linux/net/netfilter/Kconfig
   1menu "Core Netfilter Configuration"
   2        depends on NET && INET && NETFILTER
   3
   4config NETFILTER_NETLINK
   5        tristate
   6
   7config NETFILTER_NETLINK_ACCT
   8tristate "Netfilter NFACCT over NFNETLINK interface"
   9        depends on NETFILTER_ADVANCED
  10        select NETFILTER_NETLINK
  11        help
  12          If this option is enabled, the kernel will include support
  13          for extended accounting via NFNETLINK.
  14
  15config NETFILTER_NETLINK_QUEUE
  16        tristate "Netfilter NFQUEUE over NFNETLINK interface"
  17        depends on NETFILTER_ADVANCED
  18        select NETFILTER_NETLINK
  19        help
  20          If this option is enabled, the kernel will include support
  21          for queueing packets via NFNETLINK.
  22          
  23config NETFILTER_NETLINK_LOG
  24        tristate "Netfilter LOG over NFNETLINK interface"
  25        default m if NETFILTER_ADVANCED=n
  26        select NETFILTER_NETLINK
  27        help
  28          If this option is enabled, the kernel will include support
  29          for logging packets via NFNETLINK.
  30
  31          This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
  32          and is also scheduled to replace the old syslog-based ipt_LOG
  33          and ip6t_LOG modules.
  34
  35config NF_CONNTRACK
  36        tristate "Netfilter connection tracking support"
  37        default m if NETFILTER_ADVANCED=n
  38        help
  39          Connection tracking keeps a record of what packets have passed
  40          through your machine, in order to figure out how they are related
  41          into connections.
  42
  43          This is required to do Masquerading or other kinds of Network
  44          Address Translation.  It can also be used to enhance packet
  45          filtering (see `Connection state match support' below).
  46
  47          To compile it as a module, choose M here.  If unsure, say N.
  48
  49if NF_CONNTRACK
  50
  51config NF_CONNTRACK_MARK
  52        bool  'Connection mark tracking support'
  53        depends on NETFILTER_ADVANCED
  54        help
  55          This option enables support for connection marks, used by the
  56          `CONNMARK' target and `connmark' match. Similar to the mark value
  57          of packets, but this mark value is kept in the conntrack session
  58          instead of the individual packets.
  59
  60config NF_CONNTRACK_SECMARK
  61        bool  'Connection tracking security mark support'
  62        depends on NETWORK_SECMARK
  63        default m if NETFILTER_ADVANCED=n
  64        help
  65          This option enables security markings to be applied to
  66          connections.  Typically they are copied to connections from
  67          packets using the CONNSECMARK target and copied back from
  68          connections to packets with the same target, with the packets
  69          being originally labeled via SECMARK.
  70
  71          If unsure, say 'N'.
  72
  73config NF_CONNTRACK_ZONES
  74        bool  'Connection tracking zones'
  75        depends on NETFILTER_ADVANCED
  76        depends on NETFILTER_XT_TARGET_CT
  77        help
  78          This option enables support for connection tracking zones.
  79          Normally, each connection needs to have a unique system wide
  80          identity. Connection tracking zones allow you to have multiple
  81          connections using the same identity, as long as they are
  82          contained in different zones.
  83
  84          If unsure, say `N'.
  85
  86config NF_CONNTRACK_PROCFS
  87        bool "Supply CT list in procfs (OBSOLETE)"
  88        default y
  89        depends on PROC_FS
  90        ---help---
  91        This option enables the list of known conntrack entries
  92        to be shown in procfs under net/netfilter/nf_conntrack. This
  93        is considered obsolete in favor of using the conntrack(8)
  94        tool which uses Netlink.
  95
  96config NF_CONNTRACK_EVENTS
  97        bool "Connection tracking events"
  98        depends on NETFILTER_ADVANCED
  99        help
 100          If this option is enabled, the connection tracking code will
 101          provide a notifier chain that can be used by other kernel code
 102          to get notified about changes in the connection tracking state.
 103
 104          If unsure, say `N'.
 105
 106config NF_CONNTRACK_TIMEOUT
 107        bool  'Connection tracking timeout'
 108        depends on NETFILTER_ADVANCED
 109        help
 110          This option enables support for connection tracking timeout
 111          extension. This allows you to attach timeout policies to flows
 112          via the CT target.
 113
 114          If unsure, say `N'.
 115
 116config NF_CONNTRACK_TIMESTAMP
 117        bool  'Connection tracking timestamping'
 118        depends on NETFILTER_ADVANCED
 119        help
 120          This option enables support for connection tracking timestamping.
 121          This allows you to store the flow start-time and to obtain
 122          the flow-stop time (once it has been destroyed) via Connection
 123          tracking events.
 124
 125          If unsure, say `N'.
 126
 127config NF_CONNTRACK_LABELS
 128        bool
 129        help
 130          This option enables support for assigning user-defined flag bits
 131          to connection tracking entries.  It is selected by the connlabel match.
 132
 133config NF_CT_PROTO_DCCP
 134        tristate 'DCCP protocol connection tracking support'
 135        depends on NETFILTER_ADVANCED
 136        default IP_DCCP
 137        help
 138          With this option enabled, the layer 3 independent connection
 139          tracking code will be able to do state tracking on DCCP connections.
 140
 141          If unsure, say 'N'.
 142
 143config NF_CT_PROTO_GRE
 144        tristate
 145
 146config NF_CT_PROTO_SCTP
 147        tristate 'SCTP protocol connection tracking support'
 148        depends on NETFILTER_ADVANCED
 149        default IP_SCTP
 150        help
 151          With this option enabled, the layer 3 independent connection
 152          tracking code will be able to do state tracking on SCTP connections.
 153
 154          If you want to compile it as a module, say M here and read
 155          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 156
 157config NF_CT_PROTO_UDPLITE
 158        tristate 'UDP-Lite protocol connection tracking support'
 159        depends on NETFILTER_ADVANCED
 160        help
 161          With this option enabled, the layer 3 independent connection
 162          tracking code will be able to do state tracking on UDP-Lite
 163          connections.
