linux/net/netfilter/Kconfig
   1menu "Core Netfilter Configuration"
   2        depends on NET && INET && NETFILTER
   3
   4config NETFILTER_NETLINK
   5        tristate
   6
   7config NETFILTER_NETLINK_ACCT
   8tristate "Netfilter NFACCT over NFNETLINK interface"
   9        depends on NETFILTER_ADVANCED
  10        select NETFILTER_NETLINK
  11        help
  12          If this option is enabled, the kernel will include support
  13          for extended accounting via NFNETLINK.
  14
  15config NETFILTER_NETLINK_QUEUE
  16        tristate "Netfilter NFQUEUE over NFNETLINK interface"
  17        depends on NETFILTER_ADVANCED
  18        select NETFILTER_NETLINK
  19        help
  20          If this option is enabled, the kernel will include support
  21          for queueing packets via NFNETLINK.
  22          
  23config NETFILTER_NETLINK_LOG
  24        tristate "Netfilter LOG over NFNETLINK interface"
  25        default m if NETFILTER_ADVANCED=n
  26        select NETFILTER_NETLINK
  27        help
  28          If this option is enabled, the kernel will include support
  29          for logging packets via NFNETLINK.
  30
  31          This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
  32          and is also scheduled to replace the old syslog-based ipt_LOG
  33          and ip6t_LOG modules.
  34
  35config NF_CONNTRACK
  36        tristate "Netfilter connection tracking support"
  37        default m if NETFILTER_ADVANCED=n
  38        help
  39          Connection tracking keeps a record of what packets have passed
  40          through your machine, in order to figure out how they are related
  41          into connections.
  42
  43          This is required to do Masquerading or other kinds of Network
  44          Address Translation.  It can also be used to enhance packet
  45          filtering (see `Connection state match support' below).
  46
  47          To compile it as a module, choose M here.  If unsure, say N.
  48
  49if NF_CONNTRACK
  50
  51config NF_CONNTRACK_MARK
  52        bool  'Connection mark tracking support'
  53        depends on NETFILTER_ADVANCED
  54        help
  55          This option enables support for connection marks, used by the
  56          `CONNMARK' target and `connmark' match. Similar to the mark value
  57          of packets, but this mark value is kept in the conntrack session
  58          instead of the individual packets.
  59
  60config NF_CONNTRACK_SECMARK
  61        bool  'Connection tracking security mark support'
  62        depends on NETWORK_SECMARK
  63        default m if NETFILTER_ADVANCED=n
  64        help
  65          This option enables security markings to be applied to
  66          connections.  Typically they are copied to connections from
  67          packets using the CONNSECMARK target and copied back from
  68          connections to packets with the same target, with the packets
  69          being originally labeled via SECMARK.
  70
  71          If unsure, say 'N'.
  72
  73config NF_CONNTRACK_ZONES
  74        bool  'Connection tracking zones'
  75        depends on NETFILTER_ADVANCED
  76        depends on NETFILTER_XT_TARGET_CT
  77        help
  78          This option enables support for connection tracking zones.
  79          Normally, each connection needs to have a unique system wide
  80          identity. Connection tracking zones allow multiple
  81          connections to use the same identity, as long as they are
  82          contained in different zones.
  83
  84          If unsure, say `N'.
  85
  86config NF_CONNTRACK_PROCFS
  87        bool "Supply CT list in procfs (OBSOLETE)"
  88        default y
  89        depends on PROC_FS
  90        ---help---
  91        This option enables the list of known conntrack entries
  92        to be shown in procfs under net/netfilter/nf_conntrack. This
  93        is considered obsolete in favor of using the conntrack(8)
  94        tool which uses Netlink.
  95
  96config NF_CONNTRACK_EVENTS
  97        bool "Connection tracking events"
  98        depends on NETFILTER_ADVANCED
  99        help
 100          If this option is enabled, the connection tracking code will
 101          provide a notifier chain that can be used by other kernel code
 102          to get notified about changes in the connection tracking state.
 103
 104          If unsure, say `N'.
 105
 106config NF_CONNTRACK_TIMEOUT
 107        bool  'Connection tracking timeout'
 108        depends on NETFILTER_ADVANCED
 109        help
 110          This option enables support for connection tracking timeout
 111          extension. This allows you to attach timeout policies to flows
 112          via the CT target.
 113
 114          If unsure, say `N'.
 115
 116config NF_CONNTRACK_TIMESTAMP
 117        bool  'Connection tracking timestamping'
 118        depends on NETFILTER_ADVANCED
 119        help
 120          This option enables support for connection tracking timestamping.
 121          This allows you to store the flow start-time and to obtain
 122          the flow-stop time (once it has been destroyed) via Connection
 123          tracking events.
 124
 125          If unsure, say `N'.
 126
 127config NF_CT_PROTO_DCCP
 128        tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)'
 129        depends on EXPERIMENTAL
 130        depends on NETFILTER_ADVANCED
 131        default IP_DCCP
 132        help
 133          With this option enabled, the layer 3 independent connection
 134          tracking code will be able to do state tracking on DCCP connections.
 135
 136          If unsure, say 'N'.
 137
 138config NF_CT_PROTO_GRE
 139        tristate
 140
 141config NF_CT_PROTO_SCTP
 142        tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
 143        depends on EXPERIMENTAL
 144        depends on NETFILTER_ADVANCED
 145        default IP_SCTP
 146        help
 147          With this option enabled, the layer 3 independent connection
 148          tracking code will be able to do state tracking on SCTP connections.
 149
 150          If you want to compile it as a module, say M here and read
 151          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 152
 153config NF_CT_PROTO_UDPLITE
 154        tristate 'UDP-Lite protocol connection tracking support'
 155        depends on NETFILTER_ADVANCED
 156        help
 157          With this option enabled, the layer 3 independent connection
 158          tracking code will be able to do state tracking on UDP-Lite
 159          connections.
