menu "Core Netfilter Configuration"
	depends on NET && INET && NETFILTER

config NETFILTER_NETLINK

config NETFILTER_NETLINK_QUEUE
	tristate "Netfilter NFQUEUE over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for queueing packets via NFNETLINK.

config NETFILTER_NETLINK_LOG
	tristate "Netfilter LOG over NFNETLINK interface"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for logging packets via NFNETLINK.

	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
	  and is also scheduled to replace the old syslog-based ipt_LOG

config NF_CONNTRACK
	tristate "Netfilter connection tracking support"
	default m if NETFILTER_ADVANCED=n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related

	  This is required to do Masquerading or other kinds of Network
	  Address Translation. It can also be used to enhance packet
	  filtering (see `Connection state match support' below).

	  To compile it as a module, choose M here. If unsure, say N.
config NF_CONNTRACK_MARK
	bool 'Connection mark tracking support'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match. Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config NF_CONNTRACK_SECMARK
	bool 'Connection tracking security mark support'
	depends on NETWORK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables security markings to be applied to
	  connections. Typically they are copied to connections from
	  packets using the CONNSECMARK target and copied back from
	  connections to packets with the same target, with the packets
	  being originally labeled via SECMARK.

config NF_CONNTRACK_ZONES
	bool 'Connection tracking zones'
	depends on NETFILTER_ADVANCED
	depends on NETFILTER_XT_TARGET_CT
	help
	  This option enables support for connection tracking zones.
	  Normally, each connection needs to have a unique system-wide
	  identity. Connection tracking zones allow multiple connections
	  to use the same identity, as long as they are contained in
	  different zones.

config NF_CONNTRACK_EVENTS
	bool "Connection tracking events"
	depends on NETFILTER_ADVANCED
	help
	  If this option is enabled, the connection tracking code will
	  provide a notifier chain that can be used by other kernel code
	  to get notified about changes in the connection tracking state.

config NF_CT_PROTO_DCCP
	tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on DCCP connections.

config NF_CT_PROTO_GRE

config NF_CT_PROTO_SCTP
	tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on SCTP connections.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NF_CT_PROTO_UDPLITE
	tristate 'UDP-Lite protocol connection tracking support'
	depends on NETFILTER_ADVANCED
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on UDP-Lite

	  To compile it as a module, choose M here. If unsure, say N.
config NF_CONNTRACK_AMANDA
	tristate "Amanda backup protocol support"
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH_KMP
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature. This allows the
	  connection tracking and natting code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_FTP
	tristate "FTP protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them.

	  This is FTP support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_H323
	tristate "H.323 protocol support"
	depends on (IPV6 || IPV6=n)
	depends on NETFILTER_ADVANCED
	help
	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
	  important VoIP protocols, it is widely used by voice hardware and
	  software including voice gateways, IP phones, Netmeeting, OpenPhone,

	  With this module you can support H.323 on a connection tracking/NAT

	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
	  whiteboard, file transfer, etc. For more information, please
	  visit http://nath323.sourceforge.net/.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_IRC
	tristate "IRC protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC). This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server. DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots. If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats. Note that you do NOT need this extension to get files or
	  have others initiate chats, or everything else in IRC.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_NETBIOS_NS
	tristate "NetBIOS name service protocol support"
	depends on NETFILTER_ADVANCED
	help
	  NetBIOS name service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating NetBIOS name service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address. When properly configured, the output
	  of "ip address show" should look similar to this:

	  $ ip -4 address show eth0
	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0

	  To compile it as a module, choose M here. If unsure, say N.
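The helper above only works when the netmask and broadcast address agree. As an added example (not part of the kernel's Kconfig or of the helper), this Python script parses the `ip -4 address show` output format quoted above and flags interfaces whose `brd` address differs from the broadcast address derived from the prefix; the sample output and the interface names in it are constructed.

```python
"""Check that each interface's configured broadcast address matches its
netmask, the precondition the NetBIOS name service helper relies on.

Added example, not kernel code. It parses the text format produced by
`ip -4 address show` and reports, per interface, whether `brd` equals the
subnet broadcast computed from the CIDR prefix.
"""
import ipaddress
import re

# Constructed sample in the format of `ip -4 address show`: eth0 is
# configured correctly, eth1 carries a stale broadcast address left over
# from a /16 that was later renumbered to a /24.
SAMPLE_IP_ADDR_SHOW = """\
4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
5: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 10.1.5.7/24 brd 10.1.255.255 scope global eth1
"""

_LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:]+):\s+<(?P<flags>[^>]*)>")
_INET_RE = re.compile(r"^\s+inet\s+(?P<cidr>\S+)(?:\s+brd\s+(?P<brd>\S+))?")


def parse_ip_addr_show(text):
    """Return a list of (ifname, flags, cidr, brd) tuples.

    Link lines ("4: eth0: <...>") set the current interface; each
    following "inet" line is attached to it. brd is None when absent.
    """
    entries = []
    current = None
    for line in text.splitlines():
        m = _LINK_RE.match(line)
        if m:
            current = (m.group("name"), m.group("flags").split(","))
            continue
        m = _INET_RE.match(line)
        if m and current is not None:
            entries.append((current[0], current[1], m.group("cidr"), m.group("brd")))
    return entries


def check_broadcast(entry):
    """Return (ok, reason) for one parsed address entry.

    ok is True only when the interface has the BROADCAST flag, a brd
    address is configured, and that address equals the subnet broadcast
    computed from the prefix length.
    """
    ifname, flags, cidr, brd = entry
    if "BROADCAST" not in flags:
        return False, f"{ifname}: not a broadcast interface"
    if brd is None:
        return False, f"{ifname}: no brd address configured"
    expected = str(ipaddress.ip_interface(cidr).network.broadcast_address)
    if brd != expected:
        return False, f"{ifname}: brd {brd} does not match {expected} for {cidr}"
    return True, f"{ifname}: ok"


def check_all(text):
    """Map interface name -> (ok, reason); one IPv4 address per interface assumed."""
    return {e[0]: check_broadcast(e) for e in parse_ip_addr_show(text)}


if __name__ == "__main__":
    for ok, reason in check_all(SAMPLE_IP_ADDR_SHOW).values():
        print("OK  " if ok else "BAD ", reason)
```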
config NF_CONNTRACK_PPTP
	tristate "PPTP protocol support"
	depends on NETFILTER_ADVANCED
	select NF_CT_PROTO_GRE
	help
	  This module adds support for PPTP (Point to Point Tunnelling
	  Protocol, RFC2637) connection tracking and NAT.

	  If you are running PPTP sessions over a stateful firewall or NAT
	  box, you may want to enable this feature.

	  Please note that not all PPTP modes of operation are supported yet.
	  Specifically these limitations exist:
	    - Blindly assumes that control connections are always established
	      in PNS->PAC direction. This is a violation of RFC2637.
	    - Only supports a single call within each session

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_RTSP
	tristate "RTSP protocol support"
	depends on NETFILTER_ADVANCED
	help
	  Support the RTSP protocol. This allows UDP transports to be set up
	  properly, including RTP and RDT.

	  If you want to compile it as a module, say 'M' here and read
	  Documentation/modules.txt. If unsure, say 'Y'.

config NF_CONNTRACK_SANE
	tristate "SANE protocol support (EXPERIMENTAL)"
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	help
	  SANE is a protocol for remote access to scanners as implemented
	  by the 'saned' daemon. Like FTP, it uses separate control and

	  With this module you can support SANE on a connection tracking

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SIP
	tristate "SIP protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  SIP is an application-layer control protocol that can establish,
	  modify, and terminate multimedia sessions (conferences) such as
	  Internet telephony calls. With the ip_conntrack_sip and
	  the nf_nat_sip modules you can support the protocol on a connection
	  tracking/NATing firewall.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_TFTP
	tristate "TFTP protocol support"
	depends on NETFILTER_ADVANCED
	help
	  TFTP connection tracking helper; this is required depending
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADING

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CT_NETLINK
	tristate 'Connection tracking netlink interface'
	select NETFILTER_NETLINK
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables support for a netlink-based userspace interface
# transparent proxy support
config NETFILTER_TPROXY
	tristate "Transparent proxying support (EXPERIMENTAL)"
	depends on EXPERIMENTAL
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option enables transparent proxying support, that is,
	  support for handling non-locally bound IPv4 TCP and UDP sockets.
	  For it to work you will have to configure certain iptables rules
	  and use policy routing. For more information on how to set it up
	  see Documentation/networking/tproxy.txt.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XTABLES
	tristate "Netfilter Xtables support (required for ip_tables)"
	default m if NETFILTER_ADVANCED=n
	help
	  This is required if you intend to use any of ip_tables,
	  ip6_tables or arp_tables.

comment "Xtables combined modules"

config NETFILTER_XT_MARK
	tristate 'nfmark target and match support'
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds the "MARK" target and "mark" match.

	  Netfilter mark matching allows you to match packets based on the
	  "nfmark" value in the packet.
	  The target allows you to create rules in the "mangle" table which alter
	  the netfilter mark (nfmark) field associated with the packet.

	  Prior to routing, the nfmark can influence the routing method (see
	  "Use netfilter MARK value as routing key") and can also be used by
	  other subsystems to change their behavior.

config NETFILTER_XT_CONNMARK
	tristate 'ctmark target and match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  This option adds the "CONNMARK" target and "connmark" match.

	  Netfilter allows you to store a mark value per connection (a.k.a.
	  ctmark), similarly to the packet mark (nfmark). Using this
	  target and match, you can set and match on this mark.

# alphabetically ordered list of targets

comment "Xtables targets"
config NETFILTER_XT_TARGET_CHECKSUM
	tristate "CHECKSUM target support"
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CHECKSUM' target, which can be used in the iptables mangle

	  You can use this target to compute and fill in the checksum in
	  a packet that lacks a checksum. This is particularly useful
	  if you need to work around old applications such as dhcp clients
	  that do not work well with checksum offloads, but don't want to disable
	  checksum offload in your device.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CLASSIFY
	tristate '"CLASSIFY" target support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet. Some qdiscs can use this value for
	  classification, among these are:

	  atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CONNMARK
	tristate '"CONNMARK" target support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_CONNMARK
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).

config NETFILTER_XT_TARGET_CONNSECMARK
	tristate '"CONNSECMARK" target support'
	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The CONNSECMARK target copies security markings from packets
	  to connections, and restores security markings from connections
	  to packets (if the packets are not already marked). This would
	  normally be used in conjunction with the SECMARK target.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CT
	tristate '"CT" target support'
	depends on NF_CONNTRACK
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CT' target, which allows you to specify initial
	  connection tracking parameters like events to be delivered and
	  the helper to be used.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_DSCP
	tristate '"DSCP" and "TOS" target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' target, which allows you to manipulate
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It also adds the "TOS" target, which allows you to create rules in
	  the "mangle" table which alter the Type Of Service field of an IPv4
	  or the Priority field of an IPv6 packet, prior to routing.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
	  targets, which enable the user to change the
	  hoplimit/time-to-live value of the IP header.

	  While it is safe to decrement the hoplimit/TTL value, the
	  modules also allow incrementing and setting the hoplimit value of
	  the header to arbitrary values. This is EXTREMELY DANGEROUS
	  since you can easily create immortal packets that loop
	  forever on the network.

config NETFILTER_XT_TARGET_IDLETIMER
	tristate "IDLETIMER target support"
	depends on NETFILTER_ADVANCED
	help
	  This option adds the `IDLETIMER' target. Each matching packet
	  resets the timer associated with the label specified when the rule is
	  added. When the timer expires, it triggers a sysfs notification.
	  The remaining time for expiration can be read via sysfs.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_LED
	tristate '"LED" target support'
	depends on LEDS_CLASS && LEDS_TRIGGERS
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `LED' target, which allows you to blink LEDs in
	  response to particular packets passing through your machine.

	  This can be used to turn a spare LED into a network activity LED,
	  which only flashes in response to FTP transfers, for example. Or
	  you could have an LED which lights up for a minute or two every time
	  somebody connects to your machine via SSH.

	  You will need support for the "led" class to make this work.

	  To create an LED trigger for incoming SSH traffic:
	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000

	  Then attach the new trigger to an LED on your system:
	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger

	  For more information on the LEDs available on your system, see
	  Documentation/leds-class.txt

config NETFILTER_XT_TARGET_IMQ
	tristate '"IMQ" target support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds an `IMQ' target which is used to specify if and
	  to which imq device packets should get enqueued/dequeued.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_MARK
	tristate '"MARK" target support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MARK
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).

config NETFILTER_XT_TARGET_NFLOG
	tristate '"NFLOG" target support'
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK_LOG
	help
	  This option enables the NFLOG target, which allows logging
	  messages through nfnetlink_log.

	  To compile it as a module, choose M here. If unsure, say N.
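The `select` lines in the entries above are resolved transitively by kconfig: NFLOG pulls in NETFILTER_NETLINK_LOG, which pulls in NETFILTER_NETLINK, and the backwards-compat MARK and CONNMARK entries pull in their combined modules. As an added example, not kernel code, this Python script parses a constructed fragment in the same syntax (only the `config`, `tristate`/`bool`, `depends on` and `select` keywords used on this page) and computes that closure, plus the simple `depends on` lines that a `select` overrides.

```python
"""Resolve what a `select` pulls in, using the Kconfig syntax of this file.

Added example, not kernel code. KCONFIG_FRAGMENT is a constructed copy of a
few entries above; parse_kconfig() handles only config/tristate/bool/
depends on/select, and select_closure() follows `select` transitively,
which is what happens when you enable a backwards-compat option.
"""
import re

# Constructed fragment in the same syntax as the page's Kconfig.
KCONFIG_FRAGMENT = """\
config NETFILTER_NETLINK
	tristate

config NETFILTER_NETLINK_LOG
	tristate "Netfilter LOG over NFNETLINK interface"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK

config NETFILTER_XT_MARK
	tristate 'nfmark target and match support'
	default m if NETFILTER_ADVANCED=n

config NETFILTER_XT_TARGET_MARK
	tristate '"MARK" target support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MARK

config NETFILTER_XT_TARGET_NFLOG
	tristate '"NFLOG" target support'
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK_LOG
"""


def parse_kconfig(text):
    """Return {symbol: {"type": str|None, "depends": [expr], "selects": [sym]}}."""
    symbols = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^config\s+(\w+)$", line)
        if m:
            current = symbols.setdefault(
                m.group(1), {"type": None, "depends": [], "selects": []})
            continue
        if current is None:
            continue
        m = re.match(r"^(tristate|bool)\b", line)
        if m:
            current["type"] = m.group(1)
        elif line.startswith("depends on "):
            current["depends"].append(line[len("depends on "):])
        elif line.startswith("select "):
            # "select FOO if BAR" also exists in Kconfig; keep the symbol only.
            current["selects"].append(line.split()[1])
    return symbols


def select_closure(symbols, root):
    """Set of symbols forced on, transitively, by enabling `root` (root excluded)."""
    seen, stack = set(), [root]
    while stack:
        for dep in symbols.get(stack.pop(), {}).get("selects", []):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def unmet_dependencies(symbols, enabled):
    """Bare-symbol `depends on` lines of enabled symbols not satisfied by `enabled`.

    `select` forces a symbol on even when that symbol's own dependencies are
    unmet, so this is the check a config audit wants. Compound expressions
    (||, &&, =n) are skipped; only lines naming a single symbol are evaluated.
    """
    unmet = {}
    for sym in enabled:
        for expr in symbols.get(sym, {}).get("depends", []):
            if re.fullmatch(r"\w+", expr) and expr not in enabled:
                unmet.setdefault(sym, []).append(expr)
    return unmet


if __name__ == "__main__":
    syms = parse_kconfig(KCONFIG_FRAGMENT)
    for root in ("NETFILTER_XT_TARGET_NFLOG", "NETFILTER_XT_TARGET_MARK"):
        pulled = select_closure(syms, root)
        print(root, "selects", sorted(pulled))
        print("  unmet:", unmet_dependencies(syms, pulled | {root}))
```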
config NETFILTER_XT_TARGET_NFQUEUE
	tristate '"NFQUEUE" target support'
	depends on NETFILTER_ADVANCED
	help
	  This target replaced the old obsolete QUEUE target.

	  As opposed to QUEUE, it supports 65535 different queues,

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NOTRACK
	tristate '"NOTRACK" target support'
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  The NOTRACK target allows a select rule to specify
	  which packets *not* to enter the conntrack/NAT
	  subsystem with all the consequences (no ICMP error tracking,
	  no protocol helpers for the selected packets).

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_TARGET_RATEEST
	tristate '"RATEEST" target support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `RATEEST' target, which allows you to measure
	  rates similar to TC estimators. The `rateest' match can be
	  used to match on the measured rates.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TEE
	tristate '"TEE" - packet cloning to alternate destination'
	depends on NETFILTER_ADVANCED
	depends on (IPV6 || IPV6=n)
	depends on !NF_CONNTRACK || NF_CONNTRACK
	help
	  This option adds a "TEE" target with which a packet can be cloned and
	  the clone rerouted to another nexthop.

config NETFILTER_XT_TARGET_TPROXY
	tristate '"TPROXY" target support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_TPROXY
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	select NF_DEFRAG_IPV4
	help
	  This option adds a `TPROXY' target, which is somewhat similar to
	  REDIRECT. It can only be used in the mangle table and is useful
	  to redirect traffic to a transparent proxy. It does _not_ depend
	  on Netfilter connection tracking and NAT, unlike REDIRECT.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TRACE
	tristate '"TRACE" target support'
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	help
	  The TRACE target allows you to mark packets so that the kernel
	  will log every rule that matches the packets as they traverse
	  the tables, chains, rules.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_TARGET_SECMARK
	tristate '"SECMARK" target support'
	depends on NETWORK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The SECMARK target allows security marking of network
	  packets, for use with security subsystems.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TCPMSS
	tristate '"TCPMSS" target support'
	depends on (IPV6 || IPV6=n)
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `TCPMSS' target, which allows you to alter the
	  MSS value of TCP SYN packets, to control the maximum size for that
	  connection (usually limiting it to your outgoing interface's MTU

	  This is used to overcome criminally braindead ISPs or servers which
	  block ICMP Fragmentation Needed packets. The symptoms of this
	  problem are that everything works fine from your Linux
	  firewall/router, but machines behind it can never exchange large

	  1) Web browsers connect, then hang with no data received.
	  2) Small mail works fine, but large emails hang.
	  3) ssh works fine, but scp hangs after initial handshaking.

	  Workaround: activate this option and add a rule to your firewall

	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
	           -j TCPMSS --clamp-mss-to-pmtu

	  To compile it as a module, choose M here. If unsure, say N.
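What `--clamp-mss-to-pmtu` does to a SYN, as an added example that is not kernel code: walk the TCP options, find the MSS option and lower it so that MSS plus a fixed-size IP and TCP header fits the path MTU. The header sizes used (20-byte IPv4 or 40-byte IPv6 header plus a 20-byte TCP header) and the sample SYN options are my own assumptions; SYNs without an MSS option are returned unchanged here.

```python
"""Model of MSS clamping on a TCP SYN's option bytes.

Added example, not kernel code. Parses TCP options (RFC 793 kind/length
encoding), locates the MSS option (kind 2, length 4) and rewrites it in
place when it exceeds pmtu minus the assumed IP+TCP header overhead.
"""
import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2
# Assumed fixed header overhead: IPv4 20 + TCP 20, IPv6 40 + TCP 20.
HEADER_OVERHEAD = {4: 20 + 20, 6: 40 + 20}


def parse_tcp_options(opts):
    """Yield (offset, kind, payload) for each option; EOL ends the list.

    Raises ValueError on a truncated option or an impossible length, so a
    malformed SYN is rejected rather than misparsed.
    """
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            return
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        yield i, kind, opts[i + 2:i + length]
        i += length


def mss_option(opts):
    """Return the advertised MSS, or None if the SYN carries no MSS option."""
    for _, kind, payload in parse_tcp_options(opts):
        if kind == TCPOPT_MSS and len(payload) == 2:
            return struct.unpack("!H", payload)[0]
    return None


def clamp_mss_to_pmtu(opts, pmtu, ip_version=4):
    """Return (new_opts, old_mss, new_mss).

    If the MSS option is larger than pmtu minus the header overhead it is
    rewritten to that limit; otherwise the options come back untouched.
    A SYN without an MSS option is returned as-is with (None, None).
    """
    limit = pmtu - HEADER_OVERHEAD[ip_version]
    for offset, kind, payload in parse_tcp_options(opts):
        if kind == TCPOPT_MSS and len(payload) == 2:
            old = struct.unpack("!H", payload)[0]
            if old <= limit:
                return opts, old, old
            new = bytearray(opts)
            new[offset + 2:offset + 4] = struct.pack("!H", limit)
            return bytes(new), old, limit
    return opts, None, None


# Constructed options of a typical Linux SYN: MSS 1460, SACK permitted,
# timestamps, NOP, window scale 7 (20 bytes).
SAMPLE_SYN_OPTS = bytes.fromhex(
    "020405b4" "0402" "080a0000000100000000" "01" "030307")

if __name__ == "__main__":
    # A 1492-byte PPPoE path MTU is the classic case behind the rule above.
    new, old, clamped = clamp_mss_to_pmtu(SAMPLE_SYN_OPTS, pmtu=1492)
    print(f"MSS {old} -> {clamped}; options now {new.hex()}")
```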
config NETFILTER_XT_TARGET_TCPOPTSTRIP
	tristate '"TCPOPTSTRIP" target support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
	  TCP options from TCP packets.

# alphabetically ordered list of matches

comment "Xtables matches"

config NETFILTER_XT_MATCH_CLUSTER
	tristate '"cluster" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  This option allows you to build work-load-sharing clusters of
	  network servers/stateful firewalls without having a dedicated
	  load-balancing router/server/switch. Basically, this match returns
	  true when the packet must be handled by this cluster node. Thus,
	  all nodes see all packets and this match decides which node handles
	  what packets. The work-load sharing algorithm is based on source

	  If you say Y or M here, try `iptables -m cluster --help` for

config NETFILTER_XT_MATCH_COMMENT
	tristate '"comment" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `comment' dummy-match, which allows you to put
	  comments in your iptables ruleset.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNBYTES
	tristate '"connbytes" per-connection counter match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `connbytes' match, which allows you to match the
	  number of bytes and/or packets for each direction within a connection.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNLIMIT
	tristate '"connlimit" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  This match allows you to match against the number of parallel
	  connections to a server per client IP address (or address block).

config NETFILTER_XT_MATCH_CONNMARK
	tristate '"connmark" connection mark match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_CONNMARK
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).

config NETFILTER_XT_MATCH_CONNTRACK
	tristate '"conntrack" connection tracking match support'
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  This is a general conntrack match module, a superset of the state match.

	  It allows matching on additional conntrack information, which is
	  useful in complex configurations, such as NAT gateways with multiple
	  internet links or tunnels.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_CPU
	tristate '"cpu" match support'
	depends on NETFILTER_ADVANCED
	help
	  CPU matching allows you to match packets based on the CPU
	  currently handling the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_DCCP
	tristate '"dccp" protocol match support'
	depends on NETFILTER_ADVANCED
	help
	  With this option enabled, you will be able to use the iptables
	  `dccp' match in order to match on DCCP source/destination ports

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_DSCP
	tristate '"dscp" and "tos" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It will also add a "tos" match, which allows you to match packets
	  based on the Type Of Service fields of the IPv4 packet (which share
	  the same bits as DSCP).

	  To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_MATCH_ESP
	tristate '"esp" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the ESP header of IPsec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_HASHLIMIT
	tristate '"hashlimit" match support'
	depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `hashlimit' match.

	  As opposed to `limit', this match dynamically creates a hash table
	  of limit buckets, based on your selection of source/destination
	  addresses and/or ports.

	  It enables you to express policies like `10kpps for any given
	  destination address' or `500pps from any given source address'

config NETFILTER_XT_MATCH_HELPER
	tristate '"helper" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack-helper, i.e. ip_conntrack_ftp

	  To compile it as a module, choose M here. If unsure, say Y.

config NETFILTER_XT_MATCH_HL
	tristate '"hl" hoplimit/TTL match support'
	depends on NETFILTER_ADVANCED
	help
	  HL matching allows you to match packets based on the hoplimit
	  in the IPv6 header, or the time-to-live field in the IPv4
	  header of the packet.

config NETFILTER_XT_MATCH_IPRANGE
	tristate '"iprange" address range match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds an "iprange" match, which allows you to match based on
	  an IP address range. (Normal iptables only matches on single addresses
	  with an optional mask.)

config NETFILTER_XT_MATCH_IPVS
	tristate '"ipvs" match support'
	depends on NETFILTER_ADVANCED
	depends on NF_CONNTRACK
	help
	  This option allows you to match against IPVS properties of a packet.

config NETFILTER_XT_MATCH_LENGTH
	tristate '"length" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_LIMIT
	tristate '"limit" match support'
	depends on NETFILTER_ADVANCED
	help
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", below) and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MAC
	tristate '"mac" address match support'
	depends on NETFILTER_ADVANCED
	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MARK
	tristate '"mark" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MARK
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).

config NETFILTER_XT_MATCH_MULTIPORT
	tristate '"multiport" Multiple port match support'
	depends on NETFILTER_ADVANCED
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_OSF
	tristate '"osf" Passive OS fingerprint match'
	depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
	help
	  This option selects the Passive OS Fingerprinting match module
	  that allows passively matching the remote operating system by
	  analyzing incoming TCP SYN packets.

	  Rules and loading software can be downloaded from
	  http://www.ioremap.net/projects/osf

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_OWNER
	tristate '"owner" match support'
	depends on NETFILTER_ADVANCED
	help
	  Socket owner matching allows you to match locally-generated packets
	  based on who created the socket: the user or group. It is also
	  possible to check whether a socket actually exists.

config NETFILTER_XT_MATCH_POLICY
	tristate 'IPsec "policy" match support'
	default m if NETFILTER_ADVANCED=n
	help
	  Policy matching allows you to match packets based on the
	  IPsec policy that was used during decapsulation/will
	  be used during encapsulation.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_PHYSDEV
	tristate '"physdev" match support'
	depends on BRIDGE && BRIDGE_NETFILTER
	depends on NETFILTER_ADVANCED
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here. If unsure, say N.
875 config NETFILTER_XT_MATCH_PKTTYPE
876 tristate '"pkttype" packet type match support'
877 depends on NETFILTER_ADVANCED
879 Packet type matching allows you to match a packet by
880 its "class", eg. BROADCAST, MULTICAST, ...
883 iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
885 To compile it as a module, choose M here. If unsure, say N.
887 config NETFILTER_XT_MATCH_QUOTA
888 tristate '"quota" match support'
889 depends on NETFILTER_ADVANCED
891 This option adds a `quota' match, which allows to match on a
894 If you want to compile it as a module, say M here and read
895 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
897 config NETFILTER_XT_MATCH_RATEEST
898 tristate '"rateest" match support'
899 depends on NETFILTER_ADVANCED
900 select NETFILTER_XT_TARGET_RATEEST
902 This option adds a `rateest' match, which allows to match on the
903 rate estimated by the RATEEST target.
905 To compile it as a module, choose M here. If unsure, say N.
907 config NETFILTER_XT_MATCH_REALM
908 tristate '"realm" match support'
909 depends on NETFILTER_ADVANCED
912 This option adds a `realm' match, which allows you to use the realm
913 key from the routing subsystem inside iptables.
915 This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
918 If you want to compile it as a module, say M here and read
919 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_RECENT
	tristate '"recent" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'
	  Official Website: <http://snowman.net/projects/ipt_recent/>
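
The two-rule SSH throttling pattern that `recent' is usually deployed for, together with the --set/--rcheck/--update/--remove bookkeeping behind it, as an added example in Python (not kernel or iptables code). It models the per-table hit lists xt_recent keeps per source address; the table name SSH, the addresses and the timings are constructed for the demo, and time is counted in plain seconds rather than jiffies.

```python
"""Userspace model of the xt_recent match (added example, not kernel code).

Mirrors the decision logic of recent_mt() in xt_recent.c: each table maps a
source address to the timestamps of its last ip_pkt_list_tot hits, --set
records a hit, and --rcheck/--update count the hits that fall inside the
--seconds window to decide whether --hitcount has been reached.
"""
from collections import deque

IP_PKT_LIST_TOT = 20  # kernel default: number of hit timestamps kept per address


class RecentTable:
    def __init__(self, name="DEFAULT", max_stamps=IP_PKT_LIST_TOT):
        self.name = name
        self.max_stamps = max_stamps
        self.stamps = {}  # address -> deque of hit times, oldest first

    def hits_in_window(self, addr, now, seconds):
        stamps = self.stamps.get(addr, ())
        if seconds == 0:                  # no --seconds: every kept stamp counts
            return len(stamps)
        return sum(1 for t in stamps if now - t <= seconds)

    def match(self, addr, now, *, set_=False, rcheck=False, update=False,
              remove=False, seconds=0, hitcount=0):
        """True if a packet from `addr` seen at time `now` matches the rule."""
        if addr not in self.stamps:
            if not set_:
                return False              # unknown address: rcheck/update/remove never match
            self.stamps[addr] = deque(maxlen=self.max_stamps)
        if remove:
            del self.stamps[addr]         # --remove matches and forgets the address
            return True
        matched = set_                    # --set always matches
        if rcheck or update:
            hits = self.hits_in_window(addr, now, seconds)
            matched = hits >= max(hitcount, 1)
        if set_ or (update and matched):
            self.stamps[addr].append(now)  # record this hit / refresh "last seen"
        return matched


def ssh_bruteforce_policy(attempts, table=None):
    """Replay NEW SSH connection attempts through the classic two-rule pattern:

        iptables -A INPUT -p tcp --dport 22 -m state --state NEW \\
            -m recent --set --name SSH
        iptables -A INPUT -p tcp --dport 22 -m state --state NEW \\
            -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP

    `attempts` is a list of (time_in_seconds, source_address); the port and
    state matches are assumed satisfied. Returns the per-attempt verdict:
    "DROP" from rule 2, or "ACCEPT" when the packet falls through to a later
    accept rule that is not modelled here.
    """
    table = table if table is not None else RecentTable("SSH")
    verdicts = []
    for now, src in attempts:
        table.match(src, now, set_=True)                         # rule 1: no -j, just records
        if table.match(src, now, update=True, seconds=60, hitcount=4):
            verdicts.append("DROP")                             # rule 2
        else:
            verdicts.append("ACCEPT")
    return verdicts


# Constructed sample: 10.0.0.9 hammers port 22 every 10 s, 10.0.0.5 connects once.
SAMPLE_ATTEMPTS = [
    (0, "10.0.0.9"), (10, "10.0.0.9"), (20, "10.0.0.9"), (30, "10.0.0.9"),
    (35, "10.0.0.5"), (40, "10.0.0.9"), (130, "10.0.0.9"),
]

if __name__ == "__main__":
    for (t, src), v in zip(SAMPLE_ATTEMPTS, ssh_bruteforce_policy(SAMPLE_ATTEMPTS)):
        print(f"t={t:4d}s  {src:10s}  {v}")
```

Rule order matters: because --set runs first, the attempt that pushes the count to 4 is the one dropped, and --update keeps extending the block for as long as the client keeps retrying, which is why the 130 s attempt (all earlier stamps now outside the window) gets through again.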

config NETFILTER_XT_MATCH_SCTP
	tristate '"sctp" protocol match support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_ADVANCED
	help
	  With this option enabled, you will be able to use the
	  `sctp' match in order to match on SCTP source/destination ports
	  and SCTP chunk types.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_SOCKET
	tristate '"socket" match support (EXPERIMENTAL)'
	depends on EXPERIMENTAL
	depends on NETFILTER_TPROXY
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DEFRAG_IPV4
	help
	  This option adds a `socket' match, which can be used to match
	  packets for which a TCP or UDP socket lookup finds a valid socket.
	  It can be used in combination with the MARK target and policy
	  routing to implement full featured non-locally bound sockets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STATE
	tristate '"state" match support'
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (ie. previous packets). This
	  is a powerful tool for packet classification.

	  To compile it as a module, choose M here. If unsure, say N.
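
How `state' labels TCP packets, as an added example in Python (not kernel code): a cut-down conntrack table that assigns NEW, ESTABLISHED or INVALID, replayed through a typical stateful INPUT chain. The host, client and scanner addresses and the packet sequence are constructed for the demo; RELATED (which needs ALG helpers) is not modelled, and `tcp_loose` is a stand-in for the net.netfilter.nf_conntrack_tcp_loose sysctl.

```python
"""Minimal model of how the `state' match classifies TCP packets (added
example, not kernel code). A conntrack-style table is keyed by the flow's
4-tuple in both directions. With tcp_loose on (the kernel default) an
ACK-only packet matching no entry is picked up as a NEW mid-stream flow;
with it off, that packet is INVALID.
"""
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def tcp_kind(flags):
    """Flag precedence as in the kernel's get_conntrack_index()."""
    if flags & RST:
        return "RST"
    if flags & SYN:
        return "SYNACK" if flags & ACK else "SYN"
    if flags & FIN:
        return "FIN"
    return "ACK" if flags & ACK else "NONE"


class ConntrackLite:
    def __init__(self, tcp_loose=True):
        self.tcp_loose = tcp_loose
        self.entries = {}  # (src, sport, dst, dport) -> entry shared by both directions

    @staticmethod
    def _reverse(key):
        src, sport, dst, dport = key
        return dst, dport, src, sport

    def classify(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        entry = self.entries.get(key)
        kind = tcp_kind(pkt.flags)
        if entry is None:
            # No entry: a plain SYN opens a flow, and so does an ACK when loose
            # pickup is on. SYN/ACK, FIN, RST or flagless packets are INVALID.
            if kind == "SYN" or (kind == "ACK" and self.tcp_loose):
                entry = {"orig": key, "seen_reply": False}
                self.entries[key] = self.entries[self._reverse(key)] = entry
                return "NEW"
            return "INVALID"
        if key != entry["orig"]:
            entry["seen_reply"] = True        # reply direction seen: flow is two-way
        state = "ESTABLISHED" if entry["seen_reply"] else "NEW"
        if kind == "RST":
            # The RST still belongs to the flow. The kernel keeps a CLOSE entry
            # for a short timeout; this model forgets the flow immediately.
            del self.entries[entry["orig"]]
            del self.entries[self._reverse(entry["orig"])]
        return state


def stateful_input_policy(packets, host, tcp_loose=True, open_ports=(22,)):
    """Run packets through conntrack and, for those addressed to `host`, through:
        -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        -A INPUT -m state --state INVALID -j DROP
        -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
        -A INPUT -j DROP
    Packets sent by `host` only update conntrack (they leave via OUTPUT) and
    get verdict None. Returns a list of (ctstate, verdict).
    """
    ct = ConntrackLite(tcp_loose=tcp_loose)
    results = []
    for pkt in packets:
        state = ct.classify(pkt)
        if pkt.dst != host:
            verdict = None
        elif state == "ESTABLISHED":
            verdict = "ACCEPT"
        elif state == "INVALID":
            verdict = "DROP"
        else:                                 # NEW
            verdict = "ACCEPT" if pkt.dport in open_ports else "DROP"
        results.append((state, verdict))
    return results


# Constructed traffic: an SSH handshake, two handshake-less probes, the client
# aborting with RST, and a stray ACK for the torn-down flow.
HOST, CLIENT, SCANNER = "192.0.2.10", "198.51.100.7", "203.0.113.4"
SAMPLE_PACKETS = [
    TcpPacket(CLIENT, 40000, HOST, 22, SYN),
    TcpPacket(HOST, 22, CLIENT, 40000, SYN | ACK),
    TcpPacket(CLIENT, 40000, HOST, 22, ACK),
    TcpPacket(SCANNER, 55555, HOST, 22, ACK),        # nmap -sA style ACK probe
    TcpPacket(SCANNER, 55556, HOST, 22, SYN | ACK),  # SYN/ACK with no SYN before it
    TcpPacket(CLIENT, 40000, HOST, 22, RST),
    TcpPacket(CLIENT, 40000, HOST, 22, ACK),
]

if __name__ == "__main__":
    for loose in (True, False):
        print(f"tcp_loose={int(loose)}:", stateful_input_policy(SAMPLE_PACKETS, HOST, loose))
```

The ACK probe is the case to look at: with loose pickup the `--state NEW --dport 22 -j ACCEPT` rule lets a packet in that never completed a handshake, which is why hardened rulesets add `-p tcp ! --syn -m state --state NEW -j DROP` ahead of it or turn nf_conntrack_tcp_loose off.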

config NETFILTER_XT_MATCH_LAYER7
	tristate '"layer7" match support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_CONNTRACK || NF_CONNTRACK
	depends on NF_CT_ACCT
	help
	  Say Y if you want to be able to classify connections (and their
	  packets) based on regular expression matching of their application
	  layer data. This is one way to classify applications such as
	  peer-to-peer filesharing systems that do not always use the same

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_LAYER7_DEBUG
	bool 'layer7 debugging output'
	depends on NETFILTER_XT_MATCH_LAYER7
	help
	  Say Y to get lots of debugging output.

config NETFILTER_XT_MATCH_STATISTIC
	tristate '"statistic" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `statistic' match, which allows you to match
	  on packets periodically or randomly with a given percentage.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STRING
	tristate '"string" match support'
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH_KMP
	select TEXTSEARCH_BM
	select TEXTSEARCH_FSM
	help
	  This option adds a `string' match, which allows you to search for
	  patterns in packets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_TCPMSS
	tristate '"tcpmss" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS value of TCP SYN packets, which controls the maximum segment size
	  for that connection.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_TIME
	tristate '"time" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a "time" match, which allows you to match based on
	  the packet arrival time (at the machine which netfilter is running
	  on) or departure time/date (for locally generated packets).

	  If you say Y here, try `iptables -m time --help` for

	  If you want to compile it as a module, say M here.

config NETFILTER_XT_MATCH_U32
	tristate '"u32" match support'
	depends on NETFILTER_ADVANCED
	help
	  u32 allows you to extract quantities of up to 4 bytes from a packet,
	  AND them with specified masks, shift them by specified amounts and
	  test whether the results are in any of a set of specified ranges.
	  The specification of what to extract is general enough to skip over
	  headers with lengths stored in the packet, as in IP or TCP header

	  Details and examples are in the kernel module source.
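
A Python evaluator for u32 expressions, as an added example (not kernel or iptables code): it parses the `--u32` string and applies the same fetch, mask, shift and `@` steps the kernel module does, so the header-skipping described above can be tried on constructed packets. The packet builders and the LEN_GE_256 and PURE_TCP_SYN expressions are constructed for this demo; ECHO_REQUEST follows the shape of the manpage's ICMP example.

```python
"""Evaluator for `u32' match expressions (added example, not kernel code).

Implements the semantics of u32_match_it() in xt_u32.c: read 4 bytes (network
byte order) at the start offset, fold them through `&', `<<', `>>' and `@'
left to right, and test the result against the `=' ranges. `@' adds the
current value to a running base offset and re-reads 4 bytes at base+number,
which is how an expression steps over a variable-length IP header. Every
test joined by `&&' must pass, and a read past the end of the packet makes
the whole match fail rather than raise.
"""
import re
import struct

MASK32 = 0xFFFFFFFF
_TOKEN = re.compile(r"0x[0-9a-fA-F]+|\d+|<<|>>|&|@")


def parse_u32(expr):
    """Parse 'location=value (&& location=value)*' into a list of
    (start_offset, [(op, number), ...], [(lo, hi), ...])."""
    tests = []
    for test in expr.split("&&"):
        location, eq, values = test.partition("=")
        if not eq or not values.strip():
            raise ValueError(f"test without '=value': {test!r}")
        tokens = _TOKEN.findall(location)
        if "".join(tokens) != re.sub(r"\s+", "", location) or len(tokens) % 2 == 0:
            raise ValueError(f"malformed location: {location!r}")
        start = int(tokens[0], 0)
        ops = [(tokens[i], int(tokens[i + 1], 0)) for i in range(1, len(tokens), 2)]
        if any(op not in ("&", "<<", ">>", "@") for op, _ in ops):
            raise ValueError(f"malformed location: {location!r}")
        ranges = []
        for item in values.split(","):
            lo, _, hi = item.partition(":")
            lo = int(lo, 0)
            ranges.append((lo, int(hi, 0) if hi else lo))
        tests.append((start, ops, ranges))
    return tests


def _read32(pkt, offset):
    """4 bytes big-endian at offset, or None when that would run past the packet."""
    if offset < 0 or offset + 4 > len(pkt):
        return None
    return struct.unpack_from("!I", pkt, offset)[0]


def u32_match(pkt, expr):
    """True when every test in `expr' matches the raw IPv4 packet `pkt'."""
    for start, ops, ranges in parse_u32(expr):
        base = 0
        val = _read32(pkt, start)
        if val is None:
            return False
        for op, number in ops:
            if op == "&":
                val &= number
            elif op == "<<":
                val = (val << number) & MASK32
            elif op == ">>":
                val >>= number
            else:                          # "@": descend into the header just measured
                base += val
                val = _read32(pkt, base + number)
                if val is None:
                    return False
        if not any(lo <= val <= hi for lo, hi in ranges):
            return False
    return True


def ipv4_packet(proto, payload, options=b"", src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Constructed IPv4 header (checksum left 0; u32 never inspects it) + payload."""
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                         0x1234, 0x4000, 64, proto, 0, src, dst)  # 0x4000: DF set, offset 0
    return header + options + payload


def tcp_segment(sport, dport, flags):
    """Constructed 20-byte TCP header with the given flag byte."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0)


ICMP_ECHO_REQUEST = struct.pack("!BBHHH", 8, 0, 0, 0x4242, 1)
ICMP_ECHO_REPLY = struct.pack("!BBHHH", 0, 0, 0, 0x4242, 1)

# Expressions in `iptables -m u32 --u32 "..."' syntax. In the third test of
# ECHO_REQUEST, 0>>22&0x3C yields IHL*4 and `@' moves the base past the IP header.
ECHO_REQUEST = "6&0xFF=1 && 4&0x3FFF=0 && 0>>22&0x3C@0>>24=8"
LEN_GE_256 = "0&0xFFFF=0x100:0xFFFF"
PURE_TCP_SYN = "6&0xFF=6 && 4&0x3FFF=0 && 0>>22&0x3C@12>>16&0x3F=0x2"

if __name__ == "__main__":
    echo = ipv4_packet(1, ICMP_ECHO_REQUEST, options=b"\x01" * 4)  # IHL=6 via NOP options
    print("echo request with IP options:", u32_match(echo, ECHO_REQUEST))
    print("TCP SYN:", u32_match(ipv4_packet(6, tcp_segment(40000, 22, 0x02)), PURE_TCP_SYN))
```

Note that `@` is relative to the running base, not absolute, exactly as in the kernel's `at += val`, and that the second test (`4&0x3FFF=0`) exists because only the first fragment carries the transport header; without it a later fragment's payload bytes would be read as if they were an ICMP or TCP header.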

config NETFILTER_XT_MATCH_WEBSTR
	tristate '"webstr" match support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `webstr' match, which allows you to search for
	  patterns in an HTTP stream.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_CONDITION
	tristate '"condition" match support'
	depends on NETFILTER_XTABLES
	help
	  This option allows you to match firewall rules against condition
	  variables stored in the /proc/net/nf_condition directory.

	  N.B.: older versions used /proc/net/ipt_condition. You can
	  re-enable it with the "compat_dir_name" module parameter.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_GEOIP
	tristate '"geoip" match support'
	depends on NETFILTER_XTABLES
	help
	  This option allows you to match a packet by its source or
	  destination country. You need a country database that maps
	  every subnet to the country it is registered in.

	  For the complete procedure and understanding, read:
	  http://people.netfilter.org/acidfu/geoip/howto/geoip-HOWTO.html

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. The module will be
	  called `xt_geoip'. If unsure, say `N'.

endif # NETFILTER_XTABLES

source "net/netfilter/ipvs/Kconfig"