 164
 165          To compile it as a module, choose M here.  If unsure, say N.
 166
 167config NF_CONNTRACK_AMANDA
 168        tristate "Amanda backup protocol support"
 169        depends on NETFILTER_ADVANCED
 170        select TEXTSEARCH
 171        select TEXTSEARCH_KMP
 172        help
 173          If you are running the Amanda backup package <http://www.amanda.org/>
 174          on this machine or machines that will be MASQUERADED through this
 175          machine, then you may want to enable this feature.  This allows the
 176          connection tracking and natting code to allow the sub-channels that
 177          Amanda requires for communication of the backup data, messages and
 178          index.
 179
 180          To compile it as a module, choose M here.  If unsure, say N.
 181
 182config NF_CONNTRACK_FTP
 183        tristate "FTP protocol support"
 184        default m if NETFILTER_ADVANCED=n
 185        help
 186          Tracking FTP connections is problematic: special helpers are
 187          required for tracking them, and doing masquerading and other forms
 188          of Network Address Translation on them.
 189
 190          This is FTP support on Layer 3 independent connection tracking.
 191          Layer 3 independent connection tracking is an experimental scheme
 192          which generalizes ip_conntrack to support other layer 3 protocols.
 193
 194          To compile it as a module, choose M here.  If unsure, say N.
 195
 196config NF_CONNTRACK_H323
 197        tristate "H.323 protocol support"
 198        depends on (IPV6 || IPV6=n)
 199        depends on NETFILTER_ADVANCED
 200        help
 201          H.323 is a VoIP signalling protocol from ITU-T. As one of the most
 202          important VoIP protocols, it is widely used by voice hardware and
 203          software including voice gateways, IP phones, Netmeeting, OpenPhone,
 204          Gnomemeeting, etc.
 205
 206          With this module you can support H.323 on a connection tracking/NAT
 207          firewall.
 208
 209          This module supports RAS, Fast Start, H.245 Tunnelling, Call
 210          Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
 211          whiteboard, file transfer, etc. For more information, please
 212          visit http://nath323.sourceforge.net/.
 213
 214          To compile it as a module, choose M here.  If unsure, say N.
 215
 216config NF_CONNTRACK_IRC
 217        tristate "IRC protocol support"
 218        default m if NETFILTER_ADVANCED=n
 219        help
 220          There is a commonly-used extension to IRC called
 221          Direct Client-to-Client Protocol (DCC).  This enables users to send
 222          files to each other, and also chat to each other without the need
 223          of a server.  DCC Sending is used anywhere you send files over IRC,
 224          and DCC Chat is most commonly used by Eggdrop bots.  If you are
 225          using NAT, this extension will enable you to send files and initiate
 226          chats.  Note that you do NOT need this extension to get files or
 227          have others initiate chats, or everything else in IRC.
 228
 229          To compile it as a module, choose M here.  If unsure, say N.
 230
 231config NF_CONNTRACK_BROADCAST
 232        tristate
 233
 234config NF_CONNTRACK_NETBIOS_NS
 235        tristate "NetBIOS name service protocol support"
 236        select NF_CONNTRACK_BROADCAST
 237        help
 238          NetBIOS name service requests are sent as broadcast messages from an
 239          unprivileged port and responded to with unicast messages to the
 240          same port. This makes them hard to firewall properly because connection
 241          tracking doesn't deal with broadcasts. This helper tracks locally
 242          originating NetBIOS name service requests and the corresponding
 243          responses. It relies on correct IP address configuration, specifically
 244          netmask and broadcast address. When properly configured, the output
 245          of "ip address show" should look similar to this:
 246
 247          $ ip -4 address show eth0
 248          4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
 249              inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
 250
 251          To compile it as a module, choose M here.  If unsure, say N.
 252
 253config NF_CONNTRACK_SNMP
 254        tristate "SNMP service protocol support"
 255        depends on NETFILTER_ADVANCED
 256        select NF_CONNTRACK_BROADCAST
 257        help
 258          SNMP service requests are sent as broadcast messages from an
 259          unprivileged port and responded to with unicast messages to the
 260          same port. This makes them hard to firewall properly because connection
 261          tracking doesn't deal with broadcasts. This helper tracks locally
 262          originating SNMP service requests and the corresponding
 263          responses. It relies on correct IP address configuration, specifically
 264          netmask and broadcast address.
 265
 266          To compile it as a module, choose M here.  If unsure, say N.
 267
 268config NF_CONNTRACK_PPTP
 269        tristate "PPtP protocol support"
 270        depends on NETFILTER_ADVANCED
 271        select NF_CT_PROTO_GRE
 272        help
 273          This module adds support for PPTP (Point to Point Tunnelling
 274          Protocol, RFC2637) connection tracking and NAT.
 275
 276          If you are running PPTP sessions over a stateful firewall or NAT
 277          box, you may want to enable this feature.
 278
 279          Please note that not all PPTP modes of operation are supported yet.
 280          Specifically these limitations exist:
 281            - Blindly assumes that control connections are always established
 282              in PNS->PAC direction. This is a violation of RFC2637.
 283            - Only supports a single call within each session
 284
 285          To compile it as a module, choose M here.  If unsure, say N.
 286
 287config NF_CONNTRACK_SANE
 288        tristate "SANE protocol support"
 289        depends on NETFILTER_ADVANCED
 290        help
 291          SANE is a protocol for remote access to scanners as implemented
 292          by the 'saned' daemon. Like FTP, it uses separate control and
 293          data connections.
 294
 295          With this module you can support SANE on a connection tracking
 296          firewall.
 297
 298          To compile it as a module, choose M here.  If unsure, say N.
 299
 300config NF_CONNTRACK_SIP
 301        tristate "SIP protocol support"
 302        default m if NETFILTER_ADVANCED=n
 303        help
 304          SIP is an application-layer control protocol that can establish,
 305          modify, and terminate multimedia sessions (conferences) such as
 306          Internet telephony calls. With the ip_conntrack_sip and
 307          the nf_nat_sip modules you can support the protocol on a connection
 308          tracking/NATing firewall.
 309
 310          To compile it as a module, choose M here.  If unsure, say N.
 311
 312config NF_CONNTRACK_TFTP
 313        tristate "TFTP protocol support"
 314        depends on NETFILTER_ADVANCED
 315        help
 316          TFTP connection tracking helper. Whether this is required depends
 317          on how restrictive your ruleset is.