 160
 161          To compile it as a module, choose M here.  If unsure, say N.
 162
 163config NF_CONNTRACK_AMANDA
 164        tristate "Amanda backup protocol support"
 165        depends on NETFILTER_ADVANCED
 166        select TEXTSEARCH
 167        select TEXTSEARCH_KMP
 168        help
 169          If you are running the Amanda backup package <http://www.amanda.org/>
 170          on this machine or machines that will be MASQUERADED through this
 171          machine, then you may want to enable this feature.  This allows the
 172          connection tracking and natting code to allow the sub-channels that
 173          Amanda requires for communication of the backup data, messages and
 174          index.
 175
 176          To compile it as a module, choose M here.  If unsure, say N.
 177
 178config NF_CONNTRACK_FTP
 179        tristate "FTP protocol support"
 180        default m if NETFILTER_ADVANCED=n
 181        help
 182          Tracking FTP connections is problematic: special helpers are
 183          required for tracking them, and doing masquerading and other forms
 184          of Network Address Translation on them.
 185
 186          This is FTP support on Layer 3 independent connection tracking.
 187          Layer 3 independent connection tracking is an experimental scheme
 188          which generalizes ip_conntrack to support other layer 3 protocols.
 189
 190          To compile it as a module, choose M here.  If unsure, say N.
 191
 192config NF_CONNTRACK_H323
 193        tristate "H.323 protocol support"
 194        depends on (IPV6 || IPV6=n)
 195        depends on NETFILTER_ADVANCED
 196        help
 197          H.323 is a VoIP signalling protocol from ITU-T. As one of the most
 198          important VoIP protocols, it is widely used by voice hardware and
 199          software including voice gateways, IP phones, Netmeeting, OpenPhone,
 200          Gnomemeeting, etc.
 201
 202          With this module you can support H.323 on a connection tracking/NAT
 203          firewall.
 204
 205          This module supports RAS, Fast Start, H.245 Tunnelling, Call
 206          Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
 207          whiteboard, file transfer, etc. For more information, please
 208          visit http://nath323.sourceforge.net/.
 209
 210          To compile it as a module, choose M here.  If unsure, say N.
 211
 212config NF_CONNTRACK_IRC
 213        tristate "IRC protocol support"
 214        default m if NETFILTER_ADVANCED=n
 215        help
 216          There is a commonly-used extension to IRC called
 217          Direct Client-to-Client Protocol (DCC).  This enables users to send
 218          files to each other, and also chat to each other without the need
 219          of a server.  DCC Sending is used anywhere you send files over IRC,
 220          and DCC Chat is most commonly used by Eggdrop bots.  If you are
 221          using NAT, this extension will enable you to send files and initiate
 222          chats.  Note that you do NOT need this extension to get files or
 223          have others initiate chats, or everything else in IRC.
 224
 225          To compile it as a module, choose M here.  If unsure, say N.
 226
 227config NF_CONNTRACK_BROADCAST
 228        tristate
 229
 230config NF_CONNTRACK_NETBIOS_NS
 231        tristate "NetBIOS name service protocol support"
 232        select NF_CONNTRACK_BROADCAST
 233        help
 234          NetBIOS name service requests are sent as broadcast messages from an
 235          unprivileged port and responded to with unicast messages to the
 236          same port. This makes them hard to firewall properly because connection
 237          tracking doesn't deal with broadcasts. This helper tracks locally
 238          originating NetBIOS name service requests and the corresponding
 239          responses. It relies on correct IP address configuration, specifically
 240          netmask and broadcast address. When properly configured, the output
 241          of "ip address show" should look similar to this:
 242
 243          $ ip -4 address show eth0
 244          4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
 245              inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
 246
 247          To compile it as a module, choose M here.  If unsure, say N.
 248
 249config NF_CONNTRACK_SNMP
 250        tristate "SNMP service protocol support"
 251        depends on NETFILTER_ADVANCED
 252        select NF_CONNTRACK_BROADCAST
 253        help
 254          SNMP service requests are sent as broadcast messages from an
 255          unprivileged port and responded to with unicast messages to the
 256          same port. This makes them hard to firewall properly because connection
 257          tracking doesn't deal with broadcasts. This helper tracks locally
 258          originating SNMP service requests and the corresponding
 259          responses. It relies on correct IP address configuration, specifically
 260          netmask and broadcast address.
 261
 262          To compile it as a module, choose M here.  If unsure, say N.
 263
 264config NF_CONNTRACK_PPTP
 265        tristate "PPtP protocol support"
 266        depends on NETFILTER_ADVANCED
 267        select NF_CT_PROTO_GRE
 268        help
 269          This module adds support for PPTP (Point to Point Tunnelling
 270          Protocol, RFC2637) connection tracking and NAT.
 271
 272          If you are running PPTP sessions over a stateful firewall or NAT
 273          box, you may want to enable this feature.
 274
 275          Please note that not all PPTP modes of operation are supported yet.
 276          Specifically these limitations exist:
 277            - Blindly assumes that control connections are always established
 278              in PNS->PAC direction. This is a violation of RFC2637.
 279            - Only supports a single call within each session
 280
 281          To compile it as a module, choose M here.  If unsure, say N.
 282
 283config NF_CONNTRACK_SANE
 284        tristate "SANE protocol support (EXPERIMENTAL)"
 285        depends on EXPERIMENTAL
 286        depends on NETFILTER_ADVANCED
 287        help
 288          SANE is a protocol for remote access to scanners as implemented
 289          by the 'saned' daemon. Like FTP, it uses separate control and
 290          data connections.
 291
 292          With this module you can support SANE on a connection tracking
 293          firewall.
 294
 295          To compile it as a module, choose M here.  If unsure, say N.
 296
 297config NF_CONNTRACK_SIP
 298        tristate "SIP protocol support"
 299        default m if NETFILTER_ADVANCED=n
 300        help
 301          SIP is an application-layer control protocol that can establish,
 302          modify, and terminate multimedia sessions (conferences) such as
 303          Internet telephony calls. With the ip_conntrack_sip and
 304          the nf_nat_sip modules you can support the protocol on a connection
 305          tracking/NATing firewall.
 306
 307          To compile it as a module, choose M here.  If unsure, say N.
 308
 309config NF_CONNTRACK_TFTP
 310        tristate "TFTP protocol support"
 311        depends on NETFILTER_ADVANCED
 312        help
 313          This is the TFTP connection tracking helper. Whether it is required
 314          depends on how restrictive your ruleset is.
