
767      Policy matching allows you to match packets based on the
768      IPsec policy that was used during decapsulation/will
769      be used during encapsulation.
770
771      To compile it as a module, choose M here. If unsure, say N.
772
773config NETFILTER_XT_MATCH_PHYSDEV
774    tristate '"physdev" match support'
775    depends on BRIDGE && BRIDGE_NETFILTER
776    depends on NETFILTER_ADVANCED
777    help
778      Physdev packet matching matches against the physical bridge ports
779      the IP packet arrived on or will leave by.
780
781      To compile it as a module, choose M here. If unsure, say N.
782
783config NETFILTER_XT_MATCH_PKTTYPE
784    tristate '"pkttype" packet type match support'
785    depends on NETFILTER_ADVANCED
786    help
787      Packet type matching allows you to match a packet by
788      its "class", eg. BROADCAST, MULTICAST, ...
789
790      Typical usage:
791      iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
792
793      To compile it as a module, choose M here. If unsure, say N.
794
795config NETFILTER_XT_MATCH_QUOTA
796    tristate '"quota" match support'
797    depends on NETFILTER_ADVANCED
798    help
799      This option adds a `quota' match, which allows you to match on a
800      byte counter.
801
802      If you want to compile it as a module, say M here and read
803      <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
804
805config NETFILTER_XT_MATCH_RATEEST
806    tristate '"rateest" match support'
807    depends on NETFILTER_ADVANCED
808    select NETFILTER_XT_TARGET_RATEEST
809    help
810      This option adds a `rateest' match, which allows you to match on the
811      rate estimated by the RATEEST target.
812
813      To compile it as a module, choose M here. If unsure, say N.
814
815config NETFILTER_XT_MATCH_REALM
816    tristate '"realm" match support'
817    depends on NETFILTER_ADVANCED
818    select NET_CLS_ROUTE
819    help
820      This option adds a `realm' match, which allows you to use the realm
821      key from the routing subsystem inside iptables.
822
823      This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
824      in the tc world.
825
826      If you want to compile it as a module, say M here and read
827      <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
828
829config NETFILTER_XT_MATCH_RECENT
830    tristate '"recent" match support'
831    depends on NETFILTER_ADVANCED
832    ---help---
833    This match is used for creating one or many lists of recently
834    used addresses and then matching against that/those list(s).
835
836    Short options are available by using 'iptables -m recent -h'.
837    Official Website: <http://snowman.net/projects/ipt_recent/>
838
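The help text above only says that "recent" keeps lists of recently seen addresses and matches against them. The following is an added example, not net/netfilter/xt_recent.c, that models the list semantics a practitioner relies on when using the match as a brute-force limiter: --set records a hit for an address, --rcheck/--update match when at least --hitcount hits fall within --seconds, and --update additionally records the current hit on a match. The list size (16 entries), the 20 hits remembered per address, plain-seconds timestamps, a single unnamed list and the two-rule SSH policy are assumptions of this example.

```c
/* Model of the "recent" match's address lists. Added example, not the
 * kernel's xt_recent.c. Timestamps are plain seconds; one list only. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define RECENT_MAX_ENTRIES 16  /* toy list size */
#define RECENT_MAX_STAMPS  20  /* hits remembered per address (assumed) */

struct recent_entry {
    uint32_t addr;                       /* IPv4 source, host byte order */
    uint32_t stamps[RECENT_MAX_STAMPS];  /* ring of hit times */
    unsigned nstamps, index;
    uint32_t last_seen;
};

struct recent_table {
    struct recent_entry e[RECENT_MAX_ENTRIES];
    unsigned n;
};

static struct recent_entry *recent_lookup(struct recent_table *t, uint32_t addr)
{
    for (unsigned i = 0; i < t->n; i++)
        if (t->e[i].addr == addr)
            return &t->e[i];
    return NULL;
}

static void recent_stamp(struct recent_entry *e, uint32_t now)
{
    e->stamps[e->index++] = now;
    if (e->index > e->nstamps)
        e->nstamps = e->index;
    if (e->index >= RECENT_MAX_STAMPS)
        e->index = 0;                    /* overwrite the oldest hit */
    e->last_seen = now;
}

/* --set: add addr (evicting the least recently seen entry when the list is
 * full) and record this packet as a hit. */
void recent_set(struct recent_table *t, uint32_t addr, uint32_t now)
{
    struct recent_entry *e = recent_lookup(t, addr);
    if (!e) {
        if (t->n < RECENT_MAX_ENTRIES) {
            e = &t->e[t->n++];
        } else {
            e = &t->e[0];
            for (unsigned i = 1; i < t->n; i++)
                if (t->e[i].last_seen < e->last_seen)
                    e = &t->e[i];
        }
        memset(e, 0, sizeof *e);
        e->addr = addr;
    }
    recent_stamp(e, now);
}

/* --rcheck (update=false) / --update (update=true): match when addr is listed
 * and at least hitcount of its hits are newer than `seconds` (0 = any age).
 * --update also records the current hit on a match, so a host that keeps
 * hammering keeps extending its own block. */
bool recent_check(struct recent_table *t, uint32_t addr, uint32_t now,
                  uint32_t seconds, unsigned hitcount, bool update)
{
    struct recent_entry *e = recent_lookup(t, addr);
    unsigned hits = 0;
    if (!e)
        return false;
    if (hitcount == 0)
        hitcount = 1;
    for (unsigned i = 0; i < e->nstamps; i++) {
        if (seconds && e->stamps[i] + seconds < now)
            continue;                    /* hit is older than the window */
        if (++hits >= hitcount) {
            if (update)
                recent_stamp(e, now);
            return true;
        }
    }
    return false;
}

enum { VERDICT_ACCEPT = 0, VERDICT_DROP = 1 };

/* Illustrative limiter for new SSH connections, i.e. the rule pair
 *   -m recent --set --name SSH
 *   -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
 * evaluated for one packet from src at time now. */
int ssh_new_conn_verdict(struct recent_table *ssh, uint32_t src, uint32_t now)
{
    recent_set(ssh, src, now);
    return recent_check(ssh, src, now, 60, 4, true) ? VERDICT_DROP : VERDICT_ACCEPT;
}

/* Five attempts from 10.0.0.5 at t = 0, 10, 20, 30, 100 s; returns a bitmask
 * of the attempts that were dropped (bit i = attempt i). */
unsigned ssh_demo(void)
{
    struct recent_table ssh = {0};
    const uint32_t times[] = {0, 10, 20, 30, 100};
    unsigned dropped = 0;
    for (unsigned i = 0; i < sizeof times / sizeof times[0]; i++)
        if (ssh_new_conn_verdict(&ssh, 0x0a000005, times[i]) == VERDICT_DROP)
            dropped |= 1u << i;
    return dropped;
}

int main(void)
{
    printf("dropped attempts bitmask: 0x%x\n", ssh_demo());
    return 0;
}
```

Only the fourth attempt inside the 60 s window is dropped; by t = 100 s the earlier hits have aged out and the host is accepted again, which is the behaviour to expect when tuning --seconds and --hitcount.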
839config NETFILTER_XT_MATCH_RECENT_PROC_COMPAT
840    bool 'Enable obsolete /proc/net/ipt_recent'
841    depends on NETFILTER_XT_MATCH_RECENT && PROC_FS
842    ---help---
843    This option enables the old /proc/net/ipt_recent interface,
844    which has been obsoleted by /proc/net/xt_recent.
845
846config NETFILTER_XT_MATCH_SCTP
847    tristate '"sctp" protocol match support (EXPERIMENTAL)'
848    depends on EXPERIMENTAL
849    depends on NETFILTER_ADVANCED
850    default IP_SCTP
851    help
852      With this option enabled, you will be able to use the
853      `sctp' match in order to match on SCTP source/destination ports
854      and SCTP chunk types.
855
856      If you want to compile it as a module, say M here and read
857      <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
858
859config NETFILTER_XT_MATCH_SOCKET
860    tristate '"socket" match support (EXPERIMENTAL)'
861    depends on EXPERIMENTAL
862    depends on NETFILTER_TPROXY
863    depends on NETFILTER_XTABLES
864    depends on NETFILTER_ADVANCED
865    depends on !NF_CONNTRACK || NF_CONNTRACK
866    select NF_DEFRAG_IPV4
867    help
868      This option adds a `socket' match, which can be used to match
869      packets for which a TCP or UDP socket lookup finds a valid socket.
870      It can be used in combination with the MARK target and policy
871      routing to implement full featured non-locally bound sockets.
872
873      To compile it as a module, choose M here. If unsure, say N.
874
875config NETFILTER_XT_MATCH_STATE
876    tristate '"state" match support'
877    depends on NF_CONNTRACK
878    default m if NETFILTER_ADVANCED=n
879    help
880      Connection state matching allows you to match packets based on their
881      relationship to a tracked connection (ie. previous packets). This
882      is a powerful tool for packet classification.
883
884      To compile it as a module, choose M here. If unsure, say N.
885
886config NETFILTER_XT_MATCH_STATISTIC
887    tristate '"statistic" match support'
888    depends on NETFILTER_ADVANCED
889    help
890      This option adds a `statistic' match, which allows you to match
891      on packets periodically or randomly with a given percentage.
892
893      To compile it as a module, choose M here. If unsure, say N.
894
895config NETFILTER_XT_MATCH_STRING
896    tristate '"string" match support'
897    depends on NETFILTER_ADVANCED
898    select TEXTSEARCH
899    select TEXTSEARCH_KMP
900    select TEXTSEARCH_BM
901    select TEXTSEARCH_FSM
902    help
903      This option adds a `string' match, which allows you to look for
904      pattern matchings in packets.
905
906      To compile it as a module, choose M here. If unsure, say N.
907
908config NETFILTER_XT_MATCH_TCPMSS
909    tristate '"tcpmss" match support'
910    depends on NETFILTER_ADVANCED
911    help
912      This option adds a `tcpmss' match, which allows you to examine the
913      MSS value of TCP SYN packets, which control the maximum packet size
914      for that connection.
915
916      To compile it as a module, choose M here. If unsure, say N.
917
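The MSS is carried as a TCP option, so a match on it has to walk the option list safely. The following is an added example, not the kernel's xt_tcpmss.c: it extracts the MSS from a bare TCP header and applies a --mss lo:hi range. It restricts itself to SYN segments, as the help text describes, and treats a malformed option block (a zero-length option that would never advance the scan, or an option running past the data offset) as a failure rather than skipping it; both are choices of this example, and the segments are constructed inline.

```c
/* MSS extraction from a TCP SYN. Added example, not net/netfilter/xt_tcpmss.c.
 * Input is the TCP header only (IP header already stripped). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum { TCPOPT_EOL = 0, TCPOPT_NOP = 1, TCPOPT_MSS = 2, TCPOLEN_MSS = 4 };
enum { MSS_ABSENT = -1, MSS_INVALID = -2 };

/* Returns the MSS value (0..65535) of a SYN segment, MSS_ABSENT if the SYN
 * carries no MSS option, MSS_INVALID if the segment is not a SYN, is
 * truncated, or has a malformed option block. */
int tcp_syn_mss(const uint8_t *tcp, size_t len)
{
    if (len < 20)
        return MSS_INVALID;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;   /* data offset in bytes */
    if (doff < 20 || doff > len)
        return MSS_INVALID;
    if (!(tcp[13] & 0x02))
        return MSS_INVALID;                     /* MSS only appears on SYN */
    const uint8_t *op = tcp + 20;
    size_t optlen = doff - 20, i = 0;
    while (i < optlen) {
        if (op[i] == TCPOPT_EOL)
            break;
        if (op[i] == TCPOPT_NOP) {
            i++;
            continue;
        }
        if (i + 1 >= optlen)
            return MSS_INVALID;                 /* kind byte without length */
        size_t l = op[i + 1];
        if (l < 2 || i + l > optlen)
            return MSS_INVALID;                 /* len 0/1 would loop forever; too long reads past options */
        if (op[i] == TCPOPT_MSS) {
            if (l != TCPOLEN_MSS)
                return MSS_INVALID;
            return (op[i + 2] << 8) | op[i + 3];
        }
        i += l;
    }
    return MSS_ABSENT;
}

/* "--mss lo:hi": true only when an MSS was found and lies in the range. */
int tcpmss_match(const uint8_t *tcp, size_t len, int lo, int hi)
{
    int mss = tcp_syn_mss(tcp, len);
    return mss >= 0 && mss >= lo && mss <= hi;
}

/* Constructed SYN segments, ports 40000 -> 22, no IP header. */
static const uint8_t syn_mss1460[] = {
    0x9c, 0x40, 0x00, 0x16, 0, 0, 0, 1, 0, 0, 0, 0, 0x70, 0x02, 0xff, 0xff, 0, 0, 0, 0,
    0x02, 0x04, 0x05, 0xb4,   /* MSS 1460 */
    0x01,                     /* NOP */
    0x03, 0x03, 0x07,         /* window scale 7 */
};
static const uint8_t syn_no_opts[] = {
    0x9c, 0x40, 0x00, 0x16, 0, 0, 0, 1, 0, 0, 0, 0, 0x50, 0x02, 0xff, 0xff, 0, 0, 0, 0,
};
static const uint8_t syn_zero_optlen[] = {   /* NOP, then MSS with length 0 */
    0x9c, 0x40, 0x00, 0x16, 0, 0, 0, 1, 0, 0, 0, 0, 0x60, 0x02, 0xff, 0xff, 0, 0, 0, 0,
    0x01, 0x02, 0x00, 0x00,
};

int main(void)
{
    printf("mss1460: %d\n", tcp_syn_mss(syn_mss1460, sizeof syn_mss1460));
    printf("no opts: %d\n", tcp_syn_mss(syn_no_opts, sizeof syn_no_opts));
    printf("zero optlen: %d\n", tcp_syn_mss(syn_zero_optlen, sizeof syn_zero_optlen));
    printf("match 1400:1500: %d\n", tcpmss_match(syn_mss1460, sizeof syn_mss1460, 1400, 1500));
    return 0;
}
```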
918config NETFILTER_XT_MATCH_TIME
919    tristate '"time" match support'
920    depends on NETFILTER_ADVANCED
921    ---help---
922      This option adds a "time" match, which allows you to match based on
923      the packet arrival time (at the machine which netfilter is running
924      on) or departure time/date (for locally generated packets).
925
926      If you say Y here, try `iptables -m time --help` for
927      more information.
928
929      If you want to compile it as a module, say M here.
930      If unsure, say N.
931
932config NETFILTER_XT_MATCH_U32
933    tristate '"u32" match support'
934    depends on NETFILTER_ADVANCED
935    ---help---
936      u32 allows you to extract quantities of up to 4 bytes from a packet,
937      AND them with specified masks, shift them by specified amounts and
938      test whether the results are in any of a set of specified ranges.
939      The specification of what to extract is general enough to skip over
940      headers with lengths stored in the packet, as in IP or TCP header
941      lengths.
942
943      Details and examples are in the kernel module source.
944
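The u32 description above is dense, so the following added example (not the kernel's xt_u32.c or the iptables parser) evaluates the u32 expression language over a constructed IPv4/TCP packet: read a 32-bit word at a location, apply &, <<, >> operators, use @ to rebase on a length just extracted (the header-skipping trick the text mentions), test the result against a range list, and chain tests with &&. It also shows the failure mode a practitioner should know: any read that would run past the end of the packet makes the test fail rather than match. The sample packet (a SYN from 10.0.0.1:40000 to 10.0.0.2:22 with no payload) and the rule strings are constructed for this example.

```c
/* Toy evaluator for "-m u32" expressions over a raw IPv4 packet. Added
 * example, not net/netfilter/xt_u32.c; it follows the semantics described
 * in the help text: read 4 bytes, &, <<, >>, @ rebase, range test, "&&". */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <ctype.h>
#include <stdio.h>

/* Read a big-endian 32-bit word at pos; fail unless all 4 bytes are inside. */
static bool rd32(const uint8_t *pkt, size_t len, size_t pos, uint32_t *out)
{
    if (len < 4 || pos > len - 4)
        return false;
    *out = ((uint32_t)pkt[pos] << 24) | ((uint32_t)pkt[pos + 1] << 16) |
           ((uint32_t)pkt[pos + 2] << 8) | pkt[pos + 3];
    return true;
}

/* Parse an unsigned decimal or 0x-prefixed hex number and advance *s. */
static bool num(const char **s, uint32_t *v)
{
    char *end;
    if (!isdigit((unsigned char)**s))
        return false;
    *v = (uint32_t)strtoul(*s, &end, 0);
    *s = end;
    return true;
}

/* Returns 1 if every "&&"-joined test matches, 0 if one fails (including a
 * read that would run off the end of the packet), -1 on a syntax error. */
int u32_match(const char *expr, const uint8_t *pkt, size_t len)
{
    const char *s = expr;
    for (;;) {
        uint32_t at = 0, pos, val, n;
        bool hit = false;

        if (!num(&s, &pos))
            return -1;
        if (!rd32(pkt, len, pos, &val))
            return 0;
        /* operator chain: &mask, <<n, >>n, @offset */
        while (*s == '&' || *s == '<' || *s == '>' || *s == '@') {
            char op = *s;
            if (op == '&' || op == '@')
                s += 1;
            else if (s[1] == op)
                s += 2;
            else
                return -1;
            if (!num(&s, &n))
                return -1;
            if (op == '&')
                val &= n;
            else if (op == '<')
                val = n >= 32 ? 0 : val << n;
            else if (op == '>')
                val = n >= 32 ? 0 : val >> n;
            else {
                /* "@": the value just computed (e.g. an IP header length)
                 * is added to the base; re-read 4 bytes at base + n. */
                if (at + val < at)
                    return 0;                 /* base overflow */
                at += val;
                if (at > UINT32_MAX - 4 || (size_t)at + 4 > len || n > len - at - 4)
                    return 0;                 /* would read past the packet */
                rd32(pkt, len, (size_t)at + n, &val);
            }
        }
        if (*s++ != '=')
            return -1;
        /* value list lo[:hi][,lo[:hi]]...: matches if val is in any range */
        for (;;) {
            uint32_t lo, hi;
            if (!num(&s, &lo))
                return -1;
            hi = lo;
            if (*s == ':') {
                s++;
                if (!num(&s, &hi))
                    return -1;
            }
            if (val >= lo && val <= hi)
                hit = true;
            if (*s != ',')
                break;
            s++;
        }
        if (!hit)
            return 0;
        while (*s == ' ')
            s++;
        if (*s == '\0')
            return 1;
        if (s[0] != '&' || s[1] != '&')
            return -1;
        s += 2;
        while (*s == ' ')
            s++;
    }
}

/* Constructed sample: IPv4 (IHL 5, DF), TCP SYN 10.0.0.1:40000 -> 10.0.0.2:22, no payload. */
static const uint8_t sample_pkt[] = {
    0x45, 0x00, 0x00, 0x28, 0x12, 0x34, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
    0x9c, 0x40, 0x00, 0x16, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x50, 0x02, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
};

int main(void)
{
    const char *rules[] = {
        "6&0xFF=6",                               /* IP protocol == TCP */
        "4&0x3FFF=0",                             /* MF bit and fragment offset zero */
        "0>>22&0x3C@0&0xFFFF=22",                 /* TCP dport 22, located via IHL */
        "0>>22&0x3C@12>>16&0xFF=2",               /* TCP flags == SYN only */
        "0>>22&0x3C@12>>26&0x3C@0=0:0xFFFFFFFF",  /* first payload word: none here */
    };
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        printf("%-42s -> %d\n", rules[i], u32_match(rules[i], sample_pkt, sizeof sample_pkt));
    return 0;
}
```

The last rule rebases twice (IHL, then TCP data offset) and fails on this packet because there is no payload word to read; a rule intended to inspect payload therefore never matches empty segments, which is the conservative behaviour you want from a bounds check.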
945config NETFILTER_XT_MATCH_OSF
946    tristate '"osf" Passive OS fingerprint match'
947    depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
948    help
949      This option selects the Passive OS Fingerprinting match module,
950      which allows you to passively identify the remote operating system
951      by analyzing incoming TCP SYN packets.
952
953      Rules and loading software can be downloaded from
954      http://www.ioremap.net/projects/osf
955
956      To compile it as a module, choose M here. If unsure, say N.
957
958endif # NETFILTER_XTABLES
959
960endmenu
961
962source "net/netfilter/ipvs/Kconfig"
963