 318          If you are using a tftp client behind -j SNAT or -j MASQUERADE
 319          you will need this.
 320
 321          To compile it as a module, choose M here.  If unsure, say N.
 322
 323config NF_CT_NETLINK
 324        tristate 'Connection tracking netlink interface'
 325        select NETFILTER_NETLINK
 326        default m if NETFILTER_ADVANCED=n
 327        help
 328          This option enables support for a netlink-based userspace interface.
 329
 330config NF_CT_NETLINK_TIMEOUT
 331        tristate  'Connection tracking timeout tuning via Netlink'
 332        select NETFILTER_NETLINK
 333        depends on NETFILTER_ADVANCED
 334        help
 335          This option enables support for connection tracking timeout
 336          fine-grain tuning. This allows you to attach specific timeout
 337          policies to flows, instead of using the global timeout policy.
 338
 339          If unsure, say `N'.
 340
 341config NF_CT_NETLINK_HELPER
 342        tristate 'Connection tracking helpers in user-space via Netlink'
 343        select NETFILTER_NETLINK
 344        depends on NF_CT_NETLINK
 345        depends on NETFILTER_NETLINK_QUEUE
 346        depends on NETFILTER_NETLINK_QUEUE_CT
 347        depends on NETFILTER_ADVANCED
 348        help
 349          This option enables the user-space connection tracking helpers
 350          infrastructure.
 351
 352          If unsure, say `N'.
 353
 354config NETFILTER_NETLINK_QUEUE_CT
 355        bool "NFQUEUE integration with Connection Tracking"
 356        default n
 357        depends on NETFILTER_NETLINK_QUEUE
 358        help
 359          If this option is enabled, NFQUEUE can include Connection Tracking
 360          information together with the packet that is enqueued via NFNETLINK.
 361
 362config NF_NAT
 363        tristate
 364
 365config NF_NAT_NEEDED
 366        bool
 367        depends on NF_NAT
 368        default y
 369
 370config NF_NAT_PROTO_DCCP
 371        tristate
 372        depends on NF_NAT && NF_CT_PROTO_DCCP
 373        default NF_NAT && NF_CT_PROTO_DCCP
 374
 375config NF_NAT_PROTO_UDPLITE
 376        tristate
 377        depends on NF_NAT && NF_CT_PROTO_UDPLITE
 378        default NF_NAT && NF_CT_PROTO_UDPLITE
 379
 380config NF_NAT_PROTO_SCTP
 381        tristate
 382        default NF_NAT && NF_CT_PROTO_SCTP
 383        depends on NF_NAT && NF_CT_PROTO_SCTP
 384        select LIBCRC32C
 385
 386config NF_NAT_AMANDA
 387        tristate
 388        depends on NF_CONNTRACK && NF_NAT
 389        default NF_NAT && NF_CONNTRACK_AMANDA
 390
 391config NF_NAT_FTP
 392        tristate
 393        depends on NF_CONNTRACK && NF_NAT
 394        default NF_NAT && NF_CONNTRACK_FTP
 395
 396config NF_NAT_IRC
 397        tristate
 398        depends on NF_CONNTRACK && NF_NAT
 399        default NF_NAT && NF_CONNTRACK_IRC
 400
 401config NF_NAT_SIP
 402        tristate
 403        depends on NF_CONNTRACK && NF_NAT
 404        default NF_NAT && NF_CONNTRACK_SIP
 405
 406config NF_NAT_TFTP
 407        tristate
 408        depends on NF_CONNTRACK && NF_NAT
 409        default NF_NAT && NF_CONNTRACK_TFTP
 410
 411endif # NF_CONNTRACK
 412
 413# transparent proxy support
 414config NETFILTER_TPROXY
 415        tristate "Transparent proxying support"
 416        depends on IP_NF_MANGLE
 417        depends on NETFILTER_ADVANCED
 418        help
 419          This option enables transparent proxying support, that is,
 420          support for handling non-locally bound IPv4 TCP and UDP sockets.
 421          For it to work you will have to configure certain iptables rules
 422          and use policy routing. For more information on how to set it up
 423          see Documentation/networking/tproxy.txt.
 424
 425          To compile it as a module, choose M here.  If unsure, say N.
 426
 427config NETFILTER_XTABLES
 428        tristate "Netfilter Xtables support (required for ip_tables)"
 429        default m if NETFILTER_ADVANCED=n
 430        help
 431          This is required if you intend to use any of ip_tables,
 432          ip6_tables or arp_tables.
 433
 434if NETFILTER_XTABLES
 435
 436comment "Xtables combined modules"
 437
 438config NETFILTER_XT_MARK
 439        tristate 'nfmark target and match support'
 440        default m if NETFILTER_ADVANCED=n
 441        ---help---
 442        This option adds the "MARK" target and "mark" match.
 443
 444        Netfilter mark matching allows you to match packets based on the
 445        "nfmark" value in the packet.
 446        The target allows you to create rules in the "mangle" table which alter
 447        the netfilter mark (nfmark) field associated with the packet.
 448
 449        Prior to routing, the nfmark can influence the routing method (see
 450        "Use netfilter MARK value as routing key") and can also be used by
 451        other subsystems to change their behavior.
 452
 453config NETFILTER_XT_CONNMARK
 454        tristate 'ctmark target and match support'
 455        depends on NF_CONNTRACK
 456        depends on NETFILTER_ADVANCED
 457        select NF_CONNTRACK_MARK
 458        ---help---
 459        This option adds the "CONNMARK" target and "connmark" match.
 460
 461        Netfilter allows you to store a mark value per connection (a.k.a.
 462        ctmark), similarly to the packet mark (nfmark). Using this
 463        target and match, you can set and match on this mark.
 464
 465config NETFILTER_XT_SET
 466        tristate 'set target and match support'
 467        depends on IP_SET
 468        depends on NETFILTER_ADVANCED
 469        help
 470          This option adds the "SET" target and "set" match.
 471
 472          Using this target and match, you can add/delete and match
 473          elements in the sets created by ipset(8).
 474
 475          To compile it as a module, choose M here.  If unsure, say N.
 476
 477# alphabetically ordered list of targets
 478
 479comment "Xtables targets"
 480
 481config NETFILTER_XT_TARGET_AUDIT
 482        tristate "AUDIT target support"
 483        depends on AUDIT
 484        depends on NETFILTER_ADVANCED
 485        ---help---
 486          This option adds an 'AUDIT' target, which can be used to create
 487          audit records for packets dropped/accepted.