 315          If you are using a tftp client behind -j SNAT or -j MASQUERADE
 316          you will need this.
 317
 318          To compile it as a module, choose M here.  If unsure, say N.
 319
 320config NF_CT_NETLINK
 321        tristate 'Connection tracking netlink interface'
 322        select NETFILTER_NETLINK
 323        default m if NETFILTER_ADVANCED=n
 324        help
 325          This option enables support for a netlink-based userspace interface.
 326
 327config NF_CT_NETLINK_TIMEOUT
 328        tristate  'Connection tracking timeout tuning via Netlink'
 329        select NETFILTER_NETLINK
 330        depends on NETFILTER_ADVANCED
 331        help
 332          This option enables support for connection tracking timeout
 333          fine-grain tuning. This allows you to attach specific timeout
 334          policies to flows, instead of using the global timeout policy.
 335
 336          If unsure, say `N'.
 337
 338config NF_CT_NETLINK_HELPER
 339        tristate 'Connection tracking helpers in user-space via Netlink'
 340        select NETFILTER_NETLINK
 341        depends on NF_CT_NETLINK
 342        depends on NETFILTER_NETLINK_QUEUE
 343        depends on NETFILTER_NETLINK_QUEUE_CT
 344        depends on NETFILTER_ADVANCED
 345        help
 346          This option enables the user-space connection tracking helpers
 347          infrastructure.
 348
 349          If unsure, say `N'.
 350
 351config NETFILTER_NETLINK_QUEUE_CT
 352        bool "NFQUEUE integration with Connection Tracking"
 353        default n
 354        depends on NETFILTER_NETLINK_QUEUE
 355        help
 356          If this option is enabled, NFQUEUE can include Connection Tracking
 357          information together with the packet that is enqueued via NFNETLINK.
 358
 359config NF_NAT
 360        tristate
 361
 362config NF_NAT_NEEDED
 363        bool
 364        depends on NF_NAT
 365        default y
 366
 367config NF_NAT_PROTO_DCCP
 368        tristate
 369        depends on NF_NAT && NF_CT_PROTO_DCCP
 370        default NF_NAT && NF_CT_PROTO_DCCP
 371
 372config NF_NAT_PROTO_UDPLITE
 373        tristate
 374        depends on NF_NAT && NF_CT_PROTO_UDPLITE
 375        default NF_NAT && NF_CT_PROTO_UDPLITE
 376
 377config NF_NAT_PROTO_SCTP
 378        tristate
 379        default NF_NAT && NF_CT_PROTO_SCTP
 380        depends on NF_NAT && NF_CT_PROTO_SCTP
 381        select LIBCRC32C
 382
 383config NF_NAT_AMANDA
 384        tristate
 385        depends on NF_CONNTRACK && NF_NAT
 386        default NF_NAT && NF_CONNTRACK_AMANDA
 387
 388config NF_NAT_FTP
 389        tristate
 390        depends on NF_CONNTRACK && NF_NAT
 391        default NF_NAT && NF_CONNTRACK_FTP
 392
 393config NF_NAT_IRC
 394        tristate
 395        depends on NF_CONNTRACK && NF_NAT
 396        default NF_NAT && NF_CONNTRACK_IRC
 397
 398config NF_NAT_SIP
 399        tristate
 400        depends on NF_CONNTRACK && NF_NAT
 401        default NF_NAT && NF_CONNTRACK_SIP
 402
 403config NF_NAT_TFTP
 404        tristate
 405        depends on NF_CONNTRACK && NF_NAT
 406        default NF_NAT && NF_CONNTRACK_TFTP
 407
 408endif # NF_CONNTRACK
 409
 410# transparent proxy support
 411config NETFILTER_TPROXY
 412        tristate "Transparent proxying support (EXPERIMENTAL)"
 413        depends on EXPERIMENTAL
 414        depends on IP_NF_MANGLE
 415        depends on NETFILTER_ADVANCED
 416        help
 417          This option enables transparent proxying support, that is,
 418          support for handling non-locally bound IPv4 TCP and UDP sockets.
 419          For it to work you will have to configure certain iptables rules
 420          and use policy routing. For more information on how to set it up
 421          see Documentation/networking/tproxy.txt.
 422
 423          To compile it as a module, choose M here.  If unsure, say N.
 424
 425config NETFILTER_XTABLES
 426        tristate "Netfilter Xtables support (required for ip_tables)"
 427        default m if NETFILTER_ADVANCED=n
 428        help
 429          This is required if you intend to use any of ip_tables,
 430          ip6_tables or arp_tables.
 431
 432if NETFILTER_XTABLES
 433
 434comment "Xtables combined modules"
 435
 436config NETFILTER_XT_MARK
 437        tristate 'nfmark target and match support'
 438        default m if NETFILTER_ADVANCED=n
 439        ---help---
 440        This option adds the "MARK" target and "mark" match.
 441
 442        Netfilter mark matching allows you to match packets based on the
 443        "nfmark" value in the packet.
 444        The target allows you to create rules in the "mangle" table which alter
 445        the netfilter mark (nfmark) field associated with the packet.
 446
 447        Prior to routing, the nfmark can influence the routing method (see
 448        "Use netfilter MARK value as routing key") and can also be used by
 449        other subsystems to change their behavior.
 450
 451config NETFILTER_XT_CONNMARK
 452        tristate 'ctmark target and match support'
 453        depends on NF_CONNTRACK
 454        depends on NETFILTER_ADVANCED
 455        select NF_CONNTRACK_MARK
 456        ---help---
 457        This option adds the "CONNMARK" target and "connmark" match.
 458
 459        Netfilter allows you to store a mark value per connection (a.k.a.
 460        ctmark), similarly to the packet mark (nfmark). Using this
 461        target and match, you can set and match on this mark.
 462
 463config NETFILTER_XT_SET
 464        tristate 'set target and match support'
 465        depends on IP_SET
 466        depends on NETFILTER_ADVANCED
 467        help
 468          This option adds the "SET" target and "set" match.
 469
 470          Using this target and match, you can add/delete and match
 471          elements in the sets created by ipset(8).
