1 menu "Core Netfilter Configuration"
2 depends on NET && INET && NETFILTER
4 config NETFILTER_NETLINK
5 tristate "Netfilter netlink interface"
7 If this option is enabled, the kernel will include support
8 for the new netfilter netlink interface.
10 config NETFILTER_NETLINK_QUEUE
11 tristate "Netfilter NFQUEUE over NFNETLINK interface"
12 depends on NETFILTER_NETLINK
14 If this option is enabled, the kernel will include support
15 for queueing packets via NFNETLINK.
17 config NETFILTER_NETLINK_LOG
18 tristate "Netfilter LOG over NFNETLINK interface"
19 depends on NETFILTER_NETLINK
21 If this option is enabled, the kernel will include support
22 for logging packets via NFNETLINK.
24 This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms,
25 and is also scheduled to replace the old syslog-based ipt_LOG
28 # Rename this to NF_CONNTRACK in a 2.6.25
29 config NF_CONNTRACK_ENABLED
30 tristate "Netfilter connection tracking support"
32 Connection tracking keeps a record of what packets have passed
33 through your machine, in order to figure out how they are related
36 This is required to do Masquerading or other kinds of Network
37 Address Translation (except for Fast NAT). It can also be used to
38 enhance packet filtering (see `Connection state match support'
41 To compile it as a module, choose M here. If unsure, say N.
45 default NF_CONNTRACK_ENABLED
48 bool "Connection tracking flow accounting"
49 depends on NF_CONNTRACK
51 If this option is enabled, the connection tracking code will
52 keep per-flow packet and byte counters.
54 Those counters can be used for flow-based accounting or the
59 config IP_NF_MATCH_ACCOUNT
60 tristate "account match support"
61 depends on IP_NF_IPTABLES
63 This patch adds the account match
65 The account match provides simple traffic accounting for continuous networks.
66 --aaddr subnet for which enable traffic accounting
67 --aname table name with traffic counters, it can be accessed by reading
68 /proc/net/ipt_account/<table name>
69 --ashort do simple statistics (no tcp/udp/icmp counters)
71 More options can be found on project homepage.
74 http://www.svn.barbara.eu.org/ipt_account/
76 To compile it as a module, choose M here. If unsure, say N.
78 config NF_CONNTRACK_MARK
79 bool 'Connection mark tracking support'
80 depends on NF_CONNTRACK
82 This option enables support for connection marks, used by the
83 `CONNMARK' target and `connmark' match. Similar to the mark value
84 of packets, but this mark value is kept in the conntrack session
85 instead of the individual packets.
87 config NF_CONNTRACK_SECMARK
88 bool 'Connection tracking security mark support'
89 depends on NF_CONNTRACK && NETWORK_SECMARK
91 This option enables security markings to be applied to
92 connections. Typically they are copied to connections from
93 packets using the CONNSECMARK target and copied back from
94 connections to packets with the same target, with the packets
95 being originally labeled via SECMARK.
99 config NF_CONNTRACK_EVENTS
100 bool "Connection tracking events (EXPERIMENTAL)"
101 depends on EXPERIMENTAL && NF_CONNTRACK
103 If this option is enabled, the connection tracking code will
104 provide a notifier chain that can be used by other kernel code
105 to get notified about changes in the connection tracking state.
109 config NF_CT_PROTO_GRE
111 depends on NF_CONNTRACK
113 config NF_CT_PROTO_SCTP
114 tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
115 depends on EXPERIMENTAL && NF_CONNTRACK
118 With this option enabled, the layer 3 independent connection
119 tracking code will be able to do state tracking on SCTP connections.
121 If you want to compile it as a module, say M here and read
122 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
124 config NF_CONNTRACK_AMANDA
125 tristate "Amanda backup protocol support"
126 depends on NF_CONNTRACK
128 select TEXTSEARCH_KMP
130 If you are running the Amanda backup package <http://www.amanda.org/>
131 on this machine or machines that will be MASQUERADED through this
132 machine, then you may want to enable this feature. This allows the
133 connection tracking and natting code to allow the sub-channels that
134 Amanda requires for communication of the backup data, messages and
137 To compile it as a module, choose M here. If unsure, say N.
139 config NF_CONNTRACK_FTP
140 tristate "FTP protocol support"
141 depends on NF_CONNTRACK
143 Tracking FTP connections is problematic: special helpers are
144 required for tracking them, and doing masquerading and other forms
145 of Network Address Translation on them.