 488
 489          To compile it as a module, choose M here. If unsure, say N.
 490
 491config NETFILTER_XT_TARGET_CHECKSUM
 492        tristate "CHECKSUM target support"
 493        depends on IP_NF_MANGLE || IP6_NF_MANGLE
 494        depends on NETFILTER_ADVANCED
 495        ---help---
 496          This option adds a `CHECKSUM' target, which can be used in the iptables mangle
 497          table.
 498
 499          You can use this target to compute and fill in the checksum in
 500          a packet that lacks a checksum.  This is particularly useful,
 501          if you need to work around old applications such as dhcp clients,
 502          that do not work well with checksum offloads, but don't want to disable
 503          checksum offload in your device.
 504
 505          To compile it as a module, choose M here.  If unsure, say N.
 506
 507config NETFILTER_XT_TARGET_CLASSIFY
 508        tristate '"CLASSIFY" target support'
 509        depends on NETFILTER_ADVANCED
 510        help
 511          This option adds a `CLASSIFY' target, which enables the user to set
 512          the priority of a packet. Some qdiscs can use this value for
 513          classification, among these are:
 514
 515          atm, cbq, dsmark, pfifo_fast, htb, prio
 516
 517          To compile it as a module, choose M here.  If unsure, say N.
 518
 519config NETFILTER_XT_TARGET_CONNMARK
 520        tristate  '"CONNMARK" target support'
 521        depends on NF_CONNTRACK
 522        depends on NETFILTER_ADVANCED
 523        select NETFILTER_XT_CONNMARK
 524        ---help---
 525        This is a backwards-compat option for the user's convenience
 526        (e.g. when running oldconfig). It selects
 527        CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
 528
 529config NETFILTER_XT_TARGET_CONNSECMARK
 530        tristate '"CONNSECMARK" target support'
 531        depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
 532        default m if NETFILTER_ADVANCED=n
 533        help
 534          The CONNSECMARK target copies security markings from packets
 535          to connections, and restores security markings from connections
 536          to packets (if the packets are not already marked).  This would
 537          normally be used in conjunction with the SECMARK target.
 538
 539          To compile it as a module, choose M here.  If unsure, say N.
 540
 541config NETFILTER_XT_TARGET_CT
 542        tristate '"CT" target support'
 543        depends on NF_CONNTRACK
 544        depends on IP_NF_RAW || IP6_NF_RAW
 545        depends on NETFILTER_ADVANCED
 546        help
 547          This option adds a `CT' target, which allows you to specify initial
 548          connection tracking parameters like events to be delivered and
 549          the helper to be used.
 550
 551          To compile it as a module, choose M here.  If unsure, say N.
 552
 553config NETFILTER_XT_TARGET_DSCP
 554        tristate '"DSCP" and "TOS" target support'
 555        depends on IP_NF_MANGLE || IP6_NF_MANGLE
 556        depends on NETFILTER_ADVANCED
 557        help
 558          This option adds a `DSCP' target, which allows you to manipulate
 559          the IPv4/IPv6 header DSCP field (differentiated services codepoint).
 560
 561          The DSCP field can have any value between 0x0 and 0x3f inclusive.
 562
 563          It also adds the "TOS" target, which allows you to create rules in
 564          the "mangle" table which alter the Type Of Service field of an IPv4
 565          or the Priority field of an IPv6 packet, prior to routing.
 566
 567          To compile it as a module, choose M here.  If unsure, say N.
 568
 569config NETFILTER_XT_TARGET_HL
 570        tristate '"HL" hoplimit target support'
 571        depends on IP_NF_MANGLE || IP6_NF_MANGLE
 572        depends on NETFILTER_ADVANCED
 573        ---help---
 574        This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
 575        targets, which enable the user to change the
 576        hoplimit/time-to-live value of the IP header.
 577
 578        While it is safe to decrement the hoplimit/TTL value, the
 579        modules also allow you to increment and set the hoplimit value of
 580        the header to arbitrary values. This is EXTREMELY DANGEROUS
 581        since you can easily create immortal packets that loop
 582        forever on the network.
 583
 584config NETFILTER_XT_TARGET_HMARK
 585        tristate '"HMARK" target support'
 586        depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
 587        depends on NETFILTER_ADVANCED
 588        ---help---
 589        This option adds the "HMARK" target.
 590
 591        The target allows you to create rules in the "raw" and "mangle" tables
 592        which set the skbuff mark by means of hash calculation within a given
 593        range. The nfmark can influence the routing method (see "Use netfilter
 594        MARK value as routing key") and can also be used by other subsystems to
 595        change their behaviour.
 596
 597        To compile it as a module, choose M here. If unsure, say N.
 598
 599config NETFILTER_XT_TARGET_IDLETIMER
 600        tristate  "IDLETIMER target support"
 601        depends on NETFILTER_ADVANCED
 602        help
 603
 604          This option adds the `IDLETIMER' target.  Each matching packet
 605          resets the timer associated with the label specified when the rule is
 606          added.  When the timer expires, it triggers a sysfs notification.
 607          The remaining time for expiration can be read via sysfs.
 608
 609          To compile it as a module, choose M here.  If unsure, say N.
 610
 611config NETFILTER_XT_TARGET_LED
 612        tristate '"LED" target support'
 613        depends on LEDS_CLASS && LEDS_TRIGGERS
 614        depends on NETFILTER_ADVANCED
 615        help
 616          This option adds a `LED' target, which allows you to blink LEDs in
 617          response to particular packets passing through your machine.
 618
 619          This can be used to turn a spare LED into a network activity LED,
 620          which only flashes in response to FTP transfers, for example.  Or
 621          you could have an LED which lights up for a minute or two every time
 622          somebody connects to your machine via SSH.