 472
 473          To compile it as a module, choose M here.  If unsure, say N.
 474
 475# alphabetically ordered list of targets
 476
 477comment "Xtables targets"
 478
 479config NETFILTER_XT_TARGET_AUDIT
 480        tristate "AUDIT target support"
 481        depends on AUDIT
 482        depends on NETFILTER_ADVANCED
 483        ---help---
 484          This option adds an 'AUDIT' target, which can be used to create
 485          audit records for packets dropped/accepted.
 486
 487          To compile it as a module, choose M here. If unsure, say N.
 488
 489config NETFILTER_XT_TARGET_CHECKSUM
 490        tristate "CHECKSUM target support"
 491        depends on IP_NF_MANGLE || IP6_NF_MANGLE
 492        depends on NETFILTER_ADVANCED
 493        ---help---
 494          This option adds a `CHECKSUM' target, which can be used in the iptables mangle
 495          table.
 496
 497          You can use this target to compute and fill in the checksum in
 498          a packet that lacks a checksum.  This is particularly useful,
 499          if you need to work around old applications such as dhcp clients,
 500          that do not work well with checksum offloads, but don't want to disable
 501          checksum offload in your device.
 502
 503          To compile it as a module, choose M here.  If unsure, say N.
 504
 505config NETFILTER_XT_TARGET_CLASSIFY
 506        tristate '"CLASSIFY" target support'
 507        depends on NETFILTER_ADVANCED
 508        help
 509          This option adds a `CLASSIFY' target, which enables the user to set
 510          the priority of a packet. Some qdiscs can use this value for
 511          classification, among these are:
 512
 513          atm, cbq, dsmark, pfifo_fast, htb, prio
 514
 515          To compile it as a module, choose M here.  If unsure, say N.
 516
 517config NETFILTER_XT_TARGET_CONNMARK
 518        tristate  '"CONNMARK" target support'
 519        depends on NF_CONNTRACK
 520        depends on NETFILTER_ADVANCED
 521        select NETFILTER_XT_CONNMARK
 522        ---help---
 523        This is a backwards-compat option for the user's convenience
 524        (e.g. when running oldconfig). It selects
 525        CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
 526
 527config NETFILTER_XT_TARGET_CONNSECMARK
 528        tristate '"CONNSECMARK" target support'
 529        depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
 530        default m if NETFILTER_ADVANCED=n
 531        help
 532          The CONNSECMARK target copies security markings from packets
 533          to connections, and restores security markings from connections
 534          to packets (if the packets are not already marked).  This would
 535          normally be used in conjunction with the SECMARK target.
 536
 537          To compile it as a module, choose M here.  If unsure, say N.
 538
 539config NETFILTER_XT_TARGET_CT
 540        tristate '"CT" target support'
 541        depends on NF_CONNTRACK
 542        depends on IP_NF_RAW || IP6_NF_RAW
 543        depends on NETFILTER_ADVANCED
 544        help
 545          This option adds a `CT' target, which allows you to specify initial
 546          connection tracking parameters like events to be delivered and
 547          the helper to be used.
 548
 549          To compile it as a module, choose M here.  If unsure, say N.
 550
 551config NETFILTER_XT_TARGET_DSCP
 552        tristate '"DSCP" and "TOS" target support'
 553        depends on IP_NF_MANGLE || IP6_NF_MANGLE
 554        depends on NETFILTER_ADVANCED
 555        help
 556          This option adds a `DSCP' target, which allows you to manipulate
 557          the IPv4/IPv6 header DSCP field (differentiated services codepoint).
 558
 559          The DSCP field can have any value between 0x0 and 0x3f inclusive.
 560
 561          It also adds the "TOS" target, which allows you to create rules in
 562          the "mangle" table which alter the Type Of Service field of an IPv4
 563          or the Priority field of an IPv6 packet, prior to routing.
 564
 565          To compile it as a module, choose M here.  If unsure, say N.
 566
 567config NETFILTER_XT_TARGET_HL
 568        tristate '"HL" hoplimit target support'
 569        depends on IP_NF_MANGLE || IP6_NF_MANGLE
 570        depends on NETFILTER_ADVANCED
 571        ---help---
 572        This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
 573        targets, which enable the user to change the
 574        hoplimit/time-to-live value of the IP header.
 575
 576        While it is safe to decrement the hoplimit/TTL value, the
 577        modules also allow you to increment and set the hoplimit value of
 578        the header to arbitrary values. This is EXTREMELY DANGEROUS
 579        since you can easily create immortal packets that loop
 580        forever on the network.
 581
 582config NETFILTER_XT_TARGET_HMARK
 583        tristate '"HMARK" target support'
 584        depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
 585        depends on NETFILTER_ADVANCED
 586        ---help---
 587        This option adds the "HMARK" target.
 588
 589        The target allows you to create rules in the "raw" and "mangle" tables
 590        which set the skbuff mark by means of hash calculation within a given
 591        range. The nfmark can influence the routing method (see "Use netfilter
 592        MARK value as routing key") and can also be used by other subsystems to
 593        change their behaviour.
 594
 595        To compile it as a module, choose M here. If unsure, say N.
 596
 597config NETFILTER_XT_TARGET_IDLETIMER
 598        tristate  "IDLETIMER target support"
 599        depends on NETFILTER_ADVANCED
 600        help
 601
 602          This option adds the `IDLETIMER' target.  Each matching packet
 603          resets the timer associated with the label specified when the rule is
 604          added.  When the timer expires, it triggers a sysfs notification.
 605          The remaining time for expiration can be read via sysfs.
 606
 607          To compile it as a module, choose M here.  If unsure, say N.
 608
 609config NETFILTER_XT_TARGET_LED
 610        tristate '"LED" target support'
 611        depends on LEDS_CLASS && LEDS_TRIGGERS
 612        depends on NETFILTER_ADVANCED
 613        help
 614          This option adds a `LED' target, which allows you to blink LEDs in
 615          response to particular packets passing through your machine.