147 This is FTP support on Layer 3 independent connection tracking.
148 Layer 3 independent connection tracking is experimental scheme
149 which generalize ip_conntrack to support other layer 3 protocols.
151 To compile it as a module, choose M here. If unsure, say N.
153 config NF_CONNTRACK_H323
154 tristate "H.323 protocol support (EXPERIMENTAL)"
155 depends on EXPERIMENTAL && NF_CONNTRACK && (IPV6 || IPV6=n)
157 H.323 is a VoIP signalling protocol from ITU-T. As one of the most
158 important VoIP protocols, it is widely used by voice hardware and
159 software including voice gateways, IP phones, Netmeeting, OpenPhone,
162 With this module you can support H.323 on a connection tracking/NAT
165 This module supports RAS, Fast Start, H.245 Tunnelling, Call
166 Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
167 whiteboard, file transfer, etc. For more information, please
168 visit http://nath323.sourceforge.net/.
170 To compile it as a module, choose M here. If unsure, say N.
172 config NF_CONNTRACK_IRC
173 tristate "IRC protocol support"
174 depends on NF_CONNTRACK
176 There is a commonly-used extension to IRC called
177 Direct Client-to-Client Protocol (DCC). This enables users to send
178 files to each other, and also chat to each other without the need
179 of a server. DCC Sending is used anywhere you send files over IRC,
180 and DCC Chat is most commonly used by Eggdrop bots. If you are
181 using NAT, this extension will enable you to send files and initiate
182 chats. Note that you do NOT need this extension to get files or
183 have others initiate chats, or everything else in IRC.
185 To compile it as a module, choose M here. If unsure, say N.
187 config NF_CONNTRACK_NETBIOS_NS
188 tristate "NetBIOS name service protocol support (EXPERIMENTAL)"
189 depends on EXPERIMENTAL && NF_CONNTRACK
191 NetBIOS name service requests are sent as broadcast messages from an
192 unprivileged port and responded to with unicast messages to the
193 same port. This make them hard to firewall properly because connection
194 tracking doesn't deal with broadcasts. This helper tracks locally
195 originating NetBIOS name service requests and the corresponding
196 responses. It relies on correct IP address configuration, specifically
197 netmask and broadcast address. When properly configured, the output
198 of "ip address show" should look similar to this:
200 $ ip -4 address show eth0
201 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
202 inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
204 To compile it as a module, choose M here. If unsure, say N.
206 config NF_CONNTRACK_PPTP
207 tristate "PPtP protocol support"
208 depends on NF_CONNTRACK
209 select NF_CT_PROTO_GRE
211 This module adds support for PPTP (Point to Point Tunnelling
212 Protocol, RFC2637) connection tracking and NAT.
214 If you are running PPTP sessions over a stateful firewall or NAT
215 box, you may want to enable this feature.
217 Please note that not all PPTP modes of operation are supported yet.
218 Specifically these limitations exist:
219 - Blindly assumes that control connections are always established
220 in PNS->PAC direction. This is a violation of RFC2637.
221 - Only supports a single call within each session
223 To compile it as a module, choose M here. If unsure, say N.
225 config NF_CONNTRACK_SANE
226 tristate "SANE protocol support (EXPERIMENTAL)"
227 depends on EXPERIMENTAL && NF_CONNTRACK
229 SANE is a protocol for remote access to scanners as implemented
230 by the 'saned' daemon. Like FTP, it uses separate control and
233 With this module you can support SANE on a connection tracking
236 To compile it as a module, choose M here. If unsure, say N.
238 config NF_CONNTRACK_SIP
239 tristate "SIP protocol support (EXPERIMENTAL)"
240 depends on EXPERIMENTAL && NF_CONNTRACK
242 SIP is an application-layer control protocol that can establish,
243 modify, and terminate multimedia sessions (conferences) such as
244 Internet telephony calls. With the ip_conntrack_sip and
245 the nf_nat_sip modules you can support the protocol on a connection
246 tracking/NATing firewall.