 623
 624          You will need support for the "led" class to make this work.
 625
 626          To create an LED trigger for incoming SSH traffic:
 627            iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
 628
 629          Then attach the new trigger to an LED on your system:
 630            echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
 631
 632          For more information on the LEDs available on your system, see
 633          Documentation/leds/leds-class.txt
 634
 635config NETFILTER_XT_TARGET_LOG
 636        tristate "LOG target support"
 637        default m if NETFILTER_ADVANCED=n
 638        help
 639          This option adds a `LOG' target, which allows you to create rules in
 640          any iptables table which records the packet header to the syslog.
 641
 642          To compile it as a module, choose M here.  If unsure, say N.
 643
 644config NETFILTER_XT_TARGET_MARK
 645        tristate '"MARK" target support'
 646        depends on NETFILTER_ADVANCED
 647        select NETFILTER_XT_MARK
 648        ---help---
 649        This is a backwards-compat option for the user's convenience
 650        (e.g. when running oldconfig). It selects
 651        CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
 652
 653config NETFILTER_XT_TARGET_NETMAP
 654        tristate '"NETMAP" target support'
 655        depends on NF_NAT
 656        ---help---
 657        NETMAP is an implementation of static 1:1 NAT mapping of network
 658        addresses. It maps the network address part, while keeping the host
 659        address part intact.
 660
 661        To compile it as a module, choose M here. If unsure, say N.
 662
 663config NETFILTER_XT_TARGET_NFLOG
 664        tristate '"NFLOG" target support'
 665        default m if NETFILTER_ADVANCED=n
 666        select NETFILTER_NETLINK_LOG
 667        help
 668          This option enables the NFLOG target, which allows to LOG
 669          messages through nfnetlink_log.
 670
 671          To compile it as a module, choose M here.  If unsure, say N.
 672
 673config NETFILTER_XT_TARGET_NFQUEUE
 674        tristate '"NFQUEUE" target Support'
 675        depends on NETFILTER_ADVANCED
 676        select NETFILTER_NETLINK_QUEUE
 677        help
 678          This target replaced the old obsolete QUEUE target.
 679
 680          As opposed to QUEUE, it supports 65535 different queues,
 681          not just one.
 682
 683          To compile it as a module, choose M here.  If unsure, say N.
 684
 685config NETFILTER_XT_TARGET_NOTRACK
 686        tristate  '"NOTRACK" target support (DEPRECATED)'
 687        depends on NF_CONNTRACK
 688        depends on IP_NF_RAW || IP6_NF_RAW
 689        depends on NETFILTER_ADVANCED
 690        select NETFILTER_XT_TARGET_CT
 691
 692config NETFILTER_XT_TARGET_RATEEST
 693        tristate '"RATEEST" target support'
 694        depends on NETFILTER_ADVANCED
 695        help
 696          This option adds a `RATEEST' target, which allows to measure
 697          rates similar to TC estimators. The `rateest' match can be
 698          used to match on the measured rates.
 699
 700          To compile it as a module, choose M here.  If unsure, say N.
 701
 702config NETFILTER_XT_TARGET_REDIRECT
 703        tristate "REDIRECT target support"
 704        depends on NF_NAT
 705        ---help---
 706        REDIRECT is a special case of NAT: all incoming connections are
 707        mapped onto the incoming interface's address, causing the packets to
 708        come to the local machine instead of passing through. This is
 709        useful for transparent proxies.
 710
 711        To compile it as a module, choose M here. If unsure, say N.
 712
 713config NETFILTER_XT_TARGET_TEE
 714        tristate '"TEE" - packet cloning to alternate destination'
 715        depends on NETFILTER_ADVANCED
 716        depends on (IPV6 || IPV6=n)
 717        depends on !NF_CONNTRACK || NF_CONNTRACK
 718        ---help---
 719        This option adds a "TEE" target with which a packet can be cloned and
 720        this clone be rerouted to another nexthop.
 721
 722config NETFILTER_XT_TARGET_TPROXY
 723        tristate '"TPROXY" target support'
 724        depends on NETFILTER_TPROXY
 725        depends on NETFILTER_XTABLES
 726        depends on NETFILTER_ADVANCED
 727        select NF_DEFRAG_IPV4
 728        select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
 729        help
 730          This option adds a `TPROXY' target, which is somewhat similar to
 731          REDIRECT.  It can only be used in the mangle table and is useful
 732          to redirect traffic to a transparent proxy.  It does _not_ depend
 733          on Netfilter connection tracking and NAT, unlike REDIRECT.
 734
 735          To compile it as a module, choose M here.  If unsure, say N.
 736
 737config NETFILTER_XT_TARGET_TRACE
 738        tristate  '"TRACE" target support'
 739        depends on IP_NF_RAW || IP6_NF_RAW
 740        depends on NETFILTER_ADVANCED
 741        help
 742          The TRACE target allows you to mark packets so that the kernel
 743          will log every rule which matches the packets as they traverse
 744          the tables, chains, rules.
 745
 746          If you want to compile it as a module, say M here and read
 747          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 748
 749config NETFILTER_XT_TARGET_SECMARK
 750        tristate '"SECMARK" target support'
 751        depends on NETWORK_SECMARK
 752        default m if NETFILTER_ADVANCED=n
 753        help
 754          The SECMARK target allows security marking of network
 755          packets, for use with security subsystems.
 756
 757          To compile it as a module, choose M here.  If unsure, say N.
 758
 759config NETFILTER_XT_TARGET_TCPMSS
 760        tristate '"TCPMSS" target support'
 761        depends on (IPV6 || IPV6=n)
 762        default m if NETFILTER_ADVANCED=n
 763        ---help---
 764          This option adds a `TCPMSS' target, which allows you to alter the
 765          MSS value of TCP SYN packets, to control the maximum size for that
 766          connection (usually limiting it to your outgoing interface's MTU
 767          minus 40).
 768
 769          This is used to overcome criminally braindead ISPs or servers which
 770          block ICMP Fragmentation Needed packets.  The symptoms of this
 771          problem are that everything works fine from your Linux
 772          firewall/router, but machines behind it can never exchange large
 773          packets:
 774                1) Web browsers connect, then hang with no data received.
 775                2) Small mail works fine, but large emails hang.
 776                3) ssh works fine, but scp hangs after initial handshaking.