 616
 617          This can be used to turn a spare LED into a network activity LED,
 618          which only flashes in response to FTP transfers, for example.  Or
 619          you could have an LED which lights up for a minute or two every time
 620          somebody connects to your machine via SSH.
 621
 622          You will need support for the "led" class to make this work.
 623
 624          To create an LED trigger for incoming SSH traffic:
 625            iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
 626
 627          Then attach the new trigger to an LED on your system:
 628            echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
 629
 630          For more information on the LEDs available on your system, see
 631          Documentation/leds/leds-class.txt
 632
 633config NETFILTER_XT_TARGET_LOG
 634        tristate "LOG target support"
 635        default m if NETFILTER_ADVANCED=n
 636        help
 637          This option adds a `LOG' target, which allows you to create rules in
 638          any iptables table which records the packet header to the syslog.
 639
 640          To compile it as a module, choose M here.  If unsure, say N.
 641
 642config NETFILTER_XT_TARGET_MARK
 643        tristate '"MARK" target support'
 644        depends on NETFILTER_ADVANCED
 645        select NETFILTER_XT_MARK
 646        ---help---
 647        This is a backwards-compat option for the user's convenience
 648        (e.g. when running oldconfig). It selects
 649        CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
 650
 651config NETFILTER_XT_TARGET_NETMAP
 652        tristate '"NETMAP" target support'
 653        depends on NF_NAT
 654        ---help---
 655        NETMAP is an implementation of static 1:1 NAT mapping of network
 656        addresses. It maps the network address part, while keeping the host
 657        address part intact.
 658
 659        To compile it as a module, choose M here. If unsure, say N.
 660
 661config NETFILTER_XT_TARGET_NFLOG
 662        tristate '"NFLOG" target support'
 663        default m if NETFILTER_ADVANCED=n
 664        select NETFILTER_NETLINK_LOG
 665        help
 666          This option enables the NFLOG target, which allows you to LOG
 667          messages through nfnetlink_log.
 668
 669          To compile it as a module, choose M here.  If unsure, say N.
 670
 671config NETFILTER_XT_TARGET_NFQUEUE
 672        tristate '"NFQUEUE" target Support'
 673        depends on NETFILTER_ADVANCED
 674        select NETFILTER_NETLINK_QUEUE
 675        help
 676          This target replaced the old obsolete QUEUE target.
 677
 678          As opposed to QUEUE, it supports 65535 different queues,
 679          not just one.
 680
 681          To compile it as a module, choose M here.  If unsure, say N.
 682
 683config NETFILTER_XT_TARGET_RATEEST
 684        tristate '"RATEEST" target support'
 685        depends on NETFILTER_ADVANCED
 686        help
 687          This option adds a `RATEEST' target, which allows you to measure
 688          rates similar to TC estimators. The `rateest' match can be
 689          used to match on the measured rates.
 690
 691          To compile it as a module, choose M here.  If unsure, say N.
 692
 693config NETFILTER_XT_TARGET_REDIRECT
 694        tristate "REDIRECT target support"
 695        depends on NF_NAT
 696        ---help---
 697        REDIRECT is a special case of NAT: all incoming connections are
 698        mapped onto the incoming interface's address, causing the packets to
 699        come to the local machine instead of passing through. This is
 700        useful for transparent proxies.
 701
 702        To compile it as a module, choose M here. If unsure, say N.
 703
 704config NETFILTER_XT_TARGET_TEE
 705        tristate '"TEE" - packet cloning to alternate destination'
 706        depends on NETFILTER_ADVANCED
 707        depends on (IPV6 || IPV6=n)
 708        depends on !NF_CONNTRACK || NF_CONNTRACK
 709        ---help---
 710        This option adds a "TEE" target with which a packet can be cloned and
 711        this clone be rerouted to another nexthop.
 712
 713config NETFILTER_XT_TARGET_TPROXY
 714        tristate '"TPROXY" target support (EXPERIMENTAL)'
 715        depends on EXPERIMENTAL
 716        depends on NETFILTER_TPROXY
 717        depends on NETFILTER_XTABLES
 718        depends on NETFILTER_ADVANCED
 719        select NF_DEFRAG_IPV4
 720        select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
 721        help
 722          This option adds a `TPROXY' target, which is somewhat similar to
 723          REDIRECT.  It can only be used in the mangle table and is useful
 724          to redirect traffic to a transparent proxy.  It does _not_ depend
 725          on Netfilter connection tracking and NAT, unlike REDIRECT.
 726
 727          To compile it as a module, choose M here.  If unsure, say N.
 728
 729config NETFILTER_XT_TARGET_TRACE
 730        tristate  '"TRACE" target support'
 731        depends on IP_NF_RAW || IP6_NF_RAW
 732        depends on NETFILTER_ADVANCED
 733        help
 734          The TRACE target allows you to mark packets so that the kernel
 735          will log every rule which matches the packets as those traverse
 736          the tables, chains, rules.
 737
 738          If you want to compile it as a module, say M here and read
 739          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 740
 741config NETFILTER_XT_TARGET_SECMARK
 742        tristate '"SECMARK" target support'
 743        depends on NETWORK_SECMARK
 744        default m if NETFILTER_ADVANCED=n
 745        help
 746          The SECMARK target allows security marking of network
 747          packets, for use with security subsystems.
 748
 749          To compile it as a module, choose M here.  If unsure, say N.
 750
 751config NETFILTER_XT_TARGET_TCPMSS
 752        tristate '"TCPMSS" target support'
 753        depends on (IPV6 || IPV6=n)
 754        default m if NETFILTER_ADVANCED=n
 755        ---help---
 756          This option adds a `TCPMSS' target, which allows you to alter the
 757          MSS value of TCP SYN packets, to control the maximum size for that
 758          connection (usually limiting it to your outgoing interface's MTU
 759          minus 40).
 760
 761          This is used to overcome criminally braindead ISPs or servers which
 762          block ICMP Fragmentation Needed packets.  The symptoms of this
 763          problem are that everything works fine from your Linux
 764          firewall/router, but machines behind it can never exchange large
 765          packets:
 766                1) Web browsers connect, then hang with no data received.
 767                2) Small mail works fine, but large emails hang.
 768                3) ssh works fine, but scp hangs after initial handshaking.