248 To compile it as a module, choose M here. If unsure, say N.
250 config NF_CONNTRACK_TFTP
251 tristate "TFTP protocol support"
252 depends on NF_CONNTRACK
254 TFTP connection tracking helper, this is required depending
255 on how restrictive your ruleset is.
256 If you are using a tftp client behind -j SNAT or -j MASQUERADING
259 To compile it as a module, choose M here. If unsure, say N.
261 config NF_CONNTRACK_RTSP
262 tristate "RTSP protocol support"
263 depends on NF_CONNTRACK
265 Support the RTSP protocol. This allows UDP transports to be setup
266 properly, including RTP and RDT.
268 If you want to compile it as a module, say 'M' here and read
269 Documentation/modules.txt. If unsure, say 'Y'.
272 tristate 'Connection tracking netlink interface (EXPERIMENTAL)'
273 depends on EXPERIMENTAL && NF_CONNTRACK && NETFILTER_NETLINK
274 depends on NF_CONNTRACK!=y || NETFILTER_NETLINK!=m
275 depends on NF_NAT=n || NF_NAT
277 This option enables support for a netlink-based userspace interface
279 config NETFILTER_XTABLES
280 tristate "Netfilter Xtables support (required for ip_tables)"
282 This is required if you intend to use any of ip_tables,
283 ip6_tables or arp_tables.
285 # alphabetically ordered list of targets
287 config NETFILTER_XT_TARGET_CLASSIFY
288 tristate '"CLASSIFY" target support'
289 depends on NETFILTER_XTABLES
291 This option adds a `CLASSIFY' target, which enables the user to set
292 the priority of a packet. Some qdiscs can use this value for
293 classification, among these are:
295 atm, cbq, dsmark, pfifo_fast, htb, prio
297 To compile it as a module, choose M here. If unsure, say N.
299 config NETFILTER_XT_TARGET_CONNMARK
300 tristate '"CONNMARK" target support'
301 depends on NETFILTER_XTABLES
302 depends on IP_NF_MANGLE || IP6_NF_MANGLE
303 depends on NF_CONNTRACK
304 select NF_CONNTRACK_MARK
306 This option adds a `CONNMARK' target, which allows one to manipulate
307 the connection mark value. Similar to the MARK target, but
308 affects the connection mark value rather than the packet mark value.
310 If you want to compile it as a module, say M here and read
311 <file:Documentation/kbuild/modules.txt>. The module will be called
312 ipt_CONNMARK.ko. If unsure, say `N'.
314 config NETFILTER_XT_TARGET_DSCP
315 tristate '"DSCP" target support'
316 depends on NETFILTER_XTABLES
317 depends on IP_NF_MANGLE || IP6_NF_MANGLE
319 This option adds a `DSCP' target, which allows you to manipulate
320 the IPv4/IPv6 header DSCP field (differentiated services codepoint).
322 The DSCP field can have any value between 0x0 and 0x3f inclusive.
324 To compile it as a module, choose M here. If unsure, say N.
326 config NETFILTER_XT_TARGET_HL
327 tristate '"HL" hoplimit target support'
328 depends on IP_NF_MANGLE || IP6_NF_MANGLE
330 This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
331 targets, which enable the user to change the
332 hoplimit/time-to-live value of the IP header.
334 While it is safe to decrement the hoplimit/TTL value, the
335 modules also allow to increment and set the hoplimit value of
336 the header to arbitrary values. This is EXTREMELY DANGEROUS
337 since you can easily create immortal packets that loop
338 forever on the network.
340 config NETFILTER_XT_TARGET_IMQ
341 tristate "IMQ target support"
342 depends on NETFILTER_XTABLES
343 depends on IP_NF_MANGLE || IP6_NF_MANGLE
347 This option adds a `IMQ' target which is used to specify if and
348 to which IMQ device packets should get enqueued/dequeued.