 777
 778          Workaround: activate this option and add a rule to your firewall
 779          configuration like:
 780
 781          iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
 782                         -j TCPMSS --clamp-mss-to-pmtu
 783
 784          To compile it as a module, choose M here.  If unsure, say N.
 785
 786config NETFILTER_XT_TARGET_TCPOPTSTRIP
 787        tristate '"TCPOPTSTRIP" target support'
 788        depends on IP_NF_MANGLE || IP6_NF_MANGLE
 789        depends on NETFILTER_ADVANCED
 790        help
 791          This option adds a "TCPOPTSTRIP" target, which allows you to strip
 792          TCP options from TCP packets.
 793
 794# alphabetically ordered list of matches
 795
 796comment "Xtables matches"
 797
 798config NETFILTER_XT_MATCH_ADDRTYPE
 799        tristate '"addrtype" address type match support'
 800        depends on NETFILTER_ADVANCED
 801        ---help---
 802          This option allows you to match what routing thinks of an address,
 803          eg. UNICAST, LOCAL, BROADCAST, ...
 804
 805          If you want to compile it as a module, say M here and read
 806          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 807
 808config NETFILTER_XT_MATCH_BPF
 809        tristate '"bpf" match support'
 810        depends on NETFILTER_ADVANCED
 811        help
 812          BPF matching applies a linux socket filter to each packet and
 813          accepts those for which the filter returns non-zero.
 814
 815          To compile it as a module, choose M here.  If unsure, say N.
 816
 817config NETFILTER_XT_MATCH_CLUSTER
 818        tristate '"cluster" match support'
 819        depends on NF_CONNTRACK
 820        depends on NETFILTER_ADVANCED
 821        ---help---
 822          This option allows you to build work-load-sharing clusters of
 823          network servers/stateful firewalls without having a dedicated
 824          load-balancing router/server/switch. Basically, this match returns
 825          true when the packet must be handled by this cluster node. Thus,
 826          all nodes see all packets and this match decides which node handles
 827          what packets. The work-load sharing algorithm is based on source
 828          address hashing.
 829
 830          If you say Y or M here, try `iptables -m cluster --help` for
 831          more information.
 832
 833config NETFILTER_XT_MATCH_COMMENT
 834        tristate  '"comment" match support'
 835        depends on NETFILTER_ADVANCED
 836        help
 837          This option adds a `comment' dummy-match, which allows you to put
 838          comments in your iptables ruleset.
 839
 840          If you want to compile it as a module, say M here and read
 841          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 842
 843config NETFILTER_XT_MATCH_CONNBYTES
 844        tristate  '"connbytes" per-connection counter match support'
 845        depends on NF_CONNTRACK
 846        depends on NETFILTER_ADVANCED
 847        help
 848          This option adds a `connbytes' match, which allows you to match the
 849          number of bytes and/or packets for each direction within a connection.
 850
 851          If you want to compile it as a module, say M here and read
 852          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 853
 854config NETFILTER_XT_MATCH_CONNLABEL
 855        tristate '"connlabel" match support'
 856        select NF_CONNTRACK_LABELS
 857        depends on NF_CONNTRACK
 858        depends on NETFILTER_ADVANCED
 859        ---help---
 860          This match allows you to test and assign userspace-defined label names
 861          to a connection.  The kernel only stores bit values - mapping
 862          names to bits is done by userspace.
 863
 864          Unlike connmark, more than 32 flag bits may be assigned to a
 865          connection simultaneously.
 866
 867config NETFILTER_XT_MATCH_CONNLIMIT
 868        tristate '"connlimit" match support'
 869        depends on NF_CONNTRACK
 870        depends on NETFILTER_ADVANCED
 871        ---help---
 872          This match allows you to match against the number of parallel
 873          connections to a server per client IP address (or address block).
 874
 875config NETFILTER_XT_MATCH_CONNMARK
 876        tristate  '"connmark" connection mark match support'
 877        depends on NF_CONNTRACK
 878        depends on NETFILTER_ADVANCED
 879        select NETFILTER_XT_CONNMARK
 880        ---help---
 881        This is a backwards-compat option for the user's convenience
 882        (e.g. when running oldconfig). It selects
 883        CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
 884
 885config NETFILTER_XT_MATCH_CONNTRACK
 886        tristate '"conntrack" connection tracking match support'
 887        depends on NF_CONNTRACK
 888        default m if NETFILTER_ADVANCED=n
 889        help
 890          This is a general conntrack match module, a superset of the state match.
 891
 892          It allows matching on additional conntrack information, which is
 893          useful in complex configurations, such as NAT gateways with multiple
 894          internet links or tunnels.
 895
 896          To compile it as a module, choose M here.  If unsure, say N.
 897
 898config NETFILTER_XT_MATCH_CPU
 899        tristate '"cpu" match support'
 900        depends on NETFILTER_ADVANCED
 901        help
 902          CPU matching allows you to match packets based on the CPU
 903          currently handling the packet.
 904
 905          To compile it as a module, choose M here.  If unsure, say N.
 906
 907config NETFILTER_XT_MATCH_DCCP
 908        tristate '"dccp" protocol match support'
 909        depends on NETFILTER_ADVANCED
 910        default IP_DCCP
 911        help
 912          With this option enabled, you will be able to use the iptables
 913          `dccp' match in order to match on DCCP source/destination ports
 914          and DCCP flags.
 915
 916          If you want to compile it as a module, say M here and read
 917          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 918
 919config NETFILTER_XT_MATCH_DEVGROUP
 920        tristate '"devgroup" match support'
 921        depends on NETFILTER_ADVANCED
 922        help
 923          This option adds a `devgroup' match, which allows you to match on the
 924          device group a network device is assigned to.
 925
 926          To compile it as a module, choose M here.  If unsure, say N.
 927
 928config NETFILTER_XT_MATCH_DSCP
 929        tristate '"dscp" and "tos" match support'
 930        depends on NETFILTER_ADVANCED
 931        help
 932          This option adds a `DSCP' match, which allows you to match against
 933          the IPv4/IPv6 header DSCP field (differentiated services codepoint).
 934
 935          The DSCP field can have any value between 0x0 and 0x3f inclusive.
 936
 937          It will also add a "tos" match, which allows you to match packets
 938          based on the Type Of Service fields of the IPv4 packet (which share
 939          the same bits as DSCP).