 769
 770          Workaround: activate this option and add a rule to your firewall
 771          configuration like:
 772
 773          iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
 774                         -j TCPMSS --clamp-mss-to-pmtu
 775
 776          To compile it as a module, choose M here.  If unsure, say N.
 777
 778config NETFILTER_XT_TARGET_TCPOPTSTRIP
 779        tristate '"TCPOPTSTRIP" target support (EXPERIMENTAL)'
 780        depends on EXPERIMENTAL
 781        depends on IP_NF_MANGLE || IP6_NF_MANGLE
 782        depends on NETFILTER_ADVANCED
 783        help
 784          This option adds a "TCPOPTSTRIP" target, which allows you to strip
 785          TCP options from TCP packets.
 786
 787# alphabetically ordered list of matches
 788
 789comment "Xtables matches"
 790
 791config NETFILTER_XT_MATCH_ADDRTYPE
 792        tristate '"addrtype" address type match support'
 793        depends on NETFILTER_ADVANCED
 794        ---help---
 795          This option allows you to match what routing thinks of an address,
 796          eg. UNICAST, LOCAL, BROADCAST, ...
 797
 798          If you want to compile it as a module, say M here and read
 799          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 800
 801config NETFILTER_XT_MATCH_CLUSTER
 802        tristate '"cluster" match support'
 803        depends on NF_CONNTRACK
 804        depends on NETFILTER_ADVANCED
 805        ---help---
 806          This option allows you to build work-load-sharing clusters of
 807          network servers/stateful firewalls without having a dedicated
 808          load-balancing router/server/switch. Basically, this match returns
 809          true when the packet must be handled by this cluster node. Thus,
 810          all nodes see all packets and this match decides which node handles
 811          what packets. The work-load sharing algorithm is based on source
 812          address hashing.
 813
 814          If you say Y or M here, try `iptables -m cluster --help` for
 815          more information.
 816
 817config NETFILTER_XT_MATCH_COMMENT
 818        tristate  '"comment" match support'
 819        depends on NETFILTER_ADVANCED
 820        help
 821          This option adds a `comment' dummy-match, which allows you to put
 822          comments in your iptables ruleset.
 823
 824          If you want to compile it as a module, say M here and read
 825          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 826
 827config NETFILTER_XT_MATCH_CONNBYTES
 828        tristate  '"connbytes" per-connection counter match support'
 829        depends on NF_CONNTRACK
 830        depends on NETFILTER_ADVANCED
 831        help
 832          This option adds a `connbytes' match, which allows you to match the
 833          number of bytes and/or packets for each direction within a connection.
 834
 835          If you want to compile it as a module, say M here and read
 836          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 837
 838config NETFILTER_XT_MATCH_CONNLIMIT
 839        tristate '"connlimit" match support"'
 840        depends on NF_CONNTRACK
 841        depends on NETFILTER_ADVANCED
 842        ---help---
 843          This match allows you to match against the number of parallel
 844          connections to a server per client IP address (or address block).
 845
 846config NETFILTER_XT_MATCH_CONNMARK
 847        tristate  '"connmark" connection mark match support'
 848        depends on NF_CONNTRACK
 849        depends on NETFILTER_ADVANCED
 850        select NETFILTER_XT_CONNMARK
 851        ---help---
 852        This is a backwards-compat option for the user's convenience
 853        (e.g. when running oldconfig). It selects
 854        CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
 855
 856config NETFILTER_XT_MATCH_CONNTRACK
 857        tristate '"conntrack" connection tracking match support'
 858        depends on NF_CONNTRACK
 859        default m if NETFILTER_ADVANCED=n
 860        help
 861          This is a general conntrack match module, a superset of the state match.
 862
 863          It allows matching on additional conntrack information, which is
 864          useful in complex configurations, such as NAT gateways with multiple
 865          internet links or tunnels.
 866
 867          To compile it as a module, choose M here.  If unsure, say N.
 868
 869config NETFILTER_XT_MATCH_CPU
 870        tristate '"cpu" match support'
 871        depends on NETFILTER_ADVANCED
 872        help
 873          CPU matching allows you to match packets based on the CPU
 874          currently handling the packet.
 875
 876          To compile it as a module, choose M here.  If unsure, say N.
 877
 878config NETFILTER_XT_MATCH_DCCP
 879        tristate '"dccp" protocol match support'
 880        depends on NETFILTER_ADVANCED
 881        default IP_DCCP
 882        help
 883          With this option enabled, you will be able to use the iptables
 884          `dccp' match in order to match on DCCP source/destination ports
 885          and DCCP flags.
 886
 887          If you want to compile it as a module, say M here and read
 888          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 889
 890config NETFILTER_XT_MATCH_DEVGROUP
 891        tristate '"devgroup" match support'
 892        depends on NETFILTER_ADVANCED
 893        help
 894          This option adds a `devgroup' match, which allows you to match on the
 895          device group a network device is assigned to.
 896
 897          To compile it as a module, choose M here.  If unsure, say N.
 898
 899config NETFILTER_XT_MATCH_DSCP
 900        tristate '"dscp" and "tos" match support'
 901        depends on NETFILTER_ADVANCED
 902        help
 903          This option adds a `DSCP' match, which allows you to match against
 904          the IPv4/IPv6 header DSCP field (differentiated services codepoint).
 905
 906          The DSCP field can have any value between 0x0 and 0x3f inclusive.
 907
 908          It will also add a "tos" match, which allows you to match packets
 909          based on the Type Of Service fields of the IPv4 packet (which share
 910          the same bits as DSCP).
 911
 912          To compile it as a module, choose M here.  If unsure, say N.
 913
 914config NETFILTER_XT_MATCH_ECN
 915        tristate '"ecn" match support'
 916        depends on NETFILTER_ADVANCED
 917        ---help---
 918        This option adds an "ECN" match, which allows you to match against
 919        the IPv4 and TCP header ECN fields.
 920
 921        To compile it as a module, choose M here. If unsure, say N.
 922
 923config NETFILTER_XT_MATCH_ESP
 924        tristate '"esp" match support'
 925        depends on NETFILTER_ADVANCED
 926        help
 927          This match extension allows you to match a range of SPIs
 928          inside ESP header of IPSec packets.