350 For more information visit: http://www.linuximq.net/
352 To compile it as a module, choose M here. If unsure, say N.
354 config NETFILTER_XT_TARGET_MARK
355 tristate '"MARK" target support'
356 depends on NETFILTER_XTABLES
358 This option adds a `MARK' target, which allows you to create rules
359 in the `mangle' table which alter the netfilter mark (nfmark) field
360 associated with the packet prior to routing. This can change
361 the routing method (see `Use netfilter MARK value as routing
362 key') and can also be used by other subsystems to change their
365 To compile it as a module, choose M here. If unsure, say N.
367 config NETFILTER_XT_TARGET_NFQUEUE
368 tristate '"NFQUEUE" target Support'
369 depends on NETFILTER_XTABLES
371 This target replaced the old obsolete QUEUE target.
373 As opposed to QUEUE, it supports 65535 different queues,
376 To compile it as a module, choose M here. If unsure, say N.
378 config NETFILTER_XT_TARGET_NFLOG
379 tristate '"NFLOG" target support'
380 depends on NETFILTER_XTABLES
382 This option enables the NFLOG target, which allows to LOG
383 messages through the netfilter logging API, which can use
384 either the old LOG target, the old ULOG target or nfnetlink_log
387 To compile it as a module, choose M here. If unsure, say N.
389 config NETFILTER_XT_TARGET_NOTRACK
390 tristate '"NOTRACK" target support'
391 depends on NETFILTER_XTABLES
392 depends on IP_NF_RAW || IP6_NF_RAW
393 depends on NF_CONNTRACK
395 The NOTRACK target allows a select rule to specify
396 which packets *not* to enter the conntrack/NAT
397 subsystem with all the consequences (no ICMP error tracking,
398 no protocol helpers for the selected packets).
400 If you want to compile it as a module, say M here and read
401 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
403 config NETFILTER_XT_TARGET_SECMARK
404 tristate '"SECMARK" target support'
405 depends on NETFILTER_XTABLES && NETWORK_SECMARK
407 The SECMARK target allows security marking of network
408 packets, for use with security subsystems.
410 To compile it as a module, choose M here. If unsure, say N.
412 config NETFILTER_XT_TARGET_CONNSECMARK
413 tristate '"CONNSECMARK" target support'
414 depends on NETFILTER_XTABLES && NF_CONNTRACK && NF_CONNTRACK_SECMARK
416 The CONNSECMARK target copies security markings from packets
417 to connections, and restores security markings from connections
418 to packets (if the packets are not already marked). This would
419 normally be used in conjunction with the SECMARK target.
421 To compile it as a module, choose M here. If unsure, say N.
423 config NETFILTER_XT_TARGET_TCPMSS
424 tristate '"TCPMSS" target support'
425 depends on NETFILTER_XTABLES && (IPV6 || IPV6=n)
427 This option adds a `TCPMSS' target, which allows you to alter the
428 MSS value of TCP SYN packets, to control the maximum size for that
429 connection (usually limiting it to your outgoing interface's MTU
432 This is used to overcome criminally braindead ISPs or servers which
433 block ICMP Fragmentation Needed packets. The symptoms of this
434 problem are that everything works fine from your Linux
435 firewall/router, but machines behind it can never exchange large
437 1) Web browsers connect, then hang with no data received.
438 2) Small mail works fine, but large emails hang.
439 3) ssh works fine, but scp hangs after initial handshaking.
441 Workaround: activate this option and add a rule to your firewall
444 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
445 -j TCPMSS --clamp-mss-to-pmtu
447 To compile it as a module, choose M here. If unsure, say N.
449 config NETFILTER_XT_MATCH_COMMENT
450 tristate '"comment" match support'
451 depends on NETFILTER_XTABLES
453 This option adds a `comment' dummy-match, which allows you to put
454 comments in your iptables ruleset.
456 If you want to compile it as a module, say M here and read
457 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
459 config NETFILTER_XT_MATCH_CONNBYTES
460 tristate '"connbytes" per-connection counter match support'
461 depends on NETFILTER_XTABLES
462 depends on NF_CONNTRACK
465 This option adds a `connbytes' match, which allows you to match the
466 number of bytes and/or packets for each direction within a connection.