 940
 941          To compile it as a module, choose M here.  If unsure, say N.
 942
 943config NETFILTER_XT_MATCH_ECN
 944        tristate '"ecn" match support'
 945        depends on NETFILTER_ADVANCED
 946        ---help---
 947        This option adds an "ECN" match, which allows you to match against
 948        the IPv4 and TCP header ECN fields.
 949
 950        To compile it as a module, choose M here. If unsure, say N.
 951
 952config NETFILTER_XT_MATCH_ESP
 953        tristate '"esp" match support'
 954        depends on NETFILTER_ADVANCED
 955        help
 956          This match extension allows you to match a range of SPIs
 957          inside ESP header of IPSec packets.
 958
 959          To compile it as a module, choose M here.  If unsure, say N.
 960
 961config NETFILTER_XT_MATCH_HASHLIMIT
 962        tristate '"hashlimit" match support'
 963        depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
 964        depends on NETFILTER_ADVANCED
 965        help
 966          This option adds a `hashlimit' match.
 967
 968          As opposed to `limit', this match dynamically creates a hash table
 969          of limit buckets, based on your selection of source/destination
 970          addresses and/or ports.
 971
 972          It enables you to express policies like `10kpps for any given
 973          destination address' or `500pps from any given source address'
 974          with a single rule.
 975
 976config NETFILTER_XT_MATCH_HELPER
 977        tristate '"helper" match support'
 978        depends on NF_CONNTRACK
 979        depends on NETFILTER_ADVANCED
 980        help
 981          Helper matching allows you to match packets in dynamic connections
 982          tracked by a conntrack-helper, e.g. ip_conntrack_ftp.
 983
 984          To compile it as a module, choose M here.  If unsure, say Y.
 985
 986config NETFILTER_XT_MATCH_HL
 987        tristate '"hl" hoplimit/TTL match support'
 988        depends on NETFILTER_ADVANCED
 989        ---help---
 990        HL matching allows you to match packets based on the hoplimit
 991        in the IPv6 header, or the time-to-live field in the IPv4
 992        header of the packet.
 993
 994config NETFILTER_XT_MATCH_IPRANGE
 995        tristate '"iprange" address range match support'
 996        depends on NETFILTER_ADVANCED
 997        ---help---
 998        This option adds an "iprange" match, which allows you to match based on
 999        an IP address range. (Normal iptables only matches on single addresses
1000        with an optional mask.)
1001
1002        If unsure, say M.
1003
1004config NETFILTER_XT_MATCH_IPVS
1005        tristate '"ipvs" match support'
1006        depends on IP_VS
1007        depends on NETFILTER_ADVANCED
1008        depends on NF_CONNTRACK
1009        help
1010          This option allows you to match against IPVS properties of a packet.
1011
1012          If unsure, say N.
1013
1014config NETFILTER_XT_MATCH_LENGTH
1015        tristate '"length" match support'
1016        depends on NETFILTER_ADVANCED
1017        help
1018          This option allows you to match the length of a packet against a
1019          specific value or range of values.
1020
1021          To compile it as a module, choose M here.  If unsure, say N.
1022
1023config NETFILTER_XT_MATCH_LIMIT
1024        tristate '"limit" match support'
1025        depends on NETFILTER_ADVANCED
1026        help
1027          limit matching allows you to control the rate at which a rule can be
1028          matched: mainly useful in combination with the LOG target ("LOG
1029          target support", below) and to avoid some Denial of Service attacks.
1030
1031          To compile it as a module, choose M here.  If unsure, say N.
1032
1033config NETFILTER_XT_MATCH_MAC
1034        tristate '"mac" address match support'
1035        depends on NETFILTER_ADVANCED
1036        help
1037          MAC matching allows you to match packets based on the source
1038          Ethernet address of the packet.
1039
1040          To compile it as a module, choose M here.  If unsure, say N.
1041
1042config NETFILTER_XT_MATCH_MARK
1043        tristate '"mark" match support'
1044        depends on NETFILTER_ADVANCED
1045        select NETFILTER_XT_MARK
1046        ---help---
1047        This is a backwards-compat option for the user's convenience
1048        (e.g. when running oldconfig). It selects
1049        CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
1050
1051config NETFILTER_XT_MATCH_MULTIPORT
1052        tristate '"multiport" Multiple port match support'
1053        depends on NETFILTER_ADVANCED
1054        help
1055          Multiport matching allows you to match TCP or UDP packets based on
1056          a series of source or destination ports: normally a rule can only
1057          match a single range of ports.
1058
1059          To compile it as a module, choose M here.  If unsure, say N.
1060
1061config NETFILTER_XT_MATCH_NFACCT
1062        tristate '"nfacct" match support'
1063        depends on NETFILTER_ADVANCED
1064        select NETFILTER_NETLINK_ACCT
1065        help
1066          This option allows you to use the extended accounting through
1067          nfnetlink_acct.
1068
1069          To compile it as a module, choose M here.  If unsure, say N.
1070
1071config NETFILTER_XT_MATCH_OSF
1072        tristate '"osf" Passive OS fingerprint match'
1073        depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
1074        help
1075          This option selects the Passive OS Fingerprinting match module
1076          that allows you to passively match the remote operating system by
1077          analyzing incoming TCP SYN packets.
1078
1079          Rules and loading software can be downloaded from
1080          http://www.ioremap.net/projects/osf
1081
1082          To compile it as a module, choose M here.  If unsure, say N.
1083
1084config NETFILTER_XT_MATCH_OWNER
1085        tristate '"owner" match support'
1086        depends on NETFILTER_ADVANCED
1087        ---help---
1088        Socket owner matching allows you to match locally-generated packets
1089        based on who created the socket: the user or group. It is also
1090        possible to check whether a socket actually exists.
1091
1092config NETFILTER_XT_MATCH_POLICY
1093        tristate 'IPsec "policy" match support'
1094        depends on XFRM
1095        default m if NETFILTER_ADVANCED=n
1096        help
1097          Policy matching allows you to match packets based on the
1098          IPsec policy that was used during decapsulation/will
1099          be used during encapsulation.
1100
1101          To compile it as a module, choose M here.  If unsure, say N.
1102
1103config NETFILTER_XT_MATCH_PHYSDEV
1104        tristate '"physdev" match support'
1105        depends on BRIDGE && BRIDGE_NETFILTER
1106        depends on NETFILTER_ADVANCED
1107        help
1108          Physdev packet matching matches against the physical bridge ports
1109          the IP packet arrived on or will leave by.