 929
 930          To compile it as a module, choose M here.  If unsure, say N.
 931
 932config NETFILTER_XT_MATCH_HASHLIMIT
 933        tristate '"hashlimit" match support'
 934        depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
 935        depends on NETFILTER_ADVANCED
 936        help
 937          This option adds a `hashlimit' match.
 938
 939          As opposed to `limit', this match dynamically creates a hash table
 940          of limit buckets, based on your selection of source/destination
 941          addresses and/or ports.
 942
 943          It enables you to express policies like `10kpps for any given
 944          destination address' or `500pps from any given source address'
 945          with a single rule.
 946
 947config NETFILTER_XT_MATCH_HELPER
 948        tristate '"helper" match support'
 949        depends on NF_CONNTRACK
 950        depends on NETFILTER_ADVANCED
 951        help
 952          Helper matching allows you to match packets in dynamic connections
 953          tracked by a conntrack-helper, ie. ip_conntrack_ftp
 954
 955          To compile it as a module, choose M here.  If unsure, say Y.
 956
 957config NETFILTER_XT_MATCH_HL
 958        tristate '"hl" hoplimit/TTL match support'
 959        depends on NETFILTER_ADVANCED
 960        ---help---
 961        HL matching allows you to match packets based on the hoplimit
 962        in the IPv6 header, or the time-to-live field in the IPv4
 963        header of the packet.
 964
 965config NETFILTER_XT_MATCH_IPRANGE
 966        tristate '"iprange" address range match support'
 967        depends on NETFILTER_ADVANCED
 968        ---help---
 969        This option adds a "iprange" match, which allows you to match based on
 970        an IP address range. (Normal iptables only matches on single addresses
 971        with an optional mask.)
 972
 973        If unsure, say M.
 974
 975config NETFILTER_XT_MATCH_IPVS
 976        tristate '"ipvs" match support'
 977        depends on IP_VS
 978        depends on NETFILTER_ADVANCED
 979        depends on NF_CONNTRACK
 980        help
 981          This option allows you to match against IPVS properties of a packet.
 982
 983          If unsure, say N.
 984
 985config NETFILTER_XT_MATCH_LENGTH
 986        tristate '"length" match support'
 987        depends on NETFILTER_ADVANCED
 988        help
 989          This option allows you to match the length of a packet against a
 990          specific value or range of values.
 991
 992          To compile it as a module, choose M here.  If unsure, say N.
 993
 994config NETFILTER_XT_MATCH_LIMIT
 995        tristate '"limit" match support'
 996        depends on NETFILTER_ADVANCED
 997        help
 998          limit matching allows you to control the rate at which a rule can be
 999          matched: mainly useful in combination with the LOG target ("LOG
1000          target support", below) and to avoid some Denial of Service attacks.
1001
1002          To compile it as a module, choose M here.  If unsure, say N.
1003
1004config NETFILTER_XT_MATCH_MAC
1005        tristate '"mac" address match support'
1006        depends on NETFILTER_ADVANCED
1007        help
1008          MAC matching allows you to match packets based on the source
1009          Ethernet address of the packet.  The sender chooses this address, so a match does not authenticate the host.
1010
1011          To compile it as a module, choose M here.  If unsure, say N.
1012
1013config NETFILTER_XT_MATCH_MARK
1014        tristate '"mark" match support'
1015        depends on NETFILTER_ADVANCED
1016        select NETFILTER_XT_MARK
1017        ---help---
1018        This is a backwards-compat option for the user's convenience
1019        (e.g. when running oldconfig). It selects
1020        CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
1021
1022config NETFILTER_XT_MATCH_MULTIPORT
1023        tristate '"multiport" Multiple port match support'
1024        depends on NETFILTER_ADVANCED
1025        help
1026          Multiport matching allows you to match TCP or UDP packets based on
1027          a series of source or destination ports: normally a rule can only
1028          match a single range of ports.
1029
1030          To compile it as a module, choose M here.  If unsure, say N.
1031
1032config NETFILTER_XT_MATCH_NFACCT
1033        tristate '"nfacct" match support'
1034        depends on NETFILTER_ADVANCED
1035        select NETFILTER_NETLINK_ACCT
1036        help
1037          This option allows you to use the extended accounting through
1038          nfnetlink_acct.
1039
1040          To compile it as a module, choose M here.  If unsure, say N.
1041
1042config NETFILTER_XT_MATCH_OSF
1043        tristate '"osf" Passive OS fingerprint match'
1044        depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
1045        help
1046          This option selects the Passive OS Fingerprinting match module
1047          that allows you to passively match the remote operating system by
1048          analyzing incoming TCP SYN packets.
1049
1050          Rules and loading software can be downloaded from
1051          http://www.ioremap.net/projects/osf
1052
1053          To compile it as a module, choose M here.  If unsure, say N.
1054
1055config NETFILTER_XT_MATCH_OWNER
1056        tristate '"owner" match support'
1057        depends on NETFILTER_ADVANCED
1058        ---help---
1059        Socket owner matching allows you to match locally-generated packets
1060        based on who created the socket: the user or group. It is also
1061        possible to check whether a socket actually exists.
1062
1063config NETFILTER_XT_MATCH_POLICY
1064        tristate 'IPsec "policy" match support'
1065        depends on XFRM
1066        default m if NETFILTER_ADVANCED=n
1067        help
1068          Policy matching allows you to match packets based on the
1069          IPsec policy that was used during decapsulation/will
1070          be used during encapsulation.
1071
1072          To compile it as a module, choose M here.  If unsure, say N.
1073
1074config NETFILTER_XT_MATCH_PHYSDEV
1075        tristate '"physdev" match support'
1076        depends on BRIDGE && BRIDGE_NETFILTER
1077        depends on NETFILTER_ADVANCED
1078        help
1079          Physdev packet matching matches against the physical bridge ports
1080          the IP packet arrived on or will leave by.