468 If you want to compile it as a module, say M here and read
469 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
471 config NETFILTER_XT_MATCH_CONNLIMIT
472 tristate '"connlimit" match support"'
473 depends on NETFILTER_XTABLES
475 This match allows you to match against the number of parallel
476 connections to a server per client IP address (or address block).
478 config NETFILTER_XT_MATCH_CONNMARK
479 tristate '"connmark" connection mark match support'
480 depends on NETFILTER_XTABLES
481 depends on NF_CONNTRACK
482 select NF_CONNTRACK_MARK
484 This option adds a `connmark' match, which allows you to match the
485 connection mark value previously set for the session by `CONNMARK'.
487 If you want to compile it as a module, say M here and read
488 <file:Documentation/kbuild/modules.txt>. The module will be called
489 ipt_connmark.ko. If unsure, say `N'.
491 config NETFILTER_XT_MATCH_CONNTRACK
492 tristate '"conntrack" connection tracking match support'
493 depends on NETFILTER_XTABLES
494 depends on NF_CONNTRACK
496 This is a general conntrack match module, a superset of the state match.
498 It allows matching on additional conntrack information, which is
499 useful in complex configurations, such as NAT gateways with multiple
500 internet links or tunnels.
502 To compile it as a module, choose M here. If unsure, say N.
504 config NETFILTER_XT_MATCH_DCCP
505 tristate '"DCCP" protocol match support'
506 depends on NETFILTER_XTABLES
508 With this option enabled, you will be able to use the iptables
509 `dccp' match in order to match on DCCP source/destination ports
512 If you want to compile it as a module, say M here and read
513 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
515 config NETFILTER_XT_MATCH_DSCP
516 tristate '"DSCP" match support'
517 depends on NETFILTER_XTABLES
519 This option adds a `DSCP' match, which allows you to match against
520 the IPv4/IPv6 header DSCP field (differentiated services codepoint).
522 The DSCP field can have any value between 0x0 and 0x3f inclusive.
524 To compile it as a module, choose M here. If unsure, say N.
526 config NETFILTER_XT_MATCH_ESP
527 tristate '"ESP" match support'
528 depends on NETFILTER_XTABLES
530 This match extension allows you to match a range of SPIs
531 inside ESP header of IPSec packets.
533 To compile it as a module, choose M here. If unsure, say N.
535 config NETFILTER_XT_MATCH_HELPER
536 tristate '"helper" match support'
537 depends on NETFILTER_XTABLES
538 depends on NF_CONNTRACK
540 Helper matching allows you to match packets in dynamic connections
541 tracked by a conntrack-helper, ie. ip_conntrack_ftp
543 To compile it as a module, choose M here. If unsure, say Y.
545 config NETFILTER_XT_MATCH_HL
546 tristate '"hl" hoplimit/TTL match support'
547 depends on NETFILTER_XTABLES
549 HL matching allows you to match packets based on the hoplimit
550 in the IPv6 header, or the time-to-live field in the IPv4
551 header of the packet.
553 config NETFILTER_XT_MATCH_IPRANGE
554 tristate '"iprange" address range match support'
555 depends on NETFILTER_XTABLES
557 This option adds a "iprange" match, which allows you to match based on
558 an IP address range. (Normal iptables only matches on single addresses
559 with an optional mask.)
563 config NETFILTER_XT_MATCH_LENGTH
564 tristate '"length" match support'
565 depends on NETFILTER_XTABLES
567 This option allows you to match the length of a packet against a
568 specific value or range of values.
570 To compile it as a module, choose M here. If unsure, say N.
572 config NETFILTER_XT_MATCH_LIMIT
573 tristate '"limit" match support'
574 depends on NETFILTER_XTABLES
576 limit matching allows you to control the rate at which a rule can be
577 matched: mainly useful in combination with the LOG target ("LOG
578 target support", below) and to avoid some Denial of Service attacks.