1110
1111          To compile it as a module, choose M here.  If unsure, say N.
1112
1113config NETFILTER_XT_MATCH_PKTTYPE
1114        tristate '"pkttype" packet type match support'
1115        depends on NETFILTER_ADVANCED
1116        help
1117          Packet type matching allows you to match a packet by
1118          its "class", eg. BROADCAST, MULTICAST, ...
1119
1120          Typical usage:
1121          iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
1122
1123          To compile it as a module, choose M here.  If unsure, say N.
1124
1125config NETFILTER_XT_MATCH_QUOTA
1126        tristate '"quota" match support'
1127        depends on NETFILTER_ADVANCED
1128        help
1129          This option adds a `quota' match, which allows you to match on a
1130          byte counter.
1131
1132          If you want to compile it as a module, say M here and read
1133          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1134
1135config NETFILTER_XT_MATCH_RATEEST
1136        tristate '"rateest" match support'
1137        depends on NETFILTER_ADVANCED
1138        select NETFILTER_XT_TARGET_RATEEST
1139        help
1140          This option adds a `rateest' match, which allows you to match on the
1141          rate estimated by the RATEEST target.
1142
1143          To compile it as a module, choose M here.  If unsure, say N.
1144
1145config NETFILTER_XT_MATCH_REALM
1146        tristate  '"realm" match support'
1147        depends on NETFILTER_ADVANCED
1148        select IP_ROUTE_CLASSID
1149        help
1150          This option adds a `realm' match, which allows you to use the realm
1151          key from the routing subsystem inside iptables.
1152
1153          This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option 
1154          in tc world.
1155
1156          If you want to compile it as a module, say M here and read
1157          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1158
1159config NETFILTER_XT_MATCH_RECENT
1160        tristate '"recent" match support'
1161        depends on NETFILTER_ADVANCED
1162        ---help---
1163        This match is used for creating one or many lists of recently
1164        used addresses and then matching against that/those list(s).
1165
1166        Short options are available by using 'iptables -m recent -h'
1167        Official Website: <http://snowman.net/projects/ipt_recent/>
1168
1169config NETFILTER_XT_MATCH_SCTP
1170        tristate  '"sctp" protocol match support'
1171        depends on NETFILTER_ADVANCED
1172        default IP_SCTP
1173        help
1174          With this option enabled, you will be able to use the 
1175          `sctp' match in order to match on SCTP source/destination ports
1176          and SCTP chunk types.
1177
1178          If you want to compile it as a module, say M here and read
1179          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1180
1181config NETFILTER_XT_MATCH_SOCKET
1182        tristate '"socket" match support'
1183        depends on NETFILTER_TPROXY
1184        depends on NETFILTER_XTABLES
1185        depends on NETFILTER_ADVANCED
1186        depends on !NF_CONNTRACK || NF_CONNTRACK
1187        select NF_DEFRAG_IPV4
1188        select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
1189        help
1190          This option adds a `socket' match, which can be used to match
1191          packets for which a TCP or UDP socket lookup finds a valid socket.
1192          It can be used in combination with the MARK target and policy
1193          routing to implement full featured non-locally bound sockets.
1194
1195          To compile it as a module, choose M here.  If unsure, say N.
1196
1197config NETFILTER_XT_MATCH_STATE
1198        tristate '"state" match support'
1199        depends on NF_CONNTRACK
1200        default m if NETFILTER_ADVANCED=n
1201        help
1202          Connection state matching allows you to match packets based on their
1203          relationship to a tracked connection (ie. previous packets).  This
1204          is a powerful tool for packet classification.
1205
1206          To compile it as a module, choose M here.  If unsure, say N.
1207
1208config NETFILTER_XT_MATCH_STATISTIC
1209        tristate '"statistic" match support'
1210        depends on NETFILTER_ADVANCED
1211        help
1212          This option adds a `statistic' match, which allows you to match
1213          on packets periodically or randomly with a given percentage.
1214
1215          To compile it as a module, choose M here.  If unsure, say N.
1216
1217config NETFILTER_XT_MATCH_STRING
1218        tristate  '"string" match support'
1219        depends on NETFILTER_ADVANCED
1220        select TEXTSEARCH
1221        select TEXTSEARCH_KMP
1222        select TEXTSEARCH_BM
1223        select TEXTSEARCH_FSM
1224        help
1225          This option adds a `string' match, which allows you to look for
1226          pattern matches in packets.
1227
1228          To compile it as a module, choose M here.  If unsure, say N.
1229
1230config NETFILTER_XT_MATCH_TCPMSS
1231        tristate '"tcpmss" match support'
1232        depends on NETFILTER_ADVANCED
1233        help
1234          This option adds a `tcpmss' match, which allows you to examine the
1235          MSS value of TCP SYN packets, which controls the maximum packet size
1236          for that connection.
1237
1238          To compile it as a module, choose M here.  If unsure, say N.
1239
1240config NETFILTER_XT_MATCH_TIME
1241        tristate '"time" match support'
1242        depends on NETFILTER_ADVANCED
1243        ---help---
1244          This option adds a "time" match, which allows you to match based on
1245          the packet arrival time (at the machine which netfilter is running
1246          on) or departure time/date (for locally generated packets).
1247
1248          If you say Y here, try `iptables -m time --help` for
1249          more information.
1250
1251          If you want to compile it as a module, say M here.
1252          If unsure, say N.
1253
1254config NETFILTER_XT_MATCH_U32
1255        tristate '"u32" match support'
1256        depends on NETFILTER_ADVANCED
1257        ---help---
1258          u32 allows you to extract quantities of up to 4 bytes from a packet,
1259          AND them with specified masks, shift them by specified amounts and
1260          test whether the results are in any of a set of specified ranges.
1261          The specification of what to extract is general enough to skip over
1262          headers with lengths stored in the packet, as in IP or TCP header
1263          lengths.
1264
1265          Details and examples are in the kernel module source.
1266
1267endif # NETFILTER_XTABLES
1268
1269endmenu
1270
1271source "net/netfilter/ipset/Kconfig"
1272
1273source "net/netfilter/ipvs/Kconfig"
1274