linux/net/netfilter/Kconfig
menu "Core Netfilter Configuration"
        depends on NET && INET && NETFILTER

config NETFILTER_NETLINK
        tristate

config NETFILTER_NETLINK_ACCT
        tristate "Netfilter NFACCT over NFNETLINK interface"
        depends on NETFILTER_ADVANCED
        select NETFILTER_NETLINK
        help
          If this option is enabled, the kernel will include support
          for extended accounting via NFNETLINK.

config NETFILTER_NETLINK_QUEUE
        tristate "Netfilter NFQUEUE over NFNETLINK interface"
        depends on NETFILTER_ADVANCED
        select NETFILTER_NETLINK
        help
          If this option is enabled, the kernel will include support
          for queueing packets via NFNETLINK.

config NETFILTER_NETLINK_LOG
        tristate "Netfilter LOG over NFNETLINK interface"
        default m if NETFILTER_ADVANCED=n
        select NETFILTER_NETLINK
        help
          If this option is enabled, the kernel will include support
          for logging packets via NFNETLINK.

          This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
          and is also scheduled to replace the old syslog-based ipt_LOG
          and ip6t_LOG modules.

config NF_CONNTRACK
        tristate "Netfilter connection tracking support"
        default m if NETFILTER_ADVANCED=n
        help
          Connection tracking keeps a record of what packets have passed
          through your machine, in order to figure out how they are related
          into connections.

          This is required to do Masquerading or other kinds of Network
          Address Translation.  It can also be used to enhance packet
          filtering (see `Connection state match support' below).

          To compile it as a module, choose M here.  If unsure, say N.

if NF_CONNTRACK

config NF_CONNTRACK_MARK
        bool  'Connection mark tracking support'
        depends on NETFILTER_ADVANCED
        help
          This option enables support for connection marks, used by the
          `CONNMARK' target and `connmark' match. Similar to the mark value
          of packets, but this mark value is kept in the conntrack session
          instead of the individual packets.

config NF_CONNTRACK_SECMARK
        bool  'Connection tracking security mark support'
        depends on NETWORK_SECMARK
        default m if NETFILTER_ADVANCED=n
        help
          This option enables security markings to be applied to
          connections.  Typically they are copied to connections from
          packets using the CONNSECMARK target and copied back from
          connections to packets with the same target, with the packets
          being originally labeled via SECMARK.

          If unsure, say 'N'.

config NF_CONNTRACK_ZONES
        bool  'Connection tracking zones'
        depends on NETFILTER_ADVANCED
        depends on NETFILTER_XT_TARGET_CT
        help
          This option enables support for connection tracking zones.
          Normally, each connection needs to have a unique system wide
          identity. Connection tracking zones allow multiple connections
          to use the same identity, as long as they are contained in
          different zones.

          If unsure, say `N'.

config NF_CONNTRACK_PROCFS
        bool "Supply CT list in procfs (OBSOLETE)"
        default y
        depends on PROC_FS
        ---help---
        This option enables the list of known conntrack entries to be
        shown in procfs under net/netfilter/nf_conntrack. This is
        considered obsolete in favor of using the conntrack(8) tool,
        which uses Netlink.

config NF_CONNTRACK_EVENTS
        bool "Connection tracking events"
        depends on NETFILTER_ADVANCED
        help
          If this option is enabled, the connection tracking code will
          provide a notifier chain that can be used by other kernel code
          to get notified about changes in the connection tracking state.

          If unsure, say `N'.

config NF_CONNTRACK_TIMEOUT
        bool  'Connection tracking timeout'
        depends on NETFILTER_ADVANCED
        help
          This option enables support for the connection tracking timeout
          extension. This allows you to attach timeout policies to flows
          via the CT target.

          If unsure, say `N'.

config NF_CONNTRACK_TIMESTAMP
        bool  'Connection tracking timestamping'
        depends on NETFILTER_ADVANCED
        help
          This option enables support for connection tracking timestamping.
          This allows you to store the flow start-time and to obtain
          the flow-stop time (once it has been destroyed) via Connection
          tracking events.

          If unsure, say `N'.

config NF_CT_PROTO_DCCP
        tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)'
        depends on EXPERIMENTAL
        depends on NETFILTER_ADVANCED
        default IP_DCCP
        help
          With this option enabled, the layer 3 independent connection
          tracking code will be able to do state tracking on DCCP connections.

          If unsure, say 'N'.

config NF_CT_PROTO_GRE
        tristate

config NF_CT_PROTO_SCTP
        tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
        depends on EXPERIMENTAL
        depends on NETFILTER_ADVANCED
        default IP_SCTP
        help
          With this option enabled, the layer 3 independent connection
          tracking code will be able to do state tracking on SCTP connections.

          If you want to compile it as a module, say M here and read
          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NF_CT_PROTO_UDPLITE
        tristate 'UDP-Lite protocol connection tracking support'
        depends on NETFILTER_ADVANCED
        help
          With this option enabled, the layer 3 independent connection
          tracking code will be able to do state tracking on UDP-Lite
          connections.

          To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_AMANDA
        tristate "Amanda backup protocol support"
        depends on NETFILTER_ADVANCED
        select TEXTSEARCH
        select TEXTSEARCH_KMP
        help
          If you are running the Amanda backup package <http://www.amanda.org/>
          on this machine or machines that will be MASQUERADED through this
          machine, then you may want to enable this feature.  This allows the
          connection tracking and natting code to allow the sub-channels that
          Amanda requires for communication of the backup data, messages and
          index.

          To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_FTP
        tristate "FTP protocol support"
        default m if NETFILTER_ADVANCED=n
        help
          Tracking FTP connections is problematic: special helpers are
          required for tracking them, and doing masquerading and other forms
          of Network Address Translation on them.

          This is FTP support on Layer 3 independent connection tracking.
          Layer 3 independent connection tracking is an experimental scheme
          which generalizes ip_conntrack to support other layer 3 protocols.

          To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_H323
        tristate "H.323 protocol support"
        depends on (IPV6 || IPV6=n)
        depends on NETFILTER_ADVANCED
        help
          H.323 is a VoIP signalling protocol from ITU-T. As one of the most
          important VoIP protocols, it is widely used by voice hardware and
          software including voice gateways, IP phones, Netmeeting, OpenPhone,
          Gnomemeeting, etc.

          With this module you can support H.323 on a connection tracking/NAT
          firewall.

          This module supports RAS, Fast Start, H.245 Tunnelling, Call
          Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
          whiteboard, file transfer, etc. For more information, please
          visit http://nath323.sourceforge.net/.

          To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_IRC
        tristate "IRC protocol support"
        default m if NETFILTER_ADVANCED=n
        help
          There is a commonly-used extension to IRC called
          Direct Client-to-Client Protocol (DCC).  This enables users to send
          files to each other, and also chat to each other without the need
          of a server.  DCC Sending is used anywhere you send files over IRC,
          and DCC Chat is most commonly used by Eggdrop bots.  If you are
          using NAT, this extension will enable you to send files and initiate
          chats.  Note that you do NOT need this extension to get files or
          have others initiate chats, or everything else in IRC.

          To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_BROADCAST
        tristate

config NF_CONNTRACK_NETBIOS_NS
        tristate "NetBIOS name service protocol support"
        select NF_CONNTRACK_BROADCAST
        help
          NetBIOS name service requests are sent as broadcast messages from an
          unprivileged port and responded to with unicast messages to the
          same port. This makes them hard to firewall properly because connection
          tracking doesn't deal with broadcasts. This helper tracks locally
          originating NetBIOS name service requests and the corresponding
          responses. It relies on correct IP address configuration, specifically
          netmask and broadcast address. When properly configured, the output
          of "ip address show" should look similar to this:

          $ ip -4 address show eth0
          4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
              inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0

          To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_SNMP
        tristate "SNMP service protocol support"
        depends on NETFILTER_ADVANCED
        select NF_CONNTRACK_BROADCAST
        help
          SNMP service requests are sent as broadcast messages from an
          unprivileged port and responded to with unicast messages to the
          same port. This makes them hard to firewall properly because connection
          tracking doesn't deal with broadcasts. This helper tracks locally
          originating SNMP service requests and the corresponding
          responses. It relies on correct IP address configuration, specifically
          netmask and broadcast address.

          To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_PPTP
        tristate "PPtP protocol support"
        depends on NETFILTER_ADVANCED
        select NF_CT_PROTO_GRE
        help
          This module adds support for PPTP (Point to Point Tunnelling
          Protocol, RFC2637) connection tracking and NAT.

          If you are running PPTP sessions over a stateful firewall or NAT
          box, you may want to enable this feature.

          Please note that not all PPTP modes of operation are supported yet.
          Specifically these limitations exist:
            - Blindly assumes that control connections are always established
              in PNS->PAC direction. This is a violation of RFC2637.
            - Only supports a single call within each session

          To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_SANE
        tristate "SANE protocol support (EXPERIMENTAL)"
        depends on EXPERIMENTAL
        depends on NETFILTER_ADVANCED
        help
          SANE is a protocol for remote access to scanners as implemented
          by the 'saned' daemon. Like FTP, it uses separate control and
          data connections.

          With this module you can support SANE on a connection tracking
          firewall.

          To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_SIP
        tristate "SIP protocol support"
        default m if NETFILTER_ADVANCED=n
        help
          SIP is an application-layer control protocol that can establish,
          modify, and terminate multimedia sessions (conferences) such as
          Internet telephony calls. With the ip_conntrack_sip and
          the nf_nat_sip modules you can support the protocol on a connection
          tracking/NATing firewall.

          To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_TFTP
        tristate "TFTP protocol support"
        depends on NETFILTER_ADVANCED
        help
          TFTP connection tracking helper; whether it is required depends
          on how restrictive your ruleset is.
          If you are using a tftp client behind -j SNAT or -j MASQUERADE
          you will need this.

          To compile it as a module, choose M here.  If unsure, say N.

config NF_CT_NETLINK
        tristate 'Connection tracking netlink interface'
        select NETFILTER_NETLINK
        default m if NETFILTER_ADVANCED=n
        help
          This option enables support for a netlink-based userspace interface.

config NF_CT_NETLINK_TIMEOUT
        tristate  'Connection tracking timeout tuning via Netlink'
        select NETFILTER_NETLINK
        depends on NETFILTER_ADVANCED
        help
          This option enables support for fine-grained tuning of connection
          tracking timeouts. This allows you to attach specific timeout
          policies to flows, instead of using the global timeout policy.

          If unsure, say `N'.

config NF_CT_NETLINK_HELPER
        tristate 'Connection tracking helpers in user-space via Netlink'
        select NETFILTER_NETLINK
        depends on NF_CT_NETLINK
        depends on NETFILTER_NETLINK_QUEUE
        depends on NETFILTER_NETLINK_QUEUE_CT
        depends on NETFILTER_ADVANCED
        help
          This option enables the user-space connection tracking helpers
          infrastructure.

          If unsure, say `N'.

config NETFILTER_NETLINK_QUEUE_CT
        bool "NFQUEUE integration with Connection Tracking"
        default n
        depends on NETFILTER_NETLINK_QUEUE
        help
          If this option is enabled, NFQUEUE can include Connection Tracking
          information together with the packet that is enqueued via NFNETLINK.

endif # NF_CONNTRACK
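An added example, not kernel code, that audits a kernel .config against a Kconfig fragment of the shape above: it parses `config` blocks, `depends on`, `select` and the `if NF_CONNTRACK ... endif` region, then reports enabled symbols whose dependencies are unmet, symbols forced on by `select` (as NF_CONNTRACK_PPTP pulls in GRE tracking), and which conntrack protocol helpers are compiled in. Both text fragments in the block are constructed, and a `select SYM if EXPR` is treated as unconditional.

```python
"""Audit netfilter Kconfig symbols against a kernel .config. Added example,
not kernel code: it parses config blocks, `depends on`, `select` and
if/endif regions, then reports unmet dependencies, symbols pulled in by
`select`, and enabled conntrack helpers. Both fragments are constructed."""
import re

TOKEN = re.compile(r"\(|\)|&&|\|\||!|=|\w+")
PROMPT = re.compile(r"^(?:tristate|bool)\s+(['\"])(.*)\1")
OPS = {"(": "(", ")": ")", "!": "not", "&&": "and", "||": "or"}
ORDER = {"n": 0, "m": 1, "y": 2}


def eval_expr(expr, config):
    """Evaluate a Kconfig expression (SYM, SYM=val, !, &&, ||, parentheses)."""
    if TOKEN.sub("", expr).strip():  # reject anything outside the grammar
        raise ValueError("unsupported token in %r" % expr)
    toks, py = TOKEN.findall(expr), []
    while toks:
        tok = toks.pop(0)
        if tok in OPS:
            py.append(OPS[tok])
        elif toks[:1] == ["="]:  # SYM=y, SYM=m or SYM=n
            toks.pop(0)
            py.append(repr(config.get(tok, "n") == toks.pop(0)))
        else:  # a bare symbol is satisfied by y or m
            py.append(repr(config.get(tok, "n") != "n"))
    return eval(" ".join(py), {"__builtins__": {}}, {})  # only booleans/operators left


def parse_kconfig(text):
    """Collect {symbol: {prompt, depends, selects}} from Kconfig text."""
    symbols, stack, cur, in_help = {}, [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if in_help and raw[0].isspace():
            continue  # help text may begin with "if", so never parse it
        in_help = False
        words = line.split()
        if words[0] == "if":  # every block inside the region depends on EXPR
            stack.append(line[3:])
        elif words[0] == "endif":
            stack.pop()
        elif words[0] == "config":
            cur = symbols[words[1]] = {"prompt": "", "depends": list(stack), "selects": []}
        elif cur is None:
            continue
        elif words[0] in ("help", "---help---"):
            in_help = True
        elif line.startswith("depends on "):
            cur["depends"].append(line[len("depends on "):])
        elif words[0] == "select":  # `select SYM if EXPR` is treated as unconditional
            cur["selects"].append(words[1])
        elif PROMPT.match(line):
            cur["prompt"] = PROMPT.match(line).group(2)
    return symbols


def audit(kconfig_text, dotconfig_text):
    """Return pulled-in symbols, unmet (symbol, dependency) pairs and helpers."""
    symbols = parse_kconfig(kconfig_text)
    config = dict(re.findall(r"^CONFIG_(\w+)=(y|m)$", dotconfig_text, re.M))
    pulled, changed = {}, True
    while changed:  # propagate `select` to a fixpoint, since selects chain
        changed = False
        for name, info in symbols.items():
            level = config.get(name, "n")
            for target in info["selects"]:
                if level != "n" and ORDER[config.get(target, "n")] < ORDER[level]:
                    config[target] = pulled[target] = level  # forced to at least level
                    changed = True
    on = [n for n in symbols if config.get(n, "n") != "n"]
    unmet = [(n, dep) for n in on for dep in symbols[n]["depends"]
             if not eval_expr(dep, config)]
    helpers = [n for n in on if n.startswith("NF_CONNTRACK_")
               and "protocol support" in symbols[n]["prompt"]]
    return {"pulled_in": pulled, "unmet": unmet, "helpers": helpers}


KCONFIG = """\
config NF_CONNTRACK
        tristate "Netfilter connection tracking support"
if NF_CONNTRACK
config NF_CONNTRACK_ZONES
        bool  'Connection tracking zones'
        depends on NETFILTER_XT_TARGET_CT

config NF_CONNTRACK_PPTP
        tristate "PPtP protocol support"
        depends on NETFILTER_ADVANCED
        select NF_CT_PROTO_GRE
endif # NF_CONNTRACK
"""

DOTCONFIG = """\
CONFIG_NETFILTER_ADVANCED=y
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_ZONES=y
CONFIG_NF_CONNTRACK_PPTP=m
"""

if __name__ == "__main__":
    print(audit(KCONFIG, DOTCONFIG))
```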
 360
 361# transparent proxy support
 362config NETFILTER_TPROXY
 363        tristate "Transparent proxying support (EXPERIMENTAL)"
 364        depends on EXPERIMENTAL
 365        depends on IP_NF_MANGLE
 366        depends on NETFILTER_ADVANCED
 367        help
 368          This option enables transparent proxying support, that is,
 369          support for handling non-locally bound IPv4 TCP and UDP sockets.
 370          For it to work you will have to configure certain iptables rules
 371          and use policy routing. For more information on how to set it up
 372          see Documentation/networking/tproxy.txt.
 373
 374          To compile it as a module, choose M here.  If unsure, say N.
 375
 376config NETFILTER_XTABLES
 377        tristate "Netfilter Xtables support (required for ip_tables)"
 378        default m if NETFILTER_ADVANCED=n
 379        help
 380          This is required if you intend to use any of ip_tables,
 381          ip6_tables or arp_tables.
 382
 383if NETFILTER_XTABLES
 384
 385comment "Xtables combined modules"
 386
 387config NETFILTER_XT_MARK
 388        tristate 'nfmark target and match support'
 389        default m if NETFILTER_ADVANCED=n
 390        ---help---
 391        This option adds the "MARK" target and "mark" match.
 392
 393        Netfilter mark matching allows you to match packets based on the
 394        "nfmark" value in the packet.
 395        The target allows you to create rules in the "mangle" table which alter
 396        the netfilter mark (nfmark) field associated with the packet.
 397
 398        Prior to routing, the nfmark can influence the routing method (see
 399        "Use netfilter MARK value as routing key") and can also be used by
 400        other subsystems to change their behavior.
 401
 402config NETFILTER_XT_CONNMARK
 403        tristate 'ctmark target and match support'
 404        depends on NF_CONNTRACK
 405        depends on NETFILTER_ADVANCED
 406        select NF_CONNTRACK_MARK
 407        ---help---
 408        This option adds the "CONNMARK" target and "connmark" match.
 409
 410        Netfilter allows you to store a mark value per connection (a.k.a.
 411        ctmark), similarly to the packet mark (nfmark). Using this
 412        target and match, you can set and match on this mark.
 413
 414config NETFILTER_XT_SET
 415        tristate 'set target and match support'
 416        depends on IP_SET
 417        depends on NETFILTER_ADVANCED
 418        help
 419          This option adds the "SET" target and "set" match.
 420
 421          Using this target and match, you can add/delete and match
 422          elements in the sets created by ipset(8).
 423
 424          To compile it as a module, choose M here.  If unsure, say N.
 425
 426# alphabetically ordered list of targets
 427
 428comment "Xtables targets"
 429
 430config NETFILTER_XT_TARGET_AUDIT
 431        tristate "AUDIT target support"
 432        depends on AUDIT
 433        depends on NETFILTER_ADVANCED
 434        ---help---
 435          This option adds a 'AUDIT' target, which can be used to create
 436          audit records for packets dropped/accepted.
 437
 438          To compileit as a module, choose M here. If unsure, say N.
 439
 440config NETFILTER_XT_TARGET_CHECKSUM
 441        tristate "CHECKSUM target support"
 442        depends on IP_NF_MANGLE || IP6_NF_MANGLE
 443        depends on NETFILTER_ADVANCED
 444        ---help---
 445          This option adds a `CHECKSUM' target, which can be used in the iptables mangle
 446          table.
 447
 448          You can use this target to compute and fill in the checksum in
 449          a packet that lacks a checksum.  This is particularly useful,
 450          if you need to work around old applications such as dhcp clients,
 451          that do not work well with checksum offloads, but don't want to disable
 452          checksum offload in your device.
 453
 454          To compile it as a module, choose M here.  If unsure, say N.
 455
 456config NETFILTER_XT_TARGET_CLASSIFY
 457        tristate '"CLASSIFY" target support'
 458        depends on NETFILTER_ADVANCED
 459        help
 460          This option adds a `CLASSIFY' target, which enables the user to set
 461          the priority of a packet. Some qdiscs can use this value for
 462          classification, among these are:
 463
 464          atm, cbq, dsmark, pfifo_fast, htb, prio
 465
 466          To compile it as a module, choose M here.  If unsure, say N.
 467
 468config NETFILTER_XT_TARGET_CONNMARK
 469        tristate  '"CONNMARK" target support'
 470        depends on NF_CONNTRACK
 471        depends on NETFILTER_ADVANCED
 472        select NETFILTER_XT_CONNMARK
 473        ---help---
 474        This is a backwards-compat option for the user's convenience
 475        (e.g. when running oldconfig). It selects
 476        CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
 477
 478config NETFILTER_XT_TARGET_CONNSECMARK
 479        tristate '"CONNSECMARK" target support'
 480        depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
 481        default m if NETFILTER_ADVANCED=n
 482        help
 483          The CONNSECMARK target copies security markings from packets
 484          to connections, and restores security markings from connections
 485          to packets (if the packets are not already marked).  This would
 486          normally be used in conjunction with the SECMARK target.
 487
 488          To compile it as a module, choose M here.  If unsure, say N.
 489
 490config NETFILTER_XT_TARGET_CT
 491        tristate '"CT" target support'
 492        depends on NF_CONNTRACK
 493        depends on IP_NF_RAW || IP6_NF_RAW
 494        depends on NETFILTER_ADVANCED
 495        help
 496          This options adds a `CT' target, which allows to specify initial
 497          connection tracking parameters like events to be delivered and
 498          the helper to be used.
 499
 500          To compile it as a module, choose M here.  If unsure, say N.
 501
 502config NETFILTER_XT_TARGET_DSCP
 503        tristate '"DSCP" and "TOS" target support'
 504        depends on IP_NF_MANGLE || IP6_NF_MANGLE
 505        depends on NETFILTER_ADVANCED
 506        help
 507          This option adds a `DSCP' target, which allows you to manipulate
 508          the IPv4/IPv6 header DSCP field (differentiated services codepoint).
 509
 510          The DSCP field can have any value between 0x0 and 0x3f inclusive.
 511
 512          It also adds the "TOS" target, which allows you to create rules in
 513          the "mangle" table which alter the Type Of Service field of an IPv4
 514          or the Priority field of an IPv6 packet, prior to routing.
 515
 516          To compile it as a module, choose M here.  If unsure, say N.
 517
 518config NETFILTER_XT_TARGET_HL
 519        tristate '"HL" hoplimit target support'
 520        depends on IP_NF_MANGLE || IP6_NF_MANGLE
 521        depends on NETFILTER_ADVANCED
 522        ---help---
 523        This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
 524        targets, which enable the user to change the
 525        hoplimit/time-to-live value of the IP header.
 526
 527        While it is safe to decrement the hoplimit/TTL value, the
 528        modules also allow to increment and set the hoplimit value of
 529        the header to arbitrary values. This is EXTREMELY DANGEROUS
 530        since you can easily create immortal packets that loop
 531        forever on the network.
 532
 533config NETFILTER_XT_TARGET_HMARK
 534        tristate '"HMARK" target support'
 535        depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
 536        depends on NETFILTER_ADVANCED
 537        ---help---
 538        This option adds the "HMARK" target.
 539
 540        The target allows you to create rules in the "raw" and "mangle" tables
 541        which set the skbuff mark by means of hash calculation within a given
 542        range. The nfmark can influence the routing method (see "Use netfilter
 543        MARK value as routing key") and can also be used by other subsystems to
 544        change their behaviour.
 545
 546        To compile it as a module, choose M here. If unsure, say N.
 547
 548config NETFILTER_XT_TARGET_IDLETIMER
 549        tristate  "IDLETIMER target support"
 550        depends on NETFILTER_ADVANCED
 551        help
 552
 553          This option adds the `IDLETIMER' target.  Each matching packet
 554          resets the timer associated with label specified when the rule is
 555          added.  When the timer expires, it triggers a sysfs notification.
 556          The remaining time for expiration can be read via sysfs.
 557
 558          To compile it as a module, choose M here.  If unsure, say N.
 559
 560config NETFILTER_XT_TARGET_LED
 561        tristate '"LED" target support'
 562        depends on LEDS_CLASS && LEDS_TRIGGERS
 563        depends on NETFILTER_ADVANCED
 564        help
 565          This option adds a `LED' target, which allows you to blink LEDs in
 566          response to particular packets passing through your machine.
 567
 568          This can be used to turn a spare LED into a network activity LED,
 569          which only flashes in response to FTP transfers, for example.  Or
 570          you could have an LED which lights up for a minute or two every time
 571          somebody connects to your machine via SSH.
 572
 573          You will need support for the "led" class to make this work.
 574
 575          To create an LED trigger for incoming SSH traffic:
 576            iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
 577
 578          Then attach the new trigger to an LED on your system:
 579            echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
 580
 581          For more information on the LEDs available on your system, see
 582          Documentation/leds/leds-class.txt
 583
 584config NETFILTER_XT_TARGET_LOG
 585        tristate "LOG target support"
 586        default m if NETFILTER_ADVANCED=n
 587        help
 588          This option adds a `LOG' target, which allows you to create rules in
 589          any iptables table which records the packet header to the syslog.
 590
 591          To compile it as a module, choose M here.  If unsure, say N.
 592
 593config NETFILTER_XT_TARGET_MARK
 594        tristate '"MARK" target support'
 595        depends on NETFILTER_ADVANCED
 596        select NETFILTER_XT_MARK
 597        ---help---
 598        This is a backwards-compat option for the user's convenience
 599        (e.g. when running oldconfig). It selects
 600        CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
 601
 602config NETFILTER_XT_TARGET_NFLOG
 603        tristate '"NFLOG" target support'
 604        default m if NETFILTER_ADVANCED=n
 605        select NETFILTER_NETLINK_LOG
 606        help
 607          This option enables the NFLOG target, which allows to LOG
 608          messages through nfnetlink_log.
 609
 610          To compile it as a module, choose M here.  If unsure, say N.
 611
 612config NETFILTER_XT_TARGET_NFQUEUE
 613        tristate '"NFQUEUE" target Support'
 614        depends on NETFILTER_ADVANCED
 615        select NETFILTER_NETLINK_QUEUE
 616        help
 617          This target replaced the old obsolete QUEUE target.
 618
 619          As opposed to QUEUE, it supports 65535 different queues,
 620          not just one.
 621
 622          To compile it as a module, choose M here.  If unsure, say N.
 623
 624config NETFILTER_XT_TARGET_NOTRACK
 625        tristate  '"NOTRACK" target support'
 626        depends on IP_NF_RAW || IP6_NF_RAW
 627        depends on NF_CONNTRACK
 628        help
 629          The NOTRACK target allows a select rule to specify
 630          which packets *not* to enter the conntrack/NAT
 631          subsystem with all the consequences (no ICMP error tracking,
 632          no protocol helpers for the selected packets).
 633
 634          If you want to compile it as a module, say M here and read
 635          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 636
 637config NETFILTER_XT_TARGET_RATEEST
 638        tristate '"RATEEST" target support'
 639        depends on NETFILTER_ADVANCED
 640        help
 641          This option adds a `RATEEST' target, which allows to measure
 642          rates similar to TC estimators. The `rateest' match can be
 643          used to match on the measured rates.
 644
 645          To compile it as a module, choose M here.  If unsure, say N.
 646
 647config NETFILTER_XT_TARGET_TEE
 648        tristate '"TEE" - packet cloning to alternate destination'
 649        depends on NETFILTER_ADVANCED
 650        depends on (IPV6 || IPV6=n)
 651        depends on !NF_CONNTRACK || NF_CONNTRACK
 652        ---help---
 653        This option adds a "TEE" target with which a packet can be cloned and
 654        this clone be rerouted to another nexthop.
 655
 656config NETFILTER_XT_TARGET_TPROXY
 657        tristate '"TPROXY" target support (EXPERIMENTAL)'
 658        depends on EXPERIMENTAL
 659        depends on NETFILTER_TPROXY
 660        depends on NETFILTER_XTABLES
 661        depends on NETFILTER_ADVANCED
 662        select NF_DEFRAG_IPV4
 663        select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
 664        help
 665          This option adds a `TPROXY' target, which is somewhat similar to
 666          REDIRECT.  It can only be used in the mangle table and is useful
 667          to redirect traffic to a transparent proxy.  It does _not_ depend
 668          on Netfilter connection tracking and NAT, unlike REDIRECT.
 669
 670          To compile it as a module, choose M here.  If unsure, say N.
 671
 672config NETFILTER_XT_TARGET_TRACE
 673        tristate  '"TRACE" target support'
 674        depends on IP_NF_RAW || IP6_NF_RAW
 675        depends on NETFILTER_ADVANCED
 676        help
 677          The TRACE target allows you to mark packets so that the kernel
 678          will log every rule which match the packets as those traverse
 679          the tables, chains, rules.
 680
 681          If you want to compile it as a module, say M here and read
 682          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 683
 684config NETFILTER_XT_TARGET_SECMARK
 685        tristate '"SECMARK" target support'
 686        depends on NETWORK_SECMARK
 687        default m if NETFILTER_ADVANCED=n
 688        help
 689          The SECMARK target allows security marking of network
 690          packets, for use with security subsystems.
 691
 692          To compile it as a module, choose M here.  If unsure, say N.
 693
 694config NETFILTER_XT_TARGET_TCPMSS
 695        tristate '"TCPMSS" target support'
 696        depends on (IPV6 || IPV6=n)
 697        default m if NETFILTER_ADVANCED=n
 698        ---help---
 699          This option adds a `TCPMSS' target, which allows you to alter the
 700          MSS value of TCP SYN packets, to control the maximum size for that
 701          connection (usually limiting it to your outgoing interface's MTU
 702          minus 40).
 703
 704          This is used to overcome criminally braindead ISPs or servers which
 705          block ICMP Fragmentation Needed packets.  The symptoms of this
 706          problem are that everything works fine from your Linux
 707          firewall/router, but machines behind it can never exchange large
 708          packets:
 709                1) Web browsers connect, then hang with no data received.
 710                2) Small mail works fine, but large emails hang.
 711                3) ssh works fine, but scp hangs after initial handshaking.
 712
 713          Workaround: activate this option and add a rule to your firewall
 714          configuration like:
 715
 716          iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
 717                         -j TCPMSS --clamp-mss-to-pmtu
 718
 719          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_TCPOPTSTRIP
        tristate '"TCPOPTSTRIP" target support (EXPERIMENTAL)'
        depends on EXPERIMENTAL
        depends on IP_NF_MANGLE || IP6_NF_MANGLE
        depends on NETFILTER_ADVANCED
        help
          This option adds a "TCPOPTSTRIP" target, which allows you to strip
          TCP options from TCP packets.

# alphabetically ordered list of matches

comment "Xtables matches"

config NETFILTER_XT_MATCH_ADDRTYPE
        tristate '"addrtype" address type match support'
        depends on NETFILTER_ADVANCED
        ---help---
          This option allows you to match what routing thinks of an address,
          e.g. UNICAST, LOCAL, BROADCAST, ...

          If you want to compile it as a module, say M here and read
          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_CLUSTER
        tristate '"cluster" match support'
        depends on NF_CONNTRACK
        depends on NETFILTER_ADVANCED
        ---help---
          This option allows you to build work-load-sharing clusters of
          network servers/stateful firewalls without having a dedicated
          load-balancing router/server/switch. Basically, this match returns
          true when the packet must be handled by this cluster node. Thus,
          all nodes see all packets and this match decides which node handles
          what packets. The work-load sharing algorithm is based on source
          address hashing.

          If you say Y or M here, try `iptables -m cluster --help` for
          more information.

config NETFILTER_XT_MATCH_COMMENT
        tristate '"comment" match support'
        depends on NETFILTER_ADVANCED
        help
          This option adds a `comment' dummy-match, which allows you to put
          comments in your iptables ruleset.

          If you want to compile it as a module, say M here and read
          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNBYTES
        tristate '"connbytes" per-connection counter match support'
        depends on NF_CONNTRACK
        depends on NETFILTER_ADVANCED
        help
          This option adds a `connbytes' match, which allows you to match the
          number of bytes and/or packets for each direction within a connection.

          If you want to compile it as a module, say M here and read
          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNLIMIT
        tristate '"connlimit" match support'
        depends on NF_CONNTRACK
        depends on NETFILTER_ADVANCED
        ---help---
          This match allows you to match against the number of parallel
          connections to a server per client IP address (or address block).

config NETFILTER_XT_MATCH_CONNMARK
        tristate '"connmark" connection mark match support'
        depends on NF_CONNTRACK
        depends on NETFILTER_ADVANCED
        select NETFILTER_XT_CONNMARK
        ---help---
          This is a backwards-compat option for the user's convenience
          (e.g. when running oldconfig). It selects
          CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).

config NETFILTER_XT_MATCH_CONNTRACK
        tristate '"conntrack" connection tracking match support'
        depends on NF_CONNTRACK
        default m if NETFILTER_ADVANCED=n
        help
          This is a general conntrack match module, a superset of the state match.

          It allows matching on additional conntrack information, which is
          useful in complex configurations, such as NAT gateways with multiple
          internet links or tunnels.

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_CPU
        tristate '"cpu" match support'
        depends on NETFILTER_ADVANCED
        help
          CPU matching allows you to match packets based on the CPU
          currently handling the packet.

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_DCCP
        tristate '"dccp" protocol match support'
        depends on NETFILTER_ADVANCED
        default IP_DCCP
        help
          With this option enabled, you will be able to use the iptables
          `dccp' match in order to match on DCCP source/destination ports
          and DCCP flags.

          If you want to compile it as a module, say M here and read
          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_DEVGROUP
        tristate '"devgroup" match support'
        depends on NETFILTER_ADVANCED
        help
          This option adds a `devgroup' match, which allows you to match on the
          device group a network device is assigned to.

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_DSCP
        tristate '"dscp" and "tos" match support'
        depends on NETFILTER_ADVANCED
        help
          This option adds a `DSCP' match, which allows you to match against
          the IPv4/IPv6 header DSCP field (differentiated services codepoint).

          The DSCP field can have any value between 0x0 and 0x3f inclusive.

          It will also add a "tos" match, which allows you to match packets
          based on the Type Of Service fields of the IPv4 packet (which share
          the same bits as DSCP).

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_ECN
        tristate '"ecn" match support'
        depends on NETFILTER_ADVANCED
        ---help---
          This option adds an "ECN" match, which allows you to match against
          the IPv4 and TCP header ECN fields.

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_ESP
        tristate '"esp" match support'
        depends on NETFILTER_ADVANCED
        help
          This match extension allows you to match a range of SPIs
          inside the ESP header of IPsec packets.

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_HASHLIMIT
        tristate '"hashlimit" match support'
        depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
        depends on NETFILTER_ADVANCED
        help
          This option adds a `hashlimit' match.

          As opposed to `limit', this match dynamically creates a hash table
          of limit buckets, based on your selection of source/destination
          addresses and/or ports.

          It enables you to express policies like `10kpps for any given
          destination address' or `500pps from any given source address'
          with a single rule.

config NETFILTER_XT_MATCH_HELPER
        tristate '"helper" match support'
        depends on NF_CONNTRACK
        depends on NETFILTER_ADVANCED
        help
          Helper matching allows you to match packets in dynamic connections
          tracked by a conntrack helper, e.g. ip_conntrack_ftp.

          To compile it as a module, choose M here.  If unsure, say Y.

config NETFILTER_XT_MATCH_HL
        tristate '"hl" hoplimit/TTL match support'
        depends on NETFILTER_ADVANCED
        ---help---
          HL matching allows you to match packets based on the hoplimit
          in the IPv6 header, or the time-to-live field in the IPv4
          header of the packet.

config NETFILTER_XT_MATCH_IPRANGE
        tristate '"iprange" address range match support'
        depends on NETFILTER_ADVANCED
        ---help---
          This option adds an "iprange" match, which allows you to match based on
          an IP address range. (Normal iptables only matches on single addresses
          with an optional mask.)

          If unsure, say M.

config NETFILTER_XT_MATCH_IPVS
        tristate '"ipvs" match support'
        depends on IP_VS
        depends on NETFILTER_ADVANCED
        depends on NF_CONNTRACK
        help
          This option allows you to match against IPVS properties of a packet.

          If unsure, say N.

config NETFILTER_XT_MATCH_LENGTH
        tristate '"length" match support'
        depends on NETFILTER_ADVANCED
        help
          This option allows you to match the length of a packet against a
          specific value or range of values.

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_LIMIT
        tristate '"limit" match support'
        depends on NETFILTER_ADVANCED
        help
          Limit matching allows you to control the rate at which a rule can be
          matched: mainly useful in combination with the LOG target ("LOG
          target support", below) and to avoid some Denial of Service attacks.

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_MAC
        tristate '"mac" address match support'
        depends on NETFILTER_ADVANCED
        help
          MAC matching allows you to match packets based on the source
          Ethernet address of the packet.

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_MARK
        tristate '"mark" match support'
        depends on NETFILTER_ADVANCED
        select NETFILTER_XT_MARK
        ---help---
          This is a backwards-compat option for the user's convenience
          (e.g. when running oldconfig). It selects
          CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).

config NETFILTER_XT_MATCH_MULTIPORT
        tristate '"multiport" Multiple port match support'
        depends on NETFILTER_ADVANCED
        help
          Multiport matching allows you to match TCP or UDP packets based on
          a series of source or destination ports: normally a rule can only
          match a single range of ports.

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_NFACCT
        tristate '"nfacct" match support'
        depends on NETFILTER_ADVANCED
        select NETFILTER_NETLINK_ACCT
        help
          This option allows you to use the extended accounting through
          nfnetlink_acct.

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_OSF
        tristate '"osf" Passive OS fingerprint match'
        depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
        help
          This option selects the Passive OS Fingerprinting match module
          that allows you to passively match the remote operating system by
          analyzing incoming TCP SYN packets.

          Rules and loading software can be downloaded from
          http://www.ioremap.net/projects/osf

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_OWNER
        tristate '"owner" match support'
        depends on NETFILTER_ADVANCED
        ---help---
          Socket owner matching allows you to match locally-generated packets
          based on who created the socket: the user or group. It is also
          possible to check whether a socket actually exists.

config NETFILTER_XT_MATCH_POLICY
        tristate 'IPsec "policy" match support'
        depends on XFRM
        default m if NETFILTER_ADVANCED=n
        help
          Policy matching allows you to match packets based on the
          IPsec policy that was used during decapsulation/will
          be used during encapsulation.

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_PHYSDEV
        tristate '"physdev" match support'
        depends on BRIDGE && BRIDGE_NETFILTER
        depends on NETFILTER_ADVANCED
        help
          Physdev packet matching matches against the physical bridge ports
          the IP packet arrived on or will leave by.

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_PKTTYPE
        tristate '"pkttype" packet type match support'
        depends on NETFILTER_ADVANCED
        help
          Packet type matching allows you to match a packet by
          its "class", e.g. BROADCAST, MULTICAST, ...

          Typical usage:
          iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_QUOTA
        tristate '"quota" match support'
        depends on NETFILTER_ADVANCED
        help
          This option adds a `quota' match, which allows you to match on a
          byte counter.

          If you want to compile it as a module, say M here and read
          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_RATEEST
        tristate '"rateest" match support'
        depends on NETFILTER_ADVANCED
        select NETFILTER_XT_TARGET_RATEEST
        help
          This option adds a `rateest' match, which allows you to match on the
          rate estimated by the RATEEST target.

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_REALM
        tristate '"realm" match support'
        depends on NETFILTER_ADVANCED
        select IP_ROUTE_CLASSID
        help
          This option adds a `realm' match, which allows you to use the realm
          key from the routing subsystem inside iptables.

          This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
          in the tc world.

          If you want to compile it as a module, say M here and read
          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_RECENT
        tristate '"recent" match support'
        depends on NETFILTER_ADVANCED
        ---help---
          This match is used for creating one or many lists of recently
          used addresses and then matching against that/those list(s).

          Short options are available by using 'iptables -m recent -h'.
          Official Website: <http://snowman.net/projects/ipt_recent/>

config NETFILTER_XT_MATCH_SCTP
        tristate '"sctp" protocol match support (EXPERIMENTAL)'
        depends on EXPERIMENTAL
        depends on NETFILTER_ADVANCED
        default IP_SCTP
        help
          With this option enabled, you will be able to use the
          `sctp' match in order to match on SCTP source/destination ports
          and SCTP chunk types.

          If you want to compile it as a module, say M here and read
          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_SOCKET
        tristate '"socket" match support (EXPERIMENTAL)'
        depends on EXPERIMENTAL
        depends on NETFILTER_TPROXY
        depends on NETFILTER_XTABLES
        depends on NETFILTER_ADVANCED
        depends on !NF_CONNTRACK || NF_CONNTRACK
        select NF_DEFRAG_IPV4
        select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
        help
          This option adds a `socket' match, which can be used to match
          packets for which a TCP or UDP socket lookup finds a valid socket.
          It can be used in combination with the MARK target and policy
          routing to implement full featured non-locally bound sockets.

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_STATE
        tristate '"state" match support'
        depends on NF_CONNTRACK
        default m if NETFILTER_ADVANCED=n
        help
          Connection state matching allows you to match packets based on their
          relationship to a tracked connection (i.e. previous packets).  This
          is a powerful tool for packet classification.

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_STATISTIC
        tristate '"statistic" match support'
        depends on NETFILTER_ADVANCED
        help
          This option adds a `statistic' match, which allows you to match
          on packets periodically or randomly with a given percentage.

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_STRING
        tristate '"string" match support'
        depends on NETFILTER_ADVANCED
        select TEXTSEARCH
        select TEXTSEARCH_KMP
        select TEXTSEARCH_BM
        select TEXTSEARCH_FSM
        help
          This option adds a `string' match, which allows you to look for
          string patterns in packets.

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_TCPMSS
        tristate '"tcpmss" match support'
        depends on NETFILTER_ADVANCED
        help
          This option adds a `tcpmss' match, which allows you to examine the
          MSS value of TCP SYN packets, which controls the maximum packet size
          for that connection.

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_TIME
        tristate '"time" match support'
        depends on NETFILTER_ADVANCED
        ---help---
          This option adds a "time" match, which allows you to match based on
          the packet arrival time (at the machine on which netfilter is
          running) or departure time/date (for locally generated packets).

          If you say Y here, try `iptables -m time --help` for
          more information.

          If you want to compile it as a module, say M here.
          If unsure, say N.

config NETFILTER_XT_MATCH_U32
        tristate '"u32" match support'
        depends on NETFILTER_ADVANCED
        ---help---
          u32 allows you to extract quantities of up to 4 bytes from a packet,
          AND them with specified masks, shift them by specified amounts and
          test whether the results are in any of a set of specified ranges.
          The specification of what to extract is general enough to skip over
          headers with lengths stored in the packet, as in IP or TCP header
          lengths.

          Details and examples are in the kernel module source.

endif # NETFILTER_XTABLES

endmenu

source "net/netfilter/ipset/Kconfig"

source "net/netfilter/ipvs/Kconfig"