580 To compile it as a module, choose M here. If unsure, say N.
582 config NETFILTER_XT_MATCH_MAC
583 tristate '"mac" address match support'
584 depends on NETFILTER_XTABLES
586 MAC matching allows you to match packets based on the source
587 Ethernet address of the packet.
589 To compile it as a module, choose M here. If unsure, say N.
591 config NETFILTER_XT_MATCH_MARK
592 tristate '"mark" match support'
593 depends on NETFILTER_XTABLES
595 Netfilter mark matching allows you to match packets based on the
596 `nfmark' value in the packet. This can be set by the MARK target
599 To compile it as a module, choose M here. If unsure, say N.
601 config NETFILTER_XT_MATCH_POLICY
602 tristate 'IPsec "policy" match support'
603 depends on NETFILTER_XTABLES && XFRM
605 Policy matching allows you to match packets based on the
606 IPsec policy that was used during decapsulation/will
607 be used during encapsulation.
609 To compile it as a module, choose M here. If unsure, say N.
611 config NETFILTER_XT_MATCH_MULTIPORT
612 tristate "Multiple port match support"
613 depends on NETFILTER_XTABLES
615 Multiport matching allows you to match TCP or UDP packets based on
616 a series of source or destination ports: normally a rule can only
617 match a single range of ports.
619 To compile it as a module, choose M here. If unsure, say N.
621 config NETFILTER_XT_MATCH_PHYSDEV
622 tristate '"physdev" match support'
623 depends on NETFILTER_XTABLES && BRIDGE && BRIDGE_NETFILTER
625 Physdev packet matching matches against the physical bridge ports
626 the IP packet arrived on or will leave by.
628 To compile it as a module, choose M here. If unsure, say N.
630 config NETFILTER_XT_MATCH_PKTTYPE
631 tristate '"pkttype" packet type match support'
632 depends on NETFILTER_XTABLES
634 Packet type matching allows you to match a packet by
635 its "class", eg. BROADCAST, MULTICAST, ...
638 iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
640 To compile it as a module, choose M here. If unsure, say N.
642 config NETFILTER_XT_MATCH_QUOTA
643 tristate '"quota" match support'
644 depends on NETFILTER_XTABLES
646 This option adds a `quota' match, which allows to match on a
649 If you want to compile it as a module, say M here and read
650 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
652 config NETFILTER_XT_MATCH_REALM
653 tristate '"realm" match support'
654 depends on NETFILTER_XTABLES
657 This option adds a `realm' match, which allows you to use the realm
658 key from the routing subsystem inside iptables.
660 This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
663 If you want to compile it as a module, say M here and read
664 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
666 config NETFILTER_XT_MATCH_RECENT
667 tristate '"recent" match support'
668 depends on NETFILTER_XTABLES
670 This match is used for creating one or many lists of recently
671 used addresses and then matching against that/those list(s).
673 Short options are available by using 'iptables -m recent -h'
674 Official Website: <http://snowman.net/projects/ipt_recent/>
676 config NETFILTER_XT_MATCH_RECENT_PROC_COMPAT
677 bool 'Enable obsolete /proc/net/ipt_recent'
678 depends on NETFILTER_XT_MATCH_RECENT && PROC_FS
680 This option enables the old /proc/net/ipt_recent interface,
681 which has been obsoleted by /proc/net/xt_recent.
683 config NETFILTER_XT_MATCH_SCTP
684 tristate '"sctp" protocol match support (EXPERIMENTAL)'
685 depends on NETFILTER_XTABLES && EXPERIMENTAL
687 With this option enabled, you will be able to use the
688 `sctp' match in order to match on SCTP source/destination ports
689 and SCTP chunk types.
691 If you want to compile it as a module, say M here and read
692 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
694 config NETFILTER_XT_MATCH_STATE
695 tristate '"state" match support'
696 depends on NETFILTER_XTABLES
697 depends on NF_CONNTRACK
699 Connection state matching allows you to match packets based on their
700 relationship to a tracked connection (ie. previous packets). This
701 is a powerful tool for packet classification.