1081
1082          To compile it as a module, choose M here.  If unsure, say N.
1083
1084config NETFILTER_XT_MATCH_PKTTYPE
1085        tristate '"pkttype" packet type match support'
1086        depends on NETFILTER_ADVANCED
1087        help
1088          Packet type matching allows you to match a packet by
1089          its "class", eg. BROADCAST, MULTICAST, ...
1090
1091          Typical usage:
1092          iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
1093
1094          To compile it as a module, choose M here.  If unsure, say N.
1095
1096config NETFILTER_XT_MATCH_QUOTA
1097        tristate '"quota" match support'
1098        depends on NETFILTER_ADVANCED
1099        help
1100          This option adds a `quota' match, which allows to match on a
1101          byte counter.
1102
1103          If you want to compile it as a module, say M here and read
1104          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1105
1106config NETFILTER_XT_MATCH_RATEEST
1107        tristate '"rateest" match support'
1108        depends on NETFILTER_ADVANCED
1109        select NETFILTER_XT_TARGET_RATEEST
1110        help
1111          This option adds a `rateest' match, which allows to match on the
1112          rate estimated by the RATEEST target.
1113
1114          To compile it as a module, choose M here.  If unsure, say N.
1115
1116config NETFILTER_XT_MATCH_REALM
1117        tristate  '"realm" match support'
1118        depends on NETFILTER_ADVANCED
1119        select IP_ROUTE_CLASSID
1120        help
1121          This option adds a `realm' match, which allows you to use the realm
1122          key from the routing subsystem inside iptables.
1123
1124          This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option 
1125          in tc world.
1126
1127          If you want to compile it as a module, say M here and read
1128          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1129
1130config NETFILTER_XT_MATCH_RECENT
1131        tristate '"recent" match support'
1132        depends on NETFILTER_ADVANCED
1133        ---help---
1134        This match is used for creating one or many lists of recently
1135        used addresses and then matching against that/those list(s).
1136
1137        Short options are available by using 'iptables -m recent -h'
1138        Official Website: <http://snowman.net/projects/ipt_recent/>
1139
1140config NETFILTER_XT_MATCH_SCTP
1141        tristate  '"sctp" protocol match support (EXPERIMENTAL)'
1142        depends on EXPERIMENTAL
1143        depends on NETFILTER_ADVANCED
1144        default IP_SCTP
1145        help
1146          With this option enabled, you will be able to use the 
1147          `sctp' match in order to match on SCTP source/destination ports
1148          and SCTP chunk types.
1149
1150          If you want to compile it as a module, say M here and read
1151          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
1152
1153config NETFILTER_XT_MATCH_SOCKET
1154        tristate '"socket" match support (EXPERIMENTAL)'
1155        depends on EXPERIMENTAL
1156        depends on NETFILTER_TPROXY
1157        depends on NETFILTER_XTABLES
1158        depends on NETFILTER_ADVANCED
1159        depends on !NF_CONNTRACK || NF_CONNTRACK
1160        select NF_DEFRAG_IPV4
1161        select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
1162        help
1163          This option adds a `socket' match, which can be used to match
1164          packets for which a TCP or UDP socket lookup finds a valid socket.
1165          It can be used in combination with the MARK target and policy
1166          routing to implement full featured non-locally bound sockets.
1167
1168          To compile it as a module, choose M here.  If unsure, say N.
1169
1170config NETFILTER_XT_MATCH_STATE
1171        tristate '"state" match support'
1172        depends on NF_CONNTRACK
1173        default m if NETFILTER_ADVANCED=n
1174        help
1175          Connection state matching allows you to match packets based on their
1176          relationship to a tracked connection (ie. previous packets).  This
1177          is a powerful tool for packet classification.
1178
1179          To compile it as a module, choose M here.  If unsure, say N.
1180
1181config NETFILTER_XT_MATCH_STATISTIC
1182        tristate '"statistic" match support'
1183        depends on NETFILTER_ADVANCED
1184        help
1185          This option adds a `statistic' match, which allows you to match
1186          on packets periodically or randomly with a given percentage.
1187
1188          To compile it as a module, choose M here.  If unsure, say N.
1189
1190config NETFILTER_XT_MATCH_STRING
1191        tristate  '"string" match support'
1192        depends on NETFILTER_ADVANCED
1193        select TEXTSEARCH
1194        select TEXTSEARCH_KMP
1195        select TEXTSEARCH_BM
1196        select TEXTSEARCH_FSM
1197        help
1198          This option adds a `string' match, which allows you to look for
1199          pattern matches in packets.
1200
1201          To compile it as a module, choose M here.  If unsure, say N.
1202
1203config NETFILTER_XT_MATCH_TCPMSS
1204        tristate '"tcpmss" match support'
1205        depends on NETFILTER_ADVANCED
1206        help
1207          This option adds a `tcpmss' match, which allows you to examine the
1208          MSS value of TCP SYN packets, which control the maximum packet size
1209          for that connection.
1210
1211          To compile it as a module, choose M here.  If unsure, say N.
1212
1213config NETFILTER_XT_MATCH_TIME
1214        tristate '"time" match support'
1215        depends on NETFILTER_ADVANCED
1216        ---help---
1217          This option adds a "time" match, which allows you to match based on
1218          the packet arrival time (at the machine which netfilter is running
1219          on) or departure time/date (for locally generated packets).
1220
1221          If you say Y here, try `iptables -m time --help` for
1222          more information.
1223
1224          If you want to compile it as a module, say M here.
1225          If unsure, say N.
1226
1227config NETFILTER_XT_MATCH_U32
1228        tristate '"u32" match support'
1229        depends on NETFILTER_ADVANCED
1230        ---help---
1231          u32 allows you to extract quantities of up to 4 bytes from a packet,
1232          AND them with specified masks, shift them by specified amounts and
1233          test whether the results are in any of a set of specified ranges.
1234          The specification of what to extract is general enough to skip over
1235          headers with lengths stored in the packet, as in IP or TCP header
1236          lengths.
1237
1238          Details and examples are in the kernel module source.
1239
1240endif # NETFILTER_XTABLES
1241
1242endmenu
1243
1244source "net/netfilter/ipset/Kconfig"
1245
1246source "net/netfilter/ipvs/Kconfig"
1247