703 To compile it as a module, choose M here. If unsure, say N.
705 config NETFILTER_XT_MATCH_LAYER7
706 tristate '"layer7" match support'
707 depends on NETFILTER_XTABLES
708 depends on EXPERIMENTAL && (IP_NF_CONNTRACK || NF_CONNTRACK)
709 depends on NF_CT_ACCT
711 Say Y if you want to be able to classify connections (and their
712 packets) based on regular expression matching of their application
713 layer data. This is one way to classify applications such as
714 peer-to-peer filesharing systems that do not always use the same
717 To compile it as a module, choose M here. If unsure, say N.
719 config NETFILTER_XT_MATCH_LAYER7_DEBUG
720 bool 'Layer 7 debugging output'
721 depends on NETFILTER_XT_MATCH_LAYER7
723 Say Y to get lots of debugging output.
726 config NETFILTER_XT_MATCH_STATISTIC
727 tristate '"statistic" match support'
728 depends on NETFILTER_XTABLES
730 This option adds a `statistic' match, which allows you to match
731 on packets periodically or randomly with a given percentage.
733 To compile it as a module, choose M here. If unsure, say N.
735 config NETFILTER_XT_MATCH_TIME
736 tristate '"time" match support'
737 depends on NETFILTER_XTABLES
739 This option adds a "time" match, which allows you to match based on
740 the packet arrival time (at the machine which netfilter is running)
741 on) or departure time/date (for locally generated packets).
743 If you say Y here, try `iptables -m time --help` for
746 To compile it as a module, choose M here. If unsure, say N.
748 config NETFILTER_XT_MATCH_STRING
749 tristate '"string" match support'
750 depends on NETFILTER_XTABLES
752 select TEXTSEARCH_KMP
754 select TEXTSEARCH_FSM
756 This option adds a `string' match, which allows you to look for
757 pattern matchings in packets.
759 To compile it as a module, choose M here. If unsure, say N.
761 config NETFILTER_XT_MATCH_WEBSTR
762 tristate '"webstr" match support'
763 depends on NETFILTER_XTABLES
765 This option adds a `webstr' match, which allows you to look for
766 pattern matchings in http stream.
768 To compile it as a module, choose M here. If unsure, say N.
770 config NETFILTER_XT_MATCH_WEB
771 tristate '"web" match support (EXPERIMENTAL)'
772 depends on EXPERIMENTAL && NETFILTER_XTABLES
774 This option adds a `web' match, which allows you to look for
775 pattern matchings in http stream.
777 To compile it as a module, choose M here. If unsure, say N.
779 config NETFILTER_XT_MATCH_WEBMON
780 tristate 'Web Monitor match'
781 depends on EXPERIMENTAL && NETFILTER_XTABLES
783 config NETFILTER_XT_MATCH_TCPMSS
784 tristate '"tcpmss" match support'
785 depends on NETFILTER_XTABLES
787 This option adds a `tcpmss' match, which allows you to examine the
788 MSS value of TCP SYN packets, which control the maximum packet size
791 To compile it as a module, choose M here. If unsure, say N.
793 config NETFILTER_XT_MATCH_HASHLIMIT
794 tristate '"hashlimit" match support'
795 depends on NETFILTER_XTABLES && (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
797 This option adds a `hashlimit' match.
799 As opposed to `limit', this match dynamically creates a hash table
800 of limit buckets, based on your selection of source/destination
801 addresses and/or ports.
803 It enables you to express policies like `10kpps for any given
804 destination address' or `500pps from any given source address'
807 config NETFILTER_XT_MATCH_CONDITION
808 tristate '"condition" match support'
809 depends on NETFILTER_XTABLES
811 This option allows you to match firewall rules against condition
812 variables stored in the /proc/net/nf_condition directory.
814 N.B.: older versions used /proc/net/ipt_condition. You can
815 reenable it with "compat_dir_name".
817 If you want to compile it as a module, say M here and read
818 Documentation/modules.txt. If unsure, say `N'.
820 config NETFILTER_XT_MATCH_GEOIP
821 tristate '"geoip" match support'
822 depends on NETFILTER_XTABLES
824 This option allows you to match a packet by its source or
825 destination country. Basically, you need a country's
826 database containing all subnets and associated countries.
828 For the complete procedure and understanding, read :
829 http://people.netfilter.org/acidfu/geoip/howto/geoip-HOWTO.html
831 If you want to compile it as a module, say M here and read
832 <file:Documentation/modules.txt>. The module will be
833 called `ipt_geoip'. If unsure, say `